7 files changed, 306 insertions, 881 deletions

diff --git a/secure/lib/libcrypto/Makefile b/secure/lib/libcrypto/Makefile
index c56c005e9a53..702270ed3468 100644
--- a/secure/lib/libcrypto/Makefile
+++ b/secure/lib/libcrypto/Makefile
@@ -1,150 +1,122 @@
 # $FreeBSD$
 
-.include "Makefile.inc"
+LIB=		crypto
+SHLIB_MAJOR=	3
 
-.PATH:	${LCRYPTO_SRC} ${LCRYPTO_SRC}/asn1 ${LCRYPTO_SRC}/bf \
-	${LCRYPTO_SRC}/bio ${LCRYPTO_SRC}/bn ${LCRYPTO_SRC}/buffer \
-	${LCRYPTO_SRC}/cast ${LCRYPTO_SRC}/comp ${LCRYPTO_SRC}/conf \
-	${LCRYPTO_SRC}/des ${LCRYPTO_SRC}/dh ${LCRYPTO_SRC}/dsa \
-	${LCRYPTO_SRC}/dso ${LCRYPTO_SRC}/err ${LCRYPTO_SRC}/evp \
-	${LCRYPTO_SRC}/hmac ${LCRYPTO_SRC}/lhash ${LCRYPTO_SRC}/md2 \
-	${LCRYPTO_SRC}/md4 ${LCRYPTO_SRC}/md5 ${LCRYPTO_SRC}/mdc2 \
-	${LCRYPTO_SRC}/objects ${LCRYPTO_SRC}/pem ${LCRYPTO_SRC}/pkcs7 \
-	${LCRYPTO_SRC}/pkcs12 ${LCRYPTO_SRC}/rand ${LCRYPTO_SRC}/rc2 \
-	${LCRYPTO_SRC}/rc4 ${LCRYPTO_SRC}/rc5 ${LCRYPTO_SRC}/ripemd \
-	${LCRYPTO_SRC}/rsa ${LCRYPTO_SRC}/../rsaref ${LCRYPTO_SRC}/sha \
-	${LCRYPTO_SRC}/stack ${LCRYPTO_SRC}/txt_db ${LCRYPTO_SRC}/x509 \
-	${LCRYPTO_SRC}/x509v3
+NOLINT=		true
 
-.if !defined(NOPERL) && ${MACHINE_ARCH} == "i386"
-.PATH:	${LCRYPTO_SRC}/rc4/asm ${LCRYPTO_SRC}/rc5/asm \
-	${LCRYPTO_SRC}/des/asm ${LCRYPTO_SRC}/cast/asm \
-	${LCRYPTO_SRC}/sha/asm ${LCRYPTO_SRC}/bn/asm \
-	${LCRYPTO_SRC}/bf/asm ${LCRYPTO_SRC}/md5/asm \
-	${LCRYPTO_SRC}/ripemd/asm
-PERLPATH=	${LCRYPTO_SRC}/des/asm:${LCRYPTO_SRC}/perlasm
+.if exists(Makefile.man)
+.include "Makefile.man"
 .endif
-
-.if defined(MAKE_IDEA) && ${MAKE_IDEA} == YES
-.PATH:  ${LCRYPTO_SRC}/idea
+.if defined(NOTYET)
+MAN+=	config.5 des_modes.7
 .endif
 
-LIB=		crypto
-SHLIB_MAJOR=	2
-
-MAINTAINER=	kris
+.include "Makefile.inc"
 
 # base sources
-SRCS+=	cpt_err.c cryptlib.c cversion.c ebcdic.c ex_data.c mem.c mem_dbg.c \
-	tmdiff.c uid.c
+SRCS+=	cpt_err.c cryptlib.c cversion.c ebcdic.c ex_data.c mem.c mem_clr.c \
+	mem_dbg.c o_time.c tmdiff.c uid.c
 
-# asn1
+# aes
+SRCS+=	aes_cbc.c aes_cfb.c aes_core.c aes_ctr.c aes_ecb.c aes_misc.c aes_ofb.c
 
-SRCS+=	a_bitstr.c a_bmp.c a_bool.c a_bytes.c a_d2i_fp.c a_digest.c \
+# asn1
+SRCS+=	a_bitstr.c a_bool.c a_bytes.c a_d2i_fp.c a_digest.c \
 	a_dup.c a_enum.c a_gentm.c a_hdr.c a_i2d_fp.c a_int.c \
-	a_mbstr.c a_meth.c a_null.c a_object.c a_octet.c a_print.c \
+	a_mbstr.c a_meth.c a_object.c a_octet.c a_print.c \
 	a_set.c a_sign.c a_strex.c a_strnid.c a_time.c a_type.c \
-	a_utctm.c a_utf8.c a_verify.c a_vis.c asn1_err.c asn1_lib.c \
-	asn1_par.c asn_pack.c d2i_dhp.c d2i_dsap.c d2i_pr.c d2i_pu.c \
-	d2i_r_pr.c d2i_r_pu.c d2i_s_pr.c d2i_s_pu.c evp_asn1.c \
-	f_enum.c f_int.c f_string.c i2d_dhp.c i2d_dsap.c i2d_pr.c \
-	i2d_pu.c i2d_r_pr.c i2d_r_pu.c i2d_s_pr.c i2d_s_pu.c n_pkey.c \
-	nsseq.c p5_pbe.c p5_pbev2.c p7_dgst.c p7_enc.c p7_enc_c.c \
-	p7_evp.c p7_i_s.c p7_lib.c p7_recip.c p7_s_e.c p7_signd.c \
-	p7_signi.c p8_pkey.c t_bitst.c t_crl.c t_pkey.c t_req.c \
-	t_spki.c t_x509.c t_x509a.c x_algor.c x_attrib.c x_cinf.c \
-	x_crl.c x_exten.c x_info.c x_name.c x_pkey.c x_pubkey.c \
+	a_utctm.c a_utf8.c a_verify.c asn1_err.c asn1_lib.c \
+	asn1_par.c asn_moid.c asn_pack.c d2i_pr.c d2i_pu.c \
+	evp_asn1.c f_enum.c f_int.c f_string.c i2d_pr.c i2d_pu.c \
+	n_pkey.c nsseq.c p5_pbe.c p5_pbev2.c p8_pkey.c t_bitst.c \
+	t_crl.c t_pkey.c t_req.c t_spki.c t_x509.c t_x509a.c \
+	tasn_dec.c tasn_enc.c tasn_fre.c tasn_new.c tasn_typ.c \
+	tasn_utl.c x_algor.c x_attrib.c x_bignum.c x_crl.c \
+	x_exten.c x_info.c x_long.c x_name.c x_pkey.c x_pubkey.c \
 	x_req.c x_sig.c x_spki.c x_val.c x_x509.c x_x509a.c
 
-# blowfish
-SRCS+=	bf_cfb64.c bf_ecb.c bf_ofb64.c bf_skey.c
-.if !defined(NOPERL) && ${MACHINE_ARCH} == "i386"
-.if ${MACHINE_CPU:Mi686}
-SRCS+=	bf-686.pl
-.else
-SRCS+=	bf-586.pl
-.endif
-.else
-SRCS+=	bf_enc.c
-.endif
+# bf
+SRCS+=	bf_cfb64.c bf_ecb.c bf_enc.c bf_ofb64.c bf_skey.c
 
 # bio
-SRCS+=	b_dump.c b_print.c b_sock.c bf_buff.c bf_nbio.c bf_null.c \
-	bio_cb.c bio_err.c bio_lib.c bss_acpt.c bss_bio.c bss_conn.c \
-	bss_fd.c bss_file.c bss_log.c bss_mem.c bss_null.c bss_sock.c
+SRCS+=	b_dump.c b_print.c b_sock.c bf_buff.c bf_lbuf.c bf_nbio.c \
+	bf_null.c bio_cb.c bio_err.c bio_lib.c bss_acpt.c bss_bio.c \
+	bss_conn.c bss_fd.c bss_file.c bss_log.c bss_mem.c \
+	bss_null.c bss_sock.c
 
 # bn
-
-SRCS+=	bn_add.c bn_blind.c bn_ctx.c bn_div.c bn_err.c \
-	bn_exp.c bn_exp2.c bn_gcd.c bn_lib.c bn_mont.c bn_mpi.c \
-	bn_mul.c bn_prime.c bn_print.c bn_rand.c bn_recp.c bn_shift.c \
-	bn_sqr.c bn_word.c
-.if !defined(NOPERL) && ${MACHINE_ARCH} == "i386"
-SRCS+=	bn-586.pl co-586.pl
-.else
-SRCS+=	bn_asm.c
-.endif
+SRCS+=	bn_add.c bn_asm.c bn_blind.c bn_ctx.c bn_div.c bn_err.c bn_exp.c \
+	bn_exp2.c bn_gcd.c bn_kron.c bn_lib.c bn_mod.c bn_mont.c \
+	bn_mpi.c bn_mul.c bn_prime.c bn_print.c bn_rand.c bn_recp.c \
+	bn_shift.c bn_sqr.c bn_sqrt.c bn_word.c
 
 # buffer
-SRCS+=	buf_err.c buffer.c 
+SRCS+=	buf_err.c buffer.c
 
 # cast
-SRCS+=	c_cfb64.c c_ecb.c c_ofb64.c c_skey.c
-.if !defined(NOPERL) && ${MACHINE_ARCH} == "i386"
-SRCS+=	cast-586.pl
-.else
-SRCS+=	c_enc.c
-.endif
+SRCS+=	c_cfb64.c c_ecb.c c_enc.c c_ofb64.c c_skey.c
 
 # comp
-SRCS+=	c_rle.c c_zlib.c comp_lib.c
+SRCS+=	c_rle.c c_zlib.c comp_err.c comp_lib.c
 
 # conf
-SRCS+=	conf_api.c conf_def.c conf_err.c conf_lib.c
+SRCS+=	conf_api.c conf_def.c conf_err.c conf_lib.c conf_mall.c conf_mod.c conf_sap.c
 
 # des
-SRCS+=	cbc_cksm.c cbc_enc.c cfb64ede.c cfb64enc.c cfb_enc.c \
-	ecb3_enc.c ecb_enc.c ede_cbcm_enc.c enc_read.c enc_writ.c \
-	fcrypt.c ofb64ede.c ofb64enc.c ofb_enc.c pcbc_enc.c \
-	qud_cksm.c rand_key.c read2pwd.c read_pwd.c rpc_enc.c \
-	set_key.c str2key.c xcbc_enc.c rnd_keys.c
-.if !defined(NOPERL) && ${MACHINE_ARCH} == "i386"
-SRCS+=	des-586.pl crypt586.pl
-.else
-SRCS+=	des_enc.c fcrypt_b.c
-.endif
+SRCS+=	cbc3_enc.c cbc_cksm.c cbc_enc.c cfb64ede.c cfb64enc.c cfb_enc.c \
+	des_enc.c des_old.c des_old2.c ecb3_enc.c ecb_enc.c ede_cbcm_enc.c \
+	enc_read.c enc_writ.c fcrypt.c fcrypt_b.c ofb64ede.c ofb64enc.c \
+	ofb_enc.c pcbc_enc.c qud_cksm.c rand_key.c read2pwd.c \
+	rpc_enc.c set_key.c str2key.c xcbc_enc.c
 
 # dh
-SRCS+=	dh_check.c dh_err.c dh_gen.c dh_key.c dh_lib.c
+SRCS+=	dh_asn1.c dh_check.c dh_err.c dh_gen.c dh_key.c dh_lib.c
 
-# dsa 
-SRCS+=	dsa_asn1.c dsa_err.c dsa_gen.c dsa_key.c dsa_lib.c dsa_ossl.c \
-	dsa_sign.c dsa_vrf.c
+# dsa
+SRCS+=	dsa_asn1.c dsa_err.c dsa_gen.c dsa_key.c dsa_lib.c dsa_ossl.c dsa_sign.c dsa_vrf.c
 
 # dso
-SRCS+=	dso_dl.c dso_dlfcn.c dso_err.c dso_lib.c dso_null.c \
-	dso_openssl.c
+SRCS+=	dso_dl.c dso_dlfcn.c dso_err.c dso_lib.c dso_null.c dso_openssl.c
+
+# ec
+SRCS+=	ec_cvt.c ec_err.c ec_lib.c ec_mult.c ecp_mont.c ecp_nist.c \
+	ecp_recp.c ecp_smpl.c
+
+# engine
+SRCS+=	eng_all.c eng_cnf.c eng_ctrl.c eng_dyn.c eng_err.c eng_fat.c \
+	eng_init.c eng_lib.c eng_list.c eng_openssl.c eng_pkey.c \
+	eng_table.c hw_4758_cca.c hw_4758_cca_err.c hw_aep.c hw_aep_err.c \
+	hw_atalla.c hw_atalla_err.c hw_cryptodev.c hw_cswift.c \
+	hw_cswift_err.c hw_ncipher.c hw_ncipher_err.c hw_nuron.c \
+	hw_nuron_err.c hw_sureware.c hw_sureware_err.c hw_ubsec.c \
+	hw_ubsec_err.c tb_cipher.c tb_dh.c tb_digest.c tb_dsa.c tb_rand.c \
+	tb_rsa.c
 
 # err
 SRCS+=	err.c err_all.c err_prn.c
 
 # evp
 SRCS+=	bio_b64.c bio_enc.c bio_md.c bio_ok.c c_all.c c_allc.c c_alld.c \
-	digest.c e_bf.c e_cast.c e_des.c e_des3.c e_idea.c e_null.c \
-	e_rc2.c e_rc4.c e_rc5.c e_xcbc_d.c encode.c evp_enc.c \
-	evp_err.c evp_key.c evp_lib.c evp_pbe.c evp_pkey.c m_dss.c \
-	m_dss1.c m_md2.c m_md4.c m_md5.c m_mdc2.c m_null.c m_ripemd.c \
-	m_sha.c m_sha1.c names.c p5_crpt.c p5_crpt2.c p_dec.c p_enc.c \
-	p_lib.c p_open.c p_seal.c p_sign.c p_verify.c
+	digest.c e_aes.c e_bf.c e_cast.c e_des.c e_des3.c e_idea.c \
+	e_null.c e_rc2.c e_rc4.c e_rc5.c e_xcbc_d.c encode.c evp_acnf.c \
+	evp_enc.c evp_err.c evp_key.c evp_lib.c evp_pbe.c evp_pkey.c \
+	m_dss.c m_dss1.c m_md2.c m_md4.c m_md5.c m_mdc2.c m_null.c \
+	m_ripemd.c m_sha.c m_sha1.c names.c openbsd_hw.c p5_crpt.c \
+	p5_crpt2.c p_dec.c p_enc.c p_lib.c p_open.c p_seal.c p_sign.c \
+	p_verify.c
 
 # hmac
 SRCS+=	hmac.c
 
 # idea
 .if defined(MAKE_IDEA) && ${MAKE_IDEA} == YES
-SRCS+=	i_ecb.c i_cbc.c i_cfb64.c i_ofb64.c i_skey.c
+SRCS+=	i_cbc.c i_cfb64.c i_ecb.c i_ofb64.c i_skey.c
 .endif
 
+# krb5
+#SRCS+=	krb5_asn.c
+
 # lhash
 SRCS+=	lh_stats.c lhash.c
 
@@ -156,247 +128,131 @@ SRCS+=	md4_dgst.c md4_one.c
 
 # md5
 SRCS+=	md5_dgst.c md5_one.c
-.if !defined(NOPERL) && ${MACHINE_ARCH} == "i386"
-SRCS+=	md5-586.pl
-.endif
 
 # mdc2
-SRCS+=	mdc2dgst.c mdc2_one.c
+SRCS+=	mdc2_one.c mdc2dgst.c
 
 # objects
 SRCS+=	o_names.c obj_dat.c obj_err.c obj_lib.c
 
-# pem
-SRCS+=	pem_all.c pem_err.c pem_info.c pem_lib.c pem_seal.c pem_sign.c
+# ocsp
+SRCS+=	ocsp_asn.c ocsp_cl.c ocsp_err.c ocsp_ext.c ocsp_ht.c \
+	ocsp_lib.c ocsp_prn.c ocsp_srv.c ocsp_vfy.c
 
-# pkcs7
-SRCS+=	pk7_attr.c pk7_doit.c pk7_lib.c pk7_mime.c pk7_smime.c pkcs7err.c 
+# pem
+SRCS+=	pem_all.c pem_err.c pem_info.c pem_lib.c pem_oth.c pem_pk8.c \
+	pem_pkey.c pem_seal.c pem_sign.c pem_x509.c pem_xaux.c
 
 # pkcs12
-SRCS+=	p12_add.c p12_attr.c p12_bags.c p12_crpt.c p12_crt.c p12_decr.c \
-	p12_init.c p12_key.c p12_kiss.c p12_lib.c p12_mac.c p12_mutl.c \
-	p12_npas.c p12_sbag.c p12_utl.c pk12err.c
+SRCS+=	p12_add.c p12_asn.c p12_attr.c p12_crpt.c p12_crt.c \
+	p12_decr.c p12_init.c p12_key.c p12_kiss.c p12_mutl.c \
+	p12_npas.c p12_p8d.c p12_p8e.c p12_utl.c pk12err.c
+
+# pkcs7
+SRCS+=	example.c pk7_asn1.c pk7_attr.c pk7_dgst.c pk7_doit.c \
+	pk7_lib.c pk7_mime.c pk7_smime.c pkcs7err.c
 
 # rand
-SRCS+=	md_rand.c rand_egd.c rand_err.c rand_lib.c rand_win.c randfile.c
+SRCS+=	md_rand.c rand_egd.c rand_err.c rand_lib.c rand_unix.c randfile.c
 
 # rc2
-SRCS+=	rc2_cbc.c rc2cfb64.c rc2_ecb.c rc2ofb64.c rc2_skey.c 
+SRCS+=	rc2_cbc.c rc2_ecb.c rc2_skey.c rc2cfb64.c rc2ofb64.c
 
 # rc4
-SRCS+=	rc4_skey.c
-.if !defined(NOPERL) && ${MACHINE_ARCH} == "i386"
-SRCS+=	rc4-586.pl
-.else
-SRCS+=	rc4_enc.c
-.endif
+SRCS+=	rc4_enc.c rc4_skey.c
 
 # rc5
-SRCS+=	rc5cfb64.c rc5_ecb.c rc5ofb64.c rc5_skey.c
-.if !defined(NOPERL) && ${MACHINE_ARCH} == "i386"
-SRCS+=	rc5-586.pl
-.else
-SRCS+=	rc5_enc.c
-.endif
+SRCS+=	rc5_ecb.c rc5_enc.c rc5_skey.c rc5cfb64.c rc5ofb64.c
 
 # ripemd
 SRCS+=	rmd_dgst.c rmd_one.c
-.if !defined(NOPERL) && ${MACHINE_ARCH} == "i386"
-SRCS+=	rmd-586.pl
-.endif
 
 # rsa
-.if defined(WITH_RSA) && ${WITH_RSA} == YES
-SRCS+=	rsa_chk.c rsa_eay.c rsa_err.c rsa_gen.c rsa_lib.c rsa_none.c \
-	rsa_null.c rsa_oaep.c rsa_pk1.c rsa_saos.c rsa_sign.c rsa_ssl.c
-.endif
+SRCS+=	rsa_asn1.c rsa_chk.c rsa_eay.c rsa_err.c rsa_gen.c rsa_lib.c \
+	rsa_none.c rsa_null.c rsa_oaep.c rsa_pk1.c rsa_saos.c \
+	rsa_sign.c rsa_ssl.c
 
 # sha
-SRCS+=	sha_dgst.c sha_one.c sha1_one.c sha1dgst.c
-.if !defined(NOPERL) && ${MACHINE_ARCH} == "i386"
-SRCS+=	sha1-586.pl
-.endif
+SRCS+=	sha1_one.c sha1dgst.c sha_dgst.c sha_one.c
 
 # stack
 SRCS+=	stack.c
 
+# threads
+SRCS+=	th-lock.c
+
 # txt_db
 SRCS+=	txt_db.c
 
-# x509
-SRCS+=	by_dir.c by_file.c x509_att.c x509_cmp.c x509_d2.c x509_def.c \
-	x509_err.c x509_ext.c x509_lu.c x509_obj.c x509_r2x.c \
-	x509_req.c x509_set.c x509_trs.c x509_txt.c x509_v3.c \
-	x509_vfy.c x509name.c x509rset.c x509spki.c x509type.c x_all.c 
-# x509v3
-SRCS+=	v3_akey.c v3_alt.c v3_bcons.c v3_bitst.c v3_conf.c v3_cpols.c \
-	v3_crld.c v3_enum.c v3_extku.c v3_genn.c v3_ia5.c v3_info.c \
-	v3_int.c v3_lib.c v3_pku.c v3_prn.c v3_purp.c v3_skey.c \
-	v3_sxnet.c v3_utl.c v3err.c
-
-POD1+=	apps/CA.pl.pod apps/asn1parse.pod apps/ca.pod \
-	apps/ciphers.pod apps/crl.pod \
-	apps/crl2pkcs7.pod apps/dgst.pod apps/dhparam.pod apps/dsa.pod \
-	apps/dsaparam.pod apps/enc.pod apps/gendsa.pod apps/genrsa.pod \
-	apps/nseq.pod apps/openssl.pod apps/passwd.pod apps/pkcs12.pod \
-	apps/pkcs7.pod apps/pkcs8.pod apps/rand.pod apps/req.pod \
-	apps/rsa.pod apps/rsautl.pod apps/s_client.pod \
-	apps/s_server.pod apps/sess_id.pod apps/smime.pod \
-	apps/speed.pod apps/spkac.pod apps/verify.pod apps/version.pod \
-	apps/x509.pod
-
-POD3+=	crypto/BIO_ctrl.pod crypto/BIO_f_base64.pod \
-	crypto/BIO_f_buffer.pod crypto/BIO_f_cipher.pod \
-	crypto/BIO_f_md.pod crypto/BIO_f_null.pod crypto/BIO_f_ssl.pod \
-	crypto/BIO_find_type.pod crypto/BIO_new.pod \
-	crypto/BIO_new_bio_pair.pod crypto/BIO_push.pod \
-	crypto/BIO_read.pod crypto/BIO_s_accept.pod \
-	crypto/BIO_s_bio.pod crypto/BIO_s_connect.pod \
-	crypto/BIO_s_fd.pod crypto/BIO_s_file.pod crypto/BIO_s_mem.pod \
-	crypto/BIO_s_null.pod crypto/BIO_s_socket.pod \
-	crypto/BIO_set_callback.pod crypto/BIO_should_retry.pod \
-	crypto/BN_CTX_new.pod crypto/BN_CTX_start.pod \
-	crypto/BN_add.pod crypto/BN_add_word.pod crypto/BN_bn2bin.pod \
-	crypto/BN_cmp.pod crypto/BN_copy.pod \
-	crypto/BN_generate_prime.pod crypto/BN_mod_inverse.pod \
-	crypto/BN_mod_mul_montgomery.pod \
-	crypto/BN_mod_mul_reciprocal.pod crypto/BN_new.pod \
-	crypto/BN_num_bytes.pod crypto/BN_rand.pod \
-	crypto/BN_set_bit.pod crypto/BN_zero.pod \
-	crypto/CRYPTO_set_ex_data.pod crypto/DH_generate_key.pod \
-	crypto/DH_generate_parameters.pod \
-	crypto/DH_get_ex_new_index.pod crypto/DH_new.pod \
-	crypto/DH_set_method.pod crypto/DH_size.pod \
-	crypto/DSA_SIG_new.pod crypto/DSA_do_sign.pod \
-	crypto/DSA_dup_DH.pod crypto/DSA_generate_key.pod \
-	crypto/DSA_generate_parameters.pod \
-	crypto/DSA_get_ex_new_index.pod crypto/DSA_new.pod \
-	crypto/DSA_set_method.pod crypto/DSA_sign.pod \
-	crypto/DSA_size.pod crypto/ERR_GET_LIB.pod \
-	crypto/ERR_clear_error.pod crypto/ERR_error_string.pod \
-	crypto/ERR_get_error.pod crypto/ERR_load_crypto_strings.pod \
-	crypto/ERR_load_strings.pod crypto/ERR_print_errors.pod \
-	crypto/ERR_put_error.pod crypto/ERR_remove_state.pod \
-	crypto/EVP_DigestInit.pod crypto/EVP_EncryptInit.pod \
-	crypto/EVP_OpenInit.pod crypto/EVP_SealInit.pod \
-	crypto/EVP_SignInit.pod crypto/EVP_VerifyInit.pod \
-	crypto/OPENSSL_VERSION_NUMBER.pod \
-	crypto/OpenSSL_add_all_algorithms.pod crypto/RAND_add.pod \
-	crypto/RAND_bytes.pod crypto/RAND_cleanup.pod \
-	crypto/RAND_egd.pod crypto/RAND_load_file.pod \
-	crypto/RAND_set_rand_method.pod crypto/RSA_blinding_on.pod \
-	crypto/RSA_check_key.pod crypto/RSA_generate_key.pod \
-	crypto/RSA_get_ex_new_index.pod crypto/RSA_new.pod \
-	crypto/RSA_padding_add_PKCS1_type_1.pod crypto/RSA_print.pod \
-	crypto/RSA_private_encrypt.pod crypto/RSA_public_encrypt.pod \
-	crypto/RSA_set_method.pod crypto/RSA_sign.pod \
-	crypto/RSA_sign_ASN1_OCTET_STRING.pod crypto/RSA_size.pod \
-	crypto/bio.pod crypto/blowfish.pod crypto/bn.pod \
-	crypto/bn_internal.pod crypto/buffer.pod crypto/crypto.pod \
-	crypto/d2i_DHparams.pod crypto/d2i_RSAPublicKey.pod \
-	crypto/des.pod crypto/des_modes.pod crypto/dh.pod \
-	crypto/dsa.pod crypto/err.pod crypto/evp.pod crypto/hmac.pod \
-	crypto/lh_stats.pod crypto/lhash.pod crypto/md5.pod \
-	crypto/mdc2.pod crypto/rand.pod crypto/rc4.pod \
-	crypto/ripemd.pod crypto/rsa.pod crypto/sha.pod \
-	crypto/threads.pod
+# ui
+SRCS+=	ui_compat.c ui_err.c ui_lib.c ui_openssl.c ui_util.c
 
-POD3+=	ssl/SSL_CIPHER_get_name.pod \
-	ssl/SSL_CTX_add_extra_chain_cert.pod \
-	ssl/SSL_CTX_add_session.pod ssl/SSL_CTX_flush_sessions.pod \
-	ssl/SSL_CTX_free.pod ssl/SSL_CTX_get_ex_new_index.pod \
-	ssl/SSL_CTX_get_verify_mode.pod \
-	ssl/SSL_CTX_load_verify_locations.pod ssl/SSL_CTX_new.pod \
-	ssl/SSL_CTX_sess_set_cache_size.pod ssl/SSL_CTX_sess_set_get_cb.pod \
-	ssl/SSL_CTX_sessions.pod ssl/SSL_CTX_set_cipher_list.pod \
-	ssl/SSL_CTX_set_client_CA_list.pod \
-	ssl/SSL_CTX_set_client_cert_cb.pod \
-	ssl/SSL_CTX_set_default_passwd_cb.pod ssl/SSL_CTX_set_options.pod\
-	ssl/SSL_CTX_set_session_cache_mode.pod \
-	ssl/SSL_CTX_set_session_id_context.pod \
-	ssl/SSL_CTX_set_ssl_version.pod \
-	ssl/SSL_CTX_set_timeout.pod ssl/SSL_CTX_set_verify.pod \
-	ssl/SSL_CTX_use_certificate.pod ssl/SSL_SESSION_free.pod \
-	ssl/SSL_SESSION_get_ex_new_index.pod \
-	ssl/SSL_SESSION_get_time.pod \
-	ssl/SSL_accept.pod ssl/SSL_clear.pod ssl/SSL_connect.pod \
-	ssl/SSL_do_handshake.pod \
-	ssl/SSL_free.pod ssl/SSL_get_ciphers.pod \
-	ssl/SSL_get_client_CA_list.pod ssl/SSL_get_current_cipher.pod \
-	ssl/SSL_get_error.pod ssl/SSL_get_ex_data_X509_STORE_CTX_idx.pod \
-	ssl/SSL_get_ex_new_index.pod ssl/SSL_get_fd.pod \
-	ssl/SSL_get_peer_cert_chain.pod ssl/SSL_get_peer_certificate.pod \
-	ssl/SSL_get_rbio.pod ssl/SSL_get_session.pod \
-	ssl/SSL_get_verify_result.pod ssl/SSL_library_init.pod \
-	ssl/SSL_load_client_CA_file.pod ssl/SSL_new.pod ssl/SSL_pending.pod \
-	ssl/SSL_read.pod ssl/SSL_set_bio.pod ssl/SSL_set_fd.pod \
-	ssl/SSL_set_session.pod ssl/SSL_set_verify_result.pod \
-	ssl/SSL_shutdown.pod ssl/SSL_write.pod ssl/d2i_SSL_SESSION.pod \
-	ssl/ssl.pod ssl/SSL_CTX_sess_number.pod ssl/SSL_CTX_set_mode.pod \
-	ssl/SSL_get_version.pod ssl/SSL_set_connect_state.pod \
-	ssl/SSL_set_shutdown.pod ssl/SSL_alert_type_string.pod \
-	ssl/SSL_COMP_add_compression_method.pod ssl/SSL_CTX_ctrl.pod \
-	ssl/SSL_CTX_set_cert_store.pod \
-	ssl/SSL_CTX_set_cert_verify_callback.pod \
-	ssl/SSL_CTX_set_info_callback.pod ssl/SSL_CTX_set_quiet_shutdown.pod \
-	ssl/SSL_CTX_set_tmp_dh_callback.pod \
-	ssl/SSL_CTX_set_tmp_rsa_callback.pod ssl/SSL_get_default_timeout.pod \
-	ssl/SSL_get_SSL_CTX.pod ssl/SSL_rstate_string.pod \
-	ssl/SSL_session_reused.pod ssl/SSL_state_string.pod \
-	ssl/SSL_want.pod
-
-POD5+=	apps/config.pod
-
-.if defined(WANT_OPENSSL_MANPAGES)
-.for section in 1 3 5
-.for pod in ${POD${section}}
-.for target in ${pod:T:S/.pod/.${section}/g}
-MAN+= ${target}
-CLEANFILES+= ${target}
-${target}: ${LCRYPTO_SRC}/../doc/${pod}
-	pod2man ${LCRYPTO_SRC}/../doc/${pod} > ${target}
-.endfor
-.endfor
-.endfor
-.endif
-
-MAN+=	des_crypt.3
+# x509
+SRCS+=	by_dir.c by_file.c x509_att.c x509_cmp.c x509_d2.c \
+	x509_def.c x509_err.c x509_ext.c x509_lu.c x509_obj.c \
+	x509_r2x.c x509_req.c x509_set.c x509_trs.c x509_txt.c \
+	x509_v3.c x509_vfy.c x509cset.c x509name.c x509rset.c \
+	x509spki.c x509type.c x_all.c
 
-MLINKS= des_crypt.3 des_read_password.3 \
-	des_crypt.3 des_read_2password.3 des_crypt.3 des_string_to_key.3 \
-	des_crypt.3 des_string_to_2key.3 des_crypt.3 des_read_pw_string.3 \
-	des_crypt.3 des_random_key.3 des_crypt.3 des_set_key.3 \
-	des_crypt.3 des_key_sched.3 des_crypt.3 des_ecb_encrypt.3 \
-	des_crypt.3 des_3ecb_encrypt.3 des_crypt.3 des_cbc_encrypt.3 \
-	des_crypt.3 des_3cbc_encrypt.3 des_crypt.3 des_pcbc_encrypt.3 \
-	des_crypt.3 des_cfb_encrypt.3 des_crypt.3 des_ofb_encrypt.3 \
-	des_crypt.3 des_cbc_cksum.3 des_crypt.3 des_quad_cksum.3 \
-	des_crypt.3 des_enc_read.3 des_crypt.3 des_enc_write.3 \
-	des_crypt.3 des_set_odd_parity.3 des_crypt.3 des_is_weak_key.3
+# x509v3
+SRCS+=	v3_akey.c v3_akeya.c v3_alt.c v3_bcons.c v3_bitst.c \
+	v3_conf.c v3_cpols.c v3_crld.c v3_enum.c v3_extku.c \
+	v3_genn.c v3_ia5.c v3_info.c v3_int.c v3_lib.c v3_ocsp.c \
+	v3_pku.c v3_prn.c v3_purp.c v3_skey.c v3_sxnet.c v3_utl.c v3err.c
 
 INCS=		${HDRS} openssl/evp.h openssl/opensslconf.h
 INCSDIR=	${INCLUDEDIR}/openssl
-INCSLINKS=	openssl/des.h ${INCLUDEDIR}/des.h
-
-afterinstall:
-.if !defined(NOPIC)
-SYMLINKS+=	lib${LIB}.so.${SHLIB_MAJOR} ${LIBDIR}/libdes.so.3
-SYMLINKS+=	lib${LIB}.so.${SHLIB_MAJOR} ${LIBDIR}/libdes.so
-.endif
-SYMLINKS+=	lib${LIB}.a ${LIBDIR}/libdes.a
-.if !defined(NOPROFILE)
-SYMLINKS+=	lib${LIB}_p.a ${LIBDIR}/libdes_p.a
-.endif
 
 .include <bsd.lib.mk>
 
-.if !defined(NOPERL) && ${MACHINE_ARCH} == "i386"
-CLEANFILES+=	${SRCS:M*.pl:S/.pl$/.cmt/} ${SRCS:M*.pl:S/.pl$/.s/}
-.SUFFIXES:	.pl .cmt
-.pl.cmt:
-	perl -I${PERLPATH} ${.ALLSRC} elf ${CPUTYPE:Mi386:S/i//} > ${.TARGET}
-
-.cmt.s:
-	tr -d "'" < ${.ALLSRC} > ${.TARGET}
+.if defined(MAKE_IDEA) && ${MAKE_IDEA} == YES
+_ideapath=	${LCRYPTO_SRC}/crypto/idea
 .endif
 
+.PATH: \
+	${LCRYPTO_SRC}/crypto \
+	${LCRYPTO_SRC}/crypto/aes \
+	${LCRYPTO_SRC}/crypto/asn1 \
+	${LCRYPTO_SRC}/crypto/bf \
+	${LCRYPTO_SRC}/crypto/bio \
+	${LCRYPTO_SRC}/crypto/bn \
+	${LCRYPTO_SRC}/crypto/buffer \
+	${LCRYPTO_SRC}/crypto/cast \
+	${LCRYPTO_SRC}/crypto/comp \
+	${LCRYPTO_SRC}/crypto/conf \
+	${LCRYPTO_SRC}/crypto/des \
+	${LCRYPTO_SRC}/crypto/dh \
+	${LCRYPTO_SRC}/crypto/dsa \
+	${LCRYPTO_SRC}/crypto/dso \
+	${LCRYPTO_SRC}/crypto/ec \
+	${LCRYPTO_SRC}/crypto/engine \
+	${LCRYPTO_SRC}/crypto/err \
+	${LCRYPTO_SRC}/crypto/evp \
+	${LCRYPTO_SRC}/crypto/hmac \
+	${_ideapath} \
+	${LCRYPTO_SRC}/crypto/krb5 \
+	${LCRYPTO_SRC}/crypto/lhash \
+	${LCRYPTO_SRC}/crypto/md2 \
+	${LCRYPTO_SRC}/crypto/md4 \
+	${LCRYPTO_SRC}/crypto/md5 \
+	${LCRYPTO_SRC}/crypto/mdc2 \
+	${LCRYPTO_SRC}/crypto/objects \
+	${LCRYPTO_SRC}/crypto/ocsp \
+	${LCRYPTO_SRC}/crypto/pem \
+	${LCRYPTO_SRC}/crypto/pkcs12 \
+	${LCRYPTO_SRC}/crypto/pkcs7 \
+	${LCRYPTO_SRC}/crypto/rand \
+	${LCRYPTO_SRC}/crypto/rc2 \
+	${LCRYPTO_SRC}/crypto/rc4 \
+	${LCRYPTO_SRC}/crypto/rc5 \
+	${LCRYPTO_SRC}/crypto/ripemd \
+	${LCRYPTO_SRC}/crypto/rsa \
+	${LCRYPTO_SRC}/crypto/sha \
+	${LCRYPTO_SRC}/crypto/stack \
+	${LCRYPTO_SRC}/crypto/threads \
+	${LCRYPTO_SRC}/crypto/txt_db \
+	${LCRYPTO_SRC}/crypto/ui \
+	${LCRYPTO_SRC}/crypto/x509 \
+	${LCRYPTO_SRC}/crypto/x509v3 \
+	${LCRYPTO_SRC} \
+	${.CURDIR}/man
diff --git a/secure/lib/libcrypto/Makefile.inc b/secure/lib/libcrypto/Makefile.inc
index c0a603ee6fdd..24d32df3dd60 100644
--- a/secure/lib/libcrypto/Makefile.inc
+++ b/secure/lib/libcrypto/Makefile.inc
@@ -1,36 +1,72 @@
 # $FreeBSD$
 
-LCRYPTO_SRC=	${.CURDIR}/../../../crypto/openssl/crypto
-CFLAGS+= -DTERMIOS -DANSI_SOURCE -I${LCRYPTO_SRC} -I${.OBJDIR}
+LCRYPTO_SRC=	${.CURDIR}/../../../crypto/openssl
+LCRYPTO_DOC=	${.CURDIR}/../../../crypto/openssl/doc
+
+CFLAGS+=	-DTERMIOS -DANSI_SOURCE
+CFLAGS+=	-I${LCRYPTO_SRC} -I${LCRYPTO_SRC}/crypto \
+		-I${LCRYPTO_SRC}/crypto/engine -I${.OBJDIR}
+
 .if !defined(MAKE_IDEA) || ${MAKE_IDEA} != YES
-CFLAGS+= -DNO_IDEA
+CFLAGS+=	-DOPENSSL_NO_IDEA
+.else
+_idea_h=	idea/idea.h
 .endif
 
 .if ${MACHINE_ARCH} == "i386"
-CFLAGS+= -DL_ENDIAN 
-.if !defined(NOPERL)
-CFLAGS+= -DSHA1_ASM -DBN_ASM -DMD5_ASM -DRMD160_ASM
-.endif
+CFLAGS+= -DL_ENDIAN
 .elif ${MACHINE_ARCH} == "alpha"
 # no ENDIAN stuff defined for alpha (64-bit)
 .endif
 
-WITH_RSA?= YES
-
-HDRS=	asn1/asn1.h asn1/asn1_mac.h bio/bio.h bf/blowfish.h bn/bn.h \
-	buffer/buffer.h cast/cast.h comp/comp.h conf/conf.h crypto.h \
-	des/des.h dh/dh.h dsa/dsa.h ../e_os.h ../e_os2.h ebcdic.h \
-	err/err.h hmac/hmac.h lhash/lhash.h md2/md2.h \
-	md5/md5.h mdc2/mdc2.h objects/objects.h opensslv.h pem/pem.h \
-	pem/pem2.h pkcs12/pkcs12.h pkcs7/pkcs7.h rand/rand.h rc2/rc2.h \
-	rc4/rc4.h rc5/rc5.h ripemd/ripemd.h rsa/rsa.h stack/safestack.h \
-	sha/sha.h stack/stack.h tmdiff.h txt_db/txt_db.h x509/x509.h \
-	x509/x509_vfy.h x509v3/x509v3.h symhacks.h objects/obj_mac.h \
-	md4/md4.h dso/dso.h conf/conf_api.h
-
-.if defined(MAKE_IDEA) && ${MAKE_IDEA} == YES
-HDRS+= idea/idea.h
-.endif
+HDRS+=	\
+	../e_os.h ../e_os2.h \
+	crypto.h \
+	ebcdic.h \
+	opensslv.h \
+	ossl_typ.h \
+	symhacks.h \
+	tmdiff.h \
+	aes/aes.h aes/aes_locl.h \
+	asn1/asn1.h asn1/asn1_mac.h asn1/asn1t.h \
+	bio/bio.h \
+	bf/blowfish.h \
+	bn/bn.h \
+	buffer/buffer.h \
+	cast/cast.h \
+	comp/comp.h \
+	conf/conf.h conf/conf_api.h \
+	des/des.h des/des_old.h \
+	dh/dh.h \
+	dsa/dsa.h \
+	dso/dso.h \
+	ec/ec.h \
+	engine/eng_int.h engine/engine.h engine/hw_4758_cca_err.h \
+	engine/hw_aep_err.h engine/hw_atalla_err.h engine/hw_cswift_err.h \
+	engine/hw_ncipher_err.h engine/hw_nuron_err.h engine/hw_sureware_err.h \
+	engine/hw_ubsec_err.h \
+	err/err.h \
+	hmac/hmac.h \
+	${_idea_h} \
+	krb5/krb5_asn.h \
+	lhash/lhash.h \
+	md2/md2.h \
+	md4/md4.h \
+	md5/md5.h \
+	mdc2/mdc2.h \
+	ocsp/ocsp.h \
+	objects/objects.h objects/obj_mac.h \
+	pem/pem.h pem/pem2.h \
+	pkcs12/pkcs12.h pkcs7/pkcs7.h \
+	rand/rand.h \
+	rc2/rc2.h rc4/rc4.h rc5/rc5.h \
+	ripemd/ripemd.h \
+	rsa/rsa.h \
+	stack/stack.h stack/safestack.h \
+	sha/sha.h \
+	txt_db/txt_db.h \
+	ui/ui.h ui/ui_compat.h ui/ui_locl.h \
+	x509/x509.h x509/x509_vfy.h x509v3/x509v3.h
 
 SRCS+=		buildinf.h openssl/opensslconf.h openssl/evp.h
 CLEANFILES+=	buildinf.h openssl/opensslconf.h openssl/evp.h
@@ -44,19 +80,65 @@ buildinf.h:
 	echo "  #define DATE \"`LC_ALL=C date`\""; \
 	echo "#endif" ) > ${.TARGET}
 
-#	XXX:  The openssl/ dependencies are not correct, in that a change in
-#	any of ${HDRS} ${EXTRA_HDRS} will no repopulate openssl/.
-#	This deficiency will be fixed in a later commit.
-
-openssl/opensslconf.h:  ../libcrypto/opensslconf-${MACHINE_ARCH}.h
+openssl/opensslconf.h:  ../../lib/libcrypto/opensslconf-${MACHINE_ARCH}.h
 	mkdir -p openssl
 	cp ${.OODATE} ${.TARGET}
-	${INSTALL} -C -m 444 ${HDRS:S;^;${LCRYPTO_SRC}/;} ${EXTRA_HDRS} openssl
 
-openssl/evp.h: ${LCRYPTO_SRC}/evp/evp.h
+openssl/evp.h: ${LCRYPTO_SRC}/crypto/evp/evp.h
 	mkdir -p openssl
 .if !defined(MAKE_IDEA) || ${MAKE_IDEA} != YES
-	sed '/^#ifndef NO_IDEA$$/,/^#endif$$/d' ${.OODATE} > ${.TARGET}
+	sed '/^#ifndef OPENSSL_NO_IDEA$$/,/^#endif$$/d' ${.OODATE} > ${.TARGET}
 .else
-	${INSTALL} -m 444 ${.OODATE} ${.TARGET}
+	${INSTALL} -C -m 444 ${.OODATE} ${.TARGET}
 .endif
+
+SRCS+=	${HDRS:T:S;^;openssl/;}
+.for h in ${HDRS:S/^/${LCRYPTO_SRC}\/crypto\//}
+openssl/${h:T}: ${h}
+	mkdir -p openssl
+	${INSTALL} -C -m 444 ${h} openssl
+.endfor
+
+MANDIR=	${SHAREDIR}/openssl/man/man
+
+.if defined(LIB)
+_docs=	${LIB}
+_skip=	des_modes
+_sec=	3
+.else
+_docs=	apps
+_skip=	config
+_sec=	1
+.endif
+
+man-update:
+.for manpage in ${MAN}
+	@(sec=${manpage:E}; \
+	pod=${manpage:R}.pod; \
+	cp ${LCRYPTO_DOC}/${_docs}/$$pod .; \
+	pod2man --section=$$sec --release="0.9.7" --center="OpenSSL" \
+	  $$pod > ${.CURDIR}/man/${manpage}; \
+	rm $$pod; \
+	${ECHO} ${manpage})
+.endfor
+
+man-makefile-update:
+	rm -f ${.CURDIR}/Makefile.man
+	echo '# $$FreeBSD$$' >> ${.CURDIR}/Makefile.man
+	echo '# DO NOT EDIT: generated from man-makefile-update target' >> \
+	    ${.CURDIR}/Makefile.man
+	for i in ${LCRYPTO_DOC}/${_docs}/*.pod; do \
+		fn=`basename $$i .pod`; \
+		if [ "$$fn" != "${_skip}" ]; then \
+		${ECHO} "MAN+= $$fn.${_sec}" >> ${.CURDIR}/Makefile.man; \
+		fi; \
+	done
+	for i in ${LCRYPTO_DOC}/${_docs}/*.pod; do \
+		fn=`basename $$i .pod`; \
+		if [ "$$fn" != "${_skip}" ]; then \
+		perl ${LCRYPTO_SRC}/util/extract-names.pl < $$i | \
+		  awk "/^$$fn\$$/ { next; } \
+		  { print \"MLINKS+= $$fn.${_sec} \" \$$1 \".${_sec}\" }" >> \
+		  ${.CURDIR}/Makefile.man; \
+		fi; \
+	done
diff --git a/secure/lib/libcrypto/des_crypt.3 b/secure/lib/libcrypto/des_crypt.3
deleted file mode 100644
index ed12ff9322e8..000000000000
--- a/secure/lib/libcrypto/des_crypt.3
+++ /dev/null
@@ -1,509 +0,0 @@
-.\" $FreeBSD$
-.TH DES_CRYPT 3 
-.SH NAME
-des_read_password, des_read_2password,
-des_string_to_key, des_string_to_2key, des_read_pw_string,
-des_random_key, des_set_key,
-des_key_sched, des_ecb_encrypt, des_ecb3_encrypt, des_cbc_encrypt,
-des_3cbc_encrypt,
-des_pcbc_encrypt, des_cfb_encrypt, des_ofb_encrypt,
-des_cbc_cksum, des_quad_cksum,
-des_enc_read, des_enc_write, des_set_odd_parity,
-des_is_weak_key, crypt \- (non USA) DES encryption
-.SH SYNOPSIS
-.nf
-.nj
-.ft B
-#include <openssl/des.h>
-.PP
-.B int des_read_password(key,prompt,verify)
-des_cblock *key;
-char *prompt;
-int verify;
-.PP
-.B int des_read_2password(key1,key2,prompt,verify)
-des_cblock *key1,*key2;
-char *prompt;
-int verify;
-.PP
-.B int des_string_to_key(str,key)
-char *str;
-des_cblock *key;
-.PP
-.B int des_string_to_2keys(str,key1,key2)
-char *str;
-des_cblock *key1,*key2;
-.PP
-.B int des_read_pw_string(buf,length,prompt,verify)
-char *buf;
-int length;
-char *prompt;
-int verify;
-.PP
-.B int des_random_key(key)
-des_cblock *key;
-.PP
-.B int des_set_key(key,schedule)
-des_cblock *key;
-des_key_schedule schedule;
-.PP
-.B int des_key_sched(key,schedule)
-des_cblock *key;
-des_key_schedule schedule;
-.PP
-.B int des_ecb_encrypt(input,output,schedule,encrypt)
-des_cblock *input;
-des_cblock *output;
-des_key_schedule schedule;
-int encrypt;
-.PP
-.B int des_ecb3_encrypt(input,output,ks1,ks2,encrypt)
-des_cblock *input;
-des_cblock *output;
-des_key_schedule ks1,ks2;
-int encrypt;
-.PP
-.B int des_cbc_encrypt(input,output,length,schedule,ivec,encrypt)
-des_cblock *input;
-des_cblock *output;
-long length;
-des_key_schedule schedule;
-des_cblock *ivec;
-int encrypt;
-.PP
-.B int des_3cbc_encrypt(input,output,length,sk1,sk2,ivec1,ivec2,encrypt)
-des_cblock *input;
-des_cblock *output;
-long length;
-des_key_schedule sk1;
-des_key_schedule sk2;
-des_cblock *ivec1;
-des_cblock *ivec2;
-int encrypt;
-.PP
-.B int des_pcbc_encrypt(input,output,length,schedule,ivec,encrypt)
-des_cblock *input;
-des_cblock *output;
-long length;
-des_key_schedule schedule;
-des_cblock *ivec;
-int encrypt;
-.PP
-.B int des_cfb_encrypt(input,output,numbits,length,schedule,ivec,encrypt)
-unsigned char *input;
-unsigned char *output;
-int numbits;
-long length;
-des_key_schedule schedule;
-des_cblock *ivec;
-int encrypt;
-.PP
-.B int des_ofb_encrypt(input,output,numbits,length,schedule,ivec)
-unsigned char *input,*output;
-int numbits;
-long length;
-des_key_schedule schedule;
-des_cblock *ivec;
-.PP
-.B unsigned long des_cbc_cksum(input,output,length,schedule,ivec)
-des_cblock *input;
-des_cblock *output;
-long length;
-des_key_schedule schedule;
-des_cblock *ivec;
-.PP
-.B unsigned long des_quad_cksum(input,output,length,out_count,seed)
-des_cblock *input;
-des_cblock *output;
-long length;
-int out_count;
-des_cblock *seed;
-.PP
-.B int des_check_key;
-.PP
-.B int des_enc_read(fd,buf,len,sched,iv)
-int fd;
-char *buf;
-int len;
-des_key_schedule sched;
-des_cblock *iv;
-.PP
-.B int des_enc_write(fd,buf,len,sched,iv)
-int fd;
-char *buf;
-int len;
-des_key_schedule sched;
-des_cblock *iv;
-.PP
-.B extern int des_rw_mode;
-.PP
-.B void des_set_odd_parity(key)
-des_cblock *key;
-.PP
-.B int des_is_weak_key(key)
-des_cblock *key;
-.PP
-.B char *crypt(passwd,salt)
-char *passwd;
-char *salt;
-.PP
-.fi
-.SH DESCRIPTION
-This library contains a fast implementation of the DES encryption
-algorithm.
-.PP
-There are two phases to the use of DES encryption.
-The first is the generation of a
-.I des_key_schedule
-from a key,
-the second is the actual encryption.
-A des key is of type
-.I des_cblock.
-This type is made from 8 characters with odd parity.
-The least significant bit in the character is the parity bit.
-The key schedule is an expanded form of the key; it is used to speed the
-encryption process.
-.PP
-.I des_read_password
-writes the string specified by prompt to the standard output,
-turns off echo and reads an input string from standard input
-until terminated with a newline.
-If verify is non-zero, it prompts and reads the input again and verifies
-that both entered passwords are the same.
-The entered string is converted into a des key by using the
-.I des_string_to_key
-routine.
-The new key is placed in the
-.I des_cblock
-that was passed (by reference) to the routine.
-If there were no errors,
-.I des_read_password
-returns 0,
--1 is returned if there was a terminal error and 1 is returned for
-any other error.
-.PP
-.I des_read_2password
-operates in the same way as
-.I des_read_password
-except that it generates 2 keys by using the
-.I des_string_to_2key
-function.
-.PP
-.I des_read_pw_string
-is called by
-.I des_read_password
-to read and verify a string from a terminal device.
-The string is returned in
-.I buf.
-The size of
-.I buf
-is passed to the routine via the
-.I length
-parameter.
-.PP
-.I des_string_to_key
-converts a string into a valid des key.
-.PP
-.I des_string_to_2key
-converts a string into 2 valid des keys.
-This routine is best suited for used to generate keys for use with
-.I des_ecb3_encrypt.
-.PP
-.I des_random_key
-returns a random key that is made of a combination of process id,
-time and an increasing counter.
-.PP
-Before a des key can be used it is converted into a
-.I des_key_schedule
-via the
-.I des_set_key
-routine.
-If the
-.I des_check_key
-flag is non-zero,
-.I des_set_key
-will check that the key passed is of odd parity and is not a week or
-semi-weak key.
-If the parity is wrong,
-then -1 is returned.
-If the key is a weak key,
-then -2 is returned.
-If an error is returned,
-the key schedule is not generated.
-.PP
-.I des_key_sched
-is another name for the
-.I des_set_key
-function.
-.PP
-The following routines mostly operate on an input and output stream of
-.I des_cblock's.
-.PP
-.I des_ecb_encrypt
-is the basic DES encryption routine that encrypts or decrypts a single 8-byte
-.I des_cblock
-in
-.I electronic code book
-mode.
-It always transforms the input data, pointed to by
-.I input,
-into the output data,
-pointed to by the
-.I output
-argument.
-If the
-.I encrypt
-argument is non-zero (DES_ENCRYPT),
-the
-.I input
-(cleartext) is encrypted in to the
-.I output
-(ciphertext) using the key_schedule specified by the
-.I schedule
-argument,
-previously set via
-.I des_set_key.
-If
-.I encrypt
-is zero (DES_DECRYPT),
-the
-.I input
-(now ciphertext)
-is decrypted into the
-.I output
-(now cleartext).
-Input and output may overlap.
-No meaningful value is returned.
-.PP
-.I des_ecb3_encrypt
-encrypts/decrypts the
-.I input
-block by using triple ecb DES encryption.
-This involves encrypting the input with 
-.I ks1,
-decryption with the key schedule
-.I ks2,
-and then encryption with the first again.
-This routine greatly reduces the chances of brute force breaking of
-DES and has the advantage of if
-.I ks1
-and
-.I ks2
-are the same, it is equivalent to just encryption using ecb mode and
-.I ks1
-as the key.
-.PP
-.I des_cbc_encrypt
-encrypts/decrypts using the
-.I cipher-block-chaining
-mode of DES.
-If the
-.I encrypt
-argument is non-zero,
-the routine cipher-block-chain encrypts the cleartext data pointed to by the
-.I input
-argument into the ciphertext pointed to by the
-.I output
-argument,
-using the key schedule provided by the
-.I schedule
-argument,
-and initialisation vector provided by the
-.I ivec
-argument.
-If the
-.I length
-argument is not an integral multiple of eight bytes, 
-the last block is copied to a temporary area and zero filled.
-The output is always
-an integral multiple of eight bytes.
-To make multiple cbc encrypt calls on a large amount of data appear to
-be one 
-.I des_cbc_encrypt
-call, the
-.I ivec
-of subsequent calls should be the last 8 bytes of the output.
-.PP
-.I des_3cbc_encrypt
-encrypts/decrypts the
-.I input
-block by using triple cbc DES encryption.
-This involves encrypting the input with key schedule
-.I ks1,
-decryption with the key schedule
-.I ks2,
-and then encryption with the first again.
-2 initialisation vectors are required,
-.I ivec1
-and
-.I ivec2.
-Unlike
-.I des_cbc_encrypt,
-these initialisation vectors are modified by the subroutine.
-This routine greatly reduces the chances of brute force breaking of
-DES and has the advantage of if
-.I ks1
-and
-.I ks2
-are the same, it is equivalent to just encryption using cbc mode and
-.I ks1
-as the key.
-.PP
-.I des_pcbc_encrypt
-encrypt/decrypts using a modified block chaining mode.
-It provides better error propagation characteristics than cbc
-encryption.
-.PP
-.I des_cfb_encrypt
-encrypt/decrypts using cipher feedback mode.  This method takes an
-array of characters as input and outputs and array of characters.  It
-does not require any padding to 8 character groups.  Note: the ivec
-variable is changed and the new changed value needs to be passed to
-the next call to this function.  Since this function runs a complete
-DES ecb encryption per numbits, this function is only suggested for
-use when sending small numbers of characters.
-.PP
-.I des_ofb_encrypt
-encrypt using output feedback mode.  This method takes an
-array of characters as input and outputs and array of characters.  It
-does not require any padding to 8 character groups.  Note: the ivec
-variable is changed and the new changed value needs to be passed to
-the next call to this function.  Since this function runs a complete
-DES ecb encryption per numbits, this function is only suggested for
-use when sending small numbers of characters.
-.PP
-.I des_cbc_cksum
-produces an 8 byte checksum based on the input stream (via cbc encryption).
-The last 4 bytes of the checksum is returned and the complete 8 bytes is
-placed in
-.I output.
-.PP
-.I des_quad_cksum
-returns a 4 byte checksum from the input bytes.
-The algorithm can be iterated over the input,
-depending on
-.I out_count,
-1, 2, 3 or 4 times.
-If
-.I output
-is non-NULL,
-the 8 bytes generated by each pass are written into
-.I output.
-.PP
-.I des_enc_write
-is used to write
-.I len
-bytes
-to file descriptor
-.I fd
-from buffer
-.I buf.
-The data is encrypted via
-.I pcbc_encrypt
-(default) using
-.I sched
-for the key and
-.I iv
-as a starting vector.
-The actual data send down
-.I fd
-consists of 4 bytes (in network byte order) containing the length of the
-following encrypted data.  The encrypted data then follows, padded with random
-data out to a multiple of 8 bytes.
-.PP
-.I des_enc_read
-is used to read
-.I len
-bytes
-from file descriptor
-.I fd
-into buffer
-.I buf.
-The data being read from
-.I fd
-is assumed to have come from
-.I des_enc_write
-and is decrypted using
-.I sched
-for the key schedule and
-.I iv
-for the initial vector.
-The
-.I des_enc_read/des_enc_write
-pair can be used to read/write to files, pipes and sockets.
-I have used them in implementing a version of rlogin in which all
-data is encrypted.
-.PP
-.I des_rw_mode
-is used to specify the encryption mode to use with 
-.I des_enc_read
-and 
-.I des_end_write.
-If set to
-.I DES_PCBC_MODE
-(the default), des_pcbc_encrypt is used.
-If set to
-.I DES_CBC_MODE
-des_cbc_encrypt is used.
-These two routines and the variable are not part of the normal MIT library.
-.PP
-.I des_set_odd_parity
-sets the parity of the passed
-.I key
-to odd.  This routine is not part of the standard MIT library.
-.PP
-.I des_is_weak_key
-returns 1 is the passed key is a weak key (pick again :-),
-0 if it is ok.
-This routine is not part of the standard MIT library.
-.PP
-.I crypt
-is a replacement for the normal system crypt.
-It is much faster than the system crypt.
-.PP
-.SH FILES
-/usr/include/openssl/des.h
-.br
-/usr/lib/libcrypto.a
-.PP
-The encryption routines have been tested on 16bit, 32bit and 64bit
-machines of various endian and even works under VMS.
-.PP
-.SH BUGS
-.PP
-If you think this manual is sparse,
-read the des_crypt(3) manual from the MIT kerberos (or bones outside
-of the USA) distribution.
-.PP
-.I des_cfb_encrypt
-and
-.I des_ofb_encrypt
-operates on input of 8 bits.  What this means is that if you set
-numbits to 12, and length to 2, the first 12 bits will come from the 1st
-input byte and the low half of the second input byte.  The second 12
-bits will have the low 8 bits taken from the 3rd input byte and the
-top 4 bits taken from the 4th input byte.  The same holds for output.
-This function has been implemented this way because most people will
-be using a multiple of 8 and because once you get into pulling bytes input
-bytes apart things get ugly!
-.PP
-.I des_read_pw_string
-is the most machine/OS dependent function and normally generates the
-most problems when porting this code.
-.PP
-.I des_string_to_key
-is probably different from the MIT version since there are lots
-of fun ways to implement one-way encryption of a text string.
-.PP
-The routines are optimised for 32 bit machines and so are not efficient
-on IBM PCs.
-.PP
-NOTE: extensive work has been done on this library since this document
-was origionally written.  Please try to read des.doc from the libdes
-distribution since it is far more upto date and documents more of the
-functions.  Libdes is now also being shipped as part of SSLeay, a
-general cryptographic library that amonst other things implements
-netscapes SSL protocoll.  The most recent version can be found in
-SSLeay distributions.
-.SH AUTHOR
-Eric Young (eay@cryptsoft.com)
diff --git a/secure/lib/libcrypto/opensslconf-alpha.h b/secure/lib/libcrypto/opensslconf-alpha.h
index bcbfc08fd0d1..14e5af5bf018 100644
--- a/secure/lib/libcrypto/opensslconf-alpha.h
+++ b/secure/lib/libcrypto/opensslconf-alpha.h
@@ -64,7 +64,7 @@
 #endif
 #endif
 
-#if defined(HEADER_DES_H) && !defined(DES_LONG)
+#if (defined(HEADER_DES_H) || defined(HEADER_NEW_DES_H)) && !defined(DES_LONG)
 /* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
  * %20 speed up (longs are 8 bytes, int's are 4). */
 #ifndef DES_LONG
@@ -173,3 +173,5 @@ YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
 
 #endif /* DES_DEFAULT_OPTIONS */
 #endif /* HEADER_DES_LOCL_H */
+/* The Kerberos 5 support is MIT-specific. */
+#define OPENSSL_NO_KRB5
diff --git a/secure/lib/libcrypto/opensslconf-i386.h b/secure/lib/libcrypto/opensslconf-i386.h
index fc3cf0432479..736c996ce4c3 100644
--- a/secure/lib/libcrypto/opensslconf-i386.h
+++ b/secure/lib/libcrypto/opensslconf-i386.h
@@ -64,7 +64,7 @@
 #endif
 #endif
 
-#if defined(HEADER_DES_H) && !defined(DES_LONG)
+#if (defined(HEADER_DES_H) || defined(HEADER_NEW_DES_H)) && !defined(DES_LONG)
 /* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
  * %20 speed up (longs are 8 bytes, int's are 4). */
 #ifndef DES_LONG
@@ -173,3 +173,5 @@ YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
 
 #endif /* DES_DEFAULT_OPTIONS */
 #endif /* HEADER_DES_LOCL_H */
+/* The Kerberos 5 support is MIT-specific. */
+#define OPENSSL_NO_KRB5
diff --git a/secure/lib/libssl/Makefile b/secure/lib/libssl/Makefile
index 9fbaf339db13..8c039cad45d9 100644
--- a/secure/lib/libssl/Makefile
+++ b/secure/lib/libssl/Makefile
@@ -1,25 +1,26 @@
 # $FreeBSD$
 
-.include "../libcrypto/Makefile.inc"
-
-LCRYPTOSSL_SRC=${LCRYPTO_SRC}/../ssl
-
-.PATH:	${LCRYPTOSSL_SRC}
-
 LIB=		ssl
-SHLIB_MAJOR=	2
+SHLIB_MAJOR=	3
 
-MAINTAINER=	kris
+NOLINT=		true
 
-SRCS+=	bio_ssl.c s23_clnt.c s23_lib.c s23_meth.c s23_pkt.c s23_srvr.c \
+.if exists(Makefile.man)
+.include "Makefile.man"
+.endif
+.include "../libcrypto/Makefile.inc"
+
+SRCS=	bio_ssl.c s23_clnt.c s23_lib.c s23_meth.c s23_pkt.c s23_srvr.c \
 	s2_clnt.c s2_enc.c s2_lib.c s2_meth.c s2_pkt.c s2_srvr.c \
 	s3_both.c s3_clnt.c s3_enc.c s3_lib.c s3_meth.c s3_pkt.c \
 	s3_srvr.c ssl_algs.c ssl_asn1.c ssl_cert.c ssl_ciph.c \
 	ssl_err.c ssl_err2.c ssl_lib.c ssl_rsa.c ssl_sess.c ssl_stat.c \
-	ssl_txt.c t1_clnt.c t1_enc.c t1_lib.c t1_meth.c t1_srvr.o \
+	ssl_txt.c t1_clnt.c t1_enc.c t1_lib.c t1_meth.c t1_srvr.c
 
-INCS=	ssl.h ssl2.h ssl23.h ssl3.h ssl_locl.h tls1.h
+INCS=	kssl.h ssl.h ssl2.h ssl23.h ssl3.h tls1.h
 INCSDIR=${INCLUDEDIR}/openssl
-HDRS+=	${INCS:S;^;../ssl/;}
 
 .include <bsd.lib.mk>
+
+.PATH:	${LCRYPTO_SRC}/ssl \
+	${.CURDIR}/man
diff --git a/secure/usr.bin/openssl/Makefile b/secure/usr.bin/openssl/Makefile
index 61479d004e1f..0b41c15442bc 100644
--- a/secure/usr.bin/openssl/Makefile
+++ b/secure/usr.bin/openssl/Makefile
@@ -1,37 +1,28 @@
 # $FreeBSD$
 
-OPENSSL_SRC= ${.CURDIR}/../../../crypto/openssl/apps
-LCRYPTO_SRC= ${.CURDIR}/../../../crypto/openssl/crypto
-
-.PATH:	${OPENSSL_SRC} ${OPENSSL_SRC}/../doc/apps/
-
-PROG=	openssl
-
-MAINTAINER=	kris
+PROG=	xopenssl
+PROGNAME=	openssl
 
 DPADD=	${LIBSSL} ${LIBCRYPTO}
 LDADD=	-lssl -lcrypto
-MLINKS=	openssl.1 ssl.8
 
-CFLAGS+= -DMONOLITH -I${.CURDIR}
+NOLINT=		true
 
-WITH_RSA?=	YES
-.if ${WITH_RSA} == NO
-CFLAGS+=	-DNO_RSA -DNO_SSL2
+.if exists(Makefile.man)
+.include "Makefile.man"
 .endif
+.include "../../lib/libcrypto/Makefile.inc"
 
-SRCS=	app_rand.c apps.c asn1pars.c ca.c ciphers.c crl.c crl2p7.c \
-	dgst.c dh.c dhparam.c dsa.c dsaparam.c enc.c errstr.c gendh.c \
-	gendsa.c genrsa.c nseq.c openssl.c passwd.c pkcs12.c pkcs7.c \
-	pkcs8.c rand.c req.c rsa.c rsautl.c s_cb.c s_client.c \
-	s_server.c s_socket.c s_time.c sess_id.c smime.c speed.c \
-	spkac.c verify.c version.c x509.o
+CFLAGS+= -DMONOLITH -I${.CURDIR}
 
-CLEANFILES=	openssl.1
+SRCS+=	app_rand.c apps.c asn1pars.c ca.c ciphers.c crl.c crl2p7.c \
+	dgst.c dh.c dhparam.c dsa.c dsaparam.c enc.c engine.c errstr.c \
+	gendh.c gendsa.c genrsa.c nseq.c ocsp.c openssl.c passwd.c \
+	pkcs12.c pkcs7.c pkcs8.c rand.c req.c rsa.c rsautl.c s_cb.c \
+	s_client.c s_server.c s_socket.c s_time.c sess_id.c smime.c \
+	speed.c spkac.c verify.c version.c x509.c
 
 .include <bsd.prog.mk>
 
-.SUFFIXES: .out .o .c .cc .cpp .cxx .C .m .y .l .s .S .pod
-
-.pod.1:
-	pod2man ${.IMPSRC} > ${.TARGET}
+.PATH:	${LCRYPTO_SRC}/apps \
+	${.CURDIR}/man