[openssl] master update

Matt Caswell matt at openssl.org
Thu May 30 10:23:29 UTC 2019


The branch master has been updated
       via  8869ad4a39f13307ab710c1c53d97a46e144aef0 (commit)
      from  cec3901aa2ad09d504cb076100cf6e4b37d01775 (commit)


- Log -----------------------------------------------------------------
commit 8869ad4a39f13307ab710c1c53d97a46e144aef0
Author: Andreas Kretschmer <andreas.kretschmer at siemens.com>
Date:   Tue Apr 2 11:16:53 2019 +0200

    Certificate Management Protocol (CMP, RFC 4210) extension to OpenSSL
    Also includes CRMF (RFC 4211) and HTTP transfer (RFC 6712)
    
    CMP and CRMF API is added to libcrypto, and the "cmp" app to the openssl CLI.
        Adds extensive man pages and tests.  Integration into build scripts.
    
    Incremental pull request based on OpenSSL commit 1362190b1b78 of 2018-09-26
    
    3rd chunk: CMP ASN.1 structures (in crypto/cmp/cmp_asn.c) and related files
    
    Reviewed-by: Bernd Edlinger <bernd.edlinger at hotmail.de>
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/8669)

-----------------------------------------------------------------------

Summary of changes:
 INSTALL                                          |   3 +
 crypto/build.info                                |   2 +-
 crypto/cmp/build.info                            |   2 +
 crypto/cmp/cmp_asn.c                             | 398 +++++++++++++++
 crypto/cmp/cmp_err.c                             |  35 ++
 crypto/cmp/cmp_int.h                             | 589 +++++++++++++++++++++++
 crypto/crmf/crmf_asn.c                           |   6 +-
 crypto/crmf/crmf_int.h                           |   6 +-
 crypto/crmf/crmf_lib.c                           |   4 +-
 crypto/crmf/crmf_pbm.c                           |   6 +-
 crypto/err/err.c                                 |   1 +
 crypto/err/err_all.c                             |   2 +
 crypto/err/openssl.ec                            |   1 +
 doc/man3/OSSL_CMP_ITAV_set0.pod                  | 105 ++++
 doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod             |   2 +-
 doc/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.pod |   2 +-
 doc/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.pod  |   2 +-
 doc/man3/OSSL_CRMF_MSG_set_validity.pod          |   2 +-
 doc/man3/OSSL_CRMF_pbmp_new.pod                  |   2 +-
 doc/man3/X509_dup.pod                            |  23 +-
 doc/man3/d2i_X509.pod                            |  20 +
 include/openssl/cmp.h                            | 243 ++++++++++
 include/openssl/{buffererr.h => cmperr.h}        |  24 +-
 include/openssl/crmf.h                           |   6 +-
 include/openssl/err.h                            |   2 +
 util/libcrypto.num                               | 302 ++++++------
 26 files changed, 1611 insertions(+), 179 deletions(-)
 create mode 100644 crypto/cmp/build.info
 create mode 100644 crypto/cmp/cmp_asn.c
 create mode 100644 crypto/cmp/cmp_err.c
 create mode 100644 crypto/cmp/cmp_int.h
 create mode 100644 doc/man3/OSSL_CMP_ITAV_set0.pod
 create mode 100644 include/openssl/cmp.h
 copy include/openssl/{buffererr.h => cmperr.h} (51%)

diff --git a/INSTALL b/INSTALL
index 605f1d4..e980f50 100644
--- a/INSTALL
+++ b/INSTALL
@@ -314,6 +314,9 @@
                    Don't build the CAPI engine. This option will be forced if
                    on a platform that does not support CAPI.
 
+  no-cmp
+                   Don't build support for CMP features
+
   no-cms
                    Don't build support for CMS features
 
diff --git a/crypto/build.info b/crypto/build.info
index 629e819..7798bcb 100644
--- a/crypto/build.info
+++ b/crypto/build.info
@@ -5,7 +5,7 @@ SUBDIRS=objects buffer bio stack lhash rand evp asn1 pem x509 conf \
         md2 md4 md5 sha mdc2 gmac hmac ripemd whrlpool poly1305 blake2 \
         siphash sm3 des aes rc2 rc4 rc5 idea aria bf cast camellia \
         seed sm4 chacha modes bn ec rsa dsa dh sm2 dso engine \
-        err comp ocsp cms ts srp cmac ct async kmac ess crmf
+        err comp ocsp cms ts srp cmac ct async kmac ess crmf cmp
 
 LIBS=../libcrypto
 # The Core
diff --git a/crypto/cmp/build.info b/crypto/cmp/build.info
new file mode 100644
index 0000000..6b6ccaa
--- /dev/null
+++ b/crypto/cmp/build.info
@@ -0,0 +1,2 @@
+LIBS=../../libcrypto
+SOURCE[../../libcrypto]= cmp_asn.c cmp_err.c
diff --git a/crypto/cmp/cmp_asn.c b/crypto/cmp/cmp_asn.c
new file mode 100644
index 0000000..8555586
--- /dev/null
+++ b/crypto/cmp/cmp_asn.c
@@ -0,0 +1,398 @@
+/*
+ * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright Nokia 2007-2019
+ * Copyright Siemens AG 2015-2019
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ *
+ * CMP implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb.
+ */
+
+#include <openssl/asn1t.h>
+
+#include "cmp_int.h"
+
+/* explicit #includes not strictly needed since implied by the above: */
+#include <openssl/cmp.h>
+#include <openssl/crmf.h>
+
+/* ASN.1 declarations from RFC4210 */
+ASN1_SEQUENCE(OSSL_CMP_REVANNCONTENT) = {
+    /* OSSL_CMP_PKISTATUS is effectively ASN1_INTEGER so it is used directly */
+    ASN1_SIMPLE(OSSL_CMP_REVANNCONTENT, status, ASN1_INTEGER),
+    ASN1_SIMPLE(OSSL_CMP_REVANNCONTENT, certId, OSSL_CRMF_CERTID),
+    ASN1_SIMPLE(OSSL_CMP_REVANNCONTENT, willBeRevokedAt, ASN1_GENERALIZEDTIME),
+    ASN1_SIMPLE(OSSL_CMP_REVANNCONTENT, badSinceDate, ASN1_GENERALIZEDTIME),
+    ASN1_OPT(OSSL_CMP_REVANNCONTENT, crlDetails, X509_EXTENSIONS)
+} ASN1_SEQUENCE_END(OSSL_CMP_REVANNCONTENT)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_REVANNCONTENT)
+
+
+ASN1_SEQUENCE(OSSL_CMP_CHALLENGE) = {
+    ASN1_OPT(OSSL_CMP_CHALLENGE, owf, X509_ALGOR),
+    ASN1_SIMPLE(OSSL_CMP_CHALLENGE, witness, ASN1_OCTET_STRING),
+    ASN1_SIMPLE(OSSL_CMP_CHALLENGE, challenge, ASN1_OCTET_STRING)
+} ASN1_SEQUENCE_END(OSSL_CMP_CHALLENGE)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CHALLENGE)
+
+
+ASN1_ITEM_TEMPLATE(OSSL_CMP_POPODECKEYCHALLCONTENT) =
+    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
+                          OSSL_CMP_POPODECKEYCHALLCONTENT, OSSL_CMP_CHALLENGE)
+ASN1_ITEM_TEMPLATE_END(OSSL_CMP_POPODECKEYCHALLCONTENT)
+
+
+ASN1_ITEM_TEMPLATE(OSSL_CMP_POPODECKEYRESPCONTENT) =
+    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
+                          OSSL_CMP_POPODECKEYRESPCONTENT, ASN1_INTEGER)
+ASN1_ITEM_TEMPLATE_END(OSSL_CMP_POPODECKEYRESPCONTENT)
+
+
+ASN1_SEQUENCE(OSSL_CMP_CAKEYUPDANNCONTENT) = {
+    /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
+    ASN1_SIMPLE(OSSL_CMP_CAKEYUPDANNCONTENT, oldWithNew, X509),
+    /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
+    ASN1_SIMPLE(OSSL_CMP_CAKEYUPDANNCONTENT, newWithOld, X509),
+    /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
+    ASN1_SIMPLE(OSSL_CMP_CAKEYUPDANNCONTENT, newWithNew, X509)
+} ASN1_SEQUENCE_END(OSSL_CMP_CAKEYUPDANNCONTENT)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CAKEYUPDANNCONTENT)
+
+
+ASN1_SEQUENCE(OSSL_CMP_ERRORMSGCONTENT) = {
+    ASN1_SIMPLE(OSSL_CMP_ERRORMSGCONTENT, pKIStatusInfo, OSSL_CMP_PKISI),
+    ASN1_OPT(OSSL_CMP_ERRORMSGCONTENT, errorCode, ASN1_INTEGER),
+    /*
+     * OSSL_CMP_PKIFREETEXT is effectively a sequence of ASN1_UTF8STRING
+     * so it is used directly
+     *
+     */
+    ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ERRORMSGCONTENT, errorDetails, ASN1_UTF8STRING)
+} ASN1_SEQUENCE_END(OSSL_CMP_ERRORMSGCONTENT)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_ERRORMSGCONTENT)
+
+ASN1_ADB_TEMPLATE(infotypeandvalue_default) = ASN1_OPT(OSSL_CMP_ITAV,
+        infoValue.other, ASN1_ANY);
+/* ITAV means InfoTypeAndValue */
+ASN1_ADB(OSSL_CMP_ITAV) = {
+    /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
+    ADB_ENTRY(NID_id_it_caProtEncCert, ASN1_OPT(OSSL_CMP_ITAV,
+                                                infoValue.caProtEncCert, X509)),
+    ADB_ENTRY(NID_id_it_signKeyPairTypes,
+              ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV,
+                                   infoValue.signKeyPairTypes, X509_ALGOR)),
+    ADB_ENTRY(NID_id_it_encKeyPairTypes,
+              ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV,
+                                   infoValue.encKeyPairTypes, X509_ALGOR)),
+    ADB_ENTRY(NID_id_it_preferredSymmAlg,
+              ASN1_OPT(OSSL_CMP_ITAV, infoValue.preferredSymmAlg,
+                       X509_ALGOR)),
+    ADB_ENTRY(NID_id_it_caKeyUpdateInfo,
+              ASN1_OPT(OSSL_CMP_ITAV, infoValue.caKeyUpdateInfo,
+                       OSSL_CMP_CAKEYUPDANNCONTENT)),
+    ADB_ENTRY(NID_id_it_currentCRL,
+              ASN1_OPT(OSSL_CMP_ITAV, infoValue.currentCRL, X509_CRL)),
+    ADB_ENTRY(NID_id_it_unsupportedOIDs,
+              ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV,
+                                   infoValue.unsupportedOIDs, ASN1_OBJECT)),
+    ADB_ENTRY(NID_id_it_keyPairParamReq,
+              ASN1_OPT(OSSL_CMP_ITAV, infoValue.keyPairParamReq,
+                       ASN1_OBJECT)),
+    ADB_ENTRY(NID_id_it_keyPairParamRep,
+              ASN1_OPT(OSSL_CMP_ITAV, infoValue.keyPairParamRep,
+                       X509_ALGOR)),
+    ADB_ENTRY(NID_id_it_revPassphrase,
+              ASN1_OPT(OSSL_CMP_ITAV, infoValue.revPassphrase,
+                       OSSL_CRMF_ENCRYPTEDVALUE)),
+    ADB_ENTRY(NID_id_it_implicitConfirm,
+              ASN1_OPT(OSSL_CMP_ITAV, infoValue.implicitConfirm,
+                       ASN1_NULL)),
+    ADB_ENTRY(NID_id_it_confirmWaitTime,
+              ASN1_OPT(OSSL_CMP_ITAV, infoValue.confirmWaitTime,
+                       ASN1_GENERALIZEDTIME)),
+    ADB_ENTRY(NID_id_it_origPKIMessage,
+              ASN1_OPT(OSSL_CMP_ITAV, infoValue.origPKIMessage,
+                       OSSL_CMP_MSGS)),
+    ADB_ENTRY(NID_id_it_suppLangTags,
+              ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV, infoValue.suppLangTagsValue,
+                                   ASN1_UTF8STRING)),
+} ASN1_ADB_END(OSSL_CMP_ITAV, 0, infoType, 0,
+               &infotypeandvalue_default_tt, NULL);
+
+
+ASN1_SEQUENCE(OSSL_CMP_ITAV) = {
+    ASN1_SIMPLE(OSSL_CMP_ITAV, infoType, ASN1_OBJECT),
+    ASN1_ADB_OBJECT(OSSL_CMP_ITAV)
+} ASN1_SEQUENCE_END(OSSL_CMP_ITAV)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_ITAV)
+IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CMP_ITAV)
+
+OSSL_CMP_ITAV *OSSL_CMP_ITAV_create(ASN1_OBJECT *type, ASN1_TYPE *value)
+{
+    OSSL_CMP_ITAV *itav;
+
+    if (type == NULL || (itav = OSSL_CMP_ITAV_new()) == NULL)
+        return NULL;
+    OSSL_CMP_ITAV_set0(itav, type, value);
+    return itav;
+}
+
+void OSSL_CMP_ITAV_set0(OSSL_CMP_ITAV *itav, ASN1_OBJECT *type,
+                        ASN1_TYPE *value)
+{
+    itav->infoType = type;
+    itav->infoValue.other = value;
+}
+
+ASN1_OBJECT *OSSL_CMP_ITAV_get0_type(const OSSL_CMP_ITAV *itav)
+{
+    if (itav == NULL)
+        return NULL;
+    return itav->infoType;
+}
+
+ASN1_TYPE *OSSL_CMP_ITAV_get0_value(const OSSL_CMP_ITAV *itav)
+{
+    if (itav == NULL)
+        return NULL;
+    return itav->infoValue.other;
+}
+
+int OSSL_CMP_ITAV_push0_stack_item(STACK_OF(OSSL_CMP_ITAV) **itav_sk_p,
+                                   OSSL_CMP_ITAV *itav)
+{
+    int created = 0;
+
+    if (itav_sk_p == NULL)
+        goto err;
+
+    if (*itav_sk_p == NULL) {
+        if ((*itav_sk_p = sk_OSSL_CMP_ITAV_new_null()) == NULL)
+            goto err;
+        created = 1;
+    }
+    if (itav != NULL) {
+        if (!sk_OSSL_CMP_ITAV_push(*itav_sk_p, itav))
+            goto err;
+    }
+    return 1;
+ err:
+    if (created != 0) {
+        sk_OSSL_CMP_ITAV_free(*itav_sk_p);
+        *itav_sk_p = NULL;
+    }
+    return 0;
+}
+
+ASN1_CHOICE(OSSL_CMP_CERTORENCCERT) = {
+    /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
+    ASN1_EXP(OSSL_CMP_CERTORENCCERT, value.certificate, X509, 0),
+    ASN1_EXP(OSSL_CMP_CERTORENCCERT, value.encryptedCert,
+             OSSL_CRMF_ENCRYPTEDVALUE, 1),
+} ASN1_CHOICE_END(OSSL_CMP_CERTORENCCERT)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTORENCCERT)
+
+
+ASN1_SEQUENCE(OSSL_CMP_CERTIFIEDKEYPAIR) = {
+    ASN1_SIMPLE(OSSL_CMP_CERTIFIEDKEYPAIR, certOrEncCert,
+                OSSL_CMP_CERTORENCCERT),
+    ASN1_EXP_OPT(OSSL_CMP_CERTIFIEDKEYPAIR, privateKey,
+                 OSSL_CRMF_ENCRYPTEDVALUE, 0),
+    ASN1_EXP_OPT(OSSL_CMP_CERTIFIEDKEYPAIR, publicationInfo,
+                 OSSL_CRMF_PKIPUBLICATIONINFO, 1)
+} ASN1_SEQUENCE_END(OSSL_CMP_CERTIFIEDKEYPAIR)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTIFIEDKEYPAIR)
+
+
+ASN1_SEQUENCE(OSSL_CMP_REVDETAILS) = {
+    ASN1_SIMPLE(OSSL_CMP_REVDETAILS, certDetails, OSSL_CRMF_CERTTEMPLATE),
+    ASN1_OPT(OSSL_CMP_REVDETAILS, crlEntryDetails, X509_EXTENSIONS)
+} ASN1_SEQUENCE_END(OSSL_CMP_REVDETAILS)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_REVDETAILS)
+
+
+ASN1_ITEM_TEMPLATE(OSSL_CMP_REVREQCONTENT) =
+    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_REVREQCONTENT,
+                          OSSL_CMP_REVDETAILS)
+ASN1_ITEM_TEMPLATE_END(OSSL_CMP_REVREQCONTENT)
+
+
+ASN1_SEQUENCE(OSSL_CMP_REVREPCONTENT) = {
+    ASN1_SEQUENCE_OF(OSSL_CMP_REVREPCONTENT, status, OSSL_CMP_PKISI),
+    ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_REVREPCONTENT, revCerts, OSSL_CRMF_CERTID,
+                             0),
+    ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_REVREPCONTENT, crls, X509_CRL, 1)
+} ASN1_SEQUENCE_END(OSSL_CMP_REVREPCONTENT)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_REVREPCONTENT)
+
+
+ASN1_SEQUENCE(OSSL_CMP_KEYRECREPCONTENT) = {
+    ASN1_SIMPLE(OSSL_CMP_KEYRECREPCONTENT, status, OSSL_CMP_PKISI),
+    ASN1_EXP_OPT(OSSL_CMP_KEYRECREPCONTENT, newSigCert, X509, 0),
+    ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_KEYRECREPCONTENT, caCerts, X509, 1),
+    ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_KEYRECREPCONTENT, keyPairHist,
+                             OSSL_CMP_CERTIFIEDKEYPAIR, 2)
+} ASN1_SEQUENCE_END(OSSL_CMP_KEYRECREPCONTENT)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_KEYRECREPCONTENT)
+
+
+ASN1_ITEM_TEMPLATE(OSSL_CMP_PKISTATUS) =
+    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_UNIVERSAL, 0, status, ASN1_INTEGER)
+ASN1_ITEM_TEMPLATE_END(OSSL_CMP_PKISTATUS)
+
+ASN1_SEQUENCE(OSSL_CMP_PKISI) = {
+    ASN1_SIMPLE(OSSL_CMP_PKISI, status, OSSL_CMP_PKISTATUS),
+    /*
+     * CMP_PKIFREETEXT is effectively a sequence of ASN1_UTF8STRING
+     * so it is used directly
+     */
+    ASN1_SEQUENCE_OF_OPT(OSSL_CMP_PKISI, statusString, ASN1_UTF8STRING),
+    /*
+     * OSSL_CMP_PKIFAILUREINFO is effectively ASN1_BIT_STRING so used directly
+     */
+    ASN1_OPT(OSSL_CMP_PKISI, failInfo, ASN1_BIT_STRING)
+} ASN1_SEQUENCE_END(OSSL_CMP_PKISI)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_PKISI)
+IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CMP_PKISI)
+
+ASN1_SEQUENCE(OSSL_CMP_CERTSTATUS) = {
+    ASN1_SIMPLE(OSSL_CMP_CERTSTATUS, certHash, ASN1_OCTET_STRING),
+    ASN1_SIMPLE(OSSL_CMP_CERTSTATUS, certReqId, ASN1_INTEGER),
+    ASN1_OPT(OSSL_CMP_CERTSTATUS, statusInfo, OSSL_CMP_PKISI)
+} ASN1_SEQUENCE_END(OSSL_CMP_CERTSTATUS)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTSTATUS)
+
+ASN1_ITEM_TEMPLATE(OSSL_CMP_CERTCONFIRMCONTENT) =
+    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_CERTCONFIRMCONTENT,
+                          OSSL_CMP_CERTSTATUS)
+ASN1_ITEM_TEMPLATE_END(OSSL_CMP_CERTCONFIRMCONTENT)
+
+ASN1_SEQUENCE(OSSL_CMP_CERTRESPONSE) = {
+    ASN1_SIMPLE(OSSL_CMP_CERTRESPONSE, certReqId, ASN1_INTEGER),
+    ASN1_SIMPLE(OSSL_CMP_CERTRESPONSE, status, OSSL_CMP_PKISI),
+    ASN1_OPT(OSSL_CMP_CERTRESPONSE, certifiedKeyPair,
+             OSSL_CMP_CERTIFIEDKEYPAIR),
+    ASN1_OPT(OSSL_CMP_CERTRESPONSE, rspInfo, ASN1_OCTET_STRING)
+} ASN1_SEQUENCE_END(OSSL_CMP_CERTRESPONSE)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTRESPONSE)
+
+ASN1_SEQUENCE(OSSL_CMP_POLLREQ) = {
+    ASN1_SIMPLE(OSSL_CMP_POLLREQ, certReqId, ASN1_INTEGER)
+} ASN1_SEQUENCE_END(OSSL_CMP_POLLREQ)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_POLLREQ)
+
+ASN1_ITEM_TEMPLATE(OSSL_CMP_POLLREQCONTENT) =
+    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_POLLREQCONTENT,
+                          OSSL_CMP_POLLREQ)
+ASN1_ITEM_TEMPLATE_END(OSSL_CMP_POLLREQCONTENT)
+
+ASN1_SEQUENCE(OSSL_CMP_POLLREP) = {
+    ASN1_SIMPLE(OSSL_CMP_POLLREP, certReqId, ASN1_INTEGER),
+    ASN1_SIMPLE(OSSL_CMP_POLLREP, checkAfter, ASN1_INTEGER),
+    ASN1_SEQUENCE_OF_OPT(OSSL_CMP_POLLREP, reason, ASN1_UTF8STRING),
+} ASN1_SEQUENCE_END(OSSL_CMP_POLLREP)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_POLLREP)
+
+ASN1_ITEM_TEMPLATE(OSSL_CMP_POLLREPCONTENT) =
+    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
+                          OSSL_CMP_POLLREPCONTENT,
+                          OSSL_CMP_POLLREP)
+ASN1_ITEM_TEMPLATE_END(OSSL_CMP_POLLREPCONTENT)
+
+ASN1_SEQUENCE(OSSL_CMP_CERTREPMESSAGE) = {
+    /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
+    ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_CERTREPMESSAGE, caPubs, X509, 1),
+    ASN1_SEQUENCE_OF(OSSL_CMP_CERTREPMESSAGE, response, OSSL_CMP_CERTRESPONSE)
+} ASN1_SEQUENCE_END(OSSL_CMP_CERTREPMESSAGE)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTREPMESSAGE)
+
+ASN1_ITEM_TEMPLATE(OSSL_CMP_GENMSGCONTENT) =
+    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_GENMSGCONTENT,
+                          OSSL_CMP_ITAV)
+ASN1_ITEM_TEMPLATE_END(OSSL_CMP_GENMSGCONTENT)
+
+ASN1_ITEM_TEMPLATE(OSSL_CMP_GENREPCONTENT) =
+    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_GENREPCONTENT,
+                          OSSL_CMP_ITAV)
+ASN1_ITEM_TEMPLATE_END(OSSL_CMP_GENREPCONTENT)
+
+ASN1_ITEM_TEMPLATE(OSSL_CMP_CRLANNCONTENT) =
+    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
+                          OSSL_CMP_CRLANNCONTENT, X509_CRL)
+ASN1_ITEM_TEMPLATE_END(OSSL_CMP_CRLANNCONTENT)
+
+ASN1_CHOICE(OSSL_CMP_PKIBODY) = {
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.ir, OSSL_CRMF_MSGS, 0),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.ip, OSSL_CMP_CERTREPMESSAGE, 1),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.cr, OSSL_CRMF_MSGS, 2),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.cp, OSSL_CMP_CERTREPMESSAGE, 3),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.p10cr, X509_REQ, 4),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.popdecc, OSSL_CMP_POPODECKEYCHALLCONTENT, 5),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.popdecr, OSSL_CMP_POPODECKEYRESPCONTENT, 6),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.kur, OSSL_CRMF_MSGS, 7),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.kup, OSSL_CMP_CERTREPMESSAGE, 8),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.krr, OSSL_CRMF_MSGS, 9),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.krp, OSSL_CMP_KEYRECREPCONTENT, 10),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.rr, OSSL_CMP_REVREQCONTENT, 11),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.rp, OSSL_CMP_REVREPCONTENT, 12),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.ccr, OSSL_CRMF_MSGS, 13),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.ccp, OSSL_CMP_CERTREPMESSAGE, 14),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.ckuann, OSSL_CMP_CAKEYUPDANNCONTENT, 15),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.cann, X509, 16),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.rann, OSSL_CMP_REVANNCONTENT, 17),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.crlann, OSSL_CMP_CRLANNCONTENT, 18),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.pkiconf, ASN1_ANY, 19),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.nested, OSSL_CMP_MSGS, 20),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.genm, OSSL_CMP_GENMSGCONTENT, 21),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.genp, OSSL_CMP_GENREPCONTENT, 22),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.error, OSSL_CMP_ERRORMSGCONTENT, 23),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.certConf, OSSL_CMP_CERTCONFIRMCONTENT, 24),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.pollReq, OSSL_CMP_POLLREQCONTENT, 25),
+    ASN1_EXP(OSSL_CMP_PKIBODY, value.pollRep, OSSL_CMP_POLLREPCONTENT, 26),
+} ASN1_CHOICE_END(OSSL_CMP_PKIBODY)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_PKIBODY)
+
+ASN1_SEQUENCE(OSSL_CMP_PKIHEADER) = {
+    ASN1_SIMPLE(OSSL_CMP_PKIHEADER, pvno, ASN1_INTEGER),
+    ASN1_SIMPLE(OSSL_CMP_PKIHEADER, sender, GENERAL_NAME),
+    ASN1_SIMPLE(OSSL_CMP_PKIHEADER, recipient, GENERAL_NAME),
+    ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, messageTime, ASN1_GENERALIZEDTIME, 0),
+    ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, protectionAlg, X509_ALGOR, 1),
+    ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, senderKID, ASN1_OCTET_STRING, 2),
+    ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, recipKID, ASN1_OCTET_STRING, 3),
+    ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, transactionID, ASN1_OCTET_STRING, 4),
+    ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, senderNonce, ASN1_OCTET_STRING, 5),
+    ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, recipNonce, ASN1_OCTET_STRING, 6),
+    /*
+     * OSSL_CMP_PKIFREETEXT is effectively a sequence of ASN1_UTF8STRING
+     * so it is used directly
+     */
+    ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_PKIHEADER, freeText, ASN1_UTF8STRING, 7),
+    ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_PKIHEADER, generalInfo,
+                             OSSL_CMP_ITAV, 8)
+} ASN1_SEQUENCE_END(OSSL_CMP_PKIHEADER)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_PKIHEADER)
+
+ASN1_SEQUENCE(CMP_PROTECTEDPART) = {
+    ASN1_SIMPLE(OSSL_CMP_MSG, header, OSSL_CMP_PKIHEADER),
+    ASN1_SIMPLE(OSSL_CMP_MSG, body, OSSL_CMP_PKIBODY)
+} ASN1_SEQUENCE_END(CMP_PROTECTEDPART)
+IMPLEMENT_ASN1_FUNCTIONS(CMP_PROTECTEDPART)
+
+ASN1_SEQUENCE(OSSL_CMP_MSG) = {
+    ASN1_SIMPLE(OSSL_CMP_MSG, header, OSSL_CMP_PKIHEADER),
+    ASN1_SIMPLE(OSSL_CMP_MSG, body, OSSL_CMP_PKIBODY),
+    ASN1_EXP_OPT(OSSL_CMP_MSG, protection, ASN1_BIT_STRING, 0),
+    /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
+    ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_MSG, extraCerts, X509, 1)
+} ASN1_SEQUENCE_END(OSSL_CMP_MSG)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_MSG)
+IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CMP_MSG)
+
+ASN1_ITEM_TEMPLATE(OSSL_CMP_MSGS) =
+    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_MSGS,
+                          OSSL_CMP_MSG)
+ASN1_ITEM_TEMPLATE_END(OSSL_CMP_MSGS)
diff --git a/crypto/cmp/cmp_err.c b/crypto/cmp/cmp_err.c
new file mode 100644
index 0000000..b85b8ba
--- /dev/null
+++ b/crypto/cmp/cmp_err.c
@@ -0,0 +1,35 @@
+/*
+ * Generated by util/mkerr.pl DO NOT EDIT
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/err.h>
+#include <openssl/cmperr.h>
+
+#ifndef OPENSSL_NO_ERR
+
+static const ERR_STRING_DATA CMP_str_functs[] = {
+    {0, NULL}
+};
+
+static const ERR_STRING_DATA CMP_str_reasons[] = {
+    {0, NULL}
+};
+
+#endif
+
+int ERR_load_CMP_strings(void)
+{
+#ifndef OPENSSL_NO_ERR
+    if (ERR_func_error_string(CMP_str_functs[0].error) == NULL) {
+        ERR_load_strings_const(CMP_str_functs);
+        ERR_load_strings_const(CMP_str_reasons);
+    }
+#endif
+    return 1;
+}
diff --git a/crypto/cmp/cmp_int.h b/crypto/cmp/cmp_int.h
new file mode 100644
index 0000000..e78968a
--- /dev/null
+++ b/crypto/cmp/cmp_int.h
@@ -0,0 +1,589 @@
+/*
+ * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright Nokia 2007-2019
+ * Copyright Siemens AG 2015-2019
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ *
+ * CMP implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb.
+ */
+
+#ifndef OSSL_HEADER_CMP_INT_H
+# define OSSL_HEADER_CMP_INT_H
+
+# include "internal/cryptlib.h"
+
+# include <openssl/cmp.h>
+# include <openssl/err.h>
+
+/* explicit #includes not strictly needed since implied by the above: */
+# include <openssl/crmf.h>
+# include <openssl/ossl_typ.h>
+# include <openssl/safestack.h>
+# include <openssl/x509.h>
+# include <openssl/x509v3.h>
+
+/*
+ * ##########################################################################
+ * ASN.1 DECLARATIONS
+ * ##########################################################################
+ */
+
+/*-
+ *   RevAnnContent ::= SEQUENCE {
+ *       status              PKIStatus,
+ *       certId              CertId,
+ *       willBeRevokedAt     GeneralizedTime,
+ *       badSinceDate        GeneralizedTime,
+ *       crlDetails          Extensions  OPTIONAL
+ *       -- extra CRL details (e.g., crl number, reason, location, etc.)
+ *   }
+ */
+typedef struct OSSL_cmp_revanncontent_st {
+    ASN1_INTEGER *status;
+    OSSL_CRMF_CERTID *certId;
+    ASN1_GENERALIZEDTIME *willBeRevokedAt;
+    ASN1_GENERALIZEDTIME *badSinceDate;
+    X509_EXTENSIONS *crlDetails;
+} OSSL_CMP_REVANNCONTENT;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVANNCONTENT)
+
+/*-
+ *   Challenge ::= SEQUENCE {
+ *       owf                 AlgorithmIdentifier  OPTIONAL,
+ *
+ *       -- MUST be present in the first Challenge; MAY be omitted in
+ *       -- any subsequent Challenge in POPODecKeyChallContent (if
+ *       -- omitted, then the owf used in the immediately preceding
+ *       -- Challenge is to be used).
+ *
+ *       witness             OCTET STRING,
+ *       -- the result of applying the one-way function (owf) to a
+ *       -- randomly-generated INTEGER, A.  [Note that a different
+ *       -- INTEGER MUST be used for each Challenge.]
+ *       challenge           OCTET STRING
+ *       -- the encryption (under the public key for which the cert.
+ *       -- request is being made) of Rand, where Rand is specified as
+ *       --   Rand ::= SEQUENCE {
+ *       --      int      INTEGER,
+ *       --       - the randomly-generated INTEGER A (above)
+ *       --      sender   GeneralName
+ *       --       - the sender's name (as included in PKIHeader)
+ *       --   }
+ *   }
+ */
+typedef struct OSSL_cmp_challenge_st {
+    X509_ALGOR *owf;
+    ASN1_OCTET_STRING *witness;
+    ASN1_OCTET_STRING *challenge;
+} OSSL_CMP_CHALLENGE;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CHALLENGE)
+
+/*-
+ *  CAKeyUpdAnnContent ::= SEQUENCE {
+ *     oldWithNew         Certificate,
+ *     newWithOld         Certificate,
+ *     newWithNew         Certificate
+ *  }
+ */
+typedef struct OSSL_cmp_cakeyupdanncontent_st {
+    X509 *oldWithNew;
+    X509 *newWithOld;
+    X509 *newWithNew;
+} OSSL_CMP_CAKEYUPDANNCONTENT;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CAKEYUPDANNCONTENT)
+
+/*-
+ * declared already here as it will be used in OSSL_CMP_MSG (nested) and
+ * infoType and infoValue
+ */
+typedef STACK_OF(OSSL_CMP_MSG) OSSL_CMP_MSGS;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_MSGS)
+
+/*-
+ *   InfoTypeAndValue ::= SEQUENCE {
+ *       infoType               OBJECT IDENTIFIER,
+ *       infoValue              ANY DEFINED BY infoType  OPTIONAL
+ *   }
+ */
+struct OSSL_cmp_itav_st {
+    ASN1_OBJECT *infoType;
+    union {
+        char *ptr;
+        /* NID_id_it_caProtEncCert - CA Protocol Encryption Certificate */
+        X509 *caProtEncCert;
+        /* NID_id_it_signKeyPairTypes - Signing Key Pair Types */
+        STACK_OF(X509_ALGOR) *signKeyPairTypes;
+        /* NID_id_it_encKeyPairTypes - Encryption/Key Agreement Key Pair Types */
+        STACK_OF(X509_ALGOR) *encKeyPairTypes;
+        /* NID_id_it_preferredSymmAlg - Preferred Symmetric Algorithm */
+        X509_ALGOR *preferredSymmAlg;
+        /* NID_id_it_caKeyUpdateInfo - Updated CA Key Pair */
+        OSSL_CMP_CAKEYUPDANNCONTENT *caKeyUpdateInfo;
+        /* NID_id_it_currentCRL - CRL */
+        X509_CRL *currentCRL;
+        /* NID_id_it_unsupportedOIDs - Unsupported Object Identifiers */
+        STACK_OF(ASN1_OBJECT) *unsupportedOIDs;
+        /* NID_id_it_keyPairParamReq - Key Pair Parameters Request */
+        ASN1_OBJECT *keyPairParamReq;
+        /* NID_id_it_keyPairParamRep - Key Pair Parameters Response */
+        X509_ALGOR *keyPairParamRep;
+        /* NID_id_it_revPassphrase - Revocation Passphrase */
+        OSSL_CRMF_ENCRYPTEDVALUE *revPassphrase;
+        /* NID_id_it_implicitConfirm - ImplicitConfirm */
+        ASN1_NULL *implicitConfirm;
+        /* NID_id_it_confirmWaitTime - ConfirmWaitTime */
+        ASN1_GENERALIZEDTIME *confirmWaitTime;
+        /* NID_id_it_origPKIMessage - origPKIMessage */
+        OSSL_CMP_MSGS *origPKIMessage;
+        /* NID_id_it_suppLangTags - Supported Language Tags */
+        STACK_OF(ASN1_UTF8STRING) *suppLangTagsValue;
+        /* this is to be used for so far undeclared objects */
+        ASN1_TYPE *other;
+    } infoValue;
+} /* OSSL_CMP_ITAV */;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ITAV)
+DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_ITAV)
+
+
+typedef struct OSSL_cmp_certorenccert_st {
+    int type;
+    union {
+        X509 *certificate;
+        OSSL_CRMF_ENCRYPTEDVALUE *encryptedCert;
+    } value;
+} OSSL_CMP_CERTORENCCERT;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTORENCCERT)
+
+/*-
+ *   CertifiedKeyPair ::= SEQUENCE {
+ *       certOrEncCert       CertOrEncCert,
+ *       privateKey      [0] EncryptedValue      OPTIONAL,
+ *       -- see [CRMF] for comment on encoding
+ *       publicationInfo [1] PKIPublicationInfo  OPTIONAL
+ *   }
+ */
+typedef struct OSSL_cmp_certifiedkeypair_st {
+    OSSL_CMP_CERTORENCCERT *certOrEncCert;
+    OSSL_CRMF_ENCRYPTEDVALUE *privateKey;
+    OSSL_CRMF_PKIPUBLICATIONINFO *publicationInfo;
+} OSSL_CMP_CERTIFIEDKEYPAIR;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTIFIEDKEYPAIR)
+
+/*-
+ *   PKIStatusInfo ::= SEQUENCE {
+ *       status        PKIStatus,
+ *       statusString  PKIFreeText     OPTIONAL,
+ *       failInfo      PKIFailureInfo  OPTIONAL
+ *   }
+ */
+struct OSSL_cmp_pkisi_st {
+    OSSL_CMP_PKISTATUS *status;
+    OSSL_CMP_PKIFREETEXT *statusString;
+    OSSL_CMP_PKIFAILUREINFO *failInfo;
+} /* OSSL_CMP_PKISI */;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PKISI)
+DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_PKISI)
+
+/*-
+ *  RevReqContent ::= SEQUENCE OF RevDetails
+ *
+ *  RevDetails ::= SEQUENCE {
+ *      certDetails         CertTemplate,
+ *      crlEntryDetails     Extensions       OPTIONAL
+ *  }
+ */
+typedef struct OSSL_cmp_revdetails_st {
+    OSSL_CRMF_CERTTEMPLATE *certDetails;
+    X509_EXTENSIONS *crlEntryDetails;
+} OSSL_CMP_REVDETAILS;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVDETAILS)
+DEFINE_STACK_OF(OSSL_CMP_REVDETAILS)
+
+/*-
+ *   RevRepContent ::= SEQUENCE {
+ *       status       SEQUENCE SIZE (1..MAX) OF PKIStatusInfo,
+ *       -- in same order as was sent in RevReqContent
+ *       revCerts [0] SEQUENCE SIZE (1..MAX) OF CertId
+ *                                           OPTIONAL,
+ *       -- IDs for which revocation was requested
+ *       -- (same order as status)
+ *       crls     [1] SEQUENCE SIZE (1..MAX) OF CertificateList
+ *                                           OPTIONAL
+ *       -- the resulting CRLs (there may be more than one)
+ *   }
+ */
+struct OSSL_cmp_revrepcontent_st {
+    STACK_OF(OSSL_CMP_PKISI) *status;
+    STACK_OF(OSSL_CRMF_CERTID) *revCerts;
+    STACK_OF(X509_CRL) *crls;
+} /* OSSL_CMP_REVREPCONTENT */;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVREPCONTENT)
+
+/*-
+ *  KeyRecRepContent ::= SEQUENCE {
+ *      status          PKIStatusInfo,
+ *      newSigCert  [0] Certificate                   OPTIONAL,
+ *      caCerts     [1] SEQUENCE SIZE (1..MAX) OF
+ *                                   Certificate      OPTIONAL,
+ *      keyPairHist [2] SEQUENCE SIZE (1..MAX) OF
+ *                                   CertifiedKeyPair OPTIONAL
+ *   }
+ */
+typedef struct OSSL_cmp_keyrecrepcontent_st {
+    OSSL_CMP_PKISI *status;
+    X509 *newSigCert;
+    STACK_OF(X509) *caCerts;
+    STACK_OF(OSSL_CMP_CERTIFIEDKEYPAIR) *keyPairHist;
+} OSSL_CMP_KEYRECREPCONTENT;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_KEYRECREPCONTENT)
+
+/*-
+ *   ErrorMsgContent ::= SEQUENCE {
+ *       pKIStatusInfo          PKIStatusInfo,
+ *       errorCode              INTEGER           OPTIONAL,
+ *       -- implementation-specific error codes
+ *       errorDetails           PKIFreeText       OPTIONAL
+ *       -- implementation-specific error details
+ *   }
+ */
+typedef struct OSSL_cmp_errormsgcontent_st {
+    OSSL_CMP_PKISI *pKIStatusInfo;
+    ASN1_INTEGER *errorCode;
+    OSSL_CMP_PKIFREETEXT *errorDetails;
+} OSSL_CMP_ERRORMSGCONTENT;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ERRORMSGCONTENT)
+
+/*-
+ *   CertConfirmContent ::= SEQUENCE OF CertStatus
+ *
+ *   CertStatus ::= SEQUENCE {
+ *      certHash    OCTET STRING,
+ *      -- the hash of the certificate, using the same hash algorithm
+ *      -- as is used to create and verify the certificate signature
+ *      certReqId   INTEGER,
+ *      -- to match this confirmation with the corresponding req/rep
+ *      statusInfo  PKIStatusInfo OPTIONAL
+ *   }
+ */
+struct OSSL_cmp_certstatus_st {
+    ASN1_OCTET_STRING *certHash;
+    ASN1_INTEGER *certReqId;
+    OSSL_CMP_PKISI *statusInfo;
+} /* OSSL_CMP_CERTSTATUS */;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTSTATUS)
+
+typedef STACK_OF(OSSL_CMP_CERTSTATUS) OSSL_CMP_CERTCONFIRMCONTENT;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTCONFIRMCONTENT)
+
+/*-
+ *   CertResponse ::= SEQUENCE {
+ *       certReqId           INTEGER,
+ *       -- to match this response with corresponding request (a value
+ *       -- of -1 is to be used if certReqId is not specified in the
+ *       -- corresponding request)
+ *       status              PKIStatusInfo,
+ *       certifiedKeyPair    CertifiedKeyPair    OPTIONAL,
+ *       rspInfo             OCTET STRING        OPTIONAL
+ *       -- analogous to the id-regInfo-utf8Pairs string defined
+ *       -- for regInfo in CertReqMsg [CRMF]
+ *   }
+ */
+struct OSSL_cmp_certresponse_st {
+    ASN1_INTEGER *certReqId;
+    OSSL_CMP_PKISI *status;
+    OSSL_CMP_CERTIFIEDKEYPAIR *certifiedKeyPair;
+    ASN1_OCTET_STRING *rspInfo;
+} /* OSSL_CMP_CERTRESPONSE */;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTRESPONSE)
+
+/*-
+ *   CertRepMessage ::= SEQUENCE {
+ *       caPubs       [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate
+ *                        OPTIONAL,
+ *       response         SEQUENCE OF CertResponse
+ *   }
+ */
+struct OSSL_cmp_certrepmessage_st {
+    STACK_OF(X509) *caPubs;
+    STACK_OF(OSSL_CMP_CERTRESPONSE) *response;
+} /* OSSL_CMP_CERTREPMESSAGE */;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTREPMESSAGE)
+
+/*-
+ *   PollReqContent ::= SEQUENCE OF SEQUENCE {
+ *         certReqId                              INTEGER
+ *   }
+ */
+typedef struct OSSL_cmp_pollreq_st {
+    ASN1_INTEGER *certReqId;
+} OSSL_CMP_POLLREQ;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREQ)
+DEFINE_STACK_OF(OSSL_CMP_POLLREQ)
+typedef STACK_OF(OSSL_CMP_POLLREQ) OSSL_CMP_POLLREQCONTENT;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREQCONTENT)
+
+/*-
+ * PollRepContent ::= SEQUENCE OF SEQUENCE {
+ *         certReqId                              INTEGER,
+ *         checkAfter                             INTEGER,  -- time in seconds
+ *         reason                                 PKIFreeText OPTIONAL
+ * }
+ */
+struct OSSL_cmp_pollrep_st {
+    ASN1_INTEGER *certReqId;
+    ASN1_INTEGER *checkAfter;
+    OSSL_CMP_PKIFREETEXT *reason;
+} /* OSSL_CMP_POLLREP */;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREP)
+DEFINE_STACK_OF(OSSL_CMP_POLLREP)
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREPCONTENT)
+
+/*-
+ * PKIHeader ::= SEQUENCE {
+ *     pvno                INTEGER     { cmp1999(1), cmp2000(2) },
+ *     sender              GeneralName,
+ *     -- identifies the sender
+ *     recipient           GeneralName,
+ *     -- identifies the intended recipient
+ *     messageTime     [0] GeneralizedTime         OPTIONAL,
+ *     -- time of production of this message (used when sender
+ *     -- believes that the transport will be "suitable"; i.e.,
+ *     -- that the time will still be meaningful upon receipt)
+ *     protectionAlg   [1] AlgorithmIdentifier     OPTIONAL,
+ *     -- algorithm used for calculation of protection bits
+ *     senderKID       [2] KeyIdentifier           OPTIONAL,
+ *     recipKID        [3] KeyIdentifier           OPTIONAL,
+ *     -- to identify specific keys used for protection
+ *     transactionID   [4] OCTET STRING            OPTIONAL,
+ *     -- identifies the transaction; i.e., this will be the same in
+ *     -- corresponding request, response, certConf, and PKIConf
+ *     -- messages
+ *     senderNonce     [5] OCTET STRING            OPTIONAL,
+ *     recipNonce      [6] OCTET STRING            OPTIONAL,
+ *     -- nonces used to provide replay protection, senderNonce
+ *     -- is inserted by the creator of this message; recipNonce
+ *     -- is a nonce previously inserted in a related message by
+ *     -- the intended recipient of this message
+ *     freeText        [7] PKIFreeText             OPTIONAL,
+ *     -- this may be used to indicate context-specific instructions
+ *     -- (this field is intended for human consumption)
+ *     generalInfo     [8] SEQUENCE SIZE (1..MAX) OF
+ *                            InfoTypeAndValue     OPTIONAL
+ *     -- this may be used to convey context-specific information
+ *     -- (this field not primarily intended for human consumption)
+ *   }
+ */
+struct OSSL_cmp_pkiheader_st {
+    ASN1_INTEGER *pvno;
+    GENERAL_NAME *sender;
+    GENERAL_NAME *recipient;
+    ASN1_GENERALIZEDTIME *messageTime; /* 0 */
+    X509_ALGOR *protectionAlg; /* 1 */
+    ASN1_OCTET_STRING *senderKID; /* 2 */
+    ASN1_OCTET_STRING *recipKID; /* 3 */
+    ASN1_OCTET_STRING *transactionID; /* 4 */
+    ASN1_OCTET_STRING *senderNonce; /* 5 */
+    ASN1_OCTET_STRING *recipNonce; /* 6 */
+    OSSL_CMP_PKIFREETEXT *freeText; /* 7 */
+    STACK_OF(OSSL_CMP_ITAV) *generalInfo; /* 8 */
+} /* OSSL_CMP_PKIHEADER */;
+
+typedef STACK_OF(OSSL_CMP_CHALLENGE) OSSL_CMP_POPODECKEYCHALLCONTENT;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POPODECKEYCHALLCONTENT)
+typedef STACK_OF(ASN1_INTEGER) OSSL_CMP_POPODECKEYRESPCONTENT;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POPODECKEYRESPCONTENT)
+typedef STACK_OF(OSSL_CMP_REVDETAILS) OSSL_CMP_REVREQCONTENT;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVREQCONTENT)
+typedef STACK_OF(X509_CRL) OSSL_CMP_CRLANNCONTENT;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CRLANNCONTENT)
+typedef STACK_OF(OSSL_CMP_ITAV) OSSL_CMP_GENMSGCONTENT;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_GENMSGCONTENT)
+typedef STACK_OF(OSSL_CMP_ITAV) OSSL_CMP_GENREPCONTENT;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_GENREPCONTENT)
+
+/*-
+ *   PKIBody ::= CHOICE {           -- message-specific body elements
+ *           ir       [0]  CertReqMessages,            --Initialization Request
+ *           ip       [1]  CertRepMessage,             --Initialization Response
+ *           cr       [2]  CertReqMessages,            --Certification Request
+ *           cp       [3]  CertRepMessage,             --Certification Response
+ *           p10cr    [4]  CertificationRequest,       --imported from [PKCS10]
+ *           popdecc  [5]  POPODecKeyChallContent,     --pop Challenge
+ *           popdecr  [6]  POPODecKeyRespContent,      --pop Response
+ *           kur      [7]  CertReqMessages,            --Key Update Request
+ *           kup      [8]  CertRepMessage,             --Key Update Response
+ *           krr      [9]  CertReqMessages,            --Key Recovery Request
+ *           krp      [10] KeyRecRepContent,           --Key Recovery Response
+ *           rr       [11] RevReqContent,              --Revocation Request
+ *           rp       [12] RevRepContent,              --Revocation Response
+ *           ccr      [13] CertReqMessages,            --Cross-Cert. Request
+ *           ccp      [14] CertRepMessage,             --Cross-Cert. Response
+ *           ckuann   [15] CAKeyUpdAnnContent,         --CA Key Update Ann.
+ *           cann     [16] CertAnnContent,             --Certificate Ann.
+ *           rann     [17] RevAnnContent,              --Revocation Ann.
+ *           crlann   [18] CRLAnnContent,              --CRL Announcement
+ *           pkiconf  [19] PKIConfirmContent,          --Confirmation
+ *           nested   [20] NestedMessageContent,       --Nested Message
+ *           genm     [21] GenMsgContent,              --General Message
+ *           genp     [22] GenRepContent,              --General Response
+ *           error    [23] ErrorMsgContent,            --Error Message
+ *           certConf [24] CertConfirmContent,         --Certificate confirm
+ *           pollReq  [25] PollReqContent,             --Polling request
+ *           pollRep  [26] PollRepContent              --Polling response
+ */
+typedef struct OSSL_cmp_pkibody_st {
+    int type;
+    union {
+        OSSL_CRMF_MSGS *ir; /* 0 */
+        OSSL_CMP_CERTREPMESSAGE *ip; /* 1 */
+        OSSL_CRMF_MSGS *cr; /* 2 */
+        OSSL_CMP_CERTREPMESSAGE *cp; /* 3 */
+        /* p10cr      [4]  CertificationRequest,     --imported from [PKCS10] */
+        /*
+         * PKCS10_CERTIFICATIONREQUEST is effectively X509_REQ
+         * so it is used directly
+         */
+        X509_REQ *p10cr; /* 4 */
+        /* popdecc    [5]  POPODecKeyChallContent, --pop Challenge */
+        /* POPODecKeyChallContent ::= SEQUENCE OF Challenge */
+        OSSL_CMP_POPODECKEYCHALLCONTENT *popdecc; /* 5 */
+        /* popdecr    [6]  POPODecKeyRespContent,  --pop Response */
+        /* POPODecKeyRespContent ::= SEQUENCE OF INTEGER */
+        OSSL_CMP_POPODECKEYRESPCONTENT *popdecr; /* 6 */
+        OSSL_CRMF_MSGS *kur; /* 7 */
+        OSSL_CMP_CERTREPMESSAGE *kup; /* 8 */
+        OSSL_CRMF_MSGS *krr; /* 9 */
+
+        /* krp        [10] KeyRecRepContent,         --Key Recovery Response */
+        OSSL_CMP_KEYRECREPCONTENT *krp; /* 10 */
+        /* rr         [11] RevReqContent,            --Revocation Request */
+        OSSL_CMP_REVREQCONTENT *rr; /* 11 */
+        /* rp         [12] RevRepContent,            --Revocation Response */
+        OSSL_CMP_REVREPCONTENT *rp; /* 12 */
+        /* ccr        [13] CertReqMessages,          --Cross-Cert. Request */
+        OSSL_CRMF_MSGS *ccr; /* 13 */
+        /* ccp        [14] CertRepMessage,           --Cross-Cert. Response */
+        OSSL_CMP_CERTREPMESSAGE *ccp; /* 14 */
+        /* ckuann     [15] CAKeyUpdAnnContent,       --CA Key Update Ann. */
+        OSSL_CMP_CAKEYUPDANNCONTENT *ckuann; /* 15 */
+        /* cann       [16] CertAnnContent,           --Certificate Ann. */
+        /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
+        X509 *cann;         /* 16 */
+        /* rann       [17] RevAnnContent,            --Revocation Ann. */
+        OSSL_CMP_REVANNCONTENT *rann; /* 17 */
+        /* crlann     [18] CRLAnnContent,            --CRL Announcement */
+        /* CRLAnnContent ::= SEQUENCE OF CertificateList */
+        OSSL_CMP_CRLANNCONTENT *crlann;
+        /* PKIConfirmContent ::= NULL */
+        /* pkiconf    [19] PKIConfirmContent,        --Confirmation */
+        /* OSSL_CMP_PKICONFIRMCONTENT would be only a typedef of ASN1_NULL */
+        /* OSSL_CMP_CONFIRMCONTENT *pkiconf; */
+        /*
+         * NOTE: this should ASN1_NULL according to the RFC
+         * but there might be a struct in it when sent from faulty servers...
+         */
+        ASN1_TYPE *pkiconf; /* 19 */
+        /* nested     [20] NestedMessageContent,     --Nested Message */
+        /* NestedMessageContent ::= PKIMessages */
+        OSSL_CMP_MSGS *nested; /* 20 */
+        /* genm       [21] GenMsgContent,            --General Message */
+        /* GenMsgContent ::= SEQUENCE OF InfoTypeAndValue */
+        OSSL_CMP_GENMSGCONTENT *genm; /* 21 */
+        /* genp       [22] GenRepContent,            --General Response */
+        /* GenRepContent ::= SEQUENCE OF InfoTypeAndValue */
+        OSSL_CMP_GENREPCONTENT *genp; /* 22 */
+        /* error      [23] ErrorMsgContent,          --Error Message */
+        OSSL_CMP_ERRORMSGCONTENT *error; /* 23 */
+        /* certConf [24] CertConfirmContent,     --Certificate confirm */
+        OSSL_CMP_CERTCONFIRMCONTENT *certConf; /* 24 */
+        /* pollReq    [25] PollReqContent,           --Polling request */
+        OSSL_CMP_POLLREQCONTENT *pollReq;
+        /* pollRep    [26] PollRepContent            --Polling response */
+        OSSL_CMP_POLLREPCONTENT *pollRep;
+    } value;
+} OSSL_CMP_PKIBODY;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PKIBODY)
+
+/*-
+ *   PKIProtection ::= BIT STRING
+ *
+ *   PKIMessages ::= SEQUENCE SIZE (1..MAX) OF PKIMessage
+ *
+ *    PKIMessage ::= SEQUENCE {
+ *           header           PKIHeader,
+ *           body             PKIBody,
+ *           protection   [0] PKIProtection OPTIONAL,
+ *           extraCerts   [1] SEQUENCE SIZE (1..MAX) OF CMPCertificate
+ *                                            OPTIONAL
+ *   }
+ */
+struct OSSL_cmp_msg_st {
+    OSSL_CMP_PKIHEADER *header;
+    OSSL_CMP_PKIBODY *body;
+    ASN1_BIT_STRING *protection; /* 0 */
+    /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
+    STACK_OF(X509) *extraCerts; /* 1 */
+} /* OSSL_CMP_MSG */;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_MSG)
+
+/*-
+ * ProtectedPart ::= SEQUENCE {
+ * header    PKIHeader,
+ * body      PKIBody
+ * }
+ */
+typedef struct cmp_protectedpart_st {
+    OSSL_CMP_PKIHEADER *header;
+    OSSL_CMP_PKIBODY *body;
+} CMP_PROTECTEDPART;
+DECLARE_ASN1_FUNCTIONS(CMP_PROTECTEDPART)
+
+/*-
+ *  this is not defined here as it is already in CRMF:
+ *   id-PasswordBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 13}
+ *   PBMParameter ::= SEQUENCE {
+ *           salt                OCTET STRING,
+ *           -- note:  implementations MAY wish to limit acceptable sizes
+ *           -- of this string to values appropriate for their environment
+ *           -- in order to reduce the risk of denial-of-service attacks
+ *           owf                 AlgorithmIdentifier,
+ *           -- AlgId for a One-Way Function (SHA-1 recommended)
+ *           iterationCount      INTEGER,
+ *           -- number of times the OWF is applied
+ *           -- note:  implementations MAY wish to limit acceptable sizes
+ *           -- of this integer to values appropriate for their environment
+ *           -- in order to reduce the risk of denial-of-service attacks
+ *           mac                 AlgorithmIdentifier
+ *           -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
+ *   }       -- or HMAC [RFC2104, RFC2202])
+ */
+/*-
+ *  TODO: this is not yet defined here - but DH is anyway not used yet
+ *
+ *   id-DHBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 30}
+ *   DHBMParameter ::= SEQUENCE {
+ *           owf                 AlgorithmIdentifier,
+ *           -- AlgId for a One-Way Function (SHA-1 recommended)
+ *           mac                 AlgorithmIdentifier
+ *           -- the MAC AlgId (e.g., DES-MAC, Triple-DES-MAC [PKCS11],
+ *   }       -- or HMAC [RFC2104, RFC2202])
+ */
+/*-
+ * The following is not cared for, because it is described in section 5.2.5
+ * that this is beyond the scope of CMP
+ *   OOBCert ::= CMPCertificate
+ *
+ *   OOBCertHash ::= SEQUENCE {
+ *           hashAlg         [0] AlgorithmIdentifier         OPTIONAL,
+ *           certId          [1] CertId                      OPTIONAL,
+ *           hashVal             BIT STRING
+ *           -- hashVal is calculated over the DER encoding of the
+ *           -- self-signed certificate with the identifier certID.
+ *   }
+ */
+
+#endif /* !defined OSSL_HEADER_CMP_INT_H */
diff --git a/crypto/crmf/crmf_asn.c b/crypto/crmf/crmf_asn.c
index 8810cb4..05442c2 100644
--- a/crypto/crmf/crmf_asn.c
+++ b/crypto/crmf/crmf_asn.c
@@ -1,7 +1,7 @@
 /*-
- * Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved.
- * Copyright Nokia 2007-2018
- * Copyright Siemens AG 2015-2018
+ * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright Nokia 2007-2019
+ * Copyright Siemens AG 2015-2019
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/crypto/crmf/crmf_int.h b/crypto/crmf/crmf_int.h
index f908eac..b762057 100644
--- a/crypto/crmf/crmf_int.h
+++ b/crypto/crmf/crmf_int.h
@@ -1,7 +1,7 @@
 /*-
- * Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved.
- * Copyright Nokia 2007-2018
- * Copyright Siemens AG 2015-2018
+ * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright Nokia 2007-2019
+ * Copyright Siemens AG 2015-2019
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/crypto/crmf/crmf_lib.c b/crypto/crmf/crmf_lib.c
index 6a259f9..55f1f38 100644
--- a/crypto/crmf/crmf_lib.c
+++ b/crypto/crmf/crmf_lib.c
@@ -1,7 +1,7 @@
 /*-
- * Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright Nokia 2007-2018
- * Copyright Siemens AG 2015-2018
+ * Copyright Siemens AG 2015-2019
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/crypto/crmf/crmf_pbm.c b/crypto/crmf/crmf_pbm.c
index 09e4ffa..7b29166 100644
--- a/crypto/crmf/crmf_pbm.c
+++ b/crypto/crmf/crmf_pbm.c
@@ -1,7 +1,7 @@
 /*-
- * Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved.
- * Copyright Nokia 2007-2018
- * Copyright Siemens AG 2015-2018
+ * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright Nokia 2007-2019
+ * Copyright Siemens AG 2015-2019
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/crypto/err/err.c b/crypto/err/err.c
index 345d230..57399f8 100644
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -59,6 +59,7 @@ static ERR_STRING_DATA ERR_str_libraries[] = {
     {ERR_PACK(ERR_LIB_FIPS, 0, 0), "FIPS routines"},
     {ERR_PACK(ERR_LIB_CMS, 0, 0), "CMS routines"},
     {ERR_PACK(ERR_LIB_CRMF, 0, 0), "CRMF routines"},
+    {ERR_PACK(ERR_LIB_CMP, 0, 0), "CMP routines"},
     {ERR_PACK(ERR_LIB_HMAC, 0, 0), "HMAC routines"},
     {ERR_PACK(ERR_LIB_CT, 0, 0), "CT routines"},
     {ERR_PACK(ERR_LIB_ASYNC, 0, 0), "ASYNC routines"},
diff --git a/crypto/err/err_all.c b/crypto/err/err_all.c
index a56cf9c..8962fe5 100644
--- a/crypto/err/err_all.c
+++ b/crypto/err/err_all.c
@@ -35,6 +35,7 @@
 #include <openssl/tserr.h>
 #include <openssl/cmserr.h>
 #include <openssl/crmferr.h>
+#include <openssl/cmperr.h>
 #include <openssl/cterr.h>
 #include <openssl/asyncerr.h>
 #include <openssl/kdferr.h>
@@ -94,6 +95,7 @@ int err_load_crypto_strings_int(void)
 # endif
 # ifndef OPENSSL_NO_CRMF
         ERR_load_CRMF_strings() == 0 ||
+        ERR_load_CMP_strings() == 0 ||
 # endif
 # ifndef OPENSSL_NO_CT
         ERR_load_CT_strings() == 0 ||
diff --git a/crypto/err/openssl.ec b/crypto/err/openssl.ec
index 0c362b2..04e76df 100644
--- a/crypto/err/openssl.ec
+++ b/crypto/err/openssl.ec
@@ -30,6 +30,7 @@ L COMP          include/openssl/comp.h          crypto/comp/comp_err.c
 L TS            include/openssl/ts.h            crypto/ts/ts_err.c
 L CMS           include/openssl/cms.h           crypto/cms/cms_err.c
 L CRMF          include/openssl/crmf.h          crypto/crmf/crmf_err.c
+L CMP           include/openssl/cmp.h           crypto/cmp/cmp_err.c
 L CT            include/openssl/ct.h            crypto/ct/ct_err.c
 L ASYNC         include/openssl/async.h         crypto/async/async_err.c
 L KDF           include/openssl/kdf.h           crypto/kdf/kdf_err.c
diff --git a/doc/man3/OSSL_CMP_ITAV_set0.pod b/doc/man3/OSSL_CMP_ITAV_set0.pod
new file mode 100644
index 0000000..082b0bf
--- /dev/null
+++ b/doc/man3/OSSL_CMP_ITAV_set0.pod
@@ -0,0 +1,105 @@
+=pod
+
+=head1 NAME
+
+OSSL_CMP_ITAV_create,
+OSSL_CMP_ITAV_set0,
+OSSL_CMP_ITAV_get0_type,
+OSSL_CMP_ITAV_get0_value,
+OSSL_CMP_ITAV_push0_stack_item
+- OSSL_CMP_ITAV utility functions
+
+=head1 SYNOPSIS
+
+  #include <openssl/cmp.h>
+  OSSL_CMP_ITAV *OSSL_CMP_ITAV_create(ASN1_OBJECT *type, ASN1_TYPE *value);
+  void OSSL_CMP_ITAV_set0(OSSL_CMP_ITAV *itav, ASN1_OBJECT *type,
+                          ASN1_TYPE *value);
+  ASN1_OBJECT *OSSL_CMP_ITAV_get0_type(const OSSL_CMP_ITAV *itav);
+  ASN1_TYPE *OSSL_CMP_ITAV_get0_value(const OSSL_CMP_ITAV *itav);
+
+  int OSSL_CMP_ITAV_push0_stack_item(STACK_OF(OSSL_CMP_ITAV) **itav_sk_p,
+                                     OSSL_CMP_ITAV *itav);
+
+=head1 DESCRIPTION
+
+ITAV is short for InfoTypeAndValue. This type is defined in RFC 4210
+section 5.3.19 and Appendix F. It is used at various places in CMP messages,
+e.g., in the generalInfo PKIHeader field, to hold a key-value pair.
+
+OSSL_CMP_ITAV_create() creates a new OSSL_CMP_ITAV structure and fills it in.
+It combines B<OSSL_CMP_ITAV_new()> and B<OSSL_CMP_ITAV_set0>.
+
+OSSL_CMP_ITAV_set0() sets the B<itav> with an infoType of B<type> and an
+infoValue of B<value>. This function uses the pointers B<type> and B<value>
+internally, so they must B<not> be freed up after the call.
+
+OSSL_CMP_ITAV_get0_type() returns a direct pointer to the infoType in the
+B<itav>.
+
+OSSL_CMP_ITAV_get0_value() returns a direct pointer to the infoValue in
+the B<itav> as generic ASN1_TYPE*.
+
+OSSL_CMP_ITAV_push0_stack_item() pushes B<itav> to the stack pointed to
+by B<*itav_sk_p>. It creates a new stack if B<*itav_sk_p> points to NULL.
+
+=head1 NOTES
+
+CMP is defined in RFC 4210 (and CRMF in RFC 4211).
+
+=head1 RETURN VALUES
+
+OSSL_CMP_ITAV_create() returns a pointer to the ITAV structure on success,
+or NULL on error.
+
+OSSL_CMP_ITAV_set0() does not return a value.
+
+OSSL_CMP_ITAV_get0_type() and OSSL_CMP_ITAV_get0_value()
+return the respective pointer or NULL if their input is NULL.
+
+OSSL_CMP_ITAV_push0_stack_item() returns 1 on success, 0 on error.
+
+=head1 EXAMPLE
+
+The following code creates and sets a structure representing a generic
+InfoTypeAndValue sequence, using an OID created from text as type, and an
+integer as value. Afterwards, it is pushed to the OSSL_CMP_CTX to be later
+included in the requests' PKIHeader's genInfo field.
+
+    ASN1_OBJECT *type = OBJ_txt2obj("1.2.3.4.5", 1);
+    if (type == NULL) ...
+
+    ASN1_INTEGER *asn1int = ASN1_INTEGER_new();
+    if (asn1int == NULL || !ASN1_INTEGER_set(asn1int, 12345)) ...
+
+    ASN1_TYPE *val = ASN1_TYPE_new();
+    if (val == NULL) ...
+    ASN1_TYPE_set(val, V_ASN1_INTEGER, asn1int);
+
+    OSSL_CMP_ITAV *itav = OSSL_CMP_ITAV_create(type, val);
+    if (itav == NULL) ...
+
+    OSSL_CMP_CTX *ctx = OSSL_CMP_CTX_new();
+    if (ctx == NULL || !OSSL_CMP_CTX_geninfo_push0_ITAV(ctx, itav)) {
+        OSSL_CMP_ITAV_free(itav); /* also frees type and val */
+        goto err;
+    }
+
+    ...
+
+    OSSL_CMP_CTX_free(ctx); /* also frees itav */
+
+=head1 SEE ALSO
+
+L<OSSL_CMP_CTX_new(3)>, L<OSSL_CMP_CTX_free(3)>, L<ASN1_TYPE_set(3)>
+
+=head1 COPYRIGHT
+
+Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod b/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod
index 0ddfc71..1ca79bc 100644
--- a/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod
+++ b/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod
@@ -56,7 +56,7 @@ B<RFC 4211>
 
 =head1 COPYRIGHT
 
-Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.pod b/doc/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.pod
index 5709b17..e73a490 100644
--- a/doc/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.pod
+++ b/doc/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.pod
@@ -96,7 +96,7 @@ RFC 4211
 
 =head1 COPYRIGHT
 
-Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.pod b/doc/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.pod
index cad175c..3d895a4 100644
--- a/doc/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.pod
+++ b/doc/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.pod
@@ -39,7 +39,7 @@ RFC 4211
 
 =head1 COPYRIGHT
 
-Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/OSSL_CRMF_MSG_set_validity.pod b/doc/man3/OSSL_CRMF_MSG_set_validity.pod
index 588c8b7..80f2366 100644
--- a/doc/man3/OSSL_CRMF_MSG_set_validity.pod
+++ b/doc/man3/OSSL_CRMF_MSG_set_validity.pod
@@ -95,7 +95,7 @@ RFC 4211
 
 =head1 COPYRIGHT
 
-Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/OSSL_CRMF_pbmp_new.pod b/doc/man3/OSSL_CRMF_pbmp_new.pod
index 651c430..877fee6 100644
--- a/doc/man3/OSSL_CRMF_pbmp_new.pod
+++ b/doc/man3/OSSL_CRMF_pbmp_new.pod
@@ -68,7 +68,7 @@ RFC 4211 section 4.4
 
 =head1 COPYRIGHT
 
-Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/X509_dup.pod b/doc/man3/X509_dup.pod
index 2f51e45..526a6d6 100644
--- a/doc/man3/X509_dup.pod
+++ b/doc/man3/X509_dup.pod
@@ -116,20 +116,39 @@ OCSP_SIGNATURE_free,
 OCSP_SIGNATURE_new,
 OCSP_SINGLERESP_free,
 OCSP_SINGLERESP_new,
+OSSL_CMP_ITAV_free,
+OSSL_CMP_MSG_dup,
+OSSL_CMP_MSG_it,
+OSSL_CMP_MSG_free,
+OSSL_CMP_PKIHEADER_free,
+OSSL_CMP_PKIHEADER_it,
+OSSL_CMP_PKIHEADER_new,
+OSSL_CMP_PKISI_free,
+OSSL_CMP_PKISTATUS_it,
 OSSL_CRMF_CERTID_free,
+OSSL_CRMF_CERTID_it,
 OSSL_CRMF_CERTID_new,
 OSSL_CRMF_CERTTEMPLATE_free,
+OSSL_CRMF_CERTTEMPLATE_it,
 OSSL_CRMF_CERTTEMPLATE_new,
 OSSL_CRMF_ENCRYPTEDVALUE_free,
+OSSL_CRMF_ENCRYPTEDVALUE_it,
 OSSL_CRMF_ENCRYPTEDVALUE_new,
+OSSL_CRMF_MSGS_free,
+OSSL_CRMF_MSGS_it,
+OSSL_CRMF_MSGS_new,
 OSSL_CRMF_MSG_free,
+OSSL_CRMF_MSG_it,
 OSSL_CRMF_MSG_new,
 OSSL_CRMF_PBMPARAMETER_free,
+OSSL_CRMF_PBMPARAMETER_it,
 OSSL_CRMF_PBMPARAMETER_new,
 OSSL_CRMF_PKIPUBLICATIONINFO_free,
+OSSL_CRMF_PKIPUBLICATIONINFO_it,
 OSSL_CRMF_PKIPUBLICATIONINFO_new,
-OSSL_CRMF_MSGS_free,
-OSSL_CRMF_MSGS_new,
+OSSL_CRMF_SINGLEPUBINFO_free,
+OSSL_CRMF_SINGLEPUBINFO_it,
+OSSL_CRMF_SINGLEPUBINFO_new,
 OTHERNAME_free,
 OTHERNAME_new,
 PBE2PARAM_free,
diff --git a/doc/man3/d2i_X509.pod b/doc/man3/d2i_X509.pod
index cad7877..30e6ad0 100644
--- a/doc/man3/d2i_X509.pod
+++ b/doc/man3/d2i_X509.pod
@@ -93,6 +93,16 @@ d2i_OCSP_REVOKEDINFO,
 d2i_OCSP_SERVICELOC,
 d2i_OCSP_SIGNATURE,
 d2i_OCSP_SINGLERESP,
+d2i_OSSL_CMP_MSG,
+d2i_OSSL_CMP_PKIHEADER,
+d2i_OSSL_CRMF_CERTID,
+d2i_OSSL_CRMF_CERTTEMPLATE,
+d2i_OSSL_CRMF_ENCRYPTEDVALUE,
+d2i_OSSL_CRMF_MSG,
+d2i_OSSL_CRMF_MSGS,
+d2i_OSSL_CRMF_PBMPARAMETER,
+d2i_OSSL_CRMF_PKIPUBLICATIONINFO,
+d2i_OSSL_CRMF_SINGLEPUBINFO,
 d2i_OTHERNAME,
 d2i_PBE2PARAM,
 d2i_PBEPARAM,
@@ -269,6 +279,16 @@ i2d_OCSP_REVOKEDINFO,
 i2d_OCSP_SERVICELOC,
 i2d_OCSP_SIGNATURE,
 i2d_OCSP_SINGLERESP,
+i2d_OSSL_CMP_MSG,
+i2d_OSSL_CMP_PKIHEADER,
+i2d_OSSL_CRMF_CERTID,
+i2d_OSSL_CRMF_CERTTEMPLATE,
+i2d_OSSL_CRMF_ENCRYPTEDVALUE,
+i2d_OSSL_CRMF_MSG,
+i2d_OSSL_CRMF_MSGS,
+i2d_OSSL_CRMF_PBMPARAMETER,
+i2d_OSSL_CRMF_PKIPUBLICATIONINFO,
+i2d_OSSL_CRMF_SINGLEPUBINFO,
 i2d_OTHERNAME,
 i2d_PBE2PARAM,
 i2d_PBEPARAM,
diff --git a/include/openssl/cmp.h b/include/openssl/cmp.h
new file mode 100644
index 0000000..3d9c3d4
--- /dev/null
+++ b/include/openssl/cmp.h
@@ -0,0 +1,243 @@
+/*-
+ * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright Nokia 2007-2019
+ * Copyright Siemens AG 2015-2019
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ *
+ * CMP (RFC 4210) implementation by M. Peylo, M. Viljanen, and D. von Oheimb.
+ */
+
+#ifndef OSSL_HEADER_CMP_H
+# define OSSL_HEADER_CMP_H
+
+# include <openssl/opensslconf.h>
+# ifndef OPENSSL_NO_CMP
+
+#  include <openssl/crmf.h>
+#  include <openssl/cmperr.h>
+
+/* explicit #includes not strictly needed since implied by the above: */
+#  include <openssl/ossl_typ.h>
+#  include <openssl/safestack.h>
+#  include <openssl/x509.h>
+#  include <openssl/x509v3.h>
+
+#  ifdef  __cplusplus
+extern "C" {
+#  endif
+
+#  define OSSL_CMP_PVNO 2
+
+/*-
+ *   PKIFailureInfo ::= BIT STRING {
+ *   -- since we can fail in more than one way!
+ *   -- More codes may be added in the future if/when required.
+ *       badAlg              (0),
+ *       -- unrecognized or unsupported Algorithm Identifier
+ *       badMessageCheck     (1),
+ *       -- integrity check failed (e.g., signature did not verify)
+ *       badRequest          (2),
+ *       -- transaction not permitted or supported
+ *       badTime             (3),
+ *       -- messageTime was not sufficiently close to the system time,
+ *       -- as defined by local policy
+ *       badCertId           (4),
+ *       -- no certificate could be found matching the provided criteria
+ *       badDataFormat       (5),
+ *       -- the data submitted has the wrong format
+ *       wrongAuthority      (6),
+ *       -- the authority indicated in the request is different from the
+ *       -- one creating the response token
+ *       incorrectData       (7),
+ *       -- the requester's data is incorrect (for notary services)
+ *       missingTimeStamp    (8),
+ *       -- when the timestamp is missing but should be there
+ *       -- (by policy)
+ *       badPOP              (9),
+ *       -- the proof-of-possession failed
+ *       certRevoked         (10),
+ *          -- the certificate has already been revoked
+ *       certConfirmed       (11),
+ *          -- the certificate has already been confirmed
+ *       wrongIntegrity      (12),
+ *          -- invalid integrity, password based instead of signature or
+ *          -- vice versa
+ *       badRecipientNonce   (13),
+ *          -- invalid recipient nonce, either missing or wrong value
+ *       timeNotAvailable    (14),
+ *          -- the TSA's time source is not available
+ *       unacceptedPolicy    (15),
+ *          -- the requested TSA policy is not supported by the TSA.
+ *       unacceptedExtension (16),
+ *          -- the requested extension is not supported by the TSA.
+ *       addInfoNotAvailable (17),
+ *          -- the additional information requested could not be
+ *          -- understood or is not available
+ *       badSenderNonce      (18),
+ *          -- invalid sender nonce, either missing or wrong size
+ *       badCertTemplate     (19),
+ *          -- invalid cert. template or missing mandatory information
+ *       signerNotTrusted    (20),
+ *          -- signer of the message unknown or not trusted
+ *       transactionIdInUse  (21),
+ *          -- the transaction identifier is already in use
+ *       unsupportedVersion  (22),
+ *          -- the version of the message is not supported
+ *       notAuthorized       (23),
+ *          -- the sender was not authorized to make the preceding
+ *          -- request or perform the preceding action
+ *       systemUnavail       (24),
+ *       -- the request cannot be handled due to system unavailability
+ *       systemFailure       (25),
+ *       -- the request cannot be handled due to system failure
+ *       duplicateCertReq    (26)
+ *       -- certificate cannot be issued because a duplicate
+ *       -- certificate already exists
+ *   }
+ */
+#  define OSSL_CMP_PKIFAILUREINFO_badAlg 0
+#  define OSSL_CMP_PKIFAILUREINFO_badMessageCheck 1
+#  define OSSL_CMP_PKIFAILUREINFO_badRequest 2
+#  define OSSL_CMP_PKIFAILUREINFO_badTime 3
+#  define OSSL_CMP_PKIFAILUREINFO_badCertId 4
+#  define OSSL_CMP_PKIFAILUREINFO_badDataFormat 5
+#  define OSSL_CMP_PKIFAILUREINFO_wrongAuthority 6
+#  define OSSL_CMP_PKIFAILUREINFO_incorrectData 7
+#  define OSSL_CMP_PKIFAILUREINFO_missingTimeStamp 8
+#  define OSSL_CMP_PKIFAILUREINFO_badPOP 9
+#  define OSSL_CMP_PKIFAILUREINFO_certRevoked 10
+#  define OSSL_CMP_PKIFAILUREINFO_certConfirmed 11
+#  define OSSL_CMP_PKIFAILUREINFO_wrongIntegrity 12
+#  define OSSL_CMP_PKIFAILUREINFO_badRecipientNonce 13
+#  define OSSL_CMP_PKIFAILUREINFO_timeNotAvailable 14
+#  define OSSL_CMP_PKIFAILUREINFO_unacceptedPolicy 15
+#  define OSSL_CMP_PKIFAILUREINFO_unacceptedExtension 16
+#  define OSSL_CMP_PKIFAILUREINFO_addInfoNotAvailable 17
+#  define OSSL_CMP_PKIFAILUREINFO_badSenderNonce 18
+#  define OSSL_CMP_PKIFAILUREINFO_badCertTemplate 19
+#  define OSSL_CMP_PKIFAILUREINFO_signerNotTrusted 20
+#  define OSSL_CMP_PKIFAILUREINFO_transactionIdInUse 21
+#  define OSSL_CMP_PKIFAILUREINFO_unsupportedVersion 22
+#  define OSSL_CMP_PKIFAILUREINFO_notAuthorized 23
+#  define OSSL_CMP_PKIFAILUREINFO_systemUnavail 24
+#  define OSSL_CMP_PKIFAILUREINFO_systemFailure 25
+#  define OSSL_CMP_PKIFAILUREINFO_duplicateCertReq 26
+#  define OSSL_CMP_PKIFAILUREINFO_MAX 26
+#  define OSSL_CMP_PKIFAILUREINFO_MAX_BIT_PATTERN \
+    ( (1<<(OSSL_CMP_PKIFAILUREINFO_MAX+1)) - 1)
+#  if OSSL_CMP_PKIFAILUREINFO_MAX_BIT_PATTERN > INT_MAX
+#   error  CMP_PKIFAILUREINFO_MAX bit pattern does not fit in type int
+#  endif
+
+typedef ASN1_BIT_STRING OSSL_CMP_PKIFAILUREINFO;
+
+#  define OSSL_CMP_CTX_FAILINFO_badAlg (1 << 0)
+#  define OSSL_CMP_CTX_FAILINFO_badMessageCheck (1 << 1)
+#  define OSSL_CMP_CTX_FAILINFO_badRequest (1 << 2)
+#  define OSSL_CMP_CTX_FAILINFO_badTime (1 << 3)
+#  define OSSL_CMP_CTX_FAILINFO_badCertId (1 << 4)
+#  define OSSL_CMP_CTX_FAILINFO_badDataFormat (1 << 5)
+#  define OSSL_CMP_CTX_FAILINFO_wrongAuthority (1 << 6)
+#  define OSSL_CMP_CTX_FAILINFO_incorrectData (1 << 7)
+#  define OSSL_CMP_CTX_FAILINFO_missingTimeStamp (1 << 8)
+#  define OSSL_CMP_CTX_FAILINFO_badPOP (1 << 9)
+#  define OSSL_CMP_CTX_FAILINFO_certRevoked (1 << 10)
+#  define OSSL_CMP_CTX_FAILINFO_certConfirmed (1 << 11)
+#  define OSSL_CMP_CTX_FAILINFO_wrongIntegrity (1 << 12)
+#  define OSSL_CMP_CTX_FAILINFO_badRecipientNonce (1 << 13)
+#  define OSSL_CMP_CTX_FAILINFO_timeNotAvailable (1 << 14)
+#  define OSSL_CMP_CTX_FAILINFO_unacceptedPolicy (1 << 15)
+#  define OSSL_CMP_CTX_FAILINFO_unacceptedExtension (1 << 16)
+#  define OSSL_CMP_CTX_FAILINFO_addInfoNotAvailable (1 << 17)
+#  define OSSL_CMP_CTX_FAILINFO_badSenderNonce (1 << 18)
+#  define OSSL_CMP_CTX_FAILINFO_badCertTemplate (1 << 19)
+#  define OSSL_CMP_CTX_FAILINFO_signerNotTrusted (1 << 20)
+#  define OSSL_CMP_CTX_FAILINFO_transactionIdInUse (1 << 21)
+#  define OSSL_CMP_CTX_FAILINFO_unsupportedVersion (1 << 22)
+#  define OSSL_CMP_CTX_FAILINFO_notAuthorized (1 << 23)
+#  define OSSL_CMP_CTX_FAILINFO_systemUnavail (1 << 24)
+#  define OSSL_CMP_CTX_FAILINFO_systemFailure (1 << 25)
+#  define OSSL_CMP_CTX_FAILINFO_duplicateCertReq (1 << 26)
+
+/*-
+ *   PKIStatus ::= INTEGER {
+ *       accepted                (0),
+ *       -- you got exactly what you asked for
+ *       grantedWithMods        (1),
+ *       -- you got something like what you asked for; the
+ *       -- requester is responsible for ascertaining the differences
+ *       rejection              (2),
+ *       -- you don't get it, more information elsewhere in the message
+ *       waiting                (3),
+ *       -- the request body part has not yet been processed; expect to
+ *       -- hear more later (note: proper handling of this status
+ *       -- response MAY use the polling req/rep PKIMessages specified
+ *       -- in Section 5.3.22; alternatively, polling in the underlying
+ *       -- transport layer MAY have some utility in this regard)
+ *       revocationWarning      (4),
+ *       -- this message contains a warning that a revocation is
+ *       -- imminent
+ *       revocationNotification (5),
+ *       -- notification that a revocation has occurred
+ *       keyUpdateWarning       (6)
+ *       -- update already done for the oldCertId specified in
+ *       -- CertReqMsg
+ *   }
+ */
+#  define OSSL_CMP_PKISTATUS_accepted 0
+#  define OSSL_CMP_PKISTATUS_grantedWithMods 1
+#  define OSSL_CMP_PKISTATUS_rejection 2
+#  define OSSL_CMP_PKISTATUS_waiting 3
+#  define OSSL_CMP_PKISTATUS_revocationWarning 4
+#  define OSSL_CMP_PKISTATUS_revocationNotification 5
+#  define OSSL_CMP_PKISTATUS_keyUpdateWarning 6
+
+typedef ASN1_INTEGER OSSL_CMP_PKISTATUS;
+DECLARE_ASN1_ITEM(OSSL_CMP_PKISTATUS)
+
+#  define OSSL_CMP_CERTORENCCERT_CERTIFICATE 0
+#  define OSSL_CMP_CERTORENCCERT_ENCRYPTEDCERT 1
+
+/* data type declarations */
+typedef struct OSSL_cmp_ctx_st OSSL_CMP_CTX;
+typedef struct OSSL_cmp_pkiheader_st OSSL_CMP_PKIHEADER;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PKIHEADER)
+typedef struct OSSL_cmp_msg_st OSSL_CMP_MSG;
+DECLARE_ASN1_ENCODE_FUNCTIONS(OSSL_CMP_MSG, OSSL_CMP_MSG, OSSL_CMP_MSG)
+typedef struct OSSL_cmp_certstatus_st OSSL_CMP_CERTSTATUS;
+DEFINE_STACK_OF(OSSL_CMP_CERTSTATUS)
+typedef struct OSSL_cmp_itav_st OSSL_CMP_ITAV;
+DEFINE_STACK_OF(OSSL_CMP_ITAV)
+typedef struct OSSL_cmp_revrepcontent_st OSSL_CMP_REVREPCONTENT;
+typedef struct OSSL_cmp_pkisi_st OSSL_CMP_PKISI;
+DEFINE_STACK_OF(OSSL_CMP_PKISI)
+typedef struct OSSL_cmp_certrepmessage_st OSSL_CMP_CERTREPMESSAGE;
+DEFINE_STACK_OF(OSSL_CMP_CERTREPMESSAGE)
+typedef struct OSSL_cmp_pollrep_st OSSL_CMP_POLLREP;
+typedef STACK_OF(OSSL_CMP_POLLREP) OSSL_CMP_POLLREPCONTENT;
+typedef struct OSSL_cmp_certresponse_st OSSL_CMP_CERTRESPONSE;
+DEFINE_STACK_OF(OSSL_CMP_CERTRESPONSE)
+typedef STACK_OF(ASN1_UTF8STRING) OSSL_CMP_PKIFREETEXT;
+
+/* from cmp_asn.c */
+OSSL_CMP_ITAV *OSSL_CMP_ITAV_create(ASN1_OBJECT *type, ASN1_TYPE *value);
+void OSSL_CMP_ITAV_set0(OSSL_CMP_ITAV *itav, ASN1_OBJECT *type,
+                        ASN1_TYPE *value);
+ASN1_OBJECT *OSSL_CMP_ITAV_get0_type(const OSSL_CMP_ITAV *itav);
+ASN1_TYPE *OSSL_CMP_ITAV_get0_value(const OSSL_CMP_ITAV *itav);
+int OSSL_CMP_ITAV_push0_stack_item(STACK_OF(OSSL_CMP_ITAV) **itav_sk_p,
+                                   OSSL_CMP_ITAV *itav);
+void OSSL_CMP_ITAV_free(OSSL_CMP_ITAV *itav);
+void OSSL_CMP_MSG_free(OSSL_CMP_MSG *msg);
+void OSSL_CMP_PKISI_free(OSSL_CMP_PKISI *si);
+DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_MSG)
+
+#   ifdef  __cplusplus
+}
+#   endif
+# endif /* !defined OPENSSL_NO_CMP */
+#endif /* !defined OSSL_HEADER_CMP_H */
diff --git a/include/openssl/buffererr.h b/include/openssl/cmperr.h
similarity index 51%
copy from include/openssl/buffererr.h
copy to include/openssl/cmperr.h
index 7f2af2a..7c1402c 100644
--- a/include/openssl/buffererr.h
+++ b/include/openssl/cmperr.h
@@ -8,27 +8,25 @@
  * https://www.openssl.org/source/license.html
  */
 
-#ifndef HEADER_BUFERR_H
-# define HEADER_BUFERR_H
+#ifndef HEADER_CMPERR_H
+# define HEADER_CMPERR_H
 
-# ifndef HEADER_SYMHACKS_H
-#  include <openssl/symhacks.h>
-# endif
+# include <openssl/opensslconf.h>
+
+# ifndef OPENSSL_NO_CMP
 
-# ifdef  __cplusplus
+#  ifdef  __cplusplus
 extern "C"
-# endif
-int ERR_load_BUF_strings(void);
+#  endif
+int ERR_load_CMP_strings(void);
 
 /*
- * BUF function codes.
+ * CMP function codes.
  */
-# define BUF_F_BUF_MEM_GROW                               100
-# define BUF_F_BUF_MEM_GROW_CLEAN                         105
-# define BUF_F_BUF_MEM_NEW                                101
 
 /*
- * BUF reason codes.
+ * CMP reason codes.
  */
 
+# endif
 #endif
diff --git a/include/openssl/crmf.h b/include/openssl/crmf.h
index 737a49d..bc0c891 100644
--- a/include/openssl/crmf.h
+++ b/include/openssl/crmf.h
@@ -1,7 +1,7 @@
 /*-
- * Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved.
- * Copyright Nokia 2007-2018
- * Copyright Siemens AG 2015-2018
+ * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright Nokia 2007-2019
+ * Copyright Siemens AG 2015-2019
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
diff --git a/include/openssl/err.h b/include/openssl/err.h
index 7398029..f601eaf 100644
--- a/include/openssl/err.h
+++ b/include/openssl/err.h
@@ -99,6 +99,7 @@ typedef struct err_state_st {
 # define ERR_LIB_PROP            55
 # define ERR_LIB_CRMF            56
 # define ERR_LIB_PROV            57
+# define ERR_LIB_CMP             58
 
 # define ERR_LIB_USER            128
 
@@ -133,6 +134,7 @@ typedef struct err_state_st {
 # define FIPSerr(f,r) ERR_PUT_error(ERR_LIB_FIPS,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
 # define CMSerr(f,r) ERR_PUT_error(ERR_LIB_CMS,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
 # define CRMFerr(f,r) ERR_PUT_error(ERR_LIB_CRMF,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
+# define CMPerr(f,r) ERR_PUT_error(ERR_LIB_CMP,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
 # define TSerr(f,r) ERR_PUT_error(ERR_LIB_TS,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
 # define HMACerr(f,r) ERR_PUT_error(ERR_LIB_HMAC,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
 # define CTerr(f,r) ERR_PUT_error(ERR_LIB_CT,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 8af98df..e5799d2 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -4664,147 +4664,161 @@ d2i_OSSL_CRMF_ENCRYPTEDVALUE            4619	3_0_0	EXIST::FUNCTION:CRMF
 i2d_OSSL_CRMF_ENCRYPTEDVALUE            4620	3_0_0	EXIST::FUNCTION:CRMF
 OSSL_CRMF_ENCRYPTEDVALUE_free           4621	3_0_0	EXIST::FUNCTION:CRMF
 OSSL_CRMF_ENCRYPTEDVALUE_new            4622	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_ENCRYPTEDVALUE_it             4623	3_0_0	NOEXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:CMP
-OSSL_CRMF_ENCRYPTEDVALUE_it             4624	3_0_0	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:CRMF
-OSSL_CRMF_ENCRYPTEDVALUE_it             4624	3_0_0	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:CRMF
-d2i_OSSL_CRMF_MSG                       4625	3_0_0	EXIST::FUNCTION:CRMF
-i2d_OSSL_CRMF_MSG                       4626	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_MSG_free                      4627	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_MSG_new                       4628	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_MSG_it                        4629	3_0_0	NOEXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:CMP
-OSSL_CRMF_MSG_it                        4630	3_0_0	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:CRMF
-OSSL_CRMF_MSG_it                        4630	3_0_0	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:CRMF
-d2i_OSSL_CRMF_PBMPARAMETER              4631	3_0_0	EXIST::FUNCTION:CRMF
-i2d_OSSL_CRMF_PBMPARAMETER              4632	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_PBMPARAMETER_free             4633	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_PBMPARAMETER_new              4634	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_PBMPARAMETER_it               4635	3_0_0	NOEXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:CMP
-OSSL_CRMF_PBMPARAMETER_it               4636	3_0_0	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:CRMF
-OSSL_CRMF_PBMPARAMETER_it               4636	3_0_0	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:CRMF
-d2i_OSSL_CRMF_CERTID                    4637	3_0_0	EXIST::FUNCTION:CRMF
-i2d_OSSL_CRMF_CERTID                    4638	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_CERTID_free                   4639	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_CERTID_new                    4640	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_CERTID_it                     4641	3_0_0	NOEXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:CMP
-OSSL_CRMF_CERTID_it                     4642	3_0_0	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:CRMF
-OSSL_CRMF_CERTID_it                     4642	3_0_0	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:CRMF
-d2i_OSSL_CRMF_PKIPUBLICATIONINFO        4643	3_0_0	EXIST::FUNCTION:CRMF
-i2d_OSSL_CRMF_PKIPUBLICATIONINFO        4644	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_PKIPUBLICATIONINFO_free       4645	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_PKIPUBLICATIONINFO_new        4646	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_PKIPUBLICATIONINFO_it         4647	3_0_0	NOEXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:CMP
-OSSL_CRMF_PKIPUBLICATIONINFO_it         4648	3_0_0	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:CRMF
-OSSL_CRMF_PKIPUBLICATIONINFO_it         4648	3_0_0	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:CRMF
-d2i_OSSL_CRMF_SINGLEPUBINFO             4649	3_0_0	EXIST::FUNCTION:CRMF
-i2d_OSSL_CRMF_SINGLEPUBINFO             4650	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_SINGLEPUBINFO_free            4651	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_SINGLEPUBINFO_new             4652	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_SINGLEPUBINFO_it              4653	3_0_0	NOEXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:CMP
-OSSL_CRMF_SINGLEPUBINFO_it              4654	3_0_0	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:CRMF
-OSSL_CRMF_SINGLEPUBINFO_it              4654	3_0_0	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:CRMF
-d2i_OSSL_CRMF_CERTTEMPLATE              4655	3_0_0	EXIST::FUNCTION:CRMF
-i2d_OSSL_CRMF_CERTTEMPLATE              4656	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_CERTTEMPLATE_free             4657	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_CERTTEMPLATE_new              4658	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_CERTTEMPLATE_it               4659	3_0_0	NOEXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:CMP
-OSSL_CRMF_CERTTEMPLATE_it               4660	3_0_0	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:CRMF
-OSSL_CRMF_CERTTEMPLATE_it               4660	3_0_0	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:CRMF
-d2i_OSSL_CRMF_MSGS                      4661	3_0_0	EXIST::FUNCTION:CRMF
-i2d_OSSL_CRMF_MSGS                      4662	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_MSGS_free                     4663	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_MSGS_new                      4664	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_MSGS_it                       4665	3_0_0	NOEXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:CMP
-OSSL_CRMF_MSGS_it                       4666	3_0_0	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:CRMF
-OSSL_CRMF_MSGS_it                       4666	3_0_0	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:CRMF
-OSSL_CRMF_pbmp_new                      4667	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_pbm_new                       4668	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_MSG_set1_regCtrl_regToken     4669	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_MSG_set1_regCtrl_authenticator 4670	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_MSG_PKIPublicationInfo_push0_SinglePubInfo 4671	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_MSG_set0_SinglePubInfo        4672	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_MSG_set_PKIPublicationInfo_action 4673	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_MSG_set1_regCtrl_pkiPublicationInfo 4674	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_MSG_set1_regCtrl_protocolEncrKey 4675	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_MSG_set1_regCtrl_oldCertID    4676	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_CERTID_gen                    4677	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_MSG_set1_regInfo_utf8Pairs    4678	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_MSG_set1_regInfo_certReq      4679	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_MSG_set_validity              4680	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_MSG_set_certReqId             4681	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_MSG_get_certReqId             4682	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_MSG_set0_extensions           4683	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_MSG_push0_extension           4684	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_MSG_create_popo               4685	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_MSGS_verify_popo              4686	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_MSG_get0_tmpl                 4687	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_CERTTEMPLATE_get0_serialNumber 4688	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_CERTTEMPLATE_get0_issuer      4689	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_CERTTEMPLATE_fill             4690	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert   4691	3_0_0	EXIST::FUNCTION:CRMF
-ERR_load_CRMF_strings                   4692	3_0_0	EXIST::FUNCTION:CRMF
-OSSL_PARAM_locate                       4693	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_construct_int                4694	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_construct_uint               4695	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_construct_long               4696	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_construct_ulong              4697	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_construct_int32              4698	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_construct_uint32             4699	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_construct_int64              4700	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_construct_uint64             4701	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_construct_size_t             4702	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_construct_BN                 4703	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_construct_double             4704	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_construct_utf8_string        4705	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_construct_utf8_ptr           4706	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_construct_octet_string       4707	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_construct_octet_ptr          4708	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_get_int                      4709	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_get_uint                     4710	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_get_long                     4711	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_get_ulong                    4712	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_get_int32                    4713	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_get_uint32                   4714	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_get_int64                    4715	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_get_uint64                   4716	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_get_size_t                   4717	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_set_int                      4718	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_set_uint                     4719	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_set_long                     4720	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_set_ulong                    4721	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_set_int32                    4722	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_set_uint32                   4723	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_set_int64                    4724	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_set_uint64                   4725	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_set_size_t                   4726	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_get_double                   4727	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_set_double                   4728	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_get_BN                       4729	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_set_BN                       4730	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_get_utf8_string              4731	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_set_utf8_string              4732	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_get_octet_string             4733	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_set_octet_string             4734	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_get_utf8_ptr                 4735	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_set_utf8_ptr                 4736	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_get_octet_ptr                4737	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_set_octet_ptr                4738	3_0_0	EXIST::FUNCTION:
-X509_set0_sm2_id                        4739	3_0_0	EXIST::FUNCTION:SM2
-X509_get0_sm2_id                        4740	3_0_0	EXIST::FUNCTION:SM2
-EVP_PKEY_get0_engine                    4741	3_0_0	EXIST::FUNCTION:ENGINE
-EVP_MD_upref                            4742	3_0_0	EXIST::FUNCTION:
-EVP_MD_fetch                            4743	3_0_0	EXIST::FUNCTION:
-EVP_set_default_properties              4744	3_0_0	EXIST::FUNCTION:
-OSSL_PARAM_construct_end                4745	3_0_0	EXIST::FUNCTION:
-EC_GROUP_check_named_curve              4746	3_0_0	EXIST::FUNCTION:EC
-EVP_CIPHER_upref                        4747	3_0_0	EXIST::FUNCTION:
-EVP_CIPHER_fetch                        4748	3_0_0	EXIST::FUNCTION:
-EVP_CIPHER_mode                         4749	3_0_0	EXIST::FUNCTION:
-OPENSSL_info                            4750	3_0_0	EXIST::FUNCTION:
-EVP_KDF_CTX_new                         4751	3_0_0	EXIST::FUNCTION:
-EVP_KDF_CTX_kdf                         4752	3_0_0	EXIST::FUNCTION:
-EVP_KDF_nid                             4753	3_0_0	EXIST::FUNCTION:
-EVP_get_kdfbyname                       4754	3_0_0	EXIST::FUNCTION:
-i2d_KeyParams                           4755	3_0_0	EXIST::FUNCTION:
-d2i_KeyParams                           4756	3_0_0	EXIST::FUNCTION:
-i2d_KeyParams_bio                       4757	3_0_0	EXIST::FUNCTION:
-d2i_KeyParams_bio                       4758	3_0_0	EXIST::FUNCTION:
+OSSL_CRMF_ENCRYPTEDVALUE_it             4623	3_0_0	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:CRMF
+OSSL_CRMF_ENCRYPTEDVALUE_it             4623	3_0_0	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:CRMF
+d2i_OSSL_CRMF_MSG                       4624	3_0_0	EXIST::FUNCTION:CRMF
+i2d_OSSL_CRMF_MSG                       4625	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_MSG_free                      4626	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_MSG_new                       4627	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_MSG_it                        4628	3_0_0	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:CRMF
+OSSL_CRMF_MSG_it                        4628	3_0_0	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:CRMF
+d2i_OSSL_CRMF_PBMPARAMETER              4629	3_0_0	EXIST::FUNCTION:CRMF
+i2d_OSSL_CRMF_PBMPARAMETER              4630	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_PBMPARAMETER_free             4631	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_PBMPARAMETER_new              4632	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_PBMPARAMETER_it               4633	3_0_0	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:CRMF
+OSSL_CRMF_PBMPARAMETER_it               4633	3_0_0	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:CRMF
+d2i_OSSL_CRMF_CERTID                    4634	3_0_0	EXIST::FUNCTION:CRMF
+i2d_OSSL_CRMF_CERTID                    4635	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_CERTID_free                   4636	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_CERTID_new                    4637	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_CERTID_it                     4638	3_0_0	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:CRMF
+OSSL_CRMF_CERTID_it                     4638	3_0_0	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:CRMF
+d2i_OSSL_CRMF_PKIPUBLICATIONINFO        4639	3_0_0	EXIST::FUNCTION:CRMF
+i2d_OSSL_CRMF_PKIPUBLICATIONINFO        4640	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_PKIPUBLICATIONINFO_free       4641	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_PKIPUBLICATIONINFO_new        4642	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_PKIPUBLICATIONINFO_it         4643	3_0_0	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:CRMF
+OSSL_CRMF_PKIPUBLICATIONINFO_it         4643	3_0_0	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:CRMF
+d2i_OSSL_CRMF_SINGLEPUBINFO             4644	3_0_0	EXIST::FUNCTION:CRMF
+i2d_OSSL_CRMF_SINGLEPUBINFO             4645	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_SINGLEPUBINFO_free            4646	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_SINGLEPUBINFO_new             4647	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_SINGLEPUBINFO_it              4648	3_0_0	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:CRMF
+OSSL_CRMF_SINGLEPUBINFO_it              4648	3_0_0	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:CRMF
+d2i_OSSL_CRMF_CERTTEMPLATE              4649	3_0_0	EXIST::FUNCTION:CRMF
+i2d_OSSL_CRMF_CERTTEMPLATE              4650	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_CERTTEMPLATE_free             4651	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_CERTTEMPLATE_new              4652	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_CERTTEMPLATE_it               4653	3_0_0	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:CRMF
+OSSL_CRMF_CERTTEMPLATE_it               4653	3_0_0	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:CRMF
+d2i_OSSL_CRMF_MSGS                      4654	3_0_0	EXIST::FUNCTION:CRMF
+i2d_OSSL_CRMF_MSGS                      4655	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_MSGS_free                     4656	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_MSGS_new                      4657	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_MSGS_it                       4658	3_0_0	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:CRMF
+OSSL_CRMF_MSGS_it                       4658	3_0_0	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:CRMF
+OSSL_CRMF_pbmp_new                      4659	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_pbm_new                       4660	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_MSG_set1_regCtrl_regToken     4661	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_MSG_set1_regCtrl_authenticator 4662	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_MSG_PKIPublicationInfo_push0_SinglePubInfo 4663	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_MSG_set0_SinglePubInfo        4664	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_MSG_set_PKIPublicationInfo_action 4665	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_MSG_set1_regCtrl_pkiPublicationInfo 4666	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_MSG_set1_regCtrl_protocolEncrKey 4667	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_MSG_set1_regCtrl_oldCertID    4668	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_CERTID_gen                    4669	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_MSG_set1_regInfo_utf8Pairs    4670	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_MSG_set1_regInfo_certReq      4671	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_MSG_set_validity              4672	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_MSG_set_certReqId             4673	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_MSG_get_certReqId             4674	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_MSG_set0_extensions           4675	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_MSG_push0_extension           4676	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_MSG_create_popo               4677	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_MSGS_verify_popo              4678	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_MSG_get0_tmpl                 4679	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_CERTTEMPLATE_get0_serialNumber 4680	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_CERTTEMPLATE_get0_issuer      4681	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_CERTTEMPLATE_fill             4682	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert   4683	3_0_0	EXIST::FUNCTION:CRMF
+ERR_load_CRMF_strings                   4684	3_0_0	EXIST::FUNCTION:CRMF
+OSSL_PARAM_locate                       4685	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_construct_int                4686	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_construct_uint               4687	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_construct_long               4688	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_construct_ulong              4689	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_construct_int32              4690	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_construct_uint32             4691	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_construct_int64              4692	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_construct_uint64             4693	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_construct_size_t             4694	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_construct_BN                 4695	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_construct_double             4696	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_construct_utf8_string        4697	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_construct_utf8_ptr           4698	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_construct_octet_string       4699	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_construct_octet_ptr          4700	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_get_int                      4701	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_get_uint                     4702	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_get_long                     4703	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_get_ulong                    4704	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_get_int32                    4705	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_get_uint32                   4706	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_get_int64                    4707	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_get_uint64                   4708	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_get_size_t                   4709	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_set_int                      4710	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_set_uint                     4711	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_set_long                     4712	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_set_ulong                    4713	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_set_int32                    4714	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_set_uint32                   4715	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_set_int64                    4716	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_set_uint64                   4717	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_set_size_t                   4718	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_get_double                   4719	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_set_double                   4720	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_get_BN                       4721	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_set_BN                       4722	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_get_utf8_string              4723	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_set_utf8_string              4724	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_get_octet_string             4725	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_set_octet_string             4726	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_get_utf8_ptr                 4727	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_set_utf8_ptr                 4728	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_get_octet_ptr                4729	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_set_octet_ptr                4730	3_0_0	EXIST::FUNCTION:
+X509_set0_sm2_id                        4731	3_0_0	EXIST::FUNCTION:SM2
+X509_get0_sm2_id                        4732	3_0_0	EXIST::FUNCTION:SM2
+EVP_PKEY_get0_engine                    4733	3_0_0	EXIST::FUNCTION:ENGINE
+EVP_MD_upref                            4734	3_0_0	EXIST::FUNCTION:
+EVP_MD_fetch                            4735	3_0_0	EXIST::FUNCTION:
+EVP_set_default_properties              4736	3_0_0	EXIST::FUNCTION:
+OSSL_PARAM_construct_end                4737	3_0_0	EXIST::FUNCTION:
+EC_GROUP_check_named_curve              4738	3_0_0	EXIST::FUNCTION:EC
+EVP_CIPHER_upref                        4739	3_0_0	EXIST::FUNCTION:
+EVP_CIPHER_fetch                        4740	3_0_0	EXIST::FUNCTION:
+EVP_CIPHER_mode                         4741	3_0_0	EXIST::FUNCTION:
+OPENSSL_info                            4742	3_0_0	EXIST::FUNCTION:
+EVP_KDF_CTX_new                         4743	3_0_0	EXIST::FUNCTION:
+EVP_KDF_CTX_kdf                         4744	3_0_0	EXIST::FUNCTION:
+EVP_KDF_nid                             4745	3_0_0	EXIST::FUNCTION:
+EVP_get_kdfbyname                       4746	3_0_0	EXIST::FUNCTION:
+i2d_KeyParams                           4747	3_0_0	EXIST::FUNCTION:
+d2i_KeyParams                           4748	3_0_0	EXIST::FUNCTION:
+i2d_KeyParams_bio                       4749	3_0_0	EXIST::FUNCTION:
+d2i_KeyParams_bio                       4750	3_0_0	EXIST::FUNCTION:
+OSSL_CMP_PKISTATUS_it                   4751	3_0_0	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:CMP
+OSSL_CMP_PKISTATUS_it                   4751	3_0_0	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:CMP
+d2i_OSSL_CMP_PKIHEADER                  4752	3_0_0	EXIST::FUNCTION:CMP
+i2d_OSSL_CMP_PKIHEADER                  4753	3_0_0	EXIST::FUNCTION:CMP
+OSSL_CMP_PKIHEADER_free                 4754	3_0_0	EXIST::FUNCTION:CMP
+OSSL_CMP_PKIHEADER_new                  4755	3_0_0	EXIST::FUNCTION:CMP
+OSSL_CMP_PKIHEADER_it                   4756	3_0_0	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:CMP
+OSSL_CMP_PKIHEADER_it                   4756	3_0_0	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:CMP
+d2i_OSSL_CMP_MSG                        4757	3_0_0	EXIST::FUNCTION:CMP
+i2d_OSSL_CMP_MSG                        4758	3_0_0	EXIST::FUNCTION:CMP
+OSSL_CMP_MSG_it                         4759	3_0_0	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:CMP
+OSSL_CMP_MSG_it                         4759	3_0_0	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:CMP
+OSSL_CMP_ITAV_create                    4760	3_0_0	EXIST::FUNCTION:CMP
+OSSL_CMP_ITAV_set0                      4761	3_0_0	EXIST::FUNCTION:CMP
+OSSL_CMP_ITAV_get0_type                 4762	3_0_0	EXIST::FUNCTION:CMP
+OSSL_CMP_ITAV_get0_value                4763	3_0_0	EXIST::FUNCTION:CMP
+OSSL_CMP_ITAV_push0_stack_item          4764	3_0_0	EXIST::FUNCTION:CMP
+OSSL_CMP_ITAV_free                      4765	3_0_0	EXIST::FUNCTION:CMP
+OSSL_CMP_MSG_free                       4766	3_0_0	EXIST::FUNCTION:CMP
+OSSL_CMP_PKISI_free                     4767	3_0_0	EXIST::FUNCTION:CMP
+OSSL_CMP_MSG_dup                        4768	3_0_0	EXIST::FUNCTION:CMP
+ERR_load_CMP_strings                    4769	3_0_0	EXIST::FUNCTION:CMP


More information about the openssl-commits mailing list