Prepare for 1.0.1h release

Check session_cert is not NULL before dereferencing it.

.cvsignore

@@ -3,6 +3,8 @@ libcrypto.pc
 libssl.pc
 MINFO
 makefile.one
+tmp
+out
 outinc
 rehash.time
 testlog

.gitignore

@@ -0,0 +1,77 @@
+# Object files
+*.o
+
+# editor artefacts
+*.swp
+.#*
+#*#
+*~
+
+# Top level excludes
+/Makefile.bak
+/Makefile
+/*.a
+/include
+/*.pc
+/rehash.time
+
+# Most *.c files under test/ are symlinks
+/test/*.c
+# Apart from these
+!/test/asn1test.c
+!/test/methtest.c
+!/test/dummytest.c
+!/test/igetest.c
+!/test/r160test.c
+!/test/fips_algvs.c
+
+/test/*.ss
+/test/*.srl
+/test/.rnd
+/test/test*.pem
+/test/newkey.pem
+
+# Certificate symbolic links
+*.0
+
+# Links under apps
+/apps/CA.pl
+/apps/md4.c
+
+
+# Auto generated headers
+/crypto/buildinf.h
+/crypto/opensslconf.h
+
+# Auto generated assembly language source files
+*.s
+!/crypto/bn/asm/pa-risc2.s
+!/crypto/bn/asm/pa-risc2W.s
+
+# Executables
+/apps/openssl
+/test/sha256t
+/test/sha512t
+/test/*test
+/test/fips_aesavs
+/test/fips_desmovs
+/test/fips_dhvs
+/test/fips_drbgvs
+/test/fips_dssvs
+/test/fips_ecdhvs
+/test/fips_ecdsavs
+/test/fips_rngvs
+/test/fips_test_suite
+*.so*
+*.dylib*
+*.dll*
+# Exceptions
+!/test/bctest
+!/crypto/des/times/486-50.sol
+
+# Misc auto generated files
+/tools/c_rehash
+/test/evptests.txt
+lib
+Makefile.save
+*.bak

ACKNOWLEDGMENTS

@@ -10,13 +10,18 @@ OpenSSL project.
 We would like to identify and thank the following such sponsors for their past
 or current significant support of the OpenSSL project:
 
+Major support:
+
+	Qualys		http://www.qualys.com/
+
 Very significant support:
 
-	OpenGear: www.opengear.com
+	OpenGear:	http://www.opengear.com/
 
 Significant support:
 
-	PSW Group: www.psw.net
+	PSW Group:	http://www.psw.net/
+	Acano Ltd.	http://acano.com/
 
 Please note that we ask permission to identify sponsors and that some sponsors
 we consider eligible for inclusion here have requested to remain anonymous.

CHANGES

@@ -2,225 +2,269 @@
  OpenSSL CHANGES
  _______________
 
- Changes between 1.0.1 and 1.1.0  [xx XXX xxxx]
+ Changes between 1.0.1g and 1.0.1h [5 Jun 2014]
 
-  *) Add perl scripts to calculate FIPS signatures for Windows
-     exectuables including WinCE. 
+  *) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
+     handshake can force the use of weak keying material in OpenSSL
+     SSL/TLS clients and servers.
+
+     Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
+     researching this issue. (CVE-2014-0224)
+     [KIKUCHI Masashi, Steve Henson]
+
+  *) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
+     OpenSSL DTLS client the code can be made to recurse eventually crashing
+     in a DoS attack.
+
+     Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
+     (CVE-2014-0221)
+     [Imre Rad, Steve Henson]
+
+  *) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
+     be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
+     client or server. This is potentially exploitable to run arbitrary
+     code on a vulnerable client or server.
+
+     Thanks to J<>ri Aedla for reporting this issue. (CVE-2014-0195)
+     [J<>ri Aedla, Steve Henson]
+
+  *) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
+     are subject to a denial of service attack.
+
+     Thanks to Felix Gr<47>bert and Ivan Fratric at Google for discovering
+     this issue. (CVE-2014-3470)
+     [Felix Gr<47>bert, Ivan Fratric, Steve Henson]
+
+  *) Harmonize version and its documentation. -f flag is used to display
+     compilation flags.
+     [mancha <mancha1@zoho.com>]
+
+  *) Fix eckey_priv_encode so it immediately returns an error upon a failure
+     in i2d_ECPrivateKey.
+     [mancha <mancha1@zoho.com>]
+
+  *) Fix some double frees. These are not thought to be exploitable.
+     [mancha <mancha1@zoho.com>]
+
+ Changes between 1.0.1f and 1.0.1g [7 Apr 2014]
+
+  *) A missing bounds check in the handling of the TLS heartbeat extension
+     can be used to reveal up to 64k of memory to a connected client or
+     server.
+
+     Thanks for Neel Mehta of Google Security for discovering this bug and to
+     Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
+     preparing the fix (CVE-2014-0160)
+     [Adam Langley, Bodo Moeller]
+
+  *) Fix for the attack described in the paper "Recovering OpenSSL
+     ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
+     by Yuval Yarom and Naomi Benger. Details can be obtained from:
+     http://eprint.iacr.org/2014/140
+
+     Thanks to Yuval Yarom and Naomi Benger for discovering this
+     flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
+     [Yuval Yarom and Naomi Benger]
+
+  *) TLS pad extension: draft-agl-tls-padding-03
+
+     Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
+     TLS client Hello record length value would otherwise be > 255 and
+     less that 512 pad with a dummy extension containing zeroes so it
+     is at least 512 bytes long.
+
+     [Adam Langley, Steve Henson]
+
+ Changes between 1.0.1e and 1.0.1f [6 Jan 2014]
+
+  *) Fix for TLS record tampering bug. A carefully crafted invalid 
+     handshake could crash OpenSSL with a NULL pointer exception.
+     Thanks to Anton Johansson for reporting this issues.
+     (CVE-2013-4353)
+
+  *) Keep original DTLS digest and encryption contexts in retransmission
+     structures so we can use the previous session parameters if they need
+     to be resent. (CVE-2013-6450)
+     [Steve Henson]
+
+  *) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
+     avoids preferring ECDHE-ECDSA ciphers when the client appears to be
+     Safari on OS X.  Safari on OS X 10.8..10.8.3 advertises support for
+     several ECDHE-ECDSA ciphers, but fails to negotiate them.  The bug
+     is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
+     10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
+     [Rob Stradling, Adam Langley]
+
+ Changes between 1.0.1d and 1.0.1e [11 Feb 2013]
+
+  *) Correct fix for CVE-2013-0169. The original didn't work on AES-NI
+     supporting platforms or when small records were transferred.
+     [Andy Polyakov, Steve Henson]
+
+ Changes between 1.0.1c and 1.0.1d [5 Feb 2013]
+
+  *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
+
+     This addresses the flaw in CBC record processing discovered by 
+     Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
+     at: http://www.isg.rhul.ac.uk/tls/     
+
+     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
+     Security Group at Royal Holloway, University of London
+     (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
+     Emilia K<>sper for the initial patch.
+     (CVE-2013-0169)
+     [Emilia K<>sper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
+
+  *) Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode
+     ciphersuites which can be exploited in a denial of service attack.
+     Thanks go to and to Adam Langley <agl@chromium.org> for discovering
+     and detecting this bug and to Wolfgang Ettlinger
+     <wolfgang.ettlinger@gmail.com> for independently discovering this issue.
+     (CVE-2012-2686)
+     [Adam Langley]
+
+  *) Return an error when checking OCSP signatures when key is NULL.
+     This fixes a DoS attack. (CVE-2013-0166)
+     [Steve Henson]
+
+  *) Make openssl verify return errors.
+     [Chris Palmer <palmer@google.com> and Ben Laurie]
+
+  *) Call OCSP Stapling callback after ciphersuite has been chosen, so
+     the right response is stapled. Also change SSL_get_certificate()
+     so it returns the certificate actually sent.
+     See http://rt.openssl.org/Ticket/Display.html?id=2836.
+     [Rob Stradling <rob.stradling@comodo.com>]
+
+  *) Fix possible deadlock when decoding public keys.
+     [Steve Henson]
+
+  *) Don't use TLS 1.0 record version number in initial client hello
+     if renegotiating.
+     [Steve Henson]
+
+ Changes between 1.0.1b and 1.0.1c [10 May 2012]
+
+  *) Sanity check record length before skipping explicit IV in TLS
+     1.2, 1.1 and DTLS to fix DoS attack.
+
+     Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
+     fuzzing as a service testing platform.
+     (CVE-2012-2333)
+     [Steve Henson]
+
+  *) Initialise tkeylen properly when encrypting CMS messages.
+     Thanks to Solar Designer of Openwall for reporting this issue.
+     [Steve Henson]
+
+  *) In FIPS mode don't try to use composite ciphers as they are not
+     approved.
+     [Steve Henson]
+
+ Changes between 1.0.1a and 1.0.1b [26 Apr 2012]
+
+  *) OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and
+     1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L which would unfortunately
+     mean any application compiled against OpenSSL 1.0.0 headers setting
+     SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disablng
+     TLS 1.1 also. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to
+     0x10000000L Any application which was previously compiled against
+     OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1
+     will need to be recompiled as a result. Letting be results in
+     inability to disable specifically TLS 1.1 and in client context,
+     in unlike event, limit maximum offered version to TLS 1.0 [see below].
+     [Steve Henson]
+
+  *) In order to ensure interoperabilty SSL_OP_NO_protocolX does not
+     disable just protocol X, but all protocols above X *if* there are
+     protocols *below* X still enabled. In more practical terms it means
+     that if application wants to disable TLS1.0 in favor of TLS1.1 and
+     above, it's not sufficient to pass SSL_OP_NO_TLSv1, one has to pass
+     SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. This applies to
+     client side.
      [Andy Polyakov]
 
-  *) Don't attempt to insert current time into AES/3DES tests, we should
-     be just copying input line across and this breaks some systems lacking
-     ctime. 
+ Changes between 1.0.1 and 1.0.1a [19 Apr 2012]
+
+  *) Check for potentially exploitable overflows in asn1_d2i_read_bio
+     BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
+     in CRYPTO_realloc_clean.
+
+     Thanks to Tavis Ormandy, Google Security Team, for discovering this
+     issue and to Adam Langley <agl@chromium.org> for fixing it.
+     (CVE-2012-2110)
+     [Adam Langley (Google), Tavis Ormandy, Google Security Team]
+
+  *) Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
+     [Adam Langley]
+
+  *) Workarounds for some broken servers that "hang" if a client hello
+     record length exceeds 255 bytes.
+
+     1. Do not use record version number > TLS 1.0 in initial client
+        hello: some (but not all) hanging servers will now work.
+     2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate
+	the number of ciphers sent in the client hello. This should be
+        set to an even number, such as 50, for example by passing:
+        -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
+        Most broken servers should now work.
+     3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable
+	TLS 1.2 client support entirely.
      [Steve Henson]
 
-  *) Update Windows build system for FIPS. Don't compile algorithm test
-     utilties by default: the target build_tests is needed for that. Add
-     support for building fips_algvs with the build_algvs target.
+  *) Fix SEGV in Vector Permutation AES module observed in OpenSSH.
+     [Andy Polyakov]
+
+ Changes between 1.0.0h and 1.0.1  [14 Mar 2012]
+
+  *) Add compatibility with old MDC2 signatures which use an ASN1 OCTET
+     STRING form instead of a DigestInfo.
      [Steve Henson]
 
-  *) Add initial cross compilation support for Windows build. The following
-     environment variables should be set:
-
-     FIPS_SHA1_PATH: path to fips_standalone_sha1 exectutable which will
-     be used explicitly and not built.
-     FIPS_SIG: similar to other builds: path to a "get signature" script
-     which is used to obtain the signature of the target instead of
-     executing it on the host.
+  *) The format used for MDC2 RSA signatures is inconsistent between EVP
+     and the RSA_sign/RSA_verify functions. This was made more apparent when
+     OpenSSL used RSA_sign/RSA_verify for some RSA signatures in particular
+     those which went through EVP_PKEY_METHOD in 1.0.0 and later. Detect 
+     the correct format in RSA_verify so both forms transparently work.
      [Steve Henson]
 
-  *) Add flag to EC_KEY to use cofactor ECDH if set.
+  *) Some servers which support TLS 1.0 can choke if we initially indicate
+     support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA
+     encrypted premaster secret. As a workaround use the maximum pemitted
+     client version in client hello, this should keep such servers happy
+     and still work with previous versions of OpenSSL.
      [Steve Henson]
 
-  *) Update fips_test_suite to support multiple command line options. New
-     test to induce all self test errors in sequence and check expected
-     failures.
-     [Steve Henson]
+  *) Add support for TLS/DTLS heartbeats.
+     [Robin Seggelmann <seggelmann@fh-muenster.de>]
 
-  *) Add FIPS_{rsa,dsa,ecdsa}_{sign,verify} functions which digest and
-     sign or verify all in one operation.
-     [Steve Henson]
+  *) Add support for SCTP.
+     [Robin Seggelmann <seggelmann@fh-muenster.de>]
 
-  *) Add fips_algvs: a multicall fips utility incorporaing all the algorithm
-     test programs and fips_test_suite. Includes functionality to parse
-     the minimal script output of fipsalgest.pl directly.
-     [Steve Henson]
+  *) Improved PRNG seeding for VOS.
+     [Paul Green <Paul.Green@stratus.com>]
 
-  *) Add authorisation parameter to FIPS_module_mode_set().
-     [Steve Henson]
+  *) Extensive assembler packs updates, most notably:
 
-  *) Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves.
-     [Steve Henson]
+	- x86[_64]:     AES-NI, PCLMULQDQ, RDRAND support;
+	- x86[_64]:     SSSE3 support (SHA1, vector-permutation AES);
+	- x86_64:       bit-sliced AES implementation;
+	- ARM:          NEON support, contemporary platforms optimizations;
+	- s390x:        z196 support;
+	- *:            GHASH and GF(2^m) multiplication implementations;
 
-  *) Use separate DRBG fields for internal and external flags. New function
-     FIPS_drbg_health_check() to perform on demand health checking. Add
-     generation tests to fips_test_suite with reduced health check interval to 
-     demonstrate periodic health checking. Add "nodh" option to
-     fips_test_suite to skip very slow DH test.
-     [Steve Henson]
+     [Andy Polyakov]
 
-  *) New function FIPS_get_cipherbynid() to lookup FIPS supported ciphers
-     based on NID.
-     [Steve Henson]
+  *) Make TLS-SRP code conformant with RFC 5054 API cleanup
+     (removal of unnecessary code)
+     [Peter Sylvester <peter.sylvester@edelweb.fr>]
 
-  *) More extensive health check for DRBG checking many more failure modes.
-     New function FIPS_selftest_drbg_all() to handle every possible DRBG
-     combination: call this in fips_test_suite.
-     [Steve Henson]
+  *) Add TLS key material exporter from RFC 5705.
+     [Eric Rescorla]
 
-  *) Add support for Dual EC DRBG from SP800-90. Update DRBG algorithm test
-     and POST to handle Dual EC cases.
-     [Steve Henson]
-
-  *) Add support for canonical generation of DSA parameter 'g'. See 
-     FIPS 186-3 A.2.3.
-
-  *) Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and
-     POST to handle HMAC cases.
-     [Steve Henson]
-
-  *) Add functions FIPS_module_version() and FIPS_module_version_text()
-     to return numberical and string versions of the FIPS module number.
-     [Steve Henson]
-
-  *) Rename FIPS_mode_set and FIPS_mode to FIPS_module_mode_set and
-     FIPS_module_mode. FIPS_mode and FIPS_mode_set will be implmeneted
-     outside the validated module in the FIPS capable OpenSSL.
-     [Steve Henson]
-
-  *) Minor change to DRBG entropy callback semantics. In some cases
-     there is no mutiple of the block length between min_len and
-     max_len. Allow the callback to return more than max_len bytes
-     of entropy but discard any extra: it is the callback's responsibility
-     to ensure that the extra data discarded does not impact the
-     requested amount of entropy.
-     [Steve Henson]
-
-  *) Add PRNG security strength checks to RSA, DSA and ECDSA using 
-     information in FIPS186-3, SP800-57 and SP800-131A.
-     [Steve Henson]
-
-  *) CCM support via EVP. Interface is very similar to GCM case except we
-     must supply all data in one chunk (i.e. no update, final) and the
-     message length must be supplied if AAD is used. Add algorithm test
-     support.
-     [Steve Henson]
-
-  *) Initial version of POST overhaul. Add POST callback to allow the status
-     of POST to be monitored and/or failures induced. Modify fips_test_suite
-     to use callback. Always run all selftests even if one fails.
-     [Steve Henson]
-
-  *) XTS support including algorithm test driver in the fips_gcmtest program.
-     Note: this does increase the maximum key length from 32 to 64 bytes but
-     there should be no binary compatibility issues as existing applications
-     will never use XTS mode.
-     [Steve Henson]
-
-  *) Extensive reorganisation of FIPS PRNG behaviour. Remove all dependencies
-     to OpenSSL RAND code and replace with a tiny FIPS RAND API which also
-     performs algorithm blocking for unapproved PRNG types. Also do not
-     set PRNG type in FIPS_mode_set(): leave this to the application.
-     Add default OpenSSL DRBG handling: sets up FIPS PRNG and seeds with
-     the standard OpenSSL PRNG: set additional data to a date time vector.
-     [Steve Henson]
-
-  *) Rename old X9.31 PRNG functions of the form FIPS_rand* to FIPS_x931*.
-     This shouldn't present any incompatibility problems because applications
-     shouldn't be using these directly and any that are will need to rethink
-     anyway as the X9.31 PRNG is now deprecated by FIPS 140-2
-     [Steve Henson]
-
-  *) Extensive self tests and health checking required by SP800-90 DRBG.
-     Remove strength parameter from FIPS_drbg_instantiate and always
-     instantiate at maximum supported strength.
-     [Steve Henson]
-
-  *) Add ECDH code to fips module and fips_ecdhvs for primitives only testing.
-     [Steve Henson]
-
-  *) New algorithm test program fips_dhvs to handle DH primitives only testing.
-     [Steve Henson]
-
-  *) New function DH_compute_key_padded() to compute a DH key and pad with
-     leading zeroes if needed: this complies with SP800-56A et al.
-     [Steve Henson]
-
-  *) Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by
-     anything, incomplete, subject to change and largely untested at present.
-     [Steve Henson]
-
-  *) Modify fipscanisteronly build option to only build the necessary object
-     files by filtering FIPS_EX_OBJ through a perl script in crypto/Makefile.
-     [Steve Henson]
-
-  *) Add experimental option FIPSSYMS to give all symbols in
-     fipscanister.o and FIPS or fips prefix. This will avoid
-     conflicts with future versions of OpenSSL. Add perl script
-     util/fipsas.pl to preprocess assembly language source files
-     and rename any affected symbols.
-     [Steve Henson]
-
-  *) Add selftest checks and algorithm block of non-fips algorithms in
-     FIPS mode. Remove DES2 from selftests.
-     [Steve Henson]
-
-  *) Add ECDSA code to fips module. Add tiny fips_ecdsa_check to just
-     return internal method without any ENGINE dependencies. Add new
-     tiny fips sign and verify functions.
-     [Steve Henson]
-
-  *) New build option no-ec2m to disable characteristic 2 code.
-     [Steve Henson]
-
-  *) New build option "fipscanisteronly". This only builds fipscanister.o
-     and (currently) associated fips utilities. Uses the file Makefile.fips
-     instead of Makefile.org as the prototype.
-     [Steve Henson]
-
-  *) Add some FIPS mode restrictions to GCM. Add internal IV generator.
-     Update fips_gcmtest to use IV generator.
-     [Steve Henson]
-
-  *) Initial, experimental EVP support for AES-GCM. AAD can be input by
-     setting output buffer to NULL. The *Final function must be
-     called although it will not retrieve any additional data. The tag
-     can be set or retrieved with a ctrl. The IV length is by default 12
-     bytes (96 bits) but can be set to an alternative value. If the IV
-     length exceeds the maximum IV length (currently 16 bytes) it cannot be
-     set before the key. 
-     [Steve Henson]
-
-  *) New flag in ciphers: EVP_CIPH_FLAG_CUSTOM_CIPHER. This means the
-     underlying do_cipher function handles all cipher semantics itself
-     including padding and finalisation. This is useful if (for example)
-     an ENGINE cipher handles block padding itself. The behaviour of
-     do_cipher is subtly changed if this flag is set: the return value
-     is the number of characters written to the output buffer (zero is
-     no longer an error code) or a negative error code. Also if the
-     input buffer is NULL and length 0 finalisation should be performed.
-     [Steve Henson]
-
-  *) If a candidate issuer certificate is already part of the constructed
-     path ignore it: new debug notification X509_V_ERR_PATH_LOOP for this case.
-     [Steve Henson]
-
-  *) Improve forward-security support: add functions
-
-       void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure))
-       void SSL_set_not_resumable_session_callback(SSL *ssl, int (*cb)(SSL *ssl, int is_forward_secure))
-
-     for use by SSL/TLS servers; the callback function will be called whenever a
-     new session is created, and gets to decide whether the session may be
-     cached to make it resumable (return 0) or not (return 1).  (As by the
-     SSL/TLS protocol specifications, the session_id sent by the server will be
-     empty to indicate that the session is not resumable; also, the server will
-     not generate RFC 4507 (RFC 5077) session tickets.)
-
-     A simple reasonable callback implementation is to return is_forward_secure.
-     This parameter will be set to 1 or 0 depending on the ciphersuite selected
-     by the SSL/TLS server library, indicating whether it can provide forward
-     security.
-     [Emilia K<>sper <emilia.kasper@esat.kuleuven.be> (Google)]
+  *) Add DTLS-SRTP negotiation from RFC 5764.
+     [Eric Rescorla]
 
   *) Add Next Protocol Negotiation,
      http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00. Can be
@@ -228,54 +272,6 @@
      by Google.
      [Adam Langley <agl@google.com> and Ben Laurie]
 
-  *) New function OPENSSL_gmtime_diff to find the difference in days
-     and seconds between two tm structures. This will be used to provide
-     additional functionality for ASN1_TIME.
-     [Steve Henson]
-
-  *) Add -trusted_first option which attempts to find certificates in the
-     trusted store even if an untrusted chain is also supplied.
-     [Steve Henson]
-
-  *) Initial experimental support for explicitly trusted non-root CAs. 
-     OpenSSL still tries to build a complete chain to a root but if an
-     intermediate CA has a trust setting included that is used. The first
-     setting is used: whether to trust or reject.
-     [Steve Henson]
-
-  *) New -verify_name option in command line utilities to set verification
-     parameters by name.
-     [Steve Henson]
-
-  *) Initial CMAC implementation. WARNING: EXPERIMENTAL, API MAY CHANGE.
-     Add CMAC pkey methods.
-     [Steve Henson]
-
-  *) Experimental regnegotiation in s_server -www mode. If the client 
-     browses /reneg connection is renegotiated. If /renegcert it is
-     renegotiated requesting a certificate.
-     [Steve Henson]
-
-  *) Add an "external" session cache for debugging purposes to s_server. This
-     should help trace issues which normally are only apparent in deployed
-     multi-process servers.
-     [Steve Henson]
-
-  *) Extensive audit of libcrypto with DEBUG_UNUSED. Fix many cases where
-     return value is ignored. NB. The functions RAND_add(), RAND_seed(),
-     BIO_set_cipher() and some obscure PEM functions were changed so they
-     can now return an error. The RAND changes required a change to the
-     RAND_METHOD structure.
-     [Steve Henson]
-
-  *) New macro __owur for "OpenSSL Warn Unused Result". This makes use of
-     a gcc attribute to warn if the result of a function is ignored. This
-     is enable if DEBUG_UNUSED is set. Add to several functions in evp.h
-     whose return value is often ignored. 
-     [Steve Henson]
-  
- Changes between 1.0.0f and 1.0.1  [xx XXX xxxx]
-
   *) Add optional 64-bit optimized implementations of elliptic curves NIST-P224,
      NIST-P256, NIST-P521, with constant-time single point multiplication on
      typical inputs. Compiler support for the nonstandard type __uint128_t is
@@ -389,8 +385,8 @@
      keep original code iff non-FIPS operations are allowed.
      [Steve Henson]
 
-  *) Add -attime option to openssl verify.
-     [Peter Eckersley <pde@eff.org> and Ben Laurie]
+  *) Add -attime option to openssl utilities.
+     [Peter Eckersley <pde@eff.org>, Ben Laurie and Steve Henson]
 
   *) Redirect DSA and DH operations to FIPS module in FIPS mode.
      [Steve Henson]
@@ -503,7 +499,134 @@
        Add command line options to s_client/s_server.
      [Steve Henson]
 
- Changes between 1.0.0e and 1.0.0f [xx XXX xxxx]
+ Changes between 1.0.0j and 1.0.0k [5 Feb 2013]
+
+  *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
+
+     This addresses the flaw in CBC record processing discovered by 
+     Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
+     at: http://www.isg.rhul.ac.uk/tls/     
+
+     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
+     Security Group at Royal Holloway, University of London
+     (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
+     Emilia K<>sper for the initial patch.
+     (CVE-2013-0169)
+     [Emilia K<>sper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
+
+  *) Return an error when checking OCSP signatures when key is NULL.
+     This fixes a DoS attack. (CVE-2013-0166)
+     [Steve Henson]
+
+  *) Call OCSP Stapling callback after ciphersuite has been chosen, so
+     the right response is stapled. Also change SSL_get_certificate()
+     so it returns the certificate actually sent.
+     See http://rt.openssl.org/Ticket/Display.html?id=2836.
+     (This is a backport)
+     [Rob Stradling <rob.stradling@comodo.com>]
+
+  *) Fix possible deadlock when decoding public keys.
+     [Steve Henson]
+
+ Changes between 1.0.0i and 1.0.0j [10 May 2012]
+
+  [NB: OpenSSL 1.0.0i and later 1.0.0 patch levels were released after
+  OpenSSL 1.0.1.]
+
+  *) Sanity check record length before skipping explicit IV in DTLS
+     to fix DoS attack.
+
+     Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
+     fuzzing as a service testing platform.
+     (CVE-2012-2333)
+     [Steve Henson]
+
+  *) Initialise tkeylen properly when encrypting CMS messages.
+     Thanks to Solar Designer of Openwall for reporting this issue.
+     [Steve Henson]
+
+ Changes between 1.0.0h and 1.0.0i [19 Apr 2012]
+
+  *) Check for potentially exploitable overflows in asn1_d2i_read_bio
+     BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
+     in CRYPTO_realloc_clean.
+
+     Thanks to Tavis Ormandy, Google Security Team, for discovering this
+     issue and to Adam Langley <agl@chromium.org> for fixing it.
+     (CVE-2012-2110)
+     [Adam Langley (Google), Tavis Ormandy, Google Security Team]
+
+ Changes between 1.0.0g and 1.0.0h [12 Mar 2012]
+
+  *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
+     in CMS and PKCS7 code. When RSA decryption fails use a random key for
+     content decryption and always return the same error. Note: this attack
+     needs on average 2^20 messages so it only affects automated senders. The
+     old behaviour can be reenabled in the CMS code by setting the
+     CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where
+     an MMA defence is not necessary.
+     Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering
+     this issue. (CVE-2012-0884)
+     [Steve Henson]
+
+  *) Fix CVE-2011-4619: make sure we really are receiving a 
+     client hello before rejecting multiple SGC restarts. Thanks to
+     Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug.
+     [Steve Henson]
+
+ Changes between 1.0.0f and 1.0.0g [18 Jan 2012]
+
+  *) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
+     Thanks to Antonio Martin, Enterprise Secure Access Research and
+     Development, Cisco Systems, Inc. for discovering this bug and
+     preparing a fix. (CVE-2012-0050)
+     [Antonio Martin]
+
+ Changes between 1.0.0e and 1.0.0f [4 Jan 2012]
+
+  *) Nadhem Alfardan and Kenny Paterson have discovered an extension
+     of the Vaudenay padding oracle attack on CBC mode encryption
+     which enables an efficient plaintext recovery attack against
+     the OpenSSL implementation of DTLS. Their attack exploits timing
+     differences arising during decryption processing. A research
+     paper describing this attack can be found at:
+                  http://www.isg.rhul.ac.uk/~kp/dtls.pdf
+     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
+     Security Group at Royal Holloway, University of London
+     (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
+     <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
+     for preparing the fix. (CVE-2011-4108)
+     [Robin Seggelmann, Michael Tuexen]
+
+  *) Clear bytes used for block padding of SSL 3.0 records.
+     (CVE-2011-4576)
+     [Adam Langley (Google)]
+
+  *) Only allow one SGC handshake restart for SSL/TLS. Thanks to George
+     Kadianakis <desnacked@gmail.com> for discovering this issue and
+     Adam Langley for preparing the fix. (CVE-2011-4619)
+     [Adam Langley (Google)]
+
+  *) Check parameters are not NULL in GOST ENGINE. (CVE-2012-0027)
+     [Andrey Kulikov <amdeich@gmail.com>]
+
+  *) Prevent malformed RFC3779 data triggering an assertion failure.
+     Thanks to Andrew Chi, BBN Technologies, for discovering the flaw
+     and Rob Austein <sra@hactrn.net> for fixing it. (CVE-2011-4577)
+     [Rob Austein <sra@hactrn.net>]
+
+  *) Improved PRNG seeding for VOS.
+     [Paul Green <Paul.Green@stratus.com>]
+
+  *) Fix ssl_ciph.c set-up race.
+     [Adam Langley (Google)]
+
+  *) Fix spurious failures in ecdsatest.c.
+     [Emilia K<>sper (Google)]
+
+  *) Fix the BIO_f_buffer() implementation (which was mixing different
+     interpretations of the '..._len' fields).
+     [Adam Langley (Google)]
 
   *) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than
      BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent
@@ -1422,8 +1545,137 @@
 
   *) Change 'Configure' script to enable Camellia by default.
      [NTT]
-  
- Changes between 0.9.8r and 0.9.8s [xx XXX xxxx]
+
+ Changes between 0.9.8x and 0.9.8y [5 Feb 2013]
+
+  *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
+
+     This addresses the flaw in CBC record processing discovered by 
+     Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
+     at: http://www.isg.rhul.ac.uk/tls/     
+
+     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
+     Security Group at Royal Holloway, University of London
+     (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
+     Emilia K<>sper for the initial patch.
+     (CVE-2013-0169)
+     [Emilia K<>sper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
+
+  *) Return an error when checking OCSP signatures when key is NULL.
+     This fixes a DoS attack. (CVE-2013-0166)
+     [Steve Henson]
+
+  *) Call OCSP Stapling callback after ciphersuite has been chosen, so
+     the right response is stapled. Also change SSL_get_certificate()
+     so it returns the certificate actually sent.
+     See http://rt.openssl.org/Ticket/Display.html?id=2836.
+     (This is a backport)
+     [Rob Stradling <rob.stradling@comodo.com>]
+
+  *) Fix possible deadlock when decoding public keys.
+     [Steve Henson]
+
+ Changes between 0.9.8w and 0.9.8x [10 May 2012]
+
+  *) Sanity check record length before skipping explicit IV in DTLS
+     to fix DoS attack.
+
+     Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
+     fuzzing as a service testing platform.
+     (CVE-2012-2333)
+     [Steve Henson]
+
+  *) Initialise tkeylen properly when encrypting CMS messages.
+     Thanks to Solar Designer of Openwall for reporting this issue.
+     [Steve Henson]
+
+ Changes between 0.9.8v and 0.9.8w [23 Apr 2012]
+
+  *) The fix for CVE-2012-2110 did not take into account that the 
+     'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an
+     int in OpenSSL 0.9.8, making it still vulnerable. Fix by 
+     rejecting negative len parameter. (CVE-2012-2131)
+     [Tomas Hoger <thoger@redhat.com>]
+
+ Changes between 0.9.8u and 0.9.8v [19 Apr 2012]
+
+  *) Check for potentially exploitable overflows in asn1_d2i_read_bio
+     BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
+     in CRYPTO_realloc_clean.
+
+     Thanks to Tavis Ormandy, Google Security Team, for discovering this
+     issue and to Adam Langley <agl@chromium.org> for fixing it.
+     (CVE-2012-2110)
+     [Adam Langley (Google), Tavis Ormandy, Google Security Team]
+
+ Changes between 0.9.8t and 0.9.8u [12 Mar 2012]
+
+  *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
+     in CMS and PKCS7 code. When RSA decryption fails use a random key for
+     content decryption and always return the same error. Note: this attack
+     needs on average 2^20 messages so it only affects automated senders. The
+     old behaviour can be reenabled in the CMS code by setting the
+     CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where
+     an MMA defence is not necessary.
+     Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering
+     this issue. (CVE-2012-0884)
+     [Steve Henson]
+
+  *) Fix CVE-2011-4619: make sure we really are receiving a 
+     client hello before rejecting multiple SGC restarts. Thanks to
+     Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug.
+     [Steve Henson]
+
+ Changes between 0.9.8s and 0.9.8t [18 Jan 2012]
+
+  *) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
+     Thanks to Antonio Martin, Enterprise Secure Access Research and
+     Development, Cisco Systems, Inc. for discovering this bug and
+     preparing a fix. (CVE-2012-0050)
+     [Antonio Martin]
+
+ Changes between 0.9.8r and 0.9.8s [4 Jan 2012]
+
+  *) Nadhem Alfardan and Kenny Paterson have discovered an extension
+     of the Vaudenay padding oracle attack on CBC mode encryption
+     which enables an efficient plaintext recovery attack against
+     the OpenSSL implementation of DTLS. Their attack exploits timing
+     differences arising during decryption processing. A research
+     paper describing this attack can be found at:
+                  http://www.isg.rhul.ac.uk/~kp/dtls.pdf
+     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
+     Security Group at Royal Holloway, University of London
+     (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
+     <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
+     for preparing the fix. (CVE-2011-4108)
+     [Robin Seggelmann, Michael Tuexen]
+
+  *) Stop policy check failure freeing same buffer twice. (CVE-2011-4109)
+     [Ben Laurie, Kasper <ekasper@google.com>]
+
+  *) Clear bytes used for block padding of SSL 3.0 records.
+     (CVE-2011-4576)
+     [Adam Langley (Google)]
+
+  *) Only allow one SGC handshake restart for SSL/TLS. Thanks to George
+     Kadianakis <desnacked@gmail.com> for discovering this issue and
+     Adam Langley for preparing the fix. (CVE-2011-4619)
+     [Adam Langley (Google)]
+ 
+  *) Prevent malformed RFC3779 data triggering an assertion failure.
+     Thanks to Andrew Chi, BBN Technologies, for discovering the flaw
+     and Rob Austein <sra@hactrn.net> for fixing it. (CVE-2011-4577)
+     [Rob Austein <sra@hactrn.net>]
+
+  *) Fix ssl_ciph.c set-up race.
+     [Adam Langley (Google)]
+
+  *) Fix spurious failures in ecdsatest.c.
+     [Emilia K<>sper (Google)]
+
+  *) Fix the BIO_f_buffer() implementation (which was mixing different
+     interpretations of the '..._len' fields).
+     [Adam Langley (Google)]
 
   *) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than
      BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent

Configure

@@ -10,7 +10,7 @@ use strict;
 
 # see INSTALL for instructions.
 
-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
+my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
 
 # Options:
 #
@@ -56,6 +56,7 @@ my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimenta
 # [no-]zlib     [don't] compile support for zlib compression.
 # zlib-dynamic	Like "zlib", but the zlib library is expected to be a shared
 #		library and will be loaded in run-time by the OpenSSL library.
+# sctp          include SCTP support
 # 386           generate 80386 code
 # no-sse2	disables IA-32 SSE2 code, above option implies no-sse2
 # no-<cipher>   build without specified algorithm (rsa, idea, rc5, ...)
@@ -123,20 +124,19 @@ my $tlib="-lnsl -lsocket";
 my $bits1="THIRTY_TWO_BIT ";
 my $bits2="SIXTY_FOUR_BIT ";
 
-my $x86_asm="x86cpuid.o:bn-586.o co-586.o x86-mont.o x86-gf2m.o:des-586.o crypt586.o:aes-586.o vpaes-x86.o aesni-x86.o:bf-586.o:md5-586.o:sha1-586.o sha256-586.o sha512-586.o:cast-586.o:rc4-586.o:rmd-586.o:rc5-586.o:wp_block.o wp-mmx.o:cmll-x86.o:ghash-x86.o:e_padlock-x86.o";
+my $x86_asm="x86cpuid.o:bn-586.o co-586.o x86-mont.o x86-gf2m.o:des-586.o crypt586.o:aes-586.o vpaes-x86.o aesni-x86.o:bf-586.o:md5-586.o:sha1-586.o sha256-586.o sha512-586.o:cast-586.o:rc4-586.o:rmd-586.o:rc5-586.o:wp_block.o wp-mmx.o:cmll-x86.o:ghash-x86.o:";
 
 my $x86_elf_asm="$x86_asm:elf";
 
-my $x86_64_asm="x86_64cpuid.o:x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o modexp512-x86_64.o::aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o rc4-md5-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o:ghash-x86_64.o:e_padlock-x86_64.o";
+my $x86_64_asm="x86_64cpuid.o:x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o modexp512-x86_64.o::aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o rc4-md5-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o:ghash-x86_64.o:";
 my $ia64_asm="ia64cpuid.o:bn-ia64.o ia64-mont.o::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o::rc4-ia64.o rc4_skey.o:::::ghash-ia64.o::void";
 my $sparcv9_asm="sparcv9cap.o sparccpuid.o:bn-sparcv9.o sparcv9-mont.o sparcv9a-mont.o:des_enc-sparc.o fcrypt_b.o:aes_core.o aes_cbc.o aes-sparcv9.o:::sha1-sparcv9.o sha256-sparcv9.o sha512-sparcv9.o:::::::ghash-sparcv9.o::void";
 my $sparcv8_asm=":sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::::::void";
 my $alpha_asm="alphacpuid.o:bn_asm.o alpha-mont.o:::::sha1-alpha.o:::::::ghash-alpha.o::void";
 my $mips32_asm=":bn-mips.o::aes_cbc.o aes-mips.o:::sha1-mips.o sha256-mips.o::::::::";
 my $mips64_asm=":bn-mips.o mips-mont.o::aes_cbc.o aes-mips.o:::sha1-mips.o sha256-mips.o sha512-mips.o::::::::";
-my $s390x_asm="s390xcap.o s390xcpuid.o:bn-s390x.o s390x-mont.o s390x-gf2m.o::aes_ctr.o aes-s390x.o:::sha1-s390x.o sha256-s390x.o sha512-s390x.o::rc4-s390x.o:::::ghash-s390x.o:";
+my $s390x_asm="s390xcap.o s390xcpuid.o:bn-s390x.o s390x-mont.o s390x-gf2m.o::aes-s390x.o aes-ctr.o aes-xts.o:::sha1-s390x.o sha256-s390x.o sha512-s390x.o::rc4-s390x.o:::::ghash-s390x.o:";
 my $armv4_asm="armcap.o armv4cpuid.o:bn_asm.o armv4-mont.o armv4-gf2m.o::aes_cbc.o aes-armv4.o:::sha1-armv4-large.o sha256-armv4.o sha512-armv4.o:::::::ghash-armv4.o::void";
-my $aarch64_asm="armcap.o arm64cpuid.o mem_clr.o:::aes_core.o aes_cbc.o aesv8-armx.o:::sha1-armv8.o sha256-armv8.o sha512-armv8.o:::::::ghashv8-armx.o:";
 my $parisc11_asm="pariscid.o:bn_asm.o parisc-mont.o::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o::32";
 my $parisc20_asm="pariscid.o:pa-risc2W.o parisc-mont.o::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o::64";
 my $ppc32_asm="ppccpuid.o ppccap.o:bn-ppc.o ppc-mont.o ppc64-mont.o::aes_core.o aes_cbc.o aes-ppc.o:::sha1-ppc.o sha256-ppc.o::::::::";
@@ -170,26 +170,30 @@ my %table=(
 "debug-ben",	"gcc:$gcc_devteam_warn -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DDEBUG_SAFESTACK -O2 -pipe::(unknown):::::",
 "debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
 "debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
-"debug-ben-debug",	"gcc:$gcc_devteam_warn -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -g3 -O2 -pipe::(unknown)::::::",
+"debug-ben-debug",	"gcc44:$gcc_devteam_warn -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O2 -pipe::(unknown)::::::",
+"debug-ben-debug-64",	"gcc:$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-ben-macos",	"cc:$gcc_devteam_warn -arch i386 -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -O3 -DL_ENDIAN -g3 -pipe::(unknown)::-Wl,-search_paths_first::::",
+"debug-ben-macos-gcc46",	"gcc-mp-4.6:$gcc_devteam_warn -Wconversion -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -O3 -DL_ENDIAN -g3 -pipe::(unknown)::::::",
+"debug-ben-darwin64","cc:$gcc_devteam_warn -Wno-language-extension-token -Wno-extended-offsetof -arch x86_64 -O3 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$x86_64_asm;$asm=~s/rc4\-[^:]+//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 "debug-ben-no-opt",	"gcc: -Wall -Wmissing-prototypes -Wstrict-prototypes -Wmissing-declarations -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG -Werror -DL_ENDIAN -DTERMIOS -Wall -g3::(unknown)::::::",
 "debug-ben-strict",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::",
 "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
-"debug-bodo",	"gcc:$gcc_devteam_warn -DBN_DEBUG -DBN_DEBUG_RAND -DCONF_DEBUG -DBIO_PAIR_DEBUG -m64 -DL_ENDIAN -DTERMIO -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+"debug-bodo",	"gcc:$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DBN_DEBUG_RAND -DCONF_DEBUG -DBIO_PAIR_DEBUG -m64 -DL_ENDIAN -DTERMIO -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 "debug-ulf", "gcc:-DTERMIOS -DL_ENDIAN -march=i486 -Wall -DBN_DEBUG -DBN_DEBUG_RAND -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -g -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations:::CYGWIN32:::${no_asm}:win32:cygwin-shared:::.dll",
-"debug-steve64", "gcc:$gcc_devteam_warn -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -g::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-steve64", "gcc:$gcc_devteam_warn -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -Wno-overlength-strings -g::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-steve32", "gcc:$gcc_devteam_warn -m32 -DL_ENDIAN -DCONF_DEBUG -DDEBUG_SAFESTACK -g -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-steve-opt", "gcc:$gcc_devteam_warn -m64 -O3 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -g::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-levitte-linux-elf-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-levitte-linux-noasm-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -ggdb -g3 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -ggdb -g3 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-levitte-linux-elf-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -DPEDANTIC -ggdb -g3 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-levitte-linux-noasm-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -ggdb -g3 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-geoff32","gcc:-DBN_DEBUG -DBN_DEBUG_RAND -DBN_STRICT -DPURIFY -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_ASM -DOPENSSL_NO_INLINE_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -O1 -ggdb2 -Wall -Werror -Wundef -pedantic -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wsign-compare -Wmissing-prototypes -Wmissing-declarations -Wno-long-long::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-geoff64","gcc:-DBN_DEBUG -DBN_DEBUG_RAND -DBN_STRICT -DPURIFY -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_ASM -DOPENSSL_NO_INLINE_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -O1 -ggdb2 -Wall -Werror -Wundef -pedantic -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wsign-compare -Wmissing-prototypes -Wmissing-declarations -Wno-long-long::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-linux-pentium","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentium -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
 "debug-linux-ppro","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentiumpro -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
 "debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -march=i486 -Wall::-D_REENTRANT::-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -march=i486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-linux-ia32-aes", "gcc:-DAES_EXPERIMENTAL -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:x86cpuid.o:bn-586.o co-586.o x86-mont.o:des-586.o crypt586.o:aes_x86core.o aes_cbc.o aesni-x86.o:bf-586.o:md5-586.o:sha1-586.o sha256-586.o sha512-586.o:cast-586.o:rc4-586.o:rmd-586.o:rc5-586.o:wp_block.o wp-mmx.o::ghash-x86.o:e_padlock-x86.o:elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-linux-ia32-aes", "gcc:-DAES_EXPERIMENTAL -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:x86cpuid.o:bn-586.o co-586.o x86-mont.o:des-586.o crypt586.o:aes_x86core.o aes_cbc.o aesni-x86.o:bf-586.o:md5-586.o:sha1-586.o sha256-586.o sha512-586.o:cast-586.o:rc4-586.o:rmd-586.o:rc5-586.o:wp_block.o wp-mmx.o::ghash-x86.o::elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-linux-generic32","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DTERMIO -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-linux-generic64","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DTERMIO -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-linux-x86_64","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -m64 -DL_ENDIAN -DTERMIO -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
@@ -200,8 +204,8 @@ my %table=(
 "cc",		"cc:-O::(unknown)::::::",
 
 ####VOS Configurations
-"vos-gcc","gcc:-O3 -Wall -D_POSIX_C_SOURCE=200112L -D_BSD -D_VOS_EXTENDED_NAMES -DB_ENDIAN::(unknown):VOS:-Wl,-map:BN_LLONG:${no_asm}:::::.so:",
-"debug-vos-gcc","gcc:-O0 -g -Wall -D_POSIX_C_SOURCE=200112L -D_BSD -D_VOS_EXTENDED_NAMES -DB_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG::(unknown):VOS:-Wl,-map:BN_LLONG:${no_asm}:::::.so:",
+"vos-gcc","gcc:-O3 -Wall -DOPENSSL_SYSNAME_VOS -D_POSIX_C_SOURCE=200112L -D_BSD -D_VOS_EXTENDED_NAMES -DB_ENDIAN::(unknown):VOS:-Wl,-map:BN_LLONG:${no_asm}:::::.so:",
+"debug-vos-gcc","gcc:-O0 -g -Wall -DOPENSSL_SYSNAME_VOS -D_POSIX_C_SOURCE=200112L -D_BSD -D_VOS_EXTENDED_NAMES -DB_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG::(unknown):VOS:-Wl,-map:BN_LLONG:${no_asm}:::::.so:",
 
 #### Solaris x86 with GNU C setups
 # -DOPENSSL_NO_INLINE_ASM switches off inline assembler. We have to do it
@@ -241,7 +245,7 @@ my %table=(
 "solaris-sparcv7-cc","cc:-xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${no_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "solaris-sparcv8-cc","cc:-xarch=v8 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "solaris-sparcv9-cc","cc:-xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris64-sparcv9-cc","cc:-xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:solaris-shared:-KPIC:-xarch=v9 -G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):/usr/ccs/bin/ar rs::/64",
+"solaris64-sparcv9-cc","cc:-xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:solaris-shared:-KPIC:-xarch=v9 -G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/64",
 ####
 "debug-solaris-sparcv8-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xarch=v8 -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-solaris-sparcv9-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xtarget=ultra -xarch=v8plus -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", 
@@ -294,8 +298,8 @@ my %table=(
 # Since there is mention of this in shlib/hpux10-cc.sh
 "hpux-parisc-cc-o4","cc:-Ae +O4 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::-D_REENTRANT::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1:${no_asm}:dl:hpux-shared:+Z:-b:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "hpux-parisc-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1:${no_asm}:dl:hpux-shared:-fPIC:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"hpux-parisc1_1-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1:${parisc11_asm}:dl:hpux-shared:-fPIC:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"hpux-parisc2-gcc","gcc:-march=2.0 -O3 -DB_ENDIAN -D_REENTRANT::::-Wl,+s -ldld:SIXTY_FOUR_BIT RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL DES_RISC1::pa-risc2.o::::::::::::::void:dl:hpux-shared:-fPIC:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-parisc1_1-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1:${parisc11_asm}:dl:hpux-shared:-fPIC:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/pa1.1",
+"hpux-parisc2-gcc","gcc:-march=2.0 -O3 -DB_ENDIAN -D_REENTRANT::::-Wl,+s -ldld:SIXTY_FOUR_BIT RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL DES_RISC1:".eval{my $asm=$parisc20_asm;$asm=~s/2W\./2\./;$asm=~s/:64/:32/;$asm}.":dl:hpux-shared:-fPIC:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/pa20_32",
 "hpux64-parisc2-gcc","gcc:-O3 -DB_ENDIAN -D_REENTRANT::::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::pa-risc2W.o::::::::::::::void:dlfcn:hpux-shared:-fpic:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/pa20_64",
 
 # More attempts at unified 10.X and 11.X targets for HP C compiler.
@@ -304,7 +308,7 @@ my %table=(
 # Kevin Steves <ks@hp.se>
 "hpux-parisc-cc","cc:+O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:${no_asm}:dl:hpux-shared:+Z:-b:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "hpux-parisc1_1-cc","cc:+DA1.1 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:${parisc11_asm}:dl:hpux-shared:+Z:-b:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/pa1.1",
-"hpux-parisc2-cc","cc:+DA2.0 +DS2.0 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY -D_REENTRANT::::-Wl,+s -ldld:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::pa-risc2.o::::::::::::::void:dl:hpux-shared:+Z:-b:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-parisc2-cc","cc:+DA2.0 +DS2.0 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY -D_REENTRANT::::-Wl,+s -ldld:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:".eval{my $asm=$parisc20_asm;$asm=~s/2W\./2\./;$asm=~s/:64/:32/;$asm}.":dl:hpux-shared:+Z:-b:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/pa20_32",
 "hpux64-parisc2-cc","cc:+DD64 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY -D_REENTRANT::::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:${parisc20_asm}:dlfcn:hpux-shared:+Z:+DD64 -b:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/pa20_64",
 
 # HP/UX IA-64 targets
@@ -357,8 +361,6 @@ my %table=(
 "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-"linux-x86_64-cross",  "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DFIPS_REF_POINT_IS_CROSS_COMPILER_AWARE::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-"linux-i686-cross",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DFIPS_REF_POINT_IS_CROSS_COMPILER_AWARE::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux64-s390x",	"gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 #### So called "highgprs" target for z/Architecture CPUs
 # "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
@@ -400,14 +402,11 @@ my %table=(
 "linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
 "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
-# eCos ARMv4/5
-"ecos-armv4", "gcc:-D__ECOS__ -I\$(ECOSCFG)/include -Wall -Wpointer-arith -Wstrict-prototypes -Wundef -Wno-write-strings -mno-thumb-interwork -mcpu=arm926ej-s -g -O2 -fno-exceptions::-D_REENTRANT::-nostartfiles -L\$(ECOSCFG)/lib -Ttarget.ld::".eval{my $asm=$armv4_asm;$asm=~s/armcap.o//;$asm},
 
 # Android: linux-* but without -DTERMIO and pointers to headers and libs.
 "android","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "android-x86","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:".eval{my $asm=${x86_elf_asm};$asm=~s/:elf/:android/;$asm}.":dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"android-armv7","gcc:-march=armv7-a -mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-pie%-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"android64-aarch64","gcc:-mandroid -fPIC -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -Wall::-D_REENTRANT::-pie%-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"android-armv7","gcc:-march=armv7-a -mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 #### *BSD [do see comment about ${BSDthreads} above!]
 "BSD-generic32","gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -415,8 +414,6 @@ my %table=(
 "BSD-x86-elf",	"gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -Wall::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-BSD-x86-elf",	"gcc:-DL_ENDIAN -DTERMIOS -O3 -Wall -g::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "BSD-sparcv8",	"gcc:-DB_ENDIAN -DTERMIOS -O3 -mv8 -Wall::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL:${sparcv8_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"BSD-ppc85xx","gcc:-DTERMIOS -O3 -fomit-frame-pointer -msoft-float -Wall::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-BSD-ppc85xx","gcc:-DTERMIOS -O0 -fomit-frame-pointer -msoft-float -Wall -g::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 "BSD-generic64","gcc:-DTERMIOS -O3 -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # -DMD32_REG_T=int doesn't actually belong in sparc64 target, it
@@ -437,7 +434,6 @@ my %table=(
 # QNX
 "qnx4",	"cc:-DL_ENDIAN -DTERMIO::(unknown):::${x86_gcc_des} ${x86_gcc_opts}:",
 "QNX6",       "gcc:-DTERMIOS::::-lsocket::${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"QNX6-armv4",	"gcc:-DTERMIOS -O2 -Wall:::::BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "QNX6-i386",  "gcc:-DL_ENDIAN -DTERMIOS -O2 -Wall::::-lsocket:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 # BeOS
@@ -470,8 +466,8 @@ my %table=(
 "aix64-gcc","gcc:-maix64 -O -DB_ENDIAN::-pthread:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR:${ppc64_asm}:aix64:dlfcn:aix-shared::-maix64 -shared -Wl,-G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X64",
 # Below targets assume AIX 5. Idea is to effectively disregard $OBJECT_MODE
 # at build time. $OBJECT_MODE is respected at ./config stage!
-"aix-cc",   "cc:-q32 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst::-qthreaded:AIX::BN_LLONG RC4_CHAR:${ppc32_asm}:aix32:dlfcn:aix-shared::-q32 -G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 32",
-"aix64-cc", "cc:-q64 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst::-qthreaded:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR:${ppc64_asm}:aix64:dlfcn:aix-shared::-q64 -G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 64",
+"aix-cc",   "cc:-q32 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst::-qthreaded -D_THREAD_SAFE:AIX::BN_LLONG RC4_CHAR:${ppc32_asm}:aix32:dlfcn:aix-shared::-q32 -G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 32",
+"aix64-cc", "cc:-q64 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst::-qthreaded -D_THREAD_SAFE:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR:${ppc64_asm}:aix64:dlfcn:aix-shared::-q64 -G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 64",
 
 #
 # Cray T90 and similar (SDSC)
@@ -530,7 +526,7 @@ my %table=(
 # 'perl Configure VC-WIN32' with '-DUNICODE -D_UNICODE'
 "VC-WIN32","cl:-W3 -Gs0 -GF -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE:::WIN32::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${x86_asm}:win32n:win32",
 # Unified CE target
-"debug-VC-WIN32","cl:-W3 -WX -Gs0 -GF -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE:::WIN32::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${x86_asm}:win32n:win32",
+"debug-VC-WIN32","cl:-W3 -Gs0 -GF -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE:::WIN32::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${x86_asm}:win32n:win32",
 "VC-CE","cl::::WINCE::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${no_asm}:win32",
 
 # Borland C++ 4.5
@@ -583,14 +579,12 @@ my %table=(
 "rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown):MACOSX_RHAPSODY::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}::",
 "darwin-ppc-cc","cc:-arch ppc -O3 -DB_ENDIAN -Wa,-force_cpusubtype_ALL::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${ppc32_asm}:osx32:dlfcn:darwin-shared:-fPIC -fno-common:-arch ppc -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 "darwin64-ppc-cc","cc:-arch ppc64 -O3 -DB_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${ppc64_asm}:osx64:dlfcn:darwin-shared:-fPIC -fno-common:-arch ppc64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
-"darwin-i386-cc","cc:-arch i386 -O3 -fomit-frame-pointer -DL_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_INT RC4_CHUNK DES_UNROLL BF_PTR:${x86_asm}:macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"darwin-i386-cc","cc:-arch i386 -O3 -fomit-frame-pointer -DL_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_INT RC4_CHUNK DES_UNROLL BF_PTR:".eval{my $asm=$x86_asm;$asm=~s/cast\-586\.o//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 "debug-darwin-i386-cc","cc:-arch i386 -g3 -DL_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_INT RC4_CHUNK DES_UNROLL BF_PTR:${x86_asm}:macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
-"darwin64-x86_64-cc","cc:-arch x86_64 -O3 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"darwin64-x86_64-cc","cc:-arch x86_64 -O3 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$x86_64_asm;$asm=~s/rc4\-[^:]+//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 "debug-darwin-ppc-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DB_ENDIAN -g -Wall -O::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${ppc32_asm}:osx32:dlfcn:darwin-shared:-fPIC:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 # iPhoneOS/iOS
 "iphoneos-cross","llvm-gcc:-O3 -isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK) -fomit-frame-pointer -fno-common::-D_REENTRANT:iOS:-Wl,-search_paths_first%:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:darwin-shared:-fPIC -fno-common:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
-"ios-cross","cc:-O3 -arch armv7 -mios-version-min=7.0.0 -isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK) -fno-common::-D_REENTRANT:iOS:-Wl,-search_paths_first%:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:armcap.o armv4cpuid_ios.o:bn_asm.o armv4-mont.o armv4-gf2m.o::aes_cbc.o aes-armv4.o:::sha1-armv4-large.o sha256-armv4.o sha512-armv4.o:::::::ghash-armv4.o::ios32:dlfcn:darwin-shared:-fPIC -fno-common:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
-"ios64-cross","cc:-O3 -arch arm64 -mios-version-min=7.0.0 -isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK) -fno-common::-D_REENTRANT:iOS:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR -RC4_CHUNK DES_INT DES_UNROLL -BF_PTR:${aarch64_asm}:ios64:dlfcn:darwin-shared:-fPIC -fno-common:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 
 ##### A/UX
 "aux3-gcc","gcc:-O2 -DTERMIO::(unknown):AUX:-lbsd:RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
@@ -607,14 +601,12 @@ my %table=(
 ##### VxWorks for various targets
 "vxworks-ppc60x","ccppc:-D_REENTRANT -mrtp -mhard-float -mstrict-align -fno-implicit-fp -DPPC32_fp60x -O2 -fstrength-reduce -fno-builtin -fno-strict-aliasing -Wall -DCPU=PPC32 -DTOOL_FAMILY=gnu -DTOOL=gnu -I\$(WIND_BASE)/target/usr/h -I\$(WIND_BASE)/target/usr/h/wrn/coreip:::VXWORKS:-Wl,--defsym,__wrs_rtp_base=0xe0000000 -L \$(WIND_BASE)/target/usr/lib/ppc/PPC32/common:::::",
 "vxworks-ppcgen","ccppc:-D_REENTRANT -mrtp -msoft-float -mstrict-align -O1 -fno-builtin -fno-strict-aliasing -Wall -DCPU=PPC32 -DTOOL_FAMILY=gnu -DTOOL=gnu -I\$(WIND_BASE)/target/usr/h -I\$(WIND_BASE)/target/usr/h/wrn/coreip:::VXWORKS:-Wl,--defsym,__wrs_rtp_base=0xe0000000 -L \$(WIND_BASE)/target/usr/lib/ppc/PPC32/sfcommon:::::",
-"vxworks-ppcgen-kernel","ccppc:-D_REENTRANT -msoft-float -mstrict-align -O1 -fno-builtin -fno-strict-aliasing -Wall -DCPU=PPC32 -DTOOL_FAMILY=gnu -DTOOL=gnu -I\$(WIND_BASE)/target/h -I\$(WIND_BASE)/target/h/wrn/coreip:::VXWORKS::::::",
 "vxworks-ppc405","ccppc:-g -msoft-float -mlongcall -DCPU=PPC405 -I\$(WIND_BASE)/target/h:::VXWORKS:-r:::::",
 "vxworks-ppc750","ccppc:-ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I\$(WIND_BASE)/target/h \$(DEBUG_FLAG):::VXWORKS:-r:::::",
 "vxworks-ppc750-debug","ccppc:-ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I\$(WIND_BASE)/target/h -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DDEBUG -g:::VXWORKS:-r:::::",
 "vxworks-ppc860","ccppc:-nostdinc -msoft-float -DCPU=PPC860 -DNO_STRINGS_H -I\$(WIND_BASE)/target/h:::VXWORKS:-r:::::",
 "vxworks-simlinux","ccpentium:-B\$(WIND_BASE)/host/\$(WIND_HOST_TYPE)/lib/gcc-lib/ -D_VSB_CONFIG_FILE=\"\$(WIND_BASE)/target/lib/h/config/vsbConfig.h\" -DL_ENDIAN -DCPU=SIMLINUX -DTOOL_FAMILY=gnu -DTOOL=gnu -fno-builtin -fno-defer-pop -DNO_STRINGS_H -I\$(WIND_BASE)/target/h -I\$(WIND_BASE)/target/h/wrn/coreip -DOPENSSL_NO_HW_PADLOCK:::VXWORKS:-r::${no_asm}::::::ranlibpentium:",
 "vxworks-mips","ccmips:-mrtp -mips2 -O -G 0 -B\$(WIND_BASE)/host/\$(WIND_HOST_TYPE)/lib/gcc-lib/ -D_VSB_CONFIG_FILE=\"\$(WIND_BASE)/target/lib/h/config/vsbConfig.h\" -DCPU=MIPS32 -msoft-float -mno-branch-likely -DTOOL_FAMILY=gnu -DTOOL=gnu -fno-builtin -fno-defer-pop -DNO_STRINGS_H -I\$(WIND_BASE)/target/usr/h -I\$(WIND_BASE)/target/h/wrn/coreip::-D_REENTRANT:VXWORKS:-Wl,--defsym,__wrs_rtp_base=0xe0000000 -L \$(WIND_BASE)/target/usr/lib/mips/MIPSI32/sfcommon::${mips32_asm}:o32::::::ranlibmips:",
-"vxworks-pentium","ccpentium:-Os -B\$(WIND_BASE)/host/\$(WIND_HOST_TYPE)/lib/gcc-lib/ -D_VSB_CONFIG_FILE=\"\$(WIND_BASE)/target/lib/h/config/vsbConfig.h\" -DL_ENDIAN -DCPU=PENTIUM4 -DTOOL_FAMILY=gnu -DTOOL=gnu -fno-builtin -fno-defer-pop -D_WRS_KERNEL -D_WRS_VX_SMP -I\$(WIND_BASE)/target/h -I\$(WIND_BASE)/target/h/wrn/coreip -DOPENSSL_NO_HW_PADLOCK:::VXWORKS:-r::${no_asm}::::::ranlibpentium:",
 
 ##### Compaq Non-Stop Kernel (Tandem)
 "tandem-c89","c89:-Ww -D__TANDEM -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -D_TANDEM_SOURCE -DB_ENDIAN::(unknown):::THIRTY_TWO_BIT:::",
@@ -623,14 +615,12 @@ my %table=(
 "uClinux-dist","$ENV{'CC'}:\$(CFLAGS)::-D_REENTRANT::\$(LDFLAGS) \$(LDLIBS):BN_LLONG:${no_asm}:$ENV{'LIBSSL_dlfcn'}:linux-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):$ENV{'RANLIB'}::",
 "uClinux-dist64","$ENV{'CC'}:\$(CFLAGS)::-D_REENTRANT::\$(LDFLAGS) \$(LDLIBS):SIXTY_FOUR_BIT_LONG:${no_asm}:$ENV{'LIBSSL_dlfcn'}:linux-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):$ENV{'RANLIB'}::",
 
-"c64xplus","cl6x:-mv6400+ -o2 -ox -ms -pden -DNO_SYS_TYPES_H -DGETPID_IS_MEANINGLESS -DMD32_REG_T=int -DOPENSSL_SMALL_FOOTPRINT:<c6x.h>::DSPBIOS::BN_LLONG:c64xpluscpuid.o:bn-c64xplus.o c64xplus-gf2m.o::aes-c64xplus.o aes_cbc.o aes_ctr.o:::sha1-c64xplus.o sha256-c64xplus.o sha512-c64xplus.o:::::::ghash-c64xplus.o::void:",
-
 );
 
 my @MK1MF_Builds=qw(VC-WIN64I VC-WIN64A
 		    debug-VC-WIN64I debug-VC-WIN64A
 		    VC-NT VC-CE VC-WIN32 debug-VC-WIN32
-		    BC-32 c64xplus
+		    BC-32 
 		    netware-clib netware-clib-bsdsock
 		    netware-libc netware-libc-bsdsock);
 
@@ -673,10 +663,8 @@ my $openssldir="";
 my $exe_ext="";
 my $install_prefix= "$ENV{'INSTALL_PREFIX'}";
 my $cross_compile_prefix="";
-my $fipslibdir="/usr/local/ssl/fips-2.0/lib/";
-my $nofipscanistercheck=0;
-my $fipscanisterinternal="n";
-my $fipscanisteronly = 0;
+my $fipsdir="/usr/local/ssl/fips-2.0";
+my $fipslibdir="";
 my $baseaddr="0xFB00000";
 my $no_threads=0;
 my $threads=0;
@@ -714,6 +702,12 @@ my $default_ranlib;
 my $perl;
 my $fips=0;
 
+if (exists $ENV{FIPSDIR})
+	{
+	$fipsdir = $ENV{FIPSDIR};
+	$fipsdir =~ s/\/$//;
+	}
+
 # All of the following is disabled by default (RC5 was enabled before 0.9.8):
 
 my %disabled = ( # "what"         => "comment" [or special keyword "experimental"]
@@ -723,6 +717,7 @@ my %disabled = ( # "what"         => "comment" [or special keyword "experimental
 		 "md2"            => "default",
 		 "rc5"            => "default",
 		 "rfc3779"	  => "default",
+		 "sctp"       => "default",
 		 "shared"         => "default",
 		 "store"	  => "experimental",
 		 "zlib"           => "default",
@@ -730,24 +725,9 @@ my %disabled = ( # "what"         => "comment" [or special keyword "experimental
 	       );
 my @experimental = ();
 
-# If ssl directory missing assume truncated FIPS tarball
-if (!-d "ssl")
-	{
-	print STDERR "Auto Configuring fipsonly\n";
-	$fips = 1;
-	$nofipscanistercheck = 1;
-	$fipslibdir="";
-	$fipscanisterinternal="y";
-	$fipscanisteronly = 2;
-	if (! -f "crypto/bn/bn_gf2m.c" )
-		{
-		$disabled{ec2m} = "forced";
-		}
-	}
-
 # This is what $depflags will look like with the above defaults
 # (we need this to see if we should advise the user to run "make depend"):
-my $default_depflags = " -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_STORE";
+my $default_depflags = " -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_STORE";
 
 # Explicit "no-..." options will be collected in %disabled along with the defaults.
 # To remove something from %disabled, use "enable-foo" (unless it's experimental).
@@ -805,6 +785,7 @@ PROCESS_ARGS:
 
 		# rewrite some options in "enable-..." form
 		s /^-?-?shared$/enable-shared/;
+		s /^sctp$/enable-sctp/;
 		s /^threads$/enable-threads/;
 		s /^zlib$/enable-zlib/;
 		s /^zlib-dynamic$/enable-zlib-dynamic/;
@@ -884,37 +865,6 @@ PROCESS_ARGS:
 			# The check for the option is there so scripts aren't
 			# broken
 			}
-		elsif (/^nofipscanistercheck$/)
-			{
-			$fips = 1;
-			$nofipscanistercheck = 1;
-			}
-		elsif (/^fipscheck$/)
-			{
-			if ($fipscanisteronly != 2)
-				{
-				print STDERR <<"EOF";
-ERROR: FIPS not autodetected. Not running from restricted tarball??
-EOF
-				exit(1);
-				}
-			}
-		elsif (/^fipscanisteronly$/)
-			{
-			$fips = 1;
-			$nofipscanistercheck = 1;
-			$fipslibdir="";
-			$fipscanisterinternal="y";
-			$fipscanisteronly = 1;
-			}
-		elsif (/^fipscanisterbuild$/)
-			{
-			$fips = 1;
-			$nofipscanistercheck = 1;
-			$fipslibdir="";
-			$fipscanisterinternal="y";
-			$fipscanisteronly = 1;
-			}
 		elsif (/^[-+]/)
 			{
 			if (/^-[lL](.*)$/ or /^-Wl,/)
@@ -954,9 +904,13 @@ EOF
 				{
 				$withargs{"zlib-include"}="-I$1";
 				}
+			elsif (/^--with-fipsdir=(.*)$/)
+				{
+				$fipsdir="$1";
+				}
 			elsif (/^--with-fipslibdir=(.*)$/)
 				{
-				$fipslibdir="$1/";
+				$fipslibdir="$1";
 				}
 			elsif (/^--with-baseaddr=(.*)$/)
 				{
@@ -1036,6 +990,17 @@ if (defined($disabled{"md5"}) || defined($disabled{"rsa"}))
 	$disabled{"ssl2"} = "forced";
 	}
 
+if ($fips && $fipslibdir eq "")
+	{
+	$fipslibdir = $fipsdir . "/lib/";
+	}
+
+# RSAX ENGINE sets default non-FIPS RSA method.
+if ($fips)
+	{
+	$disabled{"rsax"} = "forced";
+	}
+
 # SSL 3.0 and TLS requires MD5 and SHA and either RSA or DSA+DH
 if (defined($disabled{"md5"}) || defined($disabled{"sha"})
     || (defined($disabled{"rsa"})
@@ -1056,10 +1021,11 @@ if (defined($disabled{"ec"}) || defined($disabled{"dsa"})
 	$disabled{"gost"} = "forced";
 	}
 
-# SRP requires TLSEXT
+# SRP and HEARTBEATS require TLSEXT
 if (defined($disabled{"tlsext"}))
 	{
 	$disabled{"srp"} = "forced";
+	$disabled{"heartbeats"} = "forced";
 	}
 
 if ($target eq "TABLE") {
@@ -1085,10 +1051,6 @@ print "Configuring for $target\n";
 
 &usage if (!defined($table{$target}));
 
-if ($fips)
-	{
-	delete $disabled{"shared"} if ($disabled{"shared"} eq "default");
-	}
 
 foreach (sort (keys %disabled))
 	{
@@ -1135,6 +1097,8 @@ foreach (sort (keys %disabled))
 			else
 				{
 				push @skip, $algo;
+				# fix-up crypto/directory name(s)
+				@skip[$#skip]="whrlpool" if $algo eq "whirlpool";
 				print " (skip dir)";
 
 				$depflags .= " -DOPENSSL_NO_$ALGO";
@@ -1146,7 +1110,6 @@ foreach (sort (keys %disabled))
 	}
 
 my $exp_cflags = "";
-
 foreach (sort @experimental)
 	{
 	my $ALGO;
@@ -1162,24 +1125,7 @@ my $IsMK1MF=scalar grep /^$target$/,@MK1MF_Builds;
 $exe_ext=".exe" if ($target eq "Cygwin" || $target eq "DJGPP" || $target =~ /^mingw/);
 $exe_ext=".nlm" if ($target =~ /netware/);
 $exe_ext=".pm"  if ($target =~ /vos/);
-if ($openssldir eq "" and $prefix eq "")
-	{
-	if ($fips)
-		{
-		if (exists $ENV{FIPSDIR})
-			{
-			$openssldir="$ENV{FIPSDIR}";
-			}
-		else
-			{
-			$openssldir="/usr/local/ssl/fips-2.0";
-			}
-		}
-	else
-		{
-		$openssldir="/usr/local/ssl";
-		}
-	}
+$openssldir="/usr/local/ssl" if ($openssldir eq "" and $prefix eq "");
 $prefix=$openssldir if $prefix eq "";
 
 $default_ranlib= &which("ranlib") or $default_ranlib="true";
@@ -1187,10 +1133,6 @@ $perl=$ENV{'PERL'} or $perl=&which("perl5") or $perl=&which("perl")
   or $perl="perl";
 my $make = $ENV{'MAKE'} || "make";
 
-my $fips_auth_key = $ENV{'FIPS_AUTH_KEY'};
-my $fips_auth_officer = $ENV{'FIPS_AUTH_OFFICER'};
-my $fips_auth_user = $ENV{'FIPS_AUTH_USER'};
-
 $cross_compile_prefix=$ENV{'CROSS_COMPILE'} if $cross_compile_prefix eq "";
 
 chop $openssldir if $openssldir =~ /\/$/;
@@ -1390,12 +1332,6 @@ if ($no_asm)
 	$cpuid_obj=$bn_obj=
 	$des_obj=$aes_obj=$bf_obj=$cast_obj=$rc4_obj=$rc5_obj=$cmll_obj=
 	$modes_obj=$sha1_obj=$md5_obj=$rmd160_obj=$wp_obj=$engines_obj="";
-	$cflags=~s/\-D[BL]_ENDIAN//		if ($fips);
-	$thread_cflags=~s/\-D[BL]_ENDIAN//	if ($fips);
-	}
-elsif (defined($disabled{ec2m}))
-	{
-	$bn_obj =~ s/\w+-gf2m.o//;
 	}
 
 if (!$no_shared)
@@ -1433,7 +1369,7 @@ if ($zlib)
 my $shared_mark = "";
 if ($shared_target eq "")
 	{
-	$no_shared_warn = 1 if !$no_shared && !$fips;
+	$no_shared_warn = 1 if !$no_shared;
 	$no_shared = 1;
 	}
 if (!$no_shared)
@@ -1533,11 +1469,7 @@ $cflags.=" -DOPENSSL_BN_ASM_GF2m" if ($bn_obj =~ /-gf2m/);
 if ($fips)
 	{
 	$openssl_other_defines.="#define OPENSSL_FIPS\n";
-	if ($fipscanisterinternal eq "y")
-		{
-		$openssl_other_defines.="#define OPENSSL_FIPSCANISTER\n";
-		$cflags = "-DOPENSSL_FIPSCANISTER $cflags";
-		}
+	$cflags .= " -I\$(FIPSDIR)/include";
 	}
 
 $cpuid_obj="mem_clr.o"	unless ($cpuid_obj =~ /\.o$/);
@@ -1571,12 +1503,13 @@ if ($rmd160_obj =~ /\.o$/)
 	}
 if ($aes_obj =~ /\.o$/)
 	{
-	 $cflags.=" -DAES_ASM" if ($aes_obj =~ m/\baes\-/);
-	# aes_ctr.o is not a real file, only indication that assembler
+	$cflags.=" -DAES_ASM";
+	# aes-ctr.o is not a real file, only indication that assembler
 	# module implements AES_ctr32_encrypt...
-	$cflags.=" -DAES_CTR_ASM" if ($aes_obj =~ s/\s*aes_ctr\.o//);
+	$cflags.=" -DAES_CTR_ASM" if ($aes_obj =~ s/\s*aes\-ctr\.o//);
+	# aes-xts.o indicates presense of AES_xts_[en|de]crypt...
+	$cflags.=" -DAES_XTS_ASM" if ($aes_obj =~ s/\s*aes\-xts\.o//);
 	$aes_obj =~ s/\s*(vpaes|aesni)\-x86\.o//g if ($no_sse2);
-	$aes_obj =~ s/\s*(vp|bs)aes-\w*\.o//g if ($fipscanisterinternal eq "y");
 	$cflags.=" -DVPAES_ASM" if ($aes_obj =~ m/vpaes/);
 	$cflags.=" -DBSAES_ASM" if ($aes_obj =~ m/bsaes/);
 	}
@@ -1584,7 +1517,7 @@ else	{
 	$aes_obj=$aes_enc;
 	}
 $wp_obj="" if ($wp_obj =~ /mmx/ && $processor eq "386");
-if ($wp_obj =~ /\.o$/)
+if ($wp_obj =~ /\.o$/ && !$disabled{"whirlpool"})
 	{
 	$cflags.=" -DWHIRLPOOL_ASM";
 	}
@@ -1592,7 +1525,7 @@ else	{
 	$wp_obj="wp_block.o";
 	}
 $cmll_obj=$cmll_enc	unless ($cmll_obj =~ /.o$/);
-if ($modes_obj =~ /ghash\-/)
+if ($modes_obj =~ /ghash/)
 	{
 	$cflags.=" -DGHASH_ASM";
 	}
@@ -1643,35 +1576,11 @@ if ($strict_warnings)
 		}
 	}
 
-if ($fipscanisterinternal eq "y")
-	{
-	open(IN,"<fips/fips_auth.in") || die "can't open fips_auth.in";
-	open(OUT,">fips/fips_auth.h") || die "can't open fips_auth.h";
-	while(<IN>)
-		{
-		s/FIPS_AUTH_KEY.*$/FIPS_AUTH_KEY $fips_auth_key/ if defined $fips_auth_key;
-		s/FIPS_AUTH_CRYPTO_OFFICER.*$/FIPS_AUTH_CRYPTO_OFFICER $fips_auth_officer/ if defined $fips_auth_officer;
-		s/FIPS_AUTH_CRYPTO_USER.*$/FIPS_AUTH_CRYPTO_USER $fips_auth_user/ if defined $fips_auth_user;
-		print OUT $_;
-		}
-	close IN;
-	close OUT;
-	}
-
-my $mforg = $fipscanisteronly ? "Makefile.fips" : "Makefile.org";
-
-open(IN,"<$mforg") || die "unable to read $mforg:$!\n";
+open(IN,'<Makefile.org') || die "unable to read Makefile.org:$!\n";
 unlink("$Makefile.new") || die "unable to remove old $Makefile.new:$!\n" if -e "$Makefile.new";
 open(OUT,">$Makefile.new") || die "unable to create $Makefile.new:$!\n";
-print OUT "### Generated automatically from $mforg by Configure.\n\n";
+print OUT "### Generated automatically from Makefile.org by Configure.\n\n";
 my $sdirs=0;
-
-if ($fipscanisteronly)
-	{
-	$aes_obj =~ s/aesni-sha1-x86_64.o//;
-	$bn_obj =~ s/modexp512-x86_64.o//;
-	}
-
 while (<IN>)
 	{
 	chomp;
@@ -1684,7 +1593,6 @@ while (<IN>)
 			}
 		}
 	$sdirs = 0 unless /\\$/;
-        s/fips // if (/^DIRS=/ && !$fips);
         s/engines // if (/^DIRS=/ && $disabled{"engine"});
 	s/ccgost// if (/^ENGDIRS=/ && $disabled{"gost"});
 	s/^VERSION=.*/VERSION=$version/;
@@ -1745,12 +1653,12 @@ while (<IN>)
 	s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/;
 	s/^LIBZLIB=.*/LIBZLIB=$withargs{"zlib-lib"}/;
 	s/^ZLIB_INCLUDE=.*/ZLIB_INCLUDE=$withargs{"zlib-include"}/;
+
+	s/^FIPSDIR=.*/FIPSDIR=$fipsdir/;
 	s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/;
 	s/^FIPSCANLIB=.*/FIPSCANLIB=libcrypto/ if $fips;
-	s/^SHARED_FIPS=.*/SHARED_FIPS=/;
-	s/^SHLIBDIRS=.*/SHLIBDIRS= crypto ssl/;
-	s/^FIPSCANISTERINTERNAL=.*/FIPSCANISTERINTERNAL=$fipscanisterinternal/;
 	s/^BASEADDR=.*/BASEADDR=$baseaddr/;
+
 	s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
 	s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
 	s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared);
@@ -1773,10 +1681,6 @@ while (<IN>)
 		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.\$(SHLIB_MAJOR).dylib .dylib/;
 		}
 	s/^SHARED_LDFLAGS=.*/SHARED_LDFLAGS=$shared_ldflag/;
-	if ($fipscanisteronly && exists $disabled{"ec2m"})
-		{
-		next if (/ec2_/ || /bn_gf2m/);
-		}
 	print OUT $_."\n";
 	}
 close(IN);
@@ -2015,9 +1919,7 @@ EOF
 	$make_targets .= " gentests" if $symlink;
 	(system $make_command.$make_targets) == 0 or exit $?
 		if $make_targets ne "";
-	if ( $fipscanisteronly )
-		{}
-	elsif ( $perl =~ m@^/@) {
+	if ( $perl =~ m@^/@) {
 	    &dofile("tools/c_rehash",$perl,'^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";', '^my \$prefix;$', 'my $prefix = "' . $prefix . '";');
 	    &dofile("apps/CA.pl",$perl,'^#!/', '#!%s');
 	} else {
@@ -2025,7 +1927,7 @@ EOF
 	    &dofile("tools/c_rehash",'/usr/local/bin/perl','^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";',  '^my \$prefix;$', 'my $prefix = "' . $prefix . '";');
 	    &dofile("apps/CA.pl",'/usr/local/bin/perl','^#!/', '#!%s');
 	}
-	if ($depflags ne $default_depflags && !$make_depend && !$fipscanisteronly) {
+	if ($depflags ne $default_depflags && !$make_depend) {
 		print <<EOF;
 
 Since you've disabled or enabled at least one algorithm, you need to do
@@ -2068,16 +1970,9 @@ BEGIN
     BEGIN
 	BLOCK "040904b0"
 	BEGIN
-#if defined(FIPS)
-	    VALUE "Comments", "WARNING: TEST VERSION ONLY ***NOT*** FIPS 140-2 VALIDATED.\\0"
-#endif
 	    // Required:	    
 	    VALUE "CompanyName", "The OpenSSL Project, http://www.openssl.org/\\0"
-#if defined(FIPS)
-	    VALUE "FileDescription", "TEST UNVALIDATED FIPS140-2 DLL\\0"
-#else
 	    VALUE "FileDescription", "OpenSSL Shared Library\\0"
-#endif
 	    VALUE "FileVersion", "$version\\0"
 #if defined(CRYPTO)
 	    VALUE "InternalName", "libeay32\\0"
@@ -2085,9 +1980,6 @@ BEGIN
 #elif defined(SSL)
 	    VALUE "InternalName", "ssleay32\\0"
 	    VALUE "OriginalFilename", "ssleay32.dll\\0"
-#elif defined(FIPS)
-	    VALUE "InternalName", "libosslfips\\0"
-	    VALUE "OriginalFilename", "libosslfips.dll\\0"
 #endif
 	    VALUE "ProductName", "The OpenSSL Toolkit\\0"
 	    VALUE "ProductVersion", "$version\\0"
@@ -2130,21 +2022,6 @@ libraries on this platform, they will at least look at it and try their best
 (but please first make sure you have tried with a current version of OpenSSL).
 EOF
 
-print <<\EOF if ($fipscanisterinternal eq "y");
-
-WARNING: OpenSSL has been configured using unsupported option(s) to internally
-generate a fipscanister.o object module for TESTING PURPOSES ONLY; that
-compiled module is NOT FIPS 140-2 validated and CANNOT be used to replace the
-OpenSSL FIPS Object Module as identified by the CMVP
-(http://csrc.nist.gov/cryptval/) in any application requiring the use of FIPS
-140-2 validated software. 
-
-This is a test OpenSSL 2.0 FIPS module.
-
-See the file README.FIPS for details of how to build a test library.
-
-EOF
-
 exit(0);
 
 sub usage

FAQ

@@ -10,6 +10,7 @@ OpenSSL  -  Frequently Asked Questions
 * Why aren't tools like 'autoconf' and 'libtool' used?
 * What is an 'engine' version?
 * How do I check the authenticity of the OpenSSL distribution?
+* How does the versioning scheme work?
 
 [LEGAL] Legal questions
 
@@ -82,11 +83,11 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 1.0.0e was released on Sep 6th, 2011.
+OpenSSL 1.0.1e was released on Feb 11th, 2013.
 
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
-ftp://ftp.openssl.org/snapshot/>, or get it by anonymous CVS access.
+ftp://ftp.openssl.org/snapshot/>, or get it by anonymous Git access.
 
 
 * Where is the documentation?
@@ -108,7 +109,9 @@ In addition, you can read the most current versions at
 <URL: http://www.openssl.org/docs/>. Note that the online documents refer
 to the very latest development versions of OpenSSL and may include features
 not present in released versions. If in doubt refer to the documentation
-that came with the version of OpenSSL you are using.
+that came with the version of OpenSSL you are using. The pod format
+documentation is included in each OpenSSL distribution under the docs
+directory.
 
 For information on parts of libcrypto that are not yet documented, you
 might want to read Ariel Glenn's documentation on SSLeay 0.9, OpenSSL's
@@ -173,6 +176,19 @@ just do:
 
    pgp TARBALL.asc
 
+* How does the versioning scheme work?
+
+After the release of OpenSSL 1.0.0 the versioning scheme changed. Letter 
+releases (e.g. 1.0.1a) can only contain bug and security fixes and no
+new features. Minor releases change the last number (e.g. 1.0.2) and 
+can contain new features that retain binary compatibility. Changes to
+the middle number are considered major releases and neither source nor
+binary compatibility is guaranteed.
+
+Therefore the answer to the common question "when will feature X be
+backported to OpenSSL 1.0.0/0.9.8?" is "never" but it could appear
+in the next minor release.
+
 [LEGAL] =======================================================================
 
 * Do I need patent licenses to use OpenSSL?
@@ -284,7 +300,7 @@ current directory in this case, but this has changed with 0.9.6a.)
 Check out the CA.pl(1) manual page. This provides a simple wrapper round
 the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check
 out the manual pages for the individual utilities and the certificate
-extensions documentation (currently in doc/openssl.txt).
+extensions documentation (in ca(1), req(1), x509v3_config(5) )
 
 
 * Why can't I create certificate requests?
@@ -752,6 +768,9 @@ openssl-security@openssl.org if you don't get a prompt reply at least
 acknowledging receipt then resend or mail it directly to one of the
 more active team members (e.g. Steve).
 
+Note that bugs only present in the openssl utility are not in general
+considered to be security issues. 
+
 [PROG] ========================================================================
 
 * Is OpenSSL thread-safe?

INSTALL

@@ -103,6 +103,12 @@
                 define preprocessor symbols, specify additional libraries,
                 library directories or other compiler options.
 
+  -DHAVE_CRYPTODEV Enable the BSD cryptodev engine even if we are not using
+		BSD. Useful if you are running ocf-linux or something
+		similar. Once enabled you can also enable the use of
+		cryptodev digests, which is usually slower unless you have
+		large amounts data. Use -DUSE_CRYPTODEV_DIGESTS to force
+		it.
 
  Installation in Detail
  ----------------------

INSTALL.W32

@@ -29,7 +29,7 @@
   is required if you intend to utilize assembler modules. Note that NASM
   is now the only supported assembler.
 
- If you are compiling from a tarball or a CVS snapshot then the Win32 files
+ If you are compiling from a tarball or a Git snapshot then the Win32 files
  may well be not up to date. This may mean that some "tweaking" is required to
  get it all to work. See the trouble shooting section later on for if (when?)
  it goes wrong.
@@ -257,7 +257,7 @@
 
  then ms\do_XXX should not give a warning any more. However the numbers that
  get assigned by this technique may not match those that eventually get
- assigned in the CVS tree: so anything linked against this version of the
+ assigned in the Git tree: so anything linked against this version of the
  library may need to be recompiled.
 
  If you get errors about unresolved symbols there are several possible

MacOS/GUSI_Init.cpp

@@ -0,0 +1,62 @@
+/**************** BEGIN GUSI CONFIGURATION ****************************
+ *
+ * GUSI Configuration section generated by GUSI Configurator
+ * last modified: Wed Jan  5 20:33:51 2000
+ *
+ * This section will be overwritten by the next run of Configurator.
+ */
+
+#define GUSI_SOURCE
+#include <GUSIConfig.h>
+#include <sys/cdefs.h>
+
+/* Declarations of Socket Factories */
+
+__BEGIN_DECLS
+void GUSIwithInetSockets();
+void GUSIwithLocalSockets();
+void GUSIwithMTInetSockets();
+void GUSIwithMTTcpSockets();
+void GUSIwithMTUdpSockets();
+void GUSIwithOTInetSockets();
+void GUSIwithOTTcpSockets();
+void GUSIwithOTUdpSockets();
+void GUSIwithPPCSockets();
+void GUSISetupFactories();
+__END_DECLS
+
+/* Configure Socket Factories */
+
+void GUSISetupFactories()
+{
+#ifdef GUSISetupFactories_BeginHook
+	GUSISetupFactories_BeginHook
+#endif
+	GUSIwithInetSockets();
+#ifdef GUSISetupFactories_EndHook
+	GUSISetupFactories_EndHook
+#endif
+}
+
+/* Declarations of File Devices */
+
+__BEGIN_DECLS
+void GUSIwithDConSockets();
+void GUSIwithNullSockets();
+void GUSISetupDevices();
+__END_DECLS
+
+/* Configure File Devices */
+
+void GUSISetupDevices()
+{
+#ifdef GUSISetupDevices_BeginHook
+	GUSISetupDevices_BeginHook
+#endif
+	GUSIwithNullSockets();
+#ifdef GUSISetupDevices_EndHook
+	GUSISetupDevices_EndHook
+#endif
+}
+
+/**************** END GUSI CONFIGURATION *************************/

MacOS/GetHTTPS.src/CPStringUtils.hpp

@@ -0,0 +1,104 @@
+#pragma once
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+void CopyPStrToCStr(const unsigned char *thePStr,char *theCStr,const int maxCStrLength);
+void CopyPStrToPStr(const unsigned char *theSrcPStr,unsigned char *theDstPStr,const int maxDstStrLength);
+void CopyCStrToCStr(const char *theSrcCStr,char *theDstCStr,const int maxDstStrLength);
+void CopyCStrToPStr(const char *theSrcCStr,unsigned char *theDstPStr,const int maxDstStrLength);
+void ConcatPStrToCStr(const unsigned char *thePStr,char *theCStr,const int maxCStrLength);
+void ConcatPStrToPStr(const unsigned char *theSrcPStr,unsigned char *theDstPStr,const int maxDstStrLength);
+void ConcatCStrToPStr(const char *theSrcCStr,unsigned char *theDstPStr,const int maxDstStrLength);
+void ConcatCStrToCStr(const char *theSrcCStr,char *theDstCStr,const int maxCStrLength);
+
+void ConcatCharToCStr(const char theChar,char *theDstCStr,const int maxCStrLength);
+void ConcatCharToPStr(const char theChar,unsigned char *theDstPStr,const int maxPStrLength);
+
+int ComparePStrs(const unsigned char *theFirstPStr,const unsigned char *theSecondPStr,const Boolean ignoreCase = true);
+int CompareCStrs(const char *theFirstCStr,const char *theSecondCStr,const Boolean ignoreCase = true);
+int CompareCStrToPStr(const char *theCStr,const unsigned char *thePStr,const Boolean ignoreCase = true);
+
+Boolean CStrsAreEqual(const char *theFirstCStr,const char *theSecondCStr,const Boolean ignoreCase = true);
+Boolean PStrsAreEqual(const unsigned char *theFirstCStr,const unsigned char *theSecondCStr,const Boolean ignoreCase = true);
+
+void CopyLongIntToCStr(const long theNum,char *theCStr,const int maxCStrLength,const int numDigits = -1);
+void CopyUnsignedLongIntToCStr(const unsigned long theNum,char *theCStr,const int maxCStrLength);
+void ConcatLongIntToCStr(const long theNum,char *theCStr,const int maxCStrLength,const int numDigits = -1);
+void CopyCStrAndConcatLongIntToCStr(const char *theSrcCStr,const long theNum,char *theDstCStr,const int maxDstStrLength);
+
+void CopyLongIntToPStr(const long theNum,unsigned char *thePStr,const int maxPStrLength,const int numDigits = -1);
+void ConcatLongIntToPStr(const long theNum,unsigned char *thePStr,const int maxPStrLength,const int numDigits = -1);
+
+long CStrLength(const char *theCString);
+long PStrLength(const unsigned char *thePString);
+
+OSErr CopyCStrToExistingHandle(const char *theCString,Handle theHandle);
+OSErr CopyLongIntToExistingHandle(const long inTheLongInt,Handle theHandle);
+
+OSErr CopyCStrToNewHandle(const char *theCString,Handle *theHandle);
+OSErr CopyPStrToNewHandle(const unsigned char *thePString,Handle *theHandle);
+OSErr CopyLongIntToNewHandle(const long inTheLongInt,Handle *theHandle);
+
+OSErr AppendCStrToHandle(const char *theCString,Handle theHandle,long *currentLength = nil,long *maxLength = nil);
+OSErr AppendCharsToHandle(const char *theChars,const int numChars,Handle theHandle,long *currentLength = nil,long *maxLength = nil);
+OSErr AppendPStrToHandle(const unsigned char *thePString,Handle theHandle,long *currentLength = nil);
+OSErr AppendLongIntToHandle(const long inTheLongInt,Handle theHandle,long *currentLength = nil);
+
+void ZeroMem(void *theMemPtr,const unsigned long numBytes);
+
+char *FindCharInCStr(const char theChar,const char *theCString);
+long FindCharOffsetInCStr(const char theChar,const char *theCString,const Boolean inIgnoreCase = false);
+long FindCStrOffsetInCStr(const char *theCSubstring,const char *theCString,const Boolean inIgnoreCase = false);
+
+void CopyCSubstrToCStr(const char *theSrcCStr,const int maxCharsToCopy,char *theDstCStr,const int maxDstStrLength);
+void CopyCSubstrToPStr(const char *theSrcCStr,const int maxCharsToCopy,unsigned char *theDstPStr,const int maxDstStrLength);
+
+void InsertCStrIntoCStr(const char *theSrcCStr,const int theInsertionOffset,char *theDstCStr,const int maxDstStrLength);
+void InsertPStrIntoCStr(const unsigned char *theSrcPStr,const int theInsertionOffset,char *theDstCStr,const int maxDstStrLength);
+OSErr InsertCStrIntoHandle(const char *theCString,Handle theHandle,const long inInsertOffset);
+
+void CopyCStrAndInsertCStrIntoCStr(const char *theSrcCStr,const char *theInsertCStr,char *theDstCStr,const int maxDstStrLength);
+
+void CopyCStrAndInsertCStrsLongIntsIntoCStr(const char *theSrcCStr,const char **theInsertCStrs,const long *theLongInts,char *theDstCStr,const int maxDstStrLength);
+
+void CopyCStrAndInsert1LongIntIntoCStr(const char *theSrcCStr,const long theNum,char *theDstCStr,const int maxDstStrLength);
+void CopyCStrAndInsert2LongIntsIntoCStr(const char *theSrcCStr,const long long1,const long long2,char *theDstCStr,const int maxDstStrLength);
+void CopyCStrAndInsert3LongIntsIntoCStr(const char *theSrcCStr,const long long1,const long long2,const long long3,char *theDstCStr,const int maxDstStrLength);
+
+void CopyCStrAndInsertCStrLongIntIntoCStr(const char *theSrcCStr,const char *theInsertCStr,const long theNum,char *theDstCStr,const int maxDstStrLength);
+OSErr CopyCStrAndInsertCStrLongIntIntoHandle(const char *theSrcCStr,const char *theInsertCStr,const long theNum,Handle *theHandle);
+
+
+OSErr CopyIndexedWordToCStr(char *theSrcCStr,int whichWord,char *theDstCStr,int maxDstCStrLength);
+OSErr CopyIndexedWordToNewHandle(char *theSrcCStr,int whichWord,Handle *outTheHandle);
+
+OSErr CopyIndexedLineToCStr(const char *theSrcCStr,int inWhichLine,int *lineEndIndex,Boolean *gotLastLine,char *theDstCStr,const int maxDstCStrLength);
+OSErr CopyIndexedLineToNewHandle(const char *theSrcCStr,int inWhichLine,Handle *outNewHandle);
+
+OSErr ExtractIntFromCStr(const char *theSrcCStr,int *outInt,Boolean skipLeadingSpaces = true);
+OSErr ExtractIntFromPStr(const unsigned char *theSrcPStr,int *outInt,Boolean skipLeadingSpaces = true);
+
+
+void ConvertCStrToUpperCase(char *theSrcCStr);
+
+
+int CountOccurencesOfCharInCStr(const char inChar,const char *inSrcCStr);
+int CountWordsInCStr(const char *inSrcCStr);
+
+OSErr CountDigits(const char *inCStr,int *outNumIntegerDigits,int *outNumFractDigits);
+
+void ExtractCStrItemFromCStr(const char *inSrcCStr,const char inItemDelimiter,const int inItemNumber,Boolean *foundItem,char *outDstCharPtr,const int inDstCharPtrMaxLength,const Boolean inTreatMultipleDelimsAsSingleDelim = false);
+OSErr ExtractCStrItemFromCStrIntoNewHandle(const char *inSrcCStr,const char inItemDelimiter,const int inItemNumber,Boolean *foundItem,Handle *outNewHandle,const Boolean inTreatMultipleDelimsAsSingleDelim = false);
+
+
+OSErr ExtractFloatFromCStr(const char *inCString,extended80 *outFloat);
+OSErr CopyFloatToCStr(const extended80 *theFloat,char *theCStr,const int maxCStrLength,const int inMaxNumIntDigits = -1,const int inMaxNumFractDigits = -1);
+
+void SkipWhiteSpace(char **ioSrcCharPtr,const Boolean inStopAtEOL = false);
+
+
+#ifdef __cplusplus
+}
+#endif

MacOS/GetHTTPS.src/ErrorHandling.cpp

@@ -1,9 +1,5 @@
-/* fips_dsa_sign.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2007.
- */
 /* ====================================================================
- * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-1999 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -20,12 +16,12 @@
  * 3. All advertising materials mentioning features or use of this
  *    software must display the following acknowledgment:
  *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  *
  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  *    endorse or promote products derived from this software without
  *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
+ *    openssl-core@openssl.org.
  *
  * 5. Products derived from this software may not be called "OpenSSL"
  *    nor may "OpenSSL" appear in their names without prior written
@@ -34,7 +30,7 @@
  * 6. Redistributions of any form whatsoever must retain the following
  *    acknowledgment:
  *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  *
  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -55,87 +51,120 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
+ 
+ 
+ 
+ #include "ErrorHandling.hpp"
+#include "CPStringUtils.hpp"
 
-#define OPENSSL_FIPSAPI
+#ifdef __EXCEPTIONS_ENABLED__
+	#include "CMyException.hpp"
+#endif
 
-#include <string.h>
-#include <openssl/evp.h>
-#include <openssl/dsa.h>
-#include <openssl/err.h>
-#include <openssl/sha.h>
-#include <openssl/bn.h>
 
-#ifdef OPENSSL_FIPS
+static char					gErrorMessageBuffer[512];
 
-/* FIPS versions of DSA_sign() and DSA_verify().
- * Handle DSA_SIG structures to avoid need to handle ASN1.
- */
+char 						*gErrorMessage = gErrorMessageBuffer;
+int							gErrorMessageMaxLength = sizeof(gErrorMessageBuffer);
 
-DSA_SIG * FIPS_dsa_sign_ctx(DSA *dsa, EVP_MD_CTX *ctx)
+
+
+void SetErrorMessage(const char *theErrorMessage)
+{
+	if (theErrorMessage != nil)
 	{
-	DSA_SIG *s;
-	unsigned char dig[EVP_MAX_MD_SIZE];
-	unsigned int dlen;
-        FIPS_digestfinal(ctx, dig, &dlen);
-	s = dsa->meth->dsa_do_sign(dig,dlen,dsa);
-	OPENSSL_cleanse(dig, dlen);
-	return s;
+		CopyCStrToCStr(theErrorMessage,gErrorMessage,gErrorMessageMaxLength);
+	}
+}
+
+
+void SetErrorMessageAndAppendLongInt(const char *theErrorMessage,const long theLongInt)
+{
+	if (theErrorMessage != nil)
+	{
+		CopyCStrAndConcatLongIntToCStr(theErrorMessage,theLongInt,gErrorMessage,gErrorMessageMaxLength);
+	}
+}
+
+void SetErrorMessageAndCStrAndLongInt(const char *theErrorMessage,const char * theCStr,const long theLongInt)
+{
+	if (theErrorMessage != nil)
+	{
+		CopyCStrAndInsertCStrLongIntIntoCStr(theErrorMessage,theCStr,theLongInt,gErrorMessage,gErrorMessageMaxLength);
 	}
 
-DSA_SIG * FIPS_dsa_sign_digest(DSA *dsa, const unsigned char *dig, int dlen)
-	{
-	if (FIPS_selftest_failed())
-		{
-		FIPSerr(FIPS_F_FIPS_DSA_SIGN_DIGEST, FIPS_R_SELFTEST_FAILED);
-		return NULL;
-		}
-	return dsa->meth->dsa_do_sign(dig, dlen, dsa);
-	}
+}
 
-int FIPS_dsa_verify_ctx(DSA *dsa, EVP_MD_CTX *ctx, DSA_SIG *s)
+void SetErrorMessageAndCStr(const char *theErrorMessage,const char * theCStr)
+{
+	if (theErrorMessage != nil)
 	{
-	int ret=-1;
-	unsigned char dig[EVP_MAX_MD_SIZE];
-	unsigned int dlen;
-        FIPS_digestfinal(ctx, dig, &dlen);
-	ret=dsa->meth->dsa_do_verify(dig,dlen,s,dsa);
-	OPENSSL_cleanse(dig, dlen);
-	return ret;
+		CopyCStrAndInsertCStrLongIntIntoCStr(theErrorMessage,theCStr,-1,gErrorMessage,gErrorMessageMaxLength);
 	}
+}
 
-int FIPS_dsa_verify_digest(DSA *dsa,
-				const unsigned char *dig, int dlen, DSA_SIG *s)
-	{
-	if (FIPS_selftest_failed())
-		{
-		FIPSerr(FIPS_F_FIPS_DSA_VERIFY_DIGEST, FIPS_R_SELFTEST_FAILED);
-		return -1;
-		}
-	return dsa->meth->dsa_do_verify(dig,dlen,s,dsa);
-	}
 
-int FIPS_dsa_verify(DSA *dsa, const unsigned char *msg, size_t msglen,
-			const EVP_MD *mhash, DSA_SIG *s)
+void AppendCStrToErrorMessage(const char *theErrorMessage)
+{
+	if (theErrorMessage != nil)
 	{
-	int ret=-1;
-	unsigned char dig[EVP_MAX_MD_SIZE];
-	unsigned int dlen;
-        FIPS_digest(msg, msglen, dig, &dlen, mhash);
-	ret=FIPS_dsa_verify_digest(dsa, dig, dlen, s);
-	OPENSSL_cleanse(dig, dlen);
-	return ret;
+		ConcatCStrToCStr(theErrorMessage,gErrorMessage,gErrorMessageMaxLength);
 	}
+}
 
-DSA_SIG * FIPS_dsa_sign(DSA *dsa, const unsigned char *msg, size_t msglen,
-			const EVP_MD *mhash)
-	{
-	DSA_SIG *s;
-	unsigned char dig[EVP_MAX_MD_SIZE];
-	unsigned int dlen;
-        FIPS_digest(msg, msglen, dig, &dlen, mhash);
-	s = FIPS_dsa_sign_digest(dsa, dig, dlen);
-	OPENSSL_cleanse(dig, dlen);
-	return s;
-	}
+
+void AppendLongIntToErrorMessage(const long theLongInt)
+{
+	ConcatLongIntToCStr(theLongInt,gErrorMessage,gErrorMessageMaxLength);
+}
+
+
+
+char *GetErrorMessage(void)
+{
+	return gErrorMessage;
+}
+
+
+OSErr GetErrorMessageInNewHandle(Handle *inoutHandle)
+{
+OSErr		errCode;
+
+
+	errCode = CopyCStrToNewHandle(gErrorMessage,inoutHandle);
+	
+	return(errCode);
+}
+
+
+OSErr GetErrorMessageInExistingHandle(Handle inoutHandle)
+{
+OSErr		errCode;
+
+
+	errCode = CopyCStrToExistingHandle(gErrorMessage,inoutHandle);
+	
+	return(errCode);
+}
+
+
+
+OSErr AppendErrorMessageToHandle(Handle inoutHandle)
+{
+OSErr		errCode;
+
+
+	errCode = AppendCStrToHandle(gErrorMessage,inoutHandle,nil);
+	
+	return(errCode);
+}
+
+
+#ifdef __EXCEPTIONS_ENABLED__
+
+void ThrowErrorMessageException(void)
+{
+	ThrowDescriptiveException(gErrorMessage);
+}
 
 #endif

MacOS/GetHTTPS.src/ErrorHandling.hpp

@@ -0,0 +1,147 @@
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#ifndef kGenericError
+	#define kGenericError		-1
+#endif
+
+extern char	*gErrorMessage;
+
+
+void SetErrorMessage(const char *theErrorMessage);
+void SetErrorMessageAndAppendLongInt(const char *theErrorMessage,const long theLongInt);
+void SetErrorMessageAndCStrAndLongInt(const char *theErrorMessage,const char * theCStr,const long theLongInt);
+void SetErrorMessageAndCStr(const char *theErrorMessage,const char * theCStr);
+void AppendCStrToErrorMessage(const char *theErrorMessage);
+void AppendLongIntToErrorMessage(const long theLongInt);
+
+
+char *GetErrorMessage(void);
+OSErr GetErrorMessageInNewHandle(Handle *inoutHandle);
+OSErr GetErrorMessageInExistingHandle(Handle inoutHandle);
+OSErr AppendErrorMessageToHandle(Handle inoutHandle);
+
+
+#ifdef __EXCEPTIONS_ENABLED__
+	void ThrowErrorMessageException(void);
+#endif
+
+
+
+//	A bunch of evil macros that would be unnecessary if I were always using C++ !
+
+#define SetErrorMessageAndBailIfNil(theArg,theMessage)								\
+{																					\
+	if (theArg == nil)																\
+	{																				\
+		SetErrorMessage(theMessage);												\
+		errCode = kGenericError;													\
+		goto EXITPOINT;																\
+	}																				\
+}
+
+
+#define SetErrorMessageAndBail(theMessage)											\
+{																					\
+		SetErrorMessage(theMessage);												\
+		errCode = kGenericError;													\
+		goto EXITPOINT;																\
+}
+
+
+#define SetErrorMessageAndLongIntAndBail(theMessage,theLongInt)						\
+{																					\
+		SetErrorMessageAndAppendLongInt(theMessage,theLongInt);						\
+		errCode = kGenericError;													\
+		goto EXITPOINT;																\
+}
+
+
+#define SetErrorMessageAndLongIntAndBailIfError(theErrCode,theMessage,theLongInt)	\
+{																					\
+	if (theErrCode != noErr)														\
+	{																				\
+		SetErrorMessageAndAppendLongInt(theMessage,theLongInt);						\
+		errCode = theErrCode;														\
+		goto EXITPOINT;																\
+	}																				\
+}
+
+
+#define SetErrorMessageCStrLongIntAndBailIfError(theErrCode,theMessage,theCStr,theLongInt)	\
+{																					\
+	if (theErrCode != noErr)														\
+	{																				\
+		SetErrorMessageAndCStrAndLongInt(theMessage,theCStr,theLongInt);			\
+		errCode = theErrCode;														\
+		goto EXITPOINT;																\
+	}																				\
+}
+
+
+#define SetErrorMessageAndCStrAndBail(theMessage,theCStr)							\
+{																					\
+	SetErrorMessageAndCStr(theMessage,theCStr);										\
+	errCode = kGenericError;														\
+	goto EXITPOINT;																	\
+}
+
+
+#define SetErrorMessageAndBailIfError(theErrCode,theMessage)						\
+{																					\
+	if (theErrCode != noErr)														\
+	{																				\
+		SetErrorMessage(theMessage);												\
+		errCode = theErrCode;														\
+		goto EXITPOINT;																\
+	}																				\
+}
+
+
+#define SetErrorMessageAndLongIntAndBailIfNil(theArg,theMessage,theLongInt)			\
+{																					\
+	if (theArg == nil)																\
+	{																				\
+		SetErrorMessageAndAppendLongInt(theMessage,theLongInt);						\
+		errCode = kGenericError;													\
+		goto EXITPOINT;																\
+	}																				\
+}
+
+
+#define BailIfError(theErrCode)														\
+{																					\
+	if ((theErrCode) != noErr)														\
+	{																				\
+		goto EXITPOINT;																\
+	}																				\
+}
+
+
+#define SetErrCodeAndBail(theErrCode)												\
+{																					\
+	errCode = theErrCode;															\
+																					\
+	goto EXITPOINT;																	\
+}
+
+
+#define SetErrorCodeAndMessageAndBail(theErrCode,theMessage)						\
+{																					\
+	SetErrorMessage(theMessage);													\
+	errCode = theErrCode;															\
+	goto EXITPOINT;																	\
+}
+
+
+#define BailNow()																	\
+{																					\
+	errCode = kGenericError;														\
+	goto EXITPOINT;																	\
+}
+
+
+#ifdef __cplusplus
+}
+#endif

MacOS/GetHTTPS.src/GetHTTPS.cpp

@@ -0,0 +1,209 @@
+/*
+ *	An demo illustrating how to retrieve a URI from a secure HTTP server.
+ *
+ *	Author: 	Roy Wood
+ *	Date:		September 7, 1999
+ *	Comments:	This relies heavily on my MacSockets library.
+ *				This project is also set up so that it expects the OpenSSL source folder (0.9.4 as I write this)
+ *				to live in a folder called "OpenSSL-0.9.4" in this project's parent folder.  For example:
+ *
+ *					Macintosh HD:
+ *						Development:
+ *							OpenSSL-0.9.4:
+ *								(OpenSSL sources here)
+ *							OpenSSL Example:
+ *								(OpenSSL example junk here)
+ *
+ *
+ *				Also-- before attempting to compile this, make sure the aliases in "OpenSSL-0.9.4:include:openssl" 
+ *				are installed!  Use the AppleScript applet in the "openssl-0.9.4" folder to do this!
+ */
+/* modified to seed the PRNG */
+/* modified to use CRandomizer for seeding */
+
+
+//	Include some funky libs I've developed over time
+
+#include "CPStringUtils.hpp"
+#include "ErrorHandling.hpp"
+#include "MacSocket.h"
+#include "Randomizer.h"
+
+//	We use the OpenSSL implementation of SSL....
+//	This was a lot of work to finally get going, though you wouldn't know it by the results!
+
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+
+#include <timer.h>
+
+//	Let's try grabbing some data from here:
+
+#define kHTTPS_DNS		"www.apache-ssl.org"
+#define kHTTPS_Port		443
+#define kHTTPS_URI		"/"
+
+
+//	Forward-declare this
+
+OSErr MyMacSocket_IdleWaitCallback(void *inUserRefPtr);
+
+//	My idle-wait callback.  Doesn't do much, does it?  Silly cooperative multitasking.
+
+OSErr MyMacSocket_IdleWaitCallback(void *inUserRefPtr)
+{
+#pragma unused(inUserRefPtr)
+
+EventRecord		theEvent;
+	::EventAvail(everyEvent,&theEvent);
+	
+	CRandomizer *randomizer = (CRandomizer*)inUserRefPtr;
+	if (randomizer)
+		randomizer->PeriodicAction();
+
+	return(noErr);
+}
+
+
+//	Finally!
+
+void main(void)
+{
+	OSErr				errCode;
+	int					theSocket = -1;
+	int					theTimeout = 30;
+
+	SSL_CTX				*ssl_ctx = nil;
+	SSL					*ssl = nil;
+
+	char				tempString[256];
+	UnsignedWide		microTickCount;
+
+
+	CRandomizer randomizer;
+	
+	printf("OpenSSL Demo by Roy Wood, roy@centricsystems.ca\n\n");
+	
+	BailIfError(errCode = MacSocket_Startup());
+
+
+
+	//	Create a socket-like object
+	
+	BailIfError(errCode = MacSocket_socket(&theSocket,false,theTimeout * 60,MyMacSocket_IdleWaitCallback,&randomizer));
+
+	
+	//	Set up the connect string and try to connect
+	
+	CopyCStrAndInsertCStrLongIntIntoCStr("%s:%ld",kHTTPS_DNS,kHTTPS_Port,tempString,sizeof(tempString));
+	
+	printf("Connecting to %s....\n",tempString);
+
+	BailIfError(errCode = MacSocket_connect(theSocket,tempString));
+	
+	
+	//	Init SSL stuff
+	
+	SSL_load_error_strings();
+	
+	SSLeay_add_ssl_algorithms();
+	
+	
+	//	Pick the SSL method
+	
+//	ssl_ctx = SSL_CTX_new(SSLv2_client_method());
+	ssl_ctx = SSL_CTX_new(SSLv23_client_method());
+//	ssl_ctx = SSL_CTX_new(SSLv3_client_method());
+			
+
+	//	Create an SSL thingey and try to negotiate the connection
+	
+	ssl = SSL_new(ssl_ctx);
+	
+	SSL_set_fd(ssl,theSocket);
+	
+	errCode = SSL_connect(ssl);
+	
+	if (errCode < 0)
+	{
+		SetErrorMessageAndLongIntAndBail("OpenSSL: Can't initiate SSL connection, SSL_connect() = ",errCode);
+	}
+	
+	//	Request the URI from the host
+	
+	CopyCStrToCStr("GET ",tempString,sizeof(tempString));
+	ConcatCStrToCStr(kHTTPS_URI,tempString,sizeof(tempString));
+	ConcatCStrToCStr(" HTTP/1.0\r\n\r\n",tempString,sizeof(tempString));
+
+	
+	errCode = SSL_write(ssl,tempString,CStrLength(tempString));
+	
+	if (errCode < 0)
+	{
+		SetErrorMessageAndLongIntAndBail("OpenSSL: Error writing data via ssl, SSL_write() = ",errCode);
+	}
+	
+
+	for (;;)
+	{
+	char	tempString[256];
+	int		bytesRead;
+		
+
+		//	Read some bytes and dump them to the console
+		
+		bytesRead = SSL_read(ssl,tempString,sizeof(tempString) - 1);
+		
+		if (bytesRead == 0 && MacSocket_RemoteEndIsClosing(theSocket))
+		{
+			break;
+		}
+		
+		else if (bytesRead < 0)
+		{
+			SetErrorMessageAndLongIntAndBail("OpenSSL: Error reading data via ssl, SSL_read() = ",bytesRead);
+		}
+		
+		
+		tempString[bytesRead] = '\0';
+		
+		printf("%s", tempString);
+	}
+	
+	printf("\n\n\n");
+	
+	//	All done!
+	
+	errCode = noErr;
+	
+	
+EXITPOINT:
+
+	//	Clean up and go home
+	
+	if (theSocket >= 0)
+	{
+		MacSocket_close(theSocket);
+	}
+	
+	if (ssl != nil)
+	{
+		SSL_free(ssl);
+	}
+	
+	if (ssl_ctx != nil)
+	{
+		SSL_CTX_free(ssl_ctx);
+	}
+	
+	
+	if (errCode != noErr)
+	{
+		printf("An error occurred:\n");
+		
+		printf("%s",GetErrorMessage());
+	}
+	
+	
+	MacSocket_Shutdown();
+}

MacOS/GetHTTPS.src/MacSocket.h

@@ -0,0 +1,103 @@
+#pragma once
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+
+enum
+{
+	kMacSocket_TimeoutErr = -2
+};
+
+
+//	Since MacSocket does busy waiting, I do a callback while waiting
+
+typedef OSErr (*MacSocket_IdleWaitCallback)(void *);
+
+
+//	Call this before anything else!
+
+OSErr MacSocket_Startup(void);
+
+
+//	Call this to cleanup before quitting
+
+OSErr MacSocket_Shutdown(void);
+
+
+//	Call this to allocate a "socket" (reference number is returned in outSocketNum)
+//	Note that inDoThreadSwitching is pretty much irrelevant right now, since I ignore it
+//	The inTimeoutTicks parameter is applied during reads/writes of data
+//	The inIdleWaitCallback parameter specifies a callback which is called during busy-waiting periods
+//	The inUserRefPtr parameter is passed back to the idle-wait callback
+
+OSErr MacSocket_socket(int *outSocketNum,const Boolean inDoThreadSwitching,const long inTimeoutTicks,MacSocket_IdleWaitCallback inIdleWaitCallback,void *inUserRefPtr);
+
+
+//	Call this to connect to an IP/DNS address
+//	Note that inTargetAddressAndPort is in "IP:port" format-- e.g. 10.1.1.1:123
+
+OSErr MacSocket_connect(const int inSocketNum,char *inTargetAddressAndPort);
+
+
+//	Call this to listen on a port
+//	Since this a low-performance implementation, I allow a maximum of 1 (one!) incoming request when I listen
+
+OSErr MacSocket_listen(const int inSocketNum,const int inPortNum);
+
+
+//	Call this to close a socket
+
+OSErr MacSocket_close(const int inSocketNum);
+
+
+//	Call this to receive data on a socket
+//	Most parameters' purpose are obvious-- except maybe "inBlock" which controls whether I wait for data or return immediately
+
+int MacSocket_recv(const int inSocketNum,void *outBuff,int outBuffLength,const Boolean inBlock);
+
+
+//	Call this to send data on a socket
+
+int MacSocket_send(const int inSocketNum,const void *inBuff,int inBuffLength);
+
+
+//	If zero bytes were read in a call to MacSocket_recv(), it may be that the remote end has done a half-close
+//	This function will let you check whether that's true or not
+
+Boolean MacSocket_RemoteEndIsClosing(const int inSocketNum);
+
+
+//	Call this to see if the listen has completed after a call to MacSocket_listen()
+
+Boolean MacSocket_ListenCompleted(const int inSocketNum);
+
+
+//	These really aren't very useful anymore
+
+Boolean MacSocket_LocalEndIsOpen(const int inSocketNum);
+Boolean MacSocket_RemoteEndIsOpen(const int inSocketNum);
+
+
+//	You may wish to change the userRefPtr for a socket callback-- use this to do it
+
+void MacSocket_SetUserRefPtr(const int inSocketNum,void *inNewRefPtr);
+
+
+//	Call these to get the socket's IP:port descriptor
+
+void MacSocket_GetLocalIPAndPort(const int inSocketNum,char *outIPAndPort,const int inIPAndPortLength);
+void MacSocket_GetRemoteIPAndPort(const int inSocketNum,char *outIPAndPort,const int inIPAndPortLength);
+
+
+//	Call this to get error info from a socket
+
+void MacSocket_GetSocketErrorInfo(const int inSocketNum,int *outSocketErrCode,char *outSocketErrString,const int inSocketErrStringMaxLength);
+
+
+#ifdef __cplusplus
+}
+#endif

MacOS/Randomizer.cpp

@@ -0,0 +1,476 @@
+/* 
+------- Strong random data generation on a Macintosh (pre - OS X) ------
+		
+--	GENERAL: We aim to generate unpredictable bits without explicit
+	user interaction. A general review of the problem may be found
+	in RFC 1750, "Randomness Recommendations for Security", and some
+	more discussion, of general and Mac-specific issues has appeared
+	in "Using and Creating Cryptographic- Quality Random Numbers" by
+	Jon Callas (www.merrymeet.com/jon/usingrandom.html).
+
+	The data and entropy estimates provided below are based on my
+	limited experimentation and estimates, rather than by any
+	rigorous study, and the entropy estimates tend to be optimistic.
+	They should not be considered absolute.
+
+	Some of the information being collected may be correlated in
+	subtle ways. That includes mouse positions, timings, and disk
+	size measurements. Some obvious correlations will be eliminated
+	by the programmer, but other, weaker ones may remain. The
+	reliability of the code depends on such correlations being
+	poorly understood, both by us and by potential interceptors.
+
+	This package has been planned to be used with OpenSSL, v. 0.9.5.
+	It requires the OpenSSL function RAND_add. 
+
+--	OTHER WORK: Some source code and other details have been
+	published elsewhere, but I haven't found any to be satisfactory
+	for the Mac per se:
+
+	* The Linux random number generator (by Theodore Ts'o, in
+	  drivers/char/random.c), is a carefully designed open-source
+	  crypto random number package. It collects data from a variety
+	  of sources, including mouse, keyboard and other interrupts.
+	  One nice feature is that it explicitly estimates the entropy
+	  of the data it collects. Some of its features (e.g. interrupt
+	  timing) cannot be reliably exported to the Mac without using
+	  undocumented APIs.
+
+	* Truerand by Don P. Mitchell and Matt Blaze uses variations
+	  between different timing mechanisms on the same system. This
+	  has not been tested on the Mac, but requires preemptive
+	  multitasking, and is hardware-dependent, and can't be relied
+	  on to work well if only one oscillator is present.
+
+	* Cryptlib's RNG for the Mac (RNDMAC.C by Peter Gutmann),
+	  gathers a lot of information about the machine and system
+	  environment. Unfortunately, much of it is constant from one
+	  startup to the next. In other words, the random seed could be
+	  the same from one day to the next. Some of the APIs are
+	  hardware-dependent, and not all are compatible with Carbon (OS
+	  X). Incidentally, the EGD library is based on the UNIX entropy
+	  gathering methods in cryptlib, and isn't suitable for MacOS
+	  either.
+
+	* Mozilla (and perhaps earlier versions of Netscape) uses the
+	  time of day (in seconds) and an uninitialized local variable
+	  to seed the random number generator. The time of day is known
+	  to an outside interceptor (to within the accuracy of the
+	  system clock). The uninitialized variable could easily be
+	  identical between subsequent launches of an application, if it
+	  is reached through the same path.
+
+	* OpenSSL provides the function RAND_screen(), by G. van
+	  Oosten, which hashes the contents of the screen to generate a
+	  seed. This is not useful for an extension or for an
+	  application which launches at startup time, since the screen
+	  is likely to look identical from one launch to the next. This
+	  method is also rather slow.
+
+	* Using variations in disk drive seek times has been proposed
+	  (Davis, Ihaka and Fenstermacher, world.std.com/~dtd/;
+	  Jakobsson, Shriver, Hillyer and Juels,
+	  www.bell-labs.com/user/shriver/random.html). These variations
+	  appear to be due to air turbulence inside the disk drive
+	  mechanism, and are very strongly unpredictable. Unfortunately
+	  this technique is slow, and some implementations of it may be
+	  patented (see Shriver's page above.) It of course cannot be
+	  used with a RAM disk.
+
+--	TIMING: On the 601 PowerPC the time base register is guaranteed
+	to change at least once every 10 addi instructions, i.e. 10
+	cycles. On a 60 MHz machine (slowest PowerPC) this translates to
+	a resolution of 1/6 usec. Newer machines seem to be using a 10
+	cycle resolution as well.
+	
+	For 68K Macs, the Microseconds() call may be used. See Develop
+	issue 29 on the Apple developer site
+	(developer.apple.com/dev/techsupport/develop/issue29/minow.html)
+	for information on its accuracy and resolution. The code below
+	has been tested only on PowerPC based machines.
+
+	The time from machine startup to the launch of an application in
+	the startup folder has a variance of about 1.6 msec on a new G4
+	machine with a defragmented and optimized disk, most extensions
+	off and no icons on the desktop. This can be reasonably taken as
+	a lower bound on the variance. Most of this variation is likely
+	due to disk seek time variability. The distribution of startup
+	times is probably not entirely even or uncorrelated. This needs
+	to be investigated, but I am guessing that it not a majpor
+	problem. Entropy = log2 (1600/0.166) ~= 13 bits on a 60 MHz
+	machine, ~16 bits for a 450 MHz machine.
+
+	User-launched application startup times will have a variance of
+	a second or more relative to machine startup time. Entropy >~22
+	bits.
+
+	Machine startup time is available with a 1-second resolution. It
+	is predictable to no better a minute or two, in the case of
+	people who show up punctually to work at the same time and
+	immediately start their computer. Using the scheduled startup
+	feature (when available) will cause the machine to start up at
+	the same time every day, making the value predictable. Entropy
+	>~7 bits, or 0 bits with scheduled startup.
+
+	The time of day is of course known to an outsider and thus has 0
+	entropy if the system clock is regularly calibrated.
+
+--	KEY TIMING: A  very fast typist (120 wpm) will have a typical
+	inter-key timing interval of 100 msec. We can assume a variance
+	of no less than 2 msec -- maybe. Do good typists have a constant
+	rhythm, like drummers? Since what we measure is not the
+	key-generated interrupt but the time at which the key event was
+	taken off the event queue, our resolution is roughly the time
+	between process switches, at best 1 tick (17 msec). I  therefore
+	consider this technique questionable and not very useful for
+	obtaining high entropy data on the Mac.
+
+--	MOUSE POSITION AND TIMING: The high bits of the mouse position
+	are far from arbitrary, since the mouse tends to stay in a few
+	limited areas of the screen. I am guessing that the position of
+	the mouse is arbitrary within a 6 pixel square. Since the mouse
+	stays still for long periods of time, it should be sampled only
+	after it was moved, to avoid correlated data. This gives an
+	entropy of log2(6*6) ~= 5 bits per measurement.
+
+	The time during which the mouse stays still can vary from zero
+	to, say, 5 seconds (occasionally longer). If the still time is
+	measured by sampling the mouse during null events, and null
+	events are received once per tick, its resolution is 1/60th of a
+	second, giving an entropy of log2 (60*5) ~= 8 bits per
+	measurement. Since the distribution of still times is uneven,
+	this estimate is on the high side.
+
+	For simplicity and compatibility across system versions, the
+	mouse is to be sampled explicitly (e.g. in the event loop),
+	rather than in a time manager task.
+
+--	STARTUP DISK TOTAL FILE SIZE: Varies typically by at least 20k
+	from one startup to the next, with 'minimal' computer use. Won't
+	vary at all if machine is started again immediately after
+	startup (unless virtual memory is on), but any application which
+	uses the web and caches information to disk is likely to cause
+	this much variation or more. The variation is probably not
+	random, but I don't know in what way. File sizes tend to be
+	divisible by 4 bytes since file format fields are often
+	long-aligned. Entropy > log2 (20000/4) ~= 12 bits.
+	
+--	STARTUP DISK FIRST AVAILABLE ALLOCATION BLOCK: As the volume
+	gets fragmented this could be anywhere in principle. In a
+	perfectly unfragmented volume this will be strongly correlated
+	with the total file size on the disk. With more fragmentation
+	comes less certainty. I took the variation in this value to be
+	1/8 of the total file size on the volume.
+
+--	SYSTEM REQUIREMENTS: The code here requires System 7.0 and above
+	(for Gestalt and Microseconds calls). All the calls used are
+	Carbon-compatible.
+*/
+
+/*------------------------------ Includes ----------------------------*/
+
+#include "Randomizer.h"
+
+// Mac OS API
+#include <Files.h>
+#include <Folders.h>
+#include <Events.h>
+#include <Processes.h>
+#include <Gestalt.h>
+#include <Resources.h>
+#include <LowMem.h>
+
+// Standard C library
+#include <stdlib.h>
+#include <math.h>
+
+/*---------------------- Function declarations -----------------------*/
+
+// declared in OpenSSL/crypto/rand/rand.h
+extern "C" void RAND_add (const void *buf, int num, double entropy);
+
+unsigned long GetPPCTimer (bool is601);	// Make it global if needed
+					// elsewhere
+
+/*---------------------------- Constants -----------------------------*/
+
+#define kMouseResolution 6		// Mouse position has to differ
+					// from the last one by this
+					// much to be entered
+#define kMousePositionEntropy 5.16	// log2 (kMouseResolution**2)
+#define kTypicalMouseIdleTicks 300.0	// I am guessing that a typical
+					// amount of time between mouse
+					// moves is 5 seconds
+#define kVolumeBytesEntropy 12.0	// about log2 (20000/4),
+					// assuming a variation of 20K
+					// in total file size and
+					// long-aligned file formats.
+#define kApplicationUpTimeEntropy 6.0	// Variance > 1 second, uptime
+					// in ticks  
+#define kSysStartupEntropy 7.0		// Entropy for machine startup
+					// time
+
+
+/*------------------------ Function definitions ----------------------*/
+
+CRandomizer::CRandomizer (void)
+{
+	long	result;
+	
+	mSupportsLargeVolumes =
+		(Gestalt(gestaltFSAttr, &result) == noErr) &&
+		((result & (1L << gestaltFSSupports2TBVols)) != 0);
+	
+	if (Gestalt (gestaltNativeCPUtype, &result) != noErr)
+	{
+		mIsPowerPC = false;
+		mIs601 = false;
+	}
+	else
+	{
+		mIs601 = (result == gestaltCPU601);
+		mIsPowerPC = (result >= gestaltCPU601);
+	}
+	mLastMouse.h = mLastMouse.v = -10;	// First mouse will
+						// always be recorded
+	mLastPeriodicTicks = TickCount();
+	GetTimeBaseResolution ();
+	
+	// Add initial entropy
+	AddTimeSinceMachineStartup ();
+	AddAbsoluteSystemStartupTime ();
+	AddStartupVolumeInfo ();
+	AddFiller ();
+}
+
+void CRandomizer::PeriodicAction (void)
+{
+	AddCurrentMouse ();
+	AddNow (0.0);	// Should have a better entropy estimate here
+	mLastPeriodicTicks = TickCount();
+}
+
+/*------------------------- Private Methods --------------------------*/
+
+void CRandomizer::AddCurrentMouse (void)
+{
+	Point mouseLoc;
+	unsigned long lastCheck;	// Ticks since mouse was last
+					// sampled
+
+#if TARGET_API_MAC_CARBON
+	GetGlobalMouse (&mouseLoc);
+#else
+	mouseLoc = LMGetMouseLocation();
+#endif
+	
+	if (labs (mLastMouse.h - mouseLoc.h) > kMouseResolution/2 &&
+	    labs (mLastMouse.v - mouseLoc.v) > kMouseResolution/2)
+		AddBytes (&mouseLoc, sizeof (mouseLoc),
+				kMousePositionEntropy);
+	
+	if (mLastMouse.h == mouseLoc.h && mLastMouse.v == mouseLoc.v)
+		mMouseStill ++;
+	else
+	{
+		double entropy;
+		
+		// Mouse has moved. Add the number of measurements for
+		// which it's been still. If the resolution is too
+		// coarse, assume the entropy is 0.
+
+		lastCheck = TickCount() - mLastPeriodicTicks;
+		if (lastCheck <= 0)
+			lastCheck = 1;
+		entropy = log2l
+			(kTypicalMouseIdleTicks/(double)lastCheck);
+		if (entropy < 0.0)
+			entropy = 0.0;
+		AddBytes (&mMouseStill, sizeof (mMouseStill), entropy);
+		mMouseStill = 0;
+	}
+	mLastMouse = mouseLoc;
+}
+
+void CRandomizer::AddAbsoluteSystemStartupTime (void)
+{
+	unsigned long	now;		// Time in seconds since
+					// 1/1/1904
+	GetDateTime (&now);
+	now -= TickCount() / 60;	// Time in ticks since machine
+					// startup
+	AddBytes (&now, sizeof (now), kSysStartupEntropy);
+}
+
+void CRandomizer::AddTimeSinceMachineStartup (void)
+{
+	AddNow (1.5);			// Uncertainty in app startup
+					// time is > 1.5 msec (for
+					// automated app startup).
+}
+
+void CRandomizer::AddAppRunningTime (void)
+{
+	ProcessSerialNumber PSN;
+	ProcessInfoRec		ProcessInfo;
+	
+	ProcessInfo.processInfoLength = sizeof (ProcessInfoRec);
+	ProcessInfo.processName = nil;
+	ProcessInfo.processAppSpec = nil;
+	
+	GetCurrentProcess (&PSN);
+	GetProcessInformation (&PSN, &ProcessInfo);
+
+	// Now add the amount of time in ticks that the current process
+	// has been active
+
+	AddBytes (&ProcessInfo, sizeof (ProcessInfoRec),
+			kApplicationUpTimeEntropy);
+}
+
+void CRandomizer::AddStartupVolumeInfo (void)
+{
+	short			vRefNum;
+	long			dirID;
+	XVolumeParam	pb;
+	OSErr			err;
+	
+	if (!mSupportsLargeVolumes)
+		return;
+		
+	FindFolder (kOnSystemDisk, kSystemFolderType, kDontCreateFolder,
+			&vRefNum, &dirID);
+	pb.ioVRefNum = vRefNum;
+	pb.ioCompletion = 0;
+	pb.ioNamePtr = 0;
+	pb.ioVolIndex = 0;
+	err = PBXGetVolInfoSync (&pb);
+	if (err != noErr)
+		return;
+		
+	// Base the entropy on the amount of space used on the disk and
+	// on the next available allocation block. A lot else might be
+	// unpredictable, so might as well toss the whole block in. See
+	// comments for entropy estimate justifications.
+
+	AddBytes (&pb, sizeof (pb),
+		kVolumeBytesEntropy +
+		log2l (((pb.ioVTotalBytes.hi - pb.ioVFreeBytes.hi)
+				* 4294967296.0D +
+			(pb.ioVTotalBytes.lo - pb.ioVFreeBytes.lo))
+				/ pb.ioVAlBlkSiz - 3.0));
+}
+
+/*
+	On a typical startup CRandomizer will come up with about 60
+	bits of good, unpredictable data. Assuming no more input will
+	be available, we'll need some more lower-quality data to give
+	OpenSSL the 128 bits of entropy it desires. AddFiller adds some
+	relatively predictable data into the soup.
+*/
+
+void CRandomizer::AddFiller (void)
+{
+	struct
+	{
+		ProcessSerialNumber psn;	// Front process serial
+						// number
+		RGBColor	hiliteRGBValue;	// User-selected
+						// highlight color
+		long		processCount;	// Number of active
+						// processes
+		long		cpuSpeed;	// Processor speed
+		long		totalMemory;	// Total logical memory
+						// (incl. virtual one)
+		long		systemVersion;	// OS version
+		short		resFile;	// Current resource file
+	} data;
+	
+	GetNextProcess ((ProcessSerialNumber*) kNoProcess);
+	while (GetNextProcess (&data.psn) == noErr)
+		data.processCount++;
+	GetFrontProcess (&data.psn);
+	LMGetHiliteRGB (&data.hiliteRGBValue);
+	Gestalt (gestaltProcClkSpeed, &data.cpuSpeed);
+	Gestalt (gestaltLogicalRAMSize, &data.totalMemory);
+	Gestalt (gestaltSystemVersion, &data.systemVersion);
+	data.resFile = CurResFile ();
+	
+	// Here we pretend to feed the PRNG completely random data. This
+	// is of course false, as much of the above data is predictable
+	// by an outsider. At this point we don't have any more
+	// randomness to add, but with OpenSSL we must have a 128 bit
+	// seed before we can start. We just add what we can, without a
+	// real entropy estimate, and hope for the best.
+
+	AddBytes (&data, sizeof(data), 8.0 * sizeof(data));
+	AddCurrentMouse ();
+	AddNow (1.0);
+}
+
+//-------------------  LOW LEVEL ---------------------
+
+void CRandomizer::AddBytes (void *data, long size, double entropy)
+{
+	RAND_add (data, size, entropy * 0.125);	// Convert entropy bits
+						// to bytes
+}
+
+void CRandomizer::AddNow (double millisecondUncertainty)
+{
+	long time = SysTimer();
+	AddBytes (&time, sizeof (time), log2l (millisecondUncertainty *
+			mTimebaseTicksPerMillisec));
+}
+
+//----------------- TIMING SUPPORT ------------------
+
+void CRandomizer::GetTimeBaseResolution (void)
+{	
+#ifdef __powerc
+	long speed;
+	
+	// gestaltProcClkSpeed available on System 7.5.2 and above
+	if (Gestalt (gestaltProcClkSpeed, &speed) != noErr)
+		// Only PowerPCs running pre-7.5.2 are 60-80 MHz
+		// machines.
+		mTimebaseTicksPerMillisec =  6000.0D;
+	// Assume 10 cycles per clock update, as in 601 spec. Seems true
+	// for later chips as well.
+	mTimebaseTicksPerMillisec = speed / 1.0e4D;
+#else
+	// 68K VIA-based machines (see Develop Magazine no. 29)
+	mTimebaseTicksPerMillisec = 783.360D;
+#endif
+}
+
+unsigned long CRandomizer::SysTimer (void)	// returns the lower 32
+						// bit of the chip timer
+{
+#ifdef __powerc
+	return GetPPCTimer (mIs601);
+#else
+	UnsignedWide usec;
+	Microseconds (&usec);
+	return usec.lo;
+#endif
+}
+
+#ifdef __powerc
+// The timebase is available through mfspr on 601, mftb on later chips.
+// Motorola recommends that an 601 implementation map mftb to mfspr
+// through an exception, but I haven't tested to see if MacOS actually
+// does this. We only sample the lower 32 bits of the timer (i.e. a
+// few minutes of resolution)
+
+asm unsigned long GetPPCTimer (register bool is601)
+{
+	cmplwi	is601, 0	// Check if 601
+	bne	_601		// if non-zero goto _601
+	mftb  	r3		// Available on 603 and later.
+	blr			// return with result in r3
+_601:
+	mfspr r3, spr5  	// Available on 601 only.
+				// blr inserted automatically
+}
+#endif

MacOS/Randomizer.h

@@ -0,0 +1,43 @@
+
+//	Gathers unpredictable system data to be used for generating
+//	random bits
+
+#include <MacTypes.h>
+
+class CRandomizer
+{
+public:
+	CRandomizer (void);
+	void PeriodicAction (void);
+	
+private:
+
+	// Private calls
+
+	void		AddTimeSinceMachineStartup (void);
+	void		AddAbsoluteSystemStartupTime (void);
+	void		AddAppRunningTime (void);
+	void		AddStartupVolumeInfo (void);
+	void		AddFiller (void);
+
+	void		AddCurrentMouse (void);
+	void		AddNow (double millisecondUncertainty);
+	void		AddBytes (void *data, long size, double entropy);
+	
+	void		GetTimeBaseResolution (void);
+	unsigned long	SysTimer (void);
+
+	// System Info	
+	bool		mSupportsLargeVolumes;
+	bool		mIsPowerPC;
+	bool		mIs601;
+	
+	// Time info
+	double		mTimebaseTicksPerMillisec;
+	unsigned long	mLastPeriodicTicks;
+	
+	// Mouse info
+	long		mSamplePeriod;
+	Point		mLastMouse;
+	long		mMouseStill;
+};

MacOS/TODO

@@ -0,0 +1,18 @@
+-------------------------------------------------------------------
+Verify server certificate
+-------------------------------------------------------------------
+Currently omitted from the project:
+
+	crypto/tmdiff.c
+	crypto/bio/bss_conn.c
+	crypto/bio/b_sock.c
+	crypto/bio/bss_acpt.c
+	crypto/bio/bss_log.h
+
+-------------------------------------------------------------------
+Build libraries to link with...
+-------------------------------------------------------------------
+Port openssl application.
+-------------------------------------------------------------------
+BN optimizations (currently PPC version is compiled with BN_LLONG)
+-------------------------------------------------------------------

MacOS/_MWERKS_GUSI_prefix.h

@@ -0,0 +1,9 @@
+#include <MacHeaders.h>
+#define B_ENDIAN
+#ifdef __POWERPC__
+#pragma longlong on
+#endif
+#if 1
+#define MAC_OS_GUSI_SOURCE
+#endif
+#define MONOLITH

MacOS/_MWERKS_prefix.h

@@ -0,0 +1,9 @@
+#include <MacHeaders.h>
+#define B_ENDIAN
+#ifdef __POWERPC__
+#pragma longlong on
+#endif
+#if 0
+#define MAC_OS_GUSI_SOURCE
+#endif
+#define MONOLITH

MacOS/buildinf.h

@@ -0,0 +1,5 @@
+#ifndef MK1MF_BUILD
+#  define CFLAGS	"-DB_ENDIAN"
+#  define PLATFORM	"macos"
+#  define DATE		"Sun Feb 27 19:44:16 MET 2000"
+#endif

MacOS/mklinks.as.hqx

@@ -0,0 +1,820 @@
+(This file must be converted with BinHex 4.0)
+
+:#QeVE'PZDh-ZBA-!39"36'&`E(3J!!!!!!!!!*LiI6m!!!!!!3!!!*G#!!#@3J!
+!!AChFQPd!!!!K3)"!3m(Fh9`F'pbG!!!!)B#!3%$"(0eFQ8!!!#(!J-%"!3("3C
+cGfPdBfJ!!!#)!J%"#39cH@jMD!!!!)N#"J%$!`-&"3-'FhPcG'9Y!!!!LJ)&"3)
+%!J8("!-#!`4dB@*X!!!!L`))!3-$!`-$!`-$"(4PE'`!!!#-!J)"#38$G'KP!!!
+!M3))(J)@!Ki#!J))!K)#!`)B!Kd%G'KPE3!!!)i#!J%&#`4dD'9j!!!!M`)#!J)
+#$3TdD(*[G@GSEh9d!!!!N!!#!3%&"(4TCQB!!!#4!J%"!`4dD@eP!!!!NJ)"!JS
+#!h4T!!!!'N!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!H!!!!!!!#!!!!!!
+!!!!!!!!!!!!!rrrrr`!!!$3!!!!N!!!!!#"[!!5JAb"[!!5K++!M6R9$9'mJFR9
+Z)(4SDA-JFf0bDA"d)'&`F'aTBf&dD@pZ,#"jEh8JEA9cG#"QDA*cG#"TER0dB@a
+X)%&`F'aP8f0bDA"d,J!!!)C8D'Pc)(0MFQP`G#"MFQ9KG'9c)#iZ,fPZBfaeC'8
+[Eh"PER0cE#"KEQ3JCQPXE(-JDA3JGfPdD#"ZC@0PFh0KFRNJB@aTBA0PFbi0$8P
+d)'eTCfKd)(4KDf8JB5"hD'PXC5"dEb"MEfe`E'9dC5"cEb"`E'9KFf8JBQ8JF'&
+dD@9ZG$SY+3!!!#S!!J!!!!!!$3!+!"!!!!!-!!!!!!!!!!!!63!0!!S!%!%!!!`
+!!!!!!!!!!!!B!!!!+!!!!!!!!!!)!!!!)!#N2c`!!DR`!!!!l!!!!!&19[ri,`0
+f!#m$-$bKVDG'*KmY52ri,`-`2+LITdBQ(b!ZrrLa`'FJ,`-J2'0`ER4"l[rm)NL
+KV5+)*Kp+3'B)5Ulrr'F#GJ%3!bBZrr41ANje6PB!!#m-@Bm[2%j29%Nr2!#!U"m
+SAb!-CJK`!cm!UFKJ+#m-UC)J9#!)d+J!'#&!!"JJ9#!)d+J!(#&!!"a9Mbm8)&q
+JAMk!9%mSE[rm6Pj1G8j@!!![$%kkre4+!'FU@Bm[2'&`E(3[2(0MF(4`)DJU+&m
+J$'F5@Bm[$#mm!!!!!A!!U#UTp&K26VVrG#KZrra1ANje!!!!('&`E(3!!!!"4P*
+&4J!!!!!!J%P$6L-!!!!!!*B!!!!"!!!!!!G"8&"-!!!!!!!"!!!"!!!!!S!!!!4
+!!!"i)!!!K"!!!3))!!)#"!!%"!)!#!J"!"!8!)!J)J"!3%%!)2#!J"#*!%!)KJ!
+J")3!)!*!!"!")!!3!K!!%!3)!"!)"!!J%!)!3#!"!)"!!S%!J!5#!3!)4!)!#%J
+%!!KB#!!%C"!!!m)J!!!"3!!!!)!!!!%!!!!$J!!!"m!!!(rJ!!$rm!!"rrJ!!rr
+m!!IrrJ!2rrm!(rrrJ$rrrm"rrrrJrrrrm2rrrrMrrrrmrrrrrRrrrrmrrrrq(rr
+rr!rrrrJ(rrr`!rrri!(rrm!$rrq!"rrr!!rrrJ!2rr`!$rri!!IRm!!$`q!!!!(
+!!!!!J!!!!!)!!!!!!!!!!!m!!!!!!!!!!!!!!!!!!!$`m!!!!!!!!!!!!!!!!!!
+2!!m!!!!!!!!!!!!!!!rrm!!!m!!!!!!!!!!!!!$`c0m!!!m!!!!!!!!!!!!2!!c
+-m!!!m!!!!!!!!!!!m!$-cI!!!!m!!!!!!!!!$`!-c0m!!!!!m!!!!!!!!2!!c-h
+`!!!!!!m!!!!!!!m!$-cIh`!!!!!!m!!!!!$`!-c0rGh`!!!!!!m!!!!2!!c-hph
+-h`!!!!!!m!!!rrr-cIhF`-h`!!!!!!m!!2lFr0rGc!`-h`!!!!!!m!$pc-rph-$
+!`-h`!!!!!!m!r-`2cF`-$!!-r3!!!!!!m!m!`-c!`-!!$0m!!!!!$-m!m!`-$!`
+!!-cI!!!!!-c`!!m!`-$!!!`-h`!!!!c2!!!!m!`-!!$!c0m!!!$-m!!!!!m!`!!
+-$-hm!!!-c`!!!!!!m!!!`-cIc!!!c2!!!!!!!!m!$!c0r-`!$-m!!!!!!!$pm-$
+-hmc!!-c`!!!!!!!2hI`-cIc-!!c2!!!!!!!!rGc2c0r-`!$-m!!!!!!!!2h-cmh
+mc!!-c`!!!!!!!!$mc!rIr-!!c2!!!!!!!!!!$m$2m!r-$-m!!!!!!!!!!!$rr`!
+!r-c`!!!!!!!!!!!!!!!!!!r2!!!!!!!!!!!!!!!!!!!!m!!!!!!!!!!!!!"!!B!
+13"%J)4"##18%Q)+3!%&!)5!L%%3BL#83*L!G3!#!!B!2`"rJ2r"rq2rmrrlrrhr
+r2riIr"ri2r!ri"h!!)!!!!#!!!!!$r!!!!!!!2r`$`!!!!!2$!m!m!!!!2$!c`!
+2!!!2$!c`!!$`!2r`cpm!!!m!rGrpc2!!!2$p$p`-c`!!$`m!`-$0m!$2!2!-$-h
+`$2!!$`$-hm$2!!!2m-hm$2!!!2h2hm$2!!!!r-rm$2!!!!!2r`r2!!!!!!!!!2!
+!!!!!!!#D8f0bDA"d)%&`F'aTBf&dD@pZ$3e8D'Pc)(0MFQP`G#"MFQ9KG'9c)#i
+Z,fPZBfaeC'8[Eh"PER0cE#"KEQ3JCQPXE(-JDA3JGfPdD#"ZC@0PFh0KFRNJB@a
+TBA0PFbi0$8Pd)'eTCfKd)(4KDf8JB5"hD'PXC5"dEb"MEfe`E'9dC5"cEb"`E'9
+KFf8JBQ8JF'&dD@9ZG$SY+3!!!")!!J!!!!!!!!!!!!%!"J!'%iN!!!!+@1!!!b!
+!!!-J!!!!!"3!+`!(!Cm#@!!V!!F"f!*B!!!!!3!!M`C'BA0N98&6)$%Z-6!a,M%
+`$J!!!!32rrm!!3!#!!-"rrm!!!d!!3!"D`!!!!!!!!!%!J!%!!)!"3!'$3!&!!*
+X!!)!!!U`!!IrrJd!"`!#6`!!!!!+X!!)!!N0!!J!!@X!!!!%#Um!#J)!#J!#!!X
+!$!d!#`!#E!!#!!3!"2rprr`"rrd!!!(rr!!!!J!-!!)!$3!1$3!0!!*X!!%!"!!
+%rrX!$`(rq`!!$!!2!&N!8b"(CA3JF'&dD#"dEb"dD'Pc)%&`F'aP8f0bDA"d)'&
+`F'aPG$XJGA0P)'Pd)(4[)'C[FQdJG'KP)("KG'JJG'mJG'KP)'PZBfaeC'8JCQp
+XC'9b!!)!!!)!$J!#!"!!%3d!%!!#E!!"!!3!"2rk!")"rrS!!!`!%J!Q!#!JB@j
+N)(4SC5"[G'KPFL"bC@aPGQ&ZG#"QEfaNCA*c,J!#!!!#!"%!!J!6!"30!"-!!R-
+!!!!%!"%!&3!@$3!9!!*M!!!!"!!1!"F!'!d!&`!#E!!&!!3!$!!CrrN0!"N!!Qi
+!!!!%!!`!'J!E$3!D!!)d!!!!"3!-rrJ!(!Vrq!!%#Q0[BQS0!"`!!Q`!"3!'!!X
+!(Irh$3!G!!0*!!)!"J!,rrB!([re#[rf!"JZC@&bFfCQC(*KE'Pc!!!!!!!!)!"
+KCQ4b$3!H!!"Q!!!!"J!(![re!!!"rrF!!!d!'`!"E3!!!!3!"3!I$`!I!6J)ER9
+XE!!!!!!!!Gq!rrm!!!!A"NCTEQ4PFJ!!(`*[Me!!ASfm!Qq,i!"HA[!!I&M!!!!
+!!!!!'mi!!JN#!Qq-1!!!Kb%#Ei`J!!!!!%C14&*038e"3e-!!"%!B@aTF`!!!!!
+!fJ!#!!!-6@&MD@jdEh0S)%K%!!!!!!!!!!!!!!!!!!!!XSA5h%*%!!!!!!!A"NC
+TEQ4PFJ!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!3rLc#@a!4Nj%8Ne"3e2rrrrr!!!!!!!!!!!!!!!!!!!
+!!!!!!!e6HA0dC@dJ4QpXC'9b!!!"!!3!!!!A!!)!)8eKBfPZG'pcD#")4$T6HA0
+dC@dJ4QpXC'9b1NCTEQ4PFJ$rr`!!!Irj!!!0!"J!!@d!!!!-!!hrp!Vrp!!%#Q0
+dH(30!"B!!@m!!!!!!!$rm`[rm`!5-!!(G'KPF'&dD!!(G'KP8'&dD!)!&!!#!#!
+!)3d!)!!#E!!#!")!%[rbrr%"rr)!!!(rm3!!!J!K!!)!)J!M$3!L!!*b!!!!%J!
+A!#3!*3d!*!!#EJ!$!")!&3!Q!#F0!#B!!6%!!!!6!"Arm!Vrm!!%#R4iC'`0!#F
+!!6%!!!!5!"2rl`Vrl`!%#Q&cBh)0!#8!!@m!!!!!!!$rlJ[rlJ!F-!!-G'KPEfa
+NC'9XD@ec!!adD'92E'4%C@aTEA-#!#-!!J!S!#N0!#J!!R)!!!!B!"d!+J!V$3!
+U!!&Y!!!!'!!C!#`-!#`!"`!"1J!#!!!0!#X!!Qi!!`!!!!!!,3!Z$3!Y!!%a!!!
+!'J!Frqd+rqd!"!TdH'4X$3!Z!!%a!!!!'3!Drq`+rq`!"!TKFf0b!J!T!!)!,`!
+`$3![!!*X!!)!(J!Hrq[rkJ(rk`!!!IrU!!!#!$!!!J!a!$)0!$%!!R)!!!!H!#X
+!-`!d$3!c!!*X!!8!(J!T!$Ark3d!03!#EJ!!!"i!+3!f!$F0!$B!!cF"!!!I!#R
+rk!!i!$N+rqJ!"!TMDA4Y$3!i!!&Y!!!!)`!PrqF$rqF!!3d!13!"E3!!!#B!+2r
+Q!rrQrrd0!$F!!@m!!!!H!"rrj3[rj3!5-!!(G'KPF'&dD!!(G'KP8'&dD!(rk3!
+!$3!d!!&[!!!!!!!!rq3,rq3!)$!!$R4SCA"bEfTPBh4`BA4S!!jdD'93FQpUC@0
+d8'&dD!)!-J!#!$S!1`d!1J!#FJ!!!#`!1`!m!$d0!$`!!Q-!!!!X!$N!2J!r$3!
+q!!*X!!8!,!!h!%$ri`d!3!!#EJ!!!#`!0`""!%)0!%%!!cF"!!!Y!$IriJ"$!%3
++rq)!"!TMDA4Y$3"$!!&Y!!!!-3!crq%$rq%!!3d!4!!"E3!!!$3!0[rJ!rrJrri
+0!%)!!@m!!!!X!#hrh`[rh`!5-!!(G'KPF'&dD!!(G'KP8'&dD!(ri`!!$3!r!!&
+Y!!!!0`!irpi+rpi!"!T849K8$3!p!!&[!!!!!!!!rpd,rpd!&M!!#A4SC@ePF'&
+dD!!*G'KP6@93BA4S!J!l!!)!43"'$3"&!!*X!!)!2!!mrpcrf`(rh!!!!IrE!!!
+#!%B!!J"(!%J0!%F!!R)!!!!m!%8!53"+$3"*!!*M!!!!2!""!%X!6!d!5`!#BJ!
+!!$`!2`"0!%i0!%d!!@m!!!!m!$hrfJ[rfJ!J-!!1G'KPF(*[DQ9MG("KG'J!$R4
+SC9"bEfTPBh43BA4S$3"1!!&Y!!!!23!q!%m-!%m!$3!(D@jME(9NC3!#!!!0!%`
+!!@d!!!!r!%$rf3Vrf3!%#P4&@&30!%S!!@m!!!!!!!$rf![rf!!Q-!!4D@jME(9
+NC@C[E'4PFR"KG'J!%@PZBfaeC'9'EfaNCA*3BA4S!J")!!)!8!"4$3"3!!*b!!!
+!4J"9!&)!8`d!8J!#B`!!!%B!83"8!&80!&3!!Q)!!!"'!%m!9J"A$3"@!!*L!!!
+!4J",!&J!@3d!@!!"E`!!!%B!4rrA#rrA!#!`!!jdD'9`FQpUC@0dF'&dD!!1G'K
+P8(*[DQ9MG&"KG'J0!&N!!@d!!!"(!%S!@J`!@J!0!!GTEQ0XG@4P!!)!!!d!9`!
+"E3!!!%X!6J"E$!"E!!d!"fp`C@jcFf`!!J!!$3"9!!&Y!!!!6`"3rpB+rpB!"!T
+849K8$3"6!!&[!!!!!!!!rp8,rp8!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&
+dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S!J"4!!)!A!"G$3"F!!*b!!!!9J"
+K!&i!A`d!AJ!#B`!!!&B!A3"J!'%0!'!!!Q)!!!"@!&X!BJ"M$3"L!!&[!!!!9J"
+Arp3,rp3!)$!!$R4SCA"bEfTPBh4`BA4S!!jdD'93FQpUC@0d8'&dD!d!B`!"E3!
+!!&F!@J"N$!"N!!`!"Q0bHA"dE`!#!!!0!'%!!@d!!!"E!&crd`Vrd`!%#P4&@&3
+0!&m!!@m!!!!!!!$rdJ[rdJ!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4Qp
+XC'9b8'&dD!)!A3!#!'8!CJd!C3!#FJ!!!')!E3"R!'J0!'F!!Q-!!!"L!'N!D3"
+U$3"T!!*L!!!!BJ"R!'X!E!d!D`!"E`!!!')!Brr4#rr4!#!`!!jdD'9`FQpUC@0
+dF'&dD!!1G'KP8(*[DQ9MG&"KG'J0!'`!!@d!!!"M!'B!E3`!E3!*!!0cFf`!!J!
+!$3"U!!&Y!!!!C`"Srp!+rp!!"!T849K8$3"S!!&[!!!!!!!!rmm,rmm!(M!!$A0
+cE'C[E'4PFR"KG'J!$A0cE%C[E'4PFP"KG'J#!'B!!J"Z!'m0!'i!!R)!!!"Z!(8
+!F!"a$3"`!!*M!!!!EJ"a!()!F`d!FJ!"E`!!!'i!Err1#rr1!#!`!!jdD'9`FQp
+UC@0dF'&dD!!1G'KP8(*[DQ9MG&"KG'J0!(-!!@d!!!"[!($rc3Vrc3!%#P4&@&3
+0!(%!!@m!!!!!!!$rc![rc!!Q-!!4Eh"PER0cE'C[E'4PFR"KG'J!%@p`C@jcFfa
+'EfaNCA*3BA4S!J"[!!)!G!"e$3"d!!*X!!)!GJ"frm[rbJ(rb`!!!Ir+!!!#!(8
+!!J"f!(F0!(B!!R)!!!"f!(X!H!"j$3"i!!&[!!!!GJ"hrmN,rmN!($!!$(4SC@p
+XC'4PE'PYF`!-G'KP6faN4'9XD@ec$3"j!!*Z!!-!!!!!!(S!H`d!HJ!"-3!!!(J
+!H[r)#[r)!!3+G(KNE!d!H`!"-3!!!(F!H2r(#[r(!!3+BA0MFJ)!G`!#!(`!I3d
+!I!!#E!!#!(`!I2r'rm8"rmB!!!(ra3!!!J"p!!)!IJ"r$3"q!!*X!!%!I!"mrm3
+!J!(ra!!!$!#!!%!!1L"NC@aPG'8JEfaN)'PZBfaeC'8kEh"PER0cE#"QEfaNCA)
+JB@jN)(*PBh*PBA4P)'Pd)'0XC@&ZE(N!!J!!!J"r!!)!J3##$3#"!!*X!!)!I!"
+mrm2r`J(r``!!!Ir#!!!#!))!!J#$!)30!)-!!e%!!!"m!+8!K3#'!)F0!)8!!@X
+!!!"r!*`!L!)!L!!#!)N!LJd!L3!$53!#!(m!N[r"!)[r`!Vr`3!B,QeTFf0cE'0
+d+LSU+J!!!!!!!*!!!#SU+LS0!)X!!Qi!!!"r!)i!M!#0$3#-!!)d!!!!K`#1rlm
+!MJVr[`!%#Q0QEf`0!)i!!@d!!!#+!)d!M``!M`!0!!G[F'9ZFh0X!!)!!!d!M3!
+#0!!!!(m!Krqq!*!!#[qq!!3+BfC[E!d!N!!!!@m!!!#$!)Er[3[r[3!Q-!!4D@j
+ME(9NC@C[E'4PFR"KG'J!%@PZBfaeC'9'EfaNCA*3BA4S![r!!!!#!)S!!J#4rl`
+0!*%!!dN!!J#6!*crZ`#5rlS+rlX!'#jMEh*PC'9XEbSU+LS!!!!!!!#3!!!U+LS
+U$3#5!!%a!!!!N`#BrlN+rlN!"!TcC@aP![qk!!!#rl`!!!d!KJ!$8J!!!!!!!2q
+irlIrYJVrZ!!B,Q&cBh*PFR)J+LSU+J!!!!!!!*!!!#SU+LS"rlF!!!,rYJ!!$3#
+(!!*X!!%!T!#Nrl8!N`(rY3!!$!#6!"-!$5"TCfj[FQ8JCA*bEh)!!J!!!J#%!!)
+!P!#9$3#8!!*X!!)!TJ#Qrl6rX`(rY!!!!Iqc!!!#!*8!!J#@!*F0!*B!!dN!!J#
+Q!,lrX[qa!*J+rl)!'#jMEh*PBh*PE#SU+LS!!!!!!!#3!!"ZG@aX!Iqa!!!'!*J
+!!rq`!*N!QJVrX!!%#QY[Bf`0!*N!!@d!!!#U!+hrV`VrV`!%#Q0QEf`'!*S!!rq
+Z!*[rV3VrVJ!%#QPZFfJ0!*X!!M3!!!#`!,MrV!#F#[qX!!3+BfC[E!d!R!!"E`!
+!!,3!YrqV#rqV!#B`!"&TEQ0XG@4PCQpXC'9bF'&dD!!4D@jME(9NC8C[E'4PFP"
+KG'J'rkd!!!)!P`!#!*d!RJd!R3!#FJ!!!,m!aJ#I!+!0!*m!!Q`"!!#r!-)!SIq
+U$3#K!!%a!!!![`$#rkN+rkN!"!TbFfad!IqU!!!0!+!!!@m!!!!!!!$rU![rU!!
+Z-!!9G'KPEQ9hCQpXC'9bFQ9QCA*PEQ0P!"9dD'91CAG'EfaNCA*5C@CPFQ9ZBf8
+#!*i!!J#L!+-0!+)!!dN!!J$(!-lrT`#NrkB+rkF!'#jYDA0MFfaMG#SU+LS!!!!
+!!!#3!!!U+LSU$3#N!!&[!!!!a`$+rk8,rk8!,M!!&A4SC@jPGfC[E'4PFR*PCQ9
+bC@jMC3!9G'KP6Q9h4QpXC'9b8Q9QCA*PEQ0P![qQ!!!#!+-!!J#P!+B0!+8!!R)
+!!!$2!0`!T`#S$3#R!!&Y!!!!c`$5!+N-!+N!$3!(Eh"PER0cE!!#!!!0!+J!!Qi
+!!!!!!!!!UJ#V$3#U!!%a!!!!e`$Erk3+rk3!"!T`EQ&Y$3#V!!%a!!!!dJ$Ark-
++rk-!"!TcC@aP!J#Q!!)!V!#Y$3#X!!*X!!)!h3$Grk,rS3(rSJ!!!IqK!!!#!+d
+!!J#Z!+m0!+i!!Q`!!3$G!0hrS!#`!IqJ!!!-!,!!(`!C)&0dBA*d)'eKDfPZCb"
+dD'8JB@aTBA0PF`!#!!!#!+m!!J#a!,)0!,%!!dN!!J$G!3ArRrqH!,-+rjm!'#j
+MEh*PBh*PE#SU+LS!!!!!!!#3!!"ZG@aX!IqH!!!'!,-!!rqG!,3!Y3VrR3!%#QY
+[Bf`0!,3!!@d!!!$K!16rR!VrR!!%#Q&XD@%'!,8!!rqE!,B!Y`VrQ`!%#QPZFfJ
+0!,B!!M3!!!$R!1rrQJ#i#[qD!!3+BfC[E!d!Z!!"E`!!!1X!l[qC#rqC!$3`!"K
+[F'9ZFh0XD@jME(9NC@C[E'4PFR"KG'J!''p`C@j68da*EQ0XG@4P4QpXC'9b8'&
+dD!B!Y`!$rjJ!ZIqA#[qB!!3+G'mJ)!d!Z3!#EJ!!!2)!r`#k!,X0!,S!!M3!!!$
+i!2rrPJ#m#[q@!!3+CQPXC3d![!!"E3!!!2X!rJ#p$!#p!"-!$@p`C@jcFfaMEfj
+Q,QJ!!J!!$3#l!!)d!!!!mJ$irj8![JVrP3!%#Q0QEf`0!,i!!@m!!!$f!2IrP![
+rP!!@-!!*G'KPE@9`BA4S!!PdD'90C9"KG'J'rjF!!!)!XJ!#!,m!`!d![`!#E!!
+#!3B""[q6rj)"rj-!!!(rNJ!!!J$!!!)!`3$#$3$"!!*b!!!""J%4!--!a!d!``!
+#BJ!!!3B"$3$&!-B0!-8!!@m!!!%'!3RrN3[rN3!N-!!3Bh*jF(4[CQpXC'9bF'&
+dD!!3Bh*jF(4[4QpXC'9b8'&dD!d!aJ!"E3!!!3N"$!$($!$(!!X!"6TKFfia!!)
+!!!d!a!!"E`!!!!!!!2q3!![rN!!!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!)!`J!
+#!-J!b3d!b!!$53!#!4)"22q2rii!bJVrM`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!
+!!'jeE'`"rii!!!B!bJ!$rid!b`$-#[q0!!3+DfpME!d!b`!"E3!!!4B"'Iq-#[q
+-!!3+B@aTB3B!c!!$riX!c3$1#[q,!!3+D@jcD!d!c3!#0!!!!4`"*2q+!-m+riS
+!"!TMCQpX$3$2!!&[!!!")!%MriN,riN!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9
+bF'&dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J$1!!2rL!$3riF+riJ!"!T
+dEb!J$3$3!!*Z!!!"*`%f!0%!dJd!d3!#0!!!!5m"0[q'!0-+riB!"!TQD@aP$3$
+6!!&Y!!!"-J%e!03-!03!$!!'BA0Z-5jS!!)!!!d!dJ!#0!!!!5F",rq&!08+ri8
+!"!TMCQpX$3$9!!&[!!!"+`%Zri3,ri3!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!E
+rK`!!!J$*!!)!eJ$A$3$@!!0*!!)"23&Rri2rJJ$B#[q$!"JZBfpbC@0bC@`U+LS
+U!!!!!!!!N!!!ER9XE!(rJJ!!"J$B!!2rJ3$C!0S+ri%!"!TVEf0X$3$C!!&Y!!!
+"33&%ri!+ri!!"!TKE'PK"J$D!!2rI`$E!0`+rhm!"!TTER0S$3$E!!)d!!!"4`&
+2rhi!h3VrIJ!%#Q0QEf`0!0d!!@m!!!&,!8lrI3[rI3!d-!!BEh"PER0cE'PZBfa
+eC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'!0`!!rpm!0l
+rH`VrI!!%#R4[)#!0!0i!!Qi!!!&5!@%!h`$J$3$I!!)d!!!"@J&KrhS!i3VrHJ!
+%#QCTE'80!1%!!@d!!!&G!@!!iJ`!iJ!3!!TKFfiaAfeKBbjS!!)!!!d!i!!#0!!
+!!9)"@[pj!1-+rhN!"!TMCQpX$3$M!!&[!!!"9J&CrhJ,rhJ!&$!!#(4PEA"`BA4
+S!!KdC@e`8'&dD!ErH`!!!J$A!!)!j!$P$3$N!!*X!!)"D!&SrhIrGJ(rG`!!!Ip
+f!!!#!18!!J$Q!1F0!1B!!R)!!!&S!A-!k!$T$3$S!!*L!!!"D!&[!1S!k`d!kJ!
+"E`!!!@J"Drpe#rpe!#3`!""MFRP`G'pQEfaNCA*`BA4S!""MFRP`G'p'EfaNCA*
+3BA4S$3$V!!&Y!!!"D`&Z!1`-!1`!#J!%1Q*TE`!#!!!0!1N!!@m!!!!!!!$rG![
+rG!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S!J$R!!)!l3$Z$3$Y!!0*!!)"G!'Hrh2
+rFJ$[#[pc!"JZBfpbC@0bC@`U+LSU!!!!!!!!N!!!ER9XE!(rFJ!!"J$[!!2rF3$
+`!2%+rh%!"!TVEf0X$3$`!!&Y!!!"H!&lrh!+rh!!"!TKE'PK"J$a!!2rE`$b!2-
++rfm!"!TTER0S$3$b!!)d!!!"IJ''rfi!p!VrEJ!%#Q0QEf`0!23!!@m!!!'#!BA
+rE3[rE3!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9
+NC8C[E'4PFP"KG'J'!2-!!rpX!2ArD`VrE!!%#R4[)#!0!28!!Qi!!!'*!CJ!pJ$
+h$3$f!!)d!!!"N3'BrfS!q!VrDJ!%#QCTE'80!2J!!@d!!!'8!CF!q3`!q3!,!!9
+LD@mZD!!#!!!0!2F!!M3!!!'*!C(rD3$k#[pT!!3+BfC[E!d!qJ!"E`!!!Bd"N!$
+rD![rD!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S"[pV!!!#!1i!!J$l!2`0!2X!!Q`
+!!J'I!CrrCrpQ!IpR!!!"rfB!!!)!r!!#!2d!rJd!r3!#FJ!!!Cm"UJ$r!3!0!2m
+!!Q)!!!'I!DB"!3%#$3%"!!&[!!!"R`'Lrf8,rf8!*$!!%'0bHA"dEfC[E'4PFR"
+KG'J!%'0bHA"dEdC[E'4PFP"KG'J0!3)!!@d!!!'L!D8"!``"!`!*!!-kBQB!!J!
+!$3%!!!&[!!!!!!!!rf3,rf3!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!)!rJ!#!33
+""3d""!!$53!#!DX"eIpMrf)""JVrB`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'j
+eE'`"rf)!!!B""J!$rf%""`%)#[pK!!3+DfpME!d""`!"E3!!!Dm"X[pJ#[pJ!!3
++B@aTB3B"#!!$rem"#3%+#[pI!!3+D@jcD!d"#3!#0!!!!E8"[IpH!3X+rei!"!T
+MCQpX$3%,!!&[!!!"Z3'mred,red!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&
+dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J%+!!2rA!%-reX+re`!"!TdEb!
+J$3%-!!*Z!!!"`!(2!3d"$Jd"$3!#0!!!!FJ"crpD!3m+reS!"!TQD@aP$3%2!!&
+Y!!!"b`(1!4!-!4!!%!!+BQa[GfCTFfJZD!!#!!!0!3i!!M3!!!(!!FMr@3%4#[p
+C!!3+BfC[E!d"%3!"E`!!!F3"arpB#rpB!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J
+'reX!!!)""3!#!4)"%`d"%J!#E!!#!GB"e[pAreB"reF!!!(r9J!!!J%6!!)"&!%
+9$3%8!!*b!!!"eJ(K!4B"&`d"&J!#BJ!!!GB"h3%B!4N0!4J!!@m!!!(@!GRr93[
+r93!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD!d"'3!"E3!
+!!GN"h!%D$!%D!!N!!cTLEJ!#!!!0!4F!!@m!!!!!!!$r9![r9!!8-!!)G'9YF("
+KG'J!#(4PEA"3BA4S!J%9!!)"'`%F$3%E!!0*!!)"iJ)-re2r8J%G#[p6!"JZBfp
+bC@0bC@`U+LSU!!!!!!!!N!!!ER9XE!(r8J!!"J%G!!2r83%H!4m+re%!"!TVEf0
+X$3%H!!&Y!!!"jJ(Tre!+re!!"!TKE'PK"J%I!!2r6`%J!5%+rdm!"!TTER0S$3%
+J!!)d!!!"l!(drdi")JVr6J!%#Q0QEf`0!5)!!@m!!!(`!I2r63[r63!d-!!BEh"
+PER0cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J
+'!5%!!rp-!52r5`Vr6!!%#R4[)#!0!5-!!Qi!!!(h!JB"*!%P$3%N!!)d!!!"r`)
+'rdS"*JVr5J!%#QCTE'80!5B!!@d!!!)#!J8"*``"*`!+!!4LELjS!!)!!!d"*3!
+#0!!!!IF"rrp*!5J+rdN!"!TMCQpX$3%S!!&[!!!"q`(qrdJ,rdJ!&$!!#(4PEA"
+`BA4S!!KdC@e`8'&dD!Er5`!!!J%F!!)"+3%U$3%T!!*X!!)#$3)0rdIr4J(r4`!
+!!Ip'!!!#!5S!!J%V!5`0!5X!!R)!!!)0!KJ",3%Z$3%Y!!*L!!!#$3)8!5m"-!d
+",`!"E`!!!Jd#%2p&#rp&!#3`!""MFRP`G'pQEfaNCA*`BA4S!""MFRP`G'p'Efa
+NCA*3BA4S$3%`!!&Y!!!#%!)6!6%-!6%!$3!(1Q*eCQCPFJ!#!!!0!5i!!@m!!!!
+!!!$r4![r4!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S!J%X!!)"-J%c$3%b!!0*!!)
+#'3*$rd2r3J%d#[p$!"JZBfpbC@0bC@`U+LSU!!!!!!!!N!!!ER9XE!(r3J!!"J%
+d!!2r33%e!6B+rd%!"!TVEf0X$3%e!!&Y!!!#(3)Jrd!+rd!!"!TKE'PK"J%f!!2
+r2`%h!6J+rcm!"!TTER0S$3%h!!)d!!!#)`)Vrci"13Vr2J!%#Q0QEf`0!6N!!@m
+!!!)R!LVr23[r23!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0
+-5@jME(9NC8C[E'4PFP"KG'J'!6J!!rmm!6Vr1`Vr2!!%#R4[)#!0!6S!!Qi!!!)
+Z!Md"1`%m$3%l!!)d!!!#0J)prcS"23Vr1J!%#QCTE'80!6d!!@d!!!)j!M`"2J`
+"2J!1!!KLG@CQCA)ZD!!#!!!0!6`!!M3!!!)Z!MEr13%r#[mj!!3+BfC[E!d"2`!
+"E`!!!M)#0Imi#rmi!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J'rcX!!!)"-`!#!8!
+"33d"3!!#E!!#!N3#42mhrcB"rcF!!!(r0J!!!J&"!!)"3J&$$3&#!!*b!!!#4!*
+2!83"43d"4!!#BJ!!!N3#5`&'!8F0!8B!!@m!!!*%!NIr03[r03!N-!!3Bh*jF(4
+[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD!d"4`!"E3!!!NF#5J&)$!&)!!X
+!"6TMBA0d!!)!!!d"43!"E`!!!!!!!2md#rmd!"3`!!KdC@e`F'&dD!!)G'9YF&"
+KG'J#!8-!!J&*!8S0!8N!!dN!!J*3!RVr-rmb!8X+rc-!'#jMEh*PBh*PE#SU+LS
+!!!!!!!#3!!"ZG@aX!Imb!!!'!8X!!rma!8`"63Vr-3!%#QY[Bf`0!8`!!@d!!!*
+8!PIr-!Vr-!!%#Q&XD@%'!8d!!rm[!8i"6`Vr,`!%#QPZFfJ0!8i!!M3!!!*D!Q,
+r,J&3#[mZ!!3+BfC[E!d"8!!"E`!!!Pi#BImY#rmY!$3`!"K[F'9ZFh0XD@jME(9
+NC@C[E'4PFR"KG'J!''p`C@j68da*EQ0XG@4P4QpXC'9b8'&dD!B"6`!$rb`"8Im
+V#[mX!!3+G'mJ)!d"83!#EJ!!!Q8#G!&5!9-0!9)!!M3!!!*Y!R6r+J&8#[mU!!3
++CQPXC3d"9!!"E3!!!R!#F`&9$!&9!!`!"Q0KFh3ZD!!#!!!0!9-!!M3!!!*P!Qh
+r+3&@#[mT!!3+BfC[E!d"9J!"E`!!!QN#E2mS#rmS!"3`!!KdC@e`F'&dD!!)G'9
+YF&"KG'J'rbX!!!)"5J!#!9F"@!d"9`!#E!!#!RX#HrmRrbB"rbF!!!(r*J!!!J&
+B!!)"@3&D$3&C!!*b!!!#H`+'!9X"A!d"@`!#BJ!!!RX#JJ&G!9i0!9d!!@m!!!*
+l!Rlr*3[r*3!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD!d
+"AJ!"E3!!!Ri#J3&I$!&I!!X!"6TMEfe`!!)!!!d"A!!"E`!!!!!!!2mN#rmN!"3
+`!!KdC@e`F'&dD!!)G'9YF&"KG'J#!9S!!J&J!@%0!@!!!dN!!J+(!V(r)rmL!@)
++rb-!'#jMEh*PBh*PE#SU+LS!!!!!!!#3!!"ZG@aX!ImL!!!'!@)!!rmK!@-"C!V
+r)3!%#QY[Bf`0!@-!!@d!!!+,!Slr)!Vr)!!%#Q&XD@%'!@3!!rmI!@8"CJVr(`!
+%#QPZFfJ0!@8!!M3!!!+4!TRr(J&R#[mH!!3+BfC[E!d"C`!"E`!!!T8#Q2mG#rm
+G!$3`!"K[F'9ZFh0XD@jME(9NC@C[E'4PFR"KG'J!''p`C@j68da*EQ0XG@4P4Qp
+XC'9b8'&dD!B"CJ!$ra`"D2mE#[mF!!3+G'mJ)!d"D!!#EJ!!!T`#U`&T!@S0!@N
+!!M3!!!+N!U[r'J&V#[mD!!3+CQPXC3d"D`!"E3!!!UF#UJ&X$!&X!!`!"Q0[EA!
+ZD!!#!!!0!@S!!M3!!!+F!U6r'3&Y#[mC!!3+BfC[E!d"E3!"E`!!!U!#SrmB#rm
+B!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J'raX!!!)"B3!#!@i"E`d"EJ!#E!!#!V)
+#X[mAraB"raF!!!(r&J!!!J&[!!)"F!&a$3&`!!*b!!!#XJ+p!A)"F`d"FJ!#BJ!
+!!V)#Z3&d!A80!A3!!@m!!!+b!VAr&3[r&3!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!
+3Bh*jF(4[4QpXC'9b8'&dD!d"G3!"E3!!!V8#Z!&f$!&f!!X!"6TMEfjQ!!)!!!d
+"F`!"E`!!!!!!!2m8#rm8!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J#!A%!!J&h!AJ
+0!AF!!dN!!J+q!ZMr%rm5!AN+ra-!'#jMEh*PBh*PE#SU+LS!!!!!!!#3!!"ZG@a
+X!Im5!!!'!AN!!rm4!AS"H`Vr%3!%#QY[Bf`0!AS!!@d!!!,#!XAr%!Vr%!!%#Q&
+XD@%'!AX!!rm2!A`"I3Vr$`!%#QPZFfJ0!A`!!M3!!!,)!Y$r$J&q#[m1!!3+BfC
+[E!d"IJ!"E`!!!X`#crm0#rm0!$3`!"K[F'9ZFh0XD@jME(9NC@C[E'4PFR"KG'J
+!''p`C@j68da*EQ0XG@4P4QpXC'9b8'&dD!B"I3!$r``"Irm,#[m-!!3+G'mJ)!d
+"I`!#EJ!!!Y-#iJ'!!B%0!B!!!M3!!!,E!Z,r#J'##[m+!!3+CQPXC3d"JJ!"E3!
+!!Yi#i3'$$!'$!!`!"Q0[EQBZD!!#!!!0!B%!!M3!!!,6!Y[r#3'%#[m*!!3+BfC
+[E!d"K!!"E`!!!YF#f[m)#rm)!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J'r`X!!!)
+"H!!#!B8"KJd"K3!#E!!#!ZN#kIm(r`B"r`F!!!(r"J!!!J''!!)"K`')$3'(!!*
+b!!!#k3,d!BN"LJd"L3!#BJ!!!ZN#m!',!B`0!BX!!@m!!!,T!Zcr"3[r"3!N-!!
+3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD!d"M!!"E3!!!Z`#l`'
+0$!'0!!S!"$TNCA-!!J!!$3'+!!&[!!!!!!!!r`3,r`3!&$!!#(4PEA"`BA4S!!K
+dC@e`8'&dD!)"L!!#!Bi"M`d"MJ!$53!#![8$(rm$r`)"N!!+r`-!'#jMEh*PBh*
+PE#SU+LS!!!!!!!#3!!"ZG@aX!Im#!!!'!C!!!!2r!3'4!C)+r`%!"!TVEf0X$3'
+4!!&Y!!!#q3,mr`!+r`!!"!TKE'PK"J'5!!2qr`'6!C3+r[m!"!TTER0S$3'6!!)
+d!!!#r`-(r[i"P3VqrJ!%#Q0QEf`0!C8!!@m!!!-$!`Eqr3[qr3!d-!!BEh"PER0
+cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'!C3
+!!rlm!CEqq`Vqr!!%#R4[)#!0!CB!!Qi!!!-+!aN"P`'B$3'A!!)d!!!$%J-Cr[S
+"Q3VqqJ!%#QCTE'80!CN!!@d!!!-9!aJ"QJ`"QJ!,!!9NCA-ZD!!#!!!0!CJ!!M3
+!!!-+!a,qq3'E#[lj!!3+BfC[E!d"Q`!"E`!!!`i$%Ili#rli!"3`!!KdC@e`F'&
+dD!!)G'9YF&"KG'J'r[X!!!)"M`!#!C`"R3d"R!!#E!!#!b!$)2lhr[B"r[F!!!(
+qpJ!!!J'G!!)"RJ'I$3'H!!*b!!!$)!-V!D!"S3d"S!!#BJ!!!b!$*`'L!D-0!D)
+!!@m!!!-J!b2qp3[qp3!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9
+b8'&dD!d"S`!"E3!!!b-$*J'N$!'N!!N!!cTND!!#!!!0!D%!!@m!!!!!!!$qp![
+qp!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S!J'I!!)"T3'Q$3'P!!0*!!)$,!0@r[2
+qmJ'R#[lc!"JZBfpbC@0bC@`U+LSU!!!!!!!!N!!!ER9XE!(qmJ!!"J'R!!2qm3'
+S!DN+r[%!"!TVEf0X$3'S!!&Y!!!$-!-cr[!+r[!!"!TKE'PK"J'T!!2ql`'U!DX
++rZm!"!TTER0S$3'U!!)d!!!$0J-qrZi"V!VqlJ!%#Q0QEf`0!D`!!@m!!!-k!ch
+ql3[ql3!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9
+NC8C[E'4PFP"KG'J'!DX!!rlX!Dhqk`Vql!!%#R4[)#!0!Dd!!Qi!!!0"!e!"VJ'
+[$3'Z!!)d!!!$5303rZS"X!VqkJ!%#QCTE'80!E!!!@d!!!0-!dm"X3`"X3!+!!4
+ND#jS!!)!!!d"V`!#0!!!!d%$5IlT!E)+rZN!"!TMCQpX$3'b!!&[!!!$430)rZJ
+,rZJ!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!Eqk`!!!J'Q!!)"X`'d$3'c!!*X!!)
+$9`0ArZIqjJ(qj`!!!IlQ!!!#!E3!!J'e!EB0!E8!!R)!!!0A!f)"Y`'i$3'h!!*
+L!!!$9`0H!EN"ZJd"Z3!"E`!!!eF$@[lP#rlP!#3`!""MFRP`G'pQEfaNCA*`BA4
+S!""MFRP`G'p'EfaNCA*3BA4S$3'k!!&Y!!!$@J0G!EX-!EX!#J!%1Q4cB3!#!!!
+0!EJ!!@m!!!!!!!$qj![qj!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S!J'f!!)"[!'
+p$3'm!!0*!!)$B`10rZ2qiJ'q#[lM!"JZBfpbC@0bC@`U+LSU!!!!!!!!N!!!ER9
+XE!(qiJ!!"J'q!!2qi3'r!F!+rZ%!"!TVEf0X$3'r!!&Y!!!$C`0UrZ!+rZ!!"!T
+KE'PK"J(!!!2qh`("!F)+rYm!"!TTER0S$3("!!)d!!!$E30erYi"``VqhJ!%#Q0
+QEf`0!F-!!@m!!!0a!h6qh3[qh3!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4
+S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'!F)!!rlF!F6qf`Vqh!!%#R4[)#!
+0!F3!!Qi!!!0i!iF"a3('$3(&!!)d!!!$J!1(rYS"a`VqfJ!%#QCTE'80!FF!!@d
+!!!1$!iB"b!`"b!!,!!9NFf%ZD!!#!!!0!FB!!M3!!!0i!i$qf3(*#[lC!!3+BfC
+[E!d"b3!"E`!!!h`$IrlB#rlB!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J'rYX!!!)
+"[3!#!FS"b`d"bJ!#E!!#!ii$M[lArYB"rYF!!!(qeJ!!!J(,!!)"c!(0$3(-!!*
+b!!!$MJ1C!Fi"c`d"cJ!#BJ!!!ii$P3(3!G%0!G!!!@m!!!11!j(qe3[qe3!N-!!
+3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD!d"d3!"E3!!!j%$P!(
+5$!(5!!S!"$TPFR)!!J!!$3(2!!&[!!!!!!!!rY3,rY3!&$!!#(4PEA"`BA4S!!K
+dC@e`8'&dD!)"c3!#!G-"e!d"d`!$53!#!jS$a2l6rY)"e3Vqd`!B,Q0[FQ9MFQ9
+X+LSU+J!!!!!!!*!!!'jeE'`"rY)!!!B"e3!$rY%"eJ(A#[l4!!3+DfpME!d"eJ!
+"E3!!!ji$SIl3#[l3!!3+B@aTB3B"e`!$rXm"f!(C#[l2!!3+D@jcD!d"f!!#0!!
+!!k3$V2l1!GS+rXi!"!TMCQpX$3(D!!&[!!!$U!1VrXd,rXd!0$!!''p`C@jcFfa
+TEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J(C!!2
+qc!(ErXX+rX`!"!TdEb!J$3(E!!*Z!!!$V`1q!G`"h3d"h!!#0!!!!lF$[[l+!Gi
++rXS!"!TQD@aP$3(H!!&Y!!!$ZJ1p!Gm-!Gm!#`!&CA*b,QJ!!J!!$3(G!!)d!!!
+$V`1hrXN"i!Vqb3!%#Q0QEf`0!H!!!@m!!!1c!lEqb![qb!!8-!!)G'9YF("KG'J
+!#(4PEA"3BA4S"[l,!!!#!G3!!J(K!H)0!H%!!Q`!!J2&!mAqarl'!Il(!!!"rXB
+!!!)"iJ!#!H-"j!d"i`!#FJ!!!m8$d!(P!HB0!H8!!Q)!!!2&!m`"j`(S$3(R!!&
+[!!!$a32)rX8,rX8!*$!!%'0bHA"dEfC[E'4PFR"KG'J!%'0bHA"dEdC[E'4PFP"
+KG'J0!HJ!!@d!!!2)!mX"k3`"k3!+!!3kCAC`!!)!!!d"jJ!"E`!!!!!!!2l%#rl
+%!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J#!H3!!J(U!HX0!HS!!dN!!J24!r[q`rl
+#!H`+rX-!'#jMEh*PBh*PE#SU+LS!!!!!!!#3!!"ZG@aX!Il#!!!'!H`!!rl"!Hd
+"lJVq`3!%#QY[Bf`0!Hd!!@d!!!29!pMq`!Vq`!!%#Q&XD@%'!Hi!!rkr!Hm"m!V
+q[`!%#QPZFfJ0!Hm!!M3!!!2E!q2q[J(a#[kq!!3+BfC[E!d"m3!"E`!!!pm$i[k
+p#rkp!$3`!"K[F'9ZFh0XD@jME(9NC@C[E'4PFR"KG'J!''p`C@j68da*EQ0XG@4
+P4QpXC'9b8'&dD!B"m!!$rV`"m[kl#[km!!3+G'mJ)!d"mJ!#EJ!!!qB$p3(c!I3
+0!I-!!M3!!!2Z!rAqZJ(e#[kk!!3+CQPXC3d"p3!"E3!!!r%$p!(f$!(f!!X!"@9
+fF#jS!!)!!!d"p!!#0!!!!qB$l[kj!IF+rVN!"!TMCQpX$3(h!!&[!!!$kJ2YrVJ
+,rVJ!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!EqZ`!!!J(V!!)"q!(j$3(i!!*X!!)
+$r!2mrVIqYJ(qY`!!!Ikf!!!#!IN!!J(k!IX0!IS!!R)!!!2m"!F"r!(p$3(m!!*
+L!!!$r!3$!Ii"r`d"rJ!"E`!!!r`$rrke#rke!#3`!""MFRP`G'pQEfaNCA*`BA4
+S!""MFRP`G'p'EfaNCA*3BA4S$3(r!!&Y!!!$r`3#!J!-!J!!#`!&1QKYB@-!!J!
+!$3(p!!&[!!!!!!!!rV3,rV3!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!)"q`!#!J%
+#!Jd#!3!$53!#"!J%-[kcrV)#!`VqX`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'j
+eE'`"rV)!!!B#!`!$rV%#"!)&#[ka!!3+DfpME!d#"!!"E3!!"!`%$rk`#[k`!!3
++B@aTB3B#"3!$rUm#"J)(#[k[!!3+D@jcD!d#"J!#0!!!"")%'[kZ!JJ+rUi!"!T
+MCQpX$3))!!&[!!!%&J3CrUd,rUd!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&
+dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J)(!!2qV!)*rUX+rU`!"!TdEb!
+J$3)*!!*Z!!!%(33X!JS##`d##J!#0!!!"#8%,2kU!J`+rUS!"!TQD@aP$3)-!!&
+Y!!!%+!3V!Jd-!Jd!$!!'D'eKBbjS!!)!!!d##`!#0!!!""d%*IkT!Ji+rUN!"!T
+MCQpX$3)1!!&[!!!%)33NrUJ,rUJ!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!EqU`!
+!!J)#!!)#$`)3$3)2!!*X!!)%-`3crUIqTJ(qT`!!!IkQ!!!#!K!!!J)4!K)0!K%
+!!R)!!!3c"$i#%`)8$3)6!!*L!!!%-`3k!K8#&Jd#&3!"E`!!"$-%0[kP#rkP!#3
+`!""MFRP`G'pQEfaNCA*`BA4S!""MFRP`G'p'EfaNCA*3BA4S$3)@!!&Y!!!%0J3
+j!KF-!KF!#`!&1QPNC@%!!J!!$3)8!!&[!!!!!!!!rU3,rU3!&$!!#(4PEA"`BA4
+S!!KdC@e`8'&dD!)#%J!#!KJ#'3d#'!!$53!#"$m%DIkMrU)#'JVqS`!B,Q0[FQ9
+MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"rU)!!!B#'J!$rU%#'`)F#[kK!!3+DfpME!d
+#'`!"E3!!"%-%4[kJ#[kJ!!3+B@aTB3B#(!!$rTm#(3)H#[kI!!3+D@jcD!d#(3!
+#0!!!"%N%8IkH!Km+rTi!"!TMCQpX$3)I!!&[!!!%6343rTd,rTd!0$!!''p`C@j
+cFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J)
+H!!2qR!)JrTX+rT`!"!TdEb!J$3)J!!*Z!!!%9!4M!L%#)Jd#)3!#0!!!"&`%Brk
+D!L-+rTS!"!TQD@aP$3)M!!&Y!!!%A`4L!L3-!L3!$!!'D@4PB5jS!!)!!!d#)J!
+#0!!!"&3%A2kC!L8+rTN!"!TMCQpX$3)P!!&[!!!%@!4ErTJ,rTJ!&$!!#(4PEA"
+`BA4S!!KdC@e`8'&dD!EqQ`!!!J)C!!)#*J)R$3)Q!!*X!!)%DJ4UrTIqPJ(qP`!
+!!Ik@!!!#!LF!!J)S!LN0!LJ!!R)!!!4U"(8#+J)V$3)U!!*L!!!%DJ4a!L`#,3d
+#,!!"E`!!"'S%EIk9#rk9!#3`!""MFRP`G'pQEfaNCA*`BA4S!""MFRP`G'p'Efa
+NCA*3BA4S$3)Y!!&Y!!!%E34`!Li-!Li!$!!'1QaSBA0S!!)!!!d#+`!"E`!!!!!
+!!2k8#rk8!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J#!LN!!J)[!M!0!Lm!!dN!!J4
+f"+$qNrk5!M%+rT-!'#jMEh*PBh*PE#SU+LS!!!!!!!#3!!"ZG@aX!Ik5!!!'!M%
+!!rk4!M)#-`VqN3!%#QY[Bf`0!M)!!@d!!!4k"(hqN!!+rT!!!!3+B@aTB3B#-`!
+$rSm#0!)e#[k2!!3+D@jcD!d#0!!#0!!!")!%L2k1!MB+rSi!"!TMCQpX$3)f!!&
+[!!!%K!5(rSd,rSd!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP0
+66%PZBfaeC'9'EfaNCA*3BA4S"J)e!!2qM!)hrSX+rS`!"!TdEb!J$3)h!!*Z!!!
+%L`5D!MJ#13d#1!!#0!!!"*-%Q[k+!MS+rSS!"!TQD@aP$3)k!!&Y!!!%PJ5C!MX
+-!MX!$3!(E'KKFfJZD!!#!!!0!MN!!M3!!!5,"*2qL3)m#[k*!!3+BfC[E!d#2!!
+"E`!!")m%N[k)#rk)!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J'rSX!!!)#-!!#!Md
+#2Jd#23!#E!!#"+%%SIk(rSB"rSF!!!(qKJ!!!J)q!!)#2`*!$3)r!!*b!!!%S35
+X!N%#3Jd#33!#BJ!!"+%%U!*$!N30!N-!!@m!!!5K"+6qK3[qK3!N-!!3Bh*jF(4
+[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD!d#4!!"E3!!"+3%T`*&$!*&!!S
+!"$TYC$)!!J!!$3*#!!&[!!!!!!!!rS3,rS3!&$!!#(4PEA"`BA4S!!KdC@e`8'&
+dD!)#3!!#!NB#4`d#4J!$53!#"+d%erk$rS)#5!VqJ`!B,Q0[FQ9MFQ9X+LSU+J!
+!!!!!!*!!!'jeE'`"rS)!!!B#5!!$rS%#53*+#[k"!!3+DfpME!d#53!"E3!!",%
+%Y2k!#[k!!!3+B@aTB3B#5J!$rRm#5`*-#[jr!!3+D@jcD!d#5`!#0!!!",F%[rj
+q!Nd+rRi!"!TMCQpX$3*0!!&[!!!%Z`5qrRd,rRd!0$!!''p`C@jcFfaTEQ0XG@4
+PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J*-!!2qI!*1rRX
++rR`!"!TdEb!J$3*1!!*Z!!!%`J64!Nm#8!d#6`!#0!!!"-S%dIjk!P%+rRS!"!T
+QD@aP$3*4!!&Y!!!%c363!P)-!P)!#`!&E@3b,QJ!!J!!$3*3!!)d!!!%`J6+rRN
+#8`VqH3!%#Q0QEf`0!P-!!@m!!!6'"-RqH![qH!!8-!!)G'9YF("KG'J!#(4PEA"
+3BA4S"[jl!!!#!NF!!J*8!P80!P3!!Q`!!J6B"0MqGrjf!Ijh!!!"rRB!!!)#93!
+#!PB#9`d#9J!#FJ!!"0J%i`*B!PN0!PJ!!Q)!!!6B"0m#@J*E$3*D!!&[!!!%f!6
+ErR8,rR8!*$!!%'0bHA"dEfC[E'4PFR"KG'J!%'0bHA"dEdC[E'4PFP"KG'J0!PX
+!!@d!!!6E"0i#A!`#A!!+!!3kE@3e!!)!!!d#@3!"E`!!!!!!!2jd#rjd!"3`!!K
+dC@e`F'&dD!!)G'9YF&"KG'J#!PF!!J*G!Pi0!Pd!!dN!!J6N"3lqFrjb!Pm+rR-
+!'#jMEh*PBh*PE#SU+LS!!!!!!!#3!!"ZG@aX!Ijb!!!'!Pm!!rja!Q!#B3VqF3!
+%#QY[Bf`0!Q!!!@d!!!6S"1[qF!VqF!!%#Q&XD@%'!Q%!!rj[!Q)#B`VqE`!%#QP
+ZFfJ0!Q)!!M3!!!6Z"2EqEJ*N#[jZ!!3+BfC[E!d#C!!"E`!!"2)%pIjY#rjY!$3
+`!"K[F'9ZFh0XD@jME(9NC@C[E'4PFR"KG'J!''p`C@j68da*EQ0XG@4P4QpXC'9
+b8'&dD!B#B`!$rQ`#CIjV#[jX!!3+G'mJ)!d#C3!#EJ!!"2N&#!*Q!QF0!QB!!M3
+!!!8""3MqDJ*S#[jU!!3+CQPXC3d#D!!"E3!!"33&"`*T$!*T!!X!"@eN05jS!!)
+!!!d#C`!#0!!!"2N&!IjT!QS+rQN!"!TMCQpX$3*U!!&[!!!%r38!rQJ,rQJ!&$!
+!#(4PEA"`BA4S!!KdC@e`8'&dD!EqD`!!!J*H!!)#D`*X$3*V!!*X!!)&$`82rQI
+qCJ(qC`!!!IjQ!!!#!Q`!!J*Y!Qi0!Qd!!R)!!!82"4S#E`*`$3*[!!*L!!!&$`8
+@!R%#FJd#F3!"E`!!"3m&%[jP#rjP!#3`!""MFRP`G'pQEfaNCA*`BA4S!""MFRP
+`G'p'EfaNCA*3BA4S$3*b!!&Y!!!&%J89!R--!R-!#`!&1QeNBc)!!J!!$3*`!!&
+[!!!!!!!!rQ3,rQ3!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!)#EJ!#!R3#G3d#G!!
+$53!#"4X&4IjMrQ)#GJVqB`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"rQ)
+!!!B#GJ!$rQ%#G`*i#[jK!!3+DfpME!d#G`!"E3!!"4m&)[jJ#[jJ!!3+B@aTB3B
+#H!!$rPm#H3*k#[jI!!3+D@jcD!d#H3!#0!!!"58&,IjH!RX+rPi!"!TMCQpX$3*
+l!!&[!!!&+38XrPd,rPd!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"
+PEP066%PZBfaeC'9'EfaNCA*3BA4S"J*k!!2qA!*mrPX+rP`!"!TdEb!J$3*m!!*
+Z!!!&-!8r!Rd#IJd#I3!#0!!!"6J&2rjD!Rm+rPS!"!TQD@aP$3*r!!&Y!!!&1`8
+q!S!-!S!!$!!'E@4M-LjS!!)!!!d#IJ!#0!!!"6!&12jC!S%+rPN!"!TMCQpX$3+
+"!!&[!!!&0!8hrPJ,rPJ!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!Eq@`!!!J*e!!)
+#JJ+$$3+#!!*X!!)&4J9'rPIq9J(q9`!!!Ij@!!!#!S-!!J+%!S80!S3!!R)!!!9
+'"9%#KJ+($3+'!!*L!!!&4J90!SJ#L3d#L!!"E`!!"8B&5Ij9#rj9!#3`!""MFRP
+`G'pQEfaNCA*`BA4S!""MFRP`G'p'EfaNCA*3BA4S$3+*!!&Y!!!&539-!SS-!SS
+!$J!)1QpLDQ9MG(-!!J!!$3+(!!&[!!!!!!!!rP3,rP3!&$!!#(4PEA"`BA4S!!K
+dC@e`8'&dD!)#K3!#!SX#M!d#L`!$53!#"9)&I2j6rP)#M3Vq8`!B,Q0[FQ9MFQ9
+X+LSU+J!!!!!!!*!!!'jeE'`"rP)!!!B#M3!$rP%#MJ+2#[j4!!3+DfpME!d#MJ!
+"E3!!"9B&@Ij3#[j3!!3+B@aTB3B#M`!$rNm#N!!#N3Vq6`!%#QPZFfJ0!T!!!!)
+d!!!&A!9NrNi#NJVq6J!%#Q0QEf`0!T)!!@m!!!9J"@2q63[q63!d-!!BEh"PER0
+cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'!T%
+!!rj-!T2q5`Vq6!!%#R4[)#!0!T-!!Qi!!!9R"AB#P!+9$3+8!!)d!!!&E`9frNS
+#PJVq5J!%#QCTE'80!TB!!@d!!!9b"A8#P``#P`!2!!P[BQTPBh4c,QJ!!J!!$3+
+9!!)d!!!&C`9[rNN#Q!Vq53!%#Q0QEf`0!TJ!!@m!!!9V"@lq5![q5!!8-!!)G'9
+YF("KG'J!#(4PEA"3BA4S"[j,!!!#!S`!!J+C!TS0!TN!!Q`!!J9p"Ahq4rj'!Ij
+(!!!"rNB!!!)#QJ!#!TX#R!d#Q`!#FJ!!"Ad&L!+G!Ti0!Td!!Q)!!!9p"B3#R`+
+J$3+I!!&[!!!&I3@!rN8,rN8!*$!!%'0bHA"dEfC[E'4PFR"KG'J!%'0bHA"dEdC
+[E'4PFP"KG'J0!U!!!@d!!!@!"B-#S3`#S3!+!!3kF'9Y!!)!!!d#RJ!"E`!!!!!
+!!2j%#rj%!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J#!T`!!J+L!U-0!U)!!dN!!J@
+*"E2q3rj#!U3+rN-!'#jMEh*PBh*PE#SU+LS!!!!!!!#3!!"ZG@aX!Ij#!!!'!U3
+!!rj"!U8#TJVq33!%#QY[Bf`0!U8!!@d!!!@0"C!!rN!+rN!!"!TKE'PK"J+Q!!2
+q2`+R!UJ+rMm!"!TTER0S$3+R!!)d!!!&N`@ErMi#U3Vq2J!%#Q0QEf`0!UN!!@m
+!!!@A"CVq23[q23!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0
+-5@jME(9NC8C[E'4PFP"KG'J'!UJ!!rim!UVq1`Vq2!!%#R4[)#!0!US!!Qi!!!@
+H"Dd#U`+X$3+V!!)d!!!&TJ@YrMS#V3Vq1J!%#QCTE'80!Ud!!@d!!!@T"D`#VJ`
+#VJ!,!!9`C@dZD!!#!!!0!U`!!M3!!!@H"DEq13+[#[ij!!3+BfC[E!d#V`!"E`!
+!"D)&TIii#rii!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J'rMX!!!)#S`!#!V!#X3d
+#X!!$53!#"E3&h[ihrMB#XJVq0`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`
+"rMB!!!B#XJ!$rM8#X`+d#[ie!!3+DfpME!d#X`!"E3!!"EJ&Zrid#[id!!3+B@a
+TB3B#Y!!$rM-#Y3+f#[ic!!3+D@jcD!d#Y3!#0!!!"Ei&a[ib!VF+rM)!"!TMCQp
+X$3+h!!&[!!!&`JA&rM%,rM%!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!
+BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J+f!!2q-!+irLm+rM!!"!TdEb!J$3+
+i!!*Z!!!&b3AB!VN#ZJd#Z3!#0!!!"G%&f2iZ!VX+rLi!"!TQD@aP$3+l!!&Y!!!
+&e!AA!V`-!V`!$!!'F'9Y-LjS!!)!!!d#ZJ!#0!!!"FN&dIiY!Vd+rLd!"!TMCQp
+X$3+p!!&[!!!&c3A3rL`,rL`!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!Eq,`!!!J+
+a!!)#[J+r$3+q!!*X!!)&h`AIrL[q+J(q+`!!!IiU!!!#!Vm!!J,!!X%0!X!!!R)
+!!!AI"HS#`J,$$3,#!!*L!!!&h`AQ!X3#a3d#a!!"E`!!"Gm&i[iT#riT!#3`!""
+MFRP`G'pQEfaNCA*`BA4S!""MFRP`G'p'EfaNCA*3BA4S$3,&!!&Y!!!&iJAP!XB
+-!XB!$3!(1R"VBh-a-J!#!!!0!X-!!@m!!!!!!!$q+![q+!!8-!!)G'9YF("KG'J
+!#(4PEA"3BA4S!J,"!!)#a`,)$3,(!!0*!!)&k`B9rLIq*J,*#[iR!"JZBfpbC@0
+bC@`U+LSU!!!!!!!!N!!!ER9XE!(q*J!!"J,*!!2q*3,+!XX+rL8!"!TVEf0X$3,
++!!&Y!!!&l`AbrL3+rL3!"!TKE'PK"J,,!!2q)`,-!Xd+rL-!"!TTER0S$3,-!!)
+d!!!&p3AprL)#cJVq)J!%#Q0QEf`0!Xi!!@m!!!Aj"Icq)3[q)3!d-!!BEh"PER0
+cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'!Xd
+!!riJ!Xrq(`Vq)!!%#R4[)#!0!Xm!!Qi!!!B!"Jm#d!,4$3,3!!)d!!!'#!B2rKi
+#dJVq(J!%#QCTE'80!Y)!!@d!!!B,"Ji#d``#d`!1!!K`Df0c-6)ZD!!#!!!0!Y%
+!!M3!!!B!"JMq(3,8#[iG!!3+BfC[E!d#e!!"E`!!"J3'"riF#riF!"3`!!KdC@e
+`F'&dD!!)G'9YF&"KG'J'rKm!!!)#b!!#!Y8#eJd#e3!#E!!#"KB'&[iErKS"rKX
+!!!(q'J!!!J,@!!)#e`,B$3,A!!*b!!!'&JBK!YN#fJd#f3!#BJ!!"KB'(3,E!Y`
+0!YX!!@m!!!B@"KRq'3[q'3!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4Qp
+XC'9b8'&dD!d#h!!"E3!!"KN'(!,G$!,G!!`!"MT`Df0c0`!#!!!0!YS!!@m!!!!
+!!!$q'![q'!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S!J,B!!)#hJ,I$3,H!!0*!!)
+')JC-rKIq&J,J#[iA!"JZBfpbC@0bC@`U+LSU!!!!!!!!N!!!ER9XE!(q&J!!"J,
+J!!2q&3,K!Z)+rK8!"!TVEf0X$3,K!!&Y!!!'*JBTrK3+rK3!"!TKE'PK"J,L!!2
+q%`,M!Z3+rK-!"!TTER0S$3,M!!)d!!!',!BdrK)#j3Vq%J!%#Q0QEf`0!Z8!!@m
+!!!B`"M2q%3[q%3!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0
+-5@jME(9NC8C[E'4PFP"KG'J'!Z3!!ri3!ZEq$`Vq%!!%#R4[)#!0!ZB!!Qi!!!B
+h"NB#j`,S$3,R!!)d!!!'2`C'rJi#k3Vq$J!%#QCTE'80!ZN!!@d!!!C#"N8#kJ`
+#kJ!0!!G`Df0c0bjS!!)!!!d#k!!#0!!!"MF'2ri0!ZX+rJd!"!TMCQpX$3,V!!&
+[!!!'1`BqrJ`,rJ`!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!Eq$`!!!J,I!!)#l!,
+Y$3,X!!*X!!)'63C0rJ[q#J(q#`!!!Ii+!!!#!Zd!!J,Z!Zm0!Zi!!R)!!!C0"PJ
+#m!,a$3,`!!*L!!!'63C8![)#m`d#mJ!"E`!!"Nd'82i*#ri*!#3`!""MFRP`G'p
+QEfaNCA*`BA4S!""MFRP`G'p'EfaNCA*3BA4S$3,c!!&Y!!!'8!C6![3-![3!#`!
+&1R*KEQ3!!J!!$3,a!!&[!!!!!!!!rJJ,rJJ!&$!!#(4PEA"`BA4S!!KdC@e`8'&
+dD!)#l`!#![8#pJd#p3!$53!#"PN'Jri(rJB#p`Vq"`!B,Q0[FQ9MFQ9X+LSU+J!
+!!!!!!*!!!'jeE'`"rJB!!!B#p`!$rJ8#q!,j#[i&!!3+DfpME!d#q!!"E3!!"Pd
+'B2i%#[i%!!3+B@aTB3B#q3!$rJ-#qJ,l#[i$!!3+D@jcD!d#qJ!#0!!!"Q-'Dri
+#![`+rJ)!"!TMCQpX$3,m!!&[!!!'C`CUrJ%,rJ%!0$!!''p`C@jcFfaTEQ0XG@4
+PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J,l!!2q!!,prIm
++rJ!!"!TdEb!J$3,p!!*Z!!!'EJCp![i#r`d#rJ!#0!!!"RB'IIhq!`!+rIi!"!T
+QD@aP$3-!!!&Y!!!'H3Cm!`%-!`%!$!!'FQ&ZC#jS!!)!!!d#r`!#0!!!"Qi'G[h
+p!`)+rId!"!TMCQpX$3-#!!&[!!!'FJCerI`,rI`!&$!!#(4PEA"`BA4S!!KdC@e
+`8'&dD!Epr`!!!J,f!!)$!`-%$3-$!!*X!!)'K!D%rI[pqJ(pq`!!!Ihk!!!#!`3
+!!J-&!`B0!`8!!R)!!!D%"Sm$"`-)$3-(!!*L!!!'K!D,!`N$#Jd$#3!"E`!!"S3
+'Krhj#rhj!#3`!""MFRP`G'pQEfaNCA*`BA4S!""MFRP`G'p'EfaNCA*3BA4S$3-
++!!&Y!!!'K`D+!`X-!`X!#J!%1R*M-J!#!!!0!`J!!@m!!!!!!!$pq![pq!!8-!!
+)G'9YF("KG'J!#(4PEA"3BA4S!J-'!!)$$!-0$3--!!0*!!)'N!!'Z[hhrIB$$JV
+pp`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"rIB!!!B$$J!$rI8$$`-3#[h
+e!!3+DfpME!d$$`!"E3!!"T3'Prhd#[hd!!3+B@aTB3B$%!!$rI-$%3-5#[hc!!3
++D@jcD!d$%3!#0!!!"TS'S[hb!a-+rI)!"!TMCQpX$3-6!!&[!!!'RJDKrI%,rI%
+!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'Efa
+NCA*3BA4S"J-5!!2pm!-8rHm+rI!!"!TdEb!J$3-8!!*Z!!!'T3Dd!a8$&Jd$&3!
+#0!!!"Ud'Y2hZ!aF+rHi!"!TQD@aP$3-A!!&Y!!!'X!Dc!aJ-!aJ!#`!&FQ-b,QJ
+!!J!!$3-@!!)d!!!'T3DYrHd$'3Vpl3!%#Q0QEf`0!aN!!@m!!!DT"Ucpl![pl!!
+8-!!)G'9YF("KG'J!#(4PEA"3BA4S"[h[!!!#!`d!!J-D!aX0!aS!!Q`!!JDl"V[
+pkrhU!IhV!!!"rHS!!!)$'`!#!a`$(3d$(!!#FJ!!"VX'aJ-H!am0!ai!!Q)!!!D
+l"X)$)!-K$3-J!!&[!!!'Z`DqrHN,rHN!*$!!%'0bHA"dEfC[E'4PFR"KG'J!%'0
+bHA"dEdC[E'4PFP"KG'J0!b%!!@d!!!Dq"X%$)J`$)J!+!!3kFQ-d!!)!!!d$(`!
+"E`!!!!!!!2hS#rhS!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J#!ad!!J-M!b30!b-
+!!dN!!JE("[(pjrhQ!b8+rHF!'#jMEh*PBh*PE#SU+LS!!!!!!!#3!!"ZG@aX!Ih
+Q!!!'!b8!!rhP!bB$*`Vpj3!%#QY[Bf`0!bB!!@d!!!E,"Xlpj!Vpj!!%#Q&XD@%
+'!bF!!rhM!bJ$+3Vpi`!%#QPZFfJ0!bJ!!M3!!!E4"YRpiJ-U#[hL!!3+BfC[E!d
+$+J!"E`!!"Y8'f2hK#rhK!$3`!"K[F'9ZFh0XD@jME(9NC@C[E'4PFR"KG'J!''p
+`C@j68da*EQ0XG@4P4QpXC'9b8'&dD!B$+3!$rH!$+rhI#[hJ!!3+G'mJ)!d$+`!
+#EJ!!"Y`'k`-X!bd0!b`!!M3!!!EN"Z[phJ-Z#[hH!!3+CQPXC3d$,J!"E3!!"ZF
+'kJ-[$!-[!!X!"A*M0#jS!!)!!!d$,3!#0!!!"Y`'j2hG!c!+rGd!"!TMCQpX$3-
+`!!&[!!!'i!EMrG`,rG`!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!Eph`!!!J-N!!)
+$-3-b$3-a!!*X!!)'mJEbrG[pfJ(pf`!!!IhD!!!#!c)!!J-c!c30!c-!!R)!!!E
+b"[d$03-f$3-e!!*L!!!'mJEj!cF$1!d$0`!"E`!!"[)'pIhC#rhC!#3`!""MFRP
+`G'pQEfaNCA*`BA4S!""MFRP`G'p'EfaNCA*3BA4S$3-i!!&Y!!!'p3Ei!cN-!cN
+!#J!%1R*M03!#!!!0!cB!!@m!!!!!!!$pf![pf!!8-!!)G'9YF("KG'J!#(4PEA"
+3BA4S!J-d!!)$1J-l$3-k!!0*!!)'rJFSrGIpeJ-m#[hA!"JZBfpbC@0bC@`U+LS
+U!!!!!!!!N!!!ER9XE!(peJ!!"J-m!!2pe3-p!ci+rG8!"!TVEf0X$3-p!!&Y!!!
+(!JF&rG3+rG3!"!TKE'PK"J-q!!2pd`-r!d!+rG-!"!TTER0S$3-r!!)d!!!(#!F
+3rG)$33VpdJ!%#Q0QEf`0!d%!!@m!!!F-"`rpd3[pd3!d-!!BEh"PER0cE'PZBfa
+eC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'!d!!!rh3!d,
+pc`Vpd!!%#R4[)#!0!d)!!Qi!!!F6"b)$3`0%$30$!!)d!!!('`FLrFi$43VpcJ!
+%#QCTE'80!d8!!@d!!!FH"b%$4J`$4J!,!!9bBc8ZD!!#!!!0!d3!!M3!!!F6"a[
+pc30(#[h0!!3+BfC[E!d$4`!"E`!!"aF('[h-#rh-!"3`!!KdC@e`F'&dD!!)G'9
+YF&"KG'J'rFm!!!)$1`!#!dJ$53d$5!!#E!!#"bN(+Ih,rFS"rFX!!!(pbJ!!!J0
+*!!)$5J0,$30+!!*b!!!(+3Fd!d`$63d$6!!#BJ!!"bN(-!01!dm0!di!!@m!!!F
+T"bcpb3[pb3!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD!d
+$6`!"E3!!"b`(,`03$!03!!d!"cTbDA"PE@3!!J!!$300!!&[!!!!!!!!rFJ,rFJ
+!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!)$5`!#!e%$8Jd$83!$53!#"c8(Arh(rFB
+$8`Vpa`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"rFB!!!B$8`!$rF8$9!0
+9#[h&!!3+DfpME!d$9!!"E3!!"cN(22h%#[h%!!3+B@aTB3B$93!$rF-$9J0A#[h
+$!!3+D@jcD!d$9J!#0!!!"cm(4rh#!eJ+rF)!"!TMCQpX$30B!!&[!!!(3`G'rF%
+,rF%!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9
+'EfaNCA*3BA4S"J0A!!2p`!0CrEm+rF!!"!TdEb!J$30C!!*Z!!!(5JGC!eS$@`d
+$@J!#0!!!"e)(@Ifq!e`+rEi!"!TQD@aP$30F!!&Y!!!(93GB!ed-!ed!$J!)FQP
+`C@eN,QJ!!J!!$30E!!)d!!!(5JG5rEd$AJVp[3!%#Q0QEf`0!ei!!@m!!!G1"e(
+p[![p[!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S"[fr!!!#!e)!!J0I!f!0!em!!Q`
+!!JGJ"f$pZrfk!Ifl!!!"rES!!!)$B!!#!f%$BJd$B3!#FJ!!"f!(D`0M!f30!f-
+!!Q)!!!GJ"fF$C30Q$30P!!&[!!!(B!GMrEN,rEN!*$!!%'0bHA"dEfC[E'4PFR"
+KG'J!%'0bHA"dEdC[E'4PFP"KG'J0!fB!!@d!!!GM"fB$C``$C`!+!!3kFR0K!!)
+!!!d$C!!"E`!!!!!!!2fi#rfi!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J#!f)!!J0
+S!fN0!fJ!!dN!!JGX"jEpYrff!fS+rEF!'#jMEh*PBh*PE#SU+LS!!!!!!!#3!!"
+ZG@aX!Iff!!!'!fS!!rfe!fX$E!VpY3!%#QY[Bf`0!fX!!@d!!!G`"h2pY!VpY!!
+%#Q&XD@%'!f`!!rfc!fd$EJVpX`!%#QPZFfJ0!fd!!M3!!!Gf"hlpXJ0[#[fb!!3
++BfC[E!d$E`!"E`!!"hS(IIfa#rfa!$3`!"K[F'9ZFh0XD@jME(9NC@C[E'4PFR"
+KG'J!''p`C@j68da*EQ0XG@4P4QpXC'9b8'&dD!B$EJ!$rE!$F2f[#[f`!!3+G'm
+J)!d$F!!#EJ!!"i%(N!!$F30b$30a!!)d!!!(L3H3!2fZ!h-+rDi!"!TQD@aP$30
+c!!&Y!!!(M!H2!h3-!h3!#`!&FR0K,QJ!!J!!$30b!!)d!!!(J3H*rDd$G3VpV3!
+%#Q0QEf`0!h8!!@m!!!H&"iMpV![pV!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S"[f
+[!!!#!fN!!J0f!hF0!hB!!Q`!!JHA"jIpUrfU!IfV!!!"rDS!!!)$G`!#!hJ$H3d
+$H!!#FJ!!"jF(SJ0k!hX0!hS!!Q)!!!HA"ji$I!0p$30m!!&[!!!(P`HDrDN,rDN
+!*$!!%'0bHA"dEfC[E'4PFR"KG'J!%'0bHA"dEdC[E'4PFP"KG'J0!hd!!@d!!!H
+D"jd$IJ`$IJ!-!!BkFh4KBfX!!J!!$30l!!&[!!!!!!!!rDJ,rDJ!&$!!#(4PEA"
+`BA4S!!KdC@e`8'&dD!)$H3!#!hm$J!d$I`!$53!#"k-(cIfRrDB$J3VpT`!B,Q0
+[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"rDB!!!B$J3!$rD8$JJ1$#[fP!!3+Dfp
+ME!d$JJ!"E3!!"kF(U[fN#[fN!!3+B@aTB3B$J`!$rD-$K!1&#[fM!!3+D@jcD!d
+$K!!#0!!!"kd(YIfL!iB+rD)!"!TMCQpX$31'!!&[!!!(X3HdrD%,rD%!0$!!''p
+`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4
+S"J1&!!2pS!1(rCm+rD!!"!TdEb!J$31(!!*Z!!!(Z!I(!iJ$L3d$L!!#0!!!"m!
+(arfH!iS+rCi!"!TQD@aP$31+!!&Y!!!(``I'!iX-!iX!$3!(Fh4KBfXZD!!#!!!
+0!iN!!M3!!!Hi"m$pR31-#[fG!!3+BfC[E!d$M!!"E`!!"l`([rfF#rfF!"3`!!K
+dC@e`F'&dD!!)G'9YF&"KG'J'rCm!!!)$J!!#!id$MJd$M3!$53!#"mi(q2fErCS
+$M`VpQ`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"rCS!!!B$M`!$rCN$N!!
+$N3VpQ3!%#QY[Bf`0!j!!!!&Y!!!(dJI9rCJ+rCJ!"!TKE'PK"J14!!2pP`15!j-
++rCF!"!TTER0S$315!!)d!!!(f!IJrCB$P!VpPJ!%#Q0QEf`0!j3!!@m!!!IF"pr
+pP3[pP3!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9
+NC8C[E'4PFP"KG'J'!j-!!rf8!jApN`VpP!!%#R4[)#!0!j8!!Qi!!!IM"r)$PJ1
+A$31@!!)d!!!(k`IbrC)$Q!VpNJ!%#QCTE'80!jJ!!@d!!!IZ"r%$Q3`$Q3!4!!Y
+cB@CPFh4KBfXZD!!#!!!0!jF!!M3!!!IM"q[pN31D#[f4!!3+BfC[E!d$QJ!"E`!
+!"qF(k[f3!![pN!!!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!EpN`!!!J11!!)$Q`1
+F$31E!!*X!!)(q3IjrBrpMJ(pM`!!!If1!!!#!j`!!J1G!ji0!jd!!R)!!!Ij#!3
+$R`1J$31I!!*L!!!(q3J!!k%$SJd$S3!"E`!!"rN(r2f0#rf0!#3`!""MFRP`G'p
+QEfaNCA*`BA4S!""MFRP`G'p'EfaNCA*3BA4S$31L!!&Y!!!(r!Ir!k--!k-!#J!
+%1R0SB3!#!!!0!k!!!@m!!!!!!!$pM![pM!!8-!!)G'9YF("KG'J!#(4PEA"3BA4
+S!J1H!!)$T!1P$31N!!0*!!))"3J[rB[pLJ1Q#[f,!"JZBfpbC@0bC@`U+LSU!!!
+!!!!!N!!!ER9XE!(pLJ!!"J1Q!!2pL31R!kJ+rBN!"!TVEf0X$31R!!&Y!!!)#3J
+-rBJ+rBJ!"!TKE'PK"J1S!!2pK`1T!kS+rBF!"!TTER0S$31T!!)d!!!)$`JArBB
+$U`VpKJ!%#Q0QEf`0!kX!!@m!!!J6#"EpK3[pK3!d-!!BEh"PER0cE'PZBfaeC'9
+QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'!kS!!rf%!kcpJ`V
+pK!!%#R4[)#!0!k`!!Qi!!!JD##N$V31Z$31Y!!)d!!!))JJTrB)$V`VpJJ!%#QC
+TE'80!km!!@d!!!JP##J$X!`$X!!,!!9cD'%ZD!!#!!!0!ki!!M3!!!JD##,pJ31
+a#[f"!!3+BfC[E!d$X3!"E`!!#"i))If!#rf!!"3`!!KdC@e`F'&dD!!)G'9YF&"
+KG'J'rB-!!!)$T3!#!l)$X`d$XJ!#E!!##$!)-2errAi"rAm!!!(pIJ!!!J1c!!)
+$Y!1e$31d!!*b!!!)-!Jl!lB$Y`d$YJ!#BJ!!#$!)0`1i!lN0!lJ!!@m!!!J`#$2
+pI3[pI3!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD!d$Z3!
+"E3!!#$-)0J1k$!1k!!d!"cTdH(4IC')!!J!!$31h!!&[!!!!!!!!rA`,rA`!&$!
+!#(4PEA"`BA4S!!KdC@e`8'&dD!)$Y3!#!lX$[!d$Z`!$53!##$`)C[elrAS$[3V
+pH`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"rAS!!!B$[3!$rAN$[J1r#[e
+j!!3+DfpME!d$[J!"E3!!#%!)3rei#[ei!!3+B@aTB3B$[`!$rAF$`!2"#[eh!!3
++D@jcD!d$`!!#0!!!#%B)6[ef!m)+rAB!"!TMCQpX$32#!!&[!!!)5JK0rA8,rA8
+!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'Efa
+NCA*3BA4S"J2"!!2pG!2$rA-+rA3!"!TdEb!J$32$!!*Z!!!)83KJ!m3$a3d$a!!
+#0!!!#&N)B2eb!mB+rA)!"!TQD@aP$32'!!&Y!!!)A!KI!mF-!mF!$J!)G(KdAf4
+L,QJ!!J!!$32&!!)d!!!)83KCrA%$b!VpF3!%#Q0QEf`0!mJ!!@m!!!K9#&MpF![
+pF!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S"[ec!!!#!l`!!J2*!mS0!mN!!Q`!!JK
+R#'IpEreZ!Ie[!!!"r@i!!!)$bJ!#!mX$c!d$b`!#FJ!!#'F)FJ20!mi0!md!!Q)
+!!!KR#'i$c`23$322!!&[!!!)C`KUr@d,r@d!*$!!%'0bHA"dEfC[E'4PFR"KG'J
+!%'0bHA"dEdC[E'4PFP"KG'J0!p!!!@d!!!KU#'d$d3`$d3!,!!8kH$8`13!#!!!
+0!mi!!@m!!!!!!!$pE![pE!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S!J2-!!)$dJ2
+6$325!!0*!!))F`LGr@[pDJ28#[eV!"JZBfpbC@0bC@`U+LSU!!!!!!!!N!!!ER9
+XE!(pDJ!!"J28!!2pD329!pB+r@N!"!TVEf0X$329!!&Y!!!)G`Kkr@J+r@J!"!T
+KE'PK"J2@!!2pC`2A!pJ+r@F!"!TTER0S$32A!!)d!!!)I3L&r@B$f3VpCJ!%#Q0
+QEf`0!pN!!@m!!!L"#)6pC3[pC3!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4
+S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'!pJ!!reN!pVpB`VpC!!%#R4[)#!
+0!pS!!Qi!!!L)#*F$f`2F$32E!!)d!!!)N!!)PreL!pd+r@)!"!TQD@aP$32G!!&
+Y!!!)N`L@!pi-!pi!$!!'H$8`15jS!!)!!!d$h!!#0!!!#)J)N!$pB32I#[eK!!3
++BfC[E!d$h`!"E`!!#)`)MreJ#reJ!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J'r@-
+!!!)$d`!#!q!$i3d$i!!$53!##*i)b2eIr9i$iJVpA`!B,Q0[FQ9MFQ9X+LSU+J!
+!!!!!!*!!!'jeE'`"r9i!!!B$iJ!$r9d$i`2N#[eG!!3+DfpME!d$i`!"E3!!#+)
+)TIeF#[eF!!3+B@aTB3B$j!!$r9X$j32Q#[eE!!3+D@jcD!d$j3!#0!!!#+J)X2e
+D!qF+r9S!"!TMCQpX$32R!!&[!!!)V!L[r9N,r9N!0$!!''p`C@jcFfaTEQ0XG@4
+PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J2Q!!2p@!2Sr9F
++r9J!"!TdEb!J$32S!!*Z!!!)X`M#!qN$kJd$k3!#0!!!#,X)`[e@!qX+r9B!"!T
+QD@aP$32V!!&Y!!!)[JM"!q`-!q`!%!!+H$8`19pfCRNZD!!#!!!0!qS!!M3!!!L
+c#,[p932Y#[e9!!3+BfC[E!d$l3!"E`!!#,F)Z[e8#re8!"3`!!KdC@e`F'&dD!!
+)G'9YF&"KG'J'r9F!!!)$i3!#!qi$l`d$lJ!#E!!##-N)bIe6r9)"r9-!!!(p8J!
+!!J2[!!)$m!2a$32`!!*b!!!)b3M8!r)$m`d$mJ!#BJ!!#-N)d!2d!r80!r3!!@m
+!!!M*#-cp83[p83!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&
+dD!d$p3!"E3!!#-`)c`2f$!2f!!d!"cTi06!jGM-!!J!!$32c!!&[!!!!!!!!r9!
+,r9!!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!)$m3!#!rF$q!d$p`!$53!##08)rre
+2r8i$q3Vp6`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"r8i!!!B$q3!$r8d
+$qJ2l#[e0!!3+DfpME!d$qJ!"E3!!#0N)h2e-#[e-!!3+B@aTB3B$q`!$r8X$r!2
+p#[e,!!3+D@jcD!d$r!!#0!!!#0m)jre+!ri+r8S!"!TMCQpX$32q!!&[!!!)i`M
+Qr8N,r8N!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%PZBfa
+eC'9'EfaNCA*3BA4S"J2p!!2p5!2rr8F+r8J!"!TdEb!J$32r!!*Z!!!)kJMj"!!
+%!3d%!!!#0!!!#2))qIe'"!)+r8B!"!TQD@aP$33#!!&Y!!!)p3Mi"!--"!-!$J!
+)H$8`1ABc,QJ!!J!!$33"!!)d!!!)kJMbr88%"!Vp43!%#Q0QEf`0"!3!!@m!!!M
+Z#2(p4![p4!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S"[e(!!!#!rJ!!J3&"!B0"!8
+!!Q`!!JN!#3$p3re#!Ie$!!!"r8)!!!)%"J!#"!F%#!d%"`!$53!##3!*+[e"r8!
+%#3Vp33!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"r8!!!!B%#3!$r6m%#J3
+,#[dr!!3+DfpME!d%#J!"E3!!#33*"rdq#[dq!!3+B@aTB3B%#`!$r6d%$!30#[d
+p!!3+D@jcD!d%$!!#0!!!#3S*%[dm"!i+r6`!"!TMCQpX$331!!&[!!!*$JN4r6X
+,r6X!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9
+'EfaNCA*3BA4S"J30!!2p1J32r6N+r6S!"!TdEb!J$332!!*Z!!!*&3NN""!%%3d
+%%!!#0!!!#4d**2di"")+r6J!"!TQD@aP$335!!&Y!!!*)!NM""--""-!#`!&Fh0
+X,QJ!!J!!$334!!)d!!!*&3NGr6F%&!Vp0`!%#Q0QEf`0""3!!@m!!!NC#4cp0J[
+p0J!H-!!0Fh0XCQpXC'9bF'&dD!!0Fh0X4QpXC'9b8'&dD!Ep13!!!J3)!!)%&33
+@$339!!0*!!)*+`P9r6Ap0!3A#[de!"JZBfpbC@0bC@`U+LSU!!!!!!!!N!!!ER9
+XE!(p0!!!"J3A!!2p-`3B""N+r6-!"!TVEf0X$33B!!&Y!!!*,`Nbr6)+r6)!"!T
+KE'PK"J3C!!2p-33D""X+r6%!"!TTER0S$33D!!)d!!!*03Npr6!%(!Vp-!!%#Q0
+QEf`0""`!!@m!!!Nj#6cp,`[p,`!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4
+S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'""X!!rdZ""hp,3Vp,J!%#R4[)#!
+0""d!!Qi!!!P!#8m%(J3I$33H!!)d!!!*5!P2r5`%)!Vp,!!%#QCTE'80"#!!!@d
+!!!P,#8i%)3`%)3!-!!CcFf`b,QJ!!J!!$33I!!)d!!!*3!P)r5X%)JVp+`!%#Q0
+QEf`0"#)!!@m!!!P%#8Ip+J[p+J!H-!!0Fh0XCQpXC'9bF'&dD!!0Fh0X4QpXC'9
+b8'&dD!Ep,3!!!J3@!!)%)`3N$33M!!0*!!)*9JQ!r5Rp+!3P#[dT!"JZBfpbC@0
+bC@`U+LSU!!!!!!!!N!!!ER9XE!(p+!!!"J3P!!2p*`3Q"#F+r5F!"!TVEf0X$33
+Q!!&Y!!!*@JPGr5B+r5B!"!TKE'PK"J3R!!2p*33S"#N+r58!"!TTER0S$33S!!)
+d!!!*B!PSr53%+JVp*!!%#Q0QEf`0"#S!!@m!!!PN#@Ip)`[p)`!d-!!BEh"PER0
+cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'"#N
+!!rdL"#[p)3Vp)J!%#R4[)#!0"#X!!Qi!!!PV#AS%,!3Y$33X!!)d!!!*F`Pkr5!
+%,JVp)!!%#QCTE'80"#i!!@d!!!Pf#AN%,``%,`!0!!GcFf`b-bjS!!)!!!d%,3!
+#0!!!#@X*FrdI"$!+r4m!"!TMCQpX$33`!!&[!!!*E`Pbr4i,r4i!(M!!$A0cE'C
+[E'4PFR"KG'J!$A0cE%C[E'4PFP"KG'J'r5%!!!)%*!!#"$%%-Jd%-3!$53!##B%
+*UrdGr4`%-`Vp(3!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"r4`!!!B%-`!
+$r4X%0!3e#[dE!!3+DfpME!d%0!!"E3!!#B8*L2dD#[dD!!3+B@aTB3B%03!$r4N
+%0J3h#[dC!!3+D@jcD!d%0J!#0!!!#BX*NrdB"$J+r4J!"!TMCQpX$33i!!&[!!!
+*M`Q5r4F,r4F!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%P
+ZBfaeC'9'EfaNCA*3BA4S"J3h!!2p&J3jr48+r4B!"!TdEb!J$33j!!*Z!!!*PJQ
+P"$S%1`d%1J!#0!!!#Ci*TId8"$`+r43!"!TQD@aP$33m!!&Y!!!*S3QN"$d-"$d
+!$!!'Fh0X-bjS!!)!!!d%1`!#0!!!#CB*R[d6"$i+r4-!"!TMCQpX$33q!!&[!!!
+*QJQGr4),r4)!(M!!$A0cE'C[E'4PFR"KG'J!$A0cE%C[E'4PFP"KG'J'r48!!!)
+%-J!#"$m%3!d%2`!$53!##D`*e[d4r4!%33Vp%3!B,Q0[FQ9MFQ9X+LSU+J!!!!!
+!!*!!!'jeE'`"r4!!!!B%33!$r3m%3J4$#[d2!!3+DfpME!d%3J!"E3!!#E!*Xrd
+1#[d1!!3+B@aTB3B%3`!$r3d%4!4&#[d0!!3+D@jcD!d%4!!#0!!!#EB*[[d-"%B
++r3`!"!TMCQpX$34'!!&[!!!*ZJQpr3X,r3X!0$!!''p`C@jcFfaTEQ0XG@4PCQp
+XC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J4&!!2p#J4(r3N+r3S
+!"!TdEb!J$34(!!*Z!!!*`3R3"%J%53d%5!!#0!!!#FN*d2d)"%S+r3J!"!TQD@a
+P$34+!!&Y!!!*c!R2"%X-"%X!$!!'G'ac-5jS!!)!!!d%53!#0!!!#F%*bId("%`
++r3F!"!TMCQpX$34-!!&[!!!*a3R)r3B,r3B!(M!!$A0cE'C[E'4PFR"KG'J!$A0
+cE%C[E'4PFP"KG'J'r3N!!!)%3!!#"%d%6Jd%63!#E!!##GF*erd&r33"r38!!!(
+p"!!!!J41!!)%6`43$342!!0*!!)*e`S"r32p!J44#[d$!"JZBfpbC@0bC@`U+LS
+U!!!!!!!!N!!!ER9XE!(p!J!!"J44!!2p!345"&-+r3%!"!TVEf0X$345!!&Y!!!
+*f`RHr3!+r3!!"!TKE'PK"J46!!2mr`48"&8+r2m!"!TTER0S$348!!)d!!!*i3R
+Tr2i%9JVmrJ!%#Q0QEf`0"&B!!@m!!!RP#HMmr3[mr3!d-!!BEh"PER0cE'PZBfa
+eC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'"&8!!rcm"&I
+mq`Vmr!!%#R4[)#!0"&F!!Qi!!!RX#IX%@!4C$34B!!)d!!!*p!Rlr2S%@JVmqJ!
+%#QCTE'80"&S!!@d!!!Rh#IS%@``%@`!1!!KMFRP`G'mZD!!#!!!0"&N!!M3!!!R
+X#I6mq34F#[cj!!3+BfC[E!d%A!!"E`!!#I!*mrci#rci!#3`!""MFRP`G'pQEfa
+NCA*`BA4S!""MFRP`G'p'EfaNCA*3BA4S"[cl!!!#"&!!!J4G"&i0"&d!!Q`!!JS
+##J,mprcf!Ich!!!"r2B!!!)%AJ!#"&m%B!d%A`!$53!##J)+,2cer23%B3Vmp3!
+B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"r23!!!B%B3!$r2-%BJ4M#[cc!!3
++DfpME!d%BJ!"E3!!#JB+#Icb#[cb!!3+B@aTB3B%B`!$r2%%C!4P#[ca!!3+D@j
+cD!d%C!!#0!!!#J`+&2c`"'B+r2!!"!TMCQpX$34Q!!&[!!!+%!S6r1m,r1m!0$!
+!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*
+3BA4S"J4P!!2mlJ4Rr1d+r1i!"!TdEb!J$34R!!*Z!!!+&`SQ"'J%D3d%D!!#0!!
+!#Km+*[cX"'S+r1`!"!TQD@aP$34U!!&Y!!!+)JSP"'X-"'X!%!!+Eh"PER0cE(B
+ZD!!#!!!0"'N!!M3!!!SA#Krmk`4X#[cV!!3+BfC[E!d%E!!"E`!!#KX+([cU#rc
+U!#3`!""MFRP`G'pQEfaNCA*`BA4S!""MFRP`G'p'EfaNCA*3BA4S"[cY!!!#"'!
+!!J4Y"'i0"'d!!dN!!JSY#PImkIcS"'m+r1N!'#jMEh*PBh*PE#SU+LS!!!!!!!#
+3!!"ZG@aX!IcS!!!'"'m!!rcR"(!%F3Vmj`!%#QY[Bf`0"(!!!@d!!!Sa#M6mjJV
+mjJ!%#Q&XD@%'"(%!!rcP"()%F`Vmj3!%#QPZFfJ0"()!!M3!!!Sh#Mrmj!4d#[c
+N!!3+BfC[E!d%G!!"E`!!#MX+2[cM#rcM!$3`!"K[F'9ZFh0XD@jME(9NC@C[E'4
+PFR"KG'J!''p`C@j68da*EQ0XG@4P4QpXC'9b8'&dD!B%F`!$r1)%GIcK#[cL!!3
++G'mJ)!d%G3!#EJ!!#N)+834f"(F0"(B!!M3!!!T+#P(mi!4i#[cJ!!3+CQPXC3d
+%H!!"E3!!#Nd+8!4j$!4j!!i!#(4YC'PQCLjS!!)!!!d%G`!#0!!!#N)+5[cI"(S
++r0m!"!TMCQpX$34k!!&[!!!+4JT*r0i,r0i!*$!!%'0bHA"dEfC[E'4PFR"KG'J
+!%'0bHA"dEdC[E'4PFP"KG'J'r1%!!!)%EJ!#"(X%I!d%H`!#E!!##PJ+@2cGr0`
+"r0d!!!(mh!!!!J4m!!)%I34q$34p!!*X!!)+@!TBr0[mfJ(mf`!!!IcD!!!#"(i
+!!J4r")!0"(m!!dN!!JTB#S,mfIcB")%+r0N!'#jMEh*PBh*PE#SU+LS!!!!!!!#
+3!!"ZG@aX!IcB!!!'")%!!rcA"))%J`Vme`!%#QY[Bf`0"))!!@d!!!TF#PrmeJV
+meJ!%#Q&XD@%'")-!!rc9")3%K3Vme3!%#QPZFfJ0")3!!M3!!!TL#QVme!5'#[c
+8!!3+BfC[E!d%KJ!"E`!!#QB+DIc6#rc6!$3`!"K[F'9ZFh0XD@jME(9NC@C[E'4
+PFR"KG'J!''p`C@j68da*EQ0XG@4P4QpXC'9b8'&dD!B%K3!$r0)%Krc4#[c5!!3
++G'mJ)!d%K`!#EJ!!#Qd+I!5)")N0")J!!M3!!!Te#Rcmd!5+#[c3!!3+CQPXC3d
+%LJ!"E3!!#RJ+H`5,$!5,!!`!"Q9IEh-ZD!!#!!!0")N!!M3!!!TY#RAmc`5-#[c
+2!!3+BfC[E!d%M!!"E`!!#R%+G2c1#rc1!#B`!"&[F'9ZFh0XCQpXC'9bF'&dD!!
+4Eh"PER0cE%C[E'4PFP"KG'J'r0%!!!)%J!!#")d%MJd%M3!$53!##S-+VIc0r-`
+%M`Vmc3!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"r-`!!!B%M`!$r-X%N!!
+%N3Vmb`!%#QY[Bf`0"*!!!!&Y!!!+K`U+r-S+r-S!"!TKE'PK"J54!!2mb355"*-
++r-N!"!TTER0S$355!!)d!!!+M3U9r-J%P!Vmb!!%#Q0QEf`0"*3!!@m!!!U4#T6
+ma`[ma`!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9
+NC8C[E'4PFP"KG'J'"*-!!rc'"*Ama3VmaJ!%#R4[)#!0"*8!!Qi!!!UB#UF%PJ5
+A$35@!!)d!!!+S!URr-3%Q!Vma!!%#QCTE'80"*J!!@d!!!UM#UB%Q3`%Q3!0!!G
+PAfpc-LjS!!)!!!d%P`!#0!!!#TJ+S2c$"*S+r--!"!TMCQpX$35D!!&[!!!+R!U
+Ir-),r-)!*M!!%@p`C@jcFfaQEfaNCA*`BA4S!"&[F'9ZFh0X4QpXC'9b8'&dD!E
+ma3!!!J51!!)%Qrc"$35E!!*X!!)+VJUZr-$m[`(m`!!!!Ibr!!!#r-%!!!d!#3!
+"E3!!!!!!!3!I!Irq!!!#!!B!!J5F"*d0"*`!!Q`!!J!!!!$m[[bp!Ibq!!!"r,d
+!!!)%R3!#"*i%R`d%RJ!#E!!##V%+b!5Jr,`0"+!!!dN!!JUa#XMmZ`5K"+)+r,X
+!'#jcHA0[C'a[Cf&cDh)!!!!!!!!!!&4&@&30"+%!!@d!!!Ua#V3%S``%S`!'!!!
+!!J!!"J5L!!2mZJ5N"+8+r,S!"!TLG'jc$35N!!&+!!!+Y`Um"+B#"+B!!J5Rr,N
+0"+F!!@d!!!Uh#VS%U!`%U!!+!!4%EfjP!!)!!!,mZ3!!"J5P!!2mZ!5Tr,F+r,J
+!"!TRDACe$35T!!&Y!!!+[`V#r,B$r,B!"3EmY`!!!Ibm!!!#"*m!!J5Ur,80"+S
+!!Q`!!J!!!!$mY2bc!Ibd!!!"r,-!!!,mY3!!$J!#!!!2%!!$!",mXJ5V"+`%V35
+Z"+m%X!5a",)%X`5d",8%YJ5hr,(mX2b[r+i"r,)!!"!%U`!3r+hmV2bVr+VmUIb
+Sr+ImT[bPr+6mSrbLr+(mS2bIr*i+r+d!'#jKCACdEf&`F'jeE'`!!)!!!!#3!!!
+U+LSU#rbX!")`!!GdD'9`BA4S!!GdD'93BA4S#rbV!"``!!adD'9[E'4NC@aTEA-
+!$(4SC8pXC%4PE'PYF`[mUJ!J-!!1G'KPF(*[DQ9MG("KG'J!$R4SC9"bEfTPBh4
+3BA4S#rbT!"B`!!PdD'9YCA"KG'J!#A4SC8eP8'&dD![mU!!Q-!!4D@jME(9NC@C
+[E'4PFR"KG'J!%@PZBfaeC'9'EfaNCA*3BA4S#rbR!$3`!"K[F'9ZFh0XD@jME(9
+NC@C[E'4PFR"KG'J!''p`C@j68da*EQ0XG@4P4QpXC'9b8'&dD![mTJ!N-!!3Bh*
+jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD![mT3!H-!!0Fh0XCQpXC'9
+bF'&dD!!0Fh0X4QpXC'9b8'&dD![mT!!Q-!!4Eh"PER0cE'C[E'4PFR"KG'J!%@p
+`C@jcFfa'EfaNCA*3BA4S#rbM!#i`!"9dD'9ZCAGQEfaNCA*bC@CPFQ9ZBf8!&A4
+SC8jPGdC[E'4PFP*PCQ9bC@jMC3[mSJ!8-!!)G'9YF("KG'J!#(4PEA"3BA4S!Ib
+K!!!"r+!!!!(mR`!!!IbH!!!1"+`!"a$mR35ir*cmQ`5j",VmQJVmR3!B,Q&PGR4
+[BA"`ER9XE!!!J!!!!*!!!#SU+LS0",J!!@X!!!!!#XJ%Z`)%Z`!#!!8%[!)%[!!
+#"*lmQ3,mQ3!!!IbF!!!#r*X!!"!%Z3!!%!5k!)B!(rbBr*ImP[b9r*6mNrb5!#c
+mNIb3!2b2r)lmMIb-!%rmL`"D!&[mLJ"Nr)N!EIb)r)ImKJ#2r)AmK2b$r),mJIb
+!r(rmI[apr(cmH`#Tr(VmHIair(F![Iaf!-ImG3$8!1)!l!$j!3-"%!%D!5F"-3%
+q!8J"93&I!@`"GJ'$!Bd"QJ'N!E%"Z`()!G)"h`(T!IB#!!)0!KF#*!)Z!MX#43*
+5!P`#D3*c!S!#LJ+A!U%#VJ+m!XB#d`,G!ZS#p!-"!`X$'!-L!bm$130'!e!$A30
+R!h3$IJ1,!jN$S`1`!lS$a`24!pi$l!2f"!-%%`3K"#m%234,"&X%D`4j")X%Q35
+Mr(3%U2acr(,mF3VmQ!!%#Q0[BQS+r*F!'#jPBA*cCQCNFQ&XDA-!!!!!!!!J!'&
+QC()+r*B!"!TMG(Kd#rb9!")`!!GdD'9`BA4S!!GdD'93BA4S#[b8!!3+BA0MFJV
+mN`!%#R4iC'`,r*)!($!!$(4SC@pXC'4PE'PYF`!-G'KP6faN4'9XD@ec#[b4!!3
++BfPdE32mN!$rr3[mM`!J-!!1G'KPF(*[DQ9MG("KG'J!$R4SC9"bEfTPBh43BA4
+S!rb1rri+r)d!"!T849K8#rb-!"B`!!PdD'9YCA"KG'J!#A4SC8eP8'&dD![mL`!
+Q-!!4D@jME(9NC@C[E'4PFR"KG'J!%@PZBfaeC'9'EfaNCA*3BA4S#rb+!$3`!"K
+[F'9ZFh0XD@jME(9NC@C[E'4PFR"KG'J!''p`C@j68da*EQ0XG@4P4QpXC'9b8'&
+dD![mL3!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD![mL!!
+H-!!0Fh0XCQpXC'9bF'&dD!!0Fh0X4QpXC'9b8'&dD![mK`!Q-!!4Eh"PER0cE'C
+[E'4PFR"KG'J!%@p`C@jcFfa'EfaNCA*3BA4S#[b'!!3+BfC[E!VmK3!B,QeTFf0
+cE'0d+LSU+J!!!!!!!*!!!#SU+LS+r)3!"!TcC@aP#[b$!"JZBfpbC@4PE'mU+LS
+U!!!!!!!!N!!!+LSU+J(mJJ!!![b"!!!+r)!!"!TVEf0X#[ar!!3+D@jcD!2mIJ!
+%#[ap!"JZBfpbC@0bC@`U+LSU!!!!!!!!N!!!ER9XE!VmI!!%#R*cE(3,r(X!,M!
+!&A4SC@jPGfC[E'4PFR*PCQ9bC@jMC3!9G'KP6Q9h4QpXC'9b8Q9QCA*PEQ0P#[a
+k!!3+F'jKE3VmH3!%#Q&XD@%+r(J!"!TdEb!J#[ah!!3+CQPXC32mGJ!'#rae!"3
+`!!KdC@e`F'&dD!!)G'9YF&"KG'J+r(3!"!TLG'jc#[ac!!3+CfPfG32mFJ!&#[a
+a!"JZFhPcEf4XEfGKFfYb!!!!!!!!!!"849K8%IbD#XRJ%JUYi1%TDJ`!!LrM*N9
+4e%r&jLa&edrSaHBX4Nr%@qPF@eTVA&VU-NAE6m4Ek9aE@QYF@Z`bl5C&hNr,lbA
+Y*N9J!""2bf%!%59K!")Pl5C&B!!66mYK!"3Pl5C&B!!96mYK!"BPl5C&B!!A6m[
+Y*N9J!"K2amAQ,%C2&!!L+Q%!'9m!%#pK!"PK!"S[DJ`!'dmUB3!F,'S-!"eA!!K
+B!"i!(fK2+Q%!)'%!'@%!)5TK!"PI!"![B3!L$!!M6em!*%9J!#92A`!PDJ`!'dp
+K!#BUB3!F,'%!*ba'6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"R1,f%!+Q%!+bp
+K!#`-!#02A`!9B3!Y*89J!#j2+Q%!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m!,Lp
+K!#TK!#m[B3!X$!!M6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"PI!#i[B3!UB3!
+`,f%!,!`!)dpI!"9K!$%P4@!!,NmUB3!JB3!SB3!K+Q%!'9m!%bpK!#NUB3!CA`!
+Z,f%!+Q%!-LpK!#`-!#02A`!9B3!c*89J!#j2+Q%!)'%!+'%!)5TK!"PI!"-[B3!
+T+Q%!'9m!,LpK!#TK!$3[B3!X$!!M6em!&@%!059&B!!Z6bTK!#"K!#KK!#%UB3!
+CA`!6,f%!+5TK!"PI!#i[B3!UB3!f,f%!,!`!)dpI!"9K!$FP4@!!,NmUB3!JB3!
+SB3!K+Q%!'9m!%bpK!#NUB3!CA`!Z,f%!+Q%!1#pK!#`-!#02A`!9B3!j*89J!#j
+2+Q%!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m!,LpK!#TK!$S[B3!X$!!M6em!&@%
+!1b9&B!!Z6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"PI!#i[B3!UB3!m,f%!,!`
+!)dpI!"9K!$dP4@!!,NmUB3!JB3!SB3!K+Q%!'9m!%bpK!#NUB3!CA`!Z,f%!+Q%
+!2LpK!#`-!#02A`!9B3!r*89J!#j2+Q%!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m
+!,LpK!#TK!%![B3!X$!!M6em!&@%!359&B!!Z6bTK!#"K!#KK!#%UB3!CA`!6,f%
+!+5TK!"PI!#i[B3!UB3"#,f%!,!`!)dpI!"9K!%-P4@!!,NmUB3!JB3!SB3!K+Q%
+!'9m!%bpK!#NUB3!CA`!Z,f%!+Q%!4#pK!#`-!#02A`!9B3"&*89J!#j2+Q%!)'%
+!+'%!)5TK!"PI!"-[B3!T+Q%!'9m!,LpK!#TK!%B[B3!X$!!M6em!&@%!4b9&B!!
+Z6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"PI!#i[B3!UB3"),f%!,!`!)dpI!"9
+K!%NP4@!!,NmUB3!JB3!SB3!K+Q%!'9m!%bpK!#NUB3!CA`!Z,f%!+Q%!5LpK!#`
+-!#02A`!9B3",*89J!#j2+Q%!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m!,LpK!#T
+K!%`[B3!X$!!M6em!&@%!659&B!!Z6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"P
+I!#i[B3!UB3"1,f%!,!`!)dpI!"9K!%mP4@!!,NmUB3!JB3!SB3!K+Q%!'9m!%bp
+K!#NUB3!CA`!Z,f%!+Q%!8#pK!#`-!#02A`!9B3"4*89J!#j2+Q%!)'%!+'%!)5T
+K!"PI!"-[B3!T+Q%!'9m!,LpK!#TK!&)[B3!X$!!M6em!&@%!8b9&B!!Z6bTK!#"
+K!#KK!#%UB3!CA`!6,f%!+5TK!"PI!#i[B3!UB3"8,f%!,!`!)dpI!"9K!&8P4@!
+!,NmUB3!JB3!SB3!K+Q%!'9m!%bpK!#NUB3!CA`!Z,f%!+Q%!9LpK!#`-!#02A`!
+9B3"A*89J!#j2+Q%!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m!,LpK!#TK!&J[B3!
+X$!!M6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"PI!#i[B3!UB3"C,f%!,!`!)dp
+I!"9K!&SP4@!!,NmUB3!JB3!SB3!K+Q%!'9m!%bpK!#NUB3!CA`!Z,f%!+Q%!@bp
+K!#`-!#02A`!9B3"F*89J!#j2+Q%!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m!,Lp
+K!#TK!&d[B3!X$!!M6em!&@%!AL9&B!!Z6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5T
+K!"PI!#i[B3!UB3"I,f%!,!`!)dpI!"9K!'!P4@!!,NmUB3!JB3!SB3!K+Q%!'9m
+!%bpK!#NUB3!CA`!Z,f%!+Q%!B5pK!#`-!#02A`!9B3"L*89J!#j2+Q%!)'%!+'%
+!)5TK!"PI!"-[B3!T+Q%!'9m!,LpK!#TK!'-[B3!X$!!M6em!&@%!C#9&B!!Z6bT
+K!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"PI!#i[B3!UB3"P,f%!,!`!)dpI!"9K!'B
+P4@!!,NmUB3!JB3!SB3!K+Q%!'9m!%bpK!#NUB3!CA`!Z,f%!+Q%!CbpK!#`-!#0
+2A`!9B3"S*89J!#j2+Q%!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m!,LpK!#TK!'N
+[B3!X$!!M6em!&@%!DL9&B!!Z6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"PI!#i
+[B3!UB3"V,f%!,!`!)dmUB3!JB3!SB3!K+Q%!'9m!%bpK!#NUB3!CA`!Z,f%!+Q%
+!E#pK!#`-!#02A`!9B3"Y*89J!#j2+Q%!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m
+!,LpK!#TK!'i[B3!X$!!M6em!&@%!Eb9&B!!Z6bTK!#"K!#KK!#%UB3!CA`!6,f%
+!+5TK!"PI!#i[B3!UB3"`,f%!,!`!)dpI!"9K!(%P4@!!,NmUB3!JB3!SB3!K+Q%
+!'9m!%bpK!#NUB3!CA`!Z,f%!+Q%!FLpK!#`-!#02+Q%!)'%!+'%!)5TK!"PI!"-
+[B3!T+Q%!'9m!,LpK!#TK!(-[B3!X$!!M6em!&@%!G#9&B!!Z6bTK!#"K!#KK!#%
+UB3!CA`!6,f%!+5TK!"PI!#i[B3!UB3"e,f%!,!`!)dmUB3!JB3!SB3!K+Q%!'9m
+!%bpK!#NUB3!CA`!A,f%!+Q%!GLpK!#`-!#02+Q%!)'%!+'%!)5TK!"PI!"-[B3!
+T+Q%!'9m!&bpK!#TK!(F[B3!X$!!M6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"P
+I!"F[B3!UB3"i,f%!,!`!)dmUB3!JB3!SB3!K+Q%!'9m!%bpK!#NUB3!CA`!A,f%
+!+Q%!H5pK!#`-!#02+Q%!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m!&bpK!#TK!(S
+[B3!X$!!M6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"PI!"8[B3!UB3"l,f%!,!`
+!)dmUB3!JB3!SB3!K+Q%!'9m!%bpK!#NUB3!CA`!9,f%!+Q%!I#pK!#`-!#02+Q%
+!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m!&5pK!#TK!(d[B3!X$!!M6bTK!#"K!#K
+K!#%UB3!CA`!6,f%!+5TK!"PI!"J[B3!UB3"q,f%!,!`!)dmUB3!JB3!SB3!K+Q%
+!'9m!%bpK!#NUB3!CA`!B,f%!+Q%!IbpK!#`-!#028&92B3#!B3#"B3##DhCK!)0
+K!)4K!#)-!)82$!5Y!&%!5deKBfPZG'pcD#")4$T%CA0VG'p`)%C[E'4PFMT*EQ0
+[E@PZCcT[F'9ZFh0X,90139!Y-6Nj16%b-6%k6@&M6e-kE@YXD@jVFbjKF`!#!!!
+1"+i!!J6mF!5p!ra`!!%1",d!!3!%[J`%[J!'!!!!!J!!$J5[!!)%r'm%[`2mE`!
+%$J5r!!3!"-!%`36#"---"-!!%J!-6@&MD@jdEh0S)%K%!!)!!!`%`3!8!!j%CA0
+VG'p`)%C[E'4PFJ!#!!!-"-)!$J!)5@jMEfeTEQF!!J!!$!6$!"X!&@p`C@jcFf`
+Y8dj"8#da16Nj-6)a-3!#!!!-",!!4J"!6@&MD@jdEh0S)%K%1N4PFfYdEh!J4Qp
+XC'9b1NPZBfpYD@jR1Qp`C@jcFf`Y8dj"8#da16Nj-6)a-6T0B@028`!#!!!-",%
+!5!"#6@&MD@jdEh0S)%K%1N4PFfYdEh!J4QpXC'9b1NPZBfpYD@jR1Qp`C@jcFf`
+Y8dj"8#da16Nj-6)a-6TTEQ0XG@4P!!)!!!`%XJ"3!%T0B@0TER4[FfJJ5%3k4'9
+cDh4[F#"'EfaNCA)k5@jMEfeTEQFkEh"PER0cE#e66N&3,6%j16Na-M%a1QPZBfa
+eC'8kEh"PER0cE!!#!!!-",-!4`""6@&MD@jdEh0S)%K%1N4PFfYdEh!J4QpXC'9
+b1NPZBfpYD@jR1Qp`C@jcFf`Y8dj"8#da16Nj-6)a-6TMFRP`G'm!!J!!$!5d!%3
+!2NeKBfPZG'pcD#")4$T%CA0VG'p`)%C[E'4PFMT*EQ0[E@PZCcT[F'9ZFh0X,90
+139!Y-6Nj16%b-6%kFh0X!!)!!!`%Y3"!!$T0B@0TER4[FfJJ5%3k4'9cDh4[F#"
+'EfaNCA)k5@jMEfeTEQFkEh"PER0cE#e66N&3,6%j16Na-M%a!!)!!!i%YJ!"&!6
+%$J6%!!-B"-AmEJ6'$J6&!!-B"-ImE36)$J6(!!-B"-RmE!6+$J6*!!-B!"rmD`6
+,#[aV!!3+BfC[E!`%b`!1!!K*EQ0[E@PZC`!#!!!+r'`!"!TMCQpX$!6+!"X!&@p
+`C@jcFf`Y8dj"8#da16Nj-6)a-3!#!!!+r'd!"!TMCQpX$!6)!!d!"fPZBfaeC'8
+!!J!!#[aZ!!3+BfC[E!`%aJ!9!!peER4TG'aPC#"QEfaNCA)!!J!!$!5h!%i!5%e
+KBfPZG'pcD#")4$T%CA0VG'p`)%C[E'4PFMT*EQ0[E@PZCcT[F'9ZFh0X,90139!
+Y-6Nj16%b-6%kBh*jF(4[1RJe-$Pf-`!#!!!"r,%!!!(mX!!!!Ib[!!!"r+i!!'&
+cBh)!!3!-qYlHV3!!!3!!!*G#!!#@3J!!!AB!!$-8-0J!!!!F!AB!$h0MFhS!!!#
+#6Np853!!!)jcBh"d!!!!QP4&@&3!!3#QFh4jE!!!!,j$6d4&!!%!bN*14%`!!!$
+LBA"XG!!!!1j'8N9'!!!!qNP$6L-!!!%'D@0X0!!!!4*TBh-M!!!"(QPMFc3!!!%
+UD'CNFJ!!!6C659T&!!!"3PG3Eh-!!!&1!!$rr`!!!!!!!!!!!)$rre!!!"i!!!!
+!!)$rr`!!"cJ#DH#m"'Mrr`!!!*S!!!!!%iRrr`!!"Pi!!!!!"'Mrr`!!!53!!!!
+!!!$rrb!!!9)!!!!!!!(rra3!!@i#DG`%!)$rr`!!!Pi#DH"X!!$rr`!!!Ri!!!!
+!!)$rr`!!!S-#DH"d!*Err`!!!Si!!!!!!*Err`!!!j)!!!!!!*Err`!!"CB#DH%
+i!*Err`!!"GS#DH%dkF$rr`!!"[`!!!!!rrrrr`!!"a)!!!!!!)$rr`!!"b!!!!!
+!*4S:

MacOS/opensslconf.h

@@ -0,0 +1,116 @@
+/* MacOS/opensslconf.h */
+
+#if !(defined(VMS) || defined(__VMS)) /* VMS uses logical names instead */
+#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
+#define OPENSSLDIR "/usr/local/ssl"
+#endif
+#endif
+
+#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
+#define IDEA_INT unsigned int
+#endif
+
+#if defined(HEADER_MD2_H) && !defined(MD2_INT)
+#define MD2_INT unsigned int
+#endif
+
+#if defined(HEADER_RC2_H) && !defined(RC2_INT)
+/* I need to put in a mod for the alpha - eay */
+#define RC2_INT unsigned int
+#endif
+
+#if defined(HEADER_RC4_H)
+#if !defined(RC4_INT)
+/* using int types make the structure larger but make the code faster
+ * on most boxes I have tested - up to %20 faster. */
+/*
+ * I don't know what does "most" mean, but declaring "int" is a must on:
+ * - Intel P6 because partial register stalls are very expensive;
+ * - elder Alpha because it lacks byte load/store instructions;
+ */
+#define RC4_INT unsigned char
+#endif
+#if !defined(RC4_CHUNK)
+/*
+ * This enables code handling data aligned at natural CPU word
+ * boundary. See crypto/rc4/rc4_enc.c for further details.
+ */
+#define RC4_CHUNK unsigned long
+#endif
+#endif
+
+#if defined(HEADER_DES_H) && !defined(DES_LONG)
+/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
+ * %20 speed up (longs are 8 bytes, int's are 4). */
+#ifndef DES_LONG
+#define DES_LONG unsigned long
+#endif
+#endif
+
+#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
+#define CONFIG_HEADER_BN_H
+#if __option(longlong)
+#  define BN_LLONG
+#else
+#  undef BN_LLONG
+#endif
+
+/* Should we define BN_DIV2W here? */
+
+/* Only one for the following should be defined */
+/* The prime number generation stuff may not work when
+ * EIGHT_BIT but I don't care since I've only used this mode
+ * for debuging the bignum libraries */
+#undef SIXTY_FOUR_BIT_LONG
+#undef SIXTY_FOUR_BIT
+#define THIRTY_TWO_BIT
+#undef SIXTEEN_BIT
+#undef EIGHT_BIT
+#endif
+
+#if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H)
+#define CONFIG_HEADER_RC4_LOCL_H
+/* if this is defined data[i] is used instead of *data, this is a %20
+ * speedup on x86 */
+#undef RC4_INDEX
+#endif
+
+#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
+#define CONFIG_HEADER_BF_LOCL_H
+#define BF_PTR
+#endif /* HEADER_BF_LOCL_H */
+
+#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
+#define CONFIG_HEADER_DES_LOCL_H
+/* the following is tweaked from a config script, that is why it is a
+ * protected undef/define */
+#ifndef DES_PTR
+#define DES_PTR
+#endif
+
+/* This helps C compiler generate the correct code for multiple functional
+ * units.  It reduces register dependancies at the expense of 2 more
+ * registers */
+#ifndef DES_RISC1
+#define DES_RISC1
+#endif
+
+#ifndef DES_RISC2
+#undef DES_RISC2
+#endif
+
+#if defined(DES_RISC1) && defined(DES_RISC2)
+YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
+#endif
+
+/* Unroll the inner loop, this sometimes helps, sometimes hinders.
+ * Very mucy CPU dependant */
+#ifndef DES_UNROLL
+#define DES_UNROLL
+#endif
+
+#endif /* HEADER_DES_LOCL_H */
+
+#ifndef __POWERPC__
+#define MD32_XARRAY
+#endif

Makefile.fips

@@ -1,638 +0,0 @@
-##
-## Makefile for OpenSSL: fipscanister.o only
-##
-
-VERSION=fips-2.0-test
-MAJOR=
-MINOR=
-SHLIB_VERSION_NUMBER=
-SHLIB_VERSION_HISTORY=
-SHLIB_MAJOR=
-SHLIB_MINOR=
-SHLIB_EXT=
-PLATFORM=dist
-OPTIONS=
-CONFIGURE_ARGS=
-SHLIB_TARGET=
-
-# HERE indicates where this Makefile lives.  This can be used to indicate
-# where sub-Makefiles are expected to be.  Currently has very limited usage,
-# and should probably not be bothered with at all.
-HERE=.
-
-# INSTALL_PREFIX is for package builders so that they can configure
-# for, say, /usr/ and yet have everything installed to /tmp/somedir/usr/.
-# Normally it is left empty.
-INSTALL_PREFIX=
-INSTALLTOP=/usr/local/ssl
-
-# Do not edit this manually. Use Configure --openssldir=DIR do change this!
-OPENSSLDIR=/usr/local/ssl
-
-# NO_IDEA - Define to build without the IDEA algorithm
-# NO_RC4  - Define to build without the RC4 algorithm
-# NO_RC2  - Define to build without the RC2 algorithm
-# THREADS - Define when building with threads, you will probably also need any
-#           system defines as well, i.e. _REENTERANT for Solaris 2.[34]
-# TERMIO  - Define the termio terminal subsystem, needed if sgtty is missing.
-# TERMIOS - Define the termios terminal subsystem, Silicon Graphics.
-# LONGCRYPT - Define to use HPUX 10.x's long password modification to crypt(3).
-# DEVRANDOM - Give this the value of the 'random device' if your OS supports
-#           one.  32 bytes will be read from this when the random
-#           number generator is initalised.
-# SSL_FORBID_ENULL - define if you want the server to be not able to use the
-#           NULL encryption ciphers.
-#
-# LOCK_DEBUG - turns on lots of lock debug output :-)
-# REF_CHECK - turn on some xyz_free() assertions.
-# REF_PRINT - prints some stuff on structure free.
-# CRYPTO_MDEBUG - turns on my 'memory leak' detecting stuff
-# MFUNC - Make all Malloc/Free/Realloc calls call
-#       CRYPTO_malloc/CRYPTO_free/CRYPTO_realloc which can be setup to
-#       call application defined callbacks via CRYPTO_set_mem_functions()
-# MD5_ASM needs to be defined to use the x86 assembler for MD5
-# SHA1_ASM needs to be defined to use the x86 assembler for SHA1
-# RMD160_ASM needs to be defined to use the x86 assembler for RIPEMD160
-# Do not define B_ENDIAN or L_ENDIAN if 'unsigned long' == 8.  It must
-# equal 4.
-# PKCS1_CHECK - pkcs1 tests.
-
-CC= cc
-CFLAG= -O
-DEPFLAG= 
-PEX_LIBS= 
-EX_LIBS= 
-EXE_EXT= 
-ARFLAGS=
-AR=ar $(ARFLAGS) r
-RANLIB= ranlib
-NM= nm
-PERL= perl
-TAR= tar
-TARFLAGS= --no-recursion
-MAKEDEPPROG=makedepend
-LIBDIR=lib
-
-# We let the C compiler driver to take care of .s files. This is done in
-# order to be excused from maintaining a separate set of architecture
-# dependent assembler flags. E.g. if you throw -mcpu=ultrasparc at SPARC
-# gcc, then the driver will automatically translate it to -xarch=v8plus
-# and pass it down to assembler.
-#AS=$(CC) -c
-ASFLAG=$(CFLAG)
-
-# For x86 assembler: Set PROCESSOR to 386 if you want to support
-# the 80386.
-PROCESSOR=
-
-# CPUID module collects small commonly used assembler snippets
-CPUID_OBJ= 
-BN_ASM= bn_asm.o
-DES_ENC= des_enc.o fcrypt_b.o
-AES_ENC= aes_core.o aes_cbc.o
-BF_ENC= bf_enc.o
-CAST_ENC= c_enc.o
-RC4_ENC= rc4_enc.o
-RC5_ENC= rc5_enc.o
-MD5_ASM_OBJ= 
-SHA1_ASM_OBJ= 
-RMD160_ASM_OBJ= 
-WP_ASM_OBJ=
-CMLL_ENC=
-MODES_ASM_OBJ=
-PERLASM_SCHEME=
-
-# KRB5 stuff
-KRB5_INCLUDES=
-LIBKRB5=
-
-# Zlib stuff
-ZLIB_INCLUDE=
-LIBZLIB=
-
-# This is the location of fipscanister.o and friends.
-# The FIPS module build will place it $(INSTALLTOP)/lib
-# but since $(INSTALLTOP) can only take the default value
-# when the module is built it will be in /usr/local/ssl/lib
-# $(INSTALLTOP) for this build may be different so hard
-# code the path.
-
-FIPSLIBDIR=/usr/local/ssl/$(LIBDIR)/
-
-# This is set to "y" if fipscanister.o is compiled internally as
-# opposed to coming from an external validated location.
-
-FIPSCANISTERINTERNAL=n
-
-# This is set if we only build fipscanister.o
-
-FIPSCANISTERONLY=y
-
-# The location of the library which contains fipscanister.o
-# normally it will be libcrypto unless fipsdso is set in which
-# case it will be libfips. If not compiling in FIPS mode at all
-# this is empty making it a useful test for a FIPS compile.
-
-FIPSCANLIB=
-
-# Shared library base address. Currently only used on Windows.
-#
-
-BASEADDR=
-
-DIRS=   crypto fips test 
-ENGDIRS= ccgost
-SHLIBDIRS= crypto 
-
-# dirs in crypto to build
-SDIRS=  \
-	sha hmac des aes modes \
-	bn ec rsa dsa ecdsa dh \
-	buffer evp ecdh cmac
-# keep in mind that the above list is adjusted by ./Configure
-# according to no-xxx arguments...
-
-LINKDIRS=  \
-	objects sha hmac des aes modes \
-	bn ec rsa dsa ecdh cmac ecdsa dh engine \
-	buffer bio stack lhash rand err \
-	evp asn1 ui
-
-# tests to perform.  "alltests" is a special word indicating that all tests
-# should be performed.
-TESTS = alltests
-
-MAKEFILE= Makefile
-
-MANDIR=$(OPENSSLDIR)/man
-MAN1=1
-MAN3=3
-MANSUFFIX=
-HTMLSUFFIX=html
-HTMLDIR=$(OPENSSLDIR)/html
-SHELL=/bin/sh
-
-TOP=    .
-ONEDIRS=out tmp
-EDIRS=  times doc bugs util include certs ms shlib mt demos perl sf dep VMS
-WDIRS=  windows
-LIBS=   
-SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
-SHARED_SSL=libssl$(SHLIB_EXT)
-SHARED_LIBS=
-SHARED_LIBS_LINK_EXTS=
-SHARED_LDFLAGS=
-
-GENERAL=        Makefile
-BASENAME=       openssl
-NAME=           $(BASENAME)-$(VERSION)
-TARFILE=        openssl-fips-2.0.tar
-WTARFILE=       $(NAME)-win.tar
-EXHEADER=       e_os2.h
-HEADER=         e_os.h
-
-all: Makefile build_all openssl.pc libssl.pc libcrypto.pc
-
-# as we stick to -e, CLEARENV ensures that local variables in lower
-# Makefiles remain local and variable. $${VAR+VAR} is tribute to Korn
-# shell, which [annoyingly enough] terminates unset with error if VAR
-# is not present:-( TOP= && unset TOP is tribute to HP-UX /bin/sh,
-# which terminates unset with error if no variable was present:-(
-CLEARENV=	TOP= && unset TOP $${LIB+LIB} $${LIBS+LIBS}	\
-		$${INCLUDE+INCLUDE} $${INCLUDES+INCLUDES}	\
-		$${DIR+DIR} $${DIRS+DIRS} $${SRC+SRC}		\
-		$${LIBSRC+LIBSRC} $${LIBOBJ+LIBOBJ} $${ALL+ALL}	\
-		$${EXHEADER+EXHEADER} $${HEADER+HEADER}		\
-		$${GENERAL+GENERAL} $${CFLAGS+CFLAGS}		\
-		$${ASFLAGS+ASFLAGS} $${AFLAGS+AFLAGS}		\
-		$${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS}		\
-		$${SHAREDCMD+SHAREDCMD} $${SHAREDFLAGS+SHAREDFLAGS}	\
-		$${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS}
-
-BUILDENV=	PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)' \
-		CC='$(CC)' CFLAG='$(CFLAG)' 			\
-		ASFLAG='$(CFLAG) -c'			\
-		AR='$(AR)' NM='$(NM)' RANLIB='$(RANLIB)'	\
-		CROSS_COMPILE='$(CROSS_COMPILE)'	\
-		PERL='$(PERL)' ENGDIRS='$(ENGDIRS)'		\
-		SDIRS='$(SDIRS)' LIBRPATH='$(INSTALLTOP)/$(LIBDIR)'	\
-		INSTALL_PREFIX='$(INSTALL_PREFIX)'		\
-		INSTALLTOP='$(INSTALLTOP)' OPENSSLDIR='$(OPENSSLDIR)'	\
-		LIBDIR='$(LIBDIR)'				\
-		MAKEDEPEND='$$$${TOP}/util/domd $$$${TOP} -MD $(MAKEDEPPROG)' \
-		DEPFLAG='-DOPENSSL_NO_DEPRECATED $(DEPFLAG)'	\
-		MAKEDEPPROG='$(MAKEDEPPROG)'			\
-		SHARED_LDFLAGS='$(SHARED_LDFLAGS)'		\
-		KRB5_INCLUDES='$(KRB5_INCLUDES)' LIBKRB5='$(LIBKRB5)'	\
-		ZLIB_INCLUDE='$(ZLIB_INCLUDE)' LIBZLIB='$(LIBZLIB)'	\
-		EXE_EXT='$(EXE_EXT)' SHARED_LIBS='$(SHARED_LIBS)'	\
-		SHLIB_EXT='$(SHLIB_EXT)' SHLIB_TARGET='$(SHLIB_TARGET)'	\
-		PEX_LIBS='$(PEX_LIBS)' EX_LIBS='$(EX_LIBS)'	\
-		CPUID_OBJ='$(CPUID_OBJ)'			\
-		BN_ASM='$(BN_ASM)' DES_ENC='$(DES_ENC)' 	\
-		AES_ENC='$(AES_ENC)' CMLL_ENC='$(CMLL_ENC)'	\
-		BF_ENC='$(BF_ENC)' CAST_ENC='$(CAST_ENC)'	\
-		RC4_ENC='$(RC4_ENC)' RC5_ENC='$(RC5_ENC)'	\
-		SHA1_ASM_OBJ='$(SHA1_ASM_OBJ)'			\
-		MD5_ASM_OBJ='$(MD5_ASM_OBJ)'			\
-		RMD160_ASM_OBJ='$(RMD160_ASM_OBJ)'		\
-		WP_ASM_OBJ='$(WP_ASM_OBJ)'			\
-		MODES_ASM_OBJ='$(MODES_ASM_OBJ)'		\
-		PERLASM_SCHEME='$(PERLASM_SCHEME)'		\
-		FIPSLIBDIR='${FIPSLIBDIR}'			\
-		FIPSCANLIB="$${FIPSCANLIB:-$(FIPSCANLIB)}"	\
-		FIPSCANISTERINTERNAL='${FIPSCANISTERINTERNAL}'	\
-		FIPSCANISTERONLY='${FIPSCANISTERONLY}'	\
-		FIPS_EX_OBJ='${FIPS_EX_OBJ}'	\
-		THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES=
-# MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors,
-# which in turn eliminates ambiguities in variable treatment with -e.
-
-# BUILD_CMD is a generic macro to build a given target in a given
-# subdirectory.  The target must be given through the shell variable
-# `target' and the subdirectory to build in must be given through `dir'.
-# This macro shouldn't be used directly, use RECURSIVE_BUILD_CMD or
-# BUILD_ONE_CMD instead.
-#
-# BUILD_ONE_CMD is a macro to build a given target in a given
-# subdirectory if that subdirectory is part of $(DIRS).  It requires
-# exactly the same shell variables as BUILD_CMD.
-#
-# RECURSIVE_BUILD_CMD is a macro to build a given target in all
-# subdirectories defined in $(DIRS).  It requires that the target
-# is given through the shell variable `target'.
-BUILD_CMD=  if [ -d "$$dir" ]; then \
-	    (	cd $$dir && echo "making $$target in $$dir..." && \
-		$(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. DIR=$$dir $$target \
-	    ) || exit 1; \
-	    fi
-RECURSIVE_BUILD_CMD=for dir in $(DIRS); do $(BUILD_CMD); done
-BUILD_ONE_CMD=\
-	if expr " $(DIRS) " : ".* $$dir " >/dev/null 2>&1; then \
-		$(BUILD_CMD); \
-	fi
-
-reflect:
-	@[ -n "$(THIS)" ] && $(CLEARENV) && $(MAKE) $(THIS) -e $(BUILDENV)
-
-FIPS_EX_OBJ= ../crypto/aes/aes_cfb.o \
-	../crypto/aes/aes_ecb.o \
-	../crypto/aes/aes_ofb.o \
-	../crypto/bn/bn_add.o \
-	../crypto/bn/bn_blind.o \
-	../crypto/bn/bn_ctx.o \
-	../crypto/bn/bn_div.o \
-	../crypto/bn/bn_exp2.o \
-	../crypto/bn/bn_exp.o \
-	../crypto/bn/bn_gcd.o \
-	../crypto/bn/bn_gf2m.o \
-	../crypto/bn/bn_lib.o \
-	../crypto/bn/bn_mod.o \
-	../crypto/bn/bn_mont.o \
-	../crypto/bn/bn_mul.o \
-	../crypto/bn/bn_nist.o \
-	../crypto/bn/bn_prime.o \
-	../crypto/bn/bn_rand.o \
-	../crypto/bn/bn_recp.o \
-	../crypto/bn/bn_shift.o \
-	../crypto/bn/bn_sqr.o \
-	../crypto/bn/bn_word.o \
-	../crypto/bn/bn_x931p.o \
-	../crypto/buffer/buf_str.o \
-	../crypto/cmac/cmac.o \
-	../crypto/cryptlib.o \
-	../crypto/des/cfb64ede.o \
-	../crypto/des/cfb64enc.o \
-	../crypto/des/cfb_enc.o \
-	../crypto/des/ecb3_enc.o \
-	../crypto/des/ofb64ede.o \
-	../crypto/des/fcrypt.o \
-	../crypto/des/set_key.o \
-	../crypto/dh/dh_check.o \
-	../crypto/dh/dh_gen.o \
-	../crypto/dh/dh_key.o \
-	../crypto/dsa/dsa_gen.o \
-	../crypto/dsa/dsa_key.o \
-	../crypto/dsa/dsa_ossl.o \
-	../crypto/ec/ec_curve.o \
-	../crypto/ec/ec_cvt.o \
-	../crypto/ec/ec_key.o \
-	../crypto/ec/ec_lib.o \
-	../crypto/ec/ecp_mont.o \
-	../crypto/ec/ec_mult.o \
-	../crypto/ec/ecp_nist.o \
-	../crypto/ec/ecp_smpl.o \
-	../crypto/ec/ec2_mult.o \
-	../crypto/ec/ec2_smpl.o \
-	../crypto/ecdh/ech_key.o \
-	../crypto/ecdh/ech_ossl.o \
-	../crypto/ecdsa/ecs_ossl.o \
-	../crypto/evp/e_aes.o \
-	../crypto/evp/e_des3.o \
-	../crypto/evp/e_null.o \
-	../crypto/evp/m_sha1.o \
-	../crypto/evp/m_dss1.o \
-	../crypto/evp/m_dss.o \
-	../crypto/evp/m_ecdsa.o \
-	../crypto/hmac/hmac.o \
-	../crypto/modes/cbc128.o \
-	../crypto/modes/ccm128.o \
-	../crypto/modes/cfb128.o \
-	../crypto/modes/ctr128.o \
-	../crypto/modes/gcm128.o \
-	../crypto/modes/ofb128.o \
-	../crypto/modes/xts128.o \
-	../crypto/rsa/rsa_eay.o \
-	../crypto/rsa/rsa_gen.o \
-	../crypto/rsa/rsa_crpt.o \
-	../crypto/rsa/rsa_none.o \
-	../crypto/rsa/rsa_oaep.o \
-	../crypto/rsa/rsa_pk1.o \
-	../crypto/rsa/rsa_pss.o \
-	../crypto/rsa/rsa_ssl.o \
-	../crypto/rsa/rsa_x931.o \
-	../crypto/rsa/rsa_x931g.o \
-	../crypto/sha/sha1dgst.o \
-	../crypto/sha/sha256.o \
-	../crypto/sha/sha512.o \
-	../crypto/thr_id.o \
-	../crypto/uid.o
-
-sub_all: build_all
-build_all: build_libs
-
-build_libs: build_crypto build_fips
-
-build_fips:
-	@dir=fips; target=all; [ -z "$(FIPSCANLIB)" ] || $(BUILD_ONE_CMD)
-
-build_crypto:
-	if [ -n "$(FIPSCANLIB)" ]; then \
-		EXCL_OBJ='$(AES_ENC) $(BN_ASM) $(DES_ENC) $(CPUID_OBJ) $(SHA1_ASM_OBJ) $(MODES_ASM_OBJ) $(FIPS_EX_OBJ)' ; export EXCL_OBJ ; \
-		ARX='$(PERL) $${TOP}/util/arx.pl $(AR)' ; \
-	else \
-		ARX='${AR}' ; \
-	fi ; export ARX ; \
-	if [ $(FIPSCANISTERINTERNAL) = "y" ]; then \
-		AS='$(PERL) $${TOP}/util/fipsas.pl $${TOP} $${<} $(CC)' ; \
-	else \
-		AS='$(CC) -c' ; \
-	fi ; export AS ; \
-		dir=crypto; target=fips; $(BUILD_ONE_CMD)
-build_ssl:
-	@dir=ssl; target=all; $(BUILD_ONE_CMD)
-build_engines:
-	@dir=engines; target=all; $(BUILD_ONE_CMD)
-build_apps:
-	@dir=apps; target=all; $(BUILD_ONE_CMD)
-build_tests:
-	@dir=test; target=fipsexe; $(BUILD_ONE_CMD)
-build_algvs:
-	@dir=test; target=fipsalgvs; $(BUILD_ONE_CMD)
-build_tools:
-	@dir=tools; target=all; $(BUILD_ONE_CMD)
-
-all_testapps: build_libs build_testapps
-build_testapps:
-	@dir=crypto; target=testapps; $(BUILD_ONE_CMD)
-
-libcrypto$(SHLIB_EXT): libcrypto.a build_fips
-	@if [ "$(SHLIB_TARGET)" != "" ]; then \
-		if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \
-			FIPSLD_CC="$(CC)"; CC=fips/fipsld; \
-			export CC FIPSLD_CC; \
-		fi; \
-		$(MAKE) SHLIBDIRS=crypto build-shared; \
-	else \
-		echo "There's no support for shared libraries on this platform" >&2; \
-		exit 1; \
-	fi
-
-libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a
-	@if [ "$(SHLIB_TARGET)" != "" ]; then \
-		$(MAKE) SHLIBDIRS=ssl SHLIBDEPS='-lcrypto' build-shared; \
-	else \
-		echo "There's no support for shared libraries on this platform" >&2; \
-		exit 1; \
-	fi
-
-clean-shared:
-	@set -e; for i in $(SHLIBDIRS); do \
-		if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \
-			tmp="$(SHARED_LIBS_LINK_EXTS)"; \
-			for j in $${tmp:-x}; do \
-				( set -x; rm -f lib$$i$$j ); \
-			done; \
-		fi; \
-		( set -x; rm -f lib$$i$(SHLIB_EXT) ); \
-		if [ "$(PLATFORM)" = "Cygwin" ]; then \
-			( set -x; rm -f cyg$$i$(SHLIB_EXT) lib$$i$(SHLIB_EXT).a ); \
-		fi; \
-	done
-
-link-shared:
-	@ set -e; for i in $(SHLIBDIRS); do \
-		$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
-			LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
-			LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
-			symlink.$(SHLIB_TARGET); \
-		libs="$$libs -l$$i"; \
-	done
-
-build-shared: do_$(SHLIB_TARGET) link-shared
-
-do_$(SHLIB_TARGET):
-	@ set -e; libs='-L. $(SHLIBDEPS)'; for i in $(SHLIBDIRS); do \
-		if [ "$$i" = "ssl" -a -n "$(LIBKRB5)" ]; then \
-			libs="$(LIBKRB5) $$libs"; \
-		fi; \
-		$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
-			LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
-			LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
-			LIBDEPS="$$libs $(EX_LIBS)" \
-			link_a.$(SHLIB_TARGET); \
-		libs="-l$$i $$libs"; \
-	done
-
-libcrypto.pc: Makefile
-	@ ( echo 'prefix=$(INSTALLTOP)'; \
-	    echo 'exec_prefix=$${prefix}'; \
-	    echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
-	    echo 'includedir=$${prefix}/include'; \
-	    echo ''; \
-	    echo 'Name: OpenSSL-libcrypto'; \
-	    echo 'Description: OpenSSL cryptography library'; \
-	    echo 'Version: '$(VERSION); \
-	    echo 'Requires: '; \
-	    echo 'Libs: -L$${libdir} -lcrypto $(EX_LIBS)'; \
-	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc
-
-libssl.pc: Makefile
-	@ ( echo 'prefix=$(INSTALLTOP)'; \
-	    echo 'exec_prefix=$${prefix}'; \
-	    echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
-	    echo 'includedir=$${prefix}/include'; \
-	    echo ''; \
-	    echo 'Name: OpenSSL'; \
-	    echo 'Description: Secure Sockets Layer and cryptography libraries'; \
-	    echo 'Version: '$(VERSION); \
-	    echo 'Requires: '; \
-	    echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
-	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
-
-openssl.pc: Makefile
-	@ ( echo 'prefix=$(INSTALLTOP)'; \
-	    echo 'exec_prefix=$${prefix}'; \
-	    echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
-	    echo 'includedir=$${prefix}/include'; \
-	    echo ''; \
-	    echo 'Name: OpenSSL'; \
-	    echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
-	    echo 'Version: '$(VERSION); \
-	    echo 'Requires: '; \
-	    echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
-	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
-
-Makefile: Makefile.fips Configure config
-	@echo "Makefile is older than Makefile.org, Configure or config."
-	@echo "Reconfigure the source tree (via './config' or 'perl Configure'), please."
-	@false
-
-libclean:
-	rm -f *.map *.so *.so.* *.dll engines/*.so engines/*.dll *.a engines/*.a */lib */*/lib
-
-clean:	libclean
-	rm -f shlib/*.o *.o core a.out fluff testlog make.log cctest cctest.c
-	@set -e; target=clean; $(RECURSIVE_BUILD_CMD)
-	rm -f $(LIBS)
-	rm -f openssl.pc libssl.pc libcrypto.pc
-	rm -f speed.* .pure
-	rm -f $(TARFILE)
-	@set -e; for i in $(ONEDIRS) ;\
-	do \
-	rm -fr $$i/*; \
-	done
-
-makefile.one: files
-	$(PERL) util/mk1mf.pl >makefile.one; \
-	sh util/do_ms.sh
-
-files:
-	$(PERL) $(TOP)/util/files.pl Makefile > $(TOP)/MINFO
-	@set -e; target=files; $(RECURSIVE_BUILD_CMD)
-
-links:
-	@$(PERL) $(TOP)/util/mkdir-p.pl include/openssl
-	@$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER)
-	@set -e; dir=fips target=links; $(BUILD_ONE_CMD)
-	@(cd crypto ; TEST='' SDIRS='$(LINKDIRS)' $(MAKE) -e links)
-
-gentests:
-	@(cd test && echo "generating dummy tests (if needed)..." && \
-	$(CLEARENV) && $(MAKE) -e $(BUILDENV) TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on generate );
-
-dclean:
-	rm -rf *.bak include/openssl certs/.0
-	@set -e; target=dclean; $(RECURSIVE_BUILD_CMD)
-
-test:   tests
-
-tests:
-	@echo "Not implemented in FIPS build" ; false
-
-report:
-	@$(PERL) util/selftest.pl
-
-depend:
-	@echo make depend not supported ; false
-
-lint:
-	@set -e; target=lint; $(RECURSIVE_BUILD_CMD)
-
-tags:
-	rm -f TAGS
-	find . -name '[^.]*.[ch]' | xargs etags -a
-
-errors:
-	$(PERL) util/mkerr.pl -recurse -write
-	(cd engines; $(MAKE) PERL=$(PERL) errors)
-	$(PERL) util/ck_errf.pl -strict */*.c */*/*.c
-
-stacks:
-	$(PERL) util/mkstack.pl -write
-
-util/libeay.num::
-	$(PERL) util/mkdef.pl crypto update
-
-util/ssleay.num::
-	$(PERL) util/mkdef.pl ssl update
-
-crypto/objects/obj_dat.h: crypto/objects/obj_dat.pl crypto/objects/obj_mac.h
-	$(PERL) crypto/objects/obj_dat.pl crypto/objects/obj_mac.h crypto/objects/obj_dat.h
-crypto/objects/obj_mac.h: crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num
-	$(PERL) crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num crypto/objects/obj_mac.h
-crypto/objects/obj_xref.h: crypto/objects/objxref.pl crypto/objects/obj_xref.txt crypto/objects/obj_mac.num
-	$(PERL) crypto/objects/objxref.pl crypto/objects/obj_mac.num crypto/objects/obj_xref.txt >crypto/objects/obj_xref.h
-
-apps/openssl-vms.cnf: apps/openssl.cnf
-	$(PERL) VMS/VMSify-conf.pl < apps/openssl.cnf > apps/openssl-vms.cnf
-
-crypto/bn/bn_prime.h: crypto/bn/bn_prime.pl
-	$(PERL) crypto/bn/bn_prime.pl >crypto/bn/bn_prime.h
-
-
-TABLE: Configure
-	(echo 'Output of `Configure TABLE'"':"; \
-	$(PERL) Configure TABLE) > TABLE
-
-update: errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h crypto/objects/obj_xref.h apps/openssl-vms.cnf crypto/bn/bn_prime.h TABLE depend
-
-# Build distribution tar-file. As the list of files returned by "find" is
-# pretty long, on several platforms a "too many arguments" error or similar
-# would occur. Therefore the list of files is temporarily stored into a file
-# and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal
-# tar does not support the --files-from option.
-tar:
-	find . -type d -print | xargs chmod 755
-	find . -type f -print | xargs chmod a+r
-	find . -type f -perm -0100 -print | xargs chmod a+x
-	find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | $(BUILDENV) LINKDIRS='$(LINKDIRS)' $(PERL) util/fipsdist.pl | sort > ../$(TARFILE).list; \
-	$(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list -cvf - | \
-	tardy --user_number=0  --user_name=openssl \
-	      --group_number=0 --group_name=openssl \
-	      --prefix=openssl-$(VERSION) - |\
-	gzip --best >../$(TARFILE).gz; \
-	rm -f ../$(TARFILE).list; \
-	ls -l ../$(TARFILE).gz
-
-tar-snap:
-	@$(TAR) $(TARFLAGS) -cvf - \
-		`find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \! -name '*.so' \! -name '*.so.*'  \! -name 'openssl' \! -name '*test' \! -name '.#*' \! -name '*~' | sort` |\
-	tardy --user_number=0  --user_name=openssl \
-	      --group_number=0 --group_name=openssl \
-	      --prefix=openssl-$(VERSION) - > ../$(TARFILE);\
-	ls -l ../$(TARFILE)
-
-dist:   
-	$(PERL) Configure dist fipscanisteronly
-	@$(MAKE) dist_pem_h
-	@$(MAKE) SDIRS='$(SDIRS)' clean
-	@$(MAKE) -f Makefile.fips TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' tar
-
-dist_pem_h:
-	(cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean)
-
-install: all install_sw
-
-install_sw:
-	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
-		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
-		$(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl
-	@set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\
-	do \
-	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
-	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
-	done;
-	@set -e; target=install; $(RECURSIVE_BUILD_CMD)
-
-# DO NOT DELETE THIS LINE -- make depend depends on it.

Makefile.org

@@ -69,7 +69,7 @@ RANLIB= ranlib
 NM= nm
 PERL= perl
 TAR= tar
-TARFLAGS= --no-recursion
+TARFLAGS= --no-recursion --record-size=10240
 MAKEDEPPROG=makedepend
 LIBDIR=lib
 
@@ -78,7 +78,7 @@ LIBDIR=lib
 # dependent assembler flags. E.g. if you throw -mcpu=ultrasparc at SPARC
 # gcc, then the driver will automatically translate it to -xarch=v8plus
 # and pass it down to assembler.
-#AS=$(CC) -c
+AS=$(CC) -c
 ASFLAG=$(CFLAG)
 
 # For x86 assembler: Set PROCESSOR to 386 if you want to support
@@ -111,6 +111,9 @@ LIBKRB5=
 ZLIB_INCLUDE=
 LIBZLIB=
 
+# TOP level FIPS install directory.
+FIPSDIR=
+
 # This is the location of fipscanister.o and friends.
 # The FIPS module build will place it $(INSTALLTOP)/lib
 # but since $(INSTALLTOP) can only take the default value
@@ -118,12 +121,7 @@ LIBZLIB=
 # $(INSTALLTOP) for this build may be different so hard
 # code the path.
 
-FIPSLIBDIR=/usr/local/ssl/$(LIBDIR)/
-
-# This is set to "y" if fipscanister.o is compiled internally as
-# opposed to coming from an external validated location.
-
-FIPSCANISTERINTERNAL=n
+FIPSLIBDIR=
 
 # The location of the library which contains fipscanister.o
 # normally it will be libcrypto unless fipsdso is set in which
@@ -137,7 +135,7 @@ FIPSCANLIB=
 
 BASEADDR=
 
-DIRS=   crypto fips ssl engines apps test tools
+DIRS=   crypto ssl engines apps test tools
 ENGDIRS= ccgost
 SHLIBDIRS= crypto ssl
 
@@ -200,13 +198,13 @@ CLEARENV=	TOP= && unset TOP $${LIB+LIB} $${LIBS+LIBS}	\
 		$${EXHEADER+EXHEADER} $${HEADER+HEADER}		\
 		$${GENERAL+GENERAL} $${CFLAGS+CFLAGS}		\
 		$${ASFLAGS+ASFLAGS} $${AFLAGS+AFLAGS}		\
-		$${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS}		\
+		$${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS} $${SCRIPTS+SCRIPTS}	\
 		$${SHAREDCMD+SHAREDCMD} $${SHAREDFLAGS+SHAREDFLAGS}	\
 		$${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS}
 
 BUILDENV=	PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)' \
 		CC='$(CC)' CFLAG='$(CFLAG)' 			\
-		ASFLAG='$(CFLAG) -c'			\
+		AS='$(CC)' ASFLAG='$(CFLAG) -c'			\
 		AR='$(AR)' NM='$(NM)' RANLIB='$(RANLIB)'	\
 		CROSS_COMPILE='$(CROSS_COMPILE)'	\
 		PERL='$(PERL)' ENGDIRS='$(ENGDIRS)'		\
@@ -236,9 +234,8 @@ BUILDENV=	PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)' \
 		ENGINES_ASM_OBJ='$(ENGINES_ASM_OBJ)'		\
 		PERLASM_SCHEME='$(PERLASM_SCHEME)'		\
 		FIPSLIBDIR='${FIPSLIBDIR}'			\
+		FIPSDIR='${FIPSDIR}'				\
 		FIPSCANLIB="$${FIPSCANLIB:-$(FIPSCANLIB)}"	\
-		FIPSCANISTERINTERNAL='${FIPSCANISTERINTERNAL}'	\
-		FIPS_EX_OBJ='${FIPS_EX_OBJ}'	\
 		THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES=
 # MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors,
 # which in turn eliminates ambiguities in variable treatment with -e.
@@ -270,114 +267,17 @@ BUILD_ONE_CMD=\
 reflect:
 	@[ -n "$(THIS)" ] && $(CLEARENV) && $(MAKE) $(THIS) -e $(BUILDENV)
 
-FIPS_EX_OBJ= ../crypto/aes/aes_cfb.o \
-	../crypto/aes/aes_ecb.o \
-	../crypto/aes/aes_ofb.o \
-	../crypto/bn/bn_add.o \
-	../crypto/bn/bn_blind.o \
-	../crypto/bn/bn_ctx.o \
-	../crypto/bn/bn_div.o \
-	../crypto/bn/bn_exp2.o \
-	../crypto/bn/bn_exp.o \
-	../crypto/bn/bn_gcd.o \
-	../crypto/bn/bn_gf2m.o \
-	../crypto/bn/bn_lib.o \
-	../crypto/bn/bn_mod.o \
-	../crypto/bn/bn_mont.o \
-	../crypto/bn/bn_mul.o \
-	../crypto/bn/bn_nist.o \
-	../crypto/bn/bn_prime.o \
-	../crypto/bn/bn_rand.o \
-	../crypto/bn/bn_recp.o \
-	../crypto/bn/bn_shift.o \
-	../crypto/bn/bn_sqr.o \
-	../crypto/bn/bn_word.o \
-	../crypto/bn/bn_x931p.o \
-	../crypto/buffer/buf_str.o \
-	../crypto/cmac/cmac.o \
-	../crypto/cryptlib.o \
-	../crypto/des/cfb64ede.o \
-	../crypto/des/cfb64enc.o \
-	../crypto/des/cfb_enc.o \
-	../crypto/des/ecb3_enc.o \
-	../crypto/des/ofb64ede.o \
-	../crypto/des/fcrypt.o \
-	../crypto/des/set_key.o \
-	../crypto/dh/dh_check.o \
-	../crypto/dh/dh_gen.o \
-	../crypto/dh/dh_key.o \
-	../crypto/dsa/dsa_gen.o \
-	../crypto/dsa/dsa_key.o \
-	../crypto/dsa/dsa_ossl.o \
-	../crypto/ec/ec_curve.o \
-	../crypto/ec/ec_cvt.o \
-	../crypto/ec/ec_key.o \
-	../crypto/ec/ec_lib.o \
-	../crypto/ec/ecp_mont.o \
-	../crypto/ec/ec_mult.o \
-	../crypto/ec/ecp_nist.o \
-	../crypto/ec/ecp_smpl.o \
-	../crypto/ec/ec2_mult.o \
-	../crypto/ec/ec2_smpl.o \
-	../crypto/ecdh/ech_key.o \
-	../crypto/ecdh/ech_ossl.o \
-	../crypto/ecdsa/ecs_ossl.o \
-	../crypto/evp/e_aes.o \
-	../crypto/evp/e_des3.o \
-	../crypto/evp/e_null.o \
-	../crypto/evp/m_sha1.o \
-	../crypto/evp/m_dss1.o \
-	../crypto/evp/m_dss.o \
-	../crypto/evp/m_ecdsa.o \
-	../crypto/hmac/hmac.o \
-	../crypto/modes/cbc128.o \
-	../crypto/modes/ccm128.o \
-	../crypto/modes/cfb128.o \
-	../crypto/modes/ctr128.o \
-	../crypto/modes/gcm128.o \
-	../crypto/modes/ofb128.o \
-	../crypto/modes/xts128.o \
-	../crypto/rsa/rsa_eay.o \
-	../crypto/rsa/rsa_gen.o \
-	../crypto/rsa/rsa_crpt.o \
-	../crypto/rsa/rsa_none.o \
-	../crypto/rsa/rsa_oaep.o \
-	../crypto/rsa/rsa_pk1.o \
-	../crypto/rsa/rsa_pss.o \
-	../crypto/rsa/rsa_ssl.o \
-	../crypto/rsa/rsa_x931.o \
-	../crypto/rsa/rsa_x931g.o \
-	../crypto/sha/sha1dgst.o \
-	../crypto/sha/sha256.o \
-	../crypto/sha/sha512.o \
-	../crypto/thr_id.o \
-	../crypto/uid.o
-
 sub_all: build_all
 build_all: build_libs build_apps build_tests build_tools
 
-build_libs: build_crypto build_fips build_ssl build_engines
-
-build_fips:
-	@dir=fips; target=all; [ -z "$(FIPSCANLIB)" ] || $(BUILD_ONE_CMD)
+build_libs: build_crypto build_ssl build_engines
 
 build_crypto:
-	if [ -n "$(FIPSCANLIB)" ]; then \
-		EXCL_OBJ='$(AES_ENC) $(BN_ASM) $(DES_ENC) $(CPUID_OBJ) $(SHA1_ASM_OBJ) $(MODES_ASM_OBJ) $(FIPS_EX_OBJ)' ; export EXCL_OBJ ; \
-		ARX='$(PERL) $${TOP}/util/arx.pl $(AR)' ; \
-	else \
-		ARX='${AR}' ; \
-	fi ; export ARX ; \
-	if [ $(FIPSCANISTERINTERNAL) = "y" ]; then \
-		AS='$(PERL) $${TOP}/util/fipsas.pl $${TOP} $${<} $(CC) -c' ; \
-	else \
-		AS='$(CC) -c' ; \
-	fi ; export AS ; \
-		dir=crypto; target=all; $(BUILD_ONE_CMD)
+	@dir=crypto; target=all; $(BUILD_ONE_CMD)
 build_ssl:
 	@dir=ssl; target=all; $(BUILD_ONE_CMD)
 build_engines:
-	@dir=engines; target=all; AS='$(CC) -c'; export AS; $(BUILD_ONE_CMD)
+	@dir=engines; target=all; $(BUILD_ONE_CMD)
 build_apps:
 	@dir=apps; target=all; $(BUILD_ONE_CMD)
 build_tests:
@@ -389,13 +289,21 @@ all_testapps: build_libs build_testapps
 build_testapps:
 	@dir=crypto; target=testapps; $(BUILD_ONE_CMD)
 
-libcrypto$(SHLIB_EXT): libcrypto.a build_fips
+fips_premain_dso$(EXE_EXT): libcrypto.a
+	[ -z "$(FIPSCANLIB)" ] || $(CC) $(CFLAG) -Iinclude \
+		-DFINGERPRINT_PREMAIN_DSO_LOAD -o $@  \
+		$(FIPSLIBDIR)fips_premain.c $(FIPSLIBDIR)fipscanister.o \
+		libcrypto.a $(EX_LIBS)
+
+libcrypto$(SHLIB_EXT): libcrypto.a fips_premain_dso$(EXE_EXT)
 	@if [ "$(SHLIB_TARGET)" != "" ]; then \
 		if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \
-			FIPSLD_CC="$(CC)"; CC=fips/fipsld; \
-			export CC FIPSLD_CC; \
+			FIPSLD_LIBCRYPTO=libcrypto.a ; \
+			FIPSLD_CC="$(CC)"; CC=$(FIPSDIR)/bin/fipsld; \
+			export CC FIPSLD_CC FIPSLD_LIBCRYPTO; \
 		fi; \
-		$(MAKE) -e SHLIBDIRS=crypto build-shared; \
+		$(MAKE) -e SHLIBDIRS=crypto  CC="$${CC:-$(CC)}" build-shared && \
+		(touch -c fips_premain_dso$(EXE_EXT) || :); \
 	else \
 		echo "There's no support for shared libraries on this platform" >&2; \
 		exit 1; \
@@ -457,7 +365,8 @@ libcrypto.pc: Makefile
 	    echo 'Description: OpenSSL cryptography library'; \
 	    echo 'Version: '$(VERSION); \
 	    echo 'Requires: '; \
-	    echo 'Libs: -L$${libdir} -lcrypto $(EX_LIBS)'; \
+	    echo 'Libs: -L$${libdir} -lcrypto'; \
+	    echo 'Libs.private: $(EX_LIBS)'; \
 	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc
 
 libssl.pc: Makefile
@@ -470,7 +379,8 @@ libssl.pc: Makefile
 	    echo 'Description: Secure Sockets Layer and cryptography libraries'; \
 	    echo 'Version: '$(VERSION); \
 	    echo 'Requires: '; \
-	    echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
+	    echo 'Libs: -L$${libdir} -lssl -lcrypto'; \
+	    echo 'Libs.private: $(EX_LIBS)'; \
 	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
 
 openssl.pc: Makefile
@@ -483,7 +393,8 @@ openssl.pc: Makefile
 	    echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
 	    echo 'Version: '$(VERSION); \
 	    echo 'Requires: '; \
-	    echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
+	    echo 'Libs: -L$${libdir} -lssl -lcrypto'; \
+	    echo 'Libs.private: $(EX_LIBS)'; \
 	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
 
 Makefile: Makefile.org Configure config
@@ -492,7 +403,7 @@ Makefile: Makefile.org Configure config
 	@false
 
 libclean:
-	rm -f *.map *.so *.so.* *.dll engines/*.so engines/*.dll *.a engines/*.a */lib */*/lib
+	rm -f *.map *.so *.so.* *.dylib *.dll engines/*.so engines/*.dll engines/*.dylib *.a engines/*.a */lib */*/lib
 
 clean:	libclean
 	rm -f shlib/*.o *.o core a.out fluff rehash.time testlog make.log cctest cctest.c
@@ -518,9 +429,6 @@ links:
 	@$(PERL) $(TOP)/util/mkdir-p.pl include/openssl
 	@$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER)
 	@set -e; target=links; $(RECURSIVE_BUILD_CMD)
-	@if [ -z "$(FIPSCANLIB)" ]; then \
-		set -e; target=links; dir=fips ; $(BUILD_CMD) ; \
-	fi
 
 gentests:
 	@(cd test && echo "generating dummy tests (if needed)..." && \
@@ -537,7 +445,7 @@ rehash.time: certs apps
 		[ -x "apps/openssl.exe" ] && OPENSSL="apps/openssl.exe" || :; \
 		OPENSSL_DEBUG_MEMORY=on; \
 		export OPENSSL OPENSSL_DEBUG_MEMORY; \
-		$(PERL) tools/c_rehash certs) && \
+		$(PERL) tools/c_rehash certs/demo) && \
 		touch rehash.time; \
 	else :; fi
 
@@ -562,9 +470,9 @@ tags:
 	find . -name '[^.]*.[ch]' | xargs etags -a
 
 errors:
+	$(PERL) util/ck_errf.pl -strict */*.c */*/*.c
 	$(PERL) util/mkerr.pl -recurse -write
 	(cd engines; $(MAKE) PERL=$(PERL) errors)
-	$(PERL) util/ck_errf.pl -strict */*.c */*/*.c
 
 stacks:
 	$(PERL) util/mkstack.pl -write

NEWS

@@ -5,11 +5,113 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
-  Major changes between OpenSSL 1.0.0c and OpenSSL 1.0.0d:
+  Major changes between OpenSSL 1.0.1g and OpenSSL 1.0.1h [5 Jun 2014]
+
+      o Fix for CVE-2014-0224
+      o Fix for CVE-2014-0221
+      o Fix for CVE-2014-0195
+      o Fix for CVE-2014-3470
+      o Fix for CVE-2010-5298
+
+  Major changes between OpenSSL 1.0.1f and OpenSSL 1.0.1g [7 Apr 2014]
+
+      o Fix for CVE-2014-0160
+      o Add TLS padding extension workaround for broken servers.
+      o Fix for CVE-2014-0076
+
+  Major changes between OpenSSL 1.0.1e and OpenSSL 1.0.1f [6 Jan 2014]
+
+      o Don't include gmt_unix_time in TLS server and client random values
+      o Fix for TLS record tampering bug CVE-2013-4353
+      o Fix for TLS version checking bug CVE-2013-6449
+      o Fix for DTLS retransmission bug CVE-2013-6450
+
+  Major changes between OpenSSL 1.0.1d and OpenSSL 1.0.1e [11 Feb 2013]:
+
+      o Corrected fix for CVE-2013-0169
+
+  Major changes between OpenSSL 1.0.1c and OpenSSL 1.0.1d [4 Feb 2013]:
+
+      o Fix renegotiation in TLS 1.1, 1.2 by using the correct TLS version.
+      o Include the fips configuration module.
+      o Fix OCSP bad key DoS attack CVE-2013-0166
+      o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169
+      o Fix for TLS AESNI record handling flaw CVE-2012-2686
+
+  Major changes between OpenSSL 1.0.1b and OpenSSL 1.0.1c [10 May 2012]:
+
+      o Fix TLS/DTLS record length checking bug CVE-2012-2333
+      o Don't attempt to use non-FIPS composite ciphers in FIPS mode.
+
+  Major changes between OpenSSL 1.0.1a and OpenSSL 1.0.1b [26 Apr 2012]:
+
+      o Fix compilation error on non-x86 platforms.
+      o Make FIPS capable OpenSSL ciphers work in non-FIPS mode.
+      o Fix SSL_OP_NO_TLSv1_1 clash with SSL_OP_ALL in OpenSSL 1.0.0
+
+  Major changes between OpenSSL 1.0.1 and OpenSSL 1.0.1a [19 Apr 2012]:
+
+      o Fix for ASN1 overflow bug CVE-2012-2110
+      o Workarounds for some servers that hang on long client hellos.
+      o Fix SEGV in AES code.
+
+  Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1 [14 Mar 2012]:
+
+      o TLS/DTLS heartbeat support.
+      o SCTP support.
+      o RFC 5705 TLS key material exporter.
+      o RFC 5764 DTLS-SRTP negotiation.
+      o Next Protocol Negotiation.
+      o PSS signatures in certificates, requests and CRLs.
+      o Support for password based recipient info for CMS.
+      o Support TLS v1.2 and TLS v1.1.
+      o Preliminary FIPS capability for unvalidated 2.0 FIPS module.
+      o SRP support.
+
+  Major changes between OpenSSL 1.0.0j and OpenSSL 1.0.0k [5 Feb 2013]:
+
+      o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169
+      o Fix OCSP bad key DoS attack CVE-2013-0166
+
+  Major changes between OpenSSL 1.0.0i and OpenSSL 1.0.0j [10 May 2012]:
+
+      o Fix DTLS record length checking bug CVE-2012-2333
+
+  Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.0i [19 Apr 2012]:
+
+      o Fix for ASN1 overflow bug CVE-2012-2110
+
+  Major changes between OpenSSL 1.0.0g and OpenSSL 1.0.0h [12 Mar 2012]:
+
+      o Fix for CMS/PKCS#7 MMA CVE-2012-0884
+      o Corrected fix for CVE-2011-4619
+      o Various DTLS fixes.
+
+  Major changes between OpenSSL 1.0.0f and OpenSSL 1.0.0g [18 Jan 2012]:
+
+      o Fix for DTLS DoS issue CVE-2012-0050
+
+  Major changes between OpenSSL 1.0.0e and OpenSSL 1.0.0f [4 Jan 2012]:
+
+      o Fix for DTLS plaintext recovery attack CVE-2011-4108
+      o Clear block padding bytes of SSL 3.0 records CVE-2011-4576
+      o Only allow one SGC handshake restart for SSL/TLS CVE-2011-4619
+      o Check parameters are not NULL in GOST ENGINE CVE-2012-0027
+      o Check for malformed RFC3779 data CVE-2011-4577
+
+  Major changes between OpenSSL 1.0.0d and OpenSSL 1.0.0e [6 Sep 2011]:
+
+      o Fix for CRL vulnerability issue CVE-2011-3207
+      o Fix for ECDH crashes CVE-2011-3210
+      o Protection against EC timing attacks.
+      o Support ECDH ciphersuites for certificates using SHA2 algorithms.
+      o Various DTLS fixes.
+
+  Major changes between OpenSSL 1.0.0c and OpenSSL 1.0.0d [8 Feb 2011]:
 
       o Fix for security issue CVE-2011-0014
 
-  Major changes between OpenSSL 1.0.0b and OpenSSL 1.0.0c:
+  Major changes between OpenSSL 1.0.0b and OpenSSL 1.0.0c [2 Dec 2010]:
 
       o Fix for security issue CVE-2010-4180
       o Fix for CVE-2010-4252
@@ -17,18 +119,18 @@
       o Fix various platform compilation issues.
       o Corrected fix for security issue CVE-2010-3864.
 
-  Major changes between OpenSSL 1.0.0a and OpenSSL 1.0.0b:
+  Major changes between OpenSSL 1.0.0a and OpenSSL 1.0.0b [16 Nov 2010]:
 
       o Fix for security issue CVE-2010-3864.
       o Fix for CVE-2010-2939
       o Fix WIN32 build system for GOST ENGINE.
 
-  Major changes between OpenSSL 1.0.0 and OpenSSL 1.0.0a:
+  Major changes between OpenSSL 1.0.0 and OpenSSL 1.0.0a [1 Jun 2010]:
 
       o Fix for security issue CVE-2010-1633.
       o GOST MAC and CFB fixes.
 
-  Major changes between OpenSSL 0.9.8n and OpenSSL 1.0.0:
+  Major changes between OpenSSL 0.9.8n and OpenSSL 1.0.0 [29 Mar 2010]:
 
       o RFC3280 path validation: sufficient to process PKITS tests.
       o Integrated support for PVK files and keyblobs.
@@ -51,20 +153,55 @@
       o Opaque PRF Input TLS extension support.
       o Updated time routines to avoid OS limitations.
 
-  Major changes between OpenSSL 0.9.8q and OpenSSL 0.9.8r:
+  Major changes between OpenSSL 0.9.8x and OpenSSL 0.9.8y [5 Feb 2013]:
+
+      o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169
+      o Fix OCSP bad key DoS attack CVE-2013-0166
+
+  Major changes between OpenSSL 0.9.8w and OpenSSL 0.9.8x [10 May 2012]:
+
+      o Fix DTLS record length checking bug CVE-2012-2333
+
+  Major changes between OpenSSL 0.9.8v and OpenSSL 0.9.8w [23 Apr 2012]:
+
+      o Fix for CVE-2012-2131 (corrected fix for 0.9.8 and CVE-2012-2110)
+
+  Major changes between OpenSSL 0.9.8u and OpenSSL 0.9.8v [19 Apr 2012]:
+
+      o Fix for ASN1 overflow bug CVE-2012-2110
+
+  Major changes between OpenSSL 0.9.8t and OpenSSL 0.9.8u [12 Mar 2012]:
+
+      o Fix for CMS/PKCS#7 MMA CVE-2012-0884
+      o Corrected fix for CVE-2011-4619
+      o Various DTLS fixes.
+
+  Major changes between OpenSSL 0.9.8s and OpenSSL 0.9.8t [18 Jan 2012]:
+
+      o Fix for DTLS DoS issue CVE-2012-0050
+
+  Major changes between OpenSSL 0.9.8r and OpenSSL 0.9.8s [4 Jan 2012]:
+
+      o Fix for DTLS plaintext recovery attack CVE-2011-4108
+      o Fix policy check double free error CVE-2011-4109
+      o Clear block padding bytes of SSL 3.0 records CVE-2011-4576
+      o Only allow one SGC handshake restart for SSL/TLS CVE-2011-4619
+      o Check for malformed RFC3779 data CVE-2011-4577
+
+  Major changes between OpenSSL 0.9.8q and OpenSSL 0.9.8r [8 Feb 2011]:
 
       o Fix for security issue CVE-2011-0014
 
-  Major changes between OpenSSL 0.9.8p and OpenSSL 0.9.8q:
+  Major changes between OpenSSL 0.9.8p and OpenSSL 0.9.8q [2 Dec 2010]:
 
       o Fix for security issue CVE-2010-4180
       o Fix for CVE-2010-4252
 
-  Major changes between OpenSSL 0.9.8o and OpenSSL 0.9.8p:
+  Major changes between OpenSSL 0.9.8o and OpenSSL 0.9.8p [16 Nov 2010]:
 
       o Fix for security issue CVE-2010-3864.
 
-  Major changes between OpenSSL 0.9.8n and OpenSSL 0.9.8o:
+  Major changes between OpenSSL 0.9.8n and OpenSSL 0.9.8o [1 Jun 2010]:
 
       o Fix for security issue CVE-2010-0742.
       o Various DTLS fixes.
@@ -72,12 +209,12 @@
       o Fix for no-rc4 compilation.
       o Chil ENGINE unload workaround.
 
-  Major changes between OpenSSL 0.9.8m and OpenSSL 0.9.8n:
+  Major changes between OpenSSL 0.9.8m and OpenSSL 0.9.8n [24 Mar 2010]:
 
       o CFB cipher definition fixes.
       o Fix security issues CVE-2010-0740 and CVE-2010-0433.
 
-  Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m:
+  Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m [25 Feb 2010]:
 
       o Cipher definition fixes.
       o Workaround for slow RAND_poll() on some WIN32 versions.
@@ -89,33 +226,33 @@
       o Ticket and SNI coexistence fixes.
       o Many fixes to DTLS handling. 
 
-  Major changes between OpenSSL 0.9.8k and OpenSSL 0.9.8l:
+  Major changes between OpenSSL 0.9.8k and OpenSSL 0.9.8l [5 Nov 2009]:
 
       o Temporary work around for CVE-2009-3555: disable renegotiation.
 
-  Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k:
+  Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k [25 Mar 2009]:
 
       o Fix various build issues.
       o Fix security issues (CVE-2009-0590, CVE-2009-0591, CVE-2009-0789)
 
-  Major changes between OpenSSL 0.9.8i and OpenSSL 0.9.8j:
+  Major changes between OpenSSL 0.9.8i and OpenSSL 0.9.8j [7 Jan 2009]:
 
       o Fix security issue (CVE-2008-5077)
       o Merge FIPS 140-2 branch code.
 
-  Major changes between OpenSSL 0.9.8g and OpenSSL 0.9.8h:
+  Major changes between OpenSSL 0.9.8g and OpenSSL 0.9.8h [28 May 2008]:
 
       o CryptoAPI ENGINE support.
       o Various precautionary measures.
       o Fix for bugs affecting certificate request creation.
       o Support for local machine keyset attribute in PKCS#12 files.
 
-  Major changes between OpenSSL 0.9.8f and OpenSSL 0.9.8g:
+  Major changes between OpenSSL 0.9.8f and OpenSSL 0.9.8g [19 Oct 2007]:
 
       o Backport of CMS functionality to 0.9.8.
       o Fixes for bugs introduced with 0.9.8f.
 
-  Major changes between OpenSSL 0.9.8e and OpenSSL 0.9.8f:
+  Major changes between OpenSSL 0.9.8e and OpenSSL 0.9.8f [11 Oct 2007]:
 
       o Add gcc 4.2 support.
       o Add support for AES and SSE2 assembly lanugauge optimization
@@ -126,23 +263,23 @@
       o RFC4507bis support.
       o TLS Extensions support.
 
-  Major changes between OpenSSL 0.9.8d and OpenSSL 0.9.8e:
+  Major changes between OpenSSL 0.9.8d and OpenSSL 0.9.8e [23 Feb 2007]:
 
       o Various ciphersuite selection fixes.
       o RFC3779 support.
 
-  Major changes between OpenSSL 0.9.8c and OpenSSL 0.9.8d:
+  Major changes between OpenSSL 0.9.8c and OpenSSL 0.9.8d [28 Sep 2006]:
 
       o Introduce limits to prevent malicious key DoS  (CVE-2006-2940)
       o Fix security issues (CVE-2006-2937, CVE-2006-3737, CVE-2006-4343)
       o Changes to ciphersuite selection algorithm
 
-  Major changes between OpenSSL 0.9.8b and OpenSSL 0.9.8c:
+  Major changes between OpenSSL 0.9.8b and OpenSSL 0.9.8c [5 Sep 2006]:
 
       o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339
       o New cipher Camellia
 
-  Major changes between OpenSSL 0.9.8a and OpenSSL 0.9.8b:
+  Major changes between OpenSSL 0.9.8a and OpenSSL 0.9.8b [4 May 2006]:
 
       o Cipher string fixes.
       o Fixes for VC++ 2005.
@@ -152,12 +289,12 @@
       o Built in dynamic engine compilation support on Win32.
       o Fixes auto dynamic engine loading in Win32.
 
-  Major changes between OpenSSL 0.9.8 and OpenSSL 0.9.8a:
+  Major changes between OpenSSL 0.9.8 and OpenSSL 0.9.8a [11 Oct 2005]:
 
       o Fix potential SSL 2.0 rollback, CVE-2005-2969
       o Extended Windows CE support
 
-  Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.8:
+  Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.8 [5 Jul 2005]:
 
       o Major work on the BIGNUM library for higher efficiency and to
         make operations more streamlined and less contradictory.  This
@@ -231,36 +368,36 @@
       o Added initial support for Win64.
       o Added alternate pkg-config files.
 
-  Major changes between OpenSSL 0.9.7l and OpenSSL 0.9.7m:
+  Major changes between OpenSSL 0.9.7l and OpenSSL 0.9.7m [23 Feb 2007]:
 
       o FIPS 1.1.1 module linking.
       o Various ciphersuite selection fixes.
 
-  Major changes between OpenSSL 0.9.7k and OpenSSL 0.9.7l:
+  Major changes between OpenSSL 0.9.7k and OpenSSL 0.9.7l [28 Sep 2006]:
 
       o Introduce limits to prevent malicious key DoS  (CVE-2006-2940)
       o Fix security issues (CVE-2006-2937, CVE-2006-3737, CVE-2006-4343)
 
-  Major changes between OpenSSL 0.9.7j and OpenSSL 0.9.7k:
+  Major changes between OpenSSL 0.9.7j and OpenSSL 0.9.7k [5 Sep 2006]:
 
       o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339
 
-  Major changes between OpenSSL 0.9.7i and OpenSSL 0.9.7j:
+  Major changes between OpenSSL 0.9.7i and OpenSSL 0.9.7j [4 May 2006]:
 
       o Visual C++ 2005 fixes.
       o Update Windows build system for FIPS.
 
-  Major changes between OpenSSL 0.9.7h and OpenSSL 0.9.7i:
+  Major changes between OpenSSL 0.9.7h and OpenSSL 0.9.7i [14 Oct 2005]:
 
       o Give EVP_MAX_MD_SIZE it's old value, except for a FIPS build.
 
-  Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h:
+  Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h [11 Oct 2005]:
 
       o Fix SSL 2.0 Rollback, CVE-2005-2969
       o Allow use of fixed-length exponent on DSA signing
       o Default fixed-window RSA, DSA, DH private-key operations
 
-  Major changes between OpenSSL 0.9.7f and OpenSSL 0.9.7g:
+  Major changes between OpenSSL 0.9.7f and OpenSSL 0.9.7g [11 Apr 2005]:
 
       o More compilation issues fixed.
       o Adaptation to more modern Kerberos API.
@@ -269,7 +406,7 @@
       o More constification.
       o Added processing of proxy certificates (RFC 3820).
 
-  Major changes between OpenSSL 0.9.7e and OpenSSL 0.9.7f:
+  Major changes between OpenSSL 0.9.7e and OpenSSL 0.9.7f [22 Mar 2005]:
 
       o Several compilation issues fixed.
       o Many memory allocation failure checks added.
@@ -277,12 +414,12 @@
       o Mandatory basic checks on certificates.
       o Performance improvements.
 
-  Major changes between OpenSSL 0.9.7d and OpenSSL 0.9.7e:
+  Major changes between OpenSSL 0.9.7d and OpenSSL 0.9.7e [25 Oct 2004]:
 
       o Fix race condition in CRL checking code.
       o Fixes to PKCS#7 (S/MIME) code.
 
-  Major changes between OpenSSL 0.9.7c and OpenSSL 0.9.7d:
+  Major changes between OpenSSL 0.9.7c and OpenSSL 0.9.7d [17 Mar 2004]:
 
       o Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug
       o Security: Fix null-pointer assignment in do_change_cipher_spec()
@@ -290,14 +427,14 @@
       o Multiple X509 verification fixes
       o Speed up HMAC and other operations
 
-  Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c:
+  Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c [30 Sep 2003]:
 
       o Security: fix various ASN1 parsing bugs.
       o New -ignore_err option to OCSP utility.
       o Various interop and bug fixes in S/MIME code.
       o SSL/TLS protocol fix for unrequested client certificates.
 
-  Major changes between OpenSSL 0.9.7a and OpenSSL 0.9.7b:
+  Major changes between OpenSSL 0.9.7a and OpenSSL 0.9.7b [10 Apr 2003]:
 
       o Security: counter the Klima-Pokorny-Rosa extension of
         Bleichbacher's attack 
@@ -308,7 +445,7 @@
       o ASN.1: treat domainComponent correctly.
       o Documentation: fixes and additions.
 
-  Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a:
+  Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a [19 Feb 2003]:
 
       o Security: Important security related bugfixes.
       o Enhanced compatibility with MIT Kerberos.
@@ -319,7 +456,7 @@
       o SSL/TLS: now handles manual certificate chain building.
       o SSL/TLS: certain session ID malfunctions corrected.
 
-  Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7:
+  Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7 [30 Dec 2002]:
 
       o New library section OCSP.
       o Complete rewrite of ASN1 code.
@@ -365,23 +502,23 @@
       o SSL/TLS: add callback to retrieve SSL/TLS messages.
       o SSL/TLS: support AES cipher suites (RFC3268).
 
-  Major changes between OpenSSL 0.9.6j and OpenSSL 0.9.6k:
+  Major changes between OpenSSL 0.9.6j and OpenSSL 0.9.6k [30 Sep 2003]:
 
       o Security: fix various ASN1 parsing bugs.
       o SSL/TLS protocol fix for unrequested client certificates.
 
-  Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j:
+  Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j [10 Apr 2003]:
 
       o Security: counter the Klima-Pokorny-Rosa extension of
         Bleichbacher's attack 
       o Security: make RSA blinding default.
       o Build: shared library support fixes.
 
-  Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i:
+  Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i [19 Feb 2003]:
 
       o Important security related bugfixes.
 
-  Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h:
+  Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h [5 Dec 2002]:
 
       o New configuration targets for Tandem OSS and A/UX.
       o New OIDs for Microsoft attributes.
@@ -395,25 +532,25 @@
       o Fixes for smaller building problems.
       o Updates of manuals, FAQ and other instructive documents.
 
-  Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g:
+  Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g [9 Aug 2002]:
 
       o Important building fixes on Unix.
 
-  Major changes between OpenSSL 0.9.6e and OpenSSL 0.9.6f:
+  Major changes between OpenSSL 0.9.6e and OpenSSL 0.9.6f [8 Aug 2002]:
 
       o Various important bugfixes.
 
-  Major changes between OpenSSL 0.9.6d and OpenSSL 0.9.6e:
+  Major changes between OpenSSL 0.9.6d and OpenSSL 0.9.6e [30 Jul 2002]:
 
       o Important security related bugfixes.
       o Various SSL/TLS library bugfixes.
 
-  Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d:
+  Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d [9 May 2002]:
 
       o Various SSL/TLS library bugfixes.
       o Fix DH parameter generation for 'non-standard' generators.
 
-  Major changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c:
+  Major changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c [21 Dec 2001]:
 
       o Various SSL/TLS library bugfixes.
       o BIGNUM library fixes.
@@ -426,7 +563,7 @@
         Broadcom and Cryptographic Appliance's keyserver
         [in 0.9.6c-engine release].
 
-  Major changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b:
+  Major changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b [9 Jul 2001]:
 
       o Security fix: PRNG improvements.
       o Security fix: RSA OAEP check.
@@ -443,7 +580,7 @@
       o Increase default size for BIO buffering filter.
       o Compatibility fixes in some scripts.
 
-  Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.6a:
+  Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.6a [5 Apr 2001]:
 
       o Security fix: change behavior of OpenSSL to avoid using
         environment variables when running as root.
@@ -468,7 +605,7 @@
       o New function BN_rand_range().
       o Add "-rand" option to openssl s_client and s_server.
 
-  Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6:
+  Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6 [10 Oct 2000]:
 
       o Some documentation for BIO and SSL libraries.
       o Enhanced chain verification using key identifiers.
@@ -483,7 +620,7 @@
     [1] The support for external crypto devices is currently a separate
         distribution.  See the file README.ENGINE.
 
-  Major changes between OpenSSL 0.9.5 and OpenSSL 0.9.5a:
+  Major changes between OpenSSL 0.9.5 and OpenSSL 0.9.5a [1 Apr 2000]:
 
       o Bug fixes for Win32, SuSE Linux, NeXTSTEP and FreeBSD 2.2.8 
       o Shared library support for HPUX and Solaris-gcc
@@ -492,7 +629,7 @@
       o New 'rand' application
       o New way to check for existence of algorithms from scripts
 
-  Major changes between OpenSSL 0.9.4 and OpenSSL 0.9.5:
+  Major changes between OpenSSL 0.9.4 and OpenSSL 0.9.5 [25 May 2000]:
 
       o S/MIME support in new 'smime' command
       o Documentation for the OpenSSL command line application
@@ -528,7 +665,7 @@
       o Enhanced support for Alpha Linux
       o Experimental MacOS support
 
-  Major changes between OpenSSL 0.9.3 and OpenSSL 0.9.4:
+  Major changes between OpenSSL 0.9.3 and OpenSSL 0.9.4 [9 Aug 1999]:
 
       o Transparent support for PKCS#8 format private keys: these are used
         by several software packages and are more secure than the standard
@@ -539,7 +676,7 @@
       o New pipe-like BIO that allows using the SSL library when actual I/O
         must be handled by the application (BIO pair)
 
-  Major changes between OpenSSL 0.9.2b and OpenSSL 0.9.3:
+  Major changes between OpenSSL 0.9.2b and OpenSSL 0.9.3 [24 May 1999]:
       o Lots of enhancements and cleanups to the Configuration mechanism
       o RSA OEAP related fixes
       o Added `openssl ca -revoke' option for revoking a certificate
@@ -553,7 +690,7 @@
       o Sparc assembler bignum implementation, optimized hash functions
       o Option to disable selected ciphers
 
-  Major changes between OpenSSL 0.9.1c and OpenSSL 0.9.2b:
+  Major changes between OpenSSL 0.9.1c and OpenSSL 0.9.2b [22 Mar 1999]:
       o Fixed a security hole related to session resumption
       o Fixed RSA encryption routines for the p < q case
       o "ALL" in cipher lists now means "everything except NULL ciphers"
@@ -575,7 +712,7 @@
       o Lots of memory leak fixes.
       o Lots of bug fixes.
 
-  Major changes between SSLeay 0.9.0b and OpenSSL 0.9.1c:
+  Major changes between SSLeay 0.9.0b and OpenSSL 0.9.1c [23 Dec 1998]:
       o Integration of the popular NO_RSA/NO_DSA patches
       o Initial support for compression inside the SSL record layer
       o Added BIO proxy and filtering functionality

PROBLEMS

@@ -197,3 +197,17 @@ reconfigure with additional no-sse2 [or 386] option passed to ./config.
 We don't have framework to associate -ldl with no-dso, therefore the only
 way is to edit Makefile right after ./config no-dso and remove -ldl from
 EX_LIBS line.
+
+* hpux-parisc2-cc no-asm build fails with SEGV in ECDSA/DH.
+
+Compiler bug, presumably at particular patch level. Remaining
+hpux*-parisc*-cc configurations can be affected too. Drop optimization
+level to +O2 when compiling bn_nist.o.
+
+* solaris64-sparcv9-cc link failure
+
+Solaris 8 ar can fail to maintain symbol table in .a, which results in
+link failures. Apply 109147-09 or later or modify Makefile generated
+by ./Configure solaris64-sparcv9-cc and replace RANLIB assignment with
+
+	RANLIB= /usr/ccs/bin/ar rs

README

@@ -1,5 +1,5 @@
 
- OpenSSL 1.1.0-dev
+ OpenSSL 1.0.1h 5 Jun 2014
 
  Copyright (c) 1998-2011 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
@@ -190,7 +190,7 @@
  reason as to why that feature isn't implemented.
 
  Patches should be as up to date as possible, preferably relative to the
- current CVS or the last snapshot. They should follow the coding style of
+ current Git or the last snapshot. They should follow the coding style of
  OpenSSL and compile without warnings. Some of the core team developer targets
  can be used for testing purposes, (debug-steve64, debug-geoff etc). OpenSSL
  compiles on many varied platforms: try to ensure you only use portable

README.ECC

@@ -1,61 +0,0 @@
-NOTE: The OpenSSL Software Foundation has executed a sublicense agreement
-entitled "Elliptic Curve Cryptography Patent License Agreement" with the
-National Security Agency/ Central Security Service Commercial Solutions
-Center (NCSC) dated 2010-11-04. That agreement permits implementation and
-distribution of software containing features covered by any or all of the
-following patents:
-
-1.) U.S. Pat. No. 5,761,305 entitled "Key Agreement and Transport Protocol 
-    with Implicit Signatures" issued on June 2, 1998;
-2.) Can. Pat. Appl. Ser. No. 2176972 entitled "Key Agreement and Transport 
-    Protocol with Implicit Signature and Reduced Bandwidth" filed on May 
-    16, 1996;
-3.) U.S. Pat. No. 5,889,865 entitled "Key Agreement and Transport Protocol 
-    with Implicit Signatures" issued on March 30, 1999;
-4.) U.S. Pat. No. 5,896,455 entitled "Key Agreement and Transport Protocol 
-    with Implicit Signatures" issued on April 20, 1999;
-5.) U.S. Pat. No. 5,933,504 entitled "Strengthened Public Key Protocol" 
-    issued on August 3, 1999;
-6.) Can. Pat. Appl. Ser. No. 2176866 entitled "Strengthened Public Key 
-    Protocol" filed on May 17, 1996;
-7.) E.P. Pat. Appl. Ser. No. 96201322.3 entitled "Strengthened Public Key 
-    Protocol" filed on May 17, 1996;
-8.) U.S. Pat. No. 5,999,626 entitled "Digital Signatures on a Smartcard" 
-    issued on December 7, 1999;
-9.) Can. Pat. Appl. Ser. No. 2202566 entitled "Digital Signatures on a 
-    Smartcard" filed on April 14, 1997;
-10.) E.P. Pat. Appl. No. 97106114.8 entitled "Digital Signatures on a 
-     Smartcard" filed on April 15, 1997;
-11.) U.S Pat. No. 6,122,736 entitled "Key Agreement and Transport Protocol 
-     with Implicit Signatures" issued on September 19, 2000;
-12.) Can. Pat. Appl. Ser. No. 2174261 entitled "Key Agreement and Transport 
-     Protocol with Implicit Signatures" filed on April 16, 1996;
-13.) E.P. Pat. Appl. Ser. No. 96105920.1 entitled "Key Agreement and 
-     Transport Protocol with Implicit Signatures" filed on April 16, 1996;
-14.) U.S. Pat. No. 6,141,420 entitled "Elliptic Curve Encryption Systems" 
-     issued on October 31, 2000;
-15.) Can. Pat. Appl. Ser. No. 2155038 entitled "Elliptic Curve Encryption 
-     Systems" filed on July 31, 1995;
-16.) E.P. Pat. Appl. Ser. No. 95926348.4 entitled "Elliptic Curve Encryption 
-     Systems" filed on July 31, 1995;
-17.) U.S. Pat. No. 6,336,188 entitled "Authenticated Key Agreement" issued 
-     on January 1, 2002;
-18.) U.S. Pat. No. 6,487,661 entitled "Key Agreement and Transport Protocol" 
-     issued on November 26, 2002;
-19.) Can. Pat. Appl. Ser. No. 2174260 entitled "Key Agreement and Transport 
-     Protocol" filed on April 16, 1996;
-20.) E.P. Pat. Appl. Ser. No. 96105921.9 entitled "Key Agreement and 
-     Transport Protocol" filed on April 21, 1996;
-21.) U.S. Pat. No. 6,563,928 entitled "Strengthened Public Key Protocol" 
-     issued on May 13, 2003;
-22.) U.S. Pat. No. 6,618,483 entitled "Elliptic Curve Encryption Systems" 
-     issued September 9, 2003;
-23.) U.S. Pat. Appl. Ser. No. 09/434,247 entitled "Digital Signatures on a 
-     Smartcard" filed on November 5, 1999;
-24.) U.S. Pat. Appl. Ser. No. 09/558,256 entitled "Key Agreement and 
-     Transport Protocol with Implicit Signatures" filed on April 25, 2000;
-25.) U.S. Pat. Appl. Ser. No. 09/942,492 entitled "Digital Signatures on a 
-     Smartcard" filed on August 29, 2001 and published on July 18, 2002; and,
-26.) U.S. Pat. Appl. Ser. No. 10/185,735 entitled "Strengthened Public Key 
-     Protocol" filed on July 1, 2000.
-

README.FIPS

@@ -1,130 +0,0 @@
-Preliminary status and build information for FIPS module v2.0 
-
-NB: if you are cross compiling you now need to use the latest "incore" script
-this can be found at util/incore in the tarballs.
-
-If you have any object files from a previous build do:
-
-make clean
-
-To build the module do:
-
-./config fipscanisteronly
-make
-
-Build should complete without errors.
-
-Build test utilities:
-
-make build_tests
-
-Run test suite:
-
-test/fips_test_suite
-
-again should complete without errors.
-
-Run test vectors: 
-
-1. Download an appropriate set of testvectors from www.openssl.org/docs/fips
-   only the fips-2.0 testvector files are usable for complete tests.
-
-2. Extract the files to a suitable directory.
-
-3. Run the test vector perl script, for example:
-
-   cd fips
-   perl fipsalgtest.pl --dir=/wherever/stuff/was/extracted
-
-4. It should say "passed all tests" at the end. Report full details of any
-   failures.
-
-If you wish to use the older 1.2.x testvectors (for example those from 2007)
-you need the command line switch --disable-v2 to fipsalgtest.pl
-
-Examine the external symbols in fips/fipscanister.o they should all begin
-with FIPS or fips. One way to check with GNU nm is:
-
-	nm -g --defined-only fips/fipscanister.o | grep -v -i fips
-
-If you get *any* output at all from this test (i.e. symbols not starting with
-fips or FIPS) please report it.
-
-Restricted tarball tests.
-
-The validated module will have its own tarball containing sufficient code to
-build fipscanister.o and the associated algorithm tests. You can create a
-similar tarball yourself for testing purposes using the commands below.
-
-Standard restricted tarball:
-
-make -f Makefile.fips dist
-
-Prime field field only ECC tarball:
-
-make NOEC2M=1 -f Makefile.fips dist
-
-Once you've created the tarball extract into a fresh directory and do:
-
-./config
-make
-
-You can then run the algorithm tests as above. This build automatically uses
-fipscanisterbuild and no-ec2m as appropriate.
-
-FIPS capable OpenSSL test: WARNING PRELIMINARY INSTRUCTIONS, SUBJECT TO CHANGE.
-
-At least initially the test module and FIPS capable OpenSSL may change and
-by out of sync. You are advised to check for any changes and pull the latest
-source from CVS if you have problems. See anon CVS and rsync instructions at:
-
-http://www.openssl.org/source/repos.html
-
-Make or download a restricted tarball from ftp://ftp.openssl.org/snapshot/
-
-If required set the environment variable FIPSDIR to an appropriate location
-to install the test module. If cross compiling set other environment
-variables too.
-
-In this restricted tarball on a Linux or U*ix like system run:
-
-./config
-make
-make install
-
-On Windows from a VC++ environment do:
-
-ms\do_fips
-
-This will build and install the test module and some associated files.
-
-Now download the latest version of the OpenSSL 1.0.1 branch from either a
-snapshot or preferably CVS. For Linux do:
-
-./config fips [other args]
-make
-
-For Windows:
-
-perl Configure VC-WIN32 fips [other args]
-ms\do_nasm
-nmake -f ms\ntdll.mak
-
-(or ms\nt.mak for a static build).
-
-Where [other args] can be any other arguments you use for an OpenSSL build
-such as "shared" or "zlib".
-
-This will build the fips capable OpenSSL and link it to the test module. You
-can now try linking and testing applications against the FIPS capable OpenSSL.
-
-Please report any problems to either the openssl-dev mailing list or directly
-to me steve@openssl.org . Check the mailing lists regularly to avoid duplicate
-reports.
-
-Known issues:
-
-Code needs extensively reviewing to ensure it builds correctly on 
-supported platforms and is compliant with FIPS 140-2.
-The "FIPS capable OpenSSL" is still largely untested, it builds and runs
-some simple tests OK on some systems but needs far more "real world" testing.

STATUS

@@ -1,148 +0,0 @@
-
-  OpenSSL STATUS                           Last modified at
-  ______________                           $Date: 2011/02/08 17:48:56 $
-
-  DEVELOPMENT STATE
-
-    o  OpenSSL 1.1.0:  Under development...
-    o  OpenSSL 1.0.1:  Under development...
-    o  OpenSSL 1.0.0d: Released on February   8nd, 2011
-    o  OpenSSL 1.0.0c: Released on December   2nd, 2010
-    o  OpenSSL 1.0.0b: Released on November  16th, 2010
-    o  OpenSSL 1.0.0a: Released on June      1st,  2010
-    o  OpenSSL 1.0.0:  Released on March     29th, 2010
-    o  OpenSSL 0.9.8r: Released on February   8nd, 2011
-    o  OpenSSL 0.9.8q: Released on December   2nd, 2010
-    o  OpenSSL 0.9.8p: Released on November  16th, 2010
-    o  OpenSSL 0.9.8o: Released on June       1st, 2010
-    o  OpenSSL 0.9.8n: Released on March     24th, 2010
-    o  OpenSSL 0.9.8m: Released on February  25th, 2010
-    o  OpenSSL 0.9.8l: Released on November   5th, 2009
-    o  OpenSSL 0.9.8k: Released on March     25th, 2009
-    o  OpenSSL 0.9.8j: Released on January    7th, 2009
-    o  OpenSSL 0.9.8i: Released on September 15th, 2008
-    o  OpenSSL 0.9.8h: Released on May       28th, 2008
-    o  OpenSSL 0.9.8g: Released on October   19th, 2007
-    o  OpenSSL 0.9.8f: Released on October   11th, 2007
-    o  OpenSSL 0.9.8e: Released on February  23rd, 2007
-    o  OpenSSL 0.9.8d: Released on September 28th, 2006
-    o  OpenSSL 0.9.8c: Released on September  5th, 2006
-    o  OpenSSL 0.9.8b: Released on May        4th, 2006
-    o  OpenSSL 0.9.8a: Released on October   11th, 2005
-    o  OpenSSL 0.9.8:  Released on July       5th, 2005
-    o  OpenSSL 0.9.7m: Released on February  23rd, 2007
-    o  OpenSSL 0.9.7l: Released on September 28th, 2006
-    o  OpenSSL 0.9.7k: Released on September  5th, 2006
-    o  OpenSSL 0.9.7j: Released on May        4th, 2006
-    o  OpenSSL 0.9.7i: Released on October   14th, 2005
-    o  OpenSSL 0.9.7h: Released on October   11th, 2005
-    o  OpenSSL 0.9.7g: Released on April     11th, 2005
-    o  OpenSSL 0.9.7f: Released on March     22nd, 2005
-    o  OpenSSL 0.9.7e: Released on October   25th, 2004
-    o  OpenSSL 0.9.7d: Released on March     17th, 2004
-    o  OpenSSL 0.9.7c: Released on September 30th, 2003
-    o  OpenSSL 0.9.7b: Released on April     10th, 2003
-    o  OpenSSL 0.9.7a: Released on February  19th, 2003
-    o  OpenSSL 0.9.7:  Released on December  31st, 2002
-    o  OpenSSL 0.9.6m: Released on March     17th, 2004
-    o  OpenSSL 0.9.6l: Released on November   4th, 2003
-    o  OpenSSL 0.9.6k: Released on September 30th, 2003
-    o  OpenSSL 0.9.6j: Released on April     10th, 2003
-    o  OpenSSL 0.9.6i: Released on February  19th, 2003
-    o  OpenSSL 0.9.6h: Released on December   5th, 2002
-    o  OpenSSL 0.9.6g: Released on August     9th, 2002
-    o  OpenSSL 0.9.6f: Released on August     8th, 2002
-    o  OpenSSL 0.9.6e: Released on July      30th, 2002
-    o  OpenSSL 0.9.6d: Released on May        9th, 2002
-    o  OpenSSL 0.9.6c: Released on December  21st, 2001
-    o  OpenSSL 0.9.6b: Released on July       9th, 2001
-    o  OpenSSL 0.9.6a: Released on April      5th, 2001
-    o  OpenSSL 0.9.6:  Released on September 24th, 2000
-    o  OpenSSL 0.9.5a: Released on April      1st, 2000
-    o  OpenSSL 0.9.5:  Released on February  28th, 2000
-    o  OpenSSL 0.9.4:  Released on August    09th, 1999
-    o  OpenSSL 0.9.3a: Released on May       29th, 1999
-    o  OpenSSL 0.9.3:  Released on May       25th, 1999
-    o  OpenSSL 0.9.2b: Released on March     22th, 1999
-    o  OpenSSL 0.9.1c: Released on December  23th, 1998
-
-  [See also http://www.openssl.org/support/rt.html]
-
-  RELEASE SHOWSTOPPERS
-
-    o The Makefiles fail with some SysV makes.
-    o 
-
-  AVAILABLE PATCHES
-
-    o 
-
-  IN PROGRESS
-
-    o Steve is currently working on (in no particular order):
-        ASN1 code redesign, butchery, replacement.
-        OCSP
-        EVP cipher enhancement.
-        Enhanced certificate chain verification.
-	Private key, certificate and CRL API and implementation.
-	Developing and bugfixing PKCS#7 (S/MIME code).
-        Various X509 issues: character sets, certificate request extensions.
-    o Richard is currently working on:
-	Constification
-	Attribute Certificate support
-	Certificate Pair support
-	Storage Engines (primarly an LDAP storage engine)
-	Certificate chain validation with full RFC 3280 compatibility
-
-  NEEDS PATCH
-
-    o  0.9.8-dev: COMPLEMENTOFALL and COMPLEMENTOFDEFAULT do not
-       handle ECCdraft cipher suites correctly.
-
-    o  apps/ca.c: "Sign the certificate?" - "n" creates empty certificate file
-
-    o  "OpenSSL STATUS" is never up-to-date.
-
-  OPEN ISSUES
-
-    o  The Makefile hierarchy and build mechanism is still not a round thing:
-
-       1. The config vs. Configure scripts
-          It's the same nasty situation as for Apache with APACI vs.
-          src/Configure. It confuses.
-          Suggestion: Merge Configure and config into a single configure
-                      script with a Autoconf style interface ;-) and remove
-                      Configure and config. Or even let us use GNU Autoconf
-                      itself. Then we can avoid a lot of those platform checks
-                      which are currently in Configure.
-
-    o  Support for Shared Libraries has to be added at least
-       for the major Unix platforms. The details we can rip from the stuff
-       Ralf has done for the Apache src/Configure script. Ben wants the
-       solution to be really simple.
-
-       Status: Ralf will look how we can easily incorporate the
-               compiler PIC and linker DSO flags from Apache
-               into the OpenSSL Configure script.
-
-               Ulf: +1 for using GNU autoconf and libtool (but not automake,
-                    which apparently is not flexible enough to generate
-                    libcrypto)
-
-  WISHES
-
-    o  Add variants of DH_generate_parameters() and BN_generate_prime() [etc?]
-       where the callback function can request that the function be aborted.
-       [Gregory Stark <ghstark@pobox.com>, <rayyang2000@yahoo.com>]
-
-    o  SRP in TLS.
-       [wished by:
-        Dj <derek@yo.net>, Tom Wu <tom@arcot.com>,
-        Tom Holroyd <tomh@po.crl.go.jp>]
-
-       See http://search.ietf.org/internet-drafts/draft-ietf-tls-srp-00.txt
-       as well as http://www-cs-students.stanford.edu/~tjw/srp/.
-
-       Tom Holroyd tells us there is a SRP patch for OpenSSH at
-       http://members.tripod.com/professor_tom/archives/, that could
-       be useful.

TABLE

@@ -253,7 +253,7 @@ $rc5_obj      = rc5-586.o
 $wp_obj       = wp_block.o wp-mmx.o
 $cmll_obj     = cmll-x86.o
 $modes_obj    = ghash-x86.o
-$engines_obj  = e_padlock-x86.o
+$engines_obj  = 
 $perlasm_scheme = a.out
 $dso_scheme   = dlfcn
 $shared_target= bsd-shared
@@ -286,7 +286,7 @@ $rc5_obj      = rc5-586.o
 $wp_obj       = wp_block.o wp-mmx.o
 $cmll_obj     = cmll-x86.o
 $modes_obj    = ghash-x86.o
-$engines_obj  = e_padlock-x86.o
+$engines_obj  = 
 $perlasm_scheme = elf
 $dso_scheme   = dlfcn
 $shared_target= bsd-shared
@@ -319,7 +319,7 @@ $rc5_obj      =
 $wp_obj       = wp-x86_64.o
 $cmll_obj     = cmll-x86_64.o cmll_misc.o
 $modes_obj    = ghash-x86_64.o
-$engines_obj  = e_padlock-x86_64.o
+$engines_obj  = 
 $perlasm_scheme = elf
 $dso_scheme   = dlfcn
 $shared_target= bsd-gcc-shared
@@ -352,7 +352,7 @@ $rc5_obj      = rc5-586.o
 $wp_obj       = wp_block.o wp-mmx.o
 $cmll_obj     = cmll-x86.o
 $modes_obj    = ghash-x86.o
-$engines_obj  = e_padlock-x86.o
+$engines_obj  = 
 $perlasm_scheme = coff
 $dso_scheme   = dlfcn
 $shared_target= cygwin-shared
@@ -418,7 +418,7 @@ $rc5_obj      = rc5-586.o
 $wp_obj       = wp_block.o wp-mmx.o
 $cmll_obj     = cmll-x86.o
 $modes_obj    = ghash-x86.o
-$engines_obj  = e_padlock-x86.o
+$engines_obj  = 
 $perlasm_scheme = a.out
 $dso_scheme   = 
 $shared_target= 
@@ -583,7 +583,7 @@ $rc5_obj      = rc5-586.o
 $wp_obj       = wp_block.o wp-mmx.o
 $cmll_obj     = cmll-x86.o
 $modes_obj    = ghash-x86.o
-$engines_obj  = e_padlock-x86.o
+$engines_obj  = 
 $perlasm_scheme = elf
 $dso_scheme   = dlfcn
 $shared_target= bsd-gcc-shared
@@ -781,7 +781,7 @@ $rc5_obj      = rc5-586.o
 $wp_obj       = wp_block.o wp-mmx.o
 $cmll_obj     = cmll-x86.o
 $modes_obj    = ghash-x86.o
-$engines_obj  = e_padlock-x86.o
+$engines_obj  = 
 $perlasm_scheme = win32n
 $dso_scheme   = win32
 $shared_target= 
@@ -814,7 +814,7 @@ $rc5_obj      =
 $wp_obj       = wp-x86_64.o
 $cmll_obj     = cmll-x86_64.o cmll_misc.o
 $modes_obj    = ghash-x86_64.o
-$engines_obj  = e_padlock-x86_64.o
+$engines_obj  = 
 $perlasm_scheme = auto
 $dso_scheme   = win32
 $shared_target= 
@@ -862,7 +862,7 @@ $multilib     =
 $cc           = cc
 $cflags       = -q32 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst
 $unistd       = 
-$thread_cflag = -qthreaded
+$thread_cflag = -qthreaded -D_THREAD_SAFE
 $sys_id       = AIX
 $lflags       = 
 $bn_ops       = BN_LLONG RC4_CHAR
@@ -961,7 +961,7 @@ $multilib     =
 $cc           = cc
 $cflags       = -q64 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst
 $unistd       = 
-$thread_cflag = -qthreaded
+$thread_cflag = -qthreaded -D_THREAD_SAFE
 $sys_id       = AIX
 $lflags       = 
 $bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHAR
@@ -1111,7 +1111,7 @@ $rc5_obj      = rc5-586.o
 $wp_obj       = wp_block.o wp-mmx.o
 $cmll_obj     = cmll-x86.o
 $modes_obj    = ghash-x86.o
-$engines_obj  = e_padlock-x86.o
+$engines_obj  = 
 $perlasm_scheme = android
 $dso_scheme   = dlfcn
 $shared_target= linux-shared
@@ -1177,7 +1177,7 @@ $rc5_obj      = rc5-586.o
 $wp_obj       = wp_block.o wp-mmx.o
 $cmll_obj     = cmll-x86.o
 $modes_obj    = ghash-x86.o
-$engines_obj  = e_padlock-x86.o
+$engines_obj  = 
 $perlasm_scheme = elf
 $dso_scheme   = beos
 $shared_target= beos-shared
@@ -1210,7 +1210,7 @@ $rc5_obj      = rc5-586.o
 $wp_obj       = wp_block.o wp-mmx.o
 $cmll_obj     = cmll-x86.o
 $modes_obj    = ghash-x86.o
-$engines_obj  = e_padlock-x86.o
+$engines_obj  = 
 $perlasm_scheme = elf
 $dso_scheme   = beos
 $shared_target= beos-shared
@@ -1243,7 +1243,7 @@ $rc5_obj      = rc5-586.o
 $wp_obj       = wp_block.o wp-mmx.o
 $cmll_obj     = cmll-x86.o
 $modes_obj    = ghash-x86.o
-$engines_obj  = e_padlock-x86.o
+$engines_obj  = 
 $perlasm_scheme = elf
 $dso_scheme   = dlfcn
 $shared_target= bsd-gcc-shared
@@ -1368,14 +1368,14 @@ $aes_obj      = aes-586.o vpaes-x86.o aesni-x86.o
 $bf_obj       = bf-586.o
 $md5_obj      = md5-586.o
 $sha1_obj     = sha1-586.o sha256-586.o sha512-586.o
-$cast_obj     = cast-586.o
+$cast_obj     = 
 $rc4_obj      = rc4-586.o
 $rmd160_obj   = rmd-586.o
 $rc5_obj      = rc5-586.o
 $wp_obj       = wp_block.o wp-mmx.o
 $cmll_obj     = cmll-x86.o
 $modes_obj    = ghash-x86.o
-$engines_obj  = e_padlock-x86.o
+$engines_obj  = 
 $perlasm_scheme = macosx
 $dso_scheme   = dlfcn
 $shared_target= darwin-shared
@@ -1468,13 +1468,13 @@ $bf_obj       =
 $md5_obj      = md5-x86_64.o
 $sha1_obj     = sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o
 $cast_obj     = 
-$rc4_obj      = rc4-x86_64.o rc4-md5-x86_64.o
+$rc4_obj      = 
 $rmd160_obj   = 
 $rc5_obj      = 
 $wp_obj       = wp-x86_64.o
 $cmll_obj     = cmll-x86_64.o cmll_misc.o
 $modes_obj    = ghash-x86_64.o
-$engines_obj  = e_padlock-x86_64.o
+$engines_obj  = 
 $perlasm_scheme = macosx
 $dso_scheme   = dlfcn
 $shared_target= darwin-shared
@@ -1540,7 +1540,7 @@ $rc5_obj      = rc5-586.o
 $wp_obj       = wp_block.o wp-mmx.o
 $cmll_obj     = cmll-x86.o
 $modes_obj    = ghash-x86.o
-$engines_obj  = e_padlock-x86.o
+$engines_obj  = 
 $perlasm_scheme = elf
 $dso_scheme   = dlfcn
 $shared_target= bsd-shared
@@ -1586,7 +1586,7 @@ $multilib     =
 
 *** debug-VC-WIN32
 $cc           = cl
-$cflags       = -W3 -WX -Gs0 -GF -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE
+$cflags       = -W3 -Gs0 -GF -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE
 $unistd       = 
 $thread_cflag = 
 $sys_id       = WIN32
@@ -1606,7 +1606,7 @@ $rc5_obj      = rc5-586.o
 $wp_obj       = wp_block.o wp-mmx.o
 $cmll_obj     = cmll-x86.o
 $modes_obj    = ghash-x86.o
-$engines_obj  = e_padlock-x86.o
+$engines_obj  = 
 $perlasm_scheme = win32n
 $dso_scheme   = win32
 $shared_target= 
@@ -1639,7 +1639,7 @@ $rc5_obj      =
 $wp_obj       = wp-x86_64.o
 $cmll_obj     = cmll-x86_64.o cmll_misc.o
 $modes_obj    = ghash-x86_64.o
-$engines_obj  = e_padlock-x86_64.o
+$engines_obj  = 
 $perlasm_scheme = auto
 $dso_scheme   = win32
 $shared_target= 
@@ -1716,9 +1716,141 @@ $ranlib       =
 $arflags      = 
 $multilib     = 
 
+*** debug-ben-darwin64
+$cc           = cc
+$cflags       = -Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED -Wno-language-extension-token -Wno-extended-offsetof -arch x86_64 -O3 -DL_ENDIAN -Wall
+$unistd       = 
+$thread_cflag = -D_REENTRANT
+$sys_id       = MACOSX
+$lflags       = -Wl,-search_paths_first%
+$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL
+$cpuid_obj    = x86_64cpuid.o
+$bn_obj       = x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o modexp512-x86_64.o
+$des_obj      = 
+$aes_obj      = aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o
+$bf_obj       = 
+$md5_obj      = md5-x86_64.o
+$sha1_obj     = sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$wp_obj       = wp-x86_64.o
+$cmll_obj     = cmll-x86_64.o cmll_misc.o
+$modes_obj    = ghash-x86_64.o
+$engines_obj  = 
+$perlasm_scheme = macosx
+$dso_scheme   = dlfcn
+$shared_target= darwin-shared
+$shared_cflag = -fPIC -fno-common
+$shared_ldflag = -arch x86_64 -dynamiclib
+$shared_extension = .$(SHLIB_MAJOR).$(SHLIB_MINOR).dylib
+$ranlib       = 
+$arflags      = 
+$multilib     = 
+
 *** debug-ben-debug
+$cc           = gcc44
+$cflags       = -Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O2 -pipe
+$unistd       = 
+$thread_cflag = (unknown)
+$sys_id       = 
+$lflags       = 
+$bn_ops       = 
+$cpuid_obj    = 
+$bn_obj       = 
+$des_obj      = 
+$aes_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$wp_obj       = 
+$cmll_obj     = 
+$modes_obj    = 
+$engines_obj  = 
+$perlasm_scheme = 
+$dso_scheme   = 
+$shared_target= 
+$shared_cflag = 
+$shared_ldflag = 
+$shared_extension = 
+$ranlib       = 
+$arflags      = 
+$multilib     = 
+
+*** debug-ben-debug-64
 $cc           = gcc
-$cflags       = -Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -g3 -O2 -pipe
+$cflags       = -Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED -Wno-error=overlength-strings -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe
+$unistd       = 
+$thread_cflag = -pthread -D_THREAD_SAFE -D_REENTRANT
+$sys_id       = 
+$lflags       = 
+$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL
+$cpuid_obj    = x86_64cpuid.o
+$bn_obj       = x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o modexp512-x86_64.o
+$des_obj      = 
+$aes_obj      = aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o
+$bf_obj       = 
+$md5_obj      = md5-x86_64.o
+$sha1_obj     = sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o
+$cast_obj     = 
+$rc4_obj      = rc4-x86_64.o rc4-md5-x86_64.o
+$rmd160_obj   = 
+$rc5_obj      = 
+$wp_obj       = wp-x86_64.o
+$cmll_obj     = cmll-x86_64.o cmll_misc.o
+$modes_obj    = ghash-x86_64.o
+$engines_obj  = 
+$perlasm_scheme = elf
+$dso_scheme   = dlfcn
+$shared_target= bsd-gcc-shared
+$shared_cflag = -fPIC
+$shared_ldflag = 
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
+$ranlib       = 
+$arflags      = 
+$multilib     = 
+
+*** debug-ben-macos
+$cc           = cc
+$cflags       = -Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED -arch i386 -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -O3 -DL_ENDIAN -g3 -pipe
+$unistd       = 
+$thread_cflag = (unknown)
+$sys_id       = 
+$lflags       = -Wl,-search_paths_first
+$bn_ops       = 
+$cpuid_obj    = 
+$bn_obj       = 
+$des_obj      = 
+$aes_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$wp_obj       = 
+$cmll_obj     = 
+$modes_obj    = 
+$engines_obj  = 
+$perlasm_scheme = 
+$dso_scheme   = 
+$shared_target= 
+$shared_cflag = 
+$shared_ldflag = 
+$shared_extension = 
+$ranlib       = 
+$arflags      = 
+$multilib     = 
+
+*** debug-ben-macos-gcc46
+$cc           = gcc-mp-4.6
+$cflags       = -Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED -Wconversion -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -O3 -DL_ENDIAN -g3 -pipe
 $unistd       = 
 $thread_cflag = (unknown)
 $sys_id       = 
@@ -1883,7 +2015,7 @@ $multilib     =
 
 *** debug-bodo
 $cc           = gcc
-$cflags       = -Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED -DBN_DEBUG -DBN_DEBUG_RAND -DCONF_DEBUG -DBIO_PAIR_DEBUG -m64 -DL_ENDIAN -DTERMIO -g -DMD32_REG_T=int
+$cflags       = -Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED -Wno-error=overlength-strings -DBN_DEBUG -DBN_DEBUG_RAND -DCONF_DEBUG -DBIO_PAIR_DEBUG -m64 -DL_ENDIAN -DTERMIO -g -DMD32_REG_T=int
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -1903,7 +2035,7 @@ $rc5_obj      =
 $wp_obj       = wp-x86_64.o
 $cmll_obj     = cmll-x86_64.o cmll_misc.o
 $modes_obj    = ghash-x86_64.o
-$engines_obj  = e_padlock-x86_64.o
+$engines_obj  = 
 $perlasm_scheme = elf
 $dso_scheme   = dlfcn
 $shared_target= linux-shared
@@ -1936,7 +2068,7 @@ $rc5_obj      = rc5-586.o
 $wp_obj       = wp_block.o wp-mmx.o
 $cmll_obj     = cmll-x86.o
 $modes_obj    = ghash-x86.o
-$engines_obj  = e_padlock-x86.o
+$engines_obj  = 
 $perlasm_scheme = macosx
 $dso_scheme   = dlfcn
 $shared_target= darwin-shared
@@ -2048,7 +2180,7 @@ $multilib     =
 
 *** debug-levitte-linux-elf
 $cc           = gcc
-$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe
+$cflags       = -DLEVITTE_DEBUG -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -ggdb -g3 -Wall
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -2068,7 +2200,7 @@ $rc5_obj      = rc5-586.o
 $wp_obj       = wp_block.o wp-mmx.o
 $cmll_obj     = cmll-x86.o
 $modes_obj    = ghash-x86.o
-$engines_obj  = e_padlock-x86.o
+$engines_obj  = 
 $perlasm_scheme = elf
 $dso_scheme   = dlfcn
 $shared_target= linux-shared
@@ -2081,7 +2213,7 @@ $multilib     =
 
 *** debug-levitte-linux-elf-extreme
 $cc           = gcc
-$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe
+$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -DPEDANTIC -ggdb -g3 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -2101,7 +2233,7 @@ $rc5_obj      = rc5-586.o
 $wp_obj       = wp_block.o wp-mmx.o
 $cmll_obj     = cmll-x86.o
 $modes_obj    = ghash-x86.o
-$engines_obj  = e_padlock-x86.o
+$engines_obj  = 
 $perlasm_scheme = elf
 $dso_scheme   = dlfcn
 $shared_target= linux-shared
@@ -2114,7 +2246,7 @@ $multilib     =
 
 *** debug-levitte-linux-noasm
 $cc           = gcc
-$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe
+$cflags       = -DLEVITTE_DEBUG -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -ggdb -g3 -Wall
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -2147,7 +2279,7 @@ $multilib     =
 
 *** debug-levitte-linux-noasm-extreme
 $cc           = gcc
-$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe
+$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -ggdb -g3 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -2200,7 +2332,7 @@ $rc5_obj      = rc5-586.o
 $wp_obj       = wp_block.o wp-mmx.o
 $cmll_obj     = cmll-x86.o
 $modes_obj    = ghash-x86.o
-$engines_obj  = e_padlock-x86.o
+$engines_obj  = 
 $perlasm_scheme = elf
 $dso_scheme   = dlfcn
 $shared_target= linux-shared
@@ -2233,7 +2365,7 @@ $rc5_obj      = rc5-586.o
 $wp_obj       = wp_block.o wp-mmx.o
 $cmll_obj     = cmll-x86.o
 $modes_obj    = ghash-x86.o
-$engines_obj  = e_padlock-x86.o
+$engines_obj  = 
 $perlasm_scheme = elf
 $dso_scheme   = dlfcn
 $shared_target= linux-shared
@@ -2332,7 +2464,7 @@ $rc5_obj      = rc5-586.o
 $wp_obj       = wp_block.o wp-mmx.o
 $cmll_obj     = 
 $modes_obj    = ghash-x86.o
-$engines_obj  = e_padlock-x86.o
+$engines_obj  = 
 $perlasm_scheme = elf
 $dso_scheme   = dlfcn
 $shared_target= linux-shared
@@ -2365,7 +2497,7 @@ $rc5_obj      = rc5-586.o
 $wp_obj       = wp_block.o wp-mmx.o
 $cmll_obj     = cmll-x86.o
 $modes_obj    = ghash-x86.o
-$engines_obj  = e_padlock-x86.o
+$engines_obj  = 
 $perlasm_scheme = elf
 $dso_scheme   = dlfcn
 $shared_target= 
@@ -2398,7 +2530,7 @@ $rc5_obj      = rc5-586.o
 $wp_obj       = wp_block.o wp-mmx.o
 $cmll_obj     = cmll-x86.o
 $modes_obj    = ghash-x86.o
-$engines_obj  = e_padlock-x86.o
+$engines_obj  = 
 $perlasm_scheme = elf
 $dso_scheme   = dlfcn
 $shared_target= 
@@ -2431,7 +2563,7 @@ $rc5_obj      =
 $wp_obj       = wp-x86_64.o
 $cmll_obj     = cmll-x86_64.o cmll_misc.o
 $modes_obj    = ghash-x86_64.o
-$engines_obj  = e_padlock-x86_64.o
+$engines_obj  = 
 $perlasm_scheme = elf
 $dso_scheme   = dlfcn
 $shared_target= linux-shared
@@ -2464,7 +2596,7 @@ $rc5_obj      = rc5-586.o
 $wp_obj       = wp_block.o wp-mmx.o
 $cmll_obj     = cmll-x86.o
 $modes_obj    = ghash-x86.o
-$engines_obj  = e_padlock-x86.o
+$engines_obj  = 
 $perlasm_scheme = elf
 $dso_scheme   = 
 $shared_target= 
@@ -2629,7 +2761,7 @@ $rc5_obj      =
 $wp_obj       = wp-x86_64.o
 $cmll_obj     = cmll-x86_64.o cmll_misc.o
 $modes_obj    = ghash-x86_64.o
-$engines_obj  = e_padlock-x86_64.o
+$engines_obj  = 
 $perlasm_scheme = elf
 $dso_scheme   = dlfcn
 $shared_target= linux-shared
@@ -2662,7 +2794,7 @@ $rc5_obj      = rc5-586.o
 $wp_obj       = wp_block.o wp-mmx.o
 $cmll_obj     = cmll-x86.o
 $modes_obj    = ghash-x86.o
-$engines_obj  = e_padlock-x86.o
+$engines_obj  = 
 $perlasm_scheme = elf
 $dso_scheme   = dlfcn
 $shared_target= linux-shared
@@ -2675,7 +2807,7 @@ $multilib     =
 
 *** debug-steve64
 $cc           = gcc
-$cflags       = -Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -g
+$cflags       = -Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -Wno-overlength-strings -g
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -2695,7 +2827,7 @@ $rc5_obj      =
 $wp_obj       = wp-x86_64.o
 $cmll_obj     = cmll-x86_64.o cmll_misc.o
 $modes_obj    = ghash-x86_64.o
-$engines_obj  = e_padlock-x86_64.o
+$engines_obj  = 
 $perlasm_scheme = elf
 $dso_scheme   = dlfcn
 $shared_target= linux-shared
@@ -2741,7 +2873,7 @@ $multilib     =
 
 *** debug-vos-gcc
 $cc           = gcc
-$cflags       = -O0 -g -Wall -D_POSIX_C_SOURCE=200112L -D_BSD -D_VOS_EXTENDED_NAMES -DB_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG
+$cflags       = -O0 -g -Wall -DOPENSSL_SYSNAME_VOS -D_POSIX_C_SOURCE=200112L -D_BSD -D_VOS_EXTENDED_NAMES -DB_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG
 $unistd       = 
 $thread_cflag = (unknown)
 $sys_id       = VOS
@@ -2860,7 +2992,7 @@ $rc5_obj      = rc5-586.o
 $wp_obj       = wp_block.o wp-mmx.o
 $cmll_obj     = cmll-x86.o
 $modes_obj    = ghash-x86.o
-$engines_obj  = e_padlock-x86.o
+$engines_obj  = 
 $perlasm_scheme = elf
 $dso_scheme   = 
 $shared_target= 
@@ -3232,7 +3364,7 @@ $shared_ldflag = -shared
 $shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
-$multilib     = 
+$multilib     = /pa1.1
 
 *** hpux-parisc2-cc
 $cc           = cc
@@ -3242,22 +3374,22 @@ $thread_cflag =
 $sys_id       = 
 $lflags       = -Wl,+s -ldld
 $bn_ops       = SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT
-$cpuid_obj    = 
-$bn_obj       = pa-risc2.o
+$cpuid_obj    = pariscid.o
+$bn_obj       = pa-risc2.o parisc-mont.o
 $des_obj      = 
-$aes_obj      = 
+$aes_obj      = aes_core.o aes_cbc.o aes-parisc.o
 $bf_obj       = 
 $md5_obj      = 
-$sha1_obj     = 
+$sha1_obj     = sha1-parisc.o sha256-parisc.o sha512-parisc.o
 $cast_obj     = 
-$rc4_obj      = 
+$rc4_obj      = rc4-parisc.o
 $rmd160_obj   = 
 $rc5_obj      = 
 $wp_obj       = 
 $cmll_obj     = 
-$modes_obj    = 
+$modes_obj    = ghash-parisc.o
 $engines_obj  = 
-$perlasm_scheme = void
+$perlasm_scheme = 32
 $dso_scheme   = dl
 $shared_target= hpux-shared
 $shared_cflag = +Z
@@ -3265,7 +3397,7 @@ $shared_ldflag = -b
 $shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
-$multilib     = 
+$multilib     = /pa20_32
 
 *** hpux-parisc2-gcc
 $cc           = gcc
@@ -3275,22 +3407,22 @@ $thread_cflag =
 $sys_id       = 
 $lflags       = -Wl,+s -ldld
 $bn_ops       = SIXTY_FOUR_BIT RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL DES_RISC1
-$cpuid_obj    = 
-$bn_obj       = pa-risc2.o
+$cpuid_obj    = pariscid.o
+$bn_obj       = pa-risc2.o parisc-mont.o
 $des_obj      = 
-$aes_obj      = 
+$aes_obj      = aes_core.o aes_cbc.o aes-parisc.o
 $bf_obj       = 
 $md5_obj      = 
-$sha1_obj     = 
+$sha1_obj     = sha1-parisc.o sha256-parisc.o sha512-parisc.o
 $cast_obj     = 
-$rc4_obj      = 
+$rc4_obj      = rc4-parisc.o
 $rmd160_obj   = 
 $rc5_obj      = 
 $wp_obj       = 
 $cmll_obj     = 
-$modes_obj    = 
+$modes_obj    = ghash-parisc.o
 $engines_obj  = 
-$perlasm_scheme = void
+$perlasm_scheme = 32
 $dso_scheme   = dl
 $shared_target= hpux-shared
 $shared_cflag = -fPIC
@@ -3298,7 +3430,7 @@ $shared_ldflag = -shared
 $shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
-$multilib     = 
+$multilib     = /pa20_32
 
 *** hpux64-ia64-cc
 $cc           = cc
@@ -3454,7 +3586,7 @@ $rc5_obj      = rc5-586.o
 $wp_obj       = wp_block.o wp-mmx.o
 $cmll_obj     = cmll-x86.o
 $modes_obj    = ghash-x86.o
-$engines_obj  = e_padlock-x86.o
+$engines_obj  = 
 $perlasm_scheme = elf
 $dso_scheme   = dlfcn
 $shared_target= linux-shared
@@ -3850,7 +3982,7 @@ $rc5_obj      = rc5-586.o
 $wp_obj       = wp_block.o wp-mmx.o
 $cmll_obj     = cmll-x86.o
 $modes_obj    = ghash-x86.o
-$engines_obj  = e_padlock-x86.o
+$engines_obj  = 
 $perlasm_scheme = a.out
 $dso_scheme   = 
 $shared_target= 
@@ -3916,7 +4048,7 @@ $rc5_obj      = rc5-586.o
 $wp_obj       = wp_block.o wp-mmx.o
 $cmll_obj     = cmll-x86.o
 $modes_obj    = ghash-x86.o
-$engines_obj  = e_padlock-x86.o
+$engines_obj  = 
 $perlasm_scheme = elf
 $dso_scheme   = dlfcn
 $shared_target= linux-shared
@@ -4015,7 +4147,7 @@ $rc5_obj      = rc5-586.o
 $wp_obj       = wp_block.o wp-mmx.o
 $cmll_obj     = cmll-x86.o
 $modes_obj    = ghash-x86.o
-$engines_obj  = e_padlock-x86.o
+$engines_obj  = 
 $perlasm_scheme = elf
 $dso_scheme   = dlfcn
 $shared_target= linux-shared
@@ -4279,7 +4411,7 @@ $rc5_obj      =
 $wp_obj       = wp-x86_64.o
 $cmll_obj     = cmll-x86_64.o cmll_misc.o
 $modes_obj    = ghash-x86_64.o
-$engines_obj  = e_padlock-x86_64.o
+$engines_obj  = 
 $perlasm_scheme = elf
 $dso_scheme   = dlfcn
 $shared_target= linux-shared
@@ -4301,7 +4433,7 @@ $bn_ops       = BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL
 $cpuid_obj    = s390xcap.o s390xcpuid.o
 $bn_obj       = bn_asm.o s390x-mont.o s390x-gf2m.o
 $des_obj      = 
-$aes_obj      = aes_ctr.o aes-s390x.o
+$aes_obj      = aes-s390x.o aes-ctr.o aes-xts.o
 $bf_obj       = 
 $md5_obj      = 
 $sha1_obj     = sha1-s390x.o sha256-s390x.o sha512-s390x.o
@@ -4334,7 +4466,7 @@ $bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL
 $cpuid_obj    = s390xcap.o s390xcpuid.o
 $bn_obj       = bn-s390x.o s390x-mont.o s390x-gf2m.o
 $des_obj      = 
-$aes_obj      = aes_ctr.o aes-s390x.o
+$aes_obj      = aes-s390x.o aes-ctr.o aes-xts.o
 $bf_obj       = 
 $md5_obj      = 
 $sha1_obj     = sha1-s390x.o sha256-s390x.o sha512-s390x.o
@@ -4411,7 +4543,7 @@ $rc5_obj      = rc5-586.o
 $wp_obj       = wp_block.o wp-mmx.o
 $cmll_obj     = cmll-x86.o
 $modes_obj    = ghash-x86.o
-$engines_obj  = e_padlock-x86.o
+$engines_obj  = 
 $perlasm_scheme = coff
 $dso_scheme   = win32
 $shared_target= cygwin-shared
@@ -4444,7 +4576,7 @@ $rc5_obj      =
 $wp_obj       = wp-x86_64.o
 $cmll_obj     = cmll-x86_64.o cmll_misc.o
 $modes_obj    = ghash-x86_64.o
-$engines_obj  = e_padlock-x86_64.o
+$engines_obj  = 
 $perlasm_scheme = mingw64
 $dso_scheme   = win32
 $shared_target= cygwin-shared
@@ -5038,7 +5170,7 @@ $rc5_obj      = rc5-586.o
 $wp_obj       = wp_block.o wp-mmx.o
 $cmll_obj     = cmll-x86.o
 $modes_obj    = ghash-x86.o
-$engines_obj  = e_padlock-x86.o
+$engines_obj  = 
 $perlasm_scheme = elf
 $dso_scheme   = dlfcn
 $shared_target= svr3-shared
@@ -5071,7 +5203,7 @@ $rc5_obj      = rc5-586.o
 $wp_obj       = wp_block.o wp-mmx.o
 $cmll_obj     = cmll-x86.o
 $modes_obj    = ghash-x86.o
-$engines_obj  = e_padlock-x86.o
+$engines_obj  = 
 $perlasm_scheme = elf
 $dso_scheme   = dlfcn
 $shared_target= svr3-shared
@@ -5335,7 +5467,7 @@ $rc5_obj      = rc5-586.o
 $wp_obj       = wp_block.o wp-mmx.o
 $cmll_obj     = cmll-x86.o
 $modes_obj    = ghash-x86.o
-$engines_obj  = e_padlock-x86.o
+$engines_obj  = 
 $perlasm_scheme = elf
 $dso_scheme   = dlfcn
 $shared_target= solaris-shared
@@ -5375,7 +5507,7 @@ $shared_target= solaris-shared
 $shared_cflag = -KPIC
 $shared_ldflag = -xarch=v9 -G -dy -z text
 $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
-$ranlib       = /usr/ccs/bin/ar rs
+$ranlib       = 
 $arflags      = 
 $multilib     = /64
 
@@ -5434,7 +5566,7 @@ $rc5_obj      =
 $wp_obj       = wp-x86_64.o
 $cmll_obj     = cmll-x86_64.o cmll_misc.o
 $modes_obj    = ghash-x86_64.o
-$engines_obj  = e_padlock-x86_64.o
+$engines_obj  = 
 $perlasm_scheme = elf
 $dso_scheme   = dlfcn
 $shared_target= solaris-shared
@@ -5467,7 +5599,7 @@ $rc5_obj      =
 $wp_obj       = wp-x86_64.o
 $cmll_obj     = cmll-x86_64.o cmll_misc.o
 $modes_obj    = ghash-x86_64.o
-$engines_obj  = e_padlock-x86_64.o
+$engines_obj  = 
 $perlasm_scheme = elf
 $dso_scheme   = dlfcn
 $shared_target= solaris-shared
@@ -5797,7 +5929,7 @@ $rc5_obj      = rc5-586.o
 $wp_obj       = wp_block.o wp-mmx.o
 $cmll_obj     = cmll-x86.o
 $modes_obj    = ghash-x86.o
-$engines_obj  = e_padlock-x86.o
+$engines_obj  = 
 $perlasm_scheme = elf
 $dso_scheme   = dlfcn
 $shared_target= svr5-shared
@@ -5830,7 +5962,7 @@ $rc5_obj      = rc5-586.o
 $wp_obj       = wp_block.o wp-mmx.o
 $cmll_obj     = cmll-x86.o
 $modes_obj    = ghash-x86.o
-$engines_obj  = e_padlock-x86.o
+$engines_obj  = 
 $perlasm_scheme = elf
 $dso_scheme   = dlfcn
 $shared_target= gnu-shared
@@ -5843,7 +5975,7 @@ $multilib     =
 
 *** vos-gcc
 $cc           = gcc
-$cflags       = -O3 -Wall -D_POSIX_C_SOURCE=200112L -D_BSD -D_VOS_EXTENDED_NAMES -DB_ENDIAN
+$cflags       = -O3 -Wall -DOPENSSL_SYSNAME_VOS -D_POSIX_C_SOURCE=200112L -D_BSD -D_VOS_EXTENDED_NAMES -DB_ENDIAN
 $unistd       = 
 $thread_cflag = (unknown)
 $sys_id       = VOS

VMS/mkshared.com

@@ -6,6 +6,7 @@ $! P2: Zlib object library path (optional).
 $!
 $! Input:	[.UTIL]LIBEAY.NUM,[.xxx.EXE.CRYPTO]SSL_LIBCRYPTO[32].OLB
 $!		[.UTIL]SSLEAY.NUM,[.xxx.EXE.SSL]SSL_LIBSSL[32].OLB
+$!		[.CRYPTO.xxx]OPENSSLCONF.H
 $! Output:	[.xxx.EXE.CRYPTO]SSL_LIBCRYPTO_SHR[32].OPT,.MAP,.EXE
 $!		[.xxx.EXE.SSL]SSL_LIBSSL_SRH[32].OPT,.MAP,.EXE
 $!
@@ -70,6 +71,9 @@ $     endif
 $   endif
 $ endif
 $!
+$! ----- Prepare info for processing: disabled algorithms info
+$ gosub read_disabled_algorithms_info
+$!
 $ ZLIB = p2
 $ zlib_lib = ""
 $ if (ZLIB .nes. "")
@@ -384,8 +388,7 @@ $	alg_i = alg_i + 1
 $       if alg_entry .eqs. "" then goto loop2
 $       if alg_entry .nes. ","
 $       then
-$         if alg_entry .eqs. "KRB5" then goto loop ! Special for now
-$	  if alg_entry .eqs. "STATIC_ENGINE" then goto loop ! Special for now
+$	  if disabled_algorithms - ("," + alg_entry + ",") .nes disabled_algorithms then goto loop
 $         if f$trnlnm("OPENSSL_NO_"+alg_entry) .nes. "" then goto loop
 $	  goto loop2
 $       endif
@@ -452,3 +455,22 @@ $     endif
 $   endloop_rvi:
 $   close vf
 $   return
+$
+$! The disabled algorithms reader
+$ read_disabled_algorithms_info:
+$   disabled_algorithms = ","
+$   open /read cf [.CRYPTO.'ARCH']OPENSSLCONF.H
+$   loop_rci:
+$     read/err=endloop_rci/end=endloop_rci cf rci_line
+$     rci_line = f$edit(rci_line,"TRIM,COMPRESS")
+$     rci_ei = 0
+$     if f$extract(0,9,rci_line) .eqs. "# define " then rci_ei = 2
+$     if f$extract(0,8,rci_line) .eqs. "#define " then rci_ei = 1
+$     if rci_ei .eq. 0 then goto loop_rci
+$     rci_e = f$element(rci_ei," ",rci_line)
+$     if f$extract(0,11,rci_e) .nes. "OPENSSL_NO_" then goto loop_rci
+$     disabled_algorithms = disabled_algorithms + f$extract(11,999,rci_e) + ","
+$     goto loop_rci
+$   endloop_rci:
+$   close cf
+$   return

apps/Makefile

@@ -153,6 +153,8 @@ $(EXE): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL)
 	$(RM) $(EXE)
 	shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \
 		shlib_target="$(SHLIB_TARGET)"; \
+	elif [ -n "$(FIPSCANLIB)" ]; then \
+	  FIPSLD_CC="$(CC)"; CC=$(FIPSDIR)/bin/fipsld; export CC FIPSLD_CC; \
 	fi; \
 	LIBRARIES="$(LIBSSL) $(LIBKRB5) $(LIBCRYPTO)" ; \
 	$(MAKE) -f $(TOP)/Makefile.shared -e \
@@ -245,13 +247,13 @@ ciphers.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 ciphers.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
 ciphers.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
 ciphers.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
-ciphers.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-ciphers.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-ciphers.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-ciphers.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ciphers.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-ciphers.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-ciphers.o: ciphers.c
+ciphers.o: ../include/openssl/sha.h ../include/openssl/srtp.h
+ciphers.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ciphers.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+ciphers.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ciphers.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+ciphers.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+ciphers.o: ../include/openssl/x509v3.h apps.h ciphers.c
 cms.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 cms.o: ../include/openssl/buffer.h ../include/openssl/cms.h
 cms.o: ../include/openssl/conf.h ../include/openssl/crypto.h
@@ -427,13 +429,13 @@ engine.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 engine.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
 engine.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
 engine.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
-engine.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-engine.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-engine.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-engine.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-engine.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-engine.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-engine.o: engine.c
+engine.o: ../include/openssl/sha.h ../include/openssl/srtp.h
+engine.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+engine.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+engine.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+engine.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+engine.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+engine.o: ../include/openssl/x509v3.h apps.h engine.c
 errstr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 errstr.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 errstr.o: ../include/openssl/conf.h ../include/openssl/crypto.h
@@ -448,13 +450,13 @@ errstr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 errstr.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
 errstr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
 errstr.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
-errstr.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-errstr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-errstr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-errstr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-errstr.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-errstr.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-errstr.o: errstr.c
+errstr.o: ../include/openssl/sha.h ../include/openssl/srtp.h
+errstr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+errstr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+errstr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+errstr.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+errstr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+errstr.o: ../include/openssl/x509v3.h apps.h errstr.c
 gendh.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 gendh.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 gendh.o: ../include/openssl/conf.h ../include/openssl/crypto.h
@@ -556,12 +558,12 @@ ocsp.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 ocsp.o: ../include/openssl/pem.h ../include/openssl/pem2.h
 ocsp.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
 ocsp.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-ocsp.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-ocsp.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-ocsp.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ocsp.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
-ocsp.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-ocsp.o: ../include/openssl/x509v3.h apps.h ocsp.c
+ocsp.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+ocsp.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ocsp.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ocsp.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+ocsp.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+ocsp.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h ocsp.c
 openssl.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 openssl.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 openssl.o: ../include/openssl/conf.h ../include/openssl/crypto.h
@@ -575,8 +577,9 @@ openssl.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
 openssl.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 openssl.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
 openssl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-openssl.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
-openssl.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+openssl.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
+openssl.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+openssl.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
 openssl.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
 openssl.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
 openssl.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
@@ -791,12 +794,13 @@ s_cb.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
 s_cb.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
 s_cb.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
 s_cb.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s_cb.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s_cb.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s_cb.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s_cb.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
-s_cb.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-s_cb.o: ../include/openssl/x509v3.h apps.h s_apps.h s_cb.c
+s_cb.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+s_cb.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s_cb.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s_cb.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s_cb.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+s_cb.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+s_cb.o: s_apps.h s_cb.c
 s_client.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s_client.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 s_client.o: ../include/openssl/comp.h ../include/openssl/conf.h
@@ -813,12 +817,13 @@ s_client.o: ../include/openssl/pem.h ../include/openssl/pem2.h
 s_client.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
 s_client.o: ../include/openssl/rand.h ../include/openssl/safestack.h
 s_client.o: ../include/openssl/sha.h ../include/openssl/srp.h
-s_client.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s_client.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s_client.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s_client.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
-s_client.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-s_client.o: ../include/openssl/x509v3.h apps.h s_apps.h s_client.c timeouts.h
+s_client.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+s_client.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s_client.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s_client.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s_client.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+s_client.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+s_client.o: s_apps.h s_client.c timeouts.h
 s_server.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 s_server.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 s_server.o: ../include/openssl/comp.h ../include/openssl/conf.h
@@ -836,27 +841,29 @@ s_server.o: ../include/openssl/pem.h ../include/openssl/pem2.h
 s_server.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
 s_server.o: ../include/openssl/rand.h ../include/openssl/rsa.h
 s_server.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s_server.o: ../include/openssl/srp.h ../include/openssl/ssl.h
-s_server.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s_server.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s_server.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s_server.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
-s_server.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-s_server.o: ../include/openssl/x509v3.h apps.h s_apps.h s_server.c timeouts.h
-s_socket.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-s_socket.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-s_socket.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-s_socket.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-s_socket.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-s_socket.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
-s_socket.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-s_socket.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-s_socket.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s_socket.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
-s_socket.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s_socket.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s_socket.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-s_socket.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s_server.o: ../include/openssl/srp.h ../include/openssl/srtp.h
+s_server.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s_server.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s_server.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s_server.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+s_server.o: ../include/openssl/ui.h ../include/openssl/x509.h
+s_server.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+s_server.o: s_apps.h s_server.c timeouts.h
+s_socket.o: ../e_os.h ../e_os2.h ../include/openssl/asn1.h
+s_socket.o: ../include/openssl/bio.h ../include/openssl/buffer.h
+s_socket.o: ../include/openssl/comp.h ../include/openssl/conf.h
+s_socket.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
+s_socket.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+s_socket.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+s_socket.o: ../include/openssl/engine.h ../include/openssl/evp.h
+s_socket.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+s_socket.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+s_socket.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+s_socket.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s_socket.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+s_socket.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s_socket.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
+s_socket.o: ../include/openssl/sha.h ../include/openssl/srtp.h
 s_socket.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
 s_socket.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
 s_socket.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
@@ -877,13 +884,13 @@ s_time.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 s_time.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
 s_time.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
 s_time.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
-s_time.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-s_time.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s_time.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s_time.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s_time.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-s_time.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-s_time.o: s_apps.h s_time.c
+s_time.o: ../include/openssl/sha.h ../include/openssl/srtp.h
+s_time.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s_time.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s_time.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s_time.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+s_time.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+s_time.o: ../include/openssl/x509v3.h apps.h s_apps.h s_time.c
 sess_id.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 sess_id.o: ../include/openssl/buffer.h ../include/openssl/comp.h
 sess_id.o: ../include/openssl/conf.h ../include/openssl/crypto.h
@@ -898,13 +905,13 @@ sess_id.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 sess_id.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
 sess_id.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
 sess_id.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
-sess_id.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-sess_id.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-sess_id.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-sess_id.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-sess_id.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-sess_id.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-sess_id.o: sess_id.c
+sess_id.o: ../include/openssl/sha.h ../include/openssl/srtp.h
+sess_id.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+sess_id.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+sess_id.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+sess_id.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+sess_id.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+sess_id.o: ../include/openssl/x509v3.h apps.h sess_id.c
 smime.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 smime.o: ../include/openssl/buffer.h ../include/openssl/conf.h
 smime.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h

apps/apps.c

@@ -109,7 +109,7 @@
  *
  */
 
-#ifndef _POSIX_C_SOURCE
+#if !defined(_POSIX_C_SOURCE) && defined(OPENSSL_SYS_VMS)
 #define _POSIX_C_SOURCE 2	/* On VMS, you need to define this to get
 				   the declaration of fileno().  The value
 				   2 is to make sure no function defined
@@ -586,12 +586,12 @@ int password_callback(char *buf, int bufsiz, int verify,
 
 		if (ok >= 0)
 			ok = UI_add_input_string(ui,prompt,ui_flags,buf,
-				PW_MIN_LENGTH,BUFSIZ-1);
+				PW_MIN_LENGTH,bufsiz-1);
 		if (ok >= 0 && verify)
 			{
 			buff = (char *)OPENSSL_malloc(bufsiz);
 			ok = UI_add_verify_string(ui,prompt,ui_flags,buff,
-				PW_MIN_LENGTH,BUFSIZ-1, buf);
+				PW_MIN_LENGTH,bufsiz-1, buf);
 			}
 		if (ok >= 0)
 			do
@@ -1215,7 +1215,8 @@ STACK_OF(X509) *load_certs(BIO *err, const char *file, int format,
 	const char *pass, ENGINE *e, const char *desc)
 	{
 	STACK_OF(X509) *certs;
-	load_certs_crls(err, file, format, pass, e, desc, &certs, NULL);
+	if (!load_certs_crls(err, file, format, pass, e, desc, &certs, NULL))
+		return NULL;
 	return certs;
 	}	
 
@@ -1223,7 +1224,8 @@ STACK_OF(X509_CRL) *load_crls(BIO *err, const char *file, int format,
 	const char *pass, ENGINE *e, const char *desc)
 	{
 	STACK_OF(X509_CRL) *crls;
-	load_certs_crls(err, file, format, pass, e, desc, NULL, &crls);
+	if (!load_certs_crls(err, file, format, pass, e, desc, NULL, &crls))
+		return NULL;
 	return crls;
 	}	
 
@@ -2130,7 +2132,7 @@ X509_NAME *parse_name(char *subject, long chtype, int multirdn)
 	X509_NAME *n = NULL;
 	int nid;
 
-	if (!buf || !ne_types || !ne_values)
+	if (!buf || !ne_types || !ne_values || !mval)
 		{
 		BIO_printf(bio_err, "malloc error\n");
 		goto error;
@@ -2234,6 +2236,7 @@ X509_NAME *parse_name(char *subject, long chtype, int multirdn)
 	OPENSSL_free(ne_values);
 	OPENSSL_free(ne_types);
 	OPENSSL_free(buf);
+	OPENSSL_free(mval);
 	return n;
 
 error:
@@ -2242,6 +2245,8 @@ error:
 		OPENSSL_free(ne_values);
 	if (ne_types)
 		OPENSSL_free(ne_types);
+	if (mval)
+		OPENSSL_free(mval);
 	if (buf)
 		OPENSSL_free(buf);
 	return NULL;
@@ -2256,7 +2261,7 @@ int args_verify(char ***pargs, int *pargc,
 	int purpose = 0, depth = -1;
 	char **oldargs = *pargs;
 	char *arg = **pargs, *argn = (*pargs)[1];
-	const X509_VERIFY_PARAM *vpm = NULL;
+	time_t at_time = 0;
 	if (!strcmp(arg, "-policy"))
 		{
 		if (!argn)
@@ -2294,21 +2299,6 @@ int args_verify(char ***pargs, int *pargc,
 			}
 		(*pargs)++;
 		}
-	else if (strcmp(arg,"-verify_name") == 0)
-		{
-		if (!argn)
-			*badarg = 1;
-		else
-			{
-			vpm = X509_VERIFY_PARAM_lookup(argn);
-			if(!vpm)
-				{
-				BIO_printf(err, "unrecognized verify name\n");
-				*badarg = 1;
-				}
-			}
-		(*pargs)++;
-		}
 	else if (strcmp(arg,"-verify_depth") == 0)
 		{
 		if (!argn)
@@ -2324,6 +2314,27 @@ int args_verify(char ***pargs, int *pargc,
 			}
 		(*pargs)++;
 		}
+	else if (strcmp(arg,"-attime") == 0)
+		{
+		if (!argn)
+			*badarg = 1;
+		else
+			{
+			long timestamp;
+			/* interpret the -attime argument as seconds since
+			 * Epoch */
+			if (sscanf(argn, "%li", &timestamp) != 1)
+				{
+				BIO_printf(bio_err,
+						"Error parsing timestamp %s\n",
+					   	argn);
+				*badarg = 1;
+				}
+			/* on some platforms time_t may be a float */
+			at_time = (time_t) timestamp;
+			}
+		(*pargs)++;
+		}
 	else if (!strcmp(arg, "-ignore_critical"))
 		flags |= X509_V_FLAG_IGNORE_CRITICAL;
 	else if (!strcmp(arg, "-issuer_checks"))
@@ -2350,8 +2361,6 @@ int args_verify(char ***pargs, int *pargc,
 		flags |= X509_V_FLAG_NOTIFY_POLICY;
 	else if (!strcmp(arg, "-check_ss_sig"))
 		flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
-	else if (!strcmp(arg, "-trusted_first"))
-		flags |= X509_V_FLAG_TRUSTED_FIRST;
 	else
 		return 0;
 
@@ -2369,9 +2378,6 @@ int args_verify(char ***pargs, int *pargc,
 		goto end;
 		}
 
-	if (vpm)
-		X509_VERIFY_PARAM_set1(*pm, vpm);
-
 	if (otmp)
 		X509_VERIFY_PARAM_add0_policy(*pm, otmp);
 	if (flags)
@@ -2383,6 +2389,9 @@ int args_verify(char ***pargs, int *pargc,
 	if (depth >= 0)
 		X509_VERIFY_PARAM_set_depth(*pm, depth);
 
+	if (at_time) 
+		X509_VERIFY_PARAM_set_time(*pm, at_time);
+
 	end:
 
 	(*pargs)++;
@@ -2714,6 +2723,50 @@ void jpake_server_auth(BIO *out, BIO *conn, const char *secret)
 
 #endif
 
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+/* next_protos_parse parses a comma separated list of strings into a string
+ * in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
+ *   outlen: (output) set to the length of the resulting buffer on success.
+ *   err: (maybe NULL) on failure, an error message line is written to this BIO.
+ *   in: a NUL termianted string like "abc,def,ghi"
+ *
+ *   returns: a malloced buffer or NULL on failure.
+ */
+unsigned char *next_protos_parse(unsigned short *outlen, const char *in)
+	{
+	size_t len;
+	unsigned char *out;
+	size_t i, start = 0;
+
+	len = strlen(in);
+	if (len >= 65535)
+		return NULL;
+
+	out = OPENSSL_malloc(strlen(in) + 1);
+	if (!out)
+		return NULL;
+
+	for (i = 0; i <= len; ++i)
+		{
+		if (i == len || in[i] == ',')
+			{
+			if (i - start > 255)
+				{
+				OPENSSL_free(out);
+				return NULL;
+				}
+			out[start] = i - start;
+			start = i + 1;
+			}
+		else
+			out[i+1] = in[i];
+		}
+
+	*outlen = len + 1;
+	return out;
+	}
+#endif  /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */
+
 /*
  * Platform-specific sections
  */
@@ -2788,7 +2841,7 @@ double app_tminterval(int stop,int usertime)
 
 	if (proc==NULL)
 		{
-		if (GetVersion() < 0x80000000)
+		if (check_winnt())
 			proc = OpenProcess(PROCESS_QUERY_INFORMATION,FALSE,
 						GetCurrentProcessId());
 		if (proc==NULL) proc = (HANDLE)-1;
@@ -3039,46 +3092,3 @@ int raw_write_stdout(const void *buf,int siz)
 int raw_write_stdout(const void *buf,int siz)
 	{	return write(fileno(stdout),buf,siz);	}
 #endif
-
-#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
-/* next_protos_parse parses a comma separated list of strings into a string
- * in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
- *   outlen: (output) set to the length of the resulting buffer on success.
- *   in: a NUL termianted string like "abc,def,ghi"
- *
- *   returns: a malloced buffer or NULL on failure.
- */
-unsigned char *next_protos_parse(unsigned short *outlen, const char *in)
-	{
-	size_t len;
-	unsigned char *out;
-	size_t i, start = 0;
-
-	len = strlen(in);
-	if (len >= 65535)
-		return NULL;
-
-	out = OPENSSL_malloc(strlen(in) + 1);
-	if (!out)
-		return NULL;
-
-	for (i = 0; i <= len; ++i)
-		{
-		if (i == len || in[i] == ',')
-			{
-			if (i - start > 255)
-				{
-				OPENSSL_free(out);
-				return NULL;
-				}
-			out[start] = i - start;
-			start = i + 1;
-			}
-		else
-			out[i+1] = in[i];
-		}
-
-	*outlen = len + 1;
-	return out;
-	}
-#endif  /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */

apps/apps.h

@@ -188,6 +188,7 @@ extern BIO *bio_err;
 			do { CONF_modules_unload(1); destroy_ui_method(); \
 			OBJ_cleanup(); EVP_cleanup(); ENGINE_cleanup(); \
 			CRYPTO_cleanup_all_ex_data(); ERR_remove_thread_state(NULL); \
+			RAND_cleanup(); \
 			ERR_free_strings(); zlib_cleanup();} while(0)
 #  else
 #    define apps_startup() \
@@ -198,6 +199,7 @@ extern BIO *bio_err;
 			do { CONF_modules_unload(1); destroy_ui_method(); \
 			OBJ_cleanup(); EVP_cleanup(); \
 			CRYPTO_cleanup_all_ex_data(); ERR_remove_thread_state(NULL); \
+			RAND_cleanup(); \
 			ERR_free_strings(); zlib_cleanup(); } while(0)
 #  endif
 #endif
@@ -331,6 +333,10 @@ void jpake_client_auth(BIO *out, BIO *conn, const char *secret);
 void jpake_server_auth(BIO *out, BIO *conn, const char *secret);
 #endif
 
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+unsigned char *next_protos_parse(unsigned short *outlen, const char *in);
+#endif  /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */
+
 #define FORMAT_UNDEF    0
 #define FORMAT_ASN1     1
 #define FORMAT_TEXT     2
@@ -363,10 +369,7 @@ int raw_write_stdout(const void *,int);
 #define TM_START	0
 #define TM_STOP		1
 double app_tminterval (int stop,int usertime);
-#endif
 
 #define OPENSSL_NO_SSL_INTERN
 
-#ifndef OPENSSL_NO_NEXTPROTONEG
-unsigned char *next_protos_parse(unsigned short *outlen, const char *in);
 #endif

apps/ca.c

@@ -2561,7 +2561,7 @@ static int get_certificate_status(const char *serial, CA_DB *db)
 			
 	/* Make it Upper Case */
 	for (i=0; row[DB_serial][i] != '\0'; i++)
-		row[DB_serial][i] = toupper(row[DB_serial][i]);
+		row[DB_serial][i] = toupper((unsigned char)row[DB_serial][i]);
 	
 
 	ok=1;

apps/client.pem

@@ -1,24 +1,52 @@
-issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
-subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Client test cert (512 bit)
+subject= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = Test Client Cert
+issuer= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = OpenSSL Test Intermediate CA
 -----BEGIN CERTIFICATE-----
-MIIB6TCCAVICAQIwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCQVUxEzARBgNV
-BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYD
-VQQDExJUZXN0IENBICgxMDI0IGJpdCkwHhcNOTcwNjA5MTM1NzU2WhcNOTgwNjA5
-MTM1NzU2WjBjMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEaMBgG
-A1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxIzAhBgNVBAMTGkNsaWVudCB0ZXN0IGNl
-cnQgKDUxMiBiaXQpMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALtv55QyzG6i2Plw
-Z1pah7++Gv8L5j6Hnyr/uTZE1NLG0ABDDexmq/R4KedLjFEIYjocDui+IXs62NNt
-XrT8odkCAwEAATANBgkqhkiG9w0BAQQFAAOBgQBwtMmI7oGUG8nKmftQssATViH5
-NRRtoEw07DxJp/LfatHdrhqQB73eGdL5WILZJXk46Xz2e9WMSUjVCSYhdKxtflU3
-UR2Ajv1Oo0sTNdfz0wDqJNirLNtzyhhsaq8qMTrLwXrCP31VxBiigFSQSUFnZyTE
-9TKwhS4GlwbtCfxSKQ==
+MIID5zCCAs+gAwIBAgIJALnu1NlVpZ6yMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
+BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMSIwIAYDVQQLDBlGT1IgVEVT
+VElORyBQVVJQT1NFUyBPTkxZMSUwIwYDVQQDDBxPcGVuU1NMIFRlc3QgSW50ZXJt
+ZWRpYXRlIENBMB4XDTExMTIwODE0MDE0OFoXDTIxMTAxNjE0MDE0OFowZDELMAkG
+A1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxIjAgBgNVBAsMGUZPUiBU
+RVNUSU5HIFBVUlBPU0VTIE9OTFkxGTAXBgNVBAMMEFRlc3QgQ2xpZW50IENlcnQw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC0ranbHRLcLVqN+0BzcZpY
++yOLqxzDWT1LD9eW1stC4NzXX9/DCtSIVyN7YIHdGLrIPr64IDdXXaMRzgZ2rOKs
+lmHCAiFpO/ja99gGCJRxH0xwQatqAULfJVHeUhs7OEGOZc2nWifjqKvGfNTilP7D
+nwi69ipQFq9oS19FmhwVHk2wg7KZGHI1qDyG04UrfCZMRitvS9+UVhPpIPjuiBi2
+x3/FZIpL5gXJvvFK6xHY63oq2asyzBATntBgnP4qJFWWcvRx24wF1PnZabxuVoL2
+bPnQ/KvONDrw3IdqkKhYNTul7jEcu3OlcZIMw+7DiaKJLAzKb/bBF5gm/pwW6As9
+AgMBAAGjgY8wgYwwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwLAYJYIZI
+AYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQW
+BBSZHKyLoTh7Mb409Zn/mK1ceSDAjDAfBgNVHSMEGDAWgBQ2w2yI55X+sL3szj49
+hqshgYfa2jANBgkqhkiG9w0BAQUFAAOCAQEAD0mL7PtPYgCEuDyOQSbLpeND5hVS
+curxQdGnrJ6Acrhodb7E9ccATokeb0PLx6HBLQUicxhTZIQ9FbO43YkQcOU6C3BB
+IlwskqmtN6+VmrQzNolHCDzvxNZs9lYL2VbGPGqVRyjZeHpoAlf9cQr8PgDb4d4b
+vUx2KAhHQvV2nkmYvKyXcgnRuHggumF87mkxidriGAEFwH4qfOqetUg64WyxP7P2
+QLipm04SyQa7ONtIApfVXgHcE42Py4/f4arzCzMjKe3VyhGkS7nsT55X/fWgTaRm
+CQPkO+H94P958WTvQDt77bQ+D3IvYaVvfil8n6HJMOJfFT0LJuSUbpSXJg==
 -----END CERTIFICATE-----
 -----BEGIN RSA PRIVATE KEY-----
-MIIBOwIBAAJBALtv55QyzG6i2PlwZ1pah7++Gv8L5j6Hnyr/uTZE1NLG0ABDDexm
-q/R4KedLjFEIYjocDui+IXs62NNtXrT8odkCAwEAAQJAbwXq0vJ/+uyEvsNgxLko
-/V86mGXQ/KrSkeKlL0r4ENxjcyeMAGoKu6J9yMY7+X9+Zm4nxShNfTsf/+Freoe1
-HQIhAPOSm5Q1YI+KIsII2GeVJx1U69+wnd71OasIPakS1L1XAiEAxQAW+J3/JWE0
-ftEYakbhUOKL8tD1OaFZS71/5GdG7E8CIQCefUMmySSvwd6kC0VlATSWbW+d+jp/
-nWmM1KvqnAo5uQIhALqEADu5U1Wvt8UN8UDGBRPQulHWNycuNV45d3nnskWPAiAw
-ueTyr6WsZ5+SD8g/Hy3xuvF3nPmJRH+rwvVihlcFOg==
+MIIEpQIBAAKCAQEAtK2p2x0S3C1ajftAc3GaWPsji6scw1k9Sw/XltbLQuDc11/f
+wwrUiFcje2CB3Ri6yD6+uCA3V12jEc4GdqzirJZhwgIhaTv42vfYBgiUcR9McEGr
+agFC3yVR3lIbOzhBjmXNp1on46irxnzU4pT+w58IuvYqUBavaEtfRZocFR5NsIOy
+mRhyNag8htOFK3wmTEYrb0vflFYT6SD47ogYtsd/xWSKS+YFyb7xSusR2Ot6Ktmr
+MswQE57QYJz+KiRVlnL0cduMBdT52Wm8blaC9mz50PyrzjQ68NyHapCoWDU7pe4x
+HLtzpXGSDMPuw4miiSwMym/2wReYJv6cFugLPQIDAQABAoIBAAZOyc9MhIwLSU4L
+p4RgQvM4UVVe8/Id+3XTZ8NsXExJbWxXfIhiqGjaIfL8u4vsgRjcl+v1s/jo2/iT
+KMab4o4D8gXD7UavQVDjtjb/ta79WL3SjRl2Uc9YjjMkyq6WmDNQeo2NKDdafCTB
+1uzSJtLNipB8Z53ELPuHJhxX9QMHrMnuha49riQgXZ7buP9iQrHJFhImBjSzbxJx
+L+TI6rkyLSf9Wi0Pd3L27Ob3QWNfNRYNSeTE+08eSRChkur5W0RuXAcuAICdQlCl
+LBvWO/LmmvbzCqiDcgy/TliSb6CGGwgiNG7LJZmlkYNj8laGwalNlYZs3UrVv6NO
+Br2loAECgYEA2kvCvPGj0Dg/6g7WhXDvAkEbcaL1tSeCxBbNH+6HS2UWMWvyTtCn
+/bbD519QIdkvayy1QjEf32GV/UjUVmlULMLBcDy0DGjtL3+XpIhLKWDNxN1v1/ai
+1oz23ZJCOgnk6K4qtFtlRS1XtynjA+rBetvYvLP9SKeFrnpzCgaA2r0CgYEA0+KX
+1ACXDTNH5ySX3kMjSS9xdINf+OOw4CvPHFwbtc9aqk2HePlEsBTz5I/W3rKwXva3
+NqZ/bRqVVeZB/hHKFywgdUQk2Uc5z/S7Lw70/w1HubNTXGU06Ngb6zOFAo/o/TwZ
+zTP1BMIKSOB6PAZPS3l+aLO4FRIRotfFhgRHOoECgYEAmiZbqt8cJaJDB/5YYDzC
+mp3tSk6gIb936Q6M5VqkMYp9pIKsxhk0N8aDCnTU+kIK6SzWBpr3/d9Ecmqmfyq7
+5SvWO3KyVf0WWK9KH0abhOm2BKm2HBQvI0DB5u8sUx2/hsvOnjPYDISbZ11t0MtK
+u35Zy89yMYcSsIYJjG/ROCUCgYEAgI2P9G5PNxEP5OtMwOsW84Y3Xat/hPAQFlI+
+HES+AzbFGWJkeT8zL2nm95tVkFP1sggZ7Kxjz3w7cpx7GX0NkbWSE9O+T51pNASV
+tN1sQ3p5M+/a+cnlqgfEGJVvc7iAcXQPa3LEi5h2yPR49QYXAgG6cifn3dDSpmwn
+SUI7PQECgYEApGCIIpSRPLAEHTGmP87RBL1smurhwmy2s/pghkvUkWehtxg0sGHh
+kuaqDWcskogv+QC0sVdytiLSz8G0DwcEcsHK1Fkyb8A+ayiw6jWJDo2m9+IF4Fww
+1Te6jFPYDESnbhq7+TLGgHGhtwcu5cnb4vSuYXGXKupZGzoLOBbv1Zw=
 -----END RSA PRIVATE KEY-----

apps/cms.c

@@ -233,6 +233,8 @@ int MAIN(int argc, char **argv)
 		else if (!strcmp(*args,"-camellia256"))
 				cipher = EVP_camellia_256_cbc();
 #endif
+		else if (!strcmp (*args, "-debug_decrypt")) 
+				flags |= CMS_DEBUG_DECRYPT;
 		else if (!strcmp (*args, "-text")) 
 				flags |= CMS_TEXT;
 		else if (!strcmp (*args, "-nointern")) 
@@ -626,7 +628,7 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "-certsout file certificate output file\n");
 		BIO_printf (bio_err, "-signer file   signer certificate file\n");
 		BIO_printf (bio_err, "-recip  file   recipient certificate file for decryption\n");
-		BIO_printf (bio_err, "-keyid        use subject key identifier\n");
+		BIO_printf (bio_err, "-keyid         use subject key identifier\n");
 		BIO_printf (bio_err, "-in file       input file\n");
 		BIO_printf (bio_err, "-inform arg    input format SMIME (default), PEM or DER\n");
 		BIO_printf (bio_err, "-inkey file    input private key (if not signer or recipient)\n");
@@ -1039,6 +1041,8 @@ int MAIN(int argc, char **argv)
 	ret = 4;
 	if (operation == SMIME_DECRYPT)
 		{
+		if (flags & CMS_DEBUG_DECRYPT)
+			CMS_decrypt(cms, NULL, NULL, NULL, NULL, flags);
 
 		if (secret_key)
 			{

apps/crl.c

@@ -81,6 +81,9 @@ static const char *crl_usage[]={
 " -in arg         - input file - default stdin\n",
 " -out arg        - output file - default stdout\n",
 " -hash           - print hash value\n",
+#ifndef OPENSSL_NO_MD5
+" -hash_old       - print old-style (MD5) hash value\n",
+#endif
 " -fingerprint    - print the crl fingerprint\n",
 " -issuer         - print issuer DN\n",
 " -lastupdate     - lastUpdate field\n",
@@ -108,6 +111,9 @@ int MAIN(int argc, char **argv)
 	int informat,outformat;
 	char *infile=NULL,*outfile=NULL;
 	int hash=0,issuer=0,lastupdate=0,nextupdate=0,noout=0,text=0;
+#ifndef OPENSSL_NO_MD5
+       int hash_old=0;
+#endif
 	int fingerprint = 0, crlnumber = 0;
 	const char **pp;
 	X509_STORE *store = NULL;
@@ -192,6 +198,10 @@ int MAIN(int argc, char **argv)
 			text = 1;
 		else if (strcmp(*argv,"-hash") == 0)
 			hash= ++num;
+#ifndef OPENSSL_NO_MD5
+		else if (strcmp(*argv,"-hash_old") == 0)
+			hash_old= ++num;
+#endif
 		else if (strcmp(*argv,"-nameopt") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -304,6 +314,14 @@ bad:
 				BIO_printf(bio_out,"%08lx\n",
 					X509_NAME_hash(X509_CRL_get_issuer(x)));
 				}
+#ifndef OPENSSL_NO_MD5
+			if (hash_old == i)
+				{
+				BIO_printf(bio_out,"%08lx\n",
+					X509_NAME_hash_old(
+						X509_CRL_get_issuer(x)));
+				}
+#endif
 			if (lastupdate == i)
 				{
 				BIO_printf(bio_out,"lastUpdate=");

apps/dgst.c

@@ -103,7 +103,7 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 	{
-	ENGINE *e = NULL, *impl = NULL;
+	ENGINE *e = NULL;
 	unsigned char *buf=NULL;
 	int i,err=1;
 	const EVP_MD *md=NULL,*m;
@@ -124,10 +124,10 @@ int MAIN(int argc, char **argv)
 	char *passargin = NULL, *passin = NULL;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine=NULL;
-	int engine_impl = 0;
 #endif
 	char *hmac_key=NULL;
 	char *mac_name=NULL;
+	int non_fips_allow = 0;
 	STACK_OF(OPENSSL_STRING) *sigopts = NULL, *macopts = NULL;
 
 	apps_startup();
@@ -209,8 +209,6 @@ int MAIN(int argc, char **argv)
 			engine= *(++argv);
         		e = setup_engine(bio_err, engine, 0);
 			}
-		else if (strcmp(*argv,"-engine_impl") == 0)
-			engine_impl = 1;
 #endif
 		else if (strcmp(*argv,"-hex") == 0)
 			out_bin = 0;
@@ -220,6 +218,8 @@ int MAIN(int argc, char **argv)
 			debug=1;
 		else if (!strcmp(*argv,"-fips-fingerprint"))
 			hmac_key = "etaonrishdlcupfm";
+		else if (strcmp(*argv,"-non-fips-allow") == 0)
+			non_fips_allow=1;
 		else if (!strcmp(*argv,"-hmac"))
 			{
 			if (--argc < 1)
@@ -291,11 +291,6 @@ int MAIN(int argc, char **argv)
 		goto end;
 		}
 
-#ifndef OPENSSL_NO_ENGINE
-	if (engine_impl)
-		impl = e;
-#endif
-
 	in=BIO_new(BIO_s_file());
 	bmd=BIO_new(BIO_f_md());
 	if (debug)
@@ -373,7 +368,7 @@ int MAIN(int argc, char **argv)
 		{
 		EVP_PKEY_CTX *mac_ctx = NULL;
 		int r = 0;
-		if (!init_gen_str(bio_err, &mac_ctx, mac_name, impl, 0))
+		if (!init_gen_str(bio_err, &mac_ctx, mac_name,e, 0))
 			goto mac_end;
 		if (macopts)
 			{
@@ -405,9 +400,16 @@ int MAIN(int argc, char **argv)
 			goto end;
 		}
 
+	if (non_fips_allow)
+		{
+		EVP_MD_CTX *md_ctx;
+		BIO_get_md_ctx(bmd,&md_ctx);
+		EVP_MD_CTX_set_flags(md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+		}
+
 	if (hmac_key)
 		{
-		sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, impl,
+		sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, e,
 					(unsigned char *)hmac_key, -1);
 		if (!sigkey)
 			goto end;
@@ -425,9 +427,9 @@ int MAIN(int argc, char **argv)
 			goto end;
 			}
 		if (do_verify)
-			r = EVP_DigestVerifyInit(mctx, &pctx, md, impl, sigkey);
+			r = EVP_DigestVerifyInit(mctx, &pctx, md, NULL, sigkey);
 		else
-			r = EVP_DigestSignInit(mctx, &pctx, md, impl, sigkey);
+			r = EVP_DigestSignInit(mctx, &pctx, md, NULL, sigkey);
 		if (!r)
 			{
 			BIO_printf(bio_err, "Error setting context\n");
@@ -454,16 +456,9 @@ int MAIN(int argc, char **argv)
 	/* we use md as a filter, reading from 'in' */
 	else
 		{
-		EVP_MD_CTX *mctx = NULL;
-		if (!BIO_get_md_ctx(bmd, &mctx))
-			{
-			BIO_printf(bio_err, "Error getting context\n");
-			ERR_print_errors(bio_err);
-			goto end;
-			}
 		if (md == NULL)
 			md = EVP_md5(); 
-		if (!EVP_DigestInit_ex(mctx, md, impl))
+		if (!BIO_set_md(bmd,md))
 			{
 			BIO_printf(bio_err, "Error setting digest %s\n", pname);
 			ERR_print_errors(bio_err);

apps/dhparam.c

@@ -332,7 +332,6 @@ bad:
 			BIO_printf(bio_err,"This is going to take a long time\n");
 			if(!dh || !DH_generate_parameters_ex(dh, num, g, &cb))
 				{
-				if(dh) DH_free(dh);
 				ERR_print_errors(bio_err);
 				goto end;
 				}

apps/dsaparam.c

@@ -118,7 +118,6 @@ int MAIN(int argc, char **argv)
 	char *infile,*outfile,*prog,*inrand=NULL;
 	int numbits= -1,num,genkey=0;
 	int need_rand=0;
-	int non_fips_allow = 0;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine=NULL;
 #endif
@@ -196,8 +195,6 @@ int MAIN(int argc, char **argv)
 			}
 		else if (strcmp(*argv,"-noout") == 0)
 			noout=1;
-		else if (strcmp(*argv,"-non-fips-allow") == 0)
-			non_fips_allow = 1;
 		else if (sscanf(*argv,"%d",&num) == 1)
 			{
 			/* generate a key */
@@ -300,8 +297,6 @@ bad:
 			BIO_printf(bio_err,"Error allocating DSA object\n");
 			goto end;
 			}
-		if (non_fips_allow)
-			dsa->flags |= DSA_FLAG_NON_FIPS_ALLOW;
 		BIO_printf(bio_err,"Generating DSA parameters, %d bit long prime\n",num);
 	        BIO_printf(bio_err,"This could take some time\n");
 #ifdef GENCB_TEST
@@ -435,8 +430,6 @@ bad:
 
 		assert(need_rand);
 		if ((dsakey=DSAparams_dup(dsa)) == NULL) goto end;
-		if (non_fips_allow)
-			dsakey->flags |= DSA_FLAG_NON_FIPS_ALLOW;
 		if (!DSA_generate_key(dsakey))
 			{
 			ERR_print_errors(bio_err);

apps/ecparam.c

@@ -105,7 +105,7 @@
  *                    in the asn1 der encoding
  *                    possible values: named_curve (default)
  *                                     explicit
- * -no_seed         - if 'explicit' parameters are choosen do not use the seed
+ * -no_seed         - if 'explicit' parameters are chosen do not use the seed
  * -genkey          - generate ec key
  * -rand file       - files to use for random number input
  * -engine e        - use engine e, possibly a hardware device
@@ -286,7 +286,7 @@ bad:
 		BIO_printf(bio_err, "                                   "
 				" explicit\n");
 		BIO_printf(bio_err, " -no_seed          if 'explicit'"
-				" parameters are choosen do not"
+				" parameters are chosen do not"
 				" use the seed\n");
 		BIO_printf(bio_err, " -genkey           generate ec"
 				" key\n");

apps/enc.c

@@ -129,6 +129,7 @@ int MAIN(int argc, char **argv)
 	char *engine = NULL;
 #endif
 	const EVP_MD *dgst=NULL;
+	int non_fips_allow = 0;
 
 	apps_startup();
 
@@ -281,6 +282,8 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			md= *(++argv);
 			}
+		else if (strcmp(*argv,"-non-fips-allow") == 0)
+			non_fips_allow = 1;
 		else if	((argv[0][0] == '-') &&
 			((c=EVP_get_cipherbyname(&(argv[0][1]))) != NULL))
 			{
@@ -328,6 +331,12 @@ bad:
         setup_engine(bio_err, engine, 0);
 #endif
 
+	if (cipher && EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)
+		{
+		BIO_printf(bio_err, "AEAD ciphers not supported by the enc utility\n");
+		goto end;
+		}
+
 	if (md && (dgst=EVP_get_digestbyname(md)) == NULL)
 		{
 		BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
@@ -589,6 +598,11 @@ bad:
 		 */
 
 		BIO_get_cipher_ctx(benc, &ctx);
+
+		if (non_fips_allow)
+			EVP_CIPHER_CTX_set_flags(ctx,
+				EVP_CIPH_FLAG_NON_FIPS_ALLOW);
+
 		if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc))
 			{
 			BIO_printf(bio_err, "Error setting cipher %s\n",

apps/genrsa.c

@@ -78,7 +78,7 @@
 #include <openssl/pem.h>
 #include <openssl/rand.h>
 
-#define DEFBITS	512
+#define DEFBITS	1024
 #undef PROG
 #define PROG genrsa_main
 
@@ -93,7 +93,6 @@ int MAIN(int argc, char **argv)
 	ENGINE *e = NULL;
 #endif
 	int ret=1;
-	int non_fips_allow = 0;
 	int i,num=DEFBITS;
 	long l;
 	const EVP_CIPHER *enc=NULL;
@@ -186,8 +185,6 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			passargout= *(++argv);
 			}
-		else if (strcmp(*argv,"-non-fips-allow") == 0)
-			non_fips_allow = 1;
 		else
 			break;
 		argv++;
@@ -276,9 +273,6 @@ bad:
 	if (!rsa)
 		goto err;
 
-	if (non_fips_allow)
-		rsa->flags |= RSA_FLAG_NON_FIPS_ALLOW;
-
 	if(!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb))
 		goto err;
 		

apps/ocsp.c

@@ -127,6 +127,7 @@ int MAIN(int argc, char **argv)
 	ENGINE *e = NULL;
 	char **args;
 	char *host = NULL, *port = NULL, *path = "/";
+	char *thost = NULL, *tport = NULL, *tpath = NULL;
 	char *reqin = NULL, *respin = NULL;
 	char *reqout = NULL, *respout = NULL;
 	char *signfile = NULL, *keyfile = NULL;
@@ -204,6 +205,12 @@ int MAIN(int argc, char **argv)
 			}
 		else if (!strcmp(*args, "-url"))
 			{
+			if (thost)
+				OPENSSL_free(thost);
+			if (tport)
+				OPENSSL_free(tport);
+			if (tpath)
+				OPENSSL_free(tpath);
 			if (args[1])
 				{
 				args++;
@@ -212,6 +219,9 @@ int MAIN(int argc, char **argv)
 					BIO_printf(bio_err, "Error parsing URL\n");
 					badarg = 1;
 					}
+				thost = host;
+				tport = port;
+				tpath = path;
 				}
 			else badarg = 1;
 			}
@@ -617,7 +627,7 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "-ndays n	 	 number of days before next update\n");
 		BIO_printf (bio_err, "-resp_key_id       identify reponse by signing certificate key ID\n");
 		BIO_printf (bio_err, "-nrequest n        number of requests to accept (default unlimited)\n");
-		BIO_printf (bio_err, "-<dgst alg>     use specified digest in the request");
+		BIO_printf (bio_err, "-<dgst alg>     use specified digest in the request\n");
 		goto end;
 		}
 
@@ -920,12 +930,12 @@ end:
 	sk_X509_pop_free(verify_other, X509_free);
 	sk_CONF_VALUE_pop_free(headers, X509V3_conf_free);
 
-	if (use_ssl != -1)
-		{
-		OPENSSL_free(host);
-		OPENSSL_free(port);
-		OPENSSL_free(path);
-		}
+	if (thost)
+		OPENSSL_free(thost);
+	if (tport)
+		OPENSSL_free(tport);
+	if (tpath)
+		OPENSSL_free(tpath);
 
 	OPENSSL_EXIT(ret);
 }

apps/openssl-vms.cnf

@@ -145,7 +145,7 @@ localityName			= Locality Name (eg, city)
 organizationalUnitName		= Organizational Unit Name (eg, section)
 #organizationalUnitName_default	=
 
-commonName			= Common Name (eg, YOUR name)
+commonName			= Common Name (e.g. server FQDN or YOUR name)
 commonName_max			= 64
 
 emailAddress			= Email Address

apps/openssl.c

@@ -117,6 +117,7 @@
 #include "apps.h"
 #include <openssl/bio.h>
 #include <openssl/crypto.h>
+#include <openssl/rand.h>
 #include <openssl/lhash.h>
 #include <openssl/conf.h>
 #include <openssl/x509.h>

apps/openssl.cnf

@@ -145,7 +145,7 @@ localityName			= Locality Name (eg, city)
 organizationalUnitName		= Organizational Unit Name (eg, section)
 #organizationalUnitName_default	=
 
-commonName			= Common Name (eg, YOUR name)
+commonName			= Common Name (e.g. server FQDN or YOUR name)
 commonName_max			= 64
 
 emailAddress			= Email Address

apps/pkcs12.c

@@ -112,7 +112,7 @@ int MAIN(int argc, char **argv)
     int maciter = PKCS12_DEFAULT_ITER;
     int twopass = 0;
     int keytype = 0;
-    int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
+    int cert_pbe;
     int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
     int ret = 1;
     int macver = 1;
@@ -130,6 +130,13 @@ int MAIN(int argc, char **argv)
 
     apps_startup();
 
+#ifdef OPENSSL_FIPS
+    if (FIPS_mode())
+	cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+    else
+#endif
+    cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
+
     enc = EVP_des_ede3_cbc();
     if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
 

apps/privkey.pem

@@ -1,16 +1,18 @@
------BEGIN PRIVATE KEY-----
-MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAMo7DFNMqywUA1O/
-qvWqCOm6rGrUAcR+dKsSXw6y2qiKO7APDDyotc0b4Mxwqjga98npex2RBIwUoCGJ
-iEmMXo/a8RbXVUZ+ZwcAX7PC+XeXVC5qoajaBBkd2MvYmib/2PqnNrgvhHsUL5dO
-xhC7cRqxLM/g45k3Yyw+nGa+WkTdAgMBAAECgYBMBT5w4dVG0I8foGFnz+9hzWab
-Ee9IKjE5TcKmB93ilXQyjrWO5+zPmbc7ou6aAKk9IaPCTY1kCyzW7pho7Xdt+RFq
-TgVXGZZfqtixO7f2/5oqZAkd00eOn9ZrhBpVMu4yXbbDvhDyFe4/oy0HGDjRUhxa
-Lf6ZlBuTherxm4eFkQJBAPBQwRs9UtqaMAQlagA9pV5UsQjV1WT4IxDURMPfXgCd
-ETNkB6pP0SmxQm5xhv9N2HY1UtoWpug9s0OU5IJB15sCQQDXbfbjiujNbuOxCFNw
-68JZaCFVdNovyOWORkpenQLNEjVkmTCS9OayK09ADEYtsdpUGKeF+2EYBNkFr5px
-CajnAkBMYI4PNz1HBuwt1SpMa0tMoMQnV7bbwVV7usskKbC5pzHZUHhzM6z5gEHp
-0iEisT4Ty7zKXZqsgzefSgoaMAzzAkEAoCIaUhtwXzwdPfvNYnOs3J6doJMimECB
-+lbfcyLM8TimvadtRt+KGEg/OYGmLNM2UiqdY+duzdbUpvhYGcwvYwJAQvaoi9z2
-CkiwSs/PFrLaNlfLJmXRsUBzmiWYoh6+IQJJorEXz7ewI72ee9RBO4s746cgUFwH
-Ri+qO+HhZFUBqQ==
------END PRIVATE KEY-----
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,BA26229A1653B7FF
+
+6nhWG8PKhTPO/s3ZvjUa6226NlKdvPDZFsNXOOoSUs9ejxpb/aj5huhs6qRYzsz9
+Year47uaAZYhGD0vAagnNiBnYmjWEpN9G/wQxG7pgZThK1ZxDi63qn8aQ8UjuGHo
+F6RpnnBQIAnWTWqr/Qsybtc5EoNkrj/Cpx0OfbSr6gZsFBCxwX1R1hT3/mhJ45f3
+XMofY32Vdfx9/vtw1O7HmlHXQnXaqnbd9/nn1EpvFJG9+UjPoW7gV4jCOLuR4deE
+jS8hm+cpkwXmFtk3VGjT9tQXPpMv3JpYfBqgGQoMAJ5Toq0DWcHi6Wg08PsD8lgy
+vmTioPsRg+JGkJkJ8GnusgLpQdlQJbjzd7wGE6ElUFLfOxLo8bLlRHoriHNdWYhh
+JjY0LyeTkovcmWxVjImc6ZyBz5Ly4t0BYf1gq3OkjsV91Q1taBxnhiavfizqMCAf
+PPB3sLQnlXG77TOXkNxpqbZfEYrVZW2Nsqqdn8s07Uj4IMONZyq2odYKWFPMJBiM
+POYwXjMAOcmFMTHYsVlhcUJuV6LOuipw/FEbTtPH/MYMxLe4zx65dYo1rb4iLKLS
+gMtB0o/Wl4Xno3ZXh1ucicYnV2J7NpVcjVq+3SFiCRu2SrSkZHZ23EPS13Ec6fcz
+8X/YGA2vTJ8MAOozAzQUwHQYvLk7bIoQVekqDq4p0AZQbhdspHpArCk0Ifqqzg/v
+Uyky/zZiQYanzDenTSRVI/8wac3olxpU8QvbySxYqmbkgq6bTpXJfYFQfnAttEsC
+dA4S5UFgyOPZluxCAM4yaJF3Ft6neutNwftuJQMbgCUi9vYg2tGdSw==
+-----END RSA PRIVATE KEY-----

apps/progs.h

@@ -44,9 +44,9 @@ extern int smime_main(int argc,char *argv[]);
 extern int rand_main(int argc,char *argv[]);
 extern int engine_main(int argc,char *argv[]);
 extern int ocsp_main(int argc,char *argv[]);
-extern int srp_main(int argc,char *argv[]);
 extern int prime_main(int argc,char *argv[]);
 extern int ts_main(int argc,char *argv[]);
+extern int srp_main(int argc,char *argv[]);
 
 #define FUNC_TYPE_GENERAL	1
 #define FUNC_TYPE_MD		2
@@ -146,11 +146,11 @@ FUNCTION functions[] = {
 #ifndef OPENSSL_NO_OCSP
 	{FUNC_TYPE_GENERAL,"ocsp",ocsp_main},
 #endif
+	{FUNC_TYPE_GENERAL,"prime",prime_main},
+	{FUNC_TYPE_GENERAL,"ts",ts_main},
 #ifndef OPENSSL_NO_SRP
 	{FUNC_TYPE_GENERAL,"srp",srp_main},
 #endif
-	{FUNC_TYPE_GENERAL,"prime",prime_main},
-	{FUNC_TYPE_GENERAL,"ts",ts_main},
 #ifndef OPENSSL_NO_MD2
 	{FUNC_TYPE_MD,"md2",dgst_main},
 #endif

apps/progs.pl

@@ -51,6 +51,8 @@ foreach (@ARGV)
 		{ print "#ifndef OPENSSL_NO_CMS\n${str}#endif\n"; }
 	elsif ( ($_ =~ /^ocsp$/))
 		{ print "#ifndef OPENSSL_NO_OCSP\n${str}#endif\n"; }
+	elsif ( ($_ =~ /^srp$/))
+		{ print "#ifndef OPENSSL_NO_SRP\n${str}#endif\n"; }
 	else
 		{ print $str; }
 	}

apps/req.c

@@ -644,6 +644,11 @@ bad:
 		if (inrand)
 			app_RAND_load_files(inrand);
 
+		if (!NCONF_get_number(req_conf,SECTION,BITS, &newkey))
+			{
+			newkey=DEFAULT_KEY_LENGTH;
+			}
+
 		if (keyalg)
 			{
 			genctx = set_keygen_ctx(bio_err, keyalg, &pkey_type, &newkey,
@@ -652,12 +657,6 @@ bad:
 				goto end;
 			}
 	
-		if (newkey <= 0)
-			{
-			if (!NCONF_get_number(req_conf,SECTION,BITS, &newkey))
-				newkey=DEFAULT_KEY_LENGTH;
-			}
-
 		if (newkey < MIN_KEY_LENGTH && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA))
 			{
 			BIO_printf(bio_err,"private key length is too short,\n");
@@ -1490,7 +1489,13 @@ start:
 #ifdef CHARSET_EBCDIC
 	ebcdic2ascii(buf, buf, i);
 #endif
-	if(!req_check_len(i, n_min, n_max)) goto start;
+	if(!req_check_len(i, n_min, n_max))
+		{
+		if (batch || value)
+			return 0;
+		goto start;
+		}
+
 	if (!X509_NAME_add_entry_by_NID(n,nid, chtype,
 				(unsigned char *) buf, -1,-1,mval)) goto err;
 	ret=1;
@@ -1549,7 +1554,12 @@ start:
 #ifdef CHARSET_EBCDIC
 	ebcdic2ascii(buf, buf, i);
 #endif
-	if(!req_check_len(i, n_min, n_max)) goto start;
+	if(!req_check_len(i, n_min, n_max))
+		{
+		if (batch || value)
+			return 0;
+		goto start;
+		}
 
 	if(!X509_REQ_add1_attr_by_NID(req, nid, chtype,
 					(unsigned char *)buf, -1)) {
@@ -1649,6 +1659,8 @@ static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr, int *pkey_type,
 				keylen = atol(p + 1);
 				*pkeylen = keylen;
 				}
+			else
+				keylen = *pkeylen;
 			}
 		else if (p)
 			paramfile = p + 1;

apps/s_cb.c

@@ -237,8 +237,8 @@ int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file)
 
 		/* If we are using DSA, we can copy the parameters from
 		 * the private key */
-		
-		
+
+
 		/* Now we know that a key and cert have been set against
 		 * the SSL context */
 		if (!SSL_CTX_check_private_key(ctx))
@@ -360,6 +360,9 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *
 	case TLS1_1_VERSION:
 		str_version = "TLS 1.1 ";
 		break;
+	case TLS1_2_VERSION:
+		str_version = "TLS 1.2 ";
+		break;
 	case DTLS1_VERSION:
 		str_version = "DTLS 1.0 ";
 		break;
@@ -433,6 +436,8 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *
 
 	if (version == SSL3_VERSION ||
 	    version == TLS1_VERSION ||
+	    version == TLS1_1_VERSION ||
+	    version == TLS1_2_VERSION ||
 	    version == DTLS1_VERSION ||
 	    version == DTLS1_BAD_VER)
 		{
@@ -552,6 +557,9 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *
 				case 114:
 					str_details2 = " bad_certificate_hash_value";
 					break;
+				case 115:
+					str_details2 = " unknown_psk_identity";
+					break;
 					}
 				}
 			}
@@ -600,6 +608,26 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *
 					}
 				}
 			}
+
+#ifndef OPENSSL_NO_HEARTBEATS
+		if (content_type == 24) /* Heartbeat */
+			{
+			str_details1 = ", Heartbeat";
+			
+			if (len > 0)
+				{
+				switch (((const unsigned char*)buf)[0])
+					{
+				case 1:
+					str_details1 = ", HeartbeatRequest";
+					break;
+				case 2:
+					str_details1 = ", HeartbeatResponse";
+					break;
+					}
+				}
+			}
+#endif
 		}
 
 	BIO_printf(bio, "%s %s%s [length %04lx]%s%s\n", str_write_p, str_version, str_content_type, (unsigned long)len, str_details1, str_details2);
@@ -660,6 +688,22 @@ void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type,
 		extname = "status request";
 		break;
 
+		case TLSEXT_TYPE_user_mapping:
+		extname = "user mapping";
+		break;
+
+		case TLSEXT_TYPE_client_authz:
+		extname = "client authz";
+		break;
+
+		case TLSEXT_TYPE_server_authz:
+		extname = "server authz";
+		break;
+
+		case TLSEXT_TYPE_cert_type:
+		extname = "cert type";
+		break;
+
 		case TLSEXT_TYPE_elliptic_curves:
 		extname = "elliptic curves";
 		break;
@@ -668,23 +712,44 @@ void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type,
 		extname = "EC point formats";
 		break;
 
-		case TLSEXT_TYPE_session_ticket:
-		extname = "server ticket";
-		break;
-
-		case TLSEXT_TYPE_renegotiate:
-		extname = "renegotiate";
+		case TLSEXT_TYPE_srp:
+		extname = "SRP";
 		break;
 
 		case TLSEXT_TYPE_signature_algorithms:
 		extname = "signature algorithms";
 		break;
 
+		case TLSEXT_TYPE_use_srtp:
+		extname = "use SRTP";
+		break;
+
+		case TLSEXT_TYPE_heartbeat:
+		extname = "heartbeat";
+		break;
+
+		case TLSEXT_TYPE_session_ticket:
+		extname = "session ticket";
+		break;
+
+		case TLSEXT_TYPE_renegotiate: 
+		extname = "renegotiation info";
+		break;
+
 #ifdef TLSEXT_TYPE_opaque_prf_input
 		case TLSEXT_TYPE_opaque_prf_input:
 		extname = "opaque PRF input";
 		break;
 #endif
+#ifdef TLSEXT_TYPE_next_proto_neg
+		case TLSEXT_TYPE_next_proto_neg:
+		extname = "next protocol";
+		break;
+#endif
+
+		case TLSEXT_TYPE_padding:
+		extname = "TLS padding";
+		break;
 
 		default:
 		extname = "unknown";

apps/s_client.c

@@ -206,6 +206,9 @@ static int c_status_req=0;
 static int c_msg=0;
 static int c_showcerts=0;
 
+static char *keymatexportlabel=NULL;
+static int keymatexportlen=20;
+
 static void sc_usage(void);
 static void print_stuff(BIO *berr,SSL *con,int full);
 #ifndef OPENSSL_NO_TLSEXT
@@ -359,6 +362,11 @@ static void sc_usage(void)
 # endif
 #endif
 	BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
+#ifndef OPENSSL_NO_SRTP
+	BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
+#endif
+ 	BIO_printf(bio_err," -keymatexport label   - Export keying material using label\n");
+ 	BIO_printf(bio_err," -keymatexportlen len  - Export len bytes of keying material (default 20)\n");
 	}
 
 #ifndef OPENSSL_NO_TLSEXT
@@ -397,18 +405,18 @@ typedef struct srp_arg_st
 
 #define SRP_NUMBER_ITERATIONS_FOR_PRIME 64
 
-static int SRP_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g)
+static int srp_Verify_N_and_g(BIGNUM *N, BIGNUM *g)
 	{
 	BN_CTX *bn_ctx = BN_CTX_new();
 	BIGNUM *p = BN_new();
 	BIGNUM *r = BN_new();
 	int ret =
 		g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) &&
-		BN_is_prime_ex(N,SRP_NUMBER_ITERATIONS_FOR_PRIME,bn_ctx,NULL) &&
+		BN_is_prime_ex(N, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
 		p != NULL && BN_rshift1(p, N) &&
 
 		/* p = (N-1)/2 */
-		BN_is_prime_ex(p,SRP_NUMBER_ITERATIONS_FOR_PRIME,bn_ctx,NULL) &&
+		BN_is_prime_ex(p, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) &&
 		r != NULL &&
 
 		/* verify g^((N-1)/2) == -1 (mod N) */
@@ -425,6 +433,21 @@ static int SRP_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g)
 	return ret;
 	}
 
+/* This callback is used here for two purposes:
+   - extended debugging
+   - making some primality tests for unknown groups
+   The callback is only called for a non default group.
+
+   An application does not need the call back at all if
+   only the stanard groups are used.  In real life situations, 
+   client and server already share well known groups, 
+   thus there is no need to verify them. 
+   Furthermore, in case that a server actually proposes a group that
+   is not one of those defined in RFC 5054, it is more appropriate 
+   to add the group to a static list and then compare since 
+   primality tests are rather cpu consuming.
+*/
+
 static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg)
 	{
 	SRP_ARG *srp_arg = (SRP_ARG *)arg;
@@ -447,11 +470,11 @@ static int MS_CALLBACK ssl_srp_verify_param_cb(SSL *s, void *arg)
 		if (srp_arg->debug)
 			BIO_printf(bio_err, "SRP param N and g are not known params, going to check deeper.\n");
 
-/* The srp_moregroups must be used with caution, testing primes costs time. 
+/* The srp_moregroups is a real debugging feature.
    Implementors should rather add the value to the known ones.
    The minimal size has already been tested.
 */
-		if (BN_num_bits(g) <= BN_BITS && SRP_Verify_N_and_g(N,g))
+		if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N,g))
 			return 1;
 		}	
 	BIO_printf(bio_err, "SRP param N and g rejected.\n");
@@ -480,12 +503,9 @@ static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
 	return pass;
 	}
 
-static char * MS_CALLBACK missing_srp_username_callback(SSL *s, void *arg)
-	{
-	SRP_ARG *srp_arg = (SRP_ARG *)arg;
-	return BUF_strdup(srp_arg->srplogin);
-	}
-
+#endif
+#ifndef OPENSSL_NO_SRTP
+	char *srtp_profiles = NULL;
 #endif
 
 # ifndef OPENSSL_NO_NEXTPROTONEG
@@ -606,13 +626,7 @@ int MAIN(int argc, char **argv)
 	SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
 #endif
 
-#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
 	meth=SSLv23_client_method();
-#elif !defined(OPENSSL_NO_SSL3)
-	meth=SSLv3_client_method();
-#elif !defined(OPENSSL_NO_SSL2)
-	meth=SSLv2_client_method();
-#endif
 
 	apps_startup();
 	c_Pause=0;
@@ -747,7 +761,7 @@ int MAIN(int argc, char **argv)
 			psk_key=*(++argv);
 			for (j = 0; j < strlen(psk_key); j++)
                                 {
-                                if (isxdigit((int)psk_key[j]))
+                                if (isxdigit((unsigned char)psk_key[j]))
                                         continue;
                                 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
                                 goto bad;
@@ -935,7 +949,25 @@ int MAIN(int argc, char **argv)
 			jpake_secret = *++argv;
 			}
 #endif
-		else
+#ifndef OPENSSL_NO_SRTP
+		else if (strcmp(*argv,"-use_srtp") == 0)
+			{
+			if (--argc < 1) goto bad;
+			srtp_profiles = *(++argv);
+			}
+#endif
+		else if (strcmp(*argv,"-keymatexport") == 0)
+			{
+			if (--argc < 1) goto bad;
+			keymatexportlabel= *(++argv);
+			}
+		else if (strcmp(*argv,"-keymatexportlen") == 0)
+			{
+			if (--argc < 1) goto bad;
+			keymatexportlen=atoi(*(++argv));
+			if (keymatexportlen == 0) goto bad;
+			}
+                else
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
 			badop=1;
@@ -961,14 +993,13 @@ bad:
 			goto end;
 			}
 		psk_identity = "JPAKE";
+		if (cipher)
+			{
+			BIO_printf(bio_err, "JPAKE sets cipher to PSK\n");
+			goto end;
+			}
+		cipher = "PSK";
 		}
-
-	if (cipher)
-		{
-		BIO_printf(bio_err, "JPAKE sets cipher to PSK\n");
-		goto end;
-		}
-	cipher = "PSK";
 #endif
 
 	OpenSSL_add_ssl_algorithms();
@@ -1105,6 +1136,10 @@ bad:
 			BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n");
 		SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
 		}
+#endif
+#ifndef OPENSSL_NO_SRTP
+	if (srtp_profiles != NULL)
+		SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
 #endif
 	if (bugs)
 		SSL_CTX_set_options(ctx,SSL_OP_ALL|off);
@@ -1157,9 +1192,7 @@ bad:
 #ifndef OPENSSL_NO_SRP
         if (srp_arg.srplogin)
 		{
-		if (srp_lateuser) 
-			SSL_CTX_set_srp_missing_srp_username_callback(ctx,missing_srp_username_callback);
-		else if (!SSL_CTX_set_srp_username(ctx, srp_arg.srplogin))
+		if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin))
 			{
 			BIO_printf(bio_err,"Unable to set SRP username\n");
 			goto end;
@@ -1830,6 +1863,14 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240
 				SSL_renegotiate(con);
 				cbuf_len=0;
 				}
+#ifndef OPENSSL_NO_HEARTBEATS
+			else if ((!c_ign_eof) && (cbuf[0] == 'B'))
+ 				{
+				BIO_printf(bio_err,"HEARTBEATING\n");
+				SSL_heartbeat(con);
+				cbuf_len=0;
+				}
+#endif
 			else
 				{
 				cbuf_len=i;
@@ -1857,6 +1898,10 @@ end:
 			print_stuff(bio_c_out,con,1);
 		SSL_free(con);
 		}
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+	if (next_proto.data)
+		OPENSSL_free(next_proto.data);
+#endif
 	if (ctx != NULL) SSL_CTX_free(ctx);
 	if (cert)
 		X509_free(cert);
@@ -1864,6 +1909,8 @@ end:
 		EVP_PKEY_free(key);
 	if (pass)
 		OPENSSL_free(pass);
+	if (vpm)
+		X509_VERIFY_PARAM_free(vpm);
 	if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
 	if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
 	if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
@@ -1891,6 +1938,7 @@ static void print_stuff(BIO *bio, SSL *s, int full)
 #ifndef OPENSSL_NO_COMP
 	const COMP_METHOD *comp, *expansion;
 #endif
+	unsigned char *exportedkeymat;
 
 	if (full)
 		{
@@ -2003,18 +2051,7 @@ static void print_stuff(BIO *bio, SSL *s, int full)
 	BIO_printf(bio,"Expansion: %s\n",
 		expansion ? SSL_COMP_get_name(expansion) : "NONE");
 #endif
-
-#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
-	if (next_proto.status != -1) {
-		const unsigned char *proto;
-		unsigned int proto_len;
-		SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
-		BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
-		BIO_write(bio, proto, proto_len);
-		BIO_write(bio, "\n", 1);
-	}
-#endif
-
+ 
 #ifdef SSL_DEBUG
 	{
 	/* Print out local port of connection: useful for debugging */
@@ -2027,7 +2064,55 @@ static void print_stuff(BIO *bio, SSL *s, int full)
 	}
 #endif
 
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+	if (next_proto.status != -1) {
+		const unsigned char *proto;
+		unsigned int proto_len;
+		SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
+		BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
+		BIO_write(bio, proto, proto_len);
+		BIO_write(bio, "\n", 1);
+	}
+#endif
+
+#ifndef OPENSSL_NO_SRTP
+ 	{
+ 	SRTP_PROTECTION_PROFILE *srtp_profile=SSL_get_selected_srtp_profile(s);
+ 
+	if(srtp_profile)
+		BIO_printf(bio,"SRTP Extension negotiated, profile=%s\n",
+			   srtp_profile->name);
+	}
+#endif
+ 
 	SSL_SESSION_print(bio,SSL_get_session(s));
+	if (keymatexportlabel != NULL)
+		{
+		BIO_printf(bio, "Keying material exporter:\n");
+		BIO_printf(bio, "    Label: '%s'\n", keymatexportlabel);
+		BIO_printf(bio, "    Length: %i bytes\n", keymatexportlen);
+		exportedkeymat = OPENSSL_malloc(keymatexportlen);
+		if (exportedkeymat != NULL)
+			{
+			if (!SSL_export_keying_material(s, exportedkeymat,
+						        keymatexportlen,
+						        keymatexportlabel,
+						        strlen(keymatexportlabel),
+						        NULL, 0, 0))
+				{
+				BIO_printf(bio, "    Error\n");
+				}
+			else
+				{
+				BIO_printf(bio, "    Keying material: ");
+				for (i=0; i<keymatexportlen; i++)
+					BIO_printf(bio, "%02X",
+						   exportedkeymat[i]);
+				BIO_printf(bio, "\n");
+				}
+			OPENSSL_free(exportedkeymat);
+			}
+		}
 	BIO_printf(bio,"---\n");
 	if (peer != NULL)
 		X509_free(peer);

apps/s_server.c

@@ -204,7 +204,6 @@ typedef unsigned int u_int;
 #ifndef OPENSSL_NO_RSA
 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength);
 #endif
-static int not_resumable_sess_cb(SSL *s, int is_forward_secure);
 static int sv_body(char *hostname, int s, unsigned char *context);
 static int www_body(char *hostname, int s, unsigned char *context);
 static void close_accept_socket(void );
@@ -213,8 +212,6 @@ static int init_ssl_connection(SSL *s);
 static void print_stats(BIO *bp,SSL_CTX *ctx);
 static int generate_session_id(const SSL *ssl, unsigned char *id,
 				unsigned int *id_len);
-static void init_session_cache_ctx(SSL_CTX *sctx);
-static void free_sessions(void);
 #ifndef OPENSSL_NO_DH
 static DH *load_dh_param(const char *dhfile);
 static DH *get_dh512(void);
@@ -293,10 +290,12 @@ static int s_tlsextdebug=0;
 static int s_tlsextstatus=0;
 static int cert_status_cb(SSL *s, void *arg);
 #endif
-static int no_resume_ephemeral = 0;
 static int s_msg=0;
 static int s_quiet=0;
 
+static char *keymatexportlabel=NULL;
+static int keymatexportlen=20;
+
 static int hack=0;
 #ifndef OPENSSL_NO_ENGINE
 static char *engine_id=NULL;
@@ -309,6 +308,7 @@ static long socket_mtu;
 static int cert_chain = 0;
 #endif
 
+
 #ifndef OPENSSL_NO_PSK
 static char *psk_identity="Client_identity";
 char *psk_key=NULL; /* by default PSK is not used */
@@ -380,31 +380,43 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity,
 /* This is a context that we pass to callbacks */
 typedef struct srpsrvparm_st
 	{
-	int verbose;
 	char *login;
 	SRP_VBASE *vb;
+	SRP_user_pwd *user;
 	} srpsrvparm;
 
+/* This callback pretends to require some asynchronous logic in order to obtain
+   a verifier. When the callback is called for a new connection we return
+   with a negative value. This will provoke the accept etc to return with
+   an LOOKUP_X509. The main logic of the reinvokes the suspended call 
+   (which would normally occur after a worker has finished) and we
+   set the user parameters. 
+*/
 static int MS_CALLBACK ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
 	{
-	srpsrvparm *p = arg;
-	SRP_user_pwd *user;
+	srpsrvparm *p = (srpsrvparm *)arg;
+	if (p->login == NULL && p->user == NULL )
+		{
+		p->login = SSL_get_srp_username(s);
+		BIO_printf(bio_err, "SRP username = \"%s\"\n", p->login);
+		return (-1) ;
+		}
 
-	p->login = BUF_strdup(SSL_get_srp_username(s));
-	BIO_printf(bio_err, "SRP username = \"%s\"\n", p->login);
-
-	user = SRP_VBASE_get_by_user(p->vb, p->login);	
-	if (user == NULL)
+	if (p->user == NULL)
 		{
 		BIO_printf(bio_err, "User %s doesn't exist\n", p->login);
 		return SSL3_AL_FATAL;
 		}
-	if (SSL_set_srp_server_param(s, user->N, user->g, user->s, user->v,
-				     user->info) < 0)
+	if (SSL_set_srp_server_param(s, p->user->N, p->user->g, p->user->s, p->user->v,
+				     p->user->info) < 0)
 		{
 		*ad = SSL_AD_INTERNAL_ERROR;
 		return SSL3_AL_FATAL;
 		}
+	BIO_printf(bio_err, "SRP parameters set: username = \"%s\" info=\"%s\" \n", p->login,p->user->info);
+	/* need to check whether there are memory leaks */
+	p->user = NULL;
+	p->login = NULL;
 	return SSL_ERROR_NONE;
 	}
 
@@ -521,7 +533,6 @@ static void sv_usage(void)
 #ifndef OPENSSL_NO_ECDH
 	BIO_printf(bio_err," -no_ecdhe     - Disable ephemeral ECDH\n");
 #endif
-	BIO_printf(bio_err, "-no_resume_ephemeral - Disable caching and tickets if ephemeral (EC)DH is used\n");
 	BIO_printf(bio_err," -bugs         - Turn on SSL bug compatibility\n");
 	BIO_printf(bio_err," -www          - Respond to a 'GET /' with a status page\n");
 	BIO_printf(bio_err," -WWW          - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
@@ -545,7 +556,12 @@ static void sv_usage(void)
 # ifndef OPENSSL_NO_NEXTPROTONEG
 	BIO_printf(bio_err," -nextprotoneg arg - set the advertised protocols for the NPN extension (comma-separated list)\n");
 # endif
+# ifndef OPENSSL_NO_SRTP
+        BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
+# endif
 #endif
+	BIO_printf(bio_err," -keymatexport label   - Export keying material using label\n");
+	BIO_printf(bio_err," -keymatexportlen len  - Export len bytes of keying material (default 20)\n");
 	}
 
 static int local_argc=0;
@@ -896,20 +912,22 @@ static int next_proto_cb(SSL *s, const unsigned char **data, unsigned int *len,
 
 	return SSL_TLSEXT_ERR_OK;
 	}
-# endif  /* ndef OPENSSL_NO_NPN */
-#endif
+# endif  /* ndef OPENSSL_NO_NEXTPROTONEG */
 
-static int not_resumable_sess_cb(SSL *s, int is_forward_secure)
-	{
-	/* disable resumption for sessions with forward secure ciphers */
-	return is_forward_secure;
-	}
+
+#endif
 
 int MAIN(int, char **);
 
 #ifndef OPENSSL_NO_JPAKE
 static char *jpake_secret = NULL;
 #endif
+#ifndef OPENSSL_NO_SRP
+	static srpsrvparm srp_callback_parm;
+#endif
+#ifndef OPENSSL_NO_SRTP
+static char *srtp_profiles = NULL;
+#endif
 
 int MAIN(int argc, char *argv[])
 	{
@@ -937,12 +955,10 @@ int MAIN(int argc, char *argv[])
 	int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
 	X509 *s_cert = NULL, *s_dcert = NULL;
 	EVP_PKEY *s_key = NULL, *s_dkey = NULL;
-	int no_cache = 0, ext_cache = 0;
+	int no_cache = 0;
 #ifndef OPENSSL_NO_TLSEXT
 	EVP_PKEY *s_key2 = NULL;
 	X509 *s_cert2 = NULL;
-#endif
-#ifndef OPENSSL_NO_TLSEXT
         tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING};
 # ifndef OPENSSL_NO_NEXTPROTONEG
 	const char *next_proto_neg_in = NULL;
@@ -956,19 +972,8 @@ int MAIN(int argc, char *argv[])
 #ifndef OPENSSL_NO_SRP
 	char *srpuserseed = NULL;
 	char *srp_verifier_file = NULL;
-	srpsrvparm p;
 #endif
-#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
 	meth=SSLv23_server_method();
-#elif !defined(OPENSSL_NO_SSL3)
-	meth=SSLv3_server_method();
-#elif !defined(OPENSSL_NO_SSL2)
-	meth=SSLv2_server_method();
-#elif !defined(OPENSSL_NO_TLS1)
-	meth=TLSv1_server_method();
-#else
-  /*  #error no SSL version enabled */
-#endif
 
 	local_argc=argc;
 	local_argv=argv;
@@ -1095,8 +1100,6 @@ int MAIN(int argc, char *argv[])
 			}
 		else if (strcmp(*argv,"-no_cache") == 0)
 			no_cache = 1;
-		else if (strcmp(*argv,"-ext_cache") == 0)
-			ext_cache = 1;
 		else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
 			{
 			if (badarg)
@@ -1181,8 +1184,6 @@ int MAIN(int argc, char *argv[])
 			{ no_dhe=1; }
 		else if	(strcmp(*argv,"-no_ecdhe") == 0)
 			{ no_ecdhe=1; }
-		else if (strcmp(*argv,"-no_resume_ephemeral") == 0)
-			{ no_resume_ephemeral = 1; }
 #ifndef OPENSSL_NO_PSK
                 else if (strcmp(*argv,"-psk_hint") == 0)
 			{
@@ -1197,7 +1198,7 @@ int MAIN(int argc, char *argv[])
 			psk_key=*(++argv);
 			for (i=0; i<strlen(psk_key); i++)
 				{
-				if (isxdigit((int)psk_key[i]))
+				if (isxdigit((unsigned char)psk_key[i]))
 					continue;
 				BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
 				goto bad;
@@ -1228,12 +1229,12 @@ int MAIN(int argc, char *argv[])
 			{ off|=SSL_OP_NO_SSLv2; }
 		else if	(strcmp(*argv,"-no_ssl3") == 0)
 			{ off|=SSL_OP_NO_SSLv3; }
-		else if	(strcmp(*argv,"-no_tls1_2") == 0)
-			{ off|=SSL_OP_NO_TLSv1_2; }
-		else if	(strcmp(*argv,"-no_tls1_1") == 0)
-			{ off|=SSL_OP_NO_TLSv1_1; }
 		else if	(strcmp(*argv,"-no_tls1") == 0)
 			{ off|=SSL_OP_NO_TLSv1; }
+		else if	(strcmp(*argv,"-no_tls1_1") == 0)
+			{ off|=SSL_OP_NO_TLSv1_1; }
+		else if	(strcmp(*argv,"-no_tls1_2") == 0)
+			{ off|=SSL_OP_NO_TLSv1_2; }
 		else if	(strcmp(*argv,"-no_comp") == 0)
 			{ off|=SSL_OP_NO_COMPRESSION; }
 #ifndef OPENSSL_NO_TLSEXT
@@ -1249,14 +1250,12 @@ int MAIN(int argc, char *argv[])
 			{ meth=SSLv3_server_method(); }
 #endif
 #ifndef OPENSSL_NO_TLS1
-		else if	(strcmp(*argv,"-tls1_2") == 0)
-			{ meth=TLSv1_2_server_method(); }
-		else if	(strcmp(*argv,"-tls1_1") == 0)
-			{ meth=TLSv1_1_server_method(); }
 		else if	(strcmp(*argv,"-tls1") == 0)
 			{ meth=TLSv1_server_method(); }
 		else if	(strcmp(*argv,"-tls1_1") == 0)
 			{ meth=TLSv1_1_server_method(); }
+		else if	(strcmp(*argv,"-tls1_2") == 0)
+			{ meth=TLSv1_2_server_method(); }
 #endif
 #ifndef OPENSSL_NO_DTLS1
 		else if	(strcmp(*argv,"-dtls1") == 0)
@@ -1324,6 +1323,24 @@ int MAIN(int argc, char *argv[])
 			jpake_secret = *(++argv);
 			}
 #endif
+#ifndef OPENSSL_NO_SRTP
+		else if (strcmp(*argv,"-use_srtp") == 0)
+			{
+			if (--argc < 1) goto bad;
+			srtp_profiles = *(++argv);
+			}
+#endif
+		else if (strcmp(*argv,"-keymatexport") == 0)
+			{
+			if (--argc < 1) goto bad;
+			keymatexportlabel= *(++argv);
+			}
+		else if (strcmp(*argv,"-keymatexportlen") == 0)
+			{
+			if (--argc < 1) goto bad;
+			keymatexportlen=atoi(*(++argv));
+			if (keymatexportlen == 0) goto bad;
+			}
 		else
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
@@ -1420,24 +1437,24 @@ bad:
 				goto end;
 				}
 			}
-# ifndef OPENSSL_NO_NEXTPROTONEG
-		if (next_proto_neg_in)
-			{
-			unsigned short len;
-			next_proto.data = next_protos_parse(&len,
-				next_proto_neg_in);
-			if (next_proto.data == NULL)
-				goto end;
-			next_proto.len = len;
-			}
-		else
-			{
-			next_proto.data = NULL;
-			}
-# endif
 #endif
 		}
 
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 
+	if (next_proto_neg_in)
+		{
+		unsigned short len;
+		next_proto.data = next_protos_parse(&len, next_proto_neg_in);
+		if (next_proto.data == NULL)
+			goto end;
+		next_proto.len = len;
+		}
+	else
+		{
+		next_proto.data = NULL;
+		}
+#endif
+
 
 	if (s_dcert_file)
 		{
@@ -1535,11 +1552,14 @@ bad:
 	if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
 	if (no_cache)
 		SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
-	else if (ext_cache)
-		init_session_cache_ctx(ctx);
 	else
 		SSL_CTX_sess_set_cache_size(ctx,128);
 
+#ifndef OPENSSL_NO_SRTP
+	if (srtp_profiles != NULL)
+		SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
+#endif
+
 #if 0
 	if (cipher == NULL) cipher=getenv("SSL_CIPHER");
 #endif
@@ -1606,8 +1626,6 @@ bad:
 
 		if (no_cache)
 			SSL_CTX_set_session_cache_mode(ctx2,SSL_SESS_CACHE_OFF);
-		else if (ext_cache)
-			init_session_cache_ctx(ctx2);
 		else
 			SSL_CTX_sess_set_cache_size(ctx2,128);
 
@@ -1719,7 +1737,7 @@ bad:
 		}
 #endif
 	
-	if (!set_cert_key_stuff(ctx,s_cert,s_key))
+	if (!set_cert_key_stuff(ctx, s_cert, s_key))
 		goto end;
 #ifndef OPENSSL_NO_TLSEXT
 	if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2))
@@ -1727,7 +1745,7 @@ bad:
 #endif
 	if (s_dcert != NULL)
 		{
-		if (!set_cert_key_stuff(ctx,s_dcert,s_dkey))
+		if (!set_cert_key_stuff(ctx, s_dcert, s_dkey))
 			goto end;
 		}
 
@@ -1772,15 +1790,6 @@ bad:
 #endif
 #endif
 
-	if (no_resume_ephemeral)
-		{
-		SSL_CTX_set_not_resumable_session_callback(ctx, not_resumable_sess_cb);
-#ifndef OPENSSL_NO_TLSEXT
-		if (ctx2)
-			SSL_CTX_set_not_resumable_session_callback(ctx2, not_resumable_sess_cb);
-#endif
-		}
-
 #ifndef OPENSSL_NO_PSK
 #ifdef OPENSSL_NO_JPAKE
 	if (psk_key != NULL)
@@ -1844,16 +1853,18 @@ bad:
 #ifndef OPENSSL_NO_SRP
 	if (srp_verifier_file != NULL)
 		{
-		p.vb = SRP_VBASE_new(srpuserseed);
-		if ((ret = SRP_VBASE_init(p.vb, srp_verifier_file)) != SRP_NO_ERROR)
+		srp_callback_parm.vb = SRP_VBASE_new(srpuserseed);
+		srp_callback_parm.user = NULL;
+		srp_callback_parm.login = NULL;
+		if ((ret = SRP_VBASE_init(srp_callback_parm.vb, srp_verifier_file)) != SRP_NO_ERROR)
 			{
 			BIO_printf(bio_err,
-					   "Cannot initialize SRP verifier file \"%s\":ret=%d\n",
-					   srp_verifier_file,ret);
+				   "Cannot initialize SRP verifier file \"%s\":ret=%d\n",
+				   srp_verifier_file, ret);
 				goto end;
 			}
 		SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE,verify_callback);
-		SSL_CTX_set_srp_cb_arg(ctx, &p);  			
+		SSL_CTX_set_srp_cb_arg(ctx, &srp_callback_parm);  			
 		SSL_CTX_set_srp_username_callback(ctx, ssl_srp_server_param_cb);
 		}
 	else
@@ -1889,8 +1900,15 @@ end:
 		OPENSSL_free(pass);
 	if (dpass)
 		OPENSSL_free(dpass);
-	free_sessions();
+	if (vpm)
+		X509_VERIFY_PARAM_free(vpm);
 #ifndef OPENSSL_NO_TLSEXT
+	if (tlscstatp.host)
+		OPENSSL_free(tlscstatp.host);
+	if (tlscstatp.port)
+		OPENSSL_free(tlscstatp.port);
+	if (tlscstatp.path)
+		OPENSSL_free(tlscstatp.path);
 	if (ctx2 != NULL) SSL_CTX_free(ctx2);
 	if (s_cert2)
 		X509_free(s_cert2);
@@ -2179,6 +2197,16 @@ static int sv_body(char *hostname, int s, unsigned char *context)
 					goto err;
 					}
 
+#ifndef OPENSSL_NO_HEARTBEATS
+				if ((buf[0] == 'B') &&
+					((buf[1] == '\n') || (buf[1] == '\r')))
+					{
+					BIO_printf(bio_err,"HEARTBEATING\n");
+					SSL_heartbeat(con);
+					i=0;
+					continue;
+					}
+#endif
 				if ((buf[0] == 'r') && 
 					((buf[1] == '\n') || (buf[1] == '\r')))
 					{
@@ -2222,6 +2250,18 @@ static int sv_body(char *hostname, int s, unsigned char *context)
 { static count=0; if (++count == 100) { count=0; SSL_renegotiate(con); } }
 #endif
 				k=SSL_write(con,&(buf[l]),(unsigned int)i);
+#ifndef OPENSSL_NO_SRP
+				while (SSL_get_error(con,k) == SSL_ERROR_WANT_X509_LOOKUP)
+					{
+					BIO_printf(bio_s_out,"LOOKUP renego during write\n");
+					srp_callback_parm.user = SRP_VBASE_get_by_user(srp_callback_parm.vb, srp_callback_parm.login); 
+					if (srp_callback_parm.user) 
+						BIO_printf(bio_s_out,"LOOKUP done %s\n",srp_callback_parm.user->info);
+					else 
+						BIO_printf(bio_s_out,"LOOKUP not successful\n");
+						k=SSL_write(con,&(buf[l]),(unsigned int)i);
+					}
+#endif
 				switch (SSL_get_error(con,k))
 					{
 				case SSL_ERROR_NONE:
@@ -2269,6 +2309,18 @@ static int sv_body(char *hostname, int s, unsigned char *context)
 				{
 again:	
 				i=SSL_read(con,(char *)buf,bufsize);
+#ifndef OPENSSL_NO_SRP
+				while (SSL_get_error(con,i) == SSL_ERROR_WANT_X509_LOOKUP)
+					{
+					BIO_printf(bio_s_out,"LOOKUP renego during read\n");
+					srp_callback_parm.user = SRP_VBASE_get_by_user(srp_callback_parm.vb, srp_callback_parm.login); 
+					if (srp_callback_parm.user) 
+						BIO_printf(bio_s_out,"LOOKUP done %s\n",srp_callback_parm.user->info);
+					else 
+						BIO_printf(bio_s_out,"LOOKUP not successful\n");
+					i=SSL_read(con,(char *)buf,bufsize);
+					}
+#endif
 				switch (SSL_get_error(con,i))
 					{
 				case SSL_ERROR_NONE:
@@ -2281,7 +2333,6 @@ again:
 					break;
 				case SSL_ERROR_WANT_WRITE:
 				case SSL_ERROR_WANT_READ:
-				case SSL_ERROR_WANT_X509_LOOKUP:
 					BIO_printf(bio_s_out,"Read BLOCK\n");
 					break;
 				case SSL_ERROR_SYSCALL:
@@ -2336,15 +2387,30 @@ static int init_ssl_connection(SSL *con)
 	X509 *peer;
 	long verify_error;
 	MS_STATIC char buf[BUFSIZ];
+#ifndef OPENSSL_NO_KRB5
+	char *client_princ;
+#endif
 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
 	const unsigned char *next_proto_neg;
 	unsigned next_proto_neg_len;
 #endif
-#ifndef OPENSSL_NO_KRB5
-	char *client_princ;
-#endif
+	unsigned char *exportedkeymat;
 
-	if ((i=SSL_accept(con)) <= 0)
+
+	i=SSL_accept(con);
+#ifndef OPENSSL_NO_SRP
+	while (i <= 0 &&  SSL_get_error(con,i) == SSL_ERROR_WANT_X509_LOOKUP) 
+		{
+			BIO_printf(bio_s_out,"LOOKUP during accept %s\n",srp_callback_parm.login);
+			srp_callback_parm.user = SRP_VBASE_get_by_user(srp_callback_parm.vb, srp_callback_parm.login); 
+			if (srp_callback_parm.user) 
+				BIO_printf(bio_s_out,"LOOKUP done %s\n",srp_callback_parm.user->info);
+			else 
+				BIO_printf(bio_s_out,"LOOKUP not successful\n");
+			i=SSL_accept(con);
+		}
+#endif
+	if (i <= 0)
 		{
 		if (BIO_sock_should_retry(i))
 			{
@@ -2382,6 +2448,7 @@ static int init_ssl_connection(SSL *con)
 		BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf);
 	str=SSL_CIPHER_get_name(SSL_get_current_cipher(con));
 	BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)");
+
 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
 	SSL_get0_next_proto_negotiated(con, &next_proto_neg, &next_proto_neg_len);
 	if (next_proto_neg)
@@ -2390,11 +2457,22 @@ static int init_ssl_connection(SSL *con)
 		BIO_write(bio_s_out, next_proto_neg, next_proto_neg_len);
 		BIO_printf(bio_s_out, "\n");
 		}
+#endif
+#ifndef OPENSSL_NO_SRTP
+	{
+	SRTP_PROTECTION_PROFILE *srtp_profile
+	  = SSL_get_selected_srtp_profile(con);
+
+	if(srtp_profile)
+		BIO_printf(bio_s_out,"SRTP Extension negotiated, profile=%s\n",
+			   srtp_profile->name);
+	}
 #endif
 	if (SSL_cache_hit(con)) BIO_printf(bio_s_out,"Reused session-id\n");
 	if (SSL_ctrl(con,SSL_CTRL_GET_FLAGS,0,NULL) &
 		TLS1_FLAGS_TLS_PADDING_BUG)
-		BIO_printf(bio_s_out,"Peer has incorrect TLSv1 block padding\n");
+		BIO_printf(bio_s_out,
+			   "Peer has incorrect TLSv1 block padding\n");
 #ifndef OPENSSL_NO_KRB5
 	client_princ = kssl_ctx_get0_client_princ(SSL_get0_kssl_ctx(con));
 	if (client_princ != NULL)
@@ -2405,6 +2483,35 @@ static int init_ssl_connection(SSL *con)
 #endif /* OPENSSL_NO_KRB5 */
 	BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n",
 		      SSL_get_secure_renegotiation_support(con) ? "" : " NOT");
+	if (keymatexportlabel != NULL)
+		{
+		BIO_printf(bio_s_out, "Keying material exporter:\n");
+		BIO_printf(bio_s_out, "    Label: '%s'\n", keymatexportlabel);
+		BIO_printf(bio_s_out, "    Length: %i bytes\n",
+			   keymatexportlen);
+		exportedkeymat = OPENSSL_malloc(keymatexportlen);
+		if (exportedkeymat != NULL)
+			{
+			if (!SSL_export_keying_material(con, exportedkeymat,
+						        keymatexportlen,
+						        keymatexportlabel,
+						        strlen(keymatexportlabel),
+						        NULL, 0, 0))
+				{
+				BIO_printf(bio_s_out, "    Error\n");
+				}
+			else
+				{
+				BIO_printf(bio_s_out, "    Keying material: ");
+				for (i=0; i<keymatexportlen; i++)
+					BIO_printf(bio_s_out, "%02X",
+						   exportedkeymat[i]);
+				BIO_printf(bio_s_out, "\n");
+				}
+			OPENSSL_free(exportedkeymat);
+			}
+		}
+
 	return(1);
 	}
 
@@ -2422,6 +2529,9 @@ err:
 	return(ret);
 	}
 #endif
+#ifndef OPENSSL_NO_KRB5
+	char *client_princ;
+#endif
 
 #if 0
 static int load_CA(SSL_CTX *ctx, char *file)
@@ -2505,6 +2615,7 @@ static int www_body(char *hostname, int s, unsigned char *context)
 		}
 	SSL_set_bio(con,sbio,sbio);
 	SSL_set_accept_state(con);
+
 	/* SSL_set_fd(con,s); */
 	BIO_set_ssl(ssl_bio,con,BIO_CLOSE);
 	BIO_push(io,ssl_bio);
@@ -2529,7 +2640,18 @@ static int www_body(char *hostname, int s, unsigned char *context)
 		if (hack)
 			{
 			i=SSL_accept(con);
-
+#ifndef OPENSSL_NO_SRP
+			while (i <= 0 &&  SSL_get_error(con,i) == SSL_ERROR_WANT_X509_LOOKUP) 
+		{
+			BIO_printf(bio_s_out,"LOOKUP during accept %s\n",srp_callback_parm.login);
+			srp_callback_parm.user = SRP_VBASE_get_by_user(srp_callback_parm.vb, srp_callback_parm.login); 
+			if (srp_callback_parm.user) 
+				BIO_printf(bio_s_out,"LOOKUP done %s\n",srp_callback_parm.user->info);
+			else 
+				BIO_printf(bio_s_out,"LOOKUP not successful\n");
+			i=SSL_accept(con);
+		}
+#endif
 			switch (SSL_get_error(con,i))
 				{
 			case SSL_ERROR_NONE:
@@ -2585,32 +2707,6 @@ static int www_body(char *hostname, int s, unsigned char *context)
 			STACK_OF(SSL_CIPHER) *sk;
 			static const char *space="                          ";
 
-		if (www == 1 && strncmp("GET /reneg", buf, 10) == 0)
-			{
-			if (strncmp("GET /renegcert", buf, 14) == 0)
-				SSL_set_verify(con,
-				SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,NULL);
-			i=SSL_renegotiate(con);
-			BIO_printf(bio_s_out, "SSL_renegotiate -> %d\n",i);
-			i=SSL_do_handshake(con);
-			if (i <= 0)
-				{
-				BIO_printf(bio_s_out, "SSL_do_handshake() Retval %d\n", SSL_get_error(con, i));
-				ERR_print_errors(bio_err);
-				goto err;
-				}
-			/* EVIL HACK! */
-			SSL_set_state(con, SSL_ST_ACCEPT);
-			i=SSL_do_handshake(con);
-			BIO_printf(bio_s_out, "SSL_do_handshake -> %d\n",i);
-			if (i <= 0)
-				{
-				BIO_printf(bio_s_out, "SSL_do_handshake() Retval %d\n", SSL_get_error(con, i));
-				ERR_print_errors(bio_err);
-				goto err;
-				}
-			}
-
 			BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
 			BIO_puts(io,"<HTML><BODY BGCOLOR=\"#ffffff\">\n");
 			BIO_puts(io,"<pre>\n");
@@ -2913,115 +3009,3 @@ static int generate_session_id(const SSL *ssl, unsigned char *id,
 		return 0;
 	return 1;
 	}
-
-/* By default s_server uses an in-memory cache which caches SSL_SESSION
- * structures without any serialisation. This hides some bugs which only
- * become apparent in deployed servers. By implementing a basic external
- * session cache some issues can be debugged using s_server.
- */
-
-typedef struct simple_ssl_session_st
-	{
-	unsigned char *id;
-	unsigned int idlen;
-	unsigned char *der;
-	int derlen;
-	struct simple_ssl_session_st *next;
-	} simple_ssl_session;
-
-static simple_ssl_session *first = NULL;
-
-static int add_session(SSL *ssl, SSL_SESSION *session)
-	{
-	simple_ssl_session *sess;
-	unsigned char *p;
-
-	sess = OPENSSL_malloc(sizeof(simple_ssl_session));
-
-	sess->idlen = SSL_SESSION_get_id_len(session);
-	sess->derlen = i2d_SSL_SESSION(session, NULL);
-
-	sess->id = BUF_memdup(SSL_SESSION_get0_id(session), sess->idlen);
-
-	sess->der = OPENSSL_malloc(sess->derlen);
-	p = sess->der;
-	i2d_SSL_SESSION(session, &p);
-
-	sess->next = first;
-	first = sess;
-	BIO_printf(bio_err, "New session added to external cache\n");
-	return 0;
-	}
-
-static SSL_SESSION *get_session(SSL *ssl, unsigned char *id, int idlen,
-					int *do_copy)
-	{
-	simple_ssl_session *sess;
-	*do_copy = 0;
-	for (sess = first; sess; sess = sess->next)
-		{
-		if (idlen == (int)sess->idlen && !memcmp(sess->id, id, idlen))
-			{
-			const unsigned char *p = sess->der;
-			BIO_printf(bio_err, "Lookup session: cache hit\n");
-			return d2i_SSL_SESSION(NULL, &p, sess->derlen);
-			}
-		}
-	BIO_printf(bio_err, "Lookup session: cache miss\n");
-	return NULL;
-	}
-
-static void del_session(SSL_CTX *sctx, SSL_SESSION *session)
-	{
-	simple_ssl_session *sess, *prev = NULL;
-	const unsigned char *id = SSL_SESSION_get0_id(session);
-	unsigned int idlen = SSL_SESSION_get_id_len(session);
-	for (sess = first; sess; sess = sess->next)
-		{
-		if (idlen == sess->idlen && !memcmp(sess->id, id, idlen))
-			{
-			if(prev)
-				prev->next = sess->next;
-			else
-				first = sess->next;
-			OPENSSL_free(sess->id);
-			OPENSSL_free(sess->der);
-			OPENSSL_free(sess);
-			return;
-			}
-		prev = sess;
-		}
-	}
-
-static void init_session_cache_ctx(SSL_CTX *sctx)
-	{
-	SSL_CTX_set_session_cache_mode(sctx,
-			SSL_SESS_CACHE_NO_INTERNAL|SSL_SESS_CACHE_SERVER);
-	SSL_CTX_sess_set_new_cb(sctx, add_session);
-        SSL_CTX_sess_set_get_cb(sctx, get_session);
-        SSL_CTX_sess_set_remove_cb(sctx, del_session);
-	}
-
-static void free_sessions(void)
-	{
-	simple_ssl_session *sess, *tsess;
-	for (sess = first; sess;)
-		{
-		OPENSSL_free(sess->id);
-		OPENSSL_free(sess->der);
-		tsess = sess;
-		sess = sess->next;
-		OPENSSL_free(tsess);
-		}
-	first = NULL;
-	}
-	
-
-
-
-
-
-
-	
-
-

apps/s_socket.c

@@ -62,6 +62,12 @@
 #include <errno.h>
 #include <signal.h>
 
+#ifdef FLAT_INC
+#include "e_os2.h"
+#else
+#include "../e_os2.h"
+#endif
+
 /* With IPv6, it looks like Digital has mixed up the proper order of
    recursive header file inclusion, resulting in the compiler complaining
    that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
@@ -96,8 +102,7 @@ static struct hostent *GetHostByName(char *name);
 static void ssl_sock_cleanup(void);
 #endif
 static int ssl_sock_init(void);
-static int init_client_ip(int *sock, const unsigned char ip[4], int port,
-			  int type);
+static int init_client_ip(int *sock,unsigned char ip[4], int port, int type);
 static int init_server(int *sock, int port, int type);
 static int init_server_long(int *sock, int port,char *ip, int type);
 static int do_accept(int acc_sock, int *sock, char **host);
@@ -233,16 +238,13 @@ int init_client(int *sock, char *host, int port, int type)
 	{
 	unsigned char ip[4];
 
-	ip[0] = ip[1] = ip[2] = ip[3] = 0;
+	memset(ip, '\0', sizeof ip);
 	if (!host_ip(host,&(ip[0])))
-		{
-		return(0);
-		}
-	return(init_client_ip(sock,ip,port,type));
+		return 0;
+	return init_client_ip(sock,ip,port,type);
 	}
 
-static int init_client_ip(int *sock, const unsigned char ip[4], int port,
-			  int type)
+static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
 	{
 	unsigned long addr;
 	struct sockaddr_in them;
@@ -272,7 +274,7 @@ static int init_client_ip(int *sock, const unsigned char ip[4], int port,
 		{
 		i=0;
 		i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
-		if (i < 0) { perror("keepalive"); return(0); }
+		if (i < 0) { closesocket(s); perror("keepalive"); return(0); }
 		}
 #endif
 
@@ -448,6 +450,7 @@ redoit:
 		if ((*host=(char *)OPENSSL_malloc(strlen(h1->h_name)+1)) == NULL)
 			{
 			perror("OPENSSL_malloc");
+			closesocket(ret);
 			return(0);
 			}
 		BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1);
@@ -456,11 +459,13 @@ redoit:
 		if (h2 == NULL)
 			{
 			BIO_printf(bio_err,"gethostbyname failure\n");
+			closesocket(ret);
 			return(0);
 			}
 		if (h2->h_addrtype != AF_INET)
 			{
 			BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
+			closesocket(ret);
 			return(0);
 			}
 		}

apps/server.pem

@@ -1,369 +1,52 @@
-issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
-subject= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit)
+subject= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = Test Server Cert
+issuer= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = OpenSSL Test Intermediate CA
 -----BEGIN CERTIFICATE-----
-MIIB6TCCAVICAQYwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCQVUxEzARBgNV
-BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYD
-VQQDExJUZXN0IENBICgxMDI0IGJpdCkwHhcNMDAxMDE2MjIzMTAzWhcNMDMwMTE0
-MjIzMTAzWjBjMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEaMBgG
-A1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxIzAhBgNVBAMTGlNlcnZlciB0ZXN0IGNl
-cnQgKDUxMiBiaXQpMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ+zw4Qnlf8SMVIP
-Fe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVDTGiXav6ooKXfX3j/7tdkuD8Ey2//
-Kv7+ue0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQCT0grFQeZaqYb5EYfk20XixZV4
-GmyAbXMftG1Eo7qGiMhYzRwGNWxEYojf5PZkYZXvSqZ/ZXHXa4g59jK/rJNnaVGM
-k+xIX8mxQvlV0n5O9PIha5BX5teZnkHKgL8aKKLKW1BK7YTngsfSzzaeame5iKfz
-itAE+OjGF+PFKbwX8Q==
+MIID5zCCAs+gAwIBAgIJALnu1NlVpZ6zMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
+BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMSIwIAYDVQQLDBlGT1IgVEVT
+VElORyBQVVJQT1NFUyBPTkxZMSUwIwYDVQQDDBxPcGVuU1NMIFRlc3QgSW50ZXJt
+ZWRpYXRlIENBMB4XDTExMTIwODE0MDE0OFoXDTIxMTAxNjE0MDE0OFowZDELMAkG
+A1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxIjAgBgNVBAsMGUZPUiBU
+RVNUSU5HIFBVUlBPU0VTIE9OTFkxGTAXBgNVBAMMEFRlc3QgU2VydmVyIENlcnQw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDzhPOSNtyyRspmeuUpxfNJ
+KCLTuf7g3uQ4zu4iHOmRO5TQci+HhVlLZrHF9XqFXcIP0y4pWDbMSGuiorUmzmfi
+R7bfSdI/+qIQt8KXRH6HNG1t8ou0VSvWId5TS5Dq/er5ODUr9OaaDva7EquHIcMv
+vPQGuI+OEAcnleVCy9HVEIySrO4P3CNIicnGkwwiAud05yUAq/gPXBC1hTtmlPD7
+TVcGVSEiJdvzqqlgv02qedGrkki6GY4S7GjZxrrf7Foc2EP+51LJzwLQx3/JfrCU
+41NEWAsu/Sl0tQabXESN+zJ1pDqoZ3uHMgpQjeGiE0olr+YcsSW/tJmiU9OiAr8R
+AgMBAAGjgY8wgYwwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwLAYJYIZI
+AYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQW
+BBSCvM8AABPR9zklmifnr9LvIBturDAfBgNVHSMEGDAWgBQ2w2yI55X+sL3szj49
+hqshgYfa2jANBgkqhkiG9w0BAQUFAAOCAQEAqb1NV0B0/pbpK9Z4/bNjzPQLTRLK
+WnSNm/Jh5v0GEUOE/Beg7GNjNrmeNmqxAlpqWz9qoeoFZax+QBpIZYjROU3TS3fp
+yLsrnlr0CDQ5R7kCCDGa8dkXxemmpZZLbUCpW2Uoy8sAA4JjN9OtsZY7dvUXFgJ7
+vVNTRnI01ghknbtD+2SxSQd3CWF6QhcRMAzZJ1z1cbbwGDDzfvGFPzJ+Sq+zEPds
+xoVLLSetCiBc+40ZcDS5dV98h9XD7JMTQfxzA7mNGv73JoZJA6nFgj+ADSlJsY/t
+JBv+z1iQRueoh9Qeee+ZbRifPouCB8FDx+AltvHTANdAq0t/K3o+pplMVA==
 -----END CERTIFICATE-----
 -----BEGIN RSA PRIVATE KEY-----
-MIIBPAIBAAJBAJ+zw4Qnlf8SMVIPFe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVD
-TGiXav6ooKXfX3j/7tdkuD8Ey2//Kv7+ue0CAwEAAQJAN6W31vDEP2DjdqhzCDDu
-OA4NACqoiFqyblo7yc2tM4h4xMbC3Yx5UKMN9ZkCtX0gzrz6DyF47bdKcWBzNWCj
-gQIhANEoojVt7hq+SQ6MCN6FTAysGgQf56Q3TYoJMoWvdiXVAiEAw3e3rc+VJpOz
-rHuDo6bgpjUAAXM+v3fcpsfZSNO6V7kCIQCtbVjanpUwvZkMI9by02oUk9taki3b
-PzPfAfNPYAbCJQIhAJXNQDWyqwn/lGmR11cqY2y9nZ1+5w3yHGatLrcDnQHxAiEA
-vnlEGo8K85u+KwIOimM48ZG8oTk7iFdkqLJR1utT3aU=
+MIIEpAIBAAKCAQEA84TzkjbcskbKZnrlKcXzSSgi07n+4N7kOM7uIhzpkTuU0HIv
+h4VZS2axxfV6hV3CD9MuKVg2zEhroqK1Js5n4ke230nSP/qiELfCl0R+hzRtbfKL
+tFUr1iHeU0uQ6v3q+Tg1K/Tmmg72uxKrhyHDL7z0BriPjhAHJ5XlQsvR1RCMkqzu
+D9wjSInJxpMMIgLndOclAKv4D1wQtYU7ZpTw+01XBlUhIiXb86qpYL9NqnnRq5JI
+uhmOEuxo2ca63+xaHNhD/udSyc8C0Md/yX6wlONTRFgLLv0pdLUGm1xEjfsydaQ6
+qGd7hzIKUI3hohNKJa/mHLElv7SZolPTogK/EQIDAQABAoIBAADq9FwNtuE5IRQn
+zGtO4q7Y5uCzZ8GDNYr9RKp+P2cbuWDbvVAecYq2NV9QoIiWJOAYZKklOvekIju3
+r0UZLA0PRiIrTg6NrESx3JrjWDK8QNlUO7CPTZ39/K+FrmMkV9lem9yxjJjyC34D
+AQB+YRTx+l14HppjdxNwHjAVQpIx/uO2F5xAMuk32+3K+pq9CZUtrofe1q4Agj9R
+5s8mSy9pbRo9kW9wl5xdEotz1LivFOEiqPUJTUq5J5PeMKao3vdK726XI4Z455Nm
+W2/MA0YV0ug2FYinHcZdvKM6dimH8GLfa3X8xKRfzjGjTiMSwsdjgMa4awY3tEHH
+674jhAECgYEA/zqMrc0zsbNk83sjgaYIug5kzEpN4ic020rSZsmQxSCerJTgNhmg
+utKSCt0Re09Jt3LqG48msahX8ycqDsHNvlEGPQSbMu9IYeO3Wr3fAm75GEtFWePY
+BhM73I7gkRt4s8bUiUepMG/wY45c5tRF23xi8foReHFFe9MDzh8fJFECgYEA9EFX
+4qAik1pOJGNei9BMwmx0I0gfVEIgu0tzeVqT45vcxbxr7RkTEaDoAG6PlbWP6D9a
+WQNLp4gsgRM90ZXOJ4up5DsAWDluvaF4/omabMA+MJJ5kGZ0gCj5rbZbKqUws7x8
+bp+6iBfUPJUbcqNqFmi/08Yt7vrDnMnyMw2A/sECgYEAiiuRMxnuzVm34hQcsbhH
+6ymVqf7j0PW2qK0F4H1ocT9qhzWFd+RB3kHWrCjnqODQoI6GbGr/4JepHUpre1ex
+4UEN5oSS3G0ru0rC3U4C59dZ5KwDHFm7ffZ1pr52ljfQDUsrjjIMRtuiwNK2OoRa
+WSsqiaL+SDzSB+nBmpnAizECgYBdt/y6rerWUx4MhDwwtTnel7JwHyo2MDFS6/5g
+n8qC2Lj6/fMDRE22w+CA2esp7EJNQJGv+b27iFpbJEDh+/Lf5YzIT4MwVskQ5bYB
+JFcmRxUVmf4e09D7o705U/DjCgMH09iCsbLmqQ38ONIRSHZaJtMDtNTHD1yi+jF+
+OT43gQKBgQC/2OHZoko6iRlNOAQ/tMVFNq7fL81GivoQ9F1U0Qr+DH3ZfaH8eIkX
+xT0ToMPJUzWAn8pZv0snA0um6SIgvkCuxO84OkANCVbttzXImIsL7pFzfcwV/ERK
+UM6j0ZuSMFOCr/lGPAoOQU0fskidGEHi1/kW+suSr28TqsyYZpwBDQ==
 -----END RSA PRIVATE KEY-----
-subject=/C=US/O=AT&T Bell Laboratories/OU=Prototype Research CA
-issuer= /C=US/O=AT&T Bell Laboratories/OU=Prototype Research CA
-notBefore=950413210656Z
-notAfter =970412210656Z
------BEGIN X509 CERTIFICATE-----
-
-MIICCDCCAXECAQAwDQYJKoZIhvcNAQEEBQAwTjELMAkGA1UEBhMCVVMxHzAdBgNV
-BAoUFkFUJlQgQmVsbCBMYWJvcmF0b3JpZXMxHjAcBgNVBAsUFVByb3RvdHlwZSBS
-ZXNlYXJjaCBDQTAeFw05NTA0MTMyMTA2NTZaFw05NzA0MTIyMTA2NTZaME4xCzAJ
-BgNVBAYTAlVTMR8wHQYDVQQKFBZBVCZUIEJlbGwgTGFib3JhdG9yaWVzMR4wHAYD
-VQQLFBVQcm90b3R5cGUgUmVzZWFyY2ggQ0EwgZwwDQYJKoZIhvcNAQEBBQADgYoA
-MIGGAoGAebOmgtSCl+wCYZc86UGYeTLY8cjmW2P0FN8ToT/u2pECCoFdrlycX0OR
-3wt0ZhpFXLVNeDnHwEE9veNUih7pCL2ZBFqoIoQkB1lZmXRiVtjGonz8BLm/qrFM
-YHb0lme/Ol+s118mwKVxnn6bSAeI/OXKhLaVdYZWk+aEaxEDkVkCAQ8wDQYJKoZI
-hvcNAQEEBQADgYEAAZMG14lZmZ8bahkaHaTV9dQf4p2FZiQTFwHP9ZyGsXPC+LT5
-dG5iTaRmyjNIJdPWohZDl97kAci79aBndvuEvRKOjLHs3WRGBIwERnAcnY9Mz8u/
-zIHK23PjYVxGGaZd669OJwD0CYyqH22HH9nFUGaoJdsv39ChW0NRdLE9+y8=
------END X509 CERTIFICATE-----
-issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit)
-subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
------BEGIN CERTIFICATE-----
-MIICJjCCAY8CAQAwDQYJKoZIhvcNAQEEBQAwXDELMAkGA1UEBhMCQVUxEzARBgNV
-BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYD
-VQQDExNUZXN0IFBDQSAoMTAyNCBiaXQpMB4XDTk3MDYwOTEzNTc0M1oXDTAxMDYw
-OTEzNTc0M1owWzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxGjAY
-BgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYDVQQDExJUZXN0IENBICgxMDI0
-IGJpdCkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKO7o8t116VP6cgybTsZ
-DCZhr95nYlZuya3aCi1IKoztqwWnjbmDFIriOqGFPrZQ+moMETC9D59iRW/dFXSv
-1F65ka/XY2hLh9exCCo7XuUcDs53Qp3bI3AmMqHjgzE8oO3ajyJAzJkTTOUecQU2
-mw/gI4tMM0LqWMQS7luTy4+xAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAM7achv3v
-hLQJcv/65eGEpBXM40ZDVoFQFFJWaY5p883HTqLB1x4FdzsXHH0QKBTcKpWwqyu4
-YDm3fb8oDugw72bCzfyZK/zVZPR/hVlqI/fvU109Qoc+7oPvIXWky71HfcK6ZBCA
-q30KIqGM/uoM60INq97qjDmCJapagcNBGQs=
------END CERTIFICATE-----
------BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQCju6PLddelT+nIMm07GQwmYa/eZ2JWbsmt2gotSCqM7asFp425
-gxSK4jqhhT62UPpqDBEwvQ+fYkVv3RV0r9ReuZGv12NoS4fXsQgqO17lHA7Od0Kd
-2yNwJjKh44MxPKDt2o8iQMyZE0zlHnEFNpsP4COLTDNC6ljEEu5bk8uPsQIDAQAB
-AoGAVZmpFZsDZfr0l2S9tLLwpjRWNOlKATQkno6q2WesT0eGLQufTciY+c8ypfU6
-hyio8r5iUl/VhhdjhAtKx1mRpiotftHo/eYf8rtsrnprOnWG0bWjLjtIoMbcxGn2
-J3bN6LJmbJMjDs0eJ3KnTu646F3nDUw2oGAwmpzKXA1KAP0CQQDRvQhxk2D3Pehs
-HvG665u2pB5ipYQngEFlZO7RHJZzJOZEWSLuuMqaF/7pTfA5jiBvWqCgJeCRRInL
-21ru4dlPAkEAx9jj7BgKn5TYnMoBSSe0afjsV9oApVpN1Nacb1YDtCwy+scp3++s
-nFxlv98wxIlSdpwMUn+AUWfjiWR7Tu/G/wJBAJ/KjwZIrFVxewP0x2ILYsTRYLzz
-MS4PDsO7FB+I0i7DbBOifXS2oNSpd3I0CNMwrxFnUHzynpbOStVfN3ZL5w0CQQCa
-pwFahxBRhkJKsxhjoFJBX9yl75JoY4Wvm5Tbo9ih6UJaRx3kqfkN14L2BKYcsZgb
-KY9vmDOYy6iNfjDeWTfJAkBkfPUb8oTJ/nSP5zN6sqGxSY4krc4xLxpRmxoJ8HL2
-XfhqXkTzbU13RX9JJ/NZ8vQN9Vm2NhxRGJocQkmcdVtJ
------END RSA PRIVATE KEY-----
------BEGIN X509 CERTIFICATE-----
-MIICYDCCAiACAgEoMAkGBSsOAwINBQAwfDELMAkGA1UEBhMCVVMxNjA0BgNVBAoT
-LU5hdGlvbmFsIEFlcm9uYXV0aWNzIGFuZCBTcGFjZSBBZG1pbmlzdHJhdGlvbjEZ
-MBcGA1UECxMQVGVzdCBFbnZpcm9ubWVudDEaMBgGA1UECxMRRFNTLU5BU0EtUGls
-b3QtQ0EwHhcNOTYwMjI2MTYzMjQ1WhcNOTcwMjI1MTYzMjQ1WjB8MQswCQYDVQQG
-EwJVUzE2MDQGA1UEChMtTmF0aW9uYWwgQWVyb25hdXRpY3MgYW5kIFNwYWNlIEFk
-bWluaXN0cmF0aW9uMRkwFwYDVQQLExBUZXN0IEVudmlyb25tZW50MRowGAYDVQQL
-ExFEU1MtTkFTQS1QaWxvdC1DQTCB8jAJBgUrDgMCDAUAA4HkADCB4AJBAMA/ssKb
-hPNUG7ZlASfVwEJU21O5OyF/iyBzgHI1O8eOhJGUYO8cc8wDMjR508Mr9cp6Uhl/
-ZB7FV5GkLNEnRHYCQQDUEaSg45P2qrDwixTRhFhmWz5Nvc4lRFQ/42XPcchiJBLb
-bn3QK74T2IxY1yY+kCNq8XrIqf5fJJzIH0J/xUP3AhUAsg2wsQHfDGYk/BOSulX3
-fVd0geUCQQCzCFUQAh+ZkEmp5804cs6ZWBhrUAfnra8lJItYo9xPcXgdIfLfibcX
-R71UsyO77MRD7B0+Ag2tq794IleCVcEEMAkGBSsOAwINBQADLwAwLAIUUayDfreR
-Yh2WeU86/pHNdkUC1IgCFEfxe1f0oMpxJyrJ5XIxTi7vGdoK
------END X509 CERTIFICATE-----
------BEGIN X509 CERTIFICATE-----
-
-MIICGTCCAdgCAwCqTDAJBgUrDgMCDQUAMHwxCzAJBgNVBAYTAlVTMTYwNAYDVQQK
-Ey1OYXRpb25hbCBBZXJvbmF1dGljcyBhbmQgU3BhY2UgQWRtaW5pc3RyYXRpb24x
-GTAXBgNVBAsTEFRlc3QgRW52aXJvbm1lbnQxGjAYBgNVBAsTEURTUy1OQVNBLVBp
-bG90LUNBMB4XDTk2MDUxNDE3MDE0MVoXDTk3MDUxNDE3MDE0MVowMzELMAkGA1UE
-BhMCQVUxDzANBgNVBAoTBk1pbmNvbTETMBEGA1UEAxMKRXJpYyBZb3VuZzCB8jAJ
-BgUrDgMCDAUAA4HkADCB4AJBAKbfHz6vE6pXXMTpswtGUec2tvnfLJUsoxE9qs4+
-ObZX7LmLvragNPUeiTJx7UOWZ5DfBj6bXLc8eYne0lP1g3ACQQDUEaSg45P2qrDw
-ixTRhFhmWz5Nvc4lRFQ/42XPcchiJBLbbn3QK74T2IxY1yY+kCNq8XrIqf5fJJzI
-H0J/xUP3AhUAsg2wsQHfDGYk/BOSulX3fVd0geUCQQCzCFUQAh+ZkEmp5804cs6Z
-WBhrUAfnra8lJItYo9xPcXgdIfLfibcXR71UsyO77MRD7B0+Ag2tq794IleCVcEE
-MAkGBSsOAwINBQADMAAwLQIUWsuuJRE3VT4ueWkWMAJMJaZjj1ECFQCYY0zX4bzM
-LC7obsrHD8XAHG+ZRG==
------END X509 CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIICTTCCAbagAwIBAgIBADANBgkqhkiG9w0BAQQFADBMMQswCQYDVQQGEwJHQjEM
-MAoGA1UEChMDVUNMMRgwFgYDVQQLEw9JQ0UtVEVMIFByb2plY3QxFTATBgNVBAMT
-DFRydXN0RmFjdG9yeTAeFw05NzA0MjIxNDM5MTRaFw05ODA0MjIxNDM5MTRaMEwx
-CzAJBgNVBAYTAkdCMQwwCgYDVQQKEwNVQ0wxGDAWBgNVBAsTD0lDRS1URUwgUHJv
-amVjdDEVMBMGA1UEAxMMVHJ1c3RGYWN0b3J5MIGcMAoGBFUIAQECAgQAA4GNADCB
-iQKBgQCEieR8NcXkUW1f0G6aC6u0i8q/98JqS6RxK5YmHIGKCkuTWAUjzLfUa4dt
-U9igGCjTuxaDqlzEim+t/02pmiBZT9HaX++35MjQPUWmsChcYU5WyzGErXi+rQaw
-zlwS73zM8qiPj/97lXYycWhgL0VaiDSPxRXEUdWoaGruom4mNQIDAQABo0IwQDAd
-BgNVHQ4EFgQUHal1LZr7oVg5z6lYzrhTgZRCmcUwDgYDVR0PAQH/BAQDAgH2MA8G
-A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAfaggfl6FZoioecjv0dq8
-/DXo/u11iMZvXn08gjX/zl2b4wtPbShOSY5FhkSm8GeySasz+/Nwb/uzfnIhokWi
-lfPZHtlCWtXbIy/TN51eJyq04ceDCQDWvLC2enVg9KB+GJ34b5c5VaPRzq8MBxsA
-S7ELuYGtmYgYm9NZOIr7yU0=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB6jCCAZQCAgEtMA0GCSqGSIb3DQEBBAUAMIGAMQswCQYDVQQGEwJVUzE2MDQG
-A1UEChMtTmF0aW9uYWwgQWVyb25hdXRpY3MgYW5kIFNwYWNlIEFkbWluaXN0cmF0
-aW9uMRkwFwYDVQQLExBUZXN0IEVudmlyb25tZW50MR4wHAYDVQQLExVNRDUtUlNB
-LU5BU0EtUGlsb3QtQ0EwHhcNOTYwNDMwMjIwNTAwWhcNOTcwNDMwMjIwNTAwWjCB
-gDELMAkGA1UEBhMCVVMxNjA0BgNVBAoTLU5hdGlvbmFsIEFlcm9uYXV0aWNzIGFu
-ZCBTcGFjZSBBZG1pbmlzdHJhdGlvbjEZMBcGA1UECxMQVGVzdCBFbnZpcm9ubWVu
-dDEeMBwGA1UECxMVTUQ1LVJTQS1OQVNBLVBpbG90LUNBMFkwCgYEVQgBAQICAgAD
-SwAwSAJBALmmX5+GqAvcrWK13rfDrNX9UfeA7f+ijyBgeFQjYUoDpFqapw4nzQBL
-bAXug8pKkRwa2Zh8YODhXsRWu2F/UckCAwEAATANBgkqhkiG9w0BAQQFAANBAH9a
-OBA+QCsjxXgnSqHx04gcU8S49DVUb1f2XVoLnHlIb8RnX0k5O6mpHT5eti9bLkiW
-GJNMJ4L0AJ/ac+SmHZc=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIICajCCAdMCBDGA0QUwDQYJKoZIhvcNAQEEBQAwfTELMAkGA1UEBhMCQ2ExDzAN
-BgNVBAcTBk5lcGVhbjEeMBwGA1UECxMVTm8gTGlhYmlsaXR5IEFjY2VwdGVkMR8w
-HQYDVQQKExZGb3IgRGVtbyBQdXJwb3NlcyBPbmx5MRwwGgYDVQQDExNFbnRydXN0
-IERlbW8gV2ViIENBMB4XDTk2MDQyNjEzMzUwMVoXDTA2MDQyNjEzMzUwMVowfTEL
-MAkGA1UEBhMCQ2ExDzANBgNVBAcTBk5lcGVhbjEeMBwGA1UECxMVTm8gTGlhYmls
-aXR5IEFjY2VwdGVkMR8wHQYDVQQKExZGb3IgRGVtbyBQdXJwb3NlcyBPbmx5MRww
-GgYDVQQDExNFbnRydXN0IERlbW8gV2ViIENBMIGdMA0GCSqGSIb3DQEBAQUAA4GL
-ADCBhwKBgQCaroS7O1DA0hm4IefNYU1cx/nqOmzEnk291d1XqznDeF4wEgakbkCc
-zTKxK791yNpXG5RmngqH7cygDRTHZJ6mfCRn0wGC+AI00F2vYTGqPGRQL1N3lZT0
-YDKFC0SQeMMjFIZ1aeQigroFQnHo0VB3zWIMpNkka8PY9lxHZAmWwQIBAzANBgkq
-hkiG9w0BAQQFAAOBgQBAx0UMVA1s54lMQyXjMX5kj99FJN5itb8bK1Rk+cegPQPF
-cWO9SEWyEjjBjIkjjzAwBkaEszFsNGxemxtXvwjIm1xEUMTVlPEWTs2qnDvAUA9W
-YqhWbhH0toGT36236QAsqCZ76rbTRVSSX2BHyJwJMG2tCRv7kRJ//NIgxj3H4w==
------END CERTIFICATE-----
-
-issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit)
-subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit)
------BEGIN CERTIFICATE-----
-MIICJzCCAZACAQAwDQYJKoZIhvcNAQEEBQAwXDELMAkGA1UEBhMCQVUxEzARBgNV
-BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYD
-VQQDExNUZXN0IFBDQSAoMTAyNCBiaXQpMB4XDTk3MDYwOTEzNTczN1oXDTAxMDYw
-OTEzNTczN1owXDELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxGjAY
-BgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYDVQQDExNUZXN0IFBDQSAoMTAy
-NCBiaXQpMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdoWk/3+WcMlfjIrkg
-40ketmnQaEogQe1LLcuOJV6rKfUSAsPgwgsabJ/wn8TxA1yy3eKJbFl3OiUXMRsp
-22Jp85PmemiDzyUIStwk72qhp1imbANZvlmlCFKiQrjUyuDfu4TABmn+kkt3vR1Y
-BEOGt+IFye1UBVSATVdRJ2UVhwIDAQABMA0GCSqGSIb3DQEBBAUAA4GBABNA1u/S
-Cg/LJZWb7GliiKJsvuhxlE4E5JxQF2zMub/CSNbF97//tYSyj96sxeFQxZXbcjm9
-xt6mr/xNLA4szNQMJ4P+L7b5e/jC5DSqlwS+CUYJgaFs/SP+qJoCSu1bR3IM9XWO
-cRBpDmcBbYLkSyB92WURvsZ1LtjEcn+cdQVI
------END CERTIFICATE-----
------BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQCdoWk/3+WcMlfjIrkg40ketmnQaEogQe1LLcuOJV6rKfUSAsPg
-wgsabJ/wn8TxA1yy3eKJbFl3OiUXMRsp22Jp85PmemiDzyUIStwk72qhp1imbANZ
-vlmlCFKiQrjUyuDfu4TABmn+kkt3vR1YBEOGt+IFye1UBVSATVdRJ2UVhwIDAQAB
-AoGAba4fTtuap5l7/8ZsbE7Z1O32KJY4ZcOZukLOLUUhXxXduT+FTgGWujc0/rgc
-z9qYCLlNZHOouMYTgtSfYvuMuLZ11VIt0GYH+nRioLShE59Yy+zCRyC+gPigS1kz
-xvo14AsOIPYV14Tk/SsHyq6E0eTk7VzaIE197giiINUERPECQQDSKmtPTh/lRKw7
-HSZSM0I1mFWn/1zqrAbontRQY5w98QWIOe5qmzYyFbPXYT3d9BzlsMyhgiRNoBbD
-yvohSHXJAkEAwAHx6ezAZeWWzD5yXD36nyjpkVCw7Tk7TSmOceLJMWt1QcrCfqlS
-xA5jjpQ6Z8suU5DdtWAryM2sAir1WisYzwJAd6Zcx56jvAQ3xcPXsE6scBTVFzrj
-7FqZ6E+cclPzfLQ+QQsyOBE7bpI6e/FJppY26XGZXo3YGzV8IGXrt40oOQJALETG
-h86EFXo3qGOFbmsDy4pdP5nBERCu8X1xUCSfintiD4c2DInxgS5oGclnJeMcjTvL
-QjQoJCX3UJCi/OUO1QJBAKgcDHWjMvt+l1pjJBsSEZ0HX9AAIIVx0RQmbFGS+F2Q
-hhu5l77WnnZOQ9vvhV5u7NPCUF9nhU3jh60qWWO8mkc=
------END RSA PRIVATE KEY-----
-subject=/C=US/O=RSA Data Security, Inc./OU=Commercial Certification Authority
-issuer= /C=US/O=RSA Data Security, Inc./OU=Commercial Certification Authority
-notBefore=941104185834Z
-notAfter =991103185834Z
------BEGIN X509 CERTIFICATE-----
-
-MIICIzCCAZACBQJBAAAWMA0GCSqGSIb3DQEBAgUAMFwxCzAJBgNVBAYTAlVTMSAw
-HgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5jLjErMCkGA1UECxMiQ29tbWVy
-Y2lhbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NDExMDQxODU4MzRaFw05
-OTExMDMxODU4MzRaMFwxCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0EgRGF0YSBT
-ZWN1cml0eSwgSW5jLjErMCkGA1UECxMiQ29tbWVyY2lhbCBDZXJ0aWZpY2F0aW9u
-IEF1dGhvcml0eTCBmzANBgkqhkiG9w0BAQEFAAOBiQAwgYUCfgCk+4Fie84QJ93o
-975sbsZwmdu41QUDaSiCnHJ/lj+O7Kwpkj+KFPhCdr69XQO5kNTQvAayUTNfxMK/
-touPmbZiImDd298ggrTKoi8tUO2UMt7gVY3UaOLgTNLNBRYulWZcYVI4HlGogqHE
-7yXpCuaLK44xZtn42f29O2nZ6wIDAQABMA0GCSqGSIb3DQEBAgUAA34AdrW2EP4j
-9/dZYkuwX5zBaLxJu7NJbyFHXSudVMQAKD+YufKKg5tgf+tQx6sFEC097TgCwaVI
-0v5loMC86qYjFmZsGySp8+x5NRhPJsjjr1BKx6cxa9B8GJ1Qv6km+iYrRpwUqbtb
-MJhCKLVLU7tDCZJAuqiqWqTGtotXTcU=
------END X509 CERTIFICATE-----
-subject=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
-issuer= /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
-notBefore=941109235417Z
-notAfter =991231235417Z
------BEGIN X509 CERTIFICATE-----
-
-MIICKTCCAZYCBQJBAAABMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMSAw
-HgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UECxMlU2VjdXJl
-IFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NDExMDkyMzU0MTda
-Fw05OTEyMzEyMzU0MTdaMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0EgRGF0
-YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UECxMlU2VjdXJlIFNlcnZlciBDZXJ0aWZp
-Y2F0aW9uIEF1dGhvcml0eTCBmzANBgkqhkiG9w0BAQEFAAOBiQAwgYUCfgCSznrB
-roM+WqqJg1esJQF2DK2ujiw3zus1eGRUA+WEQFHJv48I4oqCCNIWhjdV6bEhAq12
-aIGaBaJLyUslZiJWbIgHj/eBWW2EB2VwE3F2Ppt3TONQiVaYSLkdpykaEy5KEVmc
-HhXVSVQsczppgrGXOZxtcGdI5d0t1sgeewIDAQABMA0GCSqGSIb3DQEBAgUAA34A
-iNHReSHO4ovo+MF9NFM/YYPZtgs4F7boviGNjwC4i1N+RGceIr2XJ+CchcxK9oU7
-suK+ktPlDemvXA4MRpX/oRxePug2WHpzpgr4IhFrwwk4fia7c+8AvQKk8xQNMD9h
-cHsg/jKjn7P0Z1LctO6EjJY2IN6BCINxIYoPnqk=
------END X509 CERTIFICATE-----
-subject=/C=ZA/SP=Western Cape/L=Cape Town/O=Thawte Consulting cc
-	/OU=Certification Services Division/CN=Thawte Server CA
-	/Email=server-certs@thawte.com
-issuer= /C=ZA/SP=Western Cape/L=Cape Town/O=Thawte Consulting cc
-	/OU=Certification Services Division/CN=Thawte Server CA
-	/Email=server-certs@thawte.com
------BEGIN CERTIFICATE-----
-MIIC+TCCAmICAQAwDQYJKoZIhvcNAQEEBQAwgcQxCzAJBgNVBAYTAlpBMRUwEwYD
-VQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEdMBsGA1UEChMU
-VGhhd3RlIENvbnN1bHRpbmcgY2MxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2Vy
-dmljZXMgRGl2aXNpb24xGTAXBgNVBAMTEFRoYXd0ZSBTZXJ2ZXIgQ0ExJjAkBgkq
-hkiG9w0BCQEWF3NlcnZlci1jZXJ0c0B0aGF3dGUuY29tMB4XDTk2MDcyNzE4MDc1
-N1oXDTk4MDcyNzE4MDc1N1owgcQxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0
-ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEdMBsGA1UEChMUVGhhd3RlIENv
-bnN1bHRpbmcgY2MxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2
-aXNpb24xGTAXBgNVBAMTEFRoYXd0ZSBTZXJ2ZXIgQ0ExJjAkBgkqhkiG9w0BCQEW
-F3NlcnZlci1jZXJ0c0B0aGF3dGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
-iQKBgQDTpFBuyP9Wa+bPXbbqDGh1R6KqwtqEJfyo9EdR2oW1IHSUhh4PdcnpCGH1
-Bm0wbhUZAulSwGLbTZme4moMRDjN/r7jZAlwxf6xaym2L0nIO9QnBCUQly/nkG3A
-KEKZ10xD3sP1IW1Un13DWOHA5NlbsLjctHvfNjrCtWYiEtaHDQIDAQABMA0GCSqG
-SIb3DQEBBAUAA4GBAIsvn7ifX3RUIrvYXtpI4DOfARkTogwm6o7OwVdl93yFhDcX
-7h5t0XZ11MUAMziKdde3rmTvzUYIUCYoY5b032IwGMTvdiclK+STN6NP2m5nvFAM
-qJT5gC5O+j/jBuZRQ4i0AMYQr5F4lT8oBJnhgafw6PL8aDY2vMHGSPl9+7uf
------END CERTIFICATE-----
-
------BEGIN CERTIFICATE-----
-MIIDDTCCAnYCAQAwDQYJKoZIhvcNAQEEBQAwgc4xCzAJBgNVBAYTAlpBMRUwEwYD
-VQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEdMBsGA1UEChMU
-VGhhd3RlIENvbnN1bHRpbmcgY2MxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2Vy
-dmljZXMgRGl2aXNpb24xITAfBgNVBAMTGFRoYXd0ZSBQcmVtaXVtIFNlcnZlciBD
-QTEoMCYGCSqGSIb3DQEJARYZcHJlbWl1bS1zZXJ2ZXJAdGhhd3RlLmNvbTAeFw05
-NjA3MjcxODA3MTRaFw05ODA3MjcxODA3MTRaMIHOMQswCQYDVQQGEwJaQTEVMBMG
-A1UECBMMV2VzdGVybiBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xHTAbBgNVBAoT
-FFRoYXd0ZSBDb25zdWx0aW5nIGNjMSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNl
-cnZpY2VzIERpdmlzaW9uMSEwHwYDVQQDExhUaGF3dGUgUHJlbWl1bSBTZXJ2ZXIg
-Q0ExKDAmBgkqhkiG9w0BCQEWGXByZW1pdW0tc2VydmVyQHRoYXd0ZS5jb20wgZ8w
-DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANI2NmqL18JbntqBQWKPOO5JBFXW0O8c
-G5UWR+8YSDU6UvQragaPOy/qVuOvho2eF/eetGV1Ak3vywmiIVHYm9Bn0LoNkgYU
-c9STy5cqAJxcTgy8+hVS/PJEbtoRSm4Iny8t4/mqOoZztkZTWMiJBb2DEbhzP6oH
-jfRCTedAnRw3AgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAutFIgTRZVYerIZfL9lvR
-w9Eifvvo5KTZ3h+Bj+VzNnyw4Qc/IyXkPOu6SIiH9LQ3sCmWBdxpe+qr4l77rLj2
-GYuMtESFfn1XVALzkYgC7JcPuTOjMfIiMByt+uFf8AV8x0IW/Qkuv+hEQcyM9vxK
-3VZdLbCVIhNoEsysrxCpxcI=
------END CERTIFICATE-----
-Tims test GCI CA
-
------BEGIN CERTIFICATE-----
-MIIB8DCCAZoCAQAwDQYJKoZIhvcNAQEEBQAwgYIxCzAJBgNVBAYTAkFVMRMwEQYD
-VQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5
-cHRTb2Z0IFB0eSBMdGQxFDASBgNVBAsTC2RldmVsb3BtZW50MRkwFwYDVQQDExBD
-cnlwdFNvZnQgRGV2IENBMB4XDTk3MDMyMjEzMzQwNFoXDTk4MDMyMjEzMzQwNFow
-gYIxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhC
-cmlzYmFuZTEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxFDASBgNVBAsTC2Rl
-dmVsb3BtZW50MRkwFwYDVQQDExBDcnlwdFNvZnQgRGV2IENBMFwwDQYJKoZIhvcN
-AQEBBQADSwAwSAJBAOAOAqogG5QwAmLhzyO4CoRnx/wVy4NZP4dxJy83O1EnL0rw
-OdsamJKvPOLHgSXo3gDu9uVyvCf/QJmZAmC5ml8CAwEAATANBgkqhkiG9w0BAQQF
-AANBADRRS/GVdd7rAqRW6SdmgLJduOU2yq3avBu99kRqbp9A/dLu6r6jU+eP4oOA
-TfdbFZtAAD2Hx9jUtY3tfdrJOb8= 
------END CERTIFICATE-----
-
------BEGIN CERTIFICATE-----
-MIICVjCCAgACAQAwDQYJKoZIhvcNAQEEBQAwgbUxCzAJBgNVBAYTAkFVMRMwEQYD
-VQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5
-cHRTb2Z0IFB0eSBMdGQxLDAqBgNVBAsTI1dPUlRITEVTUyBDRVJUSUZJQ0FUSU9O
-IEFVVEhPUklUSUVTMTQwMgYDVQQDEytaRVJPIFZBTFVFIENBIC0gREVNT05TVFJB
-VElPTiBQVVJQT1NFUyBPTkxZMB4XDTk3MDQwMzEzMjI1NFoXDTk4MDQwMzEzMjI1
-NFowgbUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQH
-EwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxLDAqBgNVBAsT
-I1dPUlRITEVTUyBDRVJUSUZJQ0FUSU9OIEFVVEhPUklUSUVTMTQwMgYDVQQDEyta
-RVJPIFZBTFVFIENBIC0gREVNT05TVFJBVElPTiBQVVJQT1NFUyBPTkxZMFwwDQYJ
-KoZIhvcNAQEBBQADSwAwSAJBAOZ7T7yqP/tyspcko3yPY1y0Cm2EmwNvzW4QgVXR
-Fjs3HmJ4xtSpXdo6mwcGezL3Abt/aQXaxv9PU8xt+Jr0OFUCAwEAATANBgkqhkiG
-9w0BAQQFAANBAOQpYmGgyCqCy1OljgJhCqQOu627oVlHzK1L+t9vBaMfn40AVUR4
-WzQVWO31KTgi5vTK1U+3h46fgUWqQ0h+6rU=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIAwgKADAgECAgEAMA0GCSqGSIb3DQEBBAUAMGIxETAPBgNVBAcTCEludGVybmV0
-MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE0MDIGA1UECxMrVmVyaVNpZ24gQ2xh
-c3MgMSBDQSAtIEluZGl2aWR1YWwgU3Vic2NyaWJlcjAeFw05NjA0MDgxMDIwMjda
-Fw05NzA0MDgxMDIwMjdaMGIxETAPBgNVBAcTCEludGVybmV0MRcwFQYDVQQKEw5W
-ZXJpU2lnbiwgSW5jLjE0MDIGA1UECxMrVmVyaVNpZ24gQ2xhc3MgMSBDQSAtIElu
-ZGl2aWR1YWwgU3Vic2NyaWJlcjCAMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2
-FKbPTdAFDdjKI9BvqrQpkmOOLPhvltcunXZLEbE2jVfJw/0cxrr+Hgi6M8qV6r7j
-W80GqLd5HUQq7XPysVKDaBBwZJHXPmv5912dFEObbpdFmIFH0S3L3bty10w/cari
-QPJUObwW7s987LrbP2wqsxaxhhKdrpM01bjV0Pc+qQIDAQABAAAAADANBgkqhkiG
-9w0BAQQFAAOBgQA+1nJryNt8VBRjRr07ArDAV/3jAH7GjDc9jsrxZS68ost9v06C
-TvTNKGL+LISNmFLXl+JXhgGB0JZ9fvyYzNgHQ46HBUng1H6voalfJgS2KdEo50wW
-8EFZYMDkT1k4uynwJqkVN2QJK/2q4/A/VCov5h6SlM8Affg2W+1TLqvqkwAA
------END CERTIFICATE-----
-
- subject=/L=Internet/O=VeriSign, Inc./OU=VeriSign Class 2 CA - Individual Subscriber
- issuer= /L=Internet/O=VeriSign, Inc./OU=VeriSign Class 2 CA - Individual Subscriber
-
------BEGIN CERTIFICATE-----
-MIIEkzCCA/ygAwIBAgIRANDTUpSRL3nTFeMrMayFSPAwDQYJKoZIhvcNAQECBQAw
-YjERMA8GA1UEBxMISW50ZXJuZXQxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTQw
-MgYDVQQLEytWZXJpU2lnbiBDbGFzcyAyIENBIC0gSW5kaXZpZHVhbCBTdWJzY3Jp
-YmVyMB4XDTk2MDYwNDAwMDAwMFoXDTk4MDYwNDIzNTk1OVowYjERMA8GA1UEBxMI
-SW50ZXJuZXQxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTQwMgYDVQQLEytWZXJp
-U2lnbiBDbGFzcyAyIENBIC0gSW5kaXZpZHVhbCBTdWJzY3JpYmVyMIGfMA0GCSqG
-SIb3DQEBAQUAA4GNADCBiQKBgQC6A+2czKGRcYMfm8gdnk+0de99TDDzsqo0v5nb
-RsbUmMcdRQ7nsMbRWe0SAb/9QoLTZ/cJ0iOBqdrkz7UpqqKarVoTSdlSMVM92tWp
-3bJncZHQD1t4xd6lQVdI1/T6R+5J0T1ukOdsI9Jmf+F28S6g3R3L1SFwiHKeZKZv
-z+793wIDAQABo4ICRzCCAkMwggIpBgNVHQMBAf8EggIdMIICGTCCAhUwggIRBgtg
-hkgBhvhFAQcBATCCAgAWggGrVGhpcyBjZXJ0aWZpY2F0ZSBpbmNvcnBvcmF0ZXMg
-YnkgcmVmZXJlbmNlLCBhbmQgaXRzIHVzZSBpcyBzdHJpY3RseSBzdWJqZWN0IHRv
-LCB0aGUgVmVyaVNpZ24gQ2VydGlmaWNhdGlvbiBQcmFjdGljZSBTdGF0ZW1lbnQg
-KENQUyksIGF2YWlsYWJsZSBhdDogaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL0NQ
-Uy0xLjA7IGJ5IEUtbWFpbCBhdCBDUFMtcmVxdWVzdHNAdmVyaXNpZ24uY29tOyBv
-ciBieSBtYWlsIGF0IFZlcmlTaWduLCBJbmMuLCAyNTkzIENvYXN0IEF2ZS4sIE1v
-dW50YWluIFZpZXcsIENBIDk0MDQzIFVTQSBUZWwuICsxICg0MTUpIDk2MS04ODMw
-IENvcHlyaWdodCAoYykgMTk5NiBWZXJpU2lnbiwgSW5jLiAgQWxsIFJpZ2h0cyBS
-ZXNlcnZlZC4gQ0VSVEFJTiBXQVJSQU5USUVTIERJU0NMQUlNRUQgYW5kIExJQUJJ
-TElUWSBMSU1JVEVELqAOBgxghkgBhvhFAQcBAQGhDgYMYIZIAYb4RQEHAQECMC8w
-LRYraHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JlcG9zaXRvcnkvQ1BTLTEuMDAU
-BglghkgBhvhCAQEBAf8EBAMCAgQwDQYJKoZIhvcNAQECBQADgYEApRJRkNBqLLgs
-53IR/d18ODdLOWMTZ+QOOxBrq460iBEdUwgF8vmPRX1ku7UiDeNzaLlurE6eFqHq
-2zPyK5j60zfTLVJMWKcQWwTJLjHtXrW8pxhNtFc6Fdvy5ZkHnC/9NIl7/t4U6WqB
-p4y+p7SdMIkEwIZfds0VbnQyX5MRUJY=
------END CERTIFICATE-----
-
- subject=/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
- issuer= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
------BEGIN CERTIFICATE-----
-MIICMTCCAZoCBQKhAAABMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMRcw
-FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJsaWMg
-UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NjAxMjkwMDAwMDBa
-Fw05OTEyMzEyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2ln
-biwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZp
-Y2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyVxZ
-nvIbigEUtBDfBEDb41evakVAj4QMC9Ez2dkRz+4CWB8l9yqoRAWq7AMfeH+ek7ma
-AKojfdashaJjRcdyJ8z0TMZ1cdI5709C8HXfCpDGjiBvmA/4rCNfcCk2pMmG57Ga
-IMtTpYXnPb59mv4kRTPcdhXtD6JxZExlLoFoRacCAwEAATANBgkqhkiG9w0BAQIF
-AAOBgQB1Zmw+0c2B27X4LzZRtvdCvM1Cr9wO+hVs+GeTVzrrtpLotgHKjLeOQ7RJ
-Zfk+7r11Ri7J/CVdqMcvi5uPaM+0nJcYwE3vH9mvgrPmZLiEXIqaB1JDYft0nls6
-NvxMsvwaPxUupVs8G5DsiCnkWRb5zget7Ond2tIxik/W2O8XjQ==
------END CERTIFICATE-----
- subject=/C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority
- issuer= /C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority
------BEGIN CERTIFICATE-----
-MIICMTCCAZoCBQKmAAABMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMRcw
-FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgNCBQdWJsaWMg
-UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NjAxMjkwMDAwMDBa
-Fw05OTEyMzEyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2ln
-biwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgNCBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZp
-Y2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0LJ1
-9njQrlpQ9OlQqZ+M1++RlHDo0iSQdomF1t+s5gEXMoDwnZNHvJplnR+Xrr/phnVj
-IIm9gFidBAydqMEk6QvlMXi9/C0MN2qeeIDpRnX57aP7E3vIwUzSo+/1PLBij0pd
-O92VZ48TucE81qcmm+zDO3rZTbxtm+gVAePwR6kCAwEAATANBgkqhkiG9w0BAQIF
-AAOBgQBT3dPwnCR+QKri/AAa19oM/DJhuBUNlvP6Vxt/M3yv6ZiaYch6s7f/sdyZ
-g9ysEvxwyR84Qu1E9oAuW2szaayc01znX1oYx7EteQSWQZGZQbE8DbqEOcY7l/Am
-yY7uvcxClf8exwI/VAx49byqYHwCaejcrOICdmHEPgPq0ook0Q==
------END CERTIFICATE-----

apps/server2.pem

@@ -1,376 +1,52 @@
-issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
-subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (1024 bit)
+subject= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = Test Server Cert #2
+issuer= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = OpenSSL Test Intermediate CA
 -----BEGIN CERTIFICATE-----
-MIICLjCCAZcCAQEwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCQVUxEzARBgNV
-BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYD
-VQQDExJUZXN0IENBICgxMDI0IGJpdCkwHhcNOTcwNjA5MTM1NzU0WhcNOTgwNjA5
-MTM1NzU0WjBkMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEaMBgG
-A1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxJDAiBgNVBAMTG1NlcnZlciB0ZXN0IGNl
-cnQgKDEwMjQgYml0KTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsxH1PBPm
-RkxrR11eV4bzNi4N9n11CI8nV29+ARlT1+qDe/mjVUvXlmsr1v/vf71G9GgqopSa
-6RXrICLVdk/FYYYzhPvl1M+OrjaXDFO8BzBAF1Lnz6c7aRZvGRJNrRSr2nZEkqDf
-JW9dY7r2VZEpD5QeuaRYUnuECkqeieB65GMCAwEAATANBgkqhkiG9w0BAQQFAAOB
-gQCWsOta6C0wiVzXz8wPmJKyTrurMlgUss2iSuW9366iwofZddsNg7FXniMzkIf6
-dp7jnmWZwKZ9cXsNUS2o4OL07qOk2HOywC0YsNZQsOBu1CBTYYkIefDiKFL1zQHh
-8lwwNd4NP+OE3NzUNkCfh4DnFfg9WHkXUlD5UpxNRJ4gJA==
+MIID6jCCAtKgAwIBAgIJALnu1NlVpZ60MA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
+BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMSIwIAYDVQQLDBlGT1IgVEVT
+VElORyBQVVJQT1NFUyBPTkxZMSUwIwYDVQQDDBxPcGVuU1NMIFRlc3QgSW50ZXJt
+ZWRpYXRlIENBMB4XDTExMTIwODE0MDE0OFoXDTIxMTAxNjE0MDE0OFowZzELMAkG
+A1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxIjAgBgNVBAsMGUZPUiBU
+RVNUSU5HIFBVUlBPU0VTIE9OTFkxHDAaBgNVBAMME1Rlc3QgU2VydmVyIENlcnQg
+IzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDrdi7j9yctG+L4EjBy
+gjPmEqZzOJEQba26MoQGzglU7e5Xf59Rb/hgVQuKAoiZe7/R8rK4zJ4W7iXdXw0L
+qBpyG8B5aGKeI32w+A9TcBApoXXL2CrYQEQjZwUIpLlYBIi2NkJj3nVkq5dgl1gO
+ALiQ+W8jg3kzg5Ec9rimp9r93N8wsSL3awsafurmYCvOf7leHaMP1WJ/zDRGUNHG
+/WtDjXc8ZUG1+6EXU9Jc2Fs+2Omf7fcN0l00AK/wPg8OaNS0rKyGq9JdIT9FRGV1
+bXe/rx58FaE5CItdwCSYhJvF/O95LWQoxJXye5bCFLmvDTEyVq9FMSCptfsmbXjE
+ZGsXAgMBAAGjgY8wgYwwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwLAYJ
+YIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1Ud
+DgQWBBR52UaWWTKzZGDH/X4mWNcuqeQVazAfBgNVHSMEGDAWgBQ2w2yI55X+sL3s
+zj49hqshgYfa2jANBgkqhkiG9w0BAQUFAAOCAQEANBW+XYLlHBqVY/31ie+3gRlS
+LPfy4SIqn0t3RJjagT29MXprblBO2cbMO8VGjkQdKGpmMXjxbht2arOOUXRHX4n/
+XTyn/QHEf0bcwIITMReO3DZUPAEw8hSjn9xEOM0IRVOCP+mH5fi74QzzQaZVCyYg
+5VtLKdww/+sc0nCbKl2KWgDluriH0nfVx95qgW3mg9dhXRr0zmf1w2zkBHYpARYL
+Dew6Z8EE4tS3HJu8/qM6meWzNtrfonQ3eiiMxjZBxzV46jchBwa2z9XYhP6AmpPb
+oeTSzcQNbWsxaGYzWo46oLDUZmJOwSBawbS31bZNMCoPIY6ukoesCzFSsUKZww==
 -----END CERTIFICATE-----
 -----BEGIN RSA PRIVATE KEY-----
-MIICXgIBAAKBgQCzEfU8E+ZGTGtHXV5XhvM2Lg32fXUIjydXb34BGVPX6oN7+aNV
-S9eWayvW/+9/vUb0aCqilJrpFesgItV2T8VhhjOE++XUz46uNpcMU7wHMEAXUufP
-pztpFm8ZEk2tFKvadkSSoN8lb11juvZVkSkPlB65pFhSe4QKSp6J4HrkYwIDAQAB
-AoGBAKy8jvb0Lzby8q11yNLf7+78wCVdYi7ugMHcYA1JVFK8+zb1WfSm44FLQo/0
-dSChAjgz36TTexeLODPYxleJndjVcOMVzsLJjSM8dLpXsTS4FCeMbhw2s2u+xqKY
-bbPWfk+HOTyJjfnkcC5Nbg44eOmruq0gSmBeUXVM5UntlTnxAkEA7TGCA3h7kx5E
-Bl4zl2pc3gPAGt+dyfk5Po9mGJUUXhF5p2zueGmYWW74TmOWB1kzt4QRdYMzFePq
-zfDNXEa1CwJBAMFErdY0xp0UJ13WwBbUTk8rujqQdHtjw0klhpbuKkjxu2hN0wwM
-6p0D9qxF7JHaghqVRI0fAW/EE0OzdHMR9QkCQQDNR26dMFXKsoPu+vItljj/UEGf
-QG7gERiQ4yxaFBPHgdpGo0kT31eh9x9hQGDkxTe0GNG/YSgCRvm8+C3TMcKXAkBD
-dhGn36wkUFCddMSAM4NSJ1VN8/Z0y5HzCmI8dM3VwGtGMUQlxKxwOl30LEQzdS5M
-0SWojNYXiT2gOBfBwtbhAkEAhafl5QEOIgUz+XazS/IlZ8goNKdDVfYgK3mHHjvv
-nY5G+AuGebdNkXJr4KSWxDcN+C2i47zuj4QXA16MAOandA==
+MIIEowIBAAKCAQEA63Yu4/cnLRvi+BIwcoIz5hKmcziREG2tujKEBs4JVO3uV3+f
+UW/4YFULigKImXu/0fKyuMyeFu4l3V8NC6gachvAeWhiniN9sPgPU3AQKaF1y9gq
+2EBEI2cFCKS5WASItjZCY951ZKuXYJdYDgC4kPlvI4N5M4ORHPa4pqfa/dzfMLEi
+92sLGn7q5mArzn+5Xh2jD9Vif8w0RlDRxv1rQ413PGVBtfuhF1PSXNhbPtjpn+33
+DdJdNACv8D4PDmjUtKyshqvSXSE/RURldW13v68efBWhOQiLXcAkmISbxfzveS1k
+KMSV8nuWwhS5rw0xMlavRTEgqbX7Jm14xGRrFwIDAQABAoIBAHLsTPihIfLnYIE5
+x4GsQQ5zXeBw5ITDM37ktwHnQDC+rIzyUl1aLD1AZRBoKinXd4lOTqLZ4/NHKx4A
+DYr58mZtWyUmqLOMmQVuHXTZBlp7XtYuXMMNovQwjQlp9LicBeoBU6gQ5PVMtubD
+F4xGF89Sn0cTHW3iMkqTtQ5KcR1j57OcJO0FEb1vPvk2MXI5ZyAatUYE7YacbEzd
+rg02uIwx3FqNSkuSI79uz4hMdV5TPtuhxx9nTwj9aLUhXFeZ0mn2PVgVzEnnMoJb
++znlsZDgzDlJqdaD744YGWh8Z3OEssB35KfzFcdOeO6yH8lmv2Zfznk7pNPT7LTb
+Lae9VgkCgYEA92p1qnAB3NtJtNcaW53i0S5WJgS1hxWKvUDx3lTB9s8X9fHpqL1a
+E94fDfWzp/hax6FefUKIvBOukPLQ6bYjTMiFoOHzVirghAIuIUoMI5VtLhwD1hKs
+Lr7l/dptMgKb1nZHyXoKHRBthsy3K4+udsPi8TzMvYElgEqyQIe/Rk0CgYEA86GL
+8HC6zLszzKERDPBxrboRmoFvVUCTQDhsfj1M8aR3nQ8V5LkdIJc7Wqm/Ggfk9QRf
+rJ8M2WUMlU5CNnCn/KCrKzCNZIReze3fV+HnKdbcXGLvgbHPrhnz8yYehUFG+RGq
+bVyDWRU94T38izy2s5qMYrMJWZEYyXncSPbfcPMCgYAtaXfxcZ+V5xYPQFARMtiX
+5nZfggvDoJuXgx0h3tK/N2HBfcaSdzbaYLG4gTmZggc/jwnl2dl5E++9oSPhUdIG
+3ONSFUbxsOsGr9PBvnKd8WZZyUCXAVRjPBzAzF+whzQNWCZy/5htnz9LN7YDI9s0
+5113Q96cheDZPFydZY0hHQKBgQDVbEhNukM5xCiNcu+f2SaMnLp9EjQ4h5g3IvaP
+5B16daw/Dw8LzcohWboqIxeAsze0GD/D1ZUJAEd0qBjC3g+a9BjefervCjKOzXng
+38mEUm+6EwVjJSQcjSmycEs+Sr/kwr/8i5WYvU32+jk4tFgMoC+o6tQe/Uesf68k
+z/dPVwKBgGbF7Vv1/3SmhlOy+zYyvJ0CrWtKxH9QP6tLIEgEpd8x7YTSuCH94yok
+kToMXYA3sWNPt22GbRDZ+rcp4c7HkDx6I6vpdP9aQEwJTp0EPy0sgWr2XwYmreIQ
+NFmkk8Itn9EY2R9VBaP7GLv5kvwxDdLAnmwGmzVtbmaVdxCaBwUk
 -----END RSA PRIVATE KEY-----
-subject=/C=US/O=AT&T Bell Laboratories/OU=Prototype Research CA
-issuer= /C=US/O=AT&T Bell Laboratories/OU=Prototype Research CA
-notBefore=950413210656Z
-notAfter =970412210656Z
------BEGIN X509 CERTIFICATE-----
-
-MIICCDCCAXECAQAwDQYJKoZIhvcNAQEEBQAwTjELMAkGA1UEBhMCVVMxHzAdBgNV
-BAoUFkFUJlQgQmVsbCBMYWJvcmF0b3JpZXMxHjAcBgNVBAsUFVByb3RvdHlwZSBS
-ZXNlYXJjaCBDQTAeFw05NTA0MTMyMTA2NTZaFw05NzA0MTIyMTA2NTZaME4xCzAJ
-BgNVBAYTAlVTMR8wHQYDVQQKFBZBVCZUIEJlbGwgTGFib3JhdG9yaWVzMR4wHAYD
-VQQLFBVQcm90b3R5cGUgUmVzZWFyY2ggQ0EwgZwwDQYJKoZIhvcNAQEBBQADgYoA
-MIGGAoGAebOmgtSCl+wCYZc86UGYeTLY8cjmW2P0FN8ToT/u2pECCoFdrlycX0OR
-3wt0ZhpFXLVNeDnHwEE9veNUih7pCL2ZBFqoIoQkB1lZmXRiVtjGonz8BLm/qrFM
-YHb0lme/Ol+s118mwKVxnn6bSAeI/OXKhLaVdYZWk+aEaxEDkVkCAQ8wDQYJKoZI
-hvcNAQEEBQADgYEAAZMG14lZmZ8bahkaHaTV9dQf4p2FZiQTFwHP9ZyGsXPC+LT5
-dG5iTaRmyjNIJdPWohZDl97kAci79aBndvuEvRKOjLHs3WRGBIwERnAcnY9Mz8u/
-zIHK23PjYVxGGaZd669OJwD0CYyqH22HH9nFUGaoJdsv39ChW0NRdLE9+y8=
------END X509 CERTIFICATE-----
-issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit)
-subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
------BEGIN CERTIFICATE-----
-MIICJjCCAY8CAQAwDQYJKoZIhvcNAQEEBQAwXDELMAkGA1UEBhMCQVUxEzARBgNV
-BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYD
-VQQDExNUZXN0IFBDQSAoMTAyNCBiaXQpMB4XDTk3MDYwOTEzNTc0M1oXDTAxMDYw
-OTEzNTc0M1owWzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxGjAY
-BgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYDVQQDExJUZXN0IENBICgxMDI0
-IGJpdCkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKO7o8t116VP6cgybTsZ
-DCZhr95nYlZuya3aCi1IKoztqwWnjbmDFIriOqGFPrZQ+moMETC9D59iRW/dFXSv
-1F65ka/XY2hLh9exCCo7XuUcDs53Qp3bI3AmMqHjgzE8oO3ajyJAzJkTTOUecQU2
-mw/gI4tMM0LqWMQS7luTy4+xAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAM7achv3v
-hLQJcv/65eGEpBXM40ZDVoFQFFJWaY5p883HTqLB1x4FdzsXHH0QKBTcKpWwqyu4
-YDm3fb8oDugw72bCzfyZK/zVZPR/hVlqI/fvU109Qoc+7oPvIXWky71HfcK6ZBCA
-q30KIqGM/uoM60INq97qjDmCJapagcNBGQs=
------END CERTIFICATE-----
------BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQCju6PLddelT+nIMm07GQwmYa/eZ2JWbsmt2gotSCqM7asFp425
-gxSK4jqhhT62UPpqDBEwvQ+fYkVv3RV0r9ReuZGv12NoS4fXsQgqO17lHA7Od0Kd
-2yNwJjKh44MxPKDt2o8iQMyZE0zlHnEFNpsP4COLTDNC6ljEEu5bk8uPsQIDAQAB
-AoGAVZmpFZsDZfr0l2S9tLLwpjRWNOlKATQkno6q2WesT0eGLQufTciY+c8ypfU6
-hyio8r5iUl/VhhdjhAtKx1mRpiotftHo/eYf8rtsrnprOnWG0bWjLjtIoMbcxGn2
-J3bN6LJmbJMjDs0eJ3KnTu646F3nDUw2oGAwmpzKXA1KAP0CQQDRvQhxk2D3Pehs
-HvG665u2pB5ipYQngEFlZO7RHJZzJOZEWSLuuMqaF/7pTfA5jiBvWqCgJeCRRInL
-21ru4dlPAkEAx9jj7BgKn5TYnMoBSSe0afjsV9oApVpN1Nacb1YDtCwy+scp3++s
-nFxlv98wxIlSdpwMUn+AUWfjiWR7Tu/G/wJBAJ/KjwZIrFVxewP0x2ILYsTRYLzz
-MS4PDsO7FB+I0i7DbBOifXS2oNSpd3I0CNMwrxFnUHzynpbOStVfN3ZL5w0CQQCa
-pwFahxBRhkJKsxhjoFJBX9yl75JoY4Wvm5Tbo9ih6UJaRx3kqfkN14L2BKYcsZgb
-KY9vmDOYy6iNfjDeWTfJAkBkfPUb8oTJ/nSP5zN6sqGxSY4krc4xLxpRmxoJ8HL2
-XfhqXkTzbU13RX9JJ/NZ8vQN9Vm2NhxRGJocQkmcdVtJ
------END RSA PRIVATE KEY-----
------BEGIN X509 CERTIFICATE-----
-MIICYDCCAiACAgEoMAkGBSsOAwINBQAwfDELMAkGA1UEBhMCVVMxNjA0BgNVBAoT
-LU5hdGlvbmFsIEFlcm9uYXV0aWNzIGFuZCBTcGFjZSBBZG1pbmlzdHJhdGlvbjEZ
-MBcGA1UECxMQVGVzdCBFbnZpcm9ubWVudDEaMBgGA1UECxMRRFNTLU5BU0EtUGls
-b3QtQ0EwHhcNOTYwMjI2MTYzMjQ1WhcNOTcwMjI1MTYzMjQ1WjB8MQswCQYDVQQG
-EwJVUzE2MDQGA1UEChMtTmF0aW9uYWwgQWVyb25hdXRpY3MgYW5kIFNwYWNlIEFk
-bWluaXN0cmF0aW9uMRkwFwYDVQQLExBUZXN0IEVudmlyb25tZW50MRowGAYDVQQL
-ExFEU1MtTkFTQS1QaWxvdC1DQTCB8jAJBgUrDgMCDAUAA4HkADCB4AJBAMA/ssKb
-hPNUG7ZlASfVwEJU21O5OyF/iyBzgHI1O8eOhJGUYO8cc8wDMjR508Mr9cp6Uhl/
-ZB7FV5GkLNEnRHYCQQDUEaSg45P2qrDwixTRhFhmWz5Nvc4lRFQ/42XPcchiJBLb
-bn3QK74T2IxY1yY+kCNq8XrIqf5fJJzIH0J/xUP3AhUAsg2wsQHfDGYk/BOSulX3
-fVd0geUCQQCzCFUQAh+ZkEmp5804cs6ZWBhrUAfnra8lJItYo9xPcXgdIfLfibcX
-R71UsyO77MRD7B0+Ag2tq794IleCVcEEMAkGBSsOAwINBQADLwAwLAIUUayDfreR
-Yh2WeU86/pHNdkUC1IgCFEfxe1f0oMpxJyrJ5XIxTi7vGdoK
------END X509 CERTIFICATE-----
------BEGIN X509 CERTIFICATE-----
-
-MIICGTCCAdgCAwCqTDAJBgUrDgMCDQUAMHwxCzAJBgNVBAYTAlVTMTYwNAYDVQQK
-Ey1OYXRpb25hbCBBZXJvbmF1dGljcyBhbmQgU3BhY2UgQWRtaW5pc3RyYXRpb24x
-GTAXBgNVBAsTEFRlc3QgRW52aXJvbm1lbnQxGjAYBgNVBAsTEURTUy1OQVNBLVBp
-bG90LUNBMB4XDTk2MDUxNDE3MDE0MVoXDTk3MDUxNDE3MDE0MVowMzELMAkGA1UE
-BhMCQVUxDzANBgNVBAoTBk1pbmNvbTETMBEGA1UEAxMKRXJpYyBZb3VuZzCB8jAJ
-BgUrDgMCDAUAA4HkADCB4AJBAKbfHz6vE6pXXMTpswtGUec2tvnfLJUsoxE9qs4+
-ObZX7LmLvragNPUeiTJx7UOWZ5DfBj6bXLc8eYne0lP1g3ACQQDUEaSg45P2qrDw
-ixTRhFhmWz5Nvc4lRFQ/42XPcchiJBLbbn3QK74T2IxY1yY+kCNq8XrIqf5fJJzI
-H0J/xUP3AhUAsg2wsQHfDGYk/BOSulX3fVd0geUCQQCzCFUQAh+ZkEmp5804cs6Z
-WBhrUAfnra8lJItYo9xPcXgdIfLfibcXR71UsyO77MRD7B0+Ag2tq794IleCVcEE
-MAkGBSsOAwINBQADMAAwLQIUWsuuJRE3VT4ueWkWMAJMJaZjj1ECFQCYY0zX4bzM
-LC7obsrHD8XAHG+ZRG==
------END X509 CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIICTTCCAbagAwIBAgIBADANBgkqhkiG9w0BAQQFADBMMQswCQYDVQQGEwJHQjEM
-MAoGA1UEChMDVUNMMRgwFgYDVQQLEw9JQ0UtVEVMIFByb2plY3QxFTATBgNVBAMT
-DFRydXN0RmFjdG9yeTAeFw05NzA0MjIxNDM5MTRaFw05ODA0MjIxNDM5MTRaMEwx
-CzAJBgNVBAYTAkdCMQwwCgYDVQQKEwNVQ0wxGDAWBgNVBAsTD0lDRS1URUwgUHJv
-amVjdDEVMBMGA1UEAxMMVHJ1c3RGYWN0b3J5MIGcMAoGBFUIAQECAgQAA4GNADCB
-iQKBgQCEieR8NcXkUW1f0G6aC6u0i8q/98JqS6RxK5YmHIGKCkuTWAUjzLfUa4dt
-U9igGCjTuxaDqlzEim+t/02pmiBZT9HaX++35MjQPUWmsChcYU5WyzGErXi+rQaw
-zlwS73zM8qiPj/97lXYycWhgL0VaiDSPxRXEUdWoaGruom4mNQIDAQABo0IwQDAd
-BgNVHQ4EFgQUHal1LZr7oVg5z6lYzrhTgZRCmcUwDgYDVR0PAQH/BAQDAgH2MA8G
-A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAfaggfl6FZoioecjv0dq8
-/DXo/u11iMZvXn08gjX/zl2b4wtPbShOSY5FhkSm8GeySasz+/Nwb/uzfnIhokWi
-lfPZHtlCWtXbIy/TN51eJyq04ceDCQDWvLC2enVg9KB+GJ34b5c5VaPRzq8MBxsA
-S7ELuYGtmYgYm9NZOIr7yU0=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIB6jCCAZQCAgEtMA0GCSqGSIb3DQEBBAUAMIGAMQswCQYDVQQGEwJVUzE2MDQG
-A1UEChMtTmF0aW9uYWwgQWVyb25hdXRpY3MgYW5kIFNwYWNlIEFkbWluaXN0cmF0
-aW9uMRkwFwYDVQQLExBUZXN0IEVudmlyb25tZW50MR4wHAYDVQQLExVNRDUtUlNB
-LU5BU0EtUGlsb3QtQ0EwHhcNOTYwNDMwMjIwNTAwWhcNOTcwNDMwMjIwNTAwWjCB
-gDELMAkGA1UEBhMCVVMxNjA0BgNVBAoTLU5hdGlvbmFsIEFlcm9uYXV0aWNzIGFu
-ZCBTcGFjZSBBZG1pbmlzdHJhdGlvbjEZMBcGA1UECxMQVGVzdCBFbnZpcm9ubWVu
-dDEeMBwGA1UECxMVTUQ1LVJTQS1OQVNBLVBpbG90LUNBMFkwCgYEVQgBAQICAgAD
-SwAwSAJBALmmX5+GqAvcrWK13rfDrNX9UfeA7f+ijyBgeFQjYUoDpFqapw4nzQBL
-bAXug8pKkRwa2Zh8YODhXsRWu2F/UckCAwEAATANBgkqhkiG9w0BAQQFAANBAH9a
-OBA+QCsjxXgnSqHx04gcU8S49DVUb1f2XVoLnHlIb8RnX0k5O6mpHT5eti9bLkiW
-GJNMJ4L0AJ/ac+SmHZc=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIICajCCAdMCBDGA0QUwDQYJKoZIhvcNAQEEBQAwfTELMAkGA1UEBhMCQ2ExDzAN
-BgNVBAcTBk5lcGVhbjEeMBwGA1UECxMVTm8gTGlhYmlsaXR5IEFjY2VwdGVkMR8w
-HQYDVQQKExZGb3IgRGVtbyBQdXJwb3NlcyBPbmx5MRwwGgYDVQQDExNFbnRydXN0
-IERlbW8gV2ViIENBMB4XDTk2MDQyNjEzMzUwMVoXDTA2MDQyNjEzMzUwMVowfTEL
-MAkGA1UEBhMCQ2ExDzANBgNVBAcTBk5lcGVhbjEeMBwGA1UECxMVTm8gTGlhYmls
-aXR5IEFjY2VwdGVkMR8wHQYDVQQKExZGb3IgRGVtbyBQdXJwb3NlcyBPbmx5MRww
-GgYDVQQDExNFbnRydXN0IERlbW8gV2ViIENBMIGdMA0GCSqGSIb3DQEBAQUAA4GL
-ADCBhwKBgQCaroS7O1DA0hm4IefNYU1cx/nqOmzEnk291d1XqznDeF4wEgakbkCc
-zTKxK791yNpXG5RmngqH7cygDRTHZJ6mfCRn0wGC+AI00F2vYTGqPGRQL1N3lZT0
-YDKFC0SQeMMjFIZ1aeQigroFQnHo0VB3zWIMpNkka8PY9lxHZAmWwQIBAzANBgkq
-hkiG9w0BAQQFAAOBgQBAx0UMVA1s54lMQyXjMX5kj99FJN5itb8bK1Rk+cegPQPF
-cWO9SEWyEjjBjIkjjzAwBkaEszFsNGxemxtXvwjIm1xEUMTVlPEWTs2qnDvAUA9W
-YqhWbhH0toGT36236QAsqCZ76rbTRVSSX2BHyJwJMG2tCRv7kRJ//NIgxj3H4w==
------END CERTIFICATE-----
-
-issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit)
-subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit)
------BEGIN CERTIFICATE-----
-MIICJzCCAZACAQAwDQYJKoZIhvcNAQEEBQAwXDELMAkGA1UEBhMCQVUxEzARBgNV
-BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYD
-VQQDExNUZXN0IFBDQSAoMTAyNCBiaXQpMB4XDTk3MDYwOTEzNTczN1oXDTAxMDYw
-OTEzNTczN1owXDELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxGjAY
-BgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYDVQQDExNUZXN0IFBDQSAoMTAy
-NCBiaXQpMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdoWk/3+WcMlfjIrkg
-40ketmnQaEogQe1LLcuOJV6rKfUSAsPgwgsabJ/wn8TxA1yy3eKJbFl3OiUXMRsp
-22Jp85PmemiDzyUIStwk72qhp1imbANZvlmlCFKiQrjUyuDfu4TABmn+kkt3vR1Y
-BEOGt+IFye1UBVSATVdRJ2UVhwIDAQABMA0GCSqGSIb3DQEBBAUAA4GBABNA1u/S
-Cg/LJZWb7GliiKJsvuhxlE4E5JxQF2zMub/CSNbF97//tYSyj96sxeFQxZXbcjm9
-xt6mr/xNLA4szNQMJ4P+L7b5e/jC5DSqlwS+CUYJgaFs/SP+qJoCSu1bR3IM9XWO
-cRBpDmcBbYLkSyB92WURvsZ1LtjEcn+cdQVI
------END CERTIFICATE-----
------BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQCdoWk/3+WcMlfjIrkg40ketmnQaEogQe1LLcuOJV6rKfUSAsPg
-wgsabJ/wn8TxA1yy3eKJbFl3OiUXMRsp22Jp85PmemiDzyUIStwk72qhp1imbANZ
-vlmlCFKiQrjUyuDfu4TABmn+kkt3vR1YBEOGt+IFye1UBVSATVdRJ2UVhwIDAQAB
-AoGAba4fTtuap5l7/8ZsbE7Z1O32KJY4ZcOZukLOLUUhXxXduT+FTgGWujc0/rgc
-z9qYCLlNZHOouMYTgtSfYvuMuLZ11VIt0GYH+nRioLShE59Yy+zCRyC+gPigS1kz
-xvo14AsOIPYV14Tk/SsHyq6E0eTk7VzaIE197giiINUERPECQQDSKmtPTh/lRKw7
-HSZSM0I1mFWn/1zqrAbontRQY5w98QWIOe5qmzYyFbPXYT3d9BzlsMyhgiRNoBbD
-yvohSHXJAkEAwAHx6ezAZeWWzD5yXD36nyjpkVCw7Tk7TSmOceLJMWt1QcrCfqlS
-xA5jjpQ6Z8suU5DdtWAryM2sAir1WisYzwJAd6Zcx56jvAQ3xcPXsE6scBTVFzrj
-7FqZ6E+cclPzfLQ+QQsyOBE7bpI6e/FJppY26XGZXo3YGzV8IGXrt40oOQJALETG
-h86EFXo3qGOFbmsDy4pdP5nBERCu8X1xUCSfintiD4c2DInxgS5oGclnJeMcjTvL
-QjQoJCX3UJCi/OUO1QJBAKgcDHWjMvt+l1pjJBsSEZ0HX9AAIIVx0RQmbFGS+F2Q
-hhu5l77WnnZOQ9vvhV5u7NPCUF9nhU3jh60qWWO8mkc=
------END RSA PRIVATE KEY-----
-subject=/C=US/O=RSA Data Security, Inc./OU=Commercial Certification Authority
-issuer= /C=US/O=RSA Data Security, Inc./OU=Commercial Certification Authority
-notBefore=941104185834Z
-notAfter =991103185834Z
------BEGIN X509 CERTIFICATE-----
-
-MIICIzCCAZACBQJBAAAWMA0GCSqGSIb3DQEBAgUAMFwxCzAJBgNVBAYTAlVTMSAw
-HgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5jLjErMCkGA1UECxMiQ29tbWVy
-Y2lhbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NDExMDQxODU4MzRaFw05
-OTExMDMxODU4MzRaMFwxCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0EgRGF0YSBT
-ZWN1cml0eSwgSW5jLjErMCkGA1UECxMiQ29tbWVyY2lhbCBDZXJ0aWZpY2F0aW9u
-IEF1dGhvcml0eTCBmzANBgkqhkiG9w0BAQEFAAOBiQAwgYUCfgCk+4Fie84QJ93o
-975sbsZwmdu41QUDaSiCnHJ/lj+O7Kwpkj+KFPhCdr69XQO5kNTQvAayUTNfxMK/
-touPmbZiImDd298ggrTKoi8tUO2UMt7gVY3UaOLgTNLNBRYulWZcYVI4HlGogqHE
-7yXpCuaLK44xZtn42f29O2nZ6wIDAQABMA0GCSqGSIb3DQEBAgUAA34AdrW2EP4j
-9/dZYkuwX5zBaLxJu7NJbyFHXSudVMQAKD+YufKKg5tgf+tQx6sFEC097TgCwaVI
-0v5loMC86qYjFmZsGySp8+x5NRhPJsjjr1BKx6cxa9B8GJ1Qv6km+iYrRpwUqbtb
-MJhCKLVLU7tDCZJAuqiqWqTGtotXTcU=
------END X509 CERTIFICATE-----
-subject=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
-issuer= /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
-notBefore=941109235417Z
-notAfter =991231235417Z
------BEGIN X509 CERTIFICATE-----
-
-MIICKTCCAZYCBQJBAAABMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMSAw
-HgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UECxMlU2VjdXJl
-IFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NDExMDkyMzU0MTda
-Fw05OTEyMzEyMzU0MTdaMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0EgRGF0
-YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UECxMlU2VjdXJlIFNlcnZlciBDZXJ0aWZp
-Y2F0aW9uIEF1dGhvcml0eTCBmzANBgkqhkiG9w0BAQEFAAOBiQAwgYUCfgCSznrB
-roM+WqqJg1esJQF2DK2ujiw3zus1eGRUA+WEQFHJv48I4oqCCNIWhjdV6bEhAq12
-aIGaBaJLyUslZiJWbIgHj/eBWW2EB2VwE3F2Ppt3TONQiVaYSLkdpykaEy5KEVmc
-HhXVSVQsczppgrGXOZxtcGdI5d0t1sgeewIDAQABMA0GCSqGSIb3DQEBAgUAA34A
-iNHReSHO4ovo+MF9NFM/YYPZtgs4F7boviGNjwC4i1N+RGceIr2XJ+CchcxK9oU7
-suK+ktPlDemvXA4MRpX/oRxePug2WHpzpgr4IhFrwwk4fia7c+8AvQKk8xQNMD9h
-cHsg/jKjn7P0Z1LctO6EjJY2IN6BCINxIYoPnqk=
------END X509 CERTIFICATE-----
-subject=/C=ZA/SP=Western Cape/L=Cape Town/O=Thawte Consulting cc
-	/OU=Certification Services Division/CN=Thawte Server CA
-	/Email=server-certs@thawte.com
-issuer= /C=ZA/SP=Western Cape/L=Cape Town/O=Thawte Consulting cc
-	/OU=Certification Services Division/CN=Thawte Server CA
-	/Email=server-certs@thawte.com
------BEGIN CERTIFICATE-----
-MIIC+TCCAmICAQAwDQYJKoZIhvcNAQEEBQAwgcQxCzAJBgNVBAYTAlpBMRUwEwYD
-VQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEdMBsGA1UEChMU
-VGhhd3RlIENvbnN1bHRpbmcgY2MxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2Vy
-dmljZXMgRGl2aXNpb24xGTAXBgNVBAMTEFRoYXd0ZSBTZXJ2ZXIgQ0ExJjAkBgkq
-hkiG9w0BCQEWF3NlcnZlci1jZXJ0c0B0aGF3dGUuY29tMB4XDTk2MDcyNzE4MDc1
-N1oXDTk4MDcyNzE4MDc1N1owgcQxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0
-ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEdMBsGA1UEChMUVGhhd3RlIENv
-bnN1bHRpbmcgY2MxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2
-aXNpb24xGTAXBgNVBAMTEFRoYXd0ZSBTZXJ2ZXIgQ0ExJjAkBgkqhkiG9w0BCQEW
-F3NlcnZlci1jZXJ0c0B0aGF3dGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
-iQKBgQDTpFBuyP9Wa+bPXbbqDGh1R6KqwtqEJfyo9EdR2oW1IHSUhh4PdcnpCGH1
-Bm0wbhUZAulSwGLbTZme4moMRDjN/r7jZAlwxf6xaym2L0nIO9QnBCUQly/nkG3A
-KEKZ10xD3sP1IW1Un13DWOHA5NlbsLjctHvfNjrCtWYiEtaHDQIDAQABMA0GCSqG
-SIb3DQEBBAUAA4GBAIsvn7ifX3RUIrvYXtpI4DOfARkTogwm6o7OwVdl93yFhDcX
-7h5t0XZ11MUAMziKdde3rmTvzUYIUCYoY5b032IwGMTvdiclK+STN6NP2m5nvFAM
-qJT5gC5O+j/jBuZRQ4i0AMYQr5F4lT8oBJnhgafw6PL8aDY2vMHGSPl9+7uf
------END CERTIFICATE-----
-
------BEGIN CERTIFICATE-----
-MIIDDTCCAnYCAQAwDQYJKoZIhvcNAQEEBQAwgc4xCzAJBgNVBAYTAlpBMRUwEwYD
-VQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEdMBsGA1UEChMU
-VGhhd3RlIENvbnN1bHRpbmcgY2MxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2Vy
-dmljZXMgRGl2aXNpb24xITAfBgNVBAMTGFRoYXd0ZSBQcmVtaXVtIFNlcnZlciBD
-QTEoMCYGCSqGSIb3DQEJARYZcHJlbWl1bS1zZXJ2ZXJAdGhhd3RlLmNvbTAeFw05
-NjA3MjcxODA3MTRaFw05ODA3MjcxODA3MTRaMIHOMQswCQYDVQQGEwJaQTEVMBMG
-A1UECBMMV2VzdGVybiBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xHTAbBgNVBAoT
-FFRoYXd0ZSBDb25zdWx0aW5nIGNjMSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNl
-cnZpY2VzIERpdmlzaW9uMSEwHwYDVQQDExhUaGF3dGUgUHJlbWl1bSBTZXJ2ZXIg
-Q0ExKDAmBgkqhkiG9w0BCQEWGXByZW1pdW0tc2VydmVyQHRoYXd0ZS5jb20wgZ8w
-DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANI2NmqL18JbntqBQWKPOO5JBFXW0O8c
-G5UWR+8YSDU6UvQragaPOy/qVuOvho2eF/eetGV1Ak3vywmiIVHYm9Bn0LoNkgYU
-c9STy5cqAJxcTgy8+hVS/PJEbtoRSm4Iny8t4/mqOoZztkZTWMiJBb2DEbhzP6oH
-jfRCTedAnRw3AgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAutFIgTRZVYerIZfL9lvR
-w9Eifvvo5KTZ3h+Bj+VzNnyw4Qc/IyXkPOu6SIiH9LQ3sCmWBdxpe+qr4l77rLj2
-GYuMtESFfn1XVALzkYgC7JcPuTOjMfIiMByt+uFf8AV8x0IW/Qkuv+hEQcyM9vxK
-3VZdLbCVIhNoEsysrxCpxcI=
------END CERTIFICATE-----
-Tims test GCI CA
-
------BEGIN CERTIFICATE-----
-MIIB8DCCAZoCAQAwDQYJKoZIhvcNAQEEBQAwgYIxCzAJBgNVBAYTAkFVMRMwEQYD
-VQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5
-cHRTb2Z0IFB0eSBMdGQxFDASBgNVBAsTC2RldmVsb3BtZW50MRkwFwYDVQQDExBD
-cnlwdFNvZnQgRGV2IENBMB4XDTk3MDMyMjEzMzQwNFoXDTk4MDMyMjEzMzQwNFow
-gYIxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhC
-cmlzYmFuZTEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxFDASBgNVBAsTC2Rl
-dmVsb3BtZW50MRkwFwYDVQQDExBDcnlwdFNvZnQgRGV2IENBMFwwDQYJKoZIhvcN
-AQEBBQADSwAwSAJBAOAOAqogG5QwAmLhzyO4CoRnx/wVy4NZP4dxJy83O1EnL0rw
-OdsamJKvPOLHgSXo3gDu9uVyvCf/QJmZAmC5ml8CAwEAATANBgkqhkiG9w0BAQQF
-AANBADRRS/GVdd7rAqRW6SdmgLJduOU2yq3avBu99kRqbp9A/dLu6r6jU+eP4oOA
-TfdbFZtAAD2Hx9jUtY3tfdrJOb8= 
------END CERTIFICATE-----
-
------BEGIN CERTIFICATE-----
-MIICVjCCAgACAQAwDQYJKoZIhvcNAQEEBQAwgbUxCzAJBgNVBAYTAkFVMRMwEQYD
-VQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5
-cHRTb2Z0IFB0eSBMdGQxLDAqBgNVBAsTI1dPUlRITEVTUyBDRVJUSUZJQ0FUSU9O
-IEFVVEhPUklUSUVTMTQwMgYDVQQDEytaRVJPIFZBTFVFIENBIC0gREVNT05TVFJB
-VElPTiBQVVJQT1NFUyBPTkxZMB4XDTk3MDQwMzEzMjI1NFoXDTk4MDQwMzEzMjI1
-NFowgbUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQH
-EwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxLDAqBgNVBAsT
-I1dPUlRITEVTUyBDRVJUSUZJQ0FUSU9OIEFVVEhPUklUSUVTMTQwMgYDVQQDEyta
-RVJPIFZBTFVFIENBIC0gREVNT05TVFJBVElPTiBQVVJQT1NFUyBPTkxZMFwwDQYJ
-KoZIhvcNAQEBBQADSwAwSAJBAOZ7T7yqP/tyspcko3yPY1y0Cm2EmwNvzW4QgVXR
-Fjs3HmJ4xtSpXdo6mwcGezL3Abt/aQXaxv9PU8xt+Jr0OFUCAwEAATANBgkqhkiG
-9w0BAQQFAANBAOQpYmGgyCqCy1OljgJhCqQOu627oVlHzK1L+t9vBaMfn40AVUR4
-WzQVWO31KTgi5vTK1U+3h46fgUWqQ0h+6rU=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIAwgKADAgECAgEAMA0GCSqGSIb3DQEBBAUAMGIxETAPBgNVBAcTCEludGVybmV0
-MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE0MDIGA1UECxMrVmVyaVNpZ24gQ2xh
-c3MgMSBDQSAtIEluZGl2aWR1YWwgU3Vic2NyaWJlcjAeFw05NjA0MDgxMDIwMjda
-Fw05NzA0MDgxMDIwMjdaMGIxETAPBgNVBAcTCEludGVybmV0MRcwFQYDVQQKEw5W
-ZXJpU2lnbiwgSW5jLjE0MDIGA1UECxMrVmVyaVNpZ24gQ2xhc3MgMSBDQSAtIElu
-ZGl2aWR1YWwgU3Vic2NyaWJlcjCAMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2
-FKbPTdAFDdjKI9BvqrQpkmOOLPhvltcunXZLEbE2jVfJw/0cxrr+Hgi6M8qV6r7j
-W80GqLd5HUQq7XPysVKDaBBwZJHXPmv5912dFEObbpdFmIFH0S3L3bty10w/cari
-QPJUObwW7s987LrbP2wqsxaxhhKdrpM01bjV0Pc+qQIDAQABAAAAADANBgkqhkiG
-9w0BAQQFAAOBgQA+1nJryNt8VBRjRr07ArDAV/3jAH7GjDc9jsrxZS68ost9v06C
-TvTNKGL+LISNmFLXl+JXhgGB0JZ9fvyYzNgHQ46HBUng1H6voalfJgS2KdEo50wW
-8EFZYMDkT1k4uynwJqkVN2QJK/2q4/A/VCov5h6SlM8Affg2W+1TLqvqkwAA
------END CERTIFICATE-----
-
- subject=/L=Internet/O=VeriSign, Inc./OU=VeriSign Class 2 CA - Individual Subscriber
- issuer= /L=Internet/O=VeriSign, Inc./OU=VeriSign Class 2 CA - Individual Subscriber
-
------BEGIN CERTIFICATE-----
-MIIEkzCCA/ygAwIBAgIRANDTUpSRL3nTFeMrMayFSPAwDQYJKoZIhvcNAQECBQAw
-YjERMA8GA1UEBxMISW50ZXJuZXQxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTQw
-MgYDVQQLEytWZXJpU2lnbiBDbGFzcyAyIENBIC0gSW5kaXZpZHVhbCBTdWJzY3Jp
-YmVyMB4XDTk2MDYwNDAwMDAwMFoXDTk4MDYwNDIzNTk1OVowYjERMA8GA1UEBxMI
-SW50ZXJuZXQxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTQwMgYDVQQLEytWZXJp
-U2lnbiBDbGFzcyAyIENBIC0gSW5kaXZpZHVhbCBTdWJzY3JpYmVyMIGfMA0GCSqG
-SIb3DQEBAQUAA4GNADCBiQKBgQC6A+2czKGRcYMfm8gdnk+0de99TDDzsqo0v5nb
-RsbUmMcdRQ7nsMbRWe0SAb/9QoLTZ/cJ0iOBqdrkz7UpqqKarVoTSdlSMVM92tWp
-3bJncZHQD1t4xd6lQVdI1/T6R+5J0T1ukOdsI9Jmf+F28S6g3R3L1SFwiHKeZKZv
-z+793wIDAQABo4ICRzCCAkMwggIpBgNVHQMBAf8EggIdMIICGTCCAhUwggIRBgtg
-hkgBhvhFAQcBATCCAgAWggGrVGhpcyBjZXJ0aWZpY2F0ZSBpbmNvcnBvcmF0ZXMg
-YnkgcmVmZXJlbmNlLCBhbmQgaXRzIHVzZSBpcyBzdHJpY3RseSBzdWJqZWN0IHRv
-LCB0aGUgVmVyaVNpZ24gQ2VydGlmaWNhdGlvbiBQcmFjdGljZSBTdGF0ZW1lbnQg
-KENQUyksIGF2YWlsYWJsZSBhdDogaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL0NQ
-Uy0xLjA7IGJ5IEUtbWFpbCBhdCBDUFMtcmVxdWVzdHNAdmVyaXNpZ24uY29tOyBv
-ciBieSBtYWlsIGF0IFZlcmlTaWduLCBJbmMuLCAyNTkzIENvYXN0IEF2ZS4sIE1v
-dW50YWluIFZpZXcsIENBIDk0MDQzIFVTQSBUZWwuICsxICg0MTUpIDk2MS04ODMw
-IENvcHlyaWdodCAoYykgMTk5NiBWZXJpU2lnbiwgSW5jLiAgQWxsIFJpZ2h0cyBS
-ZXNlcnZlZC4gQ0VSVEFJTiBXQVJSQU5USUVTIERJU0NMQUlNRUQgYW5kIExJQUJJ
-TElUWSBMSU1JVEVELqAOBgxghkgBhvhFAQcBAQGhDgYMYIZIAYb4RQEHAQECMC8w
-LRYraHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JlcG9zaXRvcnkvQ1BTLTEuMDAU
-BglghkgBhvhCAQEBAf8EBAMCAgQwDQYJKoZIhvcNAQECBQADgYEApRJRkNBqLLgs
-53IR/d18ODdLOWMTZ+QOOxBrq460iBEdUwgF8vmPRX1ku7UiDeNzaLlurE6eFqHq
-2zPyK5j60zfTLVJMWKcQWwTJLjHtXrW8pxhNtFc6Fdvy5ZkHnC/9NIl7/t4U6WqB
-p4y+p7SdMIkEwIZfds0VbnQyX5MRUJY=
------END CERTIFICATE-----
-
- subject=/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
- issuer= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
------BEGIN CERTIFICATE-----
-MIICMTCCAZoCBQKhAAABMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMRcw
-FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJsaWMg
-UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NjAxMjkwMDAwMDBa
-Fw05OTEyMzEyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2ln
-biwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZp
-Y2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyVxZ
-nvIbigEUtBDfBEDb41evakVAj4QMC9Ez2dkRz+4CWB8l9yqoRAWq7AMfeH+ek7ma
-AKojfdashaJjRcdyJ8z0TMZ1cdI5709C8HXfCpDGjiBvmA/4rCNfcCk2pMmG57Ga
-IMtTpYXnPb59mv4kRTPcdhXtD6JxZExlLoFoRacCAwEAATANBgkqhkiG9w0BAQIF
-AAOBgQB1Zmw+0c2B27X4LzZRtvdCvM1Cr9wO+hVs+GeTVzrrtpLotgHKjLeOQ7RJ
-Zfk+7r11Ri7J/CVdqMcvi5uPaM+0nJcYwE3vH9mvgrPmZLiEXIqaB1JDYft0nls6
-NvxMsvwaPxUupVs8G5DsiCnkWRb5zget7Ond2tIxik/W2O8XjQ==
------END CERTIFICATE-----
- subject=/C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority
- issuer= /C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority
------BEGIN CERTIFICATE-----
-MIICMTCCAZoCBQKmAAABMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMRcw
-FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgNCBQdWJsaWMg
-UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NjAxMjkwMDAwMDBa
-Fw05OTEyMzEyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2ln
-biwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgNCBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZp
-Y2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0LJ1
-9njQrlpQ9OlQqZ+M1++RlHDo0iSQdomF1t+s5gEXMoDwnZNHvJplnR+Xrr/phnVj
-IIm9gFidBAydqMEk6QvlMXi9/C0MN2qeeIDpRnX57aP7E3vIwUzSo+/1PLBij0pd
-O92VZ48TucE81qcmm+zDO3rZTbxtm+gVAePwR6kCAwEAATANBgkqhkiG9w0BAQIF
-AAOBgQBT3dPwnCR+QKri/AAa19oM/DJhuBUNlvP6Vxt/M3yv6ZiaYch6s7f/sdyZ
-g9ysEvxwyR84Qu1E9oAuW2szaayc01znX1oYx7EteQSWQZGZQbE8DbqEOcY7l/Am
-yY7uvcxClf8exwI/VAx49byqYHwCaejcrOICdmHEPgPq0ook0Q==
------END CERTIFICATE-----

apps/smime.c

@@ -541,8 +541,8 @@ int MAIN(int argc, char **argv)
 		{
 		if (!cipher)
 			{
-#ifndef OPENSSL_NO_RC2			
-			cipher = EVP_rc2_40_cbc();
+#ifndef OPENSSL_NO_DES			
+			cipher = EVP_des_ede3_cbc();
 #else
 			BIO_printf(bio_err, "No cipher selected\n");
 			goto end;

apps/speed.c

@@ -108,8 +108,14 @@
 #include <signal.h>
 #endif
 
-#ifdef _WIN32
+#if defined(_WIN32) || defined(__CYGWIN__)
 #include <windows.h>
+# if defined(__CYGWIN__) && !defined(_WIN32)
+  /* <windows.h> should define _WIN32, which normally is mutually
+   * exclusive with __CYGWIN__, but if it didn't... */
+#  define _WIN32
+  /* this is done because Cygwin alarm() fails sometimes. */
+# endif
 #endif
 
 #include <openssl/bn.h>
@@ -185,6 +191,24 @@
 #endif
 #include <openssl/modes.h>
 
+#ifdef OPENSSL_FIPS
+#ifdef OPENSSL_DOING_MAKEDEPEND
+#undef AES_set_encrypt_key
+#undef AES_set_decrypt_key
+#undef DES_set_key_unchecked
+#endif
+#define BF_set_key	private_BF_set_key
+#define CAST_set_key	private_CAST_set_key
+#define idea_set_encrypt_key	private_idea_set_encrypt_key
+#define SEED_set_key	private_SEED_set_key
+#define RC2_set_key	private_RC2_set_key
+#define RC4_set_key	private_RC4_set_key
+#define DES_set_key_unchecked	private_DES_set_key_unchecked
+#define AES_set_encrypt_key	private_AES_set_encrypt_key
+#define AES_set_decrypt_key	private_AES_set_decrypt_key
+#define Camellia_set_key	private_Camellia_set_key
+#endif
+
 #ifndef HAVE_FORK
 # if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_NETWARE)
 #  define HAVE_FORK 0
@@ -274,9 +298,12 @@ static SIGRETTYPE sig_done(int sig)
 
 #if defined(_WIN32)
 
-#define SIGALRM
+#if !defined(SIGALRM)
+# define SIGALRM
+#endif
 static unsigned int lapse,schlock;
-static void alarm(unsigned int secs) { lapse = secs*1000; }
+static void alarm_win32(unsigned int secs) { lapse = secs*1000; }
+#define alarm alarm_win32
 
 static DWORD WINAPI sleepy(VOID *arg)
 	{
@@ -288,11 +315,9 @@ static DWORD WINAPI sleepy(VOID *arg)
 
 static double Time_F(int s)
 	{
-	double ret;
-	static HANDLE thr;
-
 	if (s == START)
 		{
+		HANDLE	thr;
 		schlock = 0;
 		thr = CreateThread(NULL,4096,sleepy,NULL,0,NULL);
 		if (thr==NULL)
@@ -301,25 +326,17 @@ static double Time_F(int s)
 			BIO_printf(bio_err,"unable to CreateThread (%d)",ret);
 			ExitProcess(ret);
 			}
+		CloseHandle(thr);		/* detach the thread	*/
 		while (!schlock) Sleep(0);	/* scheduler spinlock	*/
-		ret = app_tminterval(s,usertime);
-		}
-	else
-		{
-		ret = app_tminterval(s,usertime);
-		if (run) TerminateThread(thr,0);
-		CloseHandle(thr);
 		}
 
-	return ret;
+	return app_tminterval(s,usertime);
 	}
 #else
 
 static double Time_F(int s)
 	{
-	double ret = app_tminterval(s,usertime);
-	if (s == STOP) alarm(0);
-	return ret;
+	return app_tminterval(s,usertime);
 	}
 #endif
 
@@ -480,7 +497,7 @@ int MAIN(int argc, char **argv)
 #define D_IGE_128_AES   26
 #define D_IGE_192_AES   27
 #define D_IGE_256_AES   28
-#define D_GHASH         29
+#define D_GHASH		29
 	double d=0.0;
 	long c[ALGOR_NUM][SIZE_NUM];
 #define	R_DSA_512	0
@@ -1574,11 +1591,7 @@ int MAIN(int argc, char **argv)
 			print_message(names[D_SHA1],c[D_SHA1][j],lengths[j]);
 			Time_F(START);
 			for (count=0,run=1; COND(c[D_SHA1][j]); count++)
-#if 0
 				EVP_Digest(buf,(unsigned long)lengths[j],&(sha[0]),NULL,EVP_sha1(),NULL);
-#else
-				SHA1(buf,lengths[j],sha);
-#endif
 			d=Time_F(STOP);
 			print_result(D_SHA1,j,count,d);
 			}
@@ -2584,7 +2597,7 @@ static void pkey_print_message(const char *str, const char *str2, long num,
 	BIO_printf(bio_err,mr ? "+DTP:%d:%s:%s:%d\n"
 			   : "Doing %d bit %s %s's for %ds: ",bits,str,str2,tm);
 	(void)BIO_flush(bio_err);
-	alarm(RSA_SECONDS);
+	alarm(tm);
 #else
 	BIO_printf(bio_err,mr ? "+DNP:%ld:%d:%s:%s\n"
 			   : "Doing %ld %d bit %s %s's: ",num,bits,str,str2);

apps/srp.c

@@ -125,13 +125,13 @@ static int get_index(CA_DB *db, char* id, char type)
 	if (type == DB_SRP_INDEX) 
 	for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++)
 		{
-		pp=sk_OPENSSL_PSTRING_value(db->db->data,i);
+		pp = sk_OPENSSL_PSTRING_value(db->db->data,i);
 		if (pp[DB_srptype][0] == DB_SRP_INDEX  && !strcmp(id,pp[DB_srpid])) 
 			return i;
 		}
 	else for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++)
 		{
-		pp=sk_OPENSSL_PSTRING_value(db->db->data,i);
+		pp = sk_OPENSSL_PSTRING_value(db->db->data,i);
 
 		if (pp[DB_srptype][0] != DB_SRP_INDEX && !strcmp(id,pp[DB_srpid])) 
 			return i;
@@ -140,41 +140,41 @@ static int get_index(CA_DB *db, char* id, char type)
 	return -1 ; 
 	}
 
-static void print_entry(CA_DB *db, BIO * bio, int indx, int verbose, char * s)
+static void print_entry(CA_DB *db, BIO *bio, int indx, int verbose, char *s)
 	{
 	if (indx >= 0 && verbose)
 		{
 		int j;
-		char **pp=sk_OPENSSL_PSTRING_value(db->db->data,indx);
-		BIO_printf(bio,"%s \"%s\"\n",s,pp[DB_srpid]);
+		char **pp = sk_OPENSSL_PSTRING_value(db->db->data, indx);
+		BIO_printf(bio, "%s \"%s\"\n", s, pp[DB_srpid]);
 		for (j = 0; j < DB_NUMBER; j++)
 			{
-			BIO_printf(bio_err,"  %d = \"%s\"\n",j,pp[j]);
+			BIO_printf(bio_err,"  %d = \"%s\"\n", j, pp[j]);
 			}
 		}
 	}
 
-static void print_index(CA_DB *db, BIO * bio, int indexindex, int verbose)
+static void print_index(CA_DB *db, BIO *bio, int indexindex, int verbose)
 	{
-	print_entry(db,bio,indexindex, verbose, "g N entry") ;
+	print_entry(db, bio, indexindex, verbose, "g N entry") ;
 	}
 
-static void print_user(CA_DB *db, BIO * bio, int userindex, int verbose)
+static void print_user(CA_DB *db, BIO *bio, int userindex, int verbose)
 	{
 	if (verbose > 0)
 		{
-		char **pp= sk_OPENSSL_PSTRING_value(db->db->data,userindex);
+		char **pp = sk_OPENSSL_PSTRING_value(db->db->data,userindex);
 
 		if (pp[DB_srptype][0] != 'I')
 			{
-			print_entry(db,bio,userindex, verbose, "User entry");
-			print_entry(db,bio,get_index(db, pp[DB_srpgN],'I'),verbose,"g N entry") ;
+			print_entry(db, bio, userindex, verbose, "User entry");
+			print_entry(db, bio, get_index(db, pp[DB_srpgN], 'I'), verbose, "g N entry");
 			}
 
 		}
 	}
 
-static int update_index(CA_DB *db, BIO * bio, char ** row)
+static int update_index(CA_DB *db, BIO *bio, char **row)
 	{
 	char ** irow;
 	int i;
@@ -202,18 +202,17 @@ static int update_index(CA_DB *db, BIO * bio, char ** row)
 	return 1;
 	}
 
-static void lookup_fail(const char *name, const char *tag)
+static void lookup_fail(const char *name, char *tag)
 	{
 	BIO_printf(bio_err,"variable lookup failed for %s::%s\n",name,tag);
 	}
 
 
 static char *srp_verify_user(const char *user, const char *srp_verifier,
-							 char *srp_usersalt, const char *g,
-							 const char * N, const char *passin, BIO *bio,
-							 int verbose)
+			     char *srp_usersalt, const char *g, const char *N,
+			     const char *passin, BIO *bio, int verbose)
 	{
- 	char password[1024];
+	char password[1024];
 	PW_CB_DATA cb_tmp;
 	char *verifier = NULL;
 	char *gNid = NULL;
@@ -223,14 +222,12 @@ static char *srp_verify_user(const char *user, const char *srp_verifier,
 
  	if (password_callback(password, 1024, 0, &cb_tmp) >0)
 		{
-		VERBOSE BIO_printf(bio,"Validating\n   user=\"%s\"\n srp_verifier=\"%s\"\n srp_usersalt=\"%s\"\n g=\"%s\"\n N=\"%s\"\n",user,srp_verifier,srp_usersalt,g,N);
-		BIO_printf(bio,"Pass %s\n",password);
+		VERBOSE BIO_printf(bio,"Validating\n   user=\"%s\"\n srp_verifier=\"%s\"\n srp_usersalt=\"%s\"\n g=\"%s\"\n N=\"%s\"\n",user,srp_verifier,srp_usersalt, g, N);
+		BIO_printf(bio, "Pass %s\n", password);
 
-		OPENSSL_assert(srp_usersalt != NULL);
-		if (!(gNid=SRP_create_verifier(user, password, &srp_usersalt, &verifier,
-									   N, g)))
+		if (!(gNid=SRP_create_verifier(user, password, &srp_usersalt, &verifier, N, g)))
 			{
-			BIO_printf(bio,"Internal error validating SRP verifier\n");
+			BIO_printf(bio, "Internal error validating SRP verifier\n");
 			}
 		else
 			{
@@ -242,9 +239,9 @@ static char *srp_verify_user(const char *user, const char *srp_verifier,
 	return gNid;
 	}
 
-static char *srp_create_user(char * user, char **srp_verifier,
-							 char **srp_usersalt,char *g, char *N,
-							 char *passout, BIO *bio, int verbose)
+static char *srp_create_user(char *user, char **srp_verifier,
+			     char **srp_usersalt, char *g, char *N,
+			     char *passout, BIO *bio, int verbose)
 	{
  	char password[1024];
         PW_CB_DATA cb_tmp;
@@ -518,9 +515,9 @@ bad:
 	if (db == NULL) goto err;
 
 	/* Lets check some fields */
-	for (i=0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++)
+	for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++)
 		{
-		pp=sk_OPENSSL_PSTRING_value(db->db->data, i);
+		pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
 	
 		if (pp[DB_srptype][0] == DB_SRP_INDEX)
 			{
@@ -528,25 +525,25 @@ bad:
 			if (gNindex < 0 && gN != NULL && !strcmp(gN, pp[DB_srpid]))
 				gNindex = i;
 
-			print_index(db, bio_err, i, verbose > 1) ;
+			print_index(db, bio_err, i, verbose > 1);
 			}
 		}
 	
-	VERBOSE BIO_printf(bio_err,"Database initialised\n");
+	VERBOSE BIO_printf(bio_err, "Database initialised\n");
 
 	if (gNindex >= 0)
 		{
-		gNrow=sk_OPENSSL_PSTRING_value(db->db->data,gNindex);
-		print_entry(db,bio_err,gNindex,verbose>1,"Default g and N") ;
+		gNrow = sk_OPENSSL_PSTRING_value(db->db->data,gNindex);
+		print_entry(db, bio_err, gNindex, verbose > 1, "Default g and N");
 		}
 	else if (maxgN > 0 && !SRP_get_default_gN(gN))
 		{
-		BIO_printf(bio_err,"No g and N value for index \"%s\"\n",gN);
+		BIO_printf(bio_err, "No g and N value for index \"%s\"\n", gN);
 		goto err;
 		}
 	else
 		{
-		VERBOSE BIO_printf(bio_err,"Database has no g N information.\n");
+		VERBOSE BIO_printf(bio_err, "Database has no g N information.\n");
 		gNrow = NULL;
 		}
 	
@@ -560,10 +557,10 @@ bad:
 		{
 		int userindex = -1;
 		if (user) 
-			VVERBOSE BIO_printf(bio_err, "Processing user \"%s\"\n",user);
+			VVERBOSE BIO_printf(bio_err, "Processing user \"%s\"\n", user);
 		if ((userindex = get_index(db, user, 'U')) >= 0)
 			{
-			print_user(db,bio_err,userindex,(verbose > 0) || list_user) ;
+			print_user(db, bio_err, userindex, (verbose > 0) || list_user);
 			}
 		
 		if (list_user)
@@ -572,16 +569,16 @@ bad:
 				{
 				BIO_printf(bio_err,"List all users\n");
 
-				for (i=0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++)
+				for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++)
 					{
-					print_user(db,bio_err,i,1) ;
+					print_user(db,bio_err, i, 1);
 					}
 				list_user = 0;
 				}
 			else if (userindex < 0)
 				{
 				BIO_printf(bio_err, "user \"%s\" does not exist, ignored. t\n",
-						   user);
+					   user);
 				errors++;
 				}
 			}
@@ -591,21 +588,21 @@ bad:
 				{
 				/* reactivation of a new user */
 				char **row = sk_OPENSSL_PSTRING_value(db->db->data, userindex);
-				BIO_printf(bio_err,"user \"%s\" reactivated.\n", user);
-				row[DB_srptype][0] = 'V' ;
+				BIO_printf(bio_err, "user \"%s\" reactivated.\n", user);
+				row[DB_srptype][0] = 'V';
 
 				doupdatedb = 1;
 				}
 			else
 				{
-				char *row[DB_NUMBER] ; char * gNid;
+				char *row[DB_NUMBER] ; char *gNid;
 				row[DB_srpverifier] = NULL;
 				row[DB_srpsalt] = NULL;
 				row[DB_srpinfo] = NULL;
 				if (!(gNid = srp_create_user(user,&(row[DB_srpverifier]), &(row[DB_srpsalt]),gNrow?gNrow[DB_srpsalt]:gN,gNrow?gNrow[DB_srpverifier]:NULL, passout, bio_err,verbose)))
 					{
-						BIO_printf(bio_err,"Cannot create srp verifier for user \"%s\", operation abandoned .\n",user);
-						errors++ ;
+						BIO_printf(bio_err, "Cannot create srp verifier for user \"%s\", operation abandoned .\n", user);
+						errors++;
 						goto err;
 					}
 				row[DB_srpid] = BUF_strdup(user);
@@ -629,38 +626,37 @@ bad:
 			}
 		else if (modify_user)
 			{
-			if (userindex<0)
+			if (userindex < 0)
 				{
 				BIO_printf(bio_err,"user \"%s\" does not exist, operation ignored.\n",user);
-				errors++ ;
+				errors++;
 				}
 			else
 				{
 
-				char **row=sk_OPENSSL_PSTRING_value(db->db->data, userindex);
-				char type = row[DB_srptype][0] ;
+				char **row = sk_OPENSSL_PSTRING_value(db->db->data, userindex);
+				char type = row[DB_srptype][0];
 				if (type == 'v')
 					{
 					BIO_printf(bio_err,"user \"%s\" already updated, operation ignored.\n",user);
-					errors++ ;
+					errors++;
 					}
 				else
 					{
-					char * gNid ;
+					char *gNid;
 
 					if (row[DB_srptype][0] == 'V')
 						{
-						int user_gN ;
-						char ** irow = NULL;
+						int user_gN;
+						char **irow = NULL;
 						VERBOSE BIO_printf(bio_err,"Verifying password for user \"%s\"\n",user);
-						if ( (user_gN = get_index(db, row[DB_srpgN],DB_SRP_INDEX)) >= 0)
-							irow = sk_OPENSSL_PSTRING_value(db->db->data,
-															userindex);
+						if ( (user_gN = get_index(db, row[DB_srpgN], DB_SRP_INDEX)) >= 0)
+							irow = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex);
 
- 						if (!srp_verify_user(user,row[DB_srpverifier], row[DB_srpsalt],irow?irow[DB_srpsalt]:row[DB_srpgN], irow?irow[DB_srpverifier]:NULL, passin, bio_err,verbose))
+ 						if (!srp_verify_user(user, row[DB_srpverifier], row[DB_srpsalt], irow ? irow[DB_srpsalt] : row[DB_srpgN], irow ? irow[DB_srpverifier] : NULL, passin, bio_err, verbose))
 							{
-							BIO_printf(bio_err,"Invalid password for user \"%s\", operation abandoned.\n",user);
-							errors++ ;
+							BIO_printf(bio_err, "Invalid password for user \"%s\", operation abandoned.\n", user);
+							errors++;
 							goto err;
 							}
 						} 
@@ -668,12 +664,9 @@ bad:
 
 					if (!(gNid=srp_create_user(user,&(row[DB_srpverifier]), &(row[DB_srpsalt]),gNrow?gNrow[DB_srpsalt]:NULL, gNrow?gNrow[DB_srpverifier]:NULL, passout, bio_err,verbose)))
 						{
-							BIO_printf(bio_err,
-									   "Cannot create srp verifier for user "
-									   "\"%s\", operation abandonned .\n",
-									   user);
-							errors++;
-							goto err;
+						BIO_printf(bio_err, "Cannot create srp verifier for user \"%s\", operation abandoned.\n", user);
+						errors++;
+						goto err;
 						}
 
 					row[DB_srptype][0] = 'v';
@@ -696,10 +689,10 @@ bad:
 				}
 			else
 				{
-				char ** xpp = sk_OPENSSL_PSTRING_value(db->db->data,userindex);
-				BIO_printf(bio_err,"user \"%s\" revoked. t\n",user);
+				char **xpp = sk_OPENSSL_PSTRING_value(db->db->data,userindex);
+				BIO_printf(bio_err, "user \"%s\" revoked. t\n", user);
 
-				xpp[DB_srptype][0] = 'R' ;
+				xpp[DB_srptype][0] = 'R';
 				
 				doupdatedb = 1;
 				}
@@ -719,24 +712,24 @@ bad:
 	if (doupdatedb)
 		{
 		/* Lets check some fields */
-		for (i=0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++)
+		for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++)
 			{
-			pp=sk_OPENSSL_PSTRING_value(db->db->data,i);
+			pp = sk_OPENSSL_PSTRING_value(db->db->data,i);
 	
 			if (pp[DB_srptype][0] == 'v')
 				{
 				pp[DB_srptype][0] = 'V';
-				print_user(db,bio_err,i,verbose) ;
+				print_user(db, bio_err, i, verbose);
 				}
 			}
 
-		VERBOSE BIO_printf(bio_err,"Trying to update srpvfile.\n");
-		if (!save_index(dbfile,"new",db)) goto err;
+		VERBOSE BIO_printf(bio_err, "Trying to update srpvfile.\n");
+		if (!save_index(dbfile, "new", db)) goto err;
 				
-		VERBOSE BIO_printf(bio_err,"Temporary srpvfile created.\n");
-		if (!rotate_index(dbfile,"new","old")) goto err;
+		VERBOSE BIO_printf(bio_err, "Temporary srpvfile created.\n");
+		if (!rotate_index(dbfile, "new", "old")) goto err;
 
-		VERBOSE BIO_printf(bio_err,"srpvfile updated.\n");
+		VERBOSE BIO_printf(bio_err, "srpvfile updated.\n");
 		}
 
 	ret = (errors != 0);

apps/tsget

@@ -1,7 +1,7 @@
 #!/usr/bin/perl -w
 # Written by Zoltan Glozik <zglozik@stones.com>.
 # Copyright (c) 2002 The OpenTSA Project.  All rights reserved.
-$::version = '$Id: tsget,v 1.3 2009/09/07 17:57:18 steve Exp $';
+$::version = '$Id: tsget,v 1.1.2.2 2009/09/07 17:57:02 steve Exp $';
 
 use strict;
 use IO::Handle;

apps/verify.c

@@ -222,14 +222,23 @@ int MAIN(int argc, char **argv)
 			goto end;
 		}
 
-	if (argc < 1) check(cert_ctx, NULL, untrusted, trusted, crls, e);
+	ret = 0;
+	if (argc < 1)
+		{ 
+		if (1 != check(cert_ctx, NULL, untrusted, trusted, crls, e))
+			ret = -1;
+		}
 	else
+		{
 		for (i=0; i<argc; i++)
-			check(cert_ctx,argv[i], untrusted, trusted, crls, e);
-	ret=0;
+			if (1 != check(cert_ctx,argv[i], untrusted, trusted, crls, e))
+				ret = -1;
+		}
+
 end:
 	if (ret == 1) {
 		BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
+		BIO_printf(bio_err," [-attime timestamp]");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," [-engine e]");
 #endif
@@ -241,19 +250,9 @@ end:
 			X509_PURPOSE *ptmp;
 			ptmp = X509_PURPOSE_get0(i);
 			BIO_printf(bio_err, "\t%-10s\t%s\n",
-					X509_PURPOSE_get0_sname(ptmp),
-					X509_PURPOSE_get0_name(ptmp));
+				   X509_PURPOSE_get0_sname(ptmp),
+				   X509_PURPOSE_get0_name(ptmp));
 			}
-
-		BIO_printf(bio_err,"recognized verify names:\n");
-		for(i = 0; i < X509_VERIFY_PARAM_get_count(); i++)
-			{
-			const X509_VERIFY_PARAM *vptmp;
-			vptmp = X509_VERIFY_PARAM_get0(i);
-			BIO_printf(bio_err, "\t%-10s\n",
-					X509_VERIFY_PARAM_get0_name(vptmp));
-			}
-
 	}
 	if (vpm) X509_VERIFY_PARAM_free(vpm);
 	if (cert_ctx != NULL) X509_STORE_free(cert_ctx);
@@ -261,7 +260,7 @@ end:
 	sk_X509_pop_free(trusted, X509_free);
 	sk_X509_CRL_pop_free(crls, X509_CRL_free);
 	apps_shutdown();
-	OPENSSL_EXIT(ret);
+	OPENSSL_EXIT(ret < 0 ? 2 : ret);
 	}
 
 static int check(X509_STORE *ctx, char *file,

apps/x509.c

@@ -174,7 +174,7 @@ int MAIN(int argc, char **argv)
 	X509 *x=NULL,*xca=NULL;
 	ASN1_OBJECT *objtmp;
 	STACK_OF(OPENSSL_STRING) *sigopts = NULL;
-	EVP_PKEY *Upkey=NULL,*CApkey=NULL, *fkey = NULL;
+	EVP_PKEY *Upkey=NULL,*CApkey=NULL;
 	ASN1_INTEGER *sno = NULL;
 	int i,num,badops=0;
 	BIO *out=NULL;
@@ -183,7 +183,6 @@ int MAIN(int argc, char **argv)
 	int informat,outformat,keyformat,CAformat,CAkeyformat;
 	char *infile=NULL,*outfile=NULL,*keyfile=NULL,*CAfile=NULL;
 	char *CAkeyfile=NULL,*CAserial=NULL;
-	char *fkeyfile=NULL;
 	char *alias=NULL;
 	int text=0,serial=0,subject=0,issuer=0,startdate=0,enddate=0;
 	int next_serial=0;
@@ -348,11 +347,6 @@ int MAIN(int argc, char **argv)
 			if (!(sno = s2i_ASN1_INTEGER(NULL, *(++argv))))
 				goto bad;
 			}
-		else if (strcmp(*argv,"-force_pubkey") == 0)
-			{
-			if (--argc < 1) goto bad;
-			fkeyfile= *(++argv);
-			}
 		else if (strcmp(*argv,"-addtrust") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -523,13 +517,6 @@ bad:
 		goto end;
 		}
 
-	if (fkeyfile)
-		{
-		fkey = load_pubkey(bio_err, fkeyfile, keyformat, 0,
-						NULL, e, "Forced key");
-		if (fkey == NULL) goto end;
-		}
-
 	if ((CAkeyfile == NULL) && (CA_flag) && (CAformat == FORMAT_PEM))
 		{ CAkeyfile=CAfile; }
 	else if ((CA_flag) && (CAkeyfile == NULL))
@@ -666,14 +653,10 @@ bad:
 
 		X509_gmtime_adj(X509_get_notBefore(x),0);
 	        X509_time_adj_ex(X509_get_notAfter(x),days, 0, NULL);
-		if (fkey)
-			X509_set_pubkey(x, fkey);
-		else
-			{
-			pkey = X509_REQ_get_pubkey(req);
-			X509_set_pubkey(x,pkey);
-			EVP_PKEY_free(pkey);
-			}
+
+		pkey = X509_REQ_get_pubkey(req);
+		X509_set_pubkey(x,pkey);
+		EVP_PKEY_free(pkey);
 		}
 	else
 		x=load_cert(bio_err,infile,informat,NULL,e,"Certificate");
@@ -1110,7 +1093,6 @@ end:
 	X509_free(xca);
 	EVP_PKEY_free(Upkey);
 	EVP_PKEY_free(CApkey);
-	EVP_PKEY_free(fkey);
 	if (sigopts)
 		sk_OPENSSL_STRING_free(sigopts);
 	X509_REQ_free(rq);

c6x/do_fips

@@ -1,7 +0,0 @@
-#!/bin/sh
-
-perl Configure c64xplus fipscanisteronly no-engine
-perl util/mkfiles.pl > MINFO
-perl util/mk1mf.pl auto > c6x/fips.mak
-make -f c6x/fips.mak
-make -f c6x/fips_algvs.mak

c6x/env

@@ -1,7 +0,0 @@
-# MSYS-style PATH
-export PATH=/c/CCStudio_v3.3/c6000/cgtools/bin:/c/Program\ Files/ActivePerl58/bin:$PATH
-
-# Windows-style variables
-export C6X_C_DIR='C:\CCStudio_v3.3\c6000\cgtools\include;C:\CCStudio_v3.3\c6000\cgtools\lib'
-
-export PERL5LIB=C:/CCStudio_v3.3/bin/utilities/ccs_scripting

c6x/fips_standalone_sha1

@@ -1,32 +0,0 @@
-#!/usr/bin/env perl
-#
-$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-
-unshift(@INC,$dir);
-require "hmac_sha1.pl";
-
-(!@ARV[0] && -f @ARGV[$#ARGV]) || die "usage: $0 [-verify] file";
-
-$verify=shift	if (@ARGV[0] eq "-verify");
-
-sysopen(FD,@ARGV[0],0) || die "$!";
-binmode(FD);
-
-my $ctx = HMAC->Init("etaonrishdlcupfm");
-
-while (read(FD,$blob,4*1024)) { $ctx->Update($blob); }
-
-close(FD);
-
-my $signature = unpack("H*",$ctx->Final());
-
-print "HMAC-SHA1(@ARGV[0])= $signature\n";
-
-if ($verify) {
-	open(FD,"<@ARGV[0].sha1") || die "$!";
-	$line = <FD>;
-	close(FD);
-	exit(0)	if ($line =~ /HMAC\-SHA1\([^\)]*\)=\s*([0-9a-f]+)/i &&
-				$1 eq $signature);
-	die "signature mismatch";
-}

c6x/fipscanister.cmd

@@ -1,19 +0,0 @@
-SECTIONS
-{
-    .text:
-    {
-	*(.fips_text:start)
-	*(.text)
-	*(.const:aes_asm)
-	*(.const:sha_asm)
-	*(.const:des_sptrans)
-	*(.switch)
-	*(.fips_text:end)
-    }
-    .const:
-    {
-	*(.fips_const:start)
-	*(.const)
-	*(.fips_const:end)
-    }
-}

c6x/hmac_sha1.pl

@@ -1,196 +0,0 @@
-#!/usr/bin/env perl
-#
-# Copyright (c) 2011 The OpenSSL Project.
-#
-######################################################################
-#
-# SHA1 and HMAC in Perl by <appro@openssl.org>.
-#
-{ package SHA1;
-  use integer;
-
-    {
-    ################################### SHA1 block code generator
-    my @V = ('$A','$B','$C','$D','$E');
-    my $i;
-
-    sub XUpdate {
-      my $ret;
-	$ret="(\$T=\$W[($i-16)%16]^\$W[($i-14)%16]^\$W[($i-8)%16]^\$W[($i-3)%16],\n\t";
-	if ((1<<31)<<1) {
-	    $ret.="    \$W[$i%16]=((\$T<<1)|(\$T>>31))&0xffffffff)\n\t  ";
-	} else {
-	    $ret.="    \$W[$i%16]=(\$T<<1)|((\$T>>31)&1))\n\t  ";
-	}
-    }
-    sub tail {
-      my ($a,$b,$c,$d,$e)=@V;
-      my $ret;
-	if ((1<<31)<<1) {
-	    $ret.="(($a<<5)|($a>>27));\n\t";
-	    $ret.="$b=($b<<30)|($b>>2);	$e&=0xffffffff;	#$b&=0xffffffff;\n\t";
-	} else {
-	    $ret.="(($a<<5)|($a>>27)&0x1f);\n\t";
-	    $ret.="$b=($b<<30)|($b>>2)&0x3fffffff;\n\t";
-	}
-      $ret;
-    }
-    sub BODY_00_15 {
-	my ($a,$b,$c,$d,$e)=@V;
-	"$e+=\$W[$i]+0x5a827999+((($c^$d)&$b)^$d)+".tail();
-    }
-    sub BODY_16_19 {
-	my ($a,$b,$c,$d,$e)=@V;
-	"$e+=".XUpdate()."+0x5a827999+((($c^$d)&$b)^$d)+".tail();
-    }
-    sub BODY_20_39 {
-	my ($a,$b,$c,$d,$e)=@V;
-	"$e+=".XUpdate()."+0x6ed9eba1+($b^$c^$d)+".tail();
-    }
-    sub BODY_40_59 {
-	my ($a,$b,$c,$d,$e)=@V;
-	"$e+=".XUpdate()."+0x8f1bbcdc+(($b&$c)|(($b|$c)&$d))+".tail();
-    }
-    sub BODY_60_79 {
-	my ($a,$b,$c,$d,$e)=@V;
-	"$e+=".XUpdate()."+0xca62c1d6+($b^$c^$d)+".tail();
-    }
-
-    my $sha1_impl =
-    'sub block {
-	my $self = @_[0];
-	my @W    = unpack("N16",@_[1]);
-	my ($A,$B,$C,$D,$E,$T) = @{$self->{H}};
-	';
-
-	$sha1_impl.='
-	$A &= 0xffffffff;
-	$B &= 0xffffffff;
-	' if ((1<<31)<<1);
-
-	for($i=0;$i<16;$i++){ $sha1_impl.=BODY_00_15(); unshift(@V,pop(@V)); }
-	for(;$i<20;$i++)    { $sha1_impl.=BODY_16_19(); unshift(@V,pop(@V)); }
-	for(;$i<40;$i++)    { $sha1_impl.=BODY_20_39(); unshift(@V,pop(@V)); }
-	for(;$i<60;$i++)    { $sha1_impl.=BODY_40_59(); unshift(@V,pop(@V)); }
-	for(;$i<80;$i++)    { $sha1_impl.=BODY_60_79(); unshift(@V,pop(@V)); }
-
-	$sha1_impl.='
-	$self->{H}[0]+=$A;	$self->{H}[1]+=$B;	$self->{H}[2]+=$C;
-	$self->{H}[3]+=$D;	$self->{H}[4]+=$E;	}';
-
-    #print $sha1_impl,"\n";
-    eval($sha1_impl);		# generate code
-    }
-
-    sub Init {
-	my $class = shift;	# multiple instances...
-	my $self  = {};
-
-	bless $self,$class;
-	$self->{H} = [0x67452301,0xefcdab89,0x98badcfe,0x10325476,0xc3d2e1f0];
-	$self->{N} = 0;
-	return $self;
-    }
-
-    sub Update {
-	my $self = shift;
-	my $msg;
-
-	foreach $msg (@_) {
-	    my $len  = length($msg);
-	    my $num  = length($self->{buf});
-	    my $off  = 0;
-
-	    $self->{N} += $len;
-
-	    if (($num+$len)<64)
-	    {	$self->{buf} .= $msg; next;	}
-	    elsif ($num)
-	    {	$self->{buf} .= substr($msg,0,($off=64-$num));
-		$self->block($self->{buf});
-	    }
-
-	    while(($off+64) <= $len)
-	    {	$self->block(substr($msg,$off,64));
-		$off += 64;
-	    }
-
-	    $self->{buf} = substr($msg,$off);
-	}
-	return $self;
-    }
-
-    sub Final {
-	my $self = shift;
-	my $num  = length($self->{buf});
-
-	$self->{buf} .= chr(0x80); $num++;
-	if ($num>56)
-	{   $self->{buf} .= chr(0)x(64-$num);
-	    $self->block($self->{buf});
-	    $self->{buf}=undef;
-	    $num=0;
-	}
-	$self->{buf} .= chr(0)x(56-$num);
-	$self->{buf} .= pack("N2",($self->{N}>>29)&0x7,$self->{N}<<3);
-	$self->block($self->{buf});
-
-	return pack("N*",@{$self->{H}});
-    }
-
-    sub Selftest {
-	my $hash;
-
-	$hash=SHA1->Init()->Update('abc')->Final();
-	die "SHA1 test#1" if (unpack("H*",$hash) ne 'a9993e364706816aba3e25717850c26c9cd0d89d');
-
-	$hash=SHA1->Init()->Update('abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq')->Final();
-	die "SHA1 test#2" if (unpack("H*",$hash) ne '84983e441c3bd26ebaae4aa1f95129e5e54670f1');
-
-	#$hash=SHA1->Init()->Update('a'x1000000)->Final();
-	#die "SHA1 test#3" if (unpack("H*",$hash) ne '34aa973cd4c4daa4f61eeb2bdbad27316534016f');
-    }
-}
-
-{ package HMAC;
-
-    sub Init {
-	my $class = shift;
-	my $key   = shift;
-	my $self  = {};
-
-	bless $self,$class;
-
-	if (length($key)>64) {
-	    $key = SHA1->Init()->Update($key)->Final();
-	}
-	$key .= chr(0x00)x(64-length($key));
-
-	my @ikey = map($_^=0x36,unpack("C*",$key));
-	($self->{hash} = SHA1->Init())->Update(pack("C*",@ikey));
-	 $self->{okey} = pack("C*",map($_^=0x36^0x5c,@ikey));
-
-	return $self;
-    }
-
-    sub Update {
-	my $self = shift;
-	$self->{hash}->Update(@_);
-	return $self;
-    }
-
-    sub Final {
-	my $self  = shift;
-	my $ihash = $self->{hash}->Final();
-	return SHA1->Init()->Update($self->{okey},$ihash)->Final();
-    }
-
-    sub Selftest {
-	my $hmac;
-
-	$hmac = HMAC->Init('0123456789:;<=>?@ABC')->Update('Sample #2')->Final();
-	die "HMAC test" if (unpack("H*",$hmac) ne '0922d3405faa3d194f82a45830737d5cc6c75d24');
-    }
-}
-
-1;

c6x/incore6x

@@ -1,241 +0,0 @@
-#!/usr/bin/env perl
-#
-# Copyright (c) 2011 The OpenSSL Project.
-#
-# The script embeds fingerprint into TI-COFF executable object.
-
-$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-
-unshift(@INC,$dir);
-require "hmac_sha1.pl";
-
-######################################################################
-#
-# COFF symbol table parser by <appro@openssl.org>. The table entries
-# are extended with offset within executable file...
-#
-{ package COFF;
-  use FileHandle;
-
-    sub dup  { my %copy=map {$_} @_; return \%copy; }
-
-    sub Load {
-	my $class = shift;
-	my $self  = {};
-	my $FD    = FileHandle->new();	# autoclose
-
-	bless $self,$class;
-
-	sysopen($FD,shift,0) or die "$!";
-	binmode($FD);
-
-	#################################################
-	# read and parse COFF header...
-	#
-	read($FD,my $coff,22) or die "$!";
-
-	my %coff_header;
-	@coff_header{version,nsects,date,syms_off,nsyms,opt,flags,magic}=
-		unpack("v2V3v3",$coff);
-
-	$!=42;		# signal fipsld to revert to two-step link
-	die "not TI-COFF file" if ($coff_header{version} != 0xC2);
-
-	my $big_endian = ($coff_header{flags}>>9)&1;	# 0 or 1
-
-	my $strings;
-	my $symsize;
-
-	#################################################
-	# load strings table
-	#
-	seek($FD,$coff_header{syms_off}+18*$coff_header{nsyms},0) or die "$!";
-	read($FD,$strings,4) or die "$!";
-	$symsize = unpack("V",$strings);
-	read($FD,$strings,$symsize,4) or die "$!";
-
-	#################################################
-	# read sections
-	#
-	my $i;
-	my @sections;
-
-	# seek to section headers
-	seek($FD,22+@coff_header{opt},0) or die "$!";
-	for ($i=0;$i<$coff_header{nsects};$i++) {
-	    my %coff_shdr;
-	    my $name;
-
-	    read($FD,my $section,48) or die "$!";
-
-	    @coff_shdr{sh_name,sh_phaddr,sh_vaddr,
-			sh_size,sh_offset,sh_relocs,sh_reserved,
-			sh_relocoff,sh_lines,sh_flags} =
-		unpack("a8V9",$section);
-
-	    $name = $coff_shdr{sh_name};
-	    # see if sh_name is a an offset in $strings
-	    my ($hi,$lo) = unpack("V2",$name);
-	    if ($hi==0 && $lo<$symsize) {
-		$name = substr($strings,$lo,64);
-	    }
-	    $coff_shdr{sh_name} = (split(chr(0),$name))[0];
-
-	    push(@sections,dup(%coff_shdr));
-	}
-
-	#################################################
-	# load symbols table
-	#
-	seek($FD,$coff_header{syms_off},0) or die "$!";
-	for ($i=0;$i<$coff_header{nsyms};$i++) {
-	    my %coff_sym;
-	    my $name;
-
-	    read($FD,my $blob,18) or die "$!";
-
-	    @coff_sym{st_name,st_value,st_shndx,reserved,class,aux} =
-		unpack("a8Vv2C2",$blob);
-
-	    # skip aux entries
-	    if ($coff_sym{aux}) {
-		seek($FD,18*$coff_sym{aux},1) or die "$!";
-		$i+=$coff_sym{aux};
-	    }
-
-	    $name = $coff_sym{st_name};
-	    # see if st_name is a an offset in $strings
-	    my ($hi,$lo) = unpack("V2",$name);
-	    if ($hi==0 && $lo<$symsize) {
-		$name = substr($strings,$lo,64);
-	    }
-	    $coff_sym{st_name} = $name = (split(chr(0),$name))[0];
-
-	    my $st_secn = $coff_sym{st_shndx}-1;
-	    if ($st_secn>=0 && $st_secn<=$#sections
-		&& @sections[$st_secn]->{sh_offset}
-		&& $name =~ m/^_[a-z]+/i) {
-		# synthesize st_offset, ...
-		$coff_sym{st_offset} = $coff_sym{st_value}
-				- @sections[$st_secn]->{sh_vaddr}
-				+ @sections[$st_secn]->{sh_offset};
-		$coff_sym{st_section} = @sections[$st_secn]->{sh_name};
-		# ... and add to lookup table
-		$self->{symbols}{$name} = dup(%coff_sym);
-	    }
-	}
-
-	return $self;
-    }
-
-    sub Lookup {
-	my $self = shift;
-	my $name = shift;
-	return $self->{symbols}{"_$name"};
-    }
-
-    sub Traverse {
-	my $self = shift;
-	my $code = shift;
-
-	if (ref($code) eq 'CODE') {
-	    for (keys(%{$self->{symbols}})) { &$code($self->{symbols}{$_}); }
-	}
-    }
-}
-
-######################################################################
-#
-# main()
-#
-my $legacy_mode;
-
-if ($#ARGV<0 || ($#ARGV>0 && !($legacy_mode=(@ARGV[0] =~ /^\-(dso|exe)$/)))) {
-	print STDERR "usage: $0 [-dso|-exe] ti-coff-binary\n";
-	exit(1);
-}
-
-$exe = COFF->Load(@ARGV[$#ARGV]);
-
-$FIPS_text_start	= $exe->Lookup("FIPS_text_start")		or die;
-$FIPS_text_end		= $exe->Lookup("FIPS_text_end")			or die;
-$FIPS_rodata_start	= $exe->Lookup("FIPS_rodata_start")		or die;
-$FIPS_rodata_end	= $exe->Lookup("FIPS_rodata_end")		or die;
-$FIPS_signature		= $exe->Lookup("FIPS_signature")		or die;
-
-# new cross-compile support
-$FIPS_text_startX	= $exe->Lookup("FIPS_text_startX");
-$FIPS_text_endX		= $exe->Lookup("FIPS_text_endX");
-
-if (!$legacy_mode) {
-    if (!$FIPS_text_startX || !$FIPS_text_endX) {
-	print STDERR "@ARGV[$#ARGV] is not cross-compiler aware.\n";
-	exit(42);	# signal fipsld to revert to two-step link
-    }
-
-    $FINGERPRINT_ascii_value
-			= $exe->Lookup("FINGERPRINT_ascii_value");
-}
-if ($FIPS_text_startX && $FIPS_text_endX) {
-    $FIPS_text_start = $FIPS_text_startX;
-    $FIPS_text_end   = $FIPS_text_endX;
-}
-
-sysopen(FD,@ARGV[$#ARGV],$legacy_mode?0:2) or die "$!";	# 2 is read/write
-binmode(FD);
-
-sub HMAC_Update {
-  my ($hmac,$off,$len) = @_;
-  my $blob;
-
-    seek(FD,$off,0)	or die "$!";
-    read(FD,$blob,$len)	or die "$!";
-    $$hmac->Update($blob);
-}
-
-# fips/fips.c:FIPS_incore_fingerprint's Perl twin
-#
-sub FIPS_incore_fingerprint {
-  my $p1  = $FIPS_text_start->{st_offset};
-  my $p2  = $FIPS_text_end->{st_offset};
-  my $p3  = $FIPS_rodata_start->{st_offset};
-  my $p4  = $FIPS_rodata_end->{st_offset};
-  my $sig = $FIPS_signature->{st_offset};
-  my $ctx = HMAC->Init("etaonrishdlcupfm");
-
-    # detect overlapping regions
-    if ($p1<=$p3 && $p2>=$p3) {
-	$p3 = $p1; $p4 = $p2>$p4?$p2:$p4; $p1 = 0; $p2 = 0;
-    } elsif ($p3<=$p1 && $p4>=$p1) {
-	$p3 = $p3; $p4 = $p2>$p4?$p2:$p4; $p1 = 0; $p2 = 0;
-    }
-
-    if ($p1) {
-	HMAC_Update (\$ctx,$p1,$p2-$p1);
-    }
-
-    if ($sig>=$p3 && $sig<$p4) {
-	# "punch" hole
-	HMAC_Update(\$ctx,$p3,$sig-$p3);
-	$p3 = $sig+20;
-	HMAC_Update(\$ctx,$p3,$p4-$p3);
-    } else {
-	HMAC_Update(\$ctx,$p3,$p4-$p3);
-    }
-
-    return $ctx->Final();
-}
-
-$fingerprint = FIPS_incore_fingerprint();
-
-if ($legacy_mode) {
-    print unpack("H*",$fingerprint);
-} elsif ($FINGERPRINT_ascii_value) {
-    seek(FD,$FINGERPRINT_ascii_value->{st_offset},0)	or die "$!";
-    print FD unpack("H*",$fingerprint)			or die "$!";
-} else {
-    seek(FD,$FIPS_signature->{st_offset},0)		or die "$!";
-    print FD $fingerprint				or die "$!";
-}
-
-close (FD);

c6x/run6x

@@ -1,43 +0,0 @@
-#!/usr/bin/env perl
-
-$exe  = @ARGV[0];
-$exe .= ".out" if (! -f $exe);
-die if (! -f $exe);
-
-use CCS_SCRIPTING_PERL;
-
-my $studio=new CCS_SCRIPTING_PERL::CCS_Scripting();
-
-$studio->CCSOpenNamed("*","*",1);	# connect to board
-$studio->TargetReset();
-
-print "loading $exe\n";
-$studio->ProgramLoad($exe);
-
-sub write_string {
-    my ($studio,$addr,$str) = @_;
-    my $len = length($str);
-    my $i;
-
-    for ($i=0; $i<$len; $i++) {
-	$studio->MemoryWrite($CCS_SCRIPTING_PERL::PAGE_DATA,$addr+$i,8,vec($str,$i,8));
-    }
-    $studio->MemoryWrite($CCS_SCRIPTING_PERL::PAGE_DATA,$addr+$i,8,0);
-
-    return $i+1;
-}
-
-$addr= $studio->SymbolGetAddress("__c_args");
-printf "setting up __c_args at 0x%X\n",$addr;#\n";
-
-$studio->MemoryWrite($CCS_SCRIPTING_PERL::PAGE_DATA,$addr,32,$#ARGV+1);
-
-for ($i=0,$strings=$addr+($#ARGV+3)*4; $i<=$#ARGV; $i++) {
-    $off = write_string($studio,$strings,@ARGV[$i]);
-    $studio->MemoryWrite($CCS_SCRIPTING_PERL::PAGE_DATA,$addr+4*($i+1),32,$strings);
-    $strings += $off;
-}
-$studio->MemoryWrite($SCC_SCRIPTING_PERL::PAGE_DATA,$addr+4*($i+1),32,0);
-
-print "running...\n";
-$studio->TargetRun();

config

@@ -134,10 +134,6 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
 	echo "${MACHINE}-dg-dgux"; exit 0
 	;;
 
-    ecos:*)
-	echo "${MACHINE}-whatever-ecos"; exit 0
-	;;
-
     HI-UX:*)
 	echo "${MACHINE}-hi-hiux"; exit 0
 	;;
@@ -166,14 +162,6 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
 	echo "mips4-sgi-irix64"; exit 0
 	;;
 
-    Linux:*:cross:i686)
-	echo "${MACHINE}-cross-linux"; exit 0
-	;;
-
-    Linux:[2-9].*:cross:x86_64)
-	echo "${MACHINE}-cross-linux"; exit 0
-	;;
-
     Linux:[2-9].*)
 	echo "${MACHINE}-whatever-linux2"; exit 0
 	;;
@@ -231,11 +219,7 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
 	;;
 
     NetBSD:*:*:*386*)
-	if [ -z ${CROSS_COMPILE} ]; then
-           echo "`(/usr/sbin/sysctl -n hw.model || /sbin/sysctl -n hw.model) | sed 's,.*\(.\)86-class.*,i\186,'`-whatever-netbsd"; exit 0
-        else
-           echo "${MACHINE}-whatever-netbsd"; exit 0
-	fi
+        echo "`(/usr/sbin/sysctl -n hw.model || /sbin/sysctl -n hw.model) | sed 's,.*\(.\)86-class.*,i\186,'`-whatever-netbsd"; exit 0
 	;;
 
     NetBSD:*)
@@ -387,10 +371,6 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
        echo "nsr-tandem-nsk"; exit 0;
        ;;
 
-    vxworks:kernel*)
-       echo "${MACHINE}-kernel-vxworks"; exit 0;
-       ;;
-
     vxworks*)
        echo "${MACHINE}-whatever-vxworks"; exit 0;
        ;;
@@ -592,10 +572,6 @@ case "$GUESSOS" in
   *-*-iphoneos)
 	options="$options -arch%20${MACHINE}"
 	OUT="iphoneos-cross" ;;
-  armv7-*-ios)
-	OUT="ios-cross" ;;
-  arm64-*-ios*)
-	OUT="ios64-cross" ;;
   alpha-*-linux2)
         ISA=`awk '/cpu model/{print$4;exit(0);}' /proc/cpuinfo`
 	case ${ISA:-generic} in
@@ -621,7 +597,6 @@ case "$GUESSOS" in
 	;;
   ppc-*-linux2) OUT="linux-ppc" ;;
   ppc60x-*-vxworks*) OUT="vxworks-ppc60x" ;;
-  ppcgen-kernel-vxworks*) OUT="vxworks-ppcgen-kernel" ;;
   ppcgen-*-vxworks*) OUT="vxworks-ppcgen" ;;
   pentium-*-vxworks*) OUT="vxworks-pentium" ;;
   simlinux-*-vxworks*) OUT="vxworks-simlinux" ;;
@@ -666,7 +641,6 @@ case "$GUESSOS" in
 
 	options="$options -DB_ENDIAN -mschedule=$CPUSCHEDULE -march=$CPUARCH"
 	OUT="linux-generic32" ;;
-  armv[45]*-*-ecos) OUT="ecos-armv4" ;;
   armv[1-3]*-*-linux2) OUT="linux-generic32" ;;
   armv[7-9]*-*-linux2) OUT="linux-armv4"; options="$options -march=armv7-a" ;;
   arm*-*-linux2) OUT="linux-armv4" ;;
@@ -701,8 +675,6 @@ case "$GUESSOS" in
         fi ;;
   *-*-linux1) OUT="linux-aout" ;;
   *-*-linux2) OUT="linux-generic32" ;;
-  i686-cross-linux) OUT="linux-i686-cross" ;;
-  *-cross-linux) OUT="linux-x86_64-cross" ;;
   sun4[uv]*-*-solaris2)
 	OUT="solaris-sparcv9-$CC"
 	ISA64=`(isalist) 2>/dev/null | grep sparcv9`
@@ -762,23 +734,17 @@ case "$GUESSOS" in
   sparc64-*-*bsd*)	OUT="BSD-sparc64" ;;
   ia64-*-*bsd*)		OUT="BSD-ia64" ;;
   amd64-*-*bsd*)	OUT="BSD-x86_64" ;;
-  *86*-*-*bsd*)		if [ -z ${CROSS_COMPILE} ]; then 
-			   # mimic ld behaviour when it's looking for libc...
-			   if [ -L /usr/lib/libc.so ]; then	# [Free|Net]BSD
-			       libc=/usr/lib/libc.so
-			   else					# OpenBSD
-			       # ld searches for highest libc.so.* and so do we
-			       libc=`(ls /usr/lib/libc.so.* | tail -1) 2>/dev/null`
-			   fi
-			   echo "libc = $libc"
-			   case "`(file -L $libc) 2>/dev/null`" in
-			   *ELF*)	OUT="BSD-x86-elf" ;;
-			   *)	OUT="BSD-x86"; options="$options no-sse2" ;;
-			  esac 
-			else
-			   OUT="BSD-x86-elf"
-			fi;;
-  ppc85xx-*-*bsd*)      OUT="BSD-ppc85xx" ;;  # MPC85XX has no hardware FP accelerator
+  *86*-*-*bsd*)		# mimic ld behaviour when it's looking for libc...
+			if [ -L /usr/lib/libc.so ]; then	# [Free|Net]BSD
+			    libc=/usr/lib/libc.so
+			else					# OpenBSD
+			    # ld searches for highest libc.so.* and so do we
+			    libc=`(ls /usr/lib/libc.so.* /lib/libc.so.* | tail -1) 2>/dev/null`
+			fi
+			case "`(file -L $libc) 2>/dev/null`" in
+			*ELF*)	OUT="BSD-x86-elf" ;;
+			*)	OUT="BSD-x86"; options="$options no-sse2" ;;
+			esac ;;
   *-*-*bsd*)		OUT="BSD-generic32" ;;
 
   *-*-osf)		OUT="osf1-alpha-cc" ;;
@@ -872,12 +838,10 @@ case "$GUESSOS" in
   j90-cray-unicos) OUT="cray-j90" ;;
   nsr-tandem-nsk) OUT="tandem-c89" ;;
   beos-*) OUT="$GUESSOS" ;;
-  armv4-*-qnx6) OUT="QNX6-armv4" ;;
   x86pc-*-qnx6) OUT="QNX6-i386" ;;
   *-*-qnx6) OUT="QNX6" ;;
   x86-*-android|i?86-*-android) OUT="android-x86" ;;
   armv[7-9]*-*-android) OUT="android-armv7" ;;
-  aarch64-*-android) OUT="android64-aarch64" ;;
   *) OUT=`echo $GUESSOS | awk -F- '{print $3}'`;;
 esac
 
@@ -893,10 +857,6 @@ esac
 #  options="$options -DATALLA"
 #fi
 
-if [ -n "$CONFIG_OPTIONS" ]; then
-  options="$options $CONFIG_OPTIONS"
-fi
-
 if expr "$options" : '.*no\-asm' > /dev/null; then :; else
   sh -c "$CROSS_COMPILE${CC:-gcc} -Wa,--help -c -o /tmp/null.$$.o -x assembler /dev/null && rm /tmp/null.$$.o" 2>&1 | \
   grep \\--noexecstack >/dev/null && \

crypto/Makefile

@@ -35,11 +35,9 @@ GENERAL=Makefile README crypto-lib.com install.com
 LIB= $(TOP)/libcrypto.a
 SHARED_LIB= libcrypto$(SHLIB_EXT)
 LIBSRC=	cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c cpt_err.c \
-	ebcdic.c uid.c o_time.c o_str.c o_dir.c thr_id.c lock.c fips_ers.c \
-	o_init.c o_fips.c
-LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o \
-	ebcdic.o uid.o o_time.o o_str.o o_dir.o thr_id.o lock.o fips_ers.o \
-	o_init.o o_fips.o $(CPUID_OBJ)
+	ebcdic.c uid.c o_time.c o_str.c o_dir.c o_fips.c o_init.c fips_ers.c
+LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o ebcdic.o \
+	uid.o o_time.o o_str.o o_dir.o o_fips.o o_init.o fips_ers.o $(CPUID_OBJ)
 
 SRC= $(LIBSRC)
 
@@ -54,13 +52,6 @@ top:
 
 all: shared
 
-fips: cryptlib.o thr_id.o uid.o $(CPUID_OBJ)
-	[ -n "$(SDIRS)" ] && for i in $(SDIRS) ; do \
-		    ( obj=`$(PERL) $(TOP)/util/fipsobj.pl $$i` && \
-			cd $$i && echo "making fips in $(DIR)/$$i..." && \
-		    $(MAKE) -e TOP=../.. DIR=$$i INCLUDES='$(INCLUDES)' $$obj ) || exit 1; \
-		done;
-
 buildinf.h: ../Makefile
 	( echo "#ifndef MK1MF_BUILD"; \
 	echo '  /* auto-generated by crypto/Makefile for crypto/cversion.c */'; \
@@ -81,13 +72,20 @@ uplink.o:	$(TOP)/ms/uplink.c applink.o
 uplink-x86.s:	$(TOP)/ms/uplink-x86.pl
 	$(PERL) $(TOP)/ms/uplink-x86.pl $(PERLASM_SCHEME) > $@
 
-x86_64cpuid.s:	x86_64cpuid.pl;	$(PERL) x86_64cpuid.pl $(PERLASM_SCHEME) > $@
-ia64cpuid.s:	ia64cpuid.S;	$(CC) $(CFLAGS) -E ia64cpuid.S > $@
+x86_64cpuid.s: x86_64cpuid.pl;	$(PERL) x86_64cpuid.pl $(PERLASM_SCHEME) > $@
+ia64cpuid.s: ia64cpuid.S;	$(CC) $(CFLAGS) -E ia64cpuid.S > $@
 ppccpuid.s:	ppccpuid.pl;	$(PERL) ppccpuid.pl $(PERLASM_SCHEME) $@
 pariscid.s:	pariscid.pl;	$(PERL) pariscid.pl $(PERLASM_SCHEME) $@
 alphacpuid.s:	alphacpuid.pl
-	$(PERL) $< | $(CC) -E - | tee $@ > /dev/null
-arm64cpuid.S:	arm64cpuid.pl;	$(PERL) arm64cpuid.pl $(PERLASM_SCHEME) > $@
+	(preproc=/tmp/$$$$.$@; trap "rm $$preproc" INT; \
+	$(PERL) alphacpuid.pl > $$preproc && \
+	$(CC) -E $$preproc > $@ && rm $$preproc)
+
+testapps:
+	[ -z "$(THIS)" ] || (	if echo $(SDIRS) | fgrep ' des '; \
+				then cd des && $(MAKE) -e des; fi )
+	[ -z "$(THIS)" ] || ( cd pkcs7 && $(MAKE) -e testapps );
+	@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
 
 subdirs:
 	@target=all; $(RECURSIVE_MAKE)
@@ -106,7 +104,8 @@ links:
 lib:	$(LIB)
 	@touch lib
 $(LIB):	$(LIBOBJ)
-	$(ARX) $(LIB) $(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
+	[ -z "$(FIPSLIBDIR)" ] || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
 	$(RANLIB) $(LIB) || echo Never mind.
 
 shared: buildinf.h lib subdirs
@@ -177,13 +176,6 @@ ex_data.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h
 ex_data.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h
 ex_data.o: ex_data.c
 fips_ers.o: ../include/openssl/opensslconf.h fips_ers.c
-lock.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
-lock.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
-lock.o: ../include/openssl/err.h ../include/openssl/lhash.h
-lock.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-lock.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h
-lock.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h
-lock.o: lock.c
 mem.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
 mem.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 mem.o: ../include/openssl/err.h ../include/openssl/lhash.h
@@ -221,13 +213,6 @@ o_str.o: ../e_os.h ../include/openssl/e_os2.h ../include/openssl/opensslconf.h
 o_str.o: o_str.c o_str.h
 o_time.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h o_time.c
 o_time.o: o_time.h
-thr_id.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
-thr_id.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
-thr_id.o: ../include/openssl/err.h ../include/openssl/lhash.h
-thr_id.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-thr_id.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h
-thr_id.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h
-thr_id.o: thr_id.c
 uid.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 uid.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 uid.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h

crypto/aes/Makefile

@@ -24,8 +24,8 @@ APPS=
 
 LIB=$(TOP)/libcrypto.a
 LIBSRC=aes_core.c aes_misc.c aes_ecb.c aes_cbc.c aes_cfb.c aes_ofb.c \
-       aes_ige.c aes_wrap.c
-LIBOBJ=aes_misc.o aes_ecb.o aes_cfb.o aes_ofb.o aes_ige.o aes_wrap.o \
+       aes_ctr.c aes_ige.c aes_wrap.c
+LIBOBJ=aes_misc.o aes_ecb.o aes_cfb.o aes_ofb.o aes_ctr.o aes_ige.o aes_wrap.o \
        $(AES_ENC)
 
 SRC= $(LIBSRC)
@@ -41,7 +41,7 @@ top:
 all:	lib
 
 lib:	$(LIBOBJ)
-	$(ARX) $(LIB) $(LIBOBJ)
+	$(AR) $(LIB) $(LIBOBJ)
 	$(RANLIB) $(LIB) || echo Never mind.
 	@touch lib
 
@@ -78,12 +78,8 @@ aes-parisc.s:	asm/aes-parisc.pl
 aes-mips.S:	asm/aes-mips.pl
 	$(PERL) asm/aes-mips.pl $(PERLASM_SCHEME) $@
 
-aesv8-armx.S:	asm/aesv8-armx.pl
-	$(PERL) asm/aesv8-armx.pl $(PERLASM_SCHEME) $@
-aesv8-armx.o:	aesv8-armx.S
-
 # GNU make "catch all"
-aes-%.S:	asm/aes-%.pl;	$(PERL) $< $(PERLASM_SCHEME) $@
+aes-%.S:	asm/aes-%.pl;	$(PERL) $< $(PERLASM_SCHEME) > $@
 aes-armv4.o:	aes-armv4.S
 
 files:
@@ -123,28 +119,16 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-aes_cbc.o: ../../include/openssl/aes.h ../../include/openssl/crypto.h
-aes_cbc.o: ../../include/openssl/e_os2.h ../../include/openssl/modes.h
-aes_cbc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-aes_cbc.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
-aes_cbc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-aes_cbc.o: aes_cbc.c
-aes_cfb.o: ../../include/openssl/aes.h ../../include/openssl/crypto.h
-aes_cfb.o: ../../include/openssl/e_os2.h ../../include/openssl/modes.h
-aes_cfb.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-aes_cfb.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
-aes_cfb.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-aes_cfb.o: aes_cfb.c
-aes_core.o: ../../include/openssl/aes.h ../../include/openssl/crypto.h
-aes_core.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
-aes_core.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-aes_core.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-aes_core.o: ../../include/openssl/symhacks.h aes_core.c aes_locl.h
-aes_ecb.o: ../../include/openssl/aes.h ../../include/openssl/crypto.h
-aes_ecb.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
-aes_ecb.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-aes_ecb.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-aes_ecb.o: ../../include/openssl/symhacks.h aes_ecb.c aes_locl.h
+aes_cbc.o: ../../include/openssl/aes.h ../../include/openssl/modes.h
+aes_cbc.o: ../../include/openssl/opensslconf.h aes_cbc.c
+aes_cfb.o: ../../include/openssl/aes.h ../../include/openssl/modes.h
+aes_cfb.o: ../../include/openssl/opensslconf.h aes_cfb.c
+aes_core.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
+aes_core.o: ../../include/openssl/opensslconf.h aes_core.c aes_locl.h
+aes_ctr.o: ../../include/openssl/aes.h ../../include/openssl/modes.h
+aes_ctr.o: ../../include/openssl/opensslconf.h aes_ctr.c
+aes_ecb.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
+aes_ecb.o: ../../include/openssl/opensslconf.h aes_ecb.c aes_locl.h
 aes_ige.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/bio.h
 aes_ige.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 aes_ige.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
@@ -152,15 +136,13 @@ aes_ige.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 aes_ige.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 aes_ige.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 aes_ige.o: ../../include/openssl/symhacks.h ../cryptlib.h aes_ige.c aes_locl.h
-aes_misc.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
-aes_misc.o: ../../include/openssl/opensslconf.h
-aes_misc.o: ../../include/openssl/opensslv.h aes_locl.h aes_misc.c
-aes_ofb.o: ../../include/openssl/aes.h ../../include/openssl/crypto.h
-aes_ofb.o: ../../include/openssl/e_os2.h ../../include/openssl/modes.h
-aes_ofb.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-aes_ofb.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
-aes_ofb.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-aes_ofb.o: aes_ofb.c
+aes_misc.o: ../../include/openssl/aes.h ../../include/openssl/crypto.h
+aes_misc.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+aes_misc.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+aes_misc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+aes_misc.o: ../../include/openssl/symhacks.h aes_locl.h aes_misc.c
+aes_ofb.o: ../../include/openssl/aes.h ../../include/openssl/modes.h
+aes_ofb.o: ../../include/openssl/opensslconf.h aes_ofb.c
 aes_wrap.o: ../../e_os.h ../../include/openssl/aes.h
 aes_wrap.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 aes_wrap.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h

crypto/aes/aes.h

@@ -90,6 +90,11 @@ int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
 int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
 	AES_KEY *key);
 
+int private_AES_set_encrypt_key(const unsigned char *userKey, const int bits,
+	AES_KEY *key);
+int private_AES_set_decrypt_key(const unsigned char *userKey, const int bits,
+	AES_KEY *key);
+
 void AES_encrypt(const unsigned char *in, unsigned char *out,
 	const AES_KEY *key);
 void AES_decrypt(const unsigned char *in, unsigned char *out,
@@ -112,13 +117,11 @@ void AES_cfb8_encrypt(const unsigned char *in, unsigned char *out,
 void AES_ofb128_encrypt(const unsigned char *in, unsigned char *out,
 	size_t length, const AES_KEY *key,
 	unsigned char *ivec, int *num);
-#if 0
 void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
 	size_t length, const AES_KEY *key,
 	unsigned char ivec[AES_BLOCK_SIZE],
 	unsigned char ecount_buf[AES_BLOCK_SIZE],
 	unsigned int *num);
-#endif
 /* NB: the IV is _two_ blocks long */
 void AES_ige_encrypt(const unsigned char *in, unsigned char *out,
 		     size_t length, const AES_KEY *key,

crypto/aes/aes_cbc.c

@@ -49,7 +49,6 @@
  *
  */
 
-#include <openssl/crypto.h>
 #include <openssl/aes.h>
 #include <openssl/modes.h>
 

crypto/aes/aes_cfb.c

@@ -49,7 +49,6 @@
  *
  */
 
-#include <openssl/crypto.h>
 #include <openssl/aes.h>
 #include <openssl/modes.h>
 

crypto/aes/aes_core.c

@@ -36,7 +36,6 @@
 #include <assert.h>
 
 #include <stdlib.h>
-#include <openssl/crypto.h>
 #include <openssl/aes.h>
 #include "aes_locl.h"
 
@@ -54,7 +53,6 @@ Td3[x] = Si[x].[09, 0d, 0b, 0e];
 Td4[x] = Si[x].[01];
 */
 
-__fips_constseg
 static const u32 Te0[256] = {
     0xc66363a5U, 0xf87c7c84U, 0xee777799U, 0xf67b7b8dU,
     0xfff2f20dU, 0xd66b6bbdU, 0xde6f6fb1U, 0x91c5c554U,
@@ -121,7 +119,6 @@ static const u32 Te0[256] = {
     0x824141c3U, 0x299999b0U, 0x5a2d2d77U, 0x1e0f0f11U,
     0x7bb0b0cbU, 0xa85454fcU, 0x6dbbbbd6U, 0x2c16163aU,
 };
-__fips_constseg
 static const u32 Te1[256] = {
     0xa5c66363U, 0x84f87c7cU, 0x99ee7777U, 0x8df67b7bU,
     0x0dfff2f2U, 0xbdd66b6bU, 0xb1de6f6fU, 0x5491c5c5U,
@@ -188,7 +185,6 @@ static const u32 Te1[256] = {
     0xc3824141U, 0xb0299999U, 0x775a2d2dU, 0x111e0f0fU,
     0xcb7bb0b0U, 0xfca85454U, 0xd66dbbbbU, 0x3a2c1616U,
 };
-__fips_constseg
 static const u32 Te2[256] = {
     0x63a5c663U, 0x7c84f87cU, 0x7799ee77U, 0x7b8df67bU,
     0xf20dfff2U, 0x6bbdd66bU, 0x6fb1de6fU, 0xc55491c5U,
@@ -255,7 +251,6 @@ static const u32 Te2[256] = {
     0x41c38241U, 0x99b02999U, 0x2d775a2dU, 0x0f111e0fU,
     0xb0cb7bb0U, 0x54fca854U, 0xbbd66dbbU, 0x163a2c16U,
 };
-__fips_constseg
 static const u32 Te3[256] = {
     0x6363a5c6U, 0x7c7c84f8U, 0x777799eeU, 0x7b7b8df6U,
     0xf2f20dffU, 0x6b6bbdd6U, 0x6f6fb1deU, 0xc5c55491U,
@@ -323,7 +318,6 @@ static const u32 Te3[256] = {
     0xb0b0cb7bU, 0x5454fca8U, 0xbbbbd66dU, 0x16163a2cU,
 };
 
-__fips_constseg
 static const u32 Td0[256] = {
     0x51f4a750U, 0x7e416553U, 0x1a17a4c3U, 0x3a275e96U,
     0x3bab6bcbU, 0x1f9d45f1U, 0xacfa58abU, 0x4be30393U,
@@ -390,7 +384,6 @@ static const u32 Td0[256] = {
     0x39a80171U, 0x080cb3deU, 0xd8b4e49cU, 0x6456c190U,
     0x7bcb8461U, 0xd532b670U, 0x486c5c74U, 0xd0b85742U,
 };
-__fips_constseg
 static const u32 Td1[256] = {
     0x5051f4a7U, 0x537e4165U, 0xc31a17a4U, 0x963a275eU,
     0xcb3bab6bU, 0xf11f9d45U, 0xabacfa58U, 0x934be303U,
@@ -457,7 +450,6 @@ static const u32 Td1[256] = {
     0x7139a801U, 0xde080cb3U, 0x9cd8b4e4U, 0x906456c1U,
     0x617bcb84U, 0x70d532b6U, 0x74486c5cU, 0x42d0b857U,
 };
-__fips_constseg
 static const u32 Td2[256] = {
     0xa75051f4U, 0x65537e41U, 0xa4c31a17U, 0x5e963a27U,
     0x6bcb3babU, 0x45f11f9dU, 0x58abacfaU, 0x03934be3U,
@@ -524,7 +516,6 @@ static const u32 Td2[256] = {
     0x017139a8U, 0xb3de080cU, 0xe49cd8b4U, 0xc1906456U,
     0x84617bcbU, 0xb670d532U, 0x5c74486cU, 0x5742d0b8U,
 };
-__fips_constseg
 static const u32 Td3[256] = {
     0xf4a75051U, 0x4165537eU, 0x17a4c31aU, 0x275e963aU,
     0xab6bcb3bU, 0x9d45f11fU, 0xfa58abacU, 0xe303934bU,
@@ -591,7 +582,6 @@ static const u32 Td3[256] = {
     0xa8017139U, 0x0cb3de08U, 0xb4e49cd8U, 0x56c19064U,
     0xcb84617bU, 0x32b670d5U, 0x6c5c7448U, 0xb85742d0U,
 };
-__fips_constseg
 static const u8 Td4[256] = {
     0x52U, 0x09U, 0x6aU, 0xd5U, 0x30U, 0x36U, 0xa5U, 0x38U,
     0xbfU, 0x40U, 0xa3U, 0x9eU, 0x81U, 0xf3U, 0xd7U, 0xfbU,
@@ -626,7 +616,6 @@ static const u8 Td4[256] = {
     0x17U, 0x2bU, 0x04U, 0x7eU, 0xbaU, 0x77U, 0xd6U, 0x26U,
     0xe1U, 0x69U, 0x14U, 0x63U, 0x55U, 0x21U, 0x0cU, 0x7dU,
 };
-__fips_constseg
 static const u32 rcon[] = {
 	0x01000000, 0x02000000, 0x04000000, 0x08000000,
 	0x10000000, 0x20000000, 0x40000000, 0x80000000,
@@ -636,7 +625,7 @@ static const u32 rcon[] = {
 /**
  * Expand the cipher key into the encryption key schedule.
  */
-int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
+int private_AES_set_encrypt_key(const unsigned char *userKey, const int bits,
 			AES_KEY *key) {
 
 	u32 *rk;
@@ -737,7 +726,7 @@ int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
 /**
  * Expand the cipher key into the decryption key schedule.
  */
-int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
+int private_AES_set_decrypt_key(const unsigned char *userKey, const int bits,
 			 AES_KEY *key) {
 
         u32 *rk;
@@ -745,7 +734,7 @@ int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
 	u32 temp;
 
 	/* first, start with an encryption schedule */
-	status = AES_set_encrypt_key(userKey, bits, key);
+	status = private_AES_set_encrypt_key(userKey, bits, key);
 	if (status < 0)
 		return status;
 
@@ -1212,7 +1201,7 @@ static const u32 rcon[] = {
 /**
  * Expand the cipher key into the encryption key schedule.
  */
-int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
+int private_AES_set_encrypt_key(const unsigned char *userKey, const int bits,
 			AES_KEY *key) {
 	u32 *rk;
    	int i = 0;
@@ -1312,7 +1301,7 @@ int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
 /**
  * Expand the cipher key into the decryption key schedule.
  */
-int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
+int private_AES_set_decrypt_key(const unsigned char *userKey, const int bits,
 			 AES_KEY *key) {
 
         u32 *rk;
@@ -1320,7 +1309,7 @@ int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
 	u32 temp;
 
 	/* first, start with an encryption schedule */
-	status = AES_set_encrypt_key(userKey, bits, key);
+	status = private_AES_set_encrypt_key(userKey, bits, key);
 	if (status < 0)
 		return status;
 

crypto/aes/aes_ctr.c

@@ -1,9 +1,6 @@
-/* fips_dsa_lib.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2007.
- */
+/* crypto/aes/aes_ctr.c -*- mode:C; c-file-style: "eay" -*- */
 /* ====================================================================
- * Copyright (c) 2007 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -20,12 +17,12 @@
  * 3. All advertising materials mentioning features or use of this
  *    software must display the following acknowledgment:
  *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  *
  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  *    endorse or promote products derived from this software without
  *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
+ *    openssl-core@openssl.org.
  *
  * 5. Products derived from this software may not be called "OpenSSL"
  *    nor may "OpenSSL" appear in their names without prior written
@@ -34,7 +31,7 @@
  * 6. Redistributions of any form whatsoever must retain the following
  *    acknowledgment:
  *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  *
  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -50,44 +47,15 @@
  * OF THE POSSIBILITY OF SUCH DAMAGE.
  * ====================================================================
  *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
  */
 
-#define OPENSSL_FIPSAPI
-
-#include <string.h>
-#include <openssl/ecdsa.h>
-#include <openssl/bn.h>
-#include <openssl/fips.h>
-
-ECDSA_SIG *FIPS_ecdsa_sig_new(void)
-	{
-	ECDSA_SIG *sig;
-	sig = OPENSSL_malloc(sizeof(ECDSA_SIG));
-	if (!sig)
-		return NULL;
-	sig->r = BN_new();
-	sig->s = BN_new();
-	if (!sig->r || !sig->s)
-		{
-		FIPS_ecdsa_sig_free(sig);
-		return NULL;
-		}
-	return sig;
-	}
-
-void FIPS_ecdsa_sig_free(ECDSA_SIG *sig)
-	{
-	if (sig)
-		{
-		if (sig->r)
-			BN_free(sig->r);
-		if (sig->s)
-			BN_free(sig->s);
-		OPENSSL_free(sig);
-		}
-	}
+#include <openssl/aes.h>
+#include <openssl/modes.h>
 
+void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
+			size_t length, const AES_KEY *key,
+			unsigned char ivec[AES_BLOCK_SIZE],
+			unsigned char ecount_buf[AES_BLOCK_SIZE],
+			unsigned int *num) {
+	CRYPTO_ctr128_encrypt(in,out,length,key,ivec,ecount_buf,num,(block128_f)AES_encrypt);
+}

crypto/aes/aes_ecb.c

@@ -56,7 +56,6 @@
 #endif
 #include <assert.h>
 
-#include <openssl/crypto.h>
 #include <openssl/aes.h>
 #include "aes_locl.h"
 

crypto/aes/aes_misc.c

@@ -50,6 +50,7 @@
  */
 
 #include <openssl/opensslv.h>
+#include <openssl/crypto.h>
 #include <openssl/aes.h>
 #include "aes_locl.h"
 
@@ -62,3 +63,23 @@ const char *AES_options(void) {
         return "aes(partial)";
 #endif
 }
+
+/* FIPS wrapper functions to block low level AES calls in FIPS mode */
+
+int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
+			AES_KEY *key)
+	{
+#ifdef OPENSSL_FIPS
+	fips_cipher_abort(AES);
+#endif
+	return private_AES_set_encrypt_key(userKey, bits, key);
+	}
+
+int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
+			AES_KEY *key)
+	{
+#ifdef OPENSSL_FIPS
+	fips_cipher_abort(AES);
+#endif
+	return private_AES_set_decrypt_key(userKey, bits, key);
+	}

crypto/aes/aes_ofb.c

@@ -49,7 +49,6 @@
  *
  */
 
-#include <openssl/crypto.h>
 #include <openssl/aes.h>
 #include <openssl/modes.h>
 

crypto/aes/aes_x86core.c

@@ -43,7 +43,6 @@
 #include <assert.h>
 
 #include <stdlib.h>
-#include <crypto/aes.h>
 #include <openssl/aes.h>
 #include "aes_locl.h"
 

crypto/aes/asm/aes-586.pl

@@ -39,7 +39,7 @@
 # but exhibits up to 10% improvement on other cores.
 #
 # Second version is "monolithic" replacement for aes_core.c, which in
-# addition to AES_[de|en]crypt implements AES_set_[de|en]cryption_key.
+# addition to AES_[de|en]crypt implements private_AES_set_[de|en]cryption_key.
 # This made it possible to implement little-endian variant of the
 # algorithm without modifying the base C code. Motivating factor for
 # the undertaken effort was that it appeared that in tight IA-32
@@ -2854,12 +2854,12 @@ sub enckey()
     &set_label("exit");
 &function_end("_x86_AES_set_encrypt_key");
 
-# int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
+# int private_AES_set_encrypt_key(const unsigned char *userKey, const int bits,
 #                        AES_KEY *key)
-&function_begin_B("AES_set_encrypt_key");
+&function_begin_B("private_AES_set_encrypt_key");
 	&call	("_x86_AES_set_encrypt_key");
 	&ret	();
-&function_end_B("AES_set_encrypt_key");
+&function_end_B("private_AES_set_encrypt_key");
 
 sub deckey()
 { my ($i,$key,$tp1,$tp2,$tp4,$tp8) = @_;
@@ -2916,9 +2916,9 @@ sub deckey()
 	&mov	(&DWP(4*$i,$key),$tp1);
 }
 
-# int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
+# int private_AES_set_decrypt_key(const unsigned char *userKey, const int bits,
 #                        AES_KEY *key)
-&function_begin_B("AES_set_decrypt_key");
+&function_begin_B("private_AES_set_decrypt_key");
 	&call	("_x86_AES_set_encrypt_key");
 	&cmp	("eax",0);
 	&je	(&label("proceed"));
@@ -2974,7 +2974,7 @@ sub deckey()
 	&jb	(&label("permute"));
 
 	&xor	("eax","eax");			# return success
-&function_end("AES_set_decrypt_key");
+&function_end("private_AES_set_decrypt_key");
 &asciz("AES for x86, CRYPTOGAMS by <appro\@openssl.org>");
 
 &asm_finish();

crypto/aes/asm/aes-armv4.pl

@@ -32,20 +32,8 @@
 # Profiler-assisted and platform-specific optimization resulted in 16%
 # improvement on Cortex A8 core and ~21.5 cycles per byte.
 
-$flavour = shift;
-if ($flavour=~/^\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; }
-else { while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} }
-
-if ($flavour && $flavour ne "void") {
-    $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-    ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
-    ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
-    die "can't locate arm-xlate.pl";
-
-    open STDOUT,"| \"$^X\" $xlate $flavour $output";
-} else {
-    open STDOUT,">$output";
-}
+while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {}
+open STDOUT,">$output";
 
 $s0="r0";
 $s1="r1";
@@ -183,12 +171,7 @@ AES_encrypt:
 	stmdb   sp!,{r1,r4-r12,lr}
 	mov	$rounds,r0		@ inp
 	mov	$key,r2
-#ifdef	__APPLE__
-	mov	$tbl,#AES_encrypt-AES_Te
-	sub	$tbl,r3,$tbl			@ Te
-#else
 	sub	$tbl,r3,#AES_encrypt-AES_Te	@ Te
-#endif
 #if __ARM_ARCH__<7
 	ldrb	$s0,[$rounds,#3]	@ load input data in endian-neutral
 	ldrb	$t1,[$rounds,#2]	@ manner...
@@ -421,10 +404,11 @@ _armv4_AES_encrypt:
 	ldr	pc,[sp],#4		@ pop and return
 .size	_armv4_AES_encrypt,.-_armv4_AES_encrypt
 
-.global AES_set_encrypt_key
-.type   AES_set_encrypt_key,%function
+.global private_AES_set_encrypt_key
+.type   private_AES_set_encrypt_key,%function
 .align	5
-AES_set_encrypt_key:
+private_AES_set_encrypt_key:
+_armv4_AES_set_encrypt_key:
 	sub	r3,pc,#8		@ AES_set_encrypt_key
 	teq	r0,#0
 	moveq	r0,#-1
@@ -442,12 +426,7 @@ AES_set_encrypt_key:
 	bne	.Labrt
 
 .Lok:	stmdb   sp!,{r4-r12,lr}
-#ifdef	__APPLE__
-	mov	$tbl,#AES_set_encrypt_key-AES_Te-1024
-	sub	$tbl,r3,$tbl					@ Te4
-#else
-	sub	$tbl,r3,#AES_set_encrypt_key-AES_Te-1024	@ Te4
-#endif
+	sub	$tbl,r3,#_armv4_AES_set_encrypt_key-AES_Te-1024	@ Te4
 
 	mov	$rounds,r0		@ inp
 	mov	lr,r1			@ bits
@@ -700,14 +679,14 @@ AES_set_encrypt_key:
 .Labrt:	tst	lr,#1
 	moveq	pc,lr			@ be binary compatible with V4, yet
 	bx	lr			@ interoperable with Thumb ISA:-)
-.size	AES_set_encrypt_key,.-AES_set_encrypt_key
+.size	private_AES_set_encrypt_key,.-private_AES_set_encrypt_key
 
-.global AES_set_decrypt_key
-.type   AES_set_decrypt_key,%function
+.global private_AES_set_decrypt_key
+.type   private_AES_set_decrypt_key,%function
 .align	5
-AES_set_decrypt_key:
+private_AES_set_decrypt_key:
 	str	lr,[sp,#-4]!            @ push lr
-	bl	AES_set_encrypt_key
+	bl	_armv4_AES_set_encrypt_key
 	teq	r0,#0
 	ldrne	lr,[sp],#4              @ pop lr
 	bne	.Labrt
@@ -794,7 +773,7 @@ $code.=<<___;
 	moveq	pc,lr			@ be binary compatible with V4, yet
 	bx	lr			@ interoperable with Thumb ISA:-)
 #endif
-.size	AES_set_decrypt_key,.-AES_set_decrypt_key
+.size	private_AES_set_decrypt_key,.-private_AES_set_decrypt_key
 
 .type	AES_Td,%object
 .align	5
@@ -908,12 +887,7 @@ AES_decrypt:
 	stmdb   sp!,{r1,r4-r12,lr}
 	mov	$rounds,r0		@ inp
 	mov	$key,r2
-#ifdef	__APPLE__
-	mov	$tbl,#AES_decrypt-AES_Td
-	sub	$tbl,r3,$tbl				@ Td
-#else
 	sub	$tbl,r3,#AES_decrypt-AES_Td		@ Td
-#endif
 #if __ARM_ARCH__<7
 	ldrb	$s0,[$rounds,#3]	@ load input data in endian-neutral
 	ldrb	$t1,[$rounds,#2]	@ manner...

crypto/aes/asm/aes-mips.pl

@@ -1036,9 +1036,9 @@ _mips_AES_set_encrypt_key:
 	nop
 .end	_mips_AES_set_encrypt_key
 
-.globl	AES_set_encrypt_key
-.ent	AES_set_encrypt_key
-AES_set_encrypt_key:
+.globl	private_AES_set_encrypt_key
+.ent	private_AES_set_encrypt_key
+private_AES_set_encrypt_key:
 	.frame	$sp,$FRAMESIZE,$ra
 	.mask	$SAVED_REGS_MASK,-$SZREG
 	.set	noreorder
@@ -1060,7 +1060,7 @@ $code.=<<___ if ($flavour =~ /nubi/i);	# optimize non-nubi prologue
 ___
 $code.=<<___ if ($flavour !~ /o32/i);	# non-o32 PIC-ification
 	.cplocal	$Tbl
-	.cpsetup	$pf,$zero,AES_set_encrypt_key
+	.cpsetup	$pf,$zero,private_AES_set_encrypt_key
 ___
 $code.=<<___;
 	.set	reorder
@@ -1083,7 +1083,7 @@ ___
 $code.=<<___;
 	jr	$ra
 	$PTR_ADD $sp,$FRAMESIZE
-.end	AES_set_encrypt_key
+.end	private_AES_set_encrypt_key
 ___
 
 my ($head,$tail)=($inp,$bits);
@@ -1091,9 +1091,9 @@ my ($tp1,$tp2,$tp4,$tp8,$tp9,$tpb,$tpd,$tpe)=($a4,$a5,$a6,$a7,$s0,$s1,$s2,$s3);
 my ($m,$x80808080,$x7f7f7f7f,$x1b1b1b1b)=($at,$t0,$t1,$t2);
 $code.=<<___;
 .align	5
-.globl	AES_set_decrypt_key
-.ent	AES_set_decrypt_key
-AES_set_decrypt_key:
+.globl	private_AES_set_decrypt_key
+.ent	private_AES_set_decrypt_key
+private_AES_set_decrypt_key:
 	.frame	$sp,$FRAMESIZE,$ra
 	.mask	$SAVED_REGS_MASK,-$SZREG
 	.set	noreorder
@@ -1115,7 +1115,7 @@ $code.=<<___ if ($flavour =~ /nubi/i);	# optimize non-nubi prologue
 ___
 $code.=<<___ if ($flavour !~ /o32/i);	# non-o32 PIC-ification
 	.cplocal	$Tbl
-	.cpsetup	$pf,$zero,AES_set_decrypt_key
+	.cpsetup	$pf,$zero,private_AES_set_decrypt_key
 ___
 $code.=<<___;
 	.set	reorder
@@ -1226,7 +1226,7 @@ ___
 $code.=<<___;
 	jr	$ra
 	$PTR_ADD $sp,$FRAMESIZE
-.end	AES_set_decrypt_key
+.end	private_AES_set_decrypt_key
 ___
 }}}
 

crypto/aes/asm/aes-parisc.pl

@@ -1015,7 +1015,8 @@ foreach (split("\n",$code)) {
 		$SIZE_T==4 ? sprintf("extru%s,%d,8,",$1,31-$2)
 		:            sprintf("extrd,u%s,%d,8,",$1,63-$2)/e;
 
-	s/,\*/,/ if ($SIZE_T==4);
+	s/,\*/,/			if ($SIZE_T==4);
+	s/\bbv\b(.*\(%r2\))/bve$1/	if ($SIZE_T==8);
 	print $_,"\n";
 }
 close STDOUT;

crypto/aes/asm/aes-s390x.pl

@@ -779,10 +779,11 @@ ___
 $code.=<<___;
 # void AES_set_encrypt_key(const unsigned char *in, int bits,
 # 		 AES_KEY *key) {
-.globl	AES_set_encrypt_key
-.type	AES_set_encrypt_key,\@function
+.globl	private_AES_set_encrypt_key
+.type	private_AES_set_encrypt_key,\@function
 .align	16
-AES_set_encrypt_key:
+private_AES_set_encrypt_key:
+_s390x_AES_set_encrypt_key:
 	lghi	$t0,0
 	cl${g}r	$inp,$t0
 	je	.Lminus1
@@ -836,7 +837,8 @@ $code.=<<___ if (!$softonly);
 	je	1f
 	lg	%r1,24($inp)
 	stg	%r1,24($key)
-1:	st	$bits,236($key)	# save bits
+1:	st	$bits,236($key)	# save bits [for debugging purposes]
+	lgr	$t0,%r5
 	st	%r5,240($key)	# save km code
 	lghi	%r2,0
 	br	%r14
@@ -844,7 +846,7 @@ ___
 $code.=<<___;
 .align	16
 .Lekey_internal:
-	stm${g}	%r6,%r13,6*$SIZE_T($sp)	# all non-volatile regs
+	stm${g}	%r4,%r13,4*$SIZE_T($sp)	# all non-volatile regs and $key
 
 	larl	$tbl,AES_Te+2048
 
@@ -904,8 +906,9 @@ $code.=<<___;
 	la	$key,16($key)		# key+=4
 	la	$t3,4($t3)		# i++
 	brct	$rounds,.L128_loop
+	lghi	$t0,10
 	lghi	%r2,0
-	lm${g}	%r6,%r13,6*$SIZE_T($sp)
+	lm${g}	%r4,%r13,4*$SIZE_T($sp)
 	br	$ra
 
 .align	16
@@ -952,8 +955,9 @@ $code.=<<___;
 	st	$s2,32($key)
 	st	$s3,36($key)
 	brct	$rounds,.L192_continue
+	lghi	$t0,12
 	lghi	%r2,0
-	lm${g}	%r6,%r13,6*$SIZE_T($sp)
+	lm${g}	%r4,%r13,4*$SIZE_T($sp)
 	br	$ra
 
 .align	16
@@ -1014,8 +1018,9 @@ $code.=<<___;
 	st	$s2,40($key)
 	st	$s3,44($key)
 	brct	$rounds,.L256_continue
+	lghi	$t0,14
 	lghi	%r2,0
-	lm${g}	%r6,%r13,6*$SIZE_T($sp)
+	lm${g}	%r4,%r13,4*$SIZE_T($sp)
 	br	$ra
 
 .align	16
@@ -1058,42 +1063,34 @@ $code.=<<___;
 .Lminus1:
 	lghi	%r2,-1
 	br	$ra
-.size	AES_set_encrypt_key,.-AES_set_encrypt_key
+.size	private_AES_set_encrypt_key,.-private_AES_set_encrypt_key
 
 # void AES_set_decrypt_key(const unsigned char *in, int bits,
 # 		 AES_KEY *key) {
-.globl	AES_set_decrypt_key
-.type	AES_set_decrypt_key,\@function
+.globl	private_AES_set_decrypt_key
+.type	private_AES_set_decrypt_key,\@function
 .align	16
-AES_set_decrypt_key:
-	st${g}	$key,4*$SIZE_T($sp)	# I rely on AES_set_encrypt_key to
-	st${g}	$ra,14*$SIZE_T($sp)	# save non-volatile registers!
-	bras	$ra,AES_set_encrypt_key
-	l${g}	$key,4*$SIZE_T($sp)
+private_AES_set_decrypt_key:
+	#st${g}	$key,4*$SIZE_T($sp)	# I rely on AES_set_encrypt_key to
+	st${g}	$ra,14*$SIZE_T($sp)	# save non-volatile registers and $key!
+	bras	$ra,_s390x_AES_set_encrypt_key
+	#l${g}	$key,4*$SIZE_T($sp)
 	l${g}	$ra,14*$SIZE_T($sp)
 	ltgr	%r2,%r2
 	bnzr	$ra
 ___
 $code.=<<___ if (!$softonly);
-	l	$t0,240($key)
+	#l	$t0,240($key)
 	lhi	$t1,16
 	cr	$t0,$t1
 	jl	.Lgo
 	oill	$t0,0x80	# set "decrypt" bit
 	st	$t0,240($key)
 	br	$ra
-
-.align	16
-.Ldkey_internal:
-	st${g}	$key,4*$SIZE_T($sp)
-	st${g}	$ra,14*$SIZE_T($sp)
-	bras	$ra,.Lekey_internal
-	l${g}	$key,4*$SIZE_T($sp)
-	l${g}	$ra,14*$SIZE_T($sp)
 ___
 $code.=<<___;
-
-.Lgo:	llgf	$rounds,240($key)
+.align	16
+.Lgo:	lgr	$rounds,$t0	#llgf	$rounds,240($key)
 	la	$i1,0($key)
 	sllg	$i2,$rounds,4
 	la	$i2,0($i2,$key)
@@ -1173,7 +1170,7 @@ $code.=<<___;
 	lm${g}	%r6,%r13,6*$SIZE_T($sp)# as was saved by AES_set_encrypt_key!
 	lghi	%r2,0
 	br	$ra
-.size	AES_set_decrypt_key,.-AES_set_decrypt_key
+.size	private_AES_set_decrypt_key,.-private_AES_set_decrypt_key
 ___
 
 ########################################################################
@@ -1601,11 +1598,11 @@ $code.=<<___ if(1);
 	lghi	$s1,0x7f
 	nr	$s1,%r0
 	lghi	%r0,0			# query capability vector
-	la	%r1,2*$SIZE_T($sp)
+	la	%r1,$tweak-16($sp)
 	.long	0xb92e0042		# km %r4,%r2
 	llihh	%r1,0x8000
 	srlg	%r1,%r1,32($s1)		# check for 32+function code
-	ng	%r1,2*$SIZE_T($sp)
+	ng	%r1,$tweak-16($sp)
 	lgr	%r0,$s0			# restore the function code
 	la	%r1,0($key1)		# restore $key1
 	jz	.Lxts_km_vanilla
@@ -1631,7 +1628,7 @@ $code.=<<___ if(1);
 
 	lrvg	$s0,$tweak+0($sp)	# load the last tweak
 	lrvg	$s1,$tweak+8($sp)
-	stmg	%r0,%r3,$tweak-32(%r1)	# wipe copy of the key
+	stmg	%r0,%r3,$tweak-32($sp)	# wipe copy of the key
 
 	nill	%r0,0xffdf		# switch back to original function code
 	la	%r1,0($key1)		# restore pointer to $key1
@@ -1687,11 +1684,9 @@ $code.=<<___;
 	lghi	$i1,0x87
 	srag	$i2,$s1,63		# broadcast upper bit
 	ngr	$i1,$i2			# rem
-	srlg	$i2,$s0,63		# carry bit from lower half
-	sllg	$s0,$s0,1
-	sllg	$s1,$s1,1
+	algr	$s0,$s0
+	alcgr	$s1,$s1
 	xgr	$s0,$i1
-	ogr	$s1,$i2
 .Lxts_km_start:
 	lrvgr	$i1,$s0			# flip byte order
 	lrvgr	$i2,$s1
@@ -1748,11 +1743,9 @@ $code.=<<___;
 	lghi	$i1,0x87
 	srag	$i2,$s1,63		# broadcast upper bit
 	ngr	$i1,$i2			# rem
-	srlg	$i2,$s0,63		# carry bit from lower half
-	sllg	$s0,$s0,1
-	sllg	$s1,$s1,1
+	algr	$s0,$s0
+	alcgr	$s1,$s1
 	xgr	$s0,$i1
-	ogr	$s1,$i2
 
 	ltr	$len,$len		# clear zero flag
 	br	$ra
@@ -1784,8 +1777,8 @@ $code.=<<___ if (!$softonly);
 	clr	%r0,%r1
 	jl	.Lxts_enc_software
 
+	st${g}	$ra,5*$SIZE_T($sp)
 	stm${g}	%r6,$s3,6*$SIZE_T($sp)
-	st${g}	$ra,14*$SIZE_T($sp)
 
 	sllg	$len,$len,4		# $len&=~15
 	slgr	$out,$inp
@@ -1833,9 +1826,9 @@ $code.=<<___ if (!$softonly);
 	stg	$i2,8($i3)
 
 .Lxts_enc_km_done:
-	l${g}	$ra,14*$SIZE_T($sp)
-	st${g}	$sp,$tweak($sp)		# wipe tweak
-	st${g}	$sp,$tweak($sp)
+	stg	$sp,$tweak+0($sp)	# wipe tweak
+	stg	$sp,$tweak+8($sp)
+	l${g}	$ra,5*$SIZE_T($sp)
 	lm${g}	%r6,$s3,6*$SIZE_T($sp)
 	br	$ra
 .align	16
@@ -1846,12 +1839,11 @@ $code.=<<___;
 
 	slgr	$out,$inp
 
-	xgr	$s0,$s0			# clear upper half
-	xgr	$s1,$s1
-	lrv	$s0,$stdframe+4($sp)	# load secno
-	lrv	$s1,$stdframe+0($sp)
-	xgr	$s2,$s2
-	xgr	$s3,$s3
+	l${g}	$s3,$stdframe($sp)	# ivp
+	llgf	$s0,0($s3)		# load iv
+	llgf	$s1,4($s3)
+	llgf	$s2,8($s3)
+	llgf	$s3,12($s3)
 	stm${g}	%r2,%r5,2*$SIZE_T($sp)
 	la	$key,0($key2)
 	larl	$tbl,AES_Te
@@ -1867,11 +1859,9 @@ $code.=<<___;
 	lghi	%r1,0x87
 	srag	%r0,$s3,63		# broadcast upper bit
 	ngr	%r1,%r0			# rem
-	srlg	%r0,$s1,63		# carry bit from lower half
-	sllg	$s1,$s1,1
-	sllg	$s3,$s3,1
+	algr	$s1,$s1
+	alcgr	$s3,$s3
 	xgr	$s1,%r1
-	ogr	$s3,%r0
 	lrvgr	$s1,$s1			# flip byte order
 	lrvgr	$s3,$s3
 	srlg	$s0,$s1,32		# smash the tweak to 4x32-bits 
@@ -1920,11 +1910,9 @@ $code.=<<___;
 	lghi	%r1,0x87
 	srag	%r0,$s3,63		# broadcast upper bit
 	ngr	%r1,%r0			# rem
-	srlg	%r0,$s1,63		# carry bit from lower half
-	sllg	$s1,$s1,1
-	sllg	$s3,$s3,1
+	algr	$s1,$s1
+	alcgr	$s3,$s3
 	xgr	$s1,%r1
-	ogr	$s3,%r0
 	lrvgr	$s1,$s1			# flip byte order
 	lrvgr	$s3,$s3
 	srlg	$s0,$s1,32		# smash the tweak to 4x32-bits 
@@ -1959,7 +1947,8 @@ $code.=<<___;
 .size	AES_xts_encrypt,.-AES_xts_encrypt
 ___
 # void AES_xts_decrypt(const char *inp,char *out,size_t len,
-#	const AES_KEY *key1, const AES_KEY *key2,u64 secno);
+#	const AES_KEY *key1, const AES_KEY *key2,
+#	const unsigned char iv[16]);
 #
 $code.=<<___;
 .globl	AES_xts_decrypt
@@ -1991,8 +1980,8 @@ $code.=<<___ if (!$softonly);
 	clr	%r0,%r1
 	jl	.Lxts_dec_software
 
+	st${g}	$ra,5*$SIZE_T($sp)
 	stm${g}	%r6,$s3,6*$SIZE_T($sp)
-	st${g}	$ra,14*$SIZE_T($sp)
 
 	nill	$len,0xfff0		# $len&=~15
 	slgr	$out,$inp
@@ -2031,11 +2020,9 @@ $code.=<<___ if (!$softonly);
 	lghi	$i1,0x87
 	srag	$i2,$s1,63		# broadcast upper bit
 	ngr	$i1,$i2			# rem
-	srlg	$i2,$s0,63		# carry bit from lower half
-	sllg	$s0,$s0,1
-	sllg	$s1,$s1,1
+	algr	$s0,$s0
+	alcgr	$s1,$s1
 	xgr	$s0,$i1
-	ogr	$s1,$i2
 	lrvgr	$i1,$s0			# flip byte order
 	lrvgr	$i2,$s1
 
@@ -2078,9 +2065,9 @@ $code.=<<___ if (!$softonly);
 	stg	$s2,0($i3)
 	stg	$s3,8($i3)
 .Lxts_dec_km_done:
-	l${g}	$ra,14*$SIZE_T($sp)
-	st${g}	$sp,$tweak($sp)		# wipe tweak
-	st${g}	$sp,$tweak($sp)
+	stg	$sp,$tweak+0($sp)	# wipe tweak
+	stg	$sp,$tweak+8($sp)
+	l${g}	$ra,5*$SIZE_T($sp)
 	lm${g}	%r6,$s3,6*$SIZE_T($sp)
 	br	$ra
 .align	16
@@ -2092,12 +2079,11 @@ $code.=<<___;
 	srlg	$len,$len,4
 	slgr	$out,$inp
 
-	xgr	$s0,$s0			# clear upper half
-	xgr	$s1,$s1
-	lrv	$s0,$stdframe+4($sp)	# load secno
-	lrv	$s1,$stdframe+0($sp)
-	xgr	$s2,$s2
-	xgr	$s3,$s3
+	l${g}	$s3,$stdframe($sp)	# ivp
+	llgf	$s0,0($s3)		# load iv
+	llgf	$s1,4($s3)
+	llgf	$s2,8($s3)
+	llgf	$s3,12($s3)
 	stm${g}	%r2,%r5,2*$SIZE_T($sp)
 	la	$key,0($key2)
 	larl	$tbl,AES_Te
@@ -2116,11 +2102,9 @@ $code.=<<___;
 	lghi	%r1,0x87
 	srag	%r0,$s3,63		# broadcast upper bit
 	ngr	%r1,%r0			# rem
-	srlg	%r0,$s1,63		# carry bit from lower half
-	sllg	$s1,$s1,1
-	sllg	$s3,$s3,1
+	algr	$s1,$s1
+	alcgr	$s3,$s3
 	xgr	$s1,%r1
-	ogr	$s3,%r0
 	lrvgr	$s1,$s1			# flip byte order
 	lrvgr	$s3,$s3
 	srlg	$s0,$s1,32		# smash the tweak to 4x32-bits 
@@ -2159,11 +2143,9 @@ $code.=<<___;
 	lghi	%r1,0x87
 	srag	%r0,$s3,63		# broadcast upper bit
 	ngr	%r1,%r0			# rem
-	srlg	%r0,$s1,63		# carry bit from lower half
-	sllg	$s1,$s1,1
-	sllg	$s3,$s3,1
+	algr	$s1,$s1
+	alcgr	$s3,$s3
 	xgr	$s1,%r1
-	ogr	$s3,%r0
 	lrvgr	$i2,$s1			# flip byte order
 	lrvgr	$i3,$s3
 	stmg	$i2,$i3,$tweak($sp)	# save the 1st tweak
@@ -2179,11 +2161,9 @@ $code.=<<___;
 	lghi	%r1,0x87
 	srag	%r0,$s3,63		# broadcast upper bit
 	ngr	%r1,%r0			# rem
-	srlg	%r0,$s1,63		# carry bit from lower half
-	sllg	$s1,$s1,1
-	sllg	$s3,$s3,1
+	algr	$s1,$s1
+	alcgr	$s3,$s3
 	xgr	$s1,%r1
-	ogr	$s3,%r0
 	lrvgr	$s1,$s1			# flip byte order
 	lrvgr	$s3,$s3
 	srlg	$s0,$s1,32		# smash the tweak to 4x32-bits

crypto/aes/asm/aes-sparcv9.pl

@@ -1176,6 +1176,7 @@ ___
 # As UltraSPARC T1, a.k.a. Niagara, has shared FPU, FP nops can have
 # undesired effect, so just omit them and sacrifice some portion of
 # percent in performance...
-$code =~ s/fmovs.*$//gem;
+$code =~ s/fmovs.*$//gm;
 
 print $code;
+close STDOUT;	# ensure flush

crypto/aes/asm/aes-x86_64.pl

@@ -36,7 +36,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
 die "can't locate x86_64-xlate.pl";
 
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
 
 $verticalspin=1;	# unlike 32-bit version $verticalspin performs
 			# ~15% better on both AMD and Intel cores
@@ -588,6 +589,9 @@ $code.=<<___;
 .globl	AES_encrypt
 .type	AES_encrypt,\@function,3
 .align	16
+.globl	asm_AES_encrypt
+.hidden	asm_AES_encrypt
+asm_AES_encrypt:
 AES_encrypt:
 	push	%rbx
 	push	%rbp
@@ -1184,6 +1188,9 @@ $code.=<<___;
 .globl	AES_decrypt
 .type	AES_decrypt,\@function,3
 .align	16
+.globl	asm_AES_decrypt
+.hidden	asm_AES_decrypt
+asm_AES_decrypt:
 AES_decrypt:
 	push	%rbx
 	push	%rbp
@@ -1277,13 +1284,13 @@ $code.=<<___;
 ___
 }
 
-# int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
+# int private_AES_set_encrypt_key(const unsigned char *userKey, const int bits,
 #                        AES_KEY *key)
 $code.=<<___;
-.globl	AES_set_encrypt_key
-.type	AES_set_encrypt_key,\@function,3
+.globl	private_AES_set_encrypt_key
+.type	private_AES_set_encrypt_key,\@function,3
 .align	16
-AES_set_encrypt_key:
+private_AES_set_encrypt_key:
 	push	%rbx
 	push	%rbp
 	push	%r12			# redundant, but allows to share 
@@ -1295,12 +1302,16 @@ AES_set_encrypt_key:
 
 	call	_x86_64_AES_set_encrypt_key
 
+	mov	8(%rsp),%r15
+	mov	16(%rsp),%r14
+	mov	24(%rsp),%r13
+	mov	32(%rsp),%r12
 	mov	40(%rsp),%rbp
 	mov	48(%rsp),%rbx
 	add	\$56,%rsp
 .Lenc_key_epilogue:
 	ret
-.size	AES_set_encrypt_key,.-AES_set_encrypt_key
+.size	private_AES_set_encrypt_key,.-private_AES_set_encrypt_key
 
 .type	_x86_64_AES_set_encrypt_key,\@abi-omnipotent
 .align	16
@@ -1543,13 +1554,13 @@ $code.=<<___;
 ___
 }
 
-# int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
+# int private_AES_set_decrypt_key(const unsigned char *userKey, const int bits,
 #                        AES_KEY *key)
 $code.=<<___;
-.globl	AES_set_decrypt_key
-.type	AES_set_decrypt_key,\@function,3
+.globl	private_AES_set_decrypt_key
+.type	private_AES_set_decrypt_key,\@function,3
 .align	16
-AES_set_decrypt_key:
+private_AES_set_decrypt_key:
 	push	%rbx
 	push	%rbp
 	push	%r12
@@ -1618,7 +1629,7 @@ $code.=<<___;
 	add	\$56,%rsp
 .Ldec_key_epilogue:
 	ret
-.size	AES_set_decrypt_key,.-AES_set_decrypt_key
+.size	private_AES_set_decrypt_key,.-private_AES_set_decrypt_key
 ___
 
 # void AES_cbc_encrypt (const void char *inp, unsigned char *out,
@@ -1644,6 +1655,9 @@ $code.=<<___;
 .type	AES_cbc_encrypt,\@function,6
 .align	16
 .extern	OPENSSL_ia32cap_P
+.globl	asm_AES_cbc_encrypt
+.hidden	asm_AES_cbc_encrypt
+asm_AES_cbc_encrypt:
 AES_cbc_encrypt:
 	cmp	\$0,%rdx	# check length
 	je	.Lcbc_epilogue
@@ -2762,13 +2776,13 @@ cbc_se_handler:
 	.rva	.LSEH_end_AES_decrypt
 	.rva	.LSEH_info_AES_decrypt
 
-	.rva	.LSEH_begin_AES_set_encrypt_key
-	.rva	.LSEH_end_AES_set_encrypt_key
-	.rva	.LSEH_info_AES_set_encrypt_key
+	.rva	.LSEH_begin_private_AES_set_encrypt_key
+	.rva	.LSEH_end_private_AES_set_encrypt_key
+	.rva	.LSEH_info_private_AES_set_encrypt_key
 
-	.rva	.LSEH_begin_AES_set_decrypt_key
-	.rva	.LSEH_end_AES_set_decrypt_key
-	.rva	.LSEH_info_AES_set_decrypt_key
+	.rva	.LSEH_begin_private_AES_set_decrypt_key
+	.rva	.LSEH_end_private_AES_set_decrypt_key
+	.rva	.LSEH_info_private_AES_set_decrypt_key
 
 	.rva	.LSEH_begin_AES_cbc_encrypt
 	.rva	.LSEH_end_AES_cbc_encrypt
@@ -2784,11 +2798,11 @@ cbc_se_handler:
 	.byte	9,0,0,0
 	.rva	block_se_handler
 	.rva	.Ldec_prologue,.Ldec_epilogue	# HandlerData[]
-.LSEH_info_AES_set_encrypt_key:
+.LSEH_info_private_AES_set_encrypt_key:
 	.byte	9,0,0,0
 	.rva	key_se_handler
 	.rva	.Lenc_key_prologue,.Lenc_key_epilogue	# HandlerData[]
-.LSEH_info_AES_set_decrypt_key:
+.LSEH_info_private_AES_set_decrypt_key:
 	.byte	9,0,0,0
 	.rva	key_se_handler
 	.rva	.Ldec_key_prologue,.Ldec_key_epilogue	# HandlerData[]

crypto/aes/asm/aesni-sha1-x86_64.pl

@@ -69,7 +69,8 @@ $avx=1 if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) &&
 	   `ml64 2>&1` =~ /Version ([0-9]+)\./ &&
 	   $1>=10);
 
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
 
 # void aesni_cbc_sha1_enc(const void *inp,
 #			void *out,

crypto/aes/asm/aesni-x86_64.pl

@@ -172,7 +172,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
 die "can't locate x86_64-xlate.pl";
 
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
 
 $movkey = $PREFIX eq "aesni" ? "movups" : "movups";
 @_4args=$win64?	("%rcx","%rdx","%r8", "%r9") :	# Win64 order

crypto/aes/asm/aesv8-armx.pl

@@ -1,968 +0,0 @@
-#!/usr/bin/env perl
-#
-# ====================================================================
-# Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
-# project. The module is, however, dual licensed under OpenSSL and
-# CRYPTOGAMS licenses depending on where you obtain it. For further
-# details see http://www.openssl.org/~appro/cryptogams/.
-# ====================================================================
-#
-# This module implements support for ARMv8 AES instructions. The
-# module is endian-agnostic in sense that it supports both big- and
-# little-endian cases. As does it support both 32- and 64-bit modes
-# of operation. Latter is achieved by limiting amount of utilized
-# registers to 16, which implies additional NEON load and integer
-# instructions. This has no effect on mighty Apple A7, where results
-# are literally equal to the theoretical estimates based on AES
-# instruction latencies and issue rates. On Cortex-A53, an in-order
-# execution core, this costs up to 10-15%, which is partially
-# compensated by implementing dedicated code path for 128-bit
-# CBC encrypt case. On Cortex-A57 parallelizable mode performance
-# seems to be limited by sheer amount of NEON instructions...
-#
-# Performance in cycles per byte processed with 128-bit key:
-#
-#		CBC enc		CBC dec		CTR
-# Apple A7	2.39		1.20		1.20
-# Cortex-A53	2.45		1.87		1.94
-# Cortex-A57	3.64		1.34		1.32
-
-$flavour = shift;
-$output  = shift;
-
-$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
-( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
-die "can't locate arm-xlate.pl";
-
-open OUT,"| \"$^X\" $xlate $flavour $output";
-*STDOUT=*OUT;
-
-$prefix="aes_v8";
-
-$code=<<___;
-#include "arm_arch.h"
-
-#if __ARM_ARCH__>=7
-.text
-___
-$code.=".arch	armv8-a+crypto\n"	if ($flavour =~ /64/);
-$code.=".fpu	neon\n.code	32\n"	if ($flavour !~ /64/);
-
-# Assembler mnemonics are an eclectic mix of 32- and 64-bit syntax,
-# NEON is mostly 32-bit mnemonics, integer - mostly 64. Goal is to
-# maintain both 32- and 64-bit codes within single module and
-# transliterate common code to either flavour with regex vodoo.
-#
-{{{
-my ($inp,$bits,$out,$ptr,$rounds)=("x0","w1","x2","x3","w12");
-my ($zero,$rcon,$mask,$in0,$in1,$tmp,$key)=
-	$flavour=~/64/? map("q$_",(0..6)) : map("q$_",(0..3,8..10));
-
-
-$code.=<<___;
-.align	5
-.Lrcon:
-.long	0x01,0x01,0x01,0x01
-.long	0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d	// rotate-n-splat
-.long	0x1b,0x1b,0x1b,0x1b
-
-.globl	${prefix}_set_encrypt_key
-.type	${prefix}_set_encrypt_key,%function
-.align	5
-${prefix}_set_encrypt_key:
-.Lenc_key:
-___
-$code.=<<___	if ($flavour =~ /64/);
-	stp	x29,x30,[sp,#-16]!
-	add	x29,sp,#0
-___
-$code.=<<___;
-	mov	$ptr,#-1
-	cmp	$inp,#0
-	b.eq	.Lenc_key_abort
-	cmp	$out,#0
-	b.eq	.Lenc_key_abort
-	mov	$ptr,#-2
-	cmp	$bits,#128
-	b.lt	.Lenc_key_abort
-	cmp	$bits,#256
-	b.gt	.Lenc_key_abort
-	tst	$bits,#0x3f
-	b.ne	.Lenc_key_abort
-
-	adr	$ptr,.Lrcon
-	cmp	$bits,#192
-
-	veor	$zero,$zero,$zero
-	vld1.8	{$in0},[$inp],#16
-	mov	$bits,#8		// reuse $bits
-	vld1.32	{$rcon,$mask},[$ptr],#32
-
-	b.lt	.Loop128
-	b.eq	.L192
-	b	.L256
-
-.align	4
-.Loop128:
-	vtbl.8	$key,{$in0},$mask
-	vext.8	$tmp,$zero,$in0,#12
-	vst1.32	{$in0},[$out],#16
-	aese	$key,$zero
-	subs	$bits,$bits,#1
-
-	veor	$in0,$in0,$tmp
-	vext.8	$tmp,$zero,$tmp,#12
-	veor	$in0,$in0,$tmp
-	vext.8	$tmp,$zero,$tmp,#12
-	 veor	$key,$key,$rcon
-	veor	$in0,$in0,$tmp
-	vshl.u8	$rcon,$rcon,#1
-	veor	$in0,$in0,$key
-	b.ne	.Loop128
-
-	vld1.32	{$rcon},[$ptr]
-
-	vtbl.8	$key,{$in0},$mask
-	vext.8	$tmp,$zero,$in0,#12
-	vst1.32	{$in0},[$out],#16
-	aese	$key,$zero
-
-	veor	$in0,$in0,$tmp
-	vext.8	$tmp,$zero,$tmp,#12
-	veor	$in0,$in0,$tmp
-	vext.8	$tmp,$zero,$tmp,#12
-	 veor	$key,$key,$rcon
-	veor	$in0,$in0,$tmp
-	vshl.u8	$rcon,$rcon,#1
-	veor	$in0,$in0,$key
-
-	vtbl.8	$key,{$in0},$mask
-	vext.8	$tmp,$zero,$in0,#12
-	vst1.32	{$in0},[$out],#16
-	aese	$key,$zero
-
-	veor	$in0,$in0,$tmp
-	vext.8	$tmp,$zero,$tmp,#12
-	veor	$in0,$in0,$tmp
-	vext.8	$tmp,$zero,$tmp,#12
-	 veor	$key,$key,$rcon
-	veor	$in0,$in0,$tmp
-	veor	$in0,$in0,$key
-	vst1.32	{$in0},[$out]
-	add	$out,$out,#0x50
-
-	mov	$rounds,#10
-	b	.Ldone
-
-.align	4
-.L192:
-	vld1.8	{$in1},[$inp],#8
-	vmov.i8	$key,#8			// borrow $key
-	vst1.32	{$in0},[$out],#16
-	vsub.i8	$mask,$mask,$key	// adjust the mask
-
-.Loop192:
-	vtbl.8	$key,{$in1},$mask
-	vext.8	$tmp,$zero,$in0,#12
-	vst1.32	{$in1},[$out],#8
-	aese	$key,$zero
-	subs	$bits,$bits,#1
-
-	veor	$in0,$in0,$tmp
-	vext.8	$tmp,$zero,$tmp,#12
-	veor	$in0,$in0,$tmp
-	vext.8	$tmp,$zero,$tmp,#12
-	veor	$in0,$in0,$tmp
-
-	vdup.32	$tmp,${in0}[3]
-	veor	$tmp,$tmp,$in1
-	 veor	$key,$key,$rcon
-	vext.8	$in1,$zero,$in1,#12
-	vshl.u8	$rcon,$rcon,#1
-	veor	$in1,$in1,$tmp
-	veor	$in0,$in0,$key
-	veor	$in1,$in1,$key
-	vst1.32	{$in0},[$out],#16
-	b.ne	.Loop192
-
-	mov	$rounds,#12
-	add	$out,$out,#0x20
-	b	.Ldone
-
-.align	4
-.L256:
-	vld1.8	{$in1},[$inp]
-	mov	$bits,#7
-	mov	$rounds,#14
-	vst1.32	{$in0},[$out],#16
-
-.Loop256:
-	vtbl.8	$key,{$in1},$mask
-	vext.8	$tmp,$zero,$in0,#12
-	vst1.32	{$in1},[$out],#16
-	aese	$key,$zero
-	subs	$bits,$bits,#1
-
-	veor	$in0,$in0,$tmp
-	vext.8	$tmp,$zero,$tmp,#12
-	veor	$in0,$in0,$tmp
-	vext.8	$tmp,$zero,$tmp,#12
-	 veor	$key,$key,$rcon
-	veor	$in0,$in0,$tmp
-	vshl.u8	$rcon,$rcon,#1
-	veor	$in0,$in0,$key
-	vst1.32	{$in0},[$out],#16
-	b.eq	.Ldone
-
-	vdup.32	$key,${in0}[3]		// just splat
-	vext.8	$tmp,$zero,$in1,#12
-	aese	$key,$zero
-
-	veor	$in1,$in1,$tmp
-	vext.8	$tmp,$zero,$tmp,#12
-	veor	$in1,$in1,$tmp
-	vext.8	$tmp,$zero,$tmp,#12
-	veor	$in1,$in1,$tmp
-
-	veor	$in1,$in1,$key
-	b	.Loop256
-
-.Ldone:
-	str	$rounds,[$out]
-	mov	$ptr,#0
-
-.Lenc_key_abort:
-	mov	x0,$ptr			// return value
-	`"ldr	x29,[sp],#16"		if ($flavour =~ /64/)`
-	ret
-.size	${prefix}_set_encrypt_key,.-${prefix}_set_encrypt_key
-
-.globl	${prefix}_set_decrypt_key
-.type	${prefix}_set_decrypt_key,%function
-.align	5
-${prefix}_set_decrypt_key:
-___
-$code.=<<___	if ($flavour =~ /64/);
-	stp	x29,x30,[sp,#-16]!
-	add	x29,sp,#0
-___
-$code.=<<___	if ($flavour !~ /64/);
-	stmdb	sp!,{r4,lr}
-___
-$code.=<<___;
-	bl	.Lenc_key
-
-	cmp	x0,#0
-	b.ne	.Ldec_key_abort
-
-	sub	$out,$out,#240		// restore original $out
-	mov	x4,#-16
-	add	$inp,$out,x12,lsl#4	// end of key schedule
-
-	vld1.32	{v0.16b},[$out]
-	vld1.32	{v1.16b},[$inp]
-	vst1.32	{v0.16b},[$inp],x4
-	vst1.32	{v1.16b},[$out],#16
-
-.Loop_imc:
-	vld1.32	{v0.16b},[$out]
-	vld1.32	{v1.16b},[$inp]
-	aesimc	v0.16b,v0.16b
-	aesimc	v1.16b,v1.16b
-	vst1.32	{v0.16b},[$inp],x4
-	vst1.32	{v1.16b},[$out],#16
-	cmp	$inp,$out
-	b.hi	.Loop_imc
-
-	vld1.32	{v0.16b},[$out]
-	aesimc	v0.16b,v0.16b
-	vst1.32	{v0.16b},[$inp]
-
-	eor	x0,x0,x0		// return value
-.Ldec_key_abort:
-___
-$code.=<<___	if ($flavour !~ /64/);
-	ldmia	sp!,{r4,pc}
-___
-$code.=<<___	if ($flavour =~ /64/);
-	ldp	x29,x30,[sp],#16
-	ret
-___
-$code.=<<___;
-.size	${prefix}_set_decrypt_key,.-${prefix}_set_decrypt_key
-___
-}}}
-{{{
-sub gen_block () {
-my $dir = shift;
-my ($e,$mc) = $dir eq "en" ? ("e","mc") : ("d","imc");
-my ($inp,$out,$key)=map("x$_",(0..2));
-my $rounds="w3";
-my ($rndkey0,$rndkey1,$inout)=map("q$_",(0..3));
-
-$code.=<<___;
-.globl	${prefix}_${dir}crypt
-.type	${prefix}_${dir}crypt,%function
-.align	5
-${prefix}_${dir}crypt:
-	ldr	$rounds,[$key,#240]
-	vld1.32	{$rndkey0},[$key],#16
-	vld1.8	{$inout},[$inp]
-	sub	$rounds,$rounds,#2
-	vld1.32	{$rndkey1},[$key],#16
-
-.Loop_${dir}c:
-	aes$e	$inout,$rndkey0
-	vld1.32	{$rndkey0},[$key],#16
-	aes$mc	$inout,$inout
-	subs	$rounds,$rounds,#2
-	aes$e	$inout,$rndkey1
-	vld1.32	{$rndkey1},[$key],#16
-	aes$mc	$inout,$inout
-	b.gt	.Loop_${dir}c
-
-	aes$e	$inout,$rndkey0
-	vld1.32	{$rndkey0},[$key]
-	aes$mc	$inout,$inout
-	aes$e	$inout,$rndkey1
-	veor	$inout,$inout,$rndkey0
-
-	vst1.8	{$inout},[$out]
-	ret
-.size	${prefix}_${dir}crypt,.-${prefix}_${dir}crypt
-___
-}
-&gen_block("en");
-&gen_block("de");
-}}}
-{{{
-my ($inp,$out,$len,$key,$ivp)=map("x$_",(0..4)); my $enc="w5";
-my ($rounds,$cnt,$key_,$step,$step1)=($enc,"w6","x7","x8","x12");
-my ($dat0,$dat1,$in0,$in1,$tmp0,$tmp1,$ivec,$rndlast)=map("q$_",(0..7));
-
-my ($dat,$tmp,$rndzero_n_last)=($dat0,$tmp0,$tmp1);
-
-### q8-q15	preloaded key schedule
-
-$code.=<<___;
-.globl	${prefix}_cbc_encrypt
-.type	${prefix}_cbc_encrypt,%function
-.align	5
-${prefix}_cbc_encrypt:
-___
-$code.=<<___	if ($flavour =~ /64/);
-	stp	x29,x30,[sp,#-16]!
-	add	x29,sp,#0
-___
-$code.=<<___	if ($flavour !~ /64/);
-	mov	ip,sp
-	stmdb	sp!,{r4-r8,lr}
-	vstmdb	sp!,{d8-d15}            @ ABI specification says so
-	ldmia	ip,{r4-r5}		@ load remaining args
-___
-$code.=<<___;
-	subs	$len,$len,#16
-	mov	$step,#16
-	b.lo	.Lcbc_abort
-	cclr	$step,eq
-
-	cmp	$enc,#0			// en- or decrypting?
-	ldr	$rounds,[$key,#240]
-	and	$len,$len,#-16
-	vld1.8	{$ivec},[$ivp]
-	vld1.8	{$dat},[$inp],$step
-
-	vld1.32	{q8-q9},[$key]		// load key schedule...
-	sub	$rounds,$rounds,#6
-	add	$key_,$key,x5,lsl#4	// pointer to last 7 round keys
-	sub	$rounds,$rounds,#2
-	vld1.32	{q10-q11},[$key_],#32
-	vld1.32	{q12-q13},[$key_],#32
-	vld1.32	{q14-q15},[$key_],#32
-	vld1.32	{$rndlast},[$key_]
-
-	add	$key_,$key,#32
-	mov	$cnt,$rounds
-	b.eq	.Lcbc_dec
-
-	cmp	$rounds,#2
-	veor	$dat,$dat,$ivec
-	veor	$rndzero_n_last,q8,$rndlast
-	b.eq	.Lcbc_enc128
-
-.Loop_cbc_enc:
-	aese	$dat,q8
-	vld1.32	{q8},[$key_],#16
-	aesmc	$dat,$dat
-	subs	$cnt,$cnt,#2
-	aese	$dat,q9
-	vld1.32	{q9},[$key_],#16
-	aesmc	$dat,$dat
-	b.gt	.Loop_cbc_enc
-
-	aese	$dat,q8
-	aesmc	$dat,$dat
-	 subs	$len,$len,#16
-	aese	$dat,q9
-	aesmc	$dat,$dat
-	 cclr	$step,eq
-	aese	$dat,q10
-	aesmc	$dat,$dat
-	 add	$key_,$key,#16
-	aese	$dat,q11
-	aesmc	$dat,$dat
-	 vld1.8	{q8},[$inp],$step
-	aese	$dat,q12
-	aesmc	$dat,$dat
-	 veor	q8,q8,$rndzero_n_last
-	aese	$dat,q13
-	aesmc	$dat,$dat
-	 vld1.32 {q9},[$key_],#16	// re-pre-load rndkey[1]
-	aese	$dat,q14
-	aesmc	$dat,$dat
-	aese	$dat,q15
-
-	 mov	$cnt,$rounds
-	veor	$ivec,$dat,$rndlast
-	vst1.8	{$ivec},[$out],#16
-	b.hs	.Loop_cbc_enc
-
-	b	.Lcbc_done
-
-.align	5
-.Lcbc_enc128:
-	vld1.32	{$in0-$in1},[$key_]
-	aese	$dat,q8
-	aesmc	$dat,$dat
-	b	.Lenter_cbc_enc128
-.Loop_cbc_enc128:
-	aese	$dat,q8
-	aesmc	$dat,$dat
-	 vst1.8	{$ivec},[$out],#16
-.Lenter_cbc_enc128:
-	aese	$dat,q9
-	aesmc	$dat,$dat
-	 subs	$len,$len,#16
-	aese	$dat,$in0
-	aesmc	$dat,$dat
-	 cclr	$step,eq
-	aese	$dat,$in1
-	aesmc	$dat,$dat
-	aese	$dat,q10
-	aesmc	$dat,$dat
-	aese	$dat,q11
-	aesmc	$dat,$dat
-	 vld1.8	{q8},[$inp],$step
-	aese	$dat,q12
-	aesmc	$dat,$dat
-	aese	$dat,q13
-	aesmc	$dat,$dat
-	aese	$dat,q14
-	aesmc	$dat,$dat
-	 veor	q8,q8,$rndzero_n_last
-	aese	$dat,q15
-	veor	$ivec,$dat,$rndlast
-	b.hs	.Loop_cbc_enc128
-
-	vst1.8	{$ivec},[$out],#16
-	b	.Lcbc_done
-___
-{
-my ($dat2,$in2,$tmp2)=map("q$_",(10,11,9));
-$code.=<<___;
-.align	5
-.Lcbc_dec:
-	vld1.8	{$dat2},[$inp],#16
-	subs	$len,$len,#32		// bias
-	add	$cnt,$rounds,#2
-	vorr	$in1,$dat,$dat
-	vorr	$dat1,$dat,$dat
-	vorr	$in2,$dat2,$dat2
-	b.lo	.Lcbc_dec_tail
-
-	vorr	$dat1,$dat2,$dat2
-	vld1.8	{$dat2},[$inp],#16
-	vorr	$in0,$dat,$dat
-	vorr	$in1,$dat1,$dat1
-	vorr	$in2,$dat2,$dat2
-
-.Loop3x_cbc_dec:
-	aesd	$dat0,q8
-	aesd	$dat1,q8
-	aesd	$dat2,q8
-	vld1.32	{q8},[$key_],#16
-	aesimc	$dat0,$dat0
-	aesimc	$dat1,$dat1
-	aesimc	$dat2,$dat2
-	subs	$cnt,$cnt,#2
-	aesd	$dat0,q9
-	aesd	$dat1,q9
-	aesd	$dat2,q9
-	vld1.32	{q9},[$key_],#16
-	aesimc	$dat0,$dat0
-	aesimc	$dat1,$dat1
-	aesimc	$dat2,$dat2
-	b.gt	.Loop3x_cbc_dec
-
-	aesd	$dat0,q8
-	aesd	$dat1,q8
-	aesd	$dat2,q8
-	 veor	$tmp0,$ivec,$rndlast
-	aesimc	$dat0,$dat0
-	aesimc	$dat1,$dat1
-	aesimc	$dat2,$dat2
-	 veor	$tmp1,$in0,$rndlast
-	aesd	$dat0,q9
-	aesd	$dat1,q9
-	aesd	$dat2,q9
-	 veor	$tmp2,$in1,$rndlast
-	 subs	$len,$len,#0x30
-	aesimc	$dat0,$dat0
-	aesimc	$dat1,$dat1
-	aesimc	$dat2,$dat2
-	 vorr	$ivec,$in2,$in2
-	 mov.lo	x6,$len			// x6, $cnt, is zero at this point
-	aesd	$dat0,q12
-	aesd	$dat1,q12
-	aesd	$dat2,q12
-	 add	$inp,$inp,x6		// $inp is adjusted in such way that
-					// at exit from the loop $dat1-$dat2
-					// are loaded with last "words"
-	aesimc	$dat0,$dat0
-	aesimc	$dat1,$dat1
-	aesimc	$dat2,$dat2
-	 mov	$key_,$key
-	aesd	$dat0,q13
-	aesd	$dat1,q13
-	aesd	$dat2,q13
-	 vld1.8	{$in0},[$inp],#16
-	aesimc	$dat0,$dat0
-	aesimc	$dat1,$dat1
-	aesimc	$dat2,$dat2
-	 vld1.8	{$in1},[$inp],#16
-	aesd	$dat0,q14
-	aesd	$dat1,q14
-	aesd	$dat2,q14
-	 vld1.8	{$in2},[$inp],#16
-	aesimc	$dat0,$dat0
-	aesimc	$dat1,$dat1
-	aesimc	$dat2,$dat2
-	 vld1.32 {q8},[$key_],#16	// re-pre-load rndkey[0]
-	aesd	$dat0,q15
-	aesd	$dat1,q15
-	aesd	$dat2,q15
-
-	 add	$cnt,$rounds,#2
-	veor	$tmp0,$tmp0,$dat0
-	veor	$tmp1,$tmp1,$dat1
-	veor	$dat2,$dat2,$tmp2
-	 vld1.32 {q9},[$key_],#16	// re-pre-load rndkey[1]
-	 vorr	$dat0,$in0,$in0
-	vst1.8	{$tmp0},[$out],#16
-	 vorr	$dat1,$in1,$in1
-	vst1.8	{$tmp1},[$out],#16
-	vst1.8	{$dat2},[$out],#16
-	 vorr	$dat2,$in2,$in2
-	b.hs	.Loop3x_cbc_dec
-
-	cmn	$len,#0x30
-	b.eq	.Lcbc_done
-	nop
-
-.Lcbc_dec_tail:
-	aesd	$dat1,q8
-	aesd	$dat2,q8
-	vld1.32	{q8},[$key_],#16
-	aesimc	$dat1,$dat1
-	aesimc	$dat2,$dat2
-	subs	$cnt,$cnt,#2
-	aesd	$dat1,q9
-	aesd	$dat2,q9
-	vld1.32	{q9},[$key_],#16
-	aesimc	$dat1,$dat1
-	aesimc	$dat2,$dat2
-	b.gt	.Lcbc_dec_tail
-
-	aesd	$dat1,q8
-	aesd	$dat2,q8
-	aesimc	$dat1,$dat1
-	aesimc	$dat2,$dat2
-	aesd	$dat1,q9
-	aesd	$dat2,q9
-	aesimc	$dat1,$dat1
-	aesimc	$dat2,$dat2
-	aesd	$dat1,q12
-	aesd	$dat2,q12
-	aesimc	$dat1,$dat1
-	aesimc	$dat2,$dat2
-	 cmn	$len,#0x20
-	aesd	$dat1,q13
-	aesd	$dat2,q13
-	aesimc	$dat1,$dat1
-	aesimc	$dat2,$dat2
-	 veor	$tmp1,$ivec,$rndlast
-	aesd	$dat1,q14
-	aesd	$dat2,q14
-	aesimc	$dat1,$dat1
-	aesimc	$dat2,$dat2
-	 veor	$tmp2,$in1,$rndlast
-	aesd	$dat1,q15
-	aesd	$dat2,q15
-	b.eq	.Lcbc_dec_one
-	veor	$tmp1,$tmp1,$dat1
-	veor	$tmp2,$tmp2,$dat2
-	 vorr	$ivec,$in2,$in2
-	vst1.8	{$tmp1},[$out],#16
-	vst1.8	{$tmp2},[$out],#16
-	b	.Lcbc_done
-
-.Lcbc_dec_one:
-	veor	$tmp1,$tmp1,$dat2
-	 vorr	$ivec,$in2,$in2
-	vst1.8	{$tmp1},[$out],#16
-
-.Lcbc_done:
-	vst1.8	{$ivec},[$ivp]
-.Lcbc_abort:
-___
-}
-$code.=<<___	if ($flavour !~ /64/);
-	vldmia	sp!,{d8-d15}
-	ldmia	sp!,{r4-r8,pc}
-___
-$code.=<<___	if ($flavour =~ /64/);
-	ldr	x29,[sp],#16
-	ret
-___
-$code.=<<___;
-.size	${prefix}_cbc_encrypt,.-${prefix}_cbc_encrypt
-___
-}}}
-{{{
-my ($inp,$out,$len,$key,$ivp)=map("x$_",(0..4));
-my ($rounds,$cnt,$key_)=("w5","w6","x7");
-my ($ctr,$tctr0,$tctr1,$tctr2)=map("w$_",(8..10,12));
-my $step="x12";		# aliases with $tctr2
-
-my ($dat0,$dat1,$in0,$in1,$tmp0,$tmp1,$ivec,$rndlast)=map("q$_",(0..7));
-my ($dat2,$in2,$tmp2)=map("q$_",(10,11,9));
-
-my ($dat,$tmp)=($dat0,$tmp0);
-
-### q8-q15	preloaded key schedule
-
-$code.=<<___;
-.globl	${prefix}_ctr32_encrypt_blocks
-.type	${prefix}_ctr32_encrypt_blocks,%function
-.align	5
-${prefix}_ctr32_encrypt_blocks:
-___
-$code.=<<___	if ($flavour =~ /64/);
-	stp		x29,x30,[sp,#-16]!
-	add		x29,sp,#0
-___
-$code.=<<___	if ($flavour !~ /64/);
-	mov		ip,sp
-	stmdb		sp!,{r4-r10,lr}
-	vstmdb		sp!,{d8-d15}            @ ABI specification says so
-	ldr		r4, [ip]		@ load remaining arg
-___
-$code.=<<___;
-	ldr		$rounds,[$key,#240]
-
-	ldr		$ctr, [$ivp, #12]
-	vld1.32		{$dat0},[$ivp]
-
-	vld1.32		{q8-q9},[$key]		// load key schedule...
-	sub		$rounds,$rounds,#4
-	mov		$step,#16
-	cmp		$len,#2
-	add		$key_,$key,x5,lsl#4	// pointer to last 5 round keys
-	sub		$rounds,$rounds,#2
-	vld1.32		{q12-q13},[$key_],#32
-	vld1.32		{q14-q15},[$key_],#32
-	vld1.32		{$rndlast},[$key_]
-	add		$key_,$key,#32
-	mov		$cnt,$rounds
-	cclr		$step,lo
-#ifndef __ARMEB__
-	rev		$ctr, $ctr
-#endif
-	vorr		$dat1,$dat0,$dat0
-	add		$tctr1, $ctr, #1
-	vorr		$dat2,$dat0,$dat0
-	add		$ctr, $ctr, #2
-	vorr		$ivec,$dat0,$dat0
-	rev		$tctr1, $tctr1
-	vmov.32		${dat1}[3],$tctr1
-	b.ls		.Lctr32_tail
-	rev		$tctr2, $ctr
-	sub		$len,$len,#3		// bias
-	vmov.32		${dat2}[3],$tctr2
-	b		.Loop3x_ctr32
-
-.align	4
-.Loop3x_ctr32:
-	aese		$dat0,q8
-	aese		$dat1,q8
-	aese		$dat2,q8
-	vld1.32		{q8},[$key_],#16
-	aesmc		$dat0,$dat0
-	aesmc		$dat1,$dat1
-	aesmc		$dat2,$dat2
-	subs		$cnt,$cnt,#2
-	aese		$dat0,q9
-	aese		$dat1,q9
-	aese		$dat2,q9
-	vld1.32		{q9},[$key_],#16
-	aesmc		$dat0,$dat0
-	aesmc		$dat1,$dat1
-	aesmc		$dat2,$dat2
-	b.gt		.Loop3x_ctr32
-
-	aese		$dat0,q8
-	aese		$dat1,q8
-	aese		$dat2,q8
-	 mov		$key_,$key
-	aesmc		$tmp0,$dat0
-	 vld1.8		{$in0},[$inp],#16
-	aesmc		$tmp1,$dat1
-	aesmc		$dat2,$dat2
-	 vorr		$dat0,$ivec,$ivec
-	aese		$tmp0,q9
-	 vld1.8		{$in1},[$inp],#16
-	aese		$tmp1,q9
-	aese		$dat2,q9
-	 vorr		$dat1,$ivec,$ivec
-	aesmc		$tmp0,$tmp0
-	 vld1.8		{$in2},[$inp],#16
-	aesmc		$tmp1,$tmp1
-	aesmc		$tmp2,$dat2
-	 vorr		$dat2,$ivec,$ivec
-	 add		$tctr0,$ctr,#1
-	aese		$tmp0,q12
-	aese		$tmp1,q12
-	aese		$tmp2,q12
-	 veor		$in0,$in0,$rndlast
-	 add		$tctr1,$ctr,#2
-	aesmc		$tmp0,$tmp0
-	aesmc		$tmp1,$tmp1
-	aesmc		$tmp2,$tmp2
-	 veor		$in1,$in1,$rndlast
-	 add		$ctr,$ctr,#3
-	aese		$tmp0,q13
-	aese		$tmp1,q13
-	aese		$tmp2,q13
-	 veor		$in2,$in2,$rndlast
-	 rev		$tctr0,$tctr0
-	aesmc		$tmp0,$tmp0
-	 vld1.32	 {q8},[$key_],#16	// re-pre-load rndkey[0]
-	aesmc		$tmp1,$tmp1
-	aesmc		$tmp2,$tmp2
-	 vmov.32	${dat0}[3], $tctr0
-	 rev		$tctr1,$tctr1
-	aese		$tmp0,q14
-	aese		$tmp1,q14
-	aese		$tmp2,q14
-	 vmov.32	${dat1}[3], $tctr1
-	 rev		$tctr2,$ctr
-	aesmc		$tmp0,$tmp0
-	aesmc		$tmp1,$tmp1
-	aesmc		$tmp2,$tmp2
-	 vmov.32	${dat2}[3], $tctr2
-	 subs		$len,$len,#3
-	aese		$tmp0,q15
-	aese		$tmp1,q15
-	aese		$tmp2,q15
-
-	 mov		$cnt,$rounds
-	veor		$in0,$in0,$tmp0
-	veor		$in1,$in1,$tmp1
-	veor		$in2,$in2,$tmp2
-	 vld1.32	 {q9},[$key_],#16	// re-pre-load rndkey[1]
-	vst1.8		{$in0},[$out],#16
-	vst1.8		{$in1},[$out],#16
-	vst1.8		{$in2},[$out],#16
-	b.hs		.Loop3x_ctr32
-
-	adds		$len,$len,#3
-	b.eq		.Lctr32_done
-	cmp		$len,#1
-	mov		$step,#16
-	cclr		$step,eq
-
-.Lctr32_tail:
-	aese		$dat0,q8
-	aese		$dat1,q8
-	vld1.32		{q8},[$key_],#16
-	aesmc		$dat0,$dat0
-	aesmc		$dat1,$dat1
-	subs		$cnt,$cnt,#2
-	aese		$dat0,q9
-	aese		$dat1,q9
-	vld1.32		{q9},[$key_],#16
-	aesmc		$dat0,$dat0
-	aesmc		$dat1,$dat1
-	b.gt		.Lctr32_tail
-
-	aese		$dat0,q8
-	aese		$dat1,q8
-	aesmc		$dat0,$dat0
-	aesmc		$dat1,$dat1
-	aese		$dat0,q9
-	aese		$dat1,q9
-	aesmc		$dat0,$dat0
-	aesmc		$dat1,$dat1
-	 vld1.8		{$in0},[$inp],$step
-	aese		$dat0,q12
-	aese		$dat1,q12
-	 vld1.8		{$in1},[$inp]
-	aesmc		$dat0,$dat0
-	aesmc		$dat1,$dat1
-	aese		$dat0,q13
-	aese		$dat1,q13
-	aesmc		$dat0,$dat0
-	aesmc		$dat1,$dat1
-	aese		$dat0,q14
-	aese		$dat1,q14
-	 veor		$in0,$in0,$rndlast
-	aesmc		$dat0,$dat0
-	aesmc		$dat1,$dat1
-	 veor		$in1,$in1,$rndlast
-	aese		$dat0,q15
-	aese		$dat1,q15
-
-	cmp		$len,#1
-	veor		$in0,$in0,$dat0
-	veor		$in1,$in1,$dat1
-	vst1.8		{$in0},[$out],#16
-	b.eq		.Lctr32_done
-	vst1.8		{$in1},[$out]
-
-.Lctr32_done:
-___
-$code.=<<___	if ($flavour !~ /64/);
-	vldmia		sp!,{d8-d15}
-	ldmia		sp!,{r4-r10,pc}
-___
-$code.=<<___	if ($flavour =~ /64/);
-	ldr		x29,[sp],#16
-	ret
-___
-$code.=<<___;
-.size	${prefix}_ctr32_encrypt_blocks,.-${prefix}_ctr32_encrypt_blocks
-___
-}}}
-$code.=<<___;
-#endif
-___
-########################################
-if ($flavour =~ /64/) {			######## 64-bit code
-    my %opcode = (
-	"aesd"	=>	0x4e285800,	"aese"	=>	0x4e284800,
-	"aesimc"=>	0x4e287800,	"aesmc"	=>	0x4e286800	);
-
-    local *unaes = sub {
-	my ($mnemonic,$arg)=@_;
-
-	$arg =~ m/[qv]([0-9]+)[^,]*,\s*[qv]([0-9]+)/o	&&
-	sprintf ".inst\t0x%08x\t//%s %s",
-			$opcode{$mnemonic}|$1|($2<<5),
-			$mnemonic,$arg;
-    };
-
-    foreach(split("\n",$code)) {
-	s/\`([^\`]*)\`/eval($1)/geo;
-
-	s/\bq([0-9]+)\b/"v".($1<8?$1:$1+8).".16b"/geo;	# old->new registers
-	s/@\s/\/\//o;			# old->new style commentary
-
-	#s/[v]?(aes\w+)\s+([qv].*)/unaes($1,$2)/geo	or
-	s/cclr\s+([wx])([^,]+),\s*([a-z]+)/csel	$1$2,$1zr,$1$2,$3/o	or
-	s/mov\.([a-z]+)\s+([wx][0-9]+),\s*([wx][0-9]+)/csel	$2,$3,$2,$1/o	or
-	s/vmov\.i8/movi/o	or	# fix up legacy mnemonics
-	s/vext\.8/ext/o		or
-	s/vrev32\.8/rev32/o	or
-	s/vtst\.8/cmtst/o	or
-	s/vshr/ushr/o		or
-	s/^(\s+)v/$1/o		or	# strip off v prefix
-	s/\bbx\s+lr\b/ret/o;
-
-	# fix up remainig legacy suffixes
-	s/\.[ui]?8//o;
-	m/\],#8/o and s/\.16b/\.8b/go;
-	s/\.[ui]?32//o and s/\.16b/\.4s/go;
-	s/\.[ui]?64//o and s/\.16b/\.2d/go;
-	s/\.[42]([sd])\[([0-3])\]/\.$1\[$2\]/o;
-
-	print $_,"\n";
-    }
-} else {				######## 32-bit code
-    my %opcode = (
-	"aesd"	=>	0xf3b00340,	"aese"	=>	0xf3b00300,
-	"aesimc"=>	0xf3b003c0,	"aesmc"	=>	0xf3b00380	);
-
-    local *unaes = sub {
-	my ($mnemonic,$arg)=@_;
-
-	if ($arg =~ m/[qv]([0-9]+)[^,]*,\s*[qv]([0-9]+)/o) {
-	    my $word = $opcode{$mnemonic}|(($1&7)<<13)|(($1&8)<<19)
-					 |(($2&7)<<1) |(($2&8)<<2);
-	    # since ARMv7 instructions are always encoded little-endian.
-	    # correct solution is to use .inst directive, but older
-	    # assemblers don't implement it:-(
-	    sprintf ".byte\t0x%02x,0x%02x,0x%02x,0x%02x\t@ %s %s",
-			$word&0xff,($word>>8)&0xff,
-			($word>>16)&0xff,($word>>24)&0xff,
-			$mnemonic,$arg;
-	}
-    };
-
-    sub unvtbl {
-	my $arg=shift;
-
-	$arg =~ m/q([0-9]+),\s*\{q([0-9]+)\},\s*q([0-9]+)/o &&
-	sprintf	"vtbl.8	d%d,{q%d},d%d\n\t".
-		"vtbl.8	d%d,{q%d},d%d", 2*$1,$2,2*$3, 2*$1+1,$2,2*$3+1;	
-    }
-
-    sub unvdup32 {
-	my $arg=shift;
-
-	$arg =~ m/q([0-9]+),\s*q([0-9]+)\[([0-3])\]/o &&
-	sprintf	"vdup.32	q%d,d%d[%d]",$1,2*$2+($3>>1),$3&1;	
-    }
-
-    sub unvmov32 {
-	my $arg=shift;
-
-	$arg =~ m/q([0-9]+)\[([0-3])\],(.*)/o &&
-	sprintf	"vmov.32	d%d[%d],%s",2*$1+($2>>1),$2&1,$3;	
-    }
-
-    foreach(split("\n",$code)) {
-	s/\`([^\`]*)\`/eval($1)/geo;
-
-	s/\b[wx]([0-9]+)\b/r$1/go;		# new->old registers
-	s/\bv([0-9])\.[12468]+[bsd]\b/q$1/go;	# new->old registers
-	s/\/\/\s?/@ /o;				# new->old style commentary
-
-	# fix up remainig new-style suffixes
-	s/\{q([0-9]+)\},\s*\[(.+)\],#8/sprintf "{d%d},[$2]!",2*$1/eo	or
-	s/\],#[0-9]+/]!/o;
-
-	s/[v]?(aes\w+)\s+([qv].*)/unaes($1,$2)/geo	or
-	s/cclr\s+([^,]+),\s*([a-z]+)/mov$2	$1,#0/o	or
-	s/vtbl\.8\s+(.*)/unvtbl($1)/geo			or
-	s/vdup\.32\s+(.*)/unvdup32($1)/geo		or
-	s/vmov\.32\s+(.*)/unvmov32($1)/geo		or
-	s/^(\s+)b\./$1b/o				or
-	s/^(\s+)mov\./$1mov/o				or
-	s/^(\s+)ret/$1bx\tlr/o;
-
-	print $_,"\n";
-    }
-}
-
-close STDOUT;