Prepare for 1.0.1g release

Treat a zero length passed to ssleay_rand_add a no op: the existing logic
zeroes the md value which is very bad. OpenSSL itself never does this
internally and the actual call doesn't make sense as it would be passing
zero bytes of entropy.

Thanks to Marcus Meissner <meissner@suse.de> for reporting this bug.

CHANGES

@@ -2,9 +2,60 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 1.0.1f and 1.0.1g [7 Apr 2014]
+
+  *) A missing bounds check in the handling of the TLS heartbeat extension
+     can be used to reveal up to 64k of memory to a connected client or
+     server.
+
+     Thanks for Neel Mehta of Google Security for discovering this bug and to
+     Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
+     preparing the fix (CVE-2014-0160)
+     [Adam Langley, Bodo Moeller]
+
+  *) Fix for the attack described in the paper "Recovering OpenSSL
+     ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
+     by Yuval Yarom and Naomi Benger. Details can be obtained from:
+     http://eprint.iacr.org/2014/140
+
+     Thanks to Yuval Yarom and Naomi Benger for discovering this
+     flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
+     [Yuval Yarom and Naomi Benger]
+
+  *) TLS pad extension: draft-agl-tls-padding-03
+
+     Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
+     TLS client Hello record length value would otherwise be > 255 and
+     less that 512 pad with a dummy extension containing zeroes so it
+     is at least 512 bytes long.
+
+     [Adam Langley, Steve Henson]
+
+ Changes between 1.0.1e and 1.0.1f [6 Jan 2014]
+
+  *) Fix for TLS record tampering bug. A carefully crafted invalid 
+     handshake could crash OpenSSL with a NULL pointer exception.
+     Thanks to Anton Johansson for reporting this issues.
+     (CVE-2013-4353)
+
+  *) Keep original DTLS digest and encryption contexts in retransmission
+     structures so we can use the previous session parameters if they need
+     to be resent. (CVE-2013-6450)
+     [Steve Henson]
+
+  *) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
+     avoids preferring ECDHE-ECDSA ciphers when the client appears to be
+     Safari on OS X.  Safari on OS X 10.8..10.8.3 advertises support for
+     several ECDHE-ECDSA ciphers, but fails to negotiate them.  The bug
+     is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
+     10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
+     [Rob Stradling, Adam Langley]
+
  Changes between 1.0.1d and 1.0.1e [11 Feb 2013]
 
-  *)
+  *) Correct fix for CVE-2013-0169. The original didn't work on AES-NI
+     supporting platforms or when small records were transferred.
+     [Andy Polyakov, Steve Henson]
 
  Changes between 1.0.1c and 1.0.1d [5 Feb 2013]
 
@@ -404,6 +455,63 @@
        Add command line options to s_client/s_server.
      [Steve Henson]
 
+ Changes between 1.0.0j and 1.0.0k [5 Feb 2013]
+
+  *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
+
+     This addresses the flaw in CBC record processing discovered by 
+     Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
+     at: http://www.isg.rhul.ac.uk/tls/     
+
+     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
+     Security Group at Royal Holloway, University of London
+     (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
+     Emilia K<>sper for the initial patch.
+     (CVE-2013-0169)
+     [Emilia K<>sper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
+
+  *) Return an error when checking OCSP signatures when key is NULL.
+     This fixes a DoS attack. (CVE-2013-0166)
+     [Steve Henson]
+
+  *) Call OCSP Stapling callback after ciphersuite has been chosen, so
+     the right response is stapled. Also change SSL_get_certificate()
+     so it returns the certificate actually sent.
+     See http://rt.openssl.org/Ticket/Display.html?id=2836.
+     (This is a backport)
+     [Rob Stradling <rob.stradling@comodo.com>]
+
+  *) Fix possible deadlock when decoding public keys.
+     [Steve Henson]
+
+ Changes between 1.0.0i and 1.0.0j [10 May 2012]
+
+  [NB: OpenSSL 1.0.0i and later 1.0.0 patch levels were released after
+  OpenSSL 1.0.1.]
+
+  *) Sanity check record length before skipping explicit IV in DTLS
+     to fix DoS attack.
+
+     Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
+     fuzzing as a service testing platform.
+     (CVE-2012-2333)
+     [Steve Henson]
+
+  *) Initialise tkeylen properly when encrypting CMS messages.
+     Thanks to Solar Designer of Openwall for reporting this issue.
+     [Steve Henson]
+
+ Changes between 1.0.0h and 1.0.0i [19 Apr 2012]
+
+  *) Check for potentially exploitable overflows in asn1_d2i_read_bio
+     BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
+     in CRYPTO_realloc_clean.
+
+     Thanks to Tavis Ormandy, Google Security Team, for discovering this
+     issue and to Adam Langley <agl@chromium.org> for fixing it.
+     (CVE-2012-2110)
+     [Adam Langley (Google), Tavis Ormandy, Google Security Team]
+
  Changes between 1.0.0g and 1.0.0h [12 Mar 2012]
 
   *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
@@ -1394,6 +1502,86 @@
   *) Change 'Configure' script to enable Camellia by default.
      [NTT]
 
+ Changes between 0.9.8x and 0.9.8y [5 Feb 2013]
+
+  *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
+
+     This addresses the flaw in CBC record processing discovered by 
+     Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
+     at: http://www.isg.rhul.ac.uk/tls/     
+
+     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
+     Security Group at Royal Holloway, University of London
+     (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
+     Emilia K<>sper for the initial patch.
+     (CVE-2013-0169)
+     [Emilia K<>sper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
+
+  *) Return an error when checking OCSP signatures when key is NULL.
+     This fixes a DoS attack. (CVE-2013-0166)
+     [Steve Henson]
+
+  *) Call OCSP Stapling callback after ciphersuite has been chosen, so
+     the right response is stapled. Also change SSL_get_certificate()
+     so it returns the certificate actually sent.
+     See http://rt.openssl.org/Ticket/Display.html?id=2836.
+     (This is a backport)
+     [Rob Stradling <rob.stradling@comodo.com>]
+
+  *) Fix possible deadlock when decoding public keys.
+     [Steve Henson]
+
+ Changes between 0.9.8w and 0.9.8x [10 May 2012]
+
+  *) Sanity check record length before skipping explicit IV in DTLS
+     to fix DoS attack.
+
+     Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
+     fuzzing as a service testing platform.
+     (CVE-2012-2333)
+     [Steve Henson]
+
+  *) Initialise tkeylen properly when encrypting CMS messages.
+     Thanks to Solar Designer of Openwall for reporting this issue.
+     [Steve Henson]
+
+ Changes between 0.9.8v and 0.9.8w [23 Apr 2012]
+
+  *) The fix for CVE-2012-2110 did not take into account that the 
+     'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an
+     int in OpenSSL 0.9.8, making it still vulnerable. Fix by 
+     rejecting negative len parameter. (CVE-2012-2131)
+     [Tomas Hoger <thoger@redhat.com>]
+
+ Changes between 0.9.8u and 0.9.8v [19 Apr 2012]
+
+  *) Check for potentially exploitable overflows in asn1_d2i_read_bio
+     BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
+     in CRYPTO_realloc_clean.
+
+     Thanks to Tavis Ormandy, Google Security Team, for discovering this
+     issue and to Adam Langley <agl@chromium.org> for fixing it.
+     (CVE-2012-2110)
+     [Adam Langley (Google), Tavis Ormandy, Google Security Team]
+
+ Changes between 0.9.8t and 0.9.8u [12 Mar 2012]
+
+  *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
+     in CMS and PKCS7 code. When RSA decryption fails use a random key for
+     content decryption and always return the same error. Note: this attack
+     needs on average 2^20 messages so it only affects automated senders. The
+     old behaviour can be reenabled in the CMS code by setting the
+     CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where
+     an MMA defence is not necessary.
+     Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering
+     this issue. (CVE-2012-0884)
+     [Steve Henson]
+
+  *) Fix CVE-2011-4619: make sure we really are receiving a 
+     client hello before rejecting multiple SGC restarts. Thanks to
+     Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug.
+     [Steve Henson]
+
  Changes between 0.9.8s and 0.9.8t [18 Jan 2012]
 
   *) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
@@ -1401,7 +1589,7 @@
      Development, Cisco Systems, Inc. for discovering this bug and
      preparing a fix. (CVE-2012-0050)
      [Antonio Martin]
-  
+
  Changes between 0.9.8r and 0.9.8s [4 Jan 2012]
 
   *) Nadhem Alfardan and Kenny Paterson have discovered an extension

Configure

@@ -178,7 +178,7 @@ my %table=(
 "debug-ben-no-opt",	"gcc: -Wall -Wmissing-prototypes -Wstrict-prototypes -Wmissing-declarations -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG -Werror -DL_ENDIAN -DTERMIOS -Wall -g3::(unknown)::::::",
 "debug-ben-strict",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::",
 "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
-"debug-bodo",	"gcc:$gcc_devteam_warn -DBN_DEBUG -DBN_DEBUG_RAND -DCONF_DEBUG -DBIO_PAIR_DEBUG -m64 -DL_ENDIAN -DTERMIO -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+"debug-bodo",	"gcc:$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DBN_DEBUG_RAND -DCONF_DEBUG -DBIO_PAIR_DEBUG -m64 -DL_ENDIAN -DTERMIO -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 "debug-ulf", "gcc:-DTERMIOS -DL_ENDIAN -march=i486 -Wall -DBN_DEBUG -DBN_DEBUG_RAND -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -g -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations:::CYGWIN32:::${no_asm}:win32:cygwin-shared:::.dll",
 "debug-steve64", "gcc:$gcc_devteam_warn -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -Wno-overlength-strings -g::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-steve32", "gcc:$gcc_devteam_warn -m32 -DL_ENDIAN -DCONF_DEBUG -DDEBUG_SAFESTACK -g -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -526,7 +526,7 @@ my %table=(
 # 'perl Configure VC-WIN32' with '-DUNICODE -D_UNICODE'
 "VC-WIN32","cl:-W3 -Gs0 -GF -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE:::WIN32::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${x86_asm}:win32n:win32",
 # Unified CE target
-"debug-VC-WIN32","cl:-W3 -WX -Gs0 -GF -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE:::WIN32::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${x86_asm}:win32n:win32",
+"debug-VC-WIN32","cl:-W3 -Gs0 -GF -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE:::WIN32::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${x86_asm}:win32n:win32",
 "VC-CE","cl::::WINCE::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${no_asm}:win32",
 
 # Borland C++ 4.5

FAQ

@@ -768,6 +768,9 @@ openssl-security@openssl.org if you don't get a prompt reply at least
 acknowledging receipt then resend or mail it directly to one of the
 more active team members (e.g. Steve).
 
+Note that bugs only present in the openssl utility are not in general
+considered to be security issues. 
+
 [PROG] ========================================================================
 
 * Is OpenSSL thread-safe?

Makefile.org

@@ -302,7 +302,8 @@ libcrypto$(SHLIB_EXT): libcrypto.a fips_premain_dso$(EXE_EXT)
 			FIPSLD_CC="$(CC)"; CC=$(FIPSDIR)/bin/fipsld; \
 			export CC FIPSLD_CC FIPSLD_LIBCRYPTO; \
 		fi; \
-		$(MAKE) -e SHLIBDIRS=crypto build-shared; \
+		$(MAKE) -e SHLIBDIRS=crypto  CC="$${CC:-$(CC)}" build-shared && \
+		(touch -c fips_premain_dso$(EXE_EXT) || :); \
 	else \
 		echo "There's no support for shared libraries on this platform" >&2; \
 		exit 1; \

NEWS

@@ -5,11 +5,24 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
-  Major changes between OpenSSL 1.0.1d and OpenSSL 1.0.1e:
+  Major changes between OpenSSL 1.0.1f and OpenSSL 1.0.1g [7 Apr 2014]
+
+      o Fix for CVE-2014-0160
+      o Add TLS padding extension workaround for broken servers.
+      o Fix for CVE-2014-0076
+
+  Major changes between OpenSSL 1.0.1e and OpenSSL 1.0.1f [6 Jan 2014]
+
+      o Don't include gmt_unix_time in TLS server and client random values
+      o Fix for TLS record tampering bug CVE-2013-4353
+      o Fix for TLS version checking bug CVE-2013-6449
+      o Fix for DTLS retransmission bug CVE-2013-6450
+
+  Major changes between OpenSSL 1.0.1d and OpenSSL 1.0.1e [11 Feb 2013]:
 
       o Corrected fix for CVE-2013-0169
 
-  Major changes between OpenSSL 1.0.1c and OpenSSL 1.0.1d:
+  Major changes between OpenSSL 1.0.1c and OpenSSL 1.0.1d [4 Feb 2013]:
 
       o Fix renegotiation in TLS 1.1, 1.2 by using the correct TLS version.
       o Include the fips configuration module.
@@ -17,24 +30,24 @@
       o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169
       o Fix for TLS AESNI record handling flaw CVE-2012-2686
 
-  Major changes between OpenSSL 1.0.1b and OpenSSL 1.0.1c:
+  Major changes between OpenSSL 1.0.1b and OpenSSL 1.0.1c [10 May 2012]:
 
       o Fix TLS/DTLS record length checking bug CVE-2012-2333
       o Don't attempt to use non-FIPS composite ciphers in FIPS mode.
 
-  Major changes between OpenSSL 1.0.1a and OpenSSL 1.0.1b:
+  Major changes between OpenSSL 1.0.1a and OpenSSL 1.0.1b [26 Apr 2012]:
 
       o Fix compilation error on non-x86 platforms.
       o Make FIPS capable OpenSSL ciphers work in non-FIPS mode.
       o Fix SSL_OP_NO_TLSv1_1 clash with SSL_OP_ALL in OpenSSL 1.0.0
 
-  Major changes between OpenSSL 1.0.1 and OpenSSL 1.0.1a:
+  Major changes between OpenSSL 1.0.1 and OpenSSL 1.0.1a [19 Apr 2012]:
 
       o Fix for ASN1 overflow bug CVE-2012-2110
       o Workarounds for some servers that hang on long client hellos.
       o Fix SEGV in AES code.
 
-  Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1:
+  Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1 [14 Mar 2012]:
 
       o TLS/DTLS heartbeat support.
       o SCTP support.
@@ -47,17 +60,30 @@
       o Preliminary FIPS capability for unvalidated 2.0 FIPS module.
       o SRP support.
 
-  Major changes between OpenSSL 1.0.0g and OpenSSL 1.0.0h:
+  Major changes between OpenSSL 1.0.0j and OpenSSL 1.0.0k [5 Feb 2013]:
+
+      o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169
+      o Fix OCSP bad key DoS attack CVE-2013-0166
+
+  Major changes between OpenSSL 1.0.0i and OpenSSL 1.0.0j [10 May 2012]:
+
+      o Fix DTLS record length checking bug CVE-2012-2333
+
+  Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.0i [19 Apr 2012]:
+
+      o Fix for ASN1 overflow bug CVE-2012-2110
+
+  Major changes between OpenSSL 1.0.0g and OpenSSL 1.0.0h [12 Mar 2012]:
 
       o Fix for CMS/PKCS#7 MMA CVE-2012-0884
       o Corrected fix for CVE-2011-4619
       o Various DTLS fixes.
 
-  Major changes between OpenSSL 1.0.0f and OpenSSL 1.0.0g:
+  Major changes between OpenSSL 1.0.0f and OpenSSL 1.0.0g [18 Jan 2012]:
 
       o Fix for DTLS DoS issue CVE-2012-0050
 
-  Major changes between OpenSSL 1.0.0e and OpenSSL 1.0.0f:
+  Major changes between OpenSSL 1.0.0e and OpenSSL 1.0.0f [4 Jan 2012]:
 
       o Fix for DTLS plaintext recovery attack CVE-2011-4108
       o Clear block padding bytes of SSL 3.0 records CVE-2011-4576
@@ -65,7 +91,7 @@
       o Check parameters are not NULL in GOST ENGINE CVE-2012-0027
       o Check for malformed RFC3779 data CVE-2011-4577
 
-  Major changes between OpenSSL 1.0.0d and OpenSSL 1.0.0e:
+  Major changes between OpenSSL 1.0.0d and OpenSSL 1.0.0e [6 Sep 2011]:
 
       o Fix for CRL vulnerability issue CVE-2011-3207
       o Fix for ECDH crashes CVE-2011-3210
@@ -73,11 +99,11 @@
       o Support ECDH ciphersuites for certificates using SHA2 algorithms.
       o Various DTLS fixes.
 
-  Major changes between OpenSSL 1.0.0c and OpenSSL 1.0.0d:
+  Major changes between OpenSSL 1.0.0c and OpenSSL 1.0.0d [8 Feb 2011]:
 
       o Fix for security issue CVE-2011-0014
 
-  Major changes between OpenSSL 1.0.0b and OpenSSL 1.0.0c:
+  Major changes between OpenSSL 1.0.0b and OpenSSL 1.0.0c [2 Dec 2010]:
 
       o Fix for security issue CVE-2010-4180
       o Fix for CVE-2010-4252
@@ -85,18 +111,18 @@
       o Fix various platform compilation issues.
       o Corrected fix for security issue CVE-2010-3864.
 
-  Major changes between OpenSSL 1.0.0a and OpenSSL 1.0.0b:
+  Major changes between OpenSSL 1.0.0a and OpenSSL 1.0.0b [16 Nov 2010]:
 
       o Fix for security issue CVE-2010-3864.
       o Fix for CVE-2010-2939
       o Fix WIN32 build system for GOST ENGINE.
 
-  Major changes between OpenSSL 1.0.0 and OpenSSL 1.0.0a:
+  Major changes between OpenSSL 1.0.0 and OpenSSL 1.0.0a [1 Jun 2010]:
 
       o Fix for security issue CVE-2010-1633.
       o GOST MAC and CFB fixes.
 
-  Major changes between OpenSSL 0.9.8n and OpenSSL 1.0.0:
+  Major changes between OpenSSL 0.9.8n and OpenSSL 1.0.0 [29 Mar 2010]:
 
       o RFC3280 path validation: sufficient to process PKITS tests.
       o Integrated support for PVK files and keyblobs.
@@ -119,20 +145,55 @@
       o Opaque PRF Input TLS extension support.
       o Updated time routines to avoid OS limitations.
 
-  Major changes between OpenSSL 0.9.8q and OpenSSL 0.9.8r:
+  Major changes between OpenSSL 0.9.8x and OpenSSL 0.9.8y [5 Feb 2013]:
+
+      o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169
+      o Fix OCSP bad key DoS attack CVE-2013-0166
+
+  Major changes between OpenSSL 0.9.8w and OpenSSL 0.9.8x [10 May 2012]:
+
+      o Fix DTLS record length checking bug CVE-2012-2333
+
+  Major changes between OpenSSL 0.9.8v and OpenSSL 0.9.8w [23 Apr 2012]:
+
+      o Fix for CVE-2012-2131 (corrected fix for 0.9.8 and CVE-2012-2110)
+
+  Major changes between OpenSSL 0.9.8u and OpenSSL 0.9.8v [19 Apr 2012]:
+
+      o Fix for ASN1 overflow bug CVE-2012-2110
+
+  Major changes between OpenSSL 0.9.8t and OpenSSL 0.9.8u [12 Mar 2012]:
+
+      o Fix for CMS/PKCS#7 MMA CVE-2012-0884
+      o Corrected fix for CVE-2011-4619
+      o Various DTLS fixes.
+
+  Major changes between OpenSSL 0.9.8s and OpenSSL 0.9.8t [18 Jan 2012]:
+
+      o Fix for DTLS DoS issue CVE-2012-0050
+
+  Major changes between OpenSSL 0.9.8r and OpenSSL 0.9.8s [4 Jan 2012]:
+
+      o Fix for DTLS plaintext recovery attack CVE-2011-4108
+      o Fix policy check double free error CVE-2011-4109
+      o Clear block padding bytes of SSL 3.0 records CVE-2011-4576
+      o Only allow one SGC handshake restart for SSL/TLS CVE-2011-4619
+      o Check for malformed RFC3779 data CVE-2011-4577
+
+  Major changes between OpenSSL 0.9.8q and OpenSSL 0.9.8r [8 Feb 2011]:
 
       o Fix for security issue CVE-2011-0014
 
-  Major changes between OpenSSL 0.9.8p and OpenSSL 0.9.8q:
+  Major changes between OpenSSL 0.9.8p and OpenSSL 0.9.8q [2 Dec 2010]:
 
       o Fix for security issue CVE-2010-4180
       o Fix for CVE-2010-4252
 
-  Major changes between OpenSSL 0.9.8o and OpenSSL 0.9.8p:
+  Major changes between OpenSSL 0.9.8o and OpenSSL 0.9.8p [16 Nov 2010]:
 
       o Fix for security issue CVE-2010-3864.
 
-  Major changes between OpenSSL 0.9.8n and OpenSSL 0.9.8o:
+  Major changes between OpenSSL 0.9.8n and OpenSSL 0.9.8o [1 Jun 2010]:
 
       o Fix for security issue CVE-2010-0742.
       o Various DTLS fixes.
@@ -140,12 +201,12 @@
       o Fix for no-rc4 compilation.
       o Chil ENGINE unload workaround.
 
-  Major changes between OpenSSL 0.9.8m and OpenSSL 0.9.8n:
+  Major changes between OpenSSL 0.9.8m and OpenSSL 0.9.8n [24 Mar 2010]:
 
       o CFB cipher definition fixes.
       o Fix security issues CVE-2010-0740 and CVE-2010-0433.
 
-  Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m:
+  Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m [25 Feb 2010]:
 
       o Cipher definition fixes.
       o Workaround for slow RAND_poll() on some WIN32 versions.
@@ -157,33 +218,33 @@
       o Ticket and SNI coexistence fixes.
       o Many fixes to DTLS handling. 
 
-  Major changes between OpenSSL 0.9.8k and OpenSSL 0.9.8l:
+  Major changes between OpenSSL 0.9.8k and OpenSSL 0.9.8l [5 Nov 2009]:
 
       o Temporary work around for CVE-2009-3555: disable renegotiation.
 
-  Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k:
+  Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k [25 Mar 2009]:
 
       o Fix various build issues.
       o Fix security issues (CVE-2009-0590, CVE-2009-0591, CVE-2009-0789)
 
-  Major changes between OpenSSL 0.9.8i and OpenSSL 0.9.8j:
+  Major changes between OpenSSL 0.9.8i and OpenSSL 0.9.8j [7 Jan 2009]:
 
       o Fix security issue (CVE-2008-5077)
       o Merge FIPS 140-2 branch code.
 
-  Major changes between OpenSSL 0.9.8g and OpenSSL 0.9.8h:
+  Major changes between OpenSSL 0.9.8g and OpenSSL 0.9.8h [28 May 2008]:
 
       o CryptoAPI ENGINE support.
       o Various precautionary measures.
       o Fix for bugs affecting certificate request creation.
       o Support for local machine keyset attribute in PKCS#12 files.
 
-  Major changes between OpenSSL 0.9.8f and OpenSSL 0.9.8g:
+  Major changes between OpenSSL 0.9.8f and OpenSSL 0.9.8g [19 Oct 2007]:
 
       o Backport of CMS functionality to 0.9.8.
       o Fixes for bugs introduced with 0.9.8f.
 
-  Major changes between OpenSSL 0.9.8e and OpenSSL 0.9.8f:
+  Major changes between OpenSSL 0.9.8e and OpenSSL 0.9.8f [11 Oct 2007]:
 
       o Add gcc 4.2 support.
       o Add support for AES and SSE2 assembly lanugauge optimization
@@ -194,23 +255,23 @@
       o RFC4507bis support.
       o TLS Extensions support.
 
-  Major changes between OpenSSL 0.9.8d and OpenSSL 0.9.8e:
+  Major changes between OpenSSL 0.9.8d and OpenSSL 0.9.8e [23 Feb 2007]:
 
       o Various ciphersuite selection fixes.
       o RFC3779 support.
 
-  Major changes between OpenSSL 0.9.8c and OpenSSL 0.9.8d:
+  Major changes between OpenSSL 0.9.8c and OpenSSL 0.9.8d [28 Sep 2006]:
 
       o Introduce limits to prevent malicious key DoS  (CVE-2006-2940)
       o Fix security issues (CVE-2006-2937, CVE-2006-3737, CVE-2006-4343)
       o Changes to ciphersuite selection algorithm
 
-  Major changes between OpenSSL 0.9.8b and OpenSSL 0.9.8c:
+  Major changes between OpenSSL 0.9.8b and OpenSSL 0.9.8c [5 Sep 2006]:
 
       o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339
       o New cipher Camellia
 
-  Major changes between OpenSSL 0.9.8a and OpenSSL 0.9.8b:
+  Major changes between OpenSSL 0.9.8a and OpenSSL 0.9.8b [4 May 2006]:
 
       o Cipher string fixes.
       o Fixes for VC++ 2005.
@@ -220,12 +281,12 @@
       o Built in dynamic engine compilation support on Win32.
       o Fixes auto dynamic engine loading in Win32.
 
-  Major changes between OpenSSL 0.9.8 and OpenSSL 0.9.8a:
+  Major changes between OpenSSL 0.9.8 and OpenSSL 0.9.8a [11 Oct 2005]:
 
       o Fix potential SSL 2.0 rollback, CVE-2005-2969
       o Extended Windows CE support
 
-  Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.8:
+  Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.8 [5 Jul 2005]:
 
       o Major work on the BIGNUM library for higher efficiency and to
         make operations more streamlined and less contradictory.  This
@@ -299,36 +360,36 @@
       o Added initial support for Win64.
       o Added alternate pkg-config files.
 
-  Major changes between OpenSSL 0.9.7l and OpenSSL 0.9.7m:
+  Major changes between OpenSSL 0.9.7l and OpenSSL 0.9.7m [23 Feb 2007]:
 
       o FIPS 1.1.1 module linking.
       o Various ciphersuite selection fixes.
 
-  Major changes between OpenSSL 0.9.7k and OpenSSL 0.9.7l:
+  Major changes between OpenSSL 0.9.7k and OpenSSL 0.9.7l [28 Sep 2006]:
 
       o Introduce limits to prevent malicious key DoS  (CVE-2006-2940)
       o Fix security issues (CVE-2006-2937, CVE-2006-3737, CVE-2006-4343)
 
-  Major changes between OpenSSL 0.9.7j and OpenSSL 0.9.7k:
+  Major changes between OpenSSL 0.9.7j and OpenSSL 0.9.7k [5 Sep 2006]:
 
       o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339
 
-  Major changes between OpenSSL 0.9.7i and OpenSSL 0.9.7j:
+  Major changes between OpenSSL 0.9.7i and OpenSSL 0.9.7j [4 May 2006]:
 
       o Visual C++ 2005 fixes.
       o Update Windows build system for FIPS.
 
-  Major changes between OpenSSL 0.9.7h and OpenSSL 0.9.7i:
+  Major changes between OpenSSL 0.9.7h and OpenSSL 0.9.7i [14 Oct 2005]:
 
       o Give EVP_MAX_MD_SIZE it's old value, except for a FIPS build.
 
-  Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h:
+  Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h [11 Oct 2005]:
 
       o Fix SSL 2.0 Rollback, CVE-2005-2969
       o Allow use of fixed-length exponent on DSA signing
       o Default fixed-window RSA, DSA, DH private-key operations
 
-  Major changes between OpenSSL 0.9.7f and OpenSSL 0.9.7g:
+  Major changes between OpenSSL 0.9.7f and OpenSSL 0.9.7g [11 Apr 2005]:
 
       o More compilation issues fixed.
       o Adaptation to more modern Kerberos API.
@@ -337,7 +398,7 @@
       o More constification.
       o Added processing of proxy certificates (RFC 3820).
 
-  Major changes between OpenSSL 0.9.7e and OpenSSL 0.9.7f:
+  Major changes between OpenSSL 0.9.7e and OpenSSL 0.9.7f [22 Mar 2005]:
 
       o Several compilation issues fixed.
       o Many memory allocation failure checks added.
@@ -345,12 +406,12 @@
       o Mandatory basic checks on certificates.
       o Performance improvements.
 
-  Major changes between OpenSSL 0.9.7d and OpenSSL 0.9.7e:
+  Major changes between OpenSSL 0.9.7d and OpenSSL 0.9.7e [25 Oct 2004]:
 
       o Fix race condition in CRL checking code.
       o Fixes to PKCS#7 (S/MIME) code.
 
-  Major changes between OpenSSL 0.9.7c and OpenSSL 0.9.7d:
+  Major changes between OpenSSL 0.9.7c and OpenSSL 0.9.7d [17 Mar 2004]:
 
       o Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug
       o Security: Fix null-pointer assignment in do_change_cipher_spec()
@@ -358,14 +419,14 @@
       o Multiple X509 verification fixes
       o Speed up HMAC and other operations
 
-  Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c:
+  Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c [30 Sep 2003]:
 
       o Security: fix various ASN1 parsing bugs.
       o New -ignore_err option to OCSP utility.
       o Various interop and bug fixes in S/MIME code.
       o SSL/TLS protocol fix for unrequested client certificates.
 
-  Major changes between OpenSSL 0.9.7a and OpenSSL 0.9.7b:
+  Major changes between OpenSSL 0.9.7a and OpenSSL 0.9.7b [10 Apr 2003]:
 
       o Security: counter the Klima-Pokorny-Rosa extension of
         Bleichbacher's attack 
@@ -376,7 +437,7 @@
       o ASN.1: treat domainComponent correctly.
       o Documentation: fixes and additions.
 
-  Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a:
+  Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a [19 Feb 2003]:
 
       o Security: Important security related bugfixes.
       o Enhanced compatibility with MIT Kerberos.
@@ -387,7 +448,7 @@
       o SSL/TLS: now handles manual certificate chain building.
       o SSL/TLS: certain session ID malfunctions corrected.
 
-  Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7:
+  Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7 [30 Dec 2002]:
 
       o New library section OCSP.
       o Complete rewrite of ASN1 code.
@@ -433,23 +494,23 @@
       o SSL/TLS: add callback to retrieve SSL/TLS messages.
       o SSL/TLS: support AES cipher suites (RFC3268).
 
-  Major changes between OpenSSL 0.9.6j and OpenSSL 0.9.6k:
+  Major changes between OpenSSL 0.9.6j and OpenSSL 0.9.6k [30 Sep 2003]:
 
       o Security: fix various ASN1 parsing bugs.
       o SSL/TLS protocol fix for unrequested client certificates.
 
-  Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j:
+  Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j [10 Apr 2003]:
 
       o Security: counter the Klima-Pokorny-Rosa extension of
         Bleichbacher's attack 
       o Security: make RSA blinding default.
       o Build: shared library support fixes.
 
-  Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i:
+  Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i [19 Feb 2003]:
 
       o Important security related bugfixes.
 
-  Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h:
+  Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h [5 Dec 2002]:
 
       o New configuration targets for Tandem OSS and A/UX.
       o New OIDs for Microsoft attributes.
@@ -463,25 +524,25 @@
       o Fixes for smaller building problems.
       o Updates of manuals, FAQ and other instructive documents.
 
-  Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g:
+  Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g [9 Aug 2002]:
 
       o Important building fixes on Unix.
 
-  Major changes between OpenSSL 0.9.6e and OpenSSL 0.9.6f:
+  Major changes between OpenSSL 0.9.6e and OpenSSL 0.9.6f [8 Aug 2002]:
 
       o Various important bugfixes.
 
-  Major changes between OpenSSL 0.9.6d and OpenSSL 0.9.6e:
+  Major changes between OpenSSL 0.9.6d and OpenSSL 0.9.6e [30 Jul 2002]:
 
       o Important security related bugfixes.
       o Various SSL/TLS library bugfixes.
 
-  Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d:
+  Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d [9 May 2002]:
 
       o Various SSL/TLS library bugfixes.
       o Fix DH parameter generation for 'non-standard' generators.
 
-  Major changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c:
+  Major changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c [21 Dec 2001]:
 
       o Various SSL/TLS library bugfixes.
       o BIGNUM library fixes.
@@ -494,7 +555,7 @@
         Broadcom and Cryptographic Appliance's keyserver
         [in 0.9.6c-engine release].
 
-  Major changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b:
+  Major changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b [9 Jul 2001]:
 
       o Security fix: PRNG improvements.
       o Security fix: RSA OAEP check.
@@ -511,7 +572,7 @@
       o Increase default size for BIO buffering filter.
       o Compatibility fixes in some scripts.
 
-  Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.6a:
+  Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.6a [5 Apr 2001]:
 
       o Security fix: change behavior of OpenSSL to avoid using
         environment variables when running as root.
@@ -536,7 +597,7 @@
       o New function BN_rand_range().
       o Add "-rand" option to openssl s_client and s_server.
 
-  Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6:
+  Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6 [10 Oct 2000]:
 
       o Some documentation for BIO and SSL libraries.
       o Enhanced chain verification using key identifiers.
@@ -551,7 +612,7 @@
     [1] The support for external crypto devices is currently a separate
         distribution.  See the file README.ENGINE.
 
-  Major changes between OpenSSL 0.9.5 and OpenSSL 0.9.5a:
+  Major changes between OpenSSL 0.9.5 and OpenSSL 0.9.5a [1 Apr 2000]:
 
       o Bug fixes for Win32, SuSE Linux, NeXTSTEP and FreeBSD 2.2.8 
       o Shared library support for HPUX and Solaris-gcc
@@ -560,7 +621,7 @@
       o New 'rand' application
       o New way to check for existence of algorithms from scripts
 
-  Major changes between OpenSSL 0.9.4 and OpenSSL 0.9.5:
+  Major changes between OpenSSL 0.9.4 and OpenSSL 0.9.5 [25 May 2000]:
 
       o S/MIME support in new 'smime' command
       o Documentation for the OpenSSL command line application
@@ -596,7 +657,7 @@
       o Enhanced support for Alpha Linux
       o Experimental MacOS support
 
-  Major changes between OpenSSL 0.9.3 and OpenSSL 0.9.4:
+  Major changes between OpenSSL 0.9.3 and OpenSSL 0.9.4 [9 Aug 1999]:
 
       o Transparent support for PKCS#8 format private keys: these are used
         by several software packages and are more secure than the standard
@@ -607,7 +668,7 @@
       o New pipe-like BIO that allows using the SSL library when actual I/O
         must be handled by the application (BIO pair)
 
-  Major changes between OpenSSL 0.9.2b and OpenSSL 0.9.3:
+  Major changes between OpenSSL 0.9.2b and OpenSSL 0.9.3 [24 May 1999]:
       o Lots of enhancements and cleanups to the Configuration mechanism
       o RSA OEAP related fixes
       o Added `openssl ca -revoke' option for revoking a certificate
@@ -621,7 +682,7 @@
       o Sparc assembler bignum implementation, optimized hash functions
       o Option to disable selected ciphers
 
-  Major changes between OpenSSL 0.9.1c and OpenSSL 0.9.2b:
+  Major changes between OpenSSL 0.9.1c and OpenSSL 0.9.2b [22 Mar 1999]:
       o Fixed a security hole related to session resumption
       o Fixed RSA encryption routines for the p < q case
       o "ALL" in cipher lists now means "everything except NULL ciphers"
@@ -643,7 +704,7 @@
       o Lots of memory leak fixes.
       o Lots of bug fixes.
 
-  Major changes between SSLeay 0.9.0b and OpenSSL 0.9.1c:
+  Major changes between SSLeay 0.9.0b and OpenSSL 0.9.1c [23 Dec 1998]:
       o Integration of the popular NO_RSA/NO_DSA patches
       o Initial support for compression inside the SSL record layer
       o Added BIO proxy and filtering functionality

README

@@ -1,5 +1,5 @@
 
- OpenSSL 1.0.1e 11 Feb 2013
+ OpenSSL 1.0.1g 7 Apr 2014
 
  Copyright (c) 1998-2011 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

STATUS

@@ -1,160 +0,0 @@
-
-  OpenSSL STATUS                           Last modified at
-  ______________                           $Date: 2012/05/10 15:16:36 $
-
-  DEVELOPMENT STATE
-
-    o  OpenSSL 1.1.0:  Under development...
-    o  OpenSSL 1.0.1e: Released on February  11th, 2013
-    o  OpenSSL 1.0.1d: Released on February   5th, 2013
-    o  OpenSSL 1.0.1c: Released on May       10th, 2012
-    o  OpenSSL 1.0.1b: Released on April     26th, 2012
-    o  OpenSSL 1.0.1a: Released on April     19th, 2012
-    o  OpenSSL 1.0.1:  Released on March     14th, 2012
-    o  OpenSSL 1.0.0h: Released on March     12th, 2012
-    o  OpenSSL 1.0.0g: Released on January   18th, 2012
-    o  OpenSSL 1.0.0f: Released on January    4th, 2012
-    o  OpenSSL 1.0.0e: Released on September  6th, 2011
-    o  OpenSSL 1.0.0d: Released on February   8nd, 2011
-    o  OpenSSL 1.0.0c: Released on December   2nd, 2010
-    o  OpenSSL 1.0.0b: Released on November  16th, 2010
-    o  OpenSSL 1.0.0a: Released on June      1st,  2010
-    o  OpenSSL 1.0.0:  Released on March     29th, 2010
-    o  OpenSSL 0.9.8u: Released on March     12th, 2012
-    o  OpenSSL 0.9.8t: Released on January   18th, 2012
-    o  OpenSSL 0.9.8s: Released on January    4th, 2012
-    o  OpenSSL 0.9.8r: Released on February   8nd, 2011
-    o  OpenSSL 0.9.8q: Released on December   2nd, 2010
-    o  OpenSSL 0.9.8p: Released on November  16th, 2010
-    o  OpenSSL 0.9.8o: Released on June       1st, 2010
-    o  OpenSSL 0.9.8n: Released on March     24th, 2010
-    o  OpenSSL 0.9.8m: Released on February  25th, 2010
-    o  OpenSSL 0.9.8l: Released on November   5th, 2009
-    o  OpenSSL 0.9.8k: Released on March     25th, 2009
-    o  OpenSSL 0.9.8j: Released on January    7th, 2009
-    o  OpenSSL 0.9.8i: Released on September 15th, 2008
-    o  OpenSSL 0.9.8h: Released on May       28th, 2008
-    o  OpenSSL 0.9.8g: Released on October   19th, 2007
-    o  OpenSSL 0.9.8f: Released on October   11th, 2007
-    o  OpenSSL 0.9.8e: Released on February  23rd, 2007
-    o  OpenSSL 0.9.8d: Released on September 28th, 2006
-    o  OpenSSL 0.9.8c: Released on September  5th, 2006
-    o  OpenSSL 0.9.8b: Released on May        4th, 2006
-    o  OpenSSL 0.9.8a: Released on October   11th, 2005
-    o  OpenSSL 0.9.8:  Released on July       5th, 2005
-    o  OpenSSL 0.9.7m: Released on February  23rd, 2007
-    o  OpenSSL 0.9.7l: Released on September 28th, 2006
-    o  OpenSSL 0.9.7k: Released on September  5th, 2006
-    o  OpenSSL 0.9.7j: Released on May        4th, 2006
-    o  OpenSSL 0.9.7i: Released on October   14th, 2005
-    o  OpenSSL 0.9.7h: Released on October   11th, 2005
-    o  OpenSSL 0.9.7g: Released on April     11th, 2005
-    o  OpenSSL 0.9.7f: Released on March     22nd, 2005
-    o  OpenSSL 0.9.7e: Released on October   25th, 2004
-    o  OpenSSL 0.9.7d: Released on March     17th, 2004
-    o  OpenSSL 0.9.7c: Released on September 30th, 2003
-    o  OpenSSL 0.9.7b: Released on April     10th, 2003
-    o  OpenSSL 0.9.7a: Released on February  19th, 2003
-    o  OpenSSL 0.9.7:  Released on December  31st, 2002
-    o  OpenSSL 0.9.6m: Released on March     17th, 2004
-    o  OpenSSL 0.9.6l: Released on November   4th, 2003
-    o  OpenSSL 0.9.6k: Released on September 30th, 2003
-    o  OpenSSL 0.9.6j: Released on April     10th, 2003
-    o  OpenSSL 0.9.6i: Released on February  19th, 2003
-    o  OpenSSL 0.9.6h: Released on December   5th, 2002
-    o  OpenSSL 0.9.6g: Released on August     9th, 2002
-    o  OpenSSL 0.9.6f: Released on August     8th, 2002
-    o  OpenSSL 0.9.6e: Released on July      30th, 2002
-    o  OpenSSL 0.9.6d: Released on May        9th, 2002
-    o  OpenSSL 0.9.6c: Released on December  21st, 2001
-    o  OpenSSL 0.9.6b: Released on July       9th, 2001
-    o  OpenSSL 0.9.6a: Released on April      5th, 2001
-    o  OpenSSL 0.9.6:  Released on September 24th, 2000
-    o  OpenSSL 0.9.5a: Released on April      1st, 2000
-    o  OpenSSL 0.9.5:  Released on February  28th, 2000
-    o  OpenSSL 0.9.4:  Released on August    09th, 1999
-    o  OpenSSL 0.9.3a: Released on May       29th, 1999
-    o  OpenSSL 0.9.3:  Released on May       25th, 1999
-    o  OpenSSL 0.9.2b: Released on March     22th, 1999
-    o  OpenSSL 0.9.1c: Released on December  23th, 1998
-
-  [See also http://www.openssl.org/support/rt.html]
-
-  RELEASE SHOWSTOPPERS
-
-    o The Makefiles fail with some SysV makes.
-    o 
-
-  AVAILABLE PATCHES
-
-    o 
-
-  IN PROGRESS
-
-    o Steve is currently working on (in no particular order):
-        ASN1 code redesign, butchery, replacement.
-        OCSP
-        EVP cipher enhancement.
-        Enhanced certificate chain verification.
-	Private key, certificate and CRL API and implementation.
-	Developing and bugfixing PKCS#7 (S/MIME code).
-        Various X509 issues: character sets, certificate request extensions.
-    o Richard is currently working on:
-	Constification
-	Attribute Certificate support
-	Certificate Pair support
-	Storage Engines (primarly an LDAP storage engine)
-	Certificate chain validation with full RFC 3280 compatibility
-
-  NEEDS PATCH
-
-    o  0.9.8-dev: COMPLEMENTOFALL and COMPLEMENTOFDEFAULT do not
-       handle ECCdraft cipher suites correctly.
-
-    o  apps/ca.c: "Sign the certificate?" - "n" creates empty certificate file
-
-    o  "OpenSSL STATUS" is never up-to-date.
-
-  OPEN ISSUES
-
-    o  The Makefile hierarchy and build mechanism is still not a round thing:
-
-       1. The config vs. Configure scripts
-          It's the same nasty situation as for Apache with APACI vs.
-          src/Configure. It confuses.
-          Suggestion: Merge Configure and config into a single configure
-                      script with a Autoconf style interface ;-) and remove
-                      Configure and config. Or even let us use GNU Autoconf
-                      itself. Then we can avoid a lot of those platform checks
-                      which are currently in Configure.
-
-    o  Support for Shared Libraries has to be added at least
-       for the major Unix platforms. The details we can rip from the stuff
-       Ralf has done for the Apache src/Configure script. Ben wants the
-       solution to be really simple.
-
-       Status: Ralf will look how we can easily incorporate the
-               compiler PIC and linker DSO flags from Apache
-               into the OpenSSL Configure script.
-
-               Ulf: +1 for using GNU autoconf and libtool (but not automake,
-                    which apparently is not flexible enough to generate
-                    libcrypto)
-
-  WISHES
-
-    o  Add variants of DH_generate_parameters() and BN_generate_prime() [etc?]
-       where the callback function can request that the function be aborted.
-       [Gregory Stark <ghstark@pobox.com>, <rayyang2000@yahoo.com>]
-
-    o  SRP in TLS.
-       [wished by:
-        Dj <derek@yo.net>, Tom Wu <tom@arcot.com>,
-        Tom Holroyd <tomh@po.crl.go.jp>]
-
-       See http://search.ietf.org/internet-drafts/draft-ietf-tls-srp-00.txt
-       as well as http://www-cs-students.stanford.edu/~tjw/srp/.
-
-       Tom Holroyd tells us there is a SRP patch for OpenSSH at
-       http://members.tripod.com/professor_tom/archives/, that could
-       be useful.

TABLE

@@ -1716,6 +1716,39 @@ $ranlib       =
 $arflags      = 
 $multilib     = 
 
+*** debug-ben-darwin64
+$cc           = cc
+$cflags       = -Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED -Wno-language-extension-token -Wno-extended-offsetof -arch x86_64 -O3 -DL_ENDIAN -Wall
+$unistd       = 
+$thread_cflag = -D_REENTRANT
+$sys_id       = MACOSX
+$lflags       = -Wl,-search_paths_first%
+$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL
+$cpuid_obj    = x86_64cpuid.o
+$bn_obj       = x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o modexp512-x86_64.o
+$des_obj      = 
+$aes_obj      = aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o
+$bf_obj       = 
+$md5_obj      = md5-x86_64.o
+$sha1_obj     = sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$wp_obj       = wp-x86_64.o
+$cmll_obj     = cmll-x86_64.o cmll_misc.o
+$modes_obj    = ghash-x86_64.o
+$engines_obj  = 
+$perlasm_scheme = macosx
+$dso_scheme   = dlfcn
+$shared_target= darwin-shared
+$shared_cflag = -fPIC -fno-common
+$shared_ldflag = -arch x86_64 -dynamiclib
+$shared_extension = .$(SHLIB_MAJOR).$(SHLIB_MINOR).dylib
+$ranlib       = 
+$arflags      = 
+$multilib     = 
+
 *** debug-ben-debug
 $cc           = gcc44
 $cflags       = -Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O2 -pipe
@@ -1749,6 +1782,39 @@ $ranlib       =
 $arflags      = 
 $multilib     = 
 
+*** debug-ben-debug-64
+$cc           = gcc
+$cflags       = -Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED -Wno-error=overlength-strings -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe
+$unistd       = 
+$thread_cflag = -pthread -D_THREAD_SAFE -D_REENTRANT
+$sys_id       = 
+$lflags       = 
+$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL
+$cpuid_obj    = x86_64cpuid.o
+$bn_obj       = x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o modexp512-x86_64.o
+$des_obj      = 
+$aes_obj      = aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o
+$bf_obj       = 
+$md5_obj      = md5-x86_64.o
+$sha1_obj     = sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o
+$cast_obj     = 
+$rc4_obj      = rc4-x86_64.o rc4-md5-x86_64.o
+$rmd160_obj   = 
+$rc5_obj      = 
+$wp_obj       = wp-x86_64.o
+$cmll_obj     = cmll-x86_64.o cmll_misc.o
+$modes_obj    = ghash-x86_64.o
+$engines_obj  = 
+$perlasm_scheme = elf
+$dso_scheme   = dlfcn
+$shared_target= bsd-gcc-shared
+$shared_cflag = -fPIC
+$shared_ldflag = 
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
+$ranlib       = 
+$arflags      = 
+$multilib     = 
+
 *** debug-ben-macos
 $cc           = cc
 $cflags       = -Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED -arch i386 -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -O3 -DL_ENDIAN -g3 -pipe
@@ -1949,7 +2015,7 @@ $multilib     =
 
 *** debug-bodo
 $cc           = gcc
-$cflags       = -Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED -DBN_DEBUG -DBN_DEBUG_RAND -DCONF_DEBUG -DBIO_PAIR_DEBUG -m64 -DL_ENDIAN -DTERMIO -g -DMD32_REG_T=int
+$cflags       = -Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED -Wno-error=overlength-strings -DBN_DEBUG -DBN_DEBUG_RAND -DCONF_DEBUG -DBIO_PAIR_DEBUG -m64 -DL_ENDIAN -DTERMIO -g -DMD32_REG_T=int
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -2741,7 +2807,7 @@ $multilib     =
 
 *** debug-steve64
 $cc           = gcc
-$cflags       = -Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -g
+$cflags       = -Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -Wno-overlength-strings -g
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 

apps/Makefile

@@ -577,14 +577,15 @@ openssl.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
 openssl.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 openssl.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
 openssl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-openssl.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
-openssl.o: ../include/openssl/sha.h ../include/openssl/srtp.h
-openssl.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-openssl.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-openssl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-openssl.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
-openssl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-openssl.o: ../include/openssl/x509v3.h apps.h openssl.c progs.h s_apps.h
+openssl.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
+openssl.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+openssl.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+openssl.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+openssl.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+openssl.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+openssl.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
+openssl.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+openssl.o: openssl.c progs.h s_apps.h
 passwd.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 passwd.o: ../include/openssl/buffer.h ../include/openssl/conf.h
 passwd.o: ../include/openssl/crypto.h ../include/openssl/des.h

apps/apps.c

@@ -586,12 +586,12 @@ int password_callback(char *buf, int bufsiz, int verify,
 
 		if (ok >= 0)
 			ok = UI_add_input_string(ui,prompt,ui_flags,buf,
-				PW_MIN_LENGTH,BUFSIZ-1);
+				PW_MIN_LENGTH,bufsiz-1);
 		if (ok >= 0 && verify)
 			{
 			buff = (char *)OPENSSL_malloc(bufsiz);
 			ok = UI_add_verify_string(ui,prompt,ui_flags,buff,
-				PW_MIN_LENGTH,BUFSIZ-1, buf);
+				PW_MIN_LENGTH,bufsiz-1, buf);
 			}
 		if (ok >= 0)
 			do
@@ -2841,7 +2841,7 @@ double app_tminterval(int stop,int usertime)
 
 	if (proc==NULL)
 		{
-		if (GetVersion() < 0x80000000)
+		if (check_winnt())
 			proc = OpenProcess(PROCESS_QUERY_INFORMATION,FALSE,
 						GetCurrentProcessId());
 		if (proc==NULL) proc = (HANDLE)-1;

apps/apps.h

@@ -188,6 +188,7 @@ extern BIO *bio_err;
 			do { CONF_modules_unload(1); destroy_ui_method(); \
 			OBJ_cleanup(); EVP_cleanup(); ENGINE_cleanup(); \
 			CRYPTO_cleanup_all_ex_data(); ERR_remove_thread_state(NULL); \
+			RAND_cleanup(); \
 			ERR_free_strings(); zlib_cleanup();} while(0)
 #  else
 #    define apps_startup() \
@@ -198,6 +199,7 @@ extern BIO *bio_err;
 			do { CONF_modules_unload(1); destroy_ui_method(); \
 			OBJ_cleanup(); EVP_cleanup(); \
 			CRYPTO_cleanup_all_ex_data(); ERR_remove_thread_state(NULL); \
+			RAND_cleanup(); \
 			ERR_free_strings(); zlib_cleanup(); } while(0)
 #  endif
 #endif

apps/crl.c

@@ -81,6 +81,9 @@ static const char *crl_usage[]={
 " -in arg         - input file - default stdin\n",
 " -out arg        - output file - default stdout\n",
 " -hash           - print hash value\n",
+#ifndef OPENSSL_NO_MD5
+" -hash_old       - print old-style (MD5) hash value\n",
+#endif
 " -fingerprint    - print the crl fingerprint\n",
 " -issuer         - print issuer DN\n",
 " -lastupdate     - lastUpdate field\n",
@@ -108,6 +111,9 @@ int MAIN(int argc, char **argv)
 	int informat,outformat;
 	char *infile=NULL,*outfile=NULL;
 	int hash=0,issuer=0,lastupdate=0,nextupdate=0,noout=0,text=0;
+#ifndef OPENSSL_NO_MD5
+       int hash_old=0;
+#endif
 	int fingerprint = 0, crlnumber = 0;
 	const char **pp;
 	X509_STORE *store = NULL;
@@ -192,6 +198,10 @@ int MAIN(int argc, char **argv)
 			text = 1;
 		else if (strcmp(*argv,"-hash") == 0)
 			hash= ++num;
+#ifndef OPENSSL_NO_MD5
+		else if (strcmp(*argv,"-hash_old") == 0)
+			hash_old= ++num;
+#endif
 		else if (strcmp(*argv,"-nameopt") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -304,6 +314,14 @@ bad:
 				BIO_printf(bio_out,"%08lx\n",
 					X509_NAME_hash(X509_CRL_get_issuer(x)));
 				}
+#ifndef OPENSSL_NO_MD5
+			if (hash_old == i)
+				{
+				BIO_printf(bio_out,"%08lx\n",
+					X509_NAME_hash_old(
+						X509_CRL_get_issuer(x)));
+				}
+#endif
 			if (lastupdate == i)
 				{
 				BIO_printf(bio_out,"lastUpdate=");

apps/dgst.c

@@ -427,9 +427,9 @@ int MAIN(int argc, char **argv)
 			goto end;
 			}
 		if (do_verify)
-			r = EVP_DigestVerifyInit(mctx, &pctx, md, e, sigkey);
+			r = EVP_DigestVerifyInit(mctx, &pctx, md, NULL, sigkey);
 		else
-			r = EVP_DigestSignInit(mctx, &pctx, md, e, sigkey);
+			r = EVP_DigestSignInit(mctx, &pctx, md, NULL, sigkey);
 		if (!r)
 			{
 			BIO_printf(bio_err, "Error setting context\n");

apps/ecparam.c

@@ -105,7 +105,7 @@
  *                    in the asn1 der encoding
  *                    possible values: named_curve (default)
  *                                     explicit
- * -no_seed         - if 'explicit' parameters are choosen do not use the seed
+ * -no_seed         - if 'explicit' parameters are chosen do not use the seed
  * -genkey          - generate ec key
  * -rand file       - files to use for random number input
  * -engine e        - use engine e, possibly a hardware device
@@ -286,7 +286,7 @@ bad:
 		BIO_printf(bio_err, "                                   "
 				" explicit\n");
 		BIO_printf(bio_err, " -no_seed          if 'explicit'"
-				" parameters are choosen do not"
+				" parameters are chosen do not"
 				" use the seed\n");
 		BIO_printf(bio_err, " -genkey           generate ec"
 				" key\n");

apps/openssl.c

@@ -117,6 +117,7 @@
 #include "apps.h"
 #include <openssl/bio.h>
 #include <openssl/crypto.h>
+#include <openssl/rand.h>
 #include <openssl/lhash.h>
 #include <openssl/conf.h>
 #include <openssl/x509.h>

apps/pkcs12.c

@@ -112,7 +112,7 @@ int MAIN(int argc, char **argv)
     int maciter = PKCS12_DEFAULT_ITER;
     int twopass = 0;
     int keytype = 0;
-    int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
+    int cert_pbe;
     int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
     int ret = 1;
     int macver = 1;
@@ -130,6 +130,13 @@ int MAIN(int argc, char **argv)
 
     apps_startup();
 
+#ifdef OPENSSL_FIPS
+    if (FIPS_mode())
+	cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+    else
+#endif
+    cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
+
     enc = EVP_des_ede3_cbc();
     if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
 

apps/req.c

@@ -644,6 +644,11 @@ bad:
 		if (inrand)
 			app_RAND_load_files(inrand);
 
+		if (!NCONF_get_number(req_conf,SECTION,BITS, &newkey))
+			{
+			newkey=DEFAULT_KEY_LENGTH;
+			}
+
 		if (keyalg)
 			{
 			genctx = set_keygen_ctx(bio_err, keyalg, &pkey_type, &newkey,
@@ -652,12 +657,6 @@ bad:
 				goto end;
 			}
 	
-		if (newkey <= 0)
-			{
-			if (!NCONF_get_number(req_conf,SECTION,BITS, &newkey))
-				newkey=DEFAULT_KEY_LENGTH;
-			}
-
 		if (newkey < MIN_KEY_LENGTH && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA))
 			{
 			BIO_printf(bio_err,"private key length is too short,\n");
@@ -1649,6 +1648,8 @@ static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr, int *pkey_type,
 				keylen = atol(p + 1);
 				*pkeylen = keylen;
 				}
+			else
+				keylen = *pkeylen;
 			}
 		else if (p)
 			paramfile = p + 1;

config

@@ -739,7 +739,7 @@ case "$GUESSOS" in
 			    libc=/usr/lib/libc.so
 			else					# OpenBSD
 			    # ld searches for highest libc.so.* and so do we
-			    libc=`(ls /usr/lib/libc.so.* | tail -1) 2>/dev/null`
+			    libc=`(ls /usr/lib/libc.so.* /lib/libc.so.* | tail -1) 2>/dev/null`
 			fi
 			case "`(file -L $libc) 2>/dev/null`" in
 			*ELF*)	OUT="BSD-x86-elf" ;;

crypto/Makefile

@@ -77,7 +77,9 @@ ia64cpuid.s: ia64cpuid.S;	$(CC) $(CFLAGS) -E ia64cpuid.S > $@
 ppccpuid.s:	ppccpuid.pl;	$(PERL) ppccpuid.pl $(PERLASM_SCHEME) $@
 pariscid.s:	pariscid.pl;	$(PERL) pariscid.pl $(PERLASM_SCHEME) $@
 alphacpuid.s:	alphacpuid.pl
-	$(PERL) $< | $(CC) -E - | tee $@ > /dev/null
+	(preproc=/tmp/$$$$.$@; trap "rm $$preproc" INT; \
+	$(PERL) alphacpuid.pl > $$preproc && \
+	$(CC) -E $$preproc > $@ && rm $$preproc)
 
 testapps:
 	[ -z "$(THIS)" ] || (	if echo $(SDIRS) | fgrep ' des '; \

crypto/aes/asm/aes-parisc.pl

@@ -1015,7 +1015,8 @@ foreach (split("\n",$code)) {
 		$SIZE_T==4 ? sprintf("extru%s,%d,8,",$1,31-$2)
 		:            sprintf("extrd,u%s,%d,8,",$1,63-$2)/e;
 
-	s/,\*/,/ if ($SIZE_T==4);
+	s/,\*/,/			if ($SIZE_T==4);
+	s/\bbv\b(.*\(%r2\))/bve$1/	if ($SIZE_T==8);
 	print $_,"\n";
 }
 close STDOUT;

crypto/aes/asm/bsaes-x86_64.pl

@@ -83,9 +83,9 @@
 # Add decryption procedure. Performance in CPU cycles spent to decrypt
 # one byte out of 4096-byte buffer with 128-bit key is:
 #
-# Core 2	11.0
-# Nehalem	9.16
-# Atom		20.9
+# Core 2	9.83
+# Nehalem	7.74
+# Atom		19.0
 #
 # November 2011.
 #
@@ -456,6 +456,7 @@ sub MixColumns {
 # modified to emit output in order suitable for feeding back to aesenc[last]
 my @x=@_[0..7];
 my @t=@_[8..15];
+my $inv=@_[16];	# optional
 $code.=<<___;
 	pshufd	\$0x93, @x[0], @t[0]	# x0 <<< 32
 	pshufd	\$0x93, @x[1], @t[1]
@@ -497,7 +498,8 @@ $code.=<<___;
 	pxor	@t[4], @t[0]
 	 pshufd	\$0x4E, @x[2], @x[6]
 	pxor	@t[5], @t[1]
-
+___
+$code.=<<___ if (!$inv);
 	pxor	@t[3], @x[4]
 	pxor	@t[7], @x[5]
 	pxor	@t[6], @x[3]
@@ -505,9 +507,20 @@ $code.=<<___;
 	pxor	@t[2], @x[6]
 	 movdqa	@t[1], @x[7]
 ___
+$code.=<<___ if ($inv);
+	pxor	@x[4], @t[3]
+	pxor	@t[7], @x[5]
+	pxor	@x[3], @t[6]
+	 movdqa	@t[0], @x[3]
+	pxor	@t[2], @x[6]
+	 movdqa	@t[6], @x[2]
+	 movdqa	@t[1], @x[7]
+	 movdqa	@x[6], @x[4]
+	 movdqa	@t[3], @x[6]
+___
 }
 
-sub InvMixColumns {
+sub InvMixColumns_orig {
 my @x=@_[0..7];
 my @t=@_[8..15];
 
@@ -661,6 +674,54 @@ $code.=<<___;
 ___
 }
 
+sub InvMixColumns {
+my @x=@_[0..7];
+my @t=@_[8..15];
+
+# Thanks to Jussi Kivilinna for providing pointer to
+#
+# | 0e 0b 0d 09 |   | 02 03 01 01 |   | 05 00 04 00 |
+# | 09 0e 0b 0d | = | 01 02 03 01 | x | 00 05 00 04 |
+# | 0d 09 0e 0b |   | 01 01 02 03 |   | 04 00 05 00 |
+# | 0b 0d 09 0e |   | 03 01 01 02 |   | 00 04 00 05 |
+
+$code.=<<___;
+	# multiplication by 0x05-0x00-0x04-0x00
+	pshufd	\$0x4E, @x[0], @t[0]
+	pshufd	\$0x4E, @x[6], @t[6]
+	pxor	@x[0], @t[0]
+	pshufd	\$0x4E, @x[7], @t[7]
+	pxor	@x[6], @t[6]
+	pshufd	\$0x4E, @x[1], @t[1]
+	pxor	@x[7], @t[7]
+	pshufd	\$0x4E, @x[2], @t[2]
+	pxor	@x[1], @t[1]
+	pshufd	\$0x4E, @x[3], @t[3]
+	pxor	@x[2], @t[2]
+	 pxor	@t[6], @x[0]
+	 pxor	@t[6], @x[1]
+	pshufd	\$0x4E, @x[4], @t[4]
+	pxor	@x[3], @t[3]
+	 pxor	@t[0], @x[2]
+	 pxor	@t[1], @x[3]
+	pshufd	\$0x4E, @x[5], @t[5]
+	pxor	@x[4], @t[4]
+	 pxor	@t[7], @x[1]
+	 pxor	@t[2], @x[4]
+	pxor	@x[5], @t[5]
+
+	 pxor	@t[7], @x[2]
+	 pxor	@t[6], @x[3]
+	 pxor	@t[6], @x[4]
+	 pxor	@t[3], @x[5]
+	 pxor	@t[4], @x[6]
+	 pxor	@t[7], @x[4]
+	 pxor	@t[7], @x[5]
+	 pxor	@t[5], @x[7]
+___
+	&MixColumns	(@x,@t,1);	# flipped 2<->3 and 4<->6
+}
+
 sub aesenc {				# not used
 my @b=@_[0..7];
 my @t=@_[8..15];
@@ -2028,6 +2089,8 @@ ___
 #	const unsigned char iv[16]);
 #
 my ($twmask,$twres,$twtmp)=@XMM[13..15];
+$arg6=~s/d$//;
+
 $code.=<<___;
 .globl	bsaes_xts_encrypt
 .type	bsaes_xts_encrypt,\@abi-omnipotent

crypto/aes/asm/vpaes-x86_64.pl

@@ -1060,7 +1060,7 @@ _vpaes_consts:
 .Lk_dsbo:	# decryption sbox final output
 	.quad	0x1387EA537EF94000, 0xC7AA6DB9D4943E2D
 	.quad	0x12D7560F93441D00, 0xCA4B8159D8C58E9C
-.asciz	"Vector Permutaion AES for x86_64/SSSE3, Mike Hamburg (Stanford University)"
+.asciz	"Vector Permutation AES for x86_64/SSSE3, Mike Hamburg (Stanford University)"
 .align	64
 .size	_vpaes_consts,.-_vpaes_consts
 ___

crypto/armcap.c

@@ -23,7 +23,7 @@ unsigned int _armv7_tick(void);
 
 unsigned int OPENSSL_rdtsc(void)
 	{
-	if (OPENSSL_armcap_P|ARMV7_TICK)
+	if (OPENSSL_armcap_P & ARMV7_TICK)
 		return _armv7_tick();
 	else
 		return 0;

crypto/asn1/a_int.c

@@ -116,7 +116,7 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
 	int pad=0,ret,i,neg;
 	unsigned char *p,*n,pb=0;
 
-	if ((a == NULL) || (a->data == NULL)) return(0);
+	if (a == NULL) return(0);
 	neg=a->type & V_ASN1_NEG;
 	if (a->length == 0)
 		ret=1;

crypto/asn1/asn1_err.c

@@ -305,7 +305,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
 {ERR_REASON(ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE),"unknown public key type"},
 {ERR_REASON(ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM),"unknown signature algorithm"},
 {ERR_REASON(ASN1_R_UNKNOWN_TAG)          ,"unknown tag"},
-{ERR_REASON(ASN1_R_UNKOWN_FORMAT)        ,"unkown format"},
+{ERR_REASON(ASN1_R_UNKOWN_FORMAT)        ,"unknown format"},
 {ERR_REASON(ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE),"unsupported any defined by type"},
 {ERR_REASON(ASN1_R_UNSUPPORTED_CIPHER)   ,"unsupported cipher"},
 {ERR_REASON(ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM),"unsupported encryption algorithm"},

crypto/bio/bss_dgram.c

@@ -906,8 +906,8 @@ BIO *BIO_new_dgram_sctp(int fd, int close_flag)
 	memset(authchunks, 0, sizeof(sockopt_len));
 	ret = getsockopt(fd, IPPROTO_SCTP, SCTP_LOCAL_AUTH_CHUNKS, authchunks, &sockopt_len);
 	OPENSSL_assert(ret >= 0);
-	
-	for (p = (unsigned char*) authchunks + sizeof(sctp_assoc_t);
+
+	for (p = (unsigned char*) authchunks->gauth_chunks;
 	     p < (unsigned char*) authchunks + sockopt_len;
 	     p += sizeof(uint8_t))
 		{
@@ -1197,7 +1197,7 @@ static int dgram_sctp_read(BIO *b, char *out, int outl)
 			ii = getsockopt(b->num, IPPROTO_SCTP, SCTP_PEER_AUTH_CHUNKS, authchunks, &optlen);
 			OPENSSL_assert(ii >= 0);
 
-			for (p = (unsigned char*) authchunks + sizeof(sctp_assoc_t);
+			for (p = (unsigned char*) authchunks->gauth_chunks;
 				 p < (unsigned char*) authchunks + optlen;
 				 p += sizeof(uint8_t))
 				{

crypto/bio/bss_log.c

@@ -245,7 +245,7 @@ static int MS_CALLBACK slg_puts(BIO *bp, const char *str)
 
 static void xopenlog(BIO* bp, char* name, int level)
 {
-	if (GetVersion() < 0x80000000)
+	if (check_winnt())
 		bp->ptr = RegisterEventSourceA(NULL,name);
 	else
 		bp->ptr = NULL;

crypto/bn/Makefile

@@ -125,7 +125,9 @@ ppc-mont.s:	asm/ppc-mont.pl;$(PERL) asm/ppc-mont.pl $(PERLASM_SCHEME) $@
 ppc64-mont.s:	asm/ppc64-mont.pl;$(PERL) asm/ppc64-mont.pl $(PERLASM_SCHEME) $@
 
 alpha-mont.s:	asm/alpha-mont.pl
-	$(PERL) $< | $(CC) -E - | tee $@ > /dev/null
+	(preproc=/tmp/$$$$.$@; trap "rm $$preproc" INT; \
+	$(PERL) asm/alpha-mont.pl > $$preproc && \
+	$(CC) -E $$preproc > $@ && rm $$preproc)
 
 # GNU make "catch all"
 %-mont.s:	asm/%-mont.pl;	$(PERL) $< $(PERLASM_SCHEME) $@

crypto/bn/asm/mips-mont.pl

@@ -133,7 +133,7 @@ $code.=<<___;
 	bnez	$at,1f
 	li	$t0,0
 	slt	$at,$num,17	# on in-order CPU
-	bnezl	$at,bn_mul_mont_internal
+	bnez	$at,bn_mul_mont_internal
 	nop
 1:	jr	$ra
 	li	$a0,0

crypto/bn/asm/mips.pl

@@ -140,10 +140,10 @@ $code.=<<___;
 	.set	reorder
 	li	$minus4,-4
 	and	$ta0,$a2,$minus4
-	$LD	$t0,0($a1)
 	beqz	$ta0,.L_bn_mul_add_words_tail
 
 .L_bn_mul_add_words_loop:
+	$LD	$t0,0($a1)
 	$MULTU	$t0,$a3
 	$LD	$t1,0($a0)
 	$LD	$t2,$BNSZ($a1)
@@ -200,10 +200,9 @@ $code.=<<___;
 	$ADDU	$v0,$ta2
 	sltu	$at,$ta3,$at
 	$ST	$ta3,-$BNSZ($a0)
-	$ADDU	$v0,$at
 	.set	noreorder
-	bgtzl	$ta0,.L_bn_mul_add_words_loop
-	$LD	$t0,0($a1)
+	bgtz	$ta0,.L_bn_mul_add_words_loop
+	$ADDU	$v0,$at
 
 	beqz	$a2,.L_bn_mul_add_words_return
 	nop
@@ -300,10 +299,10 @@ $code.=<<___;
 	.set	reorder
 	li	$minus4,-4
 	and	$ta0,$a2,$minus4
-	$LD	$t0,0($a1)
 	beqz	$ta0,.L_bn_mul_words_tail
 
 .L_bn_mul_words_loop:
+	$LD	$t0,0($a1)
 	$MULTU	$t0,$a3
 	$LD	$t2,$BNSZ($a1)
 	$LD	$ta0,2*$BNSZ($a1)
@@ -341,10 +340,9 @@ $code.=<<___;
 	$ADDU	$v0,$at
 	sltu	$ta3,$v0,$at
 	$ST	$v0,-$BNSZ($a0)
-	$ADDU	$v0,$ta3,$ta2
 	.set	noreorder
-	bgtzl	$ta0,.L_bn_mul_words_loop
-	$LD	$t0,0($a1)
+	bgtz	$ta0,.L_bn_mul_words_loop
+	$ADDU	$v0,$ta3,$ta2
 
 	beqz	$a2,.L_bn_mul_words_return
 	nop
@@ -429,10 +427,10 @@ $code.=<<___;
 	.set	reorder
 	li	$minus4,-4
 	and	$ta0,$a2,$minus4
-	$LD	$t0,0($a1)
 	beqz	$ta0,.L_bn_sqr_words_tail
 
 .L_bn_sqr_words_loop:
+	$LD	$t0,0($a1)
 	$MULTU	$t0,$t0
 	$LD	$t2,$BNSZ($a1)
 	$LD	$ta0,2*$BNSZ($a1)
@@ -463,11 +461,10 @@ $code.=<<___;
 	mflo	$ta3
 	mfhi	$ta2
 	$ST	$ta3,-2*$BNSZ($a0)
-	$ST	$ta2,-$BNSZ($a0)
 
 	.set	noreorder
-	bgtzl	$ta0,.L_bn_sqr_words_loop
-	$LD	$t0,0($a1)
+	bgtz	$ta0,.L_bn_sqr_words_loop
+	$ST	$ta2,-$BNSZ($a0)
 
 	beqz	$a2,.L_bn_sqr_words_return
 	nop
@@ -547,10 +544,10 @@ $code.=<<___;
 	.set	reorder
 	li	$minus4,-4
 	and	$at,$a3,$minus4
-	$LD	$t0,0($a1)
 	beqz	$at,.L_bn_add_words_tail
 
 .L_bn_add_words_loop:
+	$LD	$t0,0($a1)
 	$LD	$ta0,0($a2)
 	subu	$a3,4
 	$LD	$t1,$BNSZ($a1)
@@ -589,11 +586,10 @@ $code.=<<___;
 	$ADDU	$t3,$ta3,$v0
 	sltu	$v0,$t3,$ta3
 	$ST	$t3,-$BNSZ($a0)
-	$ADDU	$v0,$t9
 	
 	.set	noreorder
-	bgtzl	$at,.L_bn_add_words_loop
-	$LD	$t0,0($a1)
+	bgtz	$at,.L_bn_add_words_loop
+	$ADDU	$v0,$t9
 
 	beqz	$a3,.L_bn_add_words_return
 	nop
@@ -679,10 +675,10 @@ $code.=<<___;
 	.set	reorder
 	li	$minus4,-4
 	and	$at,$a3,$minus4
-	$LD	$t0,0($a1)
 	beqz	$at,.L_bn_sub_words_tail
 
 .L_bn_sub_words_loop:
+	$LD	$t0,0($a1)
 	$LD	$ta0,0($a2)
 	subu	$a3,4
 	$LD	$t1,$BNSZ($a1)
@@ -722,11 +718,10 @@ $code.=<<___;
 	$SUBU	$t3,$ta3,$v0
 	sgtu	$v0,$t3,$ta3
 	$ST	$t3,-$BNSZ($a0)
-	$ADDU	$v0,$t9
 
 	.set	noreorder
-	bgtzl	$at,.L_bn_sub_words_loop
-	$LD	$t0,0($a1)
+	bgtz	$at,.L_bn_sub_words_loop
+	$ADDU	$v0,$t9
 
 	beqz	$a3,.L_bn_sub_words_return
 	nop
@@ -840,8 +835,9 @@ $code.=<<___;
 	sltu	$ta0,$a1,$a2
 	or	$t8,$ta0
 	.set	noreorder
-	beqzl	$at,.L_bn_div_3_words_inner_loop
+	beqz	$at,.L_bn_div_3_words_inner_loop
 	$SUBU	$v0,1
+	$ADDU	$v0,1
 	.set	reorder
 .L_bn_div_3_words_inner_loop_done:
 	.set	noreorder
@@ -902,7 +898,8 @@ $code.=<<___;
 	and	$t2,$a0
 	$SRL	$at,$a1,$t1
 	.set	noreorder
-	bnezl	$t2,.+8
+	beqz	$t2,.+12
+	nop
 	break	6		# signal overflow
 	.set	reorder
 	$SLL	$a0,$t9
@@ -917,7 +914,8 @@ $code.=<<___;
 	$SRL	$DH,$a2,4*$BNSZ	# bits
 	sgeu	$at,$a0,$a2
 	.set	noreorder
-	bnezl	$at,.+8
+	beqz	$at,.+12
+	nop
 	$SUBU	$a0,$a2
 	.set	reorder
 

crypto/bn/asm/parisc-mont.pl

@@ -40,7 +40,7 @@
 # of arithmetic operations, most notably multiplications. It requires
 # more memory references, most notably to tp[num], but this doesn't
 # seem to exhaust memory port capacity. And indeed, dedicated PA-RISC
-# 2.0 code path, provides virtually same performance as pa-risc2[W].s:
+# 2.0 code path provides virtually same performance as pa-risc2[W].s:
 # it's ~10% better for shortest key length and ~10% worse for longest
 # one.
 #
@@ -988,6 +988,8 @@ foreach (split("\n",$code)) {
 	# assemble 2.0 instructions in 32-bit mode...
 	s/^\s+([a-z]+)([\S]*)\s+([\S]*)/&assemble($1,$2,$3)/e if ($BN_SZ==4);
 
+	s/\bbv\b/bve/gm	if ($SIZE_T==8);
+
 	print $_,"\n";
 }
 close STDOUT;

crypto/bn/asm/x86_64-gf2m.pl

@@ -31,7 +31,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
 die "can't locate x86_64-xlate.pl";
 
-open STDOUT,"| \"$^X\" $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
 
 ($lo,$hi)=("%rax","%rdx");	$a=$lo;
 ($i0,$i1)=("%rsi","%rdi");

crypto/bn/asm/x86_64-mont5.pl

@@ -901,8 +901,8 @@ $code.=<<___;
 	jnz	.Lgather
 ___
 $code.=<<___ if ($win64);
-	movaps	%xmm6,(%rsp)
-	movaps	%xmm7,0x10(%rsp)
+	movaps	(%rsp),%xmm6
+	movaps	0x10(%rsp),%xmm7
 	lea	0x28(%rsp),%rsp
 ___
 $code.=<<___;

crypto/bn/bn.h

@@ -538,6 +538,8 @@ BIGNUM *BN_mod_inverse(BIGNUM *ret,
 BIGNUM *BN_mod_sqrt(BIGNUM *ret,
 	const BIGNUM *a, const BIGNUM *n,BN_CTX *ctx);
 
+void	BN_consttime_swap(BN_ULONG swap, BIGNUM *a, BIGNUM *b, int nwords);
+
 /* Deprecated versions */
 #ifndef OPENSSL_NO_DEPRECATED
 BIGNUM *BN_generate_prime(BIGNUM *ret,int bits,int safe,
@@ -774,11 +776,20 @@ int RAND_pseudo_bytes(unsigned char *buf,int num);
 
 #define bn_fix_top(a)		bn_check_top(a)
 
+#define bn_check_size(bn, bits) bn_wcheck_size(bn, ((bits+BN_BITS2-1))/BN_BITS2)
+#define bn_wcheck_size(bn, words) \
+	do { \
+		const BIGNUM *_bnum2 = (bn); \
+		assert(words <= (_bnum2)->dmax && words >= (_bnum2)->top); \
+	} while(0)
+
 #else /* !BN_DEBUG */
 
 #define bn_pollute(a)
 #define bn_check_top(a)
 #define bn_fix_top(a)		bn_correct_top(a)
+#define bn_check_size(bn, bits)
+#define bn_wcheck_size(bn, words)
 
 #endif
 

crypto/bn/bn_lib.c

@@ -824,3 +824,55 @@ int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b,
 		}
 	return bn_cmp_words(a,b,cl);
 	}
+
+/* 
+ * Constant-time conditional swap of a and b.  
+ * a and b are swapped if condition is not 0.  The code assumes that at most one bit of condition is set.
+ * nwords is the number of words to swap.  The code assumes that at least nwords are allocated in both a and b,
+ * and that no more than nwords are used by either a or b.
+ * a and b cannot be the same number
+ */
+void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
+	{
+	BN_ULONG t;
+	int i;
+
+	bn_wcheck_size(a, nwords);
+	bn_wcheck_size(b, nwords);
+
+	assert(a != b);
+	assert((condition & (condition - 1)) == 0);
+	assert(sizeof(BN_ULONG) >= sizeof(int));
+
+	condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1;
+
+	t = (a->top^b->top) & condition;
+	a->top ^= t;
+	b->top ^= t;
+
+#define BN_CONSTTIME_SWAP(ind) \
+	do { \
+		t = (a->d[ind] ^ b->d[ind]) & condition; \
+		a->d[ind] ^= t; \
+		b->d[ind] ^= t; \
+	} while (0)
+
+
+	switch (nwords) {
+	default:
+		for (i = 10; i < nwords; i++) 
+			BN_CONSTTIME_SWAP(i);
+		/* Fallthrough */
+	case 10: BN_CONSTTIME_SWAP(9); /* Fallthrough */
+	case 9: BN_CONSTTIME_SWAP(8); /* Fallthrough */
+	case 8: BN_CONSTTIME_SWAP(7); /* Fallthrough */
+	case 7: BN_CONSTTIME_SWAP(6); /* Fallthrough */
+	case 6: BN_CONSTTIME_SWAP(5); /* Fallthrough */
+	case 5: BN_CONSTTIME_SWAP(4); /* Fallthrough */
+	case 4: BN_CONSTTIME_SWAP(3); /* Fallthrough */
+	case 3: BN_CONSTTIME_SWAP(2); /* Fallthrough */
+	case 2: BN_CONSTTIME_SWAP(1); /* Fallthrough */
+	case 1: BN_CONSTTIME_SWAP(0);
+	}
+#undef BN_CONSTTIME_SWAP
+}

crypto/bn/bn_nist.c

@@ -286,26 +286,25 @@ const BIGNUM *BN_get0_nist_prime_521(void)
 	}
 
 
-static void nist_cp_bn_0(BN_ULONG *buf, BN_ULONG *a, int top, int max)
+static void nist_cp_bn_0(BN_ULONG *dst, const BN_ULONG *src, int top, int max)
 	{
 	int i;
-	BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
 
 #ifdef BN_DEBUG
 	OPENSSL_assert(top <= max);
 #endif
-	for (i = (top); i != 0; i--)
-		*_tmp1++ = *_tmp2++;
-	for (i = (max) - (top); i != 0; i--)
-		*_tmp1++ = (BN_ULONG) 0;
+	for (i = 0; i < top; i++)
+		dst[i] = src[i];
+	for (; i < max; i++)
+		dst[i] = 0;
 	}
 
-static void nist_cp_bn(BN_ULONG *buf, BN_ULONG *a, int top)
+static void nist_cp_bn(BN_ULONG *dst, const BN_ULONG *src, int top)
 	{ 
 	int i;
-	BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
-	for (i = (top); i != 0; i--)
-		*_tmp1++ = *_tmp2++;
+
+	for (i = 0; i < top; i++)
+		dst[i] = src[i];
 	}
 
 #if BN_BITS2 == 64
@@ -451,8 +450,9 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
 	 */
 	mask  = 0-(PTR_SIZE_INT)bn_sub_words(c_d,r_d,_nist_p_192[0],BN_NIST_192_TOP);
 	mask &= 0-(PTR_SIZE_INT)carry;
+	res   = c_d;
 	res   = (BN_ULONG *)
-	 (((PTR_SIZE_INT)c_d&~mask) | ((PTR_SIZE_INT)r_d&mask));
+	 (((PTR_SIZE_INT)res&~mask) | ((PTR_SIZE_INT)r_d&mask));
 	nist_cp_bn(r_d, res, BN_NIST_192_TOP);
 	r->top = BN_NIST_192_TOP;
 	bn_correct_top(r);
@@ -479,8 +479,11 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
 	int	top = a->top, i;
 	int	carry;
 	BN_ULONG *r_d, *a_d = a->d;
-	BN_ULONG buf[BN_NIST_224_TOP],
-		 c_d[BN_NIST_224_TOP],
+	union	{
+		BN_ULONG	bn[BN_NIST_224_TOP];
+		unsigned int	ui[BN_NIST_224_TOP*sizeof(BN_ULONG)/sizeof(unsigned int)];
+		} buf;
+	BN_ULONG c_d[BN_NIST_224_TOP],
 		*res;
 	PTR_SIZE_INT mask;
 	union { bn_addsub_f f; PTR_SIZE_INT p; } u;
@@ -519,18 +522,18 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
 	/* copy upper 256 bits of 448 bit number ... */
 	nist_cp_bn_0(c_d, a_d + (BN_NIST_224_TOP-1), top - (BN_NIST_224_TOP-1), BN_NIST_224_TOP);
 	/* ... and right shift by 32 to obtain upper 224 bits */
-	nist_set_224(buf, c_d, 14, 13, 12, 11, 10, 9, 8);
+	nist_set_224(buf.bn, c_d, 14, 13, 12, 11, 10, 9, 8);
 	/* truncate lower part to 224 bits too */
 	r_d[BN_NIST_224_TOP-1] &= BN_MASK2l;
 #else
-	nist_cp_bn_0(buf, a_d + BN_NIST_224_TOP, top - BN_NIST_224_TOP, BN_NIST_224_TOP);
+	nist_cp_bn_0(buf.bn, a_d + BN_NIST_224_TOP, top - BN_NIST_224_TOP, BN_NIST_224_TOP);
 #endif
 
 #if defined(NIST_INT64) && BN_BITS2!=64
 	{
 	NIST_INT64		acc;	/* accumulator */
 	unsigned int		*rp=(unsigned int *)r_d;
-	const unsigned int	*bp=(const unsigned int *)buf;
+	const unsigned int	*bp=(const unsigned int *)buf.ui;
 
 	acc  = rp[0];	acc -= bp[7-7];
 			acc -= bp[11-7]; rp[0] = (unsigned int)acc; acc >>= 32;
@@ -565,13 +568,13 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
 	{
 	BN_ULONG t_d[BN_NIST_224_TOP];
 
-	nist_set_224(t_d, buf, 10, 9, 8, 7, 0, 0, 0);
+	nist_set_224(t_d, buf.bn, 10, 9, 8, 7, 0, 0, 0);
 	carry = (int)bn_add_words(r_d, r_d, t_d, BN_NIST_224_TOP);
-	nist_set_224(t_d, buf, 0, 13, 12, 11, 0, 0, 0);
+	nist_set_224(t_d, buf.bn, 0, 13, 12, 11, 0, 0, 0);
 	carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_224_TOP);
-	nist_set_224(t_d, buf, 13, 12, 11, 10, 9, 8, 7);
+	nist_set_224(t_d, buf.bn, 13, 12, 11, 10, 9, 8, 7);
 	carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_224_TOP);
-	nist_set_224(t_d, buf, 0, 0, 0, 0, 13, 12, 11);
+	nist_set_224(t_d, buf.bn, 0, 0, 0, 0, 13, 12, 11);
 	carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_224_TOP);
 
 #if BN_BITS2==64
@@ -606,7 +609,8 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
 	/* otherwise it's effectively same as in BN_nist_mod_192... */
 	mask  = 0-(PTR_SIZE_INT)(*u.f)(c_d,r_d,_nist_p_224[0],BN_NIST_224_TOP);
 	mask &= 0-(PTR_SIZE_INT)carry;
-	res   = (BN_ULONG *)(((PTR_SIZE_INT)c_d&~mask) |
+	res   = c_d;
+	res   = (BN_ULONG *)(((PTR_SIZE_INT)res&~mask) |
 	 ((PTR_SIZE_INT)r_d&mask));
 	nist_cp_bn(r_d, res, BN_NIST_224_TOP);
 	r->top = BN_NIST_224_TOP;
@@ -805,7 +809,8 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
 
 	mask  = 0-(PTR_SIZE_INT)(*u.f)(c_d,r_d,_nist_p_256[0],BN_NIST_256_TOP);
 	mask &= 0-(PTR_SIZE_INT)carry;
-	res   = (BN_ULONG *)(((PTR_SIZE_INT)c_d&~mask) |
+	res   = c_d;
+	res   = (BN_ULONG *)(((PTR_SIZE_INT)res&~mask) |
 	 ((PTR_SIZE_INT)r_d&mask));
 	nist_cp_bn(r_d, res, BN_NIST_256_TOP);
 	r->top = BN_NIST_256_TOP;
@@ -1026,7 +1031,8 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
 
 	mask  = 0-(PTR_SIZE_INT)(*u.f)(c_d,r_d,_nist_p_384[0],BN_NIST_384_TOP);
 	mask &= 0-(PTR_SIZE_INT)carry;
-	res   = (BN_ULONG *)(((PTR_SIZE_INT)c_d&~mask) |
+	res   = c_d;
+	res   = (BN_ULONG *)(((PTR_SIZE_INT)res&~mask) |
 	 ((PTR_SIZE_INT)r_d&mask));
 	nist_cp_bn(r_d, res, BN_NIST_384_TOP);
 	r->top = BN_NIST_384_TOP;
@@ -1092,7 +1098,8 @@ int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
 
 	bn_add_words(r_d,r_d,t_d,BN_NIST_521_TOP);
 	mask = 0-(PTR_SIZE_INT)bn_sub_words(t_d,r_d,_nist_p_521,BN_NIST_521_TOP);
-	res  = (BN_ULONG *)(((PTR_SIZE_INT)t_d&~mask) |
+	res  = t_d;
+	res  = (BN_ULONG *)(((PTR_SIZE_INT)res&~mask) |
 	 ((PTR_SIZE_INT)r_d&mask));
 	nist_cp_bn(r_d,res,BN_NIST_521_TOP);
 	r->top = BN_NIST_521_TOP;

crypto/buffer/buffer.c

@@ -179,14 +179,14 @@ int BUF_MEM_grow_clean(BUF_MEM *str, size_t len)
 	return(len);
 	}
 
-void BUF_reverse(unsigned char *out, unsigned char *in, size_t size)
+void BUF_reverse(unsigned char *out, const unsigned char *in, size_t size)
 	{
 	size_t i;
 	if (in)
 		{
 		out += size - 1;
 		for (i = 0; i < size; i++)
-			*in++ = *out--;
+			*out-- = *in++;
 		}
 	else
 		{

crypto/buffer/buffer.h

@@ -88,7 +88,7 @@ int	BUF_MEM_grow_clean(BUF_MEM *str, size_t len);
 char *	BUF_strdup(const char *str);
 char *	BUF_strndup(const char *str, size_t siz);
 void *	BUF_memdup(const void *data, size_t siz);
-void	BUF_reverse(unsigned char *out, unsigned char *in, size_t siz);
+void	BUF_reverse(unsigned char *out, const unsigned char *in, size_t siz);
 
 /* safe string functions */
 size_t BUF_strlcpy(char *dst,const char *src,size_t siz);

crypto/cms/cms_lib.c

@@ -463,8 +463,6 @@ int CMS_add0_cert(CMS_ContentInfo *cms, X509 *cert)
 	STACK_OF(CMS_CertificateChoices) **pcerts;
 	int i;
 	pcerts = cms_get0_certificate_choices(cms);
-	if (!pcerts)
-		return 0;
 	if (!pcerts)
 		return 0;
 	for (i = 0; i < sk_CMS_CertificateChoices_num(*pcerts); i++)

crypto/cryptlib.c

@@ -889,7 +889,7 @@ void OPENSSL_showfatal (const char *fmta,...)
 
 #if defined(_WIN32_WINNT) && _WIN32_WINNT>=0x0333
     /* this -------------v--- guards NT-specific calls */
-    if (GetVersion() < 0x80000000 && OPENSSL_isservice() > 0)
+    if (check_winnt() && OPENSSL_isservice() > 0)
     {	HANDLE h = RegisterEventSource(0,_T("OPENSSL"));
 	const TCHAR *pmsg=buf;
 	ReportEvent(h,EVENTLOG_ERROR_TYPE,0,0,0,1,0,&pmsg,0);

crypto/ec/ec2_mult.c

@@ -208,11 +208,15 @@ static int gf2m_Mxy(const EC_GROUP *group, const BIGNUM *x, const BIGNUM *y, BIG
 	return ret;
 	}
 
+
 /* Computes scalar*point and stores the result in r.
  * point can not equal r.
- * Uses algorithm 2P of
+ * Uses a modified algorithm 2P of
  *     Lopez, J. and Dahab, R.  "Fast multiplication on elliptic curves over 
  *     GF(2^m) without precomputation" (CHES '99, LNCS 1717).
+ *
+ * To protect against side-channel attack the function uses constant time swap,
+ * avoiding conditional branches.
  */
 static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 	const EC_POINT *point, BN_CTX *ctx)
@@ -246,6 +250,11 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
 	x2 = &r->X;
 	z2 = &r->Y;
 
+	bn_wexpand(x1, group->field.top);
+	bn_wexpand(z1, group->field.top);
+	bn_wexpand(x2, group->field.top);
+	bn_wexpand(z2, group->field.top);
+
 	if (!BN_GF2m_mod_arr(x1, &point->X, group->poly)) goto err; /* x1 = x */
 	if (!BN_one(z1)) goto err; /* z1 = 1 */
 	if (!group->meth->field_sqr(group, z2, x1, ctx)) goto err; /* z2 = x1^2 = x^2 */
@@ -270,16 +279,12 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
 		word = scalar->d[i];
 		while (mask)
 			{
-			if (word & mask)
-				{
-				if (!gf2m_Madd(group, &point->X, x1, z1, x2, z2, ctx)) goto err;
-				if (!gf2m_Mdouble(group, x2, z2, ctx)) goto err;
-				}
-			else
-				{
-				if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err;
-				if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err;
-				}
+			BN_consttime_swap(word & mask, x1, x2, group->field.top);
+			BN_consttime_swap(word & mask, z1, z2, group->field.top);
+			if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err;
+			if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err;
+			BN_consttime_swap(word & mask, x1, x2, group->field.top);
+			BN_consttime_swap(word & mask, z1, z2, group->field.top);
 			mask >>= 1;
 			}
 		mask = BN_TBIT;

crypto/ec/ec_ameth.c

@@ -88,7 +88,7 @@ static int eckey_param2type(int *pptype, void **ppval, EC_KEY *ec_key)
 		if (!pstr)
 			return 0;
 		pstr->length = i2d_ECParameters(ec_key, &pstr->data);
-		if (pstr->length < 0)
+		if (pstr->length <= 0)
 			{
 			ASN1_STRING_free(pstr);
 			ECerr(EC_F_ECKEY_PARAM2TYPE, ERR_R_EC_LIB);

crypto/ec/ec_asn1.c

@@ -89,7 +89,8 @@ int EC_GROUP_get_trinomial_basis(const EC_GROUP *group, unsigned int *k)
 	if (group == NULL)
 		return 0;
 
-	if (EC_GROUP_method_of(group)->group_set_curve != ec_GF2m_simple_group_set_curve
+	if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
+	    NID_X9_62_characteristic_two_field
 	    || !((group->poly[0] != 0) && (group->poly[1] != 0) && (group->poly[2] == 0)))
 		{
 		ECerr(EC_F_EC_GROUP_GET_TRINOMIAL_BASIS, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
@@ -107,7 +108,8 @@ int EC_GROUP_get_pentanomial_basis(const EC_GROUP *group, unsigned int *k1,
 	if (group == NULL)
 		return 0;
 
-	if (EC_GROUP_method_of(group)->group_set_curve != ec_GF2m_simple_group_set_curve
+	if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
+	    NID_X9_62_characteristic_two_field
 	    || !((group->poly[0] != 0) && (group->poly[1] != 0) && (group->poly[2] != 0) && (group->poly[3] != 0) && (group->poly[4] == 0)))
 		{
 		ECerr(EC_F_EC_GROUP_GET_PENTANOMIAL_BASIS, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);

crypto/ec/ec_lib.c

@@ -480,10 +480,10 @@ int EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b, BN_CTX *ctx)
 	if (EC_METHOD_get_field_type(EC_GROUP_method_of(a)) !=
 	    EC_METHOD_get_field_type(EC_GROUP_method_of(b)))
 		return 1;
-	/* compare the curve name (if present) */
+	/* compare the curve name (if present in both) */
 	if (EC_GROUP_get_curve_name(a) && EC_GROUP_get_curve_name(b) &&
-	    EC_GROUP_get_curve_name(a) == EC_GROUP_get_curve_name(b))
-		return 0;
+	    EC_GROUP_get_curve_name(a) != EC_GROUP_get_curve_name(b))
+		return 1;
 
 	if (!ctx)
 		ctx_new = ctx = BN_CTX_new();
@@ -993,12 +993,12 @@ int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN
 	if (group->meth->point_cmp == 0)
 		{
 		ECerr(EC_F_EC_POINT_CMP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-		return 0;
+		return -1;
 		}
 	if ((group->meth != a->meth) || (a->meth != b->meth))
 		{
 		ECerr(EC_F_EC_POINT_CMP, EC_R_INCOMPATIBLE_OBJECTS);
-		return 0;
+		return -1;
 		}
 	return group->meth->point_cmp(group, a, b, ctx);
 	}

crypto/engine/eng_list.c

@@ -408,6 +408,7 @@ ENGINE *ENGINE_by_id(const char *id)
 				!ENGINE_ctrl_cmd_string(iterator, "DIR_LOAD", "2", 0) ||
 				!ENGINE_ctrl_cmd_string(iterator, "DIR_ADD",
 					load_dir, 0) ||
+				!ENGINE_ctrl_cmd_string(iterator, "LIST_ADD", "1", 0) ||
 				!ENGINE_ctrl_cmd_string(iterator, "LOAD", NULL, 0))
 				goto notfound;
 		return iterator;

crypto/engine/eng_rdrand.c

@@ -104,6 +104,7 @@ static int bind_helper(ENGINE *e)
 	{
 	if (!ENGINE_set_id(e, engine_e_rdrand_id) ||
 	    !ENGINE_set_name(e, engine_e_rdrand_name) ||
+            !ENGINE_set_flags(e, ENGINE_FLAGS_NO_REGISTER_ALL) ||
 	    !ENGINE_set_init_function(e, rdrand_init) ||
 	    !ENGINE_set_RAND(e, &rdrand_meth) )
 		return 0;

crypto/evp/Makefile

@@ -67,7 +67,7 @@ files:
 links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
 	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
-	[ ! -f $(TESTDATA) ] || cp $(TESTDATA) ../../test
+	@[ -f $(TESTDATA) ] && cp $(TESTDATA) ../../test && echo "$(TESTDATA) -> ../../test/$(TESTDATA)"
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:

crypto/evp/bio_b64.c

@@ -264,7 +264,7 @@ static int b64_read(BIO *b, char *out, int outl)
 				}
 
 			/* we fell off the end without starting */
-			if (j == i)
+			if ((j == i) && (num == 0))
 				{
 				/* Is this is one long chunk?, if so, keep on
 				 * reading until a new line. */

crypto/evp/digest.c

@@ -366,8 +366,11 @@ int EVP_Digest(const void *data, size_t count,
 
 void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx)
 	{
-	EVP_MD_CTX_cleanup(ctx);
-	OPENSSL_free(ctx);
+	if (ctx)
+		{
+		EVP_MD_CTX_cleanup(ctx);
+		OPENSSL_free(ctx);
+		}
 	}
 
 /* This call frees resources associated with the context */

crypto/evp/e_aes.c

@@ -842,7 +842,10 @@ static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 			gctx->ctr = NULL;
 			break;
 			}
+		else
 #endif
+		(void)0;	/* terminate potentially open 'else' */
+
 		AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
 		CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)AES_encrypt);
 #ifdef AES_CTR_ASM
@@ -1083,14 +1086,17 @@ static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 			xctx->xts.block1 = (block128_f)vpaes_decrypt;
 			}
 
-		vpaes_set_encrypt_key(key + ctx->key_len/2,
+		    vpaes_set_encrypt_key(key + ctx->key_len/2,
 						ctx->key_len * 4, &xctx->ks2);
-		xctx->xts.block2 = (block128_f)vpaes_encrypt;
+		    xctx->xts.block2 = (block128_f)vpaes_encrypt;
 
-		xctx->xts.key1 = &xctx->ks1;
-		break;
-		}
+		    xctx->xts.key1 = &xctx->ks1;
+		    break;
+		    }
+		else
 #endif
+		(void)0;	/* terminate potentially open 'else' */
+
 		if (enc)
 			{
 			AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);

crypto/evp/e_aes_cbc_hmac_sha1.c

@@ -328,10 +328,11 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 
 				if (res!=SHA_CBLOCK) continue;
 
-				mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1));
+				/* j is not incremented yet */
+				mask = 0-((inp_len+7-j)>>(sizeof(j)*8-1));
 				data->u[SHA_LBLOCK-1] |= bitlen&mask;
 				sha1_block_data_order(&key->md,data,1);
-				mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));
+				mask &= 0-((j-inp_len-72)>>(sizeof(j)*8-1));
 				pmac->u[0] |= key->md.h0 & mask;
 				pmac->u[1] |= key->md.h1 & mask;
 				pmac->u[2] |= key->md.h2 & mask;

crypto/evp/e_des3.c

@@ -101,7 +101,7 @@ static int des_ede_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 static int des_ede_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 			      const unsigned char *in, size_t inl)
 {
-	if (inl>=EVP_MAXCHUNK)
+	while (inl>=EVP_MAXCHUNK)
 		{
 		DES_ede3_ofb64_encrypt(in, out, (long)EVP_MAXCHUNK,
 			       &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3,
@@ -132,7 +132,7 @@ static int des_ede_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 	printf("\n");
 	}
 #endif    /* KSSL_DEBUG */
-	if (inl>=EVP_MAXCHUNK)
+	while (inl>=EVP_MAXCHUNK)
 		{
 		DES_ede3_cbc_encrypt(in, out, (long)EVP_MAXCHUNK,
 			     &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3,
@@ -151,7 +151,7 @@ static int des_ede_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 static int des_ede_cfb64_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 			      const unsigned char *in, size_t inl)
 {
-	if (inl>=EVP_MAXCHUNK)
+	while (inl>=EVP_MAXCHUNK)
 		{
 		DES_ede3_cfb64_encrypt(in, out, (long)EVP_MAXCHUNK, 
 			       &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3,

crypto/evp/p5_crpt2.c

@@ -85,19 +85,24 @@ int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
 	unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4];
 	int cplen, j, k, tkeylen, mdlen;
 	unsigned long i = 1;
-	HMAC_CTX hctx;
+	HMAC_CTX hctx_tpl, hctx;
 
 	mdlen = EVP_MD_size(digest);
 	if (mdlen < 0)
 		return 0;
 
-	HMAC_CTX_init(&hctx);
+	HMAC_CTX_init(&hctx_tpl);
 	p = out;
 	tkeylen = keylen;
 	if(!pass)
 		passlen = 0;
 	else if(passlen == -1)
 		passlen = strlen(pass);
+	if (!HMAC_Init_ex(&hctx_tpl, pass, passlen, digest, NULL))
+		{
+		HMAC_CTX_cleanup(&hctx_tpl);
+		return 0;
+		}
 	while(tkeylen)
 		{
 		if(tkeylen > mdlen)
@@ -111,19 +116,36 @@ int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
 		itmp[1] = (unsigned char)((i >> 16) & 0xff);
 		itmp[2] = (unsigned char)((i >> 8) & 0xff);
 		itmp[3] = (unsigned char)(i & 0xff);
-		if (!HMAC_Init_ex(&hctx, pass, passlen, digest, NULL)
-			|| !HMAC_Update(&hctx, salt, saltlen)
-			|| !HMAC_Update(&hctx, itmp, 4)
-			|| !HMAC_Final(&hctx, digtmp, NULL))
+		if (!HMAC_CTX_copy(&hctx, &hctx_tpl))
 			{
+			HMAC_CTX_cleanup(&hctx_tpl);
+			return 0;
+			}
+		if (!HMAC_Update(&hctx, salt, saltlen)
+		    || !HMAC_Update(&hctx, itmp, 4)
+		    || !HMAC_Final(&hctx, digtmp, NULL))
+			{
+			HMAC_CTX_cleanup(&hctx_tpl);
 			HMAC_CTX_cleanup(&hctx);
 			return 0;
 			}
+		HMAC_CTX_cleanup(&hctx);
 		memcpy(p, digtmp, cplen);
 		for(j = 1; j < iter; j++)
 			{
-			HMAC(digest, pass, passlen,
-				 digtmp, mdlen, digtmp, NULL);
+			if (!HMAC_CTX_copy(&hctx, &hctx_tpl))
+				{
+				HMAC_CTX_cleanup(&hctx_tpl);
+				return 0;
+				}
+			if (!HMAC_Update(&hctx, digtmp, mdlen)
+			    || !HMAC_Final(&hctx, digtmp, NULL))
+				{
+				HMAC_CTX_cleanup(&hctx_tpl);
+				HMAC_CTX_cleanup(&hctx);
+				return 0;
+				}
+			HMAC_CTX_cleanup(&hctx);
 			for(k = 0; k < cplen; k++)
 				p[k] ^= digtmp[k];
 			}
@@ -131,7 +153,7 @@ int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
 		i++;
 		p+= cplen;
 		}
-	HMAC_CTX_cleanup(&hctx);
+	HMAC_CTX_cleanup(&hctx_tpl);
 #ifdef DEBUG_PKCS5V2
 	fprintf(stderr, "Password:\n");
 	h__dump (pass, passlen);

crypto/modes/Makefile

@@ -53,7 +53,10 @@ ghash-x86_64.s:	asm/ghash-x86_64.pl
 ghash-sparcv9.s:	asm/ghash-sparcv9.pl
 	$(PERL) asm/ghash-sparcv9.pl $@ $(CFLAGS)
 ghash-alpha.s:	asm/ghash-alpha.pl
-	$(PERL) $< | $(CC) -E - | tee $@ > /dev/null
+	(preproc=/tmp/$$$$.$@; trap "rm $$preproc" INT; \
+	$(PERL) asm/ghash-alpha.pl > $$preproc && \
+	$(CC) -E $$preproc > $@ && rm $$preproc)
+
 ghash-parisc.s:	asm/ghash-parisc.pl
 	$(PERL) asm/ghash-parisc.pl $(PERLASM_SCHEME) $@
 

crypto/modes/asm/ghash-alpha.pl

@@ -266,8 +266,8 @@ gcm_gmult_4bit:
 	ldq	$Xlo,8($Xi)
 	ldq	$Xhi,0($Xi)
 
-	br	$rem_4bit,.Lpic1
-.Lpic1:	lda	$rem_4bit,rem_4bit-.Lpic1($rem_4bit)
+	bsr	$t0,picmeup
+	nop
 ___
 
 	&loop();
@@ -341,8 +341,8 @@ gcm_ghash_4bit:
 	ldq	$Xhi,0($Xi)
 	ldq	$Xlo,8($Xi)
 
-	br	$rem_4bit,.Lpic2
-.Lpic2:	lda	$rem_4bit,rem_4bit-.Lpic2($rem_4bit)
+	bsr	$t0,picmeup
+	nop
 
 .Louter:
 	extql	$inhi,$inp,$inhi
@@ -436,11 +436,20 @@ $code.=<<___;
 .end	gcm_ghash_4bit
 
 .align	4
+.ent	picmeup
+picmeup:
+	.frame	sp,0,$t0
+	.prologue 0
+	br	$rem_4bit,.Lpic
+.Lpic:	lda	$rem_4bit,12($rem_4bit)
+	ret	($t0)
+.end	picmeup
+	nop
 rem_4bit:
-	.quad	0x0000<<48, 0x1C20<<48, 0x3840<<48, 0x2460<<48
-	.quad	0x7080<<48, 0x6CA0<<48, 0x48C0<<48, 0x54E0<<48
-	.quad	0xE100<<48, 0xFD20<<48, 0xD940<<48, 0xC560<<48
-	.quad	0x9180<<48, 0x8DA0<<48, 0xA9C0<<48, 0xB5E0<<48
+	.long	0,0x0000<<16, 0,0x1C20<<16, 0,0x3840<<16, 0,0x2460<<16
+	.long	0,0x7080<<16, 0,0x6CA0<<16, 0,0x48C0<<16, 0,0x54E0<<16
+	.long	0,0xE100<<16, 0,0xFD20<<16, 0,0xD940<<16, 0,0xC560<<16
+	.long	0,0x9180<<16, 0,0x8DA0<<16, 0,0xA9C0<<16, 0,0xB5E0<<16
 .ascii	"GHASH for Alpha, CRYPTOGAMS by <appro\@openssl.org>"
 .align	4
 

crypto/modes/asm/ghash-parisc.pl

@@ -724,6 +724,7 @@ foreach (split("\n",$code)) {
 		s/cmpb,\*/comb,/;
 		s/,\*/,/;
 	}
+	s/\bbv\b/bve/	if ($SIZE_T==8);
 	print $_,"\n";
 }
 

crypto/modes/cbc128.c

@@ -117,7 +117,7 @@ void CRYPTO_cbc128_decrypt(const unsigned char *in, unsigned char *out,
 			unsigned char ivec[16], block128_f block)
 {
 	size_t n;
-	union { size_t align; unsigned char c[16]; } tmp;
+	union { size_t t[16/sizeof(size_t)]; unsigned char c[16]; } tmp;
 
 	assert(in && out && key && ivec);
 
@@ -137,11 +137,13 @@ void CRYPTO_cbc128_decrypt(const unsigned char *in, unsigned char *out,
 				out += 16;
 			}
 		}
-		else {
+		else  if (16%sizeof(size_t) == 0) { /* always true */
 			while (len>=16) {
+				size_t *out_t=(size_t *)out, *iv_t=(size_t *)iv;
+
 				(*block)(in, out, key);
-				for(n=0; n<16; n+=sizeof(size_t))
-					*(size_t *)(out+n) ^= *(size_t *)(iv+n);
+				for(n=0; n<16/sizeof(size_t); n++)
+					out_t[n] ^= iv_t[n];
 				iv = in;
 				len -= 16;
 				in  += 16;
@@ -165,15 +167,16 @@ void CRYPTO_cbc128_decrypt(const unsigned char *in, unsigned char *out,
 				out += 16;
 			}
 		}
-		else {
-			size_t c;
+		else if (16%sizeof(size_t) == 0) { /* always true */
 			while (len>=16) {
+				size_t c, *out_t=(size_t *)out, *ivec_t=(size_t *)ivec;
+				const size_t *in_t=(const size_t *)in;
+
 				(*block)(in, tmp.c, key);
-				for(n=0; n<16; n+=sizeof(size_t)) {
-					c = *(size_t *)(in+n);
-					*(size_t *)(out+n) =
-					*(size_t *)(tmp.c+n) ^ *(size_t *)(ivec+n);
-					*(size_t *)(ivec+n) = c;
+				for(n=0; n<16/sizeof(size_t); n++) {
+					c = in_t[n];
+					out_t[n] = tmp.t[n] ^ ivec_t[n];
+					ivec_t[n] = c;
 				}
 				len -= 16;
 				in  += 16;

crypto/modes/ccm128.c

@@ -87,7 +87,7 @@ int CRYPTO_ccm128_setiv(CCM128_CONTEXT *ctx,
 		ctx->nonce.c[11] = (u8)(mlen>>(32%(sizeof(mlen)*8)));
 	}
 	else
-		*(u32*)(&ctx->nonce.c[8]) = 0;
+		ctx->nonce.u[1] = 0;
 
 	ctx->nonce.c[12] = (u8)(mlen>>24);
 	ctx->nonce.c[13] = (u8)(mlen>>16);

crypto/modes/cts128.c

@@ -108,12 +108,8 @@ size_t CRYPTO_cts128_encrypt(const unsigned char *in, unsigned char *out,
 	(*cbc)(in,out-16,residue,key,ivec,1);
 	memcpy(out,tmp.c,residue);
 #else
-	{
-	size_t n;
-	for (n=0; n<16; n+=sizeof(size_t))
-		*(size_t *)(tmp.c+n) = 0;
+	memset(tmp.c,0,sizeof(tmp));
 	memcpy(tmp.c,in,residue);
-	}
 	memcpy(out,out-16,residue);
 	(*cbc)(tmp.c,out-16,16,key,ivec,1);
 #endif
@@ -144,12 +140,8 @@ size_t CRYPTO_nistcts128_encrypt(const unsigned char *in, unsigned char *out,
 #if defined(CBC_HANDLES_TRUNCATED_IO)
 	(*cbc)(in,out-16+residue,residue,key,ivec,1);
 #else
-	{
-	size_t n;
-	for (n=0; n<16; n+=sizeof(size_t))
-		*(size_t *)(tmp.c+n) = 0;
+	memset(tmp.c,0,sizeof(tmp));
 	memcpy(tmp.c,in,residue);
-	}
 	(*cbc)(tmp.c,out-16+residue,16,key,ivec,1);
 #endif
 	return len+residue;
@@ -177,8 +169,7 @@ size_t CRYPTO_cts128_decrypt_block(const unsigned char *in, unsigned char *out,
 
 	(*block)(in,tmp.c+16,key);
 
-	for (n=0; n<16; n+=sizeof(size_t))
-		*(size_t *)(tmp.c+n) = *(size_t *)(tmp.c+16+n);
+	memcpy(tmp.c,tmp.c+16,16);
 	memcpy(tmp.c,in+16,residue);
 	(*block)(tmp.c,tmp.c,key);
 
@@ -220,8 +211,7 @@ size_t CRYPTO_nistcts128_decrypt_block(const unsigned char *in, unsigned char *o
 
 	(*block)(in+residue,tmp.c+16,key);
 
-	for (n=0; n<16; n+=sizeof(size_t))
-		*(size_t *)(tmp.c+n) = *(size_t *)(tmp.c+16+n);
+	memcpy(tmp.c,tmp.c+16,16);
 	memcpy(tmp.c,in,residue);
 	(*block)(tmp.c,tmp.c,key);
 
@@ -240,7 +230,7 @@ size_t CRYPTO_nistcts128_decrypt_block(const unsigned char *in, unsigned char *o
 size_t CRYPTO_cts128_decrypt(const unsigned char *in, unsigned char *out,
 			size_t len, const void *key,
 			unsigned char ivec[16], cbc128_f cbc)
-{	size_t residue, n;
+{	size_t residue;
 	union { size_t align; unsigned char c[32]; } tmp;
 
 	assert (in && out && key && ivec);
@@ -257,8 +247,7 @@ size_t CRYPTO_cts128_decrypt(const unsigned char *in, unsigned char *out,
 		out += len;
 	}
 
-	for (n=16; n<32; n+=sizeof(size_t))
-		*(size_t *)(tmp.c+n) = 0;
+	memset(tmp.c,0,sizeof(tmp));
 	/* this places in[16] at &tmp.c[16] and decrypted block at &tmp.c[0] */
 	(*cbc)(in,tmp.c,16,key,tmp.c+16,0);
 
@@ -275,7 +264,7 @@ size_t CRYPTO_cts128_decrypt(const unsigned char *in, unsigned char *out,
 size_t CRYPTO_nistcts128_decrypt(const unsigned char *in, unsigned char *out,
 			size_t len, const void *key,
 			unsigned char ivec[16], cbc128_f cbc)
-{	size_t residue, n;
+{	size_t residue;
 	union { size_t align; unsigned char c[32]; } tmp;
 
 	assert (in && out && key && ivec);
@@ -297,8 +286,7 @@ size_t CRYPTO_nistcts128_decrypt(const unsigned char *in, unsigned char *out,
 		out += len;
 	}
 
-	for (n=16; n<32; n+=sizeof(size_t))
-		*(size_t *)(tmp.c+n) = 0;
+	memset(tmp.c,0,sizeof(tmp));
 	/* this places in[16] at &tmp.c[16] and decrypted block at &tmp.c[0] */
 	(*cbc)(in+residue,tmp.c,16,key,tmp.c+16,0);
 

crypto/modes/gcm128.c

@@ -810,7 +810,11 @@ void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx,const unsigned char *iv,size_t len)
 		GCM_MUL(ctx,Yi);
 
 		if (is_endian.little)
+#ifdef BSWAP4
+			ctr = BSWAP4(ctx->Yi.d[3]);
+#else
 			ctr = GETU32(ctx->Yi.c+12);
+#endif
 		else
 			ctr = ctx->Yi.d[3];
 	}
@@ -818,7 +822,11 @@ void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx,const unsigned char *iv,size_t len)
 	(*ctx->block)(ctx->Yi.c,ctx->EK0.c,ctx->key);
 	++ctr;
 	if (is_endian.little)
+#ifdef BSWAP4
+		ctx->Yi.d[3] = BSWAP4(ctr);
+#else
 		PUTU32(ctx->Yi.c+12,ctr);
+#endif
 	else
 		ctx->Yi.d[3] = ctr;
 }
@@ -913,7 +921,11 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
 	}
 
 	if (is_endian.little)
+#ifdef BSWAP4
+		ctr = BSWAP4(ctx->Yi.d[3]);
+#else
 		ctr = GETU32(ctx->Yi.c+12);
+#endif
 	else
 		ctr = ctx->Yi.d[3];
 
@@ -941,15 +953,21 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
 		    size_t j=GHASH_CHUNK;
 
 		    while (j) {
+		    	size_t *out_t=(size_t *)out;
+		    	const size_t *in_t=(const size_t *)in;
+
 			(*block)(ctx->Yi.c,ctx->EKi.c,key);
 			++ctr;
 			if (is_endian.little)
+#ifdef BSWAP4
+				ctx->Yi.d[3] = BSWAP4(ctr);
+#else
 				PUTU32(ctx->Yi.c+12,ctr);
+#endif
 			else
 				ctx->Yi.d[3] = ctr;
-			for (i=0; i<16; i+=sizeof(size_t))
-				*(size_t *)(out+i) =
-				*(size_t *)(in+i)^*(size_t *)(ctx->EKi.c+i);
+			for (i=0; i<16/sizeof(size_t); ++i)
+				out_t[i] = in_t[i] ^ ctx->EKi.t[i];
 			out += 16;
 			in  += 16;
 			j   -= 16;
@@ -961,15 +979,21 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
 		    size_t j=i;
 
 		    while (len>=16) {
+		    	size_t *out_t=(size_t *)out;
+		    	const size_t *in_t=(const size_t *)in;
+
 			(*block)(ctx->Yi.c,ctx->EKi.c,key);
 			++ctr;
 			if (is_endian.little)
+#ifdef BSWAP4
+				ctx->Yi.d[3] = BSWAP4(ctr);
+#else
 				PUTU32(ctx->Yi.c+12,ctr);
+#endif
 			else
 				ctx->Yi.d[3] = ctr;
-			for (i=0; i<16; i+=sizeof(size_t))
-				*(size_t *)(out+i) =
-				*(size_t *)(in+i)^*(size_t *)(ctx->EKi.c+i);
+			for (i=0; i<16/sizeof(size_t); ++i)
+				out_t[i] = in_t[i] ^ ctx->EKi.t[i];
 			out += 16;
 			in  += 16;
 			len -= 16;
@@ -978,16 +1002,22 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
 		}
 #else
 		while (len>=16) {
+		    	size_t *out_t=(size_t *)out;
+		    	const size_t *in_t=(const size_t *)in;
+
 			(*block)(ctx->Yi.c,ctx->EKi.c,key);
 			++ctr;
 			if (is_endian.little)
+#ifdef BSWAP4
+				ctx->Yi.d[3] = BSWAP4(ctr);
+#else
 				PUTU32(ctx->Yi.c+12,ctr);
+#endif
 			else
 				ctx->Yi.d[3] = ctr;
-			for (i=0; i<16; i+=sizeof(size_t))
-				*(size_t *)(ctx->Xi.c+i) ^=
-				*(size_t *)(out+i) =
-				*(size_t *)(in+i)^*(size_t *)(ctx->EKi.c+i);
+			for (i=0; i<16/sizeof(size_t); ++i)
+				ctx->Xi.t[i] ^=
+				out_t[i] = in_t[i]^ctx->EKi.t[i];
 			GCM_MUL(ctx,Xi);
 			out += 16;
 			in  += 16;
@@ -998,7 +1028,11 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
 			(*block)(ctx->Yi.c,ctx->EKi.c,key);
 			++ctr;
 			if (is_endian.little)
+#ifdef BSWAP4
+				ctx->Yi.d[3] = BSWAP4(ctr);
+#else
 				PUTU32(ctx->Yi.c+12,ctr);
+#endif
 			else
 				ctx->Yi.d[3] = ctr;
 			while (len--) {
@@ -1016,7 +1050,11 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
 			(*block)(ctx->Yi.c,ctx->EKi.c,key);
 			++ctr;
 			if (is_endian.little)
+#ifdef BSWAP4
+				ctx->Yi.d[3] = BSWAP4(ctr);
+#else
 				PUTU32(ctx->Yi.c+12,ctr);
+#endif
 			else
 				ctx->Yi.d[3] = ctr;
 		}
@@ -1060,7 +1098,11 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
 	}
 
 	if (is_endian.little)
+#ifdef BSWAP4
+		ctr = BSWAP4(ctx->Yi.d[3]);
+#else
 		ctr = GETU32(ctx->Yi.c+12);
+#endif
 	else
 		ctr = ctx->Yi.d[3];
 
@@ -1091,15 +1133,21 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
 
 		    GHASH(ctx,in,GHASH_CHUNK);
 		    while (j) {
+		    	size_t *out_t=(size_t *)out;
+		    	const size_t *in_t=(const size_t *)in;
+
 			(*block)(ctx->Yi.c,ctx->EKi.c,key);
 			++ctr;
 			if (is_endian.little)
+#ifdef BSWAP4
+				ctx->Yi.d[3] = BSWAP4(ctr);
+#else
 				PUTU32(ctx->Yi.c+12,ctr);
+#endif
 			else
 				ctx->Yi.d[3] = ctr;
-			for (i=0; i<16; i+=sizeof(size_t))
-				*(size_t *)(out+i) =
-				*(size_t *)(in+i)^*(size_t *)(ctx->EKi.c+i);
+			for (i=0; i<16/sizeof(size_t); ++i)
+				out_t[i] = in_t[i]^ctx->EKi.t[i];
 			out += 16;
 			in  += 16;
 			j   -= 16;
@@ -1109,15 +1157,21 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
 		if ((i = (len&(size_t)-16))) {
 		    GHASH(ctx,in,i);
 		    while (len>=16) {
+		    	size_t *out_t=(size_t *)out;
+		    	const size_t *in_t=(const size_t *)in;
+
 			(*block)(ctx->Yi.c,ctx->EKi.c,key);
 			++ctr;
 			if (is_endian.little)
+#ifdef BSWAP4
+				ctx->Yi.d[3] = BSWAP4(ctr);
+#else
 				PUTU32(ctx->Yi.c+12,ctr);
+#endif
 			else
 				ctx->Yi.d[3] = ctr;
-			for (i=0; i<16; i+=sizeof(size_t))
-				*(size_t *)(out+i) =
-				*(size_t *)(in+i)^*(size_t *)(ctx->EKi.c+i);
+			for (i=0; i<16/sizeof(size_t); ++i)
+				out_t[i] = in_t[i]^ctx->EKi.t[i];
 			out += 16;
 			in  += 16;
 			len -= 16;
@@ -1125,16 +1179,23 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
 		}
 #else
 		while (len>=16) {
+		    	size_t *out_t=(size_t *)out;
+		    	const size_t *in_t=(const size_t *)in;
+
 			(*block)(ctx->Yi.c,ctx->EKi.c,key);
 			++ctr;
 			if (is_endian.little)
+#ifdef BSWAP4
+				ctx->Yi.d[3] = BSWAP4(ctr);
+#else
 				PUTU32(ctx->Yi.c+12,ctr);
+#endif
 			else
 				ctx->Yi.d[3] = ctr;
-			for (i=0; i<16; i+=sizeof(size_t)) {
-				size_t c = *(size_t *)(in+i);
-				*(size_t *)(out+i) = c^*(size_t *)(ctx->EKi.c+i);
-				*(size_t *)(ctx->Xi.c+i) ^= c;
+			for (i=0; i<16/sizeof(size_t); ++i) {
+				size_t c = in[i];
+				out[i] = c^ctx->EKi.t[i];
+				ctx->Xi.t[i] ^= c;
 			}
 			GCM_MUL(ctx,Xi);
 			out += 16;
@@ -1146,7 +1207,11 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
 			(*block)(ctx->Yi.c,ctx->EKi.c,key);
 			++ctr;
 			if (is_endian.little)
+#ifdef BSWAP4
+				ctx->Yi.d[3] = BSWAP4(ctr);
+#else
 				PUTU32(ctx->Yi.c+12,ctr);
+#endif
 			else
 				ctx->Yi.d[3] = ctr;
 			while (len--) {
@@ -1167,7 +1232,11 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
 			(*block)(ctx->Yi.c,ctx->EKi.c,key);
 			++ctr;
 			if (is_endian.little)
+#ifdef BSWAP4
+				ctx->Yi.d[3] = BSWAP4(ctr);
+#else
 				PUTU32(ctx->Yi.c+12,ctr);
+#endif
 			else
 				ctx->Yi.d[3] = ctr;
 		}
@@ -1212,7 +1281,11 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
 	}
 
 	if (is_endian.little)
+#ifdef BSWAP4
+		ctr = BSWAP4(ctx->Yi.d[3]);
+#else
 		ctr = GETU32(ctx->Yi.c+12);
+#endif
 	else
 		ctr = ctx->Yi.d[3];
 
@@ -1234,7 +1307,11 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
 		(*stream)(in,out,GHASH_CHUNK/16,key,ctx->Yi.c);
 		ctr += GHASH_CHUNK/16;
 		if (is_endian.little)
+#ifdef BSWAP4
+			ctx->Yi.d[3] = BSWAP4(ctr);
+#else
 			PUTU32(ctx->Yi.c+12,ctr);
+#endif
 		else
 			ctx->Yi.d[3] = ctr;
 		GHASH(ctx,out,GHASH_CHUNK);
@@ -1249,7 +1326,11 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
 		(*stream)(in,out,j,key,ctx->Yi.c);
 		ctr += (unsigned int)j;
 		if (is_endian.little)
+#ifdef BSWAP4
+			ctx->Yi.d[3] = BSWAP4(ctr);
+#else
 			PUTU32(ctx->Yi.c+12,ctr);
+#endif
 		else
 			ctx->Yi.d[3] = ctr;
 		in  += i;
@@ -1269,7 +1350,11 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
 		(*ctx->block)(ctx->Yi.c,ctx->EKi.c,key);
 		++ctr;
 		if (is_endian.little)
+#ifdef BSWAP4
+			ctx->Yi.d[3] = BSWAP4(ctr);
+#else
 			PUTU32(ctx->Yi.c+12,ctr);
+#endif
 		else
 			ctx->Yi.d[3] = ctr;
 		while (len--) {
@@ -1311,7 +1396,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
 	}
 
 	if (is_endian.little)
+#ifdef BSWAP4
+		ctr = BSWAP4(ctx->Yi.d[3]);
+#else
 		ctr = GETU32(ctx->Yi.c+12);
+#endif
 	else
 		ctr = ctx->Yi.d[3];
 
@@ -1336,7 +1425,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
 		(*stream)(in,out,GHASH_CHUNK/16,key,ctx->Yi.c);
 		ctr += GHASH_CHUNK/16;
 		if (is_endian.little)
+#ifdef BSWAP4
+			ctx->Yi.d[3] = BSWAP4(ctr);
+#else
 			PUTU32(ctx->Yi.c+12,ctr);
+#endif
 		else
 			ctx->Yi.d[3] = ctr;
 		out += GHASH_CHUNK;
@@ -1362,7 +1455,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
 		(*stream)(in,out,j,key,ctx->Yi.c);
 		ctr += (unsigned int)j;
 		if (is_endian.little)
+#ifdef BSWAP4
+			ctx->Yi.d[3] = BSWAP4(ctr);
+#else
 			PUTU32(ctx->Yi.c+12,ctr);
+#endif
 		else
 			ctx->Yi.d[3] = ctr;
 		out += i;
@@ -1373,7 +1470,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
 		(*ctx->block)(ctx->Yi.c,ctx->EKi.c,key);
 		++ctr;
 		if (is_endian.little)
+#ifdef BSWAP4
+			ctx->Yi.d[3] = BSWAP4(ctr);
+#else
 			PUTU32(ctx->Yi.c+12,ctr);
+#endif
 		else
 			ctx->Yi.d[3] = ctr;
 		while (len--) {
@@ -1669,6 +1770,46 @@ static const u8	IV18[]={0x93,0x13,0x22,0x5d,0xf8,0x84,0x06,0xe5,0x55,0x90,0x9c,0
 			0xa2,0x41,0x89,0x97,0x20,0x0e,0xf8,0x2e,0x44,0xae,0x7e,0x3f},
 		T18[]= {0xa4,0x4a,0x82,0x66,0xee,0x1c,0x8e,0xb0,0xc8,0xb5,0xd4,0xcf,0x5a,0xe9,0xf1,0x9a};
 
+/* Test Case 19 */
+#define K19 K1
+#define P19 P1
+#define IV19 IV1
+#define C19 C1
+static const u8 A19[]= {0xd9,0x31,0x32,0x25,0xf8,0x84,0x06,0xe5,0xa5,0x59,0x09,0xc5,0xaf,0xf5,0x26,0x9a,
+			0x86,0xa7,0xa9,0x53,0x15,0x34,0xf7,0xda,0x2e,0x4c,0x30,0x3d,0x8a,0x31,0x8a,0x72,
+			0x1c,0x3c,0x0c,0x95,0x95,0x68,0x09,0x53,0x2f,0xcf,0x0e,0x24,0x49,0xa6,0xb5,0x25,
+			0xb1,0x6a,0xed,0xf5,0xaa,0x0d,0xe6,0x57,0xba,0x63,0x7b,0x39,0x1a,0xaf,0xd2,0x55,
+			0x52,0x2d,0xc1,0xf0,0x99,0x56,0x7d,0x07,0xf4,0x7f,0x37,0xa3,0x2a,0x84,0x42,0x7d,
+			0x64,0x3a,0x8c,0xdc,0xbf,0xe5,0xc0,0xc9,0x75,0x98,0xa2,0xbd,0x25,0x55,0xd1,0xaa,
+			0x8c,0xb0,0x8e,0x48,0x59,0x0d,0xbb,0x3d,0xa7,0xb0,0x8b,0x10,0x56,0x82,0x88,0x38,
+			0xc5,0xf6,0x1e,0x63,0x93,0xba,0x7a,0x0a,0xbc,0xc9,0xf6,0x62,0x89,0x80,0x15,0xad},
+		T19[]= {0x5f,0xea,0x79,0x3a,0x2d,0x6f,0x97,0x4d,0x37,0xe6,0x8e,0x0c,0xb8,0xff,0x94,0x92};
+
+/* Test Case 20 */
+#define K20 K1
+#define A20 A1
+static const u8 IV20[64]={0xff,0xff,0xff,0xff},	/* this results in 0xff in counter LSB */
+		P20[288],
+		C20[]= {0x56,0xb3,0x37,0x3c,0xa9,0xef,0x6e,0x4a,0x2b,0x64,0xfe,0x1e,0x9a,0x17,0xb6,0x14,
+			0x25,0xf1,0x0d,0x47,0xa7,0x5a,0x5f,0xce,0x13,0xef,0xc6,0xbc,0x78,0x4a,0xf2,0x4f,
+			0x41,0x41,0xbd,0xd4,0x8c,0xf7,0xc7,0x70,0x88,0x7a,0xfd,0x57,0x3c,0xca,0x54,0x18,
+			0xa9,0xae,0xff,0xcd,0x7c,0x5c,0xed,0xdf,0xc6,0xa7,0x83,0x97,0xb9,0xa8,0x5b,0x49,
+			0x9d,0xa5,0x58,0x25,0x72,0x67,0xca,0xab,0x2a,0xd0,0xb2,0x3c,0xa4,0x76,0xa5,0x3c,
+			0xb1,0x7f,0xb4,0x1c,0x4b,0x8b,0x47,0x5c,0xb4,0xf3,0xf7,0x16,0x50,0x94,0xc2,0x29,
+			0xc9,0xe8,0xc4,0xdc,0x0a,0x2a,0x5f,0xf1,0x90,0x3e,0x50,0x15,0x11,0x22,0x13,0x76,
+			0xa1,0xcd,0xb8,0x36,0x4c,0x50,0x61,0xa2,0x0c,0xae,0x74,0xbc,0x4a,0xcd,0x76,0xce,
+			0xb0,0xab,0xc9,0xfd,0x32,0x17,0xef,0x9f,0x8c,0x90,0xbe,0x40,0x2d,0xdf,0x6d,0x86,
+			0x97,0xf4,0xf8,0x80,0xdf,0xf1,0x5b,0xfb,0x7a,0x6b,0x28,0x24,0x1e,0xc8,0xfe,0x18,
+			0x3c,0x2d,0x59,0xe3,0xf9,0xdf,0xff,0x65,0x3c,0x71,0x26,0xf0,0xac,0xb9,0xe6,0x42,
+			0x11,0xf4,0x2b,0xae,0x12,0xaf,0x46,0x2b,0x10,0x70,0xbe,0xf1,0xab,0x5e,0x36,0x06,
+			0x87,0x2c,0xa1,0x0d,0xee,0x15,0xb3,0x24,0x9b,0x1a,0x1b,0x95,0x8f,0x23,0x13,0x4c,
+			0x4b,0xcc,0xb7,0xd0,0x32,0x00,0xbc,0xe4,0x20,0xa2,0xf8,0xeb,0x66,0xdc,0xf3,0x64,
+			0x4d,0x14,0x23,0xc1,0xb5,0x69,0x90,0x03,0xc1,0x3e,0xce,0xf4,0xbf,0x38,0xa3,0xb6,
+			0x0e,0xed,0xc3,0x40,0x33,0xba,0xc1,0x90,0x27,0x83,0xdc,0x6d,0x89,0xe2,0xe7,0x74,
+			0x18,0x8a,0x43,0x9c,0x7e,0xbc,0xc0,0x67,0x2d,0xbd,0xa4,0xdd,0xcf,0xb2,0x79,0x46,
+			0x13,0xb0,0xbe,0x41,0x31,0x5e,0xf7,0x78,0x70,0x8a,0x70,0xee,0x7d,0x75,0x16,0x5c},
+		T20[]= {0x8b,0x30,0x7f,0x6b,0x33,0x28,0x6d,0x0a,0xb0,0x26,0xa9,0xed,0x3f,0xe1,0xe8,0x5f};
+
 #define TEST_CASE(n)	do {					\
 	u8 out[sizeof(P##n)];					\
 	AES_set_encrypt_key(K##n,sizeof(K##n)*8,&key);		\
@@ -1713,6 +1854,8 @@ int main()
 	TEST_CASE(16);
 	TEST_CASE(17);
 	TEST_CASE(18);
+	TEST_CASE(19);
+	TEST_CASE(20);
 
 #ifdef OPENSSL_CPUID_OBJ
 	{
@@ -1743,11 +1886,16 @@ int main()
 			ctr_t/(double)sizeof(buf),
 			(gcm_t-ctr_t)/(double)sizeof(buf));
 #ifdef GHASH
-	GHASH(&ctx,buf.c,sizeof(buf));
+	{
+	void (*gcm_ghash_p)(u64 Xi[2],const u128 Htable[16],
+				const u8 *inp,size_t len)	= ctx.ghash;
+
+	GHASH((&ctx),buf.c,sizeof(buf));
 	start = OPENSSL_rdtsc();
-	for (i=0;i<100;++i) GHASH(&ctx,buf.c,sizeof(buf));
+	for (i=0;i<100;++i) GHASH((&ctx),buf.c,sizeof(buf));
 	gcm_t = OPENSSL_rdtsc() - start;
 	printf("%.2f\n",gcm_t/(double)sizeof(buf)/(double)i);
+	}
 #endif
 	}
 #endif

crypto/modes/modes_lcl.h

@@ -29,10 +29,7 @@ typedef unsigned char u8;
 #if defined(__i386)	|| defined(__i386__)	|| \
     defined(__x86_64)	|| defined(__x86_64__)	|| \
     defined(_M_IX86)	|| defined(_M_AMD64)	|| defined(_M_X64) || \
-    defined(__s390__)	|| defined(__s390x__)	|| \
-    ( (defined(__arm__)	|| defined(__arm)) && \
-      (defined(__ARM_ARCH_7__)	|| defined(__ARM_ARCH_7A__) || \
-       defined(__ARM_ARCH_7R__)	|| defined(__ARM_ARCH_7M__)) )
+    defined(__s390__)	|| defined(__s390x__)
 # undef STRICT_ALIGNMENT
 #endif
 
@@ -101,8 +98,8 @@ typedef struct { u64 hi,lo; } u128;
 
 struct gcm128_context {
 	/* Following 6 names follow names in GCM specification */
-	union { u64 u[2]; u32 d[4]; u8 c[16]; }	Yi,EKi,EK0,len,
-						Xi,H;
+	union { u64 u[2]; u32 d[4]; u8 c[16]; size_t t[16/sizeof(size_t)]; }
+	  Yi,EKi,EK0,len,Xi,H;
 	/* Relative position of Xi, H and pre-computed Htable is used
 	 * in some assembler modules, i.e. don't change the order! */
 #if TABLE_BITS==8

crypto/opensslv.h

@@ -25,11 +25,11 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER	0x1000105fL
+#define OPENSSL_VERSION_NUMBER	0x1000107fL
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.1e-fips 11 Feb 2013"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.1g-fips 7 Apr 2014"
 #else
-#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.1e 11 Feb 2013"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.1g 7 Apr 2014"
 #endif
 #define OPENSSL_VERSION_PTEXT	" part of " OPENSSL_VERSION_TEXT
 

crypto/pariscid.pl

@@ -97,33 +97,33 @@ OPENSSL_cleanse
 	.PROC
 	.CALLINFO	NO_CALLS
 	.ENTRY
-	cmpib,*=	0,$len,Ldone
+	cmpib,*=	0,$len,L\$done
 	nop
-	cmpib,*>>=	15,$len,Little
+	cmpib,*>>=	15,$len,L\$ittle
 	ldi		$SIZE_T-1,%r1
 
-Lalign
+L\$align
 	and,*<>		$inp,%r1,%r28
-	b,n		Laligned
+	b,n		L\$aligned
 	stb		%r0,0($inp)
 	ldo		-1($len),$len
-	b		Lalign
+	b		L\$align
 	ldo		1($inp),$inp
 
-Laligned
+L\$aligned
 	andcm		$len,%r1,%r28
-Lot
+L\$ot
 	$ST		%r0,0($inp)
-	addib,*<>	-$SIZE_T,%r28,Lot
+	addib,*<>	-$SIZE_T,%r28,L\$ot
 	ldo		$SIZE_T($inp),$inp
 
 	and,*<>		$len,%r1,$len
-	b,n		Ldone
-Little
+	b,n		L\$done
+L\$ittle
 	stb		%r0,0($inp)
-	addib,*<>	-1,$len,Little
+	addib,*<>	-1,$len,L\$ittle
 	ldo		1($inp),$inp
-Ldone
+L\$done
 	bv		($rp)
 	.EXIT
 	nop
@@ -151,7 +151,7 @@ OPENSSL_instrument_bus
 	ldw		0($out),$tick
 	add		$diff,$tick,$tick
 	stw		$tick,0($out)
-Loop
+L\$oop
 	mfctl		%cr16,$tick
 	sub		$tick,$lasttick,$diff
 	copy		$tick,$lasttick
@@ -161,7 +161,7 @@ Loop
 	add		$diff,$tick,$tick
 	stw		$tick,0($out)
 
-	addib,<>	-1,$cnt,Loop
+	addib,<>	-1,$cnt,L\$oop
 	addi		4,$out,$out
 
 	bv		($rp)
@@ -190,14 +190,14 @@ OPENSSL_instrument_bus2
 	mfctl		%cr16,$tick
 	sub		$tick,$lasttick,$diff
 	copy		$tick,$lasttick
-Loop2
+L\$oop2
 	copy		$diff,$lastdiff
 	fdc		0($out)
 	ldw		0($out),$tick
 	add		$diff,$tick,$tick
 	stw		$tick,0($out)
 
-	addib,=		-1,$max,Ldone2
+	addib,=		-1,$max,L\$done2
 	nop
 
 	mfctl		%cr16,$tick
@@ -208,17 +208,18 @@ Loop2
 
 	ldi		1,%r1
 	xor		%r1,$tick,$tick
-	addb,<>		$tick,$cnt,Loop2
+	addb,<>		$tick,$cnt,L\$oop2
 	shladd,l	$tick,2,$out,$out
-Ldone2
+L\$done2
 	bv		($rp)
 	.EXIT
 	add		$rv,$cnt,$rv
 	.PROCEND
 ___
 }
-$code =~ s/cmpib,\*/comib,/gm if ($SIZE_T==4);
-$code =~ s/,\*/,/gm if ($SIZE_T==4);
+$code =~ s/cmpib,\*/comib,/gm	if ($SIZE_T==4);
+$code =~ s/,\*/,/gm		if ($SIZE_T==4);
+$code =~ s/\bbv\b/bve/gm	if ($SIZE_T==8);
 print $code;
 close STDOUT;
 

crypto/pem/pem_info.c

@@ -167,6 +167,7 @@ start:
 #ifndef OPENSSL_NO_RSA
 			if (strcmp(name,PEM_STRING_RSA) == 0)
 			{
+			d2i=(D2I_OF(void))d2i_RSAPrivateKey;
 			if (xi->x_pkey != NULL) 
 				{
 				if (!sk_X509_INFO_push(ret,xi)) goto err;

crypto/pkcs12/p12_crt.c

@@ -90,7 +90,14 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
 
 	/* Set defaults */
 	if (!nid_cert)
+		{
+#ifdef OPENSSL_FIPS
+		if (FIPS_mode())
+			nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+		else
+#endif
 		nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
+		}
 	if (!nid_key)
 		nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
 	if (!iter)

crypto/rand/md_rand.c

@@ -198,6 +198,9 @@ static void ssleay_rand_add(const void *buf, int num, double add)
 	EVP_MD_CTX m;
 	int do_not_lock;
 
+	if (!num)
+		return;
+
 	/*
 	 * (Based on the rand(3) manpage)
 	 *
@@ -380,8 +383,11 @@ static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)
 	 * are fed into the hash function and the results are kept in the
 	 * global 'md'.
 	 */
-
-	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+#ifdef OPENSSL_FIPS
+	/* NB: in FIPS mode we are already under a lock */
+	if (!FIPS_mode())
+#endif
+		CRYPTO_w_lock(CRYPTO_LOCK_RAND);
 
 	/* prevent ssleay_rand_bytes() from trying to obtain the lock again */
 	CRYPTO_w_lock(CRYPTO_LOCK_RAND2);
@@ -460,7 +466,10 @@ static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)
 
 	/* before unlocking, we must clear 'crypto_lock_rand' */
 	crypto_lock_rand = 0;
-	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+#ifdef OPENSSL_FIPS
+	if (!FIPS_mode())
+#endif
+		CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 
 	while (num > 0)
 		{
@@ -512,10 +521,16 @@ static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)
 	MD_Init(&m);
 	MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
 	MD_Update(&m,local_md,MD_DIGEST_LENGTH);
-	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+#ifdef OPENSSL_FIPS
+	if (!FIPS_mode())
+#endif
+		CRYPTO_w_lock(CRYPTO_LOCK_RAND);
 	MD_Update(&m,md,MD_DIGEST_LENGTH);
 	MD_Final(&m,md);
-	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+#ifdef OPENSSL_FIPS
+	if (!FIPS_mode())
+#endif
+		CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 
 	EVP_MD_CTX_cleanup(&m);
 	if (ok)

crypto/rand/rand.h

@@ -138,6 +138,7 @@ void ERR_load_RAND_strings(void);
 #define RAND_F_SSLEAY_RAND_BYTES			 100
 
 /* Reason codes. */
+#define RAND_R_DUAL_EC_DRBG_DISABLED			 104
 #define RAND_R_ERROR_INITIALISING_DRBG			 102
 #define RAND_R_ERROR_INSTANTIATING_DRBG			 103
 #define RAND_R_NO_FIPS_RANDOM_METHOD_SET		 101

crypto/rand/rand_err.c

@@ -78,6 +78,7 @@ static ERR_STRING_DATA RAND_str_functs[]=
 
 static ERR_STRING_DATA RAND_str_reasons[]=
 	{
+{ERR_REASON(RAND_R_DUAL_EC_DRBG_DISABLED),"dual ec drbg disabled"},
 {ERR_REASON(RAND_R_ERROR_INITIALISING_DRBG),"error initialising drbg"},
 {ERR_REASON(RAND_R_ERROR_INSTANTIATING_DRBG),"error instantiating drbg"},
 {ERR_REASON(RAND_R_NO_FIPS_RANDOM_METHOD_SET),"no fips random method set"},

crypto/rand/rand_lib.c

@@ -269,6 +269,14 @@ int RAND_init_fips(void)
 	DRBG_CTX *dctx;
 	size_t plen;
 	unsigned char pers[32], *p;
+#ifndef OPENSSL_ALLOW_DUAL_EC_DRBG
+	if (fips_drbg_type >> 16)
+		{
+		RANDerr(RAND_F_RAND_INIT_FIPS, RAND_R_DUAL_EC_DRBG_DISABLED);
+		return 0;
+		}
+#endif
+		
 	dctx = FIPS_get_default_drbg();
         if (FIPS_drbg_init(dctx, fips_drbg_type, fips_drbg_flags) <= 0)
 		{

crypto/rand/rand_win.c

@@ -750,7 +750,7 @@ static void readscreen(void)
   int		y;		/* y-coordinate of screen lines to grab */
   int		n = 16;		/* number of screen lines to grab at a time */
 
-  if (GetVersion() < 0x80000000 && OPENSSL_isservice()>0)
+  if (check_winnt() && OPENSSL_isservice()>0)
     return;
 
   /* Create a screen DC and a memory DC compatible to screen DC */

crypto/rc4/asm/rc4-parisc.pl

@@ -307,7 +307,8 @@ L\$opts
 	.STRINGZ "RC4 for PA-RISC, CRYPTOGAMS by <appro\@openssl.org>"
 ___
 $code =~ s/\`([^\`]*)\`/eval $1/gem;
-$code =~ s/cmpib,\*/comib,/gm if ($SIZE_T==4);
+$code =~ s/cmpib,\*/comib,/gm	if ($SIZE_T==4);
+$code =~ s/\bbv\b/bve/gm	if ($SIZE_T==8);
 
 print $code;
 close STDOUT;

crypto/rsa/rsa_ameth.c

@@ -351,27 +351,27 @@ static int rsa_pss_param_print(BIO *bp, RSA_PSS_PARAMS *pss,
 
 	if (!BIO_indent(bp, indent, 128))
 		goto err;
-	if (BIO_puts(bp, "Salt Length: ") <= 0)
+	if (BIO_puts(bp, "Salt Length: 0x") <= 0)
 			goto err;
 	if (pss->saltLength)
 		{
 		if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0)
 			goto err;
 		}
-	else if (BIO_puts(bp, "20 (default)") <= 0)
+	else if (BIO_puts(bp, "0x14 (default)") <= 0)
 		goto err;
 	BIO_puts(bp, "\n");
 
 	if (!BIO_indent(bp, indent, 128))
 		goto err;
-	if (BIO_puts(bp, "Trailer Field: ") <= 0)
+	if (BIO_puts(bp, "Trailer Field: 0x") <= 0)
 			goto err;
 	if (pss->trailerField)
 		{
 		if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0)
 			goto err;
 		}
-	else if (BIO_puts(bp, "0xbc (default)") <= 0)
+	else if (BIO_puts(bp, "BC (default)") <= 0)
 		goto err;
 	BIO_puts(bp, "\n");
 	

crypto/rsa/rsa_chk.c

@@ -59,6 +59,12 @@ int RSA_check_key(const RSA *key)
 	BN_CTX *ctx;
 	int r;
 	int ret=1;
+
+	if (!key->p || !key->q || !key->n || !key->e || !key->d)
+		{
+		RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_VALUE_MISSING);
+		return 0;
+		}
 	
 	i = BN_new();
 	j = BN_new();

crypto/rsa/rsa_pmeth.c

@@ -611,6 +611,8 @@ static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx,
 			pm = RSA_NO_PADDING;
 		else if (!strcmp(value, "oeap"))
 			pm = RSA_PKCS1_OAEP_PADDING;
+		else if (!strcmp(value, "oaep"))
+			pm = RSA_PKCS1_OAEP_PADDING;
 		else if (!strcmp(value, "x931"))
 			pm = RSA_X931_PADDING;
 		else if (!strcmp(value, "pss"))

crypto/sha/Makefile

@@ -60,7 +60,9 @@ sha256-armv4.S: asm/sha256-armv4.pl
 	$(PERL) $< $(PERLASM_SCHEME) $@
 
 sha1-alpha.s:	asm/sha1-alpha.pl
-	$(PERL) $< | $(CC) -E - | tee $@ > /dev/null
+	(preproc=/tmp/$$$$.$@; trap "rm $$preproc" INT; \
+	$(PERL) asm/sha1-alpha.pl > $$preproc && \
+	$(CC) -E $$preproc > $@ && rm $$preproc)
 
 # Solaris make has to be explicitly told
 sha1-x86_64.s:	asm/sha1-x86_64.pl;	$(PERL) asm/sha1-x86_64.pl $(PERLASM_SCHEME) > $@

crypto/sha/asm/sha1-parisc.pl

@@ -254,6 +254,7 @@ $code.=<<___;
 ___
 
 $code =~ s/\`([^\`]*)\`/eval $1/gem;
-$code =~ s/,\*/,/gm if ($SIZE_T==4);
+$code =~ s/,\*/,/gm		if ($SIZE_T==4);
+$code =~ s/\bbv\b/bve/gm	if ($SIZE_T==8);
 print $code;
 close STDOUT;

crypto/sha/asm/sha1-x86_64.pl

@@ -745,7 +745,7 @@ $code.=<<___;
 	mov	%rdi,$ctx	# reassigned argument
 	mov	%rsi,$inp	# reassigned argument
 	mov	%rdx,$num	# reassigned argument
-	vzeroall
+	vzeroupper
 
 	shl	\$6,$num
 	add	$inp,$num
@@ -1038,7 +1038,7 @@ ___
 	&Xtail_avx(\&body_20_39);
 
 $code.=<<___;
-	vzeroall
+	vzeroupper
 
 	add	0($ctx),$A			# update context
 	add	4($ctx),@T[0]

crypto/sha/asm/sha512-mips.pl

@@ -351,7 +351,7 @@ $code.=<<___;
 	$ST	$G,6*$SZ($ctx)
 	$ST	$H,7*$SZ($ctx)
 
-	bnel	$inp,@X[15],.Loop
+	bne	$inp,@X[15],.Loop
 	$PTR_SUB $Ktbl,`($rounds-16)*$SZ`	# rewind $Ktbl
 
 	$REG_L	$ra,$FRAMESIZE-1*$SZREG($sp)

crypto/sha/asm/sha512-parisc.pl

@@ -785,6 +785,8 @@ foreach (split("\n",$code)) {
 
 	s/cmpb,\*/comb,/ if ($SIZE_T==4);
 
+	s/\bbv\b/bve/    if ($SIZE_T==8);
+
 	print $_,"\n";
 }
 

crypto/sha/sha512.c

@@ -232,7 +232,14 @@ int SHA384_Update (SHA512_CTX *c, const void *data, size_t len)
 {   return SHA512_Update (c,data,len);   }
 
 void SHA512_Transform (SHA512_CTX *c, const unsigned char *data)
-{   sha512_block_data_order (c,data,1);  }
+	{
+#ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
+	if ((size_t)data%sizeof(c->u.d[0]) != 0)
+		memcpy(c->u.p,data,sizeof(c->u.p)),
+		data = c->u.p;
+#endif
+	sha512_block_data_order (c,data,1);
+	}
 
 unsigned char *SHA384(const unsigned char *d, size_t n, unsigned char *md)
 	{

crypto/srp/srp_grps.h

@@ -1,22 +1,22 @@
 /* start of generated data */
 
 static BN_ULONG bn_group_1024_value[] = {
-	bn_pack4(9FC6,1D2F,C0EB,06E3),
-	bn_pack4(FD51,38FE,8376,435B),
-	bn_pack4(2FD4,CBF4,976E,AA9A),
-	bn_pack4(68ED,BC3C,0572,6CC0),
-	bn_pack4(C529,F566,660E,57EC),
-	bn_pack4(8255,9B29,7BCF,1885),
-	bn_pack4(CE8E,F4AD,69B1,5D49),
-	bn_pack4(5DC7,D7B4,6154,D6B6),
-	bn_pack4(8E49,5C1D,6089,DAD1),
-	bn_pack4(E0D5,D8E2,50B9,8BE4),
-	bn_pack4(383B,4813,D692,C6E0),
-	bn_pack4(D674,DF74,96EA,81D3),
-	bn_pack4(9EA2,314C,9C25,6576),
-	bn_pack4(6072,6187,75FF,3C0B),
-	bn_pack4(9C33,F80A,FA8F,C5E8),
-	bn_pack4(EEAF,0AB9,ADB3,8DD6)
+	bn_pack4(0x9FC6,0x1D2F,0xC0EB,0x06E3),
+	bn_pack4(0xFD51,0x38FE,0x8376,0x435B),
+	bn_pack4(0x2FD4,0xCBF4,0x976E,0xAA9A),
+	bn_pack4(0x68ED,0xBC3C,0x0572,0x6CC0),
+	bn_pack4(0xC529,0xF566,0x660E,0x57EC),
+	bn_pack4(0x8255,0x9B29,0x7BCF,0x1885),
+	bn_pack4(0xCE8E,0xF4AD,0x69B1,0x5D49),
+	bn_pack4(0x5DC7,0xD7B4,0x6154,0xD6B6),
+	bn_pack4(0x8E49,0x5C1D,0x6089,0xDAD1),
+	bn_pack4(0xE0D5,0xD8E2,0x50B9,0x8BE4),
+	bn_pack4(0x383B,0x4813,0xD692,0xC6E0),
+	bn_pack4(0xD674,0xDF74,0x96EA,0x81D3),
+	bn_pack4(0x9EA2,0x314C,0x9C25,0x6576),
+	bn_pack4(0x6072,0x6187,0x75FF,0x3C0B),
+	bn_pack4(0x9C33,0xF80A,0xFA8F,0xC5E8),
+	bn_pack4(0xEEAF,0x0AB9,0xADB3,0x8DD6)
 };
 static BIGNUM bn_group_1024 = {
 	bn_group_1024_value,
@@ -27,30 +27,30 @@ static BIGNUM bn_group_1024 = {
 };
 
 static BN_ULONG bn_group_1536_value[] = {
-	bn_pack4(CF76,E3FE,D135,F9BB),
-	bn_pack4(1518,0F93,499A,234D),
-	bn_pack4(8CE7,A28C,2442,C6F3),
-	bn_pack4(5A02,1FFF,5E91,479E),
-	bn_pack4(7F8A,2FE9,B8B5,292E),
-	bn_pack4(837C,264A,E3A9,BEB8),
-	bn_pack4(E442,734A,F7CC,B7AE),
-	bn_pack4(6577,2E43,7D6C,7F8C),
-	bn_pack4(DB2F,D53D,24B7,C486),
-	bn_pack4(6EDF,0195,3934,9627),
-	bn_pack4(158B,FD3E,2B9C,8CF5),
-	bn_pack4(764E,3F4B,53DD,9DA1),
-	bn_pack4(4754,8381,DBC5,B1FC),
-	bn_pack4(9B60,9E0B,E3BA,B63D),
-	bn_pack4(8134,B1C8,B979,8914),
-	bn_pack4(DF02,8A7C,EC67,F0D0),
-	bn_pack4(80B6,55BB,9A22,E8DC),
-	bn_pack4(1558,903B,A0D0,F843),
-	bn_pack4(51C6,A94B,E460,7A29),
-	bn_pack4(5F4F,5F55,6E27,CBDE),
-	bn_pack4(BEEE,A961,4B19,CC4D),
-	bn_pack4(DBA5,1DF4,99AC,4C80),
-	bn_pack4(B1F1,2A86,17A4,7BBB),
-	bn_pack4(9DEF,3CAF,B939,277A)
+	bn_pack4(0xCF76,0xE3FE,0xD135,0xF9BB),
+	bn_pack4(0x1518,0x0F93,0x499A,0x234D),
+	bn_pack4(0x8CE7,0xA28C,0x2442,0xC6F3),
+	bn_pack4(0x5A02,0x1FFF,0x5E91,0x479E),
+	bn_pack4(0x7F8A,0x2FE9,0xB8B5,0x292E),
+	bn_pack4(0x837C,0x264A,0xE3A9,0xBEB8),
+	bn_pack4(0xE442,0x734A,0xF7CC,0xB7AE),
+	bn_pack4(0x6577,0x2E43,0x7D6C,0x7F8C),
+	bn_pack4(0xDB2F,0xD53D,0x24B7,0xC486),
+	bn_pack4(0x6EDF,0x0195,0x3934,0x9627),
+	bn_pack4(0x158B,0xFD3E,0x2B9C,0x8CF5),
+	bn_pack4(0x764E,0x3F4B,0x53DD,0x9DA1),
+	bn_pack4(0x4754,0x8381,0xDBC5,0xB1FC),
+	bn_pack4(0x9B60,0x9E0B,0xE3BA,0xB63D),
+	bn_pack4(0x8134,0xB1C8,0xB979,0x8914),
+	bn_pack4(0xDF02,0x8A7C,0xEC67,0xF0D0),
+	bn_pack4(0x80B6,0x55BB,0x9A22,0xE8DC),
+	bn_pack4(0x1558,0x903B,0xA0D0,0xF843),
+	bn_pack4(0x51C6,0xA94B,0xE460,0x7A29),
+	bn_pack4(0x5F4F,0x5F55,0x6E27,0xCBDE),
+	bn_pack4(0xBEEE,0xA961,0x4B19,0xCC4D),
+	bn_pack4(0xDBA5,0x1DF4,0x99AC,0x4C80),
+	bn_pack4(0xB1F1,0x2A86,0x17A4,0x7BBB),
+	bn_pack4(0x9DEF,0x3CAF,0xB939,0x277A)
 };
 static BIGNUM bn_group_1536 = {
 	bn_group_1536_value,
@@ -61,38 +61,38 @@ static BIGNUM bn_group_1536 = {
 };
 
 static BN_ULONG bn_group_2048_value[] = {
-	bn_pack4(0FA7,111F,9E4A,FF73),
-	bn_pack4(9B65,E372,FCD6,8EF2),
-	bn_pack4(35DE,236D,525F,5475),
-	bn_pack4(94B5,C803,D89F,7AE4),
-	bn_pack4(71AE,35F8,E9DB,FBB6),
-	bn_pack4(2A56,98F3,A8D0,C382),
-	bn_pack4(9CCC,041C,7BC3,08D8),
-	bn_pack4(AF87,4E73,03CE,5329),
-	bn_pack4(6160,2790,04E5,7AE6),
-	bn_pack4(032C,FBDB,F52F,B378),
-	bn_pack4(5EA7,7A27,75D2,ECFA),
-	bn_pack4(5445,23B5,24B0,D57D),
-	bn_pack4(5B9D,32E6,88F8,7748),
-	bn_pack4(F1D2,B907,8717,461A),
-	bn_pack4(76BD,207A,436C,6481),
-	bn_pack4(CA97,B43A,23FB,8016),
-	bn_pack4(1D28,1E44,6B14,773B),
-	bn_pack4(7359,D041,D5C3,3EA7),
-	bn_pack4(A80D,740A,DBF4,FF74),
-	bn_pack4(55F9,7993,EC97,5EEA),
-	bn_pack4(2918,A996,2F0B,93B8),
-	bn_pack4(661A,05FB,D5FA,AAE8),
-	bn_pack4(CF60,9517,9A16,3AB3),
-	bn_pack4(E808,3969,EDB7,67B0),
-	bn_pack4(CD7F,48A9,DA04,FD50),
-	bn_pack4(D523,12AB,4B03,310D),
-	bn_pack4(8193,E075,7767,A13D),
-	bn_pack4(A373,29CB,B4A0,99ED),
-	bn_pack4(FC31,9294,3DB5,6050),
-	bn_pack4(AF72,B665,1987,EE07),
-	bn_pack4(F166,DE5E,1389,582F),
-	bn_pack4(AC6B,DB41,324A,9A9B)
+	bn_pack4(0x0FA7,0x111F,0x9E4A,0xFF73),
+	bn_pack4(0x9B65,0xE372,0xFCD6,0x8EF2),
+	bn_pack4(0x35DE,0x236D,0x525F,0x5475),
+	bn_pack4(0x94B5,0xC803,0xD89F,0x7AE4),
+	bn_pack4(0x71AE,0x35F8,0xE9DB,0xFBB6),
+	bn_pack4(0x2A56,0x98F3,0xA8D0,0xC382),
+	bn_pack4(0x9CCC,0x041C,0x7BC3,0x08D8),
+	bn_pack4(0xAF87,0x4E73,0x03CE,0x5329),
+	bn_pack4(0x6160,0x2790,0x04E5,0x7AE6),
+	bn_pack4(0x032C,0xFBDB,0xF52F,0xB378),
+	bn_pack4(0x5EA7,0x7A27,0x75D2,0xECFA),
+	bn_pack4(0x5445,0x23B5,0x24B0,0xD57D),
+	bn_pack4(0x5B9D,0x32E6,0x88F8,0x7748),
+	bn_pack4(0xF1D2,0xB907,0x8717,0x461A),
+	bn_pack4(0x76BD,0x207A,0x436C,0x6481),
+	bn_pack4(0xCA97,0xB43A,0x23FB,0x8016),
+	bn_pack4(0x1D28,0x1E44,0x6B14,0x773B),
+	bn_pack4(0x7359,0xD041,0xD5C3,0x3EA7),
+	bn_pack4(0xA80D,0x740A,0xDBF4,0xFF74),
+	bn_pack4(0x55F9,0x7993,0xEC97,0x5EEA),
+	bn_pack4(0x2918,0xA996,0x2F0B,0x93B8),
+	bn_pack4(0x661A,0x05FB,0xD5FA,0xAAE8),
+	bn_pack4(0xCF60,0x9517,0x9A16,0x3AB3),
+	bn_pack4(0xE808,0x3969,0xEDB7,0x67B0),
+	bn_pack4(0xCD7F,0x48A9,0xDA04,0xFD50),
+	bn_pack4(0xD523,0x12AB,0x4B03,0x310D),
+	bn_pack4(0x8193,0xE075,0x7767,0xA13D),
+	bn_pack4(0xA373,0x29CB,0xB4A0,0x99ED),
+	bn_pack4(0xFC31,0x9294,0x3DB5,0x6050),
+	bn_pack4(0xAF72,0xB665,0x1987,0xEE07),
+	bn_pack4(0xF166,0xDE5E,0x1389,0x582F),
+	bn_pack4(0xAC6B,0xDB41,0x324A,0x9A9B)
 };
 static BIGNUM bn_group_2048 = {
 	bn_group_2048_value,
@@ -103,54 +103,54 @@ static BIGNUM bn_group_2048 = {
 };
 
 static BN_ULONG bn_group_3072_value[] = {
-	bn_pack4(FFFF,FFFF,FFFF,FFFF),
-	bn_pack4(4B82,D120,A93A,D2CA),
-	bn_pack4(43DB,5BFC,E0FD,108E),
-	bn_pack4(08E2,4FA0,74E5,AB31),
-	bn_pack4(7709,88C0,BAD9,46E2),
-	bn_pack4(BBE1,1757,7A61,5D6C),
-	bn_pack4(521F,2B18,177B,200C),
-	bn_pack4(D876,0273,3EC8,6A64),
-	bn_pack4(F12F,FA06,D98A,0864),
-	bn_pack4(CEE3,D226,1AD2,EE6B),
-	bn_pack4(1E8C,94E0,4A25,619D),
-	bn_pack4(ABF5,AE8C,DB09,33D7),
-	bn_pack4(B397,0F85,A6E1,E4C7),
-	bn_pack4(8AEA,7157,5D06,0C7D),
-	bn_pack4(ECFB,8504,58DB,EF0A),
-	bn_pack4(A855,21AB,DF1C,BA64),
-	bn_pack4(AD33,170D,0450,7A33),
-	bn_pack4(1572,8E5A,8AAA,C42D),
-	bn_pack4(15D2,2618,98FA,0510),
-	bn_pack4(3995,497C,EA95,6AE5),
-	bn_pack4(DE2B,CBF6,9558,1718),
-	bn_pack4(B5C5,5DF0,6F4C,52C9),
-	bn_pack4(9B27,83A2,EC07,A28F),
-	bn_pack4(E39E,772C,180E,8603),
-	bn_pack4(3290,5E46,2E36,CE3B),
-	bn_pack4(F174,6C08,CA18,217C),
-	bn_pack4(670C,354E,4ABC,9804),
-	bn_pack4(9ED5,2907,7096,966D),
-	bn_pack4(1C62,F356,2085,52BB),
-	bn_pack4(8365,5D23,DCA3,AD96),
-	bn_pack4(6916,3FA8,FD24,CF5F),
-	bn_pack4(98DA,4836,1C55,D39A),
-	bn_pack4(C200,7CB8,A163,BF05),
-	bn_pack4(4928,6651,ECE4,5B3D),
-	bn_pack4(AE9F,2411,7C4B,1FE6),
-	bn_pack4(EE38,6BFB,5A89,9FA5),
-	bn_pack4(0BFF,5CB6,F406,B7ED),
-	bn_pack4(F44C,42E9,A637,ED6B),
-	bn_pack4(E485,B576,625E,7EC6),
-	bn_pack4(4FE1,356D,6D51,C245),
-	bn_pack4(302B,0A6D,F25F,1437),
-	bn_pack4(EF95,19B3,CD3A,431B),
-	bn_pack4(514A,0879,8E34,04DD),
-	bn_pack4(020B,BEA6,3B13,9B22),
-	bn_pack4(2902,4E08,8A67,CC74),
-	bn_pack4(C4C6,628B,80DC,1CD1),
-	bn_pack4(C90F,DAA2,2168,C234),
-	bn_pack4(FFFF,FFFF,FFFF,FFFF)
+	bn_pack4(0xFFFF,0xFFFF,0xFFFF,0xFFFF),
+	bn_pack4(0x4B82,0xD120,0xA93A,0xD2CA),
+	bn_pack4(0x43DB,0x5BFC,0xE0FD,0x108E),
+	bn_pack4(0x08E2,0x4FA0,0x74E5,0xAB31),
+	bn_pack4(0x7709,0x88C0,0xBAD9,0x46E2),
+	bn_pack4(0xBBE1,0x1757,0x7A61,0x5D6C),
+	bn_pack4(0x521F,0x2B18,0x177B,0x200C),
+	bn_pack4(0xD876,0x0273,0x3EC8,0x6A64),
+	bn_pack4(0xF12F,0xFA06,0xD98A,0x0864),
+	bn_pack4(0xCEE3,0xD226,0x1AD2,0xEE6B),
+	bn_pack4(0x1E8C,0x94E0,0x4A25,0x619D),
+	bn_pack4(0xABF5,0xAE8C,0xDB09,0x33D7),
+	bn_pack4(0xB397,0x0F85,0xA6E1,0xE4C7),
+	bn_pack4(0x8AEA,0x7157,0x5D06,0x0C7D),
+	bn_pack4(0xECFB,0x8504,0x58DB,0xEF0A),
+	bn_pack4(0xA855,0x21AB,0xDF1C,0xBA64),
+	bn_pack4(0xAD33,0x170D,0x0450,0x7A33),
+	bn_pack4(0x1572,0x8E5A,0x8AAA,0xC42D),
+	bn_pack4(0x15D2,0x2618,0x98FA,0x0510),
+	bn_pack4(0x3995,0x497C,0xEA95,0x6AE5),
+	bn_pack4(0xDE2B,0xCBF6,0x9558,0x1718),
+	bn_pack4(0xB5C5,0x5DF0,0x6F4C,0x52C9),
+	bn_pack4(0x9B27,0x83A2,0xEC07,0xA28F),
+	bn_pack4(0xE39E,0x772C,0x180E,0x8603),
+	bn_pack4(0x3290,0x5E46,0x2E36,0xCE3B),
+	bn_pack4(0xF174,0x6C08,0xCA18,0x217C),
+	bn_pack4(0x670C,0x354E,0x4ABC,0x9804),
+	bn_pack4(0x9ED5,0x2907,0x7096,0x966D),
+	bn_pack4(0x1C62,0xF356,0x2085,0x52BB),
+	bn_pack4(0x8365,0x5D23,0xDCA3,0xAD96),
+	bn_pack4(0x6916,0x3FA8,0xFD24,0xCF5F),
+	bn_pack4(0x98DA,0x4836,0x1C55,0xD39A),
+	bn_pack4(0xC200,0x7CB8,0xA163,0xBF05),
+	bn_pack4(0x4928,0x6651,0xECE4,0x5B3D),
+	bn_pack4(0xAE9F,0x2411,0x7C4B,0x1FE6),
+	bn_pack4(0xEE38,0x6BFB,0x5A89,0x9FA5),
+	bn_pack4(0x0BFF,0x5CB6,0xF406,0xB7ED),
+	bn_pack4(0xF44C,0x42E9,0xA637,0xED6B),
+	bn_pack4(0xE485,0xB576,0x625E,0x7EC6),
+	bn_pack4(0x4FE1,0x356D,0x6D51,0xC245),
+	bn_pack4(0x302B,0x0A6D,0xF25F,0x1437),
+	bn_pack4(0xEF95,0x19B3,0xCD3A,0x431B),
+	bn_pack4(0x514A,0x0879,0x8E34,0x04DD),
+	bn_pack4(0x020B,0xBEA6,0x3B13,0x9B22),
+	bn_pack4(0x2902,0x4E08,0x8A67,0xCC74),
+	bn_pack4(0xC4C6,0x628B,0x80DC,0x1CD1),
+	bn_pack4(0xC90F,0xDAA2,0x2168,0xC234),
+	bn_pack4(0xFFFF,0xFFFF,0xFFFF,0xFFFF)
 };
 static BIGNUM bn_group_3072 = {
 	bn_group_3072_value,
@@ -161,70 +161,70 @@ static BIGNUM bn_group_3072 = {
 };
 
 static BN_ULONG bn_group_4096_value[] = {
-	bn_pack4(FFFF,FFFF,FFFF,FFFF),
-	bn_pack4(4DF4,35C9,3406,3199),
-	bn_pack4(86FF,B7DC,90A6,C08F),
-	bn_pack4(93B4,EA98,8D8F,DDC1),
-	bn_pack4(D006,9127,D5B0,5AA9),
-	bn_pack4(B81B,DD76,2170,481C),
-	bn_pack4(1F61,2970,CEE2,D7AF),
-	bn_pack4(233B,A186,515B,E7ED),
-	bn_pack4(99B2,964F,A090,C3A2),
-	bn_pack4(287C,5947,4E6B,C05D),
-	bn_pack4(2E8E,FC14,1FBE,CAA6),
-	bn_pack4(DBBB,C2DB,04DE,8EF9),
-	bn_pack4(2583,E9CA,2AD4,4CE8),
-	bn_pack4(1A94,6834,B615,0BDA),
-	bn_pack4(99C3,2718,6AF4,E23C),
-	bn_pack4(8871,9A10,BDBA,5B26),
-	bn_pack4(1A72,3C12,A787,E6D7),
-	bn_pack4(4B82,D120,A921,0801),
-	bn_pack4(43DB,5BFC,E0FD,108E),
-	bn_pack4(08E2,4FA0,74E5,AB31),
-	bn_pack4(7709,88C0,BAD9,46E2),
-	bn_pack4(BBE1,1757,7A61,5D6C),
-	bn_pack4(521F,2B18,177B,200C),
-	bn_pack4(D876,0273,3EC8,6A64),
-	bn_pack4(F12F,FA06,D98A,0864),
-	bn_pack4(CEE3,D226,1AD2,EE6B),
-	bn_pack4(1E8C,94E0,4A25,619D),
-	bn_pack4(ABF5,AE8C,DB09,33D7),
-	bn_pack4(B397,0F85,A6E1,E4C7),
-	bn_pack4(8AEA,7157,5D06,0C7D),
-	bn_pack4(ECFB,8504,58DB,EF0A),
-	bn_pack4(A855,21AB,DF1C,BA64),
-	bn_pack4(AD33,170D,0450,7A33),
-	bn_pack4(1572,8E5A,8AAA,C42D),
-	bn_pack4(15D2,2618,98FA,0510),
-	bn_pack4(3995,497C,EA95,6AE5),
-	bn_pack4(DE2B,CBF6,9558,1718),
-	bn_pack4(B5C5,5DF0,6F4C,52C9),
-	bn_pack4(9B27,83A2,EC07,A28F),
-	bn_pack4(E39E,772C,180E,8603),
-	bn_pack4(3290,5E46,2E36,CE3B),
-	bn_pack4(F174,6C08,CA18,217C),
-	bn_pack4(670C,354E,4ABC,9804),
-	bn_pack4(9ED5,2907,7096,966D),
-	bn_pack4(1C62,F356,2085,52BB),
-	bn_pack4(8365,5D23,DCA3,AD96),
-	bn_pack4(6916,3FA8,FD24,CF5F),
-	bn_pack4(98DA,4836,1C55,D39A),
-	bn_pack4(C200,7CB8,A163,BF05),
-	bn_pack4(4928,6651,ECE4,5B3D),
-	bn_pack4(AE9F,2411,7C4B,1FE6),
-	bn_pack4(EE38,6BFB,5A89,9FA5),
-	bn_pack4(0BFF,5CB6,F406,B7ED),
-	bn_pack4(F44C,42E9,A637,ED6B),
-	bn_pack4(E485,B576,625E,7EC6),
-	bn_pack4(4FE1,356D,6D51,C245),
-	bn_pack4(302B,0A6D,F25F,1437),
-	bn_pack4(EF95,19B3,CD3A,431B),
-	bn_pack4(514A,0879,8E34,04DD),
-	bn_pack4(020B,BEA6,3B13,9B22),
-	bn_pack4(2902,4E08,8A67,CC74),
-	bn_pack4(C4C6,628B,80DC,1CD1),
-	bn_pack4(C90F,DAA2,2168,C234),
-	bn_pack4(FFFF,FFFF,FFFF,FFFF)
+	bn_pack4(0xFFFF,0xFFFF,0xFFFF,0xFFFF),
+	bn_pack4(0x4DF4,0x35C9,0x3406,0x3199),
+	bn_pack4(0x86FF,0xB7DC,0x90A6,0xC08F),
+	bn_pack4(0x93B4,0xEA98,0x8D8F,0xDDC1),
+	bn_pack4(0xD006,0x9127,0xD5B0,0x5AA9),
+	bn_pack4(0xB81B,0xDD76,0x2170,0x481C),
+	bn_pack4(0x1F61,0x2970,0xCEE2,0xD7AF),
+	bn_pack4(0x233B,0xA186,0x515B,0xE7ED),
+	bn_pack4(0x99B2,0x964F,0xA090,0xC3A2),
+	bn_pack4(0x287C,0x5947,0x4E6B,0xC05D),
+	bn_pack4(0x2E8E,0xFC14,0x1FBE,0xCAA6),
+	bn_pack4(0xDBBB,0xC2DB,0x04DE,0x8EF9),
+	bn_pack4(0x2583,0xE9CA,0x2AD4,0x4CE8),
+	bn_pack4(0x1A94,0x6834,0xB615,0x0BDA),
+	bn_pack4(0x99C3,0x2718,0x6AF4,0xE23C),
+	bn_pack4(0x8871,0x9A10,0xBDBA,0x5B26),
+	bn_pack4(0x1A72,0x3C12,0xA787,0xE6D7),
+	bn_pack4(0x4B82,0xD120,0xA921,0x0801),
+	bn_pack4(0x43DB,0x5BFC,0xE0FD,0x108E),
+	bn_pack4(0x08E2,0x4FA0,0x74E5,0xAB31),
+	bn_pack4(0x7709,0x88C0,0xBAD9,0x46E2),
+	bn_pack4(0xBBE1,0x1757,0x7A61,0x5D6C),
+	bn_pack4(0x521F,0x2B18,0x177B,0x200C),
+	bn_pack4(0xD876,0x0273,0x3EC8,0x6A64),
+	bn_pack4(0xF12F,0xFA06,0xD98A,0x0864),
+	bn_pack4(0xCEE3,0xD226,0x1AD2,0xEE6B),
+	bn_pack4(0x1E8C,0x94E0,0x4A25,0x619D),
+	bn_pack4(0xABF5,0xAE8C,0xDB09,0x33D7),
+	bn_pack4(0xB397,0x0F85,0xA6E1,0xE4C7),
+	bn_pack4(0x8AEA,0x7157,0x5D06,0x0C7D),
+	bn_pack4(0xECFB,0x8504,0x58DB,0xEF0A),
+	bn_pack4(0xA855,0x21AB,0xDF1C,0xBA64),
+	bn_pack4(0xAD33,0x170D,0x0450,0x7A33),
+	bn_pack4(0x1572,0x8E5A,0x8AAA,0xC42D),
+	bn_pack4(0x15D2,0x2618,0x98FA,0x0510),
+	bn_pack4(0x3995,0x497C,0xEA95,0x6AE5),
+	bn_pack4(0xDE2B,0xCBF6,0x9558,0x1718),
+	bn_pack4(0xB5C5,0x5DF0,0x6F4C,0x52C9),
+	bn_pack4(0x9B27,0x83A2,0xEC07,0xA28F),
+	bn_pack4(0xE39E,0x772C,0x180E,0x8603),
+	bn_pack4(0x3290,0x5E46,0x2E36,0xCE3B),
+	bn_pack4(0xF174,0x6C08,0xCA18,0x217C),
+	bn_pack4(0x670C,0x354E,0x4ABC,0x9804),
+	bn_pack4(0x9ED5,0x2907,0x7096,0x966D),
+	bn_pack4(0x1C62,0xF356,0x2085,0x52BB),
+	bn_pack4(0x8365,0x5D23,0xDCA3,0xAD96),
+	bn_pack4(0x6916,0x3FA8,0xFD24,0xCF5F),
+	bn_pack4(0x98DA,0x4836,0x1C55,0xD39A),
+	bn_pack4(0xC200,0x7CB8,0xA163,0xBF05),
+	bn_pack4(0x4928,0x6651,0xECE4,0x5B3D),
+	bn_pack4(0xAE9F,0x2411,0x7C4B,0x1FE6),
+	bn_pack4(0xEE38,0x6BFB,0x5A89,0x9FA5),
+	bn_pack4(0x0BFF,0x5CB6,0xF406,0xB7ED),
+	bn_pack4(0xF44C,0x42E9,0xA637,0xED6B),
+	bn_pack4(0xE485,0xB576,0x625E,0x7EC6),
+	bn_pack4(0x4FE1,0x356D,0x6D51,0xC245),
+	bn_pack4(0x302B,0x0A6D,0xF25F,0x1437),
+	bn_pack4(0xEF95,0x19B3,0xCD3A,0x431B),
+	bn_pack4(0x514A,0x0879,0x8E34,0x04DD),
+	bn_pack4(0x020B,0xBEA6,0x3B13,0x9B22),
+	bn_pack4(0x2902,0x4E08,0x8A67,0xCC74),
+	bn_pack4(0xC4C6,0x628B,0x80DC,0x1CD1),
+	bn_pack4(0xC90F,0xDAA2,0x2168,0xC234),
+	bn_pack4(0xFFFF,0xFFFF,0xFFFF,0xFFFF)
 };
 static BIGNUM bn_group_4096 = {
 	bn_group_4096_value,
@@ -235,102 +235,102 @@ static BIGNUM bn_group_4096 = {
 };
 
 static BN_ULONG bn_group_6144_value[] = {
-	bn_pack4(FFFF,FFFF,FFFF,FFFF),
-	bn_pack4(E694,F91E,6DCC,4024),
-	bn_pack4(12BF,2D5B,0B74,74D6),
-	bn_pack4(043E,8F66,3F48,60EE),
-	bn_pack4(387F,E8D7,6E3C,0468),
-	bn_pack4(DA56,C9EC,2EF2,9632),
-	bn_pack4(EB19,CCB1,A313,D55C),
-	bn_pack4(F550,AA3D,8A1F,BFF0),
-	bn_pack4(06A1,D58B,B7C5,DA76),
-	bn_pack4(A797,15EE,F29B,E328),
-	bn_pack4(14CC,5ED2,0F80,37E0),
-	bn_pack4(CC8F,6D7E,BF48,E1D8),
-	bn_pack4(4BD4,07B2,2B41,54AA),
-	bn_pack4(0F1D,45B7,FF58,5AC5),
-	bn_pack4(23A9,7A7E,36CC,88BE),
-	bn_pack4(59E7,C97F,BEC7,E8F3),
-	bn_pack4(B5A8,4031,900B,1C9E),
-	bn_pack4(D55E,702F,4698,0C82),
-	bn_pack4(F482,D7CE,6E74,FEF6),
-	bn_pack4(F032,EA15,D172,1D03),
-	bn_pack4(5983,CA01,C64B,92EC),
-	bn_pack4(6FB8,F401,378C,D2BF),
-	bn_pack4(3320,5151,2BD7,AF42),
-	bn_pack4(DB7F,1447,E6CC,254B),
-	bn_pack4(44CE,6CBA,CED4,BB1B),
-	bn_pack4(DA3E,DBEB,CF9B,14ED),
-	bn_pack4(1797,27B0,865A,8918),
-	bn_pack4(B06A,53ED,9027,D831),
-	bn_pack4(E5DB,382F,4130,01AE),
-	bn_pack4(F8FF,9406,AD9E,530E),
-	bn_pack4(C975,1E76,3DBA,37BD),
-	bn_pack4(C1D4,DCB2,6026,46DE),
-	bn_pack4(36C3,FAB4,D27C,7026),
-	bn_pack4(4DF4,35C9,3402,8492),
-	bn_pack4(86FF,B7DC,90A6,C08F),
-	bn_pack4(93B4,EA98,8D8F,DDC1),
-	bn_pack4(D006,9127,D5B0,5AA9),
-	bn_pack4(B81B,DD76,2170,481C),
-	bn_pack4(1F61,2970,CEE2,D7AF),
-	bn_pack4(233B,A186,515B,E7ED),
-	bn_pack4(99B2,964F,A090,C3A2),
-	bn_pack4(287C,5947,4E6B,C05D),
-	bn_pack4(2E8E,FC14,1FBE,CAA6),
-	bn_pack4(DBBB,C2DB,04DE,8EF9),
-	bn_pack4(2583,E9CA,2AD4,4CE8),
-	bn_pack4(1A94,6834,B615,0BDA),
-	bn_pack4(99C3,2718,6AF4,E23C),
-	bn_pack4(8871,9A10,BDBA,5B26),
-	bn_pack4(1A72,3C12,A787,E6D7),
-	bn_pack4(4B82,D120,A921,0801),
-	bn_pack4(43DB,5BFC,E0FD,108E),
-	bn_pack4(08E2,4FA0,74E5,AB31),
-	bn_pack4(7709,88C0,BAD9,46E2),
-	bn_pack4(BBE1,1757,7A61,5D6C),
-	bn_pack4(521F,2B18,177B,200C),
-	bn_pack4(D876,0273,3EC8,6A64),
-	bn_pack4(F12F,FA06,D98A,0864),
-	bn_pack4(CEE3,D226,1AD2,EE6B),
-	bn_pack4(1E8C,94E0,4A25,619D),
-	bn_pack4(ABF5,AE8C,DB09,33D7),
-	bn_pack4(B397,0F85,A6E1,E4C7),
-	bn_pack4(8AEA,7157,5D06,0C7D),
-	bn_pack4(ECFB,8504,58DB,EF0A),
-	bn_pack4(A855,21AB,DF1C,BA64),
-	bn_pack4(AD33,170D,0450,7A33),
-	bn_pack4(1572,8E5A,8AAA,C42D),
-	bn_pack4(15D2,2618,98FA,0510),
-	bn_pack4(3995,497C,EA95,6AE5),
-	bn_pack4(DE2B,CBF6,9558,1718),
-	bn_pack4(B5C5,5DF0,6F4C,52C9),
-	bn_pack4(9B27,83A2,EC07,A28F),
-	bn_pack4(E39E,772C,180E,8603),
-	bn_pack4(3290,5E46,2E36,CE3B),
-	bn_pack4(F174,6C08,CA18,217C),
-	bn_pack4(670C,354E,4ABC,9804),
-	bn_pack4(9ED5,2907,7096,966D),
-	bn_pack4(1C62,F356,2085,52BB),
-	bn_pack4(8365,5D23,DCA3,AD96),
-	bn_pack4(6916,3FA8,FD24,CF5F),
-	bn_pack4(98DA,4836,1C55,D39A),
-	bn_pack4(C200,7CB8,A163,BF05),
-	bn_pack4(4928,6651,ECE4,5B3D),
-	bn_pack4(AE9F,2411,7C4B,1FE6),
-	bn_pack4(EE38,6BFB,5A89,9FA5),
-	bn_pack4(0BFF,5CB6,F406,B7ED),
-	bn_pack4(F44C,42E9,A637,ED6B),
-	bn_pack4(E485,B576,625E,7EC6),
-	bn_pack4(4FE1,356D,6D51,C245),
-	bn_pack4(302B,0A6D,F25F,1437),
-	bn_pack4(EF95,19B3,CD3A,431B),
-	bn_pack4(514A,0879,8E34,04DD),
-	bn_pack4(020B,BEA6,3B13,9B22),
-	bn_pack4(2902,4E08,8A67,CC74),
-	bn_pack4(C4C6,628B,80DC,1CD1),
-	bn_pack4(C90F,DAA2,2168,C234),
-	bn_pack4(FFFF,FFFF,FFFF,FFFF)
+	bn_pack4(0xFFFF,0xFFFF,0xFFFF,0xFFFF),
+	bn_pack4(0xE694,0xF91E,0x6DCC,0x4024),
+	bn_pack4(0x12BF,0x2D5B,0x0B74,0x74D6),
+	bn_pack4(0x043E,0x8F66,0x3F48,0x60EE),
+	bn_pack4(0x387F,0xE8D7,0x6E3C,0x0468),
+	bn_pack4(0xDA56,0xC9EC,0x2EF2,0x9632),
+	bn_pack4(0xEB19,0xCCB1,0xA313,0xD55C),
+	bn_pack4(0xF550,0xAA3D,0x8A1F,0xBFF0),
+	bn_pack4(0x06A1,0xD58B,0xB7C5,0xDA76),
+	bn_pack4(0xA797,0x15EE,0xF29B,0xE328),
+	bn_pack4(0x14CC,0x5ED2,0x0F80,0x37E0),
+	bn_pack4(0xCC8F,0x6D7E,0xBF48,0xE1D8),
+	bn_pack4(0x4BD4,0x07B2,0x2B41,0x54AA),
+	bn_pack4(0x0F1D,0x45B7,0xFF58,0x5AC5),
+	bn_pack4(0x23A9,0x7A7E,0x36CC,0x88BE),
+	bn_pack4(0x59E7,0xC97F,0xBEC7,0xE8F3),
+	bn_pack4(0xB5A8,0x4031,0x900B,0x1C9E),
+	bn_pack4(0xD55E,0x702F,0x4698,0x0C82),
+	bn_pack4(0xF482,0xD7CE,0x6E74,0xFEF6),
+	bn_pack4(0xF032,0xEA15,0xD172,0x1D03),
+	bn_pack4(0x5983,0xCA01,0xC64B,0x92EC),
+	bn_pack4(0x6FB8,0xF401,0x378C,0xD2BF),
+	bn_pack4(0x3320,0x5151,0x2BD7,0xAF42),
+	bn_pack4(0xDB7F,0x1447,0xE6CC,0x254B),
+	bn_pack4(0x44CE,0x6CBA,0xCED4,0xBB1B),
+	bn_pack4(0xDA3E,0xDBEB,0xCF9B,0x14ED),
+	bn_pack4(0x1797,0x27B0,0x865A,0x8918),
+	bn_pack4(0xB06A,0x53ED,0x9027,0xD831),
+	bn_pack4(0xE5DB,0x382F,0x4130,0x01AE),
+	bn_pack4(0xF8FF,0x9406,0xAD9E,0x530E),
+	bn_pack4(0xC975,0x1E76,0x3DBA,0x37BD),
+	bn_pack4(0xC1D4,0xDCB2,0x6026,0x46DE),
+	bn_pack4(0x36C3,0xFAB4,0xD27C,0x7026),
+	bn_pack4(0x4DF4,0x35C9,0x3402,0x8492),
+	bn_pack4(0x86FF,0xB7DC,0x90A6,0xC08F),
+	bn_pack4(0x93B4,0xEA98,0x8D8F,0xDDC1),
+	bn_pack4(0xD006,0x9127,0xD5B0,0x5AA9),
+	bn_pack4(0xB81B,0xDD76,0x2170,0x481C),
+	bn_pack4(0x1F61,0x2970,0xCEE2,0xD7AF),
+	bn_pack4(0x233B,0xA186,0x515B,0xE7ED),
+	bn_pack4(0x99B2,0x964F,0xA090,0xC3A2),
+	bn_pack4(0x287C,0x5947,0x4E6B,0xC05D),
+	bn_pack4(0x2E8E,0xFC14,0x1FBE,0xCAA6),
+	bn_pack4(0xDBBB,0xC2DB,0x04DE,0x8EF9),
+	bn_pack4(0x2583,0xE9CA,0x2AD4,0x4CE8),
+	bn_pack4(0x1A94,0x6834,0xB615,0x0BDA),
+	bn_pack4(0x99C3,0x2718,0x6AF4,0xE23C),
+	bn_pack4(0x8871,0x9A10,0xBDBA,0x5B26),
+	bn_pack4(0x1A72,0x3C12,0xA787,0xE6D7),
+	bn_pack4(0x4B82,0xD120,0xA921,0x0801),
+	bn_pack4(0x43DB,0x5BFC,0xE0FD,0x108E),
+	bn_pack4(0x08E2,0x4FA0,0x74E5,0xAB31),
+	bn_pack4(0x7709,0x88C0,0xBAD9,0x46E2),
+	bn_pack4(0xBBE1,0x1757,0x7A61,0x5D6C),
+	bn_pack4(0x521F,0x2B18,0x177B,0x200C),
+	bn_pack4(0xD876,0x0273,0x3EC8,0x6A64),
+	bn_pack4(0xF12F,0xFA06,0xD98A,0x0864),
+	bn_pack4(0xCEE3,0xD226,0x1AD2,0xEE6B),
+	bn_pack4(0x1E8C,0x94E0,0x4A25,0x619D),
+	bn_pack4(0xABF5,0xAE8C,0xDB09,0x33D7),
+	bn_pack4(0xB397,0x0F85,0xA6E1,0xE4C7),
+	bn_pack4(0x8AEA,0x7157,0x5D06,0x0C7D),
+	bn_pack4(0xECFB,0x8504,0x58DB,0xEF0A),
+	bn_pack4(0xA855,0x21AB,0xDF1C,0xBA64),
+	bn_pack4(0xAD33,0x170D,0x0450,0x7A33),
+	bn_pack4(0x1572,0x8E5A,0x8AAA,0xC42D),
+	bn_pack4(0x15D2,0x2618,0x98FA,0x0510),
+	bn_pack4(0x3995,0x497C,0xEA95,0x6AE5),
+	bn_pack4(0xDE2B,0xCBF6,0x9558,0x1718),
+	bn_pack4(0xB5C5,0x5DF0,0x6F4C,0x52C9),
+	bn_pack4(0x9B27,0x83A2,0xEC07,0xA28F),
+	bn_pack4(0xE39E,0x772C,0x180E,0x8603),
+	bn_pack4(0x3290,0x5E46,0x2E36,0xCE3B),
+	bn_pack4(0xF174,0x6C08,0xCA18,0x217C),
+	bn_pack4(0x670C,0x354E,0x4ABC,0x9804),
+	bn_pack4(0x9ED5,0x2907,0x7096,0x966D),
+	bn_pack4(0x1C62,0xF356,0x2085,0x52BB),
+	bn_pack4(0x8365,0x5D23,0xDCA3,0xAD96),
+	bn_pack4(0x6916,0x3FA8,0xFD24,0xCF5F),
+	bn_pack4(0x98DA,0x4836,0x1C55,0xD39A),
+	bn_pack4(0xC200,0x7CB8,0xA163,0xBF05),
+	bn_pack4(0x4928,0x6651,0xECE4,0x5B3D),
+	bn_pack4(0xAE9F,0x2411,0x7C4B,0x1FE6),
+	bn_pack4(0xEE38,0x6BFB,0x5A89,0x9FA5),
+	bn_pack4(0x0BFF,0x5CB6,0xF406,0xB7ED),
+	bn_pack4(0xF44C,0x42E9,0xA637,0xED6B),
+	bn_pack4(0xE485,0xB576,0x625E,0x7EC6),
+	bn_pack4(0x4FE1,0x356D,0x6D51,0xC245),
+	bn_pack4(0x302B,0x0A6D,0xF25F,0x1437),
+	bn_pack4(0xEF95,0x19B3,0xCD3A,0x431B),
+	bn_pack4(0x514A,0x0879,0x8E34,0x04DD),
+	bn_pack4(0x020B,0xBEA6,0x3B13,0x9B22),
+	bn_pack4(0x2902,0x4E08,0x8A67,0xCC74),
+	bn_pack4(0xC4C6,0x628B,0x80DC,0x1CD1),
+	bn_pack4(0xC90F,0xDAA2,0x2168,0xC234),
+	bn_pack4(0xFFFF,0xFFFF,0xFFFF,0xFFFF)
 };
 static BIGNUM bn_group_6144 = {
 	bn_group_6144_value,
@@ -341,134 +341,134 @@ static BIGNUM bn_group_6144 = {
 };
 
 static BN_ULONG bn_group_8192_value[] = {
-	bn_pack4(FFFF,FFFF,FFFF,FFFF),
-	bn_pack4(60C9,80DD,98ED,D3DF),
-	bn_pack4(C81F,56E8,80B9,6E71),
-	bn_pack4(9E30,50E2,7656,94DF),
-	bn_pack4(9558,E447,5677,E9AA),
-	bn_pack4(C919,0DA6,FC02,6E47),
-	bn_pack4(889A,002E,D5EE,382B),
-	bn_pack4(4009,438B,481C,6CD7),
-	bn_pack4(3590,46F4,EB87,9F92),
-	bn_pack4(FAF3,6BC3,1ECF,A268),
-	bn_pack4(B1D5,10BD,7EE7,4D73),
-	bn_pack4(F9AB,4819,5DED,7EA1),
-	bn_pack4(64F3,1CC5,0846,851D),
-	bn_pack4(4597,E899,A025,5DC1),
-	bn_pack4(DF31,0EE0,74AB,6A36),
-	bn_pack4(6D2A,13F8,3F44,F82D),
-	bn_pack4(062B,3CF5,B3A2,78A6),
-	bn_pack4(7968,3303,ED5B,DD3A),
-	bn_pack4(FA9D,4B7F,A2C0,87E8),
-	bn_pack4(4BCB,C886,2F83,85DD),
-	bn_pack4(3473,FC64,6CEA,306B),
-	bn_pack4(13EB,57A8,1A23,F0C7),
-	bn_pack4(2222,2E04,A403,7C07),
-	bn_pack4(E3FD,B8BE,FC84,8AD9),
-	bn_pack4(238F,16CB,E39D,652D),
-	bn_pack4(3423,B474,2BF1,C978),
-	bn_pack4(3AAB,639C,5AE4,F568),
-	bn_pack4(2576,F693,6BA4,2466),
-	bn_pack4(741F,A7BF,8AFC,47ED),
-	bn_pack4(3BC8,32B6,8D9D,D300),
-	bn_pack4(D8BE,C4D0,73B9,31BA),
-	bn_pack4(3877,7CB6,A932,DF8C),
-	bn_pack4(74A3,926F,12FE,E5E4),
-	bn_pack4(E694,F91E,6DBE,1159),
-	bn_pack4(12BF,2D5B,0B74,74D6),
-	bn_pack4(043E,8F66,3F48,60EE),
-	bn_pack4(387F,E8D7,6E3C,0468),
-	bn_pack4(DA56,C9EC,2EF2,9632),
-	bn_pack4(EB19,CCB1,A313,D55C),
-	bn_pack4(F550,AA3D,8A1F,BFF0),
-	bn_pack4(06A1,D58B,B7C5,DA76),
-	bn_pack4(A797,15EE,F29B,E328),
-	bn_pack4(14CC,5ED2,0F80,37E0),
-	bn_pack4(CC8F,6D7E,BF48,E1D8),
-	bn_pack4(4BD4,07B2,2B41,54AA),
-	bn_pack4(0F1D,45B7,FF58,5AC5),
-	bn_pack4(23A9,7A7E,36CC,88BE),
-	bn_pack4(59E7,C97F,BEC7,E8F3),
-	bn_pack4(B5A8,4031,900B,1C9E),
-	bn_pack4(D55E,702F,4698,0C82),
-	bn_pack4(F482,D7CE,6E74,FEF6),
-	bn_pack4(F032,EA15,D172,1D03),
-	bn_pack4(5983,CA01,C64B,92EC),
-	bn_pack4(6FB8,F401,378C,D2BF),
-	bn_pack4(3320,5151,2BD7,AF42),
-	bn_pack4(DB7F,1447,E6CC,254B),
-	bn_pack4(44CE,6CBA,CED4,BB1B),
-	bn_pack4(DA3E,DBEB,CF9B,14ED),
-	bn_pack4(1797,27B0,865A,8918),
-	bn_pack4(B06A,53ED,9027,D831),
-	bn_pack4(E5DB,382F,4130,01AE),
-	bn_pack4(F8FF,9406,AD9E,530E),
-	bn_pack4(C975,1E76,3DBA,37BD),
-	bn_pack4(C1D4,DCB2,6026,46DE),
-	bn_pack4(36C3,FAB4,D27C,7026),
-	bn_pack4(4DF4,35C9,3402,8492),
-	bn_pack4(86FF,B7DC,90A6,C08F),
-	bn_pack4(93B4,EA98,8D8F,DDC1),
-	bn_pack4(D006,9127,D5B0,5AA9),
-	bn_pack4(B81B,DD76,2170,481C),
-	bn_pack4(1F61,2970,CEE2,D7AF),
-	bn_pack4(233B,A186,515B,E7ED),
-	bn_pack4(99B2,964F,A090,C3A2),
-	bn_pack4(287C,5947,4E6B,C05D),
-	bn_pack4(2E8E,FC14,1FBE,CAA6),
-	bn_pack4(DBBB,C2DB,04DE,8EF9),
-	bn_pack4(2583,E9CA,2AD4,4CE8),
-	bn_pack4(1A94,6834,B615,0BDA),
-	bn_pack4(99C3,2718,6AF4,E23C),
-	bn_pack4(8871,9A10,BDBA,5B26),
-	bn_pack4(1A72,3C12,A787,E6D7),
-	bn_pack4(4B82,D120,A921,0801),
-	bn_pack4(43DB,5BFC,E0FD,108E),
-	bn_pack4(08E2,4FA0,74E5,AB31),
-	bn_pack4(7709,88C0,BAD9,46E2),
-	bn_pack4(BBE1,1757,7A61,5D6C),
-	bn_pack4(521F,2B18,177B,200C),
-	bn_pack4(D876,0273,3EC8,6A64),
-	bn_pack4(F12F,FA06,D98A,0864),
-	bn_pack4(CEE3,D226,1AD2,EE6B),
-	bn_pack4(1E8C,94E0,4A25,619D),
-	bn_pack4(ABF5,AE8C,DB09,33D7),
-	bn_pack4(B397,0F85,A6E1,E4C7),
-	bn_pack4(8AEA,7157,5D06,0C7D),
-	bn_pack4(ECFB,8504,58DB,EF0A),
-	bn_pack4(A855,21AB,DF1C,BA64),
-	bn_pack4(AD33,170D,0450,7A33),
-	bn_pack4(1572,8E5A,8AAA,C42D),
-	bn_pack4(15D2,2618,98FA,0510),
-	bn_pack4(3995,497C,EA95,6AE5),
-	bn_pack4(DE2B,CBF6,9558,1718),
-	bn_pack4(B5C5,5DF0,6F4C,52C9),
-	bn_pack4(9B27,83A2,EC07,A28F),
-	bn_pack4(E39E,772C,180E,8603),
-	bn_pack4(3290,5E46,2E36,CE3B),
-	bn_pack4(F174,6C08,CA18,217C),
-	bn_pack4(670C,354E,4ABC,9804),
-	bn_pack4(9ED5,2907,7096,966D),
-	bn_pack4(1C62,F356,2085,52BB),
-	bn_pack4(8365,5D23,DCA3,AD96),
-	bn_pack4(6916,3FA8,FD24,CF5F),
-	bn_pack4(98DA,4836,1C55,D39A),
-	bn_pack4(C200,7CB8,A163,BF05),
-	bn_pack4(4928,6651,ECE4,5B3D),
-	bn_pack4(AE9F,2411,7C4B,1FE6),
-	bn_pack4(EE38,6BFB,5A89,9FA5),
-	bn_pack4(0BFF,5CB6,F406,B7ED),
-	bn_pack4(F44C,42E9,A637,ED6B),
-	bn_pack4(E485,B576,625E,7EC6),
-	bn_pack4(4FE1,356D,6D51,C245),
-	bn_pack4(302B,0A6D,F25F,1437),
-	bn_pack4(EF95,19B3,CD3A,431B),
-	bn_pack4(514A,0879,8E34,04DD),
-	bn_pack4(020B,BEA6,3B13,9B22),
-	bn_pack4(2902,4E08,8A67,CC74),
-	bn_pack4(C4C6,628B,80DC,1CD1),
-	bn_pack4(C90F,DAA2,2168,C234),
-	bn_pack4(FFFF,FFFF,FFFF,FFFF)
+	bn_pack4(0xFFFF,0xFFFF,0xFFFF,0xFFFF),
+	bn_pack4(0x60C9,0x80DD,0x98ED,0xD3DF),
+	bn_pack4(0xC81F,0x56E8,0x80B9,0x6E71),
+	bn_pack4(0x9E30,0x50E2,0x7656,0x94DF),
+	bn_pack4(0x9558,0xE447,0x5677,0xE9AA),
+	bn_pack4(0xC919,0x0DA6,0xFC02,0x6E47),
+	bn_pack4(0x889A,0x002E,0xD5EE,0x382B),
+	bn_pack4(0x4009,0x438B,0x481C,0x6CD7),
+	bn_pack4(0x3590,0x46F4,0xEB87,0x9F92),
+	bn_pack4(0xFAF3,0x6BC3,0x1ECF,0xA268),
+	bn_pack4(0xB1D5,0x10BD,0x7EE7,0x4D73),
+	bn_pack4(0xF9AB,0x4819,0x5DED,0x7EA1),
+	bn_pack4(0x64F3,0x1CC5,0x0846,0x851D),
+	bn_pack4(0x4597,0xE899,0xA025,0x5DC1),
+	bn_pack4(0xDF31,0x0EE0,0x74AB,0x6A36),
+	bn_pack4(0x6D2A,0x13F8,0x3F44,0xF82D),
+	bn_pack4(0x062B,0x3CF5,0xB3A2,0x78A6),
+	bn_pack4(0x7968,0x3303,0xED5B,0xDD3A),
+	bn_pack4(0xFA9D,0x4B7F,0xA2C0,0x87E8),
+	bn_pack4(0x4BCB,0xC886,0x2F83,0x85DD),
+	bn_pack4(0x3473,0xFC64,0x6CEA,0x306B),
+	bn_pack4(0x13EB,0x57A8,0x1A23,0xF0C7),
+	bn_pack4(0x2222,0x2E04,0xA403,0x7C07),
+	bn_pack4(0xE3FD,0xB8BE,0xFC84,0x8AD9),
+	bn_pack4(0x238F,0x16CB,0xE39D,0x652D),
+	bn_pack4(0x3423,0xB474,0x2BF1,0xC978),
+	bn_pack4(0x3AAB,0x639C,0x5AE4,0xF568),
+	bn_pack4(0x2576,0xF693,0x6BA4,0x2466),
+	bn_pack4(0x741F,0xA7BF,0x8AFC,0x47ED),
+	bn_pack4(0x3BC8,0x32B6,0x8D9D,0xD300),
+	bn_pack4(0xD8BE,0xC4D0,0x73B9,0x31BA),
+	bn_pack4(0x3877,0x7CB6,0xA932,0xDF8C),
+	bn_pack4(0x74A3,0x926F,0x12FE,0xE5E4),
+	bn_pack4(0xE694,0xF91E,0x6DBE,0x1159),
+	bn_pack4(0x12BF,0x2D5B,0x0B74,0x74D6),
+	bn_pack4(0x043E,0x8F66,0x3F48,0x60EE),
+	bn_pack4(0x387F,0xE8D7,0x6E3C,0x0468),
+	bn_pack4(0xDA56,0xC9EC,0x2EF2,0x9632),
+	bn_pack4(0xEB19,0xCCB1,0xA313,0xD55C),
+	bn_pack4(0xF550,0xAA3D,0x8A1F,0xBFF0),
+	bn_pack4(0x06A1,0xD58B,0xB7C5,0xDA76),
+	bn_pack4(0xA797,0x15EE,0xF29B,0xE328),
+	bn_pack4(0x14CC,0x5ED2,0x0F80,0x37E0),
+	bn_pack4(0xCC8F,0x6D7E,0xBF48,0xE1D8),
+	bn_pack4(0x4BD4,0x07B2,0x2B41,0x54AA),
+	bn_pack4(0x0F1D,0x45B7,0xFF58,0x5AC5),
+	bn_pack4(0x23A9,0x7A7E,0x36CC,0x88BE),
+	bn_pack4(0x59E7,0xC97F,0xBEC7,0xE8F3),
+	bn_pack4(0xB5A8,0x4031,0x900B,0x1C9E),
+	bn_pack4(0xD55E,0x702F,0x4698,0x0C82),
+	bn_pack4(0xF482,0xD7CE,0x6E74,0xFEF6),
+	bn_pack4(0xF032,0xEA15,0xD172,0x1D03),
+	bn_pack4(0x5983,0xCA01,0xC64B,0x92EC),
+	bn_pack4(0x6FB8,0xF401,0x378C,0xD2BF),
+	bn_pack4(0x3320,0x5151,0x2BD7,0xAF42),
+	bn_pack4(0xDB7F,0x1447,0xE6CC,0x254B),
+	bn_pack4(0x44CE,0x6CBA,0xCED4,0xBB1B),
+	bn_pack4(0xDA3E,0xDBEB,0xCF9B,0x14ED),
+	bn_pack4(0x1797,0x27B0,0x865A,0x8918),
+	bn_pack4(0xB06A,0x53ED,0x9027,0xD831),
+	bn_pack4(0xE5DB,0x382F,0x4130,0x01AE),
+	bn_pack4(0xF8FF,0x9406,0xAD9E,0x530E),
+	bn_pack4(0xC975,0x1E76,0x3DBA,0x37BD),
+	bn_pack4(0xC1D4,0xDCB2,0x6026,0x46DE),
+	bn_pack4(0x36C3,0xFAB4,0xD27C,0x7026),
+	bn_pack4(0x4DF4,0x35C9,0x3402,0x8492),
+	bn_pack4(0x86FF,0xB7DC,0x90A6,0xC08F),
+	bn_pack4(0x93B4,0xEA98,0x8D8F,0xDDC1),
+	bn_pack4(0xD006,0x9127,0xD5B0,0x5AA9),
+	bn_pack4(0xB81B,0xDD76,0x2170,0x481C),
+	bn_pack4(0x1F61,0x2970,0xCEE2,0xD7AF),
+	bn_pack4(0x233B,0xA186,0x515B,0xE7ED),
+	bn_pack4(0x99B2,0x964F,0xA090,0xC3A2),
+	bn_pack4(0x287C,0x5947,0x4E6B,0xC05D),
+	bn_pack4(0x2E8E,0xFC14,0x1FBE,0xCAA6),
+	bn_pack4(0xDBBB,0xC2DB,0x04DE,0x8EF9),
+	bn_pack4(0x2583,0xE9CA,0x2AD4,0x4CE8),
+	bn_pack4(0x1A94,0x6834,0xB615,0x0BDA),
+	bn_pack4(0x99C3,0x2718,0x6AF4,0xE23C),
+	bn_pack4(0x8871,0x9A10,0xBDBA,0x5B26),
+	bn_pack4(0x1A72,0x3C12,0xA787,0xE6D7),
+	bn_pack4(0x4B82,0xD120,0xA921,0x0801),
+	bn_pack4(0x43DB,0x5BFC,0xE0FD,0x108E),
+	bn_pack4(0x08E2,0x4FA0,0x74E5,0xAB31),
+	bn_pack4(0x7709,0x88C0,0xBAD9,0x46E2),
+	bn_pack4(0xBBE1,0x1757,0x7A61,0x5D6C),
+	bn_pack4(0x521F,0x2B18,0x177B,0x200C),
+	bn_pack4(0xD876,0x0273,0x3EC8,0x6A64),
+	bn_pack4(0xF12F,0xFA06,0xD98A,0x0864),
+	bn_pack4(0xCEE3,0xD226,0x1AD2,0xEE6B),
+	bn_pack4(0x1E8C,0x94E0,0x4A25,0x619D),
+	bn_pack4(0xABF5,0xAE8C,0xDB09,0x33D7),
+	bn_pack4(0xB397,0x0F85,0xA6E1,0xE4C7),
+	bn_pack4(0x8AEA,0x7157,0x5D06,0x0C7D),
+	bn_pack4(0xECFB,0x8504,0x58DB,0xEF0A),
+	bn_pack4(0xA855,0x21AB,0xDF1C,0xBA64),
+	bn_pack4(0xAD33,0x170D,0x0450,0x7A33),
+	bn_pack4(0x1572,0x8E5A,0x8AAA,0xC42D),
+	bn_pack4(0x15D2,0x2618,0x98FA,0x0510),
+	bn_pack4(0x3995,0x497C,0xEA95,0x6AE5),
+	bn_pack4(0xDE2B,0xCBF6,0x9558,0x1718),
+	bn_pack4(0xB5C5,0x5DF0,0x6F4C,0x52C9),
+	bn_pack4(0x9B27,0x83A2,0xEC07,0xA28F),
+	bn_pack4(0xE39E,0x772C,0x180E,0x8603),
+	bn_pack4(0x3290,0x5E46,0x2E36,0xCE3B),
+	bn_pack4(0xF174,0x6C08,0xCA18,0x217C),
+	bn_pack4(0x670C,0x354E,0x4ABC,0x9804),
+	bn_pack4(0x9ED5,0x2907,0x7096,0x966D),
+	bn_pack4(0x1C62,0xF356,0x2085,0x52BB),
+	bn_pack4(0x8365,0x5D23,0xDCA3,0xAD96),
+	bn_pack4(0x6916,0x3FA8,0xFD24,0xCF5F),
+	bn_pack4(0x98DA,0x4836,0x1C55,0xD39A),
+	bn_pack4(0xC200,0x7CB8,0xA163,0xBF05),
+	bn_pack4(0x4928,0x6651,0xECE4,0x5B3D),
+	bn_pack4(0xAE9F,0x2411,0x7C4B,0x1FE6),
+	bn_pack4(0xEE38,0x6BFB,0x5A89,0x9FA5),
+	bn_pack4(0x0BFF,0x5CB6,0xF406,0xB7ED),
+	bn_pack4(0xF44C,0x42E9,0xA637,0xED6B),
+	bn_pack4(0xE485,0xB576,0x625E,0x7EC6),
+	bn_pack4(0x4FE1,0x356D,0x6D51,0xC245),
+	bn_pack4(0x302B,0x0A6D,0xF25F,0x1437),
+	bn_pack4(0xEF95,0x19B3,0xCD3A,0x431B),
+	bn_pack4(0x514A,0x0879,0x8E34,0x04DD),
+	bn_pack4(0x020B,0xBEA6,0x3B13,0x9B22),
+	bn_pack4(0x2902,0x4E08,0x8A67,0xCC74),
+	bn_pack4(0xC4C6,0x628B,0x80DC,0x1CD1),
+	bn_pack4(0xC90F,0xDAA2,0x2168,0xC234),
+	bn_pack4(0xFFFF,0xFFFF,0xFFFF,0xFFFF)
 };
 static BIGNUM bn_group_8192 = {
 	bn_group_8192_value,

crypto/srp/srp_lib.c

@@ -63,13 +63,17 @@
 #include <openssl/evp.h>
 
 #if (BN_BYTES == 8)
-#define bn_pack4(a1,a2,a3,a4) 0x##a1##a2##a3##a4##ul
-#endif
-#if (BN_BYTES == 4)
-#define bn_pack4(a1,a2,a3,a4)  0x##a3##a4##ul, 0x##a1##a2##ul
-#endif
-#if (BN_BYTES == 2)
-#define bn_pack4(a1,a2,a3,a4) 0x##a4##u,0x##a3##u,0x##a2##u,0x##a1##u
+# if (defined(_WIN32) || defined(_WIN64)) && !defined(__MINGW32__)
+#  define bn_pack4(a1,a2,a3,a4) ((a1##UI64<<48)|(a2##UI64<<32)|(a3##UI64<<16)|a4##UI64)
+# elif defined(__arch64__)
+#  define bn_pack4(a1,a2,a3,a4) ((a1##UL<<48)|(a2##UL<<32)|(a3##UL<<16)|a4##UL)
+# else
+#  define bn_pack4(a1,a2,a3,a4) ((a1##ULL<<48)|(a2##ULL<<32)|(a3##ULL<<16)|a4##ULL)
+# endif
+#elif (BN_BYTES == 4)
+# define bn_pack4(a1,a2,a3,a4)  ((a3##UL<<16)|a4##UL), ((a1##UL<<16)|a2##UL)
+#else
+# error "unsupported BN_BYTES"
 #endif
 
 

crypto/symhacks.h

@@ -204,6 +204,12 @@
 #define SSL_CTX_set_next_protos_advertised_cb	SSL_CTX_set_next_protos_adv_cb
 #undef SSL_CTX_set_next_proto_select_cb
 #define SSL_CTX_set_next_proto_select_cb	SSL_CTX_set_next_proto_sel_cb
+#undef ssl3_cbc_record_digest_supported
+#define ssl3_cbc_record_digest_supported        ssl3_cbc_record_digest_support
+#undef ssl_check_clienthello_tlsext_late
+#define ssl_check_clienthello_tlsext_late       ssl_check_clihello_tlsext_late
+#undef ssl_check_clienthello_tlsext_early
+#define ssl_check_clienthello_tlsext_early      ssl_check_clihello_tlsext_early
 
 /* Hack some long ENGINE names */
 #undef ENGINE_get_default_BN_mod_exp_crt

crypto/x509/by_dir.c

@@ -218,7 +218,7 @@ static int add_cert_dir(BY_DIR *ctx, const char *dir, int type)
 
 	s=dir;
 	p=s;
-	for (;;p++)
+	do
 		{
 		if ((*p == LIST_SEPARATOR_CHAR) || (*p == '\0'))
 			{
@@ -264,9 +264,7 @@ static int add_cert_dir(BY_DIR *ctx, const char *dir, int type)
 				return 0;
 				}
 			}
-		if (*p == '\0')
-			break;
-		}
+		} while (*p++ != '\0');
 	return 1;
 	}
 

crypto/x509/x509_vfy.c

@@ -694,6 +694,7 @@ static int check_cert(X509_STORE_CTX *ctx)
 	X509_CRL *crl = NULL, *dcrl = NULL;
 	X509 *x;
 	int ok, cnum;
+	unsigned int last_reasons;
 	cnum = ctx->error_depth;
 	x = sk_X509_value(ctx->chain, cnum);
 	ctx->current_cert = x;
@@ -702,6 +703,7 @@ static int check_cert(X509_STORE_CTX *ctx)
 	ctx->current_reasons = 0;
 	while (ctx->current_reasons != CRLDP_ALL_REASONS)
 		{
+		last_reasons = ctx->current_reasons;
 		/* Try to retrieve relevant CRL */
 		if (ctx->get_crl)
 			ok = ctx->get_crl(ctx, &crl, x);
@@ -745,6 +747,15 @@ static int check_cert(X509_STORE_CTX *ctx)
 		X509_CRL_free(dcrl);
 		crl = NULL;
 		dcrl = NULL;
+		/* If reasons not updated we wont get anywhere by
+		 * another iteration, so exit loop.
+		 */
+		if (last_reasons == ctx->current_reasons)
+			{
+			ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
+			ok = ctx->verify_cb(0, ctx);
+			goto err;
+			}
 		}
 	err:
 	X509_CRL_free(crl);
@@ -1451,10 +1462,9 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
 	 * a certificate was revoked. This has since been changed since 
 	 * critical extension can change the meaning of CRL entries.
 	 */
-	if (crl->flags & EXFLAG_CRITICAL)
+	if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
+		&& (crl->flags & EXFLAG_CRITICAL))
 		{
-		if (ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
-			return 1;
 		ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
 		ok = ctx->verify_cb(0, ctx);
 		if(!ok)

crypto/x509/x_all.c

@@ -97,6 +97,7 @@ int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
 
 int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
 	{
+	x->cert_info->enc.modified = 1;
 	return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CINF),
 		x->cert_info->signature,
 		x->sig_alg, x->signature, x->cert_info, ctx);
@@ -123,6 +124,7 @@ int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
 
 int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx)
 	{
+	x->crl->enc.modified = 1;
 	return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CRL_INFO),
 		x->crl->sig_alg, x->sig_alg, x->signature, x->crl, ctx);
 	}

crypto/x86cpuid.pl

@@ -67,6 +67,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
 	&inc	("esi");		# number of cores
 
 	&mov	("eax",1);
+	&xor	("ecx","ecx");
 	&cpuid	();
 	&bt	("edx",28);
 	&jnc	(&label("generic"));
@@ -91,6 +92,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
 
 &set_label("nocacheinfo");
 	&mov	("eax",1);
+	&xor	("ecx","ecx");
 	&cpuid	();
 	&and	("edx",0xbfefffff);	# force reserved bits #20, #30 to 0
 	&cmp	("ebp",0);

demos/cms/cms_comp.c

@@ -10,7 +10,7 @@ int main(int argc, char **argv)
 	int ret = 1;
 
 	/*
-	 * On OpenSSL 0.9.9 only:
+	 * On OpenSSL 1.0.0+ only:
 	 * for streaming set CMS_STREAM
 	 */
 	int flags = CMS_STREAM;

demos/cms/cms_dec.c

@@ -47,7 +47,7 @@ int main(int argc, char **argv)
 		goto err;
 
 	/* Decrypt S/MIME message */
-	if (!CMS_decrypt(cms, rkey, rcert, out, NULL, 0))
+	if (!CMS_decrypt(cms, rkey, rcert, NULL, out, 0))
 		goto err;
 
 	ret = 0;

demos/cms/cms_sign.c

@@ -12,7 +12,7 @@ int main(int argc, char **argv)
 	int ret = 1;
 
 	/* For simple S/MIME signing use CMS_DETACHED.
-	 * On OpenSSL 0.9.9 only:
+	 * On OpenSSL 1.0.0 only:
 	 * for streaming detached set CMS_DETACHED|CMS_STREAM
 	 * for streaming non-detached set CMS_STREAM
 	 */

demos/x509/mkreq.c

@@ -7,13 +7,14 @@
 
 #include <openssl/pem.h>
 #include <openssl/conf.h>
+#include <openssl/x509.h>
 #include <openssl/x509v3.h>
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif
 
 int mkreq(X509_REQ **x509p, EVP_PKEY **pkeyp, int bits, int serial, int days);
-int add_ext(STACK_OF(X509_REQUEST) *sk, int nid, char *value);
+int add_ext(STACK_OF(X509_EXTENSION) *sk, int nid, char *value);
 
 int main(int argc, char **argv)
 	{
@@ -148,7 +149,7 @@ err:
  * because we wont reference any other sections.
  */
 
-int add_ext(STACK_OF(X509_REQUEST) *sk, int nid, char *value)
+int add_ext(STACK_OF(X509_EXTENSION) *sk, int nid, char *value)
 	{
 	X509_EXTENSION *ex;
 	ex = X509V3_EXT_conf_nid(NULL, NULL, nid, value);

doc/apps/config.pod

@@ -119,7 +119,7 @@ variable points to a section containing further ENGINE configuration
 information.
 
 The section pointed to by B<engines> is a table of engine names (though see
-B<engine_id> below) and further sections containing configuration informations
+B<engine_id> below) and further sections containing configuration information
 specific to each ENGINE.
 
 Each ENGINE specific section is used to set default algorithms, load

doc/apps/crl.pod

@@ -62,6 +62,11 @@ don't output the encoded version of the CRL.
 output a hash of the issuer name. This can be use to lookup CRLs in
 a directory by issuer name.
 
+=item B<-hash_old>
+
+outputs the "hash" of the CRL issuer name using the older algorithm
+as used by OpenSSL versions before 1.0.0.
+
 =item B<-issuer>
 
 output the issuer name.

doc/apps/ec.pod

@@ -41,7 +41,7 @@ PKCS#8 private key format use the B<pkcs8> command.
 
 This specifies the input format. The B<DER> option with a private key uses
 an ASN.1 DER encoded SEC1 private key. When used with a public key it
-uses the SubjectPublicKeyInfo structur as specified in RFC 3280.
+uses the SubjectPublicKeyInfo structure as specified in RFC 3280.
 The B<PEM> form is the default format: it consists of the B<DER> format base64
 encoded with additional header and footer lines. In the case of a private key
 PKCS#8 format is also accepted.

doc/apps/pkcs12.pod

@@ -67,7 +67,7 @@ by default.
 The filename to write certificates and private keys to, standard output by
 default.  They are all written in PEM format.
 
-=item B<-pass arg>, B<-passin arg>
+=item B<-passin arg>
 
 the PKCS#12 file (i.e. input file) password source. For more information about
 the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
@@ -75,10 +75,15 @@ L<openssl(1)|openssl(1)>.
 
 =item B<-passout arg>
 
-pass phrase source to encrypt any outputed private keys with. For more
+pass phrase source to encrypt any outputted private keys with. For more
 information about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section
 in L<openssl(1)|openssl(1)>.
 
+=item B<-password arg>
+
+With -export, -password is equivalent to -passout.
+Otherwise, -password is equivalent to -passin.
+
 =item B<-noout>
 
 this option inhibits output of the keys and certificates to the output file

doc/apps/req.pod

@@ -303,7 +303,7 @@ Reverses effect of B<-asn1-kludge>
 
 =item B<-newhdr>
 
-Adds the word B<NEW> to the PEM file header and footer lines on the outputed
+Adds the word B<NEW> to the PEM file header and footer lines on the outputted
 request. Some software (Netscape certificate server) and some CAs need this.
 
 =item B<-batch>

doc/apps/rsa.pod

@@ -24,6 +24,8 @@ B<openssl> B<rsa>
 [B<-check>]
 [B<-pubin>]
 [B<-pubout>]
+[B<-RSAPublicKey_in>]
+[B<-RSAPublicKey_out>]
 [B<-engine id>]
 
 =head1 DESCRIPTION
@@ -118,6 +120,10 @@ by default a private key is output: with this option a public
 key will be output instead. This option is automatically set if
 the input is a public key.
 
+=item B<-RSAPublicKey_in>, B<-RSAPublicKey_out>
+
+like B<-pubin> and B<-pubout> except B<RSAPublicKey> format is used instead.
+
 =item B<-engine id>
 
 specifying an engine (by its unique B<id> string) will cause B<rsa>
@@ -139,6 +145,11 @@ The PEM public key format uses the header and footer lines:
  -----BEGIN PUBLIC KEY-----
  -----END PUBLIC KEY-----
 
+The PEM B<RSAPublicKey> format uses the header and footer lines:
+
+ -----BEGIN RSA PUBLIC KEY-----
+ -----END RSA PUBLIC KEY-----
+
 The B<NET> form is a format compatible with older Netscape servers
 and Microsoft IIS .key files, this uses unsalted RC4 for its encryption.
 It is not very secure and so should only be used when necessary.
@@ -173,6 +184,10 @@ To just output the public part of a private key:
 
  openssl rsa -in key.pem -pubout -out pubkey.pem
 
+Output the public part of a private key in B<RSAPublicKey> format:
+
+ openssl rsa -in key.pem -RSAPublicKey_out -out pubkey.pem
+
 =head1 BUGS
 
 The command line password arguments don't currently work with

doc/apps/s_client.pod

@@ -10,6 +10,7 @@ s_client - SSL/TLS client program
 B<openssl> B<s_client>
 [B<-connect host:port>]
 [B<-verify depth>]
+[B<-verify_return_error>]
 [B<-cert filename>]
 [B<-certform DER|PEM>]
 [B<-key filename>]
@@ -90,6 +91,11 @@ Currently the verify operation continues after errors so all the problems
 with a certificate chain can be seen. As a side effect the connection
 will never fail due to a server certificate verify failure.
 
+=item B<-verify_return_error>
+
+Return verification errors instead of continuing. This will typically
+abort the handshake with a fatal error.
+
 =item B<-CApath directory>
 
 The directory to use for server certificate verification. This directory
@@ -286,6 +292,13 @@ Since the SSLv23 client hello cannot include compression methods or extensions
 these will only be supported if its use is disabled, for example by using the
 B<-no_sslv2> option.
 
+The B<s_client> utility is a test tool and is designed to continue the
+handshake after any certificate verification errors. As a result it will
+accept any certificate chain (trusted or not) sent by the peer. None test
+applications should B<not> do this as it makes them vulnerable to a MITM
+attack. This behaviour can be changed by with the B<-verify_return_error>
+option: any verify errors are then returned aborting the handshake.
+
 =head1 BUGS
 
 Because this program has a lot of options and also because some of
@@ -293,9 +306,6 @@ the techniques used are rather old, the C source of s_client is rather
 hard to read and not a model of how things should be done. A typical
 SSL client program would be much simpler.
 
-The B<-verify> option should really exit if the server verification
-fails.
-
 The B<-prexit> option is a bit of a hack. We should really report
 information whenever a session is renegotiated.
 

doc/apps/s_server.pod

@@ -111,7 +111,7 @@ by using an appropriate certificate.
 
 =item B<-dcertform format>, B<-dkeyform format>, B<-dpass arg>
 
-addtional certificate and private key format and passphrase respectively.
+additional certificate and private key format and passphrase respectively.
 
 =item B<-nocert>
 

doc/apps/ts.pod

@@ -352,7 +352,7 @@ switch always overrides the settings in the config file.
 
 This is the main section and it specifies the name of another section
 that contains all the options for the B<-reply> command. This default
-section can be overriden with the B<-section> command line switch. (Optional)
+section can be overridden with the B<-section> command line switch. (Optional)
 
 =item B<oid_file>
 
@@ -453,7 +453,7 @@ included. Default is no. (Optional)
 =head1 ENVIRONMENT VARIABLES
 
 B<OPENSSL_CONF> contains the path of the configuration file and can be
-overriden by the B<-config> command line option.
+overridden by the B<-config> command line option.
 
 =head1 EXAMPLES