395 changed files with 3618 additions and 4860 deletions
--- a/.cvsignore
+++ b/.cvsignore
@ -0,0 +1,22 @@
 openssl.pc
 libcrypto.pc
 libssl.pc
 MINFO
 makefile.one
 tmp
 out
 outinc
 rehash.time
 testlog
 make.log
 maketest.log
 cctest
 cctest.c
 cctest.a
 *.flc
 semantic.cache
 Makefile
 *.dll*
 *.so*
 *.sl*
 *.dylib*
--- a/.gitignore
+++ b/.gitignore
@ -7,7 +7,6 @@
 .#*
 #*#
 *~
 /.dir-locals.el
 # Top level excludes
 /Makefile.bak
--- a/.travis-create-release.sh
+++ b/.travis-create-release.sh
@ -1,10 +0,0 @@
 #! /bin/sh
 # $1 is expected to be $TRAVIS_OS_NAME
 if [ "$1" == osx ]; then
    make -f Makefile.org \
 	 DISTTARVARS="NAME=_srcdist TAR_COMMAND='\$\$(TAR) \$\$(TARFLAGS) -s \"|^|\$\$(NAME)/|\" -T \$\$(TARFILE).list -cvf -' TARFLAGS='-n' TARFILE=_srcdist.tar" SHELL='sh -vx' dist
 else
    make -f Makefile.org DISTTARVARS='TARFILE=_srcdist.tar NAME=_srcdist' SHELL='sh -v' dist
 fi
--- a/.travis.yml
+++ b/.travis.yml
@ -1,60 +0,0 @@
 language: c
 addons:
    apt_packages:
        - binutils-mingw-w64
        - gcc-mingw-w64
 os:
    - linux
    - osx
 compiler:
    - clang
    - gcc
    - i686-w64-mingw32-gcc
    - x86_64-w64-mingw32-gcc
 env:
    - CONFIG_OPTS=""
    - CONFIG_OPTS="shared"
    - CONFIG_OPTS="-d --strict-warnings"
 matrix:
    exclude:
        - os: osx
          compiler: i686-w64-mingw32-gcc
        - os: osx
          compiler: x86_64-w64-mingw32-gcc
        - compiler: i686-w64-mingw32-gcc
          env: CONFIG_OPTS="-d --strict-warnings"
        - compiler: x86_64-w64-mingw32-gcc
          env: CONFIG_OPTS="-d --strict-warnings"
 before_script:
    - sh .travis-create-release.sh $TRAVIS_OS_NAME
    - tar -xvzf _srcdist.tar.gz
    - cd _srcdist
    - if [ "$CC" == i686-w64-mingw32-gcc ]; then
          export CROSS_COMPILE=${CC%%gcc}; unset CC;
          ./Configure mingw $CONFIG_OPTS;
      elif [ "$CC" == x86_64-w64-mingw32-gcc ]; then
          export CROSS_COMPILE=${CC%%gcc}; unset CC;
          ./Configure mingw64 $CONFIG_OPTS;
      else
          ./config $CONFIG_OPTS;
      fi
    - cd ..
 script:
    - cd _srcdist
    - make
    - if [ -z "$CROSS_COMPILE" ]; then make test; fi
    - cd ..
 notifications:
    recipient:
        - openssl-commits@openssl.org
    email:
        on_success: change
        on_failure: always
--- a/32
+++ b/32
@ -1,2 +1,30 @@
-Please https://www.openssl.org/community/thanks.html for the current
+The OpenSSL project depends on volunteer efforts and financial support from
-acknowledgements.
+the end user community. That support comes in the form of donations and paid
 sponsorships, software support contracts, paid consulting services
 and commissioned software development.
 Since all these activities support the continued development and improvement
 of OpenSSL we consider all these clients and customers as sponsors of the
 OpenSSL project.
 We would like to identify and thank the following such sponsors for their past
 or current significant support of the OpenSSL project:
 Major support:
 	Qualys		http://www.qualys.com/
 Very significant support:
 	OpenGear:	http://www.opengear.com/
 Significant support:
 	PSW Group:	http://www.psw.net/
 	Acano Ltd.	http://acano.com/
 Please note that we ask permission to identify sponsors and that some sponsors
 we consider eligible for inclusion here have requested to remain anonymous.
 Additional sponsorship or financial support is always welcome: for more
 information please contact the OpenSSL Software Foundation.
--- a/406
+++ b/406
@ -2,241 +2,6 @@
 OpenSSL CHANGES
 _______________
 Changes between 1.0.1s and 1.0.1t [xx XXX xxxx]
  *) Remove LOW from the DEFAULT cipher list.  This removes singles DES from the
     default.
     [Kurt Roeckx]
  *) Only remove the SSLv2 methods with the no-ssl2-method option. When the
     methods are enabled and ssl2 is disabled the methods return NULL.
     [Kurt Roeckx]
 Changes between 1.0.1r and 1.0.1s [1 Mar 2016]
  * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
    Builds that are not configured with "enable-weak-ssl-ciphers" will not
    provide any "EXPORT" or "LOW" strength ciphers.
    [Viktor Dukhovni]
  * Disable SSLv2 default build, default negotiation and weak ciphers.  SSLv2
    is by default disabled at build-time.  Builds that are not configured with
    "enable-ssl2" will not support SSLv2.  Even if "enable-ssl2" is used,
    users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
    will need to explicitly call either of:
        SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
    or
        SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
    as appropriate.  Even if either of those is used, or the application
    explicitly uses the version-specific SSLv2_method() or its client and
    server variants, SSLv2 ciphers vulnerable to exhaustive search key
    recovery have been removed.  Specifically, the SSLv2 40-bit EXPORT
    ciphers, and SSLv2 56-bit DES are no longer available.
    (CVE-2016-0800)
    [Viktor Dukhovni]
  *) Fix a double-free in DSA code
     A double free bug was discovered when OpenSSL parses malformed DSA private
     keys and could lead to a DoS attack or memory corruption for applications
     that receive DSA private keys from untrusted sources.  This scenario is
     considered rare.
     This issue was reported to OpenSSL by Adam Langley(Google/BoringSSL) using
     libFuzzer.
     (CVE-2016-0705)
     [Stephen Henson]
  *) Disable SRP fake user seed to address a server memory leak.
     Add a new method SRP_VBASE_get1_by_user that handles the seed properly.
     SRP_VBASE_get_by_user had inconsistent memory management behaviour.
     In order to fix an unavoidable memory leak, SRP_VBASE_get_by_user
     was changed to ignore the "fake user" SRP seed, even if the seed
     is configured.
     Users should use SRP_VBASE_get1_by_user instead. Note that in
     SRP_VBASE_get1_by_user, caller must free the returned value. Note
     also that even though configuring the SRP seed attempts to hide
     invalid usernames by continuing the handshake with fake
     credentials, this behaviour is not constant time and no strong
     guarantees are made that the handshake is indistinguishable from
     that of a valid user.
     (CVE-2016-0798)
     [Emilia Käsper]
  *) Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
     In the BN_hex2bn function the number of hex digits is calculated using an
     int value |i|. Later |bn_expand| is called with a value of |i * 4|. For
     large values of |i| this can result in |bn_expand| not allocating any
     memory because |i * 4| is negative. This can leave the internal BIGNUM data
     field as NULL leading to a subsequent NULL ptr deref. For very large values
     of |i|, the calculation |i * 4| could be a positive value smaller than |i|.
     In this case memory is allocated to the internal BIGNUM data field, but it
     is insufficiently sized leading to heap corruption. A similar issue exists
     in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn
     is ever called by user applications with very large untrusted hex/dec data.
     This is anticipated to be a rare occurrence.
     All OpenSSL internal usage of these functions use data that is not expected
     to be untrusted, e.g. config file data or application command line
     arguments. If user developed applications generate config file data based
     on untrusted data then it is possible that this could also lead to security
     consequences. This is also anticipated to be rare.
     This issue was reported to OpenSSL by Guido Vranken.
     (CVE-2016-0797)
     [Matt Caswell]
  *) Fix memory issues in BIO_*printf functions
     The internal |fmtstr| function used in processing a "%s" format string in
     the BIO_*printf functions could overflow while calculating the length of a
     string and cause an OOB read when printing very long strings.
     Additionally the internal |doapr_outch| function can attempt to write to an
     OOB memory location (at an offset from the NULL pointer) in the event of a
     memory allocation failure. In 1.0.2 and below this could be caused where
     the size of a buffer to be allocated is greater than INT_MAX. E.g. this
     could be in processing a very long "%s" format string. Memory leaks can
     also occur.
     The first issue may mask the second issue dependent on compiler behaviour.
     These problems could enable attacks where large amounts of untrusted data
     is passed to the BIO_*printf functions. If applications use these functions
     in this way then they could be vulnerable. OpenSSL itself uses these
     functions when printing out human-readable dumps of ASN.1 data. Therefore
     applications that print this data could be vulnerable if the data is from
     untrusted sources. OpenSSL command line applications could also be
     vulnerable where they print out ASN.1 data, or if untrusted data is passed
     as command line arguments.
     Libssl is not considered directly vulnerable. Additionally certificates etc
     received via remote connections via libssl are also unlikely to be able to
     trigger these issues because of message size limits enforced within libssl.
     This issue was reported to OpenSSL Guido Vranken.
     (CVE-2016-0799)
     [Matt Caswell]
  *) Side channel attack on modular exponentiation
     A side-channel attack was found which makes use of cache-bank conflicts on
     the Intel Sandy-Bridge microarchitecture which could lead to the recovery
     of RSA keys.  The ability to exploit this issue is limited as it relies on
     an attacker who has control of code in a thread running on the same
     hyper-threaded core as the victim thread which is performing decryptions.
     This issue was reported to OpenSSL by Yuval Yarom, The University of
     Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and
     Nadia Heninger, University of Pennsylvania with more information at
     http://cachebleed.info.
     (CVE-2016-0702)
     [Andy Polyakov]
  *) Change the req app to generate a 2048-bit RSA/DSA key by default,
     if no keysize is specified with default_bits. This fixes an
     omission in an earlier change that changed all RSA/DSA key generation
     apps to use 2048 bits by default.
     [Emilia Käsper]
 Changes between 1.0.1q and 1.0.1r [28 Jan 2016]
  *) Protection for DH small subgroup attacks
     As a precautionary measure the SSL_OP_SINGLE_DH_USE option has been
     switched on by default and cannot be disabled. This could have some
     performance impact.
     [Matt Caswell]
  *) SSLv2 doesn't block disabled ciphers
     A malicious client can negotiate SSLv2 ciphers that have been disabled on
     the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
     been disabled, provided that the SSLv2 protocol was not also disabled via
     SSL_OP_NO_SSLv2.
     This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
     and Sebastian Schinzel.
     (CVE-2015-3197)
     [Viktor Dukhovni]
  *) Reject DH handshakes with parameters shorter than 1024 bits.
     [Kurt Roeckx]
 Changes between 1.0.1p and 1.0.1q [3 Dec 2015]
  *) Certificate verify crash with missing PSS parameter
     The signature verification routines will crash with a NULL pointer
     dereference if presented with an ASN.1 signature using the RSA PSS
     algorithm and absent mask generation function parameter. Since these
     routines are used to verify certificate signature algorithms this can be
     used to crash any certificate verification operation and exploited in a
     DoS attack. Any application which performs certificate verification is
     vulnerable including OpenSSL clients and servers which enable client
     authentication.
     This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG).
     (CVE-2015-3194)
     [Stephen Henson]
  *) X509_ATTRIBUTE memory leak
     When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
     memory. This structure is used by the PKCS#7 and CMS routines so any
     application which reads PKCS#7 or CMS data from untrusted sources is
     affected. SSL/TLS is not affected.
     This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
     libFuzzer.
     (CVE-2015-3195)
     [Stephen Henson]
  *) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
     This changes the decoding behaviour for some invalid messages,
     though the change is mostly in the more lenient direction, and
     legacy behaviour is preserved as much as possible.
     [Emilia Käsper]
  *) In DSA_generate_parameters_ex, if the provided seed is too short,
     use a random seed, as already documented.
     [Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>]
 Changes between 1.0.1o and 1.0.1p [9 Jul 2015]
  *) Alternate chains certificate forgery
     During certificate verfification, OpenSSL will attempt to find an
     alternative certificate chain if the first attempt to build such a chain
     fails. An error in the implementation of this logic can mean that an
     attacker could cause certain checks on untrusted certificates to be
     bypassed, such as the CA flag, enabling them to use a valid leaf
     certificate to act as a CA and "issue" an invalid certificate.
     This issue was reported to OpenSSL by Adam Langley/David Benjamin
     (Google/BoringSSL).
     (CVE-2015-1793)
     [Matt Caswell]
  *) Race condition handling PSK identify hint
     If PSK identity hints are received by a multi-threaded client then
     the values are wrongly updated in the parent SSL_CTX structure. This can
     result in a race condition potentially leading to a double free of the
     identify hint data.
     (CVE-2015-3196)
     [Stephen Henson]
 Changes between 1.0.1n and 1.0.1o [12 Jun 2015]
  *) Fix HMAC ABI incompatibility. The previous version introduced an ABI
     incompatibility in the handling of HMAC. The previous ABI has now been
     restored.
 Changes between 1.0.1m and 1.0.1n [11 Jun 2015]
  *) Malformed ECParameters causes infinite loop
@ -269,9 +34,9 @@
     callbacks.
     This issue was reported to OpenSSL by Robert Swiecki (Google), and
-     independently by Hanno Böck.
+     independently by Hanno Böck.
     (CVE-2015-1789)
-     [Emilia Käsper]
+     [Emilia Käsper]
  *) PKCS7 crash with missing EnvelopedContent
@ -285,7 +50,7 @@
     This issue was reported to OpenSSL by Michal Zalewski (Google).
     (CVE-2015-1790)
-     [Emilia Käsper]
+     [Emilia Käsper]
  *) CMS verify infinite loop with unknown hash function
@ -308,9 +73,6 @@
  *) Reject DH handshakes with parameters shorter than 768 bits.
     [Kurt Roeckx and Emilia Kasper]
  *) dhparam: generate 2048-bit parameters by default.
     [Kurt Roeckx and Emilia Kasper]
 Changes between 1.0.1l and 1.0.1m [19 Mar 2015]
  *) Segmentation fault in ASN1_TYPE_cmp fix
@ -349,7 +111,7 @@
     This issue was reported to OpenSSL by Michal Zalewski (Google).
     (CVE-2015-0289)
-     [Emilia Käsper]
+     [Emilia Käsper]
  *) DoS via reachable assert in SSLv2 servers fix
@ -357,10 +119,10 @@
     servers that both support SSLv2 and enable export cipher suites by sending
     a specially crafted SSLv2 CLIENT-MASTER-KEY message.
-     This issue was discovered by Sean Burford (Google) and Emilia Käsper
+     This issue was discovered by Sean Burford (Google) and Emilia Käsper
     (OpenSSL development team).
     (CVE-2015-0293)
-     [Emilia Käsper]
+     [Emilia Käsper]
  *) Use After Free following d2i_ECPrivatekey error fix
@ -505,12 +267,12 @@
      version does not match the session's version. Resuming with a different
      version, while not strictly forbidden by the RFC, is of questionable
      sanity and breaks all known clients.
-      [David Benjamin, Emilia Käsper]
+      [David Benjamin, Emilia Käsper]
   *) Tighten handling of the ChangeCipherSpec (CCS) message: reject
      early CCS messages during renegotiation. (Note that because
      renegotiation is encrypted, this early CCS was not exploitable.)
-      [Emilia Käsper]
+      [Emilia Käsper]
   *) Tighten client-side session ticket handling during renegotiation:
      ensure that the client only accepts a session ticket if the server sends
@ -521,7 +283,7 @@
      Similarly, ensure that the client requires a session ticket if one
      was advertised in the ServerHello. Previously, a TLS client would
      ignore a missing NewSessionTicket message.
-      [Emilia Käsper]
+      [Emilia Käsper]
 Changes between 1.0.1i and 1.0.1j [15 Oct 2014]
@ -601,10 +363,10 @@
     with a null pointer dereference (read) by specifying an anonymous (EC)DH
     ciphersuite and sending carefully crafted handshake messages.
-     Thanks to Felix Gröbert (Google) for discovering and researching this
+     Thanks to Felix Gröbert (Google) for discovering and researching this
     issue.
     (CVE-2014-3510)
-     [Emilia Käsper]
+     [Emilia Käsper]
  *) By sending carefully crafted DTLS packets an attacker could cause openssl
     to leak memory. This can be exploited through a Denial of Service attack.
@ -641,7 +403,7 @@
     properly negotiated with the client. This can be exploited through a
     Denial of Service attack.
-     Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for
+     Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for
     discovering and researching this issue.
     (CVE-2014-5139)
     [Steve Henson]
@ -653,7 +415,7 @@
     Thanks to Ivan Fratric (Google) for discovering this issue.
     (CVE-2014-3508)
-     [Emilia Käsper, and Steve Henson]
+     [Emilia Käsper, and Steve Henson]
  *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
     for corner cases. (Certain input points at infinity could lead to
@ -683,15 +445,15 @@
     client or server. This is potentially exploitable to run arbitrary
     code on a vulnerable client or server.
-     Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195)
+     Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195)
-     [Jüri Aedla, Steve Henson]
+     [Jüri Aedla, Steve Henson]
  *) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
     are subject to a denial of service attack.
-     Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
+     Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
     this issue. (CVE-2014-3470)
-     [Felix Gröbert, Ivan Fratric, Steve Henson]
+     [Felix Gröbert, Ivan Fratric, Steve Henson]
  *) Harmonize version and its documentation. -f flag is used to display
     compilation flags.
@ -770,9 +532,9 @@
     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
     Security Group at Royal Holloway, University of London
     (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
-     Emilia Käsper for the initial patch.
+     Emilia Käsper for the initial patch.
     (CVE-2013-0169)
-     [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
+     [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
  *) Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode
     ciphersuites which can be exploited in a denial of service attack.
@ -947,7 +709,7 @@
     EC_GROUP_new_by_curve_name() will automatically use these (while
     EC_GROUP_new_curve_GFp() currently prefers the more flexible
     implementations).
-     [Emilia Käsper, Adam Langley, Bodo Moeller (Google)]
+     [Emilia Käsper, Adam Langley, Bodo Moeller (Google)]
  *) Use type ossl_ssize_t instad of ssize_t which isn't available on
     all platforms. Move ssize_t definition from e_os.h to the public
@ -1223,7 +985,7 @@
     [Adam Langley (Google)]
  *) Fix spurious failures in ecdsatest.c.
-     [Emilia Käsper (Google)]
+     [Emilia Käsper (Google)]
  *) Fix the BIO_f_buffer() implementation (which was mixing different
     interpretations of the '..._len' fields).
@ -1237,7 +999,7 @@
     lock to call BN_BLINDING_invert_ex, and avoids one use of
     BN_BLINDING_update for each BN_BLINDING structure (previously,
     the last update always remained unused).
-     [Emilia Käsper (Google)]
+     [Emilia Käsper (Google)]
  *) In ssl3_clear, preserve s3->init_extra along with s3->rbuf.
     [Bob Buckholz (Google)]
@ -2046,7 +1808,7 @@
  *) Add RFC 3161 compliant time stamp request creation, response generation
     and response verification functionality.
-     [Zoltán Glózik <zglozik@opentsa.org>, The OpenTSA Project]
+     [Zoltán Glózik <zglozik@opentsa.org>, The OpenTSA Project]
  *) Add initial support for TLS extensions, specifically for the server_name
     extension so far.  The SSL_SESSION, SSL_CTX, and SSL data structures now
@ -3214,7 +2976,7 @@
  *) BN_CTX_get() should return zero-valued bignums, providing the same
     initialised value as BN_new().
-     [Geoff Thorpe, suggested by Ulf Möller]
+     [Geoff Thorpe, suggested by Ulf Möller]
  *) Support for inhibitAnyPolicy certificate extension.
     [Steve Henson]
@ -3233,7 +2995,7 @@
     some point, these tighter rules will become openssl's default to improve
     maintainability, though the assert()s and other overheads will remain only
     in debugging configurations. See bn.h for more details.
-     [Geoff Thorpe, Nils Larsch, Ulf Möller]
+     [Geoff Thorpe, Nils Larsch, Ulf Möller]
  *) BN_CTX_init() has been deprecated, as BN_CTX is an opaque structure
     that can only be obtained through BN_CTX_new() (which implicitly
@ -3300,7 +3062,7 @@
     [Douglas Stebila (Sun Microsystems Laboratories)]
  *) Add the possibility to load symbols globally with DSO.
-     [Götz Babin-Ebell <babin-ebell@trustcenter.de> via Richard Levitte]
+     [Götz Babin-Ebell <babin-ebell@trustcenter.de> via Richard Levitte]
  *) Add the functions ERR_set_mark() and ERR_pop_to_mark() for better
     control of the error stack.
@ -4015,7 +3777,7 @@
     [Steve Henson]
  *) Undo Cygwin change.
-     [Ulf Möller]
+     [Ulf Möller]
  *) Added support for proxy certificates according to RFC 3820.
     Because they may be a security thread to unaware applications,
@ -4048,11 +3810,11 @@
     [Stephen Henson, reported by UK NISCC]
  *) Use Windows randomness collection on Cygwin.
-     [Ulf Möller]
+     [Ulf Möller]
  *) Fix hang in EGD/PRNGD query when communication socket is closed
     prematurely by EGD/PRNGD.
-     [Darren Tucker <dtucker@zip.com.au> via Lutz Jänicke, resolves #1014]
+     [Darren Tucker <dtucker@zip.com.au> via Lutz Jänicke, resolves #1014]
  *) Prompt for pass phrases when appropriate for PKCS12 input format.
     [Steve Henson]
@ -4514,7 +4276,7 @@
     pointers passed to them whenever necessary. Otherwise it is possible
     the caller may have overwritten (or deallocated) the original string
     data when a later ENGINE operation tries to use the stored values.
-     [Götz Babin-Ebell <babinebell@trustcenter.de>]
+     [Götz Babin-Ebell <babinebell@trustcenter.de>]
  *) Improve diagnostics in file reading and command-line digests.
     [Ben Laurie aided and abetted by Solar Designer <solar@openwall.com>]
@ -6619,7 +6381,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
     [Bodo Moeller]
  *) BN_sqr() bug fix.
-     [Ulf Möller, reported by Jim Ellis <jim.ellis@cavium.com>]
+     [Ulf Möller, reported by Jim Ellis <jim.ellis@cavium.com>]
  *) Rabin-Miller test analyses assume uniformly distributed witnesses,
     so use BN_pseudo_rand_range() instead of using BN_pseudo_rand()
@ -6779,7 +6541,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
     [Bodo Moeller]
  *) Fix OAEP check.
-     [Ulf Möller, Bodo Möller]
+     [Ulf Möller, Bodo Möller]
  *) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5
     RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5
@ -7041,10 +6803,10 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
     [Bodo Moeller]
  *) Use better test patterns in bntest.
-     [Ulf Möller]
+     [Ulf Möller]
  *) rand_win.c fix for Borland C.
-     [Ulf Möller]
+     [Ulf Möller]
  *) BN_rshift bugfix for n == 0.
     [Bodo Moeller]
@ -7189,14 +6951,14 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
  *) New BIO_shutdown_wr macro, which invokes the BIO_C_SHUTDOWN_WR
     BIO_ctrl (for BIO pairs).
-     [Bodo Möller]
+     [Bodo Möller]
  *) Add DSO method for VMS.
     [Richard Levitte]
  *) Bug fix: Montgomery multiplication could produce results with the
     wrong sign.
-     [Ulf Möller]
+     [Ulf Möller]
  *) Add RPM specification openssl.spec and modify it to build three
     packages.  The default package contains applications, application
@ -7214,7 +6976,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
  *) Don't set the two most significant bits to one when generating a
     random number < q in the DSA library.
-     [Ulf Möller]
+     [Ulf Möller]
  *) New SSL API mode 'SSL_MODE_AUTO_RETRY'.  This disables the default
     behaviour that SSL_read may result in SSL_ERROR_WANT_READ (even if
@ -7480,7 +7242,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
  *) Randomness polling function for Win9x, as described in:
     Peter Gutmann, Software Generation of Practically Strong
     Random Numbers.
-     [Ulf Möller]
+     [Ulf Möller]
  *) Fix so PRNG is seeded in req if using an already existing
     DSA key.
@ -7700,7 +7462,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
     [Steve Henson]
  *) Eliminate non-ANSI declarations in crypto.h and stack.h.
-     [Ulf Möller]
+     [Ulf Möller]
  *) Fix for SSL server purpose checking. Server checking was
     rejecting certificates which had extended key usage present
@ -7732,7 +7494,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
     [Bodo Moeller]
  *) Bugfix for linux-elf makefile.one.
-     [Ulf Möller]
+     [Ulf Möller]
  *) RSA_get_default_method() will now cause a default
     RSA_METHOD to be chosen if one doesn't exist already.
@ -7821,7 +7583,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
     [Steve Henson]
  *) des_quad_cksum() byte order bug fix.
-     [Ulf Möller, using the problem description in krb4-0.9.7, where
+     [Ulf Möller, using the problem description in krb4-0.9.7, where
      the solution is attributed to Derrick J Brashear <shadow@DEMENTIA.ORG>]
  *) Fix so V_ASN1_APP_CHOOSE works again: however its use is strongly
@ -7922,7 +7684,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
     [Rolf Haberrecker <rolf@suse.de>]
  *) Assembler module support for Mingw32.
-     [Ulf Möller]
+     [Ulf Möller]
  *) Shared library support for HPUX (in shlib/).
     [Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> and Anonymous]
@ -7941,7 +7703,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
  *) BN_mul bugfix: In bn_mul_part_recursion() only the a>a[n] && b>b[n]
     case was implemented. This caused BN_div_recp() to fail occasionally.
-     [Ulf Möller]
+     [Ulf Möller]
  *) Add an optional second argument to the set_label() in the perl
     assembly language builder. If this argument exists and is set
@ -7971,14 +7733,14 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
     [Steve Henson]
  *) Fix potential buffer overrun problem in BIO_printf().
-     [Ulf Möller, using public domain code by Patrick Powell; problem
+     [Ulf Möller, using public domain code by Patrick Powell; problem
      pointed out by David Sacerdote <das33@cornell.edu>]
  *) Support EGD <http://www.lothar.com/tech/crypto/>.  New functions
     RAND_egd() and RAND_status().  In the command line application,
     the EGD socket can be specified like a seed file using RANDFILE
     or -rand.
-     [Ulf Möller]
+     [Ulf Möller]
  *) Allow the string CERTIFICATE to be tolerated in PKCS#7 structures.
     Some CAs (e.g. Verisign) distribute certificates in this form.
@ -8011,7 +7773,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
        #define OPENSSL_ALGORITHM_DEFINES
        #include <openssl/opensslconf.h>
     defines all pertinent NO_<algo> symbols, such as NO_IDEA, NO_RSA, etc.
-     [Richard Levitte, Ulf and Bodo Möller]
+     [Richard Levitte, Ulf and Bodo Möller]
  *) Bugfix: Tolerate fragmentation and interleaving in the SSL 3/TLS
     record layer.
@ -8062,17 +7824,17 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
  *) Bug fix for BN_div_recp() for numerators with an even number of
     bits.
-     [Ulf Möller]
+     [Ulf Möller]
  *) More tests in bntest.c, and changed test_bn output.
-     [Ulf Möller]
+     [Ulf Möller]
  *) ./config recognizes MacOS X now.
     [Andy Polyakov]
  *) Bug fix for BN_div() when the first words of num and divsor are
     equal (it gave wrong results if (rem=(n1-q*d0)&BN_MASK2) < d0).
-     [Ulf Möller]
+     [Ulf Möller]
  *) Add support for various broken PKCS#8 formats, and command line
     options to produce them.
@ -8080,11 +7842,11 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
  *) New functions BN_CTX_start(), BN_CTX_get() and BT_CTX_end() to
     get temporary BIGNUMs from a BN_CTX.
-     [Ulf Möller]
+     [Ulf Möller]
  *) Correct return values in BN_mod_exp_mont() and BN_mod_exp2_mont()
     for p == 0.
-     [Ulf Möller]
+     [Ulf Möller]
  *) Change the SSLeay_add_all_*() functions to OpenSSL_add_all_*() and
     include a #define from the old name to the new. The original intent
@ -8108,7 +7870,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
  *) Source code cleanups: use const where appropriate, eliminate casts,
     use void * instead of char * in lhash.
-     [Ulf Möller] 
+     [Ulf Möller] 
  *) Bugfix: ssl3_send_server_key_exchange was not restartable
     (the state was not changed to SSL3_ST_SW_KEY_EXCH_B, and because of
@ -8153,13 +7915,13 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
     [Steve Henson]
  *) New function BN_pseudo_rand().
-     [Ulf Möller]
+     [Ulf Möller]
  *) Clean up BN_mod_mul_montgomery(): replace the broken (and unreadable)
     bignum version of BN_from_montgomery() with the working code from
     SSLeay 0.9.0 (the word based version is faster anyway), and clean up
     the comments.
-     [Ulf Möller]
+     [Ulf Möller]
  *) Avoid a race condition in s2_clnt.c (function get_server_hello) that
     made it impossible to use the same SSL_SESSION data structure in
@ -8169,25 +7931,25 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
  *) The return value of RAND_load_file() no longer counts bytes obtained
     by stat().  RAND_load_file(..., -1) is new and uses the complete file
     to seed the PRNG (previously an explicit byte count was required).
-     [Ulf Möller, Bodo Möller]
+     [Ulf Möller, Bodo Möller]
  *) Clean up CRYPTO_EX_DATA functions, some of these didn't have prototypes
     used (char *) instead of (void *) and had casts all over the place.
     [Steve Henson]
  *) Make BN_generate_prime() return NULL on error if ret!=NULL.
-     [Ulf Möller]
+     [Ulf Möller]
  *) Retain source code compatibility for BN_prime_checks macro:
     BN_is_prime(..., BN_prime_checks, ...) now uses
     BN_prime_checks_for_size to determine the appropriate number of
     Rabin-Miller iterations.
-     [Ulf Möller]
+     [Ulf Möller]
  *) Diffie-Hellman uses "safe" primes: DH_check() return code renamed to
     DH_CHECK_P_NOT_SAFE_PRIME.
     (Check if this is true? OpenPGP calls them "strong".)
-     [Ulf Möller]
+     [Ulf Möller]
  *) Merge the functionality of "dh" and "gendh" programs into a new program
     "dhparam". The old programs are retained for now but will handle DH keys
@ -8243,7 +8005,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
  *) Add missing #ifndefs that caused missing symbols when building libssl
     as a shared library without RSA.  Use #ifndef NO_SSL2 instead of
     NO_RSA in ssl/s2*.c. 
-     [Kris Kennaway <kris@hub.freebsd.org>, modified by Ulf Möller]
+     [Kris Kennaway <kris@hub.freebsd.org>, modified by Ulf Möller]
  *) Precautions against using the PRNG uninitialized: RAND_bytes() now
     has a return value which indicates the quality of the random data
@ -8252,7 +8014,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
     guaranteed to be unique but not unpredictable. RAND_add is like
     RAND_seed, but takes an extra argument for an entropy estimate
     (RAND_seed always assumes full entropy).
-     [Ulf Möller]
+     [Ulf Möller]
  *) Do more iterations of Rabin-Miller probable prime test (specifically,
     3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes
@ -8282,7 +8044,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
     [Steve Henson]
  *) Honor the no-xxx Configure options when creating .DEF files.
-     [Ulf Möller]
+     [Ulf Möller]
  *) Add PKCS#10 attributes to field table: challengePassword, 
     unstructuredName and unstructuredAddress. These are taken from
@ -9116,7 +8878,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
  *) More DES library cleanups: remove references to srand/rand and
     delete an unused file.
-     [Ulf Möller]
+     [Ulf Möller]
  *) Add support for the the free Netwide assembler (NASM) under Win32,
     since not many people have MASM (ml) and it can be hard to obtain.
@ -9205,7 +8967,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
     worked.
  *) Fix problems with no-hmac etc.
-     [Ulf Möller, pointed out by Brian Wellington <bwelling@tislabs.com>]
+     [Ulf Möller, pointed out by Brian Wellington <bwelling@tislabs.com>]
  *) New functions RSA_get_default_method(), RSA_set_method() and
     RSA_get_method(). These allows replacement of RSA_METHODs without having
@ -9322,7 +9084,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
     [Ben Laurie]
  *) DES library cleanups.
-     [Ulf Möller]
+     [Ulf Möller]
  *) Add support for PKCS#5 v2.0 PBE algorithms. This will permit PKCS#8 to be
     used with any cipher unlike PKCS#5 v1.5 which can at most handle 64 bit
@ -9365,7 +9127,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
     [Christian Forster <fo@hawo.stw.uni-erlangen.de>]
  *) config now generates no-xxx options for missing ciphers.
-     [Ulf Möller]
+     [Ulf Möller]
  *) Support the EBCDIC character set (work in progress).
     File ebcdic.c not yet included because it has a different license.
@ -9478,7 +9240,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
     [Bodo Moeller]
  *) Move openssl.cnf out of lib/.
-     [Ulf Möller]
+     [Ulf Möller]
  *) Fix various things to let OpenSSL even pass ``egcc -pipe -O2 -Wall
     -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes
@ -9535,10 +9297,10 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
     [Ben Laurie]
  *) Support Borland C++ builder.
-     [Janez Jere <jj@void.si>, modified by Ulf Möller]
+     [Janez Jere <jj@void.si>, modified by Ulf Möller]
  *) Support Mingw32.
-     [Ulf Möller]
+     [Ulf Möller]
  *) SHA-1 cleanups and performance enhancements.
     [Andy Polyakov <appro@fy.chalmers.se>]
@ -9547,7 +9309,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
     [Andy Polyakov <appro@fy.chalmers.se>]
  *) Accept any -xxx and +xxx compiler options in Configure.
-     [Ulf Möller]
+     [Ulf Möller]
  *) Update HPUX configuration.
     [Anonymous]
@ -9580,7 +9342,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
     [Bodo Moeller]
  *) OAEP decoding bug fix.
-     [Ulf Möller]
+     [Ulf Möller]
  *) Support INSTALL_PREFIX for package builders, as proposed by
     David Harris.
@ -9603,21 +9365,21 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
     [Niels Poppe <niels@netbox.org>]
  *) New Configure option no-<cipher> (rsa, idea, rc5, ...).
-     [Ulf Möller]
+     [Ulf Möller]
  *) Add the PKCS#12 API documentation to openssl.txt. Preliminary support for
     extension adding in x509 utility.
     [Steve Henson]
  *) Remove NOPROTO sections and error code comments.
-     [Ulf Möller]
+     [Ulf Möller]
  *) Partial rewrite of the DEF file generator to now parse the ANSI
     prototypes.
     [Steve Henson]
  *) New Configure options --prefix=DIR and --openssldir=DIR.
-     [Ulf Möller]
+     [Ulf Möller]
  *) Complete rewrite of the error code script(s). It is all now handled
     by one script at the top level which handles error code gathering,
@ -9646,7 +9408,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
     [Steve Henson]
  *) Move the autogenerated header file parts to crypto/opensslconf.h.
-     [Ulf Möller]
+     [Ulf Möller]
  *) Fix new 56-bit DES export ciphersuites: they were using 7 bytes instead of
     8 of keying material. Merlin has also confirmed interop with this fix
@ -9664,13 +9426,13 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
     [Andy Polyakov <appro@fy.chalmers.se>]
  *) Change functions to ANSI C.
-     [Ulf Möller]
+     [Ulf Möller]
  *) Fix typos in error codes.
-     [Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>, Ulf Möller]
+     [Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>, Ulf Möller]
  *) Remove defunct assembler files from Configure.
-     [Ulf Möller]
+     [Ulf Möller]
  *) SPARC v8 assembler BIGNUM implementation.
     [Andy Polyakov <appro@fy.chalmers.se>]
@ -9707,7 +9469,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
     [Steve Henson]
  *) New Configure option "rsaref".
-     [Ulf Möller]
+     [Ulf Möller]
  *) Don't auto-generate pem.h.
     [Bodo Moeller]
@ -9755,7 +9517,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
  *) New functions DSA_do_sign and DSA_do_verify to provide access to
     the raw DSA values prior to ASN.1 encoding.
-     [Ulf Möller]
+     [Ulf Möller]
  *) Tweaks to Configure
     [Niels Poppe <niels@netbox.org>]
@ -9765,11 +9527,11 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
     [Steve Henson]
  *) New variables $(RANLIB) and $(PERL) in the Makefiles.
-     [Ulf Möller]
+     [Ulf Möller]
  *) New config option to avoid instructions that are illegal on the 80386.
     The default code is faster, but requires at least a 486.
-     [Ulf Möller]
+     [Ulf Möller]
  *) Got rid of old SSL2_CLIENT_VERSION (inconsistently used) and
     SSL2_SERVER_VERSION (not used at all) macros, which are now the
@ -10308,7 +10070,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
      Hagino <itojun@kame.net>]
  *) File was opened incorrectly in randfile.c.
-     [Ulf Möller <ulf@fitug.de>]
+     [Ulf Möller <ulf@fitug.de>]
  *) Beginning of support for GeneralizedTime. d2i, i2d, check and print
     functions. Also ASN1_TIME suite which is a CHOICE of UTCTime or
@ -10318,7 +10080,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
     [Steve Henson]
  *) Correct Linux 1 recognition in config.
-     [Ulf Möller <ulf@fitug.de>]
+     [Ulf Möller <ulf@fitug.de>]
  *) Remove pointless MD5 hash when using DSA keys in ca.
     [Anonymous <nobody@replay.com>]
@ -10465,7 +10227,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
  *) Fix the RSA header declarations that hid a bug I fixed in 0.9.0b but
     was already fixed by Eric for 0.9.1 it seems.
-     [Ben Laurie - pointed out by Ulf Möller <ulf@fitug.de>]
+     [Ben Laurie - pointed out by Ulf Möller <ulf@fitug.de>]
  *) Autodetect FreeBSD3.
     [Ben Laurie]
--- a/38
+++ b/38
@ -1,38 +0,0 @@
 HOW TO CONTRIBUTE TO OpenSSL
 ----------------------------
 Development is coordinated on the openssl-dev mailing list (see
 http://www.openssl.org for information on subscribing). If you
 would like to submit a patch, send it to rt@openssl.org with
 the string "[PATCH]" in the subject. Please be sure to include a
 textual explanation of what your patch does.
 You can also make GitHub pull requests. If you do this, please also send
 mail to rt@openssl.org with a brief description and a link to the PR so
 that we can more easily keep track of it.
 If you are unsure as to whether a feature will be useful for the general
 OpenSSL community please discuss it on the openssl-dev mailing list first.
 Someone may be already working on the same thing or there may be a good
 reason as to why that feature isn't implemented.
 Patches should be as up to date as possible, preferably relative to the
 current Git or the last snapshot. They should follow our coding style
 (see https://www.openssl.org/policies/codingstyle.html) and compile without
 warnings using the --strict-warnings flag.  OpenSSL compiles on many varied
 platforms: try to ensure you only use portable features.
 Our preferred format for patch files is "git format-patch" output. For example
 to provide a patch file containing the last commit in your local git repository
 use the following command:
 # git format-patch --stdout HEAD^ >mydiffs.patch
 Another method of creating an acceptable patch file without using git is as
 follows:
 # cd openssl-work
 # [your changes]
 # ./Configure dist; make clean
 # cd ..
 # diff -ur openssl-orig openssl-work > mydiffs.patch
--- a/58
+++ b/58
@ -58,10 +58,6 @@ my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimenta
 #		library and will be loaded in run-time by the OpenSSL library.
 # sctp          include SCTP support
 # 386           generate 80386 code
 # enable-weak-ssl-ciphers
 #		Enable EXPORT and LOW SSLv3 ciphers that are disabled by
 #		default.  Note, weak SSLv2 ciphers are unconditionally
 #		disabled.
 # no-sse2	disables IA-32 SSE2 code, above option implies no-sse2
 # no-<cipher>   build without specified algorithm (rsa, idea, rc5, ...)
 # -<xxx> +<xxx> compiler options are passed through 
@ -109,11 +105,6 @@ my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimenta
 my $gcc_devteam_warn = "-Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED";
 # Warn that "make depend" should be run?
 my $warn_make_depend = 0;
 my $clang_devteam_warn = "-Wno-unused-parameter -Wno-missing-field-initializers -Wno-language-extension-token -Wno-extended-offsetof -Qunused-arguments";
 my $strict_warnings = 0;
 my $x86_gcc_des="DES_PTR DES_RISC1 DES_UNROLL";
@ -206,7 +197,6 @@ my %table=(
 "debug-linux-generic32","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-linux-generic64","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-linux-x86_64","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -m64 -DL_ENDIAN -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 "debug-linux-x86_64-clang","clang: -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -m64 -DL_ENDIAN -g -Wall -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 "dist",		"cc:-O::(unknown)::::::",
 # Basic configs that should work on any (32 and less bit) box
@ -371,7 +361,6 @@ my %table=(
 "linux-ia64-ecc","ecc:-DL_ENDIAN -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-ia64-icc","icc:-DL_ENDIAN -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-x86_64",	"gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 "linux-x86_64-clang","clang: -m64 -DL_ENDIAN -O3 -Wall -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 "linux64-s390x",	"gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 #### So called "highgprs" target for z/Architecture CPUs
 # "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
@ -728,12 +717,10 @@ my %disabled = ( # "what"         => "comment" [or special keyword "experimental
 		 "md2"            => "default",
 		 "rc5"            => "default",
 		 "rfc3779"	  => "default",
-		 "sctp"           => "default",
+		 "sctp"       => "default",
 		 "shared"         => "default",
 		 "ssl2"           => "default",
 		 "store"	  => "experimental",
 		 "unit-test"	  => "default",
 		 "weak-ssl-ciphers" => "default",
 		 "zlib"           => "default",
 		 "zlib-dynamic"   => "default"
 	       );
@ -1455,7 +1442,7 @@ if ($target =~ /\-icc$/)	# Intel C compiler
 # linker only when --prefix is not /usr.
 if ($target =~ /^BSD\-/)
 	{
-	$shared_ldflag.=" -Wl,-rpath,\$\$(LIBRPATH)" if ($prefix !~ m|^/usr[/]*$|);
+	$shared_ldflag.=" -Wl,-rpath,\$(LIBRPATH)" if ($prefix !~ m|^/usr[/]*$|);
 	}
 if ($sys_id ne "")
@ -1587,20 +1574,11 @@ if ($shlib_version_number =~ /(^[0-9]*)\.([0-9\.]*)/)
 if ($strict_warnings)
 	{
 	my $ecc = $cc;
 	$ecc = "clang" if `$cc --version 2>&1` =~ /clang/;
 	my $wopt;
-	die "ERROR --strict-warnings requires gcc or clang" unless ($ecc =~ /gcc$/ or $ecc =~ /clang$/);
+	die "ERROR --strict-warnings requires gcc" unless ($cc =~ /gcc$/);
 	foreach $wopt (split /\s+/, $gcc_devteam_warn)
 		{
-		$cflags .= " $wopt" unless ($cflags =~ /(^|\s)$wopt(\s|$)/)
+		$cflags .= " $wopt" unless ($cflags =~ /$wopt/)
 		}
 	if ($ecc eq "clang")
 		{
 		foreach $wopt (split /\s+/, $clang_devteam_warn)
 			{
 			$cflags .= " $wopt" unless ($cflags =~ /(^|\s)$wopt(\s|$)/)
 			}
 		}
 	}
@ -1962,8 +1940,14 @@ EOF
 	    &dofile("apps/CA.pl",'/usr/local/bin/perl','^#!/', '#!%s');
 	}
 	if ($depflags ne $default_depflags && !$make_depend) {
-            $warn_make_depend++;
+		print <<EOF;
-        }
+
 Since you've disabled or enabled at least one algorithm, you need to do
 the following before building:
 	make depend
 EOF
 	}
 }
 # create the ms/version32.rc file if needed
@ -2042,18 +2026,12 @@ EOF
 print <<\EOF if ($no_shared_warn);
-You gave the option 'shared', which is not supported on this platform, so
+You gave the option 'shared'.  Normally, that would give you shared libraries.
-we will pretend you gave the option 'no-shared'.  If you know how to implement
+Unfortunately, the OpenSSL configuration doesn't include shared library support
-shared libraries, please let us know (but please first make sure you have
+for this platform yet, so it will pretend you gave the option 'no-shared'.  If
-tried with a current version of OpenSSL).
+you can inform the developpers (openssl-dev\@openssl.org) how to support shared
-EOF
+libraries on this platform, they will at least look at it and try their best
-
+(but please first make sure you have tried with a current version of OpenSSL).
 print <<EOF if ($warn_make_depend);
 *** Because of configuration changes, you MUST do the following before
 *** building:
 	make depend
 EOF
 exit(0);
--- a/1041
+++ b/1041
--- a/8
+++ b/8
@ -164,10 +164,10 @@
     standard headers).  If it is a problem with OpenSSL itself, please
     report the problem to <openssl-bugs@openssl.org> (note that your
     message will be recorded in the request tracker publicly readable
-     at https://www.openssl.org/community/index.html#bugs and will be
+     via http://www.openssl.org/support/rt.html and will be forwarded to a
-     forwarded to a public mailing list). Include the output of "make
+     public mailing list). Include the output of "make report" in your message.
-     report" in your message.  Please check out the request tracker. Maybe
+     Please check out the request tracker. Maybe the bug was already
-     the bug was already reported or has already been fixed.
+     reported or has already been fixed.
     [If you encounter assembler error messages, try the "no-asm"
     configuration option as an immediate fix.]
--- a/2
+++ b/2
@ -12,7 +12,7 @@
  ---------------
 /* ====================================================================
- * Copyright (c) 1998-2016 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2011 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
--- a/Makefile.org
+++ b/Makefile.org
@ -179,7 +179,8 @@ SHARED_LDFLAGS=
 GENERAL=        Makefile
 BASENAME=       openssl
 NAME=           $(BASENAME)-$(VERSION)
-TARFILE=        ../$(NAME).tar
+TARFILE=        $(NAME).tar
 WTARFILE=       $(NAME)-win.tar
 EXHEADER=       e_os2.h
 HEADER=         e_os.h
@ -267,7 +268,6 @@ reflect:
 	@[ -n "$(THIS)" ] && $(CLEARENV) && $(MAKE) $(THIS) -e $(BUILDENV)
 sub_all: build_all
 build_all: build_libs build_apps build_tests build_tools
 build_libs: build_libcrypto build_libssl openssl.pc
@ -277,15 +277,15 @@ build_libssl: build_ssl libssl.pc
 build_crypto:
 	@dir=crypto; target=all; $(BUILD_ONE_CMD)
-build_ssl: build_crypto
+build_ssl:
 	@dir=ssl; target=all; $(BUILD_ONE_CMD)
-build_engines: build_crypto
+build_engines:
 	@dir=engines; target=all; $(BUILD_ONE_CMD)
-build_apps: build_libs
+build_apps:
 	@dir=apps; target=all; $(BUILD_ONE_CMD)
-build_tests: build_libs
+build_tests:
 	@dir=test; target=all; $(BUILD_ONE_CMD)
-build_tools: build_libs
+build_tools:
 	@dir=tools; target=all; $(BUILD_ONE_CMD)
 all_testapps: build_libs build_testapps
@ -498,35 +498,35 @@ TABLE: Configure
 # would occur. Therefore the list of files is temporarily stored into a file
 # and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal
 # tar does not support the --files-from option.
-TAR_COMMAND=$(TAR) $(TARFLAGS) --files-from $(TARFILE).list \
+tar:
 	                       --owner 0 --group 0 \
 			       --transform 's|^|$(NAME)/|' \
 			       -cvf -
 $(TARFILE).list:
 	find * \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \
 	       \! -name '*.so' \! -name '*.so.*'  \! -name 'openssl' \
 	       \( \! -name '*test' -o -name bctest -o -name pod2mantest \) \
 	       \! -name '.#*' \! -name '*~' \! -type l \
 	    | sort > $(TARFILE).list
 tar: $(TARFILE).list
 	find . -type d -print | xargs chmod 755
 	find . -type f -print | xargs chmod a+r
 	find . -type f -perm -0100 -print | xargs chmod a+x
-	$(TAR_COMMAND) | gzip --best > $(TARFILE).gz
+	find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | sort > ../$(TARFILE).list; \
-	rm -f $(TARFILE).list
+	$(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list -cvf - | \
-	ls -l $(TARFILE).gz
+	tardy --user_number=0  --user_name=openssl \
 	      --group_number=0 --group_name=openssl \
 	      --prefix=openssl-$(VERSION) - |\
 	gzip --best >../$(TARFILE).gz; \
 	rm -f ../$(TARFILE).list; \
 	ls -l ../$(TARFILE).gz
-tar-snap: $(TARFILE).list
+tar-snap:
-	$(TAR_COMMAND) > $(TARFILE)
+	@$(TAR) $(TARFLAGS) -cvf - \
-	rm -f $(TARFILE).list
+		`find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \! -name '*.so' \! -name '*.so.*'  \! -name 'openssl' \! -name '*test' \! -name '.#*' \! -name '*~' | sort` |\
-	ls -l $(TARFILE)
+	tardy --user_number=0  --user_name=openssl \
 	      --group_number=0 --group_name=openssl \
 	      --prefix=openssl-$(VERSION) - > ../$(TARFILE);\
 	ls -l ../$(TARFILE)
 dist:   
 	$(PERL) Configure dist
 	@$(MAKE) dist_pem_h
 	@$(MAKE) SDIRS='$(SDIRS)' clean
-	@$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar
+	@$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' tar
 dist_pem_h:
 	(cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean)
 install: all install_docs install_sw
--- a/39
+++ b/39
@ -5,45 +5,6 @@
  This file gives a brief overview of the major changes between each OpenSSL
  release. For more details please read the CHANGES file.
  Major changes between OpenSSL 1.0.1s and OpenSSL 1.0.1t [under development]
      o
  Major changes between OpenSSL 1.0.1r and OpenSSL 1.0.1s [1 Mar 2016]
      o Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
      o Disable SSLv2 default build, default negotiation and weak ciphers
        (CVE-2016-0800)
      o Fix a double-free in DSA code (CVE-2016-0705)
      o Disable SRP fake user seed to address a server memory leak
        (CVE-2016-0798)
      o Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
        (CVE-2016-0797)
      o Fix memory issues in BIO_*printf functions (CVE-2016-0799)
      o Fix side channel attack on modular exponentiation (CVE-2016-0702)
  Major changes between OpenSSL 1.0.1q and OpenSSL 1.0.1r [28 Jan 2016]
      o Protection for DH small subgroup attacks
      o SSLv2 doesn't block disabled ciphers (CVE-2015-3197)
  Major changes between OpenSSL 1.0.1p and OpenSSL 1.0.1q [3 Dec 2015]
      o Certificate verify crash with missing PSS parameter (CVE-2015-3194)
      o X509_ATTRIBUTE memory leak (CVE-2015-3195)
      o Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs
      o In DSA_generate_parameters_ex, if the provided seed is too short,
        return an error
  Major changes between OpenSSL 1.0.1o and OpenSSL 1.0.1p [9 Jul 2015]
      o Alternate chains certificate forgery (CVE-2015-1793)
      o Race condition handling PSK identify hint (CVE-2015-3196)
  Major changes between OpenSSL 1.0.1n and OpenSSL 1.0.1o [12 Jun 2015]
      o Fix HMAC ABI incompatibility
  Major changes between OpenSSL 1.0.1m and OpenSSL 1.0.1n [11 Jun 2015]
      o Malformed ECParameters causes infinite loop (CVE-2015-1788)
--- a/205
+++ b/205
@ -1,7 +1,7 @@
- OpenSSL 1.0.1t-dev
+ OpenSSL 1.0.1n 11 Jun 2015
- Copyright (c) 1998-2015 The OpenSSL Project
+ Copyright (c) 1998-2011 The OpenSSL Project
 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
 All rights reserved.
@ -10,17 +10,17 @@
 The OpenSSL Project is a collaborative effort to develop a robust,
 commercial-grade, fully featured, and Open Source toolkit implementing the
- Secure Sockets Layer (SSLv3) and Transport Layer Security (TLS) protocols as
+ Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
- well as a full-strength general purpose cryptograpic library. The project is
+ protocols as well as a full-strength general purpose cryptography library.
- managed by a worldwide community of volunteers that use the Internet to
+ The project is managed by a worldwide community of volunteers that use the
- communicate, plan, and develop the OpenSSL toolkit and its related
+ Internet to communicate, plan, and develop the OpenSSL toolkit and its
- documentation.
+ related documentation.
- OpenSSL is descended from the SSLeay library developed by Eric A. Young
+ OpenSSL is based on the excellent SSLeay library developed from Eric A. Young
 and Tim J. Hudson.  The OpenSSL toolkit is licensed under a dual-license (the
- OpenSSL license plus the SSLeay license), which means that you are free to
+ OpenSSL license plus the SSLeay license) situation, which basically means
- get and use it for commercial and non-commercial purposes as long as you
+ that you are free to get and use it for commercial and non-commercial
- fulfill the conditions of both licenses.
+ purposes as long as you fulfill the conditions of both licenses.
 OVERVIEW
 --------
@ -28,39 +28,116 @@
 The OpenSSL toolkit includes:
 libssl.a:
-     Provides the client and server-side implementations for SSLv3 and TLS.
+     Implementation of SSLv2, SSLv3, TLSv1 and the required code to support
     both SSLv2, SSLv3 and TLSv1 in the one server and client.
 libcrypto.a:
-     Provides general cryptographic and X.509 support needed by SSL/TLS but
+     General encryption and X.509 v1/v3 stuff needed by SSL/TLS but not
-     not logically part of it.
+     actually logically part of it. It includes routines for the following:
     Ciphers
        libdes - EAY's libdes DES encryption package which was floating
                 around the net for a few years, and was then relicensed by
                 him as part of SSLeay.  It includes 15 'modes/variations'
                 of DES (1, 2 and 3 key versions of ecb, cbc, cfb and ofb;
                 pcbc and a more general form of cfb and ofb) including desx
                 in cbc mode, a fast crypt(3), and routines to read
                 passwords from the keyboard.
        RC4 encryption,
        RC2 encryption      - 4 different modes, ecb, cbc, cfb and ofb.
        Blowfish encryption - 4 different modes, ecb, cbc, cfb and ofb.
        IDEA encryption     - 4 different modes, ecb, cbc, cfb and ofb.
     Digests
        MD5 and MD2 message digest algorithms, fast implementations,
        SHA (SHA-0) and SHA-1 message digest algorithms,
        MDC2 message digest. A DES based hash that is popular on smart cards.
     Public Key
        RSA encryption/decryption/generation.
            There is no limit on the number of bits.
        DSA encryption/decryption/generation.
            There is no limit on the number of bits.
        Diffie-Hellman key-exchange/key generation.
            There is no limit on the number of bits.
     X.509v3 certificates
        X509 encoding/decoding into/from binary ASN1 and a PEM
             based ASCII-binary encoding which supports encryption with a
             private key.  Program to generate RSA and DSA certificate
             requests and to generate RSA and DSA certificates.
     Systems
        The normal digital envelope routines and base64 encoding.  Higher
        level access to ciphers and digests by name.  New ciphers can be
        loaded at run time.  The BIO io system which is a simple non-blocking
        IO abstraction.  Current methods supported are file descriptors,
        sockets, socket accept, socket connect, memory buffer, buffering, SSL
        client/server, file pointer, encryption, digest, non-blocking testing
        and null.
     Data structures
        A dynamically growing hashing system
        A simple stack.
        A Configuration loader that uses a format similar to MS .ini files.
 openssl:
     A command line tool that can be used for:
-        Creation of key parameters
+        Creation of RSA, DH and DSA key parameters
        Creation of X.509 certificates, CSRs and CRLs
-        Calculation of message digests
+        Calculation of Message Digests
-        Encryption and decryption
+        Encryption and Decryption with Ciphers
-        SSL/TLS client and server tests
+        SSL/TLS Client and Server Tests
        Handling of S/MIME signed or encrypted mail
-        And more...
+
 PATENTS
 -------
 Various companies hold various patents for various algorithms in various
 locations around the world. _YOU_ are responsible for ensuring that your use
 of any algorithms is legal by checking if there are any patents in your
 country.  The file contains some of the patents that we know about or are
 rumored to exist. This is not a definitive list.
 RSA Security holds software patents on the RC5 algorithm.  If you
 intend to use this cipher, you must contact RSA Security for
 licensing conditions. Their web page is http://www.rsasecurity.com/.
 RC4 is a trademark of RSA Security, so use of this label should perhaps
 only be used with RSA Security's permission.
 The IDEA algorithm is patented by Ascom in Austria, France, Germany, Italy,
 Japan, the Netherlands, Spain, Sweden, Switzerland, UK and the USA.  They
 should be contacted if that algorithm is to be used; their web page is
 http://www.ascom.ch/.
 NTT and Mitsubishi have patents and pending patents on the Camellia
 algorithm, but allow use at no charge without requiring an explicit
 licensing agreement: http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html
 INSTALLATION
 ------------
- See the appropriate file:
+ To install this package under a Unix derivative, read the INSTALL file.  For
-        INSTALL         Linux, Unix, etc.
+ a Win32 platform, read the INSTALL.W32 file.  For OpenVMS systems, read
-        INSTALL.DJGPP   DOS platform with DJGPP
+ INSTALL.VMS.
-        INSTALL.NW      Netware
+
-        INSTALL.OS2     OS/2
+ Read the documentation in the doc/ directory.  It is quite rough, but it
-        INSTALL.VMS     VMS
+ lists the functions; you will probably have to look at the code to work out
-        INSTALL.W32     Windows (32bit)
+ how to use them. Look at the example programs.
-        INSTALL.W64     Windows (64bit)
+
-        INSTALL.WCE     Windows CE
+ PROBLEMS
 --------
 For some platforms, there are some known problems that may affect the user
 or application author.  We try to collect those in doc/PROBLEMS, with current
 thoughts on how they should be solved in a future of OpenSSL.
 SUPPORT
 -------
- See the OpenSSL website www.openssl.org for details on how to obtain
+ See the OpenSSL website www.openssl.org for details of how to obtain
 commercial technical support.
 If you have any problems with OpenSSL then please take the following steps
@ -84,36 +161,58 @@
    - Problem Description (steps that will reproduce the problem, if known)
    - Stack Traceback (if the application dumps core)
- Email the report to:
+ Report the bug to the OpenSSL project via the Request Tracker
 (http://www.openssl.org/support/rt.html) by mail to:
-    rt@openssl.org
+    openssl-bugs@openssl.org
- In order to avoid spam, this is a moderated mailing list, and it might
+ Note that the request tracker should NOT be used for general assistance
- take a day for the ticket to show up.  (We also scan posts to make sure
+ or support queries. Just because something doesn't work the way you expect
- that security disclosures aren't publically posted by mistake.) Mail
+ does not mean it is necessarily a bug in OpenSSL.
 to this address is recorded in the public RT (request tracker) database
 (see https://www.openssl.org/community/index.html#bugs for details) and
 also forwarded the public openssl-dev mailing list.  Confidential mail
 may be sent to openssl-security@openssl.org (PGP key available from the
 key servers).
- Please do NOT use this for general assistance or support queries.
+ Note that mail to openssl-bugs@openssl.org is recorded in the publicly
- Just because something doesn't work the way you expect does not mean it
+ readable request tracker database and is forwarded to a public
- is necessarily a bug in OpenSSL.
+ mailing list. Confidential mail may be sent to openssl-security@openssl.org
-
+ (PGP key available from the key servers).
 You can also make GitHub pull requests. If you do this, please also send
 mail to rt@openssl.org with a link to the PR so that we can more easily
 keep track of it.
 HOW TO CONTRIBUTE TO OpenSSL
 ----------------------------
- See CONTRIBUTING
+ Development is coordinated on the openssl-dev mailing list (see
 http://www.openssl.org for information on subscribing). If you
 would like to submit a patch, send it to openssl-bugs@openssl.org with
 the string "[PATCH]" in the subject. Please be sure to include a
 textual explanation of what your patch does.
- LEGALITIES
+ If you are unsure as to whether a feature will be useful for the general
- ----------
+ OpenSSL community please discuss it on the openssl-dev mailing list first.
 Someone may be already working on the same thing or there may be a good
 reason as to why that feature isn't implemented.
 Patches should be as up to date as possible, preferably relative to the
 current Git or the last snapshot. They should follow the coding style of
 OpenSSL and compile without warnings. Some of the core team developer targets
 can be used for testing purposes, (debug-steve64, debug-geoff etc). OpenSSL
 compiles on many varied platforms: try to ensure you only use portable
 features.
 Note: For legal reasons, contributions from the US can be accepted only
 if a TSU notification and a copy of the patch are sent to crypt@bis.doc.gov
 (formerly BXA) with a copy to the ENC Encryption Request Coordinator;
 please take some time to look at
    http://www.bis.doc.gov/Encryption/PubAvailEncSourceCodeNofify.html [sic]
 and
    http://w3.access.gpo.gov/bis/ear/pdf/740.pdf (EAR Section 740.13(e))
 for the details. If "your encryption source code is too large to serve as
 an email attachment", they are glad to receive it by fax instead; hope you
 have a cheap long-distance plan.
 Our preferred format for changes is "diff -u" output. You might
 generate it like this:
 # cd openssl-work
 # [your changes]
 # ./Configure dist; make clean
 # cd ..
 # diff -ur openssl-orig openssl-work > mydiffs.patch
 A number of nations, in particular the U.S., restrict the use or export
 of cryptography. If you are potentially subject to such restrictions
 you should seek competent professional legal advice before attempting to
 develop or distribute cryptographic code.
--- a/apps/.cvsignore
+++ b/apps/.cvsignore
@ -0,0 +1,8 @@
 openssl
 Makefile.save
 der_chop
 der_chop.bak
 CA.pl
 *.flc
 semantic.cache
 *.dll
--- a/apps/Makefile
+++ b/apps/Makefile
@ -135,7 +135,7 @@ update: openssl-vms.cnf local_depend
 depend: local_depend
 	@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
 local_depend:
-	@[ -z "$(THIS)" ] || $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(SRC)
+	@[ -z "$(THIS)" ] || $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(SRC); \
 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
--- a/apps/apps.c
+++ b/apps/apps.c
@ -119,6 +119,9 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #if !defined(OPENSSL_SYSNAME_WIN32) && !defined(NETWARE_CLIB)
 # include <strings.h>
 #endif
 #include <sys/types.h>
 #include <ctype.h>
 #include <errno.h>
@ -1244,11 +1247,7 @@ int set_name_ex(unsigned long *flags, const char *arg)
        {"ca_default", XN_FLAG_MULTILINE, 0xffffffffL},
        {NULL, 0, 0}
    };
-    if (set_multi_opts(flags, arg, ex_tbl) == 0)
+    return set_multi_opts(flags, arg, ex_tbl);
        return 0;
    if ((*flags & XN_FLAG_SEP_MASK) == 0)
        *flags |= XN_FLAG_SEP_CPLUS_SPC;
    return 1;
 }
 int set_ext_copy(int *copy_type, const char *arg)
--- a/apps/asn1pars.c
+++ b/apps/asn1pars.c
@ -313,9 +313,9 @@ int MAIN(int argc, char **argv)
            }
            typ = ASN1_TYPE_get(at);
            if ((typ == V_ASN1_OBJECT)
                || (typ == V_ASN1_BOOLEAN)
                || (typ == V_ASN1_NULL)) {
-                BIO_printf(bio_err, "Can't parse %s type\n", ASN1_tag2str(typ));
+                BIO_printf(bio_err, "Can't parse %s type\n",
                           typ == V_ASN1_NULL ? "NULL" : "OBJECT");
                ERR_print_errors(bio_err);
                goto end;
            }
--- a/apps/ca.c
+++ b/apps/ca.c
@ -99,19 +99,25 @@
 #undef PROG
 #define PROG ca_main
-#define BASE_SECTION            "ca"
+#define BASE_SECTION    "ca"
-#define CONFIG_FILE             "openssl.cnf"
+#define CONFIG_FILE "openssl.cnf"
 #define ENV_DEFAULT_CA          "default_ca"
-#define STRING_MASK             "string_mask"
+#define STRING_MASK     "string_mask"
 #define UTF8_IN                 "utf8"
 #define ENV_DIR                 "dir"
 #define ENV_CERTS               "certs"
 #define ENV_CRL_DIR             "crl_dir"
 #define ENV_CA_DB               "CA_DB"
 #define ENV_NEW_CERTS_DIR       "new_certs_dir"
 #define ENV_CERTIFICATE         "certificate"
 #define ENV_SERIAL              "serial"
 #define ENV_CRLNUMBER           "crlnumber"
 #define ENV_CRL                 "crl"
 #define ENV_PRIVATE_KEY         "private_key"
 #define ENV_RANDFILE            "RANDFILE"
 #define ENV_DEFAULT_DAYS        "default_days"
 #define ENV_DEFAULT_STARTDATE   "default_startdate"
 #define ENV_DEFAULT_ENDDATE     "default_enddate"
@ -2514,8 +2520,6 @@ static int do_updatedb(CA_DB *db)
    char **rrow, *a_tm_s;
    a_tm = ASN1_UTCTIME_new();
    if (a_tm == NULL)
        return -1;
    /* get actual time and make a string */
    a_tm = X509_gmtime_adj(a_tm, 0);
--- a/apps/ecparam.c
+++ b/apps/ecparam.c
@ -413,13 +413,14 @@ int MAIN(int argc, char **argv)
    }
    if (check) {
        if (group == NULL)
            BIO_printf(bio_err, "no elliptic curve parameters\n");
        BIO_printf(bio_err, "checking elliptic curve parameters: ");
        if (!EC_GROUP_check(group, NULL)) {
            BIO_printf(bio_err, "failed\n");
            ERR_print_errors(bio_err);
-            goto end;
+        } else
-        }
+            BIO_printf(bio_err, "ok\n");
        BIO_printf(bio_err, "ok\n");
    }
--- a/apps/engine.c
+++ b/apps/engine.c
@ -1,4 +1,4 @@
-/* apps/engine.c */
+/* apps/engine.c -*- mode: C; c-file-style: "eay" -*- */
 /*
 * Written by Richard Levitte <richard@levitte.org> for the OpenSSL project
 * 2000.
@ -99,6 +99,8 @@ static void identity(char *ptr)
 static int append_buf(char **buf, const char *s, int *size, int step)
 {
    int l = strlen(s);
    if (*buf == NULL) {
        *size = step;
        *buf = OPENSSL_malloc(*size);
@ -107,6 +109,9 @@ static int append_buf(char **buf, const char *s, int *size, int step)
        **buf = '\0';
    }
    if (**buf != '\0')
        l += 2;                 /* ", " */
    if (strlen(*buf) + strlen(s) >= (unsigned int)*size) {
        *size += step;
        *buf = OPENSSL_realloc(*buf, *size);
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@ -1003,7 +1003,7 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,
    bs = OCSP_BASICRESP_new();
    thisupd = X509_gmtime_adj(NULL, 0);
    if (ndays != -1)
-        nextupd = X509_time_adj_ex(NULL, ndays, nmin * 60, NULL);
+        nextupd = X509_gmtime_adj(NULL, nmin * 60 + ndays * 3600 * 24);
    /* Examine each certificate id in the request */
    for (i = 0; i < id_count; i++) {
@ -1220,8 +1220,8 @@ static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
        return NULL;
    }
-    if (BIO_get_fd(cbio, &fd) < 0) {
+    if (BIO_get_fd(cbio, &fd) <= 0) {
-        BIO_puts(bio_err, "Can't get connection fd\n");
+        BIO_puts(err, "Can't get connection fd\n");
        goto err;
    }
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@ -79,8 +79,7 @@ const EVP_CIPHER *enc;
 # define CLCERTS         0x8
 # define CACERTS         0x10
-static int get_cert_chain(X509 *cert, X509_STORE *store,
+int get_cert_chain(X509 *cert, X509_STORE *store, STACK_OF(X509) **chain);
                          STACK_OF(X509) **chain);
 int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, int passlen,
                        int options, char *pempass);
 int dump_certs_pkeys_bags(BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags,
@ -135,13 +134,6 @@ int MAIN(int argc, char **argv)
    apps_startup();
    enc = EVP_des_ede3_cbc();
    if (bio_err == NULL)
        bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
    if (!load_config(bio_err, NULL))
        goto end;
 # ifdef OPENSSL_FIPS
    if (FIPS_mode())
        cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
@ -149,6 +141,13 @@ int MAIN(int argc, char **argv)
 # endif
        cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
    enc = EVP_des_ede3_cbc();
    if (bio_err == NULL)
        bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
    if (!load_config(bio_err, NULL))
        goto end;
    args = argv + 1;
    while (*args) {
@ -595,7 +594,7 @@ int MAIN(int argc, char **argv)
            vret = get_cert_chain(ucert, store, &chain2);
            X509_STORE_free(store);
-            if (vret == X509_V_OK) {
+            if (!vret) {
                /* Exclude verified certificate */
                for (i = 1; i < sk_X509_num(chain2); i++)
                    sk_X509_push(certs, sk_X509_value(chain2, i));
@ -603,7 +602,7 @@ int MAIN(int argc, char **argv)
                X509_free(sk_X509_value(chain2, 0));
                sk_X509_free(chain2);
            } else {
-                if (vret != X509_V_ERR_UNSPECIFIED)
+                if (vret >= 0)
                    BIO_printf(bio_err, "Error %s getting chain.\n",
                               X509_verify_cert_error_string(vret));
                else
@ -907,25 +906,36 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass,
 /* Given a single certificate return a verified chain or NULL if error */
-static int get_cert_chain(X509 *cert, X509_STORE *store,
+/* Hope this is OK .... */
-                          STACK_OF(X509) **chain)
+
 int get_cert_chain(X509 *cert, X509_STORE *store, STACK_OF(X509) **chain)
 {
    X509_STORE_CTX store_ctx;
-    STACK_OF(X509) *chn = NULL;
+    STACK_OF(X509) *chn;
    int i = 0;
-    if (!X509_STORE_CTX_init(&store_ctx, store, cert, NULL)) {
+    /*
-        *chain = NULL;
+     * FIXME: Should really check the return status of X509_STORE_CTX_init
-        return X509_V_ERR_UNSPECIFIED;
+     * for an error, but how that fits into the return value of this function
-    }
+     * is less obvious.
-
+     */
-    if (X509_verify_cert(&store_ctx) > 0)
+    X509_STORE_CTX_init(&store_ctx, store, cert, NULL);
    if (X509_verify_cert(&store_ctx) <= 0) {
        i = X509_STORE_CTX_get_error(&store_ctx);
        if (i == 0)
            /*
             * avoid returning 0 if X509_verify_cert() did not set an
             * appropriate error value in the context
             */
            i = -1;
        chn = NULL;
        goto err;
    } else
        chn = X509_STORE_CTX_get1_chain(&store_ctx);
-    else if ((i = X509_STORE_CTX_get_error(&store_ctx)) == 0)
+ err:
        i = X509_V_ERR_UNSPECIFIED;
    X509_STORE_CTX_cleanup(&store_ctx);
    *chain = chn;
    return i;
 }
--- a/apps/pkcs7.c
+++ b/apps/pkcs7.c
@ -235,16 +235,12 @@ int MAIN(int argc, char **argv)
        i = OBJ_obj2nid(p7->type);
        switch (i) {
        case NID_pkcs7_signed:
-            if (p7->d.sign != NULL) {
+            certs = p7->d.sign->cert;
-                certs = p7->d.sign->cert;
+            crls = p7->d.sign->crl;
                crls = p7->d.sign->crl;
            }
            break;
        case NID_pkcs7_signedAndEnveloped:
-            if (p7->d.signed_and_enveloped != NULL) {
+            certs = p7->d.signed_and_enveloped->cert;
-                certs = p7->d.signed_and_enveloped->cert;
+            crls = p7->d.signed_and_enveloped->crl;
                crls = p7->d.signed_and_enveloped->crl;
            }
            break;
        default:
            break;
--- a/apps/s_client.c
+++ b/apps/s_client.c
@ -1884,9 +1884,6 @@ int MAIN(int argc, char **argv)
        EVP_PKEY_free(key);
    if (pass)
        OPENSSL_free(pass);
 #ifndef OPENSSL_NO_SRP
    OPENSSL_free(srp_arg.srppassin);
 #endif
    if (vpm)
        X509_VERIFY_PARAM_free(vpm);
    if (cbuf != NULL) {
--- a/apps/s_server.c
+++ b/apps/s_server.c
@ -416,8 +416,6 @@ typedef struct srpsrvparm_st {
 static int MS_CALLBACK ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
 {
    srpsrvparm *p = (srpsrvparm *) arg;
    int ret = SSL3_AL_FATAL;
    if (p->login == NULL && p->user == NULL) {
        p->login = SSL_get_srp_username(s);
        BIO_printf(bio_err, "SRP username = \"%s\"\n", p->login);
@ -426,25 +424,21 @@ static int MS_CALLBACK ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
    if (p->user == NULL) {
        BIO_printf(bio_err, "User %s doesn't exist\n", p->login);
-        goto err;
+        return SSL3_AL_FATAL;
    }
    if (SSL_set_srp_server_param
        (s, p->user->N, p->user->g, p->user->s, p->user->v,
         p->user->info) < 0) {
        *ad = SSL_AD_INTERNAL_ERROR;
-        goto err;
+        return SSL3_AL_FATAL;
    }
    BIO_printf(bio_err,
               "SRP parameters set: username = \"%s\" info=\"%s\" \n",
               p->login, p->user->info);
-    ret = SSL_ERROR_NONE;
+    /* need to check whether there are memory leaks */
 err:
    SRP_user_pwd_free(p->user);
    p->user = NULL;
    p->login = NULL;
-    return ret;
+    return SSL_ERROR_NONE;
 }
 #endif
@ -2250,10 +2244,9 @@ static int sv_body(char *hostname, int s, unsigned char *context)
 #ifndef OPENSSL_NO_SRP
                while (SSL_get_error(con, k) == SSL_ERROR_WANT_X509_LOOKUP) {
                    BIO_printf(bio_s_out, "LOOKUP renego during write\n");
                    SRP_user_pwd_free(srp_callback_parm.user);
                    srp_callback_parm.user =
-                        SRP_VBASE_get1_by_user(srp_callback_parm.vb,
+                        SRP_VBASE_get_by_user(srp_callback_parm.vb,
-                                               srp_callback_parm.login);
+                                              srp_callback_parm.login);
                    if (srp_callback_parm.user)
                        BIO_printf(bio_s_out, "LOOKUP done %s\n",
                                   srp_callback_parm.user->info);
@ -2307,10 +2300,9 @@ static int sv_body(char *hostname, int s, unsigned char *context)
 #ifndef OPENSSL_NO_SRP
                while (SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {
                    BIO_printf(bio_s_out, "LOOKUP renego during read\n");
                    SRP_user_pwd_free(srp_callback_parm.user);
                    srp_callback_parm.user =
-                        SRP_VBASE_get1_by_user(srp_callback_parm.vb,
+                        SRP_VBASE_get_by_user(srp_callback_parm.vb,
-                                               srp_callback_parm.login);
+                                              srp_callback_parm.login);
                    if (srp_callback_parm.user)
                        BIO_printf(bio_s_out, "LOOKUP done %s\n",
                                   srp_callback_parm.user->info);
@ -2395,10 +2387,9 @@ static int init_ssl_connection(SSL *con)
    while (i <= 0 && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {
        BIO_printf(bio_s_out, "LOOKUP during accept %s\n",
                   srp_callback_parm.login);
        SRP_user_pwd_free(srp_callback_parm.user);
        srp_callback_parm.user =
-            SRP_VBASE_get1_by_user(srp_callback_parm.vb,
+            SRP_VBASE_get_by_user(srp_callback_parm.vb,
-                                   srp_callback_parm.login);
+                                  srp_callback_parm.login);
        if (srp_callback_parm.user)
            BIO_printf(bio_s_out, "LOOKUP done %s\n",
                       srp_callback_parm.user->info);
@ -2625,10 +2616,9 @@ static int www_body(char *hostname, int s, unsigned char *context)
                   && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {
                BIO_printf(bio_s_out, "LOOKUP during accept %s\n",
                           srp_callback_parm.login);
                SRP_user_pwd_free(srp_callback_parm.user);
                srp_callback_parm.user =
-                    SRP_VBASE_get1_by_user(srp_callback_parm.vb,
+                    SRP_VBASE_get_by_user(srp_callback_parm.vb,
-                                           srp_callback_parm.login);
+                                          srp_callback_parm.login);
                if (srp_callback_parm.user)
                    BIO_printf(bio_s_out, "LOOKUP done %s\n",
                               srp_callback_parm.user->info);
@ -2664,22 +2654,6 @@ static int www_body(char *hostname, int s, unsigned char *context)
                goto err;
            } else {
                BIO_printf(bio_s_out, "read R BLOCK\n");
 #ifndef OPENSSL_NO_SRP
                if (BIO_should_io_special(io)
                    && BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) {
                    BIO_printf(bio_s_out, "LOOKUP renego during read\n");
                    SRP_user_pwd_free(srp_callback_parm.user);
                    srp_callback_parm.user =
                        SRP_VBASE_get1_by_user(srp_callback_parm.vb,
                                               srp_callback_parm.login);
                    if (srp_callback_parm.user)
                        BIO_printf(bio_s_out, "LOOKUP done %s\n",
                                   srp_callback_parm.user->info);
                    else
                        BIO_printf(bio_s_out, "LOOKUP not successful\n");
                    continue;
                }
 #endif
 #if defined(OPENSSL_SYS_NETWARE)
                delay(1000);
 #elif !defined(OPENSSL_SYS_MSDOS) && !defined(__DJGPP__)
--- a/apps/speed.c
+++ b/apps/speed.c
@ -1,4 +1,4 @@
-/* apps/speed.c */
+/* apps/speed.c -*- mode:C; c-file-style: "eay" -*- */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
--- a/apps/x509.c
+++ b/apps/x509.c
@ -1170,7 +1170,12 @@ static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext,
    if (X509_gmtime_adj(X509_get_notBefore(x), 0) == NULL)
        goto err;
-    if (X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL) == NULL)
+    /* Lets just make it 12:00am GMT, Jan 1 1970 */
    /* memcpy(x->cert_info->validity->notBefore,"700101120000Z",13); */
    /* 28 days to be certified */
    if (X509_gmtime_adj(X509_get_notAfter(x), (long)60 * 60 * 24 * days) ==
        NULL)
        goto err;
    if (!X509_set_pubkey(x, pkey))
--- a/appveyor.yml
+++ b/appveyor.yml
@ -1,60 +0,0 @@
 platform:
    - x86
    - x64
 environment:
    matrix:
        - VSVER: 9
        - VSVER: 10
        - VSVER: 11
        - VSVER: 12
        - VSVER: 14
 configuration:
    - plain
    - shared
 matrix:
    allow_failures:
        - platform: x64
          VSVER: 9
        - platform: x64
          VSVER: 10
        - platform: x64
          VSVER: 11
 before_build:
    - ps: >-
        If ($env:Platform -Match "x86") {
            $env:VCVARS_PLATFORM="x86"
            $env:TARGET="VC-WIN32"
            $env:DO="do_ms"
        } Else {
            $env:VCVARS_PLATFORM="amd64"
            $env:TARGET="VC-WIN64A"
            $env:DO="do_win64a"
        }
    - ps: >-
        If ($env:Configuration -Like "*shared*") {
            $env:MAK="ntdll.mak"
        } Else {
            $env:MAK="nt.mak"
        }
    - ps: $env:VSCOMNTOOLS=(Get-Content ("env:VS" + "$env:VSVER" + "0COMNTOOLS"))
    - call "%VSCOMNTOOLS%\..\..\VC\vcvarsall.bat" %VCVARS_PLATFORM%
    - perl Configure %TARGET% no-asm
    - call ms\%DO%
 build_script:
    - nmake /f ms\%MAK%
 test_script:
    - nmake /f ms\%MAK% test
 notifications:
    - provider: Email
      to:
          - openssl-commits@openssl.org
      on_build_success: false
      on_build_failure: true
      on_build_status_changed: true
--- a/crypto/.cvsignore
+++ b/crypto/.cvsignore
@ -0,0 +1,8 @@
 lib
 buildinf.h
 opensslconf.h
 Makefile.save
 *.flc
 semantic.cache
 *cpuid.s
 uplink-cof.s
--- a/crypto/aes/.cvsignore
+++ b/crypto/aes/.cvsignore
@ -0,0 +1,5 @@
 lib
 Makefile.save
 *.flc
 semantic.cache
 aes-*.s
--- a/crypto/aes/aes.h
+++ b/crypto/aes/aes.h
@ -1,4 +1,4 @@
-/* crypto/aes/aes.h */
+/* crypto/aes/aes.h -*- mode:C; c-file-style: "eay" -*- */
 /* ====================================================================
 * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 *
--- a/crypto/aes/aes_cbc.c
+++ b/crypto/aes/aes_cbc.c
@ -1,4 +1,4 @@
-/* crypto/aes/aes_cbc.c */
+/* crypto/aes/aes_cbc.c -*- mode:C; c-file-style: "eay" -*- */
 /* ====================================================================
 * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 *
--- a/crypto/aes/aes_cfb.c
+++ b/crypto/aes/aes_cfb.c
@ -1,4 +1,4 @@
-/* crypto/aes/aes_cfb.c */
+/* crypto/aes/aes_cfb.c -*- mode:C; c-file-style: "eay" -*- */
 /* ====================================================================
 * Copyright (c) 2002-2006 The OpenSSL Project.  All rights reserved.
 *
--- a/crypto/aes/aes_core.c
+++ b/crypto/aes/aes_core.c
@ -1,4 +1,4 @@
-/* crypto/aes/aes_core.c */
+/* crypto/aes/aes_core.c -*- mode:C; c-file-style: "eay" -*- */
 /**
 * rijndael-alg-fst.c
 *
--- a/crypto/aes/aes_ctr.c
+++ b/crypto/aes/aes_ctr.c
@ -1,4 +1,4 @@
-/* crypto/aes/aes_ctr.c */
+/* crypto/aes/aes_ctr.c -*- mode:C; c-file-style: "eay" -*- */
 /* ====================================================================
 * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 *
--- a/crypto/aes/aes_ecb.c
+++ b/crypto/aes/aes_ecb.c
@ -1,4 +1,4 @@
-/* crypto/aes/aes_ecb.c */
+/* crypto/aes/aes_ecb.c -*- mode:C; c-file-style: "eay" -*- */
 /* ====================================================================
 * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 *
--- a/crypto/aes/aes_ige.c
+++ b/crypto/aes/aes_ige.c
@ -1,4 +1,4 @@
-/* crypto/aes/aes_ige.c */
+/* crypto/aes/aes_ige.c -*- mode:C; c-file-style: "eay" -*- */
 /* ====================================================================
 * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
 *
--- a/crypto/aes/aes_locl.h
+++ b/crypto/aes/aes_locl.h
@ -1,4 +1,4 @@
-/* crypto/aes/aes.h */
+/* crypto/aes/aes.h -*- mode:C; c-file-style: "eay" -*- */
 /* ====================================================================
 * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 *
--- a/crypto/aes/aes_misc.c
+++ b/crypto/aes/aes_misc.c
@ -1,4 +1,4 @@
-/* crypto/aes/aes_misc.c */
+/* crypto/aes/aes_misc.c -*- mode:C; c-file-style: "eay" -*- */
 /* ====================================================================
 * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 *
--- a/crypto/aes/aes_ofb.c
+++ b/crypto/aes/aes_ofb.c
@ -1,4 +1,4 @@
-/* crypto/aes/aes_ofb.c */
+/* crypto/aes/aes_ofb.c -*- mode:C; c-file-style: "eay" -*- */
 /* ====================================================================
 * Copyright (c) 2002-2006 The OpenSSL Project.  All rights reserved.
 *
--- a/crypto/aes/aes_x86core.c
+++ b/crypto/aes/aes_x86core.c
@ -1,4 +1,4 @@
-/* crypto/aes/aes_core.c */
+/* crypto/aes/aes_core.c -*- mode:C; c-file-style: "eay" -*- */
 /**
 * rijndael-alg-fst.c
 *
--- a/crypto/aes/asm/aes-586.pl
+++ b/crypto/aes/asm/aes-586.pl
@ -45,7 +45,7 @@
 # the undertaken effort was that it appeared that in tight IA-32
 # register window little-endian flavor could achieve slightly higher
 # Instruction Level Parallelism, and it indeed resulted in up to 15%
-# better performance on most recent µ-archs...
+# better performance on most recent µ-archs...
 #
 # Third version adds AES_cbc_encrypt implementation, which resulted in
 # up to 40% performance imrovement of CBC benchmark results. 40% was
@ -223,7 +223,7 @@ sub _data_word() { my $i; while(defined($i=shift)) { &data_word($i,$i); } }
 $speed_limit=512;	# chunks smaller than $speed_limit are
 			# processed with compact routine in CBC mode
 $small_footprint=1;	# $small_footprint=1 code is ~5% slower [on
-			# recent µ-archs], but ~5 times smaller!
+			# recent µ-archs], but ~5 times smaller!
 			# I favor compact code to minimize cache
 			# contention and in hope to "collect" 5% back
 			# in real-life applications...
@ -562,7 +562,7 @@ sub enctransform()
 # Performance is not actually extraordinary in comparison to pure
 # x86 code. In particular encrypt performance is virtually the same.
 # Decrypt performance on the other hand is 15-20% better on newer
-# µ-archs [but we're thankful for *any* improvement here], and ~50%
+# µ-archs [but we're thankful for *any* improvement here], and ~50%
 # better on PIII:-) And additionally on the pros side this code
 # eliminates redundant references to stack and thus relieves/
 # minimizes the pressure on the memory bus.
--- a/crypto/aes/asm/aesni-x86.pl
+++ b/crypto/aes/asm/aesni-x86.pl
@ -74,7 +74,7 @@ $inout3="xmm5";	$in1="xmm5";
 $inout4="xmm6";	$in0="xmm6";
 $inout5="xmm7";	$ivec="xmm7";
-# AESNI extension
+# AESNI extenstion
 sub aeskeygenassist
 { my($dst,$src,$imm)=@_;
    if ("$dst:$src" =~ /xmm([0-7]):xmm([0-7])/)
--- a/crypto/asn1/.cvsignore
+++ b/crypto/asn1/.cvsignore
@ -0,0 +1,4 @@
 lib
 Makefile.save
 *.flc
 semantic.cache
--- a/crypto/asn1/a_bytes.c
+++ b/crypto/asn1/a_bytes.c
@ -200,13 +200,13 @@ ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, const unsigned char **pp,
    } else {
        if (len != 0) {
            if ((ret->length < len) || (ret->data == NULL)) {
                if (ret->data != NULL)
                    OPENSSL_free(ret->data);
                s = (unsigned char *)OPENSSL_malloc((int)len + 1);
                if (s == NULL) {
                    i = ERR_R_MALLOC_FAILURE;
                    goto err;
                }
                if (ret->data != NULL)
                    OPENSSL_free(ret->data);
            } else
                s = ret->data;
            memcpy(s, p, (int)len);
--- a/crypto/asn1/a_d2i_fp.c
+++ b/crypto/asn1/a_d2i_fp.c
@ -141,7 +141,6 @@ void *ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void *x)
 #endif
 #define HEADER_SIZE   8
 #define ASN1_CHUNK_INITIAL_SIZE (16 * 1024)
 static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
 {
    BUF_MEM *b;
@ -218,44 +217,29 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
            /* suck in c.slen bytes of data */
            want = c.slen;
            if (want > (len - off)) {
                size_t chunk_max = ASN1_CHUNK_INITIAL_SIZE;
                want -= (len - off);
                if (want > INT_MAX /* BIO_read takes an int length */  ||
                    len + want < len) {
                    ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_TOO_LONG);
                    goto err;
                }
                if (!BUF_MEM_grow_clean(b, len + want)) {
                    ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE);
                    goto err;
                }
                while (want > 0) {
-                    /*
+                    i = BIO_read(in, &(b->data[len]), want);
-                     * Read content in chunks of increasing size
+                    if (i <= 0) {
-                     * so we can return an error for EOF without
+                        ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
-                     * having to allocate the entire content length
+                                ASN1_R_NOT_ENOUGH_DATA);
                     * in one go.
                     */
                    size_t chunk = want > chunk_max ? chunk_max : want;
                    if (!BUF_MEM_grow_clean(b, len + chunk)) {
                        ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE);
                        goto err;
                    }
                    want -= chunk;
                    while (chunk > 0) {
                        i = BIO_read(in, &(b->data[len]), chunk);
                        if (i <= 0) {
                            ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
                                    ASN1_R_NOT_ENOUGH_DATA);
                            goto err;
                        }
                    /*
                     * This can't overflow because |len+want| didn't
                     * overflow.
                     */
-                        len += i;
+                    len += i;
-                        chunk -= i;
+                    want -= i;
                    }
                    if (chunk_max < INT_MAX/2)
                        chunk_max *= 2;
                }
            }
            if (off + c.slen < off) {
--- a/crypto/asn1/asn1_lib.c
+++ b/crypto/asn1/asn1_lib.c
@ -63,7 +63,7 @@
 #include <openssl/asn1_mac.h>
 static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
-                           long max);
+                           int max);
 static void asn1_put_length(unsigned char **pp, int length);
 const char ASN1_version[] = "ASN.1" OPENSSL_VERSION_PTEXT;
@ -131,7 +131,7 @@ int ASN1_get_object(const unsigned char **pp, long *plength, int *ptag,
    }
    *ptag = tag;
    *pclass = xclass;
-    if (!asn1_get_length(&p, &inf, plength, max))
+    if (!asn1_get_length(&p, &inf, plength, (int)max))
        goto err;
    if (inf && !(ret & V_ASN1_CONSTRUCTED))
@ -159,14 +159,14 @@ int ASN1_get_object(const unsigned char **pp, long *plength, int *ptag,
 }
 static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
-                           long max)
+                           int max)
 {
    const unsigned char *p = *pp;
    unsigned long ret = 0;
-    unsigned long i;
+    unsigned int i;
    if (max-- < 1)
-        return 0;
+        return (0);
    if (*p == 0x80) {
        *inf = 1;
        ret = 0;
@ -175,11 +175,15 @@ static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
        *inf = 0;
        i = *p & 0x7f;
        if (*(p++) & 0x80) {
-            if (i > sizeof(ret) || max < (long)i)
+            if (i > sizeof(long))
                return 0;
            if (max-- == 0)
                return (0);
            while (i-- > 0) {
                ret <<= 8L;
                ret |= *(p++);
                if (max-- == 0)
                    return (0);
            }
        } else
            ret = i;
@ -188,7 +192,7 @@ static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
        return 0;
    *pp = p;
    *rl = (long)ret;
-    return 1;
+    return (1);
 }
 /*
--- a/crypto/asn1/asn1_par.c
+++ b/crypto/asn1/asn1_par.c
@ -62,10 +62,6 @@
 #include <openssl/objects.h>
 #include <openssl/asn1.h>
 #ifndef ASN1_PARSE_MAXDEPTH
 #define ASN1_PARSE_MAXDEPTH 128
 #endif
 static int asn1_print_info(BIO *bp, int tag, int xclass, int constructed,
                           int indent);
 static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
@ -132,12 +128,6 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
 #else
    dump_indent = 6;            /* Because we know BIO_dump_indent() */
 #endif
    if (depth > ASN1_PARSE_MAXDEPTH) {
            BIO_puts(bp, "BAD RECURSION DEPTH\n");
            return 0;
    }
    p = *pp;
    tot = p + length;
    op = p - 1;
@ -173,8 +163,6 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
        if (!asn1_print_info(bp, tag, xclass, j, (indent) ? depth : 0))
            goto end;
        if (j & V_ASN1_CONSTRUCTED) {
            const unsigned char *sp;
            ep = p + len;
            if (BIO_write(bp, "\n", 1) <= 0)
                goto end;
@ -184,7 +172,6 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
                goto end;
            }
            if ((j == 0x21) && (len == 0)) {
                sp = p;
                for (;;) {
                    r = asn1_parse2(bp, &p, (long)(tot - p),
                                    offset + (p - *pp), depth + 1,
@ -193,25 +180,19 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
                        ret = 0;
                        goto end;
                    }
-                    if ((r == 2) || (p >= tot)) {
+                    if ((r == 2) || (p >= tot))
                        len = p - sp;
                        break;
                    }
                }
-            } else {
+            } else
                long tmp = len;
                while (p < ep) {
-                    sp = p;
+                    r = asn1_parse2(bp, &p, (long)len,
-                    r = asn1_parse2(bp, &p, tmp, offset + (p - *pp), depth + 1,
+                                    offset + (p - *pp), depth + 1,
                                    indent, dump);
                    if (r == 0) {
                        ret = 0;
                        goto end;
                    }
                    tmp -= p - sp;
                }
            }
        } else if (xclass != 0) {
            p += len;
            if (BIO_write(bp, "\n", 1) <= 0)
--- a/crypto/asn1/d2i_pr.c
+++ b/crypto/asn1/d2i_pr.c
@ -72,7 +72,6 @@ EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp,
                         long length)
 {
    EVP_PKEY *ret;
    const unsigned char *p = *pp;
    if ((a == NULL) || (*a == NULL)) {
        if ((ret = EVP_PKEY_new()) == NULL) {
@ -95,23 +94,21 @@ EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp,
    }
    if (!ret->ameth->old_priv_decode ||
-        !ret->ameth->old_priv_decode(ret, &p, length)) {
+        !ret->ameth->old_priv_decode(ret, pp, length)) {
        if (ret->ameth->priv_decode) {
            PKCS8_PRIV_KEY_INFO *p8 = NULL;
-            p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, length);
+            p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, pp, length);
            if (!p8)
                goto err;
            EVP_PKEY_free(ret);
            ret = EVP_PKCS82PKEY(p8);
            PKCS8_PRIV_KEY_INFO_free(p8);
-            if (ret == NULL)
+
                goto err;
        } else {
            ASN1err(ASN1_F_D2I_PRIVATEKEY, ERR_R_ASN1_LIB);
            goto err;
        }
    }
    *pp = p;
    if (a != NULL)
        (*a) = ret;
    return (ret);
@ -139,7 +136,6 @@ EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **a, const unsigned char **pp,
     * input is surrounded by an ASN1 SEQUENCE.
     */
    inkey = d2i_ASN1_SEQUENCE_ANY(NULL, &p, length);
    p = *pp;
    /*
     * Since we only need to discern "traditional format" RSA and DSA keys we
     * can just count the elements.
@ -150,7 +146,7 @@ EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **a, const unsigned char **pp,
        keytype = EVP_PKEY_EC;
    else if (sk_ASN1_TYPE_num(inkey) == 3) { /* This seems to be PKCS8, not
                                              * traditional format */
-        PKCS8_PRIV_KEY_INFO *p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, length);
+        PKCS8_PRIV_KEY_INFO *p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, pp, length);
        EVP_PKEY *ret;
        sk_ASN1_TYPE_pop_free(inkey, ASN1_TYPE_free);
@ -161,9 +157,6 @@ EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **a, const unsigned char **pp,
        }
        ret = EVP_PKCS82PKEY(p8);
        PKCS8_PRIV_KEY_INFO_free(p8);
        if (ret == NULL)
            return NULL;
        *pp = p;
        if (a) {
            *a = ret;
        }
--- a/crypto/asn1/t_x509.c
+++ b/crypto/asn1/t_x509.c
@ -140,8 +140,7 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags,
            goto err;
        bs = X509_get_serialNumber(x);
-        if (bs->length < (int)sizeof(long)
+        if (bs->length <= (int)sizeof(long)) {
            || (bs->length == sizeof(long) && (bs->data[0] & 0x80) == 0)) {
            l = ASN1_INTEGER_get(bs);
            if (bs->type == V_ASN1_NEG_INTEGER) {
                l = -l;
--- a/crypto/asn1/tasn_dec.c
+++ b/crypto/asn1/tasn_dec.c
@ -180,8 +180,6 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
    int otag;
    int ret = 0;
    ASN1_VALUE **pchptr, *ptmpval;
    int combine = aclass & ASN1_TFLG_COMBINE;
    aclass &= ~ASN1_TFLG_COMBINE;
    if (!pval)
        return 0;
    if (aux && aux->asn1_cb)
@ -352,9 +350,9 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
        }
        asn1_set_choice_selector(pval, i, it);
        *in = p;
        if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL))
            goto auxerr;
        *in = p;
        return 1;
    case ASN1_ITYPE_NDEF_SEQUENCE:
@ -491,9 +489,9 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
        /* Save encoding */
        if (!asn1_enc_save(pval, *in, p - *in, it))
            goto auxerr;
        *in = p;
        if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL))
            goto auxerr;
        *in = p;
        return 1;
    default:
@ -502,8 +500,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
 auxerr:
    ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
 err:
-    if (combine == 0)
+    ASN1_item_ex_free(pval, it);
        ASN1_item_ex_free(pval, it);
    if (errtt)
        ERR_add_error_data(4, "Field=", errtt->field_name,
                           ", Type=", it->sname);
@ -692,7 +689,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
    } else {
        /* Nothing special */
        ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
-                               -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
+                               -1, 0, opt, ctx);
        if (!ret) {
            ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR);
            goto err;
--- a/crypto/asn1/x_bignum.c
+++ b/crypto/asn1/x_bignum.c
@ -141,9 +141,8 @@ static int bn_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
                  int utype, char *free_cont, const ASN1_ITEM *it)
 {
    BIGNUM *bn;
-
+    if (!*pval)
-    if (*pval == NULL && !bn_new(pval, it))
+        bn_new(pval, it);
        return 0;
    bn = (BIGNUM *)*pval;
    if (!BN_bin2bn(cont, len, bn)) {
        bn_free(pval, it);
--- a/crypto/asn1/x_name.c
+++ b/crypto/asn1/x_name.c
@ -66,13 +66,6 @@
 typedef STACK_OF(X509_NAME_ENTRY) STACK_OF_X509_NAME_ENTRY;
 DECLARE_STACK_OF(STACK_OF_X509_NAME_ENTRY)
 /*
 * Maximum length of X509_NAME: much larger than anything we should
 * ever see in practice.
 */
 #define X509_NAME_MAX (1024 * 1024)
 static int x509_name_ex_d2i(ASN1_VALUE **val,
                            const unsigned char **in, long len,
                            const ASN1_ITEM *it,
@ -199,10 +192,6 @@ static int x509_name_ex_d2i(ASN1_VALUE **val,
    int i, j, ret;
    STACK_OF(X509_NAME_ENTRY) *entries;
    X509_NAME_ENTRY *entry;
    if (len > X509_NAME_MAX) {
        ASN1err(ASN1_F_X509_NAME_EX_D2I, ASN1_R_TOO_LONG);
        return 0;
    }
    q = p;
    /* Get internal representation of Name */
--- a/crypto/asn1/x_pubkey.c
+++ b/crypto/asn1/x_pubkey.c
@ -188,16 +188,13 @@ EVP_PKEY *d2i_PUBKEY(EVP_PKEY **a, const unsigned char **pp, long length)
 {
    X509_PUBKEY *xpk;
    EVP_PKEY *pktmp;
-    const unsigned char *q;
+    xpk = d2i_X509_PUBKEY(NULL, pp, length);
    q = *pp;
    xpk = d2i_X509_PUBKEY(NULL, &q, length);
    if (!xpk)
        return NULL;
    pktmp = X509_PUBKEY_get(xpk);
    X509_PUBKEY_free(xpk);
    if (!pktmp)
        return NULL;
    *pp = q;
    if (a) {
        EVP_PKEY_free(*a);
        *a = pktmp;
--- a/crypto/asn1/x_x509.c
+++ b/crypto/asn1/x_x509.c
@ -180,15 +180,16 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length)
    if (!a || *a == NULL) {
        freeret = 1;
    }
-    ret = d2i_X509(a, &q, length);
+    ret = d2i_X509(a, pp, length);
    /* If certificate unreadable then forget it */
    if (!ret)
        return NULL;
    /* update length */
-    length -= q - *pp;
+    length -= *pp - q;
-    if (length > 0 && !d2i_X509_CERT_AUX(&ret->aux, &q, length))
+    if (!length)
        return ret;
    if (!d2i_X509_CERT_AUX(&ret->aux, pp, length))
        goto err;
    *pp = q;
    return ret;
 err:
    if (freeret) {
@ -201,19 +202,9 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length)
 int i2d_X509_AUX(X509 *a, unsigned char **pp)
 {
-    int length, tmplen;
+    int length;
    unsigned char *start = pp != NULL ? *pp : NULL;
    length = i2d_X509(a, pp);
-    if (length < 0 || a == NULL)
+    if (a)
-        return length;
+        length += i2d_X509_CERT_AUX(a->aux, pp);
    tmplen = i2d_X509_CERT_AUX(a->aux, pp);
    if (tmplen < 0) {
        if (start != NULL)
            *pp = start;
        return tmplen;
    }
    length += tmplen;
    return length;
 }
--- a/crypto/bf/.cvsignore
+++ b/crypto/bf/.cvsignore
@ -0,0 +1,5 @@
 lib
 Makefile.save
 *.flc
 semantic.cache
 bf-*.s
--- a/crypto/bf/asm/.cvsignore
+++ b/crypto/bf/asm/.cvsignore
@ -0,0 +1,4 @@
 bx86unix.cpp
 bx86-elf.s
 *.flc
 semantic.cache
--- a/crypto/bio/.cvsignore
+++ b/crypto/bio/.cvsignore
@ -0,0 +1,4 @@
 lib
 Makefile.save
 *.flc
 semantic.cache
--- a/crypto/bio/b_dump.c
+++ b/crypto/bio/b_dump.c
@ -104,6 +104,7 @@ int BIO_dump_indent_cb(int (*cb) (const void *data, size_t len, void *u),
    if ((rows * dump_width) < len)
        rows++;
    for (i = 0; i < rows; i++) {
        buf[0] = '\0';          /* start with empty string */
        BUF_strlcpy(buf, str, sizeof buf);
        BIO_snprintf(tmp, sizeof tmp, "%04x - ", i * dump_width);
        BUF_strlcat(buf, tmp, sizeof buf);
--- a/crypto/bio/b_print.c
+++ b/crypto/bio/b_print.c
@ -125,16 +125,16 @@
 # define LLONG long
 #endif
-static int fmtstr(char **, char **, size_t *, size_t *,
+static void fmtstr(char **, char **, size_t *, size_t *,
-                  const char *, int, int, int);
+                   const char *, int, int, int);
-static int fmtint(char **, char **, size_t *, size_t *,
+static void fmtint(char **, char **, size_t *, size_t *,
-                  LLONG, int, int, int, int);
+                   LLONG, int, int, int, int);
-static int fmtfp(char **, char **, size_t *, size_t *,
+static void fmtfp(char **, char **, size_t *, size_t *,
-                 LDOUBLE, int, int, int);
+                  LDOUBLE, int, int, int);
-static int doapr_outch(char **, char **, size_t *, size_t *, int);
+static void doapr_outch(char **, char **, size_t *, size_t *, int);
-static int _dopr(char **sbuffer, char **buffer,
+static void _dopr(char **sbuffer, char **buffer,
-                 size_t *maxlen, size_t *retlen, int *truncated,
+                  size_t *maxlen, size_t *retlen, int *truncated,
-                 const char *format, va_list args);
+                  const char *format, va_list args);
 /* format read states */
 #define DP_S_DEFAULT    0
@ -165,7 +165,7 @@ static int _dopr(char **sbuffer, char **buffer,
 #define char_to_int(p) (p - '0')
 #define OSSL_MAX(p,q) ((p >= q) ? p : q)
-static int
+static void
 _dopr(char **sbuffer,
      char **buffer,
      size_t *maxlen,
@ -196,8 +196,7 @@ _dopr(char **sbuffer,
            if (ch == '%')
                state = DP_S_FLAGS;
            else
-                if(!doapr_outch(sbuffer, buffer, &currlen, maxlen, ch))
+                doapr_outch(sbuffer, buffer, &currlen, maxlen, ch);
                    return 0;
            ch = *format++;
            break;
        case DP_S_FLAGS:
@ -303,9 +302,8 @@ _dopr(char **sbuffer,
                    value = va_arg(args, int);
                    break;
                }
-                if (!fmtint(sbuffer, buffer, &currlen, maxlen, value, 10, min,
+                fmtint(sbuffer, buffer, &currlen, maxlen,
-                            max, flags))
+                       value, 10, min, max, flags);
                    return 0;
                break;
            case 'X':
                flags |= DP_F_UP;
@ -328,19 +326,17 @@ _dopr(char **sbuffer,
                    value = (LLONG) va_arg(args, unsigned int);
                    break;
                }
-                if (!fmtint(sbuffer, buffer, &currlen, maxlen, value,
+                fmtint(sbuffer, buffer, &currlen, maxlen, value,
-                            ch == 'o' ? 8 : (ch == 'u' ? 10 : 16),
+                       ch == 'o' ? 8 : (ch == 'u' ? 10 : 16),
-                            min, max, flags))
+                       min, max, flags);
                    return 0;
                break;
            case 'f':
                if (cflags == DP_C_LDOUBLE)
                    fvalue = va_arg(args, LDOUBLE);
                else
                    fvalue = va_arg(args, double);
-                if (!fmtfp(sbuffer, buffer, &currlen, maxlen, fvalue, min, max,
+                fmtfp(sbuffer, buffer, &currlen, maxlen,
-                           flags))
+                      fvalue, min, max, flags);
                    return 0;
                break;
            case 'E':
                flags |= DP_F_UP;
@ -359,9 +355,8 @@ _dopr(char **sbuffer,
                    fvalue = va_arg(args, double);
                break;
            case 'c':
-                if(!doapr_outch(sbuffer, buffer, &currlen, maxlen,
+                doapr_outch(sbuffer, buffer, &currlen, maxlen,
-                            va_arg(args, int)))
+                            va_arg(args, int));
                    return 0;
                break;
            case 's':
                strvalue = va_arg(args, char *);
@ -371,15 +366,13 @@ _dopr(char **sbuffer,
                    else
                        max = *maxlen;
                }
-                if (!fmtstr(sbuffer, buffer, &currlen, maxlen, strvalue,
+                fmtstr(sbuffer, buffer, &currlen, maxlen, strvalue,
-                            flags, min, max))
+                       flags, min, max);
                    return 0;
                break;
            case 'p':
                value = (long)va_arg(args, void *);
-                if (!fmtint(sbuffer, buffer, &currlen, maxlen,
+                fmtint(sbuffer, buffer, &currlen, maxlen,
-                            value, 16, min, max, flags | DP_F_NUM))
+                       value, 16, min, max, flags | DP_F_NUM);
                    return 0;
                break;
            case 'n':          /* XXX */
                if (cflags == DP_C_SHORT) {
@ -401,8 +394,7 @@ _dopr(char **sbuffer,
                }
                break;
            case '%':
-                if(!doapr_outch(sbuffer, buffer, &currlen, maxlen, ch))
+                doapr_outch(sbuffer, buffer, &currlen, maxlen, ch);
                    return 0;
                break;
            case 'w':
                /* not supported yet, treat as next char */
@ -426,56 +418,46 @@ _dopr(char **sbuffer,
    *truncated = (currlen > *maxlen - 1);
    if (*truncated)
        currlen = *maxlen - 1;
-    if(!doapr_outch(sbuffer, buffer, &currlen, maxlen, '\0'))
+    doapr_outch(sbuffer, buffer, &currlen, maxlen, '\0');
        return 0;
    *retlen = currlen - 1;
-    return 1;
+    return;
 }
-static int
+static void
 fmtstr(char **sbuffer,
       char **buffer,
       size_t *currlen,
       size_t *maxlen, const char *value, int flags, int min, int max)
 {
-    int padlen;
+    int padlen, strln;
    size_t strln;
    int cnt = 0;
    if (value == 0)
        value = "<NULL>";
-
+    for (strln = 0; value[strln]; ++strln) ;
    strln = strlen(value);
    if (strln > INT_MAX)
        strln = INT_MAX;
    padlen = min - strln;
-    if (min < 0 || padlen < 0)
+    if (padlen < 0)
        padlen = 0;
    if (flags & DP_F_MINUS)
        padlen = -padlen;
    while ((padlen > 0) && (cnt < max)) {
-        if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
+        doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
            return 0;
        --padlen;
        ++cnt;
    }
    while (*value && (cnt < max)) {
-        if(!doapr_outch(sbuffer, buffer, currlen, maxlen, *value++))
+        doapr_outch(sbuffer, buffer, currlen, maxlen, *value++);
            return 0;
        ++cnt;
    }
    while ((padlen < 0) && (cnt < max)) {
-        if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
+        doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
            return 0;
        ++padlen;
        ++cnt;
    }
    return 1;
 }
-static int
+static void
 fmtint(char **sbuffer,
       char **buffer,
       size_t *currlen,
@ -535,44 +517,37 @@ fmtint(char **sbuffer,
    /* spaces */
    while (spadlen > 0) {
-        if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
+        doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
            return 0;
        --spadlen;
    }
    /* sign */
    if (signvalue)
-        if(!doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue))
+        doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue);
            return 0;
    /* prefix */
    while (*prefix) {
-        if(!doapr_outch(sbuffer, buffer, currlen, maxlen, *prefix))
+        doapr_outch(sbuffer, buffer, currlen, maxlen, *prefix);
            return 0;
        prefix++;
    }
    /* zeros */
    if (zpadlen > 0) {
        while (zpadlen > 0) {
-            if(!doapr_outch(sbuffer, buffer, currlen, maxlen, '0'))
+            doapr_outch(sbuffer, buffer, currlen, maxlen, '0');
                return 0;
            --zpadlen;
        }
    }
    /* digits */
-    while (place > 0) {
+    while (place > 0)
-        if (!doapr_outch(sbuffer, buffer, currlen, maxlen, convert[--place]))
+        doapr_outch(sbuffer, buffer, currlen, maxlen, convert[--place]);
            return 0;
    }
    /* left justified spaces */
    while (spadlen < 0) {
-        if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
+        doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
            return 0;
        ++spadlen;
    }
-    return 1;
+    return;
 }
 static LDOUBLE abs_val(LDOUBLE value)
@ -603,7 +578,7 @@ static long roundv(LDOUBLE value)
    return intpart;
 }
-static int
+static void
 fmtfp(char **sbuffer,
      char **buffer,
      size_t *currlen,
@ -682,61 +657,47 @@ fmtfp(char **sbuffer,
    if ((flags & DP_F_ZERO) && (padlen > 0)) {
        if (signvalue) {
-            if (!doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue))
+            doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue);
                return 0;
            --padlen;
            signvalue = 0;
        }
        while (padlen > 0) {
-            if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '0'))
+            doapr_outch(sbuffer, buffer, currlen, maxlen, '0');
                return 0;
            --padlen;
        }
    }
    while (padlen > 0) {
-        if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
+        doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
            return 0;
        --padlen;
    }
-    if (signvalue && !doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue))
+    if (signvalue)
-        return 0;
+        doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue);
-    while (iplace > 0) {
+    while (iplace > 0)
-        if (!doapr_outch(sbuffer, buffer, currlen, maxlen, iconvert[--iplace]))
+        doapr_outch(sbuffer, buffer, currlen, maxlen, iconvert[--iplace]);
            return 0;
    }
    /*
     * Decimal point. This should probably use locale to find the correct
     * char to print out.
     */
    if (max > 0 || (flags & DP_F_NUM)) {
-        if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '.'))
+        doapr_outch(sbuffer, buffer, currlen, maxlen, '.');
            return 0;
-        while (fplace > 0) {
+        while (fplace > 0)
-            if(!doapr_outch(sbuffer, buffer, currlen, maxlen,
+            doapr_outch(sbuffer, buffer, currlen, maxlen, fconvert[--fplace]);
                            fconvert[--fplace]))
                return 0;
        }
    }
    while (zpadlen > 0) {
-        if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '0'))
+        doapr_outch(sbuffer, buffer, currlen, maxlen, '0');
            return 0;
        --zpadlen;
    }
    while (padlen < 0) {
-        if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
+        doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
            return 0;
        ++padlen;
    }
    return 1;
 }
-#define BUFFER_INC  1024
+static void
 static int
 doapr_outch(char **sbuffer,
            char **buffer, size_t *currlen, size_t *maxlen, int c)
 {
@ -747,25 +708,24 @@ doapr_outch(char **sbuffer,
    assert(*currlen <= *maxlen);
    if (buffer && *currlen == *maxlen) {
-        if (*maxlen > INT_MAX - BUFFER_INC)
+        *maxlen += 1024;
            return 0;
        *maxlen += BUFFER_INC;
        if (*buffer == NULL) {
            *buffer = OPENSSL_malloc(*maxlen);
-            if (*buffer == NULL)
+            if (!*buffer) {
-                return 0;
+                /* Panic! Can't really do anything sensible. Just return */
                return;
            }
            if (*currlen > 0) {
                assert(*sbuffer != NULL);
                memcpy(*buffer, *sbuffer, *currlen);
            }
            *sbuffer = NULL;
        } else {
-            char *tmpbuf;
+            *buffer = OPENSSL_realloc(*buffer, *maxlen);
-            tmpbuf = OPENSSL_realloc(*buffer, *maxlen);
+            if (!*buffer) {
-            if (tmpbuf == NULL)
+                /* Panic! Can't really do anything sensible. Just return */
-                return 0;
+                return;
-            *buffer = tmpbuf;
+            }
        }
    }
@ -776,7 +736,7 @@ doapr_outch(char **sbuffer,
            (*buffer)[(*currlen)++] = (char)c;
    }
-    return 1;
+    return;
 }
 /***************************************************************************/
@ -808,11 +768,7 @@ int BIO_vprintf(BIO *bio, const char *format, va_list args)
    dynbuf = NULL;
    CRYPTO_push_info("doapr()");
-    if (!_dopr(&hugebufp, &dynbuf, &hugebufsize, &retlen, &ignored, format,
+    _dopr(&hugebufp, &dynbuf, &hugebufsize, &retlen, &ignored, format, args);
                args)) {
        OPENSSL_free(dynbuf);
        return -1;
    }
    if (dynbuf) {
        ret = BIO_write(bio, dynbuf, (int)retlen);
        OPENSSL_free(dynbuf);
@ -847,8 +803,7 @@ int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args)
    size_t retlen;
    int truncated;
-    if(!_dopr(&buf, NULL, &n, &retlen, &truncated, format, args))
+    _dopr(&buf, NULL, &n, &retlen, &truncated, format, args);
        return -1;
    if (truncated)
        /*
--- a/crypto/bio/bio.h
+++ b/crypto/bio/bio.h
@ -290,7 +290,7 @@ void BIO_clear_flags(BIO *b, int flags);
 * BIO_CB_RETURN flag indicates if it is after the call
 */
 # define BIO_CB_RETURN   0x80
-# define BIO_CB_return(a) ((a)|BIO_CB_RETURN)
+# define BIO_CB_return(a) ((a)|BIO_CB_RETURN))
 # define BIO_cb_pre(a)   (!((a)&BIO_CB_RETURN))
 # define BIO_cb_post(a)  ((a)&BIO_CB_RETURN)
@ -478,11 +478,11 @@ struct bio_dgram_sctp_prinfo {
 # define BIO_get_conn_hostname(b)  BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,0)
 # define BIO_get_conn_port(b)      BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,1)
 # define BIO_get_conn_ip(b)               BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,2)
-# define BIO_get_conn_int_port(b) BIO_ctrl(b,BIO_C_GET_CONNECT,3,NULL)
+# define BIO_get_conn_int_port(b) BIO_int_ctrl(b,BIO_C_GET_CONNECT,3,0)
 # define BIO_set_nbio(b,n)       BIO_ctrl(b,BIO_C_SET_NBIO,(n),NULL)
-/* BIO_s_accept() */
+/* BIO_s_accept_socket() */
 # define BIO_set_accept_port(b,name) BIO_ctrl(b,BIO_C_SET_ACCEPT,0,(char *)name)
 # define BIO_get_accept_port(b)  BIO_ptr_ctrl(b,BIO_C_GET_ACCEPT,0)
 /* #define BIO_set_nbio(b,n)    BIO_ctrl(b,BIO_C_SET_NBIO,(n),NULL) */
@ -495,7 +495,6 @@ struct bio_dgram_sctp_prinfo {
 # define BIO_set_bind_mode(b,mode) BIO_ctrl(b,BIO_C_SET_BIND_MODE,mode,NULL)
 # define BIO_get_bind_mode(b,mode) BIO_ctrl(b,BIO_C_GET_BIND_MODE,0,NULL)
 /* BIO_s_accept() and BIO_s_connect() */
 # define BIO_do_connect(b)       BIO_do_handshake(b)
 # define BIO_do_accept(b)        BIO_do_handshake(b)
 # define BIO_do_handshake(b)     BIO_ctrl(b,BIO_C_DO_STATE_MACHINE,0,NULL)
@ -515,15 +514,12 @@ struct bio_dgram_sctp_prinfo {
 # define BIO_get_url(b,url)      BIO_ctrl(b,BIO_C_GET_PROXY_PARAM,2,(char *)(url))
 # define BIO_get_no_connect_return(b)    BIO_ctrl(b,BIO_C_GET_PROXY_PARAM,5,NULL)
 /* BIO_s_datagram(), BIO_s_fd(), BIO_s_socket(), BIO_s_accept() and BIO_s_connect() */
 # define BIO_set_fd(b,fd,c)      BIO_int_ctrl(b,BIO_C_SET_FD,c,fd)
 # define BIO_get_fd(b,c)         BIO_ctrl(b,BIO_C_GET_FD,0,(char *)c)
 /* BIO_s_file() */
 # define BIO_set_fp(b,fp,c)      BIO_ctrl(b,BIO_C_SET_FILE_PTR,c,(char *)fp)
 # define BIO_get_fp(b,fpp)       BIO_ctrl(b,BIO_C_GET_FILE_PTR,0,(char *)fpp)
 /* BIO_s_fd() and BIO_s_file() */
 # define BIO_seek(b,ofs) (int)BIO_ctrl(b,BIO_C_FILE_SEEK,ofs,NULL)
 # define BIO_tell(b)     (int)BIO_ctrl(b,BIO_C_FILE_TELL,0,NULL)
--- a/crypto/bio/bss_bio.c
+++ b/crypto/bio/bss_bio.c
@ -1,4 +1,4 @@
-/* crypto/bio/bss_bio.c  */
+/* crypto/bio/bss_bio.c  -*- Mode: C; c-file-style: "eay" -*- */
 /* ====================================================================
 * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
 *
--- a/crypto/bio/bss_conn.c
+++ b/crypto/bio/bss_conn.c
@ -419,7 +419,7 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr)
 {
    BIO *dbio;
    int *ip;
-    const char **pptr = NULL;
+    const char **pptr;
    long ret = 1;
    BIO_CONNECT *data;
@ -442,28 +442,19 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr)
    case BIO_C_GET_CONNECT:
        if (ptr != NULL) {
            pptr = (const char **)ptr;
-        }
+            if (num == 0) {
                *pptr = data->param_hostname;
-        if (b->init) {
+            } else if (num == 1) {
-            if (pptr != NULL) {
+                *pptr = data->param_port;
-                ret = 1;
+            } else if (num == 2) {
-                if (num == 0) {
+                *pptr = (char *)&(data->ip[0]);
-                    *pptr = data->param_hostname;
+            } else if (num == 3) {
-                } else if (num == 1) {
+                *((int *)ptr) = data->port;
                    *pptr = data->param_port;
                } else if (num == 2) {
                    *pptr = (char *)&(data->ip[0]);
                } else {
                    ret = 0;
                }
            }
-            if (num == 3) {
+            if ((!b->init) || (ptr == NULL))
                ret = data->port;
            }
        } else {
            if (pptr != NULL)
                *pptr = "not initialized";
-            ret = 0;
+            ret = 1;
        }
        break;
    case BIO_C_SET_CONNECT:
--- a/crypto/bio/bss_dgram.c
+++ b/crypto/bio/bss_dgram.c
@ -515,8 +515,10 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
    switch (cmd) {
    case BIO_CTRL_RESET:
        num = 0;
    case BIO_C_FILE_SEEK:
        ret = 0;
        break;
    case BIO_C_FILE_TELL:
    case BIO_CTRL_INFO:
        ret = 0;
        break;
--- a/crypto/bio/bss_file.c
+++ b/crypto/bio/bss_file.c
@ -115,8 +115,9 @@ static BIO_METHOD methods_filep = {
    NULL,
 };
-static FILE *file_fopen(const char *filename, const char *mode)
+BIO *BIO_new_file(const char *filename, const char *mode)
 {
    BIO *ret;
    FILE *file = NULL;
 #  if defined(_WIN32) && defined(CP_UTF8)
@ -163,14 +164,6 @@ static FILE *file_fopen(const char *filename, const char *mode)
 #  else
    file = fopen(filename, mode);
 #  endif
    return (file);
 }
 BIO *BIO_new_file(const char *filename, const char *mode)
 {
    BIO  *ret;
    FILE *file = file_fopen(filename, mode);
    if (file == NULL) {
        SYSerr(SYS_F_FOPEN, get_last_sys_error());
        ERR_add_error_data(5, "fopen('", filename, "','", mode, "')");
@ -393,7 +386,7 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
        else
            strcat(p, "t");
 #  endif
-        fp = file_fopen(ptr, p);
+        fp = fopen(ptr, p);
        if (fp == NULL) {
            SYSerr(SYS_F_FOPEN, get_last_sys_error());
            ERR_add_error_data(5, "fopen('", ptr, "','", p, "')");
--- a/crypto/bn/.cvsignore
+++ b/crypto/bn/.cvsignore
@ -0,0 +1,7 @@
 lib
 Makefile.save
 *.flc
 semantic.cache
 co-*.s
 bn-*.s
 *-mont.s
--- a/crypto/bn/Makefile
+++ b/crypto/bn/Makefile
@ -243,8 +243,7 @@ bn_exp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bn_exp.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bn_exp.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 bn_exp.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-bn_exp.o: ../../include/openssl/symhacks.h ../constant_time_locl.h
+bn_exp.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_exp.c bn_lcl.h
 bn_exp.o: ../cryptlib.h bn_exp.c bn_lcl.h
 bn_exp2.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_exp2.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_exp2.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
--- a/crypto/bn/asm/.cvsignore
+++ b/crypto/bn/asm/.cvsignore
@ -0,0 +1,6 @@
 bn86unix.cpp
 co86unix.cpp
 bn86-elf.s
 co86-elf.s
 *.flc
 semantic.cache
--- a/crypto/bn/asm/armv4-gf2m.pl
+++ b/crypto/bn/asm/armv4-gf2m.pl
@ -41,13 +41,13 @@ $code=<<___;
 .align	5
 mul_1x1_neon:
 	vshl.u64	`&Dlo("q1")`,d16,#8	@ q1-q3 are slided $a
-	vmull.p8	`&Q("d0")`,d16,d17	@ a·bb
+	vmull.p8	`&Q("d0")`,d16,d17	@ a·bb
 	vshl.u64	`&Dlo("q2")`,d16,#16
-	vmull.p8	q1,`&Dlo("q1")`,d17	@ a<<8·bb
+	vmull.p8	q1,`&Dlo("q1")`,d17	@ a<<8·bb
 	vshl.u64	`&Dlo("q3")`,d16,#24
-	vmull.p8	q2,`&Dlo("q2")`,d17	@ a<<16·bb
+	vmull.p8	q2,`&Dlo("q2")`,d17	@ a<<16·bb
 	vshr.u64	`&Dlo("q1")`,#8
-	vmull.p8	q3,`&Dlo("q3")`,d17	@ a<<24·bb
+	vmull.p8	q3,`&Dlo("q3")`,d17	@ a<<24·bb
 	vshl.u64	`&Dhi("q1")`,#24
 	veor		d0,`&Dlo("q1")`
 	vshr.u64	`&Dlo("q2")`,#16
@ -158,7 +158,7 @@ ___
 ################
 # void	bn_GF2m_mul_2x2(BN_ULONG *r,
 #	BN_ULONG a1,BN_ULONG a0,
-#	BN_ULONG b1,BN_ULONG b0);	# r[3..0]=a1a0·b1b0
+#	BN_ULONG b1,BN_ULONG b0);	# r[3..0]=a1a0·b1b0
 ($A1,$B1,$A0,$B0,$A1B1,$A0B0)=map("d$_",(18..23));
@ -184,20 +184,20 @@ bn_GF2m_mul_2x2:
 	vmov	d16,$A1
 	vmov	d17,$B1
-	bl	mul_1x1_neon		@ a1·b1
+	bl	mul_1x1_neon		@ a1·b1
 	vmov	$A1B1,d0
 	vmov	d16,$A0
 	vmov	d17,$B0
-	bl	mul_1x1_neon		@ a0·b0
+	bl	mul_1x1_neon		@ a0·b0
 	vmov	$A0B0,d0
 	veor	d16,$A0,$A1
 	veor	d17,$B0,$B1
 	veor	$A0,$A0B0,$A1B1
-	bl	mul_1x1_neon		@ (a0+a1)·(b0+b1)
+	bl	mul_1x1_neon		@ (a0+a1)·(b0+b1)
-	veor	d0,$A0			@ (a0+a1)·(b0+b1)-a0·b0-a1·b1
+	veor	d0,$A0			@ (a0+a1)·(b0+b1)-a0·b0-a1·b1
 	vshl.u64 d1,d0,#32
 	vshr.u64 d0,d0,#32
 	veor	$A0B0,d1
@ -220,7 +220,7 @@ $code.=<<___;
 	mov	$mask,#7<<2
 	sub	sp,sp,#32		@ allocate tab[8]
-	bl	mul_1x1_ialu		@ a1·b1
+	bl	mul_1x1_ialu		@ a1·b1
 	str	$lo,[$ret,#8]
 	str	$hi,[$ret,#12]
@ -230,13 +230,13 @@ $code.=<<___;
 	 eor	r2,r2,$a
 	eor	$b,$b,r3
 	 eor	$a,$a,r2
-	bl	mul_1x1_ialu		@ a0·b0
+	bl	mul_1x1_ialu		@ a0·b0
 	str	$lo,[$ret]
 	str	$hi,[$ret,#4]
 	eor	$a,$a,r2
 	eor	$b,$b,r3
-	bl	mul_1x1_ialu		@ (a1+a0)·(b1+b0)
+	bl	mul_1x1_ialu		@ (a1+a0)·(b1+b0)
 ___
@r=map("r$_",(6..9));
 $code.=<<___;
--- a/crypto/bn/asm/ia64.S
+++ b/crypto/bn/asm/ia64.S
@ -422,7 +422,7 @@ bn_mul_add_words:
 // This loop spins in 3*(n+10) ticks on Itanium and in 2*(n+10) on
 // Itanium 2. Yes, unlike previous versions it scales:-) Previous
-// version was performing *all* additions in IALU and was starving
+// version was peforming *all* additions in IALU and was starving
 // for those even on Itanium 2. In this version one addition is
 // moved to FPU and is folded with multiplication. This is at cost
 // of propogating the result from previous call to this subroutine
@ -568,7 +568,7 @@ bn_sqr_comba8:
 // I've estimated this routine to run in ~120 ticks, but in reality
 // (i.e. according to ar.itc) it takes ~160 ticks. Are those extra
 // cycles consumed for instructions fetch? Or did I misinterpret some
-// clause in Itanium µ-architecture manual? Comments are welcomed and
+// clause in Itanium µ-architecture manual? Comments are welcomed and
 // highly appreciated.
 //
 // On Itanium 2 it takes ~190 ticks. This is because of stalls on
--- a/crypto/bn/asm/s390x-gf2m.pl
+++ b/crypto/bn/asm/s390x-gf2m.pl
@ -172,19 +172,19 @@ ___
 if ($SIZE_T==8) {
 my @r=map("%r$_",(6..9));
 $code.=<<___;
-	bras	$ra,_mul_1x1			# a1·b1
+	bras	$ra,_mul_1x1			# a1·b1
 	stmg	$lo,$hi,16($rp)
 	lg	$a,`$stdframe+128+4*$SIZE_T`($sp)
 	lg	$b,`$stdframe+128+6*$SIZE_T`($sp)
-	bras	$ra,_mul_1x1			# a0·b0
+	bras	$ra,_mul_1x1			# a0·b0
 	stmg	$lo,$hi,0($rp)
 	lg	$a,`$stdframe+128+3*$SIZE_T`($sp)
 	lg	$b,`$stdframe+128+5*$SIZE_T`($sp)
 	xg	$a,`$stdframe+128+4*$SIZE_T`($sp)
 	xg	$b,`$stdframe+128+6*$SIZE_T`($sp)
-	bras	$ra,_mul_1x1			# (a0+a1)·(b0+b1)
+	bras	$ra,_mul_1x1			# (a0+a1)·(b0+b1)
 	lmg	@r[0],@r[3],0($rp)
 	xgr	$lo,$hi
--- a/crypto/bn/asm/x86-gf2m.pl
+++ b/crypto/bn/asm/x86-gf2m.pl
@ -14,7 +14,7 @@
 # the time being... Except that it has three code paths: pure integer
 # code suitable for any x86 CPU, MMX code suitable for PIII and later
 # and PCLMULQDQ suitable for Westmere and later. Improvement varies
-# from one benchmark and µ-arch to another. Below are interval values
+# from one benchmark and µ-arch to another. Below are interval values
 # for 163- and 571-bit ECDH benchmarks relative to compiler-generated
 # code:
 #
@ -226,22 +226,22 @@ if ($sse2) {
 	&push	("edi");
 	&mov	($a,&wparam(1));
 	&mov	($b,&wparam(3));
-	&call	("_mul_1x1_mmx");	# a1·b1
+	&call	("_mul_1x1_mmx");	# a1·b1
 	&movq	("mm7",$R);
 	&mov	($a,&wparam(2));
 	&mov	($b,&wparam(4));
-	&call	("_mul_1x1_mmx");	# a0·b0
+	&call	("_mul_1x1_mmx");	# a0·b0
 	&movq	("mm6",$R);
 	&mov	($a,&wparam(1));
 	&mov	($b,&wparam(3));
 	&xor	($a,&wparam(2));
 	&xor	($b,&wparam(4));
-	&call	("_mul_1x1_mmx");	# (a0+a1)·(b0+b1)
+	&call	("_mul_1x1_mmx");	# (a0+a1)·(b0+b1)
 	&pxor	($R,"mm7");
 	&mov	($a,&wparam(0));
-	&pxor	($R,"mm6");		# (a0+a1)·(b0+b1)-a1·b1-a0·b0
+	&pxor	($R,"mm6");		# (a0+a1)·(b0+b1)-a1·b1-a0·b0
 	&movq	($A,$R);
 	&psllq	($R,32);
@ -266,13 +266,13 @@ if ($sse2) {
 	&mov	($a,&wparam(1));
 	&mov	($b,&wparam(3));
-	&call	("_mul_1x1_ialu");	# a1·b1
+	&call	("_mul_1x1_ialu");	# a1·b1
 	&mov	(&DWP(8,"esp"),$lo);
 	&mov	(&DWP(12,"esp"),$hi);
 	&mov	($a,&wparam(2));
 	&mov	($b,&wparam(4));
-	&call	("_mul_1x1_ialu");	# a0·b0
+	&call	("_mul_1x1_ialu");	# a0·b0
 	&mov	(&DWP(0,"esp"),$lo);
 	&mov	(&DWP(4,"esp"),$hi);
@ -280,7 +280,7 @@ if ($sse2) {
 	&mov	($b,&wparam(3));
 	&xor	($a,&wparam(2));
 	&xor	($b,&wparam(4));
-	&call	("_mul_1x1_ialu");	# (a0+a1)·(b0+b1)
+	&call	("_mul_1x1_ialu");	# (a0+a1)·(b0+b1)
 	&mov	("ebp",&wparam(0));
 		 @r=("ebx","ecx","edi","esi");
--- a/crypto/bn/asm/x86-mont.pl
+++ b/crypto/bn/asm/x86-mont.pl
@ -85,21 +85,6 @@ $frame=32;				# size of above frame rounded up to 16n
 	&and	("esp",-64);		# align to cache line
 	# Some OSes, *cough*-dows, insist on stack being "wired" to
 	# physical memory in strictly sequential manner, i.e. if stack
 	# allocation spans two pages, then reference to farmost one can
 	# be punishable by SEGV. But page walking can do good even on
 	# other OSes, because it guarantees that villain thread hits
 	# the guard page before it can make damage to innocent one...
 	&mov	("eax","ebp");
 	&sub	("eax","esp");
 	&and	("eax",-4096);
 &set_label("page_walk");
 	&mov	("edx",&DWP(0,"esp","eax"));
 	&sub	("eax",4096);
 	&data_byte(0x2e);
 	&jnc	(&label("page_walk"));
 	################################# load argument block...
 	&mov	("eax",&DWP(0*4,"esi"));# BN_ULONG *rp
 	&mov	("ebx",&DWP(1*4,"esi"));# const BN_ULONG *ap
--- a/crypto/bn/asm/x86_64-gcc.c
+++ b/crypto/bn/asm/x86_64-gcc.c
@ -66,7 +66,7 @@
 # undef sqr
 /*-
- * "m"(a), "+m"(r)      is the way to favor DirectPath µ-code;
+ * "m"(a), "+m"(r)      is the way to favor DirectPath µ-code;
 * "g"(0)               let the compiler to decide where does it
 *                      want to keep the value of zero;
 */
--- a/crypto/bn/asm/x86_64-gf2m.pl
+++ b/crypto/bn/asm/x86_64-gf2m.pl
@ -13,7 +13,7 @@
 # in bn_gf2m.c. It's kind of low-hanging mechanical port from C for
 # the time being... Except that it has two code paths: code suitable
 # for any x86_64 CPU and PCLMULQDQ one suitable for Westmere and
-# later. Improvement varies from one benchmark and µ-arch to another.
+# later. Improvement varies from one benchmark and µ-arch to another.
 # Vanilla code path is at most 20% faster than compiler-generated code
 # [not very impressive], while PCLMULQDQ - whole 85%-160% better on
 # 163- and 571-bit ECDH benchmarks on Intel CPUs. Keep in mind that
@ -184,13 +184,13 @@ ___
 $code.=<<___;
 	movdqa		%xmm0,%xmm4
 	movdqa		%xmm1,%xmm5
-	pclmulqdq	\$0,%xmm1,%xmm0	# a1·b1
+	pclmulqdq	\$0,%xmm1,%xmm0	# a1·b1
 	pxor		%xmm2,%xmm4
 	pxor		%xmm3,%xmm5
-	pclmulqdq	\$0,%xmm3,%xmm2	# a0·b0
+	pclmulqdq	\$0,%xmm3,%xmm2	# a0·b0
-	pclmulqdq	\$0,%xmm5,%xmm4	# (a0+a1)·(b0+b1)
+	pclmulqdq	\$0,%xmm5,%xmm4	# (a0+a1)·(b0+b1)
 	xorps		%xmm0,%xmm4
-	xorps		%xmm2,%xmm4	# (a0+a1)·(b0+b1)-a0·b0-a1·b1
+	xorps		%xmm2,%xmm4	# (a0+a1)·(b0+b1)-a0·b0-a1·b1
 	movdqa		%xmm4,%xmm5
 	pslldq		\$8,%xmm4
 	psrldq		\$8,%xmm5
@ -225,13 +225,13 @@ $code.=<<___;
 	mov	\$0xf,$mask
 	mov	$a1,$a
 	mov	$b1,$b
-	call	_mul_1x1		# a1·b1
+	call	_mul_1x1		# a1·b1
 	mov	$lo,16(%rsp)
 	mov	$hi,24(%rsp)
 	mov	48(%rsp),$a
 	mov	64(%rsp),$b
-	call	_mul_1x1		# a0·b0
+	call	_mul_1x1		# a0·b0
 	mov	$lo,0(%rsp)
 	mov	$hi,8(%rsp)
@ -239,7 +239,7 @@ $code.=<<___;
 	mov	56(%rsp),$b
 	xor	48(%rsp),$a
 	xor	64(%rsp),$b
-	call	_mul_1x1		# (a0+a1)·(b0+b1)
+	call	_mul_1x1		# (a0+a1)·(b0+b1)
 ___
 	@r=("%rbx","%rcx","%rdi","%rsi");
 $code.=<<___;
--- a/crypto/bn/asm/x86_64-mont.pl
+++ b/crypto/bn/asm/x86_64-mont.pl
@ -91,20 +91,6 @@ bn_mul_mont:
 	mov	%r11,8(%rsp,$num,8)	# tp[num+1]=%rsp
 .Lmul_body:
 	# Some OSes, *cough*-dows, insist on stack being "wired" to
 	# physical memory in strictly sequential manner, i.e. if stack
 	# allocation spans two pages, then reference to farmost one can
 	# be punishable by SEGV. But page walking can do good even on
 	# other OSes, because it guarantees that villain thread hits
 	# the guard page before it can make damage to innocent one...
 	sub	%rsp,%r11
 	and	\$-4096,%r11
 .Lmul_page_walk:
 	mov	(%rsp,%r11),%r10
 	sub	\$4096,%r11
 	.byte	0x66,0x2e		# predict non-taken
 	jnc	.Lmul_page_walk
 	mov	$bp,%r12		# reassign $bp
 ___
 		$bp="%r12";
@ -310,14 +296,6 @@ bn_mul4x_mont:
 	mov	%r11,8(%rsp,$num,8)	# tp[num+1]=%rsp
 .Lmul4x_body:
 	sub	%rsp,%r11
 	and	\$-4096,%r11
 .Lmul4x_page_walk:
 	mov	(%rsp,%r11),%r10
 	sub	\$4096,%r11
 	.byte	0x2e			# predict non-taken
 	jnc	.Lmul4x_page_walk
 	mov	$rp,16(%rsp,$num,8)	# tp[num+2]=$rp
 	mov	%rdx,%r12		# reassign $bp
 ___
@ -729,7 +707,6 @@ $code.=<<___;
 .align	16
 bn_sqr4x_mont:
 .Lsqr4x_enter:
 	mov	%rsp,%rax
 	push	%rbx
 	push	%rbp
 	push	%r12
@ -738,23 +715,12 @@ bn_sqr4x_mont:
 	push	%r15
 	shl	\$3,${num}d		# convert $num to bytes
 	xor	%r10,%r10
 	mov	%rsp,%r11		# put aside %rsp
-	neg	$num			# -$num
+	sub	$num,%r10		# -$num
 	mov	($n0),$n0		# *n0
-	lea	-72(%rsp,$num,2),%rsp	# alloca(frame+2*$num)
+	lea	-72(%rsp,%r10,2),%rsp	# alloca(frame+2*$num)
 	and	\$-1024,%rsp		# minimize TLB usage
 	sub	%rsp,%r11
 	and	\$-4096,%r11
 .Lsqr4x_page_walk:
 	mov	(%rsp,%r11),%r10
 	sub	\$4096,%r11
 	.byte	0x2e			# predict non-taken
 	jnc	.Lsqr4x_page_walk
 	mov	$num,%r10
 	neg	$num			# restore $num
 	lea	-48(%rax),%r11		# restore saved %rsp
 	##############################################################
 	# Stack layout
 	#
--- a/crypto/bn/asm/x86_64-mont5.pl
+++ b/crypto/bn/asm/x86_64-mont5.pl
@ -66,127 +66,60 @@ bn_mul_mont_gather5:
 .align	16
 .Lmul_enter:
 	mov	${num}d,${num}d
-	movd	`($win64?56:8)`(%rsp),%xmm5	# load 7th argument
+	mov	`($win64?56:8)`(%rsp),%r10d	# load 7th argument
 	lea	.Linc(%rip),%r10
 	push	%rbx
 	push	%rbp
 	push	%r12
 	push	%r13
 	push	%r14
 	push	%r15
-
+___
 $code.=<<___ if ($win64);
 	lea	-0x28(%rsp),%rsp
 	movaps	%xmm6,(%rsp)
 	movaps	%xmm7,0x10(%rsp)
 .Lmul_alloca:
 ___
 $code.=<<___;
 	mov	%rsp,%rax
 	lea	2($num),%r11
 	neg	%r11
-	lea	-264(%rsp,%r11,8),%rsp	# tp=alloca(8*(num+2)+256+8)
+	lea	(%rsp,%r11,8),%rsp	# tp=alloca(8*(num+2))
 	and	\$-1024,%rsp		# minimize TLB usage
 	mov	%rax,8(%rsp,$num,8)	# tp[num+1]=%rsp
 .Lmul_body:
-	# Some OSes, *cough*-dows, insist on stack being "wired" to
+	mov	$bp,%r12		# reassign $bp
 	# physical memory in strictly sequential manner, i.e. if stack
 	# allocation spans two pages, then reference to farmost one can
 	# be punishable by SEGV. But page walking can do good even on
 	# other OSes, because it guarantees that villain thread hits
 	# the guard page before it can make damage to innocent one...
 	sub	%rsp,%rax
 	and	\$-4096,%rax
 .Lmul_page_walk:
 	mov	(%rsp,%rax),%r11
 	sub	\$4096,%rax
 	.byte	0x2e			# predict non-taken
 	jnc	.Lmul_page_walk
 	lea	128($bp),%r12		# reassign $bp (+size optimization)
 ___
 		$bp="%r12";
 		$STRIDE=2**5*8;		# 5 is "window size"
 		$N=$STRIDE/4;		# should match cache line size
 $code.=<<___;
-	movdqa	0(%r10),%xmm0		# 00000001000000010000000000000000
+	mov	%r10,%r11
-	movdqa	16(%r10),%xmm1		# 00000002000000020000000200000002
+	shr	\$`log($N/8)/log(2)`,%r10
-	lea	24-112(%rsp,$num,8),%r10# place the mask after tp[num+3] (+ICache optimization)
+	and	\$`$N/8-1`,%r11
-	and	\$-16,%r10
+	not	%r10
 	lea	.Lmagic_masks(%rip),%rax
 	and	\$`2**5/($N/8)-1`,%r10	# 5 is "window size"
 	lea	96($bp,%r11,8),$bp	# pointer within 1st cache line
 	movq	0(%rax,%r10,8),%xmm4	# set of masks denoting which
 	movq	8(%rax,%r10,8),%xmm5	# cache line contains element
 	movq	16(%rax,%r10,8),%xmm6	# denoted by 7th argument
 	movq	24(%rax,%r10,8),%xmm7
-	pshufd	\$0,%xmm5,%xmm5		# broadcast index
+	movq	`0*$STRIDE/4-96`($bp),%xmm0
-	movdqa	%xmm1,%xmm4
+	movq	`1*$STRIDE/4-96`($bp),%xmm1
-	movdqa	%xmm1,%xmm2
+	pand	%xmm4,%xmm0
-___
+	movq	`2*$STRIDE/4-96`($bp),%xmm2
-########################################################################
+	pand	%xmm5,%xmm1
-# calculate mask by comparing 0..31 to index and save result to stack
+	movq	`3*$STRIDE/4-96`($bp),%xmm3
-#
+	pand	%xmm6,%xmm2
 $code.=<<___;
 	paddd	%xmm0,%xmm1
 	pcmpeqd	%xmm5,%xmm0		# compare to 1,0
 	.byte	0x67
 	movdqa	%xmm4,%xmm3
 ___
 for($k=0;$k<$STRIDE/16-4;$k+=4) {
 $code.=<<___;
 	paddd	%xmm1,%xmm2
 	pcmpeqd	%xmm5,%xmm1		# compare to 3,2
 	movdqa	%xmm0,`16*($k+0)+112`(%r10)
 	movdqa	%xmm4,%xmm0
 	paddd	%xmm2,%xmm3
 	pcmpeqd	%xmm5,%xmm2		# compare to 5,4
 	movdqa	%xmm1,`16*($k+1)+112`(%r10)
 	movdqa	%xmm4,%xmm1
 	paddd	%xmm3,%xmm0
 	pcmpeqd	%xmm5,%xmm3		# compare to 7,6
 	movdqa	%xmm2,`16*($k+2)+112`(%r10)
 	movdqa	%xmm4,%xmm2
 	paddd	%xmm0,%xmm1
 	pcmpeqd	%xmm5,%xmm0
 	movdqa	%xmm3,`16*($k+3)+112`(%r10)
 	movdqa	%xmm4,%xmm3
 ___
 }
 $code.=<<___;				# last iteration can be optimized
 	paddd	%xmm1,%xmm2
 	pcmpeqd	%xmm5,%xmm1
 	movdqa	%xmm0,`16*($k+0)+112`(%r10)
 	paddd	%xmm2,%xmm3
 	.byte	0x67
 	pcmpeqd	%xmm5,%xmm2
 	movdqa	%xmm1,`16*($k+1)+112`(%r10)
 	pcmpeqd	%xmm5,%xmm3
 	movdqa	%xmm2,`16*($k+2)+112`(%r10)
 	pand	`16*($k+0)-128`($bp),%xmm0	# while it's still in register
 	pand	`16*($k+1)-128`($bp),%xmm1
 	pand	`16*($k+2)-128`($bp),%xmm2
 	movdqa	%xmm3,`16*($k+3)+112`(%r10)
 	pand	`16*($k+3)-128`($bp),%xmm3
 	por	%xmm2,%xmm0
 	por	%xmm3,%xmm1
 ___
 for($k=0;$k<$STRIDE/16-4;$k+=4) {
 $code.=<<___;
 	movdqa	`16*($k+0)-128`($bp),%xmm4
 	movdqa	`16*($k+1)-128`($bp),%xmm5
 	movdqa	`16*($k+2)-128`($bp),%xmm2
 	pand	`16*($k+0)+112`(%r10),%xmm4
 	movdqa	`16*($k+3)-128`($bp),%xmm3
 	pand	`16*($k+1)+112`(%r10),%xmm5
 	por	%xmm4,%xmm0
 	pand	`16*($k+2)+112`(%r10),%xmm2
 	por	%xmm5,%xmm1
 	pand	`16*($k+3)+112`(%r10),%xmm3
 	por	%xmm2,%xmm0
 	por	%xmm3,%xmm1
 ___
 }
 $code.=<<___;
 	por	%xmm1,%xmm0
 	pshufd	\$0x4e,%xmm0,%xmm1
 	por	%xmm1,%xmm0
 	pand	%xmm7,%xmm3
 	por	%xmm2,%xmm0
 	lea	$STRIDE($bp),$bp
 	por	%xmm3,%xmm0
 	movq	%xmm0,$m0		# m0=bp[0]
 	mov	($n0),$n0		# pull n0[0] value
@ -195,14 +128,29 @@ $code.=<<___;
 	xor	$i,$i			# i=0
 	xor	$j,$j			# j=0
 	movq	`0*$STRIDE/4-96`($bp),%xmm0
 	movq	`1*$STRIDE/4-96`($bp),%xmm1
 	pand	%xmm4,%xmm0
 	movq	`2*$STRIDE/4-96`($bp),%xmm2
 	pand	%xmm5,%xmm1
 	mov	$n0,$m1
 	mulq	$m0			# ap[0]*bp[0]
 	mov	%rax,$lo0
 	mov	($np),%rax
 	movq	`3*$STRIDE/4-96`($bp),%xmm3
 	pand	%xmm6,%xmm2
 	por	%xmm1,%xmm0
 	pand	%xmm7,%xmm3
 	imulq	$lo0,$m1		# "tp[0]"*n0
 	mov	%rdx,$hi0
 	por	%xmm2,%xmm0
 	lea	$STRIDE($bp),$bp
 	por	%xmm3,%xmm0
 	mulq	$m1			# np[0]*m1
 	add	%rax,$lo0		# discarded
 	mov	8($ap),%rax
@ -235,6 +183,8 @@ $code.=<<___;
 	cmp	$num,$j
 	jne	.L1st
 	movq	%xmm0,$m0		# bp[1]
 	add	%rax,$hi1
 	mov	($ap),%rax		# ap[0]
 	adc	\$0,%rdx
@ -254,46 +204,33 @@ $code.=<<___;
 	jmp	.Louter
 .align	16
 .Louter:
 	lea	24+128(%rsp,$num,8),%rdx	# where 256-byte mask is (+size optimization)
 	and	\$-16,%rdx
 	pxor	%xmm4,%xmm4
 	pxor	%xmm5,%xmm5
 ___
 for($k=0;$k<$STRIDE/16;$k+=4) {
 $code.=<<___;
 	movdqa	`16*($k+0)-128`($bp),%xmm0
 	movdqa	`16*($k+1)-128`($bp),%xmm1
 	movdqa	`16*($k+2)-128`($bp),%xmm2
 	movdqa	`16*($k+3)-128`($bp),%xmm3
 	pand	`16*($k+0)-128`(%rdx),%xmm0
 	pand	`16*($k+1)-128`(%rdx),%xmm1
 	por	%xmm0,%xmm4
 	pand	`16*($k+2)-128`(%rdx),%xmm2
 	por	%xmm1,%xmm5
 	pand	`16*($k+3)-128`(%rdx),%xmm3
 	por	%xmm2,%xmm4
 	por	%xmm3,%xmm5
 ___
 }
 $code.=<<___;
 	por	%xmm5,%xmm4
 	pshufd	\$0x4e,%xmm4,%xmm0
 	por	%xmm4,%xmm0
 	lea	$STRIDE($bp),$bp
 	movq	%xmm0,$m0		# m0=bp[i]
 	xor	$j,$j			# j=0
 	mov	$n0,$m1
 	mov	(%rsp),$lo0
 	movq	`0*$STRIDE/4-96`($bp),%xmm0
 	movq	`1*$STRIDE/4-96`($bp),%xmm1
 	pand	%xmm4,%xmm0
 	movq	`2*$STRIDE/4-96`($bp),%xmm2
 	pand	%xmm5,%xmm1
 	mulq	$m0			# ap[0]*bp[i]
 	add	%rax,$lo0		# ap[0]*bp[i]+tp[0]
 	mov	($np),%rax
 	adc	\$0,%rdx
 	movq	`3*$STRIDE/4-96`($bp),%xmm3
 	pand	%xmm6,%xmm2
 	por	%xmm1,%xmm0
 	pand	%xmm7,%xmm3
 	imulq	$lo0,$m1		# tp[0]*n0
 	mov	%rdx,$hi0
 	por	%xmm2,%xmm0
 	lea	$STRIDE($bp),$bp
 	por	%xmm3,%xmm0
 	mulq	$m1			# np[0]*m1
 	add	%rax,$lo0		# discarded
 	mov	8($ap),%rax
@ -329,6 +266,8 @@ $code.=<<___;
 	cmp	$num,$j
 	jne	.Linner
 	movq	%xmm0,$m0		# bp[i+1]
 	add	%rax,$hi1
 	mov	($ap),%rax		# ap[0]
 	adc	\$0,%rdx
@ -382,7 +321,13 @@ $code.=<<___;
 	mov	8(%rsp,$num,8),%rsi	# restore %rsp
 	mov	\$1,%rax
-
+___
 $code.=<<___ if ($win64);
 	movaps	(%rsi),%xmm6
 	movaps	0x10(%rsi),%xmm7
 	lea	0x28(%rsi),%rsi
 ___
 $code.=<<___;
 	mov	(%rsi),%r15
 	mov	8(%rsi),%r14
 	mov	16(%rsi),%r13
@ -403,138 +348,91 @@ $code.=<<___;
 bn_mul4x_mont_gather5:
 .Lmul4x_enter:
 	mov	${num}d,${num}d
-	movd	`($win64?56:8)`(%rsp),%xmm5	# load 7th argument
+	mov	`($win64?56:8)`(%rsp),%r10d	# load 7th argument
 	lea	.Linc(%rip),%r10
 	push	%rbx
 	push	%rbp
 	push	%r12
 	push	%r13
 	push	%r14
 	push	%r15
-
+___
 $code.=<<___ if ($win64);
 	lea	-0x28(%rsp),%rsp
 	movaps	%xmm6,(%rsp)
 	movaps	%xmm7,0x10(%rsp)
 .Lmul4x_alloca:
 ___
 $code.=<<___;
 	mov	%rsp,%rax
 	lea	4($num),%r11
 	neg	%r11
-	lea	-256(%rsp,%r11,8),%rsp	# tp=alloca(8*(num+4)+256)
+	lea	(%rsp,%r11,8),%rsp	# tp=alloca(8*(num+4))
 	and	\$-1024,%rsp		# minimize TLB usage
 	mov	%rax,8(%rsp,$num,8)	# tp[num+1]=%rsp
 .Lmul4x_body:
 	sub	%rsp,%rax
 	and	\$-4096,%rax
 .Lmul4x_page_walk:
 	mov	(%rsp,%rax),%r11
 	sub	\$4096,%rax
 	.byte	0x2e			# predict non-taken
 	jnc	.Lmul4x_page_walk
 	mov	$rp,16(%rsp,$num,8)	# tp[num+2]=$rp
-	lea	128(%rdx),%r12		# reassign $bp (+size optimization)
+	mov	%rdx,%r12		# reassign $bp
 ___
 		$bp="%r12";
 		$STRIDE=2**5*8;		# 5 is "window size"
 		$N=$STRIDE/4;		# should match cache line size
 $code.=<<___;
-	movdqa	0(%r10),%xmm0		# 00000001000000010000000000000000
+	mov	%r10,%r11
-	movdqa	16(%r10),%xmm1		# 00000002000000020000000200000002
+	shr	\$`log($N/8)/log(2)`,%r10
-	lea	32-112(%rsp,$num,8),%r10# place the mask after tp[num+4] (+ICache optimization)
+	and	\$`$N/8-1`,%r11
 	not	%r10
 	lea	.Lmagic_masks(%rip),%rax
 	and	\$`2**5/($N/8)-1`,%r10	# 5 is "window size"
 	lea	96($bp,%r11,8),$bp	# pointer within 1st cache line
 	movq	0(%rax,%r10,8),%xmm4	# set of masks denoting which
 	movq	8(%rax,%r10,8),%xmm5	# cache line contains element
 	movq	16(%rax,%r10,8),%xmm6	# denoted by 7th argument
 	movq	24(%rax,%r10,8),%xmm7
-	pshufd	\$0,%xmm5,%xmm5		# broadcast index
+	movq	`0*$STRIDE/4-96`($bp),%xmm0
-	movdqa	%xmm1,%xmm4
+	movq	`1*$STRIDE/4-96`($bp),%xmm1
-	.byte	0x67,0x67
+	pand	%xmm4,%xmm0
-	movdqa	%xmm1,%xmm2
+	movq	`2*$STRIDE/4-96`($bp),%xmm2
-___
+	pand	%xmm5,%xmm1
-########################################################################
+	movq	`3*$STRIDE/4-96`($bp),%xmm3
-# calculate mask by comparing 0..31 to index and save result to stack
+	pand	%xmm6,%xmm2
 #
 $code.=<<___;
 	paddd	%xmm0,%xmm1
 	pcmpeqd	%xmm5,%xmm0		# compare to 1,0
 	.byte	0x67
 	movdqa	%xmm4,%xmm3
 ___
 for($k=0;$k<$STRIDE/16-4;$k+=4) {
 $code.=<<___;
 	paddd	%xmm1,%xmm2
 	pcmpeqd	%xmm5,%xmm1		# compare to 3,2
 	movdqa	%xmm0,`16*($k+0)+112`(%r10)
 	movdqa	%xmm4,%xmm0
 	paddd	%xmm2,%xmm3
 	pcmpeqd	%xmm5,%xmm2		# compare to 5,4
 	movdqa	%xmm1,`16*($k+1)+112`(%r10)
 	movdqa	%xmm4,%xmm1
 	paddd	%xmm3,%xmm0
 	pcmpeqd	%xmm5,%xmm3		# compare to 7,6
 	movdqa	%xmm2,`16*($k+2)+112`(%r10)
 	movdqa	%xmm4,%xmm2
 	paddd	%xmm0,%xmm1
 	pcmpeqd	%xmm5,%xmm0
 	movdqa	%xmm3,`16*($k+3)+112`(%r10)
 	movdqa	%xmm4,%xmm3
 ___
 }
 $code.=<<___;				# last iteration can be optimized
 	paddd	%xmm1,%xmm2
 	pcmpeqd	%xmm5,%xmm1
 	movdqa	%xmm0,`16*($k+0)+112`(%r10)
 	paddd	%xmm2,%xmm3
 	.byte	0x67
 	pcmpeqd	%xmm5,%xmm2
 	movdqa	%xmm1,`16*($k+1)+112`(%r10)
 	pcmpeqd	%xmm5,%xmm3
 	movdqa	%xmm2,`16*($k+2)+112`(%r10)
 	pand	`16*($k+0)-128`($bp),%xmm0	# while it's still in register
 	pand	`16*($k+1)-128`($bp),%xmm1
 	pand	`16*($k+2)-128`($bp),%xmm2
 	movdqa	%xmm3,`16*($k+3)+112`(%r10)
 	pand	`16*($k+3)-128`($bp),%xmm3
 	por	%xmm2,%xmm0
 	por	%xmm3,%xmm1
 ___
 for($k=0;$k<$STRIDE/16-4;$k+=4) {
 $code.=<<___;
 	movdqa	`16*($k+0)-128`($bp),%xmm4
 	movdqa	`16*($k+1)-128`($bp),%xmm5
 	movdqa	`16*($k+2)-128`($bp),%xmm2
 	pand	`16*($k+0)+112`(%r10),%xmm4
 	movdqa	`16*($k+3)-128`($bp),%xmm3
 	pand	`16*($k+1)+112`(%r10),%xmm5
 	por	%xmm4,%xmm0
 	pand	`16*($k+2)+112`(%r10),%xmm2
 	por	%xmm5,%xmm1
 	pand	`16*($k+3)+112`(%r10),%xmm3
 	por	%xmm2,%xmm0
 	por	%xmm3,%xmm1
 ___
 }
 $code.=<<___;
 	por	%xmm1,%xmm0
 	pshufd	\$0x4e,%xmm0,%xmm1
 	por	%xmm1,%xmm0
 	pand	%xmm7,%xmm3
 	por	%xmm2,%xmm0
 	lea	$STRIDE($bp),$bp
-	movq	%xmm0,$m0		# m0=bp[0]
+	por	%xmm3,%xmm0
 	movq	%xmm0,$m0		# m0=bp[0]
 	mov	($n0),$n0		# pull n0[0] value
 	mov	($ap),%rax
 	xor	$i,$i			# i=0
 	xor	$j,$j			# j=0
 	movq	`0*$STRIDE/4-96`($bp),%xmm0
 	movq	`1*$STRIDE/4-96`($bp),%xmm1
 	pand	%xmm4,%xmm0
 	movq	`2*$STRIDE/4-96`($bp),%xmm2
 	pand	%xmm5,%xmm1
 	mov	$n0,$m1
 	mulq	$m0			# ap[0]*bp[0]
 	mov	%rax,$A[0]
 	mov	($np),%rax
 	movq	`3*$STRIDE/4-96`($bp),%xmm3
 	pand	%xmm6,%xmm2
 	por	%xmm1,%xmm0
 	pand	%xmm7,%xmm3
 	imulq	$A[0],$m1		# "tp[0]"*n0
 	mov	%rdx,$A[1]
 	por	%xmm2,%xmm0
 	lea	$STRIDE($bp),$bp
 	por	%xmm3,%xmm0
 	mulq	$m1			# np[0]*m1
 	add	%rax,$A[0]		# discarded
 	mov	8($ap),%rax
@ -652,6 +550,8 @@ $code.=<<___;
 	mov	$N[1],-16(%rsp,$j,8)	# tp[j-1]
 	mov	%rdx,$N[0]
 	movq	%xmm0,$m0		# bp[1]
 	xor	$N[1],$N[1]
 	add	$A[0],$N[0]
 	adc	\$0,$N[1]
@ -661,34 +561,12 @@ $code.=<<___;
 	lea	1($i),$i		# i++
 .align	4
 .Louter4x:
 	lea	32+128(%rsp,$num,8),%rdx	# where 256-byte mask is (+size optimization)
 	pxor	%xmm4,%xmm4
 	pxor	%xmm5,%xmm5
 ___
 for($k=0;$k<$STRIDE/16;$k+=4) {
 $code.=<<___;
 	movdqa	`16*($k+0)-128`($bp),%xmm0
 	movdqa	`16*($k+1)-128`($bp),%xmm1
 	movdqa	`16*($k+2)-128`($bp),%xmm2
 	movdqa	`16*($k+3)-128`($bp),%xmm3
 	pand	`16*($k+0)-128`(%rdx),%xmm0
 	pand	`16*($k+1)-128`(%rdx),%xmm1
 	por	%xmm0,%xmm4
 	pand	`16*($k+2)-128`(%rdx),%xmm2
 	por	%xmm1,%xmm5
 	pand	`16*($k+3)-128`(%rdx),%xmm3
 	por	%xmm2,%xmm4
 	por	%xmm3,%xmm5
 ___
 }
 $code.=<<___;
 	por	%xmm5,%xmm4
 	pshufd	\$0x4e,%xmm4,%xmm0
 	por	%xmm4,%xmm0
 	lea	$STRIDE($bp),$bp
 	movq	%xmm0,$m0		# m0=bp[i]
 	xor	$j,$j			# j=0
 	movq	`0*$STRIDE/4-96`($bp),%xmm0
 	movq	`1*$STRIDE/4-96`($bp),%xmm1
 	pand	%xmm4,%xmm0
 	movq	`2*$STRIDE/4-96`($bp),%xmm2
 	pand	%xmm5,%xmm1
 	mov	(%rsp),$A[0]
 	mov	$n0,$m1
@ -697,9 +575,18 @@ $code.=<<___;
 	mov	($np),%rax
 	adc	\$0,%rdx
 	movq	`3*$STRIDE/4-96`($bp),%xmm3
 	pand	%xmm6,%xmm2
 	por	%xmm1,%xmm0
 	pand	%xmm7,%xmm3
 	imulq	$A[0],$m1		# tp[0]*n0
 	mov	%rdx,$A[1]
 	por	%xmm2,%xmm0
 	lea	$STRIDE($bp),$bp
 	por	%xmm3,%xmm0
 	mulq	$m1			# np[0]*m1
 	add	%rax,$A[0]		# "$N[0]", discarded
 	mov	8($ap),%rax
@ -831,6 +718,7 @@ $code.=<<___;
 	mov	$N[0],-24(%rsp,$j,8)	# tp[j-1]
 	mov	%rdx,$N[0]
 	movq	%xmm0,$m0		# bp[i+1]
 	mov	$N[1],-16(%rsp,$j,8)	# tp[j-1]
 	xor	$N[1],$N[1]
@ -921,7 +809,13 @@ ___
 $code.=<<___;
 	mov	8(%rsp,$num,8),%rsi	# restore %rsp
 	mov	\$1,%rax
-
+___
 $code.=<<___ if ($win64);
 	movaps	(%rsi),%xmm6
 	movaps	0x10(%rsi),%xmm7
 	lea	0x28(%rsi),%rsi
 ___
 $code.=<<___;
 	mov	(%rsi),%r15
 	mov	8(%rsi),%r14
 	mov	16(%rsi),%r13
@ -936,8 +830,8 @@ ___
 }}}
 {
-my ($inp,$num,$tbl,$idx)=$win64?("%rcx","%rdx","%r8", "%r9d") : # Win64 order
+my ($inp,$num,$tbl,$idx)=$win64?("%rcx","%rdx","%r8", "%r9") : # Win64 order
-				("%rdi","%rsi","%rdx","%ecx"); # Unix order
+				("%rdi","%rsi","%rdx","%rcx"); # Unix order
 my $out=$inp;
 my $STRIDE=2**5*8;
 my $N=$STRIDE/4;
@ -965,89 +859,53 @@ bn_scatter5:
 .type	bn_gather5,\@abi-omnipotent
 .align	16
 bn_gather5:
-.LSEH_begin_bn_gather5:			# Win64 thing, but harmless in other cases
+___
 $code.=<<___ if ($win64);
 .LSEH_begin_bn_gather5:
 	# I can't trust assembler to use specific encoding:-(
-	.byte	0x4c,0x8d,0x14,0x24			# lea    (%rsp),%r10
+	.byte	0x48,0x83,0xec,0x28		#sub	\$0x28,%rsp
-	.byte	0x48,0x81,0xec,0x08,0x01,0x00,0x00	# sub	$0x108,%rsp
+	.byte	0x0f,0x29,0x34,0x24		#movaps	%xmm6,(%rsp)
-	lea	.Linc(%rip),%rax
+	.byte	0x0f,0x29,0x7c,0x24,0x10	#movdqa	%xmm7,0x10(%rsp)
 	and	\$-16,%rsp		# shouldn't be formally required
 	movd	$idx,%xmm5
 	movdqa	0(%rax),%xmm0		# 00000001000000010000000000000000
 	movdqa	16(%rax),%xmm1		# 00000002000000020000000200000002
 	lea	128($tbl),%r11		# size optimization
 	lea	128(%rsp),%rax		# size optimization
 	pshufd	\$0,%xmm5,%xmm5		# broadcast $idx
 	movdqa	%xmm1,%xmm4
 	movdqa	%xmm1,%xmm2
 ___
 ########################################################################
 # calculate mask by comparing 0..31 to $idx and save result to stack
 #
 for($i=0;$i<$STRIDE/16;$i+=4) {
 $code.=<<___;
 	paddd	%xmm0,%xmm1
 	pcmpeqd	%xmm5,%xmm0		# compare to 1,0
 ___
 $code.=<<___	if ($i);
 	movdqa	%xmm3,`16*($i-1)-128`(%rax)
 ___
 $code.=<<___;
-	movdqa	%xmm4,%xmm3
+	mov	$idx,%r11
-
+	shr	\$`log($N/8)/log(2)`,$idx
-	paddd	%xmm1,%xmm2
+	and	\$`$N/8-1`,%r11
-	pcmpeqd	%xmm5,%xmm1		# compare to 3,2
+	not	$idx
-	movdqa	%xmm0,`16*($i+0)-128`(%rax)
+	lea	.Lmagic_masks(%rip),%rax
-	movdqa	%xmm4,%xmm0
+	and	\$`2**5/($N/8)-1`,$idx	# 5 is "window size"
-
+	lea	96($tbl,%r11,8),$tbl	# pointer within 1st cache line
-	paddd	%xmm2,%xmm3
+	movq	0(%rax,$idx,8),%xmm4	# set of masks denoting which
-	pcmpeqd	%xmm5,%xmm2		# compare to 5,4
+	movq	8(%rax,$idx,8),%xmm5	# cache line contains element
-	movdqa	%xmm1,`16*($i+1)-128`(%rax)
+	movq	16(%rax,$idx,8),%xmm6	# denoted by 7th argument
-	movdqa	%xmm4,%xmm1
+	movq	24(%rax,$idx,8),%xmm7
 	paddd	%xmm3,%xmm0
 	pcmpeqd	%xmm5,%xmm3		# compare to 7,6
 	movdqa	%xmm2,`16*($i+2)-128`(%rax)
 	movdqa	%xmm4,%xmm2
 ___
 }
 $code.=<<___;
 	movdqa	%xmm3,`16*($i-1)-128`(%rax)
 	jmp	.Lgather
-
+.align	16
 .align	32
 .Lgather:
-	pxor	%xmm4,%xmm4
+	movq	`0*$STRIDE/4-96`($tbl),%xmm0
-	pxor	%xmm5,%xmm5
+	movq	`1*$STRIDE/4-96`($tbl),%xmm1
-___
+	pand	%xmm4,%xmm0
-for($i=0;$i<$STRIDE/16;$i+=4) {
+	movq	`2*$STRIDE/4-96`($tbl),%xmm2
-$code.=<<___;
+	pand	%xmm5,%xmm1
-	movdqa	`16*($i+0)-128`(%r11),%xmm0
+	movq	`3*$STRIDE/4-96`($tbl),%xmm3
-	movdqa	`16*($i+1)-128`(%r11),%xmm1
+	pand	%xmm6,%xmm2
-	movdqa	`16*($i+2)-128`(%r11),%xmm2
+	por	%xmm1,%xmm0
-	pand	`16*($i+0)-128`(%rax),%xmm0
+	pand	%xmm7,%xmm3
-	movdqa	`16*($i+3)-128`(%r11),%xmm3
+	por	%xmm2,%xmm0
-	pand	`16*($i+1)-128`(%rax),%xmm1
+	lea	$STRIDE($tbl),$tbl
-	por	%xmm0,%xmm4
+	por	%xmm3,%xmm0
-	pand	`16*($i+2)-128`(%rax),%xmm2
+
 	por	%xmm1,%xmm5
 	pand	`16*($i+3)-128`(%rax),%xmm3
 	por	%xmm2,%xmm4
 	por	%xmm3,%xmm5
 ___
 }
 $code.=<<___;
 	por	%xmm5,%xmm4
 	lea	$STRIDE(%r11),%r11
 	pshufd	\$0x4e,%xmm4,%xmm0
 	por	%xmm4,%xmm0
 	movq	%xmm0,($out)		# m0=bp[0]
 	lea	8($out),$out
 	sub	\$1,$num
 	jnz	.Lgather
-
+___
-	lea	(%r10),%rsp
+$code.=<<___ if ($win64);
 	movaps	(%rsp),%xmm6
 	movaps	0x10(%rsp),%xmm7
 	lea	0x28(%rsp),%rsp
 ___
 $code.=<<___;
 	ret
 .LSEH_end_bn_gather5:
 .size	bn_gather5,.-bn_gather5
@ -1055,9 +913,9 @@ ___
 }
 $code.=<<___;
 .align	64
-.Linc:
+.Lmagic_masks:
-	.long	0,0, 1,1
+	.long	0,0, 0,0, 0,0, -1,-1
-	.long	2,2, 2,2
+	.long	0,0, 0,0, 0,0,  0,0
 .asciz	"Montgomery Multiplication with scatter/gather for x86_64, CRYPTOGAMS by <appro\@openssl.org>"
 ___
@ -1096,7 +954,7 @@ mul_handler:
 	cmp	%r10,%rbx		# context->Rip<end of prologue label
 	jb	.Lcommon_seh_tail
-	lea	48(%rax),%rax
+	lea	`40+48`(%rax),%rax
 	mov	4(%r11),%r10d		# HandlerData[1]
 	lea	(%rsi,%r10),%r10	# end of alloca label
@ -1113,7 +971,9 @@ mul_handler:
 	mov	192($context),%r10	# pull $num
 	mov	8(%rax,%r10,8),%rax	# pull saved stack pointer
-	lea	48(%rax),%rax
+	movaps	(%rax),%xmm0
 	movaps	16(%rax),%xmm1
 	lea	`40+48`(%rax),%rax
 	mov	-8(%rax),%rbx
 	mov	-16(%rax),%rbp
@ -1127,6 +987,8 @@ mul_handler:
 	mov	%r13,224($context)	# restore context->R13
 	mov	%r14,232($context)	# restore context->R14
 	mov	%r15,240($context)	# restore context->R15
 	movups	%xmm0,512($context)	# restore context->Xmm6
 	movups	%xmm1,528($context)	# restore context->Xmm7
 .Lcommon_seh_tail:
 	mov	8(%rax),%rdi
@ -1195,9 +1057,10 @@ mul_handler:
 	.rva	.Lmul4x_alloca,.Lmul4x_body,.Lmul4x_epilogue	# HandlerData[]
 .align	8
 .LSEH_info_bn_gather5:
-	.byte	0x01,0x0b,0x03,0x0a
+        .byte   0x01,0x0d,0x05,0x00
-	.byte	0x0b,0x01,0x21,0x00	# sub	rsp,0x108
+        .byte   0x0d,0x78,0x01,0x00	#movaps	0x10(rsp),xmm7
-	.byte	0x04,0xa3,0x00,0x00	# lea	r10,(rsp), set_frame r10
+        .byte   0x08,0x68,0x00,0x00	#movaps	(rsp),xmm6
        .byte   0x04,0x42,0x00,0x00	#sub	rsp,0x28
 .align	8
 ___
 }
--- a/crypto/bn/bn.h
+++ b/crypto/bn/bn.h
@ -125,7 +125,6 @@
 #ifndef HEADER_BN_H
 # define HEADER_BN_H
 # include <limits.h>
 # include <openssl/e_os2.h>
 # ifndef OPENSSL_NO_FP_API
 #  include <stdio.h>            /* FILE */
@ -740,17 +739,8 @@ const BIGNUM *BN_get0_nist_prime_521(void);
 /* library internal functions */
-# define bn_expand(a,bits) \
+# define bn_expand(a,bits) ((((((bits+BN_BITS2-1))/BN_BITS2)) <= (a)->dmax)?\
-    ( \
+        (a):bn_expand2((a),(bits+BN_BITS2-1)/BN_BITS2))
        bits > (INT_MAX - BN_BITS2 + 1) ? \
            NULL \
        : \
            (((bits+BN_BITS2-1)/BN_BITS2) <= (a)->dmax) ? \
                (a) \
            : \
                bn_expand2((a),(bits+BN_BITS2-1)/BN_BITS2) \
    )
 # define bn_wexpand(a,words) (((words) <= (a)->dmax)?(a):bn_expand2((a),(words)))
 BIGNUM *bn_expand2(BIGNUM *a, int words);
 # ifndef OPENSSL_NO_DEPRECATED
--- a/crypto/bn/bn_exp.c
+++ b/crypto/bn/bn_exp.c
@ -110,7 +110,6 @@
 */
 #include "cryptlib.h"
 #include "constant_time_locl.h"
 #include "bn_lcl.h"
 #include <stdlib.h>
@ -272,14 +271,9 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
    }
    bits = BN_num_bits(p);
    if (bits == 0) {
-        /* x**0 mod 1 is still zero. */
+        ret = BN_one(r);
        if (BN_is_one(m)) {
            ret = 1;
            BN_zero(r);
        } else {
            ret = BN_one(r);
        }
        return ret;
    }
@ -413,13 +407,7 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
    }
    bits = BN_num_bits(p);
    if (bits == 0) {
-        /* x**0 mod 1 is still zero. */
+        ret = BN_one(rr);
        if (BN_is_one(m)) {
            ret = 1;
            BN_zero(rr);
        } else {
            ret = BN_one(rr);
        }
        return ret;
    }
@ -547,17 +535,15 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
 static int MOD_EXP_CTIME_COPY_TO_PREBUF(const BIGNUM *b, int top,
                                        unsigned char *buf, int idx,
-                                        int window)
+                                        int width)
 {
-    int i, j;
+    size_t i, j;
    int width = 1 << window;
    BN_ULONG *table = (BN_ULONG *)buf;
    if (top > b->top)
        top = b->top;           /* this works because 'buf' is explicitly
                                 * zeroed */
-    for (i = 0, j = idx; i < top; i++, j += width) {
+    for (i = 0, j = idx; i < top * sizeof b->d[0]; i++, j += width) {
-        table[j] = b->d[i];
+        buf[j] = ((unsigned char *)b->d)[i];
    }
    return 1;
@ -565,51 +551,15 @@ static int MOD_EXP_CTIME_COPY_TO_PREBUF(const BIGNUM *b, int top,
 static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top,
                                          unsigned char *buf, int idx,
-                                          int window)
+                                          int width)
 {
-    int i, j;
+    size_t i, j;
    int width = 1 << window;
    volatile BN_ULONG *table = (volatile BN_ULONG *)buf;
    if (bn_wexpand(b, top) == NULL)
        return 0;
-    if (window <= 3) {
+    for (i = 0, j = idx; i < top * sizeof b->d[0]; i++, j += width) {
-        for (i = 0; i < top; i++, table += width) {
+        ((unsigned char *)b->d)[i] = buf[j];
            BN_ULONG acc = 0;
            for (j = 0; j < width; j++) {
                acc |= table[j] &
                       ((BN_ULONG)0 - (constant_time_eq_int(j,idx)&1));
            }
            b->d[i] = acc;
        }
    } else {
        int xstride = 1 << (window - 2);
        BN_ULONG y0, y1, y2, y3;
        i = idx >> (window - 2);        /* equivalent of idx / xstride */
        idx &= xstride - 1;             /* equivalent of idx % xstride */
        y0 = (BN_ULONG)0 - (constant_time_eq_int(i,0)&1);
        y1 = (BN_ULONG)0 - (constant_time_eq_int(i,1)&1);
        y2 = (BN_ULONG)0 - (constant_time_eq_int(i,2)&1);
        y3 = (BN_ULONG)0 - (constant_time_eq_int(i,3)&1);
        for (i = 0; i < top; i++, table += width) {
            BN_ULONG acc = 0;
            for (j = 0; j < xstride; j++) {
                acc |= ( (table[j + 0 * xstride] & y0) |
                         (table[j + 1 * xstride] & y1) |
                         (table[j + 2 * xstride] & y2) |
                         (table[j + 3 * xstride] & y3) )
                       & ((BN_ULONG)0 - (constant_time_eq_int(j,idx)&1));
            }
            b->d[i] = acc;
        }
    }
    b->top = top;
@ -629,7 +579,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top,
 * precomputation memory layout to limit data-dependency to a minimum to
 * protect secret exponents (cf. the hyper-threading timing attacks pointed
 * out by Colin Percival,
- * http://www.daemonology.net/hyperthreading-considered-harmful/)
+ * http://www.daemong-consideredperthreading-considered-harmful/)
 */
 int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
                              const BIGNUM *m, BN_CTX *ctx,
@ -649,22 +599,15 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
    bn_check_top(p);
    bn_check_top(m);
-    if (!BN_is_odd(m)) {
+    top = m->top;
    if (!(m->d[0] & 1)) {
        BNerr(BN_F_BN_MOD_EXP_MONT_CONSTTIME, BN_R_CALLED_WITH_EVEN_MODULUS);
        return (0);
    }
    top = m->top;
    bits = BN_num_bits(p);
    if (bits == 0) {
-        /* x**0 mod 1 is still zero. */
+        ret = BN_one(rr);
        if (BN_is_one(m)) {
            ret = 1;
            BN_zero(rr);
        } else {
            ret = BN_one(rr);
        }
        return ret;
    }
@ -839,9 +782,9 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
    } else
 #endif
    {
-        if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 0, window))
+        if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 0, numPowers))
            goto err;
-        if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&am, top, powerbuf, 1, window))
+        if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&am, top, powerbuf, 1, numPowers))
            goto err;
        /*
@ -853,15 +796,15 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
        if (window > 1) {
            if (!BN_mod_mul_montgomery(&tmp, &am, &am, mont, ctx))
                goto err;
-            if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 2,
+            if (!MOD_EXP_CTIME_COPY_TO_PREBUF
-                                              window))
+                (&tmp, top, powerbuf, 2, numPowers))
                goto err;
            for (i = 3; i < numPowers; i++) {
                /* Calculate a^i = a^(i-1) * a */
                if (!BN_mod_mul_montgomery(&tmp, &am, &tmp, mont, ctx))
                    goto err;
-                if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, i,
+                if (!MOD_EXP_CTIME_COPY_TO_PREBUF
-                                                  window))
+                    (&tmp, top, powerbuf, i, numPowers))
                    goto err;
            }
        }
@ -869,8 +812,8 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
        bits--;
        for (wvalue = 0, i = bits % window; i >= 0; i--, bits--)
            wvalue = (wvalue << 1) + BN_is_bit_set(p, bits);
-        if (!MOD_EXP_CTIME_COPY_FROM_PREBUF(&tmp, top, powerbuf, wvalue,
+        if (!MOD_EXP_CTIME_COPY_FROM_PREBUF
-                                            window))
+            (&tmp, top, powerbuf, wvalue, numPowers))
            goto err;
        /*
@ -890,8 +833,8 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
            /*
             * Fetch the appropriate pre-computed value from the pre-buf
             */
-            if (!MOD_EXP_CTIME_COPY_FROM_PREBUF(&am, top, powerbuf, wvalue,
+            if (!MOD_EXP_CTIME_COPY_FROM_PREBUF
-                                                window))
+                (&am, top, powerbuf, wvalue, numPowers))
                goto err;
            /* Multiply the result into the intermediate result */
@ -964,9 +907,8 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
        if (BN_is_one(m)) {
            ret = 1;
            BN_zero(rr);
-        } else {
+        } else
            ret = BN_one(rr);
        }
        return ret;
    }
    if (a == 0) {
@ -1080,14 +1022,9 @@ int BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
    }
    bits = BN_num_bits(p);
-   if (bits == 0) {
+
-        /* x**0 mod 1 is still zero. */
+    if (bits == 0) {
-        if (BN_is_one(m)) {
+        ret = BN_one(r);
            ret = 1;
            BN_zero(r);
        } else {
            ret = BN_one(r);
        }
        return ret;
    }
--- a/crypto/bn/bn_gcd.c
+++ b/crypto/bn/bn_gcd.c
@ -583,7 +583,6 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
         * BN_div_no_branch will be called eventually.
         */
        pB = &local_B;
        local_B.flags = 0;
        BN_with_flags(pB, B, BN_FLG_CONSTTIME);
        if (!BN_nnmod(B, pB, A, ctx))
            goto err;
@ -611,7 +610,6 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
         * BN_div_no_branch will be called eventually.
         */
        pA = &local_A;
        local_A.flags = 0;
        BN_with_flags(pA, A, BN_FLG_CONSTTIME);
        /* (D, M) := (A/B, A%B) ... */
--- a/crypto/bn/bn_gf2m.c
+++ b/crypto/bn/bn_gf2m.c
@ -576,7 +576,7 @@ int BN_GF2m_mod_sqr_arr(BIGNUM *r, const BIGNUM *a, const int p[],
    bn_check_top(a);
    BN_CTX_start(ctx);
    if ((s = BN_CTX_get(ctx)) == NULL)
-        goto err;
+        return 0;
    if (!bn_wexpand(s, 2 * a->top))
        goto err;
@ -700,21 +700,18 @@ int BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
        int top = p->top;
        BN_ULONG *udp, *bdp, *vdp, *cdp;
-        if (!bn_wexpand(u, top))
+        bn_wexpand(u, top);
            goto err;
        udp = u->d;
        for (i = u->top; i < top; i++)
            udp[i] = 0;
        u->top = top;
-        if (!bn_wexpand(b, top))
+        bn_wexpand(b, top);
          goto err;
        bdp = b->d;
        bdp[0] = 1;
        for (i = 1; i < top; i++)
            bdp[i] = 0;
        b->top = top;
-        if (!bn_wexpand(c, top))
+        bn_wexpand(c, top);
          goto err;
        cdp = c->d;
        for (i = 0; i < top; i++)
            cdp[i] = 0;
--- a/crypto/bn/bn_mont.c
+++ b/crypto/bn/bn_mont.c
@ -361,9 +361,9 @@ void BN_MONT_CTX_free(BN_MONT_CTX *mont)
    if (mont == NULL)
        return;
-    BN_clear_free(&(mont->RR));
+    BN_free(&(mont->RR));
-    BN_clear_free(&(mont->N));
+    BN_free(&(mont->N));
-    BN_clear_free(&(mont->Ni));
+    BN_free(&(mont->Ni));
    if (mont->flags & BN_FLG_MALLOCED)
        OPENSSL_free(mont);
 }
@ -373,9 +373,6 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
    int ret = 0;
    BIGNUM *Ri, *R;
    if (BN_is_zero(mod))
        return 0;
    BN_CTX_start(ctx);
    if ((Ri = BN_CTX_get(ctx)) == NULL)
        goto err;
--- a/crypto/bn/bn_print.c
+++ b/crypto/bn/bn_print.c
@ -58,7 +58,6 @@
 #include <stdio.h>
 #include <ctype.h>
 #include <limits.h>
 #include "cryptlib.h"
 #include <openssl/buffer.h>
 #include "bn_lcl.h"
@ -190,11 +189,7 @@ int BN_hex2bn(BIGNUM **bn, const char *a)
        a++;
    }
-    for (i = 0; i <= (INT_MAX/4) && isxdigit((unsigned char)a[i]); i++)
+    for (i = 0; isxdigit((unsigned char)a[i]); i++) ;
        continue;
    if (i > INT_MAX/4)
        goto err;
    num = i + neg;
    if (bn == NULL)
@ -209,7 +204,7 @@ int BN_hex2bn(BIGNUM **bn, const char *a)
        BN_zero(ret);
    }
-    /* i is the number of hex digits */
+    /* i is the number of hex digests; */
    if (bn_expand(ret, i * 4) == NULL)
        goto err;
@ -265,11 +260,7 @@ int BN_dec2bn(BIGNUM **bn, const char *a)
        a++;
    }
-    for (i = 0; i <= (INT_MAX/4) && isdigit((unsigned char)a[i]); i++)
+    for (i = 0; isdigit((unsigned char)a[i]); i++) ;
        continue;
    if (i > INT_MAX/4)
        goto err;
    num = i + neg;
    if (bn == NULL)
@ -287,7 +278,7 @@ int BN_dec2bn(BIGNUM **bn, const char *a)
        BN_zero(ret);
    }
-    /* i is the number of digits, a bit of an over expand */
+    /* i is the number of digests, a bit of an over expand; */
    if (bn_expand(ret, i * 4) == NULL)
        goto err;
--- a/crypto/bn/bn_recp.c
+++ b/crypto/bn/bn_recp.c
@ -65,7 +65,6 @@ void BN_RECP_CTX_init(BN_RECP_CTX *recp)
    BN_init(&(recp->N));
    BN_init(&(recp->Nr));
    recp->num_bits = 0;
    recp->shift = 0;
    recp->flags = 0;
 }
@ -153,10 +152,8 @@ int BN_div_recp(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
    if (BN_ucmp(m, &(recp->N)) < 0) {
        BN_zero(d);
-        if (!BN_copy(r, m)) {
+        if (!BN_copy(r, m))
            BN_CTX_end(ctx);
            return 0;
        }
        BN_CTX_end(ctx);
        return (1);
    }
--- a/crypto/bn/bn_x931p.c
+++ b/crypto/bn/bn_x931p.c
@ -213,14 +213,14 @@ int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx)
     * exceeded.
     */
    if (!BN_rand(Xp, nbits, 1, 0))
-        goto err;
+        return 0;
    BN_CTX_start(ctx);
    t = BN_CTX_get(ctx);
    for (i = 0; i < 1000; i++) {
        if (!BN_rand(Xq, nbits, 1, 0))
-            goto err;
+            return 0;
        /* Check that |Xp - Xq| > 2^(nbits - 100) */
        BN_sub(t, Xp, Xq);
        if (BN_num_bits(t) > (nbits - 100))
@ -234,9 +234,6 @@ int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx)
    return 0;
 err:
    BN_CTX_end(ctx);
    return 0;
 }
 /*
--- a/crypto/bn/bntest.c
+++ b/crypto/bn/bntest.c
@ -441,14 +441,6 @@ int test_div(BIO *bp, BN_CTX *ctx)
    BN_init(&d);
    BN_init(&e);
    BN_one(&a);
    BN_zero(&b);
    if (BN_div(&d, &c, &a, &b, ctx)) {
        fprintf(stderr, "Division by zero succeeded!\n");
        return 0;
    }
    for (i = 0; i < num0 + num1; i++) {
        if (i < num1) {
            BN_bntest_rand(&a, 400, 0, 0);
@ -524,9 +516,9 @@ int test_div_word(BIO *bp)
        do {
            BN_bntest_rand(&a, 512, -1, 0);
            BN_bntest_rand(&b, BN_BITS2, -1, 0);
-        } while (BN_is_zero(&b));
+            s = b.d[0];
        } while (!s);
        s = b.d[0];
        BN_copy(&b, &a);
        r = BN_div_word(&b, s);
@ -789,18 +781,6 @@ int test_mont(BIO *bp, BN_CTX *ctx)
    if (mont == NULL)
        return 0;
    BN_zero(&n);
    if (BN_MONT_CTX_set(mont, &n, ctx)) {
        fprintf(stderr, "BN_MONT_CTX_set succeeded for zero modulus!\n");
        return 0;
    }
    BN_set_word(&n, 16);
    if (BN_MONT_CTX_set(mont, &n, ctx)) {
        fprintf(stderr, "BN_MONT_CTX_set succeeded for even modulus!\n");
        return 0;
    }
    BN_bntest_rand(&a, 100, 0, 0);
    BN_bntest_rand(&b, 100, 0, 0);
    for (i = 0; i < num2; i++) {
@ -907,14 +887,6 @@ int test_mod_mul(BIO *bp, BN_CTX *ctx)
    d = BN_new();
    e = BN_new();
    BN_one(a);
    BN_one(b);
    BN_zero(c);
    if (BN_mod_mul(e, a, b, c, ctx)) {
        fprintf(stderr, "BN_mod_mul with zero modulus succeeded!\n");
        return 0;
    }
    for (j = 0; j < 3; j++) {
        BN_bntest_rand(c, 1024, 0, 0);
        for (i = 0; i < num0; i++) {
@ -980,14 +952,6 @@ int test_mod_exp(BIO *bp, BN_CTX *ctx)
    d = BN_new();
    e = BN_new();
    BN_one(a);
    BN_one(b);
    BN_zero(c);
    if (BN_mod_exp(d, a, b, c, ctx)) {
        fprintf(stderr, "BN_mod_exp with zero modulus succeeded!\n");
        return 0;
    }
    BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
    for (i = 0; i < num2; i++) {
        BN_bntest_rand(a, 20 + i * 5, 0, 0);
@ -1035,22 +999,6 @@ int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx)
    d = BN_new();
    e = BN_new();
    BN_one(a);
    BN_one(b);
    BN_zero(c);
    if (BN_mod_exp_mont_consttime(d, a, b, c, ctx, NULL)) {
        fprintf(stderr, "BN_mod_exp_mont_consttime with zero modulus "
                "succeeded\n");
        return 0;
    }
    BN_set_word(c, 16);
    if (BN_mod_exp_mont_consttime(d, a, b, c, ctx, NULL)) {
        fprintf(stderr, "BN_mod_exp_mont_consttime with even modulus "
                "succeeded\n");
        return 0;
    }
    BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
    for (i = 0; i < num2; i++) {
        BN_bntest_rand(a, 20 + i * 5, 0, 0);
--- a/crypto/bn/exptest.c
+++ b/crypto/bn/exptest.c
@ -72,25 +72,6 @@
 static const char rnd_seed[] =
    "string to make the random number generator think it has entropy";
 /*
 * Test that r == 0 in test_exp_mod_zero(). Returns one on success,
 * returns zero and prints debug output otherwise.
 */
 static int a_is_zero_mod_one(const char *method, const BIGNUM *r,
                             const BIGNUM *a) {
    if (!BN_is_zero(r)) {
        fprintf(stderr, "%s failed:\n", method);
        fprintf(stderr, "a ** 0 mod 1 = r (should be 0)\n");
        fprintf(stderr, "a = ");
        BN_print_fp(stderr, a);
        fprintf(stderr, "\nr = ");
        BN_print_fp(stderr, r);
        fprintf(stderr, "\n");
        return 0;
    }
    return 1;
 }
 /*
 * test_exp_mod_zero tests that x**0 mod 1 == 0. It returns zero on success.
 */
@ -98,9 +79,8 @@ static int test_exp_mod_zero()
 {
    BIGNUM a, p, m;
    BIGNUM r;
    BN_ULONG one_word = 1;
    BN_CTX *ctx = BN_CTX_new();
-    int ret = 1, failed = 0;
+    int ret = 1;
    BN_init(&m);
    BN_one(&m);
@ -112,65 +92,21 @@ static int test_exp_mod_zero()
    BN_zero(&p);
    BN_init(&r);
    BN_mod_exp(&r, &a, &p, &m, ctx);
    BN_CTX_free(ctx);
-    if (!BN_rand(&a, 1024, 0, 0))
+    if (BN_is_zero(&r))
-        goto err;
+        ret = 0;
-
+    else {
-    if (!BN_mod_exp(&r, &a, &p, &m, ctx))
+        printf("1**0 mod 1 = ");
-        goto err;
+        BN_print_fp(stdout, &r);
-
+        printf(", should be 0\n");
    if (!a_is_zero_mod_one("BN_mod_exp", &r, &a))
        failed = 1;
    if (!BN_mod_exp_recp(&r, &a, &p, &m, ctx))
        goto err;
    if (!a_is_zero_mod_one("BN_mod_exp_recp", &r, &a))
        failed = 1;
    if (!BN_mod_exp_simple(&r, &a, &p, &m, ctx))
        goto err;
    if (!a_is_zero_mod_one("BN_mod_exp_simple", &r, &a))
        failed = 1;
    if (!BN_mod_exp_mont(&r, &a, &p, &m, ctx, NULL))
        goto err;
    if (!a_is_zero_mod_one("BN_mod_exp_mont", &r, &a))
        failed = 1;
    if (!BN_mod_exp_mont_consttime(&r, &a, &p, &m, ctx, NULL)) {
        goto err;
    }
    if (!a_is_zero_mod_one("BN_mod_exp_mont_consttime", &r, &a))
        failed = 1;
    /*
     * A different codepath exists for single word multiplication
     * in non-constant-time only.
     */
    if (!BN_mod_exp_mont_word(&r, one_word, &p, &m, ctx, NULL))
        goto err;
    if (!BN_is_zero(&r)) {
        fprintf(stderr, "BN_mod_exp_mont_word failed:\n");
        fprintf(stderr, "1 ** 0 mod 1 = r (should be 0)\n");
        fprintf(stderr, "r = ");
        BN_print_fp(stderr, &r);
        fprintf(stderr, "\n");
        return 0;
    }
    ret = failed;
 err:
    BN_free(&r);
    BN_free(&a);
    BN_free(&p);
    BN_free(&m);
    BN_CTX_free(ctx);
    return ret;
 }
--- a/crypto/buffer/.cvsignore
+++ b/crypto/buffer/.cvsignore
@ -0,0 +1,4 @@
 lib
 Makefile.save
 *.flc
 semantic.cache
--- a/crypto/buffer/buf_str.c
+++ b/crypto/buffer/buf_str.c
@ -58,13 +58,12 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <limits.h>
 #include <openssl/buffer.h>
 char *BUF_strdup(const char *str)
 {
    if (str == NULL)
-        return NULL;
+        return (NULL);
    return BUF_strndup(str, strlen(str));
 }
@ -73,20 +72,14 @@ char *BUF_strndup(const char *str, size_t siz)
    char *ret;
    if (str == NULL)
-        return NULL;
+        return (NULL);
    if (siz >= INT_MAX)
        return NULL;
    ret = OPENSSL_malloc(siz + 1);
    if (ret == NULL) {
        BUFerr(BUF_F_BUF_STRNDUP, ERR_R_MALLOC_FAILURE);
-        return NULL;
+        return (NULL);
    }
-
+    BUF_strlcpy(ret, str, siz + 1);
    memcpy(ret, str, siz);
    ret[siz] = '\0';
    return (ret);
 }
@ -94,13 +87,13 @@ void *BUF_memdup(const void *data, size_t siz)
 {
    void *ret;
-    if (data == NULL || siz >= INT_MAX)
+    if (data == NULL)
-        return NULL;
+        return (NULL);
    ret = OPENSSL_malloc(siz);
    if (ret == NULL) {
        BUFerr(BUF_F_BUF_MEMDUP, ERR_R_MALLOC_FAILURE);
-        return NULL;
+        return (NULL);
    }
    return memcpy(ret, data, siz);
 }
--- a/crypto/buffer/buffer.h
+++ b/crypto/buffer/buffer.h
@ -85,13 +85,7 @@ void BUF_MEM_free(BUF_MEM *a);
 int BUF_MEM_grow(BUF_MEM *str, size_t len);
 int BUF_MEM_grow_clean(BUF_MEM *str, size_t len);
 char *BUF_strdup(const char *str);
 /*
 * Like strndup, but in addition, explicitly guarantees to never read past the
 * first |siz| bytes of |str|.
 */
 char *BUF_strndup(const char *str, size_t siz);
 void *BUF_memdup(const void *data, size_t siz);
 void BUF_reverse(unsigned char *out, const unsigned char *in, size_t siz);
--- a/crypto/camellia/.cvsignore
+++ b/crypto/camellia/.cvsignore
@ -0,0 +1,3 @@
 lib
 Makefile.save
 cmll-*.s
--- a/crypto/camellia/camellia.c
+++ b/crypto/camellia/camellia.c
@ -1,4 +1,4 @@
-/* crypto/camellia/camellia.c */
+/* crypto/camellia/camellia.c -*- mode:C; c-file-style: "eay" -*- */
 /* ====================================================================
 * Copyright 2006 NTT (Nippon Telegraph and Telephone Corporation) .
 * ALL RIGHTS RESERVED.
@ -67,7 +67,7 @@
 /*
 * Algorithm Specification
- * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html
+ * http://info.isl.llia/specicrypt/eng/camellia/specifications.html
 */
 /*
--- a/crypto/camellia/camellia.h
+++ b/crypto/camellia/camellia.h
@ -1,4 +1,4 @@
-/* crypto/camellia/camellia.h */
+/* crypto/camellia/camellia.h -*- mode:C; c-file-style: "eay" -*- */
 /* ====================================================================
 * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
 *
--- a/crypto/camellia/cmll_cbc.c
+++ b/crypto/camellia/cmll_cbc.c
@ -1,4 +1,4 @@
-/* crypto/camellia/camellia_cbc.c */
+/* crypto/camellia/camellia_cbc.c -*- mode:C; c-file-style: "eay" -*- */
 /* ====================================================================
 * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
 *
--- a/crypto/camellia/cmll_cfb.c
+++ b/crypto/camellia/cmll_cfb.c
@ -1,4 +1,4 @@
-/* crypto/camellia/camellia_cfb.c */
+/* crypto/camellia/camellia_cfb.c -*- mode:C; c-file-style: "eay" -*- */
 /* ====================================================================
 * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
 *
--- a/crypto/camellia/cmll_ctr.c
+++ b/crypto/camellia/cmll_ctr.c
@ -1,4 +1,4 @@
-/* crypto/camellia/camellia_ctr.c */
+/* crypto/camellia/camellia_ctr.c -*- mode:C; c-file-style: "eay" -*- */
 /* ====================================================================
 * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
 *
--- a/crypto/camellia/cmll_ecb.c
+++ b/crypto/camellia/cmll_ecb.c
@ -1,4 +1,4 @@
-/* crypto/camellia/camellia_ecb.c */
+/* crypto/camellia/camellia_ecb.c -*- mode:C; c-file-style: "eay" -*- */
 /* ====================================================================
 * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
 *
--- a/crypto/camellia/cmll_locl.h
+++ b/crypto/camellia/cmll_locl.h
@ -1,4 +1,4 @@
-/* crypto/camellia/camellia_locl.h */
+/* crypto/camellia/camellia_locl.h -*- mode:C; c-file-style: "eay" -*- */
 /* ====================================================================
 * Copyright 2006 NTT (Nippon Telegraph and Telephone Corporation) .
 * ALL RIGHTS RESERVED.
--- a/crypto/camellia/cmll_misc.c
+++ b/crypto/camellia/cmll_misc.c
@ -1,4 +1,4 @@
-/* crypto/camellia/camellia_misc.c */
+/* crypto/camellia/camellia_misc.c -*- mode:C; c-file-style: "eay" -*- */
 /* ====================================================================
 * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
 *
--- a/Show More
+++ b/Show More