Type-checked (and modern C compliant) OBJ_bsearch.
diff --git a/CHANGES b/CHANGES
index ecead77..0a087c1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,11 @@
 
  Changes between 0.9.8j and 0.9.9  [xx XXX xxxx]
 
+  *) Type-checked OBJ_bsearch. Also some constification necessitated
+     by type-checking.  Still to come: TXT_DB, bsearch(?),
+     OBJ_bsearch_ex, qsort, CRYPTO_EX_DATA, ASN1_VALUE, ASN1_STRING,
+     CONF_VALUE.  [Ben Laurie]
+
   *) New function OPENSSL_gmtime_adj() to add a specific number of days and
      seconds to a tm structure directly, instead of going through OS
      specific date routines. This avoids any issues with OS routines such
diff --git a/Configure b/Configure
index aa396e0..77b13e4 100755
--- a/Configure
+++ b/Configure
@@ -164,6 +164,7 @@
 "debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
 "debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
 "debug-ben-debug",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::::",
+"debug-ben-no-opt",	"gcc: -Wall -Wmissing-prototypes -Wstrict-prototypes -Wmissing-declarations -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG -Werror -DL_ENDIAN -DTERMIOS -Wall -g3::(unknown)::::::",
 "debug-ben-strict",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::",
 "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
 "debug-bodo",	"gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -march=i486 -pedantic -Wshadow -Wall::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
diff --git a/apps/s_client.c b/apps/s_client.c
index 776196e..12e5c40 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -1531,7 +1531,7 @@
 	char buf[BUFSIZ];
 	STACK_OF(X509) *sk;
 	STACK_OF(X509_NAME) *sk2;
-	SSL_CIPHER *c;
+	const SSL_CIPHER *c;
 	X509_NAME *xn;
 	int j,i;
 #ifndef OPENSSL_NO_COMP
diff --git a/apps/s_server.c b/apps/s_server.c
index 27e520a..c95057a 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -2182,7 +2182,7 @@
 	int ret=1;
 	int i,j,k,blank,dot;
 	SSL *con;
-	SSL_CIPHER *c;
+	const SSL_CIPHER *c;
 	BIO *io,*ssl_bio,*sbio;
 	long total_bytes;
 
diff --git a/crypto/asn1/a_strnid.c b/crypto/asn1/a_strnid.c
index ecf1d60..f0d5416 100644
--- a/crypto/asn1/a_strnid.c
+++ b/crypto/asn1/a_strnid.c
@@ -67,7 +67,6 @@
 static void st_free(ASN1_STRING_TABLE *tbl);
 static int sk_table_cmp(const ASN1_STRING_TABLE * const *a,
 			const ASN1_STRING_TABLE * const *b);
-static int table_cmp(const void *a, const void *b);
 
 
 /* This is the global mask for the mbstring functions: this is use to
@@ -186,22 +185,25 @@
 	return (*a)->nid - (*b)->nid;
 }
 
-static int table_cmp(const void *a, const void *b)
+DECLARE_OBJ_BSEARCH_CMP_FN(ASN1_STRING_TABLE, ASN1_STRING_TABLE, table_cmp);
+
+static int table_cmp(const ASN1_STRING_TABLE *a, const ASN1_STRING_TABLE *b)
 {
-	const ASN1_STRING_TABLE *sa = a, *sb = b;
-	return sa->nid - sb->nid;
+	return a->nid - b->nid;
 }
 
+IMPLEMENT_OBJ_BSEARCH_CMP_FN(ASN1_STRING_TABLE, ASN1_STRING_TABLE, table_cmp);
+
 ASN1_STRING_TABLE *ASN1_STRING_TABLE_get(int nid)
 {
 	int idx;
 	ASN1_STRING_TABLE *ttmp;
 	ASN1_STRING_TABLE fnd;
 	fnd.nid = nid;
-	ttmp = (ASN1_STRING_TABLE *) OBJ_bsearch((char *)&fnd,
-					(char *)tbl_standard, 
-			sizeof(tbl_standard)/sizeof(ASN1_STRING_TABLE),
-			sizeof(ASN1_STRING_TABLE), table_cmp);
+	ttmp = OBJ_bsearch(ASN1_STRING_TABLE, &fnd,
+			   ASN1_STRING_TABLE, tbl_standard, 
+			   sizeof(tbl_standard)/sizeof(ASN1_STRING_TABLE),
+			   table_cmp);
 	if(ttmp) return ttmp;
 	if(!stable) return NULL;
 	idx = sk_ASN1_STRING_TABLE_find(stable, &fnd);
diff --git a/crypto/asn1/ameth_lib.c b/crypto/asn1/ameth_lib.c
index 47cbdd2..300195b 100644
--- a/crypto/asn1/ameth_lib.c
+++ b/crypto/asn1/ameth_lib.c
@@ -112,12 +112,18 @@
 	}
 #endif
 
+DECLARE_OBJ_BSEARCH_CMP_FN(EVP_PKEY_ASN1_METHOD *,
+			   const EVP_PKEY_ASN1_METHOD *, ameth_cmp);
+
 static int ameth_cmp(const EVP_PKEY_ASN1_METHOD * const *a,
-                const EVP_PKEY_ASN1_METHOD * const *b)
+		     const EVP_PKEY_ASN1_METHOD * const *b)
 	{
         return ((*a)->pkey_id - (*b)->pkey_id);
 	}
 
+IMPLEMENT_OBJ_BSEARCH_CMP_FN(EVP_PKEY_ASN1_METHOD *,
+			     const EVP_PKEY_ASN1_METHOD *, ameth_cmp);
+
 int EVP_PKEY_asn1_get_count(void)
 	{
 	int num = sizeof(standard_methods)/sizeof(EVP_PKEY_ASN1_METHOD *);
@@ -139,7 +145,8 @@
 
 static const EVP_PKEY_ASN1_METHOD *pkey_asn1_find(int type)
 	{
-	EVP_PKEY_ASN1_METHOD tmp, *t = &tmp, **ret;
+	EVP_PKEY_ASN1_METHOD tmp, *t = &tmp;
+	const EVP_PKEY_ASN1_METHOD **ret;
 	tmp.pkey_id = type;
 	if (app_methods)
 		{
@@ -148,11 +155,11 @@
 		if (idx >= 0)
 			return sk_EVP_PKEY_ASN1_METHOD_value(app_methods, idx);
 		}
-	ret = (EVP_PKEY_ASN1_METHOD **) OBJ_bsearch((char *)&t,
-        		(char *)standard_methods,
-			sizeof(standard_methods)/sizeof(EVP_PKEY_ASN1_METHOD *),
-        		sizeof(EVP_PKEY_ASN1_METHOD *),
-			(int (*)(const void *, const void *))ameth_cmp);
+	ret = OBJ_bsearch(EVP_PKEY_ASN1_METHOD *, &t,
+			  const EVP_PKEY_ASN1_METHOD *, standard_methods,
+			  sizeof(standard_methods)
+			  /sizeof(EVP_PKEY_ASN1_METHOD *),
+			  ameth_cmp);
 	if (!ret || !*ret)
 		return NULL;
 	return *ret;
diff --git a/crypto/evp/evp_pbe.c b/crypto/evp/evp_pbe.c
index 8fecd34..7d6a502 100644
--- a/crypto/evp/evp_pbe.c
+++ b/crypto/evp/evp_pbe.c
@@ -189,10 +189,10 @@
 	return 1;	
 }
 
-static int pbe_cmp2(const void *a, const void *b)
+DECLARE_OBJ_BSEARCH_CMP_FN(EVP_PBE_CTL, EVP_PBE_CTL, pbe_cmp2);
+
+static int pbe_cmp2(const EVP_PBE_CTL *pbe1, const EVP_PBE_CTL *pbe2)
 	{
-	const EVP_PBE_CTL *pbe1 = a;
-	const EVP_PBE_CTL *pbe2 = b;
 	int ret = pbe1->pbe_type - pbe2->pbe_type;
 	if (ret)
 		return ret;
@@ -200,6 +200,8 @@
 		return pbe1->pbe_nid - pbe2->pbe_nid;
 	}
 
+IMPLEMENT_OBJ_BSEARCH_CMP_FN(EVP_PBE_CTL, EVP_PBE_CTL, pbe_cmp2);
+
 static int pbe_cmp(const EVP_PBE_CTL * const *a, const EVP_PBE_CTL * const *b)
 	{
 	int ret = (*a)->pbe_type - (*b)->pbe_type;
@@ -269,11 +271,10 @@
 		}
 	if (pbetmp == NULL)
 		{
-		pbetmp = (EVP_PBE_CTL *) OBJ_bsearch((char *)&pbelu,
-        		(char *)builtin_pbe,
-			sizeof(builtin_pbe)/sizeof(EVP_PBE_CTL),
-        		sizeof(EVP_PBE_CTL),
-			pbe_cmp2);
+		pbetmp = OBJ_bsearch(EVP_PBE_CTL, &pbelu,
+				     EVP_PBE_CTL, builtin_pbe,
+				     sizeof(builtin_pbe)/sizeof(EVP_PBE_CTL),
+				     pbe_cmp2);
 		}
 	if (pbetmp == NULL)
 		return 0;
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
index 765a6c0..3fd11cb 100644
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
@@ -84,15 +84,22 @@
 	&hmac_pkey_meth,
 	};
 
+DECLARE_OBJ_BSEARCH_CMP_FN(EVP_PKEY_METHOD *, const EVP_PKEY_METHOD *,
+			   pmeth_cmp);
+
 static int pmeth_cmp(const EVP_PKEY_METHOD * const *a,
-                const EVP_PKEY_METHOD * const *b)
+		     const EVP_PKEY_METHOD * const *b)
 	{
         return ((*a)->pkey_id - (*b)->pkey_id);
 	}
 
+IMPLEMENT_OBJ_BSEARCH_CMP_FN(EVP_PKEY_METHOD *, const EVP_PKEY_METHOD *,
+			     pmeth_cmp);
+
 const EVP_PKEY_METHOD *EVP_PKEY_meth_find(int type)
 	{
-	EVP_PKEY_METHOD tmp, *t = &tmp, **ret;
+	EVP_PKEY_METHOD tmp, *t = &tmp;
+	const EVP_PKEY_METHOD **ret;
 	tmp.pkey_id = type;
 	if (app_pkey_methods)
 		{
@@ -101,11 +108,10 @@
 		if (idx >= 0)
 			return sk_EVP_PKEY_METHOD_value(app_pkey_methods, idx);
 		}
-	ret = (EVP_PKEY_METHOD **) OBJ_bsearch((char *)&t,
-        		(char *)standard_methods,
-			sizeof(standard_methods)/sizeof(EVP_PKEY_METHOD *),
-        		sizeof(EVP_PKEY_METHOD *),
-			(int (*)(const void *, const void *))pmeth_cmp);
+	ret = OBJ_bsearch(EVP_PKEY_METHOD *, &t,
+			  const EVP_PKEY_METHOD *, standard_methods,
+			  sizeof(standard_methods)/sizeof(EVP_PKEY_METHOD *),
+			  pmeth_cmp);
 	if (!ret || !*ret)
 		return NULL;
 	return *ret;
diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c
index db88f5f..acb6bcf 100644
--- a/crypto/objects/obj_dat.c
+++ b/crypto/objects/obj_dat.c
@@ -81,9 +81,10 @@
 static const unsigned int obj_objs[1];
 #endif
 
-static int sn_cmp(const void *a, const void *b);
-static int ln_cmp(const void *a, const void *b);
-static int obj_cmp(const void *a, const void *b);
+DECLARE_OBJ_BSEARCH_CMP_FN(const ASN1_OBJECT *, const unsigned int, sn_cmp);
+DECLARE_OBJ_BSEARCH_CMP_FN(const ASN1_OBJECT *, const unsigned int, ln_cmp);
+DECLARE_OBJ_BSEARCH_CMP_FN(const ASN1_OBJECT *, const unsigned int, obj_cmp);
+
 #define ADDED_DATA	0
 #define ADDED_SNAME	1
 #define ADDED_LNAME	2
@@ -99,19 +100,15 @@
 static int new_nid=NUM_NID;
 static LHASH_OF(ADDED_OBJ) *added=NULL;
 
-static int sn_cmp(const void *a, const void *b)
-	{
-	const ASN1_OBJECT * const *ap = a;
-	const unsigned int *bp = b;
-	return(strcmp((*ap)->sn,nid_objs[*bp].sn));
-	}
+static int sn_cmp(const ASN1_OBJECT * const *a, const unsigned int *b)
+	{ return(strcmp((*a)->sn,nid_objs[*b].sn)); }
 
-static int ln_cmp(const void *a, const void *b)
-	{ 
-	const ASN1_OBJECT * const *ap = a;
-	const unsigned int *bp = b;
-	return(strcmp((*ap)->ln,nid_objs[*bp].ln));
-	}
+IMPLEMENT_OBJ_BSEARCH_CMP_FN(const ASN1_OBJECT *, const unsigned int, sn_cmp)
+
+static int ln_cmp(const ASN1_OBJECT * const *a, const unsigned int *b)
+	{ return(strcmp((*a)->ln,nid_objs[*b].ln)); }
+
+IMPLEMENT_OBJ_BSEARCH_CMP_FN(const ASN1_OBJECT *, const unsigned int, ln_cmp)
 
 static unsigned long added_obj_hash(const ADDED_OBJ *ca)
 	{
@@ -385,6 +382,19 @@
 		}
 	}
 
+static int obj_cmp(const ASN1_OBJECT * const *ap, const unsigned int *bp)
+	{
+	int j;
+	const ASN1_OBJECT *a= *ap;
+	const ASN1_OBJECT *b= &nid_objs[*bp];
+
+	j=(a->length - b->length);
+        if (j) return(j);
+	return(memcmp(a->data,b->data,a->length));
+	}
+
+IMPLEMENT_OBJ_BSEARCH_CMP_FN(const ASN1_OBJECT *, const unsigned int, obj_cmp)
+
 int OBJ_obj2nid(const ASN1_OBJECT *a)
 	{
 	const unsigned int *op;
@@ -402,8 +412,8 @@
 		adp=lh_ADDED_OBJ_retrieve(added,&ad);
 		if (adp != NULL) return (adp->obj->nid);
 		}
-	op=(const unsigned int *)OBJ_bsearch((const char *)&a,(const char *)obj_objs,
-		NUM_OBJ, sizeof(obj_objs[0]),obj_cmp);
+	op=OBJ_bsearch(const ASN1_OBJECT *, &a, const unsigned int, obj_objs,
+		       NUM_OBJ, obj_cmp);
 	if (op == NULL)
 		return(NID_undef);
 	return(nid_objs[*op].nid);
@@ -625,7 +635,8 @@
 
 int OBJ_ln2nid(const char *s)
 	{
-	ASN1_OBJECT o,*oo= &o;
+	ASN1_OBJECT o;
+	const ASN1_OBJECT *oo= &o;
 	ADDED_OBJ ad,*adp;
 	const unsigned int *op;
 
@@ -637,15 +648,16 @@
 		adp=lh_ADDED_OBJ_retrieve(added,&ad);
 		if (adp != NULL) return (adp->obj->nid);
 		}
-	op=(const unsigned int*)OBJ_bsearch((char *)&oo,(char *)ln_objs, NUM_LN,
-		sizeof(ln_objs[0]),ln_cmp);
+	op=OBJ_bsearch(const ASN1_OBJECT *, &oo, const unsigned int, ln_objs,
+				   NUM_LN, ln_cmp);
 	if (op == NULL) return(NID_undef);
 	return(nid_objs[*op].nid);
 	}
 
 int OBJ_sn2nid(const char *s)
 	{
-	ASN1_OBJECT o,*oo= &o;
+	ASN1_OBJECT o;
+	const ASN1_OBJECT *oo= &o;
 	ADDED_OBJ ad,*adp;
 	const unsigned int *op;
 
@@ -657,32 +669,22 @@
 		adp=lh_ADDED_OBJ_retrieve(added,&ad);
 		if (adp != NULL) return (adp->obj->nid);
 		}
-	op=(const unsigned int *)OBJ_bsearch((char *)&oo,(char *)sn_objs,NUM_SN,
-		sizeof(sn_objs[0]),sn_cmp);
+	op=OBJ_bsearch(const ASN1_OBJECT *, &oo, const unsigned int, sn_objs,
+				   NUM_SN, sn_cmp);
 	if (op == NULL) return(NID_undef);
 	return(nid_objs[*op].nid);
 	}
 
-static int obj_cmp(const void *ap, const void *bp)
-	{
-	int j;
-	const ASN1_OBJECT *a= *(ASN1_OBJECT * const *)ap;
-	const ASN1_OBJECT *b= &nid_objs[*((const unsigned int *)bp)];
-
-	j=(a->length - b->length);
-        if (j) return(j);
-	return(memcmp(a->data,b->data,a->length));
-        }
-
-const char *OBJ_bsearch(const char *key, const char *base, int num, int size,
-	int (*cmp)(const void *, const void *))
+const void *OBJ_bsearch_(const void *key, const void *base, int num, int size,
+			 int (*cmp)(const void *, const void *))
 	{
 	return OBJ_bsearch_ex(key, base, num, size, cmp, 0);
 	}
 
-const char *OBJ_bsearch_ex(const char *key, const char *base, int num,
+const void *OBJ_bsearch_ex(const void *key, const void *base_, int num,
 	int size, int (*cmp)(const void *, const void *), int flags)
 	{
+	const char *base=base_;
 	int l,h,i=0,c=0;
 	const char *p = NULL;
 
diff --git a/crypto/objects/obj_xref.c b/crypto/objects/obj_xref.c
index 4ebaa1c..3e85e7a 100644
--- a/crypto/objects/obj_xref.c
+++ b/crypto/objects/obj_xref.c
@@ -64,28 +64,35 @@
 
 static int cmp_sig(const nid_triple *a, const nid_triple *b)
 	{
-	return **a - **b;
+	return a->sign_id - b->sign_id;
 	}
 
+DECLARE_OBJ_BSEARCH_CMP_FN(const nid_triple, const nid_triple, cmp_sig);
+IMPLEMENT_OBJ_BSEARCH_CMP_FN(const nid_triple, const nid_triple, cmp_sig)
+
 static int cmp_sig_sk(const nid_triple * const *a, const nid_triple * const *b)
 	{
-	return ***a - ***b;
+	return (*a)->sign_id - (*b)->sign_id;
 	}
 
+DECLARE_OBJ_BSEARCH_CMP_FN(const nid_triple *, const nid_triple *, cmp_sigx);
+
 static int cmp_sigx(const nid_triple * const *a, const nid_triple * const *b)
 	{
 	int ret;
-	ret = (**a)[1] - (**b)[1];
+	ret = (*a)->hash_id - (*b)->hash_id;
 	if (ret)
 		return ret;
-	return (**a)[2] - (**b)[2];
+	return (*a)->pkey_id - (*b)->pkey_id;
 	}
 
+IMPLEMENT_OBJ_BSEARCH_CMP_FN(const nid_triple *, const nid_triple *, cmp_sigx)
 
 int OBJ_find_sigid_algs(int signid, int *pdig_nid, int *ppkey_nid)
 	{
-	nid_triple tmp, *rv = NULL;
-	tmp[0] = signid;
+	nid_triple tmp;
+	const nid_triple *rv = NULL;
+	tmp.sign_id = signid;
 
 	if (sig_app)
 		{
@@ -97,25 +104,27 @@
 #ifndef OBJ_XREF_TEST2
 	if (rv == NULL)
 		{
-		rv = (nid_triple *)OBJ_bsearch((char *)&tmp,
-				(char *)sigoid_srt,
-				sizeof(sigoid_srt) / sizeof(nid_triple),
-				sizeof(nid_triple),
-				(int (*)(const void *, const void *))cmp_sig);
+		rv = OBJ_bsearch(const nid_triple,&tmp,
+				 const nid_triple,sigoid_srt,
+				 sizeof(sigoid_srt) / sizeof(nid_triple),
+				 cmp_sig);
 		}
 #endif
 	if (rv == NULL)
 		return 0;
-	*pdig_nid = (*rv)[1];
-	*ppkey_nid = (*rv)[2];
+	*pdig_nid = rv->hash_id;
+	*ppkey_nid = rv->pkey_id;
 	return 1;
 	}
 
 int OBJ_find_sigid_by_algs(int *psignid, int dig_nid, int pkey_nid)
 	{
-	nid_triple tmp, *t=&tmp, **rv = NULL;
-	tmp[1] = dig_nid;
-	tmp[2] = pkey_nid;
+	nid_triple tmp;
+	const nid_triple const *t=&tmp;
+	const nid_triple **rv = NULL;
+
+	tmp.hash_id = dig_nid;
+	tmp.pkey_id = pkey_nid;
 
 	if (sigx_app)
 		{
@@ -130,16 +139,15 @@
 #ifndef OBJ_XREF_TEST2
 	if (rv == NULL)
 		{
-		rv = (nid_triple **)OBJ_bsearch((char *)&t,
-				(char *)sigoid_srt_xref,
-				sizeof(sigoid_srt_xref) / sizeof(nid_triple *),
-				sizeof(nid_triple *),
-				(int (*)(const void *, const void *))cmp_sigx);
+		rv = OBJ_bsearch(const nid_triple *,&t,
+				 const nid_triple *,sigoid_srt_xref,
+				 sizeof(sigoid_srt_xref) / sizeof(nid_triple *),
+				 cmp_sigx);
 		}
 #endif
 	if (rv == NULL)
 		return 0;
-	*psignid = (**rv)[0];
+	*psignid = (*rv)->sign_id;
 	return 1;
 	}
 
@@ -157,9 +165,9 @@
 	ntr = OPENSSL_malloc(sizeof(int) * 3);
 	if (!ntr)
 		return 0;
-	(*ntr)[0] = signid;
-	(*ntr)[1] = dig_id;
-	(*ntr)[2] = pkey_id;
+	ntr->sign_id = signid;
+	ntr->hash_id = dig_id;
+	ntr->pkey_id = pkey_id;
 
 	if (!sk_nid_triple_push(sig_app, ntr))
 		{
diff --git a/crypto/objects/obj_xref.h b/crypto/objects/obj_xref.h
deleted file mode 100644
index c139d3a..0000000
--- a/crypto/objects/obj_xref.h
+++ /dev/null
@@ -1,69 +0,0 @@
-
-typedef int nid_triple[3];
-
-static const nid_triple sigoid_srt[] =
-	{
-	{NID_md2WithRSAEncryption, NID_md2, NID_rsaEncryption},
-	{NID_md5WithRSAEncryption, NID_md5, NID_rsaEncryption},
-	{NID_shaWithRSAEncryption, NID_sha, NID_rsaEncryption},
-	{NID_sha1WithRSAEncryption, NID_sha1, NID_rsaEncryption},
-	{NID_dsaWithSHA, NID_sha, NID_dsa},
-	{NID_dsaWithSHA1_2, NID_sha1, NID_dsa_2},
-	{NID_mdc2WithRSA, NID_mdc2, NID_rsaEncryption},
-	{NID_md5WithRSA, NID_md5, NID_rsa},
-	{NID_dsaWithSHA1, NID_sha1, NID_dsa},
-	{NID_sha1WithRSA, NID_sha1, NID_rsa},
-	{NID_ripemd160WithRSA, NID_ripemd160, NID_rsaEncryption},
-	{NID_md4WithRSAEncryption, NID_md4, NID_rsaEncryption},
-	{NID_ecdsa_with_SHA1, NID_sha1, NID_X9_62_id_ecPublicKey},
-	{NID_sha256WithRSAEncryption, NID_sha256, NID_rsaEncryption},
-	{NID_sha384WithRSAEncryption, NID_sha384, NID_rsaEncryption},
-	{NID_sha512WithRSAEncryption, NID_sha512, NID_rsaEncryption},
-	{NID_sha224WithRSAEncryption, NID_sha224, NID_rsaEncryption},
-	{NID_ecdsa_with_Recommended, NID_undef, NID_X9_62_id_ecPublicKey},
-	{NID_ecdsa_with_Specified, NID_undef, NID_X9_62_id_ecPublicKey},
-	{NID_ecdsa_with_SHA224, NID_sha224, NID_X9_62_id_ecPublicKey},
-	{NID_ecdsa_with_SHA256, NID_sha256, NID_X9_62_id_ecPublicKey},
-	{NID_ecdsa_with_SHA384, NID_sha384, NID_X9_62_id_ecPublicKey},
-	{NID_ecdsa_with_SHA512, NID_sha512, NID_X9_62_id_ecPublicKey},
-	{NID_dsa_with_SHA224, NID_sha224, NID_dsa},
-	{NID_dsa_with_SHA256, NID_sha256, NID_dsa},
-	{NID_id_GostR3411_94_with_GostR3410_2001, NID_id_GostR3411_94, NID_id_GostR3410_2001},
-	{NID_id_GostR3411_94_with_GostR3410_94, NID_id_GostR3411_94, NID_id_GostR3410_94},
-	{NID_id_GostR3411_94_with_GostR3410_94_cc, NID_id_GostR3411_94, NID_id_GostR3410_94_cc},
-	{NID_id_GostR3411_94_with_GostR3410_2001_cc, NID_id_GostR3411_94, NID_id_GostR3410_2001_cc},
-	};
-
-static const nid_triple * const sigoid_srt_xref[] =
-	{
-	&sigoid_srt[17],
-	&sigoid_srt[18],
-	&sigoid_srt[0],
-	&sigoid_srt[1],
-	&sigoid_srt[7],
-	&sigoid_srt[2],
-	&sigoid_srt[4],
-	&sigoid_srt[3],
-	&sigoid_srt[9],
-	&sigoid_srt[5],
-	&sigoid_srt[8],
-	&sigoid_srt[12],
-	&sigoid_srt[6],
-	&sigoid_srt[10],
-	&sigoid_srt[11],
-	&sigoid_srt[13],
-	&sigoid_srt[24],
-	&sigoid_srt[20],
-	&sigoid_srt[14],
-	&sigoid_srt[21],
-	&sigoid_srt[15],
-	&sigoid_srt[22],
-	&sigoid_srt[16],
-	&sigoid_srt[23],
-	&sigoid_srt[19],
-	&sigoid_srt[25],
-	&sigoid_srt[26],
-	&sigoid_srt[27],
-	&sigoid_srt[28],
-	};
-
diff --git a/crypto/objects/objects.h b/crypto/objects/objects.h
index 7d8cdc9..7dc1bf5 100644
--- a/crypto/objects/objects.h
+++ b/crypto/objects/objects.h
@@ -1011,10 +1011,68 @@
 int		OBJ_ln2nid(const char *s);
 int		OBJ_sn2nid(const char *s);
 int		OBJ_cmp(const ASN1_OBJECT *a,const ASN1_OBJECT *b);
-const char *	OBJ_bsearch(const char *key,const char *base,int num,int size,
-	int (*cmp)(const void *, const void *));
-const char *	OBJ_bsearch_ex(const char *key,const char *base,int num,
-	int size, int (*cmp)(const void *, const void *), int flags);
+const void *	OBJ_bsearch_(const void *key,const void *base,int num,int size,
+			     int (*cmp)(const void *, const void *));
+const void *	OBJ_bsearch_ex(const void *key,const void *base,int num,
+			       int size, int (*cmp)(const void *, const void *),
+			       int flags);
+
+#define _DECLARE_OBJ_BSEARCH_CMP_FN(scope, type1, type2, cmp)	\
+  scope type1 *cmp##_type_1; \
+  scope type2 *cmp##_type_2;					\
+  scope int cmp##_BSEARCH_CMP_FN(const void *, const void *);		\
+  scope int cmp(const type1 const *, const type2 const *);
+
+#define DECLARE_OBJ_BSEARCH_CMP_FN(type1, type2, cmp)	\
+  _DECLARE_OBJ_BSEARCH_CMP_FN(static, type1, type2, cmp)
+#define DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN(type1, type2, cmp)	\
+  _DECLARE_OBJ_BSEARCH_CMP_FN(, type1, type2, cmp)
+
+/*
+ * Unsolved problem: if a type is actually a pointer type, like
+ * nid_triple is, then its impossible to get a const where you need
+ * it. Consider:
+ *
+ * typedef int nid_triple[3];
+ * const void *a_;
+ * const nid_triple const *a = a_;
+ *
+ * The assignement discards a const because what you really want is:
+ *
+ * const int const * const *a = a_;
+ *
+ * But if you do that, you lose the fact that a is an array of 3 ints,
+ * which breaks comparison functions.
+ *
+ * Thus we end up having to cast, sadly, or unpack the
+ * declarations. Or, as I finally did in this case, delcare nid_triple
+ * to be a struct, which it should have been in the first place.
+ *
+ * Ben, August 2008.
+ *
+ * Also, strictly speaking not all types need be const, but handling
+ * the non-constness means a lot of complication, and in practice
+ * comparison routines do always not touch their arguments.
+ */
+#define _IMPLEMENT_OBJ_BSEARCH_CMP_FN(scope, type1, type2, cmp)	\
+  scope int cmp##_BSEARCH_CMP_FN(const void *a_, const void *b_)	\
+      { \
+      const type1 const *a = a_; \
+      const type2 const *b = b_; \
+      return cmp(a,b); \
+      }
+
+#define IMPLEMENT_OBJ_BSEARCH_CMP_FN(type1, type2, cmp) \
+  _IMPLEMENT_OBJ_BSEARCH_CMP_FN(static, type1, type2, cmp)
+#define IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(type1, type2, cmp)	\
+  _IMPLEMENT_OBJ_BSEARCH_CMP_FN(, type1, type2, cmp)
+
+#define OBJ_bsearch(type1,key,type2,base,num,cmp)			       \
+  ((type2 *)OBJ_bsearch_(CHECKED_PTR_OF(type1,key),CHECKED_PTR_OF(type2,base), \
+			 num,sizeof(type2),				\
+			 (cmp##_type_1=CHECKED_PTR_OF(type1,cmp##_type_1), \
+			  cmp##_type_2=CHECKED_PTR_OF(type2,cmp##_type_2), \
+			  cmp##_BSEARCH_CMP_FN)))
 
 int		OBJ_new_nid(int num);
 int		OBJ_add_object(const ASN1_OBJECT *obj);
diff --git a/crypto/objects/objxref.pl b/crypto/objects/objxref.pl
index 0dd360b..4a42924 100644
--- a/crypto/objects/objxref.pl
+++ b/crypto/objects/objxref.pl
@@ -50,8 +50,14 @@
 	
 
 print <<EOF;
+/* AUTOGENERATED BY $0, DO NOT EDIT */
 
-typedef int nid_triple[3];
+typedef struct
+	{
+	int sign_id;
+	int hash_id;
+	int pkey_id;
+	} nid_triple;
 
 static const nid_triple sigoid_srt[] =
 	{
diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c
index e9db6d6..9c37c4d 100644
--- a/crypto/x509/x509_vpm.c
+++ b/crypto/x509/x509_vpm.c
@@ -356,12 +356,17 @@
 
 static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL;
 
-static int table_cmp(const void *pa, const void *pb)
+static int table_cmp(const X509_VERIFY_PARAM *a, const X509_VERIFY_PARAM *b)
+
 	{
-	const X509_VERIFY_PARAM *a = pa, *b = pb;
 	return strcmp(a->name, b->name);
 	}
 
+DECLARE_OBJ_BSEARCH_CMP_FN(const X509_VERIFY_PARAM, const X509_VERIFY_PARAM,
+			   table_cmp);
+IMPLEMENT_OBJ_BSEARCH_CMP_FN(const X509_VERIFY_PARAM, const X509_VERIFY_PARAM,
+			     table_cmp);
+
 static int param_cmp(const X509_VERIFY_PARAM * const *a,
 			const X509_VERIFY_PARAM * const *b)
 	{
@@ -397,6 +402,7 @@
 	{
 	int idx;
 	X509_VERIFY_PARAM pm;
+
 	pm.name = (char *)name;
 	if (param_table)
 		{
@@ -404,11 +410,10 @@
 		if (idx != -1)
 			return sk_X509_VERIFY_PARAM_value(param_table, idx);
 		}
-	return (const X509_VERIFY_PARAM *) OBJ_bsearch((char *)&pm,
-				(char *)&default_table,
-				sizeof(default_table)/sizeof(X509_VERIFY_PARAM),
-				sizeof(X509_VERIFY_PARAM),
-				table_cmp);
+	return OBJ_bsearch(const X509_VERIFY_PARAM, &pm,
+			   const X509_VERIFY_PARAM, default_table,
+			   sizeof(default_table)/sizeof(X509_VERIFY_PARAM),
+			   table_cmp);
 	}
 
 void X509_VERIFY_PARAM_table_cleanup(void)
diff --git a/crypto/x509v3/ext_dat.h b/crypto/x509v3/ext_dat.h
index 59837a4..22a390a 100644
--- a/crypto/x509v3/ext_dat.h
+++ b/crypto/x509v3/ext_dat.h
@@ -73,7 +73,7 @@
  * order of the ext_nid values.
  */
 
-static X509V3_EXT_METHOD *standard_exts[] = {
+static const X509V3_EXT_METHOD *standard_exts[] = {
 &v3_nscert,
 &v3_ns_ia5_list[0],
 &v3_ns_ia5_list[1],
diff --git a/crypto/x509v3/v3_alt.c b/crypto/x509v3/v3_alt.c
index 2c2d6c4..55b4484 100644
--- a/crypto/x509v3/v3_alt.c
+++ b/crypto/x509v3/v3_alt.c
@@ -392,8 +392,8 @@
 	
 }
 
-GENERAL_NAMES *v2i_GENERAL_NAMES(X509V3_EXT_METHOD *method,
-				X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
+				 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
 {
 	GENERAL_NAME *gen;
 	GENERAL_NAMES *gens = NULL;
@@ -414,15 +414,15 @@
 	return NULL;
 }
 
-GENERAL_NAME *v2i_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-							 CONF_VALUE *cnf)
+GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+			       CONF_VALUE *cnf)
 	{
 	return v2i_GENERAL_NAME_ex(NULL, method, ctx, cnf, 0);
 	}
 
 GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
-				X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-				int gen_type, char *value, int is_nc)
+			       const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+			       int gen_type, char *value, int is_nc)
 	{
 	char is_string = 0;
 	GENERAL_NAME *gen = NULL;
@@ -518,8 +518,8 @@
 	}
 
 GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
-				X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-						 CONF_VALUE *cnf, int is_nc)
+				  const X509V3_EXT_METHOD *method,
+				  X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc)
 	{
 	int type;
 
diff --git a/crypto/x509v3/v3_conf.c b/crypto/x509v3/v3_conf.c
index e654ae7..df3b991 100644
--- a/crypto/x509v3/v3_conf.c
+++ b/crypto/x509v3/v3_conf.c
@@ -72,8 +72,8 @@
 static X509_EXTENSION *v3_generic_extension(const char *ext, char *value, int crit, int type, X509V3_CTX *ctx);
 static char *conf_lhash_get_string(void *db, char *section, char *value);
 static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section);
-static X509_EXTENSION *do_ext_i2d(X509V3_EXT_METHOD *method, int ext_nid,
-						 int crit, void *ext_struc);
+static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid,
+				  int crit, void *ext_struc);
 static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx, long *ext_len);
 /* CONF *conf:  Config file    */
 /* char *name:  Name    */
@@ -115,7 +115,7 @@
 static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
 				    int crit, char *value)
 	{
-	X509V3_EXT_METHOD *method;
+	const X509V3_EXT_METHOD *method;
 	X509_EXTENSION *ext;
 	STACK_OF(CONF_VALUE) *nval;
 	void *ext_struc;
@@ -172,7 +172,7 @@
 
 	}
 
-static X509_EXTENSION *do_ext_i2d(X509V3_EXT_METHOD *method, int ext_nid,
+static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid,
 				  int crit, void *ext_struc)
 	{
 	unsigned char *ext_der;
@@ -214,7 +214,7 @@
 
 X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc)
 	{
-	X509V3_EXT_METHOD *method;
+	const X509V3_EXT_METHOD *method;
 	if (!(method = X509V3_EXT_get_nid(ext_nid))) {
 		X509V3err(X509V3_F_X509V3_EXT_I2D,X509V3_R_UNKNOWN_EXTENSION);
 		return NULL;
diff --git a/crypto/x509v3/v3_crld.c b/crypto/x509v3/v3_crld.c
index 17a1fbf..c5e616c 100644
--- a/crypto/x509v3/v3_crld.c
+++ b/crypto/x509v3/v3_crld.c
@@ -63,10 +63,10 @@
 #include <openssl/asn1t.h>
 #include <openssl/x509v3.h>
 
-static void *v2i_crld(X509V3_EXT_METHOD *method,
-				X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
-static int i2r_crldp(X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
-								int indent);
+static void *v2i_crld(const X509V3_EXT_METHOD *method,
+		      X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
+		     int indent);
 
 const X509V3_EXT_METHOD v3_crld =
 	{
@@ -308,8 +308,8 @@
 	return NULL;
 	}
 
-static void *v2i_crld(X509V3_EXT_METHOD *method,
-				X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+static void *v2i_crld(const X509V3_EXT_METHOD *method,
+		      X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
 	{
 	STACK_OF(DIST_POINT) *crld = NULL;
 	GENERAL_NAMES *gens = NULL;
@@ -426,10 +426,10 @@
 
 IMPLEMENT_ASN1_FUNCTIONS(ISSUING_DIST_POINT)
 
-static int i2r_idp(X509V3_EXT_METHOD *method,
-	     void *pidp, BIO *out, int indent);
-static void *v2i_idp(X509V3_EXT_METHOD *method,
-				X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+static int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out,
+		   int indent);
+static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+		     STACK_OF(CONF_VALUE) *nval);
 
 const X509V3_EXT_METHOD v3_idp =
 	{
@@ -443,8 +443,8 @@
 	NULL
 	};
 
-static void *v2i_idp(X509V3_EXT_METHOD *method,
-				X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+		     STACK_OF(CONF_VALUE) *nval)
 	{
 	ISSUING_DIST_POINT *idp = NULL;
 	CONF_VALUE *cnf;
@@ -535,7 +535,8 @@
 	return 1;
 	}
 
-static int i2r_idp(X509V3_EXT_METHOD *method, void *pidp, BIO *out, int indent)
+static int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out,
+		   int indent)
 	{
 	ISSUING_DIST_POINT *idp = pidp;
 	if (idp->distpoint)
@@ -559,8 +560,8 @@
 	return 1;
 	}
 
-static int i2r_crldp(X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
-								int indent)
+static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
+		     int indent)
 	{
 	STACK_OF(DIST_POINT) *crld = pcrldp;
 	DIST_POINT *point;
diff --git a/crypto/x509v3/v3_extku.c b/crypto/x509v3/v3_extku.c
index a4efe00..4e968b9 100644
--- a/crypto/x509v3/v3_extku.c
+++ b/crypto/x509v3/v3_extku.c
@@ -63,9 +63,10 @@
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
 
-static void *v2i_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method,
-				X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
-static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method,
+static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
+				    X509V3_CTX *ctx,
+				    STACK_OF(CONF_VALUE) *nval);
+static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
 		void *eku, STACK_OF(CONF_VALUE) *extlist);
 
 const X509V3_EXT_METHOD v3_ext_ku = {
@@ -97,8 +98,9 @@
 
 IMPLEMENT_ASN1_FUNCTIONS(EXTENDED_KEY_USAGE)
 
-static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method,
-		void *a, STACK_OF(CONF_VALUE) *ext_list)
+static STACK_OF(CONF_VALUE) *
+  i2v_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method, void *a,
+			 STACK_OF(CONF_VALUE) *ext_list)
 {
 	EXTENDED_KEY_USAGE *eku = a;
 	int i;
@@ -112,8 +114,8 @@
 	return ext_list;
 }
 
-static void *v2i_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method,
-				X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
+				    X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
 {
 	EXTENDED_KEY_USAGE *extku;
 	char *extval;
diff --git a/crypto/x509v3/v3_lib.c b/crypto/x509v3/v3_lib.c
index f3015ea..3ad5b29 100644
--- a/crypto/x509v3/v3_lib.c
+++ b/crypto/x509v3/v3_lib.c
@@ -84,20 +84,26 @@
 }
 
 static int ext_cmp(const X509V3_EXT_METHOD * const *a,
-		const X509V3_EXT_METHOD * const *b)
+		   const X509V3_EXT_METHOD * const *b)
 {
 	return ((*a)->ext_nid - (*b)->ext_nid);
 }
 
-X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid)
+DECLARE_OBJ_BSEARCH_CMP_FN(const X509V3_EXT_METHOD *, const X509V3_EXT_METHOD *,
+			   ext_cmp);
+IMPLEMENT_OBJ_BSEARCH_CMP_FN(const X509V3_EXT_METHOD *,
+			     const X509V3_EXT_METHOD *, ext_cmp);
+
+const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid)
 {
-	X509V3_EXT_METHOD tmp, *t = &tmp, **ret;
+	X509V3_EXT_METHOD tmp;
+	const X509V3_EXT_METHOD *t = &tmp, * const *ret;
 	int idx;
 	if(nid < 0) return NULL;
 	tmp.ext_nid = nid;
-	ret = (X509V3_EXT_METHOD **) OBJ_bsearch((char *)&t,
-			(char *)standard_exts, STANDARD_EXTENSION_COUNT,
-			sizeof(X509V3_EXT_METHOD *), (int (*)(const void *, const void *))ext_cmp);
+	ret = OBJ_bsearch(const X509V3_EXT_METHOD *, &t,
+			  const X509V3_EXT_METHOD *, standard_exts,
+			  STANDARD_EXTENSION_COUNT, ext_cmp);
 	if(ret) return *ret;
 	if(!ext_list) return NULL;
 	idx = sk_X509V3_EXT_METHOD_find(ext_list, &tmp);
@@ -105,7 +111,7 @@
 	return sk_X509V3_EXT_METHOD_value(ext_list, idx);
 }
 
-X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext)
+const X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext)
 {
 	int nid;
 	if((nid = OBJ_obj2nid(ext->object)) == NID_undef) return NULL;
@@ -122,7 +128,9 @@
 
 int X509V3_EXT_add_alias(int nid_to, int nid_from)
 {
-	X509V3_EXT_METHOD *ext, *tmpext;
+	const X509V3_EXT_METHOD *ext;
+	X509V3_EXT_METHOD *tmpext;
+
 	if(!(ext = X509V3_EXT_get_nid(nid_from))) {
 		X509V3err(X509V3_F_X509V3_EXT_ADD_ALIAS,X509V3_R_EXTENSION_NOT_FOUND);
 		return 0;
@@ -161,7 +169,7 @@
 
 void *X509V3_EXT_d2i(X509_EXTENSION *ext)
 {
-	X509V3_EXT_METHOD *method;
+	const X509V3_EXT_METHOD *method;
 	const unsigned char *p;
 
 	if(!(method = X509V3_EXT_get(ext))) return NULL;
diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509v3/v3_ncons.c
index 9a99cb2..452437d 100644
--- a/crypto/x509v3/v3_ncons.c
+++ b/crypto/x509v3/v3_ncons.c
@@ -63,13 +63,13 @@
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
 
-static void *v2i_NAME_CONSTRAINTS(X509V3_EXT_METHOD *method,
-				X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
-static int i2r_NAME_CONSTRAINTS(X509V3_EXT_METHOD *method, 
+static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
+				  X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, 
 				void *a, BIO *bp, int ind);
-static int do_i2r_name_constraints(X509V3_EXT_METHOD *method,
-				STACK_OF(GENERAL_SUBTREE) *trees,
-					BIO *bp, int ind, char *name);
+static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
+				   STACK_OF(GENERAL_SUBTREE) *trees,
+				   BIO *bp, int ind, char *name);
 static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip);
 
 static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc);
@@ -106,8 +106,8 @@
 IMPLEMENT_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)
 IMPLEMENT_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
 
-static void *v2i_NAME_CONSTRAINTS(X509V3_EXT_METHOD *method,
-				X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
+				  X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
 	{
 	int i;
 	CONF_VALUE tval, *val;
@@ -162,8 +162,8 @@
 
 	
 
-static int i2r_NAME_CONSTRAINTS(X509V3_EXT_METHOD *method,
-				void *a, BIO *bp, int ind)
+static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a,
+				BIO *bp, int ind)
 	{
 	NAME_CONSTRAINTS *ncons = a;
 	do_i2r_name_constraints(method, ncons->permittedSubtrees,
@@ -173,9 +173,9 @@
 	return 1;
 	}
 
-static int do_i2r_name_constraints(X509V3_EXT_METHOD *method,
-				STACK_OF(GENERAL_SUBTREE) *trees,
-					BIO *bp, int ind, char *name)
+static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
+				   STACK_OF(GENERAL_SUBTREE) *trees,
+				   BIO *bp, int ind, char *name)
 	{
 	GENERAL_SUBTREE *tree;
 	int i;
diff --git a/crypto/x509v3/v3_ocsp.c b/crypto/x509v3/v3_ocsp.c
index 62aac06..ac1fee6 100644
--- a/crypto/x509v3/v3_ocsp.c
+++ b/crypto/x509v3/v3_ocsp.c
@@ -68,19 +68,26 @@
 /* OCSP extensions and a couple of CRL entry extensions
  */
 
-static int i2r_ocsp_crlid(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent);
-static int i2r_ocsp_acutoff(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent);
-static int i2r_object(X509V3_EXT_METHOD *method, void *obj, BIO *out, int indent);
+static int i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *nonce,
+			  BIO *out, int indent);
+static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *nonce,
+			    BIO *out, int indent);
+static int i2r_object(const X509V3_EXT_METHOD *method, void *obj, BIO *out,
+		      int indent);
 
 static void *ocsp_nonce_new(void);
 static int i2d_ocsp_nonce(void *a, unsigned char **pp);
 static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length);
 static void ocsp_nonce_free(void *a);
-static int i2r_ocsp_nonce(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent);
+static int i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce,
+			  BIO *out, int indent);
 
-static int i2r_ocsp_nocheck(X509V3_EXT_METHOD *method, void *nocheck, BIO *out, int indent);
-static void *s2i_ocsp_nocheck(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, const char *str);
-static int i2r_ocsp_serviceloc(X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind);
+static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method,
+			    void *nocheck, BIO *out, int indent);
+static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+			      const char *str);
+static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in,
+			       BIO *bp, int ind);
 
 const X509V3_EXT_METHOD v3_ocsp_crlid = {
 	NID_id_pkix_OCSP_CrlID, 0, ASN1_ITEM_ref(OCSP_CRLID),
@@ -148,7 +155,8 @@
 	NULL
 };
 
-static int i2r_ocsp_crlid(X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind)
+static int i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *in, BIO *bp,
+			  int ind)
 {
 	OCSP_CRLID *a = in;
 	if (a->crlUrl)
@@ -174,7 +182,8 @@
 	return 0;
 }
 
-static int i2r_ocsp_acutoff(X509V3_EXT_METHOD *method, void *cutoff, BIO *bp, int ind)
+static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *cutoff,
+			    BIO *bp, int ind)
 {
 	if (!BIO_printf(bp, "%*s", ind, "")) return 0;
 	if(!ASN1_GENERALIZEDTIME_print(bp, cutoff)) return 0;
@@ -182,7 +191,8 @@
 }
 
 
-static int i2r_object(X509V3_EXT_METHOD *method, void *oid, BIO *bp, int ind)
+static int i2r_object(const X509V3_EXT_METHOD *method, void *oid, BIO *bp,
+		      int ind)
 {
 	if (!BIO_printf(bp, "%*s", ind, "")) return 0;
 	if(!i2a_ASN1_OBJECT(bp, oid)) return 0;
@@ -232,7 +242,8 @@
 	M_ASN1_OCTET_STRING_free(a);
 }
 
-static int i2r_ocsp_nonce(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent)
+static int i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce,
+			  BIO *out, int indent)
 {
 	if(BIO_printf(out, "%*s", indent, "") <= 0) return 0;
 	if(i2a_ASN1_STRING(out, nonce, V_ASN1_OCTET_STRING) <= 0) return 0;
@@ -241,17 +252,20 @@
 
 /* Nocheck is just a single NULL. Don't print anything and always set it */
 
-static int i2r_ocsp_nocheck(X509V3_EXT_METHOD *method, void *nocheck, BIO *out, int indent)
+static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method, void *nocheck,
+			    BIO *out, int indent)
 {
 	return 1;
 }
 
-static void *s2i_ocsp_nocheck(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, const char *str)
+static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+			      const char *str)
 {
 	return ASN1_NULL_new();
 }
 
-static int i2r_ocsp_serviceloc(X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind)
+static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in,
+			       BIO *bp, int ind)
         {
 	int i;
 	OCSP_SERVICELOC *a = in;
diff --git a/crypto/x509v3/v3_pcons.c b/crypto/x509v3/v3_pcons.c
index 13248c2..a14aa30 100644
--- a/crypto/x509v3/v3_pcons.c
+++ b/crypto/x509v3/v3_pcons.c
@@ -64,10 +64,12 @@
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
 
-static STACK_OF(CONF_VALUE) *i2v_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method,
-				void *bcons, STACK_OF(CONF_VALUE) *extlist);
-static void *v2i_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method,
-				X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
+static STACK_OF(CONF_VALUE) *
+i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *bcons,
+		       STACK_OF(CONF_VALUE) *extlist);
+static void *v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method,
+				    X509V3_CTX *ctx,
+				    STACK_OF(CONF_VALUE) *values);
 
 const X509V3_EXT_METHOD v3_policy_constraints = {
 NID_policy_constraints, 0,
@@ -88,8 +90,9 @@
 IMPLEMENT_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS)
 
 
-static STACK_OF(CONF_VALUE) *i2v_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method,
-	     void *a, STACK_OF(CONF_VALUE) *extlist)
+static STACK_OF(CONF_VALUE) *
+i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a,
+		       STACK_OF(CONF_VALUE) *extlist)
 {
 	POLICY_CONSTRAINTS *pcons = a;
 	X509V3_add_value_int("Require Explicit Policy",
@@ -99,8 +102,9 @@
 	return extlist;
 }
 
-static void *v2i_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method,
-	     X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values)
+static void *v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method,
+				    X509V3_CTX *ctx,
+				    STACK_OF(CONF_VALUE) *values)
 {
 	POLICY_CONSTRAINTS *pcons=NULL;
 	CONF_VALUE *val;
diff --git a/crypto/x509v3/v3_pmaps.c b/crypto/x509v3/v3_pmaps.c
index 6263032..bac5a50 100644
--- a/crypto/x509v3/v3_pmaps.c
+++ b/crypto/x509v3/v3_pmaps.c
@@ -63,10 +63,11 @@
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
 
-static void *v2i_POLICY_MAPPINGS(X509V3_EXT_METHOD *method,
-				X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
-static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(X509V3_EXT_METHOD *method,
-				void *pmps, STACK_OF(CONF_VALUE) *extlist);
+static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method,
+				 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+static STACK_OF(CONF_VALUE) *
+i2v_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, void *pmps,
+		    STACK_OF(CONF_VALUE) *extlist);
 
 const X509V3_EXT_METHOD v3_policy_mappings = {
 	NID_policy_mappings, 0,
@@ -92,8 +93,9 @@
 IMPLEMENT_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING)
 
 
-static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(X509V3_EXT_METHOD *method,
-		void *a, STACK_OF(CONF_VALUE) *ext_list)
+static STACK_OF(CONF_VALUE) *
+i2v_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, void *a,
+		    STACK_OF(CONF_VALUE) *ext_list)
 {
 	POLICY_MAPPINGS *pmaps = a;
 	POLICY_MAPPING *pmap;
@@ -109,8 +111,8 @@
 	return ext_list;
 }
 
-static void *v2i_POLICY_MAPPINGS(X509V3_EXT_METHOD *method,
-				X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method,
+				 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
 {
 	POLICY_MAPPINGS *pmaps;
 	POLICY_MAPPING *pmap;
diff --git a/crypto/x509v3/v3_prn.c b/crypto/x509v3/v3_prn.c
index 20bd9bd..feb5768 100644
--- a/crypto/x509v3/v3_prn.c
+++ b/crypto/x509v3/v3_prn.c
@@ -110,7 +110,7 @@
 	void *ext_str = NULL;
 	char *value = NULL;
 	const unsigned char *p;
-	X509V3_EXT_METHOD *method;	
+	const X509V3_EXT_METHOD *method;	
 	STACK_OF(CONF_VALUE) *nval = NULL;
 	int ok = 1;
 
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 1ca370d..a5d9805 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -267,11 +267,14 @@
 	return xp->trust;
 }
 
-static int nid_cmp(int *a, int *b)
+static int nid_cmp(const int *a, const int *b)
 	{
 	return *a - *b;
 	}
 
+DECLARE_OBJ_BSEARCH_CMP_FN(int, int, nid_cmp);
+IMPLEMENT_OBJ_BSEARCH_CMP_FN(int, int, nid_cmp);
+
 int X509_supported_extension(X509_EXTENSION *ex)
 	{
 	/* This table is a list of the NIDs of supported extensions:
@@ -282,7 +285,7 @@
 	 * searched using bsearch.
 	 */
 
-	static int supported_nids[] = {
+	static const int supported_nids[] = {
 		NID_netscape_cert_type, /* 71 */
         	NID_key_usage,		/* 83 */
 		NID_subject_alt_name,	/* 85 */
@@ -300,16 +303,13 @@
 		NID_inhibit_any_policy	/* 748 */
 	};
 
-	int ex_nid;
-
-	ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex));
+	const int ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex));
 
 	if (ex_nid == NID_undef) 
 		return 0;
 
-	if (OBJ_bsearch((char *)&ex_nid, (char *)supported_nids,
-		sizeof(supported_nids)/sizeof(int), sizeof(int),
-		(int (*)(const void *, const void *))nid_cmp))
+	if (OBJ_bsearch(int, &ex_nid, int, supported_nids,
+			sizeof(supported_nids)/sizeof(int), nid_cmp))
 		return 1;
 	return 0;
 	}
diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h
index 22b1b7f..460a040 100644
--- a/crypto/x509v3/x509v3.h
+++ b/crypto/x509v3/x509v3.h
@@ -76,12 +76,19 @@
 typedef void (*X509V3_EXT_FREE)(void *);
 typedef void * (*X509V3_EXT_D2I)(void *, const unsigned char ** , long);
 typedef int (*X509V3_EXT_I2D)(void *, unsigned char **);
-typedef STACK_OF(CONF_VALUE) * (*X509V3_EXT_I2V)(struct v3_ext_method *method, void *ext, STACK_OF(CONF_VALUE) *extlist);
-typedef void * (*X509V3_EXT_V2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, STACK_OF(CONF_VALUE) *values);
-typedef char * (*X509V3_EXT_I2S)(struct v3_ext_method *method, void *ext);
-typedef void * (*X509V3_EXT_S2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, const char *str);
-typedef int (*X509V3_EXT_I2R)(struct v3_ext_method *method, void *ext, BIO *out, int indent);
-typedef void * (*X509V3_EXT_R2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, const char *str);
+typedef STACK_OF(CONF_VALUE) *
+  (*X509V3_EXT_I2V)(const struct v3_ext_method *method, void *ext,
+		    STACK_OF(CONF_VALUE) *extlist);
+typedef void * (*X509V3_EXT_V2I)(const struct v3_ext_method *method,
+				 struct v3_ext_ctx *ctx,
+				 STACK_OF(CONF_VALUE) *values);
+typedef char * (*X509V3_EXT_I2S)(const struct v3_ext_method *method, void *ext);
+typedef void * (*X509V3_EXT_S2I)(const struct v3_ext_method *method,
+				 struct v3_ext_ctx *ctx, const char *str);
+typedef int (*X509V3_EXT_I2R)(const struct v3_ext_method *method, void *ext,
+			      BIO *out, int indent);
+typedef void * (*X509V3_EXT_R2I)(const struct v3_ext_method *method,
+				 struct v3_ext_ctx *ctx, const char *str);
 
 /* V3 extension structure */
 
@@ -533,8 +540,8 @@
 
 STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
 		GENERAL_NAMES *gen, STACK_OF(CONF_VALUE) *extlist);
-GENERAL_NAMES *v2i_GENERAL_NAMES(X509V3_EXT_METHOD *method,
-				X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
+				 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
 
 DECLARE_ASN1_FUNCTIONS(OTHERNAME)
 DECLARE_ASN1_FUNCTIONS(EDIPARTYNAME)
@@ -584,14 +591,15 @@
 DECLARE_ASN1_ITEM(POLICY_CONSTRAINTS)
 
 GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
-				X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-				int gen_type, char *value, int is_nc);
+			       const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+			       int gen_type, char *value, int is_nc);
 
 #ifdef HEADER_CONF_H
-GENERAL_NAME *v2i_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-							CONF_VALUE *cnf);
-GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out, X509V3_EXT_METHOD *method,
-				X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc);
+GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+			       CONF_VALUE *cnf);
+GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
+				  const X509V3_EXT_METHOD *method,
+				  X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc);
 void X509V3_conf_free(CONF_VALUE *val);
 
 X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid, char *value);
@@ -644,8 +652,8 @@
 int X509V3_EXT_add_alias(int nid_to, int nid_from);
 void X509V3_EXT_cleanup(void);
 
-X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext);
-X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid);
+const X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext);
+const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid);
 int X509V3_add_standard_extensions(void);
 STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line);
 void *X509V3_EXT_d2i(X509_EXTENSION *ext);
diff --git a/engines/Makefile b/engines/Makefile
index fdf8774..1cdfb26 100644
--- a/engines/Makefile
+++ b/engines/Makefile
@@ -219,8 +219,7 @@
 e_capi.o: ../include/openssl/evp.h ../include/openssl/lhash.h
 e_capi.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
 e_capi.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-e_capi.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-e_capi.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+e_capi.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h
 e_capi.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 e_capi.o: ../include/openssl/sha.h ../include/openssl/stack.h
 e_capi.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index d948691..bd28b75 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -175,9 +175,9 @@
  * to explicitly list their SSL_* codes. Currently RC4 is the only one
  * available, but if new ones emerge, they will have to be added...
  */
-SSL_CIPHER *dtls1_get_cipher(unsigned int u)
+const SSL_CIPHER *dtls1_get_cipher(unsigned int u)
 	{
-	SSL_CIPHER *ciph = ssl3_get_cipher(u);
+	const SSL_CIPHER *ciph = ssl3_get_cipher(u);
 
 	if (ciph != NULL)
 		{
diff --git a/ssl/s23_lib.c b/ssl/s23_lib.c
index 88fb564..e3fce53 100644
--- a/ssl/s23_lib.c
+++ b/ssl/s23_lib.c
@@ -74,7 +74,7 @@
 	    );
 	}
 
-SSL_CIPHER *ssl23_get_cipher(unsigned int u)
+const SSL_CIPHER *ssl23_get_cipher(unsigned int u)
 	{
 	unsigned int uu=ssl3_num_ciphers();
 
@@ -90,9 +90,10 @@
 
 /* This function needs to check if the ciphers required are actually
  * available */
-SSL_CIPHER *ssl23_get_cipher_by_char(const unsigned char *p)
+const SSL_CIPHER *ssl23_get_cipher_by_char(const unsigned char *p)
 	{
-	SSL_CIPHER c,*cp;
+	SSL_CIPHER c;
+	const SSL_CIPHER *cp;
 	unsigned long id;
 	int n;
 
diff --git a/ssl/s2_lib.c b/ssl/s2_lib.c
index 25148d3..d93a2c7 100644
--- a/ssl/s2_lib.c
+++ b/ssl/s2_lib.c
@@ -121,7 +121,7 @@
 #define SSL2_NUM_CIPHERS (sizeof(ssl2_ciphers)/sizeof(SSL_CIPHER))
 
 /* list of available SSLv2 ciphers (sorted by id) */
-OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={
+OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[]={
 #if 0
 /* NULL_WITH_MD5 v3 */
 	{
@@ -303,7 +303,7 @@
 	return(SSL2_NUM_CIPHERS);
 	}
 
-SSL_CIPHER *ssl2_get_cipher(unsigned int u)
+const SSL_CIPHER *ssl2_get_cipher(unsigned int u)
 	{
 	if (u < SSL2_NUM_CIPHERS)
 		return(&(ssl2_ciphers[SSL2_NUM_CIPHERS-1-u]));
@@ -412,20 +412,22 @@
 	return(0);
 	}
 
+IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(const SSL_CIPHER, const SSL_CIPHER,
+				    ssl_cipher_id_cmp);
+
 /* This function needs to check if the ciphers required are actually
  * available */
-SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p)
+const SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p)
 	{
-	SSL_CIPHER c,*cp;
+	SSL_CIPHER c;
+	const SSL_CIPHER *cp;
 	unsigned long id;
 
 	id=0x02000000L|((unsigned long)p[0]<<16L)|
 		((unsigned long)p[1]<<8L)|(unsigned long)p[2];
 	c.id=id;
-	cp = (SSL_CIPHER *)OBJ_bsearch((char *)&c,
-		(char *)ssl2_ciphers,
-		SSL2_NUM_CIPHERS,sizeof(SSL_CIPHER),
-		FP_ICC ssl_cipher_id_cmp);
+	cp = OBJ_bsearch(const SSL_CIPHER, &c, const SSL_CIPHER, ssl2_ciphers,
+			 SSL2_NUM_CIPHERS, ssl_cipher_id_cmp);
 	if ((cp == NULL) || (cp->valid == 0))
 		return NULL;
 	else
diff --git a/ssl/s2_meth.c b/ssl/s2_meth.c
index 2bffa78..f0e8ca5 100644
--- a/ssl/s2_meth.c
+++ b/ssl/s2_meth.c
@@ -71,9 +71,9 @@
 	}
 
 IMPLEMENT_ssl2_meth_func(SSLv2_method,
-			ssl2_accept,
-			ssl2_connect,
-			ssl2_get_method)
+			 ssl2_accept,
+			 ssl2_connect,
+			 ssl2_get_method)
 
 #else /* !OPENSSL_NO_SSL2 */
 
diff --git a/ssl/s2_srvr.c b/ssl/s2_srvr.c
index 6490d0b..b43a046 100644
--- a/ssl/s2_srvr.c
+++ b/ssl/s2_srvr.c
@@ -366,7 +366,7 @@
 	int is_export,i,n,keya,ek;
 	unsigned long len;
 	unsigned char *p;
-	SSL_CIPHER *cp;
+	const SSL_CIPHER *cp;
 	const EVP_CIPHER *c;
 	const EVP_MD *md;
 
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index e339dbc..aae1334 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -719,7 +719,7 @@
 int ssl3_get_server_hello(SSL *s)
 	{
 	STACK_OF(SSL_CIPHER) *sk;
-	SSL_CIPHER *c;
+	const SSL_CIPHER *c;
 	unsigned char *p,*d;
 	int i,al,ok;
 	unsigned int j;
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index f09238f..7e89699 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -2101,7 +2101,7 @@
 	return(SSL3_NUM_CIPHERS);
 	}
 
-SSL_CIPHER *ssl3_get_cipher(unsigned int u)
+const SSL_CIPHER *ssl3_get_cipher(unsigned int u)
 	{
 	if (u < SSL3_NUM_CIPHERS)
 		return(&(ssl3_ciphers[SSL3_NUM_CIPHERS-1-u]));
@@ -2786,17 +2786,16 @@
 
 /* This function needs to check if the ciphers required are actually
  * available */
-SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p)
+const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p)
 	{
-	SSL_CIPHER c,*cp;
+	SSL_CIPHER c;
+	const SSL_CIPHER *cp;
 	unsigned long id;
 
 	id=0x03000000L|((unsigned long)p[0]<<8L)|(unsigned long)p[1];
 	c.id=id;
-	cp = (SSL_CIPHER *)OBJ_bsearch((char *)&c,
-		(char *)ssl3_ciphers,
-		SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER),
-		FP_ICC ssl_cipher_id_cmp);
+	cp = OBJ_bsearch(SSL_CIPHER, &c, SSL_CIPHER, ssl3_ciphers,
+			 SSL3_NUM_CIPHERS, ssl_cipher_id_cmp);
 	if (cp == NULL || cp->valid == 0)
 		return NULL;
 	else
diff --git a/ssl/s3_meth.c b/ssl/s3_meth.c
index 6b39ce8..cdddb17 100644
--- a/ssl/s3_meth.c
+++ b/ssl/s3_meth.c
@@ -70,8 +70,8 @@
 	}
 
 IMPLEMENT_ssl3_meth_func(SSLv3_method,
-			ssl3_accept,
-			ssl3_connect,
-			ssl3_get_method)
+			 ssl3_accept,
+			 ssl3_connect,
+			 ssl3_get_method)
 
 
diff --git a/ssl/ssl.h b/ssl/ssl.h
index d3fdccd..f23f24b 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -401,11 +401,11 @@
 	int (*ssl_dispatch_alert)(SSL *s);
 	long (*ssl_ctrl)(SSL *s,int cmd,long larg,void *parg);
 	long (*ssl_ctx_ctrl)(SSL_CTX *ctx,int cmd,long larg,void *parg);
-	SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr);
+	const SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr);
 	int (*put_cipher_by_char)(const SSL_CIPHER *cipher,unsigned char *ptr);
 	int (*ssl_pending)(const SSL *s);
 	int (*num_ciphers)(void);
-	SSL_CIPHER *(*get_cipher)(unsigned ncipher);
+	const SSL_CIPHER *(*get_cipher)(unsigned ncipher);
 	const struct ssl_method_st *(*get_ssl_method)(int version);
 	long (*get_timeout)(void);
 	struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */
@@ -483,7 +483,7 @@
 
 	int compress_meth;		/* Need to lookup the method */
 
-	SSL_CIPHER *cipher;
+	const SSL_CIPHER *cipher;
 	unsigned long cipher_id;	/* when ASN.1 loaded, this
 					 * needs to be used to load
 					 * the 'cipher' structure */
@@ -1431,7 +1431,7 @@
 
 void	SSL_CTX_flush_sessions(SSL_CTX *ctx,long tm);
 
-SSL_CIPHER *SSL_get_current_cipher(const SSL *s);
+const SSL_CIPHER *SSL_get_current_cipher(const SSL *s);
 int	SSL_CIPHER_get_bits(const SSL_CIPHER *c,int *alg_bits);
 char *	SSL_CIPHER_get_version(const SSL_CIPHER *c);
 const char *	SSL_CIPHER_get_name(const SSL_CIPHER *c);
diff --git a/ssl/ssl3.h b/ssl/ssl3.h
index 646a8e6..56f17f6 100644
--- a/ssl/ssl3.h
+++ b/ssl/ssl3.h
@@ -465,7 +465,7 @@
 		int message_type;
 
 		/* used to hold the new cipher we are going to use */
-		SSL_CIPHER *new_cipher;
+		const SSL_CIPHER *new_cipher;
 #ifndef OPENSSL_NO_DH
 		DH *dh;
 #endif
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index c31d6e0..e60a490 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -207,7 +207,7 @@
 
 typedef struct cipher_order_st
 	{
-	SSL_CIPHER *cipher;
+	const SSL_CIPHER *cipher;
 	int active;
 	int dead;
 	struct cipher_order_st *next,*prev;
@@ -437,7 +437,7 @@
 	     const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size,SSL_COMP **comp)
 	{
 	int i;
-	SSL_CIPHER *c;
+	const SSL_CIPHER *c;
 
 	c=s->cipher;
 	if (c == NULL) return(0);
@@ -682,7 +682,7 @@
                 CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
 	{
 	int i, co_list_num;
-	SSL_CIPHER *c;
+	const SSL_CIPHER *c;
 
 	/*
 	 * We have num_of_ciphers descriptions compiled in, depending on the
@@ -745,7 +745,7 @@
 		}
 	}
 
-static void ssl_cipher_collect_aliases(SSL_CIPHER **ca_list,
+static void ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list,
                         int num_of_group_aliases,
                         unsigned long disabled_mkey, unsigned long disabled_auth,
                         unsigned long disabled_enc, unsigned long disabled_mac,
@@ -753,7 +753,7 @@
 			CIPHER_ORDER *head)
 	{
 	CIPHER_ORDER *ciph_curr;
-	SSL_CIPHER **ca_curr;
+	const SSL_CIPHER **ca_curr;
 	int i;
 	unsigned long mask_mkey = ~disabled_mkey;
 	unsigned long mask_auth = ~disabled_auth;
@@ -823,7 +823,7 @@
 		CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
 	{
 	CIPHER_ORDER *head, *tail, *curr, *curr2, *last;
-	SSL_CIPHER *cp;
+	const SSL_CIPHER *cp;
 	int reverse = 0;
 
 #ifdef CIPHER_DEBUG
@@ -999,7 +999,7 @@
 
 static int ssl_cipher_process_rulestr(const char *rule_str,
                 CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p,
-                SSL_CIPHER **ca_list)
+                const SSL_CIPHER **ca_list)
 	{
 	unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength;
 	const char *l, *start, *buf;
@@ -1258,7 +1258,7 @@
 	STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list;
 	const char *rule_p;
 	CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
-	SSL_CIPHER **ca_list = NULL;
+	const SSL_CIPHER **ca_list = NULL;
 
 	/*
 	 * Return with error if nothing to do.
@@ -1345,8 +1345,7 @@
 	 */
 	num_of_group_aliases = sizeof(cipher_aliases) / sizeof(SSL_CIPHER);
 	num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
-	ca_list =
-		(SSL_CIPHER **)OPENSSL_malloc(sizeof(SSL_CIPHER *) * num_of_alias_max);
+	ca_list = OPENSSL_malloc(sizeof(SSL_CIPHER *) * num_of_alias_max);
 	if (ca_list == NULL)
 		{
 		OPENSSL_free(co_list);
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 203bce6..803894c 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1348,7 +1348,7 @@
 STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
 					       STACK_OF(SSL_CIPHER) **skp)
 	{
-	SSL_CIPHER *c;
+	const SSL_CIPHER *c;
 	STACK_OF(SSL_CIPHER) *sk;
 	int i,n;
 
@@ -1751,7 +1751,7 @@
 	X509_VERIFY_PARAM_set_depth(ctx->param, depth);
 	}
 
-void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
+void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 	{
 	CERT_PKEY *cpk;
 	int rsa_enc,rsa_tmp,rsa_sign,dh_tmp,dh_rsa,dh_dsa,dsa_sign;
@@ -1963,7 +1963,7 @@
 #define ku_reject(x, usage) \
 	(((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
 
-int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs)
+int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
 	{
 	unsigned long alg_k, alg_a;
 	EVP_PKEY *pkey = NULL;
@@ -2109,7 +2109,7 @@
 	return(c->pkeys[i].x509);
 	}
 
-EVP_PKEY *ssl_get_sign_pkey(SSL *s,SSL_CIPHER *cipher)
+EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher)
 	{
 	unsigned long alg_a;
 	CERT *c;
@@ -2547,7 +2547,7 @@
 		return(NULL);
 	}
 
-SSL_CIPHER *SSL_get_current_cipher(const SSL *s)
+const SSL_CIPHER *SSL_get_current_cipher(const SSL *s)
 	{
 	if ((s->session != NULL) && (s->session->cipher != NULL))
 		return(s->session->cipher);
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index a499a16..ad69a71 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -577,7 +577,7 @@
 #endif
 
 extern SSL3_ENC_METHOD ssl3_undef_enc_method;
-OPENSSL_EXTERN SSL_CIPHER ssl2_ciphers[];
+OPENSSL_EXTERN const SSL_CIPHER ssl2_ciphers[];
 OPENSSL_EXTERN SSL_CIPHER ssl3_ciphers[];
 
 
@@ -784,6 +784,8 @@
 int ssl_get_new_session(SSL *s, int session);
 int ssl_get_prev_session(SSL *s, unsigned char *session,int len, const unsigned char *limit);
 int ssl_cipher_id_cmp(const SSL_CIPHER *a,const SSL_CIPHER *b);
+DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN(const SSL_CIPHER, const SSL_CIPHER,
+				  ssl_cipher_id_cmp);
 int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap,
 			const SSL_CIPHER * const *bp);
 STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
@@ -803,9 +805,9 @@
 int ssl_undefined_void_function(void);
 int ssl_undefined_const_function(const SSL *s);
 X509 *ssl_get_server_send_cert(SSL *);
-EVP_PKEY *ssl_get_sign_pkey(SSL *,SSL_CIPHER *);
+EVP_PKEY *ssl_get_sign_pkey(SSL *,const SSL_CIPHER *);
 int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
-void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher);
+void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher);
 STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
 int ssl_verify_alarm_type(long type);
 void ssl_load_ciphers(void);
@@ -814,7 +816,7 @@
 int ssl2_generate_key_material(SSL *s);
 void ssl2_enc(SSL *s,int send_data);
 void ssl2_mac(SSL *s,unsigned char *mac,int send_data);
-SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p);
+const SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p);
 int ssl2_put_cipher_by_char(const SSL_CIPHER *c,unsigned char *p);
 int ssl2_part_read(SSL *s, unsigned long f, int i);
 int ssl2_do_write(SSL *s);
@@ -822,7 +824,7 @@
 void ssl2_return_error(SSL *s,int reason);
 void ssl2_write_error(SSL *s);
 int ssl2_num_ciphers(void);
-SSL_CIPHER *ssl2_get_cipher(unsigned int u);
+const SSL_CIPHER *ssl2_get_cipher(unsigned int u);
 int	ssl2_new(SSL *s);
 void	ssl2_free(SSL *s);
 int	ssl2_accept(SSL *s);
@@ -839,7 +841,7 @@
 int	ssl2_pending(const SSL *s);
 long	ssl2_default_timeout(void );
 
-SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p);
+const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p);
 int ssl3_put_cipher_by_char(const SSL_CIPHER *c,unsigned char *p);
 void ssl3_init_finished_mac(SSL *s);
 int ssl3_send_server_certificate(SSL *s);
@@ -858,7 +860,7 @@
 long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok);
 int ssl3_send_finished(SSL *s, int a, int b, const char *sender,int slen);
 int ssl3_num_ciphers(void);
-SSL_CIPHER *ssl3_get_cipher(unsigned int u);
+const SSL_CIPHER *ssl3_get_cipher(unsigned int u);
 int ssl3_renegotiate(SSL *ssl); 
 int ssl3_renegotiate_check(SSL *ssl); 
 int ssl3_dispatch_alert(SSL *s);
@@ -899,12 +901,12 @@
 long ssl3_default_timeout(void );
 
 int ssl23_num_ciphers(void );
-SSL_CIPHER *ssl23_get_cipher(unsigned int u);
+const SSL_CIPHER *ssl23_get_cipher(unsigned int u);
 int ssl23_read(SSL *s, void *buf, int len);
 int ssl23_peek(SSL *s, void *buf, int len);
 int ssl23_write(SSL *s, const void *buf, int len);
 int ssl23_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p);
-SSL_CIPHER *ssl23_get_cipher_by_char(const unsigned char *p);
+const SSL_CIPHER *ssl23_get_cipher_by_char(const unsigned char *p);
 long ssl23_default_timeout(void );
 
 long tls1_default_timeout(void);
@@ -934,7 +936,7 @@
 void dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr);
 void dtls1_reset_seq_numbers(SSL *s, int rw);
 long dtls1_default_timeout(void);
-SSL_CIPHER *dtls1_get_cipher(unsigned int u);
+const SSL_CIPHER *dtls1_get_cipher(unsigned int u);
 
 
 /* some client-only functions */
@@ -1020,7 +1022,7 @@
 int ssl_ok(SSL *s);
 
 #ifndef OPENSSL_NO_ECDH
-int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs);
+int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs);
 #endif
 
 SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);
diff --git a/ssl/ssltest.c b/ssl/ssltest.c
index b20ab0f..c76f667 100644
--- a/ssl/ssltest.c
+++ b/ssl/ssltest.c
@@ -317,7 +317,7 @@
 
 static void print_details(SSL *c_ssl, const char *prefix)
 	{
-	SSL_CIPHER *ciph;
+	const SSL_CIPHER *ciph;
 	X509 *cert;
 		
 	ciph=SSL_get_current_cipher(c_ssl);
@@ -2408,7 +2408,7 @@
 	{
 	int i = 0;
 	const SSL_METHOD *meth;
-	SSL_CIPHER *ci, *tci = NULL;
+	const SSL_CIPHER *ci, *tci = NULL;
 
 #ifndef OPENSSL_NO_SSL2
 	fprintf(stderr, "testing SSLv2 cipher list order: ");