Check for OPENSSL_NO_RSA, OPENSSL_NO_DSA and OPENSSL_NO_DH and disable

appropriate code if any of them is defined.

10 files changed, 363 insertions, 23 deletions

diff --git a/crypto/engine/engine.h b/crypto/engine/engine.h
index 48300fe769..a85cfff87b 100644
--- a/crypto/engine/engine.h
+++ b/crypto/engine/engine.h
@@ -60,9 +60,15 @@
 #define HEADER_ENGINE_H
 
 #include <openssl/bn.h>
+#ifndef OPENSSL_NO_RSA
 #include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
+#endif
+#ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
+#endif
 #include <openssl/rand.h>
 #include <openssl/evp.h>
 #include <openssl/symhacks.h>
@@ -71,6 +77,17 @@
 extern "C" {
 #endif
 
+/* Fixups for missing algorithms */
+#ifdef OPENSSL_NO_RSA
+typedef void RSA_METHOD;
+#endif
+#ifdef OPENSSL_NO_DSA
+typedef void DSA_METHOD;
+#endif
+#ifdef OPENSSL_NO_DH
+typedef void DH_METHOD;
+#endif
+
 /* These flags are used to control combinations of algorithm (methods)
  * by bitwise "OR"ing. */
 #define ENGINE_METHOD_RSA		(unsigned int)0x0001
@@ -442,6 +459,7 @@ void ERR_load_ENGINE_strings(void);
 #define ENGINE_F_ENGINE_CTRL_CMD_STRING			 171
 #define ENGINE_F_ENGINE_FINISH				 107
 #define ENGINE_F_ENGINE_FREE				 108
+#define ENGINE_F_ENGINE_GET_DEFAULT_TYPE		 177
 #define ENGINE_F_ENGINE_GET_NEXT			 115
 #define ENGINE_F_ENGINE_GET_PREV			 116
 #define ENGINE_F_ENGINE_INIT				 119
@@ -492,6 +510,8 @@ void ERR_load_ENGINE_strings(void);
 #define ENGINE_R_COMMAND_TAKES_NO_INPUT			 136
 #define ENGINE_R_CONFLICTING_ENGINE_ID			 103
 #define ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED		 119
+#define ENGINE_R_DH_NOT_IMPLEMENTED			 139
+#define ENGINE_R_DSA_NOT_IMPLEMENTED			 140
 #define ENGINE_R_DSO_FAILURE				 104
 #define ENGINE_R_DSO_FUNCTION_NOT_FOUND			 131
 #define ENGINE_R_DSO_NOT_FOUND				 132
@@ -515,9 +535,11 @@ void ERR_load_ENGINE_strings(void);
 #define ENGINE_R_NO_REFERENCE				 130
 #define ENGINE_R_NO_SUCH_ENGINE				 116
 #define ENGINE_R_NO_UNLOAD_FUNCTION			 126
+#define ENGINE_R_PRIVATE_KEY_ALGORITHMS_DISABLED	 142
 #define ENGINE_R_PROVIDE_PARAMETERS			 113
 #define ENGINE_R_REQUEST_FAILED				 114
 #define ENGINE_R_REQUEST_FALLBACK			 118
+#define ENGINE_R_RSA_NOT_IMPLEMENTED			 141
 #define ENGINE_R_SIZE_TOO_LARGE_OR_TOO_SMALL		 122
 #define ENGINE_R_UNIT_FAILURE				 115
 
diff --git a/crypto/engine/engine_err.c b/crypto/engine/engine_err.c
index 24202a1bee..33e1ede2db 100644
--- a/crypto/engine/engine_err.c
+++ b/crypto/engine/engine_err.c
@@ -86,6 +86,7 @@ static ERR_STRING_DATA ENGINE_str_functs[]=
 {ERR_PACK(0,ENGINE_F_ENGINE_CTRL_CMD_STRING,0),	"ENGINE_ctrl_cmd_string"},
 {ERR_PACK(0,ENGINE_F_ENGINE_FINISH,0),	"ENGINE_finish"},
 {ERR_PACK(0,ENGINE_F_ENGINE_FREE,0),	"ENGINE_free"},
+{ERR_PACK(0,ENGINE_F_ENGINE_GET_DEFAULT_TYPE,0),	"ENGINE_GET_DEFAULT_TYPE"},
 {ERR_PACK(0,ENGINE_F_ENGINE_GET_NEXT,0),	"ENGINE_get_next"},
 {ERR_PACK(0,ENGINE_F_ENGINE_GET_PREV,0),	"ENGINE_get_prev"},
 {ERR_PACK(0,ENGINE_F_ENGINE_INIT,0),	"ENGINE_init"},
@@ -139,6 +140,8 @@ static ERR_STRING_DATA ENGINE_str_reasons[]=
 {ENGINE_R_COMMAND_TAKES_NO_INPUT         ,"command takes no input"},
 {ENGINE_R_CONFLICTING_ENGINE_ID          ,"conflicting engine id"},
 {ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED   ,"ctrl command not implemented"},
+{ENGINE_R_DH_NOT_IMPLEMENTED             ,"dh not implemented"},
+{ENGINE_R_DSA_NOT_IMPLEMENTED            ,"dsa not implemented"},
 {ENGINE_R_DSO_FAILURE                    ,"DSO failure"},
 {ENGINE_R_DSO_FUNCTION_NOT_FOUND         ,"dso function not found"},
 {ENGINE_R_DSO_NOT_FOUND                  ,"dso not found"},
@@ -162,9 +165,11 @@ static ERR_STRING_DATA ENGINE_str_reasons[]=
 {ENGINE_R_NO_REFERENCE                   ,"no reference"},
 {ENGINE_R_NO_SUCH_ENGINE                 ,"no such engine"},
 {ENGINE_R_NO_UNLOAD_FUNCTION             ,"no unload function"},
+{ENGINE_R_PRIVATE_KEY_ALGORITHMS_DISABLED,"private key algorithms disabled"},
 {ENGINE_R_PROVIDE_PARAMETERS             ,"provide parameters"},
 {ENGINE_R_REQUEST_FAILED                 ,"request failed"},
 {ENGINE_R_REQUEST_FALLBACK               ,"request fallback"},
+{ENGINE_R_RSA_NOT_IMPLEMENTED            ,"rsa not implemented"},
 {ENGINE_R_SIZE_TOO_LARGE_OR_TOO_SMALL    ,"size too large or too small"},
 {ENGINE_R_UNIT_FAILURE                   ,"unit failure"},
 {0,NULL}
diff --git a/crypto/engine/engine_lib.c b/crypto/engine/engine_lib.c
index eb9f2c4daa..ef94227e04 100644
--- a/crypto/engine/engine_lib.c
+++ b/crypto/engine/engine_lib.c
@@ -67,9 +67,15 @@
  * reference and the caller is responsible for freeing that when they
  * are finished with it (with a call to ENGINE_finish() *NOT* just
  * ENGINE_free()!!!!!!). */
+#ifndef OPENSSL_NO_RSA
 static ENGINE *engine_def_rsa = NULL;
+#endif
+#ifndef OPENSSL_NO_DSA
 static ENGINE *engine_def_dsa = NULL;
+#endif
+#ifndef OPENSSL_NO_DH
 static ENGINE *engine_def_dh = NULL;
+#endif
 static ENGINE *engine_def_rand = NULL;
 static ENGINE *engine_def_bn_mod_exp = NULL;
 static ENGINE *engine_def_bn_mod_exp_crt = NULL;
@@ -125,9 +131,15 @@ static void engine_def_check(void)
 			goto skip_set_defaults;
 		/* OK, we got a functional reference, so we get one each
 		 * for the defaults too. */
+#ifndef OPENSSL_NO_RSA
 		engine_def_check_util(&engine_def_rsa, e);
+#endif
+#ifndef OPENSSL_NO_RSA
 		engine_def_check_util(&engine_def_dsa, e);
+#endif
+#ifndef OPENSSL_NO_DH
 		engine_def_check_util(&engine_def_dh, e);
+#endif
 		engine_def_check_util(&engine_def_rand, e);
 		engine_def_check_util(&engine_def_bn_mod_exp, e);
 		engine_def_check_util(&engine_def_bn_mod_exp_crt, e);
@@ -590,12 +602,18 @@ static ENGINE *engine_get_default_type(ENGINE_TYPE t)
 	CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
 	switch(t)
 		{
+#ifndef OPENSSL_NO_RSA
 	case ENGINE_TYPE_RSA:
 		ret = engine_def_rsa; break;
+#endif
+#ifndef OPENSSL_NO_DSA
 	case ENGINE_TYPE_DSA:
 		ret = engine_def_dsa; break;
+#endif
+#ifndef OPENSSL_NO_DH
 	case ENGINE_TYPE_DH:
 		ret = engine_def_dh; break;
+#endif
 	case ENGINE_TYPE_RAND:
 		ret = engine_def_rand; break;
 	case ENGINE_TYPE_BN_MOD_EXP:
@@ -615,20 +633,26 @@ static ENGINE *engine_get_default_type(ENGINE_TYPE t)
 	return ret;
 	}
 
+#ifndef OPENSSL_NO_RSA
 ENGINE *ENGINE_get_default_RSA(void)
 	{
 	return engine_get_default_type(ENGINE_TYPE_RSA);
 	}
+#endif
 
+#ifndef OPENSSL_NO_DSA
 ENGINE *ENGINE_get_default_DSA(void)
 	{
 	return engine_get_default_type(ENGINE_TYPE_DSA);
 	}
+#endif
 
+#ifndef OPENSSL_NO_DH
 ENGINE *ENGINE_get_default_DH(void)
 	{
 	return engine_get_default_type(ENGINE_TYPE_DH);
 	}
+#endif
 
 ENGINE *ENGINE_get_default_RAND(void)
 	{
@@ -671,15 +695,21 @@ static int engine_set_default_type(ENGINE_TYPE t, ENGINE *e)
 	CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
 	switch(t)
 		{
+#ifndef OPENSSL_NO_RSA
 	case ENGINE_TYPE_RSA:
 		old = engine_def_rsa;
 		engine_def_rsa = e; break;
+#endif
+#ifndef OPENSSL_NO_DSA
 	case ENGINE_TYPE_DSA:
 		old = engine_def_dsa;
 		engine_def_dsa = e; break;
+#endif
+#ifndef OPENSSL_NO_DH
 	case ENGINE_TYPE_DH:
 		old = engine_def_dh;
 		engine_def_dh = e; break;
+#endif
 	case ENGINE_TYPE_RAND:
 		old = engine_def_rand;
 		engine_def_rand = e; break;
@@ -702,20 +732,26 @@ static int engine_set_default_type(ENGINE_TYPE t, ENGINE *e)
 	return 1;
 	}
 
+#ifndef OPENSSL_NO_RSA
 int ENGINE_set_default_RSA(ENGINE *e)
 	{
 	return engine_set_default_type(ENGINE_TYPE_RSA, e);
 	}
+#endif
 
+#ifndef OPENSSL_NO_DSA
 int ENGINE_set_default_DSA(ENGINE *e)
 	{
 	return engine_set_default_type(ENGINE_TYPE_DSA, e);
 	}
+#endif
 
+#ifndef OPENSSL_NO_DH
 int ENGINE_set_default_DH(ENGINE *e)
 	{
 	return engine_set_default_type(ENGINE_TYPE_DH, e);
 	}
+#endif
 
 int ENGINE_set_default_RAND(ENGINE *e)
 	{
@@ -734,15 +770,21 @@ int ENGINE_set_default_BN_mod_exp_crt(ENGINE *e)
 
 int ENGINE_set_default(ENGINE *e, unsigned int flags)
 	{
+#ifndef OPENSSL_NO_RSA
 	if((flags & ENGINE_METHOD_RSA) && e->rsa_meth &&
 			!ENGINE_set_default_RSA(e))
 		return 0;
+#endif
+#ifndef OPENSSL_NO_DSA
 	if((flags & ENGINE_METHOD_DSA) && e->dsa_meth &&
 			!ENGINE_set_default_DSA(e))
 		return 0;
+#endif
+#ifndef OPENSSL_NO_DH
 	if((flags & ENGINE_METHOD_DH) && e->dh_meth &&
 			!ENGINE_set_default_DH(e))
 		return 0;
+#endif
 	if((flags & ENGINE_METHOD_RAND) && e->rand_meth &&
 			!ENGINE_set_default_RAND(e))
 		return 0;
diff --git a/crypto/engine/engine_list.c b/crypto/engine/engine_list.c
index 530207e8a6..cc57e658ab 100644
--- a/crypto/engine/engine_list.c
+++ b/crypto/engine/engine_list.c
@@ -402,20 +402,32 @@ int ENGINE_set_name(ENGINE *e, const char *name)
 
 int ENGINE_set_RSA(ENGINE *e, const RSA_METHOD *rsa_meth)
 	{
+#ifndef OPENSSL_NO_RSA
 	e->rsa_meth = rsa_meth;
 	return 1;
+#else
+        return 0;
+#endif
 	}
 
 int ENGINE_set_DSA(ENGINE *e, const DSA_METHOD *dsa_meth)
 	{
+#ifndef OPENSSL_NO_DSA
 	e->dsa_meth = dsa_meth;
 	return 1;
+#else
+        return 0;
+#endif
 	}
 
 int ENGINE_set_DH(ENGINE *e, const DH_METHOD *dh_meth)
 	{
+#ifndef OPENSSL_NO_DH
 	e->dh_meth = dh_meth;
 	return 1;
+#else
+        return 0;
+#endif
 	}
 
 int ENGINE_set_RAND(ENGINE *e, const RAND_METHOD *rand_meth)
@@ -482,9 +494,15 @@ int ENGINE_cpy(ENGINE *dest, const ENGINE *src)
 	{
 	if(ENGINE_set_id(dest, ENGINE_get_id(src)) &&
 			ENGINE_set_name(dest, ENGINE_get_name(src)) &&
+#ifndef OPENSSL_NO_RSA
 			ENGINE_set_RSA(dest, ENGINE_get_RSA(src)) &&
+#endif
+#ifndef OPENSSL_NO_RSA
 			ENGINE_set_DSA(dest, ENGINE_get_DSA(src)) &&
+#endif
+#ifndef OPENSSL_NO_RSA
 			ENGINE_set_DH(dest, ENGINE_get_DH(src)) &&
+#endif
 			ENGINE_set_RAND(dest, ENGINE_get_RAND(src)) &&
 			ENGINE_set_BN_mod_exp(dest,
 					ENGINE_get_BN_mod_exp(src)) &&
diff --git a/crypto/engine/engine_openssl.c b/crypto/engine/engine_openssl.c
index 35cfd2354a..cd885c0409 100644
--- a/crypto/engine/engine_openssl.c
+++ b/crypto/engine/engine_openssl.c
@@ -62,11 +62,6 @@
 #include "cryptlib.h"
 #include <openssl/engine.h>
 #include <openssl/dso.h>
-#include <openssl/rsa.h>
-#include <openssl/dsa.h>
-#include <openssl/dh.h>
-#include <openssl/rand.h>
-#include <openssl/bn.h>
 
 /* This is the only function we need to implement as OpenSSL
  * doesn't have a native CRT mod_exp. Perhaps this should be
@@ -88,9 +83,15 @@ ENGINE *ENGINE_openssl()
 		return NULL;
 	if(!ENGINE_set_id(ret, engine_openssl_id) ||
 			!ENGINE_set_name(ret, engine_openssl_name) ||
+#ifndef OPENSSL_NO_RSA
 			!ENGINE_set_RSA(ret, RSA_get_default_openssl_method()) ||
+#endif
+#ifndef OPENSSL_NO_DSA
 			!ENGINE_set_DSA(ret, DSA_get_default_openssl_method()) ||
+#endif
+#ifndef OPENSSL_NO_DH
 			!ENGINE_set_DH(ret, DH_get_default_openssl_method()) ||
+#endif
 			!ENGINE_set_RAND(ret, RAND_SSLeay()) ||
 			!ENGINE_set_BN_mod_exp(ret, BN_mod_exp) ||
 			!ENGINE_set_BN_mod_exp_crt(ret, openssl_mod_exp_crt))
diff --git a/crypto/engine/hw_atalla.c b/crypto/engine/hw_atalla.c
index 8bf702aac0..5deb2c4382 100644
--- a/crypto/engine/hw_atalla.c
+++ b/crypto/engine/hw_atalla.c
@@ -79,12 +79,15 @@ static int atalla_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)());
 static int atalla_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 		const BIGNUM *m, BN_CTX *ctx);
 
+#ifndef OPENSSL_NO_RSA
 /* RSA stuff */
 static int atalla_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa);
+#endif
 /* This function is aliased to mod_exp (with the mont stuff dropped). */
 static int atalla_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 		const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
 
+#ifndef OPENSSL_NO_DSA
 /* DSA stuff */
 static int atalla_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
 		BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, BIGNUM *m,
@@ -92,12 +95,15 @@ static int atalla_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
 static int atalla_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
 		const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
 		BN_MONT_CTX *m_ctx);
+#endif
 
+#ifndef OPENSSL_NO_DH
 /* DH stuff */
 /* This function is alised to mod_exp (with the DH and mont dropped). */
 static int atalla_mod_exp_dh(const DH *dh, BIGNUM *r,
 		const BIGNUM *a, const BIGNUM *p,
 		const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+#endif
 
 /* The definitions for control commands specific to this engine */
 #define ATALLA_CMD_SO_PATH		ENGINE_CMD_BASE
@@ -109,6 +115,7 @@ static const ENGINE_CMD_DEFN atalla_cmd_defns[] = {
 	{0, NULL, NULL, 0}
 	};
 
+#ifndef OPENSSL_NO_RSA
 /* Our internal RSA_METHOD that we provide pointers to */
 static RSA_METHOD atalla_rsa =
 	{
@@ -126,7 +133,9 @@ static RSA_METHOD atalla_rsa =
 	NULL,
 	NULL
 	};
+#endif
 
+#ifndef OPENSSL_NO_DSA
 /* Our internal DSA_METHOD that we provide pointers to */
 static DSA_METHOD atalla_dsa =
 	{
@@ -141,7 +150,9 @@ static DSA_METHOD atalla_dsa =
 	0, /* flags */
 	NULL /* app_data */
 	};
+#endif
 
+#ifndef OPENSSL_NO_DH
 /* Our internal DH_METHOD that we provide pointers to */
 static DH_METHOD atalla_dh =
 	{
@@ -154,6 +165,7 @@ static DH_METHOD atalla_dh =
 	0,
 	NULL
 	};
+#endif
 
 /* Constants used when creating the ENGINE */
 static const char *engine_atalla_id = "atalla";
@@ -163,17 +175,29 @@ static const char *engine_atalla_name = "Atalla hardware engine support";
  * (indeed - the lock will already be held by our caller!!!) */
 ENGINE *ENGINE_atalla()
 	{
+#ifndef OPENSSL_NO_RSA
 	const RSA_METHOD *meth1;
+#endif
+#ifndef OPENSSL_NO_DSA
 	const DSA_METHOD *meth2;
+#endif
+#ifndef OPENSSL_NO_DH
 	const DH_METHOD *meth3;
+#endif
 	ENGINE *ret = ENGINE_new();
 	if(!ret)
 		return NULL;
 	if(!ENGINE_set_id(ret, engine_atalla_id) ||
 			!ENGINE_set_name(ret, engine_atalla_name) ||
+#ifndef OPENSSL_NO_RSA
 			!ENGINE_set_RSA(ret, &atalla_rsa) ||
+#endif
+#ifndef OPENSSL_NO_DSA
 			!ENGINE_set_DSA(ret, &atalla_dsa) ||
+#endif
+#ifndef OPENSSL_NO_DH
 			!ENGINE_set_DH(ret, &atalla_dh) ||
+#endif
 			!ENGINE_set_BN_mod_exp(ret, atalla_mod_exp) ||
 			!ENGINE_set_init_function(ret, atalla_init) ||
 			!ENGINE_set_finish_function(ret, atalla_finish) ||
@@ -184,6 +208,7 @@ ENGINE *ENGINE_atalla()
 		return NULL;
 		}
 
+#ifndef OPENSSL_NO_RSA
 	/* We know that the "PKCS1_SSLeay()" functions hook properly
 	 * to the atalla-specific mod_exp and mod_exp_crt so we use
 	 * those functions. NB: We don't use ENGINE_openssl() or
@@ -196,18 +221,23 @@ ENGINE *ENGINE_atalla()
 	atalla_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
 	atalla_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
 	atalla_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
+#endif
 
+#ifndef OPENSSL_NO_DSA
 	/* Use the DSA_OpenSSL() method and just hook the mod_exp-ish
 	 * bits. */
 	meth2 = DSA_OpenSSL();
 	atalla_dsa.dsa_do_sign = meth2->dsa_do_sign;
 	atalla_dsa.dsa_sign_setup = meth2->dsa_sign_setup;
 	atalla_dsa.dsa_do_verify = meth2->dsa_do_verify;
+#endif
 
+#ifndef OPENSSL_NO_DH
 	/* Much the same for Diffie-Hellman */
 	meth3 = DH_OpenSSL();
 	atalla_dh.generate_key = meth3->generate_key;
 	atalla_dh.compute_key = meth3->compute_key;
+#endif
 	return ret;
 	}
 
@@ -405,6 +435,7 @@ static int atalla_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 		ENGINEerr(ENGINE_F_ATALLA_MOD_EXP,ENGINE_R_REQUEST_FAILED);
 		goto err;
 	}
+
 	/* Convert the response */
 	BN_bin2bn((unsigned char *)result->d, numbytes, r);
 	to_return = 1;
@@ -413,6 +444,7 @@ err:
 	return to_return;
 	}
 
+#ifndef OPENSSL_NO_RSA
 static int atalla_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
 	{
 	BN_CTX *ctx = NULL;
@@ -436,7 +468,9 @@ err:
 		BN_CTX_free(ctx);
 	return to_return;
 	}
+#endif
 
+#ifndef OPENSSL_NO_DSA
 /* This code was liberated and adapted from the commented-out code in
  * dsa_ossl.c. Because of the unoptimised form of the Atalla acceleration
  * (it doesn't have a CRT form for RSA), this function means that an
@@ -464,13 +498,13 @@ end:
 	return to_return;
 	}
 
-
 static int atalla_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
 		const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
 		BN_MONT_CTX *m_ctx)
 	{
 	return atalla_mod_exp(r, a, p, m, ctx);
 	}
+#endif
 
 /* This function is aliased to mod_exp (with the mont stuff dropped). */
 static int atalla_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
@@ -479,6 +513,7 @@ static int atalla_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 	return atalla_mod_exp(r, a, p, m, ctx);
 	}
 
+#ifndef OPENSSL_NO_DH
 /* This function is aliased to mod_exp (with the dh and mont dropped). */
 static int atalla_mod_exp_dh(const DH *dh, BIGNUM *r,
 		const BIGNUM *a, const BIGNUM *p,
@@ -486,6 +521,7 @@ static int atalla_mod_exp_dh(const DH *dh, BIGNUM *r,
 	{
 	return atalla_mod_exp(r, a, p, m, ctx);
 	}
+#endif
 
 #endif /* !OPENSSL_NO_HW_ATALLA */
 #endif /* !OPENSSL_NO_HW */
diff --git a/crypto/engine/hw_cswift.c b/crypto/engine/hw_cswift.c
index 15983525e1..5471dbe501 100644
--- a/crypto/engine/hw_cswift.c
+++ b/crypto/engine/hw_cswift.c
@@ -94,22 +94,28 @@ static int cswift_mod_exp_crt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 		const BIGNUM *q, const BIGNUM *dmp1, const BIGNUM *dmq1,
 		const BIGNUM *iqmp, BN_CTX *ctx);
 
+#ifndef OPENSSL_NO_RSA
 /* RSA stuff */
 static int cswift_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa);
+#endif
 /* This function is aliased to mod_exp (with the mont stuff dropped). */
 static int cswift_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 		const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
 
+#ifndef OPENSSL_NO_DSA
 /* DSA stuff */
 static DSA_SIG *cswift_dsa_sign(const unsigned char *dgst, int dlen, DSA *dsa);
 static int cswift_dsa_verify(const unsigned char *dgst, int dgst_len,
 				DSA_SIG *sig, DSA *dsa);
+#endif
 
+#ifndef OPENSSL_NO_DH
 /* DH stuff */
 /* This function is alised to mod_exp (with the DH and mont dropped). */
 static int cswift_mod_exp_dh(const DH *dh, BIGNUM *r,
 		const BIGNUM *a, const BIGNUM *p,
 		const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+#endif
 
 /* The definitions for control commands specific to this engine */
 #define CSWIFT_CMD_SO_PATH		ENGINE_CMD_BASE
@@ -121,6 +127,7 @@ static const ENGINE_CMD_DEFN cswift_cmd_defns[] = {
 	{0, NULL, NULL, 0}
 	};
 
+#ifndef OPENSSL_NO_RSA
 /* Our internal RSA_METHOD that we provide pointers to */
 static RSA_METHOD cswift_rsa =
 	{
@@ -138,7 +145,9 @@ static RSA_METHOD cswift_rsa =
 	NULL,
 	NULL
 	};
+#endif
 
+#ifndef OPENSSL_NO_DSA
 /* Our internal DSA_METHOD that we provide pointers to */
 static DSA_METHOD cswift_dsa =
 	{
@@ -153,7 +162,9 @@ static DSA_METHOD cswift_dsa =
 	0, /* flags */
 	NULL /* app_data */
 	};
+#endif
 
+#ifndef OPENSSL_NO_DH
 /* Our internal DH_METHOD that we provide pointers to */
 static DH_METHOD cswift_dh =
 	{
@@ -166,6 +177,7 @@ static DH_METHOD cswift_dh =
 	0,
 	NULL
 	};
+#endif
 
 /* Constants used when creating the ENGINE */
 static const char *engine_cswift_id = "cswift";
@@ -175,16 +187,26 @@ static const char *engine_cswift_name = "CryptoSwift hardware engine support";
  * (indeed - the lock will already be held by our caller!!!) */
 ENGINE *ENGINE_cswift()
 	{
+#ifndef OPENSSL_NO_RSA
 	const RSA_METHOD *meth1;
+#endif
+#ifndef OPENSSL_NO_DH
 	const DH_METHOD *meth2;
+#endif
 	ENGINE *ret = ENGINE_new();
 	if(!ret)
 		return NULL;
 	if(!ENGINE_set_id(ret, engine_cswift_id) ||
 			!ENGINE_set_name(ret, engine_cswift_name) ||
+#ifndef OPENSSL_NO_RSA
 			!ENGINE_set_RSA(ret, &cswift_rsa) ||
+#endif
+#ifndef OPENSSL_NO_DSA
 			!ENGINE_set_DSA(ret, &cswift_dsa) ||
+#endif
+#ifndef OPENSSL_NO_DH
 			!ENGINE_set_DH(ret, &cswift_dh) ||
+#endif
 			!ENGINE_set_BN_mod_exp(ret, &cswift_mod_exp) ||
 			!ENGINE_set_BN_mod_exp_crt(ret, &cswift_mod_exp_crt) ||
 			!ENGINE_set_init_function(ret, cswift_init) ||
@@ -196,6 +218,7 @@ ENGINE *ENGINE_cswift()
 		return NULL;
 		}
 
+#ifndef OPENSSL_NO_RSA
 	/* We know that the "PKCS1_SSLeay()" functions hook properly
 	 * to the cswift-specific mod_exp and mod_exp_crt so we use
 	 * those functions. NB: We don't use ENGINE_openssl() or
@@ -208,11 +231,14 @@ ENGINE *ENGINE_cswift()
 	cswift_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
 	cswift_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
 	cswift_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
+#endif
 
+#ifndef OPENSSL_NO_DH
 	/* Much the same for Diffie-Hellman */
 	meth2 = DH_OpenSSL();
 	cswift_dh.generate_key = meth2->generate_key;
 	cswift_dh.compute_key = meth2->compute_key;
+#endif
 	return ret;
 	}
 
@@ -572,6 +598,7 @@ err:
 	return to_return;
 	}
  
+#ifndef OPENSSL_NO_RSA
 static int cswift_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
 	{
 	BN_CTX *ctx;
@@ -591,6 +618,7 @@ err:
 		BN_CTX_free(ctx);
 	return to_return;
 	}
+#endif
 
 /* This function is aliased to mod_exp (with the mont stuff dropped). */
 static int cswift_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
@@ -599,6 +627,7 @@ static int cswift_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 	return cswift_mod_exp(r, a, p, m, ctx);
 	}
 
+#ifndef OPENSSL_NO_DSA
 static DSA_SIG *cswift_dsa_sign(const unsigned char *dgst, int dlen, DSA *dsa)
 	{
 	SW_CONTEXT_HANDLE hac;
@@ -823,7 +852,9 @@ err:
 		}
 	return to_return;
 	}
+#endif
 
+#ifndef OPENSSL_NO_DH
 /* This function is aliased to mod_exp (with the dh and mont dropped). */
 static int cswift_mod_exp_dh(const DH *dh, BIGNUM *r,
 		const BIGNUM *a, const BIGNUM *p,
@@ -831,6 +862,7 @@ static int cswift_mod_exp_dh(const DH *dh, BIGNUM *r,
 	{
 	return cswift_mod_exp(r, a, p, m, ctx);
 	}
+#endif
 
 #endif /* !OPENSSL_NO_HW_CSWIFT */
 #endif /* !OPENSSL_NO_HW */
diff --git a/crypto/engine/hw_ncipher.c b/crypto/engine/hw_ncipher.c
index dc645d554b..597471ff58 100644
--- a/crypto/engine/hw_ncipher.c
+++ b/crypto/engine/hw_ncipher.c
@@ -95,8 +95,10 @@ static void hwcrhk_mutex_destroy(HWCryptoHook_Mutex*);
 static int hwcrhk_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 		const BIGNUM *m, BN_CTX *ctx);
 
+#ifndef OPENSSL_NO_RSA
 /* RSA stuff */
 static int hwcrhk_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa);
+#endif
 /* This function is aliased to mod_exp (with the mont stuff dropped). */
 static int hwcrhk_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 		const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
@@ -146,6 +148,7 @@ static const ENGINE_CMD_DEFN hwcrhk_cmd_defns[] = {
 	{0, NULL, NULL, 0}
 	};
 
+#ifndef OPENSSL_NO_RSA
 /* Our internal RSA_METHOD that we provide pointers to */
 static RSA_METHOD hwcrhk_rsa =
 	{
@@ -163,7 +166,9 @@ static RSA_METHOD hwcrhk_rsa =
 	NULL,
 	NULL
 	};
+#endif
 
+#ifndef OPENSSL_NO_DH
 /* Our internal DH_METHOD that we provide pointers to */
 static DH_METHOD hwcrhk_dh =
 	{
@@ -176,6 +181,7 @@ static DH_METHOD hwcrhk_dh =
 	0,
 	NULL
 	};
+#endif
 
 static RAND_METHOD hwcrhk_rand =
 	{
@@ -294,15 +300,23 @@ static HWCryptoHook_InitInfo hwcrhk_globals = {
  * (indeed - the lock will already be held by our caller!!!) */
 ENGINE *ENGINE_ncipher()
 	{
+#ifndef OPENSSL_NO_RSA
 	const RSA_METHOD *meth1;
+#endif
+#ifndef OPENSSL_NO_DH
 	const DH_METHOD *meth2;
+#endif
 	ENGINE *ret = ENGINE_new();
 	if(!ret)
 		return NULL;
 	if(!ENGINE_set_id(ret, engine_hwcrhk_id) ||
 			!ENGINE_set_name(ret, engine_hwcrhk_name) ||
+#ifndef OPENSSL_NO_RSA
 			!ENGINE_set_RSA(ret, &hwcrhk_rsa) ||
+#endif
+#ifndef OPENSSL_NO_DH
 			!ENGINE_set_DH(ret, &hwcrhk_dh) ||
+#endif
 			!ENGINE_set_RAND(ret, &hwcrhk_rand) ||
 			!ENGINE_set_BN_mod_exp(ret, hwcrhk_mod_exp) ||
 			!ENGINE_set_init_function(ret, hwcrhk_init) ||
@@ -316,6 +330,7 @@ ENGINE *ENGINE_ncipher()
 		return NULL;
 		}
 
+#ifndef OPENSSL_NO_RSA
 	/* We know that the "PKCS1_SSLeay()" functions hook properly
 	 * to the cswift-specific mod_exp and mod_exp_crt so we use
 	 * those functions. NB: We don't use ENGINE_openssl() or
@@ -328,11 +343,14 @@ ENGINE *ENGINE_ncipher()
 	hwcrhk_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
 	hwcrhk_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
 	hwcrhk_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
+#endif
 
+#ifndef OPENSSL_NO_DH
 	/* Much the same for Diffie-Hellman */
 	meth2 = DH_OpenSSL();
 	hwcrhk_dh.generate_key = meth2->generate_key;
 	hwcrhk_dh.compute_key = meth2->compute_key;
+#endif
 	return ret;
 	}
 
@@ -343,18 +361,24 @@ ENGINE *ENGINE_ncipher()
  * implicitly. */
 static DSO *hwcrhk_dso = NULL;
 static HWCryptoHook_ContextHandle hwcrhk_context = 0;
-static int hndidx = -1;	/* Index for KM handle.  Not really used yet. */
+#ifndef OPENSSL_NO_RSA
+static int hndidx_rsa = -1;    /* Index for KM handle.  Not really used yet. */
+#endif
 
 /* These are the function pointers that are (un)set when the library has
  * successfully (un)loaded. */
 static HWCryptoHook_Init_t *p_hwcrhk_Init = NULL;
 static HWCryptoHook_Finish_t *p_hwcrhk_Finish = NULL;
 static HWCryptoHook_ModExp_t *p_hwcrhk_ModExp = NULL;
+#ifndef OPENSSL_NO_RSA
 static HWCryptoHook_RSA_t *p_hwcrhk_RSA = NULL;
+#endif
 static HWCryptoHook_RandomBytes_t *p_hwcrhk_RandomBytes = NULL;
+#ifndef OPENSSL_NO_RSA
 static HWCryptoHook_RSALoadKey_t *p_hwcrhk_RSALoadKey = NULL;
 static HWCryptoHook_RSAGetPublicKey_t *p_hwcrhk_RSAGetPublicKey = NULL;
 static HWCryptoHook_RSAUnloadKey_t *p_hwcrhk_RSAUnloadKey = NULL;
+#endif
 static HWCryptoHook_ModExpCRT_t *p_hwcrhk_ModExpCRT = NULL;
 
 /* Used in the DSO operations. */
@@ -363,11 +387,15 @@ static const char *HWCRHK_LIBNAME = def_HWCRHK_LIBNAME;
 static const char *n_hwcrhk_Init = "HWCryptoHook_Init";
 static const char *n_hwcrhk_Finish = "HWCryptoHook_Finish";
 static const char *n_hwcrhk_ModExp = "HWCryptoHook_ModExp";
+#ifndef OPENSSL_NO_RSA
 static const char *n_hwcrhk_RSA = "HWCryptoHook_RSA";
+#endif
 static const char *n_hwcrhk_RandomBytes = "HWCryptoHook_RandomBytes";
+#ifndef OPENSSL_NO_RSA
 static const char *n_hwcrhk_RSALoadKey = "HWCryptoHook_RSALoadKey";
 static const char *n_hwcrhk_RSAGetPublicKey = "HWCryptoHook_RSAGetPublicKey";
 static const char *n_hwcrhk_RSAUnloadKey = "HWCryptoHook_RSAUnloadKey";
+#endif
 static const char *n_hwcrhk_ModExpCRT = "HWCryptoHook_ModExpCRT";
 
 /* HWCryptoHook library functions and mechanics - these are used by the
@@ -403,10 +431,12 @@ static int hwcrhk_init(ENGINE *e)
 	HWCryptoHook_Init_t *p1;
 	HWCryptoHook_Finish_t *p2;
 	HWCryptoHook_ModExp_t *p3;
+#ifndef OPENSSL_NO_RSA
 	HWCryptoHook_RSA_t *p4;
 	HWCryptoHook_RSALoadKey_t *p5;
 	HWCryptoHook_RSAGetPublicKey_t *p6;
 	HWCryptoHook_RSAUnloadKey_t *p7;
+#endif
 	HWCryptoHook_RandomBytes_t *p8;
 	HWCryptoHook_ModExpCRT_t *p9;
 
@@ -428,6 +458,7 @@ static int hwcrhk_init(ENGINE *e)
 			DSO_bind_func(hwcrhk_dso, n_hwcrhk_Finish)) ||
 		!(p3 = (HWCryptoHook_ModExp_t *)
 			DSO_bind_func(hwcrhk_dso, n_hwcrhk_ModExp)) ||
+#ifndef OPENSSL_NO_RSA
 		!(p4 = (HWCryptoHook_RSA_t *)
 			DSO_bind_func(hwcrhk_dso, n_hwcrhk_RSA)) ||
 		!(p5 = (HWCryptoHook_RSALoadKey_t *)
@@ -436,6 +467,7 @@ static int hwcrhk_init(ENGINE *e)
 			DSO_bind_func(hwcrhk_dso, n_hwcrhk_RSAGetPublicKey)) ||
 		!(p7 = (HWCryptoHook_RSAUnloadKey_t *)
 			DSO_bind_func(hwcrhk_dso, n_hwcrhk_RSAUnloadKey)) ||
+#endif
 		!(p8 = (HWCryptoHook_RandomBytes_t *)
 			DSO_bind_func(hwcrhk_dso, n_hwcrhk_RandomBytes)) ||
 		!(p9 = (HWCryptoHook_ModExpCRT_t *)
@@ -448,10 +480,12 @@ static int hwcrhk_init(ENGINE *e)
 	p_hwcrhk_Init = p1;
 	p_hwcrhk_Finish = p2;
 	p_hwcrhk_ModExp = p3;
+#ifndef OPENSSL_NO_RSA
 	p_hwcrhk_RSA = p4;
 	p_hwcrhk_RSALoadKey = p5;
 	p_hwcrhk_RSAGetPublicKey = p6;
 	p_hwcrhk_RSAUnloadKey = p7;
+#endif
 	p_hwcrhk_RandomBytes = p8;
 	p_hwcrhk_ModExpCRT = p9;
 
@@ -476,10 +510,12 @@ static int hwcrhk_init(ENGINE *e)
 		goto err;
 		}
 	/* Everything's fine. */
-	if (hndidx == -1)
-		hndidx = RSA_get_ex_new_index(0,
+#ifndef OPENSSL_NO_RSA
+	if (hndidx_rsa == -1)
+		hndidx_rsa = RSA_get_ex_new_index(0,
 			"nFast HWCryptoHook RSA key handle",
 			NULL, NULL, hwcrhk_ex_free);
+#endif
 	return 1;
 err:
 	if(hwcrhk_dso)
@@ -488,10 +524,12 @@ err:
 	p_hwcrhk_Init = NULL;
 	p_hwcrhk_Finish = NULL;
 	p_hwcrhk_ModExp = NULL;
+#ifndef OPENSSL_NO_RSA
 	p_hwcrhk_RSA = NULL;
 	p_hwcrhk_RSALoadKey = NULL;
 	p_hwcrhk_RSAGetPublicKey = NULL;
 	p_hwcrhk_RSAUnloadKey = NULL;
+#endif
 	p_hwcrhk_ModExpCRT = NULL;
 	p_hwcrhk_RandomBytes = NULL;
 	return 0;
@@ -520,10 +558,12 @@ static int hwcrhk_finish(ENGINE *e)
 	p_hwcrhk_Init = NULL;
 	p_hwcrhk_Finish = NULL;
 	p_hwcrhk_ModExp = NULL;
+#ifndef OPENSSL_NO_RSA
 	p_hwcrhk_RSA = NULL;
 	p_hwcrhk_RSALoadKey = NULL;
 	p_hwcrhk_RSAGetPublicKey = NULL;
 	p_hwcrhk_RSAUnloadKey = NULL;
+#endif
 	p_hwcrhk_ModExpCRT = NULL;
 	p_hwcrhk_RandomBytes = NULL;
 	return to_return;
@@ -613,11 +653,17 @@ static int hwcrhk_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
 static EVP_PKEY *hwcrhk_load_privkey(ENGINE *eng, const char *key_id,
 	const char *passphrase)
 	{
+#ifndef OPENSSL_NO_RSA
 	RSA *rtmp = NULL;
+#endif
 	EVP_PKEY *res = NULL;
+#ifndef OPENSSL_NO_RSA
 	HWCryptoHook_MPI e, n;
 	HWCryptoHook_RSAKeyHandle *hptr;
+#endif
+#if !defined(OPENSSL_NO_RSA)
 	HWCryptoHook_ErrMsgBuf rmsg;
+#endif
 
 	if(!hwcrhk_context)
 		{
@@ -625,6 +671,7 @@ static EVP_PKEY *hwcrhk_load_privkey(ENGINE *eng, const char *key_id,
 			ENGINE_R_NOT_INITIALISED);
 		goto err;
 		}
+#ifndef OPENSSL_NO_RSA
 	hptr = OPENSSL_malloc(sizeof(HWCryptoHook_RSAKeyHandle));
 	if (!hptr)
 		{
@@ -646,8 +693,10 @@ static EVP_PKEY *hwcrhk_load_privkey(ENGINE *eng, const char *key_id,
 			ENGINE_R_NO_KEY);
 		goto err;
 		}
+#endif
+#ifndef OPENSSL_NO_RSA
 	rtmp = RSA_new_method(eng);
-	RSA_set_ex_data(rtmp, hndidx, (char *)hptr);
+	RSA_set_ex_data(rtmp, hndidx_rsa, (char *)hptr);
 	rtmp->e = BN_new();
 	rtmp->n = BN_new();
 	rtmp->flags |= RSA_FLAG_EXT_PKEY;
@@ -660,7 +709,7 @@ static EVP_PKEY *hwcrhk_load_privkey(ENGINE *eng, const char *key_id,
 		ERR_add_error_data(1,rmsg.buf);
 		goto err;
 		}
-			
+
 	bn_expand2(rtmp->e, e.size/sizeof(BN_ULONG));
 	bn_expand2(rtmp->n, n.size/sizeof(BN_ULONG));
 	MPI2BN(rtmp->e, e);
@@ -680,24 +729,36 @@ static EVP_PKEY *hwcrhk_load_privkey(ENGINE *eng, const char *key_id,
 
 	res = EVP_PKEY_new();
 	EVP_PKEY_assign_RSA(res, rtmp);
+#endif
+
+        if (!res)
+                ENGINEerr(ENGINE_F_HWCRHK_LOAD_PUBKEY,
+                        ENGINE_R_PRIVATE_KEY_ALGORITHMS_DISABLED);
 
 	return res;
  err:
 	if (res)
 		EVP_PKEY_free(res);
+#ifndef OPENSSL_NO_RSA
 	if (rtmp)
 		RSA_free(rtmp);
+#endif
 	return NULL;
 	}
 
 static EVP_PKEY *hwcrhk_load_pubkey(ENGINE *eng, const char *key_id,
 	const char *passphrase)
 	{
-	EVP_PKEY *res = hwcrhk_load_privkey(eng, key_id, passphrase);
+	EVP_PKEY *res = NULL;
+
+#ifndef OPENSSL_NO_RSA
+        res = hwcrhk_load_privkey(eng, key_id, passphrase);
+#endif
 
 	if (res)
 		switch(res->type)
 			{
+#ifndef OPENSSL_NO_RSA
 		case EVP_PKEY_RSA:
 			{
 			RSA *rsa = NULL;
@@ -710,6 +771,7 @@ static EVP_PKEY *hwcrhk_load_pubkey(ENGINE *eng, const char *key_id,
 			CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
 			RSA_free(rsa);
 			}
+#endif
 		default:
 			ENGINEerr(ENGINE_F_HWCRHK_LOAD_PUBKEY,
 				ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED);
@@ -779,7 +841,8 @@ static int hwcrhk_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 err:
 	return to_return;
 	}
- 
+
+#ifndef OPENSSL_NO_RSA 
 static int hwcrhk_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa)
 	{
 	char tempbuf[1024];
@@ -796,7 +859,7 @@ static int hwcrhk_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa)
 	/* This provides support for nForce keys.  Since that's opaque data
 	   all we do is provide a handle to the proper key and let HWCryptoHook
 	   take care of the rest. */
-	if ((hptr = (HWCryptoHook_RSAKeyHandle *) RSA_get_ex_data(rsa, hndidx))
+	if ((hptr = (HWCryptoHook_RSAKeyHandle *) RSA_get_ex_data(rsa, hndidx_rsa))
 		!= NULL)
 		{
 		HWCryptoHook_MPI m_a, m_r;
@@ -894,6 +957,7 @@ static int hwcrhk_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa)
 err:
 	return to_return;
 	}
+#endif
 
 /* This function is aliased to mod_exp (with the mont stuff dropped). */
 static int hwcrhk_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
@@ -961,16 +1025,24 @@ static void hwcrhk_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad,
 {
 	char tempbuf[1024];
 	HWCryptoHook_ErrMsgBuf rmsg;
+#ifndef OPENSSL_NO_RSA
 	HWCryptoHook_RSAKeyHandle *hptr;
+#endif
+#if !defined(OPENSSL_NO_RSA)
 	int ret;
+#endif
 
 	rmsg.buf = tempbuf;
 	rmsg.size = 1024;
 
+#ifndef OPENSSL_NO_RSA
 	hptr = (HWCryptoHook_RSAKeyHandle *) item;
-	if(!hptr) return;
-	ret = p_hwcrhk_RSAUnloadKey(*hptr, NULL);
-	OPENSSL_free(hptr);
+	if(hptr)
+                {
+                ret = p_hwcrhk_RSAUnloadKey(*hptr, NULL);
+                OPENSSL_free(hptr);
+                }
+#endif
 }
 
 /* Mutex calls: since the HWCryptoHook model closely follows the POSIX model
diff --git a/crypto/engine/hw_nuron.c b/crypto/engine/hw_nuron.c
index d5697dade6..06eafa7176 100644
--- a/crypto/engine/hw_nuron.c
+++ b/crypto/engine/hw_nuron.c
@@ -164,11 +164,14 @@ static int nuron_mod_exp(BIGNUM *r,const BIGNUM *a,const BIGNUM *p,
 	return pfnModExp(r,a,p,m);
 	}
 
+#ifndef OPENSSL_NO_RSA
 static int nuron_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
 	{
 	return nuron_mod_exp(r0,I,rsa->d,rsa->n,NULL);
 	}
+#endif
 
+#ifndef OPENSSL_NO_DSA
 /* This code was liberated and adapted from the commented-out code in
  * dsa_ossl.c. Because of the unoptimised form of the Atalla acceleration
  * (it doesn't have a CRT form for RSA), this function means that an
@@ -206,6 +209,7 @@ static int nuron_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
 	{
 	return nuron_mod_exp(r, a, p, m, ctx);
 	}
+#endif
 
 /* This function is aliased to mod_exp (with the mont stuff dropped). */
 static int nuron_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
@@ -214,6 +218,7 @@ static int nuron_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 	return nuron_mod_exp(r, a, p, m, ctx);
 	}
 
+#ifndef OPENSSL_NO_DH
 /* This function is aliased to mod_exp (with the dh and mont dropped). */
 static int nuron_mod_exp_dh(const DH *dh, BIGNUM *r,
 		const BIGNUM *a, const BIGNUM *p,
@@ -221,7 +226,9 @@ static int nuron_mod_exp_dh(const DH *dh, BIGNUM *r,
 	{
 	return nuron_mod_exp(r, a, p, m, ctx);
 	}
+#endif
 
+#ifndef OPENSSL_NO_RSA
 static RSA_METHOD nuron_rsa =
 	{
 	"Nuron RSA method",
@@ -238,7 +245,9 @@ static RSA_METHOD nuron_rsa =
 	NULL,
 	NULL
 	};
+#endif
 
+#ifndef OPENSSL_NO_DSA
 static DSA_METHOD nuron_dsa =
 	{
 	"Nuron DSA method",
@@ -252,7 +261,9 @@ static DSA_METHOD nuron_dsa =
 	0, /* flags */
 	NULL /* app_data */
 	};
+#endif
 
+#ifndef OPENSSL_NO_DH
 static DH_METHOD nuron_dh =
 	{
 	"Nuron DH method",
@@ -264,6 +275,7 @@ static DH_METHOD nuron_dh =
 	0,
 	NULL
 	};
+#endif
 
 /* Constants used when creating the ENGINE */
 static const char *engine_nuron_id = "nuron";
@@ -273,17 +285,29 @@ static const char *engine_nuron_name = "Nuron hardware engine support";
  * (indeed - the lock will already be held by our caller!!!) */
 ENGINE *ENGINE_nuron()
 	{
+#ifndef OPENSSL_NO_RSA
 	const RSA_METHOD *meth1;
+#endif
+#ifndef OPENSSL_NO_DSA
 	const DSA_METHOD *meth2;
+#endif
+#ifndef OPENSSL_NO_DH
 	const DH_METHOD *meth3;
+#endif
 	ENGINE *ret = ENGINE_new();
 	if(!ret)
 		return NULL;
 	if(!ENGINE_set_id(ret, engine_nuron_id) ||
 			!ENGINE_set_name(ret, engine_nuron_name) ||
+#ifndef OPENSSL_NO_RSA
 			!ENGINE_set_RSA(ret, &nuron_rsa) ||
+#endif
+#ifndef OPENSSL_NO_DSA
 			!ENGINE_set_DSA(ret, &nuron_dsa) ||
+#endif
+#ifndef OPENSSL_NO_DH
 			!ENGINE_set_DH(ret, &nuron_dh) ||
+#endif
 			!ENGINE_set_BN_mod_exp(ret, nuron_mod_exp) ||
 			!ENGINE_set_init_function(ret, nuron_init) ||
 			!ENGINE_set_finish_function(ret, nuron_finish) ||
@@ -294,6 +318,7 @@ ENGINE *ENGINE_nuron()
 		return NULL;
 		}
 
+#ifndef OPENSSL_NO_RSA
 	/* We know that the "PKCS1_SSLeay()" functions hook properly
 	 * to the nuron-specific mod_exp and mod_exp_crt so we use
 	 * those functions. NB: We don't use ENGINE_openssl() or
@@ -306,18 +331,23 @@ ENGINE *ENGINE_nuron()
 	nuron_rsa.rsa_pub_dec=meth1->rsa_pub_dec;
 	nuron_rsa.rsa_priv_enc=meth1->rsa_priv_enc;
 	nuron_rsa.rsa_priv_dec=meth1->rsa_priv_dec;
+#endif
 
+#ifndef OPENSSL_NO_DSA
 	/* Use the DSA_OpenSSL() method and just hook the mod_exp-ish
 	 * bits. */
 	meth2=DSA_OpenSSL();
 	nuron_dsa.dsa_do_sign=meth2->dsa_do_sign;
 	nuron_dsa.dsa_sign_setup=meth2->dsa_sign_setup;
 	nuron_dsa.dsa_do_verify=meth2->dsa_do_verify;
+#endif
 
+#ifndef OPENSSL_NO_DH
 	/* Much the same for Diffie-Hellman */
 	meth3=DH_OpenSSL();
 	nuron_dh.generate_key=meth3->generate_key;
 	nuron_dh.compute_key=meth3->compute_key;
+#endif
 	return ret;
 	}
 
diff --git a/crypto/engine/hw_ubsec.c b/crypto/engine/hw_ubsec.c
index d948135568..ca14d36c76 100644
--- a/crypto/engine/hw_ubsec.c
+++ b/crypto/engine/hw_ubsec.c
@@ -81,9 +81,12 @@ static int ubsec_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 static int ubsec_mod_exp_crt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 			const BIGNUM *q, const BIGNUM *dp,
 			const BIGNUM *dq, const BIGNUM *qinv, BN_CTX *ctx);
+#ifndef OPENSSL_NO_RSA
 static int ubsec_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa);
+#endif
 static int ubsec_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 		const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+#ifndef OPENSSL_NO_DSA
 #if NOT_USED
 static int ubsec_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
 		BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, BIGNUM *m,
@@ -95,11 +98,14 @@ static int ubsec_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
 static DSA_SIG *ubsec_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
 static int ubsec_dsa_verify(const unsigned char *dgst, int dgst_len,
                                 DSA_SIG *sig, DSA *dsa);
+#endif
+#ifndef OPENSSL_NO_DH
 static int ubsec_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
 		const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
 		BN_MONT_CTX *m_ctx);
 static int ubsec_dh_compute_key(unsigned char *key,const BIGNUM *pub_key,DH *dh);
 static int ubsec_dh_generate_key(DH *dh);
+#endif
 
 #if NOT_USED
 static int ubsec_rand_bytes(unsigned char *buf, int num);
@@ -115,8 +121,8 @@ static const ENGINE_CMD_DEFN ubsec_cmd_defns[] = {
 	{0, NULL, NULL, 0}
 	};
 
+#ifndef OPENSSL_NO_RSA
 /* Our internal RSA_METHOD that we provide pointers to */
-
 static RSA_METHOD ubsec_rsa =
 	{
 	"UBSEC RSA method",
@@ -133,7 +139,9 @@ static RSA_METHOD ubsec_rsa =
 	NULL,
 	NULL
 	};
+#endif
 
+#ifndef OPENSSL_NO_DSA
 /* Our internal DSA_METHOD that we provide pointers to */
 static DSA_METHOD ubsec_dsa =
 	{
@@ -148,7 +156,9 @@ static DSA_METHOD ubsec_dsa =
 	0, /* flags */
 	NULL /* app_data */
 	};
+#endif
 
+#ifndef OPENSSL_NO_DH
 /* Our internal DH_METHOD that we provide pointers to */
 static DH_METHOD ubsec_dh =
 	{
@@ -161,6 +171,7 @@ static DH_METHOD ubsec_dh =
 	0,
 	NULL
 	};
+#endif
 
 /* Constants used when creating the ENGINE */
 static const char *engine_ubsec_id = "ubsec";
@@ -170,18 +181,28 @@ static const char *engine_ubsec_name = "UBSEC hardware engine support";
  * (indeed - the lock will already be held by our caller!!!) */
 ENGINE *ENGINE_ubsec()
 	{
+#ifndef OPENSSL_NO_RSA
 	const RSA_METHOD *meth1;
+#endif
+#ifndef OPENSSL_NO_DH
 #ifndef HAVE_UBSEC_DH
 	const DH_METHOD *meth3;
 #endif /* HAVE_UBSEC_DH */
+#endif
 	ENGINE *ret = ENGINE_new();
 	if(!ret)
 		return NULL;
 	if(!ENGINE_set_id(ret, engine_ubsec_id) ||
 			!ENGINE_set_name(ret, engine_ubsec_name) ||
+#ifndef OPENSSL_NO_RSA
 			!ENGINE_set_RSA(ret, &ubsec_rsa) ||
+#endif
+#ifndef OPENSSL_NO_DSA
 			!ENGINE_set_DSA(ret, &ubsec_dsa) ||
+#endif
+#ifndef OPENSSL_NO_DH
 			!ENGINE_set_DH(ret, &ubsec_dh) ||
+#endif
 			!ENGINE_set_BN_mod_exp(ret, ubsec_mod_exp) ||
 			!ENGINE_set_BN_mod_exp_crt(ret, ubsec_mod_exp_crt) ||
 			!ENGINE_set_init_function(ret, ubsec_init) ||
@@ -193,6 +214,7 @@ ENGINE *ENGINE_ubsec()
 		return NULL;
 		}
 
+#ifndef OPENSSL_NO_RSA
 	/* We know that the "PKCS1_SSLeay()" functions hook properly
 	 * to the Broadcom-specific mod_exp and mod_exp_crt so we use
 	 * those functions. NB: We don't use ENGINE_openssl() or
@@ -205,13 +227,16 @@ ENGINE *ENGINE_ubsec()
 	ubsec_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
 	ubsec_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
 	ubsec_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
+#endif
 
+#ifndef OPENSSL_NO_DH
 #ifndef HAVE_UBSEC_DH
 	/* Much the same for Diffie-Hellman */
 	meth3 = DH_OpenSSL();
 	ubsec_dh.generate_key = meth3->generate_key;
 	ubsec_dh.compute_key = meth3->compute_key;
 #endif /* HAVE_UBSEC_DH */
+#endif
 
 	return ret;
 	}
@@ -231,13 +256,19 @@ static t_UBSEC_ubsec_bytes_to_bits *p_UBSEC_ubsec_bytes_to_bits = NULL;
 static t_UBSEC_ubsec_bits_to_bytes *p_UBSEC_ubsec_bits_to_bytes = NULL;
 static t_UBSEC_ubsec_open *p_UBSEC_ubsec_open = NULL;
 static t_UBSEC_ubsec_close *p_UBSEC_ubsec_close = NULL;
+#ifndef OPENSSL_NO_DH
 static t_UBSEC_diffie_hellman_generate_ioctl 
 	*p_UBSEC_diffie_hellman_generate_ioctl = NULL;
 static t_UBSEC_diffie_hellman_agree_ioctl *p_UBSEC_diffie_hellman_agree_ioctl = NULL;
+#endif
+/* #ifndef OPENSSL_NO_RSA */
 static t_UBSEC_rsa_mod_exp_ioctl *p_UBSEC_rsa_mod_exp_ioctl = NULL;
 static t_UBSEC_rsa_mod_exp_crt_ioctl *p_UBSEC_rsa_mod_exp_crt_ioctl = NULL;
+/* #endif */
+#ifndef OPENSSL_NO_DSA
 static t_UBSEC_dsa_sign_ioctl *p_UBSEC_dsa_sign_ioctl = NULL;
 static t_UBSEC_dsa_verify_ioctl *p_UBSEC_dsa_verify_ioctl = NULL;
+#endif
 static t_UBSEC_math_accelerate_ioctl *p_UBSEC_math_accelerate_ioctl = NULL;
 static t_UBSEC_rng_ioctl *p_UBSEC_rng_ioctl = NULL;
 
@@ -251,12 +282,18 @@ static const char *UBSEC_F1 = "ubsec_bytes_to_bits";
 static const char *UBSEC_F2 = "ubsec_bits_to_bytes";
 static const char *UBSEC_F3 = "ubsec_open";
 static const char *UBSEC_F4 = "ubsec_close";
+#ifndef OPENSSL_NO_DH
 static const char *UBSEC_F5 = "diffie_hellman_generate_ioctl";
 static const char *UBSEC_F6 = "diffie_hellman_agree_ioctl";
+#endif
+/* #ifndef OPENSSL_NO_RSA */
 static const char *UBSEC_F7 = "rsa_mod_exp_ioctl";
 static const char *UBSEC_F8 = "rsa_mod_exp_crt_ioctl";
+/* #endif */
+#ifndef OPENSSL_NO_DSA
 static const char *UBSEC_F9 = "dsa_sign_ioctl";
 static const char *UBSEC_F10 = "dsa_verify_ioctl";
+#endif
 static const char *UBSEC_F11 = "math_accelerate_ioctl";
 static const char *UBSEC_F12 = "rng_ioctl";
 
@@ -267,12 +304,18 @@ static int ubsec_init(ENGINE *e)
 	t_UBSEC_ubsec_bits_to_bytes *p2;
 	t_UBSEC_ubsec_open *p3;
 	t_UBSEC_ubsec_close *p4;
+#ifndef OPENSSL_NO_DH
 	t_UBSEC_diffie_hellman_generate_ioctl *p5;
 	t_UBSEC_diffie_hellman_agree_ioctl *p6;
+#endif
+/* #ifndef OPENSSL_NO_RSA */
 	t_UBSEC_rsa_mod_exp_ioctl *p7;
 	t_UBSEC_rsa_mod_exp_crt_ioctl *p8;
+/* #endif */
+#ifndef OPENSSL_NO_DSA
 	t_UBSEC_dsa_sign_ioctl *p9;
 	t_UBSEC_dsa_verify_ioctl *p10;
+#endif
 	t_UBSEC_math_accelerate_ioctl *p11;
 	t_UBSEC_rng_ioctl *p12;
 	int fd = 0;
@@ -297,14 +340,20 @@ static int ubsec_init(ENGINE *e)
 	!(p2 = (t_UBSEC_ubsec_bits_to_bytes *) DSO_bind_func(ubsec_dso, UBSEC_F2)) ||
 	!(p3 = (t_UBSEC_ubsec_open *) DSO_bind_func(ubsec_dso, UBSEC_F3)) ||
 	!(p4 = (t_UBSEC_ubsec_close *) DSO_bind_func(ubsec_dso, UBSEC_F4)) ||
+#ifndef OPENSSL_NO_DH
 	!(p5 = (t_UBSEC_diffie_hellman_generate_ioctl *) 
 				DSO_bind_func(ubsec_dso, UBSEC_F5)) ||
 	!(p6 = (t_UBSEC_diffie_hellman_agree_ioctl *) 
 				DSO_bind_func(ubsec_dso, UBSEC_F6)) ||
+#endif
+/* #ifndef OPENSSL_NO_RSA */
 	!(p7 = (t_UBSEC_rsa_mod_exp_ioctl *) DSO_bind_func(ubsec_dso, UBSEC_F7)) ||
 	!(p8 = (t_UBSEC_rsa_mod_exp_crt_ioctl *) DSO_bind_func(ubsec_dso, UBSEC_F8)) ||
+/* #endif */
+#ifndef OPENSSL_NO_DSA
 	!(p9 = (t_UBSEC_dsa_sign_ioctl *) DSO_bind_func(ubsec_dso, UBSEC_F9)) ||
 	!(p10 = (t_UBSEC_dsa_verify_ioctl *) DSO_bind_func(ubsec_dso, UBSEC_F10)) ||
+#endif
 	!(p11 = (t_UBSEC_math_accelerate_ioctl *) 
 				DSO_bind_func(ubsec_dso, UBSEC_F11)) ||
 	!(p12 = (t_UBSEC_rng_ioctl *) DSO_bind_func(ubsec_dso, UBSEC_F12)))
@@ -318,12 +367,18 @@ static int ubsec_init(ENGINE *e)
 	p_UBSEC_ubsec_bits_to_bytes = p2;
 	p_UBSEC_ubsec_open = p3;
 	p_UBSEC_ubsec_close = p4;
+#ifndef OPENSSL_NO_DH
 	p_UBSEC_diffie_hellman_generate_ioctl = p5;
 	p_UBSEC_diffie_hellman_agree_ioctl = p6;
+#endif
+#ifndef OPENSSL_NO_RSA
 	p_UBSEC_rsa_mod_exp_ioctl = p7;
 	p_UBSEC_rsa_mod_exp_crt_ioctl = p8;
+#endif
+#ifndef OPENSSL_NO_DSA
 	p_UBSEC_dsa_sign_ioctl = p9;
 	p_UBSEC_dsa_verify_ioctl = p10;
+#endif
 	p_UBSEC_math_accelerate_ioctl = p11;
 	p_UBSEC_rng_ioctl = p12;
 
@@ -345,12 +400,18 @@ err:
 	p_UBSEC_ubsec_bits_to_bytes = NULL;
 	p_UBSEC_ubsec_open = NULL;
 	p_UBSEC_ubsec_close = NULL;
+#ifndef OPENSSL_NO_DH
 	p_UBSEC_diffie_hellman_generate_ioctl = NULL;
 	p_UBSEC_diffie_hellman_agree_ioctl = NULL;
+#endif
+#ifndef OPENSSL_NO_RSA
 	p_UBSEC_rsa_mod_exp_ioctl = NULL;
 	p_UBSEC_rsa_mod_exp_crt_ioctl = NULL;
+#endif
+#ifndef OPENSSL_NO_DSA
 	p_UBSEC_dsa_sign_ioctl = NULL;
 	p_UBSEC_dsa_verify_ioctl = NULL;
+#endif
 	p_UBSEC_math_accelerate_ioctl = NULL;
 	p_UBSEC_rng_ioctl = NULL;
 
@@ -374,12 +435,18 @@ static int ubsec_finish(ENGINE *e)
 	p_UBSEC_ubsec_bits_to_bytes = NULL;
 	p_UBSEC_ubsec_open = NULL;
 	p_UBSEC_ubsec_close = NULL;
+#ifndef OPENSSL_NO_DH
 	p_UBSEC_diffie_hellman_generate_ioctl = NULL;
 	p_UBSEC_diffie_hellman_agree_ioctl = NULL;
+#endif
+#ifndef OPENSSL_NO_RSA
 	p_UBSEC_rsa_mod_exp_ioctl = NULL;
 	p_UBSEC_rsa_mod_exp_crt_ioctl = NULL;
+#endif
+#ifndef OPENSSL_NO_DSA
 	p_UBSEC_dsa_sign_ioctl = NULL;
 	p_UBSEC_dsa_verify_ioctl = NULL;
+#endif
 	p_UBSEC_math_accelerate_ioctl = NULL;
 	p_UBSEC_rng_ioctl = NULL;
 	return 1;
@@ -456,6 +523,7 @@ static int ubsec_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 	return 1;
 	}
 
+#ifndef OPENSSL_NO_RSA
 static int ubsec_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
 	{
 	BN_CTX *ctx;
@@ -485,6 +553,7 @@ err:
 		BN_CTX_free(ctx);
 	return to_return;
 	}
+#endif
 
 static int ubsec_mod_exp_crt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 			const BIGNUM *q, const BIGNUM *dp,
@@ -532,6 +601,7 @@ static int ubsec_mod_exp_crt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 	return 1;
 }
 
+#ifndef OPENSSL_NO_DSA
 #if NOT_USED
 static int ubsec_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
 		BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, BIGNUM *m,
@@ -560,26 +630,33 @@ static int ubsec_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
 	return ubsec_mod_exp(r, a, p, m, ctx);
 	}
 #endif
+#endif
 
 /*
  * This function is aliased to mod_exp (with the mont stuff dropped).
  */
 static int ubsec_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 		const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
-{
+        {
 	int ret = 0;
 
+#ifndef OPENSSL_NO_RSA
  	/* Do in software if the key is too large for the hardware. */
-	if (BN_num_bits(m) > 1024) {
+	if (BN_num_bits(m) > 1024)
+                {
 		const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
 		ret = (*meth->bn_mod_exp)(r, a, p, m, ctx, m_ctx);
-	} else {
+                }
+        else
+#endif
+                {
 		ret = ubsec_mod_exp(r, a, p, m, ctx);
-	}
+                }
 	
 	return ret;
-}
+        }
 
+#ifndef OPENSSL_NO_DH
 /* This function is aliased to mod_exp (with the dh and mont dropped). */
 static int ubsec_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
 		const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
@@ -587,7 +664,9 @@ static int ubsec_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
 	{
 	return ubsec_mod_exp(r, a, p, m, ctx);
 	}
+#endif
 
+#ifndef OPENSSL_NO_DSA
 static DSA_SIG *ubsec_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
 	{
 	DSA_SIG *to_return = NULL;
@@ -701,7 +780,9 @@ err:
 	BN_clear_free(&v);
 	return to_return;
 	}
+#endif
 
+#ifndef OPENSSL_NO_DSA
 static int ubsec_dh_compute_key (unsigned char *key,const BIGNUM *pub_key,DH *dh)
 	{
 	return 0;
@@ -711,6 +792,7 @@ static int ubsec_dh_generate_key (DH *dh)
 	{
 	return 0;
 	}
+#endif
 
 #ifdef NOT_USED
 static int ubsec_rand_bytes(unsigned char *buf, int num)