diff --git a/lib/hcrypto/aes.h b/lib/hcrypto/aes.h
index 23f8f5d0a..273f1dd56 100644
--- a/lib/hcrypto/aes.h
+++ b/lib/hcrypto/aes.h
@@ -69,7 +69,7 @@ void AES_encrypt(const unsigned char *, unsigned char *, const AES_KEY *);
 void AES_decrypt(const unsigned char *, unsigned char *, const AES_KEY *);
 
 void AES_cbc_encrypt(const unsigned char *, unsigned char *,
-		     const unsigned long, const AES_KEY *,
+		     unsigned long, const AES_KEY *,
 		     unsigned char *, int);
 
 #ifdef  __cplusplus
diff --git a/lib/hcrypto/bn.c b/lib/hcrypto/bn.c
index 545d9529d..17c1ec79b 100644
--- a/lib/hcrypto/bn.c
+++ b/lib/hcrypto/bn.c
@@ -40,6 +40,7 @@
 #include <limits.h>
 
 #include <krb5-types.h>
+#include <roken.h>
 #include <rfc2459_asn1.h> /* XXX */
 #include <der.h>
 
diff --git a/lib/hcrypto/evp.c b/lib/hcrypto/evp.c
index 006db3593..72787e185 100644
--- a/lib/hcrypto/evp.c
+++ b/lib/hcrypto/evp.c
@@ -49,6 +49,7 @@
 #include <evp-cc.h>
 
 #include <krb5-types.h>
+#include <roken.h>
 
 #ifndef HCRYPTO_DEF_PROVIDER
 #define HCRYPTO_DEF_PROVIDER hcrypto
diff --git a/lib/hcrypto/evp.h b/lib/hcrypto/evp.h
index 600f69b7a..ae92ab489 100644
--- a/lib/hcrypto/evp.h
+++ b/lib/hcrypto/evp.h
@@ -214,24 +214,24 @@ HC_CPP_BEGIN
  */
 
 const EVP_MD *EVP_md_null(void);
-const EVP_MD *EVP_md2(void) HC_DEPRECATED_CRYPTO;
-const EVP_MD *EVP_md4(void) HC_DEPRECATED_CRYPTO;
-const EVP_MD *EVP_md5(void) HC_DEPRECATED_CRYPTO;
-const EVP_MD *EVP_sha(void) HC_DEPRECATED;
+HC_DEPRECATED_CRYPTO const EVP_MD *EVP_md2(void);
+HC_DEPRECATED_CRYPTO const EVP_MD *EVP_md4(void);
+HC_DEPRECATED_CRYPTO const EVP_MD *EVP_md5(void);
+const EVP_MD *EVP_sha(void);
 const EVP_MD *EVP_sha1(void);
 const EVP_MD *EVP_sha256(void);
 
 const EVP_CIPHER * EVP_aes_128_cbc(void);
 const EVP_CIPHER * EVP_aes_192_cbc(void);
 const EVP_CIPHER * EVP_aes_256_cbc(void);
-const EVP_CIPHER * EVP_des_cbc(void) HC_DEPRECATED_CRYPTO;
+HC_DEPRECATED_CRYPTO const EVP_CIPHER * EVP_des_cbc(void);
 const EVP_CIPHER * EVP_des_ede3_cbc(void);
 const EVP_CIPHER * EVP_enc_null(void);
-const EVP_CIPHER * EVP_rc2_40_cbc(void) HC_DEPRECATED_CRYPTO;
-const EVP_CIPHER * EVP_rc2_64_cbc(void) HC_DEPRECATED_CRYPTO;
-const EVP_CIPHER * EVP_rc2_cbc(void) HC_DEPRECATED_CRYPTO;
+HC_DEPRECATED_CRYPTO const EVP_CIPHER * EVP_rc2_40_cbc(void);
+HC_DEPRECATED_CRYPTO const EVP_CIPHER * EVP_rc2_64_cbc(void);
+HC_DEPRECATED_CRYPTO const EVP_CIPHER * EVP_rc2_cbc(void);
 const EVP_CIPHER * EVP_rc4(void);
-const EVP_CIPHER * EVP_rc4_40(void) HC_DEPRECATED_CRYPTO;
+HC_DEPRECATED_CRYPTO const EVP_CIPHER * EVP_rc4_40(void);
 const EVP_CIPHER * EVP_camellia_128_cbc(void);
 const EVP_CIPHER * EVP_camellia_192_cbc(void);
 const EVP_CIPHER * EVP_camellia_256_cbc(void);
diff --git a/lib/hcrypto/hash.h b/lib/hcrypto/hash.h
index b8d5d4560..78a795f2a 100644
--- a/lib/hcrypto/hash.h
+++ b/lib/hcrypto/hash.h
@@ -43,6 +43,7 @@
 #ifdef KRB5
 #include <krb5-types.h>
 #endif
+#include <roken.h>
 
 #ifndef min
 #define min(a,b) (((a)>(b))?(b):(a))
diff --git a/lib/hcrypto/libhcrypto-exports.def b/lib/hcrypto/libhcrypto-exports.def
new file mode 100644
index 000000000..1e32eace1
--- /dev/null
+++ b/lib/hcrypto/libhcrypto-exports.def
@@ -0,0 +1,246 @@
+EXPORTS
+	hc_AES_cbc_encrypt
+	hc_AES_decrypt
+	hc_AES_decrypt_key
+	hc_BN_CTX_end
+	hc_BN_CTX_free
+	hc_BN_CTX_get
+	hc_BN_CTX_new
+	hc_BN_CTX_start
+	hc_AES_encrypt
+	hc_AES_set_encrypt_key
+	hc_BN_GENCB_call
+	hc_BN_GENCB_set
+	hc_BN_bin2bn
+	hc_BN_bn2bin
+	hc_BN_bn2hex
+	hc_BN_clear
+	hc_BN_clear_bit
+	hc_BN_clear_free
+	hc_BN_cmp
+	hc_BN_dup
+	hc_BN_free
+	hc_BN_get_word
+	hc_BN_hex2bn
+	hc_BN_is_bit_set
+	hc_BN_is_negative
+	hc_BN_new
+	hc_BN_num_bits
+	hc_BN_num_bytes
+	hc_BN_rand
+	hc_BN_set_bit
+	hc_BN_set_negative
+	hc_BN_set_word
+	hc_BN_uadd
+	hc_DES_cbc_cksum
+	hc_DES_cbc_encrypt
+	hc_DES_cfb64_encrypt
+	hc_DES_check_key_parity
+	hc_DES_ecb3_encrypt
+	hc_DES_ecb_encrypt
+	hc_DES_ede3_cbc_encrypt
+	hc_DES_encrypt
+	hc_DES_generate_random_block
+	hc_DES_init_random_number_generator
+	hc_DES_is_weak_key
+	hc_DES_key_sched
+;	hc_DES_mem_rand8
+	hc_DES_new_random_key
+	hc_DES_pcbc_encrypt
+	hc_DES_rand_data
+	hc_DES_rand_data_key
+	hc_DES_random_key
+	hc_DES_read_password
+	hc_DES_set_key
+	hc_DES_set_key_checked
+	hc_DES_set_key_unchecked
+	hc_DES_set_odd_parity
+	hc_DES_set_random_generator_seed
+	hc_DES_set_sequence_number
+	hc_DES_string_to_key
+	hc_DH_check_pubkey
+	hc_DH_compute_key
+	hc_DH_free
+	hc_DH_generate_key
+	hc_DH_generate_parameters_ex
+	hc_DH_get_default_method
+	hc_DH_get_ex_data
+	hc_DH_imath_method
+;	hc_DH_gmp_method
+	hc_DH_new
+	hc_DH_new_method
+	hc_DH_null_method
+	hc_DH_set_default_method
+	hc_DH_set_ex_data
+	hc_DH_set_method
+	hc_DH_size
+	hc_DH_up_ref
+	hc_DSA_free
+	hc_DSA_get_default_method
+	hc_DSA_new
+	hc_DSA_null_method
+	hc_DSA_set_default_method
+	hc_DSA_up_ref
+	hc_DSA_verify
+	hc_ENGINE_add_conf_module
+	hc_ENGINE_by_dso
+	hc_ENGINE_by_id
+	hc_ENGINE_finish
+	hc_ENGINE_get_DH
+	hc_ENGINE_get_RAND
+	hc_ENGINE_get_RSA
+	hc_ENGINE_get_default_DH
+	hc_ENGINE_get_default_RSA
+	hc_ENGINE_get_id
+	hc_ENGINE_get_name
+	hc_ENGINE_load_builtin_engines
+	hc_ENGINE_set_DH
+	hc_ENGINE_set_RSA
+	hc_ENGINE_set_default_DH
+	hc_ENGINE_set_default_RSA
+	hc_ENGINE_set_destroy_function
+	hc_ENGINE_set_id
+	hc_ENGINE_set_name
+	hc_ENGINE_up_ref
+	hc_EVP_BytesToKey
+	hc_EVP_CIPHER_CTX_block_size
+	hc_EVP_CIPHER_CTX_cipher
+	hc_EVP_CIPHER_CTX_cleanup
+	hc_EVP_CIPHER_CTX_flags
+	hc_EVP_CIPHER_CTX_get_app_data
+	hc_EVP_CIPHER_CTX_init
+	hc_EVP_CIPHER_CTX_iv_length
+	hc_EVP_CIPHER_CTX_key_length
+	hc_EVP_CIPHER_CTX_mode
+	hc_EVP_CIPHER_CTX_set_app_data
+	hc_EVP_CIPHER_block_size
+	hc_EVP_CIPHER_iv_length
+	hc_EVP_CIPHER_key_length
+	hc_EVP_Cipher
+	hc_EVP_CipherInit_ex
+	hc_EVP_Digest
+	hc_EVP_DigestFinal_ex
+	hc_EVP_DigestInit_ex
+	hc_EVP_DigestUpdate
+	hc_EVP_MD_CTX_block_size
+	hc_EVP_MD_CTX_cleanup
+	hc_EVP_MD_CTX_cleanup
+	hc_EVP_MD_CTX_create
+	hc_EVP_MD_CTX_create
+	hc_EVP_MD_CTX_destroy
+	hc_EVP_MD_CTX_destroy
+	hc_EVP_MD_CTX_init
+	hc_EVP_MD_CTX_init
+	hc_EVP_MD_CTX_md
+	hc_EVP_MD_CTX_size
+	hc_EVP_MD_block_size
+	hc_EVP_MD_size
+	hc_EVP_aes_128_cbc
+	hc_EVP_aes_192_cbc
+	hc_EVP_aes_256_cbc
+	hc_EVP_hcrypto_aes_128_cbc
+	hc_EVP_hcrypto_aes_192_cbc
+	hc_EVP_hcrypto_aes_256_cbc
+	hc_EVP_hcrypto_aes_128_cts
+	hc_EVP_hcrypto_aes_256_cts
+;	hc_EVP_hcrypto_aes_cts_128_cbc
+;	hc_EVP_hcrypto_aes_cts_192_cbc
+;	hc_EVP_hcrypto_aes_cts_256_cbc
+	hc_EVP_des_cbc
+	hc_EVP_des_ede3_cbc
+	hc_EVP_camellia_128_cbc
+	hc_EVP_camellia_192_cbc
+	hc_EVP_camellia_256_cbc
+	hc_EVP_enc_null
+	hc_EVP_get_cipherbyname
+	hc_EVP_md2
+	hc_EVP_md4
+	hc_EVP_md5
+	hc_EVP_md_null
+	hc_EVP_rc2_40_cbc
+	hc_EVP_rc2_64_cbc
+	hc_EVP_rc2_cbc
+	hc_EVP_rc4
+	hc_EVP_rc4_40
+	hc_EVP_sha
+	hc_EVP_sha1
+	hc_EVP_sha256
+	hc_HMAC
+	hc_HMAC_CTX_cleanup
+	hc_HMAC_CTX_init
+	hc_HMAC_Final
+	hc_HMAC_Init_ex
+	hc_HMAC_Update
+	hc_HMAC_size
+	hc_MD2_Final
+	hc_MD2_Init
+	hc_MD2_Update
+	hc_MD4_Final
+	hc_MD4_Init
+	hc_MD4_Update
+	hc_MD5_Final
+	hc_MD5_Init
+	hc_MD5_Update
+	hc_OpenSSL_add_all_algorithms
+	hc_OpenSSL_add_all_algorithms_conf
+	hc_OpenSSL_add_all_algorithms_noconf
+	hc_PKCS12_key_gen
+	hc_PKCS5_PBKDF2_HMAC_SHA1
+	hc_RAND_add
+	hc_RAND_bytes
+	hc_RAND_cleanup
+;	hc_RAND_egd
+;	hc_RAND_egd_bytes
+;	hc_RAND_egd_method
+	hc_RAND_file_name
+	hc_RAND_fortuna_method
+	hc_RAND_get_rand_method
+	hc_RAND_load_file
+	hc_RAND_pseudo_bytes
+	hc_RAND_seed
+	hc_RAND_set_rand_engine
+	hc_RAND_set_rand_method
+	hc_RAND_status
+;	hc_RAND_unix_method
+;	hc_RAND_timer_method
+	hc_RAND_write_file
+	hc_RC2_cbc_encrypt
+	hc_RC2_decryptc
+	hc_RC2_encryptc
+	hc_RC2_set_key
+	hc_RC4
+	hc_RC4_set_key
+	hc_RSA_check_key
+	hc_RSA_free
+	hc_RSA_generate_key_ex
+	hc_RSA_get_app_data
+	hc_RSA_get_default_method
+	hc_RSA_get_method
+	hc_RSA_imath_method
+	hc_RSA_new
+	hc_RSA_new_method
+	hc_RSA_null_method
+	hc_RSA_private_decrypt
+	hc_RSA_private_encrypt
+	hc_RSA_public_decrypt
+	hc_RSA_public_encrypt
+	hc_RSA_set_app_data
+	hc_RSA_set_default_method
+	hc_RSA_set_method
+	hc_RSA_sign
+	hc_RSA_size
+	hc_RSA_up_ref
+	hc_RSA_verify
+	hc_SHA1_Final
+	hc_SHA1_Init
+	hc_SHA1_Update
+	hc_SHA256_Final
+	hc_SHA256_Init
+	hc_SHA256_Update
+	hc_UI_UTIL_read_pw_string
+	hc_UI_UTIL_read_pw_string
+	hc_d2i_RSAPrivateKey
+	hc_i2d_RSAPrivateKey
+	hc_i2d_RSAPublicKey
+	hc_EVP_CIPHER_CTX_ctrl
+	hc_EVP_CIPHER_CTX_rand_key
diff --git a/lib/hcrypto/rand-fortuna.c b/lib/hcrypto/rand-fortuna.c
index c39c71390..c81eb9e2d 100644
--- a/lib/hcrypto/rand-fortuna.c
+++ b/lib/hcrypto/rand-fortuna.c
@@ -35,6 +35,9 @@
 #include <stdlib.h>
 #include <rand.h>
 
+#ifdef KRB5
+#include <krb5-types.h>
+#endif
 #include <roken.h>
 
 #include "randi.h"
@@ -451,6 +454,7 @@ fortuna_reseed(void)
     if (!init_done)
 	abort();
 
+#ifndef NO_RAND_UNIX_METHOD
     {
 	unsigned char buf[INIT_BYTES];
 	if ((*hc_rand_unix_method.bytes)(buf, sizeof(buf)) == 1) {
@@ -459,6 +463,7 @@ fortuna_reseed(void)
 	    memset(buf, 0, sizeof(buf));
 	}
     }
+#endif
 #ifdef HAVE_ARC4RANDOM
     {
 	uint32_t buf[INIT_BYTES / sizeof(uint32_t)];
@@ -470,6 +475,7 @@ fortuna_reseed(void)
 	entropy_p = 1;
     }
 #endif
+#ifndef NO_RAND_EGD_METHOD
     /*
      * Only to get egd entropy if /dev/random or arc4rand failed since
      * it can be horribly slow to generate new bits.
@@ -482,6 +488,7 @@ fortuna_reseed(void)
 	    memset(buf, 0, sizeof(buf));
 	}
     }
+#endif
     /*
      * Fall back to gattering data from timer and secret files, this
      * is really the last resort.
@@ -521,10 +528,12 @@ fortuna_reseed(void)
 	gettimeofday(&tv, NULL);
 	add_entropy(&main_state, (void *)&tv, sizeof(tv));
     }
+#ifdef HAVE_GETUID
     {
 	uid_t u = getuid();
 	add_entropy(&main_state, (void *)&u, sizeof(u));
     }
+#endif
     return entropy_p;
 }
 
diff --git a/lib/hcrypto/rijndael-alg-fst.c b/lib/hcrypto/rijndael-alg-fst.c
index 3dd255581..9a7f0fd3d 100644
--- a/lib/hcrypto/rijndael-alg-fst.c
+++ b/lib/hcrypto/rijndael-alg-fst.c
@@ -31,11 +31,12 @@
 #include "config.h"
 
 
+#include <stdlib.h>
 #ifdef KRB5
 #include <krb5-types.h>
 #endif
 
-#include <rijndael-alg-fst.h>
+#include "rijndael-alg-fst.h"
 
 /* the file should not be used from outside */
 typedef uint8_t			u8;
diff --git a/lib/hcrypto/rnd_keys.c b/lib/hcrypto/rnd_keys.c
index 9baf00212..49c7634c3 100644
--- a/lib/hcrypto/rnd_keys.c
+++ b/lib/hcrypto/rnd_keys.c
@@ -39,11 +39,11 @@
 #ifdef KRB5
 #include <krb5-types.h>
 #endif
+#include <stdlib.h>
+
 #include <des.h>
 #include <rand.h>
 
-#include <stdlib.h>
-
 #undef __attribute__
 #define __attribute__(X)
 
diff --git a/lib/hcrypto/test_crypto.in b/lib/hcrypto/test_crypto.in
index 131308ce8..5dac31d56 100644
--- a/lib/hcrypto/test_crypto.in
+++ b/lib/hcrypto/test_crypto.in
@@ -36,9 +36,9 @@
 
 srcdir="@srcdir@"
 
-rsa="${TESTS_ENVIRONMENT} ./test_rsa"
-engine="${TESTS_ENVIRONMENT} ./test_engine_dso"
-rand="${TESTS_ENVIRONMENT} ./test_rand"
+rsa="${TESTS_ENVIRONMENT} ./test_rsa@exeext@"
+engine="${TESTS_ENVIRONMENT} ./test_engine_dso@exeext@"
+rand="${TESTS_ENVIRONMENT} ./test_rand@exeext@"
 
 ${engine} --test-random > /dev/null || { echo "missing random"; exit 77; }
 
diff --git a/lib/hcrypto/test_rand.c b/lib/hcrypto/test_rand.c
index 5a73e6428..2b348c7f3 100644
--- a/lib/hcrypto/test_rand.c
+++ b/lib/hcrypto/test_rand.c
@@ -113,10 +113,14 @@ main(int argc, char **argv)
     if (rand_method) {
 	if (strcasecmp(rand_method, "fortuna") == 0)
 	    RAND_set_rand_method(RAND_fortuna_method());
+#ifndef NO_RAND_UNIX_METHOD
 	else if (strcasecmp(rand_method, "unix") == 0)
 	    RAND_set_rand_method(RAND_unix_method());
+#endif
+#ifndef NO_RAND_EGD_METHOD
 	else if (strcasecmp(rand_method, "egd") == 0)
 	    RAND_set_rand_method(RAND_egd_method());
+#endif
 	else
 	    errx(1, "unknown method %s", rand_method);
     }
diff --git a/lib/hcrypto/ui.c b/lib/hcrypto/ui.c
index ca8c8442b..de7d0fc9a 100644
--- a/lib/hcrypto/ui.c
+++ b/lib/hcrypto/ui.c
@@ -37,10 +37,15 @@
 #include <stdlib.h>
 #include <string.h>
 #include <signal.h>
+#ifdef HAVE_TERMIOS_H
 #include <termios.h>
+#endif
 #include <roken.h>
 
 #include <ui.h>
+#ifdef HAVE_CONIO_H
+#include <conio.h>
+#endif
 
 static sig_atomic_t intr_flag;
 
@@ -50,6 +55,8 @@ intr(int sig)
     intr_flag++;
 }
 
+#ifndef HAVE_CONIO_H
+
 #ifndef NSIG
 #define NSIG 47
 #endif
@@ -135,6 +142,49 @@ read_string(const char *preprompt, const char *prompt,
     return 0;
 }
 
+#else  /* CONIO_H */
+
+static int
+read_string(const char *preprompt, const char *prompt, 
+	    char *buf, size_t len, int echo)
+{
+    int of = 0;
+    int c;
+    char *p;
+    void (*oldsigintr)(int);
+
+    _cprintf("%s%s", preprompt, prompt);
+
+    oldsigintr = signal(SIGINT, intr);
+
+    p = buf;
+    while(intr_flag == 0){
+	c = ((echo)? _getche(): _getch());
+	if(c == '\n')
+	    break;
+	if(of == 0)
+	    *p++ = c;
+	of = (p == buf + len);
+    }
+    if(of)
+	p--;
+    *p = 0;
+    
+    if(echo == 0){
+	printf("\n");
+    }
+
+    signal(SIGINT, oldsigintr);
+    
+    if(intr_flag)
+	return -2;
+    if(of)
+	return -1;
+    return 0;
+}
+
+#endif
+
 int
 UI_UTIL_read_pw_string(char *buf, int length, const char *prompt, int verify)
 {