SM4: Add SM4 block cipher to EVP
[openssl.git] / util / mkdef.pl
index 1d47561..1ca1112 100755 (executable)
@@ -1,22 +1,30 @@
-#!/usr/local/bin/perl -w
+#! /usr/bin/env perl
+# Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
 #
 # generate a .def file
 #
 # It does this by parsing the header files and looking for the
 # prototyped functions: it then prunes the output.
 #
-# Intermediary files are created, call libeay.num and ssleay.num,
+# Intermediary files are created, call libcrypto.num and libssl.num,
 # The format of these files is:
 #
-#      routine-name    nnnn    info
+#      routine-name    nnnn    vers    info
 #
-# and the "info" part is actually a colon-separated string of fields with
-# the following meaning:
+# The "nnnn" and "vers" fields are the numeric id and version for the symbol
+# respectively. The "info" part is actually a colon-separated string of fields
+# with the following meaning:
 #
 #      existence:platform:kind:algorithms
 #
 # - "existence" can be "EXIST" or "NOEXIST" depending on if the symbol is
-#   found somewhere in the source, 
+#   found somewhere in the source,
 # - "platforms" is empty if it exists on all platforms, otherwise it contains
 #   comma-separated list of the platform, just as they are if the symbol exists
 #   for those platforms, or prepended with a "!" if not.  This helps resolve
@@ -28,7 +36,7 @@
 #   The semantics for the platforms is that every item is checked against the
 #   environment.  For the negative items ("!FOO"), if any of them is false
 #   (i.e. "FOO" is true) in the environment, the corresponding symbol can't be
-#   used.  For the positive itms, if all of them are false in the environment,
+#   used.  For the positive items, if all of them are false in the environment,
 #   the corresponding symbol can't be used.  Any combination of positive and
 #   negative items are possible, and of course leave room for some redundancy.
 # - "kind" is "FUNCTION" or "VARIABLE".  The meaning of that is obvious.
 #   exclude.
 #
 
+use lib ".";
+use configdata;
+use File::Spec::Functions;
+use File::Basename;
+use FindBin;
+use lib "$FindBin::Bin/perl";
+use OpenSSL::Glob;
+
 my $debug=0;
 
-my $crypto_num= "util/libeay.num";
-my $ssl_num=    "util/ssleay.num";
+my $crypto_num= catfile($config{sourcedir},"util","libcrypto.num");
+my $ssl_num=    catfile($config{sourcedir},"util","libssl.num");
 my $libname;
 
 my $do_update = 0;
@@ -51,24 +67,25 @@ my $do_ctest = 0;
 my $do_ctestall = 0;
 my $do_checkexist = 0;
 
-my $VMSVAX=0;
-my $VMSNonVAX=0;
 my $VMS=0;
 my $W32=0;
 my $NT=0;
-my $OS2=0;
+my $UNIX=0;
+my $linux=0;
 # Set this to make typesafe STACK definitions appear in DEF
 my $safe_stack_def = 0;
 
 my @known_platforms = ( "__FreeBSD__", "PERL5",
-                       "EXPORT_VAR_AS_FUNCTION", "ZLIB",
-                       "OPENSSL_FIPS", "OPENSSL_FIPSCAPABLE" );
-my @known_ossl_platforms = ( "VMS", "WIN32", "WINNT", "OS2" );
+                       "EXPORT_VAR_AS_FUNCTION", "ZLIB", "_WIN32"
+                       );
+my @known_ossl_platforms = ( "UNIX", "VMS", "WIN32", "WINNT", "OS2" );
 my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
                         "CAST", "MD2", "MD4", "MD5", "SHA", "SHA0", "SHA1",
                         "SHA256", "SHA512", "RMD160",
-                        "MDC2", "WHIRLPOOL", "RSA", "DSA", "DH", "EC", "ECDH", "ECDSA", "EC2M",
-                        "HMAC", "AES", "CAMELLIA", "SEED", "GOST",
+                        "MDC2", "WHIRLPOOL", "RSA", "DSA", "DH", "EC", "EC2M",
+                        "HMAC", "AES", "CAMELLIA", "SEED", "GOST", "ARIA", "SM4",
+                         "SCRYPT", "CHACHA", "POLY1305", "BLAKE2",
+                        "SIPHASH",
                         # EC_NISTP_64_GCC_128
                         "EC_NISTP_64_GCC_128",
                         # Envelope "algorithms"
@@ -77,23 +94,32 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
                         "BIO", "COMP", "BUFFER", "LHASH", "STACK", "ERR",
                         "LOCKING",
                         # External "algorithms"
-                        "FP_API", "STDIO", "SOCK", "KRB5", "DGRAM",
+                        "FP_API", "STDIO", "SOCK", "DGRAM",
+                         "CRYPTO_MDEBUG",
                         # Engines
-                        "STATIC_ENGINE", "ENGINE", "HW", "GMP",
+                         "STATIC_ENGINE", "ENGINE", "HW", "GMP",
+                        # Entropy Gathering
+                        "EGD",
+                        # Certificate Transparency
+                        "CT",
+                        # RFC3779
+                        "RFC3779",
                         # TLS
-                        "TLSEXT", "PSK", "SRP", "HEARTBEATS",
+                        "PSK", "SRP", "HEARTBEATS",
                         # CMS
                         "CMS",
+                         "OCSP",
                         # CryptoAPI Engine
                         "CAPIENG",
-                        # SSL v3 method
-                        "SSL3_METHOD",
-                        # JPAKE
-                        "JPAKE",
+                        # SSL methods
+                        "SSL3_METHOD", "TLS1_METHOD", "TLS1_1_METHOD", "TLS1_2_METHOD", "DTLS1_METHOD", "DTLS1_2_METHOD",
                         # NEXTPROTONEG
                         "NEXTPROTONEG",
                         # Deprecated functions
-                        "DEPRECATED",
+                        "DEPRECATEDIN_0_9_8",
+                        "DEPRECATEDIN_1_0_0",
+                        "DEPRECATEDIN_1_1_0",
+                        "DEPRECATEDIN_1_2_0",
                         # SCTP
                         "SCTP",
                         # SRTP
@@ -102,39 +128,36 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
                         "SSL_TRACE",
                         # Unit testing
                         "UNIT_TEST",
+                        # User Interface
+                        "UI_CONSOLE",
+                        #
+                        "TS",
                         # OCB mode
                         "OCB",
+                        "CMAC",
                          # APPLINK (win build feature?)
                          "APPLINK"
                      );
 
-my $options="";
-open(IN,"<Makefile") || die "unable to open Makefile!\n";
-while(<IN>) {
-    $options=$1 if (/^OPTIONS=(.*)$/);
+my %disabled_algorithms;
+
+foreach (@known_algorithms) {
+    $disabled_algorithms{$_} = 0;
+}
+# disabled by default
+$disabled_algorithms{"STATIC_ENGINE"} = 1;
+
+my $apiv = sprintf "%x%02x%02x", split(/\./, $config{api});
+foreach (keys %disabled_algorithms) {
+       if (/^DEPRECATEDIN_(\d+)_(\d+)_(\d+)$/) {
+               my $depv = sprintf "%x%02x%02x", $1, $2, $3;
+               $disabled_algorithms{$_} = 1 if $apiv ge $depv;
+       }
 }
-close(IN);
-
-# The following ciphers may be excluded (by Configure). This means functions
-# defined with ifndef(NO_XXX) are not included in the .def file, and everything
-# in directory xxx is ignored.
-my $no_rc2; my $no_rc4; my $no_rc5; my $no_idea; my $no_des; my $no_bf;
-my $no_cast; my $no_whirlpool; my $no_camellia; my $no_seed;
-my $no_md2; my $no_md4; my $no_md5; my $no_sha; my $no_ripemd; my $no_mdc2;
-my $no_rsa; my $no_dsa; my $no_dh; my $no_aes; my $no_krb5;
-my $no_ec; my $no_ecdsa; my $no_ecdh; my $no_engine; my $no_hw;
-my $no_fp_api; my $no_static_engine=1; my $no_gmp; my $no_deprecated;
-my $no_psk; my $no_tlsext; my $no_cms; my $no_capieng;
-my $no_jpake; my $no_srp; my $no_ec2m; my $no_nistp_gcc; 
-my $no_nextprotoneg; my $no_sctp; my $no_srtp; my $no_ssl_trace;
-my $no_unit_test; my $no_ssl3_method; my $no_ocb;
-
-my $fips;
 
 my $zlib;
 
-
-foreach (@ARGV, split(/ /, $options))
+foreach (@ARGV, split(/ /, $config{options}))
        {
        $debug=1 if $_ eq "debug";
        $W32=1 if $_ eq "32";
@@ -143,112 +166,60 @@ foreach (@ARGV, split(/ /, $options))
                $W32 = 1;
                $NT = 1;
        }
-       if ($_ eq "VMS-VAX") {
-               $VMS=1;
-               $VMSVAX=1;
-       }
-       if ($_ eq "VMS-NonVAX") {
-               $VMS=1;
-               $VMSNonVAX=1;
+       if ($_ eq "linux") {
+               $linux=1;
+               $UNIX=1;
        }
        $VMS=1 if $_ eq "VMS";
-       $OS2=1 if $_ eq "OS2";
-       $fips=1 if /^fips/;
        if ($_ eq "zlib" || $_ eq "enable-zlib" || $_ eq "zlib-dynamic"
                         || $_ eq "enable-zlib-dynamic") {
                $zlib = 1;
        }
 
-       $do_ssl=1 if $_ eq "ssleay";
+       $do_ssl=1 if $_ eq "libssl";
        if ($_ eq "ssl") {
-               $do_ssl=1; 
+               $do_ssl=1;
                $libname=$_
        }
-       $do_crypto=1 if $_ eq "libeay";
+       $do_crypto=1 if $_ eq "libcrypto";
        if ($_ eq "crypto") {
                $do_crypto=1;
                $libname=$_;
        }
-       $no_static_engine=1 if $_ eq "no-static-engine";
-       $no_static_engine=0 if $_ eq "enable-static-engine";
        $do_update=1 if $_ eq "update";
        $do_rewrite=1 if $_ eq "rewrite";
        $do_ctest=1 if $_ eq "ctest";
        $do_ctestall=1 if $_ eq "ctestall";
        $do_checkexist=1 if $_ eq "exist";
-       #$safe_stack_def=1 if $_ eq "-DDEBUG_SAFESTACK";
-
-       if    (/^no-rc2$/)      { $no_rc2=1; }
-       elsif (/^no-rc4$/)      { $no_rc4=1; }
-       elsif (/^no-rc5$/)      { $no_rc5=1; }
-       elsif (/^no-idea$/)     { $no_idea=1; }
-       elsif (/^no-des$/)      { $no_des=1; $no_mdc2=1; }
-       elsif (/^no-bf$/)       { $no_bf=1; }
-       elsif (/^no-cast$/)     { $no_cast=1; }
-       elsif (/^no-whirlpool$/)     { $no_whirlpool=1; }
-       elsif (/^no-md2$/)      { $no_md2=1; }
-       elsif (/^no-md4$/)      { $no_md4=1; }
-       elsif (/^no-md5$/)      { $no_md5=1; }
-       elsif (/^no-sha$/)      { $no_sha=1; }
-       elsif (/^no-ripemd$/)   { $no_ripemd=1; }
-       elsif (/^no-mdc2$/)     { $no_mdc2=1; }
-       elsif (/^no-rsa$/)      { $no_rsa=1; }
-       elsif (/^no-dsa$/)      { $no_dsa=1; }
-       elsif (/^no-dh$/)       { $no_dh=1; }
-       elsif (/^no-ec$/)       { $no_ec=1; }
-       elsif (/^no-ecdsa$/)    { $no_ecdsa=1; }
-       elsif (/^no-ecdh$/)     { $no_ecdh=1; }
-       elsif (/^no-aes$/)      { $no_aes=1; }
-       elsif (/^no-camellia$/) { $no_camellia=1; }
-       elsif (/^no-seed$/)     { $no_seed=1; }
-       elsif (/^no-evp$/)      { $no_evp=1; }
-       elsif (/^no-lhash$/)    { $no_lhash=1; }
-       elsif (/^no-stack$/)    { $no_stack=1; }
-       elsif (/^no-err$/)      { $no_err=1; }
-       elsif (/^no-buffer$/)   { $no_buffer=1; }
-       elsif (/^no-bio$/)      { $no_bio=1; }
-       #elsif (/^no-locking$/) { $no_locking=1; }
-       elsif (/^no-comp$/)     { $no_comp=1; }
-       elsif (/^no-dso$/)      { $no_dso=1; }
-       elsif (/^no-krb5$/)     { $no_krb5=1; }
-       elsif (/^no-engine$/)   { $no_engine=1; }
-       elsif (/^no-hw$/)       { $no_hw=1; }
-       elsif (/^no-gmp$/)      { $no_gmp=1; }
-       elsif (/^no-tlsext$/)   { $no_tlsext=1; }
-       elsif (/^no-cms$/)      { $no_cms=1; }
-       elsif (/^no-ec2m$/)     { $no_ec2m=1; }
-       elsif (/^no-ec-nistp224-64-gcc-128$/)   { $no_nistp_gcc=1; }
-       elsif (/^no-nextprotoneg$/)     { $no_nextprotoneg=1; }
-       elsif (/^no-ssl3-method$/) { $no_ssl3_method=1; }
-       elsif (/^no-ssl-trace$/) { $no_ssl_trace=1; }
-       elsif (/^no-capieng$/)  { $no_capieng=1; }
-       elsif (/^no-jpake$/)    { $no_jpake=1; }
-       elsif (/^no-srp$/)      { $no_srp=1; }
-       elsif (/^no-sctp$/)     { $no_sctp=1; }
-       elsif (/^no-srtp$/)     { $no_srtp=1; }
-       elsif (/^no-unit-test$/){ $no_unit_test=1; }
-       elsif (/^no-deprecated$/) { $no_deprecated=1; }
-       elsif (/^no-ocb/){ $no_ocb=1; }
+       if (/^(enable|disable|no)-(.*)$/) {
+               my $alg = uc $2;
+               $alg =~ tr/-/_/;
+               if (exists $disabled_algorithms{$alg}) {
+                       $disabled_algorithms{$alg} = $1 eq "enable" ? 0 : 1;
+               }
        }
 
+       }
 
-if (!$libname) { 
+if (!$libname) {
        if ($do_ssl) {
-               $libname="SSLEAY";
+               $libname="LIBSSL";
        }
        if ($do_crypto) {
-               $libname="LIBEAY";
+               $libname="LIBCRYPTO";
        }
 }
 
 # If no platform is given, assume WIN32
-if ($W32 + $VMS + $OS2 == 0) {
+if ($W32 + $VMS + $linux == 0) {
        $W32 = 1;
 }
+die "Please, only one platform at a time"
+    if ($W32 + $VMS + $linux > 1);
 
 if (!$do_ssl && !$do_crypto)
        {
-       print STDERR "usage: $0 ( ssl | crypto ) [ 16 | 32 | NT | OS2 ]\n";
+       print STDERR "usage: $0 ( ssl | crypto ) [ 16 | 32 | NT | OS2 | linux | VMS ]\n";
        exit(1);
        }
 
@@ -257,110 +228,64 @@ $max_ssl = $max_num;
 %crypto_list=&load_numbers($crypto_num);
 $max_crypto = $max_num;
 
-my $ssl="ssl/ssl.h";
-$ssl.=" ssl/kssl.h";
-$ssl.=" ssl/tls1.h";
-$ssl.=" ssl/srtp.h";
-
-my $crypto ="crypto/crypto.h";
-$crypto.=" crypto/cryptlib.h";
-$crypto.=" crypto/o_dir.h";
-$crypto.=" crypto/o_str.h";
-$crypto.=" crypto/des/des.h" ; # unless $no_des;
-$crypto.=" crypto/idea/idea.h" ; # unless $no_idea;
-$crypto.=" crypto/rc4/rc4.h" ; # unless $no_rc4;
-$crypto.=" crypto/rc5/rc5.h" ; # unless $no_rc5;
-$crypto.=" crypto/rc2/rc2.h" ; # unless $no_rc2;
-$crypto.=" crypto/bf/blowfish.h" ; # unless $no_bf;
-$crypto.=" crypto/cast/cast.h" ; # unless $no_cast;
-$crypto.=" crypto/whrlpool/whrlpool.h" ;
-$crypto.=" crypto/md2/md2.h" ; # unless $no_md2;
-$crypto.=" crypto/md4/md4.h" ; # unless $no_md4;
-$crypto.=" crypto/md5/md5.h" ; # unless $no_md5;
-$crypto.=" crypto/mdc2/mdc2.h" ; # unless $no_mdc2;
-$crypto.=" crypto/sha/sha.h" ; # unless $no_sha;
-$crypto.=" crypto/ripemd/ripemd.h" ; # unless $no_ripemd;
-$crypto.=" crypto/aes/aes.h" ; # unless $no_aes;
-$crypto.=" crypto/camellia/camellia.h" ; # unless $no_camellia;
-$crypto.=" crypto/seed/seed.h"; # unless $no_seed;
-
-$crypto.=" crypto/bn/bn.h";
-$crypto.=" crypto/rsa/rsa.h" ; # unless $no_rsa;
-$crypto.=" crypto/dsa/dsa.h" ; # unless $no_dsa;
-$crypto.=" crypto/dh/dh.h" ; # unless $no_dh;
-$crypto.=" crypto/ec/ec.h" ; # unless $no_ec;
-$crypto.=" crypto/ecdsa/ecdsa.h" ; # unless $no_ecdsa;
-$crypto.=" crypto/ecdh/ecdh.h" ; # unless $no_ecdh;
-$crypto.=" crypto/hmac/hmac.h" ; # unless $no_hmac;
-$crypto.=" crypto/cmac/cmac.h" ;
-
-$crypto.=" crypto/engine/engine.h"; # unless $no_engine;
-$crypto.=" crypto/stack/stack.h" ; # unless $no_stack;
-$crypto.=" crypto/buffer/buffer.h" ; # unless $no_buffer;
-$crypto.=" crypto/bio/bio.h" ; # unless $no_bio;
-$crypto.=" crypto/dso/dso.h" ; # unless $no_dso;
-$crypto.=" crypto/lhash/lhash.h" ; # unless $no_lhash;
-$crypto.=" crypto/conf/conf.h";
-$crypto.=" crypto/txt_db/txt_db.h";
-
-$crypto.=" crypto/evp/evp.h" ; # unless $no_evp;
-$crypto.=" crypto/objects/objects.h";
-$crypto.=" crypto/pem/pem.h";
-#$crypto.=" crypto/meth/meth.h";
-$crypto.=" crypto/asn1/asn1.h";
-$crypto.=" crypto/asn1/asn1t.h";
-$crypto.=" crypto/asn1/asn1_mac.h";
-$crypto.=" crypto/err/err.h" ; # unless $no_err;
-$crypto.=" crypto/pkcs7/pkcs7.h";
-$crypto.=" crypto/pkcs12/pkcs12.h";
-$crypto.=" crypto/x509/x509.h";
-$crypto.=" crypto/x509/x509_vfy.h";
-$crypto.=" crypto/x509v3/x509v3.h";
-$crypto.=" crypto/ts/ts.h";
-$crypto.=" crypto/rand/rand.h";
-$crypto.=" crypto/comp/comp.h" ; # unless $no_comp;
-$crypto.=" crypto/ocsp/ocsp.h";
-$crypto.=" crypto/ui/ui.h";
-$crypto.=" crypto/krb5/krb5_asn.h";
-#$crypto.=" crypto/store/store.h";
-$crypto.=" crypto/pqueue/pqueue.h";
-$crypto.=" crypto/cms/cms.h";
-$crypto.=" crypto/jpake/jpake.h";
-$crypto.=" crypto/srp/srp.h";
-$crypto.=" crypto/modes/modes.h";
-
-my $symhacks="crypto/symhacks.h";
-
-my @ssl_symbols = &do_defs("SSLEAY", $ssl, $symhacks);
-my @crypto_symbols = &do_defs("LIBEAY", $crypto, $symhacks);
+my $ssl="include/openssl/ssl.h";
+$ssl.=" include/openssl/sslerr.h";
+$ssl.=" include/openssl/tls1.h";
+$ssl.=" include/openssl/srtp.h";
+
+# When scanning include/openssl, skip all SSL files and some internal ones.
+my %skipthese;
+foreach my $f ( split(/\s+/, $ssl) ) {
+    $skipthese{$f} = 1;
+}
+$skipthese{'include/openssl/conf_api.h'} = 1;
+$skipthese{'include/openssl/ebcdic.h'} = 1;
+$skipthese{'include/openssl/opensslconf.h'} = 1;
+
+# We use headers found in include/openssl and include/internal only.
+# The latter is needed so libssl.so/.dll/.exe can link properly.
+my $crypto ="include/internal/dso.h";
+$crypto.=" include/internal/o_dir.h";
+$crypto.=" include/internal/o_str.h";
+$crypto.=" include/internal/err.h";
+$crypto.=" include/internal/rand.h";
+foreach my $f ( glob(catfile($config{sourcedir},'include/openssl/*.h')) ) {
+    my $fn = "include/openssl/" . lc(basename($f));
+    $crypto .= " $fn" if !defined $skipthese{$fn} && $f !~ m@/[a-z]+err\.h$@;
+}
+
+my $symhacks="include/openssl/symhacks.h";
+
+my @ssl_symbols = &do_defs("LIBSSL", $ssl, $symhacks);
+my @crypto_symbols = &do_defs("LIBCRYPTO", $crypto, $symhacks);
 
 if ($do_update) {
 
 if ($do_ssl == 1) {
 
-       &maybe_add_info("SSLEAY",*ssl_list,@ssl_symbols);
+       &maybe_add_info("LIBSSL",*ssl_list,@ssl_symbols);
        if ($do_rewrite == 1) {
                open(OUT, ">$ssl_num");
-               &rewrite_numbers(*OUT,"SSLEAY",*ssl_list,@ssl_symbols);
+               &rewrite_numbers(*OUT,"LIBSSL",*ssl_list,@ssl_symbols);
        } else {
                open(OUT, ">>$ssl_num");
        }
-       &update_numbers(*OUT,"SSLEAY",*ssl_list,$max_ssl,@ssl_symbols);
+       &update_numbers(*OUT,"LIBSSL",*ssl_list,$max_ssl,@ssl_symbols);
        close OUT;
 }
 
 if($do_crypto == 1) {
 
-       &maybe_add_info("LIBEAY",*crypto_list,@crypto_symbols);
+       &maybe_add_info("LIBCRYPTO",*crypto_list,@crypto_symbols);
        if ($do_rewrite == 1) {
                open(OUT, ">$crypto_num");
-               &rewrite_numbers(*OUT,"LIBEAY",*crypto_list,@crypto_symbols);
+               &rewrite_numbers(*OUT,"LIBCRYPTO",*crypto_list,@crypto_symbols);
        } else {
                open(OUT, ">>$crypto_num");
        }
-       &update_numbers(*OUT,"LIBEAY",*crypto_list,$max_crypto,@crypto_symbols);
+       &update_numbers(*OUT,"LIBCRYPTO",*crypto_list,$max_crypto,@crypto_symbols);
        close OUT;
-} 
+}
 
 } elsif ($do_checkexist) {
        &check_existing(*ssl_list, @ssl_symbols)
@@ -378,10 +303,10 @@ if($do_crypto == 1) {
 int main()
 {
 EOF
-       &print_test_file(*STDOUT,"SSLEAY",*ssl_list,$do_ctestall,@ssl_symbols)
+       &print_test_file(*STDOUT,"LIBSSL",*ssl_list,$do_ctestall,@ssl_symbols)
                if $do_ssl == 1;
 
-       &print_test_file(*STDOUT,"LIBEAY",*crypto_list,$do_ctestall,@crypto_symbols)
+       &print_test_file(*STDOUT,"LIBCRYPTO",*crypto_list,$do_ctestall,@crypto_symbols)
                if $do_crypto == 1;
 
        print "}\n";
@@ -415,14 +340,16 @@ sub do_defs
 
        foreach $file (split(/\s+/,$symhacksfile." ".$files))
                {
-               print STDERR "DEBUG: starting on $file:\n" if $debug;
-               open(IN,"<$file") || die "unable to open $file:$!\n";
+               my $fn = catfile($config{sourcedir},$file);
+               print STDERR "DEBUG: starting on $fn:\n" if $debug;
+               open(IN,"<$fn") || die "Can't open $fn, $!,";
                my $line = "", my $def= "";
                my %tag = (
                        (map { $_ => 0 } @known_platforms),
                        (map { "OPENSSL_SYS_".$_ => 0 } @known_ossl_platforms),
                        (map { "OPENSSL_NO_".$_ => 0 } @known_algorithms),
                        (map { "OPENSSL_USE_".$_ => 0 } @known_algorithms),
+                       (grep /^DEPRECATED_/, @known_algorithms),
                        NOPROTO         => 0,
                        PERL5           => 0,
                        _WINDLL         => 0,
@@ -485,15 +412,16 @@ sub do_defs
 
                print STDERR "DEBUG: parsing ----------\n" if $debug;
                while(<IN>) {
+                       s|\R$||; # Better chomp
                        if($parens > 0) {
-                               #Inside a DECLARE_DEPRECATED
+                               #Inside a DEPRECATEDIN
                                $stored_multiline .= $_;
-                               chomp $stored_multiline;
-                               print STDERR "DEBUG: Continuing multiline DEPRECATED: $stored_multiline\n" if $debug;
+                               print STDERR "DEBUG: Continuing multiline DEPRECATEDIN: $stored_multiline\n" if $debug;
                                $parens = count_parens($stored_multiline);
                                if ($parens == 0) {
-                                       $stored_multiline =~ /^\s*DECLARE_DEPRECATED\s*\(\s*(\w*(\s|\*|\w)*)/;
-                                       $def .= "$1(void);";
+                                       $def .= do_deprecated($stored_multiline,
+                                                       \@current_platforms,
+                                                       \@current_algorithms);
                                }
                                next;
                        }
@@ -508,14 +436,12 @@ sub do_defs
                        }
 
                        if (/\\$/) {
-                               chomp; # remove eol
-                               chop; # remove ending backslash
-                               $line = $_;
+                               $line = $`; # keep what was before the backslash
                                next;
                        }
 
                        if(/\/\*/) {
-                               if (not /\*\//) {       # multiline comment...
+                               if (not /\*\//) {       # multi-line comment...
                                        $line = $_;     # ... just accumulate
                                        next;
                                } else {
@@ -527,13 +453,31 @@ sub do_defs
                                $cpp++ if /^#\s*if/;
                                $cpp-- if /^#\s*endif/;
                                next;
-                       }
-                       $cpp = 1 if /^#.*ifdef.*cplusplus/;
+                       }
+                       if (/^#.*ifdef.*cplusplus/) {
+                               $cpp = 1;
+                               next;
+                       }
 
                        s/{[^{}]*}//gs;                      # ignore {} blocks
                        print STDERR "DEBUG: \$def=\"$def\"\n" if $debug && $def ne "";
                        print STDERR "DEBUG: \$_=\"$_\"\n" if $debug;
-                       if (/^\#\s*ifndef\s+(.*)/) {
+                       if (/^\#\s*if\s+OPENSSL_API_COMPAT\s*(\S)\s*(0x[0-9a-fA-F]{8})L\s*$/) {
+                               my $op = $1;
+                               my $v = hex($2);
+                               if ($op ne '<' && $op ne '>=') {
+                                   die "$file unacceptable operator $op: $_\n";
+                               }
+                               my ($one, $major, $minor) =
+                                   ( ($v >> 28) & 0xf,
+                                     ($v >> 20) & 0xff,
+                                     ($v >> 12) & 0xff );
+                               my $t = "DEPRECATEDIN_${one}_${major}_${minor}";
+                               push(@tag,"-");
+                               push(@tag,$t);
+                               $tag{$t}=($op eq '<' ? 1 : -1);
+                               print STDERR "DEBUG: $file: found tag $t = $tag{$t}\n" if $debug;
+                       } elsif (/^\#\s*ifndef\s+(.*)/) {
                                push(@tag,"-");
                                push(@tag,$1);
                                $tag{$1}=-1;
@@ -615,6 +559,7 @@ sub do_defs
                                pop(@tag);
                        } elsif (/^\#\s*else/) {
                                my $tag_i = $#tag;
+                               die "$file unmatched else\n" if $tag_i < 0;
                                while($tag[$tag_i] ne "-") {
                                        my $t=$tag[$tag_i];
                                        $tag{$t}= -$tag{$t};
@@ -633,6 +578,9 @@ sub do_defs
                                push(@tag,"TRUE");
                                $tag{"TRUE"}=-1;
                                print STDERR "DEBUG: $file: found 0\n" if $debug;
+                       } elsif (/^\#\s*if\s+/) {
+                               #Some other unrecognized "if" style
+                               push(@tag,"-");
                        } elsif (/^\#\s*define\s+(\w+)\s+(\w+)/
                                 && $symhacking && $tag{'TRUE'} != -1) {
                                # This is for aliasing.  When we find an alias,
@@ -660,6 +608,9 @@ sub do_defs
                                    , grep(!/^$/,
                                         map { $tag{"OPENSSL_USE_".$_} == 1 ? $_ : "" }
                                         @known_algorithms);
+                               push @current_algorithms,
+                                   grep { /^DEPRECATEDIN_/ && $tag{$_} == 1 }
+                                   @known_algorithms;
                                $def .=
                                    "#INFO:"
                                        .join(',',@current_platforms).":"
@@ -667,13 +618,14 @@ sub do_defs
                                next;
                        }
                        if ($tag{'TRUE'} != -1) {
-                               if (/^\s*DECLARE_STACK_OF\s*\(\s*(\w*)\s*\)/) {
+                               if (/^\s*DEFINE_STACK_OF\s*\(\s*(\w*)\s*\)/
+                                               || /^\s*DEFINE_STACK_OF_CONST\s*\(\s*(\w*)\s*\)/) {
                                        next;
                                } elsif (/^\s*DECLARE_ASN1_ENCODE_FUNCTIONS\s*\(\s*(\w*)\s*,\s*(\w*)\s*,\s*(\w*)\s*\)/) {
                                        $def .= "int d2i_$3(void);";
                                        $def .= "int i2d_$3(void);";
                                        # Variant for platforms that do not
-                                       # have to access globale variables
+                                       # have to access global variables
                                        # in shared libraries through functions
                                        $def .=
                                            "#INFO:"
@@ -685,7 +637,7 @@ sub do_defs
                                                .join(',',@current_platforms).":"
                                                    .join(',',@current_algorithms).";";
                                        # Variant for platforms that have to
-                                       # access globale variables in shared
+                                       # access global variables in shared
                                        # libraries through functions
                                        &$make_variant("$2_it","$2_it",
                                                      "EXPORT_VAR_AS_FUNCTION",
@@ -697,7 +649,7 @@ sub do_defs
                                        $def .= "int $3_free(void);";
                                        $def .= "int $3_new(void);";
                                        # Variant for platforms that do not
-                                       # have to access globale variables
+                                       # have to access global variables
                                        # in shared libraries through functions
                                        $def .=
                                            "#INFO:"
@@ -709,7 +661,7 @@ sub do_defs
                                                .join(',',@current_platforms).":"
                                                    .join(',',@current_algorithms).";";
                                        # Variant for platforms that have to
-                                       # access globale variables in shared
+                                       # access global variables in shared
                                        # libraries through functions
                                        &$make_variant("$2_it","$2_it",
                                                      "EXPORT_VAR_AS_FUNCTION",
@@ -722,7 +674,7 @@ sub do_defs
                                        $def .= "int $1_free(void);";
                                        $def .= "int $1_new(void);";
                                        # Variant for platforms that do not
-                                       # have to access globale variables
+                                       # have to access global variables
                                        # in shared libraries through functions
                                        $def .=
                                            "#INFO:"
@@ -734,7 +686,7 @@ sub do_defs
                                                .join(',',@current_platforms).":"
                                                    .join(',',@current_algorithms).";";
                                        # Variant for platforms that have to
-                                       # access globale variables in shared
+                                       # access global variables in shared
                                        # libraries through functions
                                        &$make_variant("$1_it","$1_it",
                                                      "EXPORT_VAR_AS_FUNCTION",
@@ -744,7 +696,7 @@ sub do_defs
                                        $def .= "int d2i_$2(void);";
                                        $def .= "int i2d_$2(void);";
                                        # Variant for platforms that do not
-                                       # have to access globale variables
+                                       # have to access global variables
                                        # in shared libraries through functions
                                        $def .=
                                            "#INFO:"
@@ -756,7 +708,7 @@ sub do_defs
                                                .join(',',@current_platforms).":"
                                                    .join(',',@current_algorithms).";";
                                        # Variant for platforms that have to
-                                       # access globale variables in shared
+                                       # access global variables in shared
                                        # libraries through functions
                                        &$make_variant("$2_it","$2_it",
                                                      "EXPORT_VAR_AS_FUNCTION",
@@ -772,7 +724,7 @@ sub do_defs
                                        $def .= "int $2_free(void);";
                                        $def .= "int $2_new(void);";
                                        # Variant for platforms that do not
-                                       # have to access globale variables
+                                       # have to access global variables
                                        # in shared libraries through functions
                                        $def .=
                                            "#INFO:"
@@ -784,7 +736,7 @@ sub do_defs
                                                .join(',',@current_platforms).":"
                                                    .join(',',@current_algorithms).";";
                                        # Variant for platforms that have to
-                                       # access globale variables in shared
+                                       # access global variables in shared
                                        # libraries through functions
                                        &$make_variant("$2_it","$2_it",
                                                      "EXPORT_VAR_AS_FUNCTION",
@@ -792,7 +744,7 @@ sub do_defs
                                        next;
                                } elsif (/^\s*DECLARE_ASN1_ITEM\s*\(\s*(\w*)\s*\)/) {
                                        # Variant for platforms that do not
-                                       # have to access globale variables
+                                       # have to access global variables
                                        # in shared libraries through functions
                                        $def .=
                                            "#INFO:"
@@ -804,7 +756,7 @@ sub do_defs
                                                .join(',',@current_platforms).":"
                                                    .join(',',@current_algorithms).";";
                                        # Variant for platforms that have to
-                                       # access globale variables in shared
+                                       # access global variables in shared
                                        # libraries through functions
                                        &$make_variant("$1_it","$1_it",
                                                      "EXPORT_VAR_AS_FUNCTION",
@@ -828,7 +780,7 @@ sub do_defs
                                        $def .=
                                            "#INFO:"
                                                .join(',',@current_platforms).":"
-                                                   .join(',',@current_algorithms).";";
+                                                   .join(',',"STDIO",@current_algorithms).";";
                                        $def .= "int PEM_read_$1(void);";
                                        $def .= "int PEM_write_$1(void);";
                                        $def .=
@@ -845,7 +797,7 @@ sub do_defs
                                        $def .=
                                            "#INFO:"
                                                .join(',',@current_platforms).":"
-                                                   .join(',',@current_algorithms).";";
+                                                   .join(',',"STDIO",@current_algorithms).";";
                                        $def .= "int PEM_write_$1(void);";
                                        $def .=
                                            "#INFO:"
@@ -859,18 +811,18 @@ sub do_defs
                                        $def .=
                                            "#INFO:"
                                                .join(',',@current_platforms).":"
-                                                   .join(',',@current_algorithms).";";
+                                                   .join(',',"STDIO",@current_algorithms).";";
                                        $def .= "int PEM_read_$1(void);";
                                        $def .=
                                            "#INFO:"
                                                .join(',',@current_platforms).":"
-                                                   .join(',',@current_algorithms).";";
+                                                   .join(',',"STDIO",@current_algorithms).";";
                                        # Things that are everywhere
                                        $def .= "int PEM_read_bio_$1(void);";
                                        next;
                                } elsif (/^OPENSSL_DECLARE_GLOBAL\s*\(\s*(\w*)\s*,\s*(\w*)\s*\)/) {
                                        # Variant for platforms that do not
-                                       # have to access globale variables
+                                       # have to access global variables
                                        # in shared libraries through functions
                                        $def .=
                                            "#INFO:"
@@ -882,19 +834,20 @@ sub do_defs
                                                .join(',',@current_platforms).":"
                                                    .join(',',@current_algorithms).";";
                                        # Variant for platforms that have to
-                                       # access globale variables in shared
+                                       # access global variables in shared
                                        # libraries through functions
                                        &$make_variant("_shadow_$2","_shadow_$2",
                                                      "EXPORT_VAR_AS_FUNCTION",
                                                      "FUNCTION");
-                               } elsif (/^\s*DECLARE_DEPRECATED\s*\(\s*(\w*(\s|\*|\w)*)/) {
+                               } elsif (/^\s*DEPRECATEDIN/) {
                                        $parens = count_parens($_);
                                        if ($parens == 0) {
-                                               $def .= "$1(void);";
+                                               $def .= do_deprecated($_,
+                                                       \@current_platforms,
+                                                       \@current_algorithms);
                                        } else {
                                                $stored_multiline = $_;
-                                               chomp $stored_multiline;
-                                               print STDERR "DEBUG: Found multiline DEPRECATED starting with: $stored_multiline\n" if $debug;
+                                               print STDERR "DEBUG: Found multiline DEPRECATEDIN starting with: $stored_multiline\n" if $debug;
                                                next;
                                        }
                                } elsif ($tag{'CONST_STRICT'} != 1) {
@@ -907,6 +860,7 @@ sub do_defs
                        }
                }
                close(IN);
+               die "$file: Unmatched tags\n" if $#tag >= 0;
 
                my $algs;
                my $plays;
@@ -959,22 +913,6 @@ sub do_defs
 
                        $p = $plats;
                        $a = $algs;
-                       $a .= ",BF" if($s =~ /EVP_bf/);
-                       $a .= ",CAST" if($s =~ /EVP_cast/);
-                       $a .= ",DES" if($s =~ /EVP_des/);
-                       $a .= ",DSA" if($s =~ /EVP_dss/);
-                       $a .= ",IDEA" if($s =~ /EVP_idea/);
-                       $a .= ",MD2" if($s =~ /EVP_md2/);
-                       $a .= ",MD4" if($s =~ /EVP_md4/);
-                       $a .= ",MD5" if($s =~ /EVP_md5/);
-                       $a .= ",RC2" if($s =~ /EVP_rc2/);
-                       $a .= ",RC4" if($s =~ /EVP_rc4/);
-                       $a .= ",RC5" if($s =~ /EVP_rc5/);
-                       $a .= ",RMD160" if($s =~ /EVP_ripemd/);
-                       $a .= ",RSA" if($s =~ /EVP_(Open|Seal)(Final|Init)/);
-                       $a .= ",RSA" if($s =~ /PEM_Seal(Final|Init|Update)/);
-                       $a .= ",RSA" if($s =~ /RSAPrivateKey/);
-                       $a .= ",RSA" if($s =~ /SSLv23?_((client|server)_)?method/);
 
                        $platform{$s} =
                            &reduce_platforms((defined($platform{$s})?$platform{$s}.',':"").$p);
@@ -1006,19 +944,6 @@ sub do_defs
        $platform{"PEM_write_NS_CERT_SEQ"} = "VMS";
        $platform{"PEM_read_P8_PRIV_KEY_INFO"} = "VMS";
        $platform{"PEM_write_P8_PRIV_KEY_INFO"} = "VMS";
-       $platform{"EVP_sha384"} = "!VMSVAX";
-       $platform{"EVP_sha512"} = "!VMSVAX";
-       $platform{"SHA384_Init"} = "!VMSVAX";
-       $platform{"SHA384_Transform"} = "!VMSVAX";
-       $platform{"SHA384_Update"} = "!VMSVAX";
-       $platform{"SHA384_Final"} = "!VMSVAX";
-       $platform{"SHA384"} = "!VMSVAX";
-       $platform{"SHA512_Init"} = "!VMSVAX";
-       $platform{"SHA512_Transform"} = "!VMSVAX";
-       $platform{"SHA512_Update"} = "!VMSVAX";
-       $platform{"SHA512_Final"} = "!VMSVAX";
-       $platform{"SHA512"} = "!VMSVAX";
-
 
        # Info we know about
 
@@ -1072,7 +997,8 @@ sub reduce_platforms
        return $ret;
 }
 
-sub info_string {
+sub info_string
+{
        (my $symbol, my $exist, my $platforms, my $kind, my $algorithms) = @_;
 
        my %a = defined($algorithms) ?
@@ -1090,20 +1016,20 @@ sub info_string {
        return $ret;
 }
 
-sub maybe_add_info {
+sub maybe_add_info
+{
        (my $name, *nums, my @symbols) = @_;
        my $sym;
        my $new_info = 0;
        my %syms=();
 
-       print STDERR "Updating $name info\n";
        foreach $sym (@symbols) {
                (my $s, my $i) = split /\\/, $sym;
                if (defined($nums{$s})) {
                        $i =~ s/^(.*?:.*?:\w+)(\(\w+\))?/$1/;
-                       (my $n, my $dummy) = split /\\/, $nums{$s};
+                       (my $n, my $vers, my $dummy) = split /\\/, $nums{$s};
                        if (!defined($dummy) || $i ne $dummy) {
-                               $nums{$s} = $n."\\".$i;
+                               $nums{$s} = $n."\\".$vers."\\".$i;
                                $new_info++;
                                print STDERR "DEBUG: maybe_add_info for $s: \"$dummy\" => \"$i\"\n" if $debug;
                        }
@@ -1113,19 +1039,18 @@ sub maybe_add_info {
 
        my @s=sort { &parse_number($nums{$a},"n") <=> &parse_number($nums{$b},"n") } keys %nums;
        foreach $sym (@s) {
-               (my $n, my $i) = split /\\/, $nums{$sym};
+               (my $n, my $vers, my $i) = split /\\/, $nums{$sym};
                if (!defined($syms{$sym}) && $i !~ /^NOEXIST:/) {
                        $new_info++;
                        print STDERR "DEBUG: maybe_add_info for $sym: -> undefined\n" if $debug;
                }
        }
        if ($new_info) {
-               print STDERR "$new_info old symbols got an info update\n";
+               print STDERR "$name: $new_info old symbols have updated info\n";
                if (!$do_rewrite) {
                        print STDERR "You should do a rewrite to fix this.\n";
                }
        } else {
-               print STDERR "No old symbols needed info update\n";
        }
 }
 
@@ -1143,83 +1068,22 @@ sub is_valid
 
                if ($platforms) {
                        # platforms
-                       if ($keyword eq "VMSVAX" && $VMSVAX) { return 1; }
-                       if ($keyword eq "VMSNonVAX" && $VMSNonVAX) { return 1; }
+                       if ($keyword eq "UNIX" && $UNIX) { return 1; }
                        if ($keyword eq "VMS" && $VMS) { return 1; }
                        if ($keyword eq "WIN32" && $W32) { return 1; }
+                       if ($keyword eq "_WIN32" && $W32) { return 1; }
                        if ($keyword eq "WINNT" && $NT) { return 1; }
-                       if ($keyword eq "OS2" && $OS2) { return 1; }
                        # Special platforms:
                        # EXPORT_VAR_AS_FUNCTION means that global variables
-                       # will be represented as functions.  This currently
-                       # only happens on VMS-VAX.
-                       if ($keyword eq "EXPORT_VAR_AS_FUNCTION" && ($VMSVAX || $W32)) {
-                               return 1;
-                       }
-                       if ($keyword eq "OPENSSL_FIPSCAPABLE") {
-                               return 0;
-                       }
-                       if ($keyword eq "OPENSSL_FIPS" && $fips) {
+                       # will be represented as functions.
+                       if ($keyword eq "EXPORT_VAR_AS_FUNCTION" && $W32) {
                                return 1;
                        }
                        if ($keyword eq "ZLIB" && $zlib) { return 1; }
                        return 0;
                } else {
                        # algorithms
-                       if ($keyword eq "RC2" && $no_rc2) { return 0; }
-                       if ($keyword eq "RC4" && $no_rc4) { return 0; }
-                       if ($keyword eq "RC5" && $no_rc5) { return 0; }
-                       if ($keyword eq "IDEA" && $no_idea) { return 0; }
-                       if ($keyword eq "DES" && $no_des) { return 0; }
-                       if ($keyword eq "BF" && $no_bf) { return 0; }
-                       if ($keyword eq "CAST" && $no_cast) { return 0; }
-                       if ($keyword eq "MD2" && $no_md2) { return 0; }
-                       if ($keyword eq "MD4" && $no_md4) { return 0; }
-                       if ($keyword eq "MD5" && $no_md5) { return 0; }
-                       if ($keyword eq "SHA" && $no_sha) { return 0; }
-                       if ($keyword eq "RMD160" && $no_ripemd) { return 0; }
-                       if ($keyword eq "MDC2" && $no_mdc2) { return 0; }
-                       if ($keyword eq "WHIRLPOOL" && $no_whirlpool) { return 0; }
-                       if ($keyword eq "RSA" && $no_rsa) { return 0; }
-                       if ($keyword eq "DSA" && $no_dsa) { return 0; }
-                       if ($keyword eq "DH" && $no_dh) { return 0; }
-                       if ($keyword eq "EC" && $no_ec) { return 0; }
-                       if ($keyword eq "ECDSA" && $no_ecdsa) { return 0; }
-                       if ($keyword eq "ECDH" && $no_ecdh) { return 0; }
-                       if ($keyword eq "AES" && $no_aes) { return 0; }
-                       if ($keyword eq "CAMELLIA" && $no_camellia) { return 0; }
-                       if ($keyword eq "SEED" && $no_seed) { return 0; }
-                       if ($keyword eq "EVP" && $no_evp) { return 0; }
-                       if ($keyword eq "LHASH" && $no_lhash) { return 0; }
-                       if ($keyword eq "STACK" && $no_stack) { return 0; }
-                       if ($keyword eq "ERR" && $no_err) { return 0; }
-                       if ($keyword eq "BUFFER" && $no_buffer) { return 0; }
-                       if ($keyword eq "BIO" && $no_bio) { return 0; }
-                       if ($keyword eq "COMP" && $no_comp) { return 0; }
-                       if ($keyword eq "DSO" && $no_dso) { return 0; }
-                       if ($keyword eq "KRB5" && $no_krb5) { return 0; }
-                       if ($keyword eq "ENGINE" && $no_engine) { return 0; }
-                       if ($keyword eq "HW" && $no_hw) { return 0; }
-                       if ($keyword eq "FP_API" && $no_fp_api) { return 0; }
-                       if ($keyword eq "STATIC_ENGINE" && $no_static_engine) { return 0; }
-                       if ($keyword eq "GMP" && $no_gmp) { return 0; }
-                       if ($keyword eq "TLSEXT" && $no_tlsext) { return 0; }
-                       if ($keyword eq "PSK" && $no_psk) { return 0; }
-                       if ($keyword eq "CMS" && $no_cms) { return 0; }
-                       if ($keyword eq "EC_NISTP_64_GCC_128" && $no_nistp_gcc)
-                                       { return 0; }
-                       if ($keyword eq "EC2M" && $no_ec2m) { return 0; }
-                       if ($keyword eq "NEXTPROTONEG" && $no_nextprotoneg) { return 0; }
-                       if ($keyword eq "SSL3_METHOD" && $no_ssl3_method) { return 0; }
-                       if ($keyword eq "SSL_TRACE" && $no_ssl_trace) { return 0; }
-                       if ($keyword eq "CAPIENG" && $no_capieng) { return 0; }
-                       if ($keyword eq "JPAKE" && $no_jpake) { return 0; }
-                       if ($keyword eq "SRP" && $no_srp) { return 0; }
-                       if ($keyword eq "SCTP" && $no_sctp) { return 0; }
-                       if ($keyword eq "SRTP" && $no_srtp) { return 0; }
-                       if ($keyword eq "UNIT_TEST" && $no_unit_test) { return 0; }
-                       if ($keyword eq "DEPRECATED" && $no_deprecated) { return 0; }
-                       if ($keyword eq "OCB" && $no_ocb) { return 0; }
+                       if ($disabled_algorithms{$keyword} == 1) { return 0;}
 
                        # Nothing recognise as true
                        return 1;
@@ -1264,7 +1128,7 @@ sub print_test_file
                        }
                        $prev = $s2;    # To warn about duplicates...
 
-                       ($nn,$ni)=($nums{$s2} =~ /^(.*?)\\(.*)$/);
+                       (my $nn, my $vers, my $ni) = split /\\/, $nums{$s2};
                        if ($v) {
                                print OUT "\textern int $s2; /* type unknown */ /* $nn $ni */\n";
                        } else {
@@ -1274,15 +1138,9 @@ sub print_test_file
        }
 }
 
-sub get_version {
-   local *MF;
-   my $v = '?';
-   open MF, 'Makefile' or return $v;
-   while (<MF>) {
-     $v = $1, last if /^VERSION=(.*?)\s*$/;
-   }
-   close MF;
-   return $v;
+sub get_version
+{
+   return $config{version};
 }
 
 sub print_def_file
@@ -1295,25 +1153,17 @@ sub print_def_file
        my $version = get_version();
        my $what = "OpenSSL: implementation of Secure Socket Layer";
        my $description = "$what $version, $name - http://$http_vendor";
+       my $prevsymversion = "", $prevprevsymversion = "";
+        # For VMS
+        my $prevnum = 0;
+        my $symvtextcount = 0;
 
        if ($W32)
                { $libname.="32"; }
-       elsif ($OS2)
-               { # DLL names should not clash on the whole system.
-                 # However, they should not have any particular relationship
-                 # to the name of the static library.  Chose descriptive names
-                 # (must be at most 8 chars).
-                 my %translate = (ssl => 'open_ssl', crypto => 'cryptssl');
-                 $libname = $translate{$name} || $name;
-                 $liboptions = <<EOO;
-INITINSTANCE
-DATA MULTIPLE NONSHARED
-EOO
-                 # Vendor field can't contain colon, drat; so we omit http://
-                 $description = "\@#$http_vendor:$version#\@$what; DLL for library $name.  Build for EMX -Zmtd";
-               }
 
-       print OUT <<"EOF";
+        if ($W32)
+                {
+                print OUT <<"EOF";
 ;
 ; Definition file for the DLL version of the $name library from OpenSSL
 ;
@@ -1322,40 +1172,132 @@ LIBRARY         $libname       $liboptions
 
 EOF
 
-       print "EXPORTS\n";
+               print "EXPORTS\n";
+                }
+        elsif ($VMS)
+                {
+                print OUT <<"EOF";
+CASE_SENSITIVE=YES
+SYMBOL_VECTOR=(-
+EOF
+                $symvtextcount = 16; # length of "SYMBOL_VECTOR=(-"
+                }
 
-       (@e)=grep(/^SSLeay(\{[0-9]+\})?\\.*?:.*?:FUNCTION/,@symbols);
-       (@r)=grep(/^\w+(\{[0-9]+\})?\\.*?:.*?:FUNCTION/ && !/^SSLeay(\{[0-9]+\})?\\.*?:.*?:FUNCTION/,@symbols);
+       (@r)=grep(/^\w+(\{[0-9]+\})?\\.*?:.*?:FUNCTION/,@symbols);
        (@v)=grep(/^\w+(\{[0-9]+\})?\\.*?:.*?:VARIABLE/,@symbols);
-       @symbols=((sort @e),(sort @r), (sort @v));
-
-
-       foreach $sym (@symbols) {
-               (my $s, my $i) = $sym =~ /^(.*?)\\(.*)$/;
-               my $v = 0;
-               $v = 1 if $i =~ /^.*?:.*?:VARIABLE/;
-               if (!defined($nums{$s})) {
-                       printf STDERR "Warning: $s does not have a number assigned\n"
-                           if(!$do_update);
+        if ($VMS) {
+            # VMS needs to have the symbols on slot number order
+            @symbols=(map { $_->[1] }
+                      sort { $a->[0] <=> $b->[0] }
+                      map { (my $s, my $i) = $_ =~ /^(.*?)\\(.*)$/;
+                            die "Error: $s doesn't have a number assigned\n"
+                                if !defined($nums{$s});
+                            (my $n, my @rest) = split /\\/, $nums{$s};
+                            [ $n, $_ ] } (@e, @r, @v));
+        } else {
+            @symbols=((sort @e),(sort @r), (sort @v));
+        }
+
+       my ($baseversion, $currversion) = get_openssl_version();
+       my $thisversion;
+       do {
+               if (!defined($thisversion)) {
+                       $thisversion = $baseversion;
                } else {
-                       (my $n, my $dummy) = split /\\/, $nums{$s};
-                       my %pf = ();
-                       my $p = ($i =~ /^[^:]*:([^:]*):/,$1);
-                       my $a = ($i =~ /^[^:]*:[^:]*:[^:]*:([^:]*)/,$1);
-                       if (is_valid($p,1) && is_valid($a,0)) {
-                               my $s2 = ($s =~ /^(.*?)(\{[0-9]+\})?$/, $1);
-                               if ($prev eq $s2) {
-                                       print STDERR "Warning: Symbol '",$s2,"' redefined. old=",($nums{$prev} =~ /^(.*?)\\/,$1),", new=",($nums{$s2} =~ /^(.*?)\\/,$1),"\n";
-                               }
-                               $prev = $s2;    # To warn about duplicates...
-                               if($v && !$OS2) {
-                                       printf OUT "    %s%-39s @%-8d DATA\n",($W32)?"":"_",$s2,$n;
-                               } else {
-                                       printf OUT "    %s%-39s @%d\n",($W32||$OS2)?"":"_",$s2,$n;
+                       $thisversion = get_next_version($thisversion);
+               }
+               foreach $sym (@symbols) {
+                       (my $s, my $i) = $sym =~ /^(.*?)\\(.*)$/;
+                       my $v = 0;
+                       $v = 1 if $i =~ /^.*?:.*?:VARIABLE/;
+                       if (!defined($nums{$s})) {
+                               die "Error: $s does not have a number assigned\n"
+                                       if(!$do_update);
+                       } else {
+                               (my $n, my $symversion, my $dummy) = split /\\/, $nums{$s};
+                               my %pf = ();
+                               my $p = ($i =~ /^[^:]*:([^:]*):/,$1);
+                               my $a = ($i =~ /^[^:]*:[^:]*:[^:]*:([^:]*)/,$1);
+                               if (is_valid($p,1) && is_valid($a,0)) {
+                                       my $s2 = ($s =~ /^(.*?)(\{[0-9]+\})?$/, $1);
+                                       if ($prev eq $s2) {
+                                               print STDERR "Warning: Symbol '",$s2,
+                                                       "' redefined. old=",($nums{$prev} =~ /^(.*?)\\/,$1),
+                                                       ", new=",($nums{$s2} =~ /^(.*?)\\/,$1),"\n";
+                                       }
+                                       $prev = $s2;    # To warn about duplicates...
+                                       if($linux) {
+                                               next if $symversion ne $thisversion;
+                                               if ($symversion ne $prevsymversion) {
+                                                       if ($prevsymversion ne "") {
+                                                               if ($prevprevsymversion ne "") {
+                                                                       print OUT "} OPENSSL_"
+                                                                                               ."$prevprevsymversion;\n\n";
+                                                               } else {
+                                                                       print OUT "};\n\n";
+                                                               }
+                                                       }
+                                                       print OUT "OPENSSL_$symversion {\n    global:\n";
+                                                       $prevprevsymversion = $prevsymversion;
+                                                       $prevsymversion = $symversion;
+                                               }
+                                               print OUT "        $s2;\n";
+                                        } elsif ($VMS) {
+                                            while(++$prevnum < $n) {
+                                                my $symline=" ,SPARE -\n  ,SPARE -\n";
+                                                if ($symvtextcount + length($symline) - 2 > 1024) {
+                                                    print OUT ")\nSYMBOL_VECTOR=(-\n";
+                                                    $symvtextcount = 16; # length of "SYMBOL_VECTOR=(-"
+                                                }
+                                                if ($symvtextcount == 16) {
+                                                    # Take away first comma
+                                                    $symline =~ s/,//;
+                                                }
+                                                print OUT $symline;
+                                                $symvtextcount += length($symline) - 2;
+                                            }
+                                            (my $s_uc = $s) =~ tr/a-z/A-Z/;
+                                            my $symtype=
+                                                $v ? "DATA" : "PROCEDURE";
+                                            my $symline=
+                                                ($s_uc ne $s
+                                                 ? " ,$s_uc/$s=$symtype -\n  ,$s=$symtype -\n"
+                                                 : " ,$s=$symtype -\n  ,SPARE -\n");
+                                            if ($symvtextcount + length($symline) - 2 > 1024) {
+                                                print OUT ")\nSYMBOL_VECTOR=(-\n";
+                                                $symvtextcount = 16; # length of "SYMBOL_VECTOR=(-"
+                                            }
+                                            if ($symvtextcount == 16) {
+                                                # Take away first comma
+                                                $symline =~ s/,//;
+                                            }
+                                            print OUT $symline;
+                                            $symvtextcount += length($symline) - 2;
+                                       } elsif($v) {
+                                               printf OUT "    %s%-39s DATA\n",
+                                                               ($W32)?"":"_",$s2;
+                                       } else {
+                                               printf OUT "    %s%s\n",
+                                                               ($W32)?"":"_",$s2;
+                                       }
                                }
                        }
                }
-       }
+       } while ($linux && $thisversion ne $currversion);
+       if ($linux) {
+               if ($prevprevsymversion ne "") {
+                       print OUT "    local: *;\n} OPENSSL_$prevprevsymversion;\n\n";
+               } else {
+                       print OUT "    local: *;\n};\n\n";
+               }
+       } elsif ($VMS) {
+            print OUT ")\n";
+            (my $libvmaj, my $libvmin, my $libvedit) =
+                $currversion =~ /^(\d+)_(\d+)_(\d+)$/;
+            # The reason to multiply the edit number with 100 is to make space
+            # for the possibility that we want to encode the patch letters
+            print OUT "GSMATCH=LEQUAL,",($libvmaj * 100 + $libvmin),",",($libvedit * 100),"\n";
+        }
        printf OUT "\n";
 }
 
@@ -1363,15 +1305,18 @@ sub load_numbers
 {
        my($name)=@_;
        my(@a,%ret);
+       my $prevversion;
 
        $max_num = 0;
        $num_noinfo = 0;
        $prev = "";
        $prev_cnt = 0;
 
+       my ($baseversion, $currversion) = get_openssl_version();
+
        open(IN,"<$name") || die "unable to open $name:$!\n";
        while (<IN>) {
-               chop;
+               s|\R$||;        # Better chomp
                s/#.*$//;
                next if /^\s*$/;
                @a=split;
@@ -1398,7 +1343,13 @@ sub load_numbers
                        $ret{$a[0]}=$a[1];
                        $num_noinfo++;
                } else {
-                       $ret{$a[0]}=$a[1]."\\".$a[2]; # \\ is a special marker
+                       #Sanity check the version number
+                       if (defined $prevversion) {
+                               check_version_lte($prevversion, $a[2]);
+                       }
+                       check_version_lte($a[2], $currversion);
+                       $prevversion = $a[2];
+                       $ret{$a[0]}=$a[1]."\\".$a[2]."\\".$a[3]; # \\ is a special marker
                }
                $max_num = $a[1] if $a[1] > $max_num;
                $prev=$a[0];
@@ -1418,7 +1369,7 @@ sub load_numbers
 sub parse_number
 {
        (my $str, my $what) = @_;
-       (my $n, my $i) = split(/\\/,$str);
+       (my $n, my $v, my $i) = split(/\\/,$str);
        if ($what eq "n") {
                return $n;
        } else {
@@ -1431,8 +1382,6 @@ sub rewrite_numbers
        (*OUT,$name,*nums,@symbols)=@_;
        my $thing;
 
-       print STDERR "Rewriting $name\n";
-
        my @r = grep(/^\w+(\{[0-9]+\})?\\.*?:.*?:\w+\(\w+\)/,@symbols);
        my $r; my %r; my %rsyms;
        foreach $r (@r) {
@@ -1454,7 +1403,7 @@ sub rewrite_numbers
            || $a cmp $b
        } keys %nums;
        foreach $sym (@s) {
-               (my $n, my $i) = split /\\/, $nums{$sym};
+               (my $n, my $vers, my $i) = split /\\/, $nums{$sym};
                next if defined($i) && $i =~ /^.*?:.*?:\w+\(\w+\)/;
                next if defined($rsyms{$sym});
                print STDERR "DEBUG: rewrite_numbers for sym = ",$sym,": i = ",$i,", n = ",$n,", rsym{sym} = ",$rsyms{$sym},"syms{sym} = ",$syms{$sym},"\n" if $debug;
@@ -1462,12 +1411,12 @@ sub rewrite_numbers
                        if !defined($i) || $i eq "" || !defined($syms{$sym});
                my $s2 = $sym;
                $s2 =~ s/\{[0-9]+\}$//;
-               printf OUT "%s%-39s %d\t%s\n","",$s2,$n,$i;
+               printf OUT "%s%-39s %d\t%s\t%s\n","",$s2,$n,$vers,$i;
                if (exists $r{$sym}) {
                        (my $s, $i) = split /\\/,$r{$sym};
                        my $s2 = $s;
                        $s2 =~ s/\{[0-9]+\}$//;
-                       printf OUT "%s%-39s %d\t%s\n","",$s2,$n,$i;
+                       printf OUT "%s%-39s %d\t%s\t%s\n","",$s2,$n,$vers,$i;
                }
        }
 }
@@ -1476,8 +1425,10 @@ sub update_numbers
 {
        (*OUT,$name,*nums,my $start_num, my @symbols)=@_;
        my $new_syms = 0;
+       my $basevers;
+       my $vers;
 
-       print STDERR "Updating $name numbers\n";
+       ($basevers, $vers) = get_openssl_version();
 
        my @r = grep(/^\w+(\{[0-9]+\})?\\.*?:.*?:\w+\(\w+\)/,@symbols);
        my $r; my %r; my %rsyms;
@@ -1495,23 +1446,22 @@ sub update_numbers
                next if defined($rsyms{$sym});
                die "ERROR: Symbol $sym had no info attached to it."
                    if $i eq "";
-               next if $i =~ /OPENSSL_FIPSCAPABLE/;
                if (!exists $nums{$s}) {
                        $new_syms++;
                        my $s2 = $s;
                        $s2 =~ s/\{[0-9]+\}$//;
-                       printf OUT "%s%-39s %d\t%s\n","",$s2, ++$start_num,$i;
+                       printf OUT "%s%-39s %d\t%s\t%s\n","",$s2, ++$start_num,$vers,$i;
                        if (exists $r{$s}) {
                                ($s, $i) = split /\\/,$r{$s};
                                $s =~ s/\{[0-9]+\}$//;
-                               printf OUT "%s%-39s %d\t%s\n","",$s, $start_num,$i;
+                               printf OUT "%s%-39s %d\t%s\t%s\n","",$s, $start_num,$vers,$i;
                        }
                }
        }
        if($new_syms) {
-               print STDERR "$new_syms New symbols added\n";
+               print STDERR "$name: Added $new_syms new symbols\n";
        } else {
-               print STDERR "No New symbols Added\n";
+               print STDERR "$name: No new symbols added\n";
        }
 }
 
@@ -1547,3 +1497,146 @@ sub count_parens
        return $open - $close;
 }
 
+#Parse opensslv.h to get the current version number. Also work out the base
+#version, i.e. the lowest version number that is binary compatible with this
+#version
+sub get_openssl_version()
+{
+       my $fn = catfile($config{sourcedir},"include","openssl","opensslv.h");
+       open (IN, "$fn") || die "Can't open opensslv.h";
+
+       while(<IN>) {
+               if (/OPENSSL_VERSION_TEXT\s+"OpenSSL (\d\.\d\.)(\d[a-z]*)(-| )/) {
+                       my $suffix = $2;
+                       (my $baseversion = $1) =~ s/\./_/g;
+                       close IN;
+                       return ($baseversion."0", $baseversion.$suffix);
+               }
+       }
+       die "Can't find OpenSSL version number\n";
+}
+
+#Given an OpenSSL version number, calculate the next version number. If the
+#version number gets to a.b.czz then we go to a.b.(c+1)
+sub get_next_version()
+{
+       my $thisversion = shift;
+
+       my ($base, $letter) = $thisversion =~ /^(\d_\d_\d)([a-z]{0,2})$/;
+
+       if ($letter eq "zz") {
+               my $lastnum = substr($base, -1);
+               return substr($base, 0, length($base)-1).(++$lastnum);
+       }
+       return $base.get_next_letter($letter);
+}
+
+#Given the letters off the end of an OpenSSL version string, calculate what
+#the letters for the next release would be.
+sub get_next_letter()
+{
+       my $thisletter = shift;
+       my $baseletter = "";
+       my $endletter;
+
+       if ($thisletter eq "") {
+               return "a";
+       }
+       if ((length $thisletter) > 1) {
+               ($baseletter, $endletter) = $thisletter =~ /([a-z]+)([a-z])/;
+       } else {
+               $endletter = $thisletter;
+       }
+
+       if ($endletter eq "z") {
+               return $thisletter."a";
+       } else {
+               return $baseletter.(++$endletter);
+       }
+}
+
+#Check if a version is less than or equal to the current version. Its a fatal
+#error if not. They must also only differ in letters, or the last number (i.e.
+#the first two numbers must be the same)
+sub check_version_lte()
+{
+       my ($testversion, $currversion) = @_;
+       my $lentv;
+       my $lencv;
+       my $cvbase;
+
+       my ($cvnums) = $currversion =~ /^(\d_\d_\d)[a-z]*$/;
+       my ($tvnums) = $testversion =~ /^(\d_\d_\d)[a-z]*$/;
+
+       #Die if we can't parse the version numbers or they don't look sane
+       die "Invalid version number: $testversion and $currversion\n"
+               if (!defined($cvnums) || !defined($tvnums)
+                       || length($cvnums) != 5
+                       || length($tvnums) != 5);
+
+       #If the base versions (without letters) don't match check they only differ
+       #in the last number
+       if ($cvnums ne $tvnums) {
+               die "Invalid version number: $testversion "
+                       ."for current version $currversion\n"
+                       if (substr($cvnums, 0, 4) ne substr($tvnums, 0, 4));
+               return;
+       }
+       #If we get here then the base version (i.e. the numbers) are the same - they
+       #only differ in the letters
+
+       $lentv = length $testversion;
+       $lencv = length $currversion;
+
+       #If the testversion has more letters than the current version then it must
+       #be later (or malformed)
+       if ($lentv > $lencv) {
+               die "Invalid version number: $testversion "
+                       ."is greater than $currversion\n";
+       }
+
+       #Get the last letter from the current version
+       my ($cvletter) = $currversion =~ /([a-z])$/;
+       if (defined $cvletter) {
+               ($cvbase) = $currversion =~ /(\d_\d_\d[a-z]*)$cvletter$/;
+       } else {
+               $cvbase = $currversion;
+       }
+       die "Unable to parse version number $currversion" if (!defined $cvbase);
+       my $tvbase;
+       my ($tvletter) = $testversion =~ /([a-z])$/;
+       if (defined $tvletter) {
+               ($tvbase) = $testversion =~ /(\d_\d_\d[a-z]*)$tvletter$/;
+       } else {
+               $tvbase = $testversion;
+       }
+       die "Unable to parse version number $testversion" if (!defined $tvbase);
+
+       if ($lencv > $lentv) {
+               #If current version has more letters than testversion then testversion
+               #minus the final letter must be a substring of the current version
+               die "Invalid version number $testversion "
+                       ."is greater than $currversion or is invalid\n"
+                       if (index($cvbase, $tvbase) != 0);
+       } else {
+               #If both versions have the same number of letters then they must be
+               #equal up to the last letter, and the last letter in testversion must
+               #be less than or equal to the last letter in current version.
+               die "Invalid version number $testversion "
+                       ."is greater than $currversion\n"
+                       if (($cvbase ne $tvbase) && ($tvletter gt $cvletter));
+       }
+}
+
+sub do_deprecated()
+{
+       my ($decl, $plats, $algs) = @_;
+       $decl =~ /^\s*(DEPRECATEDIN_\d+_\d+_\d+)\s*\((.*)\)\s*$/
+            or die "Bad DEPRECTEDIN: $decl\n";
+       my $info1 .= "#INFO:";
+       $info1 .= join(',', @{$plats}) . ":";
+       my $info2 = $info1;
+       $info1 .= join(',',@{$algs}, $1) . ";";
+       $info2 .= join(',',@{$algs}) . ";";
+       return $info1 . $2 . ";" . $info2;
+}