Prepare for 1.0.2-beta3 release

Reviewed-by: Stephen Henson <steve@openssl.org>
make update
2014-09-25 21:31:40 +01:00 · 2014-09-25 21:31:40 +01:00 · 2014-09-25 21:29:25 +01:00 · 2014-09-25 13:46:55 +02:00 · 2014-09-25 08:08:51 +02:00 · 2014-09-25 08:07:54 +02:00
868 changed files with 105603 additions and 19001 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,84 @@
 # Object files
 *.o
 # editor artefacts
 *.swp
 .#*
 #*#
 *~
 # Top level excludes
 /Makefile.bak
 /Makefile
 /MINFO
 /*.a
 /include
 /*.pc
 /rehash.time
 /inc.*
 /makefile.*
 /out.*
 /tmp.*
 # Most *.c files under test/ are symlinks
 /test/*.c
 # Apart from these
 !/test/asn1test.c
 !/test/methtest.c
 !/test/dummytest.c
 !/test/igetest.c
 !/test/r160test.c
 !/test/fips_algvs.c
 /test/*.ss
 /test/*.srl
 /test/.rnd
 /test/test*.pem
 /test/newkey.pem
 # Certificate symbolic links
 *.0
 # Links under apps
 /apps/CA.pl
 /apps/md4.c
 # Auto generated headers
 /crypto/buildinf.h
 /crypto/opensslconf.h
 # Auto generated assembly language source files
 *.s
 !/crypto/bn/asm/pa-risc2.s
 !/crypto/bn/asm/pa-risc2W.s
 # Executables
 /apps/openssl
 /test/sha256t
 /test/sha512t
 /test/*test
 /test/fips_aesavs
 /test/fips_desmovs
 /test/fips_dhvs
 /test/fips_drbgvs
 /test/fips_dssvs
 /test/fips_ecdhvs
 /test/fips_ecdsavs
 /test/fips_rngvs
 /test/fips_test_suite
 *.so*
 *.dylib*
 *.dll*
 # Exceptions
 !/test/bctest
 !/crypto/des/times/486-50.sol
 # Misc auto generated files
 /tools/c_rehash
 /test/evptests.txt
 lib
 Makefile.save
 *.bak
 tags
 TAGS
--- a/9
+++ b/9
@ -10,13 +10,18 @@ OpenSSL project.
 We would like to identify and thank the following such sponsors for their past
 or current significant support of the OpenSSL project:
 Major support:
 	Qualys		http://www.qualys.com/
 Very significant support:
-	OpenGear: www.opengear.com
+	OpenGear:	http://www.opengear.com/
 Significant support:
-	PSW Group: www.psw.net
+	PSW Group:	http://www.psw.net/
 	Acano Ltd.	http://acano.com/
 Please note that we ask permission to identify sponsors and that some sponsors
 we consider eligible for inclusion here have requested to remain anonymous.
--- a/767
+++ b/767
@ -2,6 +2,623 @@
 OpenSSL CHANGES
 _______________
 Changes between 1.0.1i and 1.0.2 [xx XXX xxxx]
  *) Accelerated NIST P-256 elliptic curve implementation for x86_64
     (other platforms pending).
     [Shay Gueron (Intel Corp), Andy Polyakov]
  *) Add support for the SignedCertificateTimestampList certificate and
     OCSP response extensions from RFC6962.
     [Rob Stradling]
  *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
     for corner cases. (Certain input points at infinity could lead to
     bogus results, with non-infinity inputs mapped to infinity too.)
     [Bodo Moeller]
  *) Initial support for PowerISA 2.0.7, first implemented in POWER8.
     This covers AES, SHA256/512 and GHASH. "Initial" means that most
     common cases are optimized and there still is room for further
     improvements. Vector Permutation AES for Altivec is also added.
     [Andy Polyakov]
  *) Add support for little-endian ppc64 Linux target.
     [Marcelo Cerri (IBM)]
  *) Initial support for AMRv8 ISA crypto extensions. This covers AES,
     SHA1, SHA256 and GHASH. "Initial" means that most common cases
     are optimized and there still is room for further improvements.
     Both 32- and 64-bit modes are supported.
     [Andy Polyakov, Ard Biesheuvel (Linaro)]
  *) Improved ARMv7 NEON support.
     [Andy Polyakov]
  *) Support for SPARC Architecture 2011 crypto extensions, first
     implemented in SPARC T4. This covers AES, DES, Camellia, SHA1,
     SHA256/512, MD5, GHASH and modular exponentiation.
     [Andy Polyakov, David Miller]
  *) Accelerated modular exponentiation for Intel processors, a.k.a.
     RSAZ.
     [Shay Gueron (Intel Corp)]
  *) Support for new and upcoming Intel processors, including AVX2,
     BMI and SHA ISA extensions. This includes additional "stitched"
     implementations, AESNI-SHA256 and GCM, and multi-buffer support
     for TLS encrypt.
     This work was sponsored by Intel Corp.
     [Andy Polyakov]
  *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
     this fixes a limiation in previous versions of OpenSSL.
     [Steve Henson]
  *) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
     MGF1 digest and OAEP label.
     [Steve Henson]
  *) Add EVP support for key wrapping algorithms, to avoid problems with
     existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
     the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
     algorithms and include tests cases.
     [Steve Henson]
  *) Add functions to allocate and set the fields of an ECDSA_METHOD
     structure.
     [Douglas E. Engert, Steve Henson]
  *) New functions OPENSSL_gmtime_diff and ASN1_TIME_diff to find the
     difference in days and seconds between two tm or ASN1_TIME structures.
     [Steve Henson]
  *) Add -rev test option to s_server to just reverse order of characters
     received by client and send back to server. Also prints an abbreviated
     summary of the connection parameters.
     [Steve Henson]
  *) New option -brief for s_client and s_server to print out a brief summary
     of connection parameters.
     [Steve Henson]
  *) Add callbacks for arbitrary TLS extensions.
     [Trevor Perrin <trevp@trevp.net> and Ben Laurie]
  *) New option -crl_download in several openssl utilities to download CRLs
     from CRLDP extension in certificates.
     [Steve Henson]
  *) New options -CRL and -CRLform for s_client and s_server for CRLs.
     [Steve Henson]
  *) New function X509_CRL_diff to generate a delta CRL from the difference
     of two full CRLs. Add support to "crl" utility.
     [Steve Henson]
  *) New functions to set lookup_crls function and to retrieve
     X509_STORE from X509_STORE_CTX.
     [Steve Henson]
  *) Print out deprecated issuer and subject unique ID fields in
     certificates.
     [Steve Henson]
  *) Extend OCSP I/O functions so they can be used for simple general purpose
     HTTP as well as OCSP. New wrapper function which can be used to download
     CRLs using the OCSP API.
     [Steve Henson]
  *) Delegate command line handling in s_client/s_server to SSL_CONF APIs.
     [Steve Henson]
  *) SSL_CONF* functions. These provide a common framework for application
     configuration using configuration files or command lines.
     [Steve Henson]
  *) SSL/TLS tracing code. This parses out SSL/TLS records using the
     message callback and prints the results. Needs compile time option
     "enable-ssl-trace". New options to s_client and s_server to enable
     tracing.
     [Steve Henson]
  *) New ctrl and macro to retrieve supported points extensions.
     Print out extension in s_server and s_client.
     [Steve Henson]
  *) New functions to retrieve certificate signature and signature
     OID NID.
     [Steve Henson]
  *) Add functions to retrieve and manipulate the raw cipherlist sent by a
     client to OpenSSL.
     [Steve Henson]
  *) New Suite B modes for TLS code. These use and enforce the requirements
     of RFC6460: restrict ciphersuites, only permit Suite B algorithms and
     only use Suite B curves. The Suite B modes can be set by using the
     strings "SUITEB128", "SUITEB192" or "SUITEB128ONLY" for the cipherstring.
     [Steve Henson]
  *) New chain verification flags for Suite B levels of security. Check
     algorithms are acceptable when flags are set in X509_verify_cert.
     [Steve Henson]
  *) Make tls1_check_chain return a set of flags indicating checks passed
     by a certificate chain. Add additional tests to handle client
     certificates: checks for matching certificate type and issuer name
     comparison.
     [Steve Henson]
  *) If an attempt is made to use a signature algorithm not in the peer
     preference list abort the handshake. If client has no suitable
     signature algorithms in response to a certificate request do not
     use the certificate.
     [Steve Henson]
  *) If server EC tmp key is not in client preference list abort handshake.
     [Steve Henson]
  *) Add support for certificate stores in CERT structure. This makes it
     possible to have different stores per SSL structure or one store in
     the parent SSL_CTX. Include distint stores for certificate chain
     verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
     to build and store a certificate chain in CERT structure: returing
     an error if the chain cannot be built: this will allow applications
     to test if a chain is correctly configured.
     Note: if the CERT based stores are not set then the parent SSL_CTX
     store is used to retain compatibility with existing behaviour.
     [Steve Henson]
  *) New function ssl_set_client_disabled to set a ciphersuite disabled
     mask based on the current session, check mask when sending client
     hello and checking the requested ciphersuite.
     [Steve Henson]
  *) New ctrls to retrieve and set certificate types in a certificate
     request message. Print out received values in s_client. If certificate
     types is not set with custom values set sensible values based on
     supported signature algorithms.
     [Steve Henson]
  *) Support for distinct client and server supported signature algorithms.
     [Steve Henson]
  *) Add certificate callback. If set this is called whenever a certificate
     is required by client or server. An application can decide which
     certificate chain to present based on arbitrary criteria: for example
     supported signature algorithms. Add very simple example to s_server.
     This fixes many of the problems and restrictions of the existing client
     certificate callback: for example you can now clear an existing
     certificate and specify the whole chain.
     [Steve Henson]
  *) Add new "valid_flags" field to CERT_PKEY structure which determines what
     the certificate can be used for (if anything). Set valid_flags field 
     in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
     to have similar checks in it.
     Add new "cert_flags" field to CERT structure and include a "strict mode".
     This enforces some TLS certificate requirements (such as only permitting
     certificate signature algorithms contained in the supported algorithms
     extension) which some implementations ignore: this option should be used
     with caution as it could cause interoperability issues.
     [Steve Henson]
  *) Update and tidy signature algorithm extension processing. Work out
     shared signature algorithms based on preferences and peer algorithms
     and print them out in s_client and s_server. Abort handshake if no
     shared signature algorithms.
     [Steve Henson]
  *) Add new functions to allow customised supported signature algorithms
     for SSL and SSL_CTX structures. Add options to s_client and s_server
     to support them.
     [Steve Henson]
  *) New function SSL_certs_clear() to delete all references to certificates
     from an SSL structure. Before this once a certificate had been added
     it couldn't be removed.
     [Steve Henson]
  *) Integrate hostname, email address and IP address checking with certificate
     verification. New verify options supporting checking in opensl utility.
     [Steve Henson]
  *) Fixes and wildcard matching support to hostname and email checking
     functions. Add manual page.
     [Florian Weimer (Red Hat Product Security Team)]
  *) New functions to check a hostname email or IP address against a
     certificate. Add options x509 utility to print results of checks against
     a certificate.
     [Steve Henson]
  *) Fix OCSP checking.
     [Rob Stradling <rob.stradling@comodo.com> and Ben Laurie]
  *) Initial experimental support for explicitly trusted non-root CAs. 
     OpenSSL still tries to build a complete chain to a root but if an
     intermediate CA has a trust setting included that is used. The first
     setting is used: whether to trust (e.g., -addtrust option to the x509
     utility) or reject.
     [Steve Henson]
  *) Add -trusted_first option which attempts to find certificates in the
     trusted store even if an untrusted chain is also supplied.
     [Steve Henson]
  *) MIPS assembly pack updates: support for MIPS32r2 and SmartMIPS ASE,
     platform support for Linux and Android.
     [Andy Polyakov]
  *) Support for linux-x32, ILP32 environment in x86_64 framework.
     [Andy Polyakov]
  *) Experimental multi-implementation support for FIPS capable OpenSSL.
     When in FIPS mode the approved implementations are used as normal,
     when not in FIPS mode the internal unapproved versions are used instead.
     This means that the FIPS capable OpenSSL isn't forced to use the
     (often lower perfomance) FIPS implementations outside FIPS mode.
     [Steve Henson]
  *) Transparently support X9.42 DH parameters when calling
     PEM_read_bio_DHparameters. This means existing applications can handle
     the new parameter format automatically.
     [Steve Henson]
  *) Initial experimental support for X9.42 DH parameter format: mainly
     to support use of 'q' parameter for RFC5114 parameters.
     [Steve Henson]
  *) Add DH parameters from RFC5114 including test data to dhtest.
     [Steve Henson]
  *) Support for automatic EC temporary key parameter selection. If enabled
     the most preferred EC parameters are automatically used instead of
     hardcoded fixed parameters. Now a server just has to call:
     SSL_CTX_set_ecdh_auto(ctx, 1) and the server will automatically
     support ECDH and use the most appropriate parameters.
     [Steve Henson]
  *) Enhance and tidy EC curve and point format TLS extension code. Use
     static structures instead of allocation if default values are used.
     New ctrls to set curves we wish to support and to retrieve shared curves.
     Print out shared curves in s_server. New options to s_server and s_client
     to set list of supported curves.
     [Steve Henson]
  *) New ctrls to retrieve supported signature algorithms and 
     supported curve values as an array of NIDs. Extend openssl utility
     to print out received values.
     [Steve Henson]
  *) Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert
     between NIDs and the more common NIST names such as "P-256". Enhance
     ecparam utility and ECC method to recognise the NIST names for curves.
     [Steve Henson]
  *) Enhance SSL/TLS certificate chain handling to support different
     chains for each certificate instead of one chain in the parent SSL_CTX.
     [Steve Henson]
  *) Support for fixed DH ciphersuite client authentication: where both
     server and client use DH certificates with common parameters.
     [Steve Henson]
  *) Support for fixed DH ciphersuites: those requiring DH server
     certificates.
     [Steve Henson]
  *) New function i2d_re_X509_tbs for re-encoding the TBS portion of
     the certificate.
     Note: Related 1.0.2-beta specific macros X509_get_cert_info,
     X509_CINF_set_modified, X509_CINF_get_issuer, X509_CINF_get_extensions and
     X509_CINF_get_signature were reverted post internal team review.
 Changes between 1.0.1h and 1.0.1i [6 Aug 2014]
  *) Fix SRP buffer overrun vulnerability. Invalid parameters passed to the
     SRP code can be overrun an internal buffer. Add sanity check that
     g, A, B < N to SRP code.
     Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
     Group for discovering this issue.
     (CVE-2014-3512)
     [Steve Henson]
  *) A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
     TLS 1.0 instead of higher protocol versions when the ClientHello message
     is badly fragmented. This allows a man-in-the-middle attacker to force a
     downgrade to TLS 1.0 even if both the server and the client support a
     higher protocol version, by modifying the client's TLS records.
     Thanks to David Benjamin and Adam Langley (Google) for discovering and
     researching this issue.
     (CVE-2014-3511)
     [David Benjamin]
  *) OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
     to a denial of service attack. A malicious server can crash the client
     with a null pointer dereference (read) by specifying an anonymous (EC)DH
     ciphersuite and sending carefully crafted handshake messages.
     Thanks to Felix Gröbert (Google) for discovering and researching this
     issue.
     (CVE-2014-3510)
     [Emilia Käsper]
  *) By sending carefully crafted DTLS packets an attacker could cause openssl
     to leak memory. This can be exploited through a Denial of Service attack.
     Thanks to Adam Langley for discovering and researching this issue.
     (CVE-2014-3507)
     [Adam Langley]
  *) An attacker can force openssl to consume large amounts of memory whilst
     processing DTLS handshake messages. This can be exploited through a
     Denial of Service attack.
     Thanks to Adam Langley for discovering and researching this issue.
     (CVE-2014-3506)
     [Adam Langley]
  *) An attacker can force an error condition which causes openssl to crash
     whilst processing DTLS packets due to memory being freed twice. This
     can be exploited through a Denial of Service attack.
     Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
     this issue.
     (CVE-2014-3505)
     [Adam Langley]
  *) If a multithreaded client connects to a malicious server using a resumed
     session and the server sends an ec point format extension it could write
     up to 255 bytes to freed memory.
     Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this
     issue.
     (CVE-2014-3509)
     [Gabor Tyukasz]
  *) A malicious server can crash an OpenSSL client with a null pointer
     dereference (read) by specifying an SRP ciphersuite even though it was not
     properly negotiated with the client. This can be exploited through a
     Denial of Service attack.
     Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for
     discovering and researching this issue.
     (CVE-2014-5139)
     [Steve Henson]
  *) A flaw in OBJ_obj2txt may cause pretty printing functions such as
     X509_name_oneline, X509_name_print_ex et al. to leak some information
     from the stack. Applications may be affected if they echo pretty printing
     output to the attacker.
     Thanks to Ivan Fratric (Google) for discovering this issue.
     (CVE-2014-3508)
     [Emilia Käsper, and Steve Henson]
  *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
     for corner cases. (Certain input points at infinity could lead to
     bogus results, with non-infinity inputs mapped to infinity too.)
     [Bodo Moeller]
 Changes between 1.0.1g and 1.0.1h [5 Jun 2014]
  *) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
     handshake can force the use of weak keying material in OpenSSL
     SSL/TLS clients and servers.
     Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
     researching this issue. (CVE-2014-0224)
     [KIKUCHI Masashi, Steve Henson]
  *) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
     OpenSSL DTLS client the code can be made to recurse eventually crashing
     in a DoS attack.
     Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
     (CVE-2014-0221)
     [Imre Rad, Steve Henson]
  *) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
     be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
     client or server. This is potentially exploitable to run arbitrary
     code on a vulnerable client or server.
     Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195)
     [Jüri Aedla, Steve Henson]
  *) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
     are subject to a denial of service attack.
     Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
     this issue. (CVE-2014-3470)
     [Felix Gröbert, Ivan Fratric, Steve Henson]
  *) Harmonize version and its documentation. -f flag is used to display
     compilation flags.
     [mancha <mancha1@zoho.com>]
  *) Fix eckey_priv_encode so it immediately returns an error upon a failure
     in i2d_ECPrivateKey.
     [mancha <mancha1@zoho.com>]
  *) Fix some double frees. These are not thought to be exploitable.
     [mancha <mancha1@zoho.com>]
 Changes between 1.0.1f and 1.0.1g [7 Apr 2014]
  *) A missing bounds check in the handling of the TLS heartbeat extension
     can be used to reveal up to 64k of memory to a connected client or
     server.
     Thanks for Neel Mehta of Google Security for discovering this bug and to
     Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
     preparing the fix (CVE-2014-0160)
     [Adam Langley, Bodo Moeller]
  *) Fix for the attack described in the paper "Recovering OpenSSL
     ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
     by Yuval Yarom and Naomi Benger. Details can be obtained from:
     http://eprint.iacr.org/2014/140
     Thanks to Yuval Yarom and Naomi Benger for discovering this
     flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
     [Yuval Yarom and Naomi Benger]
  *) TLS pad extension: draft-agl-tls-padding-03
     Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
     TLS client Hello record length value would otherwise be > 255 and
     less that 512 pad with a dummy extension containing zeroes so it
     is at least 512 bytes long.
     [Adam Langley, Steve Henson]
 Changes between 1.0.1e and 1.0.1f [6 Jan 2014]
  *) Fix for TLS record tampering bug. A carefully crafted invalid 
     handshake could crash OpenSSL with a NULL pointer exception.
     Thanks to Anton Johansson for reporting this issues.
     (CVE-2013-4353)
  *) Keep original DTLS digest and encryption contexts in retransmission
     structures so we can use the previous session parameters if they need
     to be resent. (CVE-2013-6450)
     [Steve Henson]
  *) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
     avoids preferring ECDHE-ECDSA ciphers when the client appears to be
     Safari on OS X.  Safari on OS X 10.8..10.8.3 advertises support for
     several ECDHE-ECDSA ciphers, but fails to negotiate them.  The bug
     is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
     10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
     [Rob Stradling, Adam Langley]
 Changes between 1.0.1d and 1.0.1e [11 Feb 2013]
  *) Correct fix for CVE-2013-0169. The original didn't work on AES-NI
     supporting platforms or when small records were transferred.
     [Andy Polyakov, Steve Henson]
 Changes between 1.0.1c and 1.0.1d [5 Feb 2013]
  *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
     This addresses the flaw in CBC record processing discovered by 
     Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
     at: http://www.isg.rhul.ac.uk/tls/     
     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
     Security Group at Royal Holloway, University of London
     (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
     Emilia Käsper for the initial patch.
     (CVE-2013-0169)
     [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
  *) Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode
     ciphersuites which can be exploited in a denial of service attack.
     Thanks go to and to Adam Langley <agl@chromium.org> for discovering
     and detecting this bug and to Wolfgang Ettlinger
     <wolfgang.ettlinger@gmail.com> for independently discovering this issue.
     (CVE-2012-2686)
     [Adam Langley]
  *) Return an error when checking OCSP signatures when key is NULL.
     This fixes a DoS attack. (CVE-2013-0166)
     [Steve Henson]
  *) Make openssl verify return errors.
     [Chris Palmer <palmer@google.com> and Ben Laurie]
  *) Call OCSP Stapling callback after ciphersuite has been chosen, so
     the right response is stapled. Also change SSL_get_certificate()
     so it returns the certificate actually sent.
     See http://rt.openssl.org/Ticket/Display.html?id=2836.
     [Rob Stradling <rob.stradling@comodo.com>]
  *) Fix possible deadlock when decoding public keys.
     [Steve Henson]
  *) Don't use TLS 1.0 record version number in initial client hello
     if renegotiating.
     [Steve Henson]
 Changes between 1.0.1b and 1.0.1c [10 May 2012]
  *) Sanity check record length before skipping explicit IV in TLS
     1.2, 1.1 and DTLS to fix DoS attack.
     Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
     fuzzing as a service testing platform.
     (CVE-2012-2333)
     [Steve Henson]
  *) Initialise tkeylen properly when encrypting CMS messages.
     Thanks to Solar Designer of Openwall for reporting this issue.
     [Steve Henson]
  *) In FIPS mode don't try to use composite ciphers as they are not
     approved.
     [Steve Henson]
 Changes between 1.0.1a and 1.0.1b [26 Apr 2012]
  *) OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and
     1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L which would unfortunately
     mean any application compiled against OpenSSL 1.0.0 headers setting
     SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disablng
     TLS 1.1 also. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to
     0x10000000L Any application which was previously compiled against
     OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1
     will need to be recompiled as a result. Letting be results in
     inability to disable specifically TLS 1.1 and in client context,
     in unlike event, limit maximum offered version to TLS 1.0 [see below].
     [Steve Henson]
  *) In order to ensure interoperabilty SSL_OP_NO_protocolX does not
     disable just protocol X, but all protocols above X *if* there are
     protocols *below* X still enabled. In more practical terms it means
     that if application wants to disable TLS1.0 in favor of TLS1.1 and
     above, it's not sufficient to pass SSL_OP_NO_TLSv1, one has to pass
     SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. This applies to
     client side.
     [Andy Polyakov]
 Changes between 1.0.1 and 1.0.1a [19 Apr 2012]
  *) Check for potentially exploitable overflows in asn1_d2i_read_bio
     BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
     in CRYPTO_realloc_clean.
     Thanks to Tavis Ormandy, Google Security Team, for discovering this
     issue and to Adam Langley <agl@chromium.org> for fixing it.
     (CVE-2012-2110)
     [Adam Langley (Google), Tavis Ormandy, Google Security Team]
  *) Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
     [Adam Langley]
  *) Workarounds for some broken servers that "hang" if a client hello
     record length exceeds 255 bytes.
     1. Do not use record version number > TLS 1.0 in initial client
        hello: some (but not all) hanging servers will now work.
     2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate
 	the number of ciphers sent in the client hello. This should be
        set to an even number, such as 50, for example by passing:
        -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
        Most broken servers should now work.
     3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable
 	TLS 1.2 client support entirely.
     [Steve Henson]
  *) Fix SEGV in Vector Permutation AES module observed in OpenSSH.
     [Andy Polyakov]
 Changes between 1.0.0h and 1.0.1  [14 Mar 2012]
  *) Add compatibility with old MDC2 signatures which use an ASN1 OCTET
@ -285,7 +902,75 @@
       Add command line options to s_client/s_server.
     [Steve Henson]
- Changes between 1.0.0g and 1.0.0h [xx XXX xxxx]
+ Changes between 1.0.0j and 1.0.0k [5 Feb 2013]
  *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
     This addresses the flaw in CBC record processing discovered by 
     Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
     at: http://www.isg.rhul.ac.uk/tls/     
     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
     Security Group at Royal Holloway, University of London
     (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
     Emilia Käsper for the initial patch.
     (CVE-2013-0169)
     [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
  *) Return an error when checking OCSP signatures when key is NULL.
     This fixes a DoS attack. (CVE-2013-0166)
     [Steve Henson]
  *) Call OCSP Stapling callback after ciphersuite has been chosen, so
     the right response is stapled. Also change SSL_get_certificate()
     so it returns the certificate actually sent.
     See http://rt.openssl.org/Ticket/Display.html?id=2836.
     (This is a backport)
     [Rob Stradling <rob.stradling@comodo.com>]
  *) Fix possible deadlock when decoding public keys.
     [Steve Henson]
 Changes between 1.0.0i and 1.0.0j [10 May 2012]
  [NB: OpenSSL 1.0.0i and later 1.0.0 patch levels were released after
  OpenSSL 1.0.1.]
  *) Sanity check record length before skipping explicit IV in DTLS
     to fix DoS attack.
     Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
     fuzzing as a service testing platform.
     (CVE-2012-2333)
     [Steve Henson]
  *) Initialise tkeylen properly when encrypting CMS messages.
     Thanks to Solar Designer of Openwall for reporting this issue.
     [Steve Henson]
 Changes between 1.0.0h and 1.0.0i [19 Apr 2012]
  *) Check for potentially exploitable overflows in asn1_d2i_read_bio
     BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
     in CRYPTO_realloc_clean.
     Thanks to Tavis Ormandy, Google Security Team, for discovering this
     issue and to Adam Langley <agl@chromium.org> for fixing it.
     (CVE-2012-2110)
     [Adam Langley (Google), Tavis Ormandy, Google Security Team]
 Changes between 1.0.0g and 1.0.0h [12 Mar 2012]
  *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
     in CMS and PKCS7 code. When RSA decryption fails use a random key for
     content decryption and always return the same error. Note: this attack
     needs on average 2^20 messages so it only affects automated senders. The
     old behaviour can be reenabled in the CMS code by setting the
     CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where
     an MMA defence is not necessary.
     Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering
     this issue. (CVE-2012-0884)
     [Steve Henson]
  *) Fix CVE-2011-4619: make sure we really are receiving a 
     client hello before rejecting multiple SGC restarts. Thanks to
@ -1264,6 +1949,86 @@
  *) Change 'Configure' script to enable Camellia by default.
     [NTT]
 Changes between 0.9.8x and 0.9.8y [5 Feb 2013]
  *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
     This addresses the flaw in CBC record processing discovered by 
     Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
     at: http://www.isg.rhul.ac.uk/tls/     
     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
     Security Group at Royal Holloway, University of London
     (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
     Emilia Käsper for the initial patch.
     (CVE-2013-0169)
     [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
  *) Return an error when checking OCSP signatures when key is NULL.
     This fixes a DoS attack. (CVE-2013-0166)
     [Steve Henson]
  *) Call OCSP Stapling callback after ciphersuite has been chosen, so
     the right response is stapled. Also change SSL_get_certificate()
     so it returns the certificate actually sent.
     See http://rt.openssl.org/Ticket/Display.html?id=2836.
     (This is a backport)
     [Rob Stradling <rob.stradling@comodo.com>]
  *) Fix possible deadlock when decoding public keys.
     [Steve Henson]
 Changes between 0.9.8w and 0.9.8x [10 May 2012]
  *) Sanity check record length before skipping explicit IV in DTLS
     to fix DoS attack.
     Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
     fuzzing as a service testing platform.
     (CVE-2012-2333)
     [Steve Henson]
  *) Initialise tkeylen properly when encrypting CMS messages.
     Thanks to Solar Designer of Openwall for reporting this issue.
     [Steve Henson]
 Changes between 0.9.8v and 0.9.8w [23 Apr 2012]
  *) The fix for CVE-2012-2110 did not take into account that the 
     'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an
     int in OpenSSL 0.9.8, making it still vulnerable. Fix by 
     rejecting negative len parameter. (CVE-2012-2131)
     [Tomas Hoger <thoger@redhat.com>]
 Changes between 0.9.8u and 0.9.8v [19 Apr 2012]
  *) Check for potentially exploitable overflows in asn1_d2i_read_bio
     BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
     in CRYPTO_realloc_clean.
     Thanks to Tavis Ormandy, Google Security Team, for discovering this
     issue and to Adam Langley <agl@chromium.org> for fixing it.
     (CVE-2012-2110)
     [Adam Langley (Google), Tavis Ormandy, Google Security Team]
 Changes between 0.9.8t and 0.9.8u [12 Mar 2012]
  *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
     in CMS and PKCS7 code. When RSA decryption fails use a random key for
     content decryption and always return the same error. Note: this attack
     needs on average 2^20 messages so it only affects automated senders. The
     old behaviour can be reenabled in the CMS code by setting the
     CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where
     an MMA defence is not necessary.
     Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering
     this issue. (CVE-2012-0884)
     [Steve Henson]
  *) Fix CVE-2011-4619: make sure we really are receiving a 
     client hello before rejecting multiple SGC restarts. Thanks to
     Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug.
     [Steve Henson]
 Changes between 0.9.8s and 0.9.8t [18 Jan 2012]
  *) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
--- a/174
+++ b/174
@ -124,24 +124,25 @@ my $tlib="-lnsl -lsocket";
 my $bits1="THIRTY_TWO_BIT ";
 my $bits2="SIXTY_FOUR_BIT ";
-my $x86_asm="x86cpuid.o:bn-586.o co-586.o x86-mont.o x86-gf2m.o:des-586.o crypt586.o:aes-586.o vpaes-x86.o aesni-x86.o:bf-586.o:md5-586.o:sha1-586.o sha256-586.o sha512-586.o:cast-586.o:rc4-586.o:rmd-586.o:rc5-586.o:wp_block.o wp-mmx.o:cmll-x86.o:ghash-x86.o:";
+my $x86_asm="x86cpuid.o:bn-586.o co-586.o x86-mont.o x86-gf2m.o::des-586.o crypt586.o:aes-586.o vpaes-x86.o aesni-x86.o:bf-586.o:md5-586.o:sha1-586.o sha256-586.o sha512-586.o:cast-586.o:rc4-586.o:rmd-586.o:rc5-586.o:wp_block.o wp-mmx.o:cmll-x86.o:ghash-x86.o:";
 my $x86_elf_asm="$x86_asm:elf";
-my $x86_64_asm="x86_64cpuid.o:x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o modexp512-x86_64.o::aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o rc4-md5-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o:ghash-x86_64.o:";
+my $x86_64_asm="x86_64cpuid.o:x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o:ecp_nistz256.o ecp_nistz256-x86_64.o::aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o sha1-mb-x86_64.o sha256-mb-x86_64.o::rc4-x86_64.o rc4-md5-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o:ghash-x86_64.o aesni-gcm-x86_64.o:";
-my $ia64_asm="ia64cpuid.o:bn-ia64.o ia64-mont.o::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o::rc4-ia64.o rc4_skey.o:::::ghash-ia64.o::void";
+my $ia64_asm="ia64cpuid.o:bn-ia64.o ia64-mont.o:::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o::rc4-ia64.o rc4_skey.o:::::ghash-ia64.o::void";
-my $sparcv9_asm="sparcv9cap.o sparccpuid.o:bn-sparcv9.o sparcv9-mont.o sparcv9a-mont.o:des_enc-sparc.o fcrypt_b.o:aes_core.o aes_cbc.o aes-sparcv9.o:::sha1-sparcv9.o sha256-sparcv9.o sha512-sparcv9.o:::::::ghash-sparcv9.o::void";
+my $sparcv9_asm="sparcv9cap.o sparccpuid.o:bn-sparcv9.o sparcv9-mont.o sparcv9a-mont.o vis3-mont.o sparct4-mont.o sparcv9-gf2m.o::des_enc-sparc.o fcrypt_b.o dest4-sparcv9.o:aes_core.o aes_cbc.o aes-sparcv9.o aest4-sparcv9.o::md5-sparcv9.o:sha1-sparcv9.o sha256-sparcv9.o sha512-sparcv9.o::::::camellia.o cmll_misc.o cmll_cbc.o cmllt4-sparcv9.o:ghash-sparcv9.o::void";
-my $sparcv8_asm=":sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::::::void";
+my $sparcv8_asm=":sparcv8.o::des_enc-sparc.o fcrypt_b.o:::::::::::::void";
-my $alpha_asm="alphacpuid.o:bn_asm.o alpha-mont.o:::::sha1-alpha.o:::::::ghash-alpha.o::void";
+my $alpha_asm="alphacpuid.o:bn_asm.o alpha-mont.o::::::sha1-alpha.o:::::::ghash-alpha.o::void";
-my $mips32_asm=":bn-mips.o::aes_cbc.o aes-mips.o:::sha1-mips.o sha256-mips.o::::::::";
+my $mips64_asm=":bn-mips.o mips-mont.o:::aes_cbc.o aes-mips.o:::sha1-mips.o sha256-mips.o sha512-mips.o::::::::";
-my $mips64_asm=":bn-mips.o mips-mont.o::aes_cbc.o aes-mips.o:::sha1-mips.o sha256-mips.o sha512-mips.o::::::::";
+my $mips32_asm=$mips64_asm; $mips32_asm =~ s/\s*sha512\-mips\.o//;
-my $s390x_asm="s390xcap.o s390xcpuid.o:bn-s390x.o s390x-mont.o s390x-gf2m.o::aes-s390x.o aes-ctr.o aes-xts.o:::sha1-s390x.o sha256-s390x.o sha512-s390x.o::rc4-s390x.o:::::ghash-s390x.o:";
+my $s390x_asm="s390xcap.o s390xcpuid.o:bn-s390x.o s390x-mont.o s390x-gf2m.o:::aes-s390x.o aes-ctr.o aes-xts.o:::sha1-s390x.o sha256-s390x.o sha512-s390x.o::rc4-s390x.o:::::ghash-s390x.o:";
-my $armv4_asm="armcap.o armv4cpuid.o:bn_asm.o armv4-mont.o armv4-gf2m.o::aes_cbc.o aes-armv4.o:::sha1-armv4-large.o sha256-armv4.o sha512-armv4.o:::::::ghash-armv4.o::void";
+my $armv4_asm="armcap.o armv4cpuid.o:bn_asm.o armv4-mont.o armv4-gf2m.o:::aes_cbc.o aes-armv4.o bsaes-armv7.o aesv8-armx.o:::sha1-armv4-large.o sha256-armv4.o sha512-armv4.o:::::::ghash-armv4.o ghashv8-armx.o::void";
-my $parisc11_asm="pariscid.o:bn_asm.o parisc-mont.o::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o::32";
+my $aarch64_asm="armcap.o arm64cpuid.o mem_clr.o::::aes_core.o aes_cbc.o aesv8-armx.o:::sha1-armv8.o sha256-armv8.o sha512-armv8.o:::::::ghashv8-armx.o:";
-my $parisc20_asm="pariscid.o:pa-risc2W.o parisc-mont.o::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o::64";
+my $parisc11_asm="pariscid.o:bn_asm.o parisc-mont.o:::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o::32";
-my $ppc32_asm="ppccpuid.o ppccap.o:bn-ppc.o ppc-mont.o ppc64-mont.o::aes_core.o aes_cbc.o aes-ppc.o:::sha1-ppc.o sha256-ppc.o::::::::";
+my $parisc20_asm="pariscid.o:pa-risc2W.o parisc-mont.o:::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o::64";
-my $ppc64_asm="ppccpuid.o ppccap.o:bn-ppc.o ppc-mont.o ppc64-mont.o::aes_core.o aes_cbc.o aes-ppc.o:::sha1-ppc.o sha256-ppc.o sha512-ppc.o::::::::";
+my $ppc64_asm="ppccpuid.o ppccap.o:bn-ppc.o ppc-mont.o ppc64-mont.o:::aes_core.o aes_cbc.o aes-ppc.o vpaes-ppc.o aesp8-ppc.o:::sha1-ppc.o sha256-ppc.o sha512-ppc.o sha256p8-ppc.o sha512p8-ppc.o:::::::ghashp8-ppc.o:";
-my $no_asm=":::::::::::::::void";
+my $ppc32_asm=$ppc64_asm;
 my $no_asm="::::::::::::::::void";
 # As for $BSDthreads. Idea is to maintain "collective" set of flags,
 # which would cover all BSD flavors. -pthread applies to them all, 
@ -152,7 +153,7 @@ my $no_asm=":::::::::::::::void";
 # seems to be sufficient?
 my $BSDthreads="-pthread -D_THREAD_SAFE -D_REENTRANT";
-#config-string	$cc : $cflags : $unistd : $thread_cflag : $sys_id : $lflags : $bn_ops : $cpuid_obj : $bn_obj : $des_obj : $aes_obj : $bf_obj : $md5_obj : $sha1_obj : $cast_obj : $rc4_obj : $rmd160_obj : $rc5_obj : $wp_obj : $cmll_obj : $modes_obj : $engines_obj : $dso_scheme : $shared_target : $shared_cflag : $shared_ldflag : $shared_extension : $ranlib : $arflags : $multilib
+#config-string	$cc : $cflags : $unistd : $thread_cflag : $sys_id : $lflags : $bn_ops : $cpuid_obj : $bn_obj : $ec_obj : $des_obj : $aes_obj : $bf_obj : $md5_obj : $sha1_obj : $cast_obj : $rc4_obj : $rmd160_obj : $rc5_obj : $wp_obj : $cmll_obj : $modes_obj : $engines_obj : $dso_scheme : $shared_target : $shared_cflag : $shared_ldflag : $shared_extension : $ranlib : $arflags : $multilib
 my %table=(
 # File 'TABLE' (created by 'make TABLE') contains the data from this list,
@ -171,27 +172,30 @@ my %table=(
 "debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
 "debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
 "debug-ben-debug",	"gcc44:$gcc_devteam_warn -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O2 -pipe::(unknown)::::::",
 "debug-ben-debug-64",	"gcc:$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-ben-macos",	"cc:$gcc_devteam_warn -arch i386 -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -O3 -DL_ENDIAN -g3 -pipe::(unknown)::-Wl,-search_paths_first::::",
 "debug-ben-macos-gcc46",	"gcc-mp-4.6:$gcc_devteam_warn -Wconversion -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -O3 -DL_ENDIAN -g3 -pipe::(unknown)::::::",
 "debug-ben-darwin64","cc:$gcc_devteam_warn -g -Wno-language-extension-token -Wno-extended-offsetof -arch x86_64 -O3 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$x86_64_asm;$asm=~s/rc4\-[^:]+//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 "debug-ben-debug-64-clang",	"clang:$gcc_devteam_warn -Wno-error=overlength-strings -Wno-error=extended-offsetof -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-ben-no-opt",	"gcc: -Wall -Wmissing-prototypes -Wstrict-prototypes -Wmissing-declarations -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG -Werror -DL_ENDIAN -DTERMIOS -Wall -g3::(unknown)::::::",
 "debug-ben-strict",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::",
 "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
-"debug-bodo",	"gcc:$gcc_devteam_warn -DBN_DEBUG -DBN_DEBUG_RAND -DCONF_DEBUG -DBIO_PAIR_DEBUG -m64 -DL_ENDIAN -DTERMIO -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+"debug-bodo",	"gcc:$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DBN_DEBUG_RAND -DCONF_DEBUG -DBIO_PAIR_DEBUG -m64 -DL_ENDIAN -DTERMIO -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 "debug-ulf", "gcc:-DTERMIOS -DL_ENDIAN -march=i486 -Wall -DBN_DEBUG -DBN_DEBUG_RAND -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -g -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations:::CYGWIN32:::${no_asm}:win32:cygwin-shared:::.dll",
-"debug-steve64", "gcc:$gcc_devteam_warn -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -g::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-steve64", "gcc:$gcc_devteam_warn -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -Wno-overlength-strings -g::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-steve32", "gcc:$gcc_devteam_warn -m32 -DL_ENDIAN -DCONF_DEBUG -DDEBUG_SAFESTACK -g -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-steve32", "gcc:$gcc_devteam_warn -m32 -DL_ENDIAN -DCONF_DEBUG -DDEBUG_SAFESTACK -Wno-overlength-strings -g -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-steve-opt", "gcc:$gcc_devteam_warn -m64 -O3 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -g::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -ggdb -g3 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -ggdb -g3 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-levitte-linux-elf-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-levitte-linux-elf-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -DPEDANTIC -ggdb -g3 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-levitte-linux-noasm-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-levitte-linux-noasm-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -ggdb -g3 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-geoff32","gcc:-DBN_DEBUG -DBN_DEBUG_RAND -DBN_STRICT -DPURIFY -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_ASM -DOPENSSL_NO_INLINE_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -O1 -ggdb2 -Wall -Werror -Wundef -pedantic -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wsign-compare -Wmissing-prototypes -Wmissing-declarations -Wno-long-long::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-geoff64","gcc:-DBN_DEBUG -DBN_DEBUG_RAND -DBN_STRICT -DPURIFY -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_ASM -DOPENSSL_NO_INLINE_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -O1 -ggdb2 -Wall -Werror -Wundef -pedantic -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wsign-compare -Wmissing-prototypes -Wmissing-declarations -Wno-long-long::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-linux-pentium","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentium -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
 "debug-linux-ppro","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentiumpro -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
 "debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -march=i486 -Wall::-D_REENTRANT::-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -march=i486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-linux-ia32-aes", "gcc:-DAES_EXPERIMENTAL -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:x86cpuid.o:bn-586.o co-586.o x86-mont.o:des-586.o crypt586.o:aes_x86core.o aes_cbc.o aesni-x86.o:bf-586.o:md5-586.o:sha1-586.o sha256-586.o sha512-586.o:cast-586.o:rc4-586.o:rmd-586.o:rc5-586.o:wp_block.o wp-mmx.o::ghash-x86.o::elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-linux-ia32-aes", "gcc:-DAES_EXPERIMENTAL -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:x86cpuid.o:bn-586.o co-586.o x86-mont.o::des-586.o crypt586.o:aes_x86core.o aes_cbc.o aesni-x86.o:bf-586.o:md5-586.o:sha1-586.o sha256-586.o sha512-586.o:cast-586.o:rc4-586.o:rmd-586.o:rc5-586.o:wp_block.o wp-mmx.o::ghash-x86.o::elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-linux-generic32","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DTERMIO -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-linux-generic64","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DTERMIO -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-linux-x86_64","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -m64 -DL_ENDIAN -DTERMIO -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
@ -223,7 +227,7 @@ my %table=(
 "solaris64-x86_64-gcc","gcc:-m64 -O3 -Wall -DL_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:solaris-shared:-fPIC:-m64 -shared -static-libgcc:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/64",
 #### Solaris x86 with Sun C setups
-"solaris-x86-cc","cc:-fast -O -Xa::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR:${no_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-x86-cc","cc:-fast -xarch=generic -O -Xa::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR:${no_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "solaris64-x86_64-cc","cc:-fast -xarch=amd64 -xstrconst -Xa -DL_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:solaris-shared:-KPIC:-xarch=amd64 -G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/64",
 #### SPARC Solaris with GNU C setups
@ -243,7 +247,7 @@ my %table=(
 "solaris-sparcv7-cc","cc:-xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${no_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "solaris-sparcv8-cc","cc:-xarch=v8 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "solaris-sparcv9-cc","cc:-xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris64-sparcv9-cc","cc:-xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:solaris-shared:-KPIC:-xarch=v9 -G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):/usr/ccs/bin/ar rs::/64",
+"solaris64-sparcv9-cc","cc:-xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:solaris-shared:-KPIC:-xarch=v9 -G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/64",
 ####
 "debug-solaris-sparcv8-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xarch=v8 -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-solaris-sparcv9-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xtarget=ultra -xarch=v8plus -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", 
@ -298,7 +302,7 @@ my %table=(
 "hpux-parisc-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1:${no_asm}:dl:hpux-shared:-fPIC:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "hpux-parisc1_1-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1:${parisc11_asm}:dl:hpux-shared:-fPIC:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/pa1.1",
 "hpux-parisc2-gcc","gcc:-march=2.0 -O3 -DB_ENDIAN -D_REENTRANT::::-Wl,+s -ldld:SIXTY_FOUR_BIT RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL DES_RISC1:".eval{my $asm=$parisc20_asm;$asm=~s/2W\./2\./;$asm=~s/:64/:32/;$asm}.":dl:hpux-shared:-fPIC:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/pa20_32",
-"hpux64-parisc2-gcc","gcc:-O3 -DB_ENDIAN -D_REENTRANT::::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::pa-risc2W.o::::::::::::::void:dlfcn:hpux-shared:-fpic:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/pa20_64",
+"hpux64-parisc2-gcc","gcc:-O3 -DB_ENDIAN -D_REENTRANT::::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::pa-risc2W.o:::::::::::::::void:dlfcn:hpux-shared:-fpic:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/pa20_64",
 # More attempts at unified 10.X and 11.X targets for HP C compiler.
 #
@ -348,17 +352,27 @@ my %table=(
 # It's believed that majority of ARM toolchains predefine appropriate -march.
 # If you compiler does not, do complement config command line with one!
 "linux-armv4",	"gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-aarch64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # Configure script adds minimally required -march for assembly support,
 # if no -march was specified at command line. mips32 and mips64 below
 # refer to contemporary MIPS Architecture specifications, MIPS32 and
 # MIPS64, rather than to kernel bitness.
 "linux-mips32",	"gcc:-mabi=32 -DTERMIO -O3 -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-mips64",   "gcc:-mabi=n32 -DTERMIO -O3 -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:n32:dlfcn:linux-shared:-fPIC:-mabi=n32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::32",
 "linux64-mips64",   "gcc:-mabi=64 -DTERMIO -O3 -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 #### IA-32 targets...
-"linux-ia32-icc",	"icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-ia32-icc",	"icc:-DL_ENDIAN -DTERMIO -O2::-D_REENTRANT::-ldl -no_cpprt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-elf",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-aout",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out",
 ####
 "linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-ppc64",	"gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 "linux-ppc64le","gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::",
 "linux-ia64",	"gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 "linux-x86_64-icc", "icc:-DL_ENDIAN -DTERMIO -O2::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 "linux-x32",	"gcc:-mx32 -DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32",
 "linux64-s390x",	"gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 #### So called "highgprs" target for z/Architecture CPUs
 # "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
@ -405,6 +419,7 @@ my %table=(
 "android","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "android-x86","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:".eval{my $asm=${x86_elf_asm};$asm=~s/:elf/:android/;$asm}.":dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "android-armv7","gcc:-march=armv7-a -mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "android-mips","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 #### *BSD [do see comment about ${BSDthreads} above!]
 "BSD-generic32","gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@ -452,11 +467,11 @@ my %table=(
 # UnixWare 2.0x fails destest with -O.
 "unixware-2.0","cc:-DFILIO_H -DNO_STRINGS_H::-Kthread::-lsocket -lnsl -lresolv -lx:${x86_gcc_des} ${x86_gcc_opts}:::",
 "unixware-2.1","cc:-O -DFILIO_H::-Kthread::-lsocket -lnsl -lresolv -lx:${x86_gcc_des} ${x86_gcc_opts}:::",
-"unixware-7","cc:-O -DFILIO_H -Kalloca::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}:${x86_elf_asm}:dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"unixware-7","cc:-O -DFILIO_H -Kalloca::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}:${x86_elf_asm}-1:dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"unixware-7-gcc","gcc:-DL_ENDIAN -DFILIO_H -O3 -fomit-frame-pointer -march=pentium -Wall::-D_REENTRANT::-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:gnu-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"unixware-7-gcc","gcc:-DL_ENDIAN -DFILIO_H -O3 -fomit-frame-pointer -march=pentium -Wall::-D_REENTRANT::-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}-1:dlfcn:gnu-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # SCO 5 - Ben Laurie <ben@algroup.co.uk> says the -O breaks the SCO cc.
-"sco5-cc",  "cc:-belf::(unknown)::-lsocket -lnsl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr3-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"sco5-cc",  "cc:-belf::(unknown)::-lsocket -lnsl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}-1:dlfcn:svr3-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"sco5-gcc",  "gcc:-O3 -fomit-frame-pointer::(unknown)::-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr3-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"sco5-gcc",  "gcc:-O3 -fomit-frame-pointer::(unknown)::-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}-1:dlfcn:svr3-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 #### IBM's AIX.
 "aix3-cc",  "cc:-O -DB_ENDIAN -qmaxmem=16384::(unknown):AIX::BN_LLONG RC4_CHAR:::",
@ -464,8 +479,8 @@ my %table=(
 "aix64-gcc","gcc:-maix64 -O -DB_ENDIAN::-pthread:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR:${ppc64_asm}:aix64:dlfcn:aix-shared::-maix64 -shared -Wl,-G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X64",
 # Below targets assume AIX 5. Idea is to effectively disregard $OBJECT_MODE
 # at build time. $OBJECT_MODE is respected at ./config stage!
-"aix-cc",   "cc:-q32 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst::-qthreaded:AIX::BN_LLONG RC4_CHAR:${ppc32_asm}:aix32:dlfcn:aix-shared::-q32 -G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 32",
+"aix-cc",   "cc:-q32 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst::-qthreaded -D_THREAD_SAFE:AIX::BN_LLONG RC4_CHAR:${ppc32_asm}:aix32:dlfcn:aix-shared::-q32 -G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 32",
-"aix64-cc", "cc:-q64 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst::-qthreaded:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR:${ppc64_asm}:aix64:dlfcn:aix-shared::-q64 -G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 64",
+"aix64-cc", "cc:-q64 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst::-qthreaded -D_THREAD_SAFE:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR:${ppc64_asm}:aix64:dlfcn:aix-shared::-q64 -G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 64",
 #
 # Cray T90 and similar (SDSC)
@ -516,15 +531,15 @@ my %table=(
 # Visual C targets
 #
 # Win64 targets, WIN64I denotes IA-64 and WIN64A - AMD64
-"VC-WIN64I","cl:-W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64I::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:ia64cpuid.o:ia64.o ia64-mont.o::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o:::::::ghash-ia64.o::ias:win32",
+"VC-WIN64I","cl:-W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64I::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:ia64cpuid.o:ia64.o ia64-mont.o:::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o:::::::ghash-ia64.o::ias:win32",
 "VC-WIN64A","cl:-W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64A::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:".eval{my $asm=$x86_64_asm;$asm=~s/x86_64-gcc\.o/bn_asm.o/;$asm}.":auto:win32",
-"debug-VC-WIN64I","cl:-W3 -Gs0 -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64I::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:ia64cpuid.o:ia64.o::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o:::::::ghash-ia64.o::ias:win32",
+"debug-VC-WIN64I","cl:-W3 -Gs0 -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64I::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:ia64cpuid.o:ia64.o:::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o:::::::ghash-ia64.o::ias:win32",
 "debug-VC-WIN64A","cl:-W3 -Gs0 -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64A::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:".eval{my $asm=$x86_64_asm;$asm=~s/x86_64-gcc\.o/bn_asm.o/;$asm}.":auto:win32",
 # x86 Win32 target defaults to ANSI API, if you want UNICODE, complement
 # 'perl Configure VC-WIN32' with '-DUNICODE -D_UNICODE'
 "VC-WIN32","cl:-W3 -Gs0 -GF -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE:::WIN32::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${x86_asm}:win32n:win32",
 # Unified CE target
-"debug-VC-WIN32","cl:-W3 -WX -Gs0 -GF -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE:::WIN32::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${x86_asm}:win32n:win32",
+"debug-VC-WIN32","cl:-W3 -Gs0 -GF -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE:::WIN32::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${x86_asm}:win32n:win32",
 "VC-CE","cl::::WINCE::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${no_asm}:win32",
 # Borland C++ 4.5
@ -547,6 +562,7 @@ my %table=(
 # Cygwin
 "Cygwin-pre1.3", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:win32",
 "Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall:::CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:coff:dlfcn:cygwin-shared:-D_WINDLL:-shared:.dll.a",
 "Cygwin-x86_64", "gcc:-DTERMIOS -DL_ENDIAN -O3 -Wall:::CYGWIN32::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:mingw64:dlfcn:cygwin-shared:-D_WINDLL:-shared:.dll.a",
 "debug-Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -march=i486 -Wall -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -g -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror:::CYGWIN32:::${no_asm}:dlfcn:cygwin-shared:-D_WINDLL:-shared:.dll.a",
 # NetWare from David Ward (dsward@novell.com)
@ -579,7 +595,8 @@ my %table=(
 "darwin64-ppc-cc","cc:-arch ppc64 -O3 -DB_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${ppc64_asm}:osx64:dlfcn:darwin-shared:-fPIC -fno-common:-arch ppc64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 "darwin-i386-cc","cc:-arch i386 -O3 -fomit-frame-pointer -DL_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_INT RC4_CHUNK DES_UNROLL BF_PTR:".eval{my $asm=$x86_asm;$asm=~s/cast\-586\.o//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 "debug-darwin-i386-cc","cc:-arch i386 -g3 -DL_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_INT RC4_CHUNK DES_UNROLL BF_PTR:${x86_asm}:macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
-"darwin64-x86_64-cc","cc:-arch x86_64 -O3 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$x86_64_asm;$asm=~s/rc4\-[^:]+//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"darwin64-x86_64-cc","cc:-arch x86_64 -O3 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$x86_64_asm;$asm=~s/rc4\-[^:]+//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 "debug-darwin64-x86_64-cc","cc:-arch x86_64 -ggdb -g2 -O0 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$x86_64_asm;$asm=~s/rc4\-[^:]+//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 "debug-darwin-ppc-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DB_ENDIAN -g -Wall -O::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${ppc32_asm}:osx32:dlfcn:darwin-shared:-fPIC:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 # iPhoneOS/iOS
 "iphoneos-cross","llvm-gcc:-O3 -isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK) -fomit-frame-pointer -fno-common::-D_REENTRANT:iOS:-Wl,-search_paths_first%:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:darwin-shared:-fPIC -fno-common:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
@ -632,6 +649,7 @@ my $idx_lflags = $idx++;
 my $idx_bn_ops = $idx++;
 my $idx_cpuid_obj = $idx++;
 my $idx_bn_obj = $idx++;
 my $idx_ec_obj = $idx++;
 my $idx_des_obj = $idx++;
 my $idx_aes_obj = $idx++;
 my $idx_bf_obj = $idx++;
@ -712,12 +730,15 @@ my %disabled = ( # "what"         => "comment" [or special keyword "experimental
 		 "ec_nistp_64_gcc_128" => "default",
 		 "gmp"		  => "default",
 		 "jpake"          => "experimental",
 		 "libunbound"     => "experimental",
 		 "md2"            => "default",
 		 "rc5"            => "default",
 		 "rfc3779"	  => "default",
 		 "sctp"       => "default",
 		 "shared"         => "default",
 		 "ssl-trace"	  => "default",
 		 "store"	  => "experimental",
 		 "unit-test"	  => "default",
 		 "zlib"           => "default",
 		 "zlib-dynamic"   => "default"
 	       );
@ -725,7 +746,7 @@ my @experimental = ();
 # This is what $depflags will look like with the above defaults
 # (we need this to see if we should advise the user to run "make depend"):
-my $default_depflags = " -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_STORE";
+my $default_depflags = " -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_LIBUNBOUND -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_SSL_TRACE -DOPENSSL_NO_STORE -DOPENSSL_NO_UNIT_TEST";
 # Explicit "no-..." options will be collected in %disabled along with the defaults.
 # To remove something from %disabled, use "enable-foo" (unless it's experimental).
@ -865,16 +886,7 @@ PROCESS_ARGS:
 			}
 		elsif (/^[-+]/)
 			{
-			if (/^-[lL](.*)$/ or /^-Wl,/)
+			if (/^--prefix=(.*)$/)
 				{
 				$libs.=$_." ";
 				}
 			elsif (/^-[^-]/ or /^\+/)
 				{
 				$_ =~ s/%([0-9a-f]{1,2})/chr(hex($1))/gei;
 				$flags.=$_." ";
 				}
 			elsif (/^--prefix=(.*)$/)
 				{
 				$prefix=$1;
 				}
@ -918,10 +930,14 @@ PROCESS_ARGS:
 				{
 				$cross_compile_prefix=$1;
 				}
-			else
+			elsif (/^-[lL](.*)$/ or /^-Wl,/)
 				{
-				print STDERR $usage;
+				$libs.=$_." ";
-				exit(1);
+				}
 			else	# common if (/^[-+]/), just pass down...
 				{
 				$_ =~ s/%([0-9a-f]{1,2})/chr(hex($1))/gei;
 				$flags.=$_." ";
 				}
 			}
 		elsif ($_ =~ /^([^:]+):(.+)$/)
@ -1156,6 +1172,7 @@ my $lflags = $fields[$idx_lflags];
 my $bn_ops = $fields[$idx_bn_ops];
 my $cpuid_obj = $fields[$idx_cpuid_obj];
 my $bn_obj = $fields[$idx_bn_obj];
 my $ec_obj = $fields[$idx_ec_obj];
 my $des_obj = $fields[$idx_des_obj];
 my $aes_obj = $fields[$idx_aes_obj];
 my $bf_obj = $fields[$idx_bf_obj];
@ -1201,6 +1218,12 @@ if ($target =~ /^mingw/ && `$cc --target-help 2>&1` !~ m/\-mno\-cygwin/m)
 	$shared_ldflag =~ s/\-mno\-cygwin\s*//;
 	}
 if ($target =~ /linux.*\-mips/ && !$no_asm && $flags !~ /\-m(ips|arch=)/) {
 	# minimally required architecture flags for assembly modules
 	$cflags="-mips2 $cflags" if ($target =~ /mips32/);
 	$cflags="-mips3 $cflags" if ($target =~ /mips64/);
 }
 my $no_shared_warn=0;
 my $no_user_cflags=0;
@ -1327,7 +1350,7 @@ $lflags="$libs$lflags" if ($libs ne "");
 if ($no_asm)
 	{
-	$cpuid_obj=$bn_obj=
+	$cpuid_obj=$bn_obj=$ec_obj=
 	$des_obj=$aes_obj=$bf_obj=$cast_obj=$rc4_obj=$rc5_obj=$cmll_obj=
 	$modes_obj=$sha1_obj=$md5_obj=$rmd160_obj=$wp_obj=$engines_obj="";
 	}
@ -1408,6 +1431,7 @@ if ($target =~ /\-icc$/)	# Intel C compiler
 		}
 	if ($iccver>=8)
 		{
 		$cflags=~s/\-KPIC/-fPIC/;
 		# Eliminate unnecessary dependency from libirc.a. This is
 		# essential for shared library support, as otherwise
 		# apps/openssl can end up in endless loop upon startup...
@ -1415,12 +1439,17 @@ if ($target =~ /\-icc$/)	# Intel C compiler
 		}
 	if ($iccver>=9)
 		{
-		$cflags.=" -i-static";
+		$lflags.=" -i-static";
-		$cflags=~s/\-no_cpprt/-no-cpprt/;
+		$lflags=~s/\-no_cpprt/-no-cpprt/;
 		}
 	if ($iccver>=10)
 		{
-		$cflags=~s/\-i\-static/-static-intel/;
+		$lflags=~s/\-i\-static/-static-intel/;
 		}
 	if ($iccver>=11)
 		{
 		$cflags.=" -no-intel-extensions";	# disable Cilk
 		$lflags=~s/\-no\-cpprt/-no-cxxlib/;
 		}
 	}
@ -1501,7 +1530,7 @@ if ($rmd160_obj =~ /\.o$/)
 	}
 if ($aes_obj =~ /\.o$/)
 	{
-	$cflags.=" -DAES_ASM";
+	$cflags.=" -DAES_ASM" if ($aes_obj =~ m/\baes\-/);;
 	# aes-ctr.o is not a real file, only indication that assembler
 	# module implements AES_ctr32_encrypt...
 	$cflags.=" -DAES_CTR_ASM" if ($aes_obj =~ s/\s*aes\-ctr\.o//);
@ -1523,10 +1552,14 @@ else	{
 	$wp_obj="wp_block.o";
 	}
 $cmll_obj=$cmll_enc	unless ($cmll_obj =~ /.o$/);
-if ($modes_obj =~ /ghash/)
+if ($modes_obj =~ /ghash\-/)
 	{
 	$cflags.=" -DGHASH_ASM";
 	}
 if ($ec_obj =~ /ecp_nistz256/)
 	{
 	$cflags.=" -DECP_NISTZ256_ASM";
 	}
 # "Stringify" the C flags string.  This permits it to be made part of a string
 # and works as well on command lines.
@ -1630,6 +1663,7 @@ while (<IN>)
 	s/^EXE_EXT=.*$/EXE_EXT= $exe_ext/;
 	s/^CPUID_OBJ=.*$/CPUID_OBJ= $cpuid_obj/;
 	s/^BN_ASM=.*$/BN_ASM= $bn_obj/;
 	s/^EC_ASM=.*$/EC_ASM= $ec_obj/;
 	s/^DES_ENC=.*$/DES_ENC= $des_obj/;
 	s/^AES_ENC=.*$/AES_ENC= $aes_obj/;
 	s/^BF_ENC=.*$/BF_ENC= $bf_obj/;
@ -1691,6 +1725,7 @@ print "CFLAG         =$cflags\n";
 print "EX_LIBS       =$lflags\n";
 print "CPUID_OBJ     =$cpuid_obj\n";
 print "BN_ASM        =$bn_obj\n";
 print "EC_ASM        =$ec_obj\n";
 print "DES_ENC       =$des_obj\n";
 print "AES_ENC       =$aes_obj\n";
 print "BF_ENC        =$bf_obj\n";
@ -1764,6 +1799,9 @@ open(OUT,'>crypto/opensslconf.h.new') || die "unable to create crypto/opensslcon
 print OUT "/* opensslconf.h */\n";
 print OUT "/* WARNING: Generated automatically from opensslconf.h.in by Configure. */\n\n";
 print OUT "#ifdef  __cplusplus\n";
 print OUT "extern \"C\" {\n";
 print OUT "#endif\n";
 print OUT "/* OpenSSL was configured with the following options: */\n";
 my $openssl_algorithm_defines_trans = $openssl_algorithm_defines;
 $openssl_experimental_defines =~ s/^\s*#\s*define\s+OPENSSL_NO_(.*)/#ifndef OPENSSL_EXPERIMENTAL_$1\n# ifndef OPENSSL_NO_$1\n#  define OPENSSL_NO_$1\n# endif\n#endif/mg;
@ -1868,6 +1906,9 @@ while (<IN>)
 		{ print OUT $_; }
 	}
 close(IN);
 print OUT "#ifdef  __cplusplus\n";
 print OUT "}\n";
 print OUT "#endif\n";
 close(OUT);
 rename("crypto/opensslconf.h","crypto/opensslconf.h.bak") || die "unable to rename crypto/opensslconf.h\n" if -e "crypto/opensslconf.h";
 rename("crypto/opensslconf.h.new","crypto/opensslconf.h") || die "unable to rename crypto/opensslconf.h.new\n";
@ -2092,12 +2133,12 @@ sub print_table_entry
 	{
 	my $target = shift;
-	(my $cc,my $cflags,my $unistd,my $thread_cflag,my $sys_id,my $lflags,
+	my ($cc, $cflags, $unistd, $thread_cflag, $sys_id, $lflags,
-	my $bn_ops,my $cpuid_obj,my $bn_obj,my $des_obj,my $aes_obj, my $bf_obj,
+	    $bn_ops, $cpuid_obj, $bn_obj, $ec_obj, $des_obj, $aes_obj, $bf_obj,
-	my $md5_obj,my $sha1_obj,my $cast_obj,my $rc4_obj,my $rmd160_obj,
+	    $md5_obj, $sha1_obj, $cast_obj, $rc4_obj, $rmd160_obj,
-	my $rc5_obj,my $wp_obj,my $cmll_obj,my $modes_obj, my $engines_obj,
+	    $rc5_obj, $wp_obj, $cmll_obj, $modes_obj, $engines_obj,
-	my $perlasm_scheme,my $dso_scheme,my $shared_target,my $shared_cflag,
+	    $perlasm_scheme, $dso_scheme, $shared_target, $shared_cflag,
-	my $shared_ldflag,my $shared_extension,my $ranlib,my $arflags,my $multilib)=
+	    $shared_ldflag, $shared_extension, $ranlib, $arflags, $multilib)=
 	split(/\s*:\s*/,$table{$target} . ":" x 30 , -1);
 	print <<EOF
@ -2112,6 +2153,7 @@ sub print_table_entry
 \$bn_ops       = $bn_ops
 \$cpuid_obj    = $cpuid_obj
 \$bn_obj       = $bn_obj
 \$ec_obj       = $ec_obj
 \$des_obj      = $des_obj
 \$aes_obj      = $aes_obj
 \$bf_obj       = $bf_obj
--- a/70
+++ b/70
@ -10,6 +10,7 @@ OpenSSL  -  Frequently Asked Questions
 * Why aren't tools like 'autoconf' and 'libtool' used?
 * What is an 'engine' version?
 * How do I check the authenticity of the OpenSSL distribution?
 * How does the versioning scheme work?
 [LEGAL] Legal questions
@ -82,11 +83,11 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 1.0.1 was released on Mar 14th, 2012.
+OpenSSL 1.0.1a was released on Apr 19th, 2012.
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
-ftp://ftp.openssl.org/snapshot/>, or get it by anonymous CVS access.
+ftp://ftp.openssl.org/snapshot/>, or get it by anonymous Git access.
 * Where is the documentation?
@ -108,12 +109,9 @@ In addition, you can read the most current versions at
 <URL: http://www.openssl.org/docs/>. Note that the online documents refer
 to the very latest development versions of OpenSSL and may include features
 not present in released versions. If in doubt refer to the documentation
-that came with the version of OpenSSL you are using.
+that came with the version of OpenSSL you are using. The pod format
-
+documentation is included in each OpenSSL distribution under the docs
-For information on parts of libcrypto that are not yet documented, you
+directory.
 might want to read Ariel Glenn's documentation on SSLeay 0.9, OpenSSL's
 predecessor, at <URL: http://www.columbia.edu/~ariel/ssleay/>.  Much
 of this still applies to OpenSSL.
 There is some documentation about certificate extensions and PKCS#12
 in doc/openssl.txt
@ -173,14 +171,31 @@ just do:
   pgp TARBALL.asc
 * How does the versioning scheme work?
 After the release of OpenSSL 1.0.0 the versioning scheme changed. Letter 
 releases (e.g. 1.0.1a) can only contain bug and security fixes and no
 new features. Minor releases change the last number (e.g. 1.0.2) and 
 can contain new features that retain binary compatibility. Changes to
 the middle number are considered major releases and neither source nor
 binary compatibility is guaranteed.
 Therefore the answer to the common question "when will feature X be
 backported to OpenSSL 1.0.0/0.9.8?" is "never" but it could appear
 in the next minor release.
 * What happens when the letter release reaches z?
 It was decided after the release of OpenSSL 0.9.8y the next version should
 be 0.9.8za then 0.9.8zb and so on.
 [LEGAL] =======================================================================
 * Do I need patent licenses to use OpenSSL?
-The patents section of the README file lists patents that may apply to
+For information on intellectual property rights, please consult a lawyer.
-you if you want to use OpenSSL.  For information on intellectual
+The OpenSSL team does not offer legal advice.
 property rights, please consult a lawyer.  The OpenSSL team does not
 offer legal advice.
 You can configure OpenSSL so as not to use IDEA, MDC2 and RC5 by using
 ./config no-idea no-mdc2 no-rc5
@ -284,7 +299,7 @@ current directory in this case, but this has changed with 0.9.6a.)
 Check out the CA.pl(1) manual page. This provides a simple wrapper round
 the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check
 out the manual pages for the individual utilities and the certificate
-extensions documentation (currently in doc/openssl.txt).
+extensions documentation (in ca(1), req(1), x509v3_config(5) )
 * Why can't I create certificate requests?
@ -597,8 +612,8 @@ valid for the current DOS session.
 * What is special about OpenSSL on Redhat?
 Red Hat Linux (release 7.0 and later) include a preinstalled limited
-version of OpenSSL. For patent reasons, support for IDEA, RC5 and MDC2
+version of OpenSSL. Red Hat has chosen to disable support for IDEA, RC5 and
-is disabled in this version. The same may apply to other Linux distributions.
+MDC2 in this version. The same may apply to other Linux distributions.
 Users may therefore wish to install more or all of the features left out.
 To do this you MUST ensure that you do not overwrite the openssl that is in
@ -621,11 +636,6 @@ relevant updates in packages up to and including 0.9.6b.
 A possible way around this is to persuade Red Hat to produce a non-US
 version of Red Hat Linux.
 FYI: Patent numbers and expiry dates of US patents:
 MDC-2: 4,908,861 13/03/2007
 IDEA:  5,214,703 25/05/2010
 RC5:   5,724,428 03/03/2015
 * Why does the OpenSSL compilation fail on MacOS X?
@ -752,6 +762,9 @@ openssl-security@openssl.org if you don't get a prompt reply at least
 acknowledging receipt then resend or mail it directly to one of the
 more active team members (e.g. Steve).
 Note that bugs only present in the openssl utility are not in general
 considered to be security issues. 
 [PROG] ========================================================================
 * Is OpenSSL thread-safe?
@ -848,7 +861,7 @@ The opposite assumes we already have len bytes in buf:
 p = buf;
 p7 = d2i_PKCS7(NULL, &p, len);
-At this point p7 contains a valid PKCS7 structure of NULL if an error
+At this point p7 contains a valid PKCS7 structure or NULL if an error
 occurred. If an error occurred ERR_print_errors(bio) should give more
 information.
@ -860,6 +873,21 @@ that has been read or written. This may well be uninitialized data
 and attempts to free the buffer will have unpredictable results
 because it no longer points to the same address.
 Memory allocation and encoding can also be combined in a single
 operation by the ASN1 routines:
 unsigned char *buf = NULL;	/* mandatory */
 int len;
 len = i2d_PKCS7(p7, &buf);
 if (len < 0)
 	/* Error */
 /* Do some things with 'buf' */
 /* Finished with buf: free it */
 OPENSSL_free(buf);
 In this special case the "buf" parameter is *not* incremented, it points
 to the start of the encoding.
 * OpenSSL uses DER but I need BER format: does OpenSSL support BER?
--- a/8
+++ b/8
@ -0,0 +1,8 @@
 #!/bin/sh
 BRANCH=`git rev-parse --abbrev-ref HEAD`
 ./Configure $@ no-symlinks
 make files
 util/mk1mf.pl OUT=out.$BRANCH TMP=tmp.$BRANCH INC=inc.$BRANCH copy > makefile.$BRANCH
 make -f makefile.$BRANCH init
--- a/5
+++ b/5
@ -0,0 +1,5 @@
 #!/bin/sh
 BRANCH=`git rev-parse --abbrev-ref HEAD`
 make -f makefile.$BRANCH $@
--- a/INSTALL.W32
+++ b/INSTALL.W32
@ -29,7 +29,7 @@
  is required if you intend to utilize assembler modules. Note that NASM
  is now the only supported assembler.
- If you are compiling from a tarball or a CVS snapshot then the Win32 files
+ If you are compiling from a tarball or a Git snapshot then the Win32 files
 may well be not up to date. This may mean that some "tweaking" is required to
 get it all to work. See the trouble shooting section later on for if (when?)
 it goes wrong.
@ -257,7 +257,7 @@
 then ms\do_XXX should not give a warning any more. However the numbers that
 get assigned by this technique may not match those that eventually get
- assigned in the CVS tree: so anything linked against this version of the
+ assigned in the Git tree: so anything linked against this version of the
 library may need to be recompiled.
 If you get errors about unresolved symbols there are several possible
--- a/Makefile.org
+++ b/Makefile.org
@ -88,6 +88,7 @@ PROCESSOR=
 # CPUID module collects small commonly used assembler snippets
 CPUID_OBJ= 
 BN_ASM= bn_asm.o
 EC_ASM=
 DES_ENC= des_enc.o fcrypt_b.o
 AES_ENC= aes_core.o aes_cbc.o
 BF_ENC= bf_enc.o
@ -198,7 +199,7 @@ CLEARENV=	TOP= && unset TOP $${LIB+LIB} $${LIBS+LIBS}	\
 		$${EXHEADER+EXHEADER} $${HEADER+HEADER}		\
 		$${GENERAL+GENERAL} $${CFLAGS+CFLAGS}		\
 		$${ASFLAGS+ASFLAGS} $${AFLAGS+AFLAGS}		\
-		$${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS}		\
+		$${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS} $${SCRIPTS+SCRIPTS}	\
 		$${SHAREDCMD+SHAREDCMD} $${SHAREDFLAGS+SHAREDFLAGS}	\
 		$${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS}
@ -221,8 +222,8 @@ BUILDENV=	PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)' \
 		EXE_EXT='$(EXE_EXT)' SHARED_LIBS='$(SHARED_LIBS)'	\
 		SHLIB_EXT='$(SHLIB_EXT)' SHLIB_TARGET='$(SHLIB_TARGET)'	\
 		PEX_LIBS='$(PEX_LIBS)' EX_LIBS='$(EX_LIBS)'	\
-		CPUID_OBJ='$(CPUID_OBJ)'			\
+		CPUID_OBJ='$(CPUID_OBJ)' BN_ASM='$(BN_ASM)'	\
-		BN_ASM='$(BN_ASM)' DES_ENC='$(DES_ENC)' 	\
+		EC_ASM='$(EC_ASM)' DES_ENC='$(DES_ENC)' 	\
 		AES_ENC='$(AES_ENC)' CMLL_ENC='$(CMLL_ENC)'	\
 		BF_ENC='$(BF_ENC)' CAST_ENC='$(CAST_ENC)'	\
 		RC4_ENC='$(RC4_ENC)' RC5_ENC='$(RC5_ENC)'	\
@ -302,7 +303,8 @@ libcrypto$(SHLIB_EXT): libcrypto.a fips_premain_dso$(EXE_EXT)
 			FIPSLD_CC="$(CC)"; CC=$(FIPSDIR)/bin/fipsld; \
 			export CC FIPSLD_CC FIPSLD_LIBCRYPTO; \
 		fi; \
-		$(MAKE) -e SHLIBDIRS=crypto build-shared; \
+		$(MAKE) -e SHLIBDIRS=crypto  CC="$${CC:-$(CC)}" build-shared && \
 		(touch -c fips_premain_dso$(EXE_EXT) || :); \
 	else \
 		echo "There's no support for shared libraries on this platform" >&2; \
 		exit 1; \
@ -325,7 +327,7 @@ clean-shared:
 			done; \
 		fi; \
 		( set -x; rm -f lib$$i$(SHLIB_EXT) ); \
-		if [ "$(PLATFORM)" = "Cygwin" ]; then \
+		if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
 			( set -x; rm -f cyg$$i$(SHLIB_EXT) lib$$i$(SHLIB_EXT).a ); \
 		fi; \
 	done
@ -374,11 +376,11 @@ libssl.pc: Makefile
 	    echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
 	    echo 'includedir=$${prefix}/include'; \
 	    echo ''; \
-	    echo 'Name: OpenSSL'; \
+	    echo 'Name: OpenSSL-libssl'; \
 	    echo 'Description: Secure Sockets Layer and cryptography libraries'; \
 	    echo 'Version: '$(VERSION); \
-	    echo 'Requires: '; \
+	    echo 'Requires.private: libcrypto'; \
-	    echo 'Libs: -L$${libdir} -lssl -lcrypto'; \
+	    echo 'Libs: -L$${libdir} -lssl'; \
 	    echo 'Libs.private: $(EX_LIBS)'; \
 	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
@ -391,10 +393,7 @@ openssl.pc: Makefile
 	    echo 'Name: OpenSSL'; \
 	    echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
 	    echo 'Version: '$(VERSION); \
-	    echo 'Requires: '; \
+	    echo 'Requires: libssl libcrypto' ) > openssl.pc
 	    echo 'Libs: -L$${libdir} -lssl -lcrypto'; \
 	    echo 'Libs.private: $(EX_LIBS)'; \
 	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
 Makefile: Makefile.org Configure config
 	@echo "Makefile is older than Makefile.org, Configure or config."
@ -444,7 +443,7 @@ rehash.time: certs apps
 		[ -x "apps/openssl.exe" ] && OPENSSL="apps/openssl.exe" || :; \
 		OPENSSL_DEBUG_MEMORY=on; \
 		export OPENSSL OPENSSL_DEBUG_MEMORY; \
-		$(PERL) tools/c_rehash certs) && \
+		$(PERL) tools/c_rehash certs/demo) && \
 		touch rehash.time; \
 	else :; fi
@ -469,9 +468,9 @@ tags:
 	find . -name '[^.]*.[ch]' | xargs etags -a
 errors:
 	$(PERL) util/ck_errf.pl -strict */*.c */*/*.c
 	$(PERL) util/mkerr.pl -recurse -write
 	(cd engines; $(MAKE) PERL=$(PERL) errors)
 	$(PERL) util/ck_errf.pl -strict */*.c */*/*.c
 stacks:
 	$(PERL) util/mkstack.pl -write
@ -570,11 +569,7 @@ install_sw:
 		do \
 			if [ -f "$$i" -o -f "$$i.a" ]; then \
 			(       echo installing $$i; \
-				if [ "$(PLATFORM)" != "Cygwin" ]; then \
+				if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
 					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
 					chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
 					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
 				else \
 					c=`echo $$i | sed 's/^lib\(.*\)\.dll\.a/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \
 					cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
 					chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
@ -582,6 +577,10 @@ install_sw:
 					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
 					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
 					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
 				else \
 					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
 					chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
 					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
 				fi ); \
 				if expr $(PLATFORM) : 'mingw' > /dev/null; then \
 				(	case $$i in \
@ -614,6 +613,10 @@ install_sw:
 install_html_docs:
 	here="`pwd`"; \
 	filecase=; \
 	case "$(PLATFORM)" in DJGPP|Cygwin*|mingw*|darwin*-*-cc) \
 		filecase=-i; \
 	esac; \
 	for subdir in apps crypto ssl; do \
 		mkdir -p $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir; \
 		for i in doc/$$subdir/*.pod; do \
@ -642,9 +645,9 @@ install_docs:
 	@pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \
 	here="`pwd`"; \
 	filecase=; \
-	if [ "$(PLATFORM)" = "DJGPP" -o "$(PLATFORM)" = "Cygwin" -o "$(PLATFORM)" = "mingw" ]; then \
+	case "$(PLATFORM)" in DJGPP|Cygwin*|mingw*|darwin*-*-cc) \
 		filecase=-i; \
-	fi; \
+	esac; \
 	set -e; for i in doc/apps/*.pod; do \
 		fn=`basename $$i .pod`; \
 		sec=`$(PERL) util/extract-section.pl 1 < $$i`; \
--- a/241
+++ b/241
@ -5,7 +5,80 @@
  This file gives a brief overview of the major changes between each OpenSSL
  release. For more details please read the CHANGES file.
-  Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1:
+  Major changes between OpenSSL 1.0.1i and OpenSSL 1.0.2 [in beta]:
      o Suite B support for TLS 1.2 and DTLS 1.2
      o Support for DTLS 1.2
      o TLS automatic EC curve selection.
      o API to set TLS supported signature algorithms and curves
      o SSL_CONF configuration API.
      o TLS Brainpool support.
      o ALPN support.
      o CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH.
  Major changes between OpenSSL 1.0.1h and OpenSSL 1.0.1i [6 Aug 2014]
      o Fix for CVE-2014-3512
      o Fix for CVE-2014-3511
      o Fix for CVE-2014-3510
      o Fix for CVE-2014-3507
      o Fix for CVE-2014-3506
      o Fix for CVE-2014-3505
      o Fix for CVE-2014-3509
      o Fix for CVE-2014-5139
      o Fix for CVE-2014-3508
  Major changes between OpenSSL 1.0.1g and OpenSSL 1.0.1h [5 Jun 2014]
      o Fix for CVE-2014-0224
      o Fix for CVE-2014-0221
      o Fix for CVE-2014-0195
      o Fix for CVE-2014-3470
      o Fix for CVE-2010-5298
  Major changes between OpenSSL 1.0.1f and OpenSSL 1.0.1g [7 Apr 2014]
      o Fix for CVE-2014-0160
      o Add TLS padding extension workaround for broken servers.
      o Fix for CVE-2014-0076
  Major changes between OpenSSL 1.0.1e and OpenSSL 1.0.1f [6 Jan 2014]
      o Don't include gmt_unix_time in TLS server and client random values
      o Fix for TLS record tampering bug CVE-2013-4353
      o Fix for TLS version checking bug CVE-2013-6449
      o Fix for DTLS retransmission bug CVE-2013-6450
  Major changes between OpenSSL 1.0.1d and OpenSSL 1.0.1e [11 Feb 2013]:
      o Corrected fix for CVE-2013-0169
  Major changes between OpenSSL 1.0.1c and OpenSSL 1.0.1d [4 Feb 2013]:
      o Fix renegotiation in TLS 1.1, 1.2 by using the correct TLS version.
      o Include the fips configuration module.
      o Fix OCSP bad key DoS attack CVE-2013-0166
      o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169
      o Fix for TLS AESNI record handling flaw CVE-2012-2686
  Major changes between OpenSSL 1.0.1b and OpenSSL 1.0.1c [10 May 2012]:
      o Fix TLS/DTLS record length checking bug CVE-2012-2333
      o Don't attempt to use non-FIPS composite ciphers in FIPS mode.
  Major changes between OpenSSL 1.0.1a and OpenSSL 1.0.1b [26 Apr 2012]:
      o Fix compilation error on non-x86 platforms.
      o Make FIPS capable OpenSSL ciphers work in non-FIPS mode.
      o Fix SSL_OP_NO_TLSv1_1 clash with SSL_OP_ALL in OpenSSL 1.0.0
  Major changes between OpenSSL 1.0.1 and OpenSSL 1.0.1a [19 Apr 2012]:
      o Fix for ASN1 overflow bug CVE-2012-2110
      o Workarounds for some servers that hang on long client hellos.
      o Fix SEGV in AES code.
  Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1 [14 Mar 2012]:
      o TLS/DTLS heartbeat support.
      o SCTP support.
@ -18,17 +91,30 @@
      o Preliminary FIPS capability for unvalidated 2.0 FIPS module.
      o SRP support.
-  Major changes between OpenSSL 1.0.0g and OpenSSL 1.0.0h:
+  Major changes between OpenSSL 1.0.0j and OpenSSL 1.0.0k [5 Feb 2013]:
      o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169
      o Fix OCSP bad key DoS attack CVE-2013-0166
  Major changes between OpenSSL 1.0.0i and OpenSSL 1.0.0j [10 May 2012]:
      o Fix DTLS record length checking bug CVE-2012-2333
  Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.0i [19 Apr 2012]:
      o Fix for ASN1 overflow bug CVE-2012-2110
  Major changes between OpenSSL 1.0.0g and OpenSSL 1.0.0h [12 Mar 2012]:
      o Fix for CMS/PKCS#7 MMA CVE-2012-0884
      o Corrected fix for CVE-2011-4619
      o Various DTLS fixes.
-  Major changes between OpenSSL 1.0.0f and OpenSSL 1.0.0g:
+  Major changes between OpenSSL 1.0.0f and OpenSSL 1.0.0g [18 Jan 2012]:
      o Fix for DTLS DoS issue CVE-2012-0050
-  Major changes between OpenSSL 1.0.0e and OpenSSL 1.0.0f:
+  Major changes between OpenSSL 1.0.0e and OpenSSL 1.0.0f [4 Jan 2012]:
      o Fix for DTLS plaintext recovery attack CVE-2011-4108
      o Clear block padding bytes of SSL 3.0 records CVE-2011-4576
@ -36,7 +122,7 @@
      o Check parameters are not NULL in GOST ENGINE CVE-2012-0027
      o Check for malformed RFC3779 data CVE-2011-4577
-  Major changes between OpenSSL 1.0.0d and OpenSSL 1.0.0e:
+  Major changes between OpenSSL 1.0.0d and OpenSSL 1.0.0e [6 Sep 2011]:
      o Fix for CRL vulnerability issue CVE-2011-3207
      o Fix for ECDH crashes CVE-2011-3210
@ -44,11 +130,11 @@
      o Support ECDH ciphersuites for certificates using SHA2 algorithms.
      o Various DTLS fixes.
-  Major changes between OpenSSL 1.0.0c and OpenSSL 1.0.0d:
+  Major changes between OpenSSL 1.0.0c and OpenSSL 1.0.0d [8 Feb 2011]:
      o Fix for security issue CVE-2011-0014
-  Major changes between OpenSSL 1.0.0b and OpenSSL 1.0.0c:
+  Major changes between OpenSSL 1.0.0b and OpenSSL 1.0.0c [2 Dec 2010]:
      o Fix for security issue CVE-2010-4180
      o Fix for CVE-2010-4252
@ -56,18 +142,18 @@
      o Fix various platform compilation issues.
      o Corrected fix for security issue CVE-2010-3864.
-  Major changes between OpenSSL 1.0.0a and OpenSSL 1.0.0b:
+  Major changes between OpenSSL 1.0.0a and OpenSSL 1.0.0b [16 Nov 2010]:
      o Fix for security issue CVE-2010-3864.
      o Fix for CVE-2010-2939
      o Fix WIN32 build system for GOST ENGINE.
-  Major changes between OpenSSL 1.0.0 and OpenSSL 1.0.0a:
+  Major changes between OpenSSL 1.0.0 and OpenSSL 1.0.0a [1 Jun 2010]:
      o Fix for security issue CVE-2010-1633.
      o GOST MAC and CFB fixes.
-  Major changes between OpenSSL 0.9.8n and OpenSSL 1.0.0:
+  Major changes between OpenSSL 0.9.8n and OpenSSL 1.0.0 [29 Mar 2010]:
      o RFC3280 path validation: sufficient to process PKITS tests.
      o Integrated support for PVK files and keyblobs.
@ -90,20 +176,55 @@
      o Opaque PRF Input TLS extension support.
      o Updated time routines to avoid OS limitations.
-  Major changes between OpenSSL 0.9.8q and OpenSSL 0.9.8r:
+  Major changes between OpenSSL 0.9.8x and OpenSSL 0.9.8y [5 Feb 2013]:
      o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169
      o Fix OCSP bad key DoS attack CVE-2013-0166
  Major changes between OpenSSL 0.9.8w and OpenSSL 0.9.8x [10 May 2012]:
      o Fix DTLS record length checking bug CVE-2012-2333
  Major changes between OpenSSL 0.9.8v and OpenSSL 0.9.8w [23 Apr 2012]:
      o Fix for CVE-2012-2131 (corrected fix for 0.9.8 and CVE-2012-2110)
  Major changes between OpenSSL 0.9.8u and OpenSSL 0.9.8v [19 Apr 2012]:
      o Fix for ASN1 overflow bug CVE-2012-2110
  Major changes between OpenSSL 0.9.8t and OpenSSL 0.9.8u [12 Mar 2012]:
      o Fix for CMS/PKCS#7 MMA CVE-2012-0884
      o Corrected fix for CVE-2011-4619
      o Various DTLS fixes.
  Major changes between OpenSSL 0.9.8s and OpenSSL 0.9.8t [18 Jan 2012]:
      o Fix for DTLS DoS issue CVE-2012-0050
  Major changes between OpenSSL 0.9.8r and OpenSSL 0.9.8s [4 Jan 2012]:
      o Fix for DTLS plaintext recovery attack CVE-2011-4108
      o Fix policy check double free error CVE-2011-4109
      o Clear block padding bytes of SSL 3.0 records CVE-2011-4576
      o Only allow one SGC handshake restart for SSL/TLS CVE-2011-4619
      o Check for malformed RFC3779 data CVE-2011-4577
  Major changes between OpenSSL 0.9.8q and OpenSSL 0.9.8r [8 Feb 2011]:
      o Fix for security issue CVE-2011-0014
-  Major changes between OpenSSL 0.9.8p and OpenSSL 0.9.8q:
+  Major changes between OpenSSL 0.9.8p and OpenSSL 0.9.8q [2 Dec 2010]:
      o Fix for security issue CVE-2010-4180
      o Fix for CVE-2010-4252
-  Major changes between OpenSSL 0.9.8o and OpenSSL 0.9.8p:
+  Major changes between OpenSSL 0.9.8o and OpenSSL 0.9.8p [16 Nov 2010]:
      o Fix for security issue CVE-2010-3864.
-  Major changes between OpenSSL 0.9.8n and OpenSSL 0.9.8o:
+  Major changes between OpenSSL 0.9.8n and OpenSSL 0.9.8o [1 Jun 2010]:
      o Fix for security issue CVE-2010-0742.
      o Various DTLS fixes.
@ -111,12 +232,12 @@
      o Fix for no-rc4 compilation.
      o Chil ENGINE unload workaround.
-  Major changes between OpenSSL 0.9.8m and OpenSSL 0.9.8n:
+  Major changes between OpenSSL 0.9.8m and OpenSSL 0.9.8n [24 Mar 2010]:
      o CFB cipher definition fixes.
      o Fix security issues CVE-2010-0740 and CVE-2010-0433.
-  Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m:
+  Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m [25 Feb 2010]:
      o Cipher definition fixes.
      o Workaround for slow RAND_poll() on some WIN32 versions.
@ -128,33 +249,33 @@
      o Ticket and SNI coexistence fixes.
      o Many fixes to DTLS handling. 
-  Major changes between OpenSSL 0.9.8k and OpenSSL 0.9.8l:
+  Major changes between OpenSSL 0.9.8k and OpenSSL 0.9.8l [5 Nov 2009]:
      o Temporary work around for CVE-2009-3555: disable renegotiation.
-  Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k:
+  Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k [25 Mar 2009]:
      o Fix various build issues.
      o Fix security issues (CVE-2009-0590, CVE-2009-0591, CVE-2009-0789)
-  Major changes between OpenSSL 0.9.8i and OpenSSL 0.9.8j:
+  Major changes between OpenSSL 0.9.8i and OpenSSL 0.9.8j [7 Jan 2009]:
      o Fix security issue (CVE-2008-5077)
      o Merge FIPS 140-2 branch code.
-  Major changes between OpenSSL 0.9.8g and OpenSSL 0.9.8h:
+  Major changes between OpenSSL 0.9.8g and OpenSSL 0.9.8h [28 May 2008]:
      o CryptoAPI ENGINE support.
      o Various precautionary measures.
      o Fix for bugs affecting certificate request creation.
      o Support for local machine keyset attribute in PKCS#12 files.
-  Major changes between OpenSSL 0.9.8f and OpenSSL 0.9.8g:
+  Major changes between OpenSSL 0.9.8f and OpenSSL 0.9.8g [19 Oct 2007]:
      o Backport of CMS functionality to 0.9.8.
      o Fixes for bugs introduced with 0.9.8f.
-  Major changes between OpenSSL 0.9.8e and OpenSSL 0.9.8f:
+  Major changes between OpenSSL 0.9.8e and OpenSSL 0.9.8f [11 Oct 2007]:
      o Add gcc 4.2 support.
      o Add support for AES and SSE2 assembly lanugauge optimization
@ -165,23 +286,23 @@
      o RFC4507bis support.
      o TLS Extensions support.
-  Major changes between OpenSSL 0.9.8d and OpenSSL 0.9.8e:
+  Major changes between OpenSSL 0.9.8d and OpenSSL 0.9.8e [23 Feb 2007]:
      o Various ciphersuite selection fixes.
      o RFC3779 support.
-  Major changes between OpenSSL 0.9.8c and OpenSSL 0.9.8d:
+  Major changes between OpenSSL 0.9.8c and OpenSSL 0.9.8d [28 Sep 2006]:
      o Introduce limits to prevent malicious key DoS  (CVE-2006-2940)
      o Fix security issues (CVE-2006-2937, CVE-2006-3737, CVE-2006-4343)
      o Changes to ciphersuite selection algorithm
-  Major changes between OpenSSL 0.9.8b and OpenSSL 0.9.8c:
+  Major changes between OpenSSL 0.9.8b and OpenSSL 0.9.8c [5 Sep 2006]:
      o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339
      o New cipher Camellia
-  Major changes between OpenSSL 0.9.8a and OpenSSL 0.9.8b:
+  Major changes between OpenSSL 0.9.8a and OpenSSL 0.9.8b [4 May 2006]:
      o Cipher string fixes.
      o Fixes for VC++ 2005.
@ -191,12 +312,12 @@
      o Built in dynamic engine compilation support on Win32.
      o Fixes auto dynamic engine loading in Win32.
-  Major changes between OpenSSL 0.9.8 and OpenSSL 0.9.8a:
+  Major changes between OpenSSL 0.9.8 and OpenSSL 0.9.8a [11 Oct 2005]:
      o Fix potential SSL 2.0 rollback, CVE-2005-2969
      o Extended Windows CE support
-  Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.8:
+  Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.8 [5 Jul 2005]:
      o Major work on the BIGNUM library for higher efficiency and to
        make operations more streamlined and less contradictory.  This
@ -270,36 +391,36 @@
      o Added initial support for Win64.
      o Added alternate pkg-config files.
-  Major changes between OpenSSL 0.9.7l and OpenSSL 0.9.7m:
+  Major changes between OpenSSL 0.9.7l and OpenSSL 0.9.7m [23 Feb 2007]:
      o FIPS 1.1.1 module linking.
      o Various ciphersuite selection fixes.
-  Major changes between OpenSSL 0.9.7k and OpenSSL 0.9.7l:
+  Major changes between OpenSSL 0.9.7k and OpenSSL 0.9.7l [28 Sep 2006]:
      o Introduce limits to prevent malicious key DoS  (CVE-2006-2940)
      o Fix security issues (CVE-2006-2937, CVE-2006-3737, CVE-2006-4343)
-  Major changes between OpenSSL 0.9.7j and OpenSSL 0.9.7k:
+  Major changes between OpenSSL 0.9.7j and OpenSSL 0.9.7k [5 Sep 2006]:
      o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339
-  Major changes between OpenSSL 0.9.7i and OpenSSL 0.9.7j:
+  Major changes between OpenSSL 0.9.7i and OpenSSL 0.9.7j [4 May 2006]:
      o Visual C++ 2005 fixes.
      o Update Windows build system for FIPS.
-  Major changes between OpenSSL 0.9.7h and OpenSSL 0.9.7i:
+  Major changes between OpenSSL 0.9.7h and OpenSSL 0.9.7i [14 Oct 2005]:
      o Give EVP_MAX_MD_SIZE it's old value, except for a FIPS build.
-  Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h:
+  Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h [11 Oct 2005]:
      o Fix SSL 2.0 Rollback, CVE-2005-2969
      o Allow use of fixed-length exponent on DSA signing
      o Default fixed-window RSA, DSA, DH private-key operations
-  Major changes between OpenSSL 0.9.7f and OpenSSL 0.9.7g:
+  Major changes between OpenSSL 0.9.7f and OpenSSL 0.9.7g [11 Apr 2005]:
      o More compilation issues fixed.
      o Adaptation to more modern Kerberos API.
@ -308,7 +429,7 @@
      o More constification.
      o Added processing of proxy certificates (RFC 3820).
-  Major changes between OpenSSL 0.9.7e and OpenSSL 0.9.7f:
+  Major changes between OpenSSL 0.9.7e and OpenSSL 0.9.7f [22 Mar 2005]:
      o Several compilation issues fixed.
      o Many memory allocation failure checks added.
@ -316,12 +437,12 @@
      o Mandatory basic checks on certificates.
      o Performance improvements.
-  Major changes between OpenSSL 0.9.7d and OpenSSL 0.9.7e:
+  Major changes between OpenSSL 0.9.7d and OpenSSL 0.9.7e [25 Oct 2004]:
      o Fix race condition in CRL checking code.
      o Fixes to PKCS#7 (S/MIME) code.
-  Major changes between OpenSSL 0.9.7c and OpenSSL 0.9.7d:
+  Major changes between OpenSSL 0.9.7c and OpenSSL 0.9.7d [17 Mar 2004]:
      o Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug
      o Security: Fix null-pointer assignment in do_change_cipher_spec()
@ -329,14 +450,14 @@
      o Multiple X509 verification fixes
      o Speed up HMAC and other operations
-  Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c:
+  Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c [30 Sep 2003]:
      o Security: fix various ASN1 parsing bugs.
      o New -ignore_err option to OCSP utility.
      o Various interop and bug fixes in S/MIME code.
      o SSL/TLS protocol fix for unrequested client certificates.
-  Major changes between OpenSSL 0.9.7a and OpenSSL 0.9.7b:
+  Major changes between OpenSSL 0.9.7a and OpenSSL 0.9.7b [10 Apr 2003]:
      o Security: counter the Klima-Pokorny-Rosa extension of
        Bleichbacher's attack 
@ -347,7 +468,7 @@
      o ASN.1: treat domainComponent correctly.
      o Documentation: fixes and additions.
-  Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a:
+  Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a [19 Feb 2003]:
      o Security: Important security related bugfixes.
      o Enhanced compatibility with MIT Kerberos.
@ -358,7 +479,7 @@
      o SSL/TLS: now handles manual certificate chain building.
      o SSL/TLS: certain session ID malfunctions corrected.
-  Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7:
+  Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7 [30 Dec 2002]:
      o New library section OCSP.
      o Complete rewrite of ASN1 code.
@ -404,23 +525,23 @@
      o SSL/TLS: add callback to retrieve SSL/TLS messages.
      o SSL/TLS: support AES cipher suites (RFC3268).
-  Major changes between OpenSSL 0.9.6j and OpenSSL 0.9.6k:
+  Major changes between OpenSSL 0.9.6j and OpenSSL 0.9.6k [30 Sep 2003]:
      o Security: fix various ASN1 parsing bugs.
      o SSL/TLS protocol fix for unrequested client certificates.
-  Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j:
+  Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j [10 Apr 2003]:
      o Security: counter the Klima-Pokorny-Rosa extension of
        Bleichbacher's attack 
      o Security: make RSA blinding default.
      o Build: shared library support fixes.
-  Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i:
+  Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i [19 Feb 2003]:
      o Important security related bugfixes.
-  Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h:
+  Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h [5 Dec 2002]:
      o New configuration targets for Tandem OSS and A/UX.
      o New OIDs for Microsoft attributes.
@ -434,25 +555,25 @@
      o Fixes for smaller building problems.
      o Updates of manuals, FAQ and other instructive documents.
-  Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g:
+  Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g [9 Aug 2002]:
      o Important building fixes on Unix.
-  Major changes between OpenSSL 0.9.6e and OpenSSL 0.9.6f:
+  Major changes between OpenSSL 0.9.6e and OpenSSL 0.9.6f [8 Aug 2002]:
      o Various important bugfixes.
-  Major changes between OpenSSL 0.9.6d and OpenSSL 0.9.6e:
+  Major changes between OpenSSL 0.9.6d and OpenSSL 0.9.6e [30 Jul 2002]:
      o Important security related bugfixes.
      o Various SSL/TLS library bugfixes.
-  Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d:
+  Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d [9 May 2002]:
      o Various SSL/TLS library bugfixes.
      o Fix DH parameter generation for 'non-standard' generators.
-  Major changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c:
+  Major changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c [21 Dec 2001]:
      o Various SSL/TLS library bugfixes.
      o BIGNUM library fixes.
@ -465,7 +586,7 @@
        Broadcom and Cryptographic Appliance's keyserver
        [in 0.9.6c-engine release].
-  Major changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b:
+  Major changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b [9 Jul 2001]:
      o Security fix: PRNG improvements.
      o Security fix: RSA OAEP check.
@ -482,7 +603,7 @@
      o Increase default size for BIO buffering filter.
      o Compatibility fixes in some scripts.
-  Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.6a:
+  Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.6a [5 Apr 2001]:
      o Security fix: change behavior of OpenSSL to avoid using
        environment variables when running as root.
@ -507,7 +628,7 @@
      o New function BN_rand_range().
      o Add "-rand" option to openssl s_client and s_server.
-  Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6:
+  Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6 [10 Oct 2000]:
      o Some documentation for BIO and SSL libraries.
      o Enhanced chain verification using key identifiers.
@ -522,7 +643,7 @@
    [1] The support for external crypto devices is currently a separate
        distribution.  See the file README.ENGINE.
-  Major changes between OpenSSL 0.9.5 and OpenSSL 0.9.5a:
+  Major changes between OpenSSL 0.9.5 and OpenSSL 0.9.5a [1 Apr 2000]:
      o Bug fixes for Win32, SuSE Linux, NeXTSTEP and FreeBSD 2.2.8 
      o Shared library support for HPUX and Solaris-gcc
@ -531,7 +652,7 @@
      o New 'rand' application
      o New way to check for existence of algorithms from scripts
-  Major changes between OpenSSL 0.9.4 and OpenSSL 0.9.5:
+  Major changes between OpenSSL 0.9.4 and OpenSSL 0.9.5 [25 May 2000]:
      o S/MIME support in new 'smime' command
      o Documentation for the OpenSSL command line application
@ -567,7 +688,7 @@
      o Enhanced support for Alpha Linux
      o Experimental MacOS support
-  Major changes between OpenSSL 0.9.3 and OpenSSL 0.9.4:
+  Major changes between OpenSSL 0.9.3 and OpenSSL 0.9.4 [9 Aug 1999]:
      o Transparent support for PKCS#8 format private keys: these are used
        by several software packages and are more secure than the standard
@ -578,7 +699,7 @@
      o New pipe-like BIO that allows using the SSL library when actual I/O
        must be handled by the application (BIO pair)
-  Major changes between OpenSSL 0.9.2b and OpenSSL 0.9.3:
+  Major changes between OpenSSL 0.9.2b and OpenSSL 0.9.3 [24 May 1999]:
      o Lots of enhancements and cleanups to the Configuration mechanism
      o RSA OEAP related fixes
      o Added `openssl ca -revoke' option for revoking a certificate
@ -592,7 +713,7 @@
      o Sparc assembler bignum implementation, optimized hash functions
      o Option to disable selected ciphers
-  Major changes between OpenSSL 0.9.1c and OpenSSL 0.9.2b:
+  Major changes between OpenSSL 0.9.1c and OpenSSL 0.9.2b [22 Mar 1999]:
      o Fixed a security hole related to session resumption
      o Fixed RSA encryption routines for the p < q case
      o "ALL" in cipher lists now means "everything except NULL ciphers"
@ -614,7 +735,7 @@
      o Lots of memory leak fixes.
      o Lots of bug fixes.
-  Major changes between SSLeay 0.9.0b and OpenSSL 0.9.1c:
+  Major changes between SSLeay 0.9.0b and OpenSSL 0.9.1c [23 Dec 1998]:
      o Integration of the popular NO_RSA/NO_DSA patches
      o Initial support for compression inside the SSL record layer
      o Added BIO proxy and filtering functionality
--- a/14
+++ b/14
@ -197,3 +197,17 @@ reconfigure with additional no-sse2 [or 386] option passed to ./config.
 We don't have framework to associate -ldl with no-dso, therefore the only
 way is to edit Makefile right after ./config no-dso and remove -ldl from
 EX_LIBS line.
 * hpux-parisc2-cc no-asm build fails with SEGV in ECDSA/DH.
 Compiler bug, presumably at particular patch level. Remaining
 hpux*-parisc*-cc configurations can be affected too. Drop optimization
 level to +O2 when compiling bn_nist.o.
 * solaris64-sparcv9-cc link failure
 Solaris 8 ar can fail to maintain symbol table in .a, which results in
 link failures. Apply 109147-09 or later or modify Makefile generated
 by ./Configure solaris64-sparcv9-cc and replace RANLIB assignment with
 	RANLIB= /usr/ccs/bin/ar rs
--- a/42
+++ b/42
@ -1,5 +1,5 @@
- OpenSSL 1.0.1 14 Mar 2012
+ OpenSSL 1.0.2-beta3 25 Sep 2014
 Copyright (c) 1998-2011 The OpenSSL Project
 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
@ -90,32 +90,6 @@
        SSL/TLS Client and Server Tests
        Handling of S/MIME signed or encrypted mail
 PATENTS
 -------
 Various companies hold various patents for various algorithms in various
 locations around the world. _YOU_ are responsible for ensuring that your use
 of any algorithms is legal by checking if there are any patents in your
 country.  The file contains some of the patents that we know about or are
 rumored to exist. This is not a definitive list.
 RSA Security holds software patents on the RC5 algorithm.  If you
 intend to use this cipher, you must contact RSA Security for
 licensing conditions. Their web page is http://www.rsasecurity.com/.
 RC4 is a trademark of RSA Security, so use of this label should perhaps
 only be used with RSA Security's permission.
 The IDEA algorithm is patented by Ascom in Austria, France, Germany, Italy,
 Japan, the Netherlands, Spain, Sweden, Switzerland, UK and the USA.  They
 should be contacted if that algorithm is to be used; their web page is
 http://www.ascom.ch/.
 NTT and Mitsubishi have patents and pending patents on the Camellia
 algorithm, but allow use at no charge without requiring an explicit
 licensing agreement: http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html
 INSTALLATION
 ------------
@ -161,8 +135,7 @@
    - Problem Description (steps that will reproduce the problem, if known)
    - Stack Traceback (if the application dumps core)
- Report the bug to the OpenSSL project via the Request Tracker
+ Email the report to:
 (http://www.openssl.org/support/rt.html) by mail to:
    openssl-bugs@openssl.org
@ -170,10 +143,11 @@
 or support queries. Just because something doesn't work the way you expect
 does not mean it is necessarily a bug in OpenSSL.
- Note that mail to openssl-bugs@openssl.org is recorded in the publicly
+ Note that mail to openssl-bugs@openssl.org is recorded in the public
- readable request tracker database and is forwarded to a public
+ request tracker database (see https://www.openssl.org/support/rt.html
- mailing list. Confidential mail may be sent to openssl-security@openssl.org
+ for details) and also forwarded to a public mailing list. Confidential
- (PGP key available from the key servers).
+ mail may be sent to openssl-security@openssl.org (PGP key available from
 the key servers).
 HOW TO CONTRIBUTE TO OpenSSL
 ----------------------------
@ -190,7 +164,7 @@
 reason as to why that feature isn't implemented.
 Patches should be as up to date as possible, preferably relative to the
- current CVS or the last snapshot. They should follow the coding style of
+ current Git or the last snapshot. They should follow the coding style of
 OpenSSL and compile without warnings. Some of the core team developer targets
 can be used for testing purposes, (debug-steve64, debug-geoff etc). OpenSSL
 compiles on many varied platforms: try to ensure you only use portable
--- a/155
+++ b/155
@ -1,155 +0,0 @@
  OpenSSL STATUS                           Last modified at
  ______________                           $Date: 2012/03/14 12:14:06 $
  DEVELOPMENT STATE
    o  OpenSSL 1.1.0:  Under development...
    o  OpenSSL 1.0.1:  Released on March     14th, 2012
    o  OpenSSL 1.0.0h: Released on March     12th, 2012
    o  OpenSSL 1.0.0g: Released on January   18th, 2012
    o  OpenSSL 1.0.0f: Released on January    4th, 2012
    o  OpenSSL 1.0.0e: Released on September  6th, 2011
    o  OpenSSL 1.0.0d: Released on February   8nd, 2011
    o  OpenSSL 1.0.0c: Released on December   2nd, 2010
    o  OpenSSL 1.0.0b: Released on November  16th, 2010
    o  OpenSSL 1.0.0a: Released on June      1st,  2010
    o  OpenSSL 1.0.0:  Released on March     29th, 2010
    o  OpenSSL 0.9.8u: Released on March     12th, 2012
    o  OpenSSL 0.9.8t: Released on January   18th, 2012
    o  OpenSSL 0.9.8s: Released on January    4th, 2012
    o  OpenSSL 0.9.8r: Released on February   8nd, 2011
    o  OpenSSL 0.9.8q: Released on December   2nd, 2010
    o  OpenSSL 0.9.8p: Released on November  16th, 2010
    o  OpenSSL 0.9.8o: Released on June       1st, 2010
    o  OpenSSL 0.9.8n: Released on March     24th, 2010
    o  OpenSSL 0.9.8m: Released on February  25th, 2010
    o  OpenSSL 0.9.8l: Released on November   5th, 2009
    o  OpenSSL 0.9.8k: Released on March     25th, 2009
    o  OpenSSL 0.9.8j: Released on January    7th, 2009
    o  OpenSSL 0.9.8i: Released on September 15th, 2008
    o  OpenSSL 0.9.8h: Released on May       28th, 2008
    o  OpenSSL 0.9.8g: Released on October   19th, 2007
    o  OpenSSL 0.9.8f: Released on October   11th, 2007
    o  OpenSSL 0.9.8e: Released on February  23rd, 2007
    o  OpenSSL 0.9.8d: Released on September 28th, 2006
    o  OpenSSL 0.9.8c: Released on September  5th, 2006
    o  OpenSSL 0.9.8b: Released on May        4th, 2006
    o  OpenSSL 0.9.8a: Released on October   11th, 2005
    o  OpenSSL 0.9.8:  Released on July       5th, 2005
    o  OpenSSL 0.9.7m: Released on February  23rd, 2007
    o  OpenSSL 0.9.7l: Released on September 28th, 2006
    o  OpenSSL 0.9.7k: Released on September  5th, 2006
    o  OpenSSL 0.9.7j: Released on May        4th, 2006
    o  OpenSSL 0.9.7i: Released on October   14th, 2005
    o  OpenSSL 0.9.7h: Released on October   11th, 2005
    o  OpenSSL 0.9.7g: Released on April     11th, 2005
    o  OpenSSL 0.9.7f: Released on March     22nd, 2005
    o  OpenSSL 0.9.7e: Released on October   25th, 2004
    o  OpenSSL 0.9.7d: Released on March     17th, 2004
    o  OpenSSL 0.9.7c: Released on September 30th, 2003
    o  OpenSSL 0.9.7b: Released on April     10th, 2003
    o  OpenSSL 0.9.7a: Released on February  19th, 2003
    o  OpenSSL 0.9.7:  Released on December  31st, 2002
    o  OpenSSL 0.9.6m: Released on March     17th, 2004
    o  OpenSSL 0.9.6l: Released on November   4th, 2003
    o  OpenSSL 0.9.6k: Released on September 30th, 2003
    o  OpenSSL 0.9.6j: Released on April     10th, 2003
    o  OpenSSL 0.9.6i: Released on February  19th, 2003
    o  OpenSSL 0.9.6h: Released on December   5th, 2002
    o  OpenSSL 0.9.6g: Released on August     9th, 2002
    o  OpenSSL 0.9.6f: Released on August     8th, 2002
    o  OpenSSL 0.9.6e: Released on July      30th, 2002
    o  OpenSSL 0.9.6d: Released on May        9th, 2002
    o  OpenSSL 0.9.6c: Released on December  21st, 2001
    o  OpenSSL 0.9.6b: Released on July       9th, 2001
    o  OpenSSL 0.9.6a: Released on April      5th, 2001
    o  OpenSSL 0.9.6:  Released on September 24th, 2000
    o  OpenSSL 0.9.5a: Released on April      1st, 2000
    o  OpenSSL 0.9.5:  Released on February  28th, 2000
    o  OpenSSL 0.9.4:  Released on August    09th, 1999
    o  OpenSSL 0.9.3a: Released on May       29th, 1999
    o  OpenSSL 0.9.3:  Released on May       25th, 1999
    o  OpenSSL 0.9.2b: Released on March     22th, 1999
    o  OpenSSL 0.9.1c: Released on December  23th, 1998
  [See also http://www.openssl.org/support/rt.html]
  RELEASE SHOWSTOPPERS
    o The Makefiles fail with some SysV makes.
    o 
  AVAILABLE PATCHES
    o 
  IN PROGRESS
    o Steve is currently working on (in no particular order):
        ASN1 code redesign, butchery, replacement.
        OCSP
        EVP cipher enhancement.
        Enhanced certificate chain verification.
 	Private key, certificate and CRL API and implementation.
 	Developing and bugfixing PKCS#7 (S/MIME code).
        Various X509 issues: character sets, certificate request extensions.
    o Richard is currently working on:
 	Constification
 	Attribute Certificate support
 	Certificate Pair support
 	Storage Engines (primarly an LDAP storage engine)
 	Certificate chain validation with full RFC 3280 compatibility
  NEEDS PATCH
    o  0.9.8-dev: COMPLEMENTOFALL and COMPLEMENTOFDEFAULT do not
       handle ECCdraft cipher suites correctly.
    o  apps/ca.c: "Sign the certificate?" - "n" creates empty certificate file
    o  "OpenSSL STATUS" is never up-to-date.
  OPEN ISSUES
    o  The Makefile hierarchy and build mechanism is still not a round thing:
       1. The config vs. Configure scripts
          It's the same nasty situation as for Apache with APACI vs.
          src/Configure. It confuses.
          Suggestion: Merge Configure and config into a single configure
                      script with a Autoconf style interface ;-) and remove
                      Configure and config. Or even let us use GNU Autoconf
                      itself. Then we can avoid a lot of those platform checks
                      which are currently in Configure.
    o  Support for Shared Libraries has to be added at least
       for the major Unix platforms. The details we can rip from the stuff
       Ralf has done for the Apache src/Configure script. Ben wants the
       solution to be really simple.
       Status: Ralf will look how we can easily incorporate the
               compiler PIC and linker DSO flags from Apache
               into the OpenSSL Configure script.
               Ulf: +1 for using GNU autoconf and libtool (but not automake,
                    which apparently is not flexible enough to generate
                    libcrypto)
  WISHES
    o  Add variants of DH_generate_parameters() and BN_generate_prime() [etc?]
       where the callback function can request that the function be aborted.
       [Gregory Stark <ghstark@pobox.com>, <rayyang2000@yahoo.com>]
    o  SRP in TLS.
       [wished by:
        Dj <derek@yo.net>, Tom Wu <tom@arcot.com>,
        Tom Holroyd <tomh@po.crl.go.jp>]
       See http://search.ietf.org/internet-drafts/draft-ietf-tls-srp-00.txt
       as well as http://www-cs-students.stanford.edu/~tjw/srp/.
       Tom Holroyd tells us there is a SRP patch for OpenSSH at
       http://members.tripod.com/professor_tom/archives/, that could
       be useful.
--- a/958
+++ b/958
--- a/apps/Makefile
+++ b/apps/Makefile
@ -577,14 +577,15 @@ openssl.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
 openssl.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 openssl.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
 openssl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-openssl.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
+openssl.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
-openssl.o: ../include/openssl/sha.h ../include/openssl/srtp.h
+openssl.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-openssl.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+openssl.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-openssl.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+openssl.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-openssl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+openssl.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-openssl.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+openssl.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-openssl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+openssl.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-openssl.o: ../include/openssl/x509v3.h apps.h openssl.c progs.h s_apps.h
+openssl.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
 openssl.o: openssl.c progs.h s_apps.h
 passwd.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 passwd.o: ../include/openssl/buffer.h ../include/openssl/conf.h
 passwd.o: ../include/openssl/crypto.h ../include/openssl/des.h
--- a/apps/apps.c
+++ b/apps/apps.c
@ -118,7 +118,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#if !defined(OPENSSL_SYSNAME_WIN32) && !defined(NETWARE_CLIB)
+#if !defined(OPENSSL_SYSNAME_WIN32) && !defined(OPENSSL_SYSNAME_WINCE) && !defined(NETWARE_CLIB)
 #include <strings.h>
 #endif
 #include <sys/types.h>
@ -275,6 +275,8 @@ int str2fmt(char *s)
 		return(FORMAT_PKCS12);
 	else if ((*s == 'E') || (*s == 'e'))
 		return(FORMAT_ENGINE);
 	else if ((*s == 'H') || (*s == 'h'))
 		return FORMAT_HTTP;
 	else if ((*s == 'P') || (*s == 'p'))
 		{
 		if (s[1] == 'V' || s[1] == 'v')
@ -390,6 +392,8 @@ int chopup_args(ARGS *arg, char *buf, int *argc, char **argv[])
 		{
 		arg->count=20;
 		arg->data=(char **)OPENSSL_malloc(sizeof(char *)*arg->count);
 		if (arg->data == NULL)
 			return 0;
 		}
 	for (i=0; i<arg->count; i++)
 		arg->data[i]=NULL;
@ -586,12 +590,12 @@ int password_callback(char *buf, int bufsiz, int verify,
 		if (ok >= 0)
 			ok = UI_add_input_string(ui,prompt,ui_flags,buf,
-				PW_MIN_LENGTH,BUFSIZ-1);
+				PW_MIN_LENGTH,bufsiz-1);
 		if (ok >= 0 && verify)
 			{
 			buff = (char *)OPENSSL_malloc(bufsiz);
 			ok = UI_add_verify_string(ui,prompt,ui_flags,buff,
-				PW_MIN_LENGTH,BUFSIZ-1, buf);
+				PW_MIN_LENGTH,bufsiz-1, buf);
 			}
 		if (ok >= 0)
 			do
@ -783,12 +787,80 @@ static int load_pkcs12(BIO *err, BIO *in, const char *desc,
 	return ret;
 	}
 int load_cert_crl_http(const char *url, BIO *err,
 					X509 **pcert, X509_CRL **pcrl)
 	{
 	char *host = NULL, *port = NULL, *path = NULL;
 	BIO *bio = NULL;
 	OCSP_REQ_CTX *rctx = NULL;
 	int use_ssl, rv = 0;
 	if (!OCSP_parse_url(url, &host, &port, &path, &use_ssl))
 		goto err;
 	if (use_ssl)
 		{
 		if (err)
 			BIO_puts(err, "https not supported\n");
 		goto err;
 		}
 	bio = BIO_new_connect(host);
 	if (!bio || !BIO_set_conn_port(bio, port))
 		goto err;
 	rctx = OCSP_REQ_CTX_new(bio, 1024);
 	if (!rctx)
 		goto err;
 	if (!OCSP_REQ_CTX_http(rctx, "GET", path))
 		goto err;
 	if (!OCSP_REQ_CTX_add1_header(rctx, "Host", host))
 		goto err;
 	if (pcert)
 		{
 		do
 			{
 			rv = X509_http_nbio(rctx, pcert);
 			}
 		while (rv == -1);
 		}
 	else
 		{
 		do
 			{
 			rv = X509_CRL_http_nbio(rctx, pcrl);
 			} while (rv == -1);
 		}
 	err:
 	if (host)
 		OPENSSL_free(host);
 	if (path)
 		OPENSSL_free(path);
 	if (port)
 		OPENSSL_free(port);
 	if (bio)
 		BIO_free_all(bio);
 	if (rctx)
 		OCSP_REQ_CTX_free(rctx);
 	if (rv != 1)
 		{
 		if (bio && err)
 			BIO_printf(bio_err, "Error loading %s from %s\n",
 					pcert ? "certificate" : "CRL", url);
 		ERR_print_errors(bio_err);
 		}
 	return rv;
 	}
 X509 *load_cert(BIO *err, const char *file, int format,
 	const char *pass, ENGINE *e, const char *cert_descrip)
 	{
 	X509 *x=NULL;
 	BIO *cert;
 	if (format == FORMAT_HTTP)
 		{
 		load_cert_crl_http(file, err, &x, NULL);
 		return x;
 		}
 	if ((cert=BIO_new(BIO_s_file())) == NULL)
 		{
 		ERR_print_errors(err);
@ -859,6 +931,55 @@ end:
 	return(x);
 	}
 X509_CRL *load_crl(const char *infile, int format)
 	{
 	X509_CRL *x=NULL;
 	BIO *in=NULL;
 	if (format == FORMAT_HTTP)
 		{
 		load_cert_crl_http(infile, bio_err, NULL, &x);
 		return x;
 		}
 	in=BIO_new(BIO_s_file());
 	if (in == NULL)
 		{
 		ERR_print_errors(bio_err);
 		goto end;
 		}
 	if (infile == NULL)
 		BIO_set_fp(in,stdin,BIO_NOCLOSE);
 	else
 		{
 		if (BIO_read_filename(in,infile) <= 0)
 			{
 			perror(infile);
 			goto end;
 			}
 		}
 	if 	(format == FORMAT_ASN1)
 		x=d2i_X509_CRL_bio(in,NULL);
 	else if (format == FORMAT_PEM)
 		x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
 	else	{
 		BIO_printf(bio_err,"bad input format specified for input crl\n");
 		goto end;
 		}
 	if (x == NULL)
 		{
 		BIO_printf(bio_err,"unable to load CRL\n");
 		ERR_print_errors(bio_err);
 		goto end;
 		}
 end:
 	BIO_free(in);
 	return(x);
 	}
 EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
 	const char *pass, ENGINE *e, const char *key_descrip)
 	{
@ -1542,6 +1663,8 @@ char *make_config_name()
 	len=strlen(t)+strlen(OPENSSL_CONF)+2;
 	p=OPENSSL_malloc(len);
 	if (p == NULL)
 		return NULL;
 	BUF_strlcpy(p,t,len);
 #ifndef OPENSSL_SYS_VMS
 	BUF_strlcat(p,"/",len);
@ -2132,7 +2255,7 @@ X509_NAME *parse_name(char *subject, long chtype, int multirdn)
 	X509_NAME *n = NULL;
 	int nid;
-	if (!buf || !ne_types || !ne_values)
+	if (!buf || !ne_types || !ne_values || !mval)
 		{
 		BIO_printf(bio_err, "malloc error\n");
 		goto error;
@ -2236,6 +2359,7 @@ X509_NAME *parse_name(char *subject, long chtype, int multirdn)
 	OPENSSL_free(ne_values);
 	OPENSSL_free(ne_types);
 	OPENSSL_free(buf);
 	OPENSSL_free(mval);
 	return n;
 error:
@ -2244,6 +2368,8 @@ error:
 		OPENSSL_free(ne_values);
 	if (ne_types)
 		OPENSSL_free(ne_types);
 	if (mval)
 		OPENSSL_free(mval);
 	if (buf)
 		OPENSSL_free(buf);
 	return NULL;
@ -2259,6 +2385,9 @@ int args_verify(char ***pargs, int *pargc,
 	char **oldargs = *pargs;
 	char *arg = **pargs, *argn = (*pargs)[1];
 	time_t at_time = 0;
 	char *hostname = NULL;
 	char *email = NULL;
 	char *ipasc = NULL;
 	if (!strcmp(arg, "-policy"))
 		{
 		if (!argn)
@ -2332,6 +2461,27 @@ int args_verify(char ***pargs, int *pargc,
 			}
 		(*pargs)++;
 		}
 	else if (strcmp(arg,"-verify_hostname") == 0)
 		{
 		if (!argn)
 			*badarg = 1;
 		hostname = argn;
 		(*pargs)++;
 		}
 	else if (strcmp(arg,"-verify_email") == 0)
 		{
 		if (!argn)
 			*badarg = 1;
 		email = argn;
 		(*pargs)++;
 		}
 	else if (strcmp(arg,"-verify_ip") == 0)
 		{
 		if (!argn)
 			*badarg = 1;
 		ipasc = argn;
 		(*pargs)++;
 		}
 	else if (!strcmp(arg, "-ignore_critical"))
 		flags |= X509_V_FLAG_IGNORE_CRITICAL;
 	else if (!strcmp(arg, "-issuer_checks"))
@ -2358,6 +2508,16 @@ int args_verify(char ***pargs, int *pargc,
 		flags |= X509_V_FLAG_NOTIFY_POLICY;
 	else if (!strcmp(arg, "-check_ss_sig"))
 		flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
 	else if (!strcmp(arg, "-trusted_first"))
 		flags |= X509_V_FLAG_TRUSTED_FIRST;
 	else if (!strcmp(arg, "-suiteB_128_only"))
 		flags |= X509_V_FLAG_SUITEB_128_LOS_ONLY;
 	else if (!strcmp(arg, "-suiteB_128"))
 		flags |= X509_V_FLAG_SUITEB_128_LOS;
 	else if (!strcmp(arg, "-suiteB_192"))
 		flags |= X509_V_FLAG_SUITEB_192_LOS;
 	else if (!strcmp(arg, "-partial_chain"))
 		flags |= X509_V_FLAG_PARTIAL_CHAIN;
 	else
 		return 0;
@ -2389,6 +2549,15 @@ int args_verify(char ***pargs, int *pargc,
 	if (at_time) 
 		X509_VERIFY_PARAM_set_time(*pm, at_time);
 	if (hostname && !X509_VERIFY_PARAM_set1_host(*pm, hostname, 0))
 		*badarg = 1;
 	if (email && !X509_VERIFY_PARAM_set1_email(*pm, email, 0))
 		*badarg = 1;
 	if (ipasc && !X509_VERIFY_PARAM_set1_ip_asc(*pm, ipasc))
 		*badarg = 1;
 	end:
 	(*pargs)++;
@ -2681,6 +2850,9 @@ void jpake_client_auth(BIO *out, BIO *conn, const char *secret)
 	BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n");
 	if (psk_key)
 		OPENSSL_free(psk_key);
 	psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx));
 	BIO_pop(bconn);
@ -2710,6 +2882,9 @@ void jpake_server_auth(BIO *out, BIO *conn, const char *secret)
 	BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n");
 	if (psk_key)
 		OPENSSL_free(psk_key);
 	psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx));
 	BIO_pop(bconn);
@ -2720,7 +2895,7 @@ void jpake_server_auth(BIO *out, BIO *conn, const char *secret)
 #endif
-#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+#ifndef OPENSSL_NO_TLSEXT
 /* next_protos_parse parses a comma separated list of strings into a string
 * in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
 *   outlen: (output) set to the length of the resulting buffer on success.
@ -2762,7 +2937,114 @@ unsigned char *next_protos_parse(unsigned short *outlen, const char *in)
 	*outlen = len + 1;
 	return out;
 	}
-#endif  /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */
+#endif  /* ndef OPENSSL_NO_TLSEXT */
 void print_cert_checks(BIO *bio, X509 *x,
 				const char *checkhost,
 				const char *checkemail,
 				const char *checkip)
 	{
 	if (x == NULL)
 		return;
 	if (checkhost)
 		{
 		BIO_printf(bio, "Hostname %s does%s match certificate\n",
 				checkhost,
 				X509_check_host(x, checkhost, 0, 0, NULL)
 						? "" : " NOT");
 		}
 	if (checkemail)
 		{
 		BIO_printf(bio, "Email %s does%s match certificate\n",
 				checkemail, X509_check_email(x, checkemail, 0,
 						0) ? "" : " NOT");
 		}
 	if (checkip)
 		{
 		BIO_printf(bio, "IP %s does%s match certificate\n",
 				checkip, X509_check_ip_asc(x, checkip,
 						0) ? "" : " NOT");
 		}
 	}
 /* Get first http URL from a DIST_POINT structure */
 static const char *get_dp_url(DIST_POINT *dp)
 	{
 	GENERAL_NAMES *gens;
 	GENERAL_NAME *gen;
 	int i, gtype;
 	ASN1_STRING *uri;
 	if (!dp->distpoint || dp->distpoint->type != 0)
 		return NULL;
 	gens = dp->distpoint->name.fullname;
 	for (i = 0; i < sk_GENERAL_NAME_num(gens); i++)
 		{
 		gen = sk_GENERAL_NAME_value(gens, i);
 		uri = GENERAL_NAME_get0_value(gen, &gtype);
 		if (gtype == GEN_URI && ASN1_STRING_length(uri) > 6)
 			{
 			char *uptr = (char *)ASN1_STRING_data(uri);
 			if (!strncmp(uptr, "http://", 7))
 				return uptr;
 			}
 		}		
 	return NULL;
 	}
 /* Look through a CRLDP structure and attempt to find an http URL to downloads
 * a CRL from.
 */
 static X509_CRL *load_crl_crldp(STACK_OF(DIST_POINT) *crldp)
 	{
 	int i;
 	const char *urlptr = NULL;
 	for (i = 0; i < sk_DIST_POINT_num(crldp); i++)
 		{
 		DIST_POINT *dp = sk_DIST_POINT_value(crldp, i);
 		urlptr = get_dp_url(dp);
 		if (urlptr)
 			return load_crl(urlptr, FORMAT_HTTP);
 		}
 	return NULL;
 	}
 /* Example of downloading CRLs from CRLDP: not usable for real world
 * as it always downloads, doesn't support non-blocking I/O and doesn't
 * cache anything.
 */
 static STACK_OF(X509_CRL) *crls_http_cb(X509_STORE_CTX *ctx, X509_NAME *nm)
 	{
 	X509 *x;
 	STACK_OF(X509_CRL) *crls = NULL;
 	X509_CRL *crl;
 	STACK_OF(DIST_POINT) *crldp;
 	x = X509_STORE_CTX_get_current_cert(ctx);
 	crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL);
 	crl = load_crl_crldp(crldp);
 	sk_DIST_POINT_pop_free(crldp, DIST_POINT_free);
 	if (!crl)
 		return NULL;
 	crls = sk_X509_CRL_new_null();
 	sk_X509_CRL_push(crls, crl);
 	/* Try to download delta CRL */
 	crldp = X509_get_ext_d2i(x, NID_freshest_crl, NULL, NULL);
 	crl = load_crl_crldp(crldp);
 	sk_DIST_POINT_pop_free(crldp, DIST_POINT_free);
 	if (crl)
 		sk_X509_CRL_push(crls, crl);
 	return crls;
 	}
 void store_setup_crl_download(X509_STORE *st)
 	{
 	X509_STORE_set_lookup_crls_cb(st, crls_http_cb);
 	}
 /*
 * Platform-specific sections
@ -2838,7 +3120,7 @@ double app_tminterval(int stop,int usertime)
 	if (proc==NULL)
 		{
-		if (GetVersion() < 0x80000000)
+		if (check_winnt())
 			proc = OpenProcess(PROCESS_QUERY_INFORMATION,FALSE,
 						GetCurrentProcessId());
 		if (proc==NULL) proc = (HANDLE)-1;
--- a/apps/apps.h
+++ b/apps/apps.h
@ -188,6 +188,7 @@ extern BIO *bio_err;
 			do { CONF_modules_unload(1); destroy_ui_method(); \
 			OBJ_cleanup(); EVP_cleanup(); ENGINE_cleanup(); \
 			CRYPTO_cleanup_all_ex_data(); ERR_remove_thread_state(NULL); \
 			RAND_cleanup(); \
 			ERR_free_strings(); zlib_cleanup();} while(0)
 #  else
 #    define apps_startup() \
@ -198,11 +199,12 @@ extern BIO *bio_err;
 			do { CONF_modules_unload(1); destroy_ui_method(); \
 			OBJ_cleanup(); EVP_cleanup(); \
 			CRYPTO_cleanup_all_ex_data(); ERR_remove_thread_state(NULL); \
 			RAND_cleanup(); \
 			ERR_free_strings(); zlib_cleanup(); } while(0)
 #  endif
 #endif
-#ifdef OPENSSL_SYSNAME_WIN32
+#if defined(OPENSSL_SYSNAME_WIN32) || defined(OPENSSL_SYSNAME_WINCE)
 #  define openssl_fdset(a,b) FD_SET((unsigned int)a, b)
 #else
 #  define openssl_fdset(a,b) FD_SET(a, b)
@ -245,6 +247,9 @@ int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2);
 int add_oid_section(BIO *err, CONF *conf);
 X509 *load_cert(BIO *err, const char *file, int format,
 	const char *pass, ENGINE *e, const char *cert_descrip);
 X509_CRL *load_crl(const char *infile, int format);
 int load_cert_crl_http(const char *url, BIO *err,
 					X509 **pcert, X509_CRL **pcrl);
 EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
 	const char *pass, ENGINE *e, const char *key_descrip);
 EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
@ -260,8 +265,9 @@ ENGINE *setup_engine(BIO *err, const char *engine, int debug);
 #ifndef OPENSSL_NO_OCSP
 OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
-			char *host, char *path, char *port, int use_ssl,
+				 const char *host, const char *path,
-			STACK_OF(CONF_VALUE) *headers,
+				 const char *port, int use_ssl,
 				 const STACK_OF(CONF_VALUE) *headers,
 				 int req_timeout);
 #endif
@ -331,9 +337,16 @@ void jpake_client_auth(BIO *out, BIO *conn, const char *secret);
 void jpake_server_auth(BIO *out, BIO *conn, const char *secret);
 #endif
-#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+#ifndef OPENSSL_NO_TLSEXT
 unsigned char *next_protos_parse(unsigned short *outlen, const char *in);
-#endif  /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */
+#endif  /* ndef OPENSSL_NO_TLSEXT */
 void print_cert_checks(BIO *bio, X509 *x,
 				const char *checkhost,
 				const char *checkemail,
 				const char *checkip);
 void store_setup_crl_download(X509_STORE *st);
 #define FORMAT_UNDEF    0
 #define FORMAT_ASN1     1
@ -349,6 +362,7 @@ unsigned char *next_protos_parse(unsigned short *outlen, const char *in);
 #define FORMAT_ASN1RSA	10	/* DER RSAPubicKey format */
 #define FORMAT_MSBLOB	11	/* MS Key blob format */
 #define FORMAT_PVK	12	/* MS PVK file format */
 #define FORMAT_HTTP	13	/* Download using HTTP */
 #define EXT_COPY_NONE	0
 #define EXT_COPY_ADD	1
--- a/apps/ca.c
+++ b/apps/ca.c
@ -501,6 +501,12 @@ EF_ALIGNMENT=0;
 			infile= *(++argv);
 			dorevoke=1;
 			}
 		else if (strcmp(*argv,"-valid") == 0)
 			{
 			if (--argc < 1) goto bad;
 			infile= *(++argv);
 			dorevoke=2;
 			}
 		else if (strcmp(*argv,"-extensions") == 0)
 			{
 			if (--argc < 1) goto bad;
@ -1408,6 +1414,7 @@ bad:
 			if (!NCONF_get_number(conf,section,
 				ENV_DEFAULT_CRL_HOURS, &crlhours))
 				crlhours = 0;
 			ERR_clear_error();
 			}
 		if ((crldays == 0) && (crlhours == 0) && (crlsec == 0))
 			{
@ -1522,6 +1529,8 @@ bad:
 				NULL, e, infile);
 			if (revcert == NULL)
 				goto err;
 			if (dorevoke == 2)
 				rev_type = -1;
 			j=do_revoke(revcert,db, rev_type, rev_arg);
 			if (j <= 0) goto err;
 			X509_free(revcert);
@ -1619,12 +1628,14 @@ static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
 		{
 		ok=0;
 		BIO_printf(bio_err,"Signature verification problems....\n");
 		ERR_print_errors(bio_err);
 		goto err;
 		}
 	if (i == 0)
 		{
 		ok=0;
 		BIO_printf(bio_err,"Signature did not match the certificate request\n");
 		ERR_print_errors(bio_err);
 		goto err;
 		}
 	else
@ -2043,7 +2054,13 @@ again2:
 	if (enddate == NULL)
 		X509_time_adj_ex(X509_get_notAfter(ret),days, 0, NULL);
-	else ASN1_TIME_set_string(X509_get_notAfter(ret),enddate);
+	else
 		{
 		int tdays;
 		ASN1_TIME_set_string(X509_get_notAfter(ret),enddate);
 		ASN1_TIME_diff(&tdays, NULL, NULL, X509_get_notAfter(ret));
 		days = tdays;
 		}
 	if (!X509_set_subject_name(ret,subject)) goto err;
@ -2485,6 +2502,9 @@ static int do_revoke(X509 *x509, CA_DB *db, int type, char *value)
 			}
 		/* Revoke Certificate */
 		if (type == -1)
 			ok = 1;
 		else
 			ok = do_revoke(x509,db, type, value);
 		goto err;
@ -2496,6 +2516,12 @@ static int do_revoke(X509 *x509, CA_DB *db, int type, char *value)
 			   row[DB_name]);
 		goto err;
 		}
 	else if (type == -1)
 		{
 		BIO_printf(bio_err,"ERROR:Already present, serial number %s\n",
 			   row[DB_serial]);
 		goto err;
 		}
 	else if (rrow[DB_type][0]=='R')
 		{
 		BIO_printf(bio_err,"ERROR:Already revoked, serial number %s\n",
@ -2776,6 +2802,9 @@ char *make_revocation_str(int rev_type, char *rev_arg)
 	revtm = X509_gmtime_adj(NULL, 0);
 	if (!revtm)
 		return NULL;
 	i = revtm->length + 1;
 	if (reason) i += strlen(reason) + 1;
--- a/apps/ciphers.c
+++ b/apps/ciphers.c
@ -85,6 +85,9 @@ int MAIN(int argc, char **argv)
 	{
 	int ret=1,i;
 	int verbose=0,Verbose=0;
 #ifndef OPENSSL_NO_SSL_TRACE
 	int stdname = 0;
 #endif
 	const char **pp;
 	const char *p;
 	int badops=0;
@ -96,13 +99,7 @@ int MAIN(int argc, char **argv)
 	char buf[512];
 	BIO *STDout=NULL;
 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
 	meth=SSLv23_server_method();
 #elif !defined(OPENSSL_NO_SSL3)
 	meth=SSLv3_server_method();
 #elif !defined(OPENSSL_NO_SSL2)
 	meth=SSLv2_server_method();
 #endif
 	apps_startup();
@ -126,6 +123,10 @@ int MAIN(int argc, char **argv)
 			verbose=1;
 		else if (strcmp(*argv,"-V") == 0)
 			verbose=Verbose=1;
 #ifndef OPENSSL_NO_SSL_TRACE
 		else if (strcmp(*argv,"-stdname") == 0)
 			stdname=verbose=1;
 #endif
 #ifndef OPENSSL_NO_SSL2
 		else if (strcmp(*argv,"-ssl2") == 0)
 			meth=SSLv2_client_method();
@ -209,7 +210,15 @@ int MAIN(int argc, char **argv)
 				else
 					BIO_printf(STDout, "0x%02X,0x%02X,0x%02X,0x%02X - ", id0, id1, id2, id3); /* whatever */
 				}
-
+#ifndef OPENSSL_NO_SSL_TRACE
 			if (stdname)
 				{
 				const char *nm = SSL_CIPHER_standard_name(c);
 				if (nm == NULL)
 					nm = "UNKNOWN";
 				BIO_printf(STDout, "%s - ", nm);
 				}
 #endif
 			BIO_puts(STDout,SSL_CIPHER_description(c,buf,sizeof buf));
 			}
 		}
--- a/apps/cms.c
+++ b/apps/cms.c
@ -74,6 +74,8 @@ static void receipt_request_print(BIO *out, CMS_ContentInfo *cms);
 static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING) *rr_to,
 						int rr_allorfirst,
 					STACK_OF(OPENSSL_STRING) *rr_from);
 static int cms_set_pkey_param(EVP_PKEY_CTX *pctx,
 			STACK_OF(OPENSSL_STRING) *param);
 #define SMIME_OP	0x10
 #define SMIME_IP	0x20
@ -97,6 +99,15 @@ static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING) *rr_to,
 int verify_err = 0;
 typedef struct cms_key_param_st cms_key_param;
 struct cms_key_param_st
 	{
 	int idx;
 	STACK_OF(OPENSSL_STRING)*param;
 	cms_key_param *next;
 	};
 int MAIN(int, char **);
 int MAIN(int argc, char **argv)
@ -111,7 +122,7 @@ int MAIN(int argc, char **argv)
 	STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL;
 	char *certfile = NULL, *keyfile = NULL, *contfile=NULL;
 	char *certsoutfile = NULL;
-	const EVP_CIPHER *cipher = NULL;
+	const EVP_CIPHER *cipher = NULL, *wrap_cipher = NULL;
 	CMS_ContentInfo *cms = NULL, *rcms = NULL;
 	X509_STORE *store = NULL;
 	X509 *cert = NULL, *recip = NULL, *signer = NULL;
@ -139,6 +150,8 @@ int MAIN(int argc, char **argv)
 	unsigned char *pwri_pass = NULL, *pwri_tmp = NULL;
 	size_t secret_keylen = 0, secret_keyidlen = 0;
 	cms_key_param *key_first = NULL, *key_param = NULL;
 	ASN1_OBJECT *econtent_type = NULL;
 	X509_VERIFY_PARAM *vpm = NULL;
@ -204,6 +217,8 @@ int MAIN(int argc, char **argv)
 				cipher = EVP_des_ede3_cbc();
 		else if (!strcmp (*args, "-des")) 
 				cipher = EVP_des_cbc();
 		else if (!strcmp (*args, "-des3-wrap")) 
 				wrap_cipher = EVP_des_ede3_wrap();
 #endif
 #ifndef OPENSSL_NO_SEED
 		else if (!strcmp (*args, "-seed")) 
@ -224,6 +239,12 @@ int MAIN(int argc, char **argv)
 				cipher = EVP_aes_192_cbc();
 		else if (!strcmp(*args,"-aes256"))
 				cipher = EVP_aes_256_cbc();
 		else if (!strcmp(*args,"-aes128-wrap"))
 				wrap_cipher = EVP_aes_128_wrap();
 		else if (!strcmp(*args,"-aes192-wrap"))
 				wrap_cipher = EVP_aes_192_wrap();
 		else if (!strcmp(*args,"-aes256-wrap"))
 				wrap_cipher = EVP_aes_256_wrap();
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
 		else if (!strcmp(*args,"-camellia128"))
@ -233,6 +254,8 @@ int MAIN(int argc, char **argv)
 		else if (!strcmp(*args,"-camellia256"))
 				cipher = EVP_camellia_256_cbc();
 #endif
 		else if (!strcmp (*args, "-debug_decrypt")) 
 				flags |= CMS_DEBUG_DECRYPT;
 		else if (!strcmp (*args, "-text")) 
 				flags |= CMS_TEXT;
 		else if (!strcmp (*args, "-nointern")) 
@ -410,6 +433,19 @@ int MAIN(int argc, char **argv)
 			{
 			if (!args[1])
 				goto argerr;
 			if (operation == SMIME_ENCRYPT)
 				{
 				if (!encerts)
 					encerts = sk_X509_new_null();
 				cert = load_cert(bio_err,*++args,FORMAT_PEM,
 						NULL, e,
 						"recipient certificate file");
 				if (!cert)
 					goto end;
 				sk_X509_push(encerts, cert);
 				cert = NULL;
 				}
 			else	
 				recipfile = *++args;
 			}
 		else if (!strcmp (*args, "-certsout"))
@ -458,6 +494,43 @@ int MAIN(int argc, char **argv)
 				goto argerr;
 			keyform = str2fmt(*++args);
 			}
 		else if (!strcmp (*args, "-keyopt"))
 			{
 			int keyidx = -1;
 			if (!args[1])
 				goto argerr;
 			if (operation == SMIME_ENCRYPT)
 				{
 				if (encerts)
 					keyidx += sk_X509_num(encerts);
 				}
 			else
 				{
 				if (keyfile || signerfile)
 					keyidx++;
 				if (skkeys)
 					keyidx += sk_OPENSSL_STRING_num(skkeys);
 				}
 			if (keyidx < 0)
 				{
 				BIO_printf(bio_err, "No key specified\n");
 				goto argerr;
 				}
 			if (key_param == NULL || key_param->idx != keyidx)
 				{
 				cms_key_param *nparam;
 				nparam = OPENSSL_malloc(sizeof(cms_key_param));
 				nparam->idx = keyidx;
 				nparam->param = sk_OPENSSL_STRING_new_null();
 				nparam->next = NULL;
 				if (key_first == NULL)
 					key_first = nparam;
 				else
 					key_param->next = nparam;
 				key_param = nparam;
 				}
 			sk_OPENSSL_STRING_push(key_param->param, *++args);
 			}
 		else if (!strcmp (*args, "-rctform"))
 			{
 			if (!args[1])
@ -575,7 +648,7 @@ int MAIN(int argc, char **argv)
 		}
 	else if (operation == SMIME_ENCRYPT)
 		{
-		if (!*args && !secret_key && !pwri_pass)
+		if (!*args && !secret_key && !pwri_pass && !encerts)
 			{
 			BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n");
 			badarg = 1;
@ -631,6 +704,7 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "-inform arg    input format SMIME (default), PEM or DER\n");
 		BIO_printf (bio_err, "-inkey file    input private key (if not signer or recipient)\n");
 		BIO_printf (bio_err, "-keyform arg   input private key format (PEM or ENGINE)\n");
 		BIO_printf (bio_err, "-keyopt nm:v   set public key parameters\n");
 		BIO_printf (bio_err, "-out file      output file\n");
 		BIO_printf (bio_err, "-outform arg   output format SMIME (default), PEM or DER\n");
 		BIO_printf (bio_err, "-content file  supply or override content for detached signature\n");
@ -716,7 +790,7 @@ int MAIN(int argc, char **argv)
 			goto end;
 			}
-		if (*args)
+		if (*args && !encerts)
 			encerts = sk_X509_new_null();
 		while (*args)
 			{
@ -910,10 +984,45 @@ int MAIN(int argc, char **argv)
 		}
 	else if (operation == SMIME_ENCRYPT)
 		{
 		int i;
 		flags |= CMS_PARTIAL;
-		cms = CMS_encrypt(encerts, in, cipher, flags);
+		cms = CMS_encrypt(NULL, in, cipher, flags);
 		if (!cms)
 			goto end;
 		for (i = 0; i < sk_X509_num(encerts); i++)
 			{
 			CMS_RecipientInfo *ri;
 			cms_key_param *kparam;
 			int tflags = flags;
 			X509 *x = sk_X509_value(encerts, i);
 			for(kparam = key_first; kparam; kparam = kparam->next)
 				{
 				if(kparam->idx == i)
 					{
 					tflags |= CMS_KEY_PARAM;
 					break;
 					}
 				}
 			ri = CMS_add1_recipient_cert(cms, x, tflags);
 			if (!ri)
 				goto end;
 			if (kparam)
 				{
 				EVP_PKEY_CTX *pctx;
 				pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
 				if (!cms_set_pkey_param(pctx, kparam->param))
 					goto end;
 				}
 			if (CMS_RecipientInfo_type(ri) == CMS_RECIPINFO_AGREE
 				&& wrap_cipher)
 				{
 				EVP_CIPHER_CTX *wctx;
 				wctx = CMS_RecipientInfo_kari_get0_ctx(ri);
 				EVP_EncryptInit_ex(wctx, wrap_cipher,
 							NULL, NULL, NULL);
 				}
 			}
 		if (secret_key)
 			{
 			if (!CMS_add0_recipient_key(cms, NID_undef, 
@ -1002,8 +1111,11 @@ int MAIN(int argc, char **argv)
 		for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++)
 			{
 			CMS_SignerInfo *si;
 			cms_key_param *kparam;
 			int tflags = flags;
 			signerfile = sk_OPENSSL_STRING_value(sksigners, i);
 			keyfile = sk_OPENSSL_STRING_value(skkeys, i);
 			signer = load_cert(bio_err, signerfile,FORMAT_PEM, NULL,
 					e, "signer certificate");
 			if (!signer)
@ -1012,9 +1124,24 @@ int MAIN(int argc, char **argv)
 			       "signing key file");
 			if (!key)
 				goto end;
-			si = CMS_add1_signer(cms, signer, key, sign_md, flags);
+			for(kparam = key_first; kparam; kparam = kparam->next)
 				{
 				if(kparam->idx == i)
 					{
 					tflags |= CMS_KEY_PARAM;
 					break;
 					}
 				}
 			si = CMS_add1_signer(cms, signer, key, sign_md, tflags);
 			if (!si)
 				goto end;
 			if (kparam)
 				{
 				EVP_PKEY_CTX *pctx;
 				pctx = CMS_SignerInfo_get0_pkey_ctx(si);
 				if (!cms_set_pkey_param(pctx, kparam->param))
 					goto end;
 				}
 			if (rr && !CMS_add1_ReceiptRequest(si, rr))
 				goto end;
 			X509_free(signer);
@ -1039,6 +1166,8 @@ int MAIN(int argc, char **argv)
 	ret = 4;
 	if (operation == SMIME_DECRYPT)
 		{
 		if (flags & CMS_DEBUG_DECRYPT)
 			CMS_decrypt(cms, NULL, NULL, NULL, NULL, flags);
 		if (secret_key)
 			{
@ -1206,6 +1335,14 @@ end:
 		sk_OPENSSL_STRING_free(rr_to);
 	if (rr_from)
 		sk_OPENSSL_STRING_free(rr_from);
 	for(key_param = key_first; key_param;)
 		{
 		cms_key_param *tparam;
 		sk_OPENSSL_STRING_free(key_param->param);
 		tparam = key_param->next;
 		OPENSSL_free(key_param);
 		key_param = tparam;
 		}
 	X509_STORE_free(store);
 	X509_free(cert);
 	X509_free(recip);
@ -1390,4 +1527,25 @@ static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING) *rr_to,
 	return NULL;
 	}
 static int cms_set_pkey_param(EVP_PKEY_CTX *pctx,
 			STACK_OF(OPENSSL_STRING) *param)
 	{
 	char *keyopt;
 	int i;
 	if (sk_OPENSSL_STRING_num(param) <= 0)
 		return 1;
 	for (i = 0; i < sk_OPENSSL_STRING_num(param); i++)
 		{
 		keyopt = sk_OPENSSL_STRING_value(param, i);
 		if (pkey_ctrl_string(pctx, keyopt) <= 0)
 			{
 			BIO_printf(bio_err, "parameter error \"%s\"\n",
 						keyopt);
 			ERR_print_errors(bio_err);
 			return 0;
 			}
 		}
 	return 1;
 	}
 #endif
--- a/apps/crl.c
+++ b/apps/crl.c
@ -81,6 +81,9 @@ static const char *crl_usage[]={
 " -in arg         - input file - default stdin\n",
 " -out arg        - output file - default stdout\n",
 " -hash           - print hash value\n",
 #ifndef OPENSSL_NO_MD5
 " -hash_old       - print old-style (MD5) hash value\n",
 #endif
 " -fingerprint    - print the crl fingerprint\n",
 " -issuer         - print issuer DN\n",
 " -lastupdate     - lastUpdate field\n",
@ -93,7 +96,6 @@ static const char *crl_usage[]={
 NULL
 };
 static X509_CRL *load_crl(char *file, int format);
 static BIO *bio_out=NULL;
 int MAIN(int, char **);
@ -103,11 +105,14 @@ int MAIN(int argc, char **argv)
 	unsigned long nmflag = 0;
 	X509_CRL *x=NULL;
 	char *CAfile = NULL, *CApath = NULL;
-	int ret=1,i,num,badops=0;
+	int ret=1,i,num,badops=0,badsig=0;
 	BIO *out=NULL;
-	int informat,outformat;
+	int informat,outformat, keyformat;
-	char *infile=NULL,*outfile=NULL;
+	char *infile=NULL,*outfile=NULL, *crldiff = NULL, *keyfile = NULL;
 	int hash=0,issuer=0,lastupdate=0,nextupdate=0,noout=0,text=0;
 #ifndef OPENSSL_NO_MD5
       int hash_old=0;
 #endif
 	int fingerprint = 0, crlnumber = 0;
 	const char **pp;
 	X509_STORE *store = NULL;
@ -141,6 +146,7 @@ int MAIN(int argc, char **argv)
 	informat=FORMAT_PEM;
 	outformat=FORMAT_PEM;
 	keyformat=FORMAT_PEM;
 	argc--;
 	argv++;
@ -169,6 +175,21 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			infile= *(++argv);
 			}
 		else if (strcmp(*argv,"-gendelta") == 0)
 			{
 			if (--argc < 1) goto bad;
 			crldiff= *(++argv);
 			}
 		else if (strcmp(*argv,"-key") == 0)
 			{
 			if (--argc < 1) goto bad;
 			keyfile= *(++argv);
 			}
 		else if (strcmp(*argv,"-keyform") == 0)
 			{
 			if (--argc < 1) goto bad;
 			keyformat=str2fmt(*(++argv));
 			}
 		else if (strcmp(*argv,"-out") == 0)
 			{
 			if (--argc < 1) goto bad;
@ -192,6 +213,10 @@ int MAIN(int argc, char **argv)
 			text = 1;
 		else if (strcmp(*argv,"-hash") == 0)
 			hash= ++num;
 #ifndef OPENSSL_NO_MD5
 		else if (strcmp(*argv,"-hash_old") == 0)
 			hash_old= ++num;
 #endif
 		else if (strcmp(*argv,"-nameopt") == 0)
 			{
 			if (--argc < 1) goto bad;
@ -209,6 +234,8 @@ int MAIN(int argc, char **argv)
 			fingerprint= ++num;
 		else if (strcmp(*argv,"-crlnumber") == 0)
 			crlnumber= ++num;
 		else if (strcmp(*argv,"-badsig") == 0)
 			badsig = 1;
 		else if ((md_alg=EVP_get_digestbyname(*argv + 1)))
 			{
 			/* ok */
@ -276,6 +303,39 @@ bad:
 		else BIO_printf(bio_err, "verify OK\n");
 	}
 	if (crldiff)
 		{
 		X509_CRL *newcrl, *delta;
 		if (!keyfile)
 			{
 			BIO_puts(bio_err, "Missing CRL signing key\n");
 			goto end;
 			}
 		newcrl = load_crl(crldiff,informat);
 		if (!newcrl)
 			goto end;
 		pkey = load_key(bio_err, keyfile, keyformat, 0, NULL, NULL,
 					"CRL signing key");
 		if (!pkey)
 			{
 			X509_CRL_free(newcrl);
 			goto end;
 			}	
 		delta = X509_CRL_diff(x, newcrl, pkey, digest, 0);
 		X509_CRL_free(newcrl);
 		EVP_PKEY_free(pkey);
 		if (delta)
 			{
 			X509_CRL_free(x);
 			x = delta;
 			}
 		else
 			{
 			BIO_puts(bio_err, "Error creating delta CRL\n");
 			goto end;
 			}
 		}
 	if (num)
 		{
 		for (i=1; i<=num; i++)
@ -304,6 +364,14 @@ bad:
 				BIO_printf(bio_out,"%08lx\n",
 					X509_NAME_hash(X509_CRL_get_issuer(x)));
 				}
 #ifndef OPENSSL_NO_MD5
 			if (hash_old == i)
 				{
 				BIO_printf(bio_out,"%08lx\n",
 					X509_NAME_hash_old(
 						X509_CRL_get_issuer(x)));
 				}
 #endif
 			if (lastupdate == i)
 				{
 				BIO_printf(bio_out,"lastUpdate=");
@ -378,6 +446,9 @@ bad:
 		goto end;
 		}
 	if (badsig)
 		x->signature->data[x->signature->length - 1] ^= 0x1;
 	if 	(outformat == FORMAT_ASN1)
 		i=(int)i2d_X509_CRL_bio(out,x);
 	else if (outformat == FORMAT_PEM)
@ -390,6 +461,8 @@ bad:
 	if (!i) { BIO_printf(bio_err,"unable to write CRL\n"); goto end; }
 	ret=0;
 end:
 	if (ret != 0)
 		ERR_print_errors(bio_err);
 	BIO_free_all(out);
 	BIO_free_all(bio_out);
 	bio_out=NULL;
@ -401,46 +474,3 @@ end:
 	apps_shutdown();
 	OPENSSL_EXIT(ret);
 	}
 static X509_CRL *load_crl(char *infile, int format)
 	{
 	X509_CRL *x=NULL;
 	BIO *in=NULL;
 	in=BIO_new(BIO_s_file());
 	if (in == NULL)
 		{
 		ERR_print_errors(bio_err);
 		goto end;
 		}
 	if (infile == NULL)
 		BIO_set_fp(in,stdin,BIO_NOCLOSE);
 	else
 		{
 		if (BIO_read_filename(in,infile) <= 0)
 			{
 			perror(infile);
 			goto end;
 			}
 		}
 	if 	(format == FORMAT_ASN1)
 		x=d2i_X509_CRL_bio(in,NULL);
 	else if (format == FORMAT_PEM)
 		x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
 	else	{
 		BIO_printf(bio_err,"bad input format specified for input crl\n");
 		goto end;
 		}
 	if (x == NULL)
 		{
 		BIO_printf(bio_err,"unable to load CRL\n");
 		ERR_print_errors(bio_err);
 		goto end;
 		}
 end:
 	BIO_free(in);
 	return(x);
 	}
--- a/apps/crl2p7.c
+++ b/apps/crl2p7.c
@ -141,7 +141,13 @@ int MAIN(int argc, char **argv)
 			{
 			if (--argc < 1) goto bad;
 			if(!certflst) certflst = sk_OPENSSL_STRING_new_null();
-			sk_OPENSSL_STRING_push(certflst,*(++argv));
+			if (!certflst)
 				goto end;
 			if (!sk_OPENSSL_STRING_push(certflst,*(++argv)))
 				{
 				sk_OPENSSL_STRING_free(certflst);
 				goto end;
 				}
 			}
 		else
 			{
--- a/apps/dgst.c
+++ b/apps/dgst.c
@ -103,7 +103,7 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
-	ENGINE *e = NULL;
+	ENGINE *e = NULL, *impl = NULL;
 	unsigned char *buf=NULL;
 	int i,err=1;
 	const EVP_MD *md=NULL,*m;
@ -124,6 +124,7 @@ int MAIN(int argc, char **argv)
 	char *passargin = NULL, *passin = NULL;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine=NULL;
 	int engine_impl = 0;
 #endif
 	char *hmac_key=NULL;
 	char *mac_name=NULL;
@ -209,6 +210,8 @@ int MAIN(int argc, char **argv)
 			engine= *(++argv);
        		e = setup_engine(bio_err, engine, 0);
 			}
 		else if (strcmp(*argv,"-engine_impl") == 0)
 			engine_impl = 1;
 #endif
 		else if (strcmp(*argv,"-hex") == 0)
 			out_bin = 0;
@ -216,10 +219,10 @@ int MAIN(int argc, char **argv)
 			out_bin = 1;
 		else if (strcmp(*argv,"-d") == 0)
 			debug=1;
 		else if (strcmp(*argv,"-non-fips-allow") == 0)
 			non_fips_allow=1;
 		else if (!strcmp(*argv,"-fips-fingerprint"))
 			hmac_key = "etaonrishdlcupfm";
 		else if (strcmp(*argv,"-non-fips-allow") == 0)
 			non_fips_allow=1;
 		else if (!strcmp(*argv,"-hmac"))
 			{
 			if (--argc < 1)
@ -291,6 +294,11 @@ int MAIN(int argc, char **argv)
 		goto end;
 		}
 #ifndef OPENSSL_NO_ENGINE
 	if (engine_impl)
 		impl = e;
 #endif
 	in=BIO_new(BIO_s_file());
 	bmd=BIO_new(BIO_f_md());
 	if (debug)
@ -368,7 +376,7 @@ int MAIN(int argc, char **argv)
 		{
 		EVP_PKEY_CTX *mac_ctx = NULL;
 		int r = 0;
-		if (!init_gen_str(bio_err, &mac_ctx, mac_name,e, 0))
+		if (!init_gen_str(bio_err, &mac_ctx, mac_name, impl, 0))
 			goto mac_end;
 		if (macopts)
 			{
@ -409,7 +417,7 @@ int MAIN(int argc, char **argv)
 	if (hmac_key)
 		{
-		sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, e,
+		sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, impl,
 					(unsigned char *)hmac_key, -1);
 		if (!sigkey)
 			goto end;
@ -427,9 +435,9 @@ int MAIN(int argc, char **argv)
 			goto end;
 			}
 		if (do_verify)
-			r = EVP_DigestVerifyInit(mctx, &pctx, md, e, sigkey);
+			r = EVP_DigestVerifyInit(mctx, &pctx, md, impl, sigkey);
 		else
-			r = EVP_DigestSignInit(mctx, &pctx, md, e, sigkey);
+			r = EVP_DigestSignInit(mctx, &pctx, md, impl, sigkey);
 		if (!r)
 			{
 			BIO_printf(bio_err, "Error setting context\n");
@ -456,9 +464,16 @@ int MAIN(int argc, char **argv)
 	/* we use md as a filter, reading from 'in' */
 	else
 		{
 		EVP_MD_CTX *mctx = NULL;
 		if (!BIO_get_md_ctx(bmd, &mctx))
 			{
 			BIO_printf(bio_err, "Error getting context\n");
 			ERR_print_errors(bio_err);
 			goto end;
 			}
 		if (md == NULL)
 			md = EVP_md5(); 
-		if (!BIO_set_md(bmd,md))
+		if (!EVP_DigestInit_ex(mctx, md, impl))
 			{
 			BIO_printf(bio_err, "Error setting digest %s\n", pname);
 			ERR_print_errors(bio_err);
@ -514,6 +529,7 @@ int MAIN(int argc, char **argv)
 					EVP_PKEY_asn1_get0_info(NULL, NULL,
 						NULL, NULL, &sig_name, ameth);
 				}
 			if (md)
 				md_name = EVP_MD_name(md);
 			}
 		err = 0;
@ -626,7 +642,12 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
 	else 
 		{
 		if (sig_name)
-			BIO_printf(out, "%s-%s(%s)= ", sig_name, md_name, file);
+			{
 			BIO_puts(out, sig_name);
 			if (md_name)
 				BIO_printf(out, "-%s", md_name);
 			BIO_printf(out, "(%s)= ", file);
 			}
 		else if (md_name)
 			BIO_printf(out, "%s(%s)= ", md_name, file);
 		else
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@ -130,7 +130,7 @@
 #undef PROG
 #define PROG	dhparam_main
-#define DEFBITS	512
+#define DEFBITS	2048
 /* -inform arg	- input format - default PEM (DER or PEM)
 * -outform arg - output format - default PEM
@ -253,7 +253,7 @@ bad:
 		BIO_printf(bio_err," -C            Output C code\n");
 		BIO_printf(bio_err," -2            generate parameters using  2 as the generator value\n");
 		BIO_printf(bio_err," -5            generate parameters using  5 as the generator value\n");
-		BIO_printf(bio_err," numbits       number of bits in to generate (default 512)\n");
+		BIO_printf(bio_err," numbits       number of bits in to generate (default 2048)\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
 #endif
@ -332,7 +332,6 @@ bad:
 			BIO_printf(bio_err,"This is going to take a long time\n");
 			if(!dh || !DH_generate_parameters_ex(dh, num, g, &cb))
 				{
 				if(dh) DH_free(dh);
 				ERR_print_errors(bio_err);
 				goto end;
 				}
@ -513,7 +512,12 @@ bad:
 		if 	(outformat == FORMAT_ASN1)
 			i=i2d_DHparams_bio(out,dh);
 		else if (outformat == FORMAT_PEM)
 			{
 			if (dh->q)
 				i=PEM_write_bio_DHxparams(out,dh);
 			else
 				i=PEM_write_bio_DHparams(out,dh);
 			}
 		else	{
 			BIO_printf(bio_err,"bad output format specified for outfile\n");
 			goto end;
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@ -326,6 +326,7 @@ bad:
 				goto end;
 				}
 #endif
 			ERR_print_errors(bio_err);
 			BIO_printf(bio_err,"Error, DSA key generation failed\n");
 			goto end;
 			}
@ -429,13 +430,19 @@ bad:
 		assert(need_rand);
 		if ((dsakey=DSAparams_dup(dsa)) == NULL) goto end;
-		if (!DSA_generate_key(dsakey)) goto end;
+		if (!DSA_generate_key(dsakey))
 			{
 			ERR_print_errors(bio_err);
 			DSA_free(dsakey);
 			goto end;
 			}
 		if 	(outformat == FORMAT_ASN1)
 			i=i2d_DSAPrivateKey_bio(out,dsakey);
 		else if (outformat == FORMAT_PEM)
 			i=PEM_write_bio_DSAPrivateKey(out,dsakey,NULL,NULL,0,NULL,NULL);
 		else	{
 			BIO_printf(bio_err,"bad output format specified for outfile\n");
 			DSA_free(dsakey);
 			goto end;
 			}
 		DSA_free(dsakey);
--- a/apps/ecparam.c
+++ b/apps/ecparam.c
@ -105,7 +105,7 @@
 *                    in the asn1 der encoding
 *                    possible values: named_curve (default)
 *                                     explicit
- * -no_seed         - if 'explicit' parameters are choosen do not use the seed
+ * -no_seed         - if 'explicit' parameters are chosen do not use the seed
 * -genkey          - generate ec key
 * -rand file       - files to use for random number input
 * -engine e        - use engine e, possibly a hardware device
@ -286,7 +286,7 @@ bad:
 		BIO_printf(bio_err, "                                   "
 				" explicit\n");
 		BIO_printf(bio_err, " -no_seed          if 'explicit'"
-				" parameters are choosen do not"
+				" parameters are chosen do not"
 				" use the seed\n");
 		BIO_printf(bio_err, " -genkey           generate ec"
 				" key\n");
@ -403,6 +403,9 @@ bad:
 		else
 			nid = OBJ_sn2nid(curve_name);
 		if (nid == 0)
 			nid = EC_curve_nist2nid(curve_name);
 		if (nid == 0)
 			{
 			BIO_printf(bio_err, "unknown curve name (%s)\n", 
--- a/apps/enc.c
+++ b/apps/enc.c
@ -67,7 +67,9 @@
 #include <openssl/x509.h>
 #include <openssl/rand.h>
 #include <openssl/pem.h>
 #ifndef OPENSSL_NO_COMP
 #include <openssl/comp.h>
 #endif
 #include <ctype.h>
 int set_hex(char *in,unsigned char *out,int size);
@ -331,6 +333,18 @@ bad:
        setup_engine(bio_err, engine, 0);
 #endif
 	if (cipher && EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)
 		{
 		BIO_printf(bio_err, "AEAD ciphers not supported by the enc utility\n");
 		goto end;
 		}
 	if (cipher && (EVP_CIPHER_mode(cipher) == EVP_CIPH_XTS_MODE))
 		{
 		BIO_printf(bio_err, "Ciphers in XTS mode are not supported by the enc utility\n");
 		goto end;
 		}
 	if (md && (dgst=EVP_get_digestbyname(md)) == NULL)
 		{
 		BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
--- a/apps/gendh.c
+++ b/apps/gendh.c
@ -78,7 +78,7 @@
 #include <openssl/x509.h>
 #include <openssl/pem.h>
-#define DEFBITS	512
+#define DEFBITS	2048
 #undef PROG
 #define PROG gendh_main
--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@ -78,7 +78,7 @@
 #include <openssl/pem.h>
 #include <openssl/rand.h>
-#define DEFBITS	512
+#define DEFBITS	2048
 #undef PROG
 #define PROG genrsa_main
--- a/apps/makeapps.com
+++ b/apps/makeapps.com
@ -773,9 +773,12 @@ $ CCDEFS = "MONOLITH"
 $ IF F$TYPE(USER_CCDEFS) .NES. "" THEN CCDEFS = CCDEFS + "," + USER_CCDEFS
 $ CCEXTRAFLAGS = ""
 $ IF F$TYPE(USER_CCFLAGS) .NES. "" THEN CCEXTRAFLAGS = USER_CCFLAGS
-$ CCDISABLEWARNINGS = "" !!! "LONGLONGTYPE,LONGLONGSUFX,FOUNDCR"
+$ CCDISABLEWARNINGS = "" !!! "MAYLOSEDATA3" !!! "LONGLONGTYPE,LONGLONGSUFX,FOUNDCR"
-$ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. "" THEN -
+$ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. ""
-	CCDISABLEWARNINGS = CCDISABLEWARNINGS + "," + USER_CCDISABLEWARNINGS
+$ THEN
 $     IF CCDISABLEWARNINGS .NES. THEN CCDISABLEWARNINGS = CCDISABLEWARNINGS + ","
 $     CCDISABLEWARNINGS = CCDISABLEWARNINGS + USER_CCDISABLEWARNINGS
 $ ENDIF
 $!
 $! Check To See If We Have A ZLIB Option.
 $!
@ -1064,6 +1067,18 @@ $! Finish up the definition of CC.
 $!
 $ IF COMPILER .EQS. "DECC"
 $ THEN
 $!  Not all compiler versions support MAYLOSEDATA3.
 $   OPT_TEST = "MAYLOSEDATA3"
 $   DEFINE /USER_MODE SYS$ERROR NL:
 $   DEFINE /USER_MODE SYS$OUTPUT NL:
 $   'CC' /NOCROSS_REFERENCE /NOLIST /NOOBJECT -
      /WARNINGS = DISABLE = ('OPT_TEST', EMPTYFILE) NL:
 $   IF ($SEVERITY)
 $   THEN
 $     IF CCDISABLEWARNINGS .NES. "" THEN -
        CCDISABLEWARNINGS = CCDISABLEWARNINGS+ ","
 $     CCDISABLEWARNINGS = CCDISABLEWARNINGS+ OPT_TEST
 $   ENDIF
 $   IF CCDISABLEWARNINGS .NES. ""
 $   THEN
 $     CCDISABLEWARNINGS = " /WARNING=(DISABLE=(" + CCDISABLEWARNINGS + "))"
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@ -105,16 +105,16 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
 			      long maxage);
 static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db,
-			X509 *ca, X509 *rcert, EVP_PKEY *rkey,
+			X509 *ca, X509 *rcert, EVP_PKEY *rkey, const EVP_MD *md,
 			STACK_OF(X509) *rother, unsigned long flags,
-			int nmin, int ndays);
+			int nmin, int ndays, int badsig);
 static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser);
-static BIO *init_responder(char *port);
+static BIO *init_responder(const char *port);
-static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port);
+static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, const char *port);
 static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp);
-static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
+static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, const char *path,
-				STACK_OF(CONF_VALUE) *headers,
+				      const STACK_OF(CONF_VALUE) *headers,
 				      OCSP_REQUEST *req, int req_timeout);
 #undef PROG
@ -127,6 +127,7 @@ int MAIN(int argc, char **argv)
 	ENGINE *e = NULL;
 	char **args;
 	char *host = NULL, *port = NULL, *path = "/";
 	char *thost = NULL, *tport = NULL, *tpath = NULL;
 	char *reqin = NULL, *respin = NULL;
 	char *reqout = NULL, *respout = NULL;
 	char *signfile = NULL, *keyfile = NULL;
@ -148,12 +149,14 @@ int MAIN(int argc, char **argv)
 	long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
 	char *CAfile = NULL, *CApath = NULL;
 	X509_STORE *store = NULL;
 	X509_VERIFY_PARAM *vpm = NULL;
 	STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL;
 	char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL;
 	unsigned long sign_flags = 0, verify_flags = 0, rflags = 0;
 	int ret = 1;
 	int accept_count = -1;
 	int badarg = 0;
 	int badsig = 0;
 	int i;
 	int ignore_err = 0;
 	STACK_OF(OPENSSL_STRING) *reqnames = NULL;
@ -164,7 +167,7 @@ int MAIN(int argc, char **argv)
 	char *rca_filename = NULL;
 	CA_DB *rdb = NULL;
 	int nmin = 0, ndays = -1;
-	const EVP_MD *cert_id_md = NULL;
+	const EVP_MD *cert_id_md = NULL, *rsign_md = NULL;
 	if (bio_err == NULL) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
@ -204,6 +207,12 @@ int MAIN(int argc, char **argv)
 			}
 		else if (!strcmp(*args, "-url"))
 			{
 			if (thost)
 				OPENSSL_free(thost);
 			if (tport)
 				OPENSSL_free(tport);
 			if (tpath)
 				OPENSSL_free(tpath);
 			if (args[1])
 				{
 				args++;
@ -212,6 +221,9 @@ int MAIN(int argc, char **argv)
 					BIO_printf(bio_err, "Error parsing URL\n");
 					badarg = 1;
 					}
 				thost = host;
 				tport = port;
 				tpath = path;
 				}
 			else badarg = 1;
 			}
@ -271,6 +283,8 @@ int MAIN(int argc, char **argv)
 			verify_flags |= OCSP_TRUSTOTHER;
 		else if (!strcmp(*args, "-no_intern"))
 			verify_flags |= OCSP_NOINTERN;
 		else if (!strcmp(*args, "-badsig"))
 			badsig = 1;
 		else if (!strcmp(*args, "-text"))
 			{
 			req_text = 1;
@ -353,6 +367,12 @@ int MAIN(int argc, char **argv)
 				}
 			else badarg = 1;
 			}
 		else if (args_verify(&args, NULL, &badarg, bio_err, &vpm))
 			{
 			if (badarg)
 				goto end;
 			continue;
 			}
 		else if (!strcmp (*args, "-validity_period"))
 			{
 			if (args[1])
@ -558,6 +578,17 @@ int MAIN(int argc, char **argv)
 				}
 			else badarg = 1;
 			}
 		else if (!strcmp(*args, "-rmd"))
 			{
 			if (args[1])
 				{
 				args++;
 				rsign_md = EVP_get_digestbyname(*args);
 				if (!rsign_md)
 					badarg = 1;
 				}
 			else badarg = 1;
 			}
 		else if ((cert_id_md = EVP_get_digestbyname((*args)+1))==NULL)
 			{
 			badarg = 1;
@ -617,7 +648,7 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "-ndays n	 	 number of days before next update\n");
 		BIO_printf (bio_err, "-resp_key_id       identify reponse by signing certificate key ID\n");
 		BIO_printf (bio_err, "-nrequest n        number of requests to accept (default unlimited)\n");
-		BIO_printf (bio_err, "-<dgst alg>     use specified digest in the request");
+		BIO_printf (bio_err, "-<dgst alg>     use specified digest in the request\n");
 		goto end;
 		}
@ -634,6 +665,9 @@ int MAIN(int argc, char **argv)
 	if (!req && reqin)
 		{
 		if (!strcmp(reqin, "-"))
 			derbio = BIO_new_fp(stdin, BIO_NOCLOSE);
 		else
 			derbio = BIO_new_file(reqin, "rb");
 		if (!derbio)
 			{
@ -736,6 +770,9 @@ int MAIN(int argc, char **argv)
 	if (reqout)
 		{
 		if (!strcmp(reqout, "-"))
 			derbio = BIO_new_fp(stdout, BIO_NOCLOSE);
 		else
 			derbio = BIO_new_file(reqout, "wb");
 		if(!derbio)
 			{
@ -761,7 +798,7 @@ int MAIN(int argc, char **argv)
 	if (rdb)
 		{
-		i = make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey, rother, rflags, nmin, ndays);
+		i = make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey,rsign_md, rother, rflags, nmin, ndays, badsig);
 		if (cbio)
 			send_ocsp_response(cbio, resp);
 		}
@ -779,6 +816,9 @@ int MAIN(int argc, char **argv)
 		}
 	else if (respin)
 		{
 		if (!strcmp(respin, "-"))
 			derbio = BIO_new_fp(stdin, BIO_NOCLOSE);
 		else
 			derbio = BIO_new_file(respin, "rb");
 		if (!derbio)
 			{
@ -804,6 +844,9 @@ int MAIN(int argc, char **argv)
 	if (respout)
 		{
 		if (!strcmp(respout, "-"))
 			derbio = BIO_new_fp(stdout, BIO_NOCLOSE);
 		else
 			derbio = BIO_new_file(respout, "wb");
 		if(!derbio)
 			{
@ -844,6 +887,12 @@ int MAIN(int argc, char **argv)
 			resp = NULL;
 			goto redo_accept;
 			}
 		ret = 0;
 		goto end;
 		}
 	else if (ridx_filename)
 		{
 		ret = 0;
 		goto end;
 		}
@ -851,6 +900,8 @@ int MAIN(int argc, char **argv)
 		store = setup_verify(bio_err, CAfile, CApath);
 	if (!store)
 		goto end;
 	if (vpm)
 		X509_STORE_set1_param(store, vpm);
 	if (verify_certfile)
 		{
 		verify_other = load_certs(bio_err, verify_certfile, FORMAT_PEM,
@ -866,6 +917,8 @@ int MAIN(int argc, char **argv)
 		goto end;
 		}
 	ret = 0;
 	if (!noverify)
 		{
 		if (req && ((i = OCSP_check_nonce(req, bs)) <= 0))
@ -875,17 +928,17 @@ int MAIN(int argc, char **argv)
 			else
 				{
 				BIO_printf(bio_err, "Nonce Verify error\n");
 				ret = 1;
 				goto end;
 				}
 			}
 		i = OCSP_basic_verify(bs, verify_other, store, verify_flags);
                if (i < 0) i = OCSP_basic_verify(bs, NULL, store, 0);
 		if(i <= 0)
 			{
 			BIO_printf(bio_err, "Response Verify Failure\n");
 			ERR_print_errors(bio_err);
 			ret = 1;
 			}
 		else
 			BIO_printf(bio_err, "Response verify OK\n");
@ -893,14 +946,14 @@ int MAIN(int argc, char **argv)
 		}
 	if (!print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage))
-		goto end;
+		ret = 1;
 	ret = 0;
 end:
 	ERR_print_errors(bio_err);
 	X509_free(signer);
 	X509_STORE_free(store);
 	if (vpm)
 		X509_VERIFY_PARAM_free(vpm);
 	EVP_PKEY_free(key);
 	EVP_PKEY_free(rkey);
 	X509_free(issuer);
@ -920,12 +973,12 @@ end:
 	sk_X509_pop_free(verify_other, X509_free);
 	sk_CONF_VALUE_pop_free(headers, X509V3_conf_free);
-	if (use_ssl != -1)
+	if (thost)
-		{
+		OPENSSL_free(thost);
-		OPENSSL_free(host);
+	if (tport)
-		OPENSSL_free(port);
+		OPENSSL_free(tport);
-		OPENSSL_free(path);
+	if (tpath)
-		}
+		OPENSSL_free(tpath);
 	OPENSSL_EXIT(ret);
 }
@ -1051,9 +1104,10 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
 static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db,
-			X509 *ca, X509 *rcert, EVP_PKEY *rkey,
+			X509 *ca, X509 *rcert,
 			EVP_PKEY *rkey, const EVP_MD *rmd,
 			STACK_OF(X509) *rother, unsigned long flags,
-			int nmin, int ndays)
+			int nmin, int ndays, int badsig)
 	{
 	ASN1_TIME *thisupd = NULL, *nextupd = NULL;
 	OCSP_CERTID *cid, *ca_id = NULL;
@ -1142,7 +1196,10 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db
 	OCSP_copy_nonce(bs, req);
-	OCSP_basic_sign(bs, rcert, rkey, NULL, rother, flags);
+	OCSP_basic_sign(bs, rcert, rkey, rmd, rother, flags);
 	if (badsig)
 		bs->signature->data[bs->signature->length -1] ^= 0x1;
 	*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
@ -1176,7 +1233,7 @@ static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser)
 /* Quick and dirty OCSP server: read in and parse input request */
-static BIO *init_responder(char *port)
+static BIO *init_responder(const char *port)
 	{
 	BIO *acbio = NULL, *bufbio = NULL;
 	bufbio = BIO_new(BIO_f_buffer());
@ -1207,7 +1264,8 @@ static BIO *init_responder(char *port)
 	return NULL;
 	}
-static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port)
+static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
 			const char *port)
 	{
 	int have_post = 0, len;
 	OCSP_REQUEST *req = NULL;
@ -1273,8 +1331,8 @@ static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
 	return 1;
 	}
-static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
+static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, const char *path,
-				STACK_OF(CONF_VALUE) *headers,
+				      const STACK_OF(CONF_VALUE) *headers,
 				      OCSP_REQUEST *req, int req_timeout)
 	{
 	int fd;
@ -1371,8 +1429,9 @@ static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
 	}
 OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
-			char *host, char *path, char *port, int use_ssl,
+				 const char *host, const char *path,
-			STACK_OF(CONF_VALUE) *headers,
+				 const char *port, int use_ssl,
 				 const STACK_OF(CONF_VALUE) *headers,
 				 int req_timeout)
 	{
 	BIO *cbio = NULL;
@ -1409,7 +1468,7 @@ OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
 		}
 	resp = query_responder(err, cbio, path, headers, req, req_timeout);
 	if (!resp)
-		BIO_printf(bio_err, "Error querying OCSP responsder\n");
+		BIO_printf(bio_err, "Error querying OCSP responder\n");
 	end:
 	if (cbio)
 		BIO_free_all(cbio);
--- a/apps/openssl-vms.cnf
+++ b/apps/openssl-vms.cnf
@ -103,7 +103,7 @@ emailAddress		= optional
 ####################################################################
 [ req ]
-default_bits		= 1024
+default_bits		= 2048
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes
--- a/apps/openssl.c
+++ b/apps/openssl.c
@ -117,6 +117,7 @@
 #include "apps.h"
 #include <openssl/bio.h>
 #include <openssl/crypto.h>
 #include <openssl/rand.h>
 #include <openssl/lhash.h>
 #include <openssl/conf.h>
 #include <openssl/x509.h>
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@ -103,7 +103,7 @@ emailAddress		= optional
 ####################################################################
 [ req ]
-default_bits		= 1024
+default_bits		= 2048
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@ -112,7 +112,7 @@ int MAIN(int argc, char **argv)
    int maciter = PKCS12_DEFAULT_ITER;
    int twopass = 0;
    int keytype = 0;
-    int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
+    int cert_pbe;
    int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
    int ret = 1;
    int macver = 1;
@ -130,6 +130,13 @@ int MAIN(int argc, char **argv)
    apps_startup();
 #ifdef OPENSSL_FIPS
    if (FIPS_mode())
 	cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
    else
 #endif
    cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
    enc = EVP_des_ede3_cbc();
    if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
--- a/apps/pkcs8.c
+++ b/apps/pkcs8.c
@ -135,6 +135,22 @@ int MAIN(int argc, char **argv)
 			else
 				badarg = 1;
 			}
 		else if (!strcmp(*args,"-v2prf"))
 			{
 			if (args[1])
 				{
 				args++;
 				pbe_nid=OBJ_txt2nid(*args);
 				if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, pbe_nid, NULL, NULL, 0))
 					{
 					BIO_printf(bio_err,
 						 "Unknown PRF algorithm %s\n", *args);
 					badarg = 1;
 					}
 				}
 			else
 				badarg = 1;
 			}
 		else if (!strcmp(*args,"-inform"))
 			{
 			if (args[1])
--- a/apps/progs.h
+++ b/apps/progs.h
@ -107,16 +107,16 @@ FUNCTION functions[] = {
 	{FUNC_TYPE_GENERAL,"gendsa",gendsa_main},
 #endif
 	{FUNC_TYPE_GENERAL,"genpkey",genpkey_main},
-#if !defined(OPENSSL_NO_SOCK) && !(defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3))
+#if !defined(OPENSSL_NO_SOCK)
 	{FUNC_TYPE_GENERAL,"s_server",s_server_main},
 #endif
-#if !defined(OPENSSL_NO_SOCK) && !(defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3))
+#if !defined(OPENSSL_NO_SOCK)
 	{FUNC_TYPE_GENERAL,"s_client",s_client_main},
 #endif
 #ifndef OPENSSL_NO_SPEED
 	{FUNC_TYPE_GENERAL,"speed",speed_main},
 #endif
-#if !defined(OPENSSL_NO_SOCK) && !(defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3))
+#if !defined(OPENSSL_NO_SOCK)
 	{FUNC_TYPE_GENERAL,"s_time",s_time_main},
 #endif
 	{FUNC_TYPE_GENERAL,"version",version_main},
@ -126,7 +126,7 @@ FUNCTION functions[] = {
 #endif
 	{FUNC_TYPE_GENERAL,"crl2pkcs7",crl2pkcs7_main},
 	{FUNC_TYPE_GENERAL,"sess_id",sess_id_main},
-#if !defined(OPENSSL_NO_SOCK) && !(defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3))
+#if !defined(OPENSSL_NO_SOCK)
 	{FUNC_TYPE_GENERAL,"ciphers",ciphers_main},
 #endif
 	{FUNC_TYPE_GENERAL,"nseq",nseq_main},
--- a/apps/progs.pl
+++ b/apps/progs.pl
@ -32,7 +32,7 @@ foreach (@ARGV)
 	push(@files,$_);
 	$str="\t{FUNC_TYPE_GENERAL,\"$_\",${_}_main},\n";
 	if (($_ =~ /^s_/) || ($_ =~ /^ciphers$/))
-		{ print "#if !defined(OPENSSL_NO_SOCK) && !(defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3))\n${str}#endif\n"; } 
+		{ print "#if !defined(OPENSSL_NO_SOCK)\n${str}#endif\n"; } 
 	elsif ( ($_ =~ /^speed$/))
 		{ print "#ifndef OPENSSL_NO_SPEED\n${str}#endif\n"; }
 	elsif ( ($_ =~ /^engine$/))
--- a/apps/req.c
+++ b/apps/req.c
@ -644,6 +644,11 @@ bad:
 		if (inrand)
 			app_RAND_load_files(inrand);
 		if (!NCONF_get_number(req_conf,SECTION,BITS, &newkey))
 			{
 			newkey=DEFAULT_KEY_LENGTH;
 			}
 		if (keyalg)
 			{
 			genctx = set_keygen_ctx(bio_err, keyalg, &pkey_type, &newkey,
@ -652,12 +657,6 @@ bad:
 				goto end;
 			}
 		if (newkey <= 0)
 			{
 			if (!NCONF_get_number(req_conf,SECTION,BITS, &newkey))
 				newkey=DEFAULT_KEY_LENGTH;
 			}
 		if (newkey < MIN_KEY_LENGTH && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA))
 			{
 			BIO_printf(bio_err,"private key length is too short,\n");
@ -1490,7 +1489,13 @@ start:
 #ifdef CHARSET_EBCDIC
 	ebcdic2ascii(buf, buf, i);
 #endif
-	if(!req_check_len(i, n_min, n_max)) goto start;
+	if(!req_check_len(i, n_min, n_max))
 		{
 		if (batch || value)
 			return 0;
 		goto start;
 		}
 	if (!X509_NAME_add_entry_by_NID(n,nid, chtype,
 				(unsigned char *) buf, -1,-1,mval)) goto err;
 	ret=1;
@ -1549,7 +1554,12 @@ start:
 #ifdef CHARSET_EBCDIC
 	ebcdic2ascii(buf, buf, i);
 #endif
-	if(!req_check_len(i, n_min, n_max)) goto start;
+	if(!req_check_len(i, n_min, n_max))
 		{
 		if (batch || value)
 			return 0;
 		goto start;
 		}
 	if(!X509_REQ_add1_attr_by_NID(req, nid, chtype,
 					(unsigned char *)buf, -1)) {
@ -1649,6 +1659,8 @@ static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr, int *pkey_type,
 				keylen = atol(p + 1);
 				*pkeylen = keylen;
 				}
 			else
 				keylen = *pkeylen;
 			}
 		else if (p)
 			paramfile = p + 1;
--- a/apps/s_apps.h
+++ b/apps/s_apps.h
@ -148,14 +148,19 @@ typedef fd_mask fd_set;
 #define PORT_STR        "4433"
 #define PROTOCOL        "tcp"
-int do_server(int port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context);
+int do_server(int port, int type, int *ret, int (*cb) (char *hostname, int s, int stype, unsigned char *context), unsigned char *context, int naccept);
 #ifdef HEADER_X509_H
 int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
 #endif
 #ifdef HEADER_SSL_H
 int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
-int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key);
+int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
 					STACK_OF(X509) *chain, int build_chain);
 int ssl_print_sigalgs(BIO *out, SSL *s);
 int ssl_print_point_formats(BIO *out, SSL *s);
 int ssl_print_curves(BIO *out, SSL *s, int noshared);
 #endif
 int ssl_print_tmp_key(BIO *out, SSL *s);
 int init_client(int *sock, char *server, int port, int type);
 int should_retry(int i);
 int extract_port(char *str, short *port_ptr);
@ -174,3 +179,23 @@ void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type,
 int MS_CALLBACK generate_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len);
 int MS_CALLBACK verify_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int cookie_len);
 typedef struct ssl_excert_st SSL_EXCERT;
 void ssl_ctx_set_excert(SSL_CTX *ctx, SSL_EXCERT *exc);
 void ssl_excert_free(SSL_EXCERT *exc);
 int args_excert(char ***pargs, int *pargc,
 			int *badarg, BIO *err, SSL_EXCERT **pexc);
 int load_excert(SSL_EXCERT **pexc, BIO *err);
 void print_ssl_summary(BIO *bio, SSL *s);
 #ifdef HEADER_SSL_H
 int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx,
 			int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr);
 int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
 		STACK_OF(OPENSSL_STRING) *str, int no_ecdhe, int no_jpake);
 int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls, int crl_download);
 int ssl_load_stores(SSL_CTX *ctx,
 			const char *vfyCApath, const char *vfyCAfile,
 			const char *chCApath, const char *chCAfile,
 			STACK_OF(X509_CRL) *crls, int crl_download);
 #endif
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@ -125,6 +125,7 @@
 #define	COOKIE_SECRET_LENGTH	16
 int verify_depth=0;
 int verify_quiet=0;
 int verify_error=X509_V_OK;
 int verify_return_error=0;
 unsigned char cookie_secret[COOKIE_SECRET_LENGTH];
@ -139,15 +140,19 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
 	err=	X509_STORE_CTX_get_error(ctx);
 	depth=	X509_STORE_CTX_get_error_depth(ctx);
 	if (!verify_quiet || !ok)
 		{
 		BIO_printf(bio_err,"depth=%d ",depth);
 		if (err_cert)
 			{
-		X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert),
+			X509_NAME_print_ex(bio_err,
 					X509_get_subject_name(err_cert),
 					0, XN_FLAG_ONELINE);
 			BIO_puts(bio_err, "\n");
 			}
 		else
 			BIO_puts(bio_err, "<no cert>\n");
 		}
 	if (!ok)
 		{
 		BIO_printf(bio_err,"verify error:num=%d:%s\n",err,
@ -185,12 +190,13 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
 		BIO_printf(bio_err,"\n");
 		break;
 	case X509_V_ERR_NO_EXPLICIT_POLICY:
 		if (!verify_quiet)
 			policies_print(bio_err, ctx);
 		break;
 		}
-	if (err == X509_V_OK && ok == 2)
+	if (err == X509_V_OK && ok == 2 && !verify_quiet)
 		policies_print(bio_err, ctx);
-
+	if (ok && !verify_quiet)
 		BIO_printf(bio_err,"verify return:%d\n",ok);
 	return(ok);
 	}
@ -250,8 +256,10 @@ int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file)
 	return(1);
 	}
-int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key)
+int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
 		       STACK_OF(X509) *chain, int build_chain)
 	{
 	int chflags = chain ? SSL_BUILD_CHAIN_FLAG_CHECK : 0;
 	if (cert == NULL)
 		return 1;
 	if (SSL_CTX_use_certificate(ctx,cert) <= 0)
@ -260,6 +268,7 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key)
 		ERR_print_errors(bio_err);
 		return 0;
 		}
 	if (SSL_CTX_use_PrivateKey(ctx,key) <= 0)
 		{
 		BIO_printf(bio_err,"error setting private key\n");
@ -267,7 +276,6 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key)
 		return 0;
 		}
 	/* Now we know that a key and cert have been set against
 	 * the SSL context */
 	if (!SSL_CTX_check_private_key(ctx))
@ -275,9 +283,276 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key)
 		BIO_printf(bio_err,"Private key does not match the certificate public key\n");
 		return 0;
 		}
 	if (chain && !SSL_CTX_set1_chain(ctx, chain))
 		{
 		BIO_printf(bio_err,"error setting certificate chain\n");
 		ERR_print_errors(bio_err);
 		return 0;
 		}
 	if (build_chain && !SSL_CTX_build_cert_chain(ctx, chflags))
 		{
 		BIO_printf(bio_err,"error building certificate chain\n");
 		ERR_print_errors(bio_err);
 		return 0;
 		}
 	return 1;
 	}
 static void ssl_print_client_cert_types(BIO *bio, SSL *s)
 	{
 	const unsigned char *p;
 	int i;
 	int cert_type_num = SSL_get0_certificate_types(s, &p);
 	if (!cert_type_num)
 		return;
 	BIO_puts(bio, "Client Certificate Types: ");
 	for (i = 0; i < cert_type_num; i++)
 		{
 		unsigned char cert_type = p[i];
 		char *cname;
 		switch(cert_type)
 			{
 		case TLS_CT_RSA_SIGN:
 			cname = "RSA sign";
 			break;
 		case TLS_CT_DSS_SIGN:
 			cname = "DSA sign";
 			break;
 		case TLS_CT_RSA_FIXED_DH:
 			cname = "RSA fixed DH";
 			break;
 		case TLS_CT_DSS_FIXED_DH:
 			cname = "DSS fixed DH";
 			break;
 		case TLS_CT_ECDSA_SIGN:
 			cname = "ECDSA sign";
 			break;
 		case TLS_CT_RSA_FIXED_ECDH:
 			cname = "RSA fixed ECDH";
 			break;
 		case TLS_CT_ECDSA_FIXED_ECDH:
 			cname = "ECDSA fixed ECDH";
 			break;
 		case TLS_CT_GOST94_SIGN:
 			cname = "GOST94 Sign";
 			break;
 		case TLS_CT_GOST01_SIGN:
 			cname = "GOST01 Sign";
 			break;
 		default:
 			 cname = NULL;
 			}
 		if (i)
 			BIO_puts(bio, ", ");
 		if (cname)
 			BIO_puts(bio, cname);
 		else
 			BIO_printf(bio, "UNKNOWN (%d),", cert_type);
 		}
 	BIO_puts(bio, "\n");
 	}
 static int do_print_sigalgs(BIO *out, SSL *s, int shared)
 	{
 	int i, nsig, client;
 	client = SSL_is_server(s) ? 0 : 1;
 	if (shared)
 		nsig = SSL_get_shared_sigalgs(s, -1, NULL, NULL, NULL,
 							NULL, NULL);
 	else
 		nsig = SSL_get_sigalgs(s, -1, NULL, NULL, NULL, NULL, NULL);
 	if (nsig == 0)
 		return 1;
 	if (shared)
 		BIO_puts(out, "Shared ");
 	if (client)
 		BIO_puts(out, "Requested ");
 	BIO_puts(out, "Signature Algorithms: ");
 	for (i = 0; i < nsig; i++)
 		{
 		int hash_nid, sign_nid;
 		unsigned char rhash, rsign;
 		const char *sstr = NULL;
 		if (shared)
 			SSL_get_shared_sigalgs(s, i, &sign_nid, &hash_nid, NULL,
 							&rsign, &rhash);
 		else
 			SSL_get_sigalgs(s, i, &sign_nid, &hash_nid, NULL,
 							&rsign, &rhash);
 		if (i)
 			BIO_puts(out, ":");
 		if (sign_nid == EVP_PKEY_RSA)
 			sstr = "RSA";
 		else if(sign_nid == EVP_PKEY_DSA)
 			sstr = "DSA";
 		else if(sign_nid == EVP_PKEY_EC)
 			sstr = "ECDSA";
 		if (sstr)
 			BIO_printf(out,"%s+", sstr);
 		else
 			BIO_printf(out,"0x%02X+", (int)rsign);
 		if (hash_nid != NID_undef)
 			BIO_printf(out, "%s", OBJ_nid2sn(hash_nid));
 		else
 			BIO_printf(out,"0x%02X", (int)rhash);
 		}
 	BIO_puts(out, "\n");
 	return 1;
 	}
 int ssl_print_sigalgs(BIO *out, SSL *s)
 	{
 	int mdnid;
 	if (!SSL_is_server(s))
 		ssl_print_client_cert_types(out, s);
 	do_print_sigalgs(out, s, 0);
 	do_print_sigalgs(out, s, 1);
 	if (SSL_get_peer_signature_nid(s, &mdnid))
 		BIO_printf(out, "Peer signing digest: %s\n", OBJ_nid2sn(mdnid));
 	return 1;
 	}
 #ifndef OPENSSL_NO_EC
 int ssl_print_point_formats(BIO *out, SSL *s)
 	{
 	int i, nformats;
 	const char *pformats;
 	nformats = SSL_get0_ec_point_formats(s, &pformats);
 	if (nformats <= 0)
 		return 1;
 	BIO_puts(out, "Supported Elliptic Curve Point Formats: ");
 	for (i = 0; i < nformats; i++, pformats++)
 		{
 		if (i)
 			BIO_puts(out, ":");
 		switch(*pformats)
 			{
 		case TLSEXT_ECPOINTFORMAT_uncompressed:
 			BIO_puts(out, "uncompressed");
 			break;
 		case TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime:
 			BIO_puts(out, "ansiX962_compressed_prime");
 			break;
 		case TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2:
 			BIO_puts(out, "ansiX962_compressed_char2");
 			break;
 		default:
 			BIO_printf(out, "unknown(%d)", (int)*pformats);
 			break;
 			}
 		}
 	if (nformats <= 0)
 		BIO_puts(out, "NONE");
 	BIO_puts(out, "\n");
 	return 1;
 	}
 int ssl_print_curves(BIO *out, SSL *s, int noshared)
 	{
 	int i, ncurves, *curves, nid;
 	const char *cname;
 	ncurves = SSL_get1_curves(s, NULL);
 	if (ncurves <= 0)
 		return 1;
 	curves = OPENSSL_malloc(ncurves * sizeof(int));
 	SSL_get1_curves(s, curves);
 	BIO_puts(out, "Supported Elliptic Curves: ");
 	for (i = 0; i < ncurves; i++)
 		{
 		if (i)
 			BIO_puts(out, ":");
 		nid = curves[i];
 		/* If unrecognised print out hex version */
 		if (nid & TLSEXT_nid_unknown)
 			BIO_printf(out, "0x%04X", nid & 0xFFFF);
 		else
 			{
 			/* Use NIST name for curve if it exists */
 			cname = EC_curve_nid2nist(nid);
 			if (!cname)
 				cname = OBJ_nid2sn(nid);
 			BIO_printf(out, "%s", cname);
 			}
 		}
 	if (ncurves == 0)
 		BIO_puts(out, "NONE");
 	OPENSSL_free(curves);
 	if (noshared)
 		{
 		BIO_puts(out, "\n");
 		return 1;
 		}
 	BIO_puts(out, "\nShared Elliptic curves: ");
 	ncurves = SSL_get_shared_curve(s, -1);
 	for (i = 0; i < ncurves; i++)
 		{
 		if (i)
 			BIO_puts(out, ":");
 		nid = SSL_get_shared_curve(s, i);
 		cname = EC_curve_nid2nist(nid);
 		if (!cname)
 			cname = OBJ_nid2sn(nid);
 		BIO_printf(out, "%s", cname);
 		}
 	if (ncurves == 0)
 		BIO_puts(out, "NONE");
 	BIO_puts(out, "\n");
 	return 1;
 	}
 #endif
 int ssl_print_tmp_key(BIO *out, SSL *s)
 	{
 	EVP_PKEY *key;
 	if (!SSL_get_server_tmp_key(s, &key))
 		return 1;
 	BIO_puts(out, "Server Temp Key: ");
 	switch (EVP_PKEY_id(key))
 		{
 	case EVP_PKEY_RSA:
 		BIO_printf(out, "RSA, %d bits\n", EVP_PKEY_bits(key));
 		break;
 	case EVP_PKEY_DH:
 		BIO_printf(out, "DH, %d bits\n", EVP_PKEY_bits(key));
 		break;
 #ifndef OPENSSL_NO_ECDH
 	case EVP_PKEY_EC:
 			{
 			EC_KEY *ec = EVP_PKEY_get1_EC_KEY(key);
 			int nid;
 			const char *cname;
 			nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
 			EC_KEY_free(ec);
 			cname = EC_curve_nid2nist(nid);
 			if (!cname)
 				cname = OBJ_nid2sn(nid);
 			BIO_printf(out, "ECDH, %s, %d bits\n",
 						cname, EVP_PKEY_bits(key));
 			}
 #endif
 		}
 	EVP_PKEY_free(key);
 	return 1;
 	}
 long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
 				   int argi, long argl, long ret)
 	{
@ -436,6 +711,8 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *
 	if (version == SSL3_VERSION ||
 	    version == TLS1_VERSION ||
 	    version == TLS1_1_VERSION ||
 	    version == TLS1_2_VERSION ||
 	    version == DTLS1_VERSION ||
 	    version == DTLS1_BAD_VER)
 		{
@ -745,6 +1022,10 @@ void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type,
 		break;
 #endif
 		case TLSEXT_TYPE_padding:
 		extname = "TLS padding";
 		break;
 		default:
 		extname = "unknown";
 		break;
@ -926,3 +1207,551 @@ int MS_CALLBACK verify_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned
 	return 0;
 	}
 /* Example of extended certificate handling. Where the standard support
 * of one certificate per algorithm is not sufficient an application
 * can decide which certificate(s) to use at runtime based on whatever
 * criteria it deems appropriate.
 */
 /* Linked list of certificates, keys and chains */
 struct  ssl_excert_st
 	{
 	int certform;
 	const char *certfile;
 	int keyform;
 	const char *keyfile;
 	const char *chainfile;
 	X509 *cert;
 	EVP_PKEY *key;
 	STACK_OF(X509) *chain;
 	int build_chain;
 	struct ssl_excert_st *next, *prev;
 	};
 struct chain_flags
 	{
 	int flag;
 	const char *name;
 	};
 struct chain_flags chain_flags_list[] =
 	{
 		{CERT_PKEY_VALID, "Overall Validity"},
 		{CERT_PKEY_SIGN,  "Sign with EE key"},
 		{CERT_PKEY_EE_SIGNATURE, "EE signature"},
 		{CERT_PKEY_CA_SIGNATURE, "CA signature"},
 		{CERT_PKEY_EE_PARAM, "EE key parameters"},
 		{CERT_PKEY_CA_PARAM, "CA key parameters"},
 		{CERT_PKEY_EXPLICIT_SIGN,  "Explicity sign with EE key"},
 		{CERT_PKEY_ISSUER_NAME,  "Issuer Name"},
 		{CERT_PKEY_CERT_TYPE,  "Certificate Type"},
 		{0, NULL}
 	};
 static void print_chain_flags(BIO *out, int flags)
 	{
 	struct chain_flags *ctmp = chain_flags_list;
 	while(ctmp->name)
 		{
 		BIO_printf(out, "\t%s: %s\n", ctmp->name,
 				flags & ctmp->flag ? "OK" : "NOT OK");
 		ctmp++;
 		}
 	}
 /* Very basic selection callback: just use any certificate chain
 * reported as valid. More sophisticated could prioritise according
 * to local policy.
 */
 static int set_cert_cb(SSL *ssl, void *arg)
 	{
 	int i, rv;
 	SSL_EXCERT *exc = arg;
 #ifdef CERT_CB_TEST_RETRY
 	static int retry_cnt;
 	if (retry_cnt < 5)
 		{
 		retry_cnt++;
 		fprintf(stderr, "Certificate callback retry test: count %d\n",
 								retry_cnt);
 		return -1;
 		}
 #endif
 	SSL_certs_clear(ssl);
 	if (!exc)
 		return 1;
 	/* Go to end of list and traverse backwards since we prepend
 	 * newer entries this retains the original order.
 	 */
 	while (exc->next)
 		exc = exc->next;
 	i = 0;	
 	while(exc)
 		{
 		i++;
 		rv = SSL_check_chain(ssl, exc->cert, exc->key, exc->chain);
 		BIO_printf(bio_err, "Checking cert chain %d:\nSubject: ", i);
 		X509_NAME_print_ex(bio_err, X509_get_subject_name(exc->cert), 0,
 							XN_FLAG_ONELINE);
 		BIO_puts(bio_err, "\n");
 		print_chain_flags(bio_err, rv);
 		if (rv & CERT_PKEY_VALID)
 			{
 			SSL_use_certificate(ssl, exc->cert);
 			SSL_use_PrivateKey(ssl, exc->key);
 			/* NB: we wouldn't normally do this as it is
 			 * not efficient building chains on each connection
 			 * better to cache the chain in advance.
 			 */
 			if (exc->build_chain)
 				{
 				if (!SSL_build_cert_chain(ssl, 0))
 					return 0;
 				}
 			else if (exc->chain)
 				SSL_set1_chain(ssl, exc->chain);
 			}
 		exc = exc->prev;
 		}
 	return 1;
 	}
 void ssl_ctx_set_excert(SSL_CTX *ctx, SSL_EXCERT *exc)
 	{
 	SSL_CTX_set_cert_cb(ctx, set_cert_cb, exc);
 	}
 static int ssl_excert_prepend(SSL_EXCERT **pexc)
 	{
 	SSL_EXCERT *exc;
 	exc = OPENSSL_malloc(sizeof(SSL_EXCERT));
 	if (!exc)
 		return 0;
 	exc->certfile = NULL;
 	exc->keyfile = NULL;
 	exc->chainfile = NULL;
 	exc->cert = NULL;
 	exc->key = NULL;
 	exc->chain = NULL;
 	exc->prev = NULL;
 	exc->build_chain = 0;
 	exc->next = *pexc;
 	*pexc = exc;
 	if (exc->next)
 		{
 		exc->certform = exc->next->certform;
 		exc->keyform = exc->next->keyform;
 		exc->next->prev = exc;
 		}
 	else
 		{
 		exc->certform = FORMAT_PEM;
 		exc->keyform = FORMAT_PEM;
 		}
 	return 1;
 	}
 void ssl_excert_free(SSL_EXCERT *exc)
 	{
 	SSL_EXCERT *curr;
 	while (exc)
 		{
 		if (exc->cert)
 			X509_free(exc->cert);
 		if (exc->key)
 			EVP_PKEY_free(exc->key);
 		if (exc->chain)
 			sk_X509_pop_free(exc->chain, X509_free);
 		curr = exc;
 		exc = exc->next;
 		OPENSSL_free(curr);
 		}
 	}
 int load_excert(SSL_EXCERT **pexc, BIO *err)
 	{
 	SSL_EXCERT *exc = *pexc;
 	if (!exc)
 		return 1;
 	/* If nothing in list, free and set to NULL */
 	if (!exc->certfile && !exc->next)
 		{
 		ssl_excert_free(exc);
 		*pexc = NULL;
 		return 1;
 		}
 	for(; exc; exc=exc->next)
 		{
 		if (!exc->certfile)
 			{
 			BIO_printf(err, "Missing filename\n");
 			return 0;
 			}
 		exc->cert = load_cert(err, exc->certfile, exc->certform,
 					NULL, NULL, "Server Certificate");
 		if (!exc->cert)
 			return 0;
 		if (exc->keyfile)
 			exc->keyfile = exc->certfile;
 		exc->key = load_key(err, exc->certfile, exc->certform, 0,
 					NULL, NULL, "Server Certificate");
 		if (!exc->key)
 			return 0;
 		if (exc->chainfile)
 			{
 			exc->chain = load_certs(err,
 						exc->chainfile, FORMAT_PEM,
 						NULL, NULL,
 						"Server Chain");
 			if (!exc->chainfile)
 				return 0;
 			}
 		}
 	return 1;
 	}
 int args_excert(char ***pargs, int *pargc,
 			int *badarg, BIO *err, SSL_EXCERT **pexc)
 	{
 	char *arg = **pargs, *argn = (*pargs)[1];
 	SSL_EXCERT *exc = *pexc;
 	int narg = 2;
 	if (!exc)
 		{
 		if (ssl_excert_prepend(&exc))
 			*pexc = exc;
 		else
 			{
 			BIO_printf(err, "Error initialising xcert\n");
 			*badarg = 1;
 			goto err;
 			}
 		}
 	if (strcmp(arg, "-xcert") == 0)
 		{
 		if (!argn)
 			{
 			*badarg = 1;
 			return 1;
 			}
 		if (exc->certfile && !ssl_excert_prepend(&exc))
 			{
 			BIO_printf(err, "Error adding xcert\n");
 			*badarg = 1;
 			goto err;
 			}
 		exc->certfile = argn;
 		}
 	else if (strcmp(arg,"-xkey") == 0)
 		{
 		if (!argn)
 			{
 			*badarg = 1;
 			return 1;
 			}
 		if (exc->keyfile)
 			{
 			BIO_printf(err, "Key already specified\n");
 			*badarg = 1;
 			return 1;
 			}
 		exc->keyfile = argn;
 		}
 	else if (strcmp(arg,"-xchain") == 0)
 		{
 		if (!argn)
 			{
 			*badarg = 1;
 			return 1;
 			}
 		if (exc->chainfile)
 			{
 			BIO_printf(err, "Chain already specified\n");
 			*badarg = 1;
 			return 1;
 			}
 		exc->chainfile = argn;
 		}
 	else if (strcmp(arg,"-xchain_build") == 0)
 		{
 		narg = 1;
 		exc->build_chain = 1;
 		}
 	else if (strcmp(arg,"-xcertform") == 0)
 		{
 		if (!argn)
 			{
 			*badarg = 1;
 			goto err;
 			}
 		exc->certform = str2fmt(argn);
 		}
 	else if (strcmp(arg,"-xkeyform") == 0)
 		{
 		if (!argn)
 			{
 			*badarg = 1;
 			goto err;
 			}
 		exc->keyform = str2fmt(argn);
 		}
 	else
 		return 0;
 	(*pargs) += narg;
 	if (pargc)
 		*pargc -= narg;
 	*pexc = exc;
 	return 1;
 	err:
 	ERR_print_errors(err);
 	ssl_excert_free(exc);
 	*pexc = NULL;
 	return 1;
 	}
 static void print_raw_cipherlist(BIO *bio, SSL *s)
 	{
 	const unsigned char *rlist;
 	static const unsigned char scsv_id[] = {0, 0, 0xFF};
 	size_t i, rlistlen, num;
 	if (!SSL_is_server(s))
 		return;
 	num = SSL_get0_raw_cipherlist(s, NULL);
 	rlistlen = SSL_get0_raw_cipherlist(s, &rlist);
 	BIO_puts(bio, "Client cipher list: ");
 	for (i = 0; i < rlistlen; i += num, rlist += num)
 		{
 		const SSL_CIPHER *c = SSL_CIPHER_find(s, rlist);
 		if (i)
 			BIO_puts(bio, ":");
 		if (c)
 			BIO_puts(bio, SSL_CIPHER_get_name(c));
 		else if (!memcmp(rlist, scsv_id - num + 3, num))
 			BIO_puts(bio, "SCSV");
 		else
 			{
 			size_t j;
 			BIO_puts(bio, "0x");
 			for (j = 0; j < num; j++)
 				BIO_printf(bio, "%02X", rlist[j]);
 			}
 		}
 	BIO_puts(bio, "\n");
 	}
 void print_ssl_summary(BIO *bio, SSL *s)
 	{
 	const SSL_CIPHER *c;
 	X509 *peer;
 	/*const char *pnam = SSL_is_server(s) ? "client" : "server";*/
 	BIO_printf(bio, "Protocol version: %s\n", SSL_get_version(s));
 	print_raw_cipherlist(bio, s);
 	c = SSL_get_current_cipher(s);
 	BIO_printf(bio,"Ciphersuite: %s\n", SSL_CIPHER_get_name(c));
 	do_print_sigalgs(bio, s, 0);
 	peer = SSL_get_peer_certificate(s);
 	if (peer)
 		{
 		int nid;
 		BIO_puts(bio, "Peer certificate: ");
 		X509_NAME_print_ex(bio, X509_get_subject_name(peer),
 					0, XN_FLAG_ONELINE);
 		BIO_puts(bio, "\n");
 		if (SSL_get_peer_signature_nid(s, &nid))
 			BIO_printf(bio, "Hash used: %s\n", OBJ_nid2sn(nid));
 		}
 	else
 		BIO_puts(bio, "No peer certificate\n");
 	if (peer)
 		X509_free(peer);
 #ifndef OPENSSL_NO_EC
 	ssl_print_point_formats(bio, s);
 	if (SSL_is_server(s))
 		ssl_print_curves(bio, s, 1);
 	else
 		ssl_print_tmp_key(bio, s);
 #else
 	if (!SSL_is_server(s))
 		ssl_print_tmp_key(bio, s);
 #endif
 	}
 int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx,
 			int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr)
 	{
 	char *arg = **pargs, *argn = (*pargs)[1];
 	int rv;
 	/* Attempt to run SSL configuration command */
 	rv = SSL_CONF_cmd_argv(cctx, pargc, pargs);
 	/* If parameter not recognised just return */
 	if (rv == 0)
 		return 0;
 	/* see if missing argument error */
 	if (rv == -3)
 		{
 		BIO_printf(err, "%s needs an argument\n", arg);
 		*badarg = 1;
 		goto end;
 		}
 	/* Check for some other error */
 	if (rv < 0)
 		{
 		BIO_printf(err, "Error with command: \"%s %s\"\n",
 						arg, argn ? argn : "");
 		*badarg = 1;
 		goto end;
 		}
 	/* Store command and argument */
 	/* If only one argument processed store value as NULL */
 	if (rv == 1)
 		argn = NULL;
 	if (!*pstr)
 		*pstr = sk_OPENSSL_STRING_new_null();
 	if (!*pstr || !sk_OPENSSL_STRING_push(*pstr, arg) ||
 				!sk_OPENSSL_STRING_push(*pstr, argn))
 		{
 		BIO_puts(err, "Memory allocation failure\n");
 		goto end;
 		}
 	end:
 	if (*badarg)
 		ERR_print_errors(err);
 	return 1;
 	}
 int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
 		STACK_OF(OPENSSL_STRING) *str, int no_ecdhe, int no_jpake)
 	{
 	int i;
 	SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
 	for (i = 0; i < sk_OPENSSL_STRING_num(str); i+= 2)
 		{
 		const char *param = sk_OPENSSL_STRING_value(str, i);
 		const char *value = sk_OPENSSL_STRING_value(str, i + 1);
 		/* If no_ecdhe or named curve already specified don't need
 		 * a default.
 		 */
 		if (!no_ecdhe && !strcmp(param, "-named_curve"))
 			no_ecdhe = 1;
 #ifndef OPENSSL_NO_JPAKE
 		if (!no_jpake && !strcmp(param, "-cipher"))
 			{
 			BIO_puts(err, "JPAKE sets cipher to PSK\n");
 			return 0;
 			}
 #endif
 		if (SSL_CONF_cmd(cctx, param, value) <= 0)
 			{
 			BIO_printf(err, "Error with command: \"%s %s\"\n",
 						param, value ? value : "");
 			ERR_print_errors(err);
 			return 0;
 			}
 		}
 	/* This is a special case to keep existing s_server functionality:
 	 * if we don't have any curve specified *and* we haven't disabled
 	 * ECDHE then use P-256.
 	 */
 	if (!no_ecdhe)
 		{
 		if (SSL_CONF_cmd(cctx, "-named_curve", "P-256") <= 0)
 			{
 			BIO_puts(err, "Error setting EC curve\n");
 			ERR_print_errors(err);
 			return 0;
 			}
 		}
 #ifndef OPENSSL_NO_JPAKE
 	if (!no_jpake)
 		{
 		if (SSL_CONF_cmd(cctx, "-cipher", "PSK") <= 0)
 			{
 			BIO_puts(err, "Error setting cipher to PSK\n");
 			ERR_print_errors(err);
 			return 0;
 			}
 		}
 #endif
 	if (!SSL_CONF_CTX_finish(cctx))
 		{
 		BIO_puts(err, "Error finishing context\n");
 		ERR_print_errors(err);
 		return 0;
 		}
 	return 1;
 	}
 static int add_crls_store(X509_STORE *st, STACK_OF(X509_CRL) *crls)
 	{
 	X509_CRL *crl;
 	int i;
 	for (i = 0; i < sk_X509_CRL_num(crls); i++)
 		{
 		crl = sk_X509_CRL_value(crls, i);
 		X509_STORE_add_crl(st, crl);
 		}
 	return 1;
 	}
 int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls, int crl_download)
 	{
 	X509_STORE *st;
 	st = SSL_CTX_get_cert_store(ctx);
 	add_crls_store(st, crls);
 	if (crl_download)
 		store_setup_crl_download(st);
 	return 1;
 	}
 int ssl_load_stores(SSL_CTX *ctx,
 			const char *vfyCApath, const char *vfyCAfile,
 			const char *chCApath, const char *chCAfile,
 			STACK_OF(X509_CRL) *crls, int crl_download)
 	{
 	X509_STORE *vfy = NULL, *ch = NULL;
 	int rv = 0;
 	if (vfyCApath || vfyCAfile)
 		{
 		vfy = X509_STORE_new();
 		if (!X509_STORE_load_locations(vfy, vfyCAfile, vfyCApath))
 			goto err;
 		add_crls_store(vfy, crls);
 		SSL_CTX_set1_verify_cert_store(ctx, vfy);
 		if (crl_download)
 			store_setup_crl_download(vfy);
 		}
 	if (chCApath || chCAfile)
 		{
 		ch = X509_STORE_new();
 		if (!X509_STORE_load_locations(ch, chCAfile, chCApath))
 			goto err;
 		SSL_CTX_set1_chain_cert_store(ctx, ch);
 		}
 	rv = 1;
 	err:
 	if (vfy)
 		X509_STORE_free(vfy);
 	if (ch)
 		X509_STORE_free(ch);
 	return rv;
 	}
--- a/apps/s_client.c
+++ b/apps/s_client.c
@ -193,6 +193,7 @@ typedef unsigned int u_int;
 extern int verify_depth;
 extern int verify_error;
 extern int verify_return_error;
 extern int verify_quiet;
 #ifdef FIONBIO
 static int c_nbio=0;
@ -215,8 +216,10 @@ static void print_stuff(BIO *berr,SSL *con,int full);
 static int ocsp_resp_cb(SSL *s, void *arg);
 #endif
 static BIO *bio_c_out=NULL;
 static BIO *bio_c_msg=NULL;
 static int c_quiet=0;
 static int c_ign_eof=0;
 static int c_brief=0;
 #ifndef OPENSSL_NO_PSK
 /* Default PSK identity and key */
@ -288,8 +291,12 @@ static void sc_usage(void)
 	BIO_printf(bio_err," -host host     - use -connect instead\n");
 	BIO_printf(bio_err," -port port     - use -connect instead\n");
 	BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
 	BIO_printf(bio_err," -checkhost host - check peer certificate matches \"host\"\n");
 	BIO_printf(bio_err," -checkemail email - check peer certificate matches \"email\"\n");
 	BIO_printf(bio_err," -checkip ipaddr - check peer certificate matches \"ipaddr\"\n");
 	BIO_printf(bio_err," -verify arg   - turn on peer certificate verification\n");
 	BIO_printf(bio_err," -verify_return_error - return verification errors\n");
 	BIO_printf(bio_err," -cert arg     - certificate file to use, PEM format assumed\n");
 	BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
 	BIO_printf(bio_err," -key arg      - Private key file to use, in cert file if\n");
@ -300,6 +307,7 @@ static void sc_usage(void)
 	BIO_printf(bio_err," -CAfile arg   - PEM format file of CA's\n");
 	BIO_printf(bio_err," -reconnect    - Drop and re-make the connection with the same Session-ID\n");
 	BIO_printf(bio_err," -pause        - sleep(1) after each read(2) and write(2) system call\n");
 	BIO_printf(bio_err," -prexit       - print session information even on connection failure\n");
 	BIO_printf(bio_err," -showcerts    - show all certificates in the chain\n");
 	BIO_printf(bio_err," -debug        - extra output\n");
 #ifdef WATT32
@ -357,10 +365,12 @@ static void sc_usage(void)
 	BIO_printf(bio_err," -tlsextdebug      - hex dump of all TLS extensions received\n");
 	BIO_printf(bio_err," -status           - request certificate status from server\n");
 	BIO_printf(bio_err," -no_ticket        - disable use of RFC4507bis session tickets\n");
-# if !defined(OPENSSL_NO_NEXTPROTONEG)
+	BIO_printf(bio_err," -serverinfo types - send empty ClientHello extensions (comma-separated numbers)\n");
 #endif
 # ifndef OPENSSL_NO_NEXTPROTONEG
 	BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
 # endif
-#endif
+	BIO_printf(bio_err," -alpn arg         - enable ALPN extension, considering named protocols supported (comma-separated list)\n");
 	BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
 	BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
 	BIO_printf(bio_err," -keymatexport label   - Export keying material using label\n");
@ -536,7 +546,28 @@ static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, con
 	ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
 	return SSL_TLSEXT_ERR_OK;
 	}
-# endif
+# endif  /* ndef OPENSSL_NO_NEXTPROTONEG */
 static int serverinfo_cli_parse_cb(SSL* s, unsigned int ext_type,
 				   const unsigned char* in, size_t inlen, 
 				   int* al, void* arg)
 	{
 	char pem_name[100];
 	unsigned char ext_buf[4 + 65536];
 	/* Reconstruct the type/len fields prior to extension data */
 	ext_buf[0] = ext_type >> 8;
 	ext_buf[1] = ext_type & 0xFF;
 	ext_buf[2] = inlen >> 8;
 	ext_buf[3] = inlen & 0xFF;
 	memcpy(ext_buf+4, in, inlen);
 	BIO_snprintf(pem_name, sizeof(pem_name), "SERVERINFO FOR EXTENSION %d",
 		     ext_type);
 	PEM_write_bio(bio_c_out, pem_name, "", ext_buf, 4 + inlen);
 	return 1;
 	}
 #endif
 enum
@ -553,7 +584,7 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
-	unsigned int off=0, clr=0;
+	int build_chain = 0;
 	SSL *con=NULL;
 #ifndef OPENSSL_NO_KRB5
 	KSSL_CTX *kctx;
@ -566,13 +597,16 @@ int MAIN(int argc, char **argv)
 	short port=PORT;
 	int full_log=1;
 	char *host=SSL_HOST_NAME;
-	char *cert_file=NULL,*key_file=NULL;
+	char *cert_file=NULL,*key_file=NULL,*chain_file=NULL;
 	int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
 	char *passarg = NULL, *pass = NULL;
 	X509 *cert = NULL;
 	EVP_PKEY *key = NULL;
-	char *CApath=NULL,*CAfile=NULL,*cipher=NULL;
+	STACK_OF(X509) *chain = NULL;
-	int reconnect=0,badop=0,verify=SSL_VERIFY_NONE,bugs=0;
+	char *CApath=NULL,*CAfile=NULL;
 	char *chCApath=NULL,*chCAfile=NULL;
 	char *vfyCApath=NULL,*vfyCAfile=NULL;
 	int reconnect=0,badop=0,verify=SSL_VERIFY_NONE;
 	int crlf=0;
 	int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
 	SSL_CTX *ctx=NULL;
@ -606,6 +640,10 @@ int MAIN(int argc, char **argv)
 # ifndef OPENSSL_NO_NEXTPROTONEG
 	const char *next_proto_neg_in = NULL;
 # endif
 	const char *alpn_in = NULL;
 # define MAX_SI_TYPES 100
 	unsigned short serverinfo_types[MAX_SI_TYPES];
 	int serverinfo_types_count = 0;
 #endif
 	char *sess_in = NULL;
 	char *sess_out = NULL;
@ -614,13 +652,25 @@ int MAIN(int argc, char **argv)
 	int enable_timeouts = 0 ;
 	long socket_mtu = 0;
 #ifndef OPENSSL_NO_JPAKE
-	char *jpake_secret = NULL;
+static char *jpake_secret = NULL;
 #define no_jpake !jpake_secret
 #else
 #define no_jpake 1
 #endif
 #ifndef OPENSSL_NO_SRP
 	char * srppass = NULL;
 	int srp_lateuser = 0;
 	SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
 #endif
 	SSL_EXCERT *exc = NULL;
 	SSL_CONF_CTX *cctx = NULL;
 	STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
 	char *crl_file = NULL;
 	int crl_format = FORMAT_PEM;
 	int crl_download = 0;
 	STACK_OF(X509_CRL) *crls = NULL;
 	meth=SSLv23_client_method();
@ -638,6 +688,12 @@ int MAIN(int argc, char **argv)
 	if (!load_config(bio_err, NULL))
 		goto end;
 	cctx = SSL_CONF_CTX_new();
 	if (!cctx)
 		goto end;
 	SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
 	SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CMDLINE);
 	if (	((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
 		((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
 		((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
@ -678,6 +734,7 @@ int MAIN(int argc, char **argv)
 			verify=SSL_VERIFY_PEER;
 			if (--argc < 1) goto bad;
 			verify_depth=atoi(*(++argv));
 			if (!c_quiet)
 				BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
 			}
 		else if	(strcmp(*argv,"-cert") == 0)
@ -685,6 +742,13 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			cert_file= *(++argv);
 			}
 		else if	(strcmp(*argv,"-CRL") == 0)
 			{
 			if (--argc < 1) goto bad;
 			crl_file= *(++argv);
 			}
 		else if	(strcmp(*argv,"-crl_download") == 0)
 			crl_download = 1;
 		else if	(strcmp(*argv,"-sess_out") == 0)
 			{
 			if (--argc < 1) goto bad;
@ -700,6 +764,11 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			cert_format = str2fmt(*(++argv));
 			}
 		else if	(strcmp(*argv,"-CRLform") == 0)
 			{
 			if (--argc < 1) goto bad;
 			crl_format = str2fmt(*(++argv));
 			}
 		else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
 			{
 			if (badarg)
@ -708,6 +777,26 @@ int MAIN(int argc, char **argv)
 			}
 		else if (strcmp(*argv,"-verify_return_error") == 0)
 			verify_return_error = 1;
 		else if (strcmp(*argv,"-verify_quiet") == 0)
 			verify_quiet = 1;
 		else if (strcmp(*argv,"-brief") == 0)
 			{
 			c_brief = 1;
 			verify_quiet = 1;
 			c_quiet = 1;
 			}
 		else if (args_excert(&argv, &argc, &badarg, bio_err, &exc))
 			{
 			if (badarg)
 				goto bad;
 			continue;
 			}
 		else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args))
 			{
 			if (badarg)
 				goto bad;
 			continue;
 			}
 		else if	(strcmp(*argv,"-prexit") == 0)
 			prexit=1;
 		else if	(strcmp(*argv,"-crlf") == 0)
@ -737,6 +826,15 @@ int MAIN(int argc, char **argv)
 #endif
 		else if	(strcmp(*argv,"-msg") == 0)
 			c_msg=1;
 		else if	(strcmp(*argv,"-msgfile") == 0)
 			{
 			if (--argc < 1) goto bad;
 			bio_c_msg = BIO_new_file(*(++argv), "w");
 			}
 #ifndef OPENSSL_NO_SSL_TRACE
 		else if	(strcmp(*argv,"-trace") == 0)
 			c_msg=2;
 #endif
 		else if	(strcmp(*argv,"-showcerts") == 0)
 			c_showcerts=1;
 		else if	(strcmp(*argv,"-nbio_test") == 0)
@ -812,11 +910,21 @@ int MAIN(int argc, char **argv)
 			meth=TLSv1_client_method();
 #endif
 #ifndef OPENSSL_NO_DTLS1
 		else if	(strcmp(*argv,"-dtls") == 0)
 			{
 			meth=DTLS_client_method();
 			socket_type=SOCK_DGRAM;
 			}
 		else if	(strcmp(*argv,"-dtls1") == 0)
 			{
 			meth=DTLSv1_client_method();
 			socket_type=SOCK_DGRAM;
 			}
 		else if	(strcmp(*argv,"-dtls1_2") == 0)
 			{
 			meth=DTLSv1_2_client_method();
 			socket_type=SOCK_DGRAM;
 			}
 		else if (strcmp(*argv,"-timeout") == 0)
 			enable_timeouts=1;
 		else if (strcmp(*argv,"-mtu") == 0)
@ -825,8 +933,6 @@ int MAIN(int argc, char **argv)
 			socket_mtu = atol(*(++argv));
 			}
 #endif
 		else if (strcmp(*argv,"-bugs") == 0)
 			bugs=1;
 		else if	(strcmp(*argv,"-keyform") == 0)
 			{
 			if (--argc < 1) goto bad;
@ -837,6 +943,11 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			passarg = *(++argv);
 			}
 		else if	(strcmp(*argv,"-cert_chain") == 0)
 			{
 			if (--argc < 1) goto bad;
 			chain_file= *(++argv);
 			}
 		else if	(strcmp(*argv,"-key") == 0)
 			{
 			if (--argc < 1) goto bad;
@ -851,26 +962,34 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			CApath= *(++argv);
 			}
 		else if	(strcmp(*argv,"-chainCApath") == 0)
 			{
 			if (--argc < 1) goto bad;
 			chCApath= *(++argv);
 			}
 		else if	(strcmp(*argv,"-verifyCApath") == 0)
 			{
 			if (--argc < 1) goto bad;
 			vfyCApath= *(++argv);
 			}
 		else if	(strcmp(*argv,"-build_chain") == 0)
 			build_chain = 1;
 		else if	(strcmp(*argv,"-CAfile") == 0)
 			{
 			if (--argc < 1) goto bad;
 			CAfile= *(++argv);
 			}
-		else if (strcmp(*argv,"-no_tls1_2") == 0)
+		else if	(strcmp(*argv,"-chainCAfile") == 0)
-			off|=SSL_OP_NO_TLSv1_2;
+			{
-		else if (strcmp(*argv,"-no_tls1_1") == 0)
+			if (--argc < 1) goto bad;
-			off|=SSL_OP_NO_TLSv1_1;
+			chCAfile= *(++argv);
-		else if (strcmp(*argv,"-no_tls1") == 0)
+			}
-			off|=SSL_OP_NO_TLSv1;
+		else if	(strcmp(*argv,"-verifyCAfile") == 0)
-		else if (strcmp(*argv,"-no_ssl3") == 0)
+			{
-			off|=SSL_OP_NO_SSLv3;
+			if (--argc < 1) goto bad;
-		else if (strcmp(*argv,"-no_ssl2") == 0)
+			vfyCAfile= *(++argv);
-			off|=SSL_OP_NO_SSLv2;
+			}
 		else if	(strcmp(*argv,"-no_comp") == 0)
 			{ off|=SSL_OP_NO_COMPRESSION; }
 #ifndef OPENSSL_NO_TLSEXT
 		else if	(strcmp(*argv,"-no_ticket") == 0)
 			{ off|=SSL_OP_NO_TICKET; }
 # ifndef OPENSSL_NO_NEXTPROTONEG
 		else if (strcmp(*argv,"-nextprotoneg") == 0)
 			{
@ -878,20 +997,35 @@ int MAIN(int argc, char **argv)
 			next_proto_neg_in = *(++argv);
 			}
 # endif
-#endif
+		else if (strcmp(*argv,"-alpn") == 0)
 		else if (strcmp(*argv,"-serverpref") == 0)
 			off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
 		else if (strcmp(*argv,"-legacy_renegotiation") == 0)
 			off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
 		else if	(strcmp(*argv,"-legacy_server_connect") == 0)
 			{ off|=SSL_OP_LEGACY_SERVER_CONNECT; }
 		else if	(strcmp(*argv,"-no_legacy_server_connect") == 0)
 			{ clr|=SSL_OP_LEGACY_SERVER_CONNECT; }
 		else if	(strcmp(*argv,"-cipher") == 0)
 			{
 			if (--argc < 1) goto bad;
-			cipher= *(++argv);
+			alpn_in = *(++argv);
 			}
 		else if (strcmp(*argv,"-serverinfo") == 0)
 			{
 			char *c;
 			int start = 0;
 			int len;
 			if (--argc < 1) goto bad;
 			c = *(++argv);
 			serverinfo_types_count = 0;
 			len = strlen(c);
 			for (i = 0; i <= len; ++i)
 				{
 				if (i == len || c[i] == ',')
 					{
 					serverinfo_types[serverinfo_types_count]
 					    = atoi(c+start);
 					serverinfo_types_count++;
 					start = i+1;
 					}
 				if (serverinfo_types_count == MAX_SI_TYPES)
 					break;
 				}
 			}
 #endif
 #ifdef FIONBIO
 		else if (strcmp(*argv,"-nbio") == 0)
 			{ c_nbio=1; }
@ -987,12 +1121,6 @@ bad:
 			goto end;
 			}
 		psk_identity = "JPAKE";
 		if (cipher)
 			{
 			BIO_printf(bio_err, "JPAKE sets cipher to PSK\n");
 			goto end;
 			}
 		cipher = "PSK";
 		}
 #endif
@ -1065,6 +1193,37 @@ bad:
 			}
 		}
 	if (chain_file)
 		{
 		chain = load_certs(bio_err, chain_file,FORMAT_PEM,
 					NULL, e, "client certificate chain");
 		if (!chain)
 			goto end;
 		}
 	if (crl_file)
 		{
 		X509_CRL *crl;
 		crl = load_crl(crl_file, crl_format);
 		if (!crl)
 			{
 			BIO_puts(bio_err, "Error loading CRL\n");
 			ERR_print_errors(bio_err);
 			goto end;
 			}
 		crls = sk_X509_CRL_new_null();
 		if (!crls || !sk_X509_CRL_push(crls, crl))
 			{
 			BIO_puts(bio_err, "Error adding CRL\n");
 			ERR_print_errors(bio_err);
 			X509_CRL_free(crl);
 			goto end;
 			}
 		}
 	if (!load_excert(&exc, bio_err))
 		goto end;
 	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
 		&& !RAND_status())
 		{
@ -1076,9 +1235,11 @@ bad:
 	if (bio_c_out == NULL)
 		{
-		if (c_quiet && !c_debug && !c_msg)
+		if (c_quiet && !c_debug)
 			{
 			bio_c_out=BIO_new(BIO_s_null());
 			if (c_msg && !bio_c_msg)
 				bio_c_msg=BIO_new_fp(stdout,BIO_NOCLOSE);
 			}
 		else
 			{
@ -1105,6 +1266,20 @@ bad:
 	if (vpm)
 		SSL_CTX_set1_param(ctx, vpm);
 	if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, 1, no_jpake))
 		{
 		ERR_print_errors(bio_err);
 		goto end;
 		}
 	if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
 						crls, crl_download))
 		{
 		BIO_printf(bio_err, "Error loading store locations\n");
 		ERR_print_errors(bio_err);
 		goto end;
 		}
 #ifndef OPENSSL_NO_ENGINE
 	if (ssl_client_engine)
 		{
@ -1133,38 +1308,49 @@ bad:
 	if (srtp_profiles != NULL)
 		SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
 #endif
-	if (bugs)
+	if (exc) ssl_ctx_set_excert(ctx, exc);
 		SSL_CTX_set_options(ctx,SSL_OP_ALL|off);
 	else
 		SSL_CTX_set_options(ctx,off);
 	if (clr)
 		SSL_CTX_clear_options(ctx, clr);
 	/* DTLS: partial reads end up discarding unread UDP bytes :-( 
 	 * Setting read ahead solves this problem.
 	 */
 	if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
-#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+#if !defined(OPENSSL_NO_TLSEXT)
 # if !defined(OPENSSL_NO_NEXTPROTONEG)
 	if (next_proto.data)
 		SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
 # endif
 	if (alpn_in)
 		{
 		unsigned short alpn_len;
 		unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in);
-	if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
+		if (alpn == NULL)
-	if (cipher != NULL)
+			{
-		if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
+			BIO_printf(bio_err, "Error parsing -alpn argument\n");
 		BIO_printf(bio_err,"error setting cipher list\n");
 		ERR_print_errors(bio_err);
 			goto end;
 			}
 		SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len);
 		OPENSSL_free(alpn);
 		}
 #endif
 #ifndef OPENSSL_NO_TLSEXT
 		for (i = 0; i < serverinfo_types_count; i++)
 			{
 			SSL_CTX_add_client_custom_ext(ctx,
 						      serverinfo_types[i],
 						      NULL, NULL, NULL,
 						      serverinfo_cli_parse_cb,
 						      NULL);
 			}
 #endif
 	if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
 #if 0
 	else
 		SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
 #endif
 	SSL_CTX_set_verify(ctx,verify,verify_callback);
 	if (!set_cert_key_stuff(ctx,cert,key))
 		goto end;
 	if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
 		(!SSL_CTX_set_default_verify_paths(ctx)))
@ -1174,6 +1360,10 @@ bad:
 		/* goto end; */
 		}
 	ssl_ctx_add_crls(ctx, crls, crl_download);
 	if (!set_cert_key_stuff(ctx,cert,key,chain,build_chain))
 		goto end;
 #ifndef OPENSSL_NO_TLSEXT
 	if (servername != NULL)
 		{
@ -1274,7 +1464,7 @@ re_start:
 #endif                                              
 	if (c_Pause & 0x01) SSL_set_debug(con, 1);
-	if ( SSL_version(con) == DTLS1_VERSION)
+	if (socket_type == SOCK_DGRAM)
 		{
 		sbio=BIO_new_dgram(s,BIO_NOCLOSE);
@ -1327,8 +1517,13 @@ re_start:
 		}
 	if (c_msg)
 		{
 #ifndef OPENSSL_NO_SSL_TRACE
 		if (c_msg == 2)
 			SSL_set_msg_callback(con, SSL_trace);
 		else
 #endif
 			SSL_set_msg_callback(con, msg_cb);
-		SSL_set_msg_callback_arg(con, bio_c_out);
+		SSL_set_msg_callback_arg(con, bio_c_msg ? bio_c_msg : bio_c_out);
 		}
 #ifndef OPENSSL_NO_TLSEXT
 	if (c_tlsextdebug)
@ -1528,6 +1723,13 @@ SSL_set_tlsext_status_ids(con, ids);
 					else 
 						BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
 					}
 				if (c_brief)
 					{
 					BIO_puts(bio_err,
 						"CONNECTION ESTABLISHED\n");
 					print_ssl_summary(bio_err, con);
 					}
 				print_stuff(bio_c_out,con,full_log);
 				if (full_log > 0) full_log--;
@ -1790,6 +1992,9 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240
 				break;
 			case SSL_ERROR_SYSCALL:
 				ret=get_last_socket_error();
 				if (c_brief)
 					BIO_puts(bio_err, "CONNECTION CLOSED BY SERVER\n");
 				else
 					BIO_printf(bio_err,"read:errno=%d\n",ret);
 				goto shut;
 			case SSL_ERROR_ZERO_RETURN:
@ -1890,13 +2095,32 @@ end:
 			print_stuff(bio_c_out,con,1);
 		SSL_free(con);
 		}
 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
 	if (next_proto.data)
 		OPENSSL_free(next_proto.data);
 #endif
 	if (ctx != NULL) SSL_CTX_free(ctx);
 	if (cert)
 		X509_free(cert);
 	if (crls)
 		sk_X509_CRL_pop_free(crls, X509_CRL_free);
 	if (key)
 		EVP_PKEY_free(key);
 	if (chain)
 		sk_X509_pop_free(chain, X509_free);
 	if (pass)
 		OPENSSL_free(pass);
 	if (vpm)
 		X509_VERIFY_PARAM_free(vpm);
 	ssl_excert_free(exc);
 	if (ssl_args)
 		sk_OPENSSL_STRING_free(ssl_args);
 	if (cctx)
 		SSL_CONF_CTX_free(cctx);
 #ifndef OPENSSL_NO_JPAKE
 	if (jpake_secret && psk_key)
 		OPENSSL_free(psk_key);
 #endif
 	if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
 	if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
 	if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
@ -1905,6 +2129,11 @@ end:
 		BIO_free(bio_c_out);
 		bio_c_out=NULL;
 		}
 	if (bio_c_msg != NULL)
 		{
 		BIO_free(bio_c_msg);
 		bio_c_msg=NULL;
 		}
 	apps_shutdown();
 	OPENSSL_EXIT(ret);
 	}
@ -2011,6 +2240,9 @@ static void print_stuff(BIO *bio, SSL *s, int full)
 			BIO_write(bio,"\n",1);
 			}
 		ssl_print_sigalgs(bio, s);
 		ssl_print_tmp_key(bio, s);
 		BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
 			BIO_number_read(SSL_get_rbio(s)),
 			BIO_number_written(SSL_get_wbio(s)));
@ -2050,7 +2282,8 @@ static void print_stuff(BIO *bio, SSL *s, int full)
 	}
 #endif
-#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+#if !defined(OPENSSL_NO_TLSEXT)
 # if !defined(OPENSSL_NO_NEXTPROTONEG)
 	if (next_proto.status != -1) {
 		const unsigned char *proto;
 		unsigned int proto_len;
@ -2060,6 +2293,20 @@ static void print_stuff(BIO *bio, SSL *s, int full)
 		BIO_write(bio, "\n", 1);
 	}
 # endif
 	{
 		const unsigned char *proto;
 		unsigned int proto_len;
 		SSL_get0_alpn_selected(s, &proto, &proto_len);
 		if (proto_len > 0)
 			{
 			BIO_printf(bio, "ALPN protocol: ");
 			BIO_write(bio, proto, proto_len);
 			BIO_write(bio, "\n", 1);
 			}
 		else
 			BIO_printf(bio, "No ALPN negotiated\n");
 	}
 #endif
 	{
 	SRTP_PROTECTION_PROFILE *srtp_profile=SSL_get_selected_srtp_profile(s);
--- a/apps/s_server.c
+++ b/apps/s_server.c
--- a/apps/s_socket.c
+++ b/apps/s_socket.c
@ -274,7 +274,7 @@ static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
 		{
 		i=0;
 		i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
-		if (i < 0) { perror("keepalive"); return(0); }
+		if (i < 0) { closesocket(s); perror("keepalive"); return(0); }
 		}
 #endif
@ -284,7 +284,7 @@ static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
 	return(1);
 	}
-int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context)
+int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, int stype, unsigned char *context), unsigned char *context, int naccept)
 	{
 	int sock;
 	char *name = NULL;
@ -310,11 +310,13 @@ int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, uns
 			}
 		else
 			sock = accept_socket;
-		i=(*cb)(name,sock, context);
+		i=(*cb)(name,sock, type, context);
 		if (name != NULL) OPENSSL_free(name);
 		if (type==SOCK_STREAM)
 			SHUTDOWN2(sock);
-		if (i < 0)
+		if (naccept != -1)
 			naccept--;
 		if (i < 0 || naccept == 0)
 			{
 			SHUTDOWN2(accept_socket);
 			return(i);
@ -450,6 +452,7 @@ redoit:
 		if ((*host=(char *)OPENSSL_malloc(strlen(h1->h_name)+1)) == NULL)
 			{
 			perror("OPENSSL_malloc");
 			closesocket(ret);
 			return(0);
 			}
 		BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1);
@ -458,11 +461,13 @@ redoit:
 		if (h2 == NULL)
 			{
 			BIO_printf(bio_err,"gethostbyname failure\n");
 			closesocket(ret);
 			return(0);
 			}
 		if (h2->h_addrtype != AF_INET)
 			{
 			BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
 			closesocket(ret);
 			return(0);
 			}
 		}
--- a/apps/smime.c
+++ b/apps/smime.c
@ -541,8 +541,8 @@ int MAIN(int argc, char **argv)
 		{
 		if (!cipher)
 			{
-#ifndef OPENSSL_NO_RC2			
+#ifndef OPENSSL_NO_DES			
-			cipher = EVP_rc2_40_cbc();
+			cipher = EVP_des_ede3_cbc();
 #else
 			BIO_printf(bio_err, "No cipher selected\n");
 			goto end;
@ -704,6 +704,14 @@ int MAIN(int argc, char **argv)
 			p7 = PKCS7_sign(NULL, NULL, other, in, flags);
 			if (!p7)
 				goto end;
 			if (flags & PKCS7_NOCERTS)
 				{
 				for (i = 0; i < sk_X509_num(other); i++)
 					{
 					X509 *x = sk_X509_value(other, i);
 					PKCS7_add_certificate(p7, x);
 					}
 				}
 			}
 		else
 			flags |= PKCS7_REUSE_DIGEST;
--- a/apps/speed.c
+++ b/apps/speed.c
@ -357,6 +357,7 @@ static void *KDF1_SHA1(const void *in, size_t inlen, void *out, size_t *outlen)
 	}
 #endif	/* OPENSSL_NO_ECDH */
 static void multiblock_speed(const EVP_CIPHER *evp_cipher);
 int MAIN(int, char **);
@ -629,6 +630,7 @@ int MAIN(int argc, char **argv)
 #ifndef NO_FORK
 	int multi=0;
 #endif
 	int multiblock=0;
 #ifndef TIMES
 	usertime=-1;
@ -777,6 +779,11 @@ int MAIN(int argc, char **argv)
 			j--;	/* Otherwise, -mr gets confused with
 				   an algorithm. */
 			}
 		else if (argc > 0 && !strcmp(*argv,"-mb"))
 			{
 			multiblock=1;
 			j--;
 			}
 		else
 #ifndef OPENSSL_NO_MD2
 		if	(strcmp(*argv,"md2") == 0) doit[D_MD2]=1;
@ -1949,6 +1956,19 @@ int MAIN(int argc, char **argv)
 	if (doit[D_EVP])
 		{
 #ifdef EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK
 		if (multiblock && evp_cipher)
 			{
 			if (!(EVP_CIPHER_flags(evp_cipher)&EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK))
 				{
 				fprintf(stderr,"%s is not multi-block capable\n",OBJ_nid2ln(evp_cipher->nid));
 				goto end;
 				}
 			multiblock_speed(evp_cipher);
 			mret=0;
 			goto end;
 			}
 #endif
 		for (j=0; j<SIZE_NUM; j++)
 			{
 			if (evp_cipher)
@ -2839,4 +2859,109 @@ static int do_multi(int multi)
 	return 1;
 	}
 #endif
 static void multiblock_speed(const EVP_CIPHER *evp_cipher)
 	{
 	static int mblengths[]={8*1024,2*8*1024,4*8*1024,8*8*1024,8*16*1024};
 	int j,count,num=sizeof(lengths)/sizeof(lengths[0]);
 	const char *alg_name;
 	unsigned char *inp,*out,no_key[32],no_iv[16];
 	EVP_CIPHER_CTX ctx;
 	double d=0.0;
 	inp = OPENSSL_malloc(mblengths[num-1]);
 	out = OPENSSL_malloc(mblengths[num-1]+1024);
 	EVP_CIPHER_CTX_init(&ctx);
 	EVP_EncryptInit_ex(&ctx,evp_cipher,NULL,no_key,no_iv);
 	EVP_CIPHER_CTX_ctrl(&ctx,EVP_CTRL_AEAD_SET_MAC_KEY,sizeof(no_key),no_key);
 	alg_name=OBJ_nid2ln(evp_cipher->nid);
 	for (j=0; j<num; j++)
 		{
 		print_message(alg_name,0,mblengths[j]);
 		Time_F(START);
 		for (count=0,run=1; run && count<0x7fffffff; count++)
 			{
 			unsigned char aad[13];
 			EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param;
 			size_t len = mblengths[j];
 			int packlen;
 			memset(aad,0,8);/* avoid uninitialized values */
 			aad[8] = 23;	/* SSL3_RT_APPLICATION_DATA */
 			aad[9] = 3;	/* version */
 			aad[10] = 2;
 			aad[11] = 0;	/* length */
 			aad[12] = 0;
 			mb_param.out = NULL;
 			mb_param.inp = aad;
 			mb_param.len = len;
 			mb_param.interleave = 8;
 			packlen=EVP_CIPHER_CTX_ctrl(&ctx,
 					EVP_CTRL_TLS1_1_MULTIBLOCK_AAD,
 					sizeof(mb_param),&mb_param);
 			if (packlen>0)
 				{
 				mb_param.out = out;
 				mb_param.inp = inp;
 				mb_param.len = len;
 				EVP_CIPHER_CTX_ctrl(&ctx,
 					EVP_CTRL_TLS1_1_MULTIBLOCK_ENCRYPT,
 					sizeof(mb_param),&mb_param);
 				}
 			else
 				{
 				int pad;
 				RAND_bytes(out,16);
 				len+=16;
 				aad[11] = len>>8;
 				aad[12] = len;
 				pad=EVP_CIPHER_CTX_ctrl(&ctx,
 					EVP_CTRL_AEAD_TLS1_AAD,13,aad);
 				EVP_Cipher(&ctx,out,inp,len+pad);
 				}
 			}
 		d=Time_F(STOP);
 		BIO_printf(bio_err,mr ? "+R:%d:%s:%f\n"
 			: "%d %s's in %.2fs\n",count,"evp",d);
 		results[D_EVP][j]=((double)count)/d*mblengths[j];
 		}
 	if (mr)
 		{
 		fprintf(stdout,"+H");
 		for (j=0; j<num; j++)
 			fprintf(stdout,":%d",mblengths[j]);
 		fprintf(stdout,"\n");
 		fprintf(stdout,"+F:%d:%s",D_EVP,alg_name);
 		for (j=0; j<num; j++)
 			fprintf(stdout,":%.2f",results[D_EVP][j]);
 		fprintf(stdout,"\n");
 		}
 	else
 		{
 		fprintf(stdout,"The 'numbers' are in 1000s of bytes per second processed.\n"); 
 		fprintf(stdout,"type                    ");
 		for (j=0;  j<num; j++)
 			fprintf(stdout,"%7d bytes",mblengths[j]);
 		fprintf(stdout,"\n");
 		fprintf(stdout,"%-24s",alg_name);
 		for (j=0; j<num; j++)
 			{
 			if (results[D_EVP][j] > 10000)
 				fprintf(stdout," %11.2fk",results[D_EVP][j]/1e3);
 			else
 				fprintf(stdout," %11.2f ",results[D_EVP][j]);
 			}
 		fprintf(stdout,"\n");
 		}
 	OPENSSL_free(inp);
 	OPENSSL_free(out);
 	}
 #endif
--- a/apps/srp.c
+++ b/apps/srp.c
@ -125,13 +125,13 @@ static int get_index(CA_DB *db, char* id, char type)
 	if (type == DB_SRP_INDEX) 
 	for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++)
 		{
-		pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, i);
+		pp = sk_OPENSSL_PSTRING_value(db->db->data,i);
 		if (pp[DB_srptype][0] == DB_SRP_INDEX  && !strcmp(id,pp[DB_srpid])) 
 			return i;
 		}
 	else for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++)
 		{
-		pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, i);
+		pp = sk_OPENSSL_PSTRING_value(db->db->data,i);
 		if (pp[DB_srptype][0] != DB_SRP_INDEX && !strcmp(id,pp[DB_srpid])) 
 			return i;
@ -145,7 +145,7 @@ static void print_entry(CA_DB *db, BIO *bio, int indx, int verbose, char *s)
 	if (indx >= 0 && verbose)
 		{
 		int j;
-		char **pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, indx);
+		char **pp = sk_OPENSSL_PSTRING_value(db->db->data, indx);
 		BIO_printf(bio, "%s \"%s\"\n", s, pp[DB_srpid]);
 		for (j = 0; j < DB_NUMBER; j++)
 			{
@ -163,7 +163,7 @@ static void print_user(CA_DB *db, BIO *bio, int userindex, int verbose)
 	{
 	if (verbose > 0)
 		{
-		char **pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex);
+		char **pp = sk_OPENSSL_PSTRING_value(db->db->data,userindex);
 		if (pp[DB_srptype][0] != 'I')
 			{
@ -517,7 +517,7 @@ bad:
 	/* Lets check some fields */
 	for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++)
 		{
-		pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, i);
+		pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
 		if (pp[DB_srptype][0] == DB_SRP_INDEX)
 			{
@ -533,7 +533,7 @@ bad:
 	if (gNindex >= 0)
 		{
-		gNrow = (char **)sk_OPENSSL_PSTRING_value(db->db->data, gNindex);
+		gNrow = sk_OPENSSL_PSTRING_value(db->db->data,gNindex);
 		print_entry(db, bio_err, gNindex, verbose > 1, "Default g and N");
 		}
 	else if (maxgN > 0 && !SRP_get_default_gN(gN))
@ -587,7 +587,7 @@ bad:
 			if (userindex >= 0)
 				{
 				/* reactivation of a new user */
-				char **row = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex);
+				char **row = sk_OPENSSL_PSTRING_value(db->db->data, userindex);
 				BIO_printf(bio_err, "user \"%s\" reactivated.\n", user);
 				row[DB_srptype][0] = 'V';
@ -634,7 +634,7 @@ bad:
 			else
 				{
-				char **row = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex);
+				char **row = sk_OPENSSL_PSTRING_value(db->db->data, userindex);
 				char type = row[DB_srptype][0];
 				if (type == 'v')
 					{
@ -689,7 +689,7 @@ bad:
 				}
 			else
 				{
-				char **xpp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex);
+				char **xpp = sk_OPENSSL_PSTRING_value(db->db->data,userindex);
 				BIO_printf(bio_err, "user \"%s\" revoked. t\n", user);
 				xpp[DB_srptype][0] = 'R';
@ -714,7 +714,7 @@ bad:
 		/* Lets check some fields */
 		for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++)
 			{
-			pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, i);
+			pp = sk_OPENSSL_PSTRING_value(db->db->data,i);
 			if (pp[DB_srptype][0] == 'v')
 				{
--- a/apps/verify.c
+++ b/apps/verify.c
@ -88,6 +88,7 @@ int MAIN(int argc, char **argv)
 	X509_STORE *cert_ctx=NULL;
 	X509_LOOKUP *lookup=NULL;
 	X509_VERIFY_PARAM *vpm = NULL;
 	int crl_download = 0;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine=NULL;
 #endif
@ -145,6 +146,8 @@ int MAIN(int argc, char **argv)
 				if (argc-- < 1) goto end;
 				crlfile= *(++argv);
 				}
 			else if (strcmp(*argv,"-crl_download") == 0)
 				crl_download = 1;
 #ifndef OPENSSL_NO_ENGINE
 			else if (strcmp(*argv,"-engine") == 0)
 				{
@ -222,11 +225,22 @@ int MAIN(int argc, char **argv)
 			goto end;
 		}
 	if (argc < 1) check(cert_ctx, NULL, untrusted, trusted, crls, e);
 	else
 		for (i=0; i<argc; i++)
 			check(cert_ctx,argv[i], untrusted, trusted, crls, e);
 	ret = 0;
 	if (crl_download)
 		store_setup_crl_download(cert_ctx);
 	if (argc < 1)
 		{ 
 		if (1 != check(cert_ctx, NULL, untrusted, trusted, crls, e))
 			ret = -1;
 		}
 	else
 		{
 		for (i=0; i<argc; i++)
 			if (1 != check(cert_ctx,argv[i], untrusted, trusted, crls, e))
 				ret = -1;
 		}
 end:
 	if (ret == 1) {
 		BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
@ -235,11 +249,14 @@ end:
 		BIO_printf(bio_err," [-engine e]");
 #endif
 		BIO_printf(bio_err," cert1 cert2 ...\n");
 		BIO_printf(bio_err,"recognized usages:\n");
-		for(i = 0; i < X509_PURPOSE_get_count(); i++) {
+		for(i = 0; i < X509_PURPOSE_get_count(); i++)
 			{
 			X509_PURPOSE *ptmp;
 			ptmp = X509_PURPOSE_get0(i);
-			BIO_printf(bio_err, "\t%-10s\t%s\n", X509_PURPOSE_get0_sname(ptmp),
+			BIO_printf(bio_err, "\t%-10s\t%s\n",
 				   X509_PURPOSE_get0_sname(ptmp),
 				   X509_PURPOSE_get0_name(ptmp));
 			}
 	}
@ -249,7 +266,7 @@ end:
 	sk_X509_pop_free(trusted, X509_free);
 	sk_X509_CRL_pop_free(crls, X509_CRL_free);
 	apps_shutdown();
-	OPENSSL_EXIT(ret);
+	OPENSSL_EXIT(ret < 0 ? 2 : ret);
 	}
 static int check(X509_STORE *ctx, char *file,
--- a/apps/x509.c
+++ b/apps/x509.c
@ -150,6 +150,9 @@ static const char *x509_usage[]={
 " -engine e       - use engine e, possibly a hardware device.\n",
 #endif
 " -certopt arg    - various certificate text options\n",
 " -checkhost host - check certificate matches \"host\"\n",
 " -checkemail email - check certificate matches \"email\"\n",
 " -checkip ipaddr - check certificate matches \"ipaddr\"\n",
 NULL
 };
@ -163,6 +166,9 @@ static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD *digest,
 			 CONF *conf, char *section, ASN1_INTEGER *sno);
 static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
 static int reqfile=0;
 #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
 static int force_version=2;
 #endif
 int MAIN(int, char **);
@ -174,15 +180,16 @@ int MAIN(int argc, char **argv)
 	X509 *x=NULL,*xca=NULL;
 	ASN1_OBJECT *objtmp;
 	STACK_OF(OPENSSL_STRING) *sigopts = NULL;
-	EVP_PKEY *Upkey=NULL,*CApkey=NULL;
+	EVP_PKEY *Upkey=NULL,*CApkey=NULL, *fkey = NULL;
 	ASN1_INTEGER *sno = NULL;
-	int i,num,badops=0;
+	int i,num,badops=0, badsig=0;
 	BIO *out=NULL;
 	BIO *STDout=NULL;
 	STACK_OF(ASN1_OBJECT) *trust = NULL, *reject = NULL;
 	int informat,outformat,keyformat,CAformat,CAkeyformat;
 	char *infile=NULL,*outfile=NULL,*keyfile=NULL,*CAfile=NULL;
 	char *CAkeyfile=NULL,*CAserial=NULL;
 	char *fkeyfile=NULL;
 	char *alias=NULL;
 	int text=0,serial=0,subject=0,issuer=0,startdate=0,enddate=0;
 	int next_serial=0;
@ -207,6 +214,9 @@ int MAIN(int argc, char **argv)
 	int need_rand = 0;
 	int checkend=0,checkoffset=0;
 	unsigned long nmflag = 0, certflag = 0;
 	char *checkhost = NULL;
 	char *checkemail = NULL;
 	char *checkip = NULL;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine=NULL;
 #endif
@ -282,13 +292,20 @@ int MAIN(int argc, char **argv)
 			if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
 				goto bad;
 			}
 #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
 		else if (strcmp(*argv,"-force_version") == 0)
 			{
 			if (--argc < 1) goto bad;
 			force_version=atoi(*(++argv)) - 1;
 			}
 #endif
 		else if (strcmp(*argv,"-days") == 0)
 			{
 			if (--argc < 1) goto bad;
 			days=atoi(*(++argv));
 			if (days == 0)
 				{
-				BIO_printf(STDout,"bad number of days\n");
+				BIO_printf(bio_err,"bad number of days\n");
 				goto bad;
 				}
 			}
@ -347,6 +364,11 @@ int MAIN(int argc, char **argv)
 			if (!(sno = s2i_ASN1_INTEGER(NULL, *(++argv))))
 				goto bad;
 			}
 		else if (strcmp(*argv,"-force_pubkey") == 0)
 			{
 			if (--argc < 1) goto bad;
 			fkeyfile= *(++argv);
 			}
 		else if (strcmp(*argv,"-addtrust") == 0)
 			{
 			if (--argc < 1) goto bad;
@ -450,6 +472,21 @@ int MAIN(int argc, char **argv)
 			checkoffset=atoi(*(++argv));
 			checkend=1;
 			}
 		else if (strcmp(*argv,"-checkhost") == 0)
 			{
 			if (--argc < 1) goto bad;
 			checkhost=*(++argv);
 			}
 		else if (strcmp(*argv,"-checkemail") == 0)
 			{
 			if (--argc < 1) goto bad;
 			checkemail=*(++argv);
 			}
 		else if (strcmp(*argv,"-checkip") == 0)
 			{
 			if (--argc < 1) goto bad;
 			checkip=*(++argv);
 			}
 		else if (strcmp(*argv,"-noout") == 0)
 			noout= ++num;
 		else if (strcmp(*argv,"-trustout") == 0)
@ -473,6 +510,8 @@ int MAIN(int argc, char **argv)
 #endif
 		else if (strcmp(*argv,"-ocspid") == 0)
 			ocspid= ++num;
 		else if (strcmp(*argv,"-badsig") == 0)
 			badsig = 1;
 		else if ((md_alg=EVP_get_digestbyname(*argv + 1)))
 			{
 			/* ok */
@ -517,6 +556,13 @@ bad:
 		goto end;
 		}
 	if (fkeyfile)
 		{
 		fkey = load_pubkey(bio_err, fkeyfile, keyformat, 0,
 						NULL, e, "Forced key");
 		if (fkey == NULL) goto end;
 		}
 	if ((CAkeyfile == NULL) && (CA_flag) && (CAformat == FORMAT_PEM))
 		{ CAkeyfile=CAfile; }
 	else if ((CA_flag) && (CAkeyfile == NULL))
@ -653,11 +699,15 @@ bad:
 		X509_gmtime_adj(X509_get_notBefore(x),0);
 	        X509_time_adj_ex(X509_get_notAfter(x),days, 0, NULL);
-
+		if (fkey)
 			X509_set_pubkey(x, fkey);
 		else
 			{
 			pkey = X509_REQ_get_pubkey(req);
 			X509_set_pubkey(x,pkey);
 			EVP_PKEY_free(pkey);
 			}
 		}
 	else
 		x=load_cert(bio_err,infile,informat,NULL,e,"Certificate");
@ -912,7 +962,7 @@ bad:
 				}
 			else if (text == i)
 				{
-				X509_print_ex(out,x,nmflag, certflag);
+				X509_print_ex(STDout,x,nmflag, certflag);
 				}
 			else if (startdate == i)
 				{
@ -1044,12 +1094,17 @@ bad:
 		goto end;
 		}
 	print_cert_checks(STDout, x, checkhost, checkemail, checkip);
 	if (noout)
 		{
 		ret=0;
 		goto end;
 		}
 	if (badsig)
 		x->signature->data[x->signature->length - 1] ^= 0x1;
 	if 	(outformat == FORMAT_ASN1)
 		i=i2d_X509_bio(out,x);
 	else if (outformat == FORMAT_PEM)
@ -1093,6 +1148,7 @@ end:
 	X509_free(xca);
 	EVP_PKEY_free(Upkey);
 	EVP_PKEY_free(CApkey);
 	EVP_PKEY_free(fkey);
 	if (sigopts)
 		sk_OPENSSL_STRING_free(sigopts);
 	X509_REQ_free(rq);
@ -1202,7 +1258,11 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
 	if (conf)
 		{
 		X509V3_CTX ctx2;
 #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
 		X509_set_version(x, force_version);
 #else
 		X509_set_version(x,2); /* version 3 certificate */
 #endif
                X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0);
                X509V3_set_nconf(&ctx2, conf);
                if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x)) goto end;
@ -1280,7 +1340,11 @@ static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const EVP_MD *dig
 	if (conf)
 		{
 		X509V3_CTX ctx;
 #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
 		X509_set_version(x, force_version);
 #else
 		X509_set_version(x,2); /* version 3 certificate */
 #endif
                X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0);
                X509V3_set_nconf(&ctx, conf);
                if (!X509V3_EXT_add_nconf(conf, &ctx, section, x)) goto err;
--- a/21
+++ b/21
@ -587,15 +587,33 @@ case "$GUESSOS" in
 	fi
 	;;
  ppc64-*-linux2)
 	if [ -z "$KERNEL_BITS" ]; then
 	    echo "WARNING! If you wish to build 64-bit library, then you have to"
 	    echo "         invoke './Configure linux-ppc64' *manually*."
 	    if [ "$TEST" = "false" -a -t 1 ]; then
 		echo "         You have about 5 seconds to press Ctrl-C to abort."
 		(trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
 	    fi
 	fi
 	if [ "$KERNEL_BITS" = "64" ]; then
 	    OUT="linux-ppc64"
 	else
 	    OUT="linux-ppc"
 	    (echo "__LP64__" | gcc -E -x c - 2>/dev/null | grep "^__LP64__" 2>&1 > /dev/null) || options="$options -m32"
 	fi
 	;;
  ppc64le-*-linux2) OUT="linux-ppc64le" ;;
  ppc-*-linux2) OUT="linux-ppc" ;;
  mips64*-*-linux2)
 	echo "WARNING! If you wish to build 64-bit library, then you have to"
 	echo "         invoke './Configure linux64-mips64' *manually*."
 	if [ "$TEST" = "false" -a -t 1 ]; then
 	    echo "         You have about 5 seconds to press Ctrl-C to abort."
 	    (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
 	fi
 	OUT="linux-mips64"
 	;;
  mips*-*-linux2) OUT="linux-mips32" ;;
  ppc60x-*-vxworks*) OUT="vxworks-ppc60x" ;;
  ppcgen-*-vxworks*) OUT="vxworks-ppcgen" ;;
  pentium-*-vxworks*) OUT="vxworks-pentium" ;;
@ -644,6 +662,7 @@ case "$GUESSOS" in
  armv[1-3]*-*-linux2) OUT="linux-generic32" ;;
  armv[7-9]*-*-linux2) OUT="linux-armv4"; options="$options -march=armv7-a" ;;
  arm*-*-linux2) OUT="linux-armv4" ;;
  aarch64-*-linux2) OUT="linux-aarch64" ;;
  sh*b-*-linux2) OUT="linux-generic32"; options="$options -DB_ENDIAN" ;;
  sh*-*-linux2)  OUT="linux-generic32"; options="$options -DL_ENDIAN" ;;
  m68k*-*-linux2) OUT="linux-generic32"; options="$options -DB_ENDIAN" ;;
@ -739,7 +758,7 @@ case "$GUESSOS" in
 			    libc=/usr/lib/libc.so
 			else					# OpenBSD
 			    # ld searches for highest libc.so.* and so do we
-			    libc=`(ls /usr/lib/libc.so.* | tail -1) 2>/dev/null`
+			    libc=`(ls /usr/lib/libc.so.* /lib/libc.so.* | tail -1) 2>/dev/null`
 			fi
 			case "`(file -L $libc) 2>/dev/null`" in
 			*ELF*)	OUT="BSD-x86-elf" ;;
--- a/crypto/LPdir_vms.c
+++ b/crypto/LPdir_vms.c
@ -1,4 +1,3 @@
 /* $LP: LPlib/source/LPdir_vms.c,v 1.20 2004/08/26 13:36:05 _cvs_levitte Exp $ */
 /*
 * Copyright (c) 2004, Richard Levitte <richard@levitte.org>
 * All rights reserved.
@ -88,6 +87,12 @@ const char *LP_find_file(LP_DIR_CTX **ctx, const char *directory)
      size_t filespeclen = strlen(directory);
      char *filespec = NULL;
      if (filespeclen == 0)
 	{
 	  errno = ENOENT;
 	  return 0;
 	}
      /* MUST be a VMS directory specification!  Let's estimate if it is. */
      if (directory[filespeclen-1] != ']'
 	  && directory[filespeclen-1] != '>'
--- a/crypto/LPdir_win.c
+++ b/crypto/LPdir_win.c
@ -1,4 +1,3 @@
 /* $LP: LPlib/source/LPdir_win.c,v 1.10 2004/08/26 13:36:05 _cvs_levitte Exp $ */
 /*
 * Copyright (c) 2004, Richard Levitte <richard@levitte.org>
 * All rights reserved.
@ -63,6 +62,16 @@ const char *LP_find_file(LP_DIR_CTX **ctx, const char *directory)
  errno = 0;
  if (*ctx == NULL)
    {
      const char *extdir = directory;
      char *extdirbuf = NULL;
      size_t dirlen = strlen (directory);
      if (dirlen == 0)
 	{
 	  errno = ENOENT;
 	  return 0;
 	}
      *ctx = (LP_DIR_CTX *)malloc(sizeof(LP_DIR_CTX));
      if (*ctx == NULL)
 	{
@ -71,15 +80,35 @@ const char *LP_find_file(LP_DIR_CTX **ctx, const char *directory)
 	}
      memset(*ctx, '\0', sizeof(LP_DIR_CTX));
      if (directory[dirlen-1] != '*')
 	{
 	  extdirbuf = (char *)malloc(dirlen + 3);
 	  if (extdirbuf == NULL)
 	    {
 	      free(*ctx);
 	      *ctx = NULL;
 	      errno = ENOMEM;
 	      return 0;
 	    }
 	  if (directory[dirlen-1] != '/' && directory[dirlen-1] != '\\')
 	    extdir = strcat(strcpy (extdirbuf,directory),"/*");
 	  else
 	    extdir = strcat(strcpy (extdirbuf,directory),"*");
 	}
      if (sizeof(TCHAR) != sizeof(char))
 	{
 	  TCHAR *wdir = NULL;
 	  /* len_0 denotes string length *with* trailing 0 */ 
-	  size_t index = 0,len_0 = strlen(directory) + 1;
+	  size_t index = 0,len_0 = strlen(extdir) + 1;
-	  wdir = (TCHAR *)malloc(len_0 * sizeof(TCHAR));
+	  wdir = (TCHAR *)calloc(len_0, sizeof(TCHAR));
 	  if (wdir == NULL)
 	    {
 	      if (extdirbuf != NULL)
 		{
 		  free (extdirbuf);
 		}
 	      free(*ctx);
 	      *ctx = NULL;
 	      errno = ENOMEM;
@ -87,17 +116,23 @@ const char *LP_find_file(LP_DIR_CTX **ctx, const char *directory)
 	    }
 #ifdef LP_MULTIBYTE_AVAILABLE
-	  if (!MultiByteToWideChar(CP_ACP, 0, directory, len_0, (WCHAR *)wdir, len_0))
+	  if (!MultiByteToWideChar(CP_ACP, 0, extdir, len_0, (WCHAR *)wdir, len_0))
 #endif
 	    for (index = 0; index < len_0; index++)
-	      wdir[index] = (TCHAR)directory[index];
+	      wdir[index] = (TCHAR)extdir[index];
 	  (*ctx)->handle = FindFirstFile(wdir, &(*ctx)->ctx);
 	  free(wdir);
 	}
      else
-	(*ctx)->handle = FindFirstFile((TCHAR *)directory, &(*ctx)->ctx);
+	{
 	  (*ctx)->handle = FindFirstFile((TCHAR *)extdir, &(*ctx)->ctx);
 	}
      if (extdirbuf != NULL)
 	{
 	  free (extdirbuf);
 	}
      if ((*ctx)->handle == INVALID_HANDLE_VALUE)
 	{
@ -114,7 +149,6 @@ const char *LP_find_file(LP_DIR_CTX **ctx, const char *directory)
 	  return 0;
 	}
    }
  if (sizeof(TCHAR) != sizeof(char))
    {
      TCHAR *wdir = (*ctx)->ctx.cFileName;
--- a/crypto/Makefile
+++ b/crypto/Makefile
@ -31,6 +31,7 @@ CPUID_OBJ=mem_clr.o
 LIBS=
 GENERAL=Makefile README crypto-lib.com install.com
 TEST=constant_time_test.c
 LIB= $(TOP)/libcrypto.a
 SHARED_LIB= libcrypto$(SHLIB_EXT)
@ -43,7 +44,8 @@ SRC= $(LIBSRC)
 EXHEADER= crypto.h opensslv.h opensslconf.h ebcdic.h symhacks.h \
 	ossl_typ.h
-HEADER=	cryptlib.h buildinf.h md32_common.h o_time.h o_str.h o_dir.h $(EXHEADER)
+HEADER=	cryptlib.h buildinf.h md32_common.h o_time.h o_str.h o_dir.h \
 	constant_time_locl.h $(EXHEADER)
 ALL=    $(GENERAL) $(SRC) $(HEADER)
@ -77,7 +79,9 @@ ia64cpuid.s: ia64cpuid.S;	$(CC) $(CFLAGS) -E ia64cpuid.S > $@
 ppccpuid.s:	ppccpuid.pl;	$(PERL) ppccpuid.pl $(PERLASM_SCHEME) $@
 pariscid.s:	pariscid.pl;	$(PERL) pariscid.pl $(PERLASM_SCHEME) $@
 alphacpuid.s:	alphacpuid.pl
-	$(PERL) $< | $(CC) -E - | tee $@ > /dev/null
+	(preproc=$$$$.$@.S; trap "rm $$preproc" INT; \
 	$(PERL) alphacpuid.pl > $$preproc && \
 	$(CC) -E -P $$preproc > $@ && rm $$preproc)
 testapps:
 	[ -z "$(THIS)" ] || (	if echo $(SDIRS) | fgrep ' des '; \
@ -89,7 +93,7 @@ subdirs:
 	@target=all; $(RECURSIVE_MAKE)
 files:
-	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
+	$(PERL) $(TOP)/util/files.pl "CPUID_OBJ=$(CPUID_OBJ)" Makefile >> $(TOP)/MINFO
 	@target=files; $(RECURSIVE_MAKE)
 links:
@ -103,7 +107,7 @@ lib:	$(LIB)
 	@touch lib
 $(LIB):	$(LIBOBJ)
 	$(AR) $(LIB) $(LIBOBJ)
-	[ -z "$(FIPSLIBDIR)" ] || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
+	test -z "$(FIPSLIBDIR)" || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
 	$(RANLIB) $(LIB) || echo Never mind.
 shared: buildinf.h lib subdirs
--- a/crypto/aes/.cvsignore
+++ b/crypto/aes/.cvsignore
@ -3,3 +3,6 @@ Makefile.save
 *.flc
 semantic.cache
 aes-*.s
 aesni-*.s
 bsaes-*.s
 vpaes-*.s
--- a/crypto/aes/Makefile
+++ b/crypto/aes/Makefile
@ -65,12 +65,22 @@ aesni-x86_64.s: asm/aesni-x86_64.pl
 	$(PERL) asm/aesni-x86_64.pl $(PERLASM_SCHEME) > $@
 aesni-sha1-x86_64.s:	asm/aesni-sha1-x86_64.pl
 	$(PERL) asm/aesni-sha1-x86_64.pl $(PERLASM_SCHEME) > $@
 aesni-sha256-x86_64.s:	asm/aesni-sha256-x86_64.pl
 	$(PERL) asm/aesni-sha256-x86_64.pl $(PERLASM_SCHEME) > $@
 aesni-mb-x86_64.s:	asm/aesni-mb-x86_64.pl
 	$(PERL) asm/aesni-mb-x86_64.pl $(PERLASM_SCHEME) > $@
 aes-sparcv9.s: asm/aes-sparcv9.pl
 	$(PERL) asm/aes-sparcv9.pl $(CFLAGS) > $@
 aest4-sparcv9.s: asm/aest4-sparcv9.pl
 	$(PERL) asm/aest4-sparcv9.pl $(CFLAGS) > $@
 aes-ppc.s:	asm/aes-ppc.pl
 	$(PERL) asm/aes-ppc.pl $(PERLASM_SCHEME) $@
 vpaes-ppc.s:	asm/vpaes-ppc.pl
 	$(PERL) asm/vpaes-ppc.pl $(PERLASM_SCHEME) $@
 aesp8-ppc.s:	asm/aesp8-ppc.pl
 	$(PERL) asm/aesp8-ppc.pl $(PERLASM_SCHEME) $@
 aes-parisc.s:	asm/aes-parisc.pl
 	$(PERL) asm/aes-parisc.pl $(PERLASM_SCHEME) $@
@ -78,12 +88,18 @@ aes-parisc.s:	asm/aes-parisc.pl
 aes-mips.S:	asm/aes-mips.pl
 	$(PERL) asm/aes-mips.pl $(PERLASM_SCHEME) $@
 aesv8-armx.S:	asm/aesv8-armx.pl
 	$(PERL) asm/aesv8-armx.pl $(PERLASM_SCHEME) $@
 aesv8-armx.o:	aesv8-armx.S
 # GNU make "catch all"
 aes-%.S:	asm/aes-%.pl;	$(PERL) $< $(PERLASM_SCHEME) > $@
 aes-armv4.o:	aes-armv4.S
 bsaes-%.S:	asm/bsaes-%.pl;	$(PERL) $< $(PERLASM_SCHEME) $@
 bsaes-armv7.o:	bsaes-armv7.S
 files:
-	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
+	$(PERL) $(TOP)/util/files.pl "AES_ENC=$(AES_ENC)" Makefile >> $(TOP)/MINFO
 links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
@ -147,7 +163,7 @@ aes_wrap.o: ../../e_os.h ../../include/openssl/aes.h
 aes_wrap.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 aes_wrap.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 aes_wrap.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-aes_wrap.o: ../../include/openssl/opensslconf.h
+aes_wrap.o: ../../include/openssl/modes.h ../../include/openssl/opensslconf.h
 aes_wrap.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 aes_wrap.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 aes_wrap.o: ../../include/openssl/symhacks.h ../cryptlib.h aes_wrap.c
--- a/crypto/aes/aes_wrap.c
+++ b/crypto/aes/aes_wrap.c
@ -53,207 +53,18 @@
 #include "cryptlib.h"
 #include <openssl/aes.h>
-#include <openssl/bio.h>
+#include <openssl/modes.h>
 static const unsigned char default_iv[] = {
  0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6,
 };
 int AES_wrap_key(AES_KEY *key, const unsigned char *iv,
 		unsigned char *out,
 		const unsigned char *in, unsigned int inlen)
 	{
-	unsigned char *A, B[16], *R;
+	return CRYPTO_128_wrap(key, iv, out, in, inlen, (block128_f)AES_encrypt);
 	unsigned int i, j, t;
 	if ((inlen & 0x7) || (inlen < 8))
 		return -1;
 	A = B;
 	t = 1;
 	memcpy(out + 8, in, inlen);
 	if (!iv)
 		iv = default_iv;
 	memcpy(A, iv, 8);
 	for (j = 0; j < 6; j++)
 		{
 		R = out + 8;
 		for (i = 0; i < inlen; i += 8, t++, R += 8)
 			{
 			memcpy(B + 8, R, 8);
 			AES_encrypt(B, B, key);
 			A[7] ^= (unsigned char)(t & 0xff);
 			if (t > 0xff)	
 				{
 				A[6] ^= (unsigned char)((t >> 8) & 0xff);
 				A[5] ^= (unsigned char)((t >> 16) & 0xff);
 				A[4] ^= (unsigned char)((t >> 24) & 0xff);
 				}
 			memcpy(R, B + 8, 8);
 			}
 		}
 	memcpy(out, A, 8);
 	return inlen + 8;
 	}
 int AES_unwrap_key(AES_KEY *key, const unsigned char *iv,
 		unsigned char *out,
 		const unsigned char *in, unsigned int inlen)
 	{
-	unsigned char *A, B[16], *R;
+	return CRYPTO_128_unwrap(key, iv, out, in, inlen, (block128_f)AES_decrypt);
 	unsigned int i, j, t;
 	inlen -= 8;
 	if (inlen & 0x7)
 		return -1;
 	if (inlen < 8)
 		return -1;
 	A = B;
 	t =  6 * (inlen >> 3);
 	memcpy(A, in, 8);
 	memcpy(out, in + 8, inlen);
 	for (j = 0; j < 6; j++)
 		{
 		R = out + inlen - 8;
 		for (i = 0; i < inlen; i += 8, t--, R -= 8)
 			{
 			A[7] ^= (unsigned char)(t & 0xff);
 			if (t > 0xff)	
 				{
 				A[6] ^= (unsigned char)((t >> 8) & 0xff);
 				A[5] ^= (unsigned char)((t >> 16) & 0xff);
 				A[4] ^= (unsigned char)((t >> 24) & 0xff);
 	}
 			memcpy(B + 8, R, 8);
 			AES_decrypt(B, B, key);
 			memcpy(R, B + 8, 8);
 			}
 		}
 	if (!iv)
 		iv = default_iv;
 	if (memcmp(A, iv, 8))
 		{
 		OPENSSL_cleanse(out, inlen);
 		return 0;
 		}
 	return inlen;
 	}
 #ifdef AES_WRAP_TEST
 int AES_wrap_unwrap_test(const unsigned char *kek, int keybits,
 			 const unsigned char *iv,
 			 const unsigned char *eout,
 			 const unsigned char *key, int keylen)
 	{
 	unsigned char *otmp = NULL, *ptmp = NULL;
 	int r, ret = 0;
 	AES_KEY wctx;
 	otmp = OPENSSL_malloc(keylen + 8);
 	ptmp = OPENSSL_malloc(keylen);
 	if (!otmp || !ptmp)
 		return 0;
 	if (AES_set_encrypt_key(kek, keybits, &wctx))
 		goto err;
 	r = AES_wrap_key(&wctx, iv, otmp, key, keylen);
 	if (r <= 0)
 		goto err;
 	if (eout && memcmp(eout, otmp, keylen))
 		goto err;
 	if (AES_set_decrypt_key(kek, keybits, &wctx))
 		goto err;
 	r = AES_unwrap_key(&wctx, iv, ptmp, otmp, r);
 	if (memcmp(key, ptmp, keylen))
 		goto err;
 	ret = 1;
 	err:
 	if (otmp)
 		OPENSSL_free(otmp);
 	if (ptmp)
 		OPENSSL_free(ptmp);
 	return ret;
 	}
 int main(int argc, char **argv)
 {
 static const unsigned char kek[] = {
  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
  0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
  0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
  0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
 };
 static const unsigned char key[] = {
  0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
  0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
  0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
 };
 static const unsigned char e1[] = {
  0x1f, 0xa6, 0x8b, 0x0a, 0x81, 0x12, 0xb4, 0x47,
  0xae, 0xf3, 0x4b, 0xd8, 0xfb, 0x5a, 0x7b, 0x82,
  0x9d, 0x3e, 0x86, 0x23, 0x71, 0xd2, 0xcf, 0xe5
 };
 static const unsigned char e2[] = {
  0x96, 0x77, 0x8b, 0x25, 0xae, 0x6c, 0xa4, 0x35,
  0xf9, 0x2b, 0x5b, 0x97, 0xc0, 0x50, 0xae, 0xd2,
  0x46, 0x8a, 0xb8, 0xa1, 0x7a, 0xd8, 0x4e, 0x5d
 };
 static const unsigned char e3[] = {
  0x64, 0xe8, 0xc3, 0xf9, 0xce, 0x0f, 0x5b, 0xa2,
  0x63, 0xe9, 0x77, 0x79, 0x05, 0x81, 0x8a, 0x2a,
  0x93, 0xc8, 0x19, 0x1e, 0x7d, 0x6e, 0x8a, 0xe7
 };
 static const unsigned char e4[] = {
  0x03, 0x1d, 0x33, 0x26, 0x4e, 0x15, 0xd3, 0x32,
  0x68, 0xf2, 0x4e, 0xc2, 0x60, 0x74, 0x3e, 0xdc,
  0xe1, 0xc6, 0xc7, 0xdd, 0xee, 0x72, 0x5a, 0x93,
  0x6b, 0xa8, 0x14, 0x91, 0x5c, 0x67, 0x62, 0xd2
 };
 static const unsigned char e5[] = {
  0xa8, 0xf9, 0xbc, 0x16, 0x12, 0xc6, 0x8b, 0x3f,
  0xf6, 0xe6, 0xf4, 0xfb, 0xe3, 0x0e, 0x71, 0xe4,
  0x76, 0x9c, 0x8b, 0x80, 0xa3, 0x2c, 0xb8, 0x95,
  0x8c, 0xd5, 0xd1, 0x7d, 0x6b, 0x25, 0x4d, 0xa1
 };
 static const unsigned char e6[] = {
  0x28, 0xc9, 0xf4, 0x04, 0xc4, 0xb8, 0x10, 0xf4,
  0xcb, 0xcc, 0xb3, 0x5c, 0xfb, 0x87, 0xf8, 0x26,
  0x3f, 0x57, 0x86, 0xe2, 0xd8, 0x0e, 0xd3, 0x26,
  0xcb, 0xc7, 0xf0, 0xe7, 0x1a, 0x99, 0xf4, 0x3b,
  0xfb, 0x98, 0x8b, 0x9b, 0x7a, 0x02, 0xdd, 0x21
 };
 	AES_KEY wctx, xctx;
 	int ret;
 	ret = AES_wrap_unwrap_test(kek, 128, NULL, e1, key, 16);
 	fprintf(stderr, "Key test result %d\n", ret);
 	ret = AES_wrap_unwrap_test(kek, 192, NULL, e2, key, 16);
 	fprintf(stderr, "Key test result %d\n", ret);
 	ret = AES_wrap_unwrap_test(kek, 256, NULL, e3, key, 16);
 	fprintf(stderr, "Key test result %d\n", ret);
 	ret = AES_wrap_unwrap_test(kek, 192, NULL, e4, key, 24);
 	fprintf(stderr, "Key test result %d\n", ret);
 	ret = AES_wrap_unwrap_test(kek, 256, NULL, e5, key, 24);
 	fprintf(stderr, "Key test result %d\n", ret);
 	ret = AES_wrap_unwrap_test(kek, 256, NULL, e6, key, 32);
 	fprintf(stderr, "Key test result %d\n", ret);
 }
 #endif
--- a/crypto/aes/aes_x86core.c
+++ b/crypto/aes/aes_x86core.c
@ -89,8 +89,10 @@ typedef unsigned long long u64;
 #endif
 #undef ROTATE
-#if defined(_MSC_VER) || defined(__ICC)
+#if defined(_MSC_VER)
 # define ROTATE(a,n)	_lrotl(a,n)
 #elif defined(__ICC)
 # define ROTATE(a,n)	_rotl(a,n)
 #elif defined(__GNUC__) && __GNUC__>=2
 # if defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__)
 #   define ROTATE(a,n)	({ register unsigned int ret;	\
--- a/crypto/aes/asm/aes-586.pl
+++ b/crypto/aes/asm/aes-586.pl
@ -39,7 +39,7 @@
 # but exhibits up to 10% improvement on other cores.
 #
 # Second version is "monolithic" replacement for aes_core.c, which in
-# addition to AES_[de|en]crypt implements private_AES_set_[de|en]cryption_key.
+# addition to AES_[de|en]crypt implements AES_set_[de|en]cryption_key.
 # This made it possible to implement little-endian variant of the
 # algorithm without modifying the base C code. Motivating factor for
 # the undertaken effort was that it appeared that in tight IA-32
@ -103,11 +103,12 @@
 # byte for 128-bit key.
 #
 #		ECB encrypt	ECB decrypt	CBC large chunk
-# P4		56[60]		84[100]		23
+# P4		52[54]		83[95]		23
-# AMD K8	48[44]		70[79]		18
+# AMD K8	46[41]		66[70]		18
-# PIII		41[50]		61[91]		24
+# PIII		41[50]		60[77]		24
-# Core 2	32[38]		45[70]		18.5
+# Core 2	31[36]		45[64]		18.5
-# Pentium	120		160		77
+# Atom		76[100]		96[138]		60
 # Pentium	115		150		77
 #
 # Version 4.1 switches to compact S-box even in key schedule setup.
 #
@ -242,7 +243,7 @@ $vertical_spin=0;	# shift "verticaly" defaults to 0, because of
 sub encvert()
 { my ($te,@s) = @_;
-  my $v0 = $acc, $v1 = $key;
+  my ($v0,$v1) = ($acc,$key);
 	&mov	($v0,$s[3]);				# copy s3
 	&mov	(&DWP(4,"esp"),$s[2]);			# save s2
@ -299,7 +300,7 @@ sub encvert()
 # Another experimental routine, which features "horizontal spin," but
 # eliminates one reference to stack. Strangely enough runs slower...
 sub enchoriz()
-{ my $v0 = $key, $v1 = $acc;
+{ my ($v0,$v1) = ($key,$acc);
 	&movz	($v0,&LB($s0));			#  3, 2, 1, 0*
 	&rotr	($s2,8);			#  8,11,10, 9
@ -427,7 +428,7 @@ sub sse_encbody()
 ######################################################################
 sub enccompact()
-{ my $Fn = mov;
+{ my $Fn = \&mov;
  while ($#_>5) { pop(@_); $Fn=sub{}; }
  my ($i,$te,@s)=@_;
  my $tmp = $key;
@ -476,24 +477,25 @@ sub enctransform()
  my $tmp = $tbl;
  my $r2  = $key ;
-	&mov	($acc,$s[$i]);
+	&and	($tmp,$s[$i]);
 	&and	($acc,0x80808080);
 	&mov	($tmp,$acc);
 	&shr	($tmp,7);
 	&lea	($r2,&DWP(0,$s[$i],$s[$i]));
-	&sub	($acc,$tmp);
+	&mov	($acc,$tmp);
 	&shr	($tmp,7);
 	&and	($r2,0xfefefefe);
-	&and	($acc,0x1b1b1b1b);
+	&sub	($acc,$tmp);
 	&mov	($tmp,$s[$i]);
 	&and	($acc,0x1b1b1b1b);
 	&rotr	($tmp,16);
 	&xor	($acc,$r2);	# r2
 	&mov	($r2,$s[$i]);
 	&xor	($s[$i],$acc);	# r0 ^ r2
 	&rotr	($r2,16+8);
 	&xor	($acc,$tmp);
 	&rotl	($s[$i],24);
-	&xor	($s[$i],$acc)	# ROTATE(r2^r0,24) ^ r2
+	&xor	($acc,$r2);
-	&rotr	($tmp,16);
+	&mov	($tmp,0x80808080)	if ($i!=1);
-	&xor	($s[$i],$tmp);
+	&xor	($s[$i],$acc);	# ROTATE(r2^r0,24) ^ r2
 	&rotr	($tmp,8);
 	&xor	($s[$i],$tmp);
 }
 &function_begin_B("_x86_AES_encrypt_compact");
@ -526,6 +528,7 @@ sub enctransform()
 		&enccompact(1,$tbl,$s1,$s2,$s3,$s0,1);
 		&enccompact(2,$tbl,$s2,$s3,$s0,$s1,1);
 		&enccompact(3,$tbl,$s3,$s0,$s1,$s2,1);
 		&mov	($tbl,0x80808080);
 		&enctransform(2);
 		&enctransform(3);
 		&enctransform(0);
@ -607,82 +610,84 @@ sub sse_enccompact()
 	&pshufw	("mm5","mm4",0x0d);		# 15,14,11,10
 	&movd	("eax","mm1");			#  5, 4, 1, 0
 	&movd	("ebx","mm5");			# 15,14,11,10
 	&mov	($__key,$key);
 	&movz	($acc,&LB("eax"));		#  0
 	&movz	("ecx",&BP(-128,$tbl,$acc,1));	#  0
 	&pshufw	("mm2","mm0",0x0d);		#  7, 6, 3, 2
 	&movz	("edx",&HB("eax"));		#  1
 	&pshufw	("mm2","mm0",0x0d);		#  7, 6, 3, 2
 	&movz	("ecx",&BP(-128,$tbl,$acc,1));	#  0
 	&movz	($key,&LB("ebx"));		# 10
 	&movz	("edx",&BP(-128,$tbl,"edx",1));	#  1
 	&shl	("edx",8);			#  1
 	&shr	("eax",16);			#  5, 4
 	&shl	("edx",8);			#  1
-	&movz	($acc,&LB("ebx"));		# 10
+	&movz	($acc,&BP(-128,$tbl,$key,1));	# 10
-	&movz	($acc,&BP(-128,$tbl,$acc,1));	# 10
+	&movz	($key,&HB("ebx"));		# 11
 	&shl	($acc,16);			# 10
 	&or	("ecx",$acc);			# 10
 	&pshufw	("mm6","mm4",0x08);		# 13,12, 9, 8
-	&movz	($acc,&HB("ebx"));		# 11
+	&or	("ecx",$acc);			# 10
-	&movz	($acc,&BP(-128,$tbl,$acc,1));	# 11
+	&movz	($acc,&BP(-128,$tbl,$key,1));	# 11
 	&movz	($key,&HB("eax"));		#  5
 	&shl	($acc,24);			# 11
 	&or	("edx",$acc);			# 11
 	&shr	("ebx",16);			# 15,14
 	&or	("edx",$acc);			# 11
-	&movz	($acc,&HB("eax"));		#  5
+	&movz	($acc,&BP(-128,$tbl,$key,1));	#  5
-	&movz	($acc,&BP(-128,$tbl,$acc,1));	#  5
+	&movz	($key,&HB("ebx"));		# 15
 	&shl	($acc,8);			#  5
 	&or	("ecx",$acc);			#  5
-	&movz	($acc,&HB("ebx"));		# 15
+	&movz	($acc,&BP(-128,$tbl,$key,1));	# 15
-	&movz	($acc,&BP(-128,$tbl,$acc,1));	# 15
+	&movz	($key,&LB("eax"));		#  4
 	&shl	($acc,24);			# 15
 	&or	("ecx",$acc);			# 15
 	&movd	("mm0","ecx");			# t[0] collected
-	&movz	($acc,&LB("eax"));		#  4
+	&movz	($acc,&BP(-128,$tbl,$key,1));	#  4
-	&movz	("ecx",&BP(-128,$tbl,$acc,1));	#  4
+	&movz	($key,&LB("ebx"));		# 14
 	&movd	("eax","mm2");			#  7, 6, 3, 2
-	&movz	($acc,&LB("ebx"));		# 14
+	&movd	("mm0","ecx");			# t[0] collected
-	&movz	($acc,&BP(-128,$tbl,$acc,1));	# 14
+	&movz	("ecx",&BP(-128,$tbl,$key,1));	# 14
-	&shl	($acc,16);			# 14
+	&movz	($key,&HB("eax"));		#  3
 	&shl	("ecx",16);			# 14
 	&movd	("ebx","mm6");			# 13,12, 9, 8
 	&or	("ecx",$acc);			# 14
-	&movd	("ebx","mm6");			# 13,12, 9, 8
+	&movz	($acc,&BP(-128,$tbl,$key,1));	#  3
-	&movz	($acc,&HB("eax"));		#  3
+	&movz	($key,&HB("ebx"));		#  9
 	&movz	($acc,&BP(-128,$tbl,$acc,1));	#  3
 	&shl	($acc,24);			#  3
 	&or	("ecx",$acc);			#  3
-	&movz	($acc,&HB("ebx"));		#  9
+	&movz	($acc,&BP(-128,$tbl,$key,1));	#  9
-	&movz	($acc,&BP(-128,$tbl,$acc,1));	#  9
+	&movz	($key,&LB("ebx"));		#  8
 	&shl	($acc,8);			#  9
 	&or	("ecx",$acc);			#  9
 	&movd	("mm1","ecx");			# t[1] collected
 	&movz	($acc,&LB("ebx"));		#  8
 	&movz	("ecx",&BP(-128,$tbl,$acc,1));	#  8
 	&shr	("ebx",16);			# 13,12
-	&movz	($acc,&LB("eax"));		#  2
+	&or	("ecx",$acc);			#  9
-	&movz	($acc,&BP(-128,$tbl,$acc,1));	#  2
+
-	&shl	($acc,16);			#  2
+	&movz	($acc,&BP(-128,$tbl,$key,1));	#  8
-	&or	("ecx",$acc);			#  2
+	&movz	($key,&LB("eax"));		#  2
 	&shr	("eax",16);			#  7, 6
 	&movd	("mm1","ecx");			# t[1] collected
 	&movz	("ecx",&BP(-128,$tbl,$key,1));	#  2
 	&movz	($key,&HB("eax"));		#  7
 	&shl	("ecx",16);			#  2
 	&and	("eax",0xff);			#  6
 	&or	("ecx",$acc);			#  2
 	&punpckldq	("mm0","mm1");		# t[0,1] collected
-	&movz	($acc,&HB("eax"));		#  7
+	&movz	($acc,&BP(-128,$tbl,$key,1));	#  7
-	&movz	($acc,&BP(-128,$tbl,$acc,1));	#  7
+	&movz	($key,&HB("ebx"));		# 13
 	&shl	($acc,24);			#  7
 	&or	("ecx",$acc);			#  7
 	&and	("eax",0xff);			#  6
 	&movz	("eax",&BP(-128,$tbl,"eax",1));	#  6
 	&shl	("eax",16);			#  6
 	&or	("edx","eax");			#  6
 	&movz	($acc,&HB("ebx"));		# 13
 	&movz	($acc,&BP(-128,$tbl,$acc,1));	# 13
 	&shl	($acc,8);			# 13
 	&or	("ecx",$acc);			# 13
 	&movd	("mm4","ecx");			# t[2] collected
 	&and	("ebx",0xff);			# 12
 	&movz	("eax",&BP(-128,$tbl,"eax",1));	#  6
 	&or	("ecx",$acc);			#  7
 	&shl	("eax",16);			#  6
 	&movz	($acc,&BP(-128,$tbl,$key,1));	# 13
 	&or	("edx","eax");			#  6
 	&shl	($acc,8);			# 13
 	&movz	("ebx",&BP(-128,$tbl,"ebx",1));	# 12
 	&or	("ecx",$acc);			# 13
 	&or	("edx","ebx");			# 12
 	&mov	($key,$__key);
 	&movd	("mm4","ecx");			# t[2] collected
 	&movd	("mm5","edx");			# t[3] collected
 	&punpckldq	("mm4","mm5");		# t[2,3] collected
@ -1222,7 +1227,7 @@ sub enclast()
 ######################################################################
 sub deccompact()
-{ my $Fn = mov;
+{ my $Fn = \&mov;
  while ($#_>5) { pop(@_); $Fn=sub{}; }
  my ($i,$td,@s)=@_;
  my $tmp = $key;
@ -1270,30 +1275,30 @@ sub dectransform()
  my $tp4 = @s[($i+3)%4]; $tp4 = @s[3] if ($i==1);
  my $tp8 = $tbl;
-	&mov	($acc,$s[$i]);
+	&mov	($tmp,0x80808080);
-	&and	($acc,0x80808080);
+	&and	($tmp,$s[$i]);
-	&mov	($tmp,$acc);
+	&mov	($acc,$tmp);
 	&shr	($tmp,7);
 	&lea	($tp2,&DWP(0,$s[$i],$s[$i]));
 	&sub	($acc,$tmp);
 	&and	($tp2,0xfefefefe);
 	&and	($acc,0x1b1b1b1b);
-	&xor	($acc,$tp2);
+	&xor	($tp2,$acc);
-	&mov	($tp2,$acc);
+	&mov	($tmp,0x80808080);
-	&and	($acc,0x80808080);
+	&and	($tmp,$tp2);
-	&mov	($tmp,$acc);
+	&mov	($acc,$tmp);
 	&shr	($tmp,7);
 	&lea	($tp4,&DWP(0,$tp2,$tp2));
 	&sub	($acc,$tmp);
 	&and	($tp4,0xfefefefe);
 	&and	($acc,0x1b1b1b1b);
 	 &xor	($tp2,$s[$i]);	# tp2^tp1
-	&xor	($acc,$tp4);
+	&xor	($tp4,$acc);
-	&mov	($tp4,$acc);
+	&mov	($tmp,0x80808080);
-	&and	($acc,0x80808080);
+	&and	($tmp,$tp4);
-	&mov	($tmp,$acc);
+	&mov	($acc,$tmp);
 	&shr	($tmp,7);
 	&lea	($tp8,&DWP(0,$tp4,$tp4));
 	&sub	($acc,$tmp);
@ -1305,13 +1310,13 @@ sub dectransform()
 	&xor	($s[$i],$tp2);
 	&xor	($tp2,$tp8);
 	&rotl	($tp2,24);
 	&xor	($s[$i],$tp4);
 	&xor	($tp4,$tp8);
-	&rotl	($tp4,16);
+	&rotl	($tp2,24);
 	&xor	($s[$i],$tp8);	# ^= tp8^(tp4^tp1)^(tp2^tp1)
-	&rotl	($tp8,8);
+	&rotl	($tp4,16);
 	&xor	($s[$i],$tp2);	# ^= ROTATE(tp8^tp2^tp1,24)
 	&rotl	($tp8,8);
 	&xor	($s[$i],$tp4);	# ^= ROTATE(tp8^tp4^tp1,16)
 	 &mov	($s[0],$__s0)			if($i==2); #prefetch $s0
 	 &mov	($s[1],$__s1)			if($i==3); #prefetch $s1
@ -1389,85 +1394,87 @@ sub dectransform()
 sub sse_deccompact()
 {
 	&pshufw	("mm1","mm0",0x0c);		#  7, 6, 1, 0
 	&movd	("eax","mm1");			#  7, 6, 1, 0
 	&pshufw	("mm5","mm4",0x09);		# 13,12,11,10
-	&movz	($acc,&LB("eax"));		#  0
+	&movd	("eax","mm1");			#  7, 6, 1, 0
 	&movz	("ecx",&BP(-128,$tbl,$acc,1));	#  0
 	&movd	("ebx","mm5");			# 13,12,11,10
 	&mov	($__key,$key);
 	&movz	($acc,&LB("eax"));		#  0
 	&movz	("edx",&HB("eax"));		#  1
 	&pshufw	("mm2","mm0",0x06);		#  3, 2, 5, 4
 	&movz	("ecx",&BP(-128,$tbl,$acc,1));	#  0
 	&movz	($key,&LB("ebx"));		# 10
 	&movz	("edx",&BP(-128,$tbl,"edx",1));	#  1
 	&shr	("eax",16);			#  7, 6
 	&shl	("edx",8);			#  1
-	&pshufw	("mm2","mm0",0x06);		#  3, 2, 5, 4
+	&movz	($acc,&BP(-128,$tbl,$key,1));	# 10
-	&movz	($acc,&LB("ebx"));		# 10
+	&movz	($key,&HB("ebx"));		# 11
 	&movz	($acc,&BP(-128,$tbl,$acc,1));	# 10
 	&shl	($acc,16);			# 10
 	&or	("ecx",$acc);			# 10
 	&shr	("eax",16);			#  7, 6
 	&movz	($acc,&HB("ebx"));		# 11
 	&movz	($acc,&BP(-128,$tbl,$acc,1));	# 11
 	&shl	($acc,24);			# 11
 	&or	("edx",$acc);			# 11
 	&shr	("ebx",16);			# 13,12
 	&pshufw	("mm6","mm4",0x03);		# 9, 8,15,14
-	&movz	($acc,&HB("eax"));		#  7
+	&or	("ecx",$acc);			# 10
-	&movz	($acc,&BP(-128,$tbl,$acc,1));	#  7
+	&movz	($acc,&BP(-128,$tbl,$key,1));	# 11
 	&movz	($key,&HB("eax"));		#  7
 	&shl	($acc,24);			# 11
 	&shr	("ebx",16);			# 13,12
 	&or	("edx",$acc);			# 11
 	&movz	($acc,&BP(-128,$tbl,$key,1));	#  7
 	&movz	($key,&HB("ebx"));		# 13
 	&shl	($acc,24);			#  7
 	&or	("ecx",$acc);			#  7
-	&movz	($acc,&HB("ebx"));		# 13
+	&movz	($acc,&BP(-128,$tbl,$key,1));	# 13
-	&movz	($acc,&BP(-128,$tbl,$acc,1));	# 13
+	&movz	($key,&LB("eax"));		#  6
 	&shl	($acc,8);			# 13
 	&or	("ecx",$acc);			# 13
 	&movd	("mm0","ecx");			# t[0] collected
 	&movz	($acc,&LB("eax"));		#  6
 	&movd	("eax","mm2");			#  3, 2, 5, 4
-	&movz	("ecx",&BP(-128,$tbl,$acc,1));	#  6
+	&or	("ecx",$acc);			# 13
-	&shl	("ecx",16);			#  6
+
-	&movz	($acc,&LB("ebx"));		# 12
+	&movz	($acc,&BP(-128,$tbl,$key,1));	#  6
 	&movz	($key,&LB("ebx"));		# 12
 	&shl	($acc,16);			#  6
 	&movd	("ebx","mm6");			#  9, 8,15,14
-	&movz	($acc,&BP(-128,$tbl,$acc,1));	# 12
+	&movd	("mm0","ecx");			# t[0] collected
 	&movz	("ecx",&BP(-128,$tbl,$key,1));	# 12
 	&movz	($key,&LB("eax"));		#  4
 	&or	("ecx",$acc);			# 12
-	&movz	($acc,&LB("eax"));		#  4
+	&movz	($acc,&BP(-128,$tbl,$key,1));	#  4
-	&movz	($acc,&BP(-128,$tbl,$acc,1));	#  4
+	&movz	($key,&LB("ebx"));		# 14
 	&or	("edx",$acc);			#  4
-	&movz	($acc,&LB("ebx"));		# 14
+	&movz	($acc,&BP(-128,$tbl,$key,1));	# 14
-	&movz	($acc,&BP(-128,$tbl,$acc,1));	# 14
+	&movz	($key,&HB("eax"));		#  5
 	&shl	($acc,16);			# 14
 	&or	("edx",$acc);			# 14
 	&movd	("mm1","edx");			# t[1] collected
 	&movz	($acc,&HB("eax"));		#  5
 	&movz	("edx",&BP(-128,$tbl,$acc,1));	#  5
 	&shl	("edx",8);			#  5
 	&movz	($acc,&HB("ebx"));		# 15
 	&shr	("eax",16);			#  3, 2
-	&movz	($acc,&BP(-128,$tbl,$acc,1));	# 15
+	&or	("edx",$acc);			# 14
-	&shl	($acc,24);			# 15
+
-	&or	("edx",$acc);			# 15
+	&movz	($acc,&BP(-128,$tbl,$key,1));	#  5
 	&movz	($key,&HB("ebx"));		# 15
 	&shr	("ebx",16);			#  9, 8
 	&shl	($acc,8);			#  5
 	&movd	("mm1","edx");			# t[1] collected
 	&movz	("edx",&BP(-128,$tbl,$key,1));	# 15
 	&movz	($key,&HB("ebx"));		#  9
 	&shl	("edx",24);			# 15
 	&and	("ebx",0xff);			#  8
 	&or	("edx",$acc);			# 15
 	&punpckldq	("mm0","mm1");		# t[0,1] collected
-	&movz	($acc,&HB("ebx"));		#  9
+	&movz	($acc,&BP(-128,$tbl,$key,1));	#  9
-	&movz	($acc,&BP(-128,$tbl,$acc,1));	#  9
+	&movz	($key,&LB("eax"));		#  2
 	&shl	($acc,8);			#  9
 	&or	("ecx",$acc);			#  9
 	&and	("ebx",0xff);			#  8
 	&movz	("ebx",&BP(-128,$tbl,"ebx",1));	#  8
 	&or	("edx","ebx");			#  8
 	&movz	($acc,&LB("eax"));		#  2
 	&movz	($acc,&BP(-128,$tbl,$acc,1));	#  2
 	&shl	($acc,16);			#  2
 	&or	("edx",$acc);			#  2
 	&movd	("mm4","edx");			# t[2] collected
 	&movz	("eax",&HB("eax"));		#  3
 	&movz	("ebx",&BP(-128,$tbl,"ebx",1));	#  8
 	&or	("ecx",$acc);			#  9
 	&movz	($acc,&BP(-128,$tbl,$key,1));	#  2
 	&or	("edx","ebx");			#  8
 	&shl	($acc,16);			#  2
 	&movz	("eax",&BP(-128,$tbl,"eax",1));	#  3
 	&or	("edx",$acc);			#  2
 	&shl	("eax",24);			#  3
 	&or	("ecx","eax");			#  3
 	&mov	($key,$__key);
 	&movd	("mm4","edx");			# t[2] collected
 	&movd	("mm5","ecx");			# t[3] collected
 	&punpckldq	("mm4","mm5");		# t[2,3] collected
@ -2182,7 +2189,7 @@ my $mark=&DWP(76+240,"esp");	# copy of aes_key->rounds
 	&xor	("eax","eax");
 	&align	(4);
 	&data_word(0xABF3F689);		# rep stosd
-	&set_label("skip_ezero")
+	&set_label("skip_ezero");
 	&mov	("esp",$_esp);
 	&popf	();
    &set_label("drop_out");
@ -2302,7 +2309,7 @@ my $mark=&DWP(76+240,"esp");	# copy of aes_key->rounds
 	&xor	("eax","eax");
 	&align	(4);
 	&data_word(0xABF3F689);		# rep stosd
-	&set_label("skip_dzero")
+	&set_label("skip_dzero");
 	&mov	("esp",$_esp);
 	&popf	();
 	&function_end_A();
@ -2865,32 +2872,32 @@ sub deckey()
 { my ($i,$key,$tp1,$tp2,$tp4,$tp8) = @_;
  my $tmp = $tbl;
-	&mov	($acc,$tp1);
+	&mov	($tmp,0x80808080);
-	&and	($acc,0x80808080);
+	&and	($tmp,$tp1);
 	&mov	($tmp,$acc);
 	&shr	($tmp,7);
 	&lea	($tp2,&DWP(0,$tp1,$tp1));
 	&mov	($acc,$tmp);
 	&shr	($tmp,7);
 	&sub	($acc,$tmp);
 	&and	($tp2,0xfefefefe);
 	&and	($acc,0x1b1b1b1b);
-	&xor	($acc,$tp2);
+	&xor	($tp2,$acc);
-	&mov	($tp2,$acc);
+	&mov	($tmp,0x80808080);
-	&and	($acc,0x80808080);
+	&and	($tmp,$tp2);
 	&mov	($tmp,$acc);
 	&shr	($tmp,7);
 	&lea	($tp4,&DWP(0,$tp2,$tp2));
 	&mov	($acc,$tmp);
 	&shr	($tmp,7);
 	&sub	($acc,$tmp);
 	&and	($tp4,0xfefefefe);
 	&and	($acc,0x1b1b1b1b);
 	 &xor	($tp2,$tp1);	# tp2^tp1
-	&xor	($acc,$tp4);
+	&xor	($tp4,$acc);
-	&mov	($tp4,$acc);
+	&mov	($tmp,0x80808080);
-	&and	($acc,0x80808080);
+	&and	($tmp,$tp4);
 	&mov	($tmp,$acc);
 	&shr	($tmp,7);
 	&lea	($tp8,&DWP(0,$tp4,$tp4));
 	&mov	($acc,$tmp);
 	&shr	($tmp,7);
 	 &xor	($tp4,$tp1);	# tp4^tp1
 	&sub	($acc,$tmp);
 	&and	($tp8,0xfefefefe);
--- a/crypto/aes/asm/aes-armv4.pl
+++ b/crypto/aes/asm/aes-armv4.pl
@ -1,7 +1,7 @@
 #!/usr/bin/env perl
 # ====================================================================
-# Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
+# Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
 # project. The module is, however, dual licensed under OpenSSL and
 # CRYPTOGAMS licenses depending on where you obtain it. For further
 # details see http://www.openssl.org/~appro/cryptogams/.
@ -51,9 +51,23 @@ $key="r11";
 $rounds="r12";
 $code=<<___;
 #ifndef __KERNEL__
 # include "arm_arch.h"
 #else
 # define __ARM_ARCH__ __LINUX_ARM_ARCH__
 #endif
 .text
 #if __ARM_ARCH__<7
 .code	32
 #else
 .syntax	unified
 # ifdef __thumb2__
 .thumb
 # else
 .code	32
 # endif
 #endif
 .type	AES_Te,%object
 .align	5
@ -167,7 +181,11 @@ AES_Te:
 .type   AES_encrypt,%function
 .align	5
 AES_encrypt:
 #if __ARM_ARCH__<7
 	sub	r3,pc,#8		@ AES_encrypt
 #else
 	adr	r3,AES_encrypt
 #endif
 	stmdb   sp!,{r1,r4-r12,lr}
 	mov	$rounds,r0		@ inp
 	mov	$key,r2
@ -408,11 +426,22 @@ _armv4_AES_encrypt:
 .type   private_AES_set_encrypt_key,%function
 .align	5
 private_AES_set_encrypt_key:
 _armv4_AES_set_encrypt_key:
 #if __ARM_ARCH__<7
 	sub	r3,pc,#8		@ AES_set_encrypt_key
 #else
 	adr	r3,private_AES_set_encrypt_key
 #endif
 	teq	r0,#0
 #if __ARM_ARCH__>=7
 	itt	eq			@ Thumb2 thing, sanity check in ARM
 #endif
 	moveq	r0,#-1
 	beq	.Labrt
 	teq	r2,#0
 #if __ARM_ARCH__>=7
 	itt	eq			@ Thumb2 thing, sanity check in ARM
 #endif
 	moveq	r0,#-1
 	beq	.Labrt
@ -421,11 +450,14 @@ private_AES_set_encrypt_key:
 	teq	r1,#192
 	beq	.Lok
 	teq	r1,#256
 #if __ARM_ARCH__>=7
 	itt	ne			@ Thumb2 thing, sanity check in ARM
 #endif
 	movne	r0,#-1
 	bne	.Labrt
 .Lok:	stmdb   sp!,{r4-r12,lr}
-	sub	$tbl,r3,#private_AES_set_encrypt_key-AES_Te-1024	@ Te4
+	sub	$tbl,r3,#_armv4_AES_set_encrypt_key-AES_Te-1024	@ Te4
 	mov	$rounds,r0		@ inp
 	mov	lr,r1			@ bits
@ -575,6 +607,9 @@ private_AES_set_encrypt_key:
 	str	$s2,[$key,#-16]
 	subs	$rounds,$rounds,#1
 	str	$s3,[$key,#-12]
 #if __ARM_ARCH__>=7
 	itt	eq				@ Thumb2 thing, sanity check in ARM
 #endif
 	subeq	r2,$key,#216
 	beq	.Ldone
@ -644,6 +679,9 @@ private_AES_set_encrypt_key:
 	str	$s2,[$key,#-24]
 	subs	$rounds,$rounds,#1
 	str	$s3,[$key,#-20]
 #if __ARM_ARCH__>=7
 	itt	eq				@ Thumb2 thing, sanity check in ARM
 #endif
 	subeq	r2,$key,#256
 	beq	.Ldone
@ -673,11 +711,17 @@ private_AES_set_encrypt_key:
 	str	$i3,[$key,#-4]
 	b	.L256_loop
 .align	2
 .Ldone:	mov	r0,#0
 	ldmia   sp!,{r4-r12,lr}
-.Labrt:	tst	lr,#1
+.Labrt:
 #if __ARM_ARCH__>=5
 	ret				@ bx lr
 #else
 	tst	lr,#1
 	moveq	pc,lr			@ be binary compatible with V4, yet
 	bx	lr			@ interoperable with Thumb ISA:-)
 #endif
 .size	private_AES_set_encrypt_key,.-private_AES_set_encrypt_key
 .global private_AES_set_decrypt_key
@ -685,36 +729,59 @@ private_AES_set_encrypt_key:
 .align	5
 private_AES_set_decrypt_key:
 	str	lr,[sp,#-4]!            @ push lr
-	bl	private_AES_set_encrypt_key
+	bl	_armv4_AES_set_encrypt_key
 	teq	r0,#0
-	ldrne	lr,[sp],#4              @ pop lr
+	ldr	lr,[sp],#4              @ pop lr
 	bne	.Labrt
-	stmdb   sp!,{r4-r12}
+	mov	r0,r2			@ AES_set_encrypt_key preserves r2,
 	mov	r1,r2			@ which is AES_KEY *key
 	b	_armv4_AES_set_enc2dec_key
 .size	private_AES_set_decrypt_key,.-private_AES_set_decrypt_key
-	ldr	$rounds,[r2,#240]	@ AES_set_encrypt_key preserves r2,
+@ void AES_set_enc2dec_key(const AES_KEY *inp,AES_KEY *out)
-	mov	$key,r2			@ which is AES_KEY *key
+.global	AES_set_enc2dec_key
-	mov	$i1,r2
+.type	AES_set_enc2dec_key,%function
-	add	$i2,r2,$rounds,lsl#4
+.align	5
 AES_set_enc2dec_key:
 _armv4_AES_set_enc2dec_key:
 	stmdb   sp!,{r4-r12,lr}
-.Linv:	ldr	$s0,[$i1]
+	ldr	$rounds,[r0,#240]
 	mov	$i1,r0			@ input
 	add	$i2,r0,$rounds,lsl#4
 	mov	$key,r1			@ ouput
 	add	$tbl,r1,$rounds,lsl#4
 	str	$rounds,[r1,#240]
 .Linv:	ldr	$s0,[$i1],#16
 	ldr	$s1,[$i1,#-12]
 	ldr	$s2,[$i1,#-8]
 	ldr	$s3,[$i1,#-4]
 	ldr	$t1,[$i2],#-16
 	ldr	$t2,[$i2,#16+4]
 	ldr	$t3,[$i2,#16+8]
 	ldr	$i3,[$i2,#16+12]
 	str	$s0,[$tbl],#-16
 	str	$s1,[$tbl,#16+4]
 	str	$s2,[$tbl,#16+8]
 	str	$s3,[$tbl,#16+12]
 	str	$t1,[$key],#16
 	str	$t2,[$key,#-12]
 	str	$t3,[$key,#-8]
 	str	$i3,[$key,#-4]
 	teq	$i1,$i2
 	bne	.Linv
 	ldr	$s0,[$i1]
 	ldr	$s1,[$i1,#4]
 	ldr	$s2,[$i1,#8]
 	ldr	$s3,[$i1,#12]
-	ldr	$t1,[$i2]
+	str	$s0,[$key]
-	ldr	$t2,[$i2,#4]
+	str	$s1,[$key,#4]
-	ldr	$t3,[$i2,#8]
+	str	$s2,[$key,#8]
-	ldr	$i3,[$i2,#12]
+	str	$s3,[$key,#12]
-	str	$s0,[$i2],#-16
+	sub	$key,$key,$rounds,lsl#3
 	str	$s1,[$i2,#16+4]
 	str	$s2,[$i2,#16+8]
 	str	$s3,[$i2,#16+12]
 	str	$t1,[$i1],#16
 	str	$t2,[$i1,#-12]
 	str	$t3,[$i1,#-8]
 	str	$i3,[$i1,#-4]
 	teq	$i1,$i2
 	bne	.Linv
 ___
 $mask80=$i1;
 $mask1b=$i2;
@ -772,7 +839,7 @@ $code.=<<___;
 	moveq	pc,lr			@ be binary compatible with V4, yet
 	bx	lr			@ interoperable with Thumb ISA:-)
 #endif
-.size	private_AES_set_decrypt_key,.-private_AES_set_decrypt_key
+.size	AES_set_enc2dec_key,.-AES_set_enc2dec_key
 .type	AES_Td,%object
 .align	5
@ -882,7 +949,11 @@ AES_Td:
 .type   AES_decrypt,%function
 .align	5
 AES_decrypt:
 #if __ARM_ARCH__<7
 	sub	r3,pc,#8		@ AES_decrypt
 #else
 	adr	r3,AES_decrypt
 #endif
 	stmdb   sp!,{r1,r4-r12,lr}
 	mov	$rounds,r0		@ inp
 	mov	$key,r2
@ -1079,8 +1150,9 @@ _armv4_AES_decrypt:
 	ldrb	$t3,[$tbl,$i3]		@ Td4[s0>>0]
 	and	$i3,lr,$s1,lsr#8
 	add	$s1,$tbl,$s1,lsr#24
 	ldrb	$i1,[$tbl,$i1]		@ Td4[s1>>0]
-	ldrb	$s1,[$tbl,$s1,lsr#24]	@ Td4[s1>>24]
+	ldrb	$s1,[$s1]		@ Td4[s1>>24]
 	ldrb	$i2,[$tbl,$i2]		@ Td4[s1>>16]
 	eor	$s0,$i1,$s0,lsl#24
 	ldrb	$i3,[$tbl,$i3]		@ Td4[s1>>8]
@ -1093,7 +1165,8 @@ _armv4_AES_decrypt:
 	ldrb	$i2,[$tbl,$i2]		@ Td4[s2>>0]
 	and	$i3,lr,$s2,lsr#16
-	ldrb	$s2,[$tbl,$s2,lsr#24]	@ Td4[s2>>24]
+	add	$s2,$tbl,$s2,lsr#24
 	ldrb	$s2,[$s2]		@ Td4[s2>>24]
 	eor	$s0,$s0,$i1,lsl#8
 	ldrb	$i3,[$tbl,$i3]		@ Td4[s2>>16]
 	eor	$s1,$i2,$s1,lsl#16
@ -1105,8 +1178,9 @@ _armv4_AES_decrypt:
 	ldrb	$i2,[$tbl,$i2]		@ Td4[s3>>8]
 	and	$i3,lr,$s3		@ i2
 	add	$s3,$tbl,$s3,lsr#24
 	ldrb	$i3,[$tbl,$i3]		@ Td4[s3>>0]
-	ldrb	$s3,[$tbl,$s3,lsr#24]	@ Td4[s3>>24]
+	ldrb	$s3,[$s3]		@ Td4[s3>>24]
 	eor	$s0,$s0,$i1,lsl#16
 	ldr	$i1,[$key,#0]
 	eor	$s1,$s1,$i2,lsl#8
@ -1129,5 +1203,15 @@ _armv4_AES_decrypt:
 ___
 $code =~ s/\bbx\s+lr\b/.word\t0xe12fff1e/gm;	# make it possible to compile with -march=armv4
 $code =~ s/\bret\b/bx\tlr/gm;
 open SELF,$0;
 while(<SELF>) {
 	next if (/^#!/);
 	last if (!s/^#/@/ and !/^$/);
 	print;
 }
 close SELF;
 print $code;
 close STDOUT;	# enforce flush
--- a/crypto/aes/asm/aes-mips.pl
+++ b/crypto/aes/asm/aes-mips.pl
--- a/crypto/aes/asm/aes-parisc.pl
+++ b/crypto/aes/asm/aes-parisc.pl
@ -1016,6 +1016,7 @@ foreach (split("\n",$code)) {
 		:            sprintf("extrd,u%s,%d,8,",$1,63-$2)/e;
 	s/,\*/,/			if ($SIZE_T==4);
 	s/\bbv\b(.*\(%r2\))/bve$1/	if ($SIZE_T==8);
 	print $_,"\n";
 }
 close STDOUT;
--- a/crypto/aes/asm/aes-ppc.pl
+++ b/crypto/aes/asm/aes-ppc.pl
@ -45,6 +45,8 @@ if ($flavour =~ /64/) {
 	$PUSH	="stw";
 } else { die "nonsense $flavour"; }
 $LITTLE_ENDIAN = ($flavour=~/le$/) ? $SIZE_T : 0;
 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
 ( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
 ( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
@ -68,7 +70,7 @@ $key="r5";
 $Tbl0="r3";
 $Tbl1="r6";
 $Tbl2="r7";
-$Tbl3="r2";
+$Tbl3=$out;	# stay away from "r2"; $out is offloaded to stack
 $s0="r8";
 $s1="r9";
@ -76,7 +78,7 @@ $s2="r10";
 $s3="r11";
 $t0="r12";
-$t1="r13";
+$t1="r0";	# stay away from "r13";
 $t2="r14";
 $t3="r15";
@ -100,9 +102,6 @@ $acc13="r29";
 $acc14="r30";
 $acc15="r31";
 # stay away from TLS pointer
 if ($SIZE_T==8)	{ die if ($t1 ne "r13");  $t1="r0";		}
 else		{ die if ($Tbl3 ne "r2"); $Tbl3=$t0; $t0="r0";	}
 $mask80=$Tbl2;
 $mask1b=$Tbl3;
@ -337,8 +336,7 @@ $code.=<<___;
 	$STU	$sp,-$FRAME($sp)
 	mflr	r0
-	$PUSH	$toc,`$FRAME-$SIZE_T*20`($sp)
+	$PUSH	$out,`$FRAME-$SIZE_T*19`($sp)
 	$PUSH	r13,`$FRAME-$SIZE_T*19`($sp)
 	$PUSH	r14,`$FRAME-$SIZE_T*18`($sp)
 	$PUSH	r15,`$FRAME-$SIZE_T*17`($sp)
 	$PUSH	r16,`$FRAME-$SIZE_T*16`($sp)
@ -365,16 +363,61 @@ $code.=<<___;
 	bne	Lenc_unaligned
 Lenc_unaligned_ok:
 ___
 $code.=<<___ if (!$LITTLE_ENDIAN);
 	lwz	$s0,0($inp)
 	lwz	$s1,4($inp)
 	lwz	$s2,8($inp)
 	lwz	$s3,12($inp)
 ___
 $code.=<<___ if ($LITTLE_ENDIAN);
 	lwz	$t0,0($inp)
 	lwz	$t1,4($inp)
 	lwz	$t2,8($inp)
 	lwz	$t3,12($inp)
 	rotlwi	$s0,$t0,8
 	rotlwi	$s1,$t1,8
 	rotlwi	$s2,$t2,8
 	rotlwi	$s3,$t3,8
 	rlwimi	$s0,$t0,24,0,7
 	rlwimi	$s1,$t1,24,0,7
 	rlwimi	$s2,$t2,24,0,7
 	rlwimi	$s3,$t3,24,0,7
 	rlwimi	$s0,$t0,24,16,23
 	rlwimi	$s1,$t1,24,16,23
 	rlwimi	$s2,$t2,24,16,23
 	rlwimi	$s3,$t3,24,16,23
 ___
 $code.=<<___;
 	bl	LAES_Te
 	bl	Lppc_AES_encrypt_compact
 	$POP	$out,`$FRAME-$SIZE_T*19`($sp)
 ___
 $code.=<<___ if ($LITTLE_ENDIAN);
 	rotlwi	$t0,$s0,8
 	rotlwi	$t1,$s1,8
 	rotlwi	$t2,$s2,8
 	rotlwi	$t3,$s3,8
 	rlwimi	$t0,$s0,24,0,7
 	rlwimi	$t1,$s1,24,0,7
 	rlwimi	$t2,$s2,24,0,7
 	rlwimi	$t3,$s3,24,0,7
 	rlwimi	$t0,$s0,24,16,23
 	rlwimi	$t1,$s1,24,16,23
 	rlwimi	$t2,$s2,24,16,23
 	rlwimi	$t3,$s3,24,16,23
 	stw	$t0,0($out)
 	stw	$t1,4($out)
 	stw	$t2,8($out)
 	stw	$t3,12($out)
 ___
 $code.=<<___ if (!$LITTLE_ENDIAN);
 	stw	$s0,0($out)
 	stw	$s1,4($out)
 	stw	$s2,8($out)
 	stw	$s3,12($out)
 ___
 $code.=<<___;
 	b	Lenc_done
 Lenc_unaligned:
@ -417,6 +460,7 @@ Lenc_xpage:
 	bl	LAES_Te
 	bl	Lppc_AES_encrypt_compact
 	$POP	$out,`$FRAME-$SIZE_T*19`($sp)
 	extrwi	$acc00,$s0,8,0
 	extrwi	$acc01,$s0,8,8
@ -449,8 +493,6 @@ Lenc_xpage:
 Lenc_done:
 	$POP	r0,`$FRAME+$LRSAVE`($sp)
 	$POP	$toc,`$FRAME-$SIZE_T*20`($sp)
 	$POP	r13,`$FRAME-$SIZE_T*19`($sp)
 	$POP	r14,`$FRAME-$SIZE_T*18`($sp)
 	$POP	r15,`$FRAME-$SIZE_T*17`($sp)
 	$POP	r16,`$FRAME-$SIZE_T*16`($sp)
@ -764,6 +806,7 @@ Lenc_compact_done:
 	blr
 	.long	0
 	.byte	0,12,0x14,0,0,0,0,0
 .size	.AES_encrypt,.-.AES_encrypt
 .globl	.AES_decrypt
 .align	7
@ -771,8 +814,7 @@ Lenc_compact_done:
 	$STU	$sp,-$FRAME($sp)
 	mflr	r0
-	$PUSH	$toc,`$FRAME-$SIZE_T*20`($sp)
+	$PUSH	$out,`$FRAME-$SIZE_T*19`($sp)
 	$PUSH	r13,`$FRAME-$SIZE_T*19`($sp)
 	$PUSH	r14,`$FRAME-$SIZE_T*18`($sp)
 	$PUSH	r15,`$FRAME-$SIZE_T*17`($sp)
 	$PUSH	r16,`$FRAME-$SIZE_T*16`($sp)
@ -799,16 +841,61 @@ Lenc_compact_done:
 	bne	Ldec_unaligned
 Ldec_unaligned_ok:
 ___
 $code.=<<___ if (!$LITTLE_ENDIAN);
 	lwz	$s0,0($inp)
 	lwz	$s1,4($inp)
 	lwz	$s2,8($inp)
 	lwz	$s3,12($inp)
 ___
 $code.=<<___ if ($LITTLE_ENDIAN);
 	lwz	$t0,0($inp)
 	lwz	$t1,4($inp)
 	lwz	$t2,8($inp)
 	lwz	$t3,12($inp)
 	rotlwi	$s0,$t0,8
 	rotlwi	$s1,$t1,8
 	rotlwi	$s2,$t2,8
 	rotlwi	$s3,$t3,8
 	rlwimi	$s0,$t0,24,0,7
 	rlwimi	$s1,$t1,24,0,7
 	rlwimi	$s2,$t2,24,0,7
 	rlwimi	$s3,$t3,24,0,7
 	rlwimi	$s0,$t0,24,16,23
 	rlwimi	$s1,$t1,24,16,23
 	rlwimi	$s2,$t2,24,16,23
 	rlwimi	$s3,$t3,24,16,23
 ___
 $code.=<<___;
 	bl	LAES_Td
 	bl	Lppc_AES_decrypt_compact
 	$POP	$out,`$FRAME-$SIZE_T*19`($sp)
 ___
 $code.=<<___ if ($LITTLE_ENDIAN);
 	rotlwi	$t0,$s0,8
 	rotlwi	$t1,$s1,8
 	rotlwi	$t2,$s2,8
 	rotlwi	$t3,$s3,8
 	rlwimi	$t0,$s0,24,0,7
 	rlwimi	$t1,$s1,24,0,7
 	rlwimi	$t2,$s2,24,0,7
 	rlwimi	$t3,$s3,24,0,7
 	rlwimi	$t0,$s0,24,16,23
 	rlwimi	$t1,$s1,24,16,23
 	rlwimi	$t2,$s2,24,16,23
 	rlwimi	$t3,$s3,24,16,23
 	stw	$t0,0($out)
 	stw	$t1,4($out)
 	stw	$t2,8($out)
 	stw	$t3,12($out)
 ___
 $code.=<<___ if (!$LITTLE_ENDIAN);
 	stw	$s0,0($out)
 	stw	$s1,4($out)
 	stw	$s2,8($out)
 	stw	$s3,12($out)
 ___
 $code.=<<___;
 	b	Ldec_done
 Ldec_unaligned:
@ -851,6 +938,7 @@ Ldec_xpage:
 	bl	LAES_Td
 	bl	Lppc_AES_decrypt_compact
 	$POP	$out,`$FRAME-$SIZE_T*19`($sp)
 	extrwi	$acc00,$s0,8,0
 	extrwi	$acc01,$s0,8,8
@ -883,8 +971,6 @@ Ldec_xpage:
 Ldec_done:
 	$POP	r0,`$FRAME+$LRSAVE`($sp)
 	$POP	$toc,`$FRAME-$SIZE_T*20`($sp)
 	$POP	r13,`$FRAME-$SIZE_T*19`($sp)
 	$POP	r14,`$FRAME-$SIZE_T*18`($sp)
 	$POP	r15,`$FRAME-$SIZE_T*17`($sp)
 	$POP	r16,`$FRAME-$SIZE_T*16`($sp)
@ -1355,6 +1441,7 @@ Ldec_compact_done:
 	blr
 	.long	0
 	.byte	0,12,0x14,0,0,0,0,0
 .size	.AES_decrypt,.-.AES_decrypt
 .asciz	"AES for PPC, CRYPTOGAMS by <appro\@openssl.org>"
 .align	7
--- a/crypto/aes/asm/aes-s390x.pl
+++ b/crypto/aes/asm/aes-s390x.pl
@ -783,6 +783,7 @@ $code.=<<___;
 .type	private_AES_set_encrypt_key,\@function
 .align	16
 private_AES_set_encrypt_key:
 _s390x_AES_set_encrypt_key:
 	lghi	$t0,0
 	cl${g}r	$inp,$t0
 	je	.Lminus1
@ -836,7 +837,8 @@ $code.=<<___ if (!$softonly);
 	je	1f
 	lg	%r1,24($inp)
 	stg	%r1,24($key)
-1:	st	$bits,236($key)	# save bits
+1:	st	$bits,236($key)	# save bits [for debugging purposes]
 	lgr	$t0,%r5
 	st	%r5,240($key)	# save km code
 	lghi	%r2,0
 	br	%r14
@ -844,7 +846,7 @@ ___
 $code.=<<___;
 .align	16
 .Lekey_internal:
-	stm${g}	%r6,%r13,6*$SIZE_T($sp)	# all non-volatile regs
+	stm${g}	%r4,%r13,4*$SIZE_T($sp)	# all non-volatile regs and $key
 	larl	$tbl,AES_Te+2048
@ -904,8 +906,9 @@ $code.=<<___;
 	la	$key,16($key)		# key+=4
 	la	$t3,4($t3)		# i++
 	brct	$rounds,.L128_loop
 	lghi	$t0,10
 	lghi	%r2,0
-	lm${g}	%r6,%r13,6*$SIZE_T($sp)
+	lm${g}	%r4,%r13,4*$SIZE_T($sp)
 	br	$ra
 .align	16
@ -952,8 +955,9 @@ $code.=<<___;
 	st	$s2,32($key)
 	st	$s3,36($key)
 	brct	$rounds,.L192_continue
 	lghi	$t0,12
 	lghi	%r2,0
-	lm${g}	%r6,%r13,6*$SIZE_T($sp)
+	lm${g}	%r4,%r13,4*$SIZE_T($sp)
 	br	$ra
 .align	16
@ -1014,8 +1018,9 @@ $code.=<<___;
 	st	$s2,40($key)
 	st	$s3,44($key)
 	brct	$rounds,.L256_continue
 	lghi	$t0,14
 	lghi	%r2,0
-	lm${g}	%r6,%r13,6*$SIZE_T($sp)
+	lm${g}	%r4,%r13,4*$SIZE_T($sp)
 	br	$ra
 .align	16
@ -1066,34 +1071,26 @@ $code.=<<___;
 .type	private_AES_set_decrypt_key,\@function
 .align	16
 private_AES_set_decrypt_key:
-	st${g}	$key,4*$SIZE_T($sp)	# I rely on AES_set_encrypt_key to
+	#st${g}	$key,4*$SIZE_T($sp)	# I rely on AES_set_encrypt_key to
-	st${g}	$ra,14*$SIZE_T($sp)	# save non-volatile registers!
+	st${g}	$ra,14*$SIZE_T($sp)	# save non-volatile registers and $key!
-	bras	$ra,AES_set_encrypt_key
+	bras	$ra,_s390x_AES_set_encrypt_key
-	l${g}	$key,4*$SIZE_T($sp)
+	#l${g}	$key,4*$SIZE_T($sp)
 	l${g}	$ra,14*$SIZE_T($sp)
 	ltgr	%r2,%r2
 	bnzr	$ra
 ___
 $code.=<<___ if (!$softonly);
-	l	$t0,240($key)
+	#l	$t0,240($key)
 	lhi	$t1,16
 	cr	$t0,$t1
 	jl	.Lgo
 	oill	$t0,0x80	# set "decrypt" bit
 	st	$t0,240($key)
 	br	$ra
 .align	16
 .Ldkey_internal:
 	st${g}	$key,4*$SIZE_T($sp)
 	st${g}	$ra,14*$SIZE_T($sp)
 	bras	$ra,.Lekey_internal
 	l${g}	$key,4*$SIZE_T($sp)
 	l${g}	$ra,14*$SIZE_T($sp)
 ___
 $code.=<<___;
-
+.align	16
-.Lgo:	llgf	$rounds,240($key)
+.Lgo:	lgr	$rounds,$t0	#llgf	$rounds,240($key)
 	la	$i1,0($key)
 	sllg	$i2,$rounds,4
 	la	$i2,0($i2,$key)
@ -1601,11 +1598,11 @@ $code.=<<___ if(1);
 	lghi	$s1,0x7f
 	nr	$s1,%r0
 	lghi	%r0,0			# query capability vector
-	la	%r1,2*$SIZE_T($sp)
+	la	%r1,$tweak-16($sp)
 	.long	0xb92e0042		# km %r4,%r2
 	llihh	%r1,0x8000
 	srlg	%r1,%r1,32($s1)		# check for 32+function code
-	ng	%r1,2*$SIZE_T($sp)
+	ng	%r1,$tweak-16($sp)
 	lgr	%r0,$s0			# restore the function code
 	la	%r1,0($key1)		# restore $key1
 	jz	.Lxts_km_vanilla
@ -1631,7 +1628,7 @@ $code.=<<___ if(1);
 	lrvg	$s0,$tweak+0($sp)	# load the last tweak
 	lrvg	$s1,$tweak+8($sp)
-	stmg	%r0,%r3,$tweak-32(%r1)	# wipe copy of the key
+	stmg	%r0,%r3,$tweak-32($sp)	# wipe copy of the key
 	nill	%r0,0xffdf		# switch back to original function code
 	la	%r1,0($key1)		# restore pointer to $key1
@ -1687,11 +1684,9 @@ $code.=<<___;
 	lghi	$i1,0x87
 	srag	$i2,$s1,63		# broadcast upper bit
 	ngr	$i1,$i2			# rem
-	srlg	$i2,$s0,63		# carry bit from lower half
+	algr	$s0,$s0
-	sllg	$s0,$s0,1
+	alcgr	$s1,$s1
 	sllg	$s1,$s1,1
 	xgr	$s0,$i1
 	ogr	$s1,$i2
 .Lxts_km_start:
 	lrvgr	$i1,$s0			# flip byte order
 	lrvgr	$i2,$s1
@ -1748,11 +1743,9 @@ $code.=<<___;
 	lghi	$i1,0x87
 	srag	$i2,$s1,63		# broadcast upper bit
 	ngr	$i1,$i2			# rem
-	srlg	$i2,$s0,63		# carry bit from lower half
+	algr	$s0,$s0
-	sllg	$s0,$s0,1
+	alcgr	$s1,$s1
 	sllg	$s1,$s1,1
 	xgr	$s0,$i1
 	ogr	$s1,$i2
 	ltr	$len,$len		# clear zero flag
 	br	$ra
@ -1784,8 +1777,8 @@ $code.=<<___ if (!$softonly);
 	clr	%r0,%r1
 	jl	.Lxts_enc_software
 	st${g}	$ra,5*$SIZE_T($sp)
 	stm${g}	%r6,$s3,6*$SIZE_T($sp)
 	st${g}	$ra,14*$SIZE_T($sp)
 	sllg	$len,$len,4		# $len&=~15
 	slgr	$out,$inp
@ -1833,9 +1826,9 @@ $code.=<<___ if (!$softonly);
 	stg	$i2,8($i3)
 .Lxts_enc_km_done:
-	l${g}	$ra,14*$SIZE_T($sp)
+	stg	$sp,$tweak+0($sp)	# wipe tweak
-	st${g}	$sp,$tweak($sp)		# wipe tweak
+	stg	$sp,$tweak+8($sp)
-	st${g}	$sp,$tweak($sp)
+	l${g}	$ra,5*$SIZE_T($sp)
 	lm${g}	%r6,$s3,6*$SIZE_T($sp)
 	br	$ra
 .align	16
@ -1846,12 +1839,11 @@ $code.=<<___;
 	slgr	$out,$inp
-	xgr	$s0,$s0			# clear upper half
+	l${g}	$s3,$stdframe($sp)	# ivp
-	xgr	$s1,$s1
+	llgf	$s0,0($s3)		# load iv
-	lrv	$s0,$stdframe+4($sp)	# load secno
+	llgf	$s1,4($s3)
-	lrv	$s1,$stdframe+0($sp)
+	llgf	$s2,8($s3)
-	xgr	$s2,$s2
+	llgf	$s3,12($s3)
 	xgr	$s3,$s3
 	stm${g}	%r2,%r5,2*$SIZE_T($sp)
 	la	$key,0($key2)
 	larl	$tbl,AES_Te
@ -1867,11 +1859,9 @@ $code.=<<___;
 	lghi	%r1,0x87
 	srag	%r0,$s3,63		# broadcast upper bit
 	ngr	%r1,%r0			# rem
-	srlg	%r0,$s1,63		# carry bit from lower half
+	algr	$s1,$s1
-	sllg	$s1,$s1,1
+	alcgr	$s3,$s3
 	sllg	$s3,$s3,1
 	xgr	$s1,%r1
 	ogr	$s3,%r0
 	lrvgr	$s1,$s1			# flip byte order
 	lrvgr	$s3,$s3
 	srlg	$s0,$s1,32		# smash the tweak to 4x32-bits 
@ -1920,11 +1910,9 @@ $code.=<<___;
 	lghi	%r1,0x87
 	srag	%r0,$s3,63		# broadcast upper bit
 	ngr	%r1,%r0			# rem
-	srlg	%r0,$s1,63		# carry bit from lower half
+	algr	$s1,$s1
-	sllg	$s1,$s1,1
+	alcgr	$s3,$s3
 	sllg	$s3,$s3,1
 	xgr	$s1,%r1
 	ogr	$s3,%r0
 	lrvgr	$s1,$s1			# flip byte order
 	lrvgr	$s3,$s3
 	srlg	$s0,$s1,32		# smash the tweak to 4x32-bits 
@ -1959,7 +1947,8 @@ $code.=<<___;
 .size	AES_xts_encrypt,.-AES_xts_encrypt
 ___
 # void AES_xts_decrypt(const char *inp,char *out,size_t len,
-#	const AES_KEY *key1, const AES_KEY *key2,u64 secno);
+#	const AES_KEY *key1, const AES_KEY *key2,
 #	const unsigned char iv[16]);
 #
 $code.=<<___;
 .globl	AES_xts_decrypt
@ -1991,8 +1980,8 @@ $code.=<<___ if (!$softonly);
 	clr	%r0,%r1
 	jl	.Lxts_dec_software
 	st${g}	$ra,5*$SIZE_T($sp)
 	stm${g}	%r6,$s3,6*$SIZE_T($sp)
 	st${g}	$ra,14*$SIZE_T($sp)
 	nill	$len,0xfff0		# $len&=~15
 	slgr	$out,$inp
@ -2031,11 +2020,9 @@ $code.=<<___ if (!$softonly);
 	lghi	$i1,0x87
 	srag	$i2,$s1,63		# broadcast upper bit
 	ngr	$i1,$i2			# rem
-	srlg	$i2,$s0,63		# carry bit from lower half
+	algr	$s0,$s0
-	sllg	$s0,$s0,1
+	alcgr	$s1,$s1
 	sllg	$s1,$s1,1
 	xgr	$s0,$i1
 	ogr	$s1,$i2
 	lrvgr	$i1,$s0			# flip byte order
 	lrvgr	$i2,$s1
@ -2078,9 +2065,9 @@ $code.=<<___ if (!$softonly);
 	stg	$s2,0($i3)
 	stg	$s3,8($i3)
 .Lxts_dec_km_done:
-	l${g}	$ra,14*$SIZE_T($sp)
+	stg	$sp,$tweak+0($sp)	# wipe tweak
-	st${g}	$sp,$tweak($sp)		# wipe tweak
+	stg	$sp,$tweak+8($sp)
-	st${g}	$sp,$tweak($sp)
+	l${g}	$ra,5*$SIZE_T($sp)
 	lm${g}	%r6,$s3,6*$SIZE_T($sp)
 	br	$ra
 .align	16
@ -2092,12 +2079,11 @@ $code.=<<___;
 	srlg	$len,$len,4
 	slgr	$out,$inp
-	xgr	$s0,$s0			# clear upper half
+	l${g}	$s3,$stdframe($sp)	# ivp
-	xgr	$s1,$s1
+	llgf	$s0,0($s3)		# load iv
-	lrv	$s0,$stdframe+4($sp)	# load secno
+	llgf	$s1,4($s3)
-	lrv	$s1,$stdframe+0($sp)
+	llgf	$s2,8($s3)
-	xgr	$s2,$s2
+	llgf	$s3,12($s3)
 	xgr	$s3,$s3
 	stm${g}	%r2,%r5,2*$SIZE_T($sp)
 	la	$key,0($key2)
 	larl	$tbl,AES_Te
@ -2116,11 +2102,9 @@ $code.=<<___;
 	lghi	%r1,0x87
 	srag	%r0,$s3,63		# broadcast upper bit
 	ngr	%r1,%r0			# rem
-	srlg	%r0,$s1,63		# carry bit from lower half
+	algr	$s1,$s1
-	sllg	$s1,$s1,1
+	alcgr	$s3,$s3
 	sllg	$s3,$s3,1
 	xgr	$s1,%r1
 	ogr	$s3,%r0
 	lrvgr	$s1,$s1			# flip byte order
 	lrvgr	$s3,$s3
 	srlg	$s0,$s1,32		# smash the tweak to 4x32-bits 
@ -2159,11 +2143,9 @@ $code.=<<___;
 	lghi	%r1,0x87
 	srag	%r0,$s3,63		# broadcast upper bit
 	ngr	%r1,%r0			# rem
-	srlg	%r0,$s1,63		# carry bit from lower half
+	algr	$s1,$s1
-	sllg	$s1,$s1,1
+	alcgr	$s3,$s3
 	sllg	$s3,$s3,1
 	xgr	$s1,%r1
 	ogr	$s3,%r0
 	lrvgr	$i2,$s1			# flip byte order
 	lrvgr	$i3,$s3
 	stmg	$i2,$i3,$tweak($sp)	# save the 1st tweak
@ -2179,11 +2161,9 @@ $code.=<<___;
 	lghi	%r1,0x87
 	srag	%r0,$s3,63		# broadcast upper bit
 	ngr	%r1,%r0			# rem
-	srlg	%r0,$s1,63		# carry bit from lower half
+	algr	$s1,$s1
-	sllg	$s1,$s1,1
+	alcgr	$s3,$s3
 	sllg	$s3,$s3,1
 	xgr	$s1,%r1
 	ogr	$s3,%r0
 	lrvgr	$s1,$s1			# flip byte order
 	lrvgr	$s3,$s3
 	srlg	$s0,$s1,32		# smash the tweak to 4x32-bits
--- a/crypto/aes/asm/aes-x86_64.pl
+++ b/crypto/aes/asm/aes-x86_64.pl
@ -19,9 +19,10 @@
 # Performance in number of cycles per processed byte for 128-bit key:
 #
 #		ECB encrypt	ECB decrypt	CBC large chunk
-# AMD64		33		41		13.0
+# AMD64		33		43		13.0
-# EM64T		38		59		18.6(*)
+# EM64T		38		56		18.6(*)
-# Core 2	30		43		14.5(*)
+# Core 2	30		42		14.5(*)
 # Atom		65		86		32.1(*)
 #
 # (*) with hyper-threading off
@ -36,7 +37,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
 die "can't locate x86_64-xlate.pl";
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
 *STDOUT=*OUT;
 $verticalspin=1;	# unlike 32-bit version $verticalspin performs
 			# ~15% better on both AMD and Intel cores
@ -365,68 +367,66 @@ $code.=<<___;
 	movzb	`&lo("$s0")`,$t0
 	movzb	`&lo("$s1")`,$t1
 	movzb	`&lo("$s2")`,$t2
 	movzb	($sbox,$t0,1),$t0
 	movzb	($sbox,$t1,1),$t1
 	movzb	($sbox,$t2,1),$t2
 	movzb	`&lo("$s3")`,$t3
 	movzb	`&hi("$s1")`,$acc0
 	movzb	`&hi("$s2")`,$acc1
 	movzb	($sbox,$t3,1),$t3
 	movzb	($sbox,$acc0,1),$t4	#$t0
 	movzb	($sbox,$acc1,1),$t5	#$t1
 	movzb	`&hi("$s3")`,$acc2
 	movzb	`&hi("$s0")`,$acc0
 	shr	\$16,$s2
 	movzb	`&hi("$s3")`,$acc2
 	movzb	($sbox,$t0,1),$t0
 	movzb	($sbox,$t1,1),$t1
 	movzb	($sbox,$t2,1),$t2
 	movzb	($sbox,$t3,1),$t3
 	movzb	($sbox,$acc0,1),$t4	#$t0
 	movzb	`&hi("$s0")`,$acc0
 	movzb	($sbox,$acc1,1),$t5	#$t1
 	movzb	`&lo("$s2")`,$acc1
 	movzb	($sbox,$acc2,1),$acc2	#$t2
 	movzb	($sbox,$acc0,1),$acc0	#$t3
 	shr	\$16,$s3
 	movzb	`&lo("$s2")`,$acc1
 	shl	\$8,$t4
 	shr	\$16,$s3
 	shl	\$8,$t5
 	movzb	($sbox,$acc1,1),$acc1	#$t0
 	xor	$t4,$t0
 	xor	$t5,$t1
 	movzb	`&lo("$s3")`,$t4
 	shr	\$16,$s0
 	movzb	`&lo("$s3")`,$t4
 	shr	\$16,$s1
-	movzb	`&lo("$s0")`,$t5
+	xor	$t5,$t1
 	shl	\$8,$acc2
-	shl	\$8,$acc0
+	movzb	`&lo("$s0")`,$t5
-	movzb	($sbox,$t4,1),$t4	#$t1
+	movzb	($sbox,$acc1,1),$acc1	#$t0
 	movzb	($sbox,$t5,1),$t5	#$t2
 	xor	$acc2,$t2
 	xor	$acc0,$t3
 	shl	\$8,$acc0
 	movzb	`&lo("$s1")`,$acc2
 	movzb	`&hi("$s3")`,$acc0
 	shl	\$16,$acc1
-	movzb	($sbox,$acc2,1),$acc2	#$t3
+	xor	$acc0,$t3
-	movzb	($sbox,$acc0,1),$acc0	#$t0
+	movzb	($sbox,$t4,1),$t4	#$t1
 	movzb	`&hi("$s3")`,$acc0
 	movzb	($sbox,$t5,1),$t5	#$t2
 	xor	$acc1,$t0
 	movzb	`&hi("$s0")`,$acc1
 	shr	\$8,$s2
 	movzb	`&hi("$s0")`,$acc1
 	shl	\$16,$t4
 	shr	\$8,$s1
 	shl	\$16,$t5
 	xor	$t4,$t1
 	movzb	($sbox,$acc2,1),$acc2	#$t3
 	movzb	($sbox,$acc0,1),$acc0	#$t0
 	movzb	($sbox,$acc1,1),$acc1	#$t1
 	movzb	($sbox,$s2,1),$s3	#$t3
 	movzb	($sbox,$s1,1),$s2	#$t2
 	shl	\$16,$t4
 	shl	\$16,$t5
 	shl	\$16,$acc2
 	xor	$t4,$t1
 	xor	$t5,$t2
 	xor	$acc2,$t3
 	shl	\$16,$acc2
 	xor	$t5,$t2
 	shl	\$24,$acc0
 	xor	$acc2,$t3
 	shl	\$24,$acc1
 	shl	\$24,$s3
 	xor	$acc0,$t0
-	shl	\$24,$s2
+	shl	\$24,$s3
 	xor	$acc1,$t1
 	shl	\$24,$s2
 	mov	$t0,$s0
 	mov	$t1,$s1
 	xor	$t2,$s2
@ -465,12 +465,12 @@ sub enctransform()
 { my ($t3,$r20,$r21)=($acc2,"%r8d","%r9d");
 $code.=<<___;
-	mov	$s0,$acc0
+	mov	\$0x80808080,$t0
-	mov	$s1,$acc1
+	mov	\$0x80808080,$t1
-	and	\$0x80808080,$acc0
+	and	$s0,$t0
-	and	\$0x80808080,$acc1
+	and	$s1,$t1
-	mov	$acc0,$t0
+	mov	$t0,$acc0
-	mov	$acc1,$t1
+	mov	$t1,$acc1
 	shr	\$7,$t0
 	lea	($s0,$s0),$r20
 	shr	\$7,$t1
@ -488,25 +488,25 @@ $code.=<<___;
 	xor	$r20,$s0
 	xor	$r21,$s1
-	 mov	$s2,$acc0
+	 mov	\$0x80808080,$t2
 	 mov	$s3,$acc1
 	rol	\$24,$s0
 	 mov	\$0x80808080,$t3
 	rol	\$24,$s1
-	 and	\$0x80808080,$acc0
+	 and	$s2,$t2
-	 and	\$0x80808080,$acc1
+	 and	$s3,$t3
 	xor	$r20,$s0
 	xor	$r21,$s1
-	 mov	$acc0,$t2
+	 mov	$t2,$acc0
 	 mov	$acc1,$t3
 	ror	\$16,$t0
 	 mov	$t3,$acc1
 	ror	\$16,$t1
 	 shr	\$7,$t2
 	 lea	($s2,$s2),$r20
 	 shr	\$7,$t2
 	xor	$t0,$s0
 	xor	$t1,$s1
 	 shr	\$7,$t3
-	 lea	($s3,$s3),$r21
+	xor	$t1,$s1
 	ror	\$8,$t0
 	 lea	($s3,$s3),$r21
 	ror	\$8,$t1
 	 sub	$t2,$acc0
 	 sub	$t3,$acc1
@ -522,23 +522,23 @@ $code.=<<___;
 	xor	$acc0,$r20
 	xor	$acc1,$r21
 	ror	\$16,$t2
 	xor	$r20,$s2
 	ror	\$16,$t3
 	xor	$r21,$s3
 	rol	\$24,$s2
 	mov	0($sbox),$acc0			# prefetch Te4
 	rol	\$24,$s3
 	xor	$r20,$s2
 	xor	$r21,$s3
 	mov	0($sbox),$acc0			# prefetch Te4
 	ror	\$16,$t2
 	ror	\$16,$t3
 	mov	64($sbox),$acc1
-	xor	$t2,$s2
+	xor	$r21,$s3
 	xor	$t3,$s3
 	mov	128($sbox),$r20
 	ror	\$8,$t2
 	ror	\$8,$t3
 	mov	192($sbox),$r21
 	xor	$t2,$s2
 	ror	\$8,$t2
 	xor	$t3,$s3
 	ror	\$8,$t3
 	xor	$t2,$s2
 	mov	192($sbox),$r21
 	xor	$t3,$s3
 ___
 }
@ -935,70 +935,69 @@ $code.=<<___;
 	movzb	`&lo("$s0")`,$t0
 	movzb	`&lo("$s1")`,$t1
 	movzb	`&lo("$s2")`,$t2
 	movzb	($sbox,$t0,1),$t0
 	movzb	($sbox,$t1,1),$t1
 	movzb	($sbox,$t2,1),$t2
 	movzb	`&lo("$s3")`,$t3
 	movzb	`&hi("$s3")`,$acc0
 	movzb	`&hi("$s0")`,$acc1
-	movzb	($sbox,$t3,1),$t3
+	shr	\$16,$s3
 	movzb	($sbox,$acc0,1),$t4	#$t0
 	movzb	($sbox,$acc1,1),$t5	#$t1
 	movzb	`&hi("$s1")`,$acc2
 	movzb	($sbox,$t0,1),$t0
 	movzb	($sbox,$t1,1),$t1
 	movzb	($sbox,$t2,1),$t2
 	movzb	($sbox,$t3,1),$t3
 	movzb	($sbox,$acc0,1),$t4	#$t0
 	movzb	`&hi("$s2")`,$acc0
-	shr	\$16,$s2
+	movzb	($sbox,$acc1,1),$t5	#$t1
 	movzb	($sbox,$acc2,1),$acc2	#$t2
 	movzb	($sbox,$acc0,1),$acc0	#$t3
 	shr	\$16,$s3
-	movzb	`&lo("$s2")`,$acc1
+	shr	\$16,$s2
 	shl	\$8,$t4
 	shl	\$8,$t5
-	movzb	($sbox,$acc1,1),$acc1	#$t0
+	shl	\$8,$t4
-	xor	$t4,$t0
+	movzb	`&lo("$s2")`,$acc1
 	xor	$t5,$t1
 	movzb	`&lo("$s3")`,$t4
 	shr	\$16,$s0
 	xor	$t4,$t0
 	shr	\$16,$s1
-	movzb	`&lo("$s0")`,$t5
+	movzb	`&lo("$s3")`,$t4
 	shl	\$8,$acc2
 	xor	$t5,$t1
 	shl	\$8,$acc0
-	movzb	($sbox,$t4,1),$t4	#$t1
+	movzb	`&lo("$s0")`,$t5
-	movzb	($sbox,$t5,1),$t5	#$t2
+	movzb	($sbox,$acc1,1),$acc1	#$t0
 	xor	$acc2,$t2
 	xor	$acc0,$t3
 	movzb	`&lo("$s1")`,$acc2
 	movzb	`&hi("$s1")`,$acc0
 	shl	\$16,$acc1
 	movzb	($sbox,$acc2,1),$acc2	#$t3
 	movzb	($sbox,$acc0,1),$acc0	#$t0
 	xor	$acc1,$t0
 	shl	\$16,$acc1
 	xor	$acc0,$t3
 	movzb	($sbox,$t4,1),$t4	#$t1
 	movzb	`&hi("$s1")`,$acc0
 	movzb	($sbox,$acc2,1),$acc2	#$t3
 	xor	$acc1,$t0
 	movzb	($sbox,$t5,1),$t5	#$t2
 	movzb	`&hi("$s2")`,$acc1
 	shl	\$16,$acc2
 	shl	\$16,$t4
 	shl	\$16,$t5
-	movzb	($sbox,$acc1,1),$s1	#$t1
+	xor	$acc2,$t3
 	movzb	`&hi("$s3")`,$acc2
 	xor	$t4,$t1
 	shr	\$8,$s0
 	xor	$t5,$t2
-	movzb	`&hi("$s3")`,$acc1
+	movzb	($sbox,$acc0,1),$acc0	#$t0
-	shr	\$8,$s0
+	movzb	($sbox,$acc1,1),$s1	#$t1
-	shl	\$16,$acc2
+	movzb	($sbox,$acc2,1),$s2	#$t2
 	movzb	($sbox,$acc1,1),$s2	#$t2
 	movzb	($sbox,$s0,1),$s3	#$t3
 	xor	$acc2,$t3
 	mov	$t0,$s0
 	shl	\$24,$acc0
 	shl	\$24,$s1
 	shl	\$24,$s2
-	xor	$acc0,$t0
+	xor	$acc0,$s0
 	shl	\$24,$s3
 	xor	$t1,$s1
 	mov	$t0,$s0
 	xor	$t2,$s2
 	xor	$t3,$s3
 ___
@ -1013,12 +1012,12 @@ sub dectransform()
  my $prefetch = shift;
 $code.=<<___;
-	mov	$tp10,$acc0
+	mov	$mask80,$tp40
-	mov	$tp18,$acc8
+	mov	$mask80,$tp48
-	and	$mask80,$acc0
+	and	$tp10,$tp40
-	and	$mask80,$acc8
+	and	$tp18,$tp48
-	mov	$acc0,$tp40
+	mov	$tp40,$acc0
-	mov	$acc8,$tp48
+	mov	$tp48,$acc8
 	shr	\$7,$tp40
 	lea	($tp10,$tp10),$tp20
 	shr	\$7,$tp48
@ -1029,15 +1028,15 @@ $code.=<<___;
 	and	$maskfe,$tp28
 	and	$mask1b,$acc0
 	and	$mask1b,$acc8
-	xor	$tp20,$acc0
+	xor	$acc0,$tp20
-	xor	$tp28,$acc8
+	xor	$acc8,$tp28
-	mov	$acc0,$tp20
+	mov	$mask80,$tp80
-	mov	$acc8,$tp28
+	mov	$mask80,$tp88
-	and	$mask80,$acc0
+	and	$tp20,$tp80
-	and	$mask80,$acc8
+	and	$tp28,$tp88
-	mov	$acc0,$tp80
+	mov	$tp80,$acc0
-	mov	$acc8,$tp88
+	mov	$tp88,$acc8
 	shr	\$7,$tp80
 	lea	($tp20,$tp20),$tp40
 	shr	\$7,$tp88
@ -1048,15 +1047,15 @@ $code.=<<___;
 	and	$maskfe,$tp48
 	and	$mask1b,$acc0
 	and	$mask1b,$acc8
-	xor	$tp40,$acc0
+	xor	$acc0,$tp40
-	xor	$tp48,$acc8
+	xor	$acc8,$tp48
-	mov	$acc0,$tp40
+	mov	$mask80,$tp80
-	mov	$acc8,$tp48
+	mov	$mask80,$tp88
-	and	$mask80,$acc0
+	and	$tp40,$tp80
-	and	$mask80,$acc8
+	and	$tp48,$tp88
-	mov	$acc0,$tp80
+	mov	$tp80,$acc0
-	mov	$acc8,$tp88
+	mov	$tp88,$acc8
 	shr	\$7,$tp80
 	 xor	$tp10,$tp20		# tp2^=tp1
 	shr	\$7,$tp88
@ -1081,51 +1080,51 @@ $code.=<<___;
 	mov	$tp10,$acc0
 	mov	$tp18,$acc8
 	xor	$tp80,$tp40		# tp4^tp1^=tp8
 	xor	$tp88,$tp48		# tp4^tp1^=tp8
 	shr	\$32,$acc0
 	xor	$tp88,$tp48		# tp4^tp1^=tp8
 	shr	\$32,$acc8
 	xor	$tp20,$tp80		# tp8^=tp8^tp2^tp1=tp2^tp1
 	xor	$tp28,$tp88		# tp8^=tp8^tp2^tp1=tp2^tp1
 	rol	\$8,`&LO("$tp10")`	# ROTATE(tp1^tp8,8)
 	xor	$tp28,$tp88		# tp8^=tp8^tp2^tp1=tp2^tp1
 	rol	\$8,`&LO("$tp18")`	# ROTATE(tp1^tp8,8)
 	xor	$tp40,$tp80		# tp2^tp1^=tp8^tp4^tp1=tp8^tp4^tp2
 	rol	\$8,`&LO("$acc0")`	# ROTATE(tp1^tp8,8)
 	xor	$tp48,$tp88		# tp2^tp1^=tp8^tp4^tp1=tp8^tp4^tp2
 	rol	\$8,`&LO("$acc0")`	# ROTATE(tp1^tp8,8)
 	rol	\$8,`&LO("$acc8")`	# ROTATE(tp1^tp8,8)
 	xor	`&LO("$tp80")`,`&LO("$tp10")`
 	xor	`&LO("$tp88")`,`&LO("$tp18")`
 	shr	\$32,$tp80
 	xor	`&LO("$tp88")`,`&LO("$tp18")`
 	shr	\$32,$tp88
 	xor	`&LO("$tp80")`,`&LO("$acc0")`
 	xor	`&LO("$tp88")`,`&LO("$acc8")`
 	mov	$tp20,$tp80
 	mov	$tp28,$tp88
 	shr	\$32,$tp80
 	shr	\$32,$tp88
 	rol	\$24,`&LO("$tp20")`	# ROTATE(tp2^tp1^tp8,24)
 	mov	$tp28,$tp88
 	rol	\$24,`&LO("$tp28")`	# ROTATE(tp2^tp1^tp8,24)
-	rol	\$24,`&LO("$tp80")`	# ROTATE(tp2^tp1^tp8,24)
+	shr	\$32,$tp80
 	rol	\$24,`&LO("$tp88")`	# ROTATE(tp2^tp1^tp8,24)
 	xor	`&LO("$tp20")`,`&LO("$tp10")`
 	shr	\$32,$tp88
 	xor	`&LO("$tp28")`,`&LO("$tp18")`
 	rol	\$24,`&LO("$tp80")`	# ROTATE(tp2^tp1^tp8,24)
 	mov	$tp40,$tp20
 	rol	\$24,`&LO("$tp88")`	# ROTATE(tp2^tp1^tp8,24)
 	mov	$tp48,$tp28
 	shr	\$32,$tp20
 	xor	`&LO("$tp80")`,`&LO("$acc0")`
 	shr	\$32,$tp28
 	xor	`&LO("$tp88")`,`&LO("$acc8")`
 	`"mov	0($sbox),$mask80"	if ($prefetch)`
 	shr	\$32,$tp20
 	shr	\$32,$tp28
 	`"mov	64($sbox),$maskfe"	if ($prefetch)`
 	rol	\$16,`&LO("$tp40")`	# ROTATE(tp4^tp1^tp8,16)
 	`"mov	64($sbox),$maskfe"	if ($prefetch)`
 	rol	\$16,`&LO("$tp48")`	# ROTATE(tp4^tp1^tp8,16)
 	`"mov	128($sbox),$mask1b"	if ($prefetch)`
 	rol	\$16,`&LO("$tp20")`	# ROTATE(tp4^tp1^tp8,16)
 	rol	\$16,`&LO("$tp28")`	# ROTATE(tp4^tp1^tp8,16)
 	`"mov	192($sbox),$tp80"	if ($prefetch)`
 	xor	`&LO("$tp40")`,`&LO("$tp10")`
 	rol	\$16,`&LO("$tp28")`	# ROTATE(tp4^tp1^tp8,16)
 	xor	`&LO("$tp48")`,`&LO("$tp18")`
 	`"mov	256($sbox),$tp88"	if ($prefetch)`
 	xor	`&LO("$tp20")`,`&LO("$acc0")`
@ -1301,10 +1300,6 @@ private_AES_set_encrypt_key:
 	call	_x86_64_AES_set_encrypt_key
 	mov	8(%rsp),%r15
 	mov	16(%rsp),%r14
 	mov	24(%rsp),%r13
 	mov	32(%rsp),%r12
 	mov	40(%rsp),%rbp
 	mov	48(%rsp),%rbx
 	add	\$56,%rsp
--- a/crypto/aes/asm/aesni-mb-x86_64.pl
+++ b/crypto/aes/asm/aesni-mb-x86_64.pl
--- a/crypto/aes/asm/aesni-sha1-x86_64.pl
+++ b/crypto/aes/asm/aesni-sha1-x86_64.pl
--- a/crypto/aes/asm/aesni-sha256-x86_64.pl
+++ b/crypto/aes/asm/aesni-sha256-x86_64.pl
--- a/crypto/aes/asm/aesni-x86.pl
+++ b/crypto/aes/asm/aesni-x86.pl
@ -1,7 +1,7 @@
 #!/usr/bin/env perl
 # ====================================================================
-# Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
+# Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
 # project. The module is, however, dual licensed under OpenSSL and
 # CRYPTOGAMS licenses depending on where you obtain it. For further
 # details see http://www.openssl.org/~appro/cryptogams/.
@ -43,6 +43,17 @@
 # Add aesni_xts_[en|de]crypt. Westmere spends 1.50 cycles processing
 # one byte out of 8KB with 128-bit key, Sandy Bridge - 1.09.
 ######################################################################
 # Current large-block performance in cycles per byte processed with
 # 128-bit key (less is better).
 #
 #		CBC en-/decrypt	CTR	XTS	ECB
 # Westmere	3.77/1.37	1.37	1.52	1.27
 # * Bridge	5.07/0.98	0.99	1.09	0.91
 # Haswell	4.44/0.80	0.97	1.03	0.72
 # Atom		5.77/3.56	3.67	4.03	3.46
 # Bulldozer	5.80/0.98	1.05	1.24	0.93
 $PREFIX="aesni";	# if $PREFIX is set to "AES", the script
 			# generates drop-in replacement for
 			# crypto/aes/asm/aes-586.pl:-)
@ -54,8 +65,8 @@ require "x86asm.pl";
 &asm_init($ARGV[0],$0);
-if ($PREFIX eq "aesni")	{ $movekey=*movups; }
+if ($PREFIX eq "aesni")	{ $movekey=\&movups; }
-else			{ $movekey=*movups; }
+else			{ $movekey=\&movups; }
 $len="eax";
 $rounds="ecx";
@ -196,37 +207,71 @@ sub aesni_generate1	# fully unrolled loop
 # every *2nd* cycle. Thus 3x interleave was the one providing optimal
 # utilization, i.e. when subroutine's throughput is virtually same as
 # of non-interleaved subroutine [for number of input blocks up to 3].
-# This is why it makes no sense to implement 2x subroutine.
+# This is why it originally made no sense to implement 2x subroutine.
-# aes[enc|dec] latency in next processor generation is 8, but the
+# But times change and it became appropriate to spend extra 192 bytes
-# instructions can be scheduled every cycle. Optimal interleave for
+# on 2x subroutine on Atom Silvermont account. For processors that
-# new processor is therefore 8x, but it's unfeasible to accommodate it
+# can schedule aes[enc|dec] every cycle optimal interleave factor
-# in XMM registers addreassable in 32-bit mode and therefore 6x is
+# equals to corresponding instructions latency. 8x is optimal for
-# used instead...
+# * Bridge, but it's unfeasible to accommodate such implementation
 # in XMM registers addreassable in 32-bit mode and therefore maximum
 # of 6x is used instead...
 sub aesni_generate2
 { my $p=shift;
    &function_begin_B("_aesni_${p}rypt2");
 	&$movekey	($rndkey0,&QWP(0,$key));
 	&shl		($rounds,4);
 	&$movekey	($rndkey1,&QWP(16,$key));
 	&xorps		($inout0,$rndkey0);
 	&pxor		($inout1,$rndkey0);
 	&$movekey	($rndkey0,&QWP(32,$key));
 	&lea		($key,&DWP(32,$key,$rounds));
 	&neg		($rounds);
 	&add		($rounds,16);
    &set_label("${p}2_loop");
 	eval"&aes${p}	($inout0,$rndkey1)";
 	eval"&aes${p}	($inout1,$rndkey1)";
 	&$movekey	($rndkey1,&QWP(0,$key,$rounds));
 	&add		($rounds,32);
 	eval"&aes${p}	($inout0,$rndkey0)";
 	eval"&aes${p}	($inout1,$rndkey0)";
 	&$movekey	($rndkey0,&QWP(-16,$key,$rounds));
 	&jnz		(&label("${p}2_loop"));
    eval"&aes${p}	($inout0,$rndkey1)";
    eval"&aes${p}	($inout1,$rndkey1)";
    eval"&aes${p}last	($inout0,$rndkey0)";
    eval"&aes${p}last	($inout1,$rndkey0)";
    &ret();
    &function_end_B("_aesni_${p}rypt2");
 }
 sub aesni_generate3
 { my $p=shift;
    &function_begin_B("_aesni_${p}rypt3");
 	&$movekey	($rndkey0,&QWP(0,$key));
-	&shr		($rounds,1);
+	&shl		($rounds,4);
 	&$movekey	($rndkey1,&QWP(16,$key));
 	&lea		($key,&DWP(32,$key));
 	&xorps		($inout0,$rndkey0);
 	&pxor		($inout1,$rndkey0);
 	&pxor		($inout2,$rndkey0);
-	&$movekey	($rndkey0,&QWP(0,$key));
+	&$movekey	($rndkey0,&QWP(32,$key));
 	&lea		($key,&DWP(32,$key,$rounds));
 	&neg		($rounds);
 	&add		($rounds,16);
    &set_label("${p}3_loop");
 	eval"&aes${p}	($inout0,$rndkey1)";
 	eval"&aes${p}	($inout1,$rndkey1)";
 	&dec		($rounds);
 	eval"&aes${p}	($inout2,$rndkey1)";
-	&$movekey	($rndkey1,&QWP(16,$key));
+	&$movekey	($rndkey1,&QWP(0,$key,$rounds));
 	&add		($rounds,32);
 	eval"&aes${p}	($inout0,$rndkey0)";
 	eval"&aes${p}	($inout1,$rndkey0)";
 	&lea		($key,&DWP(32,$key));
 	eval"&aes${p}	($inout2,$rndkey0)";
-	&$movekey	($rndkey0,&QWP(0,$key));
+	&$movekey	($rndkey0,&QWP(-16,$key,$rounds));
 	&jnz		(&label("${p}3_loop"));
    eval"&aes${p}	($inout0,$rndkey1)";
    eval"&aes${p}	($inout1,$rndkey1)";
@ -248,27 +293,29 @@ sub aesni_generate4
    &function_begin_B("_aesni_${p}rypt4");
 	&$movekey	($rndkey0,&QWP(0,$key));
 	&$movekey	($rndkey1,&QWP(16,$key));
-	&shr		($rounds,1);
+	&shl		($rounds,4);
 	&lea		($key,&DWP(32,$key));
 	&xorps		($inout0,$rndkey0);
 	&pxor		($inout1,$rndkey0);
 	&pxor		($inout2,$rndkey0);
 	&pxor		($inout3,$rndkey0);
-	&$movekey	($rndkey0,&QWP(0,$key));
+	&$movekey	($rndkey0,&QWP(32,$key));
 	&lea		($key,&DWP(32,$key,$rounds));
 	&neg		($rounds);
 	&data_byte	(0x0f,0x1f,0x40,0x00);
 	&add		($rounds,16);
    &set_label("${p}4_loop");
 	eval"&aes${p}	($inout0,$rndkey1)";
 	eval"&aes${p}	($inout1,$rndkey1)";
 	&dec		($rounds);
 	eval"&aes${p}	($inout2,$rndkey1)";
 	eval"&aes${p}	($inout3,$rndkey1)";
-	&$movekey	($rndkey1,&QWP(16,$key));
+	&$movekey	($rndkey1,&QWP(0,$key,$rounds));
 	&add		($rounds,32);
 	eval"&aes${p}	($inout0,$rndkey0)";
 	eval"&aes${p}	($inout1,$rndkey0)";
 	&lea		($key,&DWP(32,$key));
 	eval"&aes${p}	($inout2,$rndkey0)";
 	eval"&aes${p}	($inout3,$rndkey0)";
-	&$movekey	($rndkey0,&QWP(0,$key));
+	&$movekey	($rndkey0,&QWP(-16,$key,$rounds));
    &jnz		(&label("${p}4_loop"));
    eval"&aes${p}	($inout0,$rndkey1)";
@ -289,43 +336,43 @@ sub aesni_generate6
    &function_begin_B("_aesni_${p}rypt6");
    &static_label("_aesni_${p}rypt6_enter");
 	&$movekey	($rndkey0,&QWP(0,$key));
-	&shr		($rounds,1);
+	&shl		($rounds,4);
 	&$movekey	($rndkey1,&QWP(16,$key));
 	&lea		($key,&DWP(32,$key));
 	&xorps		($inout0,$rndkey0);
 	&pxor		($inout1,$rndkey0);	# pxor does better here
 	eval"&aes${p}	($inout0,$rndkey1)";
 	&pxor		($inout2,$rndkey0);
-	eval"&aes${p}	($inout1,$rndkey1)";
+	eval"&aes${p}	($inout0,$rndkey1)";
 	&pxor		($inout3,$rndkey0);
 	&dec		($rounds);
 	eval"&aes${p}	($inout2,$rndkey1)";
 	&pxor		($inout4,$rndkey0);
-	eval"&aes${p}	($inout3,$rndkey1)";
+	eval"&aes${p}	($inout1,$rndkey1)";
 	&lea		($key,&DWP(32,$key,$rounds));
 	&neg		($rounds);
 	eval"&aes${p}	($inout2,$rndkey1)";
 	&pxor		($inout5,$rndkey0);
 	&add		($rounds,16);
 	eval"&aes${p}	($inout3,$rndkey1)";
 	eval"&aes${p}	($inout4,$rndkey1)";
 	&$movekey	($rndkey0,&QWP(0,$key));
 	eval"&aes${p}	($inout5,$rndkey1)";
 	&$movekey	($rndkey0,&QWP(-16,$key,$rounds));
 	&jmp		(&label("_aesni_${p}rypt6_enter"));
    &set_label("${p}6_loop",16);
 	eval"&aes${p}	($inout0,$rndkey1)";
 	eval"&aes${p}	($inout1,$rndkey1)";
 	&dec		($rounds);
 	eval"&aes${p}	($inout2,$rndkey1)";
 	eval"&aes${p}	($inout3,$rndkey1)";
 	eval"&aes${p}	($inout4,$rndkey1)";
 	eval"&aes${p}	($inout5,$rndkey1)";
-    &set_label("_aesni_${p}rypt6_enter",16);
+    &set_label("_aesni_${p}rypt6_enter");
-	&$movekey	($rndkey1,&QWP(16,$key));
+	&$movekey	($rndkey1,&QWP(0,$key,$rounds));
 	&add		($rounds,32);
 	eval"&aes${p}	($inout0,$rndkey0)";
 	eval"&aes${p}	($inout1,$rndkey0)";
 	&lea		($key,&DWP(32,$key));
 	eval"&aes${p}	($inout2,$rndkey0)";
 	eval"&aes${p}	($inout3,$rndkey0)";
 	eval"&aes${p}	($inout4,$rndkey0)";
 	eval"&aes${p}	($inout5,$rndkey0)";
-	&$movekey	($rndkey0,&QWP(0,$key));
+	&$movekey	($rndkey0,&QWP(-16,$key,$rounds));
    &jnz		(&label("${p}6_loop"));
    eval"&aes${p}	($inout0,$rndkey1)";
@ -343,6 +390,8 @@ sub aesni_generate6
    &ret();
    &function_end_B("_aesni_${p}rypt6");
 }
 &aesni_generate2("enc") if ($PREFIX eq "aesni");
 &aesni_generate2("dec");
 &aesni_generate3("enc") if ($PREFIX eq "aesni");
 &aesni_generate3("dec");
 &aesni_generate4("enc") if ($PREFIX eq "aesni");
@ -446,8 +495,7 @@ if ($PREFIX eq "aesni") {
 	&jmp	(&label("ecb_ret"));
 &set_label("ecb_enc_two",16);
-	&xorps	($inout2,$inout2);
+	&call	("_aesni_encrypt2");
 	&call	("_aesni_encrypt3");
 	&movups	(&QWP(0,$out),$inout0);
 	&movups	(&QWP(0x10,$out),$inout1);
 	&jmp	(&label("ecb_ret"));
@ -547,8 +595,7 @@ if ($PREFIX eq "aesni") {
 	&jmp	(&label("ecb_ret"));
 &set_label("ecb_dec_two",16);
-	&xorps	($inout2,$inout2);
+	&call	("_aesni_decrypt2");
 	&call	("_aesni_decrypt3");
 	&movups	(&QWP(0,$out),$inout0);
 	&movups	(&QWP(0x10,$out),$inout1);
 	&jmp	(&label("ecb_ret"));
@ -610,11 +657,13 @@ if ($PREFIX eq "aesni") {
 	&mov	(&DWP(24,"esp"),$key_);
 	&mov	(&DWP(28,"esp"),$key_);
-	&shr	($rounds,1);
+	&shl	($rounds,4);
 	&mov	($rounds_,16);
 	&lea	($key_,&DWP(0,$key));
 	&movdqa	($inout3,&QWP(0,"esp"));
 	&movdqa	($inout0,$ivec);
-	&mov	($rounds_,$rounds);
+	&lea	($key,&DWP(32,$key,$rounds));
 	&sub	($rounds_,$rounds);
 	&pshufb	($ivec,$inout3);
 &set_label("ccm64_enc_outer");
@ -625,33 +674,31 @@ if ($PREFIX eq "aesni") {
 	&xorps		($inout0,$rndkey0);
 	&$movekey	($rndkey1,&QWP(16,$key_));
 	&xorps		($rndkey0,$in0);
 	&lea		($key,&DWP(32,$key_));
 	&xorps		($cmac,$rndkey0);		# cmac^=inp
-	&$movekey	($rndkey0,&QWP(0,$key));
+	&$movekey	($rndkey0,&QWP(32,$key_));
 &set_label("ccm64_enc2_loop");
 	&aesenc		($inout0,$rndkey1);
 	&dec		($rounds);
 	&aesenc		($cmac,$rndkey1);
-	&$movekey	($rndkey1,&QWP(16,$key));
+	&$movekey	($rndkey1,&QWP(0,$key,$rounds));
 	&add		($rounds,32);
 	&aesenc		($inout0,$rndkey0);
 	&lea		($key,&DWP(32,$key));
 	&aesenc		($cmac,$rndkey0);
-	&$movekey	($rndkey0,&QWP(0,$key));
+	&$movekey	($rndkey0,&QWP(-16,$key,$rounds));
 	&jnz		(&label("ccm64_enc2_loop"));
 	&aesenc		($inout0,$rndkey1);
 	&aesenc		($cmac,$rndkey1);
 	&paddq		($ivec,&QWP(16,"esp"));
 	&dec		($len);
 	&aesenclast	($inout0,$rndkey0);
 	&aesenclast	($cmac,$rndkey0);
 	&dec	($len);
 	&lea	($inp,&DWP(16,$inp));
 	&xorps	($in0,$inout0);			# inp^=E(ivec)
 	&movdqa	($inout0,$ivec);
 	&movups	(&QWP(0,$out),$in0);		# save output
 	&lea	($out,&DWP(16,$out));
 	&pshufb	($inout0,$inout3);
 	&lea	($out,&DWP(16,$out));
 	&jnz	(&label("ccm64_enc_outer"));
 	&mov	("esp",&DWP(48,"esp"));
@ -700,15 +747,19 @@ if ($PREFIX eq "aesni") {
 	{   &aesni_inline_generate1("enc");	}
 	else
 	{   &call	("_aesni_encrypt1");	}
 	&shl	($rounds_,4);
 	&mov	($rounds,16);
 	&movups	($in0,&QWP(0,$inp));		# load inp
 	&paddq	($ivec,&QWP(16,"esp"));
 	&lea	($inp,&QWP(16,$inp));
 	&sub	($rounds,$rounds_);
 	&lea	($key,&DWP(32,$key_,$rounds_));
 	&mov	($rounds_,$rounds);
 	&jmp	(&label("ccm64_dec_outer"));
 &set_label("ccm64_dec_outer",16);
 	&xorps	($in0,$inout0);			# inp ^= E(ivec)
 	&movdqa	($inout0,$ivec);
 	&mov	($rounds,$rounds_);
 	&movups	(&QWP(0,$out),$in0);		# save output
 	&lea	($out,&DWP(16,$out));
 	&pshufb	($inout0,$inout3);
@ -717,34 +768,33 @@ if ($PREFIX eq "aesni") {
 	&jz	(&label("ccm64_dec_break"));
 	&$movekey	($rndkey0,&QWP(0,$key_));
-	&shr		($rounds,1);
+	&mov		($rounds,$rounds_);
 	&$movekey	($rndkey1,&QWP(16,$key_));
 	&xorps		($in0,$rndkey0);
 	&lea		($key,&DWP(32,$key_));
 	&xorps		($inout0,$rndkey0);
 	&xorps		($cmac,$in0);		# cmac^=out
-	&$movekey	($rndkey0,&QWP(0,$key));
+	&$movekey	($rndkey0,&QWP(32,$key_));
 &set_label("ccm64_dec2_loop");
 	&aesenc		($inout0,$rndkey1);
 	&dec		($rounds);
 	&aesenc		($cmac,$rndkey1);
-	&$movekey	($rndkey1,&QWP(16,$key));
+	&$movekey	($rndkey1,&QWP(0,$key,$rounds));
 	&add		($rounds,32);
 	&aesenc		($inout0,$rndkey0);
 	&lea		($key,&DWP(32,$key));
 	&aesenc		($cmac,$rndkey0);
-	&$movekey	($rndkey0,&QWP(0,$key));
+	&$movekey	($rndkey0,&QWP(-16,$key,$rounds));
 	&jnz		(&label("ccm64_dec2_loop"));
 	&movups		($in0,&QWP(0,$inp));	# load inp
 	&paddq		($ivec,&QWP(16,"esp"));
 	&aesenc		($inout0,$rndkey1);
 	&aesenc		($cmac,$rndkey1);
 	&lea		($inp,&QWP(16,$inp));
 	&aesenclast	($inout0,$rndkey0);
 	&aesenclast	($cmac,$rndkey0);
 	&lea		($inp,&QWP(16,$inp));
 	&jmp	(&label("ccm64_dec_outer"));
 &set_label("ccm64_dec_break",16);
 	&mov	($rounds,&DWP(240,$key_));
 	&mov	($key,$key_);
 	if ($inline)
 	{   &aesni_inline_generate1("enc",$cmac,$in0);	}
@ -763,7 +813,7 @@ if ($PREFIX eq "aesni") {
 #                         const char *ivec);
 #
 # Handles only complete blocks, operates on 32-bit counter and
-# does not update *ivec! (see engine/eng_aesni.c for details)
+# does not update *ivec! (see crypto/modes/ctr128.c for details)
 #
 # stack layout:
 #	0	pshufb mask
@ -810,66 +860,61 @@ if ($PREFIX eq "aesni") {
 	# compose 2 vectors of 3x32-bit counters
 	&bswap	($rounds_);
 	&pxor	($rndkey1,$rndkey1);
 	&pxor	($rndkey0,$rndkey0);
 	&pxor	($rndkey1,$rndkey1);
 	&movdqa	($inout0,&QWP(0,"esp"));	# load byte-swap mask
-	&pinsrd	($rndkey1,$rounds_,0);
+	&pinsrd	($rndkey0,$rounds_,0);
 	&lea	($key_,&DWP(3,$rounds_));
-	&pinsrd	($rndkey0,$key_,0);
+	&pinsrd	($rndkey1,$key_,0);
 	&inc	($rounds_);
-	&pinsrd	($rndkey1,$rounds_,1);
+	&pinsrd	($rndkey0,$rounds_,1);
 	&inc	($key_);
-	&pinsrd	($rndkey0,$key_,1);
+	&pinsrd	($rndkey1,$key_,1);
 	&inc	($rounds_);
-	&pinsrd	($rndkey1,$rounds_,2);
+	&pinsrd	($rndkey0,$rounds_,2);
 	&inc	($key_);
-	&pinsrd	($rndkey0,$key_,2);
+	&pinsrd	($rndkey1,$key_,2);
-	&movdqa	(&QWP(48,"esp"),$rndkey1);	# save 1st triplet
+	&movdqa	(&QWP(48,"esp"),$rndkey0);	# save 1st triplet
 	&pshufb	($rndkey1,$inout0);		# byte swap
 	&movdqa	(&QWP(64,"esp"),$rndkey0);	# save 2nd triplet
 	&pshufb	($rndkey0,$inout0);		# byte swap
 	&movdqu	($inout4,&QWP(0,$key));		# key[0]
 	&movdqa	(&QWP(64,"esp"),$rndkey1);	# save 2nd triplet
 	&pshufb	($rndkey1,$inout0);		# byte swap
-	&pshufd	($inout0,$rndkey1,3<<6);	# place counter to upper dword
+	&pshufd	($inout0,$rndkey0,3<<6);	# place counter to upper dword
-	&pshufd	($inout1,$rndkey1,2<<6);
+	&pshufd	($inout1,$rndkey0,2<<6);
 	&cmp	($len,6);
 	&jb	(&label("ctr32_tail"));
-	&movdqa	(&QWP(32,"esp"),$inout5);	# save counter-less ivec
+	&pxor	($inout5,$inout4);		# counter-less ivec^key[0]
-	&shr	($rounds,1);
+	&shl	($rounds,4);
 	&mov	($rounds_,16);
 	&movdqa	(&QWP(32,"esp"),$inout5);	# save counter-less ivec^key[0]
 	&mov	($key_,$key);			# backup $key
-	&mov	($rounds_,$rounds);		# backup $rounds
+	&sub	($rounds_,$rounds);		# backup twisted $rounds
 	&lea	($key,&DWP(32,$key,$rounds));
 	&sub	($len,6);
 	&jmp	(&label("ctr32_loop6"));
 &set_label("ctr32_loop6",16);
-	&pshufd	($inout2,$rndkey1,1<<6);
+	# inlining _aesni_encrypt6's prologue gives ~6% improvement...
-	&movdqa	($rndkey1,&QWP(32,"esp"));	# pull counter-less ivec
+	&pshufd	($inout2,$rndkey0,1<<6);
-	&pshufd	($inout3,$rndkey0,3<<6);
+	&movdqa	($rndkey0,&QWP(32,"esp"));	# pull counter-less ivec
-	&por	($inout0,$rndkey1);		# merge counter-less ivec
+	&pshufd	($inout3,$rndkey1,3<<6);
-	&pshufd	($inout4,$rndkey0,2<<6);
+	&pxor		($inout0,$rndkey0);	# merge counter-less ivec
-	&por	($inout1,$rndkey1);
+	&pshufd	($inout4,$rndkey1,2<<6);
 	&pshufd	($inout5,$rndkey0,1<<6);
 	&por	($inout2,$rndkey1);
 	&por	($inout3,$rndkey1);
 	&por	($inout4,$rndkey1);
 	&por	($inout5,$rndkey1);
 	# inlining _aesni_encrypt6's prologue gives ~4% improvement...
 	&$movekey	($rndkey0,&QWP(0,$key_));
 	&$movekey	($rndkey1,&QWP(16,$key_));
 	&lea		($key,&DWP(32,$key_));
 	&dec		($rounds);
 	&pxor		($inout0,$rndkey0);
 	&pxor		($inout1,$rndkey0);
-	&aesenc		($inout0,$rndkey1);
+	&pshufd	($inout5,$rndkey1,1<<6);
 	&$movekey	($rndkey1,&QWP(16,$key_));
 	&pxor		($inout2,$rndkey0);
 	&aesenc		($inout1,$rndkey1);
 	&pxor		($inout3,$rndkey0);
-	&aesenc		($inout2,$rndkey1);
+	&aesenc		($inout0,$rndkey1);
 	&pxor		($inout4,$rndkey0);
 	&aesenc		($inout3,$rndkey1);
 	&pxor		($inout5,$rndkey0);
 	&aesenc		($inout1,$rndkey1);
 	&$movekey	($rndkey0,&QWP(32,$key_));
 	&mov		($rounds,$rounds_);
 	&aesenc		($inout2,$rndkey1);
 	&aesenc		($inout3,$rndkey1);
 	&aesenc		($inout4,$rndkey1);
 	&$movekey	($rndkey0,&QWP(0,$key));
 	&aesenc		($inout5,$rndkey1);
 	&call		(&label("_aesni_encrypt6_enter"));
@ -882,12 +927,12 @@ if ($PREFIX eq "aesni") {
 	&movups	(&QWP(0,$out),$inout0);
 	&movdqa	($rndkey0,&QWP(16,"esp"));	# load increment
 	&xorps	($inout2,$rndkey1);
-	&movdqa	($rndkey1,&QWP(48,"esp"));	# load 1st triplet
+	&movdqa	($rndkey1,&QWP(64,"esp"));	# load 2nd triplet
 	&movups	(&QWP(0x10,$out),$inout1);
 	&movups	(&QWP(0x20,$out),$inout2);
-	&paddd	($rndkey1,$rndkey0);		# 1st triplet increment
+	&paddd	($rndkey1,$rndkey0);		# 2nd triplet increment
-	&paddd	($rndkey0,&QWP(64,"esp"));	# 2nd triplet increment
+	&paddd	($rndkey0,&QWP(48,"esp"));	# 1st triplet increment
 	&movdqa	($inout0,&QWP(0,"esp"));	# load byte swap mask
 	&movups	($inout1,&QWP(0x30,$inp));
@ -895,44 +940,44 @@ if ($PREFIX eq "aesni") {
 	&xorps	($inout3,$inout1);
 	&movups	($inout1,&QWP(0x50,$inp));
 	&lea	($inp,&DWP(0x60,$inp));
-	&movdqa	(&QWP(48,"esp"),$rndkey1);	# save 1st triplet
+	&movdqa	(&QWP(48,"esp"),$rndkey0);	# save 1st triplet
-	&pshufb	($rndkey1,$inout0);		# byte swap
+	&pshufb	($rndkey0,$inout0);		# byte swap
 	&xorps	($inout4,$inout2);
 	&movups	(&QWP(0x30,$out),$inout3);
 	&xorps	($inout5,$inout1);
-	&movdqa	(&QWP(64,"esp"),$rndkey0);	# save 2nd triplet
+	&movdqa	(&QWP(64,"esp"),$rndkey1);	# save 2nd triplet
-	&pshufb	($rndkey0,$inout0);		# byte swap
+	&pshufb	($rndkey1,$inout0);		# byte swap
 	&movups	(&QWP(0x40,$out),$inout4);
-	&pshufd	($inout0,$rndkey1,3<<6);
+	&pshufd	($inout0,$rndkey0,3<<6);
 	&movups	(&QWP(0x50,$out),$inout5);
 	&lea	($out,&DWP(0x60,$out));
-	&mov	($rounds,$rounds_);
+	&pshufd	($inout1,$rndkey0,2<<6);
 	&pshufd	($inout1,$rndkey1,2<<6);
 	&sub	($len,6);
 	&jnc	(&label("ctr32_loop6"));
 	&add	($len,6);
 	&jz	(&label("ctr32_ret"));
 	&movdqu	($inout5,&QWP(0,$key_));
 	&mov	($key,$key_);
-	&lea	($rounds,&DWP(1,"",$rounds,2));	# restore $rounds
+	&pxor	($inout5,&QWP(32,"esp"));	# restore count-less ivec
-	&movdqa	($inout5,&QWP(32,"esp"));	# pull count-less ivec
+	&mov	($rounds,&DWP(240,$key_));	# restore $rounds
 &set_label("ctr32_tail");
 	&por	($inout0,$inout5);
 	&cmp	($len,2);
 	&jb	(&label("ctr32_one"));
-	&pshufd	($inout2,$rndkey1,1<<6);
+	&pshufd	($inout2,$rndkey0,1<<6);
 	&por	($inout1,$inout5);
 	&je	(&label("ctr32_two"));
-	&pshufd	($inout3,$rndkey0,3<<6);
+	&pshufd	($inout3,$rndkey1,3<<6);
 	&por	($inout2,$inout5);
 	&cmp	($len,4);
 	&jb	(&label("ctr32_three"));
-	&pshufd	($inout4,$rndkey0,2<<6);
+	&pshufd	($inout4,$rndkey1,2<<6);
 	&por	($inout3,$inout5);
 	&je	(&label("ctr32_four"));
@ -970,7 +1015,7 @@ if ($PREFIX eq "aesni") {
 	&jmp	(&label("ctr32_ret"));
 &set_label("ctr32_two",16);
-	&call	("_aesni_encrypt3");
+	&call	("_aesni_encrypt2");
 	&movups	($inout3,&QWP(0,$inp));
 	&movups	($inout4,&QWP(0x10,$inp));
 	&xorps	($inout0,$inout3);
@ -1057,8 +1102,10 @@ if ($PREFIX eq "aesni") {
 	&sub	($len,16*6);
 	&jc	(&label("xts_enc_short"));
-	&shr	($rounds,1);
+	&shl	($rounds,4);
-	&mov	($rounds_,$rounds);
+	&mov	($rounds_,16);
 	&sub	($rounds_,$rounds);
 	&lea	($key,&DWP(32,$key,$rounds));
 	&jmp	(&label("xts_enc_loop6"));
 &set_label("xts_enc_loop6",16);
@ -1080,6 +1127,7 @@ if ($PREFIX eq "aesni") {
 	&pxor	($inout5,$tweak);
 	# inline _aesni_encrypt6 prologue and flip xor with tweak and key[0]
 	&mov	($rounds,$rounds_);		# restore $rounds
 	&movdqu	($inout1,&QWP(16*1,$inp));
 	 &xorps		($inout0,$rndkey0);	# input^=rndkey[0]
 	&movdqu	($inout2,&QWP(16*2,$inp));
@ -1096,19 +1144,17 @@ if ($PREFIX eq "aesni") {
 	&pxor	($inout5,$rndkey1);
 	 &$movekey	($rndkey1,&QWP(16,$key_));
 	 &lea		($key,&DWP(32,$key_));
 	&pxor	($inout1,&QWP(16*1,"esp"));
 	 &aesenc	($inout0,$rndkey1);
 	&pxor	($inout2,&QWP(16*2,"esp"));
-	 &aesenc	($inout1,$rndkey1);
+	 &aesenc	($inout0,$rndkey1);
 	&pxor	($inout3,&QWP(16*3,"esp"));
 	 &dec		($rounds);
 	 &aesenc	($inout2,$rndkey1);
 	&pxor	($inout4,&QWP(16*4,"esp"));
-	 &aesenc	($inout3,$rndkey1);
+	 &aesenc	($inout1,$rndkey1);
 	&pxor		($inout5,$rndkey0);
 	 &$movekey	($rndkey0,&QWP(32,$key_));
 	 &aesenc	($inout2,$rndkey1);
 	 &aesenc	($inout3,$rndkey1);
 	 &aesenc	($inout4,$rndkey1);
 	 &$movekey	($rndkey0,&QWP(0,$key));
 	 &aesenc	($inout5,$rndkey1);
 	&call		(&label("_aesni_encrypt6_enter"));
@ -1135,13 +1181,12 @@ if ($PREFIX eq "aesni") {
 	&paddq	($tweak,$tweak);		# &psllq($tweak,1);
 	&pand	($twres,$twmask);		# isolate carry and residue
 	&pcmpgtd($twtmp,$tweak);		# broadcast upper bits
 	&mov	($rounds,$rounds_);		# restore $rounds
 	&pxor	($tweak,$twres);
 	&sub	($len,16*6);
 	&jnc	(&label("xts_enc_loop6"));
-	&lea	($rounds,&DWP(1,"",$rounds,2));	# restore $rounds
+	&mov	($rounds,&DWP(240,$key_));	# restore $rounds
 	&mov	($key,$key_);			# restore $key
 	&mov	($rounds_,$rounds);
@ -1241,9 +1286,8 @@ if ($PREFIX eq "aesni") {
 	&lea	($inp,&DWP(16*2,$inp));
 	&xorps	($inout0,$inout3);		# input^=tweak
 	&xorps	($inout1,$inout4);
 	&xorps	($inout2,$inout2);
-	&call	("_aesni_encrypt3");
+	&call	("_aesni_encrypt2");
 	&xorps	($inout0,$inout3);		# output^=tweak
 	&xorps	($inout1,$inout4);
@ -1399,8 +1443,10 @@ if ($PREFIX eq "aesni") {
 	&sub	($len,16*6);
 	&jc	(&label("xts_dec_short"));
-	&shr	($rounds,1);
+	&shl	($rounds,4);
-	&mov	($rounds_,$rounds);
+	&mov	($rounds_,16);
 	&sub	($rounds_,$rounds);
 	&lea	($key,&DWP(32,$key,$rounds));
 	&jmp	(&label("xts_dec_loop6"));
 &set_label("xts_dec_loop6",16);
@ -1422,6 +1468,7 @@ if ($PREFIX eq "aesni") {
 	&pxor	($inout5,$tweak);
 	# inline _aesni_encrypt6 prologue and flip xor with tweak and key[0]
 	&mov	($rounds,$rounds_);
 	&movdqu	($inout1,&QWP(16*1,$inp));
 	 &xorps		($inout0,$rndkey0);	# input^=rndkey[0]
 	&movdqu	($inout2,&QWP(16*2,$inp));
@ -1438,19 +1485,17 @@ if ($PREFIX eq "aesni") {
 	&pxor	($inout5,$rndkey1);
 	 &$movekey	($rndkey1,&QWP(16,$key_));
 	 &lea		($key,&DWP(32,$key_));
 	&pxor	($inout1,&QWP(16*1,"esp"));
 	 &aesdec	($inout0,$rndkey1);
 	&pxor	($inout2,&QWP(16*2,"esp"));
-	 &aesdec	($inout1,$rndkey1);
+	 &aesdec	($inout0,$rndkey1);
 	&pxor	($inout3,&QWP(16*3,"esp"));
 	 &dec		($rounds);
 	 &aesdec	($inout2,$rndkey1);
 	&pxor	($inout4,&QWP(16*4,"esp"));
-	 &aesdec	($inout3,$rndkey1);
+	 &aesdec	($inout1,$rndkey1);
 	&pxor		($inout5,$rndkey0);
 	 &$movekey	($rndkey0,&QWP(32,$key_));
 	 &aesdec	($inout2,$rndkey1);
 	 &aesdec	($inout3,$rndkey1);
 	 &aesdec	($inout4,$rndkey1);
 	 &$movekey	($rndkey0,&QWP(0,$key));
 	 &aesdec	($inout5,$rndkey1);
 	&call		(&label("_aesni_decrypt6_enter"));
@ -1477,13 +1522,12 @@ if ($PREFIX eq "aesni") {
 	&paddq	($tweak,$tweak);		# &psllq($tweak,1);
 	&pand	($twres,$twmask);		# isolate carry and residue
 	&pcmpgtd($twtmp,$tweak);		# broadcast upper bits
 	&mov	($rounds,$rounds_);		# restore $rounds
 	&pxor	($tweak,$twres);
 	&sub	($len,16*6);
 	&jnc	(&label("xts_dec_loop6"));
-	&lea	($rounds,&DWP(1,"",$rounds,2));	# restore $rounds
+	&mov	($rounds,&DWP(240,$key_));	# restore $rounds
 	&mov	($key,$key_);			# restore $key
 	&mov	($rounds_,$rounds);
@ -1584,7 +1628,7 @@ if ($PREFIX eq "aesni") {
 	&xorps	($inout0,$inout3);		# input^=tweak
 	&xorps	($inout1,$inout4);
-	&call	("_aesni_decrypt3");
+	&call	("_aesni_decrypt2");
 	&xorps	($inout0,$inout3);		# output^=tweak
 	&xorps	($inout1,$inout4);
@ -1816,7 +1860,7 @@ if ($PREFIX eq "aesni") {
 	&movups	(&QWP(0x10,$out),$inout1);
 	&lea	($inp,&DWP(0x60,$inp));
 	&movups	(&QWP(0x20,$out),$inout2);
-	&mov	($rounds,$rounds_)		# restore $rounds
+	&mov	($rounds,$rounds_);		# restore $rounds
 	&movups	(&QWP(0x30,$out),$inout3);
 	&mov	($key,$key_);			# restore $key
 	&movups	(&QWP(0x40,$out),$inout4);
@ -1884,8 +1928,7 @@ if ($PREFIX eq "aesni") {
 	&jmp	(&label("cbc_dec_tail_collected"));
 &set_label("cbc_dec_two",16);
-	&xorps	($inout2,$inout2);
+	&call	("_aesni_decrypt2");
 	&call	("_aesni_decrypt3");
 	&xorps	($inout0,$ivec);
 	&xorps	($inout1,$in0);
 	&movups	(&QWP(0,$out),$inout0);
@ -2015,7 +2058,7 @@ if ($PREFIX eq "aesni") {
 &set_label("12rounds",16);
 	&movq		("xmm2",&QWP(16,"eax"));	# remaining 1/3 of *userKey
 	&mov		($rounds,11);
-	&$movekey	(&QWP(-16,$key),"xmm0")		# round 0
+	&$movekey	(&QWP(-16,$key),"xmm0");	# round 0
 	&aeskeygenassist("xmm1","xmm2",0x01);		# round 1,2
 	&call		(&label("key_192a_cold"));
 	&aeskeygenassist("xmm1","xmm2",0x02);		# round 2,3
@ -2152,7 +2195,7 @@ if ($PREFIX eq "aesni") {
 	&mov	($key,&wparam(2));
 	&call	("_aesni_set_encrypt_key");
 	&mov	($key,&wparam(2));
-	&shl	($rounds,4)	# rounds-1 after _aesni_set_encrypt_key
+	&shl	($rounds,4);	# rounds-1 after _aesni_set_encrypt_key
 	&test	("eax","eax");
 	&jnz	(&label("dec_key_ret"));
 	&lea	("eax",&DWP(16,$key,$rounds));	# end of key schedule
--- a/crypto/aes/asm/aesni-x86_64.pl
+++ b/crypto/aes/asm/aesni-x86_64.pl
--- a/crypto/aes/asm/aesp8-ppc.pl
+++ b/crypto/aes/asm/aesp8-ppc.pl
--- a/crypto/aes/asm/aest4-sparcv9.pl
+++ b/crypto/aes/asm/aest4-sparcv9.pl
@ -0,0 +1,919 @@
 #!/usr/bin/env perl
 # ====================================================================
 # Written by David S. Miller <davem@devemloft.net> and Andy Polyakov
 # <appro@openssl.org>. The module is licensed under 2-clause BSD
 # license. October 2012. All rights reserved.
 # ====================================================================
 ######################################################################
 # AES for SPARC T4.
 #
 # AES round instructions complete in 3 cycles and can be issued every
 # cycle. It means that round calculations should take 4*rounds cycles,
 # because any given round instruction depends on result of *both*
 # previous instructions:
 #
 #	|0 |1 |2 |3 |4
 #	|01|01|01|
 #	   |23|23|23|
 #	            |01|01|...
 #	               |23|...
 #
 # Provided that fxor [with IV] takes 3 cycles to complete, critical
 # path length for CBC encrypt would be 3+4*rounds, or in other words
 # it should process one byte in at least (3+4*rounds)/16 cycles. This
 # estimate doesn't account for "collateral" instructions, such as
 # fetching input from memory, xor-ing it with zero-round key and
 # storing the result. Yet, *measured* performance [for data aligned
 # at 64-bit boundary!] deviates from this equation by less than 0.5%:
 #
 #		128-bit key	192-		256-
 # CBC encrypt	2.70/2.90(*)	3.20/3.40	3.70/3.90
 #			 (*) numbers after slash are for
 #			     misaligned data.
 #
 # Out-of-order execution logic managed to fully overlap "collateral"
 # instructions with those on critical path. Amazing!
 #
 # As with Intel AES-NI, question is if it's possible to improve
 # performance of parallelizeable modes by interleaving round
 # instructions. Provided round instruction latency and throughput
 # optimal interleave factor is 2. But can we expect 2x performance
 # improvement? Well, as round instructions can be issued one per
 # cycle, they don't saturate the 2-way issue pipeline and therefore
 # there is room for "collateral" calculations... Yet, 2x speed-up
 # over CBC encrypt remains unattaintable:
 #
 #		128-bit key	192-		256-
 # CBC decrypt	1.64/2.11	1.89/2.37	2.23/2.61
 # CTR		1.64/2.08(*)	1.89/2.33	2.23/2.61
 #			 (*) numbers after slash are for
 #			     misaligned data.
 #
 # Estimates based on amount of instructions under assumption that
 # round instructions are not pairable with any other instruction
 # suggest that latter is the actual case and pipeline runs
 # underutilized. It should be noted that T4 out-of-order execution
 # logic is so capable that performance gain from 2x interleave is
 # not even impressive, ~7-13% over non-interleaved code, largest
 # for 256-bit keys.
 # To anchor to something else, software implementation processes
 # one byte in 29 cycles with 128-bit key on same processor. Intel
 # Sandy Bridge encrypts byte in 5.07 cycles in CBC mode and decrypts
 # in 0.93, naturally with AES-NI.
 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
 push(@INC,"${dir}","${dir}../../perlasm");
 require "sparcv9_modes.pl";
 &asm_init(@ARGV);
 $::evp=1;	# if $evp is set to 0, script generates module with
 # AES_[en|de]crypt, AES_set_[en|de]crypt_key and AES_cbc_encrypt entry
 # points. These however are not fully compatible with openssl/aes.h,
 # because they expect AES_KEY to be aligned at 64-bit boundary. When
 # used through EVP, alignment is arranged at EVP layer. Second thing
 # that is arranged by EVP is at least 32-bit alignment of IV.
 ######################################################################
 # single-round subroutines
 #
 {
 my ($inp,$out,$key,$rounds,$tmp,$mask)=map("%o$_",(0..5));
 $code.=<<___ if ($::abibits==64);
 .register	%g2,#scratch
 .register	%g3,#scratch
 ___
 $code.=<<___;
 .text
 .globl	aes_t4_encrypt
 .align	32
 aes_t4_encrypt:
 	andcc		$inp, 7, %g1		! is input aligned?
 	andn		$inp, 7, $inp
 	ldx		[$key + 0], %g4
 	ldx		[$key + 8], %g5
 	ldx		[$inp + 0], %o4
 	bz,pt		%icc, 1f
 	ldx		[$inp + 8], %o5
 	ldx		[$inp + 16], $inp
 	sll		%g1, 3, %g1
 	sub		%g0, %g1, %o3
 	sllx		%o4, %g1, %o4
 	sllx		%o5, %g1, %g1
 	srlx		%o5, %o3, %o5
 	srlx		$inp, %o3, %o3
 	or		%o5, %o4, %o4
 	or		%o3, %g1, %o5
 1:
 	ld		[$key + 240], $rounds
 	ldd		[$key + 16], %f12
 	ldd		[$key + 24], %f14
 	xor		%g4, %o4, %o4
 	xor		%g5, %o5, %o5
 	movxtod		%o4, %f0
 	movxtod		%o5, %f2
 	srl		$rounds, 1, $rounds
 	ldd		[$key + 32], %f16
 	sub		$rounds, 1, $rounds
 	ldd		[$key + 40], %f18
 	add		$key, 48, $key
 .Lenc:
 	aes_eround01	%f12, %f0, %f2, %f4
 	aes_eround23	%f14, %f0, %f2, %f2
 	ldd		[$key + 0], %f12
 	ldd		[$key + 8], %f14
 	sub		$rounds,1,$rounds
 	aes_eround01	%f16, %f4, %f2, %f0
 	aes_eround23	%f18, %f4, %f2, %f2
 	ldd		[$key + 16], %f16
 	ldd		[$key + 24], %f18
 	brnz,pt		$rounds, .Lenc
 	add		$key, 32, $key
 	andcc		$out, 7, $tmp		! is output aligned?
 	aes_eround01	%f12, %f0, %f2, %f4
 	aes_eround23	%f14, %f0, %f2, %f2
 	aes_eround01_l	%f16, %f4, %f2, %f0
 	aes_eround23_l	%f18, %f4, %f2, %f2
 	bnz,pn		%icc, 2f
 	nop
 	std		%f0, [$out + 0]
 	retl
 	std		%f2, [$out + 8]
 2:	alignaddrl	$out, %g0, $out
 	mov		0xff, $mask
 	srl		$mask, $tmp, $mask
 	faligndata	%f0, %f0, %f4
 	faligndata	%f0, %f2, %f6
 	faligndata	%f2, %f2, %f8
 	stda		%f4, [$out + $mask]0xc0	! partial store
 	std		%f6, [$out + 8]
 	add		$out, 16, $out
 	orn		%g0, $mask, $mask
 	retl
 	stda		%f8, [$out + $mask]0xc0	! partial store
 .type	aes_t4_encrypt,#function
 .size	aes_t4_encrypt,.-aes_t4_encrypt
 .globl	aes_t4_decrypt
 .align	32
 aes_t4_decrypt:
 	andcc		$inp, 7, %g1		! is input aligned?
 	andn		$inp, 7, $inp
 	ldx		[$key + 0], %g4
 	ldx		[$key + 8], %g5
 	ldx		[$inp + 0], %o4
 	bz,pt		%icc, 1f
 	ldx		[$inp + 8], %o5
 	ldx		[$inp + 16], $inp
 	sll		%g1, 3, %g1
 	sub		%g0, %g1, %o3
 	sllx		%o4, %g1, %o4
 	sllx		%o5, %g1, %g1
 	srlx		%o5, %o3, %o5
 	srlx		$inp, %o3, %o3
 	or		%o5, %o4, %o4
 	or		%o3, %g1, %o5
 1:
 	ld		[$key + 240], $rounds
 	ldd		[$key + 16], %f12
 	ldd		[$key + 24], %f14
 	xor		%g4, %o4, %o4
 	xor		%g5, %o5, %o5
 	movxtod		%o4, %f0
 	movxtod		%o5, %f2
 	srl		$rounds, 1, $rounds
 	ldd		[$key + 32], %f16
 	sub		$rounds, 1, $rounds
 	ldd		[$key + 40], %f18
 	add		$key, 48, $key
 .Ldec:
 	aes_dround01	%f12, %f0, %f2, %f4
 	aes_dround23	%f14, %f0, %f2, %f2
 	ldd		[$key + 0], %f12
 	ldd		[$key + 8], %f14
 	sub		$rounds,1,$rounds
 	aes_dround01	%f16, %f4, %f2, %f0
 	aes_dround23	%f18, %f4, %f2, %f2
 	ldd		[$key + 16], %f16
 	ldd		[$key + 24], %f18
 	brnz,pt		$rounds, .Ldec
 	add		$key, 32, $key
 	andcc		$out, 7, $tmp		! is output aligned?
 	aes_dround01	%f12, %f0, %f2, %f4
 	aes_dround23	%f14, %f0, %f2, %f2
 	aes_dround01_l	%f16, %f4, %f2, %f0
 	aes_dround23_l	%f18, %f4, %f2, %f2
 	bnz,pn		%icc, 2f
 	nop
 	std		%f0, [$out + 0]
 	retl
 	std		%f2, [$out + 8]
 2:	alignaddrl	$out, %g0, $out
 	mov		0xff, $mask
 	srl		$mask, $tmp, $mask
 	faligndata	%f0, %f0, %f4
 	faligndata	%f0, %f2, %f6
 	faligndata	%f2, %f2, %f8
 	stda		%f4, [$out + $mask]0xc0	! partial store
 	std		%f6, [$out + 8]
 	add		$out, 16, $out
 	orn		%g0, $mask, $mask
 	retl
 	stda		%f8, [$out + $mask]0xc0	! partial store
 .type	aes_t4_decrypt,#function
 .size	aes_t4_decrypt,.-aes_t4_decrypt
 ___
 }
 ######################################################################
 # key setup subroutines
 #
 {
 my ($inp,$bits,$out,$tmp)=map("%o$_",(0..5));
 $code.=<<___;
 .globl	aes_t4_set_encrypt_key
 .align	32
 aes_t4_set_encrypt_key:
 .Lset_encrypt_key:
 	and		$inp, 7, $tmp
 	alignaddr	$inp, %g0, $inp
 	cmp		$bits, 192
 	ldd		[$inp + 0], %f0
 	bl,pt		%icc,.L128
 	ldd		[$inp + 8], %f2
 	be,pt		%icc,.L192
 	ldd		[$inp + 16], %f4
 	brz,pt		$tmp, .L256aligned
 	ldd		[$inp + 24], %f6
 	ldd		[$inp + 32], %f8
 	faligndata	%f0, %f2, %f0
 	faligndata	%f2, %f4, %f2
 	faligndata	%f4, %f6, %f4
 	faligndata	%f6, %f8, %f6
 .L256aligned:
 ___
 for ($i=0; $i<6; $i++) {
    $code.=<<___;
 	std		%f0, [$out + `32*$i+0`]
 	aes_kexpand1	%f0, %f6, $i, %f0
 	std		%f2, [$out + `32*$i+8`]
 	aes_kexpand2	%f2, %f0, %f2
 	std		%f4, [$out + `32*$i+16`]
 	aes_kexpand0	%f4, %f2, %f4
 	std		%f6, [$out + `32*$i+24`]
 	aes_kexpand2	%f6, %f4, %f6
 ___
 }
 $code.=<<___;
 	std		%f0, [$out + `32*$i+0`]
 	aes_kexpand1	%f0, %f6, $i, %f0
 	std		%f2, [$out + `32*$i+8`]
 	aes_kexpand2	%f2, %f0, %f2
 	std		%f4, [$out + `32*$i+16`]
 	std		%f6, [$out + `32*$i+24`]
 	std		%f0, [$out + `32*$i+32`]
 	std		%f2, [$out + `32*$i+40`]
 	mov		14, $tmp
 	st		$tmp, [$out + 240]
 	retl
 	xor		%o0, %o0, %o0
 .align	16
 .L192:
 	brz,pt		$tmp, .L192aligned
 	nop
 	ldd		[$inp + 24], %f6
 	faligndata	%f0, %f2, %f0
 	faligndata	%f2, %f4, %f2
 	faligndata	%f4, %f6, %f4
 .L192aligned:
 ___
 for ($i=0; $i<7; $i++) {
    $code.=<<___;
 	std		%f0, [$out + `24*$i+0`]
 	aes_kexpand1	%f0, %f4, $i, %f0
 	std		%f2, [$out + `24*$i+8`]
 	aes_kexpand2	%f2, %f0, %f2
 	std		%f4, [$out + `24*$i+16`]
 	aes_kexpand2	%f4, %f2, %f4
 ___
 }
 $code.=<<___;
 	std		%f0, [$out + `24*$i+0`]
 	aes_kexpand1	%f0, %f4, $i, %f0
 	std		%f2, [$out + `24*$i+8`]
 	aes_kexpand2	%f2, %f0, %f2
 	std		%f4, [$out + `24*$i+16`]
 	std		%f0, [$out + `24*$i+24`]
 	std		%f2, [$out + `24*$i+32`]
 	mov		12, $tmp
 	st		$tmp, [$out + 240]
 	retl
 	xor		%o0, %o0, %o0
 .align	16
 .L128:
 	brz,pt		$tmp, .L128aligned
 	nop
 	ldd		[$inp + 16], %f4
 	faligndata	%f0, %f2, %f0
 	faligndata	%f2, %f4, %f2
 .L128aligned:
 ___
 for ($i=0; $i<10; $i++) {
    $code.=<<___;
 	std		%f0, [$out + `16*$i+0`]
 	aes_kexpand1	%f0, %f2, $i, %f0
 	std		%f2, [$out + `16*$i+8`]
 	aes_kexpand2	%f2, %f0, %f2
 ___
 }
 $code.=<<___;
 	std		%f0, [$out + `16*$i+0`]
 	std		%f2, [$out + `16*$i+8`]
 	mov		10, $tmp
 	st		$tmp, [$out + 240]
 	retl
 	xor		%o0, %o0, %o0
 .type	aes_t4_set_encrypt_key,#function
 .size	aes_t4_set_encrypt_key,.-aes_t4_set_encrypt_key
 .globl	aes_t4_set_decrypt_key
 .align	32
 aes_t4_set_decrypt_key:
 	mov		%o7, %o5
 	call		.Lset_encrypt_key
 	nop
 	mov		%o5, %o7
 	sll		$tmp, 4, $inp		! $tmp is number of rounds
 	add		$tmp, 2, $tmp
 	add		$out, $inp, $inp	! $inp=$out+16*rounds
 	srl		$tmp, 2, $tmp		! $tmp=(rounds+2)/4
 .Lkey_flip:
 	ldd		[$out + 0],  %f0
 	ldd		[$out + 8],  %f2
 	ldd		[$out + 16], %f4
 	ldd		[$out + 24], %f6
 	ldd		[$inp + 0],  %f8
 	ldd		[$inp + 8],  %f10
 	ldd		[$inp - 16], %f12
 	ldd		[$inp - 8],  %f14
 	sub		$tmp, 1, $tmp
 	std		%f0, [$inp + 0]
 	std		%f2, [$inp + 8]
 	std		%f4, [$inp - 16]
 	std		%f6, [$inp - 8]
 	std		%f8, [$out + 0]
 	std		%f10, [$out + 8]
 	std		%f12, [$out + 16]
 	std		%f14, [$out + 24]
 	add		$out, 32, $out
 	brnz		$tmp, .Lkey_flip
 	sub		$inp, 32, $inp
 	retl
 	xor		%o0, %o0, %o0
 .type	aes_t4_set_decrypt_key,#function
 .size	aes_t4_set_decrypt_key,.-aes_t4_set_decrypt_key
 ___
 }
 {{{
 my ($inp,$out,$len,$key,$ivec,$enc)=map("%i$_",(0..5));
 my ($ileft,$iright,$ooff,$omask,$ivoff)=map("%l$_",(1..7));
 $code.=<<___;
 .align	32
 _aes128_encrypt_1x:
 ___
 for ($i=0; $i<4; $i++) {
    $code.=<<___;
 	aes_eround01	%f`16+8*$i+0`, %f0, %f2, %f4
 	aes_eround23	%f`16+8*$i+2`, %f0, %f2, %f2
 	aes_eround01	%f`16+8*$i+4`, %f4, %f2, %f0
 	aes_eround23	%f`16+8*$i+6`, %f4, %f2, %f2
 ___
 }
 $code.=<<___;
 	aes_eround01	%f48, %f0, %f2, %f4
 	aes_eround23	%f50, %f0, %f2, %f2
 	aes_eround01_l	%f52, %f4, %f2, %f0
 	retl
 	aes_eround23_l	%f54, %f4, %f2, %f2
 .type	_aes128_encrypt_1x,#function
 .size	_aes128_encrypt_1x,.-_aes128_encrypt_1x
 .align	32
 _aes128_encrypt_2x:
 ___
 for ($i=0; $i<4; $i++) {
    $code.=<<___;
 	aes_eround01	%f`16+8*$i+0`, %f0, %f2, %f8
 	aes_eround23	%f`16+8*$i+2`, %f0, %f2, %f2
 	aes_eround01	%f`16+8*$i+0`, %f4, %f6, %f10
 	aes_eround23	%f`16+8*$i+2`, %f4, %f6, %f6
 	aes_eround01	%f`16+8*$i+4`, %f8, %f2, %f0
 	aes_eround23	%f`16+8*$i+6`, %f8, %f2, %f2
 	aes_eround01	%f`16+8*$i+4`, %f10, %f6, %f4
 	aes_eround23	%f`16+8*$i+6`, %f10, %f6, %f6
 ___
 }
 $code.=<<___;
 	aes_eround01	%f48, %f0, %f2, %f8
 	aes_eround23	%f50, %f0, %f2, %f2
 	aes_eround01	%f48, %f4, %f6, %f10
 	aes_eround23	%f50, %f4, %f6, %f6
 	aes_eround01_l	%f52, %f8, %f2, %f0
 	aes_eround23_l	%f54, %f8, %f2, %f2
 	aes_eround01_l	%f52, %f10, %f6, %f4
 	retl
 	aes_eround23_l	%f54, %f10, %f6, %f6
 .type	_aes128_encrypt_2x,#function
 .size	_aes128_encrypt_2x,.-_aes128_encrypt_2x
 .align	32
 _aes128_loadkey:
 	ldx		[$key + 0], %g4
 	ldx		[$key + 8], %g5
 ___
 for ($i=2; $i<22;$i++) {			# load key schedule
    $code.=<<___;
 	ldd		[$key + `8*$i`], %f`12+2*$i`
 ___
 }
 $code.=<<___;
 	retl
 	nop
 .type	_aes128_loadkey,#function
 .size	_aes128_loadkey,.-_aes128_loadkey
 _aes128_load_enckey=_aes128_loadkey
 _aes128_load_deckey=_aes128_loadkey
 ___
 &alg_cbc_encrypt_implement("aes",128);
 if ($::evp) {
    &alg_ctr32_implement("aes",128);
    &alg_xts_implement("aes",128,"en");
    &alg_xts_implement("aes",128,"de");
 }
 &alg_cbc_decrypt_implement("aes",128);
 $code.=<<___;
 .align	32
 _aes128_decrypt_1x:
 ___
 for ($i=0; $i<4; $i++) {
    $code.=<<___;
 	aes_dround01	%f`16+8*$i+0`, %f0, %f2, %f4
 	aes_dround23	%f`16+8*$i+2`, %f0, %f2, %f2
 	aes_dround01	%f`16+8*$i+4`, %f4, %f2, %f0
 	aes_dround23	%f`16+8*$i+6`, %f4, %f2, %f2
 ___
 }
 $code.=<<___;
 	aes_dround01	%f48, %f0, %f2, %f4
 	aes_dround23	%f50, %f0, %f2, %f2
 	aes_dround01_l	%f52, %f4, %f2, %f0
 	retl
 	aes_dround23_l	%f54, %f4, %f2, %f2
 .type	_aes128_decrypt_1x,#function
 .size	_aes128_decrypt_1x,.-_aes128_decrypt_1x
 .align	32
 _aes128_decrypt_2x:
 ___
 for ($i=0; $i<4; $i++) {
    $code.=<<___;
 	aes_dround01	%f`16+8*$i+0`, %f0, %f2, %f8
 	aes_dround23	%f`16+8*$i+2`, %f0, %f2, %f2
 	aes_dround01	%f`16+8*$i+0`, %f4, %f6, %f10
 	aes_dround23	%f`16+8*$i+2`, %f4, %f6, %f6
 	aes_dround01	%f`16+8*$i+4`, %f8, %f2, %f0
 	aes_dround23	%f`16+8*$i+6`, %f8, %f2, %f2
 	aes_dround01	%f`16+8*$i+4`, %f10, %f6, %f4
 	aes_dround23	%f`16+8*$i+6`, %f10, %f6, %f6
 ___
 }
 $code.=<<___;
 	aes_dround01	%f48, %f0, %f2, %f8
 	aes_dround23	%f50, %f0, %f2, %f2
 	aes_dround01	%f48, %f4, %f6, %f10
 	aes_dround23	%f50, %f4, %f6, %f6
 	aes_dround01_l	%f52, %f8, %f2, %f0
 	aes_dround23_l	%f54, %f8, %f2, %f2
 	aes_dround01_l	%f52, %f10, %f6, %f4
 	retl
 	aes_dround23_l	%f54, %f10, %f6, %f6
 .type	_aes128_decrypt_2x,#function
 .size	_aes128_decrypt_2x,.-_aes128_decrypt_2x
 ___
 $code.=<<___;
 .align	32
 _aes192_encrypt_1x:
 ___
 for ($i=0; $i<5; $i++) {
    $code.=<<___;
 	aes_eround01	%f`16+8*$i+0`, %f0, %f2, %f4
 	aes_eround23	%f`16+8*$i+2`, %f0, %f2, %f2
 	aes_eround01	%f`16+8*$i+4`, %f4, %f2, %f0
 	aes_eround23	%f`16+8*$i+6`, %f4, %f2, %f2
 ___
 }
 $code.=<<___;
 	aes_eround01	%f56, %f0, %f2, %f4
 	aes_eround23	%f58, %f0, %f2, %f2
 	aes_eround01_l	%f60, %f4, %f2, %f0
 	retl
 	aes_eround23_l	%f62, %f4, %f2, %f2
 .type	_aes192_encrypt_1x,#function
 .size	_aes192_encrypt_1x,.-_aes192_encrypt_1x
 .align	32
 _aes192_encrypt_2x:
 ___
 for ($i=0; $i<5; $i++) {
    $code.=<<___;
 	aes_eround01	%f`16+8*$i+0`, %f0, %f2, %f8
 	aes_eround23	%f`16+8*$i+2`, %f0, %f2, %f2
 	aes_eround01	%f`16+8*$i+0`, %f4, %f6, %f10
 	aes_eround23	%f`16+8*$i+2`, %f4, %f6, %f6
 	aes_eround01	%f`16+8*$i+4`, %f8, %f2, %f0
 	aes_eround23	%f`16+8*$i+6`, %f8, %f2, %f2
 	aes_eround01	%f`16+8*$i+4`, %f10, %f6, %f4
 	aes_eround23	%f`16+8*$i+6`, %f10, %f6, %f6
 ___
 }
 $code.=<<___;
 	aes_eround01	%f56, %f0, %f2, %f8
 	aes_eround23	%f58, %f0, %f2, %f2
 	aes_eround01	%f56, %f4, %f6, %f10
 	aes_eround23	%f58, %f4, %f6, %f6
 	aes_eround01_l	%f60, %f8, %f2, %f0
 	aes_eround23_l	%f62, %f8, %f2, %f2
 	aes_eround01_l	%f60, %f10, %f6, %f4
 	retl
 	aes_eround23_l	%f62, %f10, %f6, %f6
 .type	_aes192_encrypt_2x,#function
 .size	_aes192_encrypt_2x,.-_aes192_encrypt_2x
 .align	32
 _aes256_encrypt_1x:
 	aes_eround01	%f16, %f0, %f2, %f4
 	aes_eround23	%f18, %f0, %f2, %f2
 	ldd		[$key + 208], %f16
 	ldd		[$key + 216], %f18
 	aes_eround01	%f20, %f4, %f2, %f0
 	aes_eround23	%f22, %f4, %f2, %f2
 	ldd		[$key + 224], %f20
 	ldd		[$key + 232], %f22
 ___
 for ($i=1; $i<6; $i++) {
    $code.=<<___;
 	aes_eround01	%f`16+8*$i+0`, %f0, %f2, %f4
 	aes_eround23	%f`16+8*$i+2`, %f0, %f2, %f2
 	aes_eround01	%f`16+8*$i+4`, %f4, %f2, %f0
 	aes_eround23	%f`16+8*$i+6`, %f4, %f2, %f2
 ___
 }
 $code.=<<___;
 	aes_eround01	%f16, %f0, %f2, %f4
 	aes_eround23	%f18, %f0, %f2, %f2
 	ldd		[$key + 16], %f16
 	ldd		[$key + 24], %f18
 	aes_eround01_l	%f20, %f4, %f2, %f0
 	aes_eround23_l	%f22, %f4, %f2, %f2
 	ldd		[$key + 32], %f20
 	retl
 	ldd		[$key + 40], %f22
 .type	_aes256_encrypt_1x,#function
 .size	_aes256_encrypt_1x,.-_aes256_encrypt_1x
 .align	32
 _aes256_encrypt_2x:
 	aes_eround01	%f16, %f0, %f2, %f8
 	aes_eround23	%f18, %f0, %f2, %f2
 	aes_eround01	%f16, %f4, %f6, %f10
 	aes_eround23	%f18, %f4, %f6, %f6
 	ldd		[$key + 208], %f16
 	ldd		[$key + 216], %f18
 	aes_eround01	%f20, %f8, %f2, %f0
 	aes_eround23	%f22, %f8, %f2, %f2
 	aes_eround01	%f20, %f10, %f6, %f4
 	aes_eround23	%f22, %f10, %f6, %f6
 	ldd		[$key + 224], %f20
 	ldd		[$key + 232], %f22
 ___
 for ($i=1; $i<6; $i++) {
    $code.=<<___;
 	aes_eround01	%f`16+8*$i+0`, %f0, %f2, %f8
 	aes_eround23	%f`16+8*$i+2`, %f0, %f2, %f2
 	aes_eround01	%f`16+8*$i+0`, %f4, %f6, %f10
 	aes_eround23	%f`16+8*$i+2`, %f4, %f6, %f6
 	aes_eround01	%f`16+8*$i+4`, %f8, %f2, %f0
 	aes_eround23	%f`16+8*$i+6`, %f8, %f2, %f2
 	aes_eround01	%f`16+8*$i+4`, %f10, %f6, %f4
 	aes_eround23	%f`16+8*$i+6`, %f10, %f6, %f6
 ___
 }
 $code.=<<___;
 	aes_eround01	%f16, %f0, %f2, %f8
 	aes_eround23	%f18, %f0, %f2, %f2
 	aes_eround01	%f16, %f4, %f6, %f10
 	aes_eround23	%f18, %f4, %f6, %f6
 	ldd		[$key + 16], %f16
 	ldd		[$key + 24], %f18
 	aes_eround01_l	%f20, %f8, %f2, %f0
 	aes_eround23_l	%f22, %f8, %f2, %f2
 	aes_eround01_l	%f20, %f10, %f6, %f4
 	aes_eround23_l	%f22, %f10, %f6, %f6
 	ldd		[$key + 32], %f20
 	retl
 	ldd		[$key + 40], %f22
 .type	_aes256_encrypt_2x,#function
 .size	_aes256_encrypt_2x,.-_aes256_encrypt_2x
 .align	32
 _aes192_loadkey:
 	ldx		[$key + 0], %g4
 	ldx		[$key + 8], %g5
 ___
 for ($i=2; $i<26;$i++) {			# load key schedule
    $code.=<<___;
 	ldd		[$key + `8*$i`], %f`12+2*$i`
 ___
 }
 $code.=<<___;
 	retl
 	nop
 .type	_aes192_loadkey,#function
 .size	_aes192_loadkey,.-_aes192_loadkey
 _aes256_loadkey=_aes192_loadkey
 _aes192_load_enckey=_aes192_loadkey
 _aes192_load_deckey=_aes192_loadkey
 _aes256_load_enckey=_aes192_loadkey
 _aes256_load_deckey=_aes192_loadkey
 ___
 &alg_cbc_encrypt_implement("aes",256);
 &alg_cbc_encrypt_implement("aes",192);
 if ($::evp) {
    &alg_ctr32_implement("aes",256);
    &alg_xts_implement("aes",256,"en");
    &alg_xts_implement("aes",256,"de");
    &alg_ctr32_implement("aes",192);
 }
 &alg_cbc_decrypt_implement("aes",192);
 &alg_cbc_decrypt_implement("aes",256);
 $code.=<<___;
 .align	32
 _aes256_decrypt_1x:
 	aes_dround01	%f16, %f0, %f2, %f4
 	aes_dround23	%f18, %f0, %f2, %f2
 	ldd		[$key + 208], %f16
 	ldd		[$key + 216], %f18
 	aes_dround01	%f20, %f4, %f2, %f0
 	aes_dround23	%f22, %f4, %f2, %f2
 	ldd		[$key + 224], %f20
 	ldd		[$key + 232], %f22
 ___
 for ($i=1; $i<6; $i++) {
    $code.=<<___;
 	aes_dround01	%f`16+8*$i+0`, %f0, %f2, %f4
 	aes_dround23	%f`16+8*$i+2`, %f0, %f2, %f2
 	aes_dround01	%f`16+8*$i+4`, %f4, %f2, %f0
 	aes_dround23	%f`16+8*$i+6`, %f4, %f2, %f2
 ___
 }
 $code.=<<___;
 	aes_dround01	%f16, %f0, %f2, %f4
 	aes_dround23	%f18, %f0, %f2, %f2
 	ldd		[$key + 16], %f16
 	ldd		[$key + 24], %f18
 	aes_dround01_l	%f20, %f4, %f2, %f0
 	aes_dround23_l	%f22, %f4, %f2, %f2
 	ldd		[$key + 32], %f20
 	retl
 	ldd		[$key + 40], %f22
 .type	_aes256_decrypt_1x,#function
 .size	_aes256_decrypt_1x,.-_aes256_decrypt_1x
 .align	32
 _aes256_decrypt_2x:
 	aes_dround01	%f16, %f0, %f2, %f8
 	aes_dround23	%f18, %f0, %f2, %f2
 	aes_dround01	%f16, %f4, %f6, %f10
 	aes_dround23	%f18, %f4, %f6, %f6
 	ldd		[$key + 208], %f16
 	ldd		[$key + 216], %f18
 	aes_dround01	%f20, %f8, %f2, %f0
 	aes_dround23	%f22, %f8, %f2, %f2
 	aes_dround01	%f20, %f10, %f6, %f4
 	aes_dround23	%f22, %f10, %f6, %f6
 	ldd		[$key + 224], %f20
 	ldd		[$key + 232], %f22
 ___
 for ($i=1; $i<6; $i++) {
    $code.=<<___;
 	aes_dround01	%f`16+8*$i+0`, %f0, %f2, %f8
 	aes_dround23	%f`16+8*$i+2`, %f0, %f2, %f2
 	aes_dround01	%f`16+8*$i+0`, %f4, %f6, %f10
 	aes_dround23	%f`16+8*$i+2`, %f4, %f6, %f6
 	aes_dround01	%f`16+8*$i+4`, %f8, %f2, %f0
 	aes_dround23	%f`16+8*$i+6`, %f8, %f2, %f2
 	aes_dround01	%f`16+8*$i+4`, %f10, %f6, %f4
 	aes_dround23	%f`16+8*$i+6`, %f10, %f6, %f6
 ___
 }
 $code.=<<___;
 	aes_dround01	%f16, %f0, %f2, %f8
 	aes_dround23	%f18, %f0, %f2, %f2
 	aes_dround01	%f16, %f4, %f6, %f10
 	aes_dround23	%f18, %f4, %f6, %f6
 	ldd		[$key + 16], %f16
 	ldd		[$key + 24], %f18
 	aes_dround01_l	%f20, %f8, %f2, %f0
 	aes_dround23_l	%f22, %f8, %f2, %f2
 	aes_dround01_l	%f20, %f10, %f6, %f4
 	aes_dround23_l	%f22, %f10, %f6, %f6
 	ldd		[$key + 32], %f20
 	retl
 	ldd		[$key + 40], %f22
 .type	_aes256_decrypt_2x,#function
 .size	_aes256_decrypt_2x,.-_aes256_decrypt_2x
 .align	32
 _aes192_decrypt_1x:
 ___
 for ($i=0; $i<5; $i++) {
    $code.=<<___;
 	aes_dround01	%f`16+8*$i+0`, %f0, %f2, %f4
 	aes_dround23	%f`16+8*$i+2`, %f0, %f2, %f2
 	aes_dround01	%f`16+8*$i+4`, %f4, %f2, %f0
 	aes_dround23	%f`16+8*$i+6`, %f4, %f2, %f2
 ___
 }
 $code.=<<___;
 	aes_dround01	%f56, %f0, %f2, %f4
 	aes_dround23	%f58, %f0, %f2, %f2
 	aes_dround01_l	%f60, %f4, %f2, %f0
 	retl
 	aes_dround23_l	%f62, %f4, %f2, %f2
 .type	_aes192_decrypt_1x,#function
 .size	_aes192_decrypt_1x,.-_aes192_decrypt_1x
 .align	32
 _aes192_decrypt_2x:
 ___
 for ($i=0; $i<5; $i++) {
    $code.=<<___;
 	aes_dround01	%f`16+8*$i+0`, %f0, %f2, %f8
 	aes_dround23	%f`16+8*$i+2`, %f0, %f2, %f2
 	aes_dround01	%f`16+8*$i+0`, %f4, %f6, %f10
 	aes_dround23	%f`16+8*$i+2`, %f4, %f6, %f6
 	aes_dround01	%f`16+8*$i+4`, %f8, %f2, %f0
 	aes_dround23	%f`16+8*$i+6`, %f8, %f2, %f2
 	aes_dround01	%f`16+8*$i+4`, %f10, %f6, %f4
 	aes_dround23	%f`16+8*$i+6`, %f10, %f6, %f6
 ___
 }
 $code.=<<___;
 	aes_dround01	%f56, %f0, %f2, %f8
 	aes_dround23	%f58, %f0, %f2, %f2
 	aes_dround01	%f56, %f4, %f6, %f10
 	aes_dround23	%f58, %f4, %f6, %f6
 	aes_dround01_l	%f60, %f8, %f2, %f0
 	aes_dround23_l	%f62, %f8, %f2, %f2
 	aes_dround01_l	%f60, %f10, %f6, %f4
 	retl
 	aes_dround23_l	%f62, %f10, %f6, %f6
 .type	_aes192_decrypt_2x,#function
 .size	_aes192_decrypt_2x,.-_aes192_decrypt_2x
 ___
 }}}
 if (!$::evp) {
 $code.=<<___;
 .global	AES_encrypt
 AES_encrypt=aes_t4_encrypt
 .global	AES_decrypt
 AES_decrypt=aes_t4_decrypt
 .global	AES_set_encrypt_key
 .align	32
 AES_set_encrypt_key:
 	andcc		%o2, 7, %g0		! check alignment
 	bnz,a,pn	%icc, 1f
 	mov		-1, %o0
 	brz,a,pn	%o0, 1f
 	mov		-1, %o0
 	brz,a,pn	%o2, 1f
 	mov		-1, %o0
 	andncc		%o1, 0x1c0, %g0
 	bnz,a,pn	%icc, 1f
 	mov		-2, %o0
 	cmp		%o1, 128
 	bl,a,pn		%icc, 1f
 	mov		-2, %o0
 	b		aes_t4_set_encrypt_key
 	nop
 1:	retl
 	nop
 .type	AES_set_encrypt_key,#function
 .size	AES_set_encrypt_key,.-AES_set_encrypt_key
 .global	AES_set_decrypt_key
 .align	32
 AES_set_decrypt_key:
 	andcc		%o2, 7, %g0		! check alignment
 	bnz,a,pn	%icc, 1f
 	mov		-1, %o0
 	brz,a,pn	%o0, 1f
 	mov		-1, %o0
 	brz,a,pn	%o2, 1f
 	mov		-1, %o0
 	andncc		%o1, 0x1c0, %g0
 	bnz,a,pn	%icc, 1f
 	mov		-2, %o0
 	cmp		%o1, 128
 	bl,a,pn		%icc, 1f
 	mov		-2, %o0
 	b		aes_t4_set_decrypt_key
 	nop
 1:	retl
 	nop
 .type	AES_set_decrypt_key,#function
 .size	AES_set_decrypt_key,.-AES_set_decrypt_key
 ___
 my ($inp,$out,$len,$key,$ivec,$enc)=map("%o$_",(0..5));
 $code.=<<___;
 .globl	AES_cbc_encrypt
 .align	32
 AES_cbc_encrypt:
 	ld		[$key + 240], %g1
 	nop
 	brz		$enc, .Lcbc_decrypt
 	cmp		%g1, 12
 	bl,pt		%icc, aes128_t4_cbc_encrypt
 	nop
 	be,pn		%icc, aes192_t4_cbc_encrypt
 	nop
 	ba		aes256_t4_cbc_encrypt
 	nop
 .Lcbc_decrypt:
 	bl,pt		%icc, aes128_t4_cbc_decrypt
 	nop
 	be,pn		%icc, aes192_t4_cbc_decrypt
 	nop
 	ba		aes256_t4_cbc_decrypt
 	nop
 .type	AES_cbc_encrypt,#function
 .size	AES_cbc_encrypt,.-AES_cbc_encrypt
 ___
 }
 $code.=<<___;
 .asciz	"AES for SPARC T4, David S. Miller, Andy Polyakov"
 .align	4
 ___
 &emit_assembler();
 close STDOUT;
--- a/crypto/aes/asm/aesv8-armx.pl
+++ b/crypto/aes/asm/aesv8-armx.pl
@ -0,0 +1,960 @@
 #!/usr/bin/env perl
 #
 # ====================================================================
 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
 # project. The module is, however, dual licensed under OpenSSL and
 # CRYPTOGAMS licenses depending on where you obtain it. For further
 # details see http://www.openssl.org/~appro/cryptogams/.
 # ====================================================================
 #
 # This module implements support for ARMv8 AES instructions. The
 # module is endian-agnostic in sense that it supports both big- and
 # little-endian cases. As does it support both 32- and 64-bit modes
 # of operation. Latter is achieved by limiting amount of utilized
 # registers to 16, which implies additional NEON load and integer
 # instructions. This has no effect on mighty Apple A7, where results
 # are literally equal to the theoretical estimates based on AES
 # instruction latencies and issue rates. On Cortex-A53, an in-order
 # execution core, this costs up to 10-15%, which is partially
 # compensated by implementing dedicated code path for 128-bit
 # CBC encrypt case. On Cortex-A57 parallelizable mode performance
 # seems to be limited by sheer amount of NEON instructions...
 #
 # Performance in cycles per byte processed with 128-bit key:
 #
 #		CBC enc		CBC dec		CTR
 # Apple A7	2.39		1.20		1.20
 # Cortex-A53	2.45		1.87		1.94
 # Cortex-A57	3.64		1.34		1.32
 $flavour = shift;
 open STDOUT,">".shift;
 $prefix="aes_v8";
 $code=<<___;
 #include "arm_arch.h"
 #if __ARM_ARCH__>=7
 .text
 ___
 $code.=".arch	armv8-a+crypto\n"	if ($flavour =~ /64/);
 $code.=".fpu	neon\n.code	32\n"	if ($flavour !~ /64/);
 # Assembler mnemonics are an eclectic mix of 32- and 64-bit syntax,
 # NEON is mostly 32-bit mnemonics, integer - mostly 64. Goal is to
 # maintain both 32- and 64-bit codes within single module and
 # transliterate common code to either flavour with regex vodoo.
 #
 {{{
 my ($inp,$bits,$out,$ptr,$rounds)=("x0","w1","x2","x3","w12");
 my ($zero,$rcon,$mask,$in0,$in1,$tmp,$key)=
 	$flavour=~/64/? map("q$_",(0..6)) : map("q$_",(0..3,8..10));
 $code.=<<___;
 .align	5
 rcon:
 .long	0x01,0x01,0x01,0x01
 .long	0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d	// rotate-n-splat
 .long	0x1b,0x1b,0x1b,0x1b
 .globl	${prefix}_set_encrypt_key
 .type	${prefix}_set_encrypt_key,%function
 .align	5
 ${prefix}_set_encrypt_key:
 .Lenc_key:
 ___
 $code.=<<___	if ($flavour =~ /64/);
 	stp	x29,x30,[sp,#-16]!
 	add	x29,sp,#0
 ___
 $code.=<<___;
 	mov	$ptr,#-1
 	cmp	$inp,#0
 	b.eq	.Lenc_key_abort
 	cmp	$out,#0
 	b.eq	.Lenc_key_abort
 	mov	$ptr,#-2
 	cmp	$bits,#128
 	b.lt	.Lenc_key_abort
 	cmp	$bits,#256
 	b.gt	.Lenc_key_abort
 	tst	$bits,#0x3f
 	b.ne	.Lenc_key_abort
 	adr	$ptr,rcon
 	cmp	$bits,#192
 	veor	$zero,$zero,$zero
 	vld1.8	{$in0},[$inp],#16
 	mov	$bits,#8		// reuse $bits
 	vld1.32	{$rcon,$mask},[$ptr],#32
 	b.lt	.Loop128
 	b.eq	.L192
 	b	.L256
 .align	4
 .Loop128:
 	vtbl.8	$key,{$in0},$mask
 	vext.8	$tmp,$zero,$in0,#12
 	vst1.32	{$in0},[$out],#16
 	aese	$key,$zero
 	subs	$bits,$bits,#1
 	veor	$in0,$in0,$tmp
 	vext.8	$tmp,$zero,$tmp,#12
 	veor	$in0,$in0,$tmp
 	vext.8	$tmp,$zero,$tmp,#12
 	 veor	$key,$key,$rcon
 	veor	$in0,$in0,$tmp
 	vshl.u8	$rcon,$rcon,#1
 	veor	$in0,$in0,$key
 	b.ne	.Loop128
 	vld1.32	{$rcon},[$ptr]
 	vtbl.8	$key,{$in0},$mask
 	vext.8	$tmp,$zero,$in0,#12
 	vst1.32	{$in0},[$out],#16
 	aese	$key,$zero
 	veor	$in0,$in0,$tmp
 	vext.8	$tmp,$zero,$tmp,#12
 	veor	$in0,$in0,$tmp
 	vext.8	$tmp,$zero,$tmp,#12
 	 veor	$key,$key,$rcon
 	veor	$in0,$in0,$tmp
 	vshl.u8	$rcon,$rcon,#1
 	veor	$in0,$in0,$key
 	vtbl.8	$key,{$in0},$mask
 	vext.8	$tmp,$zero,$in0,#12
 	vst1.32	{$in0},[$out],#16
 	aese	$key,$zero
 	veor	$in0,$in0,$tmp
 	vext.8	$tmp,$zero,$tmp,#12
 	veor	$in0,$in0,$tmp
 	vext.8	$tmp,$zero,$tmp,#12
 	 veor	$key,$key,$rcon
 	veor	$in0,$in0,$tmp
 	veor	$in0,$in0,$key
 	vst1.32	{$in0},[$out]
 	add	$out,$out,#0x50
 	mov	$rounds,#10
 	b	.Ldone
 .align	4
 .L192:
 	vld1.8	{$in1},[$inp],#8
 	vmov.i8	$key,#8			// borrow $key
 	vst1.32	{$in0},[$out],#16
 	vsub.i8	$mask,$mask,$key	// adjust the mask
 .Loop192:
 	vtbl.8	$key,{$in1},$mask
 	vext.8	$tmp,$zero,$in0,#12
 	vst1.32	{$in1},[$out],#8
 	aese	$key,$zero
 	subs	$bits,$bits,#1
 	veor	$in0,$in0,$tmp
 	vext.8	$tmp,$zero,$tmp,#12
 	veor	$in0,$in0,$tmp
 	vext.8	$tmp,$zero,$tmp,#12
 	veor	$in0,$in0,$tmp
 	vdup.32	$tmp,${in0}[3]
 	veor	$tmp,$tmp,$in1
 	 veor	$key,$key,$rcon
 	vext.8	$in1,$zero,$in1,#12
 	vshl.u8	$rcon,$rcon,#1
 	veor	$in1,$in1,$tmp
 	veor	$in0,$in0,$key
 	veor	$in1,$in1,$key
 	vst1.32	{$in0},[$out],#16
 	b.ne	.Loop192
 	mov	$rounds,#12
 	add	$out,$out,#0x20
 	b	.Ldone
 .align	4
 .L256:
 	vld1.8	{$in1},[$inp]
 	mov	$bits,#7
 	mov	$rounds,#14
 	vst1.32	{$in0},[$out],#16
 .Loop256:
 	vtbl.8	$key,{$in1},$mask
 	vext.8	$tmp,$zero,$in0,#12
 	vst1.32	{$in1},[$out],#16
 	aese	$key,$zero
 	subs	$bits,$bits,#1
 	veor	$in0,$in0,$tmp
 	vext.8	$tmp,$zero,$tmp,#12
 	veor	$in0,$in0,$tmp
 	vext.8	$tmp,$zero,$tmp,#12
 	 veor	$key,$key,$rcon
 	veor	$in0,$in0,$tmp
 	vshl.u8	$rcon,$rcon,#1
 	veor	$in0,$in0,$key
 	vst1.32	{$in0},[$out],#16
 	b.eq	.Ldone
 	vdup.32	$key,${in0}[3]		// just splat
 	vext.8	$tmp,$zero,$in1,#12
 	aese	$key,$zero
 	veor	$in1,$in1,$tmp
 	vext.8	$tmp,$zero,$tmp,#12
 	veor	$in1,$in1,$tmp
 	vext.8	$tmp,$zero,$tmp,#12
 	veor	$in1,$in1,$tmp
 	veor	$in1,$in1,$key
 	b	.Loop256
 .Ldone:
 	str	$rounds,[$out]
 	mov	$ptr,#0
 .Lenc_key_abort:
 	mov	x0,$ptr			// return value
 	`"ldr	x29,[sp],#16"		if ($flavour =~ /64/)`
 	ret
 .size	${prefix}_set_encrypt_key,.-${prefix}_set_encrypt_key
 .globl	${prefix}_set_decrypt_key
 .type	${prefix}_set_decrypt_key,%function
 .align	5
 ${prefix}_set_decrypt_key:
 ___
 $code.=<<___	if ($flavour =~ /64/);
 	stp	x29,x30,[sp,#-16]!
 	add	x29,sp,#0
 ___
 $code.=<<___	if ($flavour !~ /64/);
 	stmdb	sp!,{r4,lr}
 ___
 $code.=<<___;
 	bl	.Lenc_key
 	cmp	x0,#0
 	b.ne	.Ldec_key_abort
 	sub	$out,$out,#240		// restore original $out
 	mov	x4,#-16
 	add	$inp,$out,x12,lsl#4	// end of key schedule
 	vld1.32	{v0.16b},[$out]
 	vld1.32	{v1.16b},[$inp]
 	vst1.32	{v0.16b},[$inp],x4
 	vst1.32	{v1.16b},[$out],#16
 .Loop_imc:
 	vld1.32	{v0.16b},[$out]
 	vld1.32	{v1.16b},[$inp]
 	aesimc	v0.16b,v0.16b
 	aesimc	v1.16b,v1.16b
 	vst1.32	{v0.16b},[$inp],x4
 	vst1.32	{v1.16b},[$out],#16
 	cmp	$inp,$out
 	b.hi	.Loop_imc
 	vld1.32	{v0.16b},[$out]
 	aesimc	v0.16b,v0.16b
 	vst1.32	{v0.16b},[$inp]
 	eor	x0,x0,x0		// return value
 .Ldec_key_abort:
 ___
 $code.=<<___	if ($flavour !~ /64/);
 	ldmia	sp!,{r4,pc}
 ___
 $code.=<<___	if ($flavour =~ /64/);
 	ldp	x29,x30,[sp],#16
 	ret
 ___
 $code.=<<___;
 .size	${prefix}_set_decrypt_key,.-${prefix}_set_decrypt_key
 ___
 }}}
 {{{
 sub gen_block () {
 my $dir = shift;
 my ($e,$mc) = $dir eq "en" ? ("e","mc") : ("d","imc");
 my ($inp,$out,$key)=map("x$_",(0..2));
 my $rounds="w3";
 my ($rndkey0,$rndkey1,$inout)=map("q$_",(0..3));
 $code.=<<___;
 .globl	${prefix}_${dir}crypt
 .type	${prefix}_${dir}crypt,%function
 .align	5
 ${prefix}_${dir}crypt:
 	ldr	$rounds,[$key,#240]
 	vld1.32	{$rndkey0},[$key],#16
 	vld1.8	{$inout},[$inp]
 	sub	$rounds,$rounds,#2
 	vld1.32	{$rndkey1},[$key],#16
 .Loop_${dir}c:
 	aes$e	$inout,$rndkey0
 	vld1.32	{$rndkey0},[$key],#16
 	aes$mc	$inout,$inout
 	subs	$rounds,$rounds,#2
 	aes$e	$inout,$rndkey1
 	vld1.32	{$rndkey1},[$key],#16
 	aes$mc	$inout,$inout
 	b.gt	.Loop_${dir}c
 	aes$e	$inout,$rndkey0
 	vld1.32	{$rndkey0},[$key]
 	aes$mc	$inout,$inout
 	aes$e	$inout,$rndkey1
 	veor	$inout,$inout,$rndkey0
 	vst1.8	{$inout},[$out]
 	ret
 .size	${prefix}_${dir}crypt,.-${prefix}_${dir}crypt
 ___
 }
 &gen_block("en");
 &gen_block("de");
 }}}
 {{{
 my ($inp,$out,$len,$key,$ivp)=map("x$_",(0..4)); my $enc="w5";
 my ($rounds,$cnt,$key_,$step,$step1)=($enc,"w6","x7","x8","x12");
 my ($dat0,$dat1,$in0,$in1,$tmp0,$tmp1,$ivec,$rndlast)=map("q$_",(0..7));
 my ($dat,$tmp,$rndzero_n_last)=($dat0,$tmp0,$tmp1);
 ### q8-q15	preloaded key schedule
 $code.=<<___;
 .globl	${prefix}_cbc_encrypt
 .type	${prefix}_cbc_encrypt,%function
 .align	5
 ${prefix}_cbc_encrypt:
 ___
 $code.=<<___	if ($flavour =~ /64/);
 	stp	x29,x30,[sp,#-16]!
 	add	x29,sp,#0
 ___
 $code.=<<___	if ($flavour !~ /64/);
 	mov	ip,sp
 	stmdb	sp!,{r4-r8,lr}
 	vstmdb	sp!,{d8-d15}            @ ABI specification says so
 	ldmia	ip,{r4-r5}		@ load remaining args
 ___
 $code.=<<___;
 	subs	$len,$len,#16
 	mov	$step,#16
 	b.lo	.Lcbc_abort
 	cclr	$step,eq
 	cmp	$enc,#0			// en- or decrypting?
 	ldr	$rounds,[$key,#240]
 	and	$len,$len,#-16
 	vld1.8	{$ivec},[$ivp]
 	vld1.8	{$dat},[$inp],$step
 	vld1.32	{q8-q9},[$key]		// load key schedule...
 	sub	$rounds,$rounds,#6
 	add	$key_,$key,x5,lsl#4	// pointer to last 7 round keys
 	sub	$rounds,$rounds,#2
 	vld1.32	{q10-q11},[$key_],#32
 	vld1.32	{q12-q13},[$key_],#32
 	vld1.32	{q14-q15},[$key_],#32
 	vld1.32	{$rndlast},[$key_]
 	add	$key_,$key,#32
 	mov	$cnt,$rounds
 	b.eq	.Lcbc_dec
 	cmp	$rounds,#2
 	veor	$dat,$dat,$ivec
 	veor	$rndzero_n_last,q8,$rndlast
 	b.eq	.Lcbc_enc128
 .Loop_cbc_enc:
 	aese	$dat,q8
 	vld1.32	{q8},[$key_],#16
 	aesmc	$dat,$dat
 	subs	$cnt,$cnt,#2
 	aese	$dat,q9
 	vld1.32	{q9},[$key_],#16
 	aesmc	$dat,$dat
 	b.gt	.Loop_cbc_enc
 	aese	$dat,q8
 	aesmc	$dat,$dat
 	 subs	$len,$len,#16
 	aese	$dat,q9
 	aesmc	$dat,$dat
 	 cclr	$step,eq
 	aese	$dat,q10
 	aesmc	$dat,$dat
 	 add	$key_,$key,#16
 	aese	$dat,q11
 	aesmc	$dat,$dat
 	 vld1.8	{q8},[$inp],$step
 	aese	$dat,q12
 	aesmc	$dat,$dat
 	 veor	q8,q8,$rndzero_n_last
 	aese	$dat,q13
 	aesmc	$dat,$dat
 	 vld1.32 {q9},[$key_],#16	// re-pre-load rndkey[1]
 	aese	$dat,q14
 	aesmc	$dat,$dat
 	aese	$dat,q15
 	 mov	$cnt,$rounds
 	veor	$ivec,$dat,$rndlast
 	vst1.8	{$ivec},[$out],#16
 	b.hs	.Loop_cbc_enc
 	b	.Lcbc_done
 .align	5
 .Lcbc_enc128:
 	vld1.32	{$in0-$in1},[$key_]
 	aese	$dat,q8
 	aesmc	$dat,$dat
 	b	.Lenter_cbc_enc128
 .Loop_cbc_enc128:
 	aese	$dat,q8
 	aesmc	$dat,$dat
 	 vst1.8	{$ivec},[$out],#16
 .Lenter_cbc_enc128:
 	aese	$dat,q9
 	aesmc	$dat,$dat
 	 subs	$len,$len,#16
 	aese	$dat,$in0
 	aesmc	$dat,$dat
 	 cclr	$step,eq
 	aese	$dat,$in1
 	aesmc	$dat,$dat
 	aese	$dat,q10
 	aesmc	$dat,$dat
 	aese	$dat,q11
 	aesmc	$dat,$dat
 	 vld1.8	{q8},[$inp],$step
 	aese	$dat,q12
 	aesmc	$dat,$dat
 	aese	$dat,q13
 	aesmc	$dat,$dat
 	aese	$dat,q14
 	aesmc	$dat,$dat
 	 veor	q8,q8,$rndzero_n_last
 	aese	$dat,q15
 	veor	$ivec,$dat,$rndlast
 	b.hs	.Loop_cbc_enc128
 	vst1.8	{$ivec},[$out],#16
 	b	.Lcbc_done
 ___
 {
 my ($dat2,$in2,$tmp2)=map("q$_",(10,11,9));
 $code.=<<___;
 .align	5
 .Lcbc_dec:
 	vld1.8	{$dat2},[$inp],#16
 	subs	$len,$len,#32		// bias
 	add	$cnt,$rounds,#2
 	vorr	$in1,$dat,$dat
 	vorr	$dat1,$dat,$dat
 	vorr	$in2,$dat2,$dat2
 	b.lo	.Lcbc_dec_tail
 	vorr	$dat1,$dat2,$dat2
 	vld1.8	{$dat2},[$inp],#16
 	vorr	$in0,$dat,$dat
 	vorr	$in1,$dat1,$dat1
 	vorr	$in2,$dat2,$dat2
 .Loop3x_cbc_dec:
 	aesd	$dat0,q8
 	aesd	$dat1,q8
 	aesd	$dat2,q8
 	vld1.32	{q8},[$key_],#16
 	aesimc	$dat0,$dat0
 	aesimc	$dat1,$dat1
 	aesimc	$dat2,$dat2
 	subs	$cnt,$cnt,#2
 	aesd	$dat0,q9
 	aesd	$dat1,q9
 	aesd	$dat2,q9
 	vld1.32	{q9},[$key_],#16
 	aesimc	$dat0,$dat0
 	aesimc	$dat1,$dat1
 	aesimc	$dat2,$dat2
 	b.gt	.Loop3x_cbc_dec
 	aesd	$dat0,q8
 	aesd	$dat1,q8
 	aesd	$dat2,q8
 	 veor	$tmp0,$ivec,$rndlast
 	aesimc	$dat0,$dat0
 	aesimc	$dat1,$dat1
 	aesimc	$dat2,$dat2
 	 veor	$tmp1,$in0,$rndlast
 	aesd	$dat0,q9
 	aesd	$dat1,q9
 	aesd	$dat2,q9
 	 veor	$tmp2,$in1,$rndlast
 	 subs	$len,$len,#0x30
 	aesimc	$dat0,$dat0
 	aesimc	$dat1,$dat1
 	aesimc	$dat2,$dat2
 	 vorr	$ivec,$in2,$in2
 	 mov.lo	x6,$len			// x6, $cnt, is zero at this point
 	aesd	$dat0,q12
 	aesd	$dat1,q12
 	aesd	$dat2,q12
 	 add	$inp,$inp,x6		// $inp is adjusted in such way that
 					// at exit from the loop $dat1-$dat2
 					// are loaded with last "words"
 	aesimc	$dat0,$dat0
 	aesimc	$dat1,$dat1
 	aesimc	$dat2,$dat2
 	 mov	$key_,$key
 	aesd	$dat0,q13
 	aesd	$dat1,q13
 	aesd	$dat2,q13
 	 vld1.8	{$in0},[$inp],#16
 	aesimc	$dat0,$dat0
 	aesimc	$dat1,$dat1
 	aesimc	$dat2,$dat2
 	 vld1.8	{$in1},[$inp],#16
 	aesd	$dat0,q14
 	aesd	$dat1,q14
 	aesd	$dat2,q14
 	 vld1.8	{$in2},[$inp],#16
 	aesimc	$dat0,$dat0
 	aesimc	$dat1,$dat1
 	aesimc	$dat2,$dat2
 	 vld1.32 {q8},[$key_],#16	// re-pre-load rndkey[0]
 	aesd	$dat0,q15
 	aesd	$dat1,q15
 	aesd	$dat2,q15
 	 add	$cnt,$rounds,#2
 	veor	$tmp0,$tmp0,$dat0
 	veor	$tmp1,$tmp1,$dat1
 	veor	$dat2,$dat2,$tmp2
 	 vld1.32 {q9},[$key_],#16	// re-pre-load rndkey[1]
 	 vorr	$dat0,$in0,$in0
 	vst1.8	{$tmp0},[$out],#16
 	 vorr	$dat1,$in1,$in1
 	vst1.8	{$tmp1},[$out],#16
 	vst1.8	{$dat2},[$out],#16
 	 vorr	$dat2,$in2,$in2
 	b.hs	.Loop3x_cbc_dec
 	cmn	$len,#0x30
 	b.eq	.Lcbc_done
 	nop
 .Lcbc_dec_tail:
 	aesd	$dat1,q8
 	aesd	$dat2,q8
 	vld1.32	{q8},[$key_],#16
 	aesimc	$dat1,$dat1
 	aesimc	$dat2,$dat2
 	subs	$cnt,$cnt,#2
 	aesd	$dat1,q9
 	aesd	$dat2,q9
 	vld1.32	{q9},[$key_],#16
 	aesimc	$dat1,$dat1
 	aesimc	$dat2,$dat2
 	b.gt	.Lcbc_dec_tail
 	aesd	$dat1,q8
 	aesd	$dat2,q8
 	aesimc	$dat1,$dat1
 	aesimc	$dat2,$dat2
 	aesd	$dat1,q9
 	aesd	$dat2,q9
 	aesimc	$dat1,$dat1
 	aesimc	$dat2,$dat2
 	aesd	$dat1,q12
 	aesd	$dat2,q12
 	aesimc	$dat1,$dat1
 	aesimc	$dat2,$dat2
 	 cmn	$len,#0x20
 	aesd	$dat1,q13
 	aesd	$dat2,q13
 	aesimc	$dat1,$dat1
 	aesimc	$dat2,$dat2
 	 veor	$tmp1,$ivec,$rndlast
 	aesd	$dat1,q14
 	aesd	$dat2,q14
 	aesimc	$dat1,$dat1
 	aesimc	$dat2,$dat2
 	 veor	$tmp2,$in1,$rndlast
 	aesd	$dat1,q15
 	aesd	$dat2,q15
 	b.eq	.Lcbc_dec_one
 	veor	$tmp1,$tmp1,$dat1
 	veor	$tmp2,$tmp2,$dat2
 	 vorr	$ivec,$in2,$in2
 	vst1.8	{$tmp1},[$out],#16
 	vst1.8	{$tmp2},[$out],#16
 	b	.Lcbc_done
 .Lcbc_dec_one:
 	veor	$tmp1,$tmp1,$dat2
 	 vorr	$ivec,$in2,$in2
 	vst1.8	{$tmp1},[$out],#16
 .Lcbc_done:
 	vst1.8	{$ivec},[$ivp]
 .Lcbc_abort:
 ___
 }
 $code.=<<___	if ($flavour !~ /64/);
 	vldmia	sp!,{d8-d15}
 	ldmia	sp!,{r4-r8,pc}
 ___
 $code.=<<___	if ($flavour =~ /64/);
 	ldr	x29,[sp],#16
 	ret
 ___
 $code.=<<___;
 .size	${prefix}_cbc_encrypt,.-${prefix}_cbc_encrypt
 ___
 }}}
 {{{
 my ($inp,$out,$len,$key,$ivp)=map("x$_",(0..4));
 my ($rounds,$cnt,$key_)=("w5","w6","x7");
 my ($ctr,$tctr0,$tctr1,$tctr2)=map("w$_",(8..10,12));
 my $step="x12";		# aliases with $tctr2
 my ($dat0,$dat1,$in0,$in1,$tmp0,$tmp1,$ivec,$rndlast)=map("q$_",(0..7));
 my ($dat2,$in2,$tmp2)=map("q$_",(10,11,9));
 my ($dat,$tmp)=($dat0,$tmp0);
 ### q8-q15	preloaded key schedule
 $code.=<<___;
 .globl	${prefix}_ctr32_encrypt_blocks
 .type	${prefix}_ctr32_encrypt_blocks,%function
 .align	5
 ${prefix}_ctr32_encrypt_blocks:
 ___
 $code.=<<___	if ($flavour =~ /64/);
 	stp		x29,x30,[sp,#-16]!
 	add		x29,sp,#0
 ___
 $code.=<<___	if ($flavour !~ /64/);
 	mov		ip,sp
 	stmdb		sp!,{r4-r10,lr}
 	vstmdb		sp!,{d8-d15}            @ ABI specification says so
 	ldr		r4, [ip]		@ load remaining arg
 ___
 $code.=<<___;
 	ldr		$rounds,[$key,#240]
 	ldr		$ctr, [$ivp, #12]
 	vld1.32		{$dat0},[$ivp]
 	vld1.32		{q8-q9},[$key]		// load key schedule...
 	sub		$rounds,$rounds,#4
 	mov		$step,#16
 	cmp		$len,#2
 	add		$key_,$key,x5,lsl#4	// pointer to last 5 round keys
 	sub		$rounds,$rounds,#2
 	vld1.32		{q12-q13},[$key_],#32
 	vld1.32		{q14-q15},[$key_],#32
 	vld1.32		{$rndlast},[$key_]
 	add		$key_,$key,#32
 	mov		$cnt,$rounds
 	cclr		$step,lo
 #ifndef __ARMEB__
 	rev		$ctr, $ctr
 #endif
 	vorr		$dat1,$dat0,$dat0
 	add		$tctr1, $ctr, #1
 	vorr		$dat2,$dat0,$dat0
 	add		$ctr, $ctr, #2
 	vorr		$ivec,$dat0,$dat0
 	rev		$tctr1, $tctr1
 	vmov.32		${dat1}[3],$tctr1
 	b.ls		.Lctr32_tail
 	rev		$tctr2, $ctr
 	sub		$len,$len,#3		// bias
 	vmov.32		${dat2}[3],$tctr2
 	b		.Loop3x_ctr32
 .align	4
 .Loop3x_ctr32:
 	aese		$dat0,q8
 	aese		$dat1,q8
 	aese		$dat2,q8
 	vld1.32		{q8},[$key_],#16
 	aesmc		$dat0,$dat0
 	aesmc		$dat1,$dat1
 	aesmc		$dat2,$dat2
 	subs		$cnt,$cnt,#2
 	aese		$dat0,q9
 	aese		$dat1,q9
 	aese		$dat2,q9
 	vld1.32		{q9},[$key_],#16
 	aesmc		$dat0,$dat0
 	aesmc		$dat1,$dat1
 	aesmc		$dat2,$dat2
 	b.gt		.Loop3x_ctr32
 	aese		$dat0,q8
 	aese		$dat1,q8
 	aese		$dat2,q8
 	 mov		$key_,$key
 	aesmc		$tmp0,$dat0
 	 vld1.8		{$in0},[$inp],#16
 	aesmc		$tmp1,$dat1
 	aesmc		$dat2,$dat2
 	 vorr		$dat0,$ivec,$ivec
 	aese		$tmp0,q9
 	 vld1.8		{$in1},[$inp],#16
 	aese		$tmp1,q9
 	aese		$dat2,q9
 	 vorr		$dat1,$ivec,$ivec
 	aesmc		$tmp0,$tmp0
 	 vld1.8		{$in2},[$inp],#16
 	aesmc		$tmp1,$tmp1
 	aesmc		$tmp2,$dat2
 	 vorr		$dat2,$ivec,$ivec
 	 add		$tctr0,$ctr,#1
 	aese		$tmp0,q12
 	aese		$tmp1,q12
 	aese		$tmp2,q12
 	 veor		$in0,$in0,$rndlast
 	 add		$tctr1,$ctr,#2
 	aesmc		$tmp0,$tmp0
 	aesmc		$tmp1,$tmp1
 	aesmc		$tmp2,$tmp2
 	 veor		$in1,$in1,$rndlast
 	 add		$ctr,$ctr,#3
 	aese		$tmp0,q13
 	aese		$tmp1,q13
 	aese		$tmp2,q13
 	 veor		$in2,$in2,$rndlast
 	 rev		$tctr0,$tctr0
 	aesmc		$tmp0,$tmp0
 	 vld1.32	 {q8},[$key_],#16	// re-pre-load rndkey[0]
 	aesmc		$tmp1,$tmp1
 	aesmc		$tmp2,$tmp2
 	 vmov.32	${dat0}[3], $tctr0
 	 rev		$tctr1,$tctr1
 	aese		$tmp0,q14
 	aese		$tmp1,q14
 	aese		$tmp2,q14
 	 vmov.32	${dat1}[3], $tctr1
 	 rev		$tctr2,$ctr
 	aesmc		$tmp0,$tmp0
 	aesmc		$tmp1,$tmp1
 	aesmc		$tmp2,$tmp2
 	 vmov.32	${dat2}[3], $tctr2
 	 subs		$len,$len,#3
 	aese		$tmp0,q15
 	aese		$tmp1,q15
 	aese		$tmp2,q15
 	 mov		$cnt,$rounds
 	veor		$in0,$in0,$tmp0
 	veor		$in1,$in1,$tmp1
 	veor		$in2,$in2,$tmp2
 	 vld1.32	 {q9},[$key_],#16	// re-pre-load rndkey[1]
 	vst1.8		{$in0},[$out],#16
 	vst1.8		{$in1},[$out],#16
 	vst1.8		{$in2},[$out],#16
 	b.hs		.Loop3x_ctr32
 	adds		$len,$len,#3
 	b.eq		.Lctr32_done
 	cmp		$len,#1
 	mov		$step,#16
 	cclr		$step,eq
 .Lctr32_tail:
 	aese		$dat0,q8
 	aese		$dat1,q8
 	vld1.32		{q8},[$key_],#16
 	aesmc		$dat0,$dat0
 	aesmc		$dat1,$dat1
 	subs		$cnt,$cnt,#2
 	aese		$dat0,q9
 	aese		$dat1,q9
 	vld1.32		{q9},[$key_],#16
 	aesmc		$dat0,$dat0
 	aesmc		$dat1,$dat1
 	b.gt		.Lctr32_tail
 	aese		$dat0,q8
 	aese		$dat1,q8
 	aesmc		$dat0,$dat0
 	aesmc		$dat1,$dat1
 	aese		$dat0,q9
 	aese		$dat1,q9
 	aesmc		$dat0,$dat0
 	aesmc		$dat1,$dat1
 	 vld1.8		{$in0},[$inp],$step
 	aese		$dat0,q12
 	aese		$dat1,q12
 	 vld1.8		{$in1},[$inp]
 	aesmc		$dat0,$dat0
 	aesmc		$dat1,$dat1
 	aese		$dat0,q13
 	aese		$dat1,q13
 	aesmc		$dat0,$dat0
 	aesmc		$dat1,$dat1
 	aese		$dat0,q14
 	aese		$dat1,q14
 	 veor		$in0,$in0,$rndlast
 	aesmc		$dat0,$dat0
 	aesmc		$dat1,$dat1
 	 veor		$in1,$in1,$rndlast
 	aese		$dat0,q15
 	aese		$dat1,q15
 	cmp		$len,#1
 	veor		$in0,$in0,$dat0
 	veor		$in1,$in1,$dat1
 	vst1.8		{$in0},[$out],#16
 	b.eq		.Lctr32_done
 	vst1.8		{$in1},[$out]
 .Lctr32_done:
 ___
 $code.=<<___	if ($flavour !~ /64/);
 	vldmia		sp!,{d8-d15}
 	ldmia		sp!,{r4-r10,pc}
 ___
 $code.=<<___	if ($flavour =~ /64/);
 	ldr		x29,[sp],#16
 	ret
 ___
 $code.=<<___;
 .size	${prefix}_ctr32_encrypt_blocks,.-${prefix}_ctr32_encrypt_blocks
 ___
 }}}
 $code.=<<___;
 #endif
 ___
 ########################################
 if ($flavour =~ /64/) {			######## 64-bit code
    my %opcode = (
 	"aesd"	=>	0x4e285800,	"aese"	=>	0x4e284800,
 	"aesimc"=>	0x4e287800,	"aesmc"	=>	0x4e286800	);
    local *unaes = sub {
 	my ($mnemonic,$arg)=@_;
 	$arg =~ m/[qv]([0-9]+)[^,]*,\s*[qv]([0-9]+)/o	&&
 	sprintf ".inst\t0x%08x\t//%s %s",
 			$opcode{$mnemonic}|$1|($2<<5),
 			$mnemonic,$arg;
    };
    foreach(split("\n",$code)) {
 	s/\`([^\`]*)\`/eval($1)/geo;
 	s/\bq([0-9]+)\b/"v".($1<8?$1:$1+8).".16b"/geo;	# old->new registers
 	s/@\s/\/\//o;			# old->new style commentary
 	#s/[v]?(aes\w+)\s+([qv].*)/unaes($1,$2)/geo	or
 	s/cclr\s+([wx])([^,]+),\s*([a-z]+)/csel	$1$2,$1zr,$1$2,$3/o	or
 	s/mov\.([a-z]+)\s+([wx][0-9]+),\s*([wx][0-9]+)/csel	$2,$3,$2,$1/o	or
 	s/vmov\.i8/movi/o	or	# fix up legacy mnemonics
 	s/vext\.8/ext/o		or
 	s/vrev32\.8/rev32/o	or
 	s/vtst\.8/cmtst/o	or
 	s/vshr/ushr/o		or
 	s/^(\s+)v/$1/o		or	# strip off v prefix
 	s/\bbx\s+lr\b/ret/o;
 	# fix up remainig legacy suffixes
 	s/\.[ui]?8//o;
 	m/\],#8/o and s/\.16b/\.8b/go;
 	s/\.[ui]?32//o and s/\.16b/\.4s/go;
 	s/\.[ui]?64//o and s/\.16b/\.2d/go;
 	s/\.[42]([sd])\[([0-3])\]/\.$1\[$2\]/o;
 	print $_,"\n";
    }
 } else {				######## 32-bit code
    my %opcode = (
 	"aesd"	=>	0xf3b00340,	"aese"	=>	0xf3b00300,
 	"aesimc"=>	0xf3b003c0,	"aesmc"	=>	0xf3b00380	);
    local *unaes = sub {
 	my ($mnemonic,$arg)=@_;
 	if ($arg =~ m/[qv]([0-9]+)[^,]*,\s*[qv]([0-9]+)/o) {
 	    my $word = $opcode{$mnemonic}|(($1&7)<<13)|(($1&8)<<19)
 					 |(($2&7)<<1) |(($2&8)<<2);
 	    # since ARMv7 instructions are always encoded little-endian.
 	    # correct solution is to use .inst directive, but older
 	    # assemblers don't implement it:-(
 	    sprintf ".byte\t0x%02x,0x%02x,0x%02x,0x%02x\t@ %s %s",
 			$word&0xff,($word>>8)&0xff,
 			($word>>16)&0xff,($word>>24)&0xff,
 			$mnemonic,$arg;
 	}
    };
    sub unvtbl {
 	my $arg=shift;
 	$arg =~ m/q([0-9]+),\s*\{q([0-9]+)\},\s*q([0-9]+)/o &&
 	sprintf	"vtbl.8	d%d,{q%d},d%d\n\t".
 		"vtbl.8	d%d,{q%d},d%d", 2*$1,$2,2*$3, 2*$1+1,$2,2*$3+1;	
    }
    sub unvdup32 {
 	my $arg=shift;
 	$arg =~ m/q([0-9]+),\s*q([0-9]+)\[([0-3])\]/o &&
 	sprintf	"vdup.32	q%d,d%d[%d]",$1,2*$2+($3>>1),$3&1;	
    }
    sub unvmov32 {
 	my $arg=shift;
 	$arg =~ m/q([0-9]+)\[([0-3])\],(.*)/o &&
 	sprintf	"vmov.32	d%d[%d],%s",2*$1+($2>>1),$2&1,$3;	
    }
    foreach(split("\n",$code)) {
 	s/\`([^\`]*)\`/eval($1)/geo;
 	s/\b[wx]([0-9]+)\b/r$1/go;		# new->old registers
 	s/\bv([0-9])\.[12468]+[bsd]\b/q$1/go;	# new->old registers
 	s/\/\/\s?/@ /o;				# new->old style commentary
 	# fix up remainig new-style suffixes
 	s/\{q([0-9]+)\},\s*\[(.+)\],#8/sprintf "{d%d},[$2]!",2*$1/eo	or
 	s/\],#[0-9]+/]!/o;
 	s/[v]?(aes\w+)\s+([qv].*)/unaes($1,$2)/geo	or
 	s/cclr\s+([^,]+),\s*([a-z]+)/mov$2	$1,#0/o	or
 	s/vtbl\.8\s+(.*)/unvtbl($1)/geo			or
 	s/vdup\.32\s+(.*)/unvdup32($1)/geo		or
 	s/vmov\.32\s+(.*)/unvmov32($1)/geo		or
 	s/^(\s+)b\./$1b/o				or
 	s/^(\s+)mov\./$1mov/o				or
 	s/^(\s+)ret/$1bx\tlr/o;
 	print $_,"\n";
    }
 }
 close STDOUT;
--- a/crypto/aes/asm/bsaes-armv7.pl
+++ b/crypto/aes/asm/bsaes-armv7.pl
--- a/crypto/aes/asm/bsaes-x86_64.pl
+++ b/crypto/aes/asm/bsaes-x86_64.pl
@ -38,8 +38,9 @@
 #		Emilia's	this(*)		difference
 #
 # Core 2    	9.30		8.69		+7%
-# Nehalem(**) 	7.63		6.98		+9%
+# Nehalem(**) 	7.63		6.88		+11%
-# Atom	    	17.1		17.4		-2%(***)
+# Atom	    	17.1		16.4		+4%
 # Silvermont	-		12.9
 #
 # (*)	Comparison is not completely fair, because "this" is ECB,
 #	i.e. no extra processing such as counter values calculation
@ -50,14 +51,6 @@
 # (**)	Results were collected on Westmere, which is considered to
 #	be equivalent to Nehalem for this code.
 #
 # (***)	Slowdown on Atom is rather strange per se, because original
 #	implementation has a number of 9+-bytes instructions, which
 #	are bad for Atom front-end, and which I eliminated completely.
 #	In attempt to address deterioration sbox() was tested in FP
 #	SIMD "domain" (movaps instead of movdqa, xorps instead of
 #	pxor, etc.). While it resulted in nominal 4% improvement on
 #	Atom, it hurted Westmere by more than 2x factor.
 #
 # As for key schedule conversion subroutine. Interface to OpenSSL
 # relies on per-invocation on-the-fly conversion. This naturally
 # has impact on performance, especially for short inputs. Conversion
@ -67,7 +60,7 @@
 # 		conversion	conversion/8x block
 # Core 2	240		0.22
 # Nehalem	180		0.20
-# Atom		430		0.19
+# Atom		430		0.20
 #
 # The ratio values mean that 128-byte blocks will be processed
 # 16-18% slower, 256-byte blocks - 9-10%, 384-byte blocks - 6-7%,
@ -83,9 +76,10 @@
 # Add decryption procedure. Performance in CPU cycles spent to decrypt
 # one byte out of 4096-byte buffer with 128-bit key is:
 #
-# Core 2	11.0
+# Core 2	9.98
-# Nehalem	9.16
+# Nehalem	7.80
-# Atom		20.9
+# Atom		17.9
 # Silvermont	14.0
 #
 # November 2011.
 #
@ -105,7 +99,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
 die "can't locate x86_64-xlate.pl";
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
 *STDOUT=*OUT;
 my ($inp,$out,$len,$key,$ivp)=("%rdi","%rsi","%rdx","%rcx");
 my @XMM=map("%xmm$_",(15,0..14));	# best on Atom, +10% over (0..15)
@ -433,21 +428,21 @@ my $mask=pop;
 $code.=<<___;
 	pxor	0x00($key),@x[0]
 	pxor	0x10($key),@x[1]
 	pshufb	$mask,@x[0]
 	pxor	0x20($key),@x[2]
 	pshufb	$mask,@x[1]
 	pxor	0x30($key),@x[3]
-	pshufb	$mask,@x[2]
+	pshufb	$mask,@x[0]
 	pshufb	$mask,@x[1]
 	pxor	0x40($key),@x[4]
 	pshufb	$mask,@x[3]
 	pxor	0x50($key),@x[5]
-	pshufb	$mask,@x[4]
+	pshufb	$mask,@x[2]
 	pshufb	$mask,@x[3]
 	pxor	0x60($key),@x[6]
 	pshufb	$mask,@x[5]
 	pxor	0x70($key),@x[7]
 	pshufb	$mask,@x[4]
 	pshufb	$mask,@x[5]
 	pshufb	$mask,@x[6]
 	lea	0x80($key),$key
 	pshufb	$mask,@x[7]
 	lea	0x80($key),$key
 ___
 }
@ -455,6 +450,7 @@ sub MixColumns {
 # modified to emit output in order suitable for feeding back to aesenc[last]
 my @x=@_[0..7];
 my @t=@_[8..15];
 my $inv=@_[16];	# optional
 $code.=<<___;
 	pshufd	\$0x93, @x[0], @t[0]	# x0 <<< 32
 	pshufd	\$0x93, @x[1], @t[1]
@ -496,7 +492,8 @@ $code.=<<___;
 	pxor	@t[4], @t[0]
 	 pshufd	\$0x4E, @x[2], @x[6]
 	pxor	@t[5], @t[1]
-
+___
 $code.=<<___ if (!$inv);
 	pxor	@t[3], @x[4]
 	pxor	@t[7], @x[5]
 	pxor	@t[6], @x[3]
@ -504,9 +501,20 @@ $code.=<<___;
 	pxor	@t[2], @x[6]
 	 movdqa	@t[1], @x[7]
 ___
 $code.=<<___ if ($inv);
 	pxor	@x[4], @t[3]
 	pxor	@t[7], @x[5]
 	pxor	@x[3], @t[6]
 	 movdqa	@t[0], @x[3]
 	pxor	@t[2], @x[6]
 	 movdqa	@t[6], @x[2]
 	 movdqa	@t[1], @x[7]
 	 movdqa	@x[6], @x[4]
 	 movdqa	@t[3], @x[6]
 ___
 }
-sub InvMixColumns {
+sub InvMixColumns_orig {
 my @x=@_[0..7];
 my @t=@_[8..15];
@ -660,6 +668,54 @@ $code.=<<___;
 ___
 }
 sub InvMixColumns {
 my @x=@_[0..7];
 my @t=@_[8..15];
 # Thanks to Jussi Kivilinna for providing pointer to
 #
 # | 0e 0b 0d 09 |   | 02 03 01 01 |   | 05 00 04 00 |
 # | 09 0e 0b 0d | = | 01 02 03 01 | x | 00 05 00 04 |
 # | 0d 09 0e 0b |   | 01 01 02 03 |   | 04 00 05 00 |
 # | 0b 0d 09 0e |   | 03 01 01 02 |   | 00 04 00 05 |
 $code.=<<___;
 	# multiplication by 0x05-0x00-0x04-0x00
 	pshufd	\$0x4E, @x[0], @t[0]
 	pshufd	\$0x4E, @x[6], @t[6]
 	pxor	@x[0], @t[0]
 	pshufd	\$0x4E, @x[7], @t[7]
 	pxor	@x[6], @t[6]
 	pshufd	\$0x4E, @x[1], @t[1]
 	pxor	@x[7], @t[7]
 	pshufd	\$0x4E, @x[2], @t[2]
 	pxor	@x[1], @t[1]
 	pshufd	\$0x4E, @x[3], @t[3]
 	pxor	@x[2], @t[2]
 	 pxor	@t[6], @x[0]
 	 pxor	@t[6], @x[1]
 	pshufd	\$0x4E, @x[4], @t[4]
 	pxor	@x[3], @t[3]
 	 pxor	@t[0], @x[2]
 	 pxor	@t[1], @x[3]
 	pshufd	\$0x4E, @x[5], @t[5]
 	pxor	@x[4], @t[4]
 	 pxor	@t[7], @x[1]
 	 pxor	@t[2], @x[4]
 	pxor	@x[5], @t[5]
 	 pxor	@t[7], @x[2]
 	 pxor	@t[6], @x[3]
 	 pxor	@t[6], @x[4]
 	 pxor	@t[3], @x[5]
 	 pxor	@t[4], @x[6]
 	 pxor	@t[7], @x[4]
 	 pxor	@t[7], @x[5]
 	 pxor	@t[5], @x[7]
 ___
 	&MixColumns	(@x,@t,1);	# flipped 2<->3 and 4<->6
 }
 sub aesenc {				# not used
 my @b=@_[0..7];
 my @t=@_[8..15];
@ -758,18 +814,18 @@ _bsaes_encrypt8:
 	movdqa	0x50($const), @XMM[8]	# .LM0SR
 	pxor	@XMM[9], @XMM[0]	# xor with round0 key
 	pxor	@XMM[9], @XMM[1]
 	 pshufb	@XMM[8], @XMM[0]
 	pxor	@XMM[9], @XMM[2]
 	 pshufb	@XMM[8], @XMM[1]
 	pxor	@XMM[9], @XMM[3]
-	 pshufb	@XMM[8], @XMM[2]
+	 pshufb	@XMM[8], @XMM[0]
 	 pshufb	@XMM[8], @XMM[1]
 	pxor	@XMM[9], @XMM[4]
 	 pshufb	@XMM[8], @XMM[3]
 	pxor	@XMM[9], @XMM[5]
-	 pshufb	@XMM[8], @XMM[4]
+	 pshufb	@XMM[8], @XMM[2]
 	 pshufb	@XMM[8], @XMM[3]
 	pxor	@XMM[9], @XMM[6]
 	 pshufb	@XMM[8], @XMM[5]
 	pxor	@XMM[9], @XMM[7]
 	 pshufb	@XMM[8], @XMM[4]
 	 pshufb	@XMM[8], @XMM[5]
 	 pshufb	@XMM[8], @XMM[6]
 	 pshufb	@XMM[8], @XMM[7]
 _bsaes_encrypt8_bitslice:
@ -822,18 +878,18 @@ _bsaes_decrypt8:
 	movdqa	-0x30($const), @XMM[8]	# .LM0ISR
 	pxor	@XMM[9], @XMM[0]	# xor with round0 key
 	pxor	@XMM[9], @XMM[1]
 	 pshufb	@XMM[8], @XMM[0]
 	pxor	@XMM[9], @XMM[2]
 	 pshufb	@XMM[8], @XMM[1]
 	pxor	@XMM[9], @XMM[3]
-	 pshufb	@XMM[8], @XMM[2]
+	 pshufb	@XMM[8], @XMM[0]
 	 pshufb	@XMM[8], @XMM[1]
 	pxor	@XMM[9], @XMM[4]
 	 pshufb	@XMM[8], @XMM[3]
 	pxor	@XMM[9], @XMM[5]
-	 pshufb	@XMM[8], @XMM[4]
+	 pshufb	@XMM[8], @XMM[2]
 	 pshufb	@XMM[8], @XMM[3]
 	pxor	@XMM[9], @XMM[6]
 	 pshufb	@XMM[8], @XMM[5]
 	pxor	@XMM[9], @XMM[7]
 	 pshufb	@XMM[8], @XMM[4]
 	 pshufb	@XMM[8], @XMM[5]
 	 pshufb	@XMM[8], @XMM[6]
 	 pshufb	@XMM[8], @XMM[7]
 ___
@ -1875,21 +1931,21 @@ $code.=<<___;
 	movdqa	-0x10(%r11), @XMM[8]	# .LSWPUPM0SR
 	pxor	@XMM[9], @XMM[0]	# xor with round0 key
 	pxor	@XMM[9], @XMM[1]
 	 pshufb	@XMM[8], @XMM[0]
 	pxor	@XMM[9], @XMM[2]
 	 pshufb	@XMM[8], @XMM[1]
 	pxor	@XMM[9], @XMM[3]
-	 pshufb	@XMM[8], @XMM[2]
+	 pshufb	@XMM[8], @XMM[0]
 	 pshufb	@XMM[8], @XMM[1]
 	pxor	@XMM[9], @XMM[4]
 	 pshufb	@XMM[8], @XMM[3]
 	pxor	@XMM[9], @XMM[5]
-	 pshufb	@XMM[8], @XMM[4]
+	 pshufb	@XMM[8], @XMM[2]
 	 pshufb	@XMM[8], @XMM[3]
 	pxor	@XMM[9], @XMM[6]
 	 pshufb	@XMM[8], @XMM[5]
 	pxor	@XMM[9], @XMM[7]
 	 pshufb	@XMM[8], @XMM[4]
 	 pshufb	@XMM[8], @XMM[5]
 	 pshufb	@XMM[8], @XMM[6]
 	lea	.LBS0(%rip), %r11	# constants table
 	 pshufb	@XMM[8], @XMM[7]
 	lea	.LBS0(%rip), %r11	# constants table
 	mov	%ebx,%r10d		# pass rounds
 	call	_bsaes_encrypt8_bitslice
@ -2027,6 +2083,8 @@ ___
 #	const unsigned char iv[16]);
 #
 my ($twmask,$twres,$twtmp)=@XMM[13..15];
 $arg6=~s/d$//;
 $code.=<<___;
 .globl	bsaes_xts_encrypt
 .type	bsaes_xts_encrypt,\@abi-omnipotent
--- a/crypto/aes/asm/vpaes-ppc.pl
+++ b/crypto/aes/asm/vpaes-ppc.pl
--- a/crypto/aes/asm/vpaes-x86.pl
+++ b/crypto/aes/asm/vpaes-x86.pl
@ -27,9 +27,10 @@
 #
 #		aes-586.pl		vpaes-x86.pl
 #
-# Core 2(**)	29.1/42.3/18.3		22.0/25.6(***)
+# Core 2(**)	28.1/41.4/18.3		21.9/25.2(***)
-# Nehalem	27.9/40.4/18.1		10.3/12.0
+# Nehalem	27.9/40.4/18.1		10.2/11.9
-# Atom		102./119./60.1		64.5/85.3(***)
+# Atom		70.7/92.1/60.1		61.1/75.4(***)
 # Silvermont	45.4/62.9/24.1		49.2/61.1(***)
 #
 # (*)	"Hyper-threading" in the context refers rather to cache shared
 #	among multiple cores, than to specifically Intel HTT. As vast
@ -40,8 +41,8 @@
 # (**)	"Core 2" refers to initial 65nm design, a.k.a. Conroe.
 #
 # (***)	Less impressive improvement on Core 2 and Atom is due to slow
-#	pshufb,	yet it's respectable +32%/65%  improvement on Core 2
+#	pshufb,	yet it's respectable +28%/64%  improvement on Core 2
-#	and +58%/40% on Atom (as implied, over "hyper-threading-safe"
+#	and +15% on Atom (as implied, over "hyper-threading-safe"
 #	code path).
 #
 #						<appro@openssl.org>
@ -183,35 +184,35 @@ $k_dsbo=0x2c0;		# decryption sbox final output
 	&movdqa	("xmm1","xmm6")
 	&movdqa	("xmm2",&QWP($k_ipt,$const));
 	&pandn	("xmm1","xmm0");
 	&movdqu	("xmm5",&QWP(0,$key));
 	&psrld	("xmm1",4);
 	&pand	("xmm0","xmm6");
 	&movdqu	("xmm5",&QWP(0,$key));
 	&pshufb	("xmm2","xmm0");
 	&movdqa	("xmm0",&QWP($k_ipt+16,$const));
 	&pshufb	("xmm0","xmm1");
 	&pxor	("xmm2","xmm5");
-	&pxor	("xmm0","xmm2");
+	&psrld	("xmm1",4);
 	&add	($key,16);
 	&pshufb	("xmm0","xmm1");
 	&lea	($base,&DWP($k_mc_backward,$const));
 	&pxor	("xmm0","xmm2");
 	&jmp	(&label("enc_entry"));
 &set_label("enc_loop",16);
 	# middle of middle round
 	&movdqa	("xmm4",&QWP($k_sb1,$const));	# 4 : sb1u
 	&pshufb	("xmm4","xmm2");		# 4 = sb1u
 	&pxor	("xmm4","xmm5");		# 4 = sb1u + k
 	&movdqa	("xmm0",&QWP($k_sb1+16,$const));# 0 : sb1t
 	&pshufb	("xmm4","xmm2");		# 4 = sb1u
 	&pshufb	("xmm0","xmm3");		# 0 = sb1t
-	&pxor	("xmm0","xmm4");		# 0 = A
+	&pxor	("xmm4","xmm5");		# 4 = sb1u + k
 	&movdqa	("xmm5",&QWP($k_sb2,$const));	# 4 : sb2u
-	&pshufb	("xmm5","xmm2");		# 4 = sb2u
+	&pxor	("xmm0","xmm4");		# 0 = A
 	&movdqa	("xmm1",&QWP(-0x40,$base,$magic));# .Lk_mc_forward[]
 	&pshufb	("xmm5","xmm2");		# 4 = sb2u
 	&movdqa	("xmm2",&QWP($k_sb2+16,$const));# 2 : sb2t
 	&pshufb	("xmm2","xmm3");		# 2 = sb2t
 	&pxor	("xmm2","xmm5");		# 2 = 2A
 	&movdqa	("xmm4",&QWP(0,$base,$magic));	# .Lk_mc_backward[]
 	&pshufb	("xmm2","xmm3");		# 2 = sb2t
 	&movdqa	("xmm3","xmm0");		# 3 = A
 	&pxor	("xmm2","xmm5");		# 2 = 2A
 	&pshufb	("xmm0","xmm1");		# 0 = B
 	&add	($key,16);			# next key
 	&pxor	("xmm0","xmm2");		# 0 = 2A+B
@ -220,30 +221,30 @@ $k_dsbo=0x2c0;		# decryption sbox final output
 	&pxor	("xmm3","xmm0");		# 3 = 2A+B+D
 	&pshufb	("xmm0","xmm1");		# 0 = 2B+C
 	&and	($magic,0x30);			# ... mod 4
 	&pxor	("xmm0","xmm3");		# 0 = 2A+3B+C+D
 	&sub	($round,1);			# nr--
 	&pxor	("xmm0","xmm3");		# 0 = 2A+3B+C+D
 &set_label("enc_entry");
 	# top of round
 	&movdqa	("xmm1","xmm6");		# 1 : i
 	&movdqa	("xmm5",&QWP($k_inv+16,$const));# 2 : a/k
 	&pandn	("xmm1","xmm0");		# 1 = i<<4
 	&psrld	("xmm1",4);			# 1 = i
 	&pand	("xmm0","xmm6");		# 0 = k
 	&movdqa	("xmm5",&QWP($k_inv+16,$const));# 2 : a/k
 	&pshufb	("xmm5","xmm0");		# 2 = a/k
 	&pxor	("xmm0","xmm1");		# 0 = j
 	&movdqa	("xmm3","xmm7");		# 3 : 1/i
 	&pxor	("xmm0","xmm1");		# 0 = j
 	&pshufb	("xmm3","xmm1");		# 3 = 1/i
 	&pxor	("xmm3","xmm5");		# 3 = iak = 1/i + a/k
 	&movdqa	("xmm4","xmm7");		# 4 : 1/j
 	&pxor	("xmm3","xmm5");		# 3 = iak = 1/i + a/k
 	&pshufb	("xmm4","xmm0");		# 4 = 1/j
 	&pxor	("xmm4","xmm5");		# 4 = jak = 1/j + a/k
 	&movdqa	("xmm2","xmm7");		# 2 : 1/iak
 	&pxor	("xmm4","xmm5");		# 4 = jak = 1/j + a/k
 	&pshufb	("xmm2","xmm3");		# 2 = 1/iak
 	&pxor	("xmm2","xmm0");		# 2 = io
 	&movdqa	("xmm3","xmm7");		# 3 : 1/jak
-	&movdqu	("xmm5",&QWP(0,$key));
+	&pxor	("xmm2","xmm0");		# 2 = io
 	&pshufb	("xmm3","xmm4");		# 3 = 1/jak
 	&movdqu	("xmm5",&QWP(0,$key));
 	&pxor	("xmm3","xmm1");		# 3 = jo
 	&jnz	(&label("enc_loop"));
@ -265,8 +266,8 @@ $k_dsbo=0x2c0;		# decryption sbox final output
 ##  Same API as encryption core.
 ##
 &function_begin_B("_vpaes_decrypt_core");
 	&mov	($round,&DWP(240,$key));
 	&lea	($base,&DWP($k_dsbd,$const));
 	&mov	($round,&DWP(240,$key));
 	&movdqa	("xmm1","xmm6");
 	&movdqa	("xmm2",&QWP($k_dipt-$k_dsbd,$base));
 	&pandn	("xmm1","xmm0");
@ -292,62 +293,61 @@ $k_dsbo=0x2c0;		# decryption sbox final output
 ##  Inverse mix columns
 ##
 	&movdqa	("xmm4",&QWP(-0x20,$base));	# 4 : sb9u
 	&movdqa	("xmm1",&QWP(-0x10,$base));	# 0 : sb9t
 	&pshufb	("xmm4","xmm2");		# 4 = sb9u
-	&pxor	("xmm4","xmm0");
+	&pshufb	("xmm1","xmm3");		# 0 = sb9t
-	&movdqa	("xmm0",&QWP(-0x10,$base));	# 0 : sb9t
+	&pxor	("xmm0","xmm4");
 	&pshufb	("xmm0","xmm3");		# 0 = sb9t
 	&pxor	("xmm0","xmm4");		# 0 = ch
 	&add	($key,16);			# next round key
 	&pshufb	("xmm0","xmm5");		# MC ch
 	&movdqa	("xmm4",&QWP(0,$base));		# 4 : sbdu
 	&pxor	("xmm0","xmm1");		# 0 = ch
 	&movdqa	("xmm1",&QWP(0x10,$base));	# 0 : sbdt
 	&pshufb	("xmm4","xmm2");		# 4 = sbdu
 	&pxor	("xmm4","xmm0");		# 4 = ch
 	&movdqa	("xmm0",&QWP(0x10,$base));	# 0 : sbdt
 	&pshufb	("xmm0","xmm3");		# 0 = sbdt
 	&pxor	("xmm0","xmm4");		# 0 = ch
 	&sub	($round,1);			# nr--
 	&pshufb	("xmm0","xmm5");		# MC ch
 	&pshufb	("xmm1","xmm3");		# 0 = sbdt
 	&pxor	("xmm0","xmm4");		# 4 = ch
 	&movdqa	("xmm4",&QWP(0x20,$base));	# 4 : sbbu
 	&pxor	("xmm0","xmm1");		# 0 = ch
 	&movdqa	("xmm1",&QWP(0x30,$base));	# 0 : sbbt
 	&pshufb	("xmm4","xmm2");		# 4 = sbbu
 	&pxor	("xmm4","xmm0");		# 4 = ch
 	&movdqa	("xmm0",&QWP(0x30,$base));	# 0 : sbbt
 	&pshufb	("xmm0","xmm3");		# 0 = sbbt
 	&pxor	("xmm0","xmm4");		# 0 = ch
 	&pshufb	("xmm0","xmm5");		# MC ch
 	&pshufb	("xmm1","xmm3");		# 0 = sbbt
 	&pxor	("xmm0","xmm4");		# 4 = ch
 	&movdqa	("xmm4",&QWP(0x40,$base));	# 4 : sbeu
-	&pshufb	("xmm4","xmm2");		# 4 = sbeu
+	&pxor	("xmm0","xmm1");		# 0 = ch
-	&pxor	("xmm4","xmm0");		# 4 = ch
+	&movdqa	("xmm1",&QWP(0x50,$base));	# 0 : sbet
 	&movdqa	("xmm0",&QWP(0x50,$base));	# 0 : sbet
 	&pshufb	("xmm0","xmm3");		# 0 = sbet
 	&pxor	("xmm0","xmm4");		# 0 = ch
 	&pshufb	("xmm4","xmm2");		# 4 = sbeu
 	&pshufb	("xmm0","xmm5");		# MC ch
 	&pshufb	("xmm1","xmm3");		# 0 = sbet
 	&pxor	("xmm0","xmm4");		# 4 = ch
 	&add	($key,16);			# next round key
 	&palignr("xmm5","xmm5",12);
 	&pxor	("xmm0","xmm1");		# 0 = ch
 	&sub	($round,1);			# nr--
 &set_label("dec_entry");
 	# top of round
 	&movdqa	("xmm1","xmm6");		# 1 : i
 	&pandn	("xmm1","xmm0");		# 1 = i<<4
 	&psrld	("xmm1",4);			# 1 = i
 	&pand	("xmm0","xmm6");		# 0 = k
 	&movdqa	("xmm2",&QWP($k_inv+16,$const));# 2 : a/k
 	&pandn	("xmm1","xmm0");		# 1 = i<<4
 	&pand	("xmm0","xmm6");		# 0 = k
 	&psrld	("xmm1",4);			# 1 = i
 	&pshufb	("xmm2","xmm0");		# 2 = a/k
 	&pxor	("xmm0","xmm1");		# 0 = j
 	&movdqa	("xmm3","xmm7");		# 3 : 1/i
 	&pxor	("xmm0","xmm1");		# 0 = j
 	&pshufb	("xmm3","xmm1");		# 3 = 1/i
 	&pxor	("xmm3","xmm2");		# 3 = iak = 1/i + a/k
 	&movdqa	("xmm4","xmm7");		# 4 : 1/j
 	&pxor	("xmm3","xmm2");		# 3 = iak = 1/i + a/k
 	&pshufb	("xmm4","xmm0");		# 4 = 1/j
 	&pxor	("xmm4","xmm2");		# 4 = jak = 1/j + a/k
 	&movdqa	("xmm2","xmm7");		# 2 : 1/iak
 	&pshufb	("xmm2","xmm3");		# 2 = 1/iak
 	&pxor	("xmm2","xmm0");		# 2 = io
 	&movdqa	("xmm3","xmm7");		# 3 : 1/jak
 	&pxor	("xmm2","xmm0");		# 2 = io
 	&pshufb	("xmm3","xmm4");		# 3 = 1/jak
 	&pxor	("xmm3","xmm1");		# 3 = jo
 	&movdqu	("xmm0",&QWP(0,$key));
 	&pxor	("xmm3","xmm1");		# 3 = jo
 	&jnz	(&label("dec_loop"));
 	# middle of last round
@ -542,12 +542,12 @@ $k_dsbo=0x2c0;		# decryption sbox final output
 ##    %xmm0: b+c+d  b+c  b  a
 ##
 &function_begin_B("_vpaes_schedule_192_smear");
-	&pshufd	("xmm0","xmm6",0x80);		# d c 0 0 -> c 0 0 0
+	&pshufd	("xmm1","xmm6",0x80);		# d c 0 0 -> c 0 0 0
 	&pxor	("xmm6","xmm0");		# -> c+d c 0 0
 	&pshufd	("xmm0","xmm7",0xFE);		# b a _ _ -> b b b a
 	&pxor	("xmm6","xmm1");		# -> c+d c 0 0
 	&pxor	("xmm1","xmm1");
 	&pxor	("xmm6","xmm0");		# -> b+c+d b+c b a
 	&movdqa	("xmm0","xmm6");
 	&pxor	("xmm1","xmm1");
 	&movhlps("xmm6","xmm1");		# clobber low side with zeros
 	&ret	();
 &function_end_B("_vpaes_schedule_192_smear");
@ -843,6 +843,8 @@ $k_dsbo=0x2c0;		# decryption sbox final output
 	&mov	($out,&wparam(1));		# out
 	&mov	($round,&wparam(2));		# len
 	&mov	($key,&wparam(3));		# key
 	&sub	($round,16);
 	&jc	(&label("cbc_abort"));
 	&lea	($base,&DWP(-56,"esp"));
 	&mov	($const,&wparam(4));		# ivp
 	&and	($base,-16);
@ -853,7 +855,6 @@ $k_dsbo=0x2c0;		# decryption sbox final output
 	&mov	(&DWP(48,"esp"),$base);
 	&mov	(&DWP(0,"esp"),$out);		# save out
 	&sub	($round,16);
 	&mov	(&DWP(4,"esp"),$key)		# save key
 	&mov	(&DWP(8,"esp"),$const);		# save ivp
 	&mov	($out,$round);			# $out works as $len
@ -896,6 +897,7 @@ $k_dsbo=0x2c0;		# decryption sbox final output
 	&mov	($base,&DWP(8,"esp"));		# restore ivp
 	&mov	("esp",&DWP(48,"esp"));
 	&movdqu	(&QWP(0,$base),"xmm1");		# write IV
 &set_label("cbc_abort");
 &function_end("${PREFIX}_cbc_encrypt");
 &asm_finish();
--- a/crypto/aes/asm/vpaes-x86_64.pl
+++ b/crypto/aes/asm/vpaes-x86_64.pl
@ -27,9 +27,10 @@
 #
 #		aes-x86_64.pl		vpaes-x86_64.pl
 #
-# Core 2(**)	30.5/43.7/14.3		21.8/25.7(***)
+# Core 2(**)	29.6/41.1/14.3		21.9/25.2(***)
-# Nehalem	30.5/42.2/14.6		 9.8/11.8
+# Nehalem	29.6/40.3/14.6		10.0/11.8
-# Atom		63.9/79.0/32.1		64.0/84.8(***)
+# Atom		57.3/74.2/32.1		60.9/77.2(***)
 # Silvermont	52.7/64.0/19.5		48.8/60.8(***)
 #
 # (*)	"Hyper-threading" in the context refers rather to cache shared
 #	among multiple cores, than to specifically Intel HTT. As vast
@ -40,7 +41,7 @@
 # (**)	"Core 2" refers to initial 65nm design, a.k.a. Conroe.
 #
 # (***)	Less impressive improvement on Core 2 and Atom is due to slow
-#	pshufb,	yet it's respectable +40%/78% improvement on Core 2
+#	pshufb,	yet it's respectable +36%/62% improvement on Core 2
 #	(as implied, over "hyper-threading-safe" code path).
 #
 #						<appro@openssl.org>
@ -56,7 +57,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
 die "can't locate x86_64-xlate.pl";
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
 *STDOUT=*OUT;
 $PREFIX="vpaes";
@ -94,8 +96,8 @@ _vpaes_encrypt_core:
 	movdqa	.Lk_ipt+16(%rip), %xmm0	# ipthi
 	pshufb	%xmm1,	%xmm0
 	pxor	%xmm5,	%xmm2
 	pxor	%xmm2,	%xmm0
 	add	\$16,	%r9
 	pxor	%xmm2,	%xmm0
 	lea	.Lk_mc_backward(%rip),%r10
 	jmp	.Lenc_entry
@ -103,19 +105,19 @@ _vpaes_encrypt_core:
 .Lenc_loop:
 	# middle of middle round
 	movdqa  %xmm13,	%xmm4	# 4 : sb1u
 	pshufb  %xmm2,	%xmm4	# 4 = sb1u
 	pxor	%xmm5,	%xmm4	# 4 = sb1u + k
 	movdqa  %xmm12,	%xmm0	# 0 : sb1t
 	pshufb  %xmm2,	%xmm4	# 4 = sb1u
 	pshufb  %xmm3,	%xmm0	# 0 = sb1t
-	pxor	%xmm4,	%xmm0	# 0 = A
+	pxor	%xmm5,	%xmm4	# 4 = sb1u + k
 	movdqa  %xmm15,	%xmm5	# 4 : sb2u
-	pshufb	%xmm2,	%xmm5	# 4 = sb2u
+	pxor	%xmm4,	%xmm0	# 0 = A
 	movdqa	-0x40(%r11,%r10), %xmm1		# .Lk_mc_forward[]
 	pshufb	%xmm2,	%xmm5	# 4 = sb2u
 	movdqa	(%r11,%r10), %xmm4		# .Lk_mc_backward[]
 	movdqa	%xmm14, %xmm2	# 2 : sb2t
 	pshufb	%xmm3,  %xmm2	# 2 = sb2t
 	pxor	%xmm5,	%xmm2	# 2 = 2A
 	movdqa	(%r11,%r10), %xmm4		# .Lk_mc_backward[]
 	movdqa	%xmm0,  %xmm3	# 3 = A
 	pxor	%xmm5,	%xmm2	# 2 = 2A
 	pshufb  %xmm1,  %xmm0	# 0 = B
 	add	\$16,	%r9	# next key
 	pxor	%xmm2,  %xmm0	# 0 = 2A+B
@ -124,30 +126,30 @@ _vpaes_encrypt_core:
 	pxor	%xmm0,	%xmm3	# 3 = 2A+B+D
 	pshufb  %xmm1,	%xmm0	# 0 = 2B+C
 	and	\$0x30,	%r11	# ... mod 4
 	pxor	%xmm3,	%xmm0	# 0 = 2A+3B+C+D
 	sub	\$1,%rax	# nr--
 	pxor	%xmm3,	%xmm0	# 0 = 2A+3B+C+D
 .Lenc_entry:
 	# top of round
 	movdqa  %xmm9, 	%xmm1	# 1 : i
 	movdqa	%xmm11, %xmm5	# 2 : a/k
 	pandn	%xmm0, 	%xmm1	# 1 = i<<4
 	psrld	\$4,   	%xmm1   # 1 = i
 	pand	%xmm9, 	%xmm0   # 0 = k
 	movdqa	%xmm11, %xmm5	# 2 : a/k
 	pshufb  %xmm0,  %xmm5	# 2 = a/k
 	pxor	%xmm1,	%xmm0	# 0 = j
 	movdqa	%xmm10,	%xmm3  	# 3 : 1/i
 	pxor	%xmm1,	%xmm0	# 0 = j
 	pshufb  %xmm1, 	%xmm3  	# 3 = 1/i
 	pxor	%xmm5, 	%xmm3  	# 3 = iak = 1/i + a/k
 	movdqa	%xmm10,	%xmm4  	# 4 : 1/j
 	pxor	%xmm5, 	%xmm3  	# 3 = iak = 1/i + a/k
 	pshufb	%xmm0, 	%xmm4  	# 4 = 1/j
 	pxor	%xmm5, 	%xmm4  	# 4 = jak = 1/j + a/k
 	movdqa	%xmm10,	%xmm2  	# 2 : 1/iak
 	pxor	%xmm5, 	%xmm4  	# 4 = jak = 1/j + a/k
 	pshufb  %xmm3,	%xmm2  	# 2 = 1/iak
 	pxor	%xmm0, 	%xmm2  	# 2 = io
 	movdqa	%xmm10, %xmm3   # 3 : 1/jak
-	movdqu	(%r9),	%xmm5
+	pxor	%xmm0, 	%xmm2  	# 2 = io
 	pshufb  %xmm4,  %xmm3   # 3 = 1/jak
 	movdqu	(%r9),	%xmm5
 	pxor	%xmm1,  %xmm3   # 3 = jo
 	jnz	.Lenc_loop
@ -200,62 +202,61 @@ _vpaes_decrypt_core:
 ##  Inverse mix columns
 ##
 	movdqa  -0x20(%r10),%xmm4	# 4 : sb9u
 	movdqa  -0x10(%r10),%xmm1	# 0 : sb9t
 	pshufb	%xmm2,	%xmm4		# 4 = sb9u
-	pxor	%xmm0,	%xmm4
+	pshufb	%xmm3,	%xmm1		# 0 = sb9t
-	movdqa  -0x10(%r10),%xmm0	# 0 : sb9t
+	pxor	%xmm4,	%xmm0
 	pshufb	%xmm3,	%xmm0		# 0 = sb9t
 	pxor	%xmm4,	%xmm0		# 0 = ch
 	add	\$16, %r9		# next round key
 	pshufb	%xmm5,	%xmm0		# MC ch
 	movdqa  0x00(%r10),%xmm4	# 4 : sbdu
 	pxor	%xmm1,	%xmm0		# 0 = ch
 	movdqa  0x10(%r10),%xmm1	# 0 : sbdt
 	pshufb	%xmm2,	%xmm4		# 4 = sbdu
 	pxor	%xmm0,	%xmm4		# 4 = ch
 	movdqa  0x10(%r10),%xmm0	# 0 : sbdt
 	pshufb	%xmm3,	%xmm0		# 0 = sbdt
 	pxor	%xmm4,	%xmm0		# 0 = ch
 	sub	\$1,%rax		# nr--
 	pshufb	%xmm5,	%xmm0		# MC ch
 	pshufb	%xmm3,	%xmm1		# 0 = sbdt
 	pxor	%xmm4,	%xmm0		# 4 = ch
 	movdqa  0x20(%r10),%xmm4	# 4 : sbbu
 	pxor	%xmm1,	%xmm0		# 0 = ch
 	movdqa  0x30(%r10),%xmm1	# 0 : sbbt
 	pshufb	%xmm2,	%xmm4		# 4 = sbbu
 	pxor	%xmm0,	%xmm4		# 4 = ch
 	movdqa  0x30(%r10),%xmm0	# 0 : sbbt
 	pshufb	%xmm3,	%xmm0		# 0 = sbbt
 	pxor	%xmm4,	%xmm0		# 0 = ch
 	pshufb	%xmm5,	%xmm0		# MC ch
 	pshufb	%xmm3,	%xmm1		# 0 = sbbt
 	pxor	%xmm4,	%xmm0		# 4 = ch
 	movdqa  0x40(%r10),%xmm4	# 4 : sbeu
-	pshufb	%xmm2,	%xmm4		# 4 = sbeu
+	pxor	%xmm1,	%xmm0		# 0 = ch
-	pxor	%xmm0,	%xmm4		# 4 = ch
+	movdqa  0x50(%r10),%xmm1	# 0 : sbet
 	movdqa  0x50(%r10),%xmm0	# 0 : sbet
 	pshufb	%xmm3,	%xmm0		# 0 = sbet
 	pxor	%xmm4,	%xmm0		# 0 = ch
 	pshufb	%xmm2,	%xmm4		# 4 = sbeu
 	pshufb	%xmm5,	%xmm0		# MC ch
 	pshufb	%xmm3,	%xmm1		# 0 = sbet
 	pxor	%xmm4,	%xmm0		# 4 = ch
 	add	\$16, %r9		# next round key
 	palignr	\$12,	%xmm5,	%xmm5
 	pxor	%xmm1,	%xmm0		# 0 = ch
 	sub	\$1,%rax		# nr--
 .Ldec_entry:
 	# top of round
 	movdqa  %xmm9, 	%xmm1	# 1 : i
 	pandn	%xmm0, 	%xmm1	# 1 = i<<4
 	movdqa	%xmm11, %xmm2	# 2 : a/k
 	psrld	\$4,    %xmm1	# 1 = i
 	pand	%xmm9, 	%xmm0	# 0 = k
 	movdqa	%xmm11, %xmm2	# 2 : a/k
 	pshufb  %xmm0,  %xmm2	# 2 = a/k
 	pxor	%xmm1,	%xmm0	# 0 = j
 	movdqa	%xmm10,	%xmm3	# 3 : 1/i
 	pxor	%xmm1,	%xmm0	# 0 = j
 	pshufb  %xmm1, 	%xmm3	# 3 = 1/i
 	pxor	%xmm2, 	%xmm3	# 3 = iak = 1/i + a/k
 	movdqa	%xmm10,	%xmm4	# 4 : 1/j
 	pxor	%xmm2, 	%xmm3	# 3 = iak = 1/i + a/k
 	pshufb	%xmm0, 	%xmm4	# 4 = 1/j
 	pxor	%xmm2, 	%xmm4	# 4 = jak = 1/j + a/k
 	movdqa	%xmm10,	%xmm2	# 2 : 1/iak
 	pshufb  %xmm3,	%xmm2	# 2 = 1/iak
 	pxor	%xmm0, 	%xmm2	# 2 = io
 	movdqa	%xmm10, %xmm3	# 3 : 1/jak
 	pxor	%xmm0, 	%xmm2	# 2 = io
 	pshufb  %xmm4,  %xmm3	# 3 = 1/jak
 	pxor	%xmm1,  %xmm3	# 3 = jo
 	movdqu	(%r9),	%xmm0
 	pxor	%xmm1,  %xmm3	# 3 = jo
 	jnz	.Ldec_loop
 	# middle of last round
@ -263,7 +264,7 @@ _vpaes_decrypt_core:
 	pshufb  %xmm2,  %xmm4	# 4 = sbou
 	pxor	%xmm0,  %xmm4	# 4 = sb1u + k
 	movdqa	0x70(%r10), %xmm0	# 0 : sbot
-	movdqa	.Lk_sr-.Lk_dsbd(%r11), %xmm2
+	movdqa	-0x160(%r11), %xmm2	# .Lk_sr-.Lk_dsbd=-0x160
 	pshufb  %xmm3,	%xmm0	# 0 = sb1t
 	pxor	%xmm4,	%xmm0	# 0 = A
 	pshufb	%xmm2,	%xmm0
@ -463,12 +464,12 @@ _vpaes_schedule_core:
 .type	_vpaes_schedule_192_smear,\@abi-omnipotent
 .align	16
 _vpaes_schedule_192_smear:
-	pshufd	\$0x80,	%xmm6,	%xmm0	# d c 0 0 -> c 0 0 0
+	pshufd	\$0x80,	%xmm6,	%xmm1	# d c 0 0 -> c 0 0 0
 	pxor	%xmm0,	%xmm6		# -> c+d c 0 0
 	pshufd	\$0xFE,	%xmm7,	%xmm0	# b a _ _ -> b b b a
 	pxor	%xmm1,	%xmm6		# -> c+d c 0 0
 	pxor	%xmm1,	%xmm1
 	pxor	%xmm0,	%xmm6		# -> b+c+d b+c b a
 	movdqa	%xmm6,	%xmm0
 	pxor	%xmm1,	%xmm1
 	movhlps	%xmm1,	%xmm6		# clobber low side with zeros
 	ret
 .size	_vpaes_schedule_192_smear,.-_vpaes_schedule_192_smear
@ -869,6 +870,8 @@ ${PREFIX}_cbc_encrypt:
 ___
 ($len,$key)=($key,$len);
 $code.=<<___;
 	sub	\$16,$len
 	jc	.Lcbc_abort
 ___
 $code.=<<___ if ($win64);
 	lea	-0xb8(%rsp),%rsp
@ -887,7 +890,6 @@ ___
 $code.=<<___;
 	movdqu	($ivp),%xmm6		# load IV
 	sub	$inp,$out
 	sub	\$16,$len
 	call	_vpaes_preheat
 	cmp	\$0,${enc}d
 	je	.Lcbc_dec_loop
@ -932,6 +934,7 @@ $code.=<<___ if ($win64);
 .Lcbc_epilogue:
 ___
 $code.=<<___;
 .Lcbc_abort:
 	ret
 .size	${PREFIX}_cbc_encrypt,.-${PREFIX}_cbc_encrypt
 ___
@ -1057,7 +1060,7 @@ _vpaes_consts:
 .Lk_dsbo:	# decryption sbox final output
 	.quad	0x1387EA537EF94000, 0xC7AA6DB9D4943E2D
 	.quad	0x12D7560F93441D00, 0xCA4B8159D8C58E9C
-.asciz	"Vector Permutaion AES for x86_64/SSSE3, Mike Hamburg (Stanford University)"
+.asciz	"Vector Permutation AES for x86_64/SSSE3, Mike Hamburg (Stanford University)"
 .align	64
 .size	_vpaes_consts,.-_vpaes_consts
 ___
--- a/crypto/arm64cpuid.S
+++ b/crypto/arm64cpuid.S
@ -0,0 +1,46 @@
 #include "arm_arch.h"
 .text
 .arch	armv8-a+crypto
 .align	5
 .global	_armv7_neon_probe
 .type	_armv7_neon_probe,%function
 _armv7_neon_probe:
 	orr	v15.16b, v15.16b, v15.16b
 	ret
 .size	_armv7_neon_probe,.-_armv7_neon_probe
 .global	_armv7_tick
 .type	_armv7_tick,%function
 _armv7_tick:
 	mrs	x0, CNTVCT_EL0
 	ret
 .size	_armv7_tick,.-_armv7_tick
 .global	_armv8_aes_probe
 .type	_armv8_aes_probe,%function
 _armv8_aes_probe:
 	aese	v0.16b, v0.16b
 	ret
 .size	_armv8_aes_probe,.-_armv8_aes_probe
 .global	_armv8_sha1_probe
 .type	_armv8_sha1_probe,%function
 _armv8_sha1_probe:
 	sha1h	s0, s0
 	ret
 .size	_armv8_sha1_probe,.-_armv8_sha1_probe
 .global	_armv8_sha256_probe
 .type	_armv8_sha256_probe,%function
 _armv8_sha256_probe:
 	sha256su0	v0.4s, v0.4s
 	ret
 .size	_armv8_sha256_probe,.-_armv8_sha256_probe
 .global	_armv8_pmull_probe
 .type	_armv8_pmull_probe,%function
 _armv8_pmull_probe:
 	pmull	v0.1q, v0.1d, v0.1d
 	ret
 .size	_armv8_pmull_probe,.-_armv8_pmull_probe
--- a/crypto/arm_arch.h
+++ b/crypto/arm_arch.h
@ -10,13 +10,24 @@
 #   define __ARMEL__
 #  endif
 # elif defined(__GNUC__)
 #  if	defined(__aarch64__)
 #   define __ARM_ARCH__ 8
 #   if __BYTE_ORDER__==__ORDER_BIG_ENDIAN__
 #    define __ARMEB__
 #   else
 #    define __ARMEL__
 #   endif
  /*
   * Why doesn't gcc define __ARM_ARCH__? Instead it defines
   * bunch of below macros. See all_architectires[] table in
   * gcc/config/arm/arm.c. On a side note it defines
   * __ARMEL__/__ARMEB__ for little-/big-endian.
   */
-#  if	defined(__ARM_ARCH_7__)	|| defined(__ARM_ARCH_7A__)	|| \
+#  elif defined(__ARM_ARCH)
 #   define __ARM_ARCH__ __ARM_ARCH
 #  elif	defined(__ARM_ARCH_8A__)
 #   define __ARM_ARCH__ 8
 #  elif	defined(__ARM_ARCH_7__)	|| defined(__ARM_ARCH_7A__)	|| \
 	defined(__ARM_ARCH_7R__)|| defined(__ARM_ARCH_7M__)	|| \
 	defined(__ARM_ARCH_7EM__)
 #   define __ARM_ARCH__ 7
@ -43,9 +54,13 @@
 #if !__ASSEMBLER__
 extern unsigned int OPENSSL_armcap_P;
 #endif
 #define ARMV7_NEON      (1<<0)
 #define ARMV7_TICK      (1<<1)
-#endif
+#define ARMV8_AES       (1<<2)
 #define ARMV8_SHA1      (1<<3)
 #define ARMV8_SHA256    (1<<4)
 #define ARMV8_PMULL     (1<<5)
 #endif
--- a/crypto/armcap.c
+++ b/crypto/armcap.c
@ -19,19 +19,55 @@ static void ill_handler (int sig) { siglongjmp(ill_jmp,sig); }
 * ARM compilers support inline assembler...
 */
 void _armv7_neon_probe(void);
-unsigned int _armv7_tick(void);
+void _armv8_aes_probe(void);
 void _armv8_sha1_probe(void);
 void _armv8_sha256_probe(void);
 void _armv8_pmull_probe(void);
 unsigned long _armv7_tick(void);
-unsigned int OPENSSL_rdtsc(void)
+unsigned long OPENSSL_rdtsc(void)
 	{
-	if (OPENSSL_armcap_P|ARMV7_TICK)
+	if (OPENSSL_armcap_P & ARMV7_TICK)
 		return _armv7_tick();
 	else
 		return 0;
 	}
 /*
 * Use a weak reference to getauxval() so we can use it if it is available but
 * don't break the build if it is not.
 */
 #if defined(__GNUC__) && __GNUC__>=2
 void OPENSSL_cpuid_setup(void) __attribute__((constructor));
 extern unsigned long getauxval(unsigned long type) __attribute__((weak));
 #else
 static unsigned long (*getauxval)(unsigned long) = NULL;
 #endif
 /*
 * ARM puts the the feature bits for Crypto Extensions in AT_HWCAP2, whereas
 * AArch64 used AT_HWCAP.
 */
 #if defined(__arm__) || defined (__arm)
 # define HWCAP			16	/* AT_HWCAP */
 # define HWCAP_NEON		(1 << 12)
 # define HWCAP_CE		26	/* AT_HWCAP2 */
 # define HWCAP_CE_AES		(1 << 0)
 # define HWCAP_CE_PMULL		(1 << 1)
 # define HWCAP_CE_SHA1		(1 << 2)
 # define HWCAP_CE_SHA256	(1 << 3)
 #elif defined(__aarch64__)
 # define HWCAP			16	/* AT_HWCAP */
 # define HWCAP_NEON		(1 << 1)
 # define HWCAP_CE		HWCAP
 # define HWCAP_CE_AES		(1 << 3)
 # define HWCAP_CE_PMULL		(1 << 4)
 # define HWCAP_CE_SHA1		(1 << 5)
 # define HWCAP_CE_SHA256	(1 << 6)
 #endif
 void OPENSSL_cpuid_setup(void)
 	{
 	char *e;
@ -44,7 +80,7 @@ void OPENSSL_cpuid_setup(void)
 	if ((e=getenv("OPENSSL_armcap")))
 		{
-		OPENSSL_armcap_P=strtoul(e,NULL,0);
+		OPENSSL_armcap_P=(unsigned int)strtoul(e,NULL,0);
 		return;
 		}
@ -64,10 +100,51 @@ void OPENSSL_cpuid_setup(void)
 	sigprocmask(SIG_SETMASK,&ill_act.sa_mask,&oset);
 	sigaction(SIGILL,&ill_act,&ill_oact);
-	if (sigsetjmp(ill_jmp,1) == 0)
+	if (getauxval != NULL)
 		{
 		if (getauxval(HWCAP) & HWCAP_NEON)
 			{
 			unsigned long hwcap = getauxval(HWCAP_CE);
 			OPENSSL_armcap_P |= ARMV7_NEON;
 			if (hwcap & HWCAP_CE_AES)
 				OPENSSL_armcap_P |= ARMV8_AES;
 			if (hwcap & HWCAP_CE_PMULL)
 				OPENSSL_armcap_P |= ARMV8_PMULL;
 			if (hwcap & HWCAP_CE_SHA1)
 				OPENSSL_armcap_P |= ARMV8_SHA1;
 			if (hwcap & HWCAP_CE_SHA256)
 				OPENSSL_armcap_P |= ARMV8_SHA256;
 			}
 		}
 	else if (sigsetjmp(ill_jmp,1) == 0)
 		{
 		_armv7_neon_probe();
 		OPENSSL_armcap_P |= ARMV7_NEON;
 		if (sigsetjmp(ill_jmp,1) == 0)
 			{
 			_armv8_pmull_probe();
 			OPENSSL_armcap_P |= ARMV8_PMULL|ARMV8_AES;
 			}
 		else if (sigsetjmp(ill_jmp,1) == 0)
 			{
 			_armv8_aes_probe();
 			OPENSSL_armcap_P |= ARMV8_AES;
 			}
 		if (sigsetjmp(ill_jmp,1) == 0)
 			{
 			_armv8_sha1_probe();
 			OPENSSL_armcap_P |= ARMV8_SHA1;
 			}
 		if (sigsetjmp(ill_jmp,1) == 0)
 			{
 			_armv8_sha256_probe();
 			OPENSSL_armcap_P |= ARMV8_SHA256;
 			}
 		}
 	if (sigsetjmp(ill_jmp,1) == 0)
 		{
--- a/crypto/armv4cpuid.S
+++ b/crypto/armv4cpuid.S
@ -7,17 +7,49 @@
 .global	_armv7_neon_probe
 .type	_armv7_neon_probe,%function
 _armv7_neon_probe:
-	.word	0xf26ee1fe	@ vorr	q15,q15,q15
+	.byte	0xf0,0x01,0x60,0xf2	@ vorr	q8,q8,q8
-	.word	0xe12fff1e	@ bx	lr
+	.byte	0x1e,0xff,0x2f,0xe1	@ bx	lr
 .size	_armv7_neon_probe,.-_armv7_neon_probe
 .global	_armv7_tick
 .type	_armv7_tick,%function
 _armv7_tick:
-	mrc	p15,0,r0,c9,c13,0
+	mrrc	p15,1,r0,r1,c14		@ CNTVCT
 #if __ARM_ARCH__>=5
 	bx	lr
 #else
 	.word	0xe12fff1e		@ bx	lr
 #endif
 .size	_armv7_tick,.-_armv7_tick
 .global	_armv8_aes_probe
 .type	_armv8_aes_probe,%function
 _armv8_aes_probe:
 	.byte	0x00,0x03,0xb0,0xf3	@ aese.8	q0,q0
 	.byte	0x1e,0xff,0x2f,0xe1	@ bx	lr
 .size	_armv8_aes_probe,.-_armv8_aes_probe
 .global	_armv8_sha1_probe
 .type	_armv8_sha1_probe,%function
 _armv8_sha1_probe:
 	.byte	0x40,0x0c,0x00,0xf2	@ sha1c.32	q0,q0,q0
 	.byte	0x1e,0xff,0x2f,0xe1	@ bx	lr
 .size	_armv8_sha1_probe,.-_armv8_sha1_probe
 .global	_armv8_sha256_probe
 .type	_armv8_sha256_probe,%function
 _armv8_sha256_probe:
 	.byte	0x40,0x0c,0x00,0xf3	@ sha256h.32	q0,q0,q0
 	.byte	0x1e,0xff,0x2f,0xe1	@ bx lr
 .size	_armv8_sha256_probe,.-_armv8_sha256_probe
 .global	_armv8_pmull_probe
 .type	_armv8_pmull_probe,%function
 _armv8_pmull_probe:
 	.byte	0x00,0x0e,0xa0,0xf2	@ vmull.p64	q0,d0,d0
 	.byte	0x1e,0xff,0x2f,0xe1	@ bx	lr
 .size	_armv8_pmull_probe,.-_armv8_pmull_probe
 .align	5
 .global	OPENSSL_atomic_add
 .type	OPENSSL_atomic_add,%function
 OPENSSL_atomic_add:
@ -28,7 +60,7 @@ OPENSSL_atomic_add:
 	cmp	r2,#0
 	bne	.Ladd
 	mov	r0,r3
-	.word	0xe12fff1e	@ bx	lr
+	bx	lr
 #else
 	stmdb	sp!,{r4-r6,lr}
 	ldr	r2,.Lspinlock
@ -81,9 +113,13 @@ OPENSSL_cleanse:
 	adds	r1,r1,#4
 	bne	.Little
 .Lcleanse_done:
 #if __ARM_ARCH__>=5
 	bx	lr
 #else
 	tst	lr,#1
 	moveq	pc,lr
 	.word	0xe12fff1e	@ bx	lr
 #endif
 .size	OPENSSL_cleanse,.-OPENSSL_cleanse
 .global	OPENSSL_wipe_cpu
@ -97,41 +133,53 @@ OPENSSL_wipe_cpu:
 	eor	ip,ip,ip
 	tst	r0,#1
 	beq	.Lwipe_done
-	.word	0xf3000150	@ veor    q0, q0, q0
+	.byte	0x50,0x01,0x00,0xf3	@ veor	q0, q0, q0
-	.word	0xf3022152	@ veor    q1, q1, q1
+	.byte	0x52,0x21,0x02,0xf3	@ veor	q1, q1, q1
-	.word	0xf3044154	@ veor    q2, q2, q2
+	.byte	0x54,0x41,0x04,0xf3	@ veor	q2, q2, q2
-	.word	0xf3066156	@ veor    q3, q3, q3
+	.byte	0x56,0x61,0x06,0xf3	@ veor	q3, q3, q3
-	.word	0xf34001f0	@ veor    q8, q8, q8
+	.byte	0xf0,0x01,0x40,0xf3	@ veor	q8, q8, q8
-	.word	0xf34221f2	@ veor    q9, q9, q9
+	.byte	0xf2,0x21,0x42,0xf3	@ veor	q9, q9, q9
-	.word	0xf34441f4	@ veor    q10, q10, q10
+	.byte	0xf4,0x41,0x44,0xf3	@ veor	q10, q10, q10
-	.word	0xf34661f6	@ veor    q11, q11, q11
+	.byte	0xf6,0x61,0x46,0xf3	@ veor	q11, q11, q11
-	.word	0xf34881f8	@ veor    q12, q12, q12
+	.byte	0xf8,0x81,0x48,0xf3	@ veor	q12, q12, q12
-	.word	0xf34aa1fa	@ veor    q13, q13, q13
+	.byte	0xfa,0xa1,0x4a,0xf3	@ veor	q13, q13, q13
-	.word	0xf34cc1fc	@ veor    q14, q14, q14
+	.byte	0xfc,0xc1,0x4c,0xf3	@ veor	q14, q14, q14
-	.word	0xf34ee1fe	@ veor    q15, q15, q15
+	.byte	0xfe,0xe1,0x4e,0xf3	@ veor	q14, q14, q14
 .Lwipe_done:
 	mov	r0,sp
 #if __ARM_ARCH__>=5
 	bx	lr
 #else
 	tst	lr,#1
 	moveq	pc,lr
 	.word	0xe12fff1e	@ bx	lr
 #endif
 .size	OPENSSL_wipe_cpu,.-OPENSSL_wipe_cpu
 .global	OPENSSL_instrument_bus
 .type	OPENSSL_instrument_bus,%function
 OPENSSL_instrument_bus:
 	eor	r0,r0,r0
 #if __ARM_ARCH__>=5
 	bx	lr
 #else
 	tst	lr,#1
 	moveq	pc,lr
 	.word	0xe12fff1e	@ bx	lr
 #endif
 .size	OPENSSL_instrument_bus,.-OPENSSL_instrument_bus
 .global	OPENSSL_instrument_bus2
 .type	OPENSSL_instrument_bus2,%function
 OPENSSL_instrument_bus2:
 	eor	r0,r0,r0
 #if __ARM_ARCH__>=5
 	bx	lr
 #else
 	tst	lr,#1
 	moveq	pc,lr
 	.word	0xe12fff1e	@ bx	lr
 #endif
 .size	OPENSSL_instrument_bus2,.-OPENSSL_instrument_bus2
 .align	5
--- a/crypto/asn1/Makefile
+++ b/crypto/asn1/Makefile
@ -174,7 +174,7 @@ a_gentm.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 a_gentm.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 a_gentm.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 a_gentm.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-a_gentm.o: ../cryptlib.h ../o_time.h a_gentm.c
+a_gentm.o: ../cryptlib.h ../o_time.h a_gentm.c asn1_locl.h
 a_i2d_fp.o: ../../e_os.h ../../include/openssl/asn1.h
 a_i2d_fp.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 a_i2d_fp.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
@ -275,6 +275,7 @@ a_time.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 a_time.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 a_time.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 a_time.o: ../../include/openssl/symhacks.h ../cryptlib.h ../o_time.h a_time.c
 a_time.o: asn1_locl.h
 a_type.o: ../../e_os.h ../../include/openssl/asn1.h
 a_type.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 a_type.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
@ -291,7 +292,7 @@ a_utctm.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 a_utctm.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 a_utctm.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 a_utctm.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-a_utctm.o: ../cryptlib.h ../o_time.h a_utctm.c
+a_utctm.o: ../cryptlib.h ../o_time.h a_utctm.c asn1_locl.h
 a_utf8.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 a_utf8.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 a_utf8.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
--- a/crypto/asn1/a_d2i_fp.c
+++ b/crypto/asn1/a_d2i_fp.c
@ -57,6 +57,7 @@
 */
 #include <stdio.h>
 #include <limits.h>
 #include "cryptlib.h"
 #include <openssl/buffer.h>
 #include <openssl/asn1_mac.h>
@ -143,17 +144,11 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
 	BUF_MEM *b;
 	unsigned char *p;
 	int i;
 	int ret=-1;
 	ASN1_const_CTX c;
-	int want=HEADER_SIZE;
+	size_t want=HEADER_SIZE;
 	int eos=0;
-#if defined(__GNUC__) && defined(__ia64)
+	size_t off=0;
-	/* pathetic compiler bug in all known versions as of Nov. 2002 */
+	size_t len=0;
 	long off=0;
 #else
 	int off=0;
 #endif
 	int len=0;
 	b=BUF_MEM_new();
 	if (b == NULL)
@ -169,7 +164,7 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
 			{
 			want-=(len-off);
-			if (!BUF_MEM_grow_clean(b,len+want))
+			if (len + want < len || !BUF_MEM_grow_clean(b,len+want))
 				{
 				ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ERR_R_MALLOC_FAILURE);
 				goto err;
@ -181,8 +176,15 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
 				goto err;
 				}
 			if (i > 0)
 				{
 				if (len+i < len)
 					{
 					ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_TOO_LONG);
 					goto err;
 					}
 				len+=i;
 				}
 			}
 		/* else data already loaded */
 		p=(unsigned char *)&(b->data[off]);
@ -206,6 +208,11 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
 			{
 			/* no data body so go round again */
 			eos++;
 			if (eos < 0)
 				{
 				ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_HEADER_TOO_LONG);
 				goto err;
 				}
 			want=HEADER_SIZE;
 			}
 		else if (eos && (c.slen == 0) && (c.tag == V_ASN1_EOC))
@ -220,10 +227,16 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
 		else 
 			{
 			/* suck in c.slen bytes of data */
-			want=(int)c.slen;
+			want=c.slen;
 			if (want > (len-off))
 				{
 				want-=(len-off);
 				if (want > INT_MAX /* BIO_read takes an int length */ ||
 					len+want < len)
 						{
 						ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_TOO_LONG);
 						goto err;
 						}
 				if (!BUF_MEM_grow_clean(b,len+want))
 					{
 					ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ERR_R_MALLOC_FAILURE);
@ -238,11 +251,18 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
 						    ASN1_R_NOT_ENOUGH_DATA);
 						goto err;
 						}
 					/* This can't overflow because
 					 * |len+want| didn't overflow. */
 					len+=i;
 					want-=i;
 					}
 				}
-			off+=(int)c.slen;
+			if (off + c.slen < off)
 				{
 				ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_TOO_LONG);
 				goto err;
 				}
 			off+=c.slen;
 			if (eos <= 0)
 				{
 				break;
@ -252,9 +272,15 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
 			}
 		}
 	if (off > INT_MAX)
 		{
 		ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_TOO_LONG);
 		goto err;
 		}
 	*pb = b;
 	return off;
 err:
 	if (b != NULL) BUF_MEM_free(b);
-	return(ret);
+	return -1;
 	}
--- a/crypto/asn1/a_gentm.c
+++ b/crypto/asn1/a_gentm.c
@ -63,6 +63,7 @@
 #include "cryptlib.h"
 #include "o_time.h"
 #include <openssl/asn1.h>
 #include "asn1_locl.h"
 #if 0
@ -115,7 +116,7 @@ err:
 #endif
-int ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *d)
+int asn1_generalizedtime_to_tm(struct tm *tm, const ASN1_GENERALIZEDTIME *d)
 	{
 	static const int min[9]={ 0, 0, 1, 1, 0, 0, 0, 0, 0};
 	static const int max[9]={99, 99,12,31,23,59,59,12,59};
@ -135,7 +136,12 @@ int ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *d)
 		{
 		if ((i == 6) && ((a[o] == 'Z') ||
 			(a[o] == '+') || (a[o] == '-')))
-			{ i++; break; }
+			{
 			i++;
 			if (tm)
 				tm->tm_sec = 0;
 			break;
 			}
 		if ((a[o] < '0') || (a[o] > '9')) goto err;
 		n= a[o]-'0';
 		if (++o > l) goto err;
@ -145,6 +151,33 @@ int ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *d)
 		if (++o > l) goto err;
 		if ((n < min[i]) || (n > max[i])) goto err;
 		if (tm)
 			{
 			switch(i)
 				{
 			case 0:
 				tm->tm_year = n * 100 - 1900;
 				break;
 			case 1:
 				tm->tm_year += n;
 				break;
 			case 2:
 				tm->tm_mon = n - 1;
 				break;
 			case 3:
 				tm->tm_mday = n;
 				break;
 			case 4:
 				tm->tm_hour = n;
 				break;
 			case 5:
 				tm->tm_min = n;
 				break;
 			case 6:
 				tm->tm_sec = n;
 				break;
 				}
 			}
 		}
 	/* Optional fractional seconds: decimal point followed by one
 	 * or more digits.
@ -163,6 +196,7 @@ int ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *d)
 		o++;
 	else if ((a[o] == '+') || (a[o] == '-'))
 		{
 		int offsign = a[o] == '-' ? -1 : 1, offset = 0;
 		o++;
 		if (o+4 > l) goto err;
 		for (i=7; i<9; i++)
@ -173,10 +207,19 @@ int ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *d)
 			if ((a[o] < '0') || (a[o] > '9')) goto err;
 			n=(n*10)+ a[o]-'0';
 			if ((n < min[i]) || (n > max[i])) goto err;
 			if (tm)
 				{
 				if (i == 7)
 					offset = n * 3600;
 				else if (i == 8)
 					offset += n * 60;
 				}
 			o++;
 			}
 		if (offset && !OPENSSL_gmtime_adj(tm, 0, offset * offsign))
 			return 0;
 		}
-	else
+	else if (a[o])
 		{
 		/* Missing time zone information. */
 		goto err;
@ -186,6 +229,11 @@ err:
 	return(0);
 	}
 int ASN1_GENERALIZEDTIME_check(const ASN1_GENERALIZEDTIME *d)
 	{
 	return asn1_generalizedtime_to_tm(NULL, d);
 	}
 int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s, const char *str)
 	{
 	ASN1_GENERALIZEDTIME t;
--- a/crypto/asn1/a_int.c
+++ b/crypto/asn1/a_int.c
@ -116,7 +116,7 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
 	int pad=0,ret,i,neg;
 	unsigned char *p,*n,pb=0;
-	if ((a == NULL) || (a->data == NULL)) return(0);
+	if (a == NULL) return(0);
 	neg=a->type & V_ASN1_NEG;
 	if (a->length == 0)
 		ret=1;
--- a/crypto/asn1/a_object.c
+++ b/crypto/asn1/a_object.c
@ -283,17 +283,29 @@ err:
 	ASN1err(ASN1_F_D2I_ASN1_OBJECT,i);
 	return(NULL);
 }
 ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
 	     long len)
 	{
 	ASN1_OBJECT *ret=NULL;
 	const unsigned char *p;
 	unsigned char *data;
-	int i;
+	int i, length;
-	/* Sanity check OID encoding: can't have leading 0x80 in
+
-	 * subidentifiers, see: X.690 8.19.2
+	/* Sanity check OID encoding.
 	 * Need at least one content octet.
 	 * MSB must be clear in the last octet.
 	 * can't have leading 0x80 in subidentifiers, see: X.690 8.19.2
 	 */
-	for (i = 0, p = *pp; i < len; i++, p++)
+	if (len <= 0 || len > INT_MAX || pp == NULL || (p = *pp) == NULL ||
 	    p[len - 1] & 0x80)
 		{
 		ASN1err(ASN1_F_C2I_ASN1_OBJECT,ASN1_R_INVALID_OBJECT_ENCODING);
 		return NULL;
 		}
 	/* Now 0 < len <= INT_MAX, so the cast is safe. */
 	length = (int)len;
 	for (i = 0; i < length; i++, p++)
 		{
 		if (*p == 0x80 && (!i || !(p[-1] & 0x80)))
 			{
@ -316,23 +328,23 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
 	data = (unsigned char *)ret->data;
 	ret->data = NULL;
 	/* once detached we can change it */
-	if ((data == NULL) || (ret->length < len))
+	if ((data == NULL) || (ret->length < length))
 		{
 		ret->length=0;
 		if (data != NULL) OPENSSL_free(data);
-		data=(unsigned char *)OPENSSL_malloc(len ? (int)len : 1);
+		data=(unsigned char *)OPENSSL_malloc(length);
 		if (data == NULL)
 			{ i=ERR_R_MALLOC_FAILURE; goto err; }
 		ret->flags|=ASN1_OBJECT_FLAG_DYNAMIC_DATA;
 		}
-	memcpy(data,p,(int)len);
+	memcpy(data,p,length);
 	/* reattach data to object, after which it remains const */
 	ret->data  =data;
-	ret->length=(int)len;
+	ret->length=length;
 	ret->sn=NULL;
 	ret->ln=NULL;
 	/* ret->flags=ASN1_OBJECT_FLAG_DYNAMIC; we know it is dynamic */
-	p+=len;
+	p+=length;
 	if (a != NULL) (*a)=ret;
 	*pp=p;
--- a/crypto/asn1/a_strex.c
+++ b/crypto/asn1/a_strex.c
@ -567,6 +567,8 @@ int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in)
 	if(mbflag == -1) return -1;
 	mbflag |= MBSTRING_FLAG;
 	stmp.data = NULL;
 	stmp.length = 0;
 	stmp.flags = 0;
 	ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING);
 	if(ret < 0) return ret;
 	*out = stmp.data;
--- a/crypto/asn1/a_strnid.c
+++ b/crypto/asn1/a_strnid.c
@ -74,7 +74,7 @@ static int sk_table_cmp(const ASN1_STRING_TABLE * const *a,
 * certain software (e.g. Netscape) has problems with them.
 */
-static unsigned long global_mask = 0xFFFFFFFFL;
+static unsigned long global_mask = B_ASN1_UTF8STRING;
 void ASN1_STRING_set_default_mask(unsigned long mask)
 {
--- a/crypto/asn1/a_time.c
+++ b/crypto/asn1/a_time.c
@ -66,6 +66,7 @@
 #include "cryptlib.h"
 #include "o_time.h"
 #include <openssl/asn1t.h>
 #include "asn1_locl.h"
 IMPLEMENT_ASN1_MSTRING(ASN1_TIME, B_ASN1_TIME)
@ -196,3 +197,33 @@ int ASN1_TIME_set_string(ASN1_TIME *s, const char *str)
 	return 1;
 	}
 static int asn1_time_to_tm(struct tm *tm, const ASN1_TIME *t)
 	{
 	if (t == NULL)
 		{
 		time_t now_t;
 		time(&now_t);
 		if (OPENSSL_gmtime(&now_t, tm))
 			return 1;
 		return 0;
 		}
 	if (t->type == V_ASN1_UTCTIME)
 		return asn1_utctime_to_tm(tm, t);
 	else if (t->type == V_ASN1_GENERALIZEDTIME)
 		return asn1_generalizedtime_to_tm(tm, t);
 	return 0;
 	}
 int ASN1_TIME_diff(int *pday, int *psec,
 			const ASN1_TIME *from, const ASN1_TIME *to)
 	{
 	struct tm tm_from, tm_to;
 	if (!asn1_time_to_tm(&tm_from, from))
 		return 0;
 	if (!asn1_time_to_tm(&tm_to, to))
 		return 0;
 	return OPENSSL_gmtime_diff(pday, psec, &tm_from, &tm_to);
 	}	
--- a/crypto/asn1/a_utctm.c
+++ b/crypto/asn1/a_utctm.c
@ -61,6 +61,7 @@
 #include "cryptlib.h"
 #include "o_time.h"
 #include <openssl/asn1.h>
 #include "asn1_locl.h"
 #if 0
 int i2d_ASN1_UTCTIME(ASN1_UTCTIME *a, unsigned char **pp)
@ -112,7 +113,7 @@ err:
 #endif
-int ASN1_UTCTIME_check(ASN1_UTCTIME *d)
+int asn1_utctime_to_tm(struct tm *tm, const ASN1_UTCTIME *d)
 	{
 	static const int min[8]={ 0, 1, 1, 0, 0, 0, 0, 0};
 	static const int max[8]={99,12,31,23,59,59,12,59};
@ -129,7 +130,12 @@ int ASN1_UTCTIME_check(ASN1_UTCTIME *d)
 		{
 		if ((i == 5) && ((a[o] == 'Z') ||
 			(a[o] == '+') || (a[o] == '-')))
-			{ i++; break; }
+			{
 			i++;
 			if (tm)
 				tm->tm_sec = 0;
 			break;
 			}
 		if ((a[o] < '0') || (a[o] > '9')) goto err;
 		n= a[o]-'0';
 		if (++o > l) goto err;
@ -139,11 +145,36 @@ int ASN1_UTCTIME_check(ASN1_UTCTIME *d)
 		if (++o > l) goto err;
 		if ((n < min[i]) || (n > max[i])) goto err;
 		if (tm)
 			{
 			switch(i)
 				{
 			case 0:
 				tm->tm_year = n < 50 ? n + 100 : n;
 				break;
 			case 1:
 				tm->tm_mon = n - 1;
 				break;
 			case 2:
 				tm->tm_mday = n;
 				break;
 			case 3:
 				tm->tm_hour = n;
 				break;
 			case 4:
 				tm->tm_min = n;
 				break;
 			case 5:
 				tm->tm_sec = n;
 				break;
 				}
 			}
 		}
 	if (a[o] == 'Z')
 		o++;
 	else if ((a[o] == '+') || (a[o] == '-'))
 		{
 		int offsign = a[o] == '-' ? -1 : 1, offset = 0;
 		o++;
 		if (o+4 > l) goto err;
 		for (i=6; i<8; i++)
@ -154,12 +185,26 @@ int ASN1_UTCTIME_check(ASN1_UTCTIME *d)
 			if ((a[o] < '0') || (a[o] > '9')) goto err;
 			n=(n*10)+ a[o]-'0';
 			if ((n < min[i]) || (n > max[i])) goto err;
 			if (tm)
 				{
 				if (i == 6)
 					offset = n * 3600;
 				else if (i == 7)
 					offset += n * 60;
 				}
 			o++;
 			}
 		if (offset && !OPENSSL_gmtime_adj(tm, 0, offset * offsign))
 			return 0;
 		}
-	return(o == l);
+	return o == l;
 err:
-	return(0);
+	return 0;
 	}
 int ASN1_UTCTIME_check(const ASN1_UTCTIME *d)
 	{
 	return asn1_utctime_to_tm(NULL, d);
 	}
 int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, const char *str)
@ -196,24 +241,29 @@ ASN1_UTCTIME *ASN1_UTCTIME_adj(ASN1_UTCTIME *s, time_t t,
 	struct tm *ts;
 	struct tm data;
 	size_t len = 20;
 	int free_s = 0;
 	if (s == NULL)
 		{
 		free_s = 1;
 		s=M_ASN1_UTCTIME_new();
 		}
 	if (s == NULL)
-		return(NULL);
+		goto err;
 	ts=OPENSSL_gmtime(&t, &data);
 	if (ts == NULL)
-		return(NULL);
+		goto err;
 	if (offset_day || offset_sec)
 		{ 
 		if (!OPENSSL_gmtime_adj(ts, offset_day, offset_sec))
-			return NULL;
+			goto err;
 		}
 	if((ts->tm_year < 50) || (ts->tm_year >= 150))
-		return NULL;
+		goto err;
 	p=(char *)s->data;
 	if ((p == NULL) || ((size_t)s->length < len))
@ -222,7 +272,7 @@ ASN1_UTCTIME *ASN1_UTCTIME_adj(ASN1_UTCTIME *s, time_t t,
 		if (p == NULL)
 			{
 			ASN1err(ASN1_F_ASN1_UTCTIME_ADJ,ERR_R_MALLOC_FAILURE);
-			return(NULL);
+			goto err;
 			}
 		if (s->data != NULL)
 			OPENSSL_free(s->data);
@ -237,44 +287,35 @@ ASN1_UTCTIME *ASN1_UTCTIME_adj(ASN1_UTCTIME *s, time_t t,
 	ebcdic2ascii(s->data, s->data, s->length);
 #endif
 	return(s);
 	err:
 	if (free_s && s)
 		M_ASN1_UTCTIME_free(s);
 	return NULL;
 	}
 int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t)
 	{
-	struct tm *tm;
+	struct tm stm, ttm;
-	struct tm data;
+	int day, sec;
 	int offset;
 	int year;
-#define g2(p) (((p)[0]-'0')*10+(p)[1]-'0')
+	if (!asn1_utctime_to_tm(&stm, s))
 		return -2;
-	if (s->data[12] == 'Z')
+	if (!OPENSSL_gmtime(&t, &ttm))
-		offset=0;
+		return -2;
 	else
 		{
 		offset = g2(s->data+13)*60+g2(s->data+15);
 		if (s->data[12] == '-')
 			offset = -offset;
 		}
-	t -= offset*60; /* FIXME: may overflow in extreme cases */
+	if (!OPENSSL_gmtime_diff(&day, &sec, &stm, &ttm))
-
+		return -2;
 	tm = OPENSSL_gmtime(&t, &data);
 #define return_cmp(a,b) if ((a)<(b)) return -1; else if ((a)>(b)) return 1
 	year = g2(s->data);
 	if (year < 50)
 		year += 100;
 	return_cmp(year,              tm->tm_year);
 	return_cmp(g2(s->data+2) - 1, tm->tm_mon);
 	return_cmp(g2(s->data+4),     tm->tm_mday);
 	return_cmp(g2(s->data+6),     tm->tm_hour);
 	return_cmp(g2(s->data+8),     tm->tm_min);
 	return_cmp(g2(s->data+10),    tm->tm_sec);
 #undef g2
 #undef return_cmp
 	if (day > 0)
 		return 1;
 	if (day < 0)
 		return -1;
 	if (sec > 0)
 		return 1;
 	if (sec < 0)
 		return -1;
 	return 0;
 	}
--- a/crypto/asn1/a_verify.c
+++ b/crypto/asn1/a_verify.c
@ -140,6 +140,12 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
 	int mdnid, pknid;
 	if (!pkey)
 		{
 		ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ERR_R_PASSED_NULL_PARAMETER);
 		return -1;
 		}
 	EVP_MD_CTX_init(&ctx);
 	/* Convert signature OID into digest and public key OIDs */
--- a/crypto/asn1/ameth_lib.c
+++ b/crypto/asn1/ameth_lib.c
@ -67,6 +67,7 @@
 extern const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[];
 extern const EVP_PKEY_ASN1_METHOD dsa_asn1_meths[];
 extern const EVP_PKEY_ASN1_METHOD dh_asn1_meth;
 extern const EVP_PKEY_ASN1_METHOD dhx_asn1_meth;
 extern const EVP_PKEY_ASN1_METHOD eckey_asn1_meth;
 extern const EVP_PKEY_ASN1_METHOD hmac_asn1_meth;
 extern const EVP_PKEY_ASN1_METHOD cmac_asn1_meth;
@ -92,7 +93,10 @@ static const EVP_PKEY_ASN1_METHOD *standard_methods[] =
 	&eckey_asn1_meth,
 #endif
 	&hmac_asn1_meth,
-	&cmac_asn1_meth
+	&cmac_asn1_meth,
 #ifndef OPENSSL_NO_DH
 	&dhx_asn1_meth
 #endif
 	};
 typedef int sk_cmp_fn_type(const char * const *a, const char * const *b);
@ -258,7 +262,12 @@ int EVP_PKEY_asn1_add_alias(int to, int from)
 	if (!ameth)
 		return 0;
 	ameth->pkey_base_id = to;
-	return EVP_PKEY_asn1_add0(ameth);
+	if (!EVP_PKEY_asn1_add0(ameth))
 		{
 		EVP_PKEY_asn1_free(ameth);
 		return 0;
 		}
 	return 1;
 	}
 int EVP_PKEY_asn1_get0_info(int *ppkey_id, int *ppkey_base_id, int *ppkey_flags,
--- a/crypto/asn1/asn1.h
+++ b/crypto/asn1/asn1.h
@ -208,14 +208,14 @@ typedef struct asn1_const_ctx_st
 #define ASN1_OBJECT_FLAG_CRITICAL	 0x02	/* critical x509v3 object id */
 #define ASN1_OBJECT_FLAG_DYNAMIC_STRINGS 0x04	/* internal use */
 #define ASN1_OBJECT_FLAG_DYNAMIC_DATA 	 0x08	/* internal use */
-typedef struct asn1_object_st
+struct asn1_object_st
 	{
 	const char *sn,*ln;
 	int nid;
 	int length;
 	const unsigned char *data;	/* data remains const after init */
 	int flags;	/* Should we free this one */
-	} ASN1_OBJECT;
+	};
 #define ASN1_STRING_FLAG_BITS_LEFT 0x08 /* Set if 0x07 has bits left value */
 /* This indicates that the ASN1_STRING is not a real value but just a place
@ -839,7 +839,7 @@ int ASN1_INTEGER_cmp(const ASN1_INTEGER *x, const ASN1_INTEGER *y);
 DECLARE_ASN1_FUNCTIONS(ASN1_ENUMERATED)
-int ASN1_UTCTIME_check(ASN1_UTCTIME *a);
+int ASN1_UTCTIME_check(const ASN1_UTCTIME *a);
 ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s,time_t t);
 ASN1_UTCTIME *ASN1_UTCTIME_adj(ASN1_UTCTIME *s, time_t t,
 				int offset_day, long offset_sec);
@ -849,11 +849,13 @@ int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t);
 time_t ASN1_UTCTIME_get(const ASN1_UTCTIME *s);
 #endif
-int ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *a);
+int ASN1_GENERALIZEDTIME_check(const ASN1_GENERALIZEDTIME *a);
 ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s,time_t t);
 ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_adj(ASN1_GENERALIZEDTIME *s,
 	     time_t t, int offset_day, long offset_sec);
 int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s, const char *str);
 int ASN1_TIME_diff(int *pday, int *psec,
 			const ASN1_TIME *from, const ASN1_TIME *to);
 DECLARE_ASN1_FUNCTIONS(ASN1_OCTET_STRING)
 ASN1_OCTET_STRING *	ASN1_OCTET_STRING_dup(const ASN1_OCTET_STRING *a);
--- a/crypto/asn1/asn1_err.c
+++ b/crypto/asn1/asn1_err.c
@ -305,7 +305,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
 {ERR_REASON(ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE),"unknown public key type"},
 {ERR_REASON(ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM),"unknown signature algorithm"},
 {ERR_REASON(ASN1_R_UNKNOWN_TAG)          ,"unknown tag"},
-{ERR_REASON(ASN1_R_UNKOWN_FORMAT)        ,"unkown format"},
+{ERR_REASON(ASN1_R_UNKOWN_FORMAT)        ,"unknown format"},
 {ERR_REASON(ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE),"unsupported any defined by type"},
 {ERR_REASON(ASN1_R_UNSUPPORTED_CIPHER)   ,"unsupported cipher"},
 {ERR_REASON(ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM),"unsupported encryption algorithm"},
--- a/crypto/asn1/asn1_lib.c
+++ b/crypto/asn1/asn1_lib.c
@ -131,6 +131,9 @@ int ASN1_get_object(const unsigned char **pp, long *plength, int *ptag,
 	*pclass=xclass;
 	if (!asn1_get_length(&p,&inf,plength,(int)max)) goto err;
 	if (inf && !(ret & V_ASN1_CONSTRUCTED))
 		goto err;
 #if 0
 	fprintf(stderr,"p=%d + *plength=%ld > omax=%ld + *pp=%d  (%d > %d)\n", 
 		(int)p,*plength,omax,(int)*pp,(int)(p+ *plength),
--- a/crypto/asn1/asn1_locl.h
+++ b/crypto/asn1/asn1_locl.h
@ -58,6 +58,9 @@
 /* Internal ASN1 structures and functions: not for application use */
 int asn1_utctime_to_tm(struct tm *tm, const ASN1_UTCTIME *d);
 int asn1_generalizedtime_to_tm(struct tm *tm, const ASN1_GENERALIZEDTIME *d);
 /* ASN1 print context structure */
 struct asn1_pctx_st
--- a/crypto/asn1/asn_mime.c
+++ b/crypto/asn1/asn_mime.c
@ -667,6 +667,8 @@ static STACK_OF(MIME_HEADER) *mime_parse_hdr(BIO *bio)
 	int len, state, save_state = 0;
 	headers = sk_MIME_HEADER_new(mime_hdr_cmp);
 	if (!headers)
 		return NULL;
 	while ((len = BIO_gets(bio, linebuf, MAX_SMLEN)) > 0) {
 	/* If whitespace at line start then continuation line */
 	if(mhdr && isspace((unsigned char)linebuf[0])) state = MIME_NAME;
--- a/crypto/asn1/asn_pack.c
+++ b/crypto/asn1/asn_pack.c
@ -134,15 +134,23 @@ ASN1_STRING *ASN1_pack_string(void *obj, i2d_of_void *i2d, ASN1_STRING **oct)
 	if (!(octmp->length = i2d(obj, NULL))) {
 		ASN1err(ASN1_F_ASN1_PACK_STRING,ASN1_R_ENCODE_ERROR);
-		return NULL;
+		goto err;
 	}
 	if (!(p = OPENSSL_malloc (octmp->length))) {
 		ASN1err(ASN1_F_ASN1_PACK_STRING,ERR_R_MALLOC_FAILURE);
-		return NULL;
+		goto err;
 	}
 	octmp->data = p;
 	i2d (obj, &p);
 	return octmp;
 	err:
 	if (!oct || !*oct)
 		{
 		ASN1_STRING_free(octmp);
 		if (oct)
 			*oct = NULL;
 		}
 	return NULL;
 }
 #endif
--- a/crypto/asn1/bio_asn1.c
+++ b/crypto/asn1/bio_asn1.c
@ -154,7 +154,10 @@ static int asn1_bio_new(BIO *b)
 	if (!ctx)
 		return 0;
 	if (!asn1_bio_init(ctx, DEFAULT_ASN1_BUF_SIZE))
 		{
 		OPENSSL_free(ctx);
 		return 0;
 		}
 	b->init = 1;
 	b->ptr = (char *)ctx;
 	b->flags = 0;
--- a/crypto/asn1/charmap.pl
+++ b/crypto/asn1/charmap.pl
@ -1,5 +1,8 @@
 #!/usr/local/bin/perl -w
 # Written by Dr Stephen N Henson (steve@openssl.org).
 # Licensed under the terms of the OpenSSL license.
 use strict;
 my ($i, @arr);
--- a/Show More
+++ b/Show More