openssl-1.0.1d upgrade

Change-Id: Ie980c8834cf2c843858182d98d1f60c65a2a9b70

153 files changed, 1430 insertions, 2568 deletions

diff --git a/Crypto.mk b/Crypto.mk
index e012527..1ea3939 100644
--- a/Crypto.mk
+++ b/Crypto.mk
@@ -341,6 +341,7 @@ local_src_files := \
  crypto/evp/e_xcbc_d.c \
  crypto/evp/encode.c \
  crypto/evp/evp_acnf.c \
+ crypto/evp/evp_cnf.c \
  crypto/evp/evp_enc.c \
  crypto/evp/evp_err.c \
  crypto/evp/evp_key.c \
diff --git a/apps/apps.c b/apps/apps.c
index 4e11915..1096eee 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -2132,7 +2132,7 @@ X509_NAME *parse_name(char *subject, long chtype, int multirdn)
 	X509_NAME *n = NULL;
 	int nid;
 
-	if (!buf || !ne_types || !ne_values)
+	if (!buf || !ne_types || !ne_values || !mval)
 		{
 		BIO_printf(bio_err, "malloc error\n");
 		goto error;
@@ -2236,6 +2236,7 @@ X509_NAME *parse_name(char *subject, long chtype, int multirdn)
 	OPENSSL_free(ne_values);
 	OPENSSL_free(ne_types);
 	OPENSSL_free(buf);
+	OPENSSL_free(mval);
 	return n;
 
 error:
@@ -2244,6 +2245,8 @@ error:
 		OPENSSL_free(ne_values);
 	if (ne_types)
 		OPENSSL_free(ne_types);
+	if (mval)
+		OPENSSL_free(mval);
 	if (buf)
 		OPENSSL_free(buf);
 	return NULL;
diff --git a/apps/ca.c b/apps/ca.c
index 2a83d19..1cf50e0 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1408,6 +1408,7 @@ bad:
 			if (!NCONF_get_number(conf,section,
 				ENV_DEFAULT_CRL_HOURS, &crlhours))
 				crlhours = 0;
+			ERR_clear_error();
 			}
 		if ((crldays == 0) && (crlhours == 0) && (crlsec == 0))
 			{
diff --git a/apps/cms.c b/apps/cms.c
index d754140..5f77f8f 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -233,6 +233,8 @@ int MAIN(int argc, char **argv)
 		else if (!strcmp(*args,"-camellia256"))
 				cipher = EVP_camellia_256_cbc();
 #endif
+		else if (!strcmp (*args, "-debug_decrypt")) 
+				flags |= CMS_DEBUG_DECRYPT;
 		else if (!strcmp (*args, "-text")) 
 				flags |= CMS_TEXT;
 		else if (!strcmp (*args, "-nointern")) 
@@ -1039,6 +1041,8 @@ int MAIN(int argc, char **argv)
 	ret = 4;
 	if (operation == SMIME_DECRYPT)
 		{
+		if (flags & CMS_DEBUG_DECRYPT)
+			CMS_decrypt(cms, NULL, NULL, NULL, NULL, flags);
 
 		if (secret_key)
 			{
diff --git a/apps/dgst.c b/apps/dgst.c
index b08e9a7..81bd870 100644
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -216,10 +216,10 @@ int MAIN(int argc, char **argv)
 			out_bin = 1;
 		else if (strcmp(*argv,"-d") == 0)
 			debug=1;
-		else if (strcmp(*argv,"-non-fips-allow") == 0)
-			non_fips_allow=1;
 		else if (!strcmp(*argv,"-fips-fingerprint"))
 			hmac_key = "etaonrishdlcupfm";
+		else if (strcmp(*argv,"-non-fips-allow") == 0)
+			non_fips_allow=1;
 		else if (!strcmp(*argv,"-hmac"))
 			{
 			if (--argc < 1)
diff --git a/apps/dhparam.c b/apps/dhparam.c
index b47097c..1297d6f 100644
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@@ -332,7 +332,6 @@ bad:
 			BIO_printf(bio_err,"This is going to take a long time\n");
 			if(!dh || !DH_generate_parameters_ex(dh, num, g, &cb))
 				{
-				if(dh) DH_free(dh);
 				ERR_print_errors(bio_err);
 				goto end;
 				}
diff --git a/apps/dsaparam.c b/apps/dsaparam.c
index fe72c1d..683d513 100644
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -326,6 +326,7 @@ bad:
 				goto end;
 				}
 #endif
+			ERR_print_errors(bio_err);
 			BIO_printf(bio_err,"Error, DSA key generation failed\n");
 			goto end;
 			}
@@ -429,13 +430,19 @@ bad:
 
 		assert(need_rand);
 		if ((dsakey=DSAparams_dup(dsa)) == NULL) goto end;
-		if (!DSA_generate_key(dsakey)) goto end;
+		if (!DSA_generate_key(dsakey))
+			{
+			ERR_print_errors(bio_err);
+			DSA_free(dsakey);
+			goto end;
+			}
 		if 	(outformat == FORMAT_ASN1)
 			i=i2d_DSAPrivateKey_bio(out,dsakey);
 		else if (outformat == FORMAT_PEM)
 			i=PEM_write_bio_DSAPrivateKey(out,dsakey,NULL,NULL,0,NULL,NULL);
 		else	{
 			BIO_printf(bio_err,"bad output format specified for outfile\n");
+			DSA_free(dsakey);
 			goto end;
 			}
 		DSA_free(dsakey);
diff --git a/apps/genrsa.c b/apps/genrsa.c
index 37e9310..ece114c 100644
--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@@ -78,7 +78,7 @@
 #include <openssl/pem.h>
 #include <openssl/rand.h>
 
-#define DEFBITS	512
+#define DEFBITS	1024
 #undef PROG
 #define PROG genrsa_main
 
diff --git a/apps/ocsp.c b/apps/ocsp.c
index 01847df..83c5a76 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -617,7 +617,7 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "-ndays n	 	 number of days before next update\n");
 		BIO_printf (bio_err, "-resp_key_id       identify reponse by signing certificate key ID\n");
 		BIO_printf (bio_err, "-nrequest n        number of requests to accept (default unlimited)\n");
-		BIO_printf (bio_err, "-<dgst alg>     use specified digest in the request");
+		BIO_printf (bio_err, "-<dgst alg>     use specified digest in the request\n");
 		goto end;
 		}
 
diff --git a/apps/s_cb.c b/apps/s_cb.c
index 2cd7337..84c3b44 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -237,8 +237,8 @@ int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file)
 
 		/* If we are using DSA, we can copy the parameters from
 		 * the private key */
-		
-		
+
+
 		/* Now we know that a key and cert have been set against
 		 * the SSL context */
 		if (!SSL_CTX_check_private_key(ctx))
@@ -436,6 +436,8 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *
 
 	if (version == SSL3_VERSION ||
 	    version == TLS1_VERSION ||
+	    version == TLS1_1_VERSION ||
+	    version == TLS1_2_VERSION ||
 	    version == DTLS1_VERSION ||
 	    version == DTLS1_BAD_VER)
 		{
diff --git a/apps/s_client.c b/apps/s_client.c
index 7dce4cf..3a40a3f 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -357,7 +357,7 @@ static void sc_usage(void)
 	BIO_printf(bio_err," -tlsextdebug      - hex dump of all TLS extensions received\n");
 	BIO_printf(bio_err," -status           - request certificate status from server\n");
 	BIO_printf(bio_err," -no_ticket        - disable use of RFC4507bis session tickets\n");
-# if !defined(OPENSSL_NO_NEXTPROTONEG)
+# ifndef OPENSSL_NO_NEXTPROTONEG
 	BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
 # endif
 #endif
@@ -537,7 +537,7 @@ static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, con
 	ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
 	return SSL_TLSEXT_ERR_OK;
 	}
-# endif
+# endif  /* ndef OPENSSL_NO_NEXTPROTONEG */
 #endif
 
 enum
@@ -1903,6 +1903,10 @@ end:
 			print_stuff(bio_c_out,con,1);
 		SSL_free(con);
 		}
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+	if (next_proto.data)
+		OPENSSL_free(next_proto.data);
+#endif
 	if (ctx != NULL) SSL_CTX_free(ctx);
 	if (cert)
 		X509_free(cert);
@@ -1910,6 +1914,8 @@ end:
 		EVP_PKEY_free(key);
 	if (pass)
 		OPENSSL_free(pass);
+	if (vpm)
+		X509_VERIFY_PARAM_free(vpm);
 	if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
 	if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
 	if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
diff --git a/apps/s_server.c b/apps/s_server.c
index 3f9b370..4720c05 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -1206,13 +1206,13 @@ int MAIN(int argc, char *argv[])
 			{
 			if (--argc < 1) goto bad;
 			srp_verifier_file = *(++argv);
-			meth=TLSv1_server_method();
+			meth = TLSv1_server_method();
 			}
 		else if (strcmp(*argv, "-srpuserseed") == 0)
 			{
 			if (--argc < 1) goto bad;
 			srpuserseed = *(++argv);
-			meth=TLSv1_server_method();
+			meth = TLSv1_server_method();
 			}
 #endif
 		else if	(strcmp(*argv,"-www") == 0)
@@ -1431,25 +1431,24 @@ bad:
 				goto end;
 				}
 			}
-
-# ifndef OPENSSL_NO_NEXTPROTONEG
-		if (next_proto_neg_in)
-			{
-			unsigned short len;
-			next_proto.data = next_protos_parse(&len,
-				next_proto_neg_in);
-			if (next_proto.data == NULL)
-				goto end;
-			next_proto.len = len;
-			}
-		else
-			{
-			next_proto.data = NULL;
-			}
-# endif
 #endif
 		}
 
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 
+	if (next_proto_neg_in)
+		{
+		unsigned short len;
+		next_proto.data = next_protos_parse(&len, next_proto_neg_in);
+		if (next_proto.data == NULL)
+			goto end;
+		next_proto.len = len;
+		}
+	else
+		{
+		next_proto.data = NULL;
+		}
+#endif
+
 
 	if (s_dcert_file)
 		{
@@ -1730,7 +1729,7 @@ bad:
 		}
 #endif
 	
-	if (!set_cert_key_stuff(ctx,s_cert,s_key))
+	if (!set_cert_key_stuff(ctx, s_cert, s_key))
 		goto end;
 #ifndef OPENSSL_NO_TLSEXT
 	if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2))
@@ -1738,7 +1737,7 @@ bad:
 #endif
 	if (s_dcert != NULL)
 		{
-		if (!set_cert_key_stuff(ctx,s_dcert,s_dkey))
+		if (!set_cert_key_stuff(ctx, s_dcert, s_dkey))
 			goto end;
 		}
 
@@ -1893,7 +1892,15 @@ end:
 		OPENSSL_free(pass);
 	if (dpass)
 		OPENSSL_free(dpass);
+	if (vpm)
+		X509_VERIFY_PARAM_free(vpm);
 #ifndef OPENSSL_NO_TLSEXT
+	if (tlscstatp.host)
+		OPENSSL_free(tlscstatp.host);
+	if (tlscstatp.port)
+		OPENSSL_free(tlscstatp.port);
+	if (tlscstatp.path)
+		OPENSSL_free(tlscstatp.path);
 	if (ctx2 != NULL) SSL_CTX_free(ctx2);
 	if (s_cert2)
 		X509_free(s_cert2);
@@ -2433,6 +2440,7 @@ static int init_ssl_connection(SSL *con)
 		BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf);
 	str=SSL_CIPHER_get_name(SSL_get_current_cipher(con));
 	BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)");
+
 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
 	SSL_get0_next_proto_negotiated(con, &next_proto_neg, &next_proto_neg_len);
 	if (next_proto_neg)
@@ -2701,6 +2709,11 @@ static int www_body(char *hostname, int s, unsigned char *context)
 				}
 			BIO_puts(io,"\n");
 
+			BIO_printf(io,
+				"Secure Renegotiation IS%s supported\n",
+		      		SSL_get_secure_renegotiation_support(con) ?
+							"" : " NOT");
+
 			/* The following is evil and should not really
 			 * be done */
 			BIO_printf(io,"Ciphers supported in s_server binary\n");
diff --git a/apps/speed.c b/apps/speed.c
index ab62e01..9c251eb 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -254,7 +254,7 @@ static const char *names[ALGOR_NUM]={
   "aes-128 cbc","aes-192 cbc","aes-256 cbc",
   "camellia-128 cbc","camellia-192 cbc","camellia-256 cbc",
   "evp","sha256","sha512","whirlpool",
-  "aes-128 ige","aes-192 ige","aes-256 ige","ghash"};
+  "aes-128 ige","aes-192 ige","aes-256 ige","ghash" };
 static double results[ALGOR_NUM][SIZE_NUM];
 static int lengths[SIZE_NUM]={16,64,256,1024,8*1024};
 #ifndef OPENSSL_NO_RSA
@@ -299,7 +299,7 @@ static SIGRETTYPE sig_done(int sig)
 #if defined(_WIN32)
 
 #if !defined(SIGALRM)
-#define SIGALRM
+# define SIGALRM
 #endif
 static unsigned int lapse,schlock;
 static void alarm_win32(unsigned int secs) { lapse = secs*1000; }
diff --git a/apps/srp.c b/apps/srp.c
index 80e1b8a..9c7ae18 100644
--- a/apps/srp.c
+++ b/apps/srp.c
@@ -125,13 +125,13 @@ static int get_index(CA_DB *db, char* id, char type)
 	if (type == DB_SRP_INDEX) 
 	for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++)
 		{
-		pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, i);
-		if (pp[DB_srptype][0] == DB_SRP_INDEX  && !strcmp(id, pp[DB_srpid])) 
+		pp = sk_OPENSSL_PSTRING_value(db->db->data,i);
+		if (pp[DB_srptype][0] == DB_SRP_INDEX  && !strcmp(id,pp[DB_srpid])) 
 			return i;
 		}
 	else for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++)
 		{
-		pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, i);
+		pp = sk_OPENSSL_PSTRING_value(db->db->data,i);
 
 		if (pp[DB_srptype][0] != DB_SRP_INDEX && !strcmp(id,pp[DB_srpid])) 
 			return i;
@@ -145,7 +145,7 @@ static void print_entry(CA_DB *db, BIO *bio, int indx, int verbose, char *s)
 	if (indx >= 0 && verbose)
 		{
 		int j;
-		char **pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, indx);
+		char **pp = sk_OPENSSL_PSTRING_value(db->db->data, indx);
 		BIO_printf(bio, "%s \"%s\"\n", s, pp[DB_srpid]);
 		for (j = 0; j < DB_NUMBER; j++)
 			{
@@ -163,7 +163,7 @@ static void print_user(CA_DB *db, BIO *bio, int userindex, int verbose)
 	{
 	if (verbose > 0)
 		{
-		char **pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex);
+		char **pp = sk_OPENSSL_PSTRING_value(db->db->data,userindex);
 
 		if (pp[DB_srptype][0] != 'I')
 			{
@@ -517,7 +517,7 @@ bad:
 	/* Lets check some fields */
 	for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++)
 		{
-		pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, i);
+		pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
 	
 		if (pp[DB_srptype][0] == DB_SRP_INDEX)
 			{
@@ -533,8 +533,8 @@ bad:
 
 	if (gNindex >= 0)
 		{
-		gNrow = (char **)sk_OPENSSL_PSTRING_value(db->db->data, gNindex);
-		print_entry(db, bio_err, gNindex, verbose > 1, "Default g and N") ;
+		gNrow = sk_OPENSSL_PSTRING_value(db->db->data,gNindex);
+		print_entry(db, bio_err, gNindex, verbose > 1, "Default g and N");
 		}
 	else if (maxgN > 0 && !SRP_get_default_gN(gN))
 		{
@@ -587,7 +587,7 @@ bad:
 			if (userindex >= 0)
 				{
 				/* reactivation of a new user */
-				char **row = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex);
+				char **row = sk_OPENSSL_PSTRING_value(db->db->data, userindex);
 				BIO_printf(bio_err, "user \"%s\" reactivated.\n", user);
 				row[DB_srptype][0] = 'V';
 
@@ -634,7 +634,7 @@ bad:
 			else
 				{
 
-				char **row = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex);
+				char **row = sk_OPENSSL_PSTRING_value(db->db->data, userindex);
 				char type = row[DB_srptype][0];
 				if (type == 'v')
 					{
@@ -664,9 +664,9 @@ bad:
 
 					if (!(gNid=srp_create_user(user,&(row[DB_srpverifier]), &(row[DB_srpsalt]),gNrow?gNrow[DB_srpsalt]:NULL, gNrow?gNrow[DB_srpverifier]:NULL, passout, bio_err,verbose)))
 						{
-							BIO_printf(bio_err, "Cannot create srp verifier for user \"%s\", operation abandoned.\n", user);
-							errors++;
-							goto err;
+						BIO_printf(bio_err, "Cannot create srp verifier for user \"%s\", operation abandoned.\n", user);
+						errors++;
+						goto err;
 						}
 
 					row[DB_srptype][0] = 'v';
@@ -689,7 +689,7 @@ bad:
 				}
 			else
 				{
-				char **xpp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex);
+				char **xpp = sk_OPENSSL_PSTRING_value(db->db->data,userindex);
 				BIO_printf(bio_err, "user \"%s\" revoked. t\n", user);
 
 				xpp[DB_srptype][0] = 'R';
@@ -714,7 +714,7 @@ bad:
 		/* Lets check some fields */
 		for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++)
 			{
-			pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, i);
+			pp = sk_OPENSSL_PSTRING_value(db->db->data,i);
 	
 			if (pp[DB_srptype][0] == 'v')
 				{
diff --git a/apps/verify.c b/apps/verify.c
index b9749dc..893670f 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -222,11 +222,19 @@ int MAIN(int argc, char **argv)
 			goto end;
 		}
 
-	if (argc < 1) check(cert_ctx, NULL, untrusted, trusted, crls, e);
+	ret = 0;
+	if (argc < 1)
+		{ 
+		if (1 != check(cert_ctx, NULL, untrusted, trusted, crls, e))
+			ret = -1;
+		}
 	else
+		{
 		for (i=0; i<argc; i++)
-			check(cert_ctx,argv[i], untrusted, trusted, crls, e);
-	ret=0;
+			if (1 != check(cert_ctx,argv[i], untrusted, trusted, crls, e))
+				ret = -1;
+		}
+
 end:
 	if (ret == 1) {
 		BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
@@ -235,13 +243,16 @@ end:
 		BIO_printf(bio_err," [-engine e]");
 #endif
 		BIO_printf(bio_err," cert1 cert2 ...\n");
+
 		BIO_printf(bio_err,"recognized usages:\n");
-		for(i = 0; i < X509_PURPOSE_get_count(); i++) {
+		for(i = 0; i < X509_PURPOSE_get_count(); i++)
+			{
 			X509_PURPOSE *ptmp;
 			ptmp = X509_PURPOSE_get0(i);
-			BIO_printf(bio_err, "\t%-10s\t%s\n", X509_PURPOSE_get0_sname(ptmp),
-								X509_PURPOSE_get0_name(ptmp));
-		}
+			BIO_printf(bio_err, "\t%-10s\t%s\n",
+				   X509_PURPOSE_get0_sname(ptmp),
+				   X509_PURPOSE_get0_name(ptmp));
+			}
 	}
 	if (vpm) X509_VERIFY_PARAM_free(vpm);
 	if (cert_ctx != NULL) X509_STORE_free(cert_ctx);
@@ -249,7 +260,7 @@ end:
 	sk_X509_pop_free(trusted, X509_free);
 	sk_X509_CRL_pop_free(crls, X509_CRL_free);
 	apps_shutdown();
-	OPENSSL_EXIT(ret);
+	OPENSSL_EXIT(ret < 0 ? 2 : ret);
 	}
 
 static int check(X509_STORE *ctx, char *file,
diff --git a/apps/x509.c b/apps/x509.c
index e6e5e0d..3863ab9 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -288,7 +288,7 @@ int MAIN(int argc, char **argv)
 			days=atoi(*(++argv));
 			if (days == 0)
 				{
-				BIO_printf(STDout,"bad number of days\n");
+				BIO_printf(bio_err,"bad number of days\n");
 				goto bad;
 				}
 			}
@@ -912,7 +912,7 @@ bad:
 				}
 			else if (text == i)
 				{
-				X509_print_ex(out,x,nmflag, certflag);
+				X509_print_ex(STDout,x,nmflag, certflag);
 				}
 			else if (startdate == i)
 				{
diff --git a/crypto/aes/asm/aes-s390x.pl b/crypto/aes/asm/aes-s390x.pl
index 445a1e6..e75dcd0 100644
--- a/crypto/aes/asm/aes-s390x.pl
+++ b/crypto/aes/asm/aes-s390x.pl
@@ -1598,11 +1598,11 @@ $code.=<<___ if(1);
 	lghi	$s1,0x7f
 	nr	$s1,%r0
 	lghi	%r0,0			# query capability vector
-	la	%r1,2*$SIZE_T($sp)
+	la	%r1,$tweak-16($sp)
 	.long	0xb92e0042		# km %r4,%r2
 	llihh	%r1,0x8000
 	srlg	%r1,%r1,32($s1)		# check for 32+function code
-	ng	%r1,2*$SIZE_T($sp)
+	ng	%r1,$tweak-16($sp)
 	lgr	%r0,$s0			# restore the function code
 	la	%r1,0($key1)		# restore $key1
 	jz	.Lxts_km_vanilla
@@ -1628,7 +1628,7 @@ $code.=<<___ if(1);
 
 	lrvg	$s0,$tweak+0($sp)	# load the last tweak
 	lrvg	$s1,$tweak+8($sp)
-	stmg	%r0,%r3,$tweak-32(%r1)	# wipe copy of the key
+	stmg	%r0,%r3,$tweak-32($sp)	# wipe copy of the key
 
 	nill	%r0,0xffdf		# switch back to original function code
 	la	%r1,0($key1)		# restore pointer to $key1
@@ -1684,11 +1684,9 @@ $code.=<<___;
 	lghi	$i1,0x87
 	srag	$i2,$s1,63		# broadcast upper bit
 	ngr	$i1,$i2			# rem
-	srlg	$i2,$s0,63		# carry bit from lower half
-	sllg	$s0,$s0,1
-	sllg	$s1,$s1,1
+	algr	$s0,$s0
+	alcgr	$s1,$s1
 	xgr	$s0,$i1
-	ogr	$s1,$i2
 .Lxts_km_start:
 	lrvgr	$i1,$s0			# flip byte order
 	lrvgr	$i2,$s1
@@ -1745,11 +1743,9 @@ $code.=<<___;
 	lghi	$i1,0x87
 	srag	$i2,$s1,63		# broadcast upper bit
 	ngr	$i1,$i2			# rem
-	srlg	$i2,$s0,63		# carry bit from lower half
-	sllg	$s0,$s0,1
-	sllg	$s1,$s1,1
+	algr	$s0,$s0
+	alcgr	$s1,$s1
 	xgr	$s0,$i1
-	ogr	$s1,$i2
 
 	ltr	$len,$len		# clear zero flag
 	br	$ra
@@ -1781,8 +1777,8 @@ $code.=<<___ if (!$softonly);
 	clr	%r0,%r1
 	jl	.Lxts_enc_software
 
+	st${g}	$ra,5*$SIZE_T($sp)
 	stm${g}	%r6,$s3,6*$SIZE_T($sp)
-	st${g}	$ra,14*$SIZE_T($sp)
 
 	sllg	$len,$len,4		# $len&=~15
 	slgr	$out,$inp
@@ -1830,9 +1826,9 @@ $code.=<<___ if (!$softonly);
 	stg	$i2,8($i3)
 
 .Lxts_enc_km_done:
-	l${g}	$ra,14*$SIZE_T($sp)
-	st${g}	$sp,$tweak($sp)		# wipe tweak
-	st${g}	$sp,$tweak($sp)
+	stg	$sp,$tweak+0($sp)	# wipe tweak
+	stg	$sp,$tweak+8($sp)
+	l${g}	$ra,5*$SIZE_T($sp)
 	lm${g}	%r6,$s3,6*$SIZE_T($sp)
 	br	$ra
 .align	16
@@ -1843,12 +1839,11 @@ $code.=<<___;
 
 	slgr	$out,$inp
 
-	xgr	$s0,$s0			# clear upper half
-	xgr	$s1,$s1
-	lrv	$s0,$stdframe+4($sp)	# load secno
-	lrv	$s1,$stdframe+0($sp)
-	xgr	$s2,$s2
-	xgr	$s3,$s3
+	l${g}	$s3,$stdframe($sp)	# ivp
+	llgf	$s0,0($s3)		# load iv
+	llgf	$s1,4($s3)
+	llgf	$s2,8($s3)
+	llgf	$s3,12($s3)
 	stm${g}	%r2,%r5,2*$SIZE_T($sp)
 	la	$key,0($key2)
 	larl	$tbl,AES_Te
@@ -1864,11 +1859,9 @@ $code.=<<___;
 	lghi	%r1,0x87
 	srag	%r0,$s3,63		# broadcast upper bit
 	ngr	%r1,%r0			# rem
-	srlg	%r0,$s1,63		# carry bit from lower half
-	sllg	$s1,$s1,1
-	sllg	$s3,$s3,1
+	algr	$s1,$s1
+	alcgr	$s3,$s3
 	xgr	$s1,%r1
-	ogr	$s3,%r0
 	lrvgr	$s1,$s1			# flip byte order
 	lrvgr	$s3,$s3
 	srlg	$s0,$s1,32		# smash the tweak to 4x32-bits 
@@ -1917,11 +1910,9 @@ $code.=<<___;
 	lghi	%r1,0x87
 	srag	%r0,$s3,63		# broadcast upper bit
 	ngr	%r1,%r0			# rem
-	srlg	%r0,$s1,63		# carry bit from lower half
-	sllg	$s1,$s1,1
-	sllg	$s3,$s3,1
+	algr	$s1,$s1
+	alcgr	$s3,$s3
 	xgr	$s1,%r1
-	ogr	$s3,%r0
 	lrvgr	$s1,$s1			# flip byte order
 	lrvgr	$s3,$s3
 	srlg	$s0,$s1,32		# smash the tweak to 4x32-bits 
@@ -1956,7 +1947,8 @@ $code.=<<___;
 .size	AES_xts_encrypt,.-AES_xts_encrypt
 ___
 # void AES_xts_decrypt(const char *inp,char *out,size_t len,
-#	const AES_KEY *key1, const AES_KEY *key2,u64 secno);
+#	const AES_KEY *key1, const AES_KEY *key2,
+#	const unsigned char iv[16]);
 #
 $code.=<<___;
 .globl	AES_xts_decrypt
@@ -1988,8 +1980,8 @@ $code.=<<___ if (!$softonly);
 	clr	%r0,%r1
 	jl	.Lxts_dec_software
 
+	st${g}	$ra,5*$SIZE_T($sp)
 	stm${g}	%r6,$s3,6*$SIZE_T($sp)
-	st${g}	$ra,14*$SIZE_T($sp)
 
 	nill	$len,0xfff0		# $len&=~15
 	slgr	$out,$inp
@@ -2028,11 +2020,9 @@ $code.=<<___ if (!$softonly);
 	lghi	$i1,0x87
 	srag	$i2,$s1,63		# broadcast upper bit
 	ngr	$i1,$i2			# rem
-	srlg	$i2,$s0,63		# carry bit from lower half
-	sllg	$s0,$s0,1
-	sllg	$s1,$s1,1
+	algr	$s0,$s0
+	alcgr	$s1,$s1
 	xgr	$s0,$i1
-	ogr	$s1,$i2
 	lrvgr	$i1,$s0			# flip byte order
 	lrvgr	$i2,$s1
 
@@ -2075,9 +2065,9 @@ $code.=<<___ if (!$softonly);
 	stg	$s2,0($i3)
 	stg	$s3,8($i3)
 .Lxts_dec_km_done:
-	l${g}	$ra,14*$SIZE_T($sp)
-	st${g}	$sp,$tweak($sp)		# wipe tweak
-	st${g}	$sp,$tweak($sp)
+	stg	$sp,$tweak+0($sp)	# wipe tweak
+	stg	$sp,$tweak+8($sp)
+	l${g}	$ra,5*$SIZE_T($sp)
 	lm${g}	%r6,$s3,6*$SIZE_T($sp)
 	br	$ra
 .align	16
@@ -2089,12 +2079,11 @@ $code.=<<___;
 	srlg	$len,$len,4
 	slgr	$out,$inp
 
-	xgr	$s0,$s0			# clear upper half
-	xgr	$s1,$s1
-	lrv	$s0,$stdframe+4($sp)	# load secno
-	lrv	$s1,$stdframe+0($sp)
-	xgr	$s2,$s2
-	xgr	$s3,$s3
+	l${g}	$s3,$stdframe($sp)	# ivp
+	llgf	$s0,0($s3)		# load iv
+	llgf	$s1,4($s3)
+	llgf	$s2,8($s3)
+	llgf	$s3,12($s3)
 	stm${g}	%r2,%r5,2*$SIZE_T($sp)
 	la	$key,0($key2)
 	larl	$tbl,AES_Te
@@ -2113,11 +2102,9 @@ $code.=<<___;
 	lghi	%r1,0x87
 	srag	%r0,$s3,63		# broadcast upper bit
 	ngr	%r1,%r0			# rem
-	srlg	%r0,$s1,63		# carry bit from lower half
-	sllg	$s1,$s1,1
-	sllg	$s3,$s3,1
+	algr	$s1,$s1
+	alcgr	$s3,$s3
 	xgr	$s1,%r1
-	ogr	$s3,%r0
 	lrvgr	$s1,$s1			# flip byte order
 	lrvgr	$s3,$s3
 	srlg	$s0,$s1,32		# smash the tweak to 4x32-bits 
@@ -2156,11 +2143,9 @@ $code.=<<___;
 	lghi	%r1,0x87
 	srag	%r0,$s3,63		# broadcast upper bit
 	ngr	%r1,%r0			# rem
-	srlg	%r0,$s1,63		# carry bit from lower half
-	sllg	$s1,$s1,1
-	sllg	$s3,$s3,1
+	algr	$s1,$s1
+	alcgr	$s3,$s3
 	xgr	$s1,%r1
-	ogr	$s3,%r0
 	lrvgr	$i2,$s1			# flip byte order
 	lrvgr	$i3,$s3
 	stmg	$i2,$i3,$tweak($sp)	# save the 1st tweak
@@ -2176,11 +2161,9 @@ $code.=<<___;
 	lghi	%r1,0x87
 	srag	%r0,$s3,63		# broadcast upper bit
 	ngr	%r1,%r0			# rem
-	srlg	%r0,$s1,63		# carry bit from lower half
-	sllg	$s1,$s1,1
-	sllg	$s3,$s3,1
+	algr	$s1,$s1
+	alcgr	$s3,$s3
 	xgr	$s1,%r1
-	ogr	$s3,%r0
 	lrvgr	$s1,$s1			# flip byte order
 	lrvgr	$s3,$s3
 	srlg	$s0,$s1,32		# smash the tweak to 4x32-bits
diff --git a/crypto/aes/asm/aes-x86_64.pl b/crypto/aes/asm/aes-x86_64.pl
index 48fa857..34cbb5d 100755
--- a/crypto/aes/asm/aes-x86_64.pl
+++ b/crypto/aes/asm/aes-x86_64.pl
@@ -36,7 +36,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
 die "can't locate x86_64-xlate.pl";
 
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
 
 $verticalspin=1;	# unlike 32-bit version $verticalspin performs
 			# ~15% better on both AMD and Intel cores
diff --git a/crypto/aes/asm/aesni-sha1-x86_64.pl b/crypto/aes/asm/aesni-sha1-x86_64.pl
index c6f6b33..3c8f6c1 100644
--- a/crypto/aes/asm/aesni-sha1-x86_64.pl
+++ b/crypto/aes/asm/aesni-sha1-x86_64.pl
@@ -69,7 +69,8 @@ $avx=1 if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) &&
 	   `ml64 2>&1` =~ /Version ([0-9]+)\./ &&
 	   $1>=10);
 
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
 
 # void aesni_cbc_sha1_enc(const void *inp,
 #			void *out,
diff --git a/crypto/aes/asm/aesni-x86_64.pl b/crypto/aes/asm/aesni-x86_64.pl
index 499f3b3..0dbb194 100644
--- a/crypto/aes/asm/aesni-x86_64.pl
+++ b/crypto/aes/asm/aesni-x86_64.pl
@@ -172,7 +172,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
 die "can't locate x86_64-xlate.pl";
 
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
 
 $movkey = $PREFIX eq "aesni" ? "movups" : "movups";
 @_4args=$win64?	("%rcx","%rdx","%r8", "%r9") :	# Win64 order
diff --git a/crypto/aes/asm/bsaes-x86_64.pl b/crypto/aes/asm/bsaes-x86_64.pl
index c9c6312..ceb02b5 100644
--- a/crypto/aes/asm/bsaes-x86_64.pl
+++ b/crypto/aes/asm/bsaes-x86_64.pl
@@ -105,7 +105,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
 die "can't locate x86_64-xlate.pl";
 
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
 
 my ($inp,$out,$len,$key,$ivp)=("%rdi","%rsi","%rdx","%rcx");
 my @XMM=map("%xmm$_",(15,0..14));	# best on Atom, +10% over (0..15)
diff --git a/crypto/aes/asm/vpaes-x86_64.pl b/crypto/aes/asm/vpaes-x86_64.pl
index 37998db..41f2e46 100644
--- a/crypto/aes/asm/vpaes-x86_64.pl
+++ b/crypto/aes/asm/vpaes-x86_64.pl
@@ -56,7 +56,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
 die "can't locate x86_64-xlate.pl";
 
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
 
 $PREFIX="vpaes";
 
diff --git a/crypto/asn1/a_strex.c b/crypto/asn1/a_strex.c
index 264ebf2..ead37ac 100644
--- a/crypto/asn1/a_strex.c
+++ b/crypto/asn1/a_strex.c
@@ -567,6 +567,7 @@ int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in)
 	if(mbflag == -1) return -1;
 	mbflag |= MBSTRING_FLAG;
 	stmp.data = NULL;
+	stmp.length = 0;
 	ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING);
 	if(ret < 0) return ret;
 	*out = stmp.data;
diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
index 432722e..fc84cd3 100644
--- a/crypto/asn1/a_verify.c
+++ b/crypto/asn1/a_verify.c
@@ -140,6 +140,12 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
 
 	int mdnid, pknid;
 
+	if (!pkey)
+		{
+		ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ERR_R_PASSED_NULL_PARAMETER);
+		return -1;
+		}
+
 	EVP_MD_CTX_init(&ctx);
 
 	/* Convert signature OID into digest and public key OIDs */
diff --git a/crypto/bio/bss_dgram.c b/crypto/bio/bss_dgram.c
index 3c66dd1..8990909 100644
--- a/crypto/bio/bss_dgram.c
+++ b/crypto/bio/bss_dgram.c
@@ -77,10 +77,20 @@
 #define OPENSSL_SCTP_FORWARD_CUM_TSN_CHUNK_TYPE 0xc0
 #endif
 
-#ifdef OPENSSL_SYS_LINUX
+#if defined(OPENSSL_SYS_LINUX) && !defined(IP_MTU)
 #define IP_MTU      14 /* linux is lame */
 #endif
 
+#if defined(__FreeBSD__) && defined(IN6_IS_ADDR_V4MAPPED)
+/* Standard definition causes type-punning problems. */
+#undef IN6_IS_ADDR_V4MAPPED
+#define s6_addr32 __u6_addr.__u6_addr32
+#define IN6_IS_ADDR_V4MAPPED(a)               \
+        (((a)->s6_addr32[0] == 0) &&          \
+         ((a)->s6_addr32[1] == 0) &&          \
+         ((a)->s6_addr32[2] == htonl(0x0000ffff)))
+#endif
+
 #ifdef WATT32
 #define sock_write SockWrite  /* Watt-32 uses same names */
 #define sock_read  SockRead
@@ -255,7 +265,7 @@ static void dgram_adjust_rcv_timeout(BIO *b)
 	{
 #if defined(SO_RCVTIMEO)
 	bio_dgram_data *data = (bio_dgram_data *)b->ptr;
-	int sz = sizeof(int);
+	union { size_t s; int i; } sz = {0};
 
 	/* Is a timer active? */
 	if (data->next_timeout.tv_sec > 0 || data->next_timeout.tv_usec > 0)
@@ -265,8 +275,10 @@ static void dgram_adjust_rcv_timeout(BIO *b)
 		/* Read current socket timeout */
 #ifdef OPENSSL_SYS_WINDOWS
 		int timeout;
+
+		sz.i = sizeof(timeout);
 		if (getsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO,
-					   (void*)&timeout, &sz) < 0)
+					   (void*)&timeout, &sz.i) < 0)
 			{ perror("getsockopt"); }
 		else
 			{
@@ -274,9 +286,12 @@ static void dgram_adjust_rcv_timeout(BIO *b)
 			data->socket_timeout.tv_usec = (timeout % 1000) * 1000;
 			}
 #else
+		sz.i = sizeof(data->socket_timeout);
 		if ( getsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO, 
 						&(data->socket_timeout), (void *)&sz) < 0)
 			{ perror("getsockopt"); }
+		else if (sizeof(sz.s)!=sizeof(sz.i) && sz.i==0)
+			OPENSSL_assert(sz.s<=sizeof(data->socket_timeout));
 #endif
 
 		/* Get current time */
@@ -445,11 +460,10 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
 	int *ip;
 	struct sockaddr *to = NULL;
 	bio_dgram_data *data = NULL;
-#if defined(IP_MTU_DISCOVER) || defined(IP_MTU)
-	long sockopt_val = 0;
-	socklen_t sockopt_len = 0;
-#endif
-#ifdef OPENSSL_SYS_LINUX
+#if defined(OPENSSL_SYS_LINUX) && (defined(IP_MTU_DISCOVER) || defined(IP_MTU))
+	int sockopt_val = 0;
+	socklen_t sockopt_len;	/* assume that system supporting IP_MTU is
+				 * modern enough to define socklen_t */
 	socklen_t addr_len;
 	union	{
 		struct sockaddr	sa;
@@ -531,7 +545,7 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
 		break;
 		/* (Linux)kernel sets DF bit on outgoing IP packets */
 	case BIO_CTRL_DGRAM_MTU_DISCOVER:
-#ifdef OPENSSL_SYS_LINUX
+#if defined(OPENSSL_SYS_LINUX) && defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DO)
 		addr_len = (socklen_t)sizeof(addr);
 		memset((void *)&addr, 0, sizeof(addr));
 		if (getsockname(b->num, &addr.sa, &addr_len) < 0)
@@ -539,7 +553,6 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
 			ret = 0;
 			break;
 			}
-		sockopt_len = sizeof(sockopt_val);
 		switch (addr.sa.sa_family)
 			{
 		case AF_INET:
@@ -548,7 +561,7 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
 				&sockopt_val, sizeof(sockopt_val))) < 0)
 				perror("setsockopt");
 			break;
-#if OPENSSL_USE_IPV6 && defined(IPV6_MTU_DISCOVER)
+#if OPENSSL_USE_IPV6 && defined(IPV6_MTU_DISCOVER) && defined(IPV6_PMTUDISC_DO)
 		case AF_INET6:
 			sockopt_val = IPV6_PMTUDISC_DO;
 			if ((ret = setsockopt(b->num, IPPROTO_IPV6, IPV6_MTU_DISCOVER,
@@ -565,7 +578,7 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
 		break;
 #endif
 	case BIO_CTRL_DGRAM_QUERY_MTU:
-#ifdef OPENSSL_SYS_LINUX
+#if defined(OPENSSL_SYS_LINUX) && defined(IP_MTU)
 		addr_len = (socklen_t)sizeof(addr);
 		memset((void *)&addr, 0, sizeof(addr));
 		if (getsockname(b->num, &addr.sa, &addr_len) < 0)
@@ -727,12 +740,15 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
 #endif
 		break;
 	case BIO_CTRL_DGRAM_GET_RECV_TIMEOUT:
-#ifdef OPENSSL_SYS_WINDOWS
 		{
-		int timeout, sz = sizeof(timeout);
+		union { size_t s; int i; } sz = {0};
+#ifdef OPENSSL_SYS_WINDOWS
+		int timeout;
 		struct timeval *tv = (struct timeval *)ptr;
+
+		sz.i = sizeof(timeout);
 		if (getsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO,
-			(void*)&timeout, &sz) < 0)
+			(void*)&timeout, &sz.i) < 0)
 			{ perror("getsockopt"); ret = -1; }
 		else
 			{
@@ -740,12 +756,20 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
 			tv->tv_usec = (timeout % 1000) * 1000;
 			ret = sizeof(*tv);
 			}
-		}
 #else
+		sz.i = sizeof(struct timeval);
 		if ( getsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO, 
-			ptr, (void *)&ret) < 0)
+			ptr, (void *)&sz) < 0)
 			{ perror("getsockopt"); ret = -1; }
+		else if (sizeof(sz.s)!=sizeof(sz.i) && sz.i==0)
+			{
+			OPENSSL_assert(sz.s<=sizeof(struct timeval));
+			ret = (int)sz.s;
+			}
+		else
+			ret = sz.i;
 #endif
+		}
 		break;
 #endif
 #if defined(SO_SNDTIMEO)
@@ -765,12 +789,15 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
 #endif
 		break;
 	case BIO_CTRL_DGRAM_GET_SEND_TIMEOUT:
-#ifdef OPENSSL_SYS_WINDOWS
 		{
-		int timeout, sz = sizeof(timeout);
+		union { size_t s; int i; } sz = {0};
+#ifdef OPENSSL_SYS_WINDOWS
+		int timeout;
 		struct timeval *tv = (struct timeval *)ptr;
+
+		sz.i = sizeof(timeout);
 		if (getsockopt(b->num, SOL_SOCKET, SO_SNDTIMEO,
-			(void*)&timeout, &sz) < 0)
+			(void*)&timeout, &sz.i) < 0)
 			{ perror("getsockopt"); ret = -1; }
 		else
 			{
@@ -778,12 +805,20 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
 			tv->tv_usec = (timeout % 1000) * 1000;
 			ret = sizeof(*tv);
 			}
-		}
 #else
+		sz.i = sizeof(struct timeval);
 		if ( getsockopt(b->num, SOL_SOCKET, SO_SNDTIMEO, 
-			ptr, (void *)&ret) < 0)
+			ptr, (void *)&sz) < 0)
 			{ perror("getsockopt"); ret = -1; }
+		else if (sizeof(sz.s)!=sizeof(sz.i) && sz.i==0)
+			{
+			OPENSSL_assert(sz.s<=sizeof(struct timeval));
+			ret = (int)sz.s;
+			}
+		else
+			ret = sz.i;
 #endif
+		}
 		break;
 #endif
 	case BIO_CTRL_DGRAM_GET_SEND_TIMER_EXP:
@@ -955,7 +990,6 @@ static int dgram_sctp_free(BIO *a)
 #ifdef SCTP_AUTHENTICATION_EVENT
 void dgram_sctp_handle_auth_free_key_event(BIO *b, union sctp_notification *snp)
 	{
-	unsigned int sockopt_len = 0;
 	int ret;
 	struct sctp_authkey_event* authkeyevent = &snp->sn_auth_event;
 
@@ -965,9 +999,8 @@ void dgram_sctp_handle_auth_free_key_event(BIO *b, union sctp_notification *snp)
 
 		/* delete key */
 		authkeyid.scact_keynumber = authkeyevent->auth_keynumber;
-		sockopt_len = sizeof(struct sctp_authkeyid);
 		ret = setsockopt(b->num, IPPROTO_SCTP, SCTP_AUTH_DELETE_KEY,
-		      &authkeyid, sockopt_len);
+		      &authkeyid, sizeof(struct sctp_authkeyid));
 		}
 	}
 #endif
@@ -1298,7 +1331,7 @@ static long dgram_sctp_ctrl(BIO *b, int cmd, long num, void *ptr)
 	{
 	long ret=1;
 	bio_dgram_sctp_data *data = NULL;
-	unsigned int sockopt_len = 0;
+	socklen_t sockopt_len = 0;
 	struct sctp_authkeyid authkeyid;
 	struct sctp_authkey *authkey;
 
diff --git a/crypto/bn/asm/bn-mips.S b/crypto/bn/asm/bn-mips.S
index 02097fa..229c709 100644
--- a/crypto/bn/asm/bn-mips.S
+++ b/crypto/bn/asm/bn-mips.S
@@ -582,7 +582,7 @@ bn_div_3_words:
 bn_div_3_words_internal:
 	.set	reorder
 	move	$11,$31
-	bal	bn_div_words
+	bal	bn_div_words_internal
 	move	$31,$11
 	multu	$10,$2
 	lw	$14,-2*4($7)
diff --git a/crypto/bn/asm/mips.pl b/crypto/bn/asm/mips.pl
index c162a3e..38b5164 100644
--- a/crypto/bn/asm/mips.pl
+++ b/crypto/bn/asm/mips.pl
@@ -819,7 +819,7 @@ ___
 $code.=<<___;
 	.set	reorder
 	move	$ta3,$ra
-	bal	bn_div_words
+	bal	bn_div_words_internal
 	move	$ra,$ta3
 	$MULTU	$ta2,$v0
 	$LD	$t2,-2*$BNSZ($a3)
diff --git a/crypto/bn/asm/modexp512-x86_64.pl b/crypto/bn/asm/modexp512-x86_64.pl
index 54aeb01..bfd6e97 100644
--- a/crypto/bn/asm/modexp512-x86_64.pl
+++ b/crypto/bn/asm/modexp512-x86_64.pl
@@ -68,7 +68,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
 die "can't locate x86_64-xlate.pl";
 
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
 
 use strict;
 my $code=".text\n\n";
diff --git a/crypto/bn/asm/x86_64-gf2m.pl b/crypto/bn/asm/x86_64-gf2m.pl
index 1658acb..a30d4ef 100644
--- a/crypto/bn/asm/x86_64-gf2m.pl
+++ b/crypto/bn/asm/x86_64-gf2m.pl
@@ -31,7 +31,7 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
 die "can't locate x86_64-xlate.pl";
 
-open STDOUT,"| $^X $xlate $flavour $output";
+open STDOUT,"| \"$^X\" $xlate $flavour $output";
 
 ($lo,$hi)=("%rax","%rdx");	$a=$lo;
 ($i0,$i1)=("%rsi","%rdi");
diff --git a/crypto/bn/asm/x86_64-mont.pl b/crypto/bn/asm/x86_64-mont.pl
index 5d79b35..17fb94c 100755
--- a/crypto/bn/asm/x86_64-mont.pl
+++ b/crypto/bn/asm/x86_64-mont.pl
@@ -40,7 +40,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
 die "can't locate x86_64-xlate.pl";
 
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
 
 # int bn_mul_mont(
 $rp="%rdi";	# BN_ULONG *rp,
diff --git a/crypto/bn/asm/x86_64-mont5.pl b/crypto/bn/asm/x86_64-mont5.pl
index 057cda2..8f8dc5a 100755
--- a/crypto/bn/asm/x86_64-mont5.pl
+++ b/crypto/bn/asm/x86_64-mont5.pl
@@ -28,7 +28,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
 die "can't locate x86_64-xlate.pl";
 
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
 
 # int bn_mul_mont_gather5(
 $rp="%rdi";	# BN_ULONG *rp,
diff --git a/crypto/bn/bn_div.c b/crypto/bn/bn_div.c
index 52b3304..7b24031 100644
--- a/crypto/bn/bn_div.c
+++ b/crypto/bn/bn_div.c
@@ -141,6 +141,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
     *
     *					<appro@fy.chalmers.se>
     */
+#undef bn_div_words
 #  define bn_div_words(n0,n1,d0)		\
 	({  asm volatile (			\
 		"divl	%4"			\
@@ -155,6 +156,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
     * Same story here, but it's 128-bit by 64-bit division. Wow!
     *					<appro@fy.chalmers.se>
     */
+#  undef bn_div_words
 #  define bn_div_words(n0,n1,d0)		\
 	({  asm volatile (			\
 		"divq	%4"			\
diff --git a/crypto/bn/bn_gcd.c b/crypto/bn/bn_gcd.c
index 4a35211..a808f53 100644
--- a/crypto/bn/bn_gcd.c
+++ b/crypto/bn/bn_gcd.c
@@ -205,6 +205,7 @@ err:
 /* solves ax == 1 (mod n) */
 static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
         const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx);
+
 BIGNUM *BN_mod_inverse(BIGNUM *in,
 	const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx)
 	{
diff --git a/crypto/bn/bn_lcl.h b/crypto/bn/bn_lcl.h
index eecfd8c..817c773 100644
--- a/crypto/bn/bn_lcl.h
+++ b/crypto/bn/bn_lcl.h
@@ -282,16 +282,23 @@ extern "C" {
 #  endif
 # elif defined(__mips) && (defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG))
 #  if defined(__GNUC__) && __GNUC__>=2
-#   define BN_UMULT_HIGH(a,b)	({	\
+#   if __GNUC__>=4 && __GNUC_MINOR__>=4 /* "h" constraint is no more since 4.4 */
+#     define BN_UMULT_HIGH(a,b)		 (((__uint128_t)(a)*(b))>>64)
+#     define BN_UMULT_LOHI(low,high,a,b) ({	\
+	__uint128_t ret=(__uint128_t)(a)*(b);	\
+	(high)=ret>>64; (low)=ret;	 })
+#   else
+#     define BN_UMULT_HIGH(a,b)	({	\
 	register BN_ULONG ret;		\
 	asm ("dmultu	%1,%2"		\
 	     : "=h"(ret)		\
 	     : "r"(a), "r"(b) : "l");	\
 	ret;			})
-#   define BN_UMULT_LOHI(low,high,a,b)	\
+#     define BN_UMULT_LOHI(low,high,a,b)\
 	asm ("dmultu	%2,%3"		\
 	     : "=l"(low),"=h"(high)	\
 	     : "r"(a), "r"(b));
+#    endif
 #  endif
 # endif		/* cpu */
 #endif		/* OPENSSL_NO_ASM */
diff --git a/crypto/bn/bn_word.c b/crypto/bn/bn_word.c
index ee7b87c..de83a15 100644
--- a/crypto/bn/bn_word.c
+++ b/crypto/bn/bn_word.c
@@ -144,26 +144,17 @@ int BN_add_word(BIGNUM *a, BN_ULONG w)
 			a->neg=!(a->neg);
 		return(i);
 		}
-	/* Only expand (and risk failing) if it's possibly necessary */
-	if (((BN_ULONG)(a->d[a->top - 1] + 1) == 0) &&
-			(bn_wexpand(a,a->top+1) == NULL))
-		return(0);
-	i=0;
-	for (;;)
+	for (i=0;w!=0 && i<a->top;i++)
 		{
-		if (i >= a->top)
-			l=w;
-		else
-			l=(a->d[i]+w)&BN_MASK2;
-		a->d[i]=l;
-		if (w > l)
-			w=1;
-		else
-			break;
-		i++;
+		a->d[i] = l = (a->d[i]+w)&BN_MASK2;
+		w = (w>l)?1:0;
 		}
-	if (i >= a->top)
+	if (w && i==a->top)
+		{
+		if (bn_wexpand(a,a->top+1) == NULL) return 0;
 		a->top++;
+		a->d[i]=w;
+		}
 	bn_check_top(a);
 	return(1);
 	}
diff --git a/crypto/conf/conf_mall.c b/crypto/conf/conf_mall.c
index c6f4cb2..213890e 100644
--- a/crypto/conf/conf_mall.c
+++ b/crypto/conf/conf_mall.c
@@ -76,5 +76,6 @@ void OPENSSL_load_builtin_modules(void)
 #ifndef OPENSSL_NO_ENGINE
 	ENGINE_add_conf_module();
 #endif
+	EVP_add_alg_module();
 	}
 
diff --git a/crypto/cryptlib.c b/crypto/cryptlib.c
index d47ab55..304c6b7 100644
--- a/crypto/cryptlib.c
+++ b/crypto/cryptlib.c
@@ -704,6 +704,7 @@ void OPENSSL_cpuid_setup(void)
     }
     else
 	vec = OPENSSL_ia32_cpuid();
+
     /*
      * |(1<<10) sets a reserved bit to signal that variable
      * was initialized already... This is to avoid interference
diff --git a/crypto/cryptlib.h b/crypto/cryptlib.h
index 1761f6b..d26f963 100644
--- a/crypto/cryptlib.h
+++ b/crypto/cryptlib.h
@@ -100,7 +100,7 @@ extern "C" {
 
 void OPENSSL_cpuid_setup(void);
 extern unsigned int OPENSSL_ia32cap_P[];
-void OPENSSL_showfatal(const char *,...);
+void OPENSSL_showfatal(const char *fmta,...);
 void *OPENSSL_stderr(void);
 extern int OPENSSL_NONPIC_relocated;
 
diff --git a/crypto/crypto.h b/crypto/crypto.h
index 793a325..f92fc51 100644
--- a/crypto/crypto.h
+++ b/crypto/crypto.h
@@ -488,10 +488,10 @@ void CRYPTO_get_mem_debug_functions(void (**m)(void *,int,const char *,int,int),
 				    long (**go)(void));
 
 void *CRYPTO_malloc_locked(int num, const char *file, int line);
-void CRYPTO_free_locked(void *);
+void CRYPTO_free_locked(void *ptr);
 void *CRYPTO_malloc(int num, const char *file, int line);
 char *CRYPTO_strdup(const char *str, const char *file, int line);
-void CRYPTO_free(void *);
+void CRYPTO_free(void *ptr);
 void *CRYPTO_realloc(void *addr,int num, const char *file, int line);
 void *CRYPTO_realloc_clean(void *addr,int old_num,int num,const char *file,
 			   int line);
diff --git a/crypto/des/set_key.c b/crypto/des/set_key.c
index d3e69ca..da4d62e 100644
--- a/crypto/des/set_key.c
+++ b/crypto/des/set_key.c
@@ -63,9 +63,8 @@
  * 1.1 added norm_expand_bits
  * 1.0 First working version
  */
-#include "des_locl.h"
-
 #include <openssl/crypto.h>
+#include "des_locl.h"
 
 OPENSSL_IMPLEMENT_GLOBAL(int,DES_check_key,0)	/* defaults to false */
 
diff --git a/crypto/des/str2key.c b/crypto/des/str2key.c
index 9c2054b..1077f99 100644
--- a/crypto/des/str2key.c
+++ b/crypto/des/str2key.c
@@ -56,8 +56,8 @@
  * [including the GNU Public Licence.]
  */
 
-#include "des_locl.h"
 #include <openssl/crypto.h>
+#include "des_locl.h"
 
 void DES_string_to_key(const char *str, DES_cblock *key)
 	{
diff --git a/crypto/ec/ec.h b/crypto/ec/ec.h
index 9d01325..dfe8710 100644
--- a/crypto/ec/ec.h
+++ b/crypto/ec/ec.h
@@ -274,10 +274,10 @@ int EC_GROUP_get_curve_name(const EC_GROUP *group);
 void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag);
 int EC_GROUP_get_asn1_flag(const EC_GROUP *group);
 
-void EC_GROUP_set_point_conversion_form(EC_GROUP *, point_conversion_form_t);
+void EC_GROUP_set_point_conversion_form(EC_GROUP *group, point_conversion_form_t form);
 point_conversion_form_t EC_GROUP_get_point_conversion_form(const EC_GROUP *);
 
-unsigned char *EC_GROUP_get0_seed(const EC_GROUP *);
+unsigned char *EC_GROUP_get0_seed(const EC_GROUP *x);
 size_t EC_GROUP_get_seed_len(const EC_GROUP *);
 size_t EC_GROUP_set_seed(EC_GROUP *, const unsigned char *, size_t len);
 
@@ -626,8 +626,8 @@ int EC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *c
  */
 int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx);
 
-int EC_POINT_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *);
-int EC_POINTs_make_affine(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *);
+int EC_POINT_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx);
+int EC_POINTs_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx);
 
 /** Computes r = generator * n sum_{i=0}^num p[i] * m[i]
  *  \param  group  underlying EC_GROUP object
@@ -800,16 +800,24 @@ const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key);
 int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub);
 
 unsigned EC_KEY_get_enc_flags(const EC_KEY *key);
-void EC_KEY_set_enc_flags(EC_KEY *, unsigned int);
-point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *);
-void EC_KEY_set_conv_form(EC_KEY *, point_conversion_form_t);
+void EC_KEY_set_enc_flags(EC_KEY *eckey, unsigned int flags);
+point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key);
+void EC_KEY_set_conv_form(EC_KEY *eckey, point_conversion_form_t cform);
 /* functions to set/get method specific data  */
-void *EC_KEY_get_key_method_data(EC_KEY *, 
+void *EC_KEY_get_key_method_data(EC_KEY *key, 
 	void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *));
-void EC_KEY_insert_key_method_data(EC_KEY *, void *data,
+/** Sets the key method data of an EC_KEY object, if none has yet been set.
+ *  \param  key              EC_KEY object
+ *  \param  data             opaque data to install.
+ *  \param  dup_func         a function that duplicates |data|.
+ *  \param  free_func        a function that frees |data|.
+ *  \param  clear_free_func  a function that wipes and frees |data|.
+ *  \return the previously set data pointer, or NULL if |data| was inserted.
+ */
+void *EC_KEY_insert_key_method_data(EC_KEY *key, void *data,
 	void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *));
 /* wrapper functions for the underlying EC_GROUP object */
-void EC_KEY_set_asn1_flag(EC_KEY *, int);
+void EC_KEY_set_asn1_flag(EC_KEY *eckey, int asn1_flag);
 
 /** Creates a table of pre-computed multiples of the generator to 
  *  accelerate further EC_KEY operations.
diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c
index bf9fd2d..7fa2475 100644
--- a/crypto/ec/ec_key.c
+++ b/crypto/ec/ec_key.c
@@ -520,18 +520,27 @@ void EC_KEY_set_conv_form(EC_KEY *key, point_conversion_form_t cform)
 void *EC_KEY_get_key_method_data(EC_KEY *key,
 	void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *))
 	{
-	return EC_EX_DATA_get_data(key->method_data, dup_func, free_func, clear_free_func);
+	void *ret;
+
+	CRYPTO_r_lock(CRYPTO_LOCK_EC);
+	ret = EC_EX_DATA_get_data(key->method_data, dup_func, free_func, clear_free_func);
+	CRYPTO_r_unlock(CRYPTO_LOCK_EC);
+
+	return ret;
 	}
 
-void EC_KEY_insert_key_method_data(EC_KEY *key, void *data,
+void *EC_KEY_insert_key_method_data(EC_KEY *key, void *data,
 	void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *))
 	{
 	EC_EXTRA_DATA *ex_data;
+
 	CRYPTO_w_lock(CRYPTO_LOCK_EC);
 	ex_data = EC_EX_DATA_get_data(key->method_data, dup_func, free_func, clear_free_func);
 	if (ex_data == NULL)
 		EC_EX_DATA_set_data(&key->method_data, data, dup_func, free_func, clear_free_func);
 	CRYPTO_w_unlock(CRYPTO_LOCK_EC);
+
+	return ex_data;
 	}
 
 void EC_KEY_set_asn1_flag(EC_KEY *key, int flag)
diff --git a/crypto/ec/ec_pmeth.c b/crypto/ec/ec_pmeth.c
index d1ed66c..66ee397 100644
--- a/crypto/ec/ec_pmeth.c
+++ b/crypto/ec/ec_pmeth.c
@@ -188,7 +188,7 @@ static int pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen)
 
 	pubkey = EC_KEY_get0_public_key(ctx->peerkey->pkey.ec);
 
-	/* NB: unlike PKS#3 DH, if *outlen is less than maximum size this is
+	/* NB: unlike PKCS#3 DH, if *outlen is less than maximum size this is
 	 * not an error, the result is truncated.
 	 */
 
diff --git a/crypto/ec/ecp_mont.c b/crypto/ec/ecp_mont.c
index 079e474..f04f132 100644
--- a/crypto/ec/ecp_mont.c
+++ b/crypto/ec/ecp_mont.c
@@ -114,7 +114,6 @@ const EC_METHOD *EC_GFp_mont_method(void)
 		ec_GFp_mont_field_decode,
 		ec_GFp_mont_field_set_to_one };
 
-
 	return &ret;
 #endif
 	}
diff --git a/crypto/ec/ectest.c b/crypto/ec/ectest.c
index f107782..102eaa9 100644
--- a/crypto/ec/ectest.c
+++ b/crypto/ec/ectest.c
@@ -236,7 +236,7 @@ static void group_order_tests(EC_GROUP *group)
 	}
 
 static void prime_field_tests(void)
-	{	
+	{
 	BN_CTX *ctx = NULL;
 	BIGNUM *p, *a, *b;
 	EC_GROUP *group;
diff --git a/crypto/ecdh/ech_key.c b/crypto/ecdh/ech_key.c
index f44da92..2988899 100644
--- a/crypto/ecdh/ech_key.c
+++ b/crypto/ecdh/ech_key.c
@@ -68,9 +68,6 @@
  */
 
 #include "ech_locl.h"
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
 
 int ECDH_compute_key(void *out, size_t outlen, const EC_POINT *pub_key,
 	EC_KEY *eckey,
diff --git a/crypto/ecdh/ech_lib.c b/crypto/ecdh/ech_lib.c
index dadbfd3..0644431 100644
--- a/crypto/ecdh/ech_lib.c
+++ b/crypto/ecdh/ech_lib.c
@@ -222,8 +222,15 @@ ECDH_DATA *ecdh_check(EC_KEY *key)
 		ecdh_data = (ECDH_DATA *)ecdh_data_new();
 		if (ecdh_data == NULL)
 			return NULL;
-		EC_KEY_insert_key_method_data(key, (void *)ecdh_data,
-			ecdh_data_dup, ecdh_data_free, ecdh_data_free);
+		data = EC_KEY_insert_key_method_data(key, (void *)ecdh_data,
+			   ecdh_data_dup, ecdh_data_free, ecdh_data_free);
+		if (data != NULL)
+			{
+			/* Another thread raced us to install the key_method
+			 * data and won. */
+			ecdh_data_free(ecdh_data);
+			ecdh_data = (ECDH_DATA *)data;
+			}
 	}
 	else
 		ecdh_data = (ECDH_DATA *)data;
diff --git a/crypto/ecdsa/ecs_lib.c b/crypto/ecdsa/ecs_lib.c
index e477da4..814a6bf 100644
--- a/crypto/ecdsa/ecs_lib.c
+++ b/crypto/ecdsa/ecs_lib.c
@@ -200,8 +200,15 @@ ECDSA_DATA *ecdsa_check(EC_KEY *key)
 		ecdsa_data = (ECDSA_DATA *)ecdsa_data_new();
 		if (ecdsa_data == NULL)
 			return NULL;
-		EC_KEY_insert_key_method_data(key, (void *)ecdsa_data,
-			ecdsa_data_dup, ecdsa_data_free, ecdsa_data_free);
+		data = EC_KEY_insert_key_method_data(key, (void *)ecdsa_data,
+			   ecdsa_data_dup, ecdsa_data_free, ecdsa_data_free);
+		if (data != NULL)
+			{
+			/* Another thread raced us to install the key_method
+			 * data and won. */
+			ecdsa_data_free(ecdsa_data);
+			ecdsa_data = (ECDSA_DATA *)data;
+			}
 	}
 	else
 		ecdsa_data = (ECDSA_DATA *)data;
diff --git a/crypto/err/err_all.c b/crypto/err/err_all.c
index bd8946d..8eb547d 100644
--- a/crypto/err/err_all.c
+++ b/crypto/err/err_all.c
@@ -64,7 +64,9 @@
 #endif
 #include <openssl/buffer.h>
 #include <openssl/bio.h>
+#ifndef OPENSSL_NO_COMP
 #include <openssl/comp.h>
+#endif
 #ifndef OPENSSL_NO_RSA
 #include <openssl/rsa.h>
 #endif
@@ -95,6 +97,9 @@
 #include <openssl/ui.h>
 #include <openssl/ocsp.h>
 #include <openssl/err.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
 #include <openssl/ts.h>
 #ifndef OPENSSL_NO_CMS
 #include <openssl/cms.h>
@@ -102,11 +107,6 @@
 #ifndef OPENSSL_NO_JPAKE
 #include <openssl/jpake.h>
 #endif
-#include <openssl/comp.h>
-
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
 
 void ERR_load_crypto_strings(void)
 	{
@@ -130,7 +130,9 @@ void ERR_load_crypto_strings(void)
 	ERR_load_ASN1_strings();
 	ERR_load_CONF_strings();
 	ERR_load_CRYPTO_strings();
+#ifndef OPENSSL_NO_COMP
 	ERR_load_COMP_strings();
+#endif
 #ifndef OPENSSL_NO_EC
 	ERR_load_EC_strings();
 #endif
@@ -153,15 +155,14 @@ void ERR_load_crypto_strings(void)
 #endif
 	ERR_load_OCSP_strings();
 	ERR_load_UI_strings();
+#ifdef OPENSSL_FIPS
+	ERR_load_FIPS_strings();
+#endif
 #ifndef OPENSSL_NO_CMS
 	ERR_load_CMS_strings();
 #endif
 #ifndef OPENSSL_NO_JPAKE
 	ERR_load_JPAKE_strings();
 #endif
-	ERR_load_COMP_strings();
-#endif
-#ifdef OPENSSL_FIPS
-	ERR_load_FIPS_strings();
 #endif
 	}
diff --git a/crypto/evp/c_allc.c b/crypto/evp/c_allc.c
index e230e60..2a45d43 100644
--- a/crypto/evp/c_allc.c
+++ b/crypto/evp/c_allc.c
@@ -195,13 +195,11 @@ void OpenSSL_add_all_ciphers(void)
 	EVP_add_cipher(EVP_aes_256_xts());
 	EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
 	EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
-#if 0  /* Disabled because of timing side-channel leaks. */
 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
 	EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1());
 	EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1());
 #endif
 #endif
-#endif
 
 #ifndef OPENSSL_NO_CAMELLIA
 	EVP_add_cipher(EVP_camellia_128_ecb());
diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
index 467e6b5..6fc469f 100644
--- a/crypto/evp/digest.c
+++ b/crypto/evp/digest.c
@@ -267,6 +267,7 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
 	return FIPS_digestfinal(ctx, md, size);
 #else
 	int ret;
+
 	OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
 	ret=ctx->digest->final(ctx,md);
 	if (size != NULL)
diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
index 1e4af0c..1bfb5d9 100644
--- a/crypto/evp/e_aes.c
+++ b/crypto/evp/e_aes.c
@@ -969,8 +969,6 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 
 	if (!gctx->iv_set)
 		return -1;
-	if (!ctx->encrypt && gctx->taglen < 0)
-		return -1;
 	if (in)
 		{
 		if (out == NULL)
@@ -1012,6 +1010,8 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 		{
 		if (!ctx->encrypt)
 			{
+			if (gctx->taglen < 0)
+				return -1;
 			if (CRYPTO_gcm128_finish(&gctx->gcm,
 					ctx->buf, gctx->taglen) != 0)
 				return -1;
@@ -1217,6 +1217,7 @@ static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 			vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks);
 			CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
 					&cctx->ks, (block128_f)vpaes_encrypt);
+			cctx->str = NULL;
 			cctx->key_set = 1;
 			break;
 			}
diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c
index 710fb79..b7aff44 100644
--- a/crypto/evp/e_aes_cbc_hmac_sha1.c
+++ b/crypto/evp/e_aes_cbc_hmac_sha1.c
@@ -1,5 +1,5 @@
 /* ====================================================================
- * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 2011-2013 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -90,6 +90,10 @@ typedef struct
 	defined(_M_AMD64)	|| defined(_M_X64)	|| \
 	defined(__INTEL__)	)
 
+#if defined(__GNUC__) && __GNUC__>=2 && !defined(PEDANTIC)
+# define BSWAP(x) ({ unsigned int r=(x); asm ("bswapl %0":"=r"(r):"0"(r)); r; })
+#endif
+
 extern unsigned int OPENSSL_ia32cap_P[2];
 #define AESNI_CAPABLE   (1<<(57-32))
 
@@ -167,6 +171,9 @@ static void sha1_update(SHA_CTX *c,const void *data,size_t len)
 		SHA1_Update(c,ptr,res);
 }
 
+#ifdef SHA1_Update
+#undef SHA1_Update
+#endif
 #define SHA1_Update sha1_update
 
 static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
@@ -184,6 +191,8 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 	sha_off = SHA_CBLOCK-key->md.num;
 #endif
 
+	key->payload_length = NO_PAYLOAD_LENGTH;
+
 	if (len%AES_BLOCK_SIZE) return 0;
 
 	if (ctx->encrypt) {
@@ -234,47 +243,203 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 					&key->ks,ctx->iv,1);
 		}
 	} else {
-		unsigned char mac[SHA_DIGEST_LENGTH];
+		union { unsigned int  u[SHA_DIGEST_LENGTH/sizeof(unsigned int)];
+			unsigned char c[SHA_DIGEST_LENGTH]; } mac;
 
 		/* decrypt HMAC|padding at once */
 		aesni_cbc_encrypt(in,out,len,
 				&key->ks,ctx->iv,0);
 
 		if (plen) {	/* "TLS" mode of operation */
-			/* figure out payload length */
-			if (len<(size_t)(out[len-1]+1+SHA_DIGEST_LENGTH))
-				return 0;
-
-			len -= (out[len-1]+1+SHA_DIGEST_LENGTH);
+			size_t inp_len, mask, j, i;
+			unsigned int res, maxpad, pad, bitlen;
+			int ret = 1;
+			union {	unsigned int  u[SHA_LBLOCK];
+				unsigned char c[SHA_CBLOCK]; }
+				*data = (void *)key->md.data;
 
 			if ((key->aux.tls_aad[plen-4]<<8|key->aux.tls_aad[plen-3])
-			    >= TLS1_1_VERSION) {
-				len -= AES_BLOCK_SIZE;
+			    >= TLS1_1_VERSION)
 				iv = AES_BLOCK_SIZE;
-			}
 
-			key->aux.tls_aad[plen-2] = len>>8;
-			key->aux.tls_aad[plen-1] = len;
+			if (len<(iv+SHA_DIGEST_LENGTH+1))
+				return 0;
+
+			/* omit explicit iv */
+			out += iv;
+			len -= iv;
+
+			/* figure out payload length */
+			pad = out[len-1];
+			maxpad = len-(SHA_DIGEST_LENGTH+1);
+			maxpad |= (255-maxpad)>>(sizeof(maxpad)*8-8);
+			maxpad &= 255;
+
+			inp_len = len - (SHA_DIGEST_LENGTH+pad+1);
+			mask = (0-((inp_len-len)>>(sizeof(inp_len)*8-1)));
+			inp_len &= mask;
+			ret &= (int)mask;
 
-			/* calculate HMAC and verify it */
+			key->aux.tls_aad[plen-2] = inp_len>>8;
+			key->aux.tls_aad[plen-1] = inp_len;
+
+			/* calculate HMAC */
 			key->md = key->head;
 			SHA1_Update(&key->md,key->aux.tls_aad,plen);
-			SHA1_Update(&key->md,out+iv,len);
-			SHA1_Final(mac,&key->md);
 
+#if 1
+			len -= SHA_DIGEST_LENGTH;		/* amend mac */
+			if (len>=(256+SHA_CBLOCK)) {
+				j = (len-(256+SHA_CBLOCK))&(0-SHA_CBLOCK);
+				j += SHA_CBLOCK-key->md.num;
+				SHA1_Update(&key->md,out,j);
+				out += j;
+				len -= j;
+				inp_len -= j;
+			}
+
+			/* but pretend as if we hashed padded payload */
+			bitlen = key->md.Nl+(inp_len<<3);	/* at most 18 bits */
+			mac.c[0] = 0;
+			mac.c[1] = (unsigned char)(bitlen>>16);
+			mac.c[2] = (unsigned char)(bitlen>>8);
+			mac.c[3] = (unsigned char)bitlen;
+			bitlen = mac.u[0];
+
+			mac.u[0]=0;
+			mac.u[1]=0;
+			mac.u[2]=0;
+			mac.u[3]=0;
+			mac.u[4]=0;
+
+			for (res=key->md.num, j=0;j<len;j++) {
+				size_t c = out[j];
+				mask = (j-inp_len)>>(sizeof(j)*8-8);
+				c &= mask;
+				c |= 0x80&~mask&~((inp_len-j)>>(sizeof(j)*8-8));
+				data->c[res++]=(unsigned char)c;
+
+				if (res!=SHA_CBLOCK) continue;
+
+				mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1));
+				data->u[SHA_LBLOCK-1] |= bitlen&mask;
+				sha1_block_data_order(&key->md,data,1);
+				mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));
+				mac.u[0] |= key->md.h0 & mask;
+				mac.u[1] |= key->md.h1 & mask;
+				mac.u[2] |= key->md.h2 & mask;
+				mac.u[3] |= key->md.h3 & mask;
+				mac.u[4] |= key->md.h4 & mask;
+				res=0;
+			}
+
+			for(i=res;i<SHA_CBLOCK;i++,j++) data->c[i]=0;
+
+			if (res>SHA_CBLOCK-8) {
+				mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1));
+				data->u[SHA_LBLOCK-1] |= bitlen&mask;
+				sha1_block_data_order(&key->md,data,1);
+				mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));
+				mac.u[0] |= key->md.h0 & mask;
+				mac.u[1] |= key->md.h1 & mask;
+				mac.u[2] |= key->md.h2 & mask;
+				mac.u[3] |= key->md.h3 & mask;
+				mac.u[4] |= key->md.h4 & mask;
+
+				memset(data,0,SHA_CBLOCK);
+				j+=64;
+			}
+			data->u[SHA_LBLOCK-1] = bitlen;
+			sha1_block_data_order(&key->md,data,1);
+			mask = 0-((j-inp_len-73)>>(sizeof(j)*8-1));
+			mac.u[0] |= key->md.h0 & mask;
+			mac.u[1] |= key->md.h1 & mask;
+			mac.u[2] |= key->md.h2 & mask;
+			mac.u[3] |= key->md.h3 & mask;
+			mac.u[4] |= key->md.h4 & mask;
+
+#ifdef BSWAP
+			mac.u[0] = BSWAP(mac.u[0]);
+			mac.u[1] = BSWAP(mac.u[1]);
+			mac.u[2] = BSWAP(mac.u[2]);
+			mac.u[3] = BSWAP(mac.u[3]);
+			mac.u[4] = BSWAP(mac.u[4]);
+#else
+			for (i=0;i<5;i++) {
+				res = mac.u[i];
+				mac.c[4*i+0]=(unsigned char)(res>>24);
+				mac.c[4*i+1]=(unsigned char)(res>>16);
+				mac.c[4*i+2]=(unsigned char)(res>>8);
+				mac.c[4*i+3]=(unsigned char)res;
+			}
+#endif
+			len += SHA_DIGEST_LENGTH;
+#else
+			SHA1_Update(&key->md,out,inp_len);
+			res = key->md.num;
+			SHA1_Final(mac.c,&key->md);
+
+			{
+			unsigned int inp_blocks, pad_blocks;
+
+			/* but pretend as if we hashed padded payload */
+			inp_blocks = 1+((SHA_CBLOCK-9-res)>>(sizeof(res)*8-1));
+			res += (unsigned int)(len-inp_len);
+			pad_blocks = res / SHA_CBLOCK;
+			res %= SHA_CBLOCK;
+			pad_blocks += 1+((SHA_CBLOCK-9-res)>>(sizeof(res)*8-1));
+			for (;inp_blocks<pad_blocks;inp_blocks++)
+				sha1_block_data_order(&key->md,data,1);
+			}
+#endif
 			key->md = key->tail;
-			SHA1_Update(&key->md,mac,SHA_DIGEST_LENGTH);
-			SHA1_Final(mac,&key->md);
+			SHA1_Update(&key->md,mac.c,SHA_DIGEST_LENGTH);
+			SHA1_Final(mac.c,&key->md);
 
-			if (memcmp(out+iv+len,mac,SHA_DIGEST_LENGTH))
-				return 0;
+			/* verify HMAC */
+			out += inp_len;
+			len -= inp_len;
+#if 1
+			{
+			unsigned char *p = out+len-1-maxpad-SHA_DIGEST_LENGTH;
+			size_t off = out-p;
+			unsigned int c, cmask;
+
+			maxpad += SHA_DIGEST_LENGTH;
+			for (res=0,i=0,j=0;j<maxpad;j++) {
+				c = p[j];
+				cmask = ((int)(j-off-SHA_DIGEST_LENGTH))>>(sizeof(int)*8-1);
+				res |= (c^pad)&~cmask;	/* ... and padding */
+				cmask &= ((int)(off-1-j))>>(sizeof(int)*8-1);
+				res |= (c^mac.c[i])&cmask;
+				i += 1&cmask;
+			}
+			maxpad -= SHA_DIGEST_LENGTH;
+
+			res = 0-((0-res)>>(sizeof(res)*8-1));
+			ret &= (int)~res;
+			}
+#else
+			for (res=0,i=0;i<SHA_DIGEST_LENGTH;i++)
+				res |= out[i]^mac.c[i];
+			res = 0-((0-res)>>(sizeof(res)*8-1));
+			ret &= (int)~res;
+
+			/* verify padding */
+			pad = (pad&~res) | (maxpad&res);
+			out = out+len-1-pad;
+			for (res=0,i=0;i<pad;i++)
+				res |= out[i]^pad;
+
+			res = (0-res)>>(sizeof(res)*8-1);
+			ret &= (int)~res;
+#endif
+			return ret;
 		} else {
 			SHA1_Update(&key->md,out,len);
 		}
 	}
 
-	key->payload_length = NO_PAYLOAD_LENGTH;
-
 	return 1;
 	}
 
@@ -309,6 +474,8 @@ static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void
 		SHA1_Init(&key->tail);
 		SHA1_Update(&key->tail,hmac_key,sizeof(hmac_key));
 
+		OPENSSL_cleanse(hmac_key,sizeof(hmac_key));
+
 		return 1;
 		}
 	case EVP_CTRL_AEAD_TLS1_AAD:
diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h
index 8096a72..e43a58e 100644
--- a/crypto/evp/evp.h
+++ b/crypto/evp/evp.h
@@ -402,7 +402,6 @@ struct evp_cipher_st
 /* Length of tag for TLS */
 #define EVP_GCM_TLS_TAG_LEN				16
 
-
 typedef struct evp_cipher_info_st
 	{
 	const EVP_CIPHER *cipher;
@@ -789,8 +788,8 @@ const EVP_CIPHER *EVP_aes_128_cfb128(void);
 # define EVP_aes_128_cfb EVP_aes_128_cfb128
 const EVP_CIPHER *EVP_aes_128_ofb(void);
 const EVP_CIPHER *EVP_aes_128_ctr(void);
-const EVP_CIPHER *EVP_aes_128_gcm(void);
 const EVP_CIPHER *EVP_aes_128_ccm(void);
+const EVP_CIPHER *EVP_aes_128_gcm(void);
 const EVP_CIPHER *EVP_aes_128_xts(void);
 const EVP_CIPHER *EVP_aes_192_ecb(void);
 const EVP_CIPHER *EVP_aes_192_cbc(void);
@@ -800,8 +799,8 @@ const EVP_CIPHER *EVP_aes_192_cfb128(void);
 # define EVP_aes_192_cfb EVP_aes_192_cfb128
 const EVP_CIPHER *EVP_aes_192_ofb(void);
 const EVP_CIPHER *EVP_aes_192_ctr(void);
-const EVP_CIPHER *EVP_aes_192_gcm(void);
 const EVP_CIPHER *EVP_aes_192_ccm(void);
+const EVP_CIPHER *EVP_aes_192_gcm(void);
 const EVP_CIPHER *EVP_aes_256_ecb(void);
 const EVP_CIPHER *EVP_aes_256_cbc(void);
 const EVP_CIPHER *EVP_aes_256_cfb1(void);
@@ -810,8 +809,8 @@ const EVP_CIPHER *EVP_aes_256_cfb128(void);
 # define EVP_aes_256_cfb EVP_aes_256_cfb128
 const EVP_CIPHER *EVP_aes_256_ofb(void);
 const EVP_CIPHER *EVP_aes_256_ctr(void);
-const EVP_CIPHER *EVP_aes_256_gcm(void);
 const EVP_CIPHER *EVP_aes_256_ccm(void);
+const EVP_CIPHER *EVP_aes_256_gcm(void);
 const EVP_CIPHER *EVP_aes_256_xts(void);
 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
 const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void);
@@ -1244,6 +1243,8 @@ void EVP_PKEY_meth_set_ctrl(EVP_PKEY_METHOD *pmeth,
 	int (*ctrl_str)(EVP_PKEY_CTX *ctx,
 					const char *type, const char *value));
 
+void EVP_add_alg_module(void);
+
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
@@ -1258,6 +1259,7 @@ void ERR_load_EVP_strings(void);
 #define EVP_F_AES_INIT_KEY				 133
 #define EVP_F_AES_XTS					 172
 #define EVP_F_AES_XTS_CIPHER				 175
+#define EVP_F_ALG_MODULE_INIT				 177
 #define EVP_F_CAMELLIA_INIT_KEY				 159
 #define EVP_F_CMAC_INIT					 173
 #define EVP_F_D2I_PKEY					 100
@@ -1351,15 +1353,19 @@ void ERR_load_EVP_strings(void);
 #define EVP_R_DIFFERENT_PARAMETERS			 153
 #define EVP_R_DISABLED_FOR_FIPS				 163
 #define EVP_R_ENCODE_ERROR				 115
+#define EVP_R_ERROR_LOADING_SECTION			 165
+#define EVP_R_ERROR_SETTING_FIPS_MODE			 166
 #define EVP_R_EVP_PBE_CIPHERINIT_ERROR			 119
 #define EVP_R_EXPECTING_AN_RSA_KEY			 127
 #define EVP_R_EXPECTING_A_DH_KEY			 128
 #define EVP_R_EXPECTING_A_DSA_KEY			 129
 #define EVP_R_EXPECTING_A_ECDSA_KEY			 141
 #define EVP_R_EXPECTING_A_EC_KEY			 142
+#define EVP_R_FIPS_MODE_NOT_SUPPORTED			 167
 #define EVP_R_INITIALIZATION_ERROR			 134
 #define EVP_R_INPUT_NOT_INITIALIZED			 111
 #define EVP_R_INVALID_DIGEST				 152
+#define EVP_R_INVALID_FIPS_MODE				 168
 #define EVP_R_INVALID_KEY_LENGTH			 130
 #define EVP_R_INVALID_OPERATION				 148
 #define EVP_R_IV_TOO_LARGE				 102
@@ -1384,6 +1390,7 @@ void ERR_load_EVP_strings(void);
 #define EVP_R_TOO_LARGE					 164
 #define EVP_R_UNKNOWN_CIPHER				 160
 #define EVP_R_UNKNOWN_DIGEST				 161
+#define EVP_R_UNKNOWN_OPTION				 169
 #define EVP_R_UNKNOWN_PBE_ALGORITHM			 121
 #define EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS		 135
 #define EVP_R_UNSUPPORTED_ALGORITHM			 156
diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c
new file mode 100644
index 0000000..2e4db30
--- /dev/null
+++ b/crypto/evp/evp_cnf.c
@@ -0,0 +1,125 @@
+/* evp_cnf.c */
+/* Written by Stephen Henson (steve@openssl.org) for the OpenSSL
+ * project 2007.
+ */
+/* ====================================================================
+ * Copyright (c) 2007 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <ctype.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/dso.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
+
+/* Algorithm configuration module. */
+
+static int alg_module_init(CONF_IMODULE *md, const CONF *cnf)
+	{
+	int i;
+	const char *oid_section;
+	STACK_OF(CONF_VALUE) *sktmp;
+	CONF_VALUE *oval;
+	oid_section = CONF_imodule_get_value(md);
+	if(!(sktmp = NCONF_get_section(cnf, oid_section)))
+		{
+		EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_ERROR_LOADING_SECTION);
+		return 0;
+		}
+	for(i = 0; i < sk_CONF_VALUE_num(sktmp); i++)
+		{
+		oval = sk_CONF_VALUE_value(sktmp, i);
+		if (!strcmp(oval->name, "fips_mode"))
+			{
+			int m;
+			if (!X509V3_get_value_bool(oval, &m))
+				{
+				EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_INVALID_FIPS_MODE);
+				return 0;
+				}
+			if (m > 0)
+				{
+#ifdef OPENSSL_FIPS
+				if (!FIPS_mode() && !FIPS_mode_set(1))
+					{
+					EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_ERROR_SETTING_FIPS_MODE);
+					return 0;
+					}
+#else
+				EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_FIPS_MODE_NOT_SUPPORTED);
+				return 0;
+#endif
+				}
+			}
+		else
+			{
+			EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_UNKNOWN_OPTION);
+			ERR_add_error_data(4, "name=", oval->name,
+						", value=", oval->value);
+			}
+				
+		}
+	return 1;
+	}
+
+void EVP_add_alg_module(void)
+	{
+	CONF_module_add("alg_section", alg_module_init, 0);
+	}
diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c
index db0f76d..08eab98 100644
--- a/crypto/evp/evp_err.c
+++ b/crypto/evp/evp_err.c
@@ -75,6 +75,7 @@ static ERR_STRING_DATA EVP_str_functs[]=
 {ERR_FUNC(EVP_F_AES_INIT_KEY),	"AES_INIT_KEY"},
 {ERR_FUNC(EVP_F_AES_XTS),	"AES_XTS"},
 {ERR_FUNC(EVP_F_AES_XTS_CIPHER),	"AES_XTS_CIPHER"},
+{ERR_FUNC(EVP_F_ALG_MODULE_INIT),	"ALG_MODULE_INIT"},
 {ERR_FUNC(EVP_F_CAMELLIA_INIT_KEY),	"CAMELLIA_INIT_KEY"},
 {ERR_FUNC(EVP_F_CMAC_INIT),	"CMAC_INIT"},
 {ERR_FUNC(EVP_F_D2I_PKEY),	"D2I_PKEY"},
@@ -171,15 +172,19 @@ static ERR_STRING_DATA EVP_str_reasons[]=
 {ERR_REASON(EVP_R_DIFFERENT_PARAMETERS)  ,"different parameters"},
 {ERR_REASON(EVP_R_DISABLED_FOR_FIPS)     ,"disabled for fips"},
 {ERR_REASON(EVP_R_ENCODE_ERROR)          ,"encode error"},
+{ERR_REASON(EVP_R_ERROR_LOADING_SECTION) ,"error loading section"},
+{ERR_REASON(EVP_R_ERROR_SETTING_FIPS_MODE),"error setting fips mode"},
 {ERR_REASON(EVP_R_EVP_PBE_CIPHERINIT_ERROR),"evp pbe cipherinit error"},
 {ERR_REASON(EVP_R_EXPECTING_AN_RSA_KEY)  ,"expecting an rsa key"},
 {ERR_REASON(EVP_R_EXPECTING_A_DH_KEY)    ,"expecting a dh key"},
 {ERR_REASON(EVP_R_EXPECTING_A_DSA_KEY)   ,"expecting a dsa key"},
 {ERR_REASON(EVP_R_EXPECTING_A_ECDSA_KEY) ,"expecting a ecdsa key"},
 {ERR_REASON(EVP_R_EXPECTING_A_EC_KEY)    ,"expecting a ec key"},
+{ERR_REASON(EVP_R_FIPS_MODE_NOT_SUPPORTED),"fips mode not supported"},
 {ERR_REASON(EVP_R_INITIALIZATION_ERROR)  ,"initialization error"},
 {ERR_REASON(EVP_R_INPUT_NOT_INITIALIZED) ,"input not initialized"},
 {ERR_REASON(EVP_R_INVALID_DIGEST)        ,"invalid digest"},
+{ERR_REASON(EVP_R_INVALID_FIPS_MODE)     ,"invalid fips mode"},
 {ERR_REASON(EVP_R_INVALID_KEY_LENGTH)    ,"invalid key length"},
 {ERR_REASON(EVP_R_INVALID_OPERATION)     ,"invalid operation"},
 {ERR_REASON(EVP_R_IV_TOO_LARGE)          ,"iv too large"},
@@ -204,6 +209,7 @@ static ERR_STRING_DATA EVP_str_reasons[]=
 {ERR_REASON(EVP_R_TOO_LARGE)             ,"too large"},
 {ERR_REASON(EVP_R_UNKNOWN_CIPHER)        ,"unknown cipher"},
 {ERR_REASON(EVP_R_UNKNOWN_DIGEST)        ,"unknown digest"},
+{ERR_REASON(EVP_R_UNKNOWN_OPTION)        ,"unknown option"},
 {ERR_REASON(EVP_R_UNKNOWN_PBE_ALGORITHM) ,"unknown pbe algorithm"},
 {ERR_REASON(EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS),"unsuported number of rounds"},
 {ERR_REASON(EVP_R_UNSUPPORTED_ALGORITHM) ,"unsupported algorithm"},
diff --git a/crypto/evp/m_dss.c b/crypto/evp/m_dss.c
index 4ad63ad..6fb7e9a 100644
--- a/crypto/evp/m_dss.c
+++ b/crypto/evp/m_dss.c
@@ -60,7 +60,7 @@
 #include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/objects.h>
-#include <openssl/x509.h>
+#include <openssl/sha.h>
 #ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
 #endif
diff --git a/crypto/evp/m_dss1.c b/crypto/evp/m_dss1.c
index f80170e..2df362a 100644
--- a/crypto/evp/m_dss1.c
+++ b/crypto/evp/m_dss1.c
@@ -63,7 +63,7 @@
 
 #include <openssl/evp.h>
 #include <openssl/objects.h>
-#include <openssl/x509.h>
+#include <openssl/sha.h>
 #ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
 #endif
diff --git a/crypto/evp/m_sha1.c b/crypto/evp/m_sha1.c
index 3cb11f1..bd0c01a 100644
--- a/crypto/evp/m_sha1.c
+++ b/crypto/evp/m_sha1.c
@@ -65,7 +65,7 @@
 
 #include <openssl/evp.h>
 #include <openssl/objects.h>
-#include <openssl/x509.h>
+#include <openssl/sha.h>
 #ifndef OPENSSL_NO_RSA
 #include <openssl/rsa.h>
 #endif
diff --git a/crypto/evp/p_sign.c b/crypto/evp/p_sign.c
index dfa48c1..8afb664 100644
--- a/crypto/evp/p_sign.c
+++ b/crypto/evp/p_sign.c
@@ -80,7 +80,7 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, unsigned int *siglen,
 	{
 	unsigned char m[EVP_MAX_MD_SIZE];
 	unsigned int m_len;
-	int i=0,ok=0,v;
+	int i = 0,ok = 0,v;
 	EVP_MD_CTX tmp_ctx;
 	EVP_PKEY_CTX *pkctx = NULL;
 
diff --git a/crypto/evp/p_verify.c b/crypto/evp/p_verify.c
index 5f5c409..c66d63c 100644
--- a/crypto/evp/p_verify.c
+++ b/crypto/evp/p_verify.c
@@ -67,7 +67,7 @@ int EVP_VerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sigbuf,
 	{
 	unsigned char m[EVP_MAX_MD_SIZE];
 	unsigned int m_len;
-	int i=-1,ok=0,v;
+	int i = 0,ok = 0,v;
 	EVP_MD_CTX tmp_ctx;
 	EVP_PKEY_CTX *pkctx = NULL;
 
diff --git a/crypto/md4/md4_dgst.c b/crypto/md4/md4_dgst.c
index 82c2cb2..b5b165b 100644
--- a/crypto/md4/md4_dgst.c
+++ b/crypto/md4/md4_dgst.c
@@ -106,22 +106,23 @@ void md4_block_data_order (MD4_CTX *c, const void *data_, size_t num)
 
 	for (;num--;)
 		{
-	HOST_c2l(data,l); X( 0)=l;		HOST_c2l(data,l); X( 1)=l;
+	(void)HOST_c2l(data,l); X( 0)=l;
+	(void)HOST_c2l(data,l); X( 1)=l;
 	/* Round 0 */
-	R0(A,B,C,D,X( 0), 3,0);	HOST_c2l(data,l); X( 2)=l;
-	R0(D,A,B,C,X( 1), 7,0);	HOST_c2l(data,l); X( 3)=l;
-	R0(C,D,A,B,X( 2),11,0);	HOST_c2l(data,l); X( 4)=l;
-	R0(B,C,D,A,X( 3),19,0);	HOST_c2l(data,l); X( 5)=l;
-	R0(A,B,C,D,X( 4), 3,0);	HOST_c2l(data,l); X( 6)=l;
-	R0(D,A,B,C,X( 5), 7,0);	HOST_c2l(data,l); X( 7)=l;
-	R0(C,D,A,B,X( 6),11,0);	HOST_c2l(data,l); X( 8)=l;
-	R0(B,C,D,A,X( 7),19,0);	HOST_c2l(data,l); X( 9)=l;
-	R0(A,B,C,D,X( 8), 3,0);	HOST_c2l(data,l); X(10)=l;
-	R0(D,A,B,C,X( 9), 7,0);	HOST_c2l(data,l); X(11)=l;
-	R0(C,D,A,B,X(10),11,0);	HOST_c2l(data,l); X(12)=l;
-	R0(B,C,D,A,X(11),19,0);	HOST_c2l(data,l); X(13)=l;
-	R0(A,B,C,D,X(12), 3,0);	HOST_c2l(data,l); X(14)=l;
-	R0(D,A,B,C,X(13), 7,0);	HOST_c2l(data,l); X(15)=l;
+	R0(A,B,C,D,X( 0), 3,0);	(void)HOST_c2l(data,l); X( 2)=l;
+	R0(D,A,B,C,X( 1), 7,0);	(void)HOST_c2l(data,l); X( 3)=l;
+	R0(C,D,A,B,X( 2),11,0);	(void)HOST_c2l(data,l); X( 4)=l;
+	R0(B,C,D,A,X( 3),19,0);	(void)HOST_c2l(data,l); X( 5)=l;
+	R0(A,B,C,D,X( 4), 3,0);	(void)HOST_c2l(data,l); X( 6)=l;
+	R0(D,A,B,C,X( 5), 7,0);	(void)HOST_c2l(data,l); X( 7)=l;
+	R0(C,D,A,B,X( 6),11,0);	(void)HOST_c2l(data,l); X( 8)=l;
+	R0(B,C,D,A,X( 7),19,0);	(void)HOST_c2l(data,l); X( 9)=l;
+	R0(A,B,C,D,X( 8), 3,0);	(void)HOST_c2l(data,l); X(10)=l;
+	R0(D,A,B,C,X( 9), 7,0);	(void)HOST_c2l(data,l); X(11)=l;
+	R0(C,D,A,B,X(10),11,0);	(void)HOST_c2l(data,l); X(12)=l;
+	R0(B,C,D,A,X(11),19,0);	(void)HOST_c2l(data,l); X(13)=l;
+	R0(A,B,C,D,X(12), 3,0);	(void)HOST_c2l(data,l); X(14)=l;
+	R0(D,A,B,C,X(13), 7,0);	(void)HOST_c2l(data,l); X(15)=l;
 	R0(C,D,A,B,X(14),11,0);
 	R0(B,C,D,A,X(15),19,0);
 	/* Round 1 */
diff --git a/crypto/md4/md4_locl.h b/crypto/md4/md4_locl.h
index c8085b0..99c3e50 100644
--- a/crypto/md4/md4_locl.h
+++ b/crypto/md4/md4_locl.h
@@ -77,10 +77,10 @@ void md4_block_data_order (MD4_CTX *c, const void *p,size_t num);
 #define HASH_FINAL		MD4_Final
 #define	HASH_MAKE_STRING(c,s)	do {	\
 	unsigned long ll;		\
-	ll=(c)->A; HOST_l2c(ll,(s));	\
-	ll=(c)->B; HOST_l2c(ll,(s));	\
-	ll=(c)->C; HOST_l2c(ll,(s));	\
-	ll=(c)->D; HOST_l2c(ll,(s));	\
+	ll=(c)->A; (void)HOST_l2c(ll,(s));	\
+	ll=(c)->B; (void)HOST_l2c(ll,(s));	\
+	ll=(c)->C; (void)HOST_l2c(ll,(s));	\
+	ll=(c)->D; (void)HOST_l2c(ll,(s));	\
 	} while (0)
 #define	HASH_BLOCK_DATA_ORDER	md4_block_data_order
 
diff --git a/crypto/md5/asm/md5-x86_64.pl b/crypto/md5/asm/md5-x86_64.pl
index 8678854..f11224d 100755
--- a/crypto/md5/asm/md5-x86_64.pl
+++ b/crypto/md5/asm/md5-x86_64.pl
@@ -120,7 +120,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; my $dir=$1; my $xlate;
 die "can't locate x86_64-xlate.pl";
 
 no warnings qw(uninitialized);
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
 
 $code .= <<EOF;
 .text
diff --git a/crypto/md5/md5_locl.h b/crypto/md5/md5_locl.h
index 968d577..74d63d1 100644
--- a/crypto/md5/md5_locl.h
+++ b/crypto/md5/md5_locl.h
@@ -86,10 +86,10 @@ void md5_block_data_order (MD5_CTX *c, const void *p,size_t num);
 #define HASH_FINAL		MD5_Final
 #define	HASH_MAKE_STRING(c,s)	do {	\
 	unsigned long ll;		\
-	ll=(c)->A; HOST_l2c(ll,(s));	\
-	ll=(c)->B; HOST_l2c(ll,(s));	\
-	ll=(c)->C; HOST_l2c(ll,(s));	\
-	ll=(c)->D; HOST_l2c(ll,(s));	\
+	ll=(c)->A; (void)HOST_l2c(ll,(s));	\
+	ll=(c)->B; (void)HOST_l2c(ll,(s));	\
+	ll=(c)->C; (void)HOST_l2c(ll,(s));	\
+	ll=(c)->D; (void)HOST_l2c(ll,(s));	\
 	} while (0)
 #define	HASH_BLOCK_DATA_ORDER	md5_block_data_order
 
diff --git a/crypto/mdc2/mdc2dgst.c b/crypto/mdc2/mdc2dgst.c
index b74bb1a..d66ed6a 100644
--- a/crypto/mdc2/mdc2dgst.c
+++ b/crypto/mdc2/mdc2dgst.c
@@ -59,9 +59,9 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <openssl/crypto.h>
 #include <openssl/des.h>
 #include <openssl/mdc2.h>
-#include <openssl/crypto.h>
 
 #undef c2l
 #define c2l(c,l)	(l =((DES_LONG)(*((c)++)))    , \
diff --git a/crypto/mem.c b/crypto/mem.c
index 21c0011..1cc62ea 100644
--- a/crypto/mem.c
+++ b/crypto/mem.c
@@ -121,10 +121,10 @@ static void (*set_debug_options_func)(long) = NULL;
 static long (*get_debug_options_func)(void) = NULL;
 #endif
 
-
 int CRYPTO_set_mem_functions(void *(*m)(size_t), void *(*r)(void *, size_t),
 	void (*f)(void *))
 	{
+	/* Dummy call just to ensure OPENSSL_init() gets linked in */
 	OPENSSL_init();
 	if (!allow_customize)
 		return 0;
diff --git a/crypto/modes/asm/ghash-x86.pl b/crypto/modes/asm/ghash-x86.pl
index 6b09669..83c727e 100644
--- a/crypto/modes/asm/ghash-x86.pl
+++ b/crypto/modes/asm/ghash-x86.pl
@@ -635,7 +635,7 @@ sub mmx_loop() {
     { my @lo  = ("mm0","mm1","mm2");
       my @hi  = ("mm3","mm4","mm5");
       my @tmp = ("mm6","mm7");
-      my $off1=0,$off2=0,$i;
+      my ($off1,$off2,$i) = (0,0,);
 
       &add	($Htbl,128);			# optimize for size
       &lea	("edi",&DWP(16+128,"esp"));
@@ -883,7 +883,7 @@ sub reduction_alg9 {	# 17/13 times faster than Intel version
 my ($Xhi,$Xi) = @_;
 
 	# 1st phase
-	&movdqa		($T1,$Xi)		#
+	&movdqa		($T1,$Xi);		#
 	&psllq		($Xi,1);
 	&pxor		($Xi,$T1);		#
 	&psllq		($Xi,5);		#
@@ -1019,7 +1019,7 @@ my ($Xhi,$Xi) = @_;
 	&movdqa		($Xhn,$Xn);
 	 &pxor		($Xhi,$T1);		# "Ii+Xi", consume early
 
-	  &movdqa	($T1,$Xi)		#&reduction_alg9($Xhi,$Xi); 1st phase
+	  &movdqa	($T1,$Xi);		#&reduction_alg9($Xhi,$Xi); 1st phase
 	  &psllq	($Xi,1);
 	  &pxor		($Xi,$T1);		#
 	  &psllq	($Xi,5);		#
diff --git a/crypto/modes/asm/ghash-x86_64.pl b/crypto/modes/asm/ghash-x86_64.pl
index a5ae180..38d779e 100644
--- a/crypto/modes/asm/ghash-x86_64.pl
+++ b/crypto/modes/asm/ghash-x86_64.pl
@@ -50,7 +50,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
 die "can't locate x86_64-xlate.pl";
 
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
 
 # common register layout
 $nlo="%rax";
diff --git a/crypto/modes/gcm128.c b/crypto/modes/gcm128.c
index 7d6d034..0e6ff8b 100644
--- a/crypto/modes/gcm128.c
+++ b/crypto/modes/gcm128.c
@@ -723,7 +723,7 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx,void *key,block128_f block)
 #  endif
 	gcm_init_4bit(ctx->Htable,ctx->H.u);
 #  if	defined(GHASH_ASM_X86)			/* x86 only */
-#   if defined(OPENSSL_IA32_SSE2)
+#   if	defined(OPENSSL_IA32_SSE2)
 	if (OPENSSL_ia32cap_P[0]&(1<<25)) {	/* check SSE bit */
 #   else
 	if (OPENSSL_ia32cap_P[0]&(1<<23)) {	/* check MMX bit */
@@ -1398,7 +1398,7 @@ int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx,const unsigned char *tag,
 	void (*gcm_gmult_p)(u64 Xi[2],const u128 Htable[16])	= ctx->gmult;
 #endif
 
-	if (ctx->mres)
+	if (ctx->mres || ctx->ares)
 		GCM_MUL(ctx,Xi);
 
 	if (is_endian.little) {
diff --git a/crypto/objects/o_names.c b/crypto/objects/o_names.c
index 84380a9..4a548c2 100644
--- a/crypto/objects/o_names.c
+++ b/crypto/objects/o_names.c
@@ -73,7 +73,7 @@ int OBJ_NAME_new_index(unsigned long (*hash_func)(const char *),
 		name_funcs_stack=sk_NAME_FUNCS_new_null();
 		MemCheck_on();
 		}
-	if ((name_funcs_stack == NULL))
+	if (name_funcs_stack == NULL)
 		{
 		/* ERROR */
 		return(0);
diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c
index 415d67e..2767183 100644
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@@ -91,9 +91,12 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
 		{
 		EVP_PKEY *skey;
 		skey = X509_get_pubkey(signer);
-		ret = OCSP_BASICRESP_verify(bs, skey, 0);
-		EVP_PKEY_free(skey);
-		if(ret <= 0)
+		if (skey)
+			{
+			ret = OCSP_BASICRESP_verify(bs, skey, 0);
+			EVP_PKEY_free(skey);
+			}
+		if(!skey || ret <= 0)
 			{
 			OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE);
 			goto end;
@@ -108,6 +111,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
 			init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs);
 		if(!init_res)
 			{
+			ret = -1;
 			OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,ERR_R_X509_LIB);
 			goto end;
 			}
diff --git a/crypto/opensslv.h b/crypto/opensslv.h
index 71be359..dbea4ad 100644
--- a/crypto/opensslv.h
+++ b/crypto/opensslv.h
@@ -25,11 +25,11 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER	0x1000103fL
+#define OPENSSL_VERSION_NUMBER	0x1000104fL
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.1c-fips 10 May 2012"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.1d-fips 5 Feb 2013"
 #else
-#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.1c 10 May 2012"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.1d 5 Feb 2013"
 #endif
 #define OPENSSL_VERSION_PTEXT	" part of " OPENSSL_VERSION_TEXT
 
diff --git a/crypto/pem/pem_all.c b/crypto/pem/pem_all.c
index 3e7a609..eac0460 100644
--- a/crypto/pem/pem_all.c
+++ b/crypto/pem/pem_all.c
@@ -193,7 +193,61 @@ RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **rsa, pem_password_cb *cb,
 
 #endif
 
+#ifdef OPENSSL_FIPS
+
+int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+{
+	if (FIPS_mode())
+		{
+		EVP_PKEY *k;
+		int ret;
+		k = EVP_PKEY_new();
+		if (!k)
+			return 0;
+		EVP_PKEY_set1_RSA(k, x);
+
+		ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
+		EVP_PKEY_free(k);
+		return ret;
+		}
+	else
+		return PEM_ASN1_write_bio((i2d_of_void *)i2d_RSAPrivateKey,
+					PEM_STRING_RSA,bp,x,enc,kstr,klen,cb,u);
+}
+
+#ifndef OPENSSL_NO_FP_API
+int PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+{
+	if (FIPS_mode())
+		{
+		EVP_PKEY *k;
+		int ret;
+		k = EVP_PKEY_new();
+		if (!k)
+			return 0;
+
+		EVP_PKEY_set1_RSA(k, x);
+
+		ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
+		EVP_PKEY_free(k);
+		return ret;
+		}
+	else
+		return PEM_ASN1_write((i2d_of_void *)i2d_RSAPrivateKey,
+					PEM_STRING_RSA,fp,x,enc,kstr,klen,cb,u);
+}
+#endif
+
+#else
+
 IMPLEMENT_PEM_write_cb_const(RSAPrivateKey, RSA, PEM_STRING_RSA, RSAPrivateKey)
+
+#endif
+
 IMPLEMENT_PEM_rw_const(RSAPublicKey, RSA, PEM_STRING_RSA_PUBLIC, RSAPublicKey)
 IMPLEMENT_PEM_rw(RSA_PUBKEY, RSA, PEM_STRING_PUBLIC, RSA_PUBKEY)
 
@@ -223,7 +277,59 @@ DSA *PEM_read_bio_DSAPrivateKey(BIO *bp, DSA **dsa, pem_password_cb *cb,
 	return pkey_get_dsa(pktmp, dsa);	/* will free pktmp */
 }
 
+#ifdef OPENSSL_FIPS
+
+int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+{
+	if (FIPS_mode())
+		{
+		EVP_PKEY *k;
+		int ret;
+		k = EVP_PKEY_new();
+		if (!k)
+			return 0;
+		EVP_PKEY_set1_DSA(k, x);
+
+		ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
+		EVP_PKEY_free(k);
+		return ret;
+		}
+	else
+		return PEM_ASN1_write_bio((i2d_of_void *)i2d_DSAPrivateKey,
+					PEM_STRING_DSA,bp,x,enc,kstr,klen,cb,u);
+}
+
+#ifndef OPENSSL_NO_FP_API
+int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+{
+	if (FIPS_mode())
+		{
+		EVP_PKEY *k;
+		int ret;
+		k = EVP_PKEY_new();
+		if (!k)
+			return 0;
+		EVP_PKEY_set1_DSA(k, x);
+		ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
+		EVP_PKEY_free(k);
+		return ret;
+		}
+	else
+		return PEM_ASN1_write((i2d_of_void *)i2d_DSAPrivateKey,
+					PEM_STRING_DSA,fp,x,enc,kstr,klen,cb,u);
+}
+#endif
+
+#else
+
 IMPLEMENT_PEM_write_cb_const(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey)
+
+#endif
+
 IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY)
 
 #ifndef OPENSSL_NO_FP_API
@@ -269,8 +375,63 @@ EC_KEY *PEM_read_bio_ECPrivateKey(BIO *bp, EC_KEY **key, pem_password_cb *cb,
 
 IMPLEMENT_PEM_rw_const(ECPKParameters, EC_GROUP, PEM_STRING_ECPARAMETERS, ECPKParameters)
 
+
+
+#ifdef OPENSSL_FIPS
+
+int PEM_write_bio_ECPrivateKey(BIO *bp, EC_KEY *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+{
+	if (FIPS_mode())
+		{
+		EVP_PKEY *k;
+		int ret;
+		k = EVP_PKEY_new();
+		if (!k)
+			return 0;
+		EVP_PKEY_set1_EC_KEY(k, x);
+
+		ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
+		EVP_PKEY_free(k);
+		return ret;
+		}
+	else
+		return PEM_ASN1_write_bio((i2d_of_void *)i2d_ECPrivateKey,
+						PEM_STRING_ECPRIVATEKEY,
+						bp,x,enc,kstr,klen,cb,u);
+}
+
+#ifndef OPENSSL_NO_FP_API
+int PEM_write_ECPrivateKey(FILE *fp, EC_KEY *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+{
+	if (FIPS_mode())
+		{
+		EVP_PKEY *k;
+		int ret;
+		k = EVP_PKEY_new();
+		if (!k)
+			return 0;
+		EVP_PKEY_set1_EC_KEY(k, x);
+		ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
+		EVP_PKEY_free(k);
+		return ret;
+		}
+	else
+		return PEM_ASN1_write((i2d_of_void *)i2d_ECPrivateKey,
+						PEM_STRING_ECPRIVATEKEY,
+						fp,x,enc,kstr,klen,cb,u);
+}
+#endif
+
+#else
+
 IMPLEMENT_PEM_write_cb(ECPrivateKey, EC_KEY, PEM_STRING_ECPRIVATEKEY, ECPrivateKey)
 
+#endif
+
 IMPLEMENT_PEM_rw(EC_PUBKEY, EC_KEY, PEM_STRING_PUBLIC, EC_PUBKEY)
 
 #ifndef OPENSSL_NO_FP_API
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
index cfc89a9..5a421fc 100644
--- a/crypto/pem/pem_lib.c
+++ b/crypto/pem/pem_lib.c
@@ -394,7 +394,8 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp,
 			goto err;
 		/* The 'iv' is used as the iv and as a salt.  It is
 		 * NOT taken from the BytesToKey function */
-		EVP_BytesToKey(enc,EVP_md5(),iv,kstr,klen,1,key,NULL);
+		if (!EVP_BytesToKey(enc,EVP_md5(),iv,kstr,klen,1,key,NULL))
+			goto err;
 
 		if (kstr == (unsigned char *)buf) OPENSSL_cleanse(buf,PEM_BUFSIZE);
 
@@ -406,12 +407,15 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp,
 		/* k=strlen(buf); */
 
 		EVP_CIPHER_CTX_init(&ctx);
-		EVP_EncryptInit_ex(&ctx,enc,NULL,key,iv);
-		EVP_EncryptUpdate(&ctx,data,&j,data,i);
-		EVP_EncryptFinal_ex(&ctx,&(data[j]),&i);
+		ret = 1;
+		if (!EVP_EncryptInit_ex(&ctx,enc,NULL,key,iv)
+			|| !EVP_EncryptUpdate(&ctx,data,&j,data,i)
+			|| !EVP_EncryptFinal_ex(&ctx,&(data[j]),&i))
+			ret = 0;
 		EVP_CIPHER_CTX_cleanup(&ctx);
+		if (ret == 0)
+			goto err;
 		i+=j;
-		ret=1;
 		}
 	else
 		{
@@ -459,14 +463,17 @@ int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen,
 	ebcdic2ascii(buf, buf, klen);
 #endif
 
-	EVP_BytesToKey(cipher->cipher,EVP_md5(),&(cipher->iv[0]),
-		(unsigned char *)buf,klen,1,key,NULL);
+	if (!EVP_BytesToKey(cipher->cipher,EVP_md5(),&(cipher->iv[0]),
+		(unsigned char *)buf,klen,1,key,NULL))
+		return 0;
 
 	j=(int)len;
 	EVP_CIPHER_CTX_init(&ctx);
-	EVP_DecryptInit_ex(&ctx,cipher->cipher,NULL, key,&(cipher->iv[0]));
-	EVP_DecryptUpdate(&ctx,data,&i,data,j);
-	o=EVP_DecryptFinal_ex(&ctx,&(data[i]),&j);
+	o = EVP_DecryptInit_ex(&ctx,cipher->cipher,NULL, key,&(cipher->iv[0]));
+	if (o)
+		o = EVP_DecryptUpdate(&ctx,data,&i,data,j);
+	if (o)
+		o = EVP_DecryptFinal_ex(&ctx,&(data[i]),&j);
 	EVP_CIPHER_CTX_cleanup(&ctx);
 	OPENSSL_cleanse((char *)buf,sizeof(buf));
 	OPENSSL_cleanse((char *)key,sizeof(key));
diff --git a/crypto/pem/pem_seal.c b/crypto/pem/pem_seal.c
index 59690b5..b6b4e13 100644
--- a/crypto/pem/pem_seal.c
+++ b/crypto/pem/pem_seal.c
@@ -96,7 +96,8 @@ int PEM_SealInit(PEM_ENCODE_SEAL_CTX *ctx, EVP_CIPHER *type, EVP_MD *md_type,
 	EVP_EncodeInit(&ctx->encode);
 
 	EVP_MD_CTX_init(&ctx->md);
-	EVP_SignInit(&ctx->md,md_type);
+	if (!EVP_SignInit(&ctx->md,md_type))
+		goto err;
 
 	EVP_CIPHER_CTX_init(&ctx->cipher);
 	ret=EVP_SealInit(&ctx->cipher,type,ek,ekl,iv,pubk,npubk);
@@ -163,7 +164,8 @@ int PEM_SealFinal(PEM_ENCODE_SEAL_CTX *ctx, unsigned char *sig, int *sigl,
 		goto err;
 		}
 
-	EVP_EncryptFinal_ex(&ctx->cipher,s,(int *)&i);
+	if (!EVP_EncryptFinal_ex(&ctx->cipher,s,(int *)&i))
+		goto err;
 	EVP_EncodeUpdate(&ctx->encode,out,&j,s,i);
 	*outl=j;
 	out+=j;
diff --git a/crypto/perlasm/cbc.pl b/crypto/perlasm/cbc.pl
index 6fc2510..24561e7 100644
--- a/crypto/perlasm/cbc.pl
+++ b/crypto/perlasm/cbc.pl
@@ -150,7 +150,7 @@ sub cbc
 &set_label("PIC_point");
 	&blindpop("edx");
 	&lea("ecx",&DWP(&label("cbc_enc_jmp_table")."-".&label("PIC_point"),"edx"));
-	&mov($count,&DWP(0,"ecx",$count,4))
+	&mov($count,&DWP(0,"ecx",$count,4));
 	&add($count,"edx");
 	&xor("ecx","ecx");
 	&xor("edx","edx");
diff --git a/crypto/perlasm/x86masm.pl b/crypto/perlasm/x86masm.pl
index 96b1b73..f937d07 100644
--- a/crypto/perlasm/x86masm.pl
+++ b/crypto/perlasm/x86masm.pl
@@ -33,6 +33,7 @@ sub ::generic
 sub ::call	{ &::emit("call",(&::islabel($_[0]) or "$nmdecor$_[0]")); }
 sub ::call_ptr	{ &::emit("call",@_);	}
 sub ::jmp_ptr	{ &::emit("jmp",@_);	}
+sub ::lock	{ &::data_byte(0xf0);	}
 
 sub get_mem
 { my($size,$addr,$reg1,$reg2,$idx)=@_;
diff --git a/crypto/pkcs12/p12_key.c b/crypto/pkcs12/p12_key.c
index c55c7b6..61d5850 100644
--- a/crypto/pkcs12/p12_key.c
+++ b/crypto/pkcs12/p12_key.c
@@ -176,24 +176,32 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
 		out += u;
 		for (j = 0; j < v; j++) B[j] = Ai[j % u];
 		/* Work out B + 1 first then can use B as tmp space */
-		if (!BN_bin2bn (B, v, Bpl1)) goto err;
-		if (!BN_add_word (Bpl1, 1)) goto err;
+		if (!BN_bin2bn (B, v, Bpl1))
+			goto err;
+		if (!BN_add_word (Bpl1, 1))
+			goto err;
 		for (j = 0; j < Ilen ; j+=v) {
-			if (!BN_bin2bn (I + j, v, Ij)) goto err;
-			if (!BN_add (Ij, Ij, Bpl1)) goto err;
-			BN_bn2bin (Ij, B);
+			if (!BN_bin2bn(I + j, v, Ij))
+				goto err;
+			if (!BN_add(Ij, Ij, Bpl1))
+				goto err;
+			if (!BN_bn2bin(Ij, B))
+				goto err;
 			Ijlen = BN_num_bytes (Ij);
 			/* If more than 2^(v*8) - 1 cut off MSB */
 			if (Ijlen > v) {
-				BN_bn2bin (Ij, B);
+				if (!BN_bn2bin (Ij, B))
+					goto err;
 				memcpy (I + j, B + 1, v);
 #ifndef PKCS12_BROKEN_KEYGEN
 			/* If less than v bytes pad with zeroes */
 			} else if (Ijlen < v) {
 				memset(I + j, 0, v - Ijlen);
-				BN_bn2bin(Ij, I + j + v - Ijlen); 
+				if (!BN_bn2bin(Ij, I + j + v - Ijlen))
+					goto err;
 #endif
-			} else BN_bn2bin (Ij, I + j);
+			} else if (!BN_bn2bin (Ij, I + j))
+				goto err;
 		}
 	}
 
diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c
index fcdd3f2..1e3bcb9 100644
--- a/crypto/rand/md_rand.c
+++ b/crypto/rand/md_rand.c
@@ -123,10 +123,10 @@
 
 #include "e_os.h"
 
+#include <openssl/crypto.h>
 #include <openssl/rand.h>
 #include "rand_lcl.h"
 
-#include <openssl/crypto.h>
 #include <openssl/err.h>
 
 #ifdef BN_DEBUG
diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
index daf1dab..476a0cd 100644
--- a/crypto/rand/rand_lib.c
+++ b/crypto/rand/rand_lib.c
@@ -210,8 +210,11 @@ static size_t drbg_get_entropy(DRBG_CTX *ctx, unsigned char **pout,
 
 static void drbg_free_entropy(DRBG_CTX *ctx, unsigned char *out, size_t olen)
 	{
-	OPENSSL_cleanse(out, olen);
-	OPENSSL_free(out);
+	if (out)
+		{
+		OPENSSL_cleanse(out, olen);
+		OPENSSL_free(out);
+		}
 	}
 
 /* Set "additional input" when generating random data. This uses the
diff --git a/crypto/rand/randfile.c b/crypto/rand/randfile.c
index 030e07f..7f14280 100644
--- a/crypto/rand/randfile.c
+++ b/crypto/rand/randfile.c
@@ -57,7 +57,9 @@
  */
 
 /* We need to define this to get macros like S_IFBLK and S_IFCHR */
+#if !defined(OPENSSL_SYS_VXWORKS)
 #define _XOPEN_SOURCE 500
+#endif
 
 #include <errno.h>
 #include <stdio.h>
diff --git a/crypto/rc4/asm/rc4-md5-x86_64.pl b/crypto/rc4/asm/rc4-md5-x86_64.pl
index 7f68409..272fa91 100644
--- a/crypto/rc4/asm/rc4-md5-x86_64.pl
+++ b/crypto/rc4/asm/rc4-md5-x86_64.pl
@@ -51,7 +51,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; my $dir=$1; my $xlate;
 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
 die "can't locate x86_64-xlate.pl";
 
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
 
 my ($dat,$in0,$out,$ctx,$inp,$len, $func,$nargs);
 
diff --git a/crypto/rc4/asm/rc4-x86_64.pl b/crypto/rc4/asm/rc4-x86_64.pl
index d6eac20..75750db 100755
--- a/crypto/rc4/asm/rc4-x86_64.pl
+++ b/crypto/rc4/asm/rc4-x86_64.pl
@@ -112,7 +112,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
 die "can't locate x86_64-xlate.pl";
 
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
 
 $dat="%rdi";	    # arg1
 $len="%rsi";	    # arg2
diff --git a/crypto/ripemd/rmd_dgst.c b/crypto/ripemd/rmd_dgst.c
index 63f0d98..d8e72da 100644
--- a/crypto/ripemd/rmd_dgst.c
+++ b/crypto/ripemd/rmd_dgst.c
@@ -105,21 +105,21 @@ void ripemd160_block_data_order (RIPEMD160_CTX *ctx, const void *p, size_t num)
 
 	A=ctx->A; B=ctx->B; C=ctx->C; D=ctx->D; E=ctx->E;
 
-	HOST_c2l(data,l); X( 0)=l;	HOST_c2l(data,l); X( 1)=l;
-	RIP1(A,B,C,D,E,WL00,SL00);	HOST_c2l(data,l); X( 2)=l;
-	RIP1(E,A,B,C,D,WL01,SL01);	HOST_c2l(data,l); X( 3)=l;
-	RIP1(D,E,A,B,C,WL02,SL02);	HOST_c2l(data,l); X( 4)=l;
-	RIP1(C,D,E,A,B,WL03,SL03);	HOST_c2l(data,l); X( 5)=l;
-	RIP1(B,C,D,E,A,WL04,SL04);	HOST_c2l(data,l); X( 6)=l;
-	RIP1(A,B,C,D,E,WL05,SL05);	HOST_c2l(data,l); X( 7)=l;
-	RIP1(E,A,B,C,D,WL06,SL06);	HOST_c2l(data,l); X( 8)=l;
-	RIP1(D,E,A,B,C,WL07,SL07);	HOST_c2l(data,l); X( 9)=l;
-	RIP1(C,D,E,A,B,WL08,SL08);	HOST_c2l(data,l); X(10)=l;
-	RIP1(B,C,D,E,A,WL09,SL09);	HOST_c2l(data,l); X(11)=l;
-	RIP1(A,B,C,D,E,WL10,SL10);	HOST_c2l(data,l); X(12)=l;
-	RIP1(E,A,B,C,D,WL11,SL11);	HOST_c2l(data,l); X(13)=l;
-	RIP1(D,E,A,B,C,WL12,SL12);	HOST_c2l(data,l); X(14)=l;
-	RIP1(C,D,E,A,B,WL13,SL13);	HOST_c2l(data,l); X(15)=l;
+	(void)HOST_c2l(data,l); X( 0)=l;(void)HOST_c2l(data,l); X( 1)=l;
+	RIP1(A,B,C,D,E,WL00,SL00);	(void)HOST_c2l(data,l); X( 2)=l;
+	RIP1(E,A,B,C,D,WL01,SL01);	(void)HOST_c2l(data,l); X( 3)=l;
+	RIP1(D,E,A,B,C,WL02,SL02);	(void)HOST_c2l(data,l); X( 4)=l;
+	RIP1(C,D,E,A,B,WL03,SL03);	(void)HOST_c2l(data,l); X( 5)=l;
+	RIP1(B,C,D,E,A,WL04,SL04);	(void)HOST_c2l(data,l); X( 6)=l;
+	RIP1(A,B,C,D,E,WL05,SL05);	(void)HOST_c2l(data,l); X( 7)=l;
+	RIP1(E,A,B,C,D,WL06,SL06);	(void)HOST_c2l(data,l); X( 8)=l;
+	RIP1(D,E,A,B,C,WL07,SL07);	(void)HOST_c2l(data,l); X( 9)=l;
+	RIP1(C,D,E,A,B,WL08,SL08);	(void)HOST_c2l(data,l); X(10)=l;
+	RIP1(B,C,D,E,A,WL09,SL09);	(void)HOST_c2l(data,l); X(11)=l;
+	RIP1(A,B,C,D,E,WL10,SL10);	(void)HOST_c2l(data,l); X(12)=l;
+	RIP1(E,A,B,C,D,WL11,SL11);	(void)HOST_c2l(data,l); X(13)=l;
+	RIP1(D,E,A,B,C,WL12,SL12);	(void)HOST_c2l(data,l); X(14)=l;
+	RIP1(C,D,E,A,B,WL13,SL13);	(void)HOST_c2l(data,l); X(15)=l;
 	RIP1(B,C,D,E,A,WL14,SL14);
 	RIP1(A,B,C,D,E,WL15,SL15);
 
diff --git a/crypto/ripemd/rmd_locl.h b/crypto/ripemd/rmd_locl.h
index f14b346..2bd8957 100644
--- a/crypto/ripemd/rmd_locl.h
+++ b/crypto/ripemd/rmd_locl.h
@@ -88,11 +88,11 @@ void ripemd160_block_data_order (RIPEMD160_CTX *c, const void *p,size_t num);
 #define HASH_FINAL              RIPEMD160_Final
 #define	HASH_MAKE_STRING(c,s)	do {	\
 	unsigned long ll;		\
-	ll=(c)->A; HOST_l2c(ll,(s));	\
-	ll=(c)->B; HOST_l2c(ll,(s));	\
-	ll=(c)->C; HOST_l2c(ll,(s));	\
-	ll=(c)->D; HOST_l2c(ll,(s));	\
-	ll=(c)->E; HOST_l2c(ll,(s));	\
+	ll=(c)->A; (void)HOST_l2c(ll,(s));	\
+	ll=(c)->B; (void)HOST_l2c(ll,(s));	\
+	ll=(c)->C; (void)HOST_l2c(ll,(s));	\
+	ll=(c)->D; (void)HOST_l2c(ll,(s));	\
+	ll=(c)->E; (void)HOST_l2c(ll,(s));	\
 	} while (0)
 #define HASH_BLOCK_DATA_ORDER   ripemd160_block_data_order
 
diff --git a/crypto/rsa/rsa.h b/crypto/rsa/rsa.h
index 4814a2f..5f269e5 100644
--- a/crypto/rsa/rsa.h
+++ b/crypto/rsa/rsa.h
@@ -280,7 +280,7 @@ struct rsa_st
 
 RSA *	RSA_new(void);
 RSA *	RSA_new_method(ENGINE *engine);
-int	RSA_size(const RSA *);
+int	RSA_size(const RSA *rsa);
 
 /* Deprecated version */
 #ifndef OPENSSL_NO_DEPRECATED
diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c
index 2e1ddd4..88ee2cb 100644
--- a/crypto/rsa/rsa_eay.c
+++ b/crypto/rsa/rsa_eay.c
@@ -847,12 +847,12 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
 	if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err;
 
 	/* If p < q it is occasionally possible for the correction of
-         * adding 'p' if r0 is negative above to leave the result still
+	 * adding 'p' if r0 is negative above to leave the result still
 	 * negative. This can break the private key operations: the following
 	 * second correction should *always* correct this rare occurrence.
 	 * This will *never* happen with OpenSSL generated keys because
-         * they ensure p > q [steve]
-         */
+	 * they ensure p > q [steve]
+	 */
 	if (BN_is_negative(r0))
 		if (!BN_add(r0,r0,rsa->p)) goto err;
 	if (!BN_mul(r1,r0,rsa->q,ctx)) goto err;
diff --git a/crypto/sha/asm/sha1-armv4-large.S b/crypto/sha/asm/sha1-armv4-large.S
index 97ad8be..639ae78 100644
--- a/crypto/sha/asm/sha1-armv4-large.S
+++ b/crypto/sha/asm/sha1-armv4-large.S
@@ -145,7 +145,7 @@ sha1_block_data_order:
 	add	r3,r3,r10			@ E+=F_00_19(B,C,D)
 	teq	r14,sp
 	bne	.L_00_15		@ [((11+4)*5+2)*3]
-	sub	sp,sp,#5*4
+	sub	sp,sp,#25*4
 #if __ARM_ARCH__<7
 	ldrb	r10,[r1,#2]
 	ldrb	r9,[r1,#3]
@@ -241,7 +241,6 @@ sha1_block_data_order:
 	add	r3,r3,r10			@ E+=F_00_19(B,C,D)
 
 	ldr	r8,.LK_20_39		@ [+15+16*4]
-	sub	sp,sp,#20*4
 	cmn	sp,#0			@ [+3], clear carry to denote 20_39
 .L_20_39_or_60_79:
 	ldr	r9,[r14,#15*4]
diff --git a/crypto/sha/asm/sha1-armv4-large.pl b/crypto/sha/asm/sha1-armv4-large.pl
index db83c51..33da3e0 100644
--- a/crypto/sha/asm/sha1-armv4-large.pl
+++ b/crypto/sha/asm/sha1-armv4-large.pl
@@ -177,7 +177,7 @@ for($i=0;$i<5;$i++) {
 $code.=<<___;
 	teq	$Xi,sp
 	bne	.L_00_15		@ [((11+4)*5+2)*3]
-	sub	sp,sp,#5*4
+	sub	sp,sp,#25*4
 ___
 	&BODY_00_15(@V);	unshift(@V,pop(@V));
 	&BODY_16_19(@V);	unshift(@V,pop(@V));
@@ -187,7 +187,6 @@ ___
 $code.=<<___;
 
 	ldr	$K,.LK_20_39		@ [+15+16*4]
-	sub	sp,sp,#20*4
 	cmn	sp,#0			@ [+3], clear carry to denote 20_39
 .L_20_39_or_60_79:
 ___
diff --git a/crypto/sha/asm/sha1-ia64.pl b/crypto/sha/asm/sha1-ia64.pl
index db28f08..02d35d1 100644
--- a/crypto/sha/asm/sha1-ia64.pl
+++ b/crypto/sha/asm/sha1-ia64.pl
@@ -271,7 +271,8 @@ tmp6=loc13;
 
 ___
 
-{ my $i,@V=($A,$B,$C,$D,$E);
+{ my $i;
+  my @V=($A,$B,$C,$D,$E);
 
 	for($i=0;$i<16;$i++)	{ &BODY_00_15(\$code,$i,@V); unshift(@V,pop(@V)); }
 	for(;$i<20;$i++)	{ &BODY_16_19(\$code,$i,@V); unshift(@V,pop(@V)); }
diff --git a/crypto/sha/asm/sha1-sparcv9a.pl b/crypto/sha/asm/sha1-sparcv9a.pl
index 85e8d68..e65291b 100644
--- a/crypto/sha/asm/sha1-sparcv9a.pl
+++ b/crypto/sha/asm/sha1-sparcv9a.pl
@@ -549,7 +549,7 @@ ___
 # programmer detect if current CPU is VIS capable at run-time.
 sub unvis {
 my ($mnemonic,$rs1,$rs2,$rd)=@_;
-my $ref,$opf;
+my ($ref,$opf);
 my %visopf = (	"fmul8ulx16"	=> 0x037,
 		"faligndata"	=> 0x048,
 		"fpadd32"	=> 0x052,
diff --git a/crypto/sha/asm/sha1-x86_64.pl b/crypto/sha/asm/sha1-x86_64.pl
index f27c1e3..cfdc45c 100755
--- a/crypto/sha/asm/sha1-x86_64.pl
+++ b/crypto/sha/asm/sha1-x86_64.pl
@@ -82,7 +82,8 @@ $avx=1 if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) &&
 	   `ml64 2>&1` =~ /Version ([0-9]+)\./ &&
 	   $1>=10);
 
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
 
 $ctx="%rdi";	# 1st arg
 $inp="%rsi";	# 2nd arg
diff --git a/crypto/sha/asm/sha512-586.pl b/crypto/sha/asm/sha512-586.pl
index 5b9f333..7eab6a5 100644
--- a/crypto/sha/asm/sha512-586.pl
+++ b/crypto/sha/asm/sha512-586.pl
@@ -142,9 +142,9 @@ sub BODY_00_15_x86 {
 	&mov	("edx",$Ehi);
 	&mov	("esi","ecx");
 
-	&shr	("ecx",9)	# lo>>9
+	&shr	("ecx",9);	# lo>>9
 	&mov	("edi","edx");
-	&shr	("edx",9)	# hi>>9
+	&shr	("edx",9);	# hi>>9
 	&mov	("ebx","ecx");
 	&shl	("esi",14);	# lo<<14
 	&mov	("eax","edx");
@@ -207,9 +207,9 @@ sub BODY_00_15_x86 {
 	&mov	($Dhi,"ebx");
 	&mov	("esi","ecx");
 
-	&shr	("ecx",2)	# lo>>2
+	&shr	("ecx",2);	# lo>>2
 	&mov	("edi","edx");
-	&shr	("edx",2)	# hi>>2
+	&shr	("edx",2);	# hi>>2
 	&mov	("ebx","ecx");
 	&shl	("esi",4);	# lo<<4
 	&mov	("eax","edx");
@@ -452,9 +452,9 @@ if ($sse2) {
 	&mov	("edx",&DWP(8*(9+15+16-1)+4,"esp"));
 	&mov	("esi","ecx");
 
-	&shr	("ecx",1)	# lo>>1
+	&shr	("ecx",1);	# lo>>1
 	&mov	("edi","edx");
-	&shr	("edx",1)	# hi>>1
+	&shr	("edx",1);	# hi>>1
 	&mov	("eax","ecx");
 	&shl	("esi",24);	# lo<<24
 	&mov	("ebx","edx");
@@ -488,9 +488,9 @@ if ($sse2) {
 	&mov	("edx",&DWP(8*(9+15+16-14)+4,"esp"));
 	&mov	("esi","ecx");
 
-	&shr	("ecx",6)	# lo>>6
+	&shr	("ecx",6);	# lo>>6
 	&mov	("edi","edx");
-	&shr	("edx",6)	# hi>>6
+	&shr	("edx",6);	# hi>>6
 	&mov	("eax","ecx");
 	&shl	("esi",3);	# lo<<3
 	&mov	("ebx","edx");
diff --git a/crypto/sha/asm/sha512-x86_64.pl b/crypto/sha/asm/sha512-x86_64.pl
index f611a2d..8d51678 100755
--- a/crypto/sha/asm/sha512-x86_64.pl
+++ b/crypto/sha/asm/sha512-x86_64.pl
@@ -51,7 +51,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
 die "can't locate x86_64-xlate.pl";
 
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
 
 if ($output =~ /512/) {
 	$func="sha512_block_data_order";
diff --git a/crypto/sha/sha1_one.c b/crypto/sha/sha1_one.c
index 7c65b60..c56ec94 100644
--- a/crypto/sha/sha1_one.c
+++ b/crypto/sha/sha1_one.c
@@ -58,8 +58,8 @@
 
 #include <stdio.h>
 #include <string.h>
-#include <openssl/sha.h>
 #include <openssl/crypto.h>
+#include <openssl/sha.h>
 
 #ifndef OPENSSL_NO_SHA1
 unsigned char *SHA1(const unsigned char *d, size_t n, unsigned char *md)
diff --git a/crypto/sha/sha1dgst.c b/crypto/sha/sha1dgst.c
index 81219af..a986902 100644
--- a/crypto/sha/sha1dgst.c
+++ b/crypto/sha/sha1dgst.c
@@ -56,8 +56,8 @@
  * [including the GNU Public Licence.]
  */
 
-#include <openssl/opensslconf.h>
 #include <openssl/crypto.h>
+#include <openssl/opensslconf.h>
 #if !defined(OPENSSL_NO_SHA1) && !defined(OPENSSL_NO_SHA)
 
 #undef  SHA_0
diff --git a/crypto/sha/sha256.c b/crypto/sha/sha256.c
index f88d3d6..4eae074 100644
--- a/crypto/sha/sha256.c
+++ b/crypto/sha/sha256.c
@@ -88,17 +88,17 @@ int SHA224_Final (unsigned char *md, SHA256_CTX *c)
 	switch ((c)->md_len)		\
 	{   case SHA224_DIGEST_LENGTH:	\
 		for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++)	\
-		{   ll=(c)->h[nn]; HOST_l2c(ll,(s));   }	\
+		{   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }	\
 		break;			\
 	    case SHA256_DIGEST_LENGTH:	\
 		for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++)	\
-		{   ll=(c)->h[nn]; HOST_l2c(ll,(s));   }	\
+		{   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }	\
 		break;			\
 	    default:			\
 		if ((c)->md_len > SHA256_DIGEST_LENGTH)	\
 		    return 0;				\
 		for (nn=0;nn<(c)->md_len/4;nn++)		\
-		{   ll=(c)->h[nn]; HOST_l2c(ll,(s));   }	\
+		{   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }	\
 		break;			\
 	}				\
 	} while (0)
diff --git a/crypto/sha/sha_dgst.c b/crypto/sha/sha_dgst.c
index c946ad8..fb63b17 100644
--- a/crypto/sha/sha_dgst.c
+++ b/crypto/sha/sha_dgst.c
@@ -56,8 +56,8 @@
  * [including the GNU Public Licence.]
  */
 
-#include <openssl/opensslconf.h>
 #include <openssl/crypto.h>
+#include <openssl/opensslconf.h>
 #if !defined(OPENSSL_NO_SHA0) && !defined(OPENSSL_NO_SHA)
 
 #undef  SHA_1
diff --git a/crypto/sha/sha_locl.h b/crypto/sha/sha_locl.h
index 7a0c3ca..d673255 100644
--- a/crypto/sha/sha_locl.h
+++ b/crypto/sha/sha_locl.h
@@ -69,11 +69,11 @@
 #define HASH_CBLOCK             SHA_CBLOCK
 #define HASH_MAKE_STRING(c,s)   do {	\
 	unsigned long ll;		\
-	ll=(c)->h0; HOST_l2c(ll,(s));	\
-	ll=(c)->h1; HOST_l2c(ll,(s));	\
-	ll=(c)->h2; HOST_l2c(ll,(s));	\
-	ll=(c)->h3; HOST_l2c(ll,(s));	\
-	ll=(c)->h4; HOST_l2c(ll,(s));	\
+	ll=(c)->h0; (void)HOST_l2c(ll,(s));	\
+	ll=(c)->h1; (void)HOST_l2c(ll,(s));	\
+	ll=(c)->h2; (void)HOST_l2c(ll,(s));	\
+	ll=(c)->h3; (void)HOST_l2c(ll,(s));	\
+	ll=(c)->h4; (void)HOST_l2c(ll,(s));	\
 	} while (0)
 
 #if defined(SHA_0)
@@ -256,21 +256,21 @@ static void HASH_BLOCK_DATA_ORDER (SHA_CTX *c, const void *p, size_t num)
 		}
 	else
 		{
-		HOST_c2l(data,l); X( 0)=l;		HOST_c2l(data,l); X( 1)=l;
-		BODY_00_15( 0,A,B,C,D,E,T,X( 0));	HOST_c2l(data,l); X( 2)=l;
-		BODY_00_15( 1,T,A,B,C,D,E,X( 1));	HOST_c2l(data,l); X( 3)=l;
-		BODY_00_15( 2,E,T,A,B,C,D,X( 2));	HOST_c2l(data,l); X( 4)=l;
-		BODY_00_15( 3,D,E,T,A,B,C,X( 3));	HOST_c2l(data,l); X( 5)=l;
-		BODY_00_15( 4,C,D,E,T,A,B,X( 4));	HOST_c2l(data,l); X( 6)=l;
-		BODY_00_15( 5,B,C,D,E,T,A,X( 5));	HOST_c2l(data,l); X( 7)=l;
-		BODY_00_15( 6,A,B,C,D,E,T,X( 6));	HOST_c2l(data,l); X( 8)=l;
-		BODY_00_15( 7,T,A,B,C,D,E,X( 7));	HOST_c2l(data,l); X( 9)=l;
-		BODY_00_15( 8,E,T,A,B,C,D,X( 8));	HOST_c2l(data,l); X(10)=l;
-		BODY_00_15( 9,D,E,T,A,B,C,X( 9));	HOST_c2l(data,l); X(11)=l;
-		BODY_00_15(10,C,D,E,T,A,B,X(10));	HOST_c2l(data,l); X(12)=l;
-		BODY_00_15(11,B,C,D,E,T,A,X(11));	HOST_c2l(data,l); X(13)=l;
-		BODY_00_15(12,A,B,C,D,E,T,X(12));	HOST_c2l(data,l); X(14)=l;
-		BODY_00_15(13,T,A,B,C,D,E,X(13));	HOST_c2l(data,l); X(15)=l;
+		(void)HOST_c2l(data,l); X( 0)=l;	(void)HOST_c2l(data,l); X( 1)=l;
+		BODY_00_15( 0,A,B,C,D,E,T,X( 0));	(void)HOST_c2l(data,l); X( 2)=l;
+		BODY_00_15( 1,T,A,B,C,D,E,X( 1));	(void)HOST_c2l(data,l); X( 3)=l;
+		BODY_00_15( 2,E,T,A,B,C,D,X( 2));	(void)HOST_c2l(data,l); X( 4)=l;
+		BODY_00_15( 3,D,E,T,A,B,C,X( 3));	(void)HOST_c2l(data,l); X( 5)=l;
+		BODY_00_15( 4,C,D,E,T,A,B,X( 4));	(void)HOST_c2l(data,l); X( 6)=l;
+		BODY_00_15( 5,B,C,D,E,T,A,X( 5));	(void)HOST_c2l(data,l); X( 7)=l;
+		BODY_00_15( 6,A,B,C,D,E,T,X( 6));	(void)HOST_c2l(data,l); X( 8)=l;
+		BODY_00_15( 7,T,A,B,C,D,E,X( 7));	(void)HOST_c2l(data,l); X( 9)=l;
+		BODY_00_15( 8,E,T,A,B,C,D,X( 8));	(void)HOST_c2l(data,l); X(10)=l;
+		BODY_00_15( 9,D,E,T,A,B,C,X( 9));	(void)HOST_c2l(data,l); X(11)=l;
+		BODY_00_15(10,C,D,E,T,A,B,X(10));	(void)HOST_c2l(data,l); X(12)=l;
+		BODY_00_15(11,B,C,D,E,T,A,X(11));	(void)HOST_c2l(data,l); X(13)=l;
+		BODY_00_15(12,A,B,C,D,E,T,X(12));	(void)HOST_c2l(data,l); X(14)=l;
+		BODY_00_15(13,T,A,B,C,D,E,X(13));	(void)HOST_c2l(data,l); X(15)=l;
 		BODY_00_15(14,E,T,A,B,C,D,X(14));
 		BODY_00_15(15,D,E,T,A,B,C,X(15));
 		}
diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c
index c8be907..4a3d13e 100644
--- a/crypto/srp/srp_vfy.c
+++ b/crypto/srp/srp_vfy.c
@@ -390,7 +390,7 @@ int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file)
 		}
 	for (i = 0; i < sk_OPENSSL_PSTRING_num(tmpdb->data); i++)
 		{
-		pp = (char **)sk_OPENSSL_PSTRING_value(tmpdb->data,i);
+		pp = sk_OPENSSL_PSTRING_value(tmpdb->data,i);
 		if (pp[DB_srptype][0] == DB_SRP_INDEX)
 			{
 			/*we add this couple in the internal Stack */
@@ -581,7 +581,8 @@ char *SRP_create_verifier(const char *user, const char *pass, char **salt,
 	if (*salt == NULL)
 		{
 		char *tmp_salt;
-		if ((tmp_salt = (char *)OPENSSL_malloc(SRP_RANDOM_SALT_LEN * 2)) == NULL)
+
+		if ((tmp_salt = OPENSSL_malloc(SRP_RANDOM_SALT_LEN * 2)) == NULL)
 			{
 			OPENSSL_free(vf);
 			goto err;
diff --git a/crypto/symhacks.h b/crypto/symhacks.h
index 403f592..07a412f 100644
--- a/crypto/symhacks.h
+++ b/crypto/symhacks.h
@@ -193,17 +193,17 @@
 #undef SSL_CTX_set_srp_username_callback
 #define SSL_CTX_set_srp_username_callback	SSL_CTX_set_srp_un_cb
 #undef ssl_add_clienthello_use_srtp_ext
-#define ssl_add_clienthello_use_srtp_ext ssl_add_clihello_use_srtp_ext
+#define ssl_add_clienthello_use_srtp_ext	ssl_add_clihello_use_srtp_ext
 #undef ssl_add_serverhello_use_srtp_ext
-#define ssl_add_serverhello_use_srtp_ext ssl_add_serhello_use_srtp_ext
+#define ssl_add_serverhello_use_srtp_ext	ssl_add_serhello_use_srtp_ext
 #undef ssl_parse_clienthello_use_srtp_ext
-#define ssl_parse_clienthello_use_srtp_ext ssl_parse_clihello_use_srtp_ext
+#define ssl_parse_clienthello_use_srtp_ext	ssl_parse_clihello_use_srtp_ext
 #undef ssl_parse_serverhello_use_srtp_ext
-#define ssl_parse_serverhello_use_srtp_ext ssl_parse_serhello_use_srtp_ext
+#define ssl_parse_serverhello_use_srtp_ext	ssl_parse_serhello_use_srtp_ext
 #undef SSL_CTX_set_next_protos_advertised_cb
-#define SSL_CTX_set_next_protos_advertised_cb SSL_CTX_set_next_protos_adv_cb
+#define SSL_CTX_set_next_protos_advertised_cb	SSL_CTX_set_next_protos_adv_cb
 #undef SSL_CTX_set_next_proto_select_cb
-#define SSL_CTX_set_next_proto_select_cb SSL_CTX_set_next_proto_sel_cb
+#define SSL_CTX_set_next_proto_select_cb	SSL_CTX_set_next_proto_sel_cb
 
 /* Hack some long ENGINE names */
 #undef ENGINE_get_default_BN_mod_exp_crt
@@ -316,8 +316,6 @@
 #define ec_GFp_simple_point_set_to_infinity     ec_GFp_simple_pt_set_to_inf
 #undef ec_GFp_simple_points_make_affine
 #define ec_GFp_simple_points_make_affine	ec_GFp_simple_pts_make_affine
-#undef ec_GFp_simple_group_get_curve_GFp
-#define ec_GFp_simple_group_get_curve_GFp       ec_GFp_simple_grp_get_curve_GFp
 #undef ec_GFp_simple_set_Jprojective_coordinates_GFp
 #define ec_GFp_simple_set_Jprojective_coordinates_GFp \
                                                 ec_GFp_smp_set_Jproj_coords_GFp
diff --git a/crypto/ui/ui_openssl.c b/crypto/ui/ui_openssl.c
index 7165cb4..e6ccd34 100644
--- a/crypto/ui/ui_openssl.c
+++ b/crypto/ui/ui_openssl.c
@@ -122,9 +122,15 @@
  * sigaction and fileno included. -pedantic would be more appropriate for
  * the intended purposes, but we can't prevent users from adding -ansi.
  */
+#if defined(OPENSSL_SYSNAME_VXWORKS)
+#include <sys/types.h>
+#endif
+
 #if !defined(_POSIX_C_SOURCE) && defined(OPENSSL_SYS_VMS)
+#ifndef _POSIX_C_SOURCE
 #define _POSIX_C_SOURCE 2
 #endif
+#endif
 #include <signal.h>
 #include <stdio.h>
 #include <string.h>
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index 7c2aaee..352aa37 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -86,10 +86,9 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
 
 	EVP_MD_CTX_init(&ctx);
 	f=X509_NAME_oneline(a->cert_info->issuer,NULL,0);
-	ret=strlen(f);
 	if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL))
 		goto err;
-	if (!EVP_DigestUpdate(&ctx,(unsigned char *)f,ret))
+	if (!EVP_DigestUpdate(&ctx,(unsigned char *)f,strlen(f)))
 		goto err;
 	OPENSSL_free(f);
 	if(!EVP_DigestUpdate(&ctx,(unsigned char *)a->cert_info->serialNumber->data,
@@ -249,14 +248,14 @@ unsigned long X509_NAME_hash_old(X509_NAME *x)
 	i2d_X509_NAME(x,NULL);
 	EVP_MD_CTX_init(&md_ctx);
 	EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-	EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL);
-	EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length);
-	EVP_DigestFinal_ex(&md_ctx,md,NULL);
+	if (EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL)
+	    && EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length)
+	    && EVP_DigestFinal_ex(&md_ctx,md,NULL))
+		ret=(((unsigned long)md[0]     )|((unsigned long)md[1]<<8L)|
+		     ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
+		     )&0xffffffffL;
 	EVP_MD_CTX_cleanup(&md_ctx);
 
-	ret=(	((unsigned long)md[0]     )|((unsigned long)md[1]<<8L)|
-		((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
-		)&0xffffffffL;
 	return(ret);
 	}
 #endif
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index b0779db..12d71f5 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -872,7 +872,7 @@ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
 	{
 	ASN1_OCTET_STRING *exta, *extb;
 	int i;
-	i = X509_CRL_get_ext_by_NID(a, nid, 0);
+	i = X509_CRL_get_ext_by_NID(a, nid, -1);
 	if (i >= 0)
 		{
 		/* Can't have multiple occurrences */
@@ -883,7 +883,7 @@ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
 	else
 		exta = NULL;
 
-	i = X509_CRL_get_ext_by_NID(b, nid, 0);
+	i = X509_CRL_get_ext_by_NID(b, nid, -1);
 
 	if (i >= 0)
 		{
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 181bd34..ad68865 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -474,11 +474,11 @@ static void x509v3_cache_extensions(X509 *x)
 	for (i = 0; i < X509_get_ext_count(x); i++)
 		{
 		ex = X509_get_ext(x, i);
-		if (!X509_EXTENSION_get_critical(ex))
-			continue;
 		if (OBJ_obj2nid(X509_EXTENSION_get_object(ex))
 					== NID_freshest_crl)
 			x->ex_flags |= EXFLAG_FRESHEST;
+		if (!X509_EXTENSION_get_critical(ex))
+			continue;
 		if (!X509_supported_extension(ex))
 			{
 			x->ex_flags |= EXFLAG_CRITICAL;
diff --git a/crypto/x86_64cpuid.pl b/crypto/x86_64cpuid.pl
index 7b7b93b..6ebfd01 100644
--- a/crypto/x86_64cpuid.pl
+++ b/crypto/x86_64cpuid.pl
@@ -11,7 +11,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
 ( $xlate="${dir}perlasm/x86_64-xlate.pl" and -f $xlate) or
 die "can't locate x86_64-xlate.pl";
 
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
 
 ($arg1,$arg2,$arg3,$arg4)=$win64?("%rcx","%rdx","%r8", "%r9") :	# Win64 order
 				 ("%rdi","%rsi","%rdx","%rcx");	# Unix order
diff --git a/crypto/x86cpuid.pl b/crypto/x86cpuid.pl
index 39fd8f2..c18b0e2 100644
--- a/crypto/x86cpuid.pl
+++ b/crypto/x86cpuid.pl
@@ -165,7 +165,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
 	&jnz	(&label("nohalt"));	# not enough privileges
 
 	&pushf	();
-	&pop	("eax")
+	&pop	("eax");
 	&bt	("eax",9);
 	&jnc	(&label("nohalt"));	# interrupts are disabled
 
@@ -280,7 +280,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
 #	arguments is 1 or 2!
 &function_begin_B("OPENSSL_indirect_call");
 	{
-	my $i,$max=7;		# $max has to be chosen as 4*n-1
+	my ($max,$i)=(7,);	# $max has to be chosen as 4*n-1
 				# in order to preserve eventual
 				# stack alignment
 	&push	("ebp");
diff --git a/import_openssl.sh b/import_openssl.sh
index bde07da..03e54c7 100755
--- a/import_openssl.sh
+++ b/import_openssl.sh
@@ -322,7 +322,7 @@ function applypatches () {
   for i in $OPENSSL_PATCHES; do
     if [ ! "$skip_patch" = "patches/$i" ]; then
       echo "Applying patch $i"
-      patch -p1 < ../patches/$i || die "Could not apply patches/$i. Fix source and run: $0 regenerate patches/$i"
+      patch -p1 --merge < ../patches/$i || die "Could not apply patches/$i. Fix source and run: $0 regenerate patches/$i"
     else
       echo "Skiping patch $i"
     fi
diff --git a/include/openssl/crypto.h b/include/openssl/crypto.h
index 793a325..f92fc51 100644
--- a/include/openssl/crypto.h
+++ b/include/openssl/crypto.h
@@ -488,10 +488,10 @@ void CRYPTO_get_mem_debug_functions(void (**m)(void *,int,const char *,int,int),
 				    long (**go)(void));
 
 void *CRYPTO_malloc_locked(int num, const char *file, int line);
-void CRYPTO_free_locked(void *);
+void CRYPTO_free_locked(void *ptr);
 void *CRYPTO_malloc(int num, const char *file, int line);
 char *CRYPTO_strdup(const char *str, const char *file, int line);
-void CRYPTO_free(void *);
+void CRYPTO_free(void *ptr);
 void *CRYPTO_realloc(void *addr,int num, const char *file, int line);
 void *CRYPTO_realloc_clean(void *addr,int old_num,int num,const char *file,
 			   int line);
diff --git a/include/openssl/dtls1.h b/include/openssl/dtls1.h
index 5008bf6..e65d501 100644
--- a/include/openssl/dtls1.h
+++ b/include/openssl/dtls1.h
@@ -57,8 +57,8 @@
  *
  */
 
-#ifndef HEADER_DTLS1_H 
-#define HEADER_DTLS1_H 
+#ifndef HEADER_DTLS1_H
+#define HEADER_DTLS1_H
 
 #include <openssl/buffer.h>
 #include <openssl/pqueue.h>
@@ -72,8 +72,12 @@
 #elif defined(OPENSSL_SYS_NETWARE) && !defined(_WINSOCK2API_)
 #include <sys/timeval.h>
 #else
+#if defined(OPENSSL_SYS_VXWORKS)
+#include <sys/times.h>
+#else
 #include <sys/time.h>
 #endif
+#endif
 
 #ifdef  __cplusplus
 extern "C" {
diff --git a/include/openssl/ec.h b/include/openssl/ec.h
index 9d01325..dfe8710 100644
--- a/include/openssl/ec.h
+++ b/include/openssl/ec.h
@@ -274,10 +274,10 @@ int EC_GROUP_get_curve_name(const EC_GROUP *group);
 void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag);
 int EC_GROUP_get_asn1_flag(const EC_GROUP *group);
 
-void EC_GROUP_set_point_conversion_form(EC_GROUP *, point_conversion_form_t);
+void EC_GROUP_set_point_conversion_form(EC_GROUP *group, point_conversion_form_t form);
 point_conversion_form_t EC_GROUP_get_point_conversion_form(const EC_GROUP *);
 
-unsigned char *EC_GROUP_get0_seed(const EC_GROUP *);
+unsigned char *EC_GROUP_get0_seed(const EC_GROUP *x);
 size_t EC_GROUP_get_seed_len(const EC_GROUP *);
 size_t EC_GROUP_set_seed(EC_GROUP *, const unsigned char *, size_t len);
 
@@ -626,8 +626,8 @@ int EC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *c
  */
 int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx);
 
-int EC_POINT_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *);
-int EC_POINTs_make_affine(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *);
+int EC_POINT_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx);
+int EC_POINTs_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx);
 
 /** Computes r = generator * n sum_{i=0}^num p[i] * m[i]
  *  \param  group  underlying EC_GROUP object
@@ -800,16 +800,24 @@ const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key);
 int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub);
 
 unsigned EC_KEY_get_enc_flags(const EC_KEY *key);
-void EC_KEY_set_enc_flags(EC_KEY *, unsigned int);
-point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *);
-void EC_KEY_set_conv_form(EC_KEY *, point_conversion_form_t);
+void EC_KEY_set_enc_flags(EC_KEY *eckey, unsigned int flags);
+point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key);
+void EC_KEY_set_conv_form(EC_KEY *eckey, point_conversion_form_t cform);
 /* functions to set/get method specific data  */
-void *EC_KEY_get_key_method_data(EC_KEY *, 
+void *EC_KEY_get_key_method_data(EC_KEY *key, 
 	void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *));
-void EC_KEY_insert_key_method_data(EC_KEY *, void *data,
+/** Sets the key method data of an EC_KEY object, if none has yet been set.
+ *  \param  key              EC_KEY object
+ *  \param  data             opaque data to install.
+ *  \param  dup_func         a function that duplicates |data|.
+ *  \param  free_func        a function that frees |data|.
+ *  \param  clear_free_func  a function that wipes and frees |data|.
+ *  \return the previously set data pointer, or NULL if |data| was inserted.
+ */
+void *EC_KEY_insert_key_method_data(EC_KEY *key, void *data,
 	void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *));
 /* wrapper functions for the underlying EC_GROUP object */
-void EC_KEY_set_asn1_flag(EC_KEY *, int);
+void EC_KEY_set_asn1_flag(EC_KEY *eckey, int asn1_flag);
 
 /** Creates a table of pre-computed multiples of the generator to 
  *  accelerate further EC_KEY operations.
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index 8096a72..e43a58e 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -402,7 +402,6 @@ struct evp_cipher_st
 /* Length of tag for TLS */
 #define EVP_GCM_TLS_TAG_LEN				16
 
-
 typedef struct evp_cipher_info_st
 	{
 	const EVP_CIPHER *cipher;
@@ -789,8 +788,8 @@ const EVP_CIPHER *EVP_aes_128_cfb128(void);
 # define EVP_aes_128_cfb EVP_aes_128_cfb128
 const EVP_CIPHER *EVP_aes_128_ofb(void);
 const EVP_CIPHER *EVP_aes_128_ctr(void);
-const EVP_CIPHER *EVP_aes_128_gcm(void);
 const EVP_CIPHER *EVP_aes_128_ccm(void);
+const EVP_CIPHER *EVP_aes_128_gcm(void);
 const EVP_CIPHER *EVP_aes_128_xts(void);
 const EVP_CIPHER *EVP_aes_192_ecb(void);
 const EVP_CIPHER *EVP_aes_192_cbc(void);
@@ -800,8 +799,8 @@ const EVP_CIPHER *EVP_aes_192_cfb128(void);
 # define EVP_aes_192_cfb EVP_aes_192_cfb128
 const EVP_CIPHER *EVP_aes_192_ofb(void);
 const EVP_CIPHER *EVP_aes_192_ctr(void);
-const EVP_CIPHER *EVP_aes_192_gcm(void);
 const EVP_CIPHER *EVP_aes_192_ccm(void);
+const EVP_CIPHER *EVP_aes_192_gcm(void);
 const EVP_CIPHER *EVP_aes_256_ecb(void);
 const EVP_CIPHER *EVP_aes_256_cbc(void);
 const EVP_CIPHER *EVP_aes_256_cfb1(void);
@@ -810,8 +809,8 @@ const EVP_CIPHER *EVP_aes_256_cfb128(void);
 # define EVP_aes_256_cfb EVP_aes_256_cfb128
 const EVP_CIPHER *EVP_aes_256_ofb(void);
 const EVP_CIPHER *EVP_aes_256_ctr(void);
-const EVP_CIPHER *EVP_aes_256_gcm(void);
 const EVP_CIPHER *EVP_aes_256_ccm(void);
+const EVP_CIPHER *EVP_aes_256_gcm(void);
 const EVP_CIPHER *EVP_aes_256_xts(void);
 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
 const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void);
@@ -1244,6 +1243,8 @@ void EVP_PKEY_meth_set_ctrl(EVP_PKEY_METHOD *pmeth,
 	int (*ctrl_str)(EVP_PKEY_CTX *ctx,
 					const char *type, const char *value));
 
+void EVP_add_alg_module(void);
+
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
@@ -1258,6 +1259,7 @@ void ERR_load_EVP_strings(void);
 #define EVP_F_AES_INIT_KEY				 133
 #define EVP_F_AES_XTS					 172
 #define EVP_F_AES_XTS_CIPHER				 175
+#define EVP_F_ALG_MODULE_INIT				 177
 #define EVP_F_CAMELLIA_INIT_KEY				 159
 #define EVP_F_CMAC_INIT					 173
 #define EVP_F_D2I_PKEY					 100
@@ -1351,15 +1353,19 @@ void ERR_load_EVP_strings(void);
 #define EVP_R_DIFFERENT_PARAMETERS			 153
 #define EVP_R_DISABLED_FOR_FIPS				 163
 #define EVP_R_ENCODE_ERROR				 115
+#define EVP_R_ERROR_LOADING_SECTION			 165
+#define EVP_R_ERROR_SETTING_FIPS_MODE			 166
 #define EVP_R_EVP_PBE_CIPHERINIT_ERROR			 119
 #define EVP_R_EXPECTING_AN_RSA_KEY			 127
 #define EVP_R_EXPECTING_A_DH_KEY			 128
 #define EVP_R_EXPECTING_A_DSA_KEY			 129
 #define EVP_R_EXPECTING_A_ECDSA_KEY			 141
 #define EVP_R_EXPECTING_A_EC_KEY			 142
+#define EVP_R_FIPS_MODE_NOT_SUPPORTED			 167
 #define EVP_R_INITIALIZATION_ERROR			 134
 #define EVP_R_INPUT_NOT_INITIALIZED			 111
 #define EVP_R_INVALID_DIGEST				 152
+#define EVP_R_INVALID_FIPS_MODE				 168
 #define EVP_R_INVALID_KEY_LENGTH			 130
 #define EVP_R_INVALID_OPERATION				 148
 #define EVP_R_IV_TOO_LARGE				 102
@@ -1384,6 +1390,7 @@ void ERR_load_EVP_strings(void);
 #define EVP_R_TOO_LARGE					 164
 #define EVP_R_UNKNOWN_CIPHER				 160
 #define EVP_R_UNKNOWN_DIGEST				 161
+#define EVP_R_UNKNOWN_OPTION				 169
 #define EVP_R_UNKNOWN_PBE_ALGORITHM			 121
 #define EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS		 135
 #define EVP_R_UNSUPPORTED_ALGORITHM			 156
diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
index 71be359..dbea4ad 100644
--- a/include/openssl/opensslv.h
+++ b/include/openssl/opensslv.h
@@ -25,11 +25,11 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER	0x1000103fL
+#define OPENSSL_VERSION_NUMBER	0x1000104fL
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.1c-fips 10 May 2012"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.1d-fips 5 Feb 2013"
 #else
-#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.1c 10 May 2012"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.1d 5 Feb 2013"
 #endif
 #define OPENSSL_VERSION_PTEXT	" part of " OPENSSL_VERSION_TEXT
 
diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h
index 4814a2f..5f269e5 100644
--- a/include/openssl/rsa.h
+++ b/include/openssl/rsa.h
@@ -280,7 +280,7 @@ struct rsa_st
 
 RSA *	RSA_new(void);
 RSA *	RSA_new_method(ENGINE *engine);
-int	RSA_size(const RSA *);
+int	RSA_size(const RSA *rsa);
 
 /* Deprecated version */
 #ifndef OPENSSL_NO_DEPRECATED
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 1aaadf3..5695aae 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -493,6 +493,9 @@ struct ssl_session_st
 	char *psk_identity_hint;
 	char *psk_identity;
 #endif
+	/* Used to indicate that session resumption is not allowed.
+	 * Applications can also set this bit for a new session via
+	 * not_resumable_session_cb to disable session caching and tickets. */
 	int not_resumable;
 
 	/* The cert is the certificate used to establish this connection */
@@ -535,7 +538,7 @@ struct ssl_session_st
 #endif /* OPENSSL_NO_EC */
 	/* RFC4507 info */
 	unsigned char *tlsext_tick;	/* Session ticket */
-	size_t	tlsext_ticklen;		/* Session ticket length */	
+	size_t tlsext_ticklen;		/* Session ticket length */
 	long tlsext_tick_lifetime_hint;	/* Session lifetime hint in seconds */
 #endif
 #ifndef OPENSSL_NO_SRP
@@ -931,6 +934,7 @@ struct ssl_ctx_st
 	/* Callback for status request */
 	int (*tlsext_status_cb)(SSL *ssl, void *arg);
 	void *tlsext_status_arg;
+
 	/* draft-rescorla-tls-opaque-prf-input-00.txt information */
 	int (*tlsext_opaque_prf_input_callback)(SSL *, void *peerinput, size_t len, void *arg);
 	void *tlsext_opaque_prf_input_callback_arg;
@@ -956,6 +960,7 @@ struct ssl_ctx_st
 #endif
 
 #ifndef OPENSSL_NO_TLSEXT
+
 # ifndef OPENSSL_NO_NEXTPROTONEG
 	/* Next protocol negotiation information */
 	/* (for experimental NPN extension). */
@@ -2262,6 +2267,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_GET_NEW_SESSION			 181
 #define SSL_F_SSL_GET_PREV_SESSION			 217
 #define SSL_F_SSL_GET_SERVER_SEND_CERT			 182
+#define SSL_F_SSL_GET_SERVER_SEND_PKEY			 317
 #define SSL_F_SSL_GET_SIGN_PKEY				 183
 #define SSL_F_SSL_INIT_WBIO_BUFFER			 184
 #define SSL_F_SSL_LOAD_CLIENT_CA_FILE			 185
diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h
index 879be13..fee9671 100644
--- a/include/openssl/ssl3.h
+++ b/include/openssl/ssl3.h
@@ -355,10 +355,6 @@ typedef struct ssl3_record_st
 /*r */	unsigned char *comp;    /* only used with decompression - malloc()ed */
 /*r */  unsigned long epoch;    /* epoch number, needed by DTLS1 */
 /*r */  unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */
-/*rw*/	unsigned int orig_len;  /* How many bytes were available before padding
-				   was removed? This is used to implement the
-				   MAC check in constant time for CBC records.
-				 */
 	} SSL3_RECORD;
 
 typedef struct ssl3_buffer_st
@@ -594,8 +590,10 @@ typedef struct ssl3_state_st
 #define SSL3_ST_CW_CERT_VRFY_B		(0x191|SSL_ST_CONNECT)
 #define SSL3_ST_CW_CHANGE_A		(0x1A0|SSL_ST_CONNECT)
 #define SSL3_ST_CW_CHANGE_B		(0x1A1|SSL_ST_CONNECT)
+#ifndef OPENSSL_NO_NEXTPROTONEG
 #define SSL3_ST_CW_NEXT_PROTO_A		(0x200|SSL_ST_CONNECT)
 #define SSL3_ST_CW_NEXT_PROTO_B		(0x201|SSL_ST_CONNECT)
+#endif
 #define SSL3_ST_CW_CHANNEL_ID_A		(0x210|SSL_ST_CONNECT)
 #define SSL3_ST_CW_CHANNEL_ID_B		(0x211|SSL_ST_CONNECT)
 #define SSL3_ST_CW_FINISHED_A		(0x1B0|SSL_ST_CONNECT)
@@ -648,8 +646,10 @@ typedef struct ssl3_state_st
 #define SSL3_ST_SR_CHANGE_A		(0x1B0|SSL_ST_ACCEPT)
 #define SSL3_ST_SR_CHANGE_B		(0x1B1|SSL_ST_ACCEPT)
 #define SSL3_ST_SR_POST_CLIENT_CERT	(0x1BF|SSL_ST_ACCEPT)
+#ifndef OPENSSL_NO_NEXTPROTONEG
 #define SSL3_ST_SR_NEXT_PROTO_A		(0x210|SSL_ST_ACCEPT)
 #define SSL3_ST_SR_NEXT_PROTO_B		(0x211|SSL_ST_ACCEPT)
+#endif
 #define SSL3_ST_SR_CHANNEL_ID_A		(0x220|SSL_ST_ACCEPT)
 #define SSL3_ST_SR_CHANNEL_ID_B		(0x221|SSL_ST_ACCEPT)
 #define SSL3_ST_SR_FINISHED_A		(0x1C0|SSL_ST_ACCEPT)
@@ -676,7 +676,9 @@ typedef struct ssl3_state_st
 #define SSL3_MT_CLIENT_KEY_EXCHANGE		16
 #define SSL3_MT_FINISHED			20
 #define SSL3_MT_CERTIFICATE_STATUS		22
+#ifndef OPENSSL_NO_NEXTPROTONEG
 #define SSL3_MT_NEXT_PROTO			67
+#endif
 #define SSL3_MT_ENCRYPTED_EXTENSIONS		203
 #define DTLS1_MT_HELLO_VERIFY_REQUEST    3
 
diff --git a/include/openssl/symhacks.h b/include/openssl/symhacks.h
index 403f592..07a412f 100644
--- a/include/openssl/symhacks.h
+++ b/include/openssl/symhacks.h
@@ -193,17 +193,17 @@
 #undef SSL_CTX_set_srp_username_callback
 #define SSL_CTX_set_srp_username_callback	SSL_CTX_set_srp_un_cb
 #undef ssl_add_clienthello_use_srtp_ext
-#define ssl_add_clienthello_use_srtp_ext ssl_add_clihello_use_srtp_ext
+#define ssl_add_clienthello_use_srtp_ext	ssl_add_clihello_use_srtp_ext
 #undef ssl_add_serverhello_use_srtp_ext
-#define ssl_add_serverhello_use_srtp_ext ssl_add_serhello_use_srtp_ext
+#define ssl_add_serverhello_use_srtp_ext	ssl_add_serhello_use_srtp_ext
 #undef ssl_parse_clienthello_use_srtp_ext
-#define ssl_parse_clienthello_use_srtp_ext ssl_parse_clihello_use_srtp_ext
+#define ssl_parse_clienthello_use_srtp_ext	ssl_parse_clihello_use_srtp_ext
 #undef ssl_parse_serverhello_use_srtp_ext
-#define ssl_parse_serverhello_use_srtp_ext ssl_parse_serhello_use_srtp_ext
+#define ssl_parse_serverhello_use_srtp_ext	ssl_parse_serhello_use_srtp_ext
 #undef SSL_CTX_set_next_protos_advertised_cb
-#define SSL_CTX_set_next_protos_advertised_cb SSL_CTX_set_next_protos_adv_cb
+#define SSL_CTX_set_next_protos_advertised_cb	SSL_CTX_set_next_protos_adv_cb
 #undef SSL_CTX_set_next_proto_select_cb
-#define SSL_CTX_set_next_proto_select_cb SSL_CTX_set_next_proto_sel_cb
+#define SSL_CTX_set_next_proto_select_cb	SSL_CTX_set_next_proto_sel_cb
 
 /* Hack some long ENGINE names */
 #undef ENGINE_get_default_BN_mod_exp_crt
@@ -316,8 +316,6 @@
 #define ec_GFp_simple_point_set_to_infinity     ec_GFp_simple_pt_set_to_inf
 #undef ec_GFp_simple_points_make_affine
 #define ec_GFp_simple_points_make_affine	ec_GFp_simple_pts_make_affine
-#undef ec_GFp_simple_group_get_curve_GFp
-#define ec_GFp_simple_group_get_curve_GFp       ec_GFp_simple_grp_get_curve_GFp
 #undef ec_GFp_simple_set_Jprojective_coordinates_GFp
 #define ec_GFp_simple_set_Jprojective_coordinates_GFp \
                                                 ec_GFp_smp_set_Jproj_coords_GFp
diff --git a/openssl.config b/openssl.config
index 9c20b62..e7009ea 100644
--- a/openssl.config
+++ b/openssl.config
@@ -175,8 +175,10 @@ include/openssl/camellia.h \
 include/openssl/cast.h \
 include/openssl/cms.h \
 include/openssl/idea.h \
+include/openssl/md2.h \
 include/openssl/mdc2.h \
 include/openssl/seed.h \
+include/openssl/store.h \
 include/openssl/whrlpool.h \
 install.com \
 makevms.com \
@@ -201,13 +203,7 @@ OPENSSL_PATCHES="\
 progs.patch \
 handshake_cutthrough.patch \
 jsse.patch \
-sha1_armv4_large.patch \
-mips_private.patch \
 channelid.patch \
-clang.patch \
-recursive_lock_fix.patch \
-0001-Add-and-use-a-constant-time-memcmp.patch \
-0002-Make-CBC-decoding-constant-time.patch \
 "
 
 OPENSSL_PATCHES_progs_SOURCES="\
@@ -243,10 +239,6 @@ ssl/ssl_rsa.c \
 ssl/ssl_sess.c \
 "
 
-OPENSSL_PATCHES_mips_private_SOURCES="\
-crypto/aes/asm/aes-mips.pl \
-"
-
 OPENSSL_PATCHES_channelid_SOURCES="\
 crypto/evp/evp.h \
 crypto/evp/p_lib.c \
@@ -262,11 +254,3 @@ ssl/ssl_locl.h \
 ssl/t1_lib.c \
 ssl/tls1.h \
 "
-
-OPENSSL_PATCHES_clang_SOURCES="\
-crypto/bio/bss_dgram.c \
-crypto/cryptlib.c \
-"
-OPENSSL_PATCHES_recursive_lock_fix_SOURCES="\
-crypto/asn1/x_pubkey.c \
-"
diff --git a/openssl.version b/openssl.version
index 1616021..30f1cd2 100644
--- a/openssl.version
+++ b/openssl.version
@@ -1 +1 @@
-OPENSSL_VERSION=1.0.1c
+OPENSSL_VERSION=1.0.1d
diff --git a/patches/0001-Add-and-use-a-constant-time-memcmp.patch b/patches/0001-Add-and-use-a-constant-time-memcmp.patch
deleted file mode 100644
index a593d49..0000000
--- a/patches/0001-Add-and-use-a-constant-time-memcmp.patch
+++ /dev/null
@@ -1,155 +0,0 @@
-From 306d003174cb4e5994734b20d741867aeeebf918 Mon Sep 17 00:00:00 2001
-From: Adam Langley <agl@chromium.org>
-Date: Wed, 16 Jan 2013 11:02:35 -0500
-Subject: [PATCH 1/2] Add and use a constant-time memcmp.
-
-This change adds CRYPTO_memcmp, which compares two vectors of bytes in
-an amount of time that's independent of their contents. It also changes
-several MAC compares in the code to use this over the standard memcmp,
-which may leak information about the size of a matching prefix.
----
- crypto/cryptlib.c     | 13 +++++++++++++
- crypto/crypto.h       |  7 +++++++
- crypto/rsa/rsa_oaep.c |  2 +-
- ssl/d1_pkt.c          |  2 +-
- ssl/s2_clnt.c         |  2 +-
- ssl/s2_pkt.c          |  3 +--
- ssl/s3_both.c         |  2 +-
- ssl/s3_pkt.c          |  2 +-
- ssl/t1_lib.c          |  2 +-
- 9 files changed, 27 insertions(+), 8 deletions(-)
-
-diff --git a/crypto/cryptlib.c b/crypto/cryptlib.c
-index a7cb420..304c6b7 100644
---- a/crypto/cryptlib.c
-+++ b/crypto/cryptlib.c
-@@ -925,3 +925,16 @@ void OpenSSLDie(const char *file,int line,const char *assertion)
- 	}
- 
- void *OPENSSL_stderr(void)	{ return stderr; }
-+
-+int CRYPTO_memcmp(const void *in_a, const void *in_b, size_t len)
-+	{
-+	size_t i;
-+	const unsigned char *a = in_a;
-+	const unsigned char *b = in_b;
-+	unsigned char x = 0;
-+
-+	for (i = 0; i < len; i++)
-+		x |= a[i] ^ b[i];
-+
-+	return x;
-+	}
-diff --git a/crypto/crypto.h b/crypto/crypto.h
-index 6160576..f92fc51 100644
---- a/crypto/crypto.h
-+++ b/crypto/crypto.h
-@@ -574,6 +574,13 @@ void OPENSSL_init(void);
- #define fips_cipher_abort(alg) while(0)
- #endif
- 
-+/* CRYPTO_memcmp returns zero iff the |len| bytes at |a| and |b| are equal. It
-+ * takes an amount of time dependent on |len|, but independent of the contents
-+ * of |a| and |b|. Unlike memcmp, it cannot be used to put elements into a
-+ * defined order as the return value when a != b is undefined, other than to be
-+ * non-zero. */
-+int CRYPTO_memcmp(const void *a, const void *b, size_t len);
-+
- /* BEGIN ERROR CODES */
- /* The following lines are auto generated by the script mkerr.pl. Any changes
-  * made after this point may be overwritten when the script is next run.
-diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
-index 553d212..af4d24a 100644
---- a/crypto/rsa/rsa_oaep.c
-+++ b/crypto/rsa/rsa_oaep.c
-@@ -149,7 +149,7 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
- 	if (!EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL))
- 		return -1;
- 
--	if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad)
-+	if (CRYPTO_memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad)
- 		goto decoding_err;
- 	else
- 		{
-diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
-index 987af60..5e2c56c 100644
---- a/ssl/d1_pkt.c
-+++ b/ssl/d1_pkt.c
-@@ -463,7 +463,7 @@ printf("\n");
- 		else
- 			rr->length = 0;
- 		i=s->method->ssl3_enc->mac(s,md,0);
--		if (i < 0 || mac == NULL || memcmp(md, mac, mac_size) != 0)
-+		if (i < 0 || mac == NULL || CRYPTO_memcmp(md,mac,mac_size) != 0)
- 			{
- 			decryption_failed_or_bad_record_mac = 1;
- 			}
-diff --git a/ssl/s2_clnt.c b/ssl/s2_clnt.c
-index 76b690e..03b6cf9 100644
---- a/ssl/s2_clnt.c
-+++ b/ssl/s2_clnt.c
-@@ -939,7 +939,7 @@ static int get_server_verify(SSL *s)
- 		s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* SERVER-VERIFY */
- 	p += 1;
- 
--	if (memcmp(p,s->s2->challenge,s->s2->challenge_length) != 0)
-+	if (CRYPTO_memcmp(p,s->s2->challenge,s->s2->challenge_length) != 0)
- 		{
- 		ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
- 		SSLerr(SSL_F_GET_SERVER_VERIFY,SSL_R_CHALLENGE_IS_DIFFERENT);
-diff --git a/ssl/s2_pkt.c b/ssl/s2_pkt.c
-index ac963b2..8bb6ab8 100644
---- a/ssl/s2_pkt.c
-+++ b/ssl/s2_pkt.c
-@@ -269,8 +269,7 @@ static int ssl2_read_internal(SSL *s, void *buf, int len, int peek)
- 			s->s2->ract_data_length-=mac_size;
- 			ssl2_mac(s,mac,0);
- 			s->s2->ract_data_length-=s->s2->padding;
--			if (	(memcmp(mac,s->s2->mac_data,
--				(unsigned int)mac_size) != 0) ||
-+			if (	(CRYPTO_memcmp(mac,s->s2->mac_data,mac_size) != 0) ||
- 				(s->s2->rlength%EVP_CIPHER_CTX_block_size(s->enc_read_ctx) != 0))
- 				{
- 				SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_BAD_MAC_DECODE);
-diff --git a/ssl/s3_both.c b/ssl/s3_both.c
-index 918da35..ead01c8 100644
---- a/ssl/s3_both.c
-+++ b/ssl/s3_both.c
-@@ -265,7 +265,7 @@ int ssl3_get_finished(SSL *s, int a, int b)
- 		goto f_err;
- 		}
- 
--	if (memcmp(p, s->s3->tmp.peer_finish_md, i) != 0)
-+	if (CRYPTO_memcmp(p, s->s3->tmp.peer_finish_md, i) != 0)
- 		{
- 		al=SSL_AD_DECRYPT_ERROR;
- 		SSLerr(SSL_F_SSL3_GET_FINISHED,SSL_R_DIGEST_CHECK_FAILED);
-diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
-index dca3458..3e11140 100644
---- a/ssl/s3_pkt.c
-+++ b/ssl/s3_pkt.c
-@@ -463,7 +463,7 @@ printf("\n");
- #endif
- 			}
- 		i=s->method->ssl3_enc->mac(s,md,0);
--		if (i < 0 || mac == NULL || memcmp(md, mac, (size_t)mac_size) != 0)
-+		if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
- 			{
- 			decryption_failed_or_bad_record_mac = 1;
- 			}
-diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
-index d8df062..27010dd 100644
---- a/ssl/t1_lib.c
-+++ b/ssl/t1_lib.c
-@@ -2226,7 +2226,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
- 	HMAC_Update(&hctx, etick, eticklen);
- 	HMAC_Final(&hctx, tick_hmac, NULL);
- 	HMAC_CTX_cleanup(&hctx);
--	if (memcmp(tick_hmac, etick + eticklen, mlen))
-+	if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
- 		return 2;
- 	/* Attempt to decrypt session data */
- 	/* Move p after IV to start of encrypted ticket, update length */
--- 
-1.8.1
-
diff --git a/patches/0002-Make-CBC-decoding-constant-time.patch b/patches/0002-Make-CBC-decoding-constant-time.patch
deleted file mode 100644
index 1893aa2..0000000
--- a/patches/0002-Make-CBC-decoding-constant-time.patch
+++ /dev/null
@@ -1,1621 +0,0 @@
-From fb402b7cdeffc907a9464cb84aa1311b1f77832a Mon Sep 17 00:00:00 2001
-From: Adam Langley <agl@chromium.org>
-Date: Wed, 16 Jan 2013 11:18:19 -0500
-Subject: [PATCH 2/2] Make CBC decoding constant time.
-
-This patch makes the decoding of SSLv3 and TLS CBC records constant
-time. Without this, a timing side-channel can be used to build a padding
-oracle and mount Vaudenay's attack.
-
-This patch also disables the stitched AESNI+SHA mode pending a similar
-fix to that code.
-
-In order to be easy to backport, this change is implemented in ssl/,
-rather than as a generic AEAD mode. In the future this should be changed
-around so that HMAC isn't in ssl/, but crypto/ as FIPS expects.
----
- crypto/evp/c_allc.c |   2 +
- ssl/Makefile        |   4 +-
- ssl/d1_enc.c        |  59 ++---
- ssl/d1_pkt.c        |  87 ++++---
- ssl/s3_cbc.c        | 696 ++++++++++++++++++++++++++++++++++++++++++++++++++++
- ssl/s3_enc.c        | 119 +++++----
- ssl/s3_pkt.c        |  94 +++----
- ssl/ssl3.h          |   4 +
- ssl/ssl_algs.c      |   3 +
- ssl/ssl_locl.h      |  34 +++
- ssl/t1_enc.c        | 144 +++++------
- 11 files changed, 993 insertions(+), 253 deletions(-)
- create mode 100644 ssl/s3_cbc.c
-
-diff --git a/crypto/evp/c_allc.c b/crypto/evp/c_allc.c
-index 2a45d43..e230e60 100644
---- a/crypto/evp/c_allc.c
-+++ b/crypto/evp/c_allc.c
-@@ -195,11 +195,13 @@ void OpenSSL_add_all_ciphers(void)
- 	EVP_add_cipher(EVP_aes_256_xts());
- 	EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
- 	EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
-+#if 0  /* Disabled because of timing side-channel leaks. */
- #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
- 	EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1());
- 	EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1());
- #endif
- #endif
-+#endif
- 
- #ifndef OPENSSL_NO_CAMELLIA
- 	EVP_add_cipher(EVP_camellia_128_ecb());
-diff --git a/ssl/Makefile b/ssl/Makefile
-index feaf3e3..bdb49e2 100644
---- a/ssl/Makefile
-+++ b/ssl/Makefile
-@@ -22,7 +22,7 @@ LIB=$(TOP)/libssl.a
- SHARED_LIB= libssl$(SHLIB_EXT)
- LIBSRC=	\
- 	s2_meth.c   s2_srvr.c s2_clnt.c  s2_lib.c  s2_enc.c s2_pkt.c \
--	s3_meth.c   s3_srvr.c s3_clnt.c  s3_lib.c  s3_enc.c s3_pkt.c s3_both.c \
-+	s3_meth.c   s3_srvr.c s3_clnt.c  s3_lib.c  s3_enc.c s3_pkt.c s3_both.c s3_cbc.c \
- 	s23_meth.c s23_srvr.c s23_clnt.c s23_lib.c          s23_pkt.c \
- 	t1_meth.c   t1_srvr.c t1_clnt.c  t1_lib.c  t1_enc.c \
- 	d1_meth.c   d1_srvr.c d1_clnt.c  d1_lib.c  d1_pkt.c \
-@@ -33,7 +33,7 @@ LIBSRC=	\
- 	bio_ssl.c ssl_err.c kssl.c tls_srp.c t1_reneg.c
- LIBOBJ= \
- 	s2_meth.o  s2_srvr.o  s2_clnt.o  s2_lib.o  s2_enc.o s2_pkt.o \
--	s3_meth.o  s3_srvr.o  s3_clnt.o  s3_lib.o  s3_enc.o s3_pkt.o s3_both.o \
-+	s3_meth.o  s3_srvr.o  s3_clnt.o  s3_lib.o  s3_enc.o s3_pkt.o s3_both.o s3_cbc.o \
- 	s23_meth.o s23_srvr.o s23_clnt.o s23_lib.o          s23_pkt.o \
- 	t1_meth.o   t1_srvr.o t1_clnt.o  t1_lib.o  t1_enc.o \
- 	d1_meth.o   d1_srvr.o d1_clnt.o  d1_lib.o  d1_pkt.o \
-diff --git a/ssl/d1_enc.c b/ssl/d1_enc.c
-index 07a5e97..712c464 100644
---- a/ssl/d1_enc.c
-+++ b/ssl/d1_enc.c
-@@ -126,20 +126,28 @@
- #include <openssl/des.h>
- #endif
- 
-+/* dtls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
-+ *
-+ * Returns:
-+ *   0: (in non-constant time) if the record is publically invalid (i.e. too
-+ *       short etc).
-+ *   1: if the record's padding is valid / the encryption was successful.
-+ *   -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
-+ *       an internal error occured. */
- int dtls1_enc(SSL *s, int send)
- 	{
- 	SSL3_RECORD *rec;
- 	EVP_CIPHER_CTX *ds;
- 	unsigned long l;
--	int bs,i,ii,j,k,n=0;
-+	int bs,i,j,k,mac_size=0;
- 	const EVP_CIPHER *enc;
- 
- 	if (send)
- 		{
- 		if (EVP_MD_CTX_md(s->write_hash))
- 			{
--			n=EVP_MD_CTX_size(s->write_hash);
--			if (n < 0)
-+			mac_size=EVP_MD_CTX_size(s->write_hash);
-+			if (mac_size < 0)
- 				return -1;
- 			}
- 		ds=s->enc_write_ctx;
-@@ -164,9 +172,8 @@ int dtls1_enc(SSL *s, int send)
- 		{
- 		if (EVP_MD_CTX_md(s->read_hash))
- 			{
--			n=EVP_MD_CTX_size(s->read_hash);
--			if (n < 0)
--				return -1;
-+			mac_size=EVP_MD_CTX_size(s->read_hash);
-+			OPENSSL_assert(mac_size >= 0);
- 			}
- 		ds=s->enc_read_ctx;
- 		rec= &(s->s3->rrec);
-@@ -231,7 +238,7 @@ int dtls1_enc(SSL *s, int send)
- 		if (!send)
- 			{
- 			if (l == 0 || l%bs != 0)
--				return -1;
-+				return 0;
- 			}
- 		
- 		EVP_Cipher(ds,rec->data,rec->input,l);
-@@ -246,43 +253,7 @@ int dtls1_enc(SSL *s, int send)
- #endif	/* KSSL_DEBUG */
- 
- 		if ((bs != 1) && !send)
--			{
--			ii=i=rec->data[l-1]; /* padding_length */
--			i++;
--			if (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)
--				{
--				/* First packet is even in size, so check */
--				if ((memcmp(s->s3->read_sequence,
--					"\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1))
--					s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG;
--				if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
--					i--;
--				}
--			/* TLS 1.0 does not bound the number of padding bytes by the block size.
--			 * All of them must have value 'padding_length'. */
--			if (i + bs > (int)rec->length)
--				{
--				/* Incorrect padding. SSLerr() and ssl3_alert are done
--				 * by caller: we don't want to reveal whether this is
--				 * a decryption error or a MAC verification failure
--				 * (see http://www.openssl.org/~bodo/tls-cbc.txt) 
--				 */
--				return -1;
--				}
--			for (j=(int)(l-i); j<(int)l; j++)
--				{
--				if (rec->data[j] != ii)
--					{
--					/* Incorrect padding */
--					return -1;
--					}
--				}
--			rec->length-=i;
--
--			rec->data += bs;    /* skip the implicit IV */
--			rec->input += bs;
--			rec->length -= bs;
--			}
-+			return tls1_cbc_remove_padding(s, rec, bs, mac_size);
- 		}
- 	return(1);
- 	}
-diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
-index 5e2c56c..02c881a 100644
---- a/ssl/d1_pkt.c
-+++ b/ssl/d1_pkt.c
-@@ -376,15 +376,11 @@ static int
- dtls1_process_record(SSL *s)
- {
- 	int i,al;
--	int clear=0;
- 	int enc_err;
- 	SSL_SESSION *sess;
- 	SSL3_RECORD *rr;
- 	unsigned int mac_size;
- 	unsigned char md[EVP_MAX_MD_SIZE];
--	int decryption_failed_or_bad_record_mac = 0;
--	unsigned char *mac = NULL;
--
- 
- 	rr= &(s->s3->rrec);
- 	sess = s->session;
-@@ -414,14 +410,19 @@ dtls1_process_record(SSL *s)
- 
- 	/* decrypt in place in 'rr->input' */
- 	rr->data=rr->input;
-+	rr->orig_len=rr->length;
- 
- 	enc_err = s->method->ssl3_enc->enc(s,0);
--	if (enc_err <= 0)
-+	/* enc_err is:
-+	 *    0: (in non-constant time) if the record is publically invalid.
-+	 *    1: if the padding is valid
-+	 *    -1: if the padding is invalid */
-+	if (enc_err == 0)
- 		{
--		/* To minimize information leaked via timing, we will always
--		 * perform all computations before discarding the message.
--		 */
--		decryption_failed_or_bad_record_mac = 1;
-+		/* For DTLS we simply ignore bad packets. */
-+		rr->length = 0;
-+		s->packet_length = 0;
-+		goto err;
- 		}
- 
- #ifdef TLS_DEBUG
-@@ -431,45 +432,59 @@ printf("\n");
- #endif
- 
- 	/* r->length is now the compressed data plus mac */
--	if (	(sess == NULL) ||
--		(s->enc_read_ctx == NULL) ||
--		(s->read_hash == NULL))
--		clear=1;
--
--	if (!clear)
-+	if ((sess != NULL) &&
-+	    (s->enc_read_ctx != NULL) &&
-+	    (EVP_MD_CTX_md(s->read_hash) != NULL))
- 		{
--		/* !clear => s->read_hash != NULL => mac_size != -1 */
--		int t;
--		t=EVP_MD_CTX_size(s->read_hash);
--		OPENSSL_assert(t >= 0);
--		mac_size=t;
--
--		if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size)
-+		/* s->read_hash != NULL => mac_size != -1 */
-+		unsigned char *mac = NULL;
-+		unsigned char mac_tmp[EVP_MAX_MD_SIZE];
-+		mac_size=EVP_MD_CTX_size(s->read_hash);
-+		OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
-+
-+		/* orig_len is the length of the record before any padding was
-+		 * removed. This is public information, as is the MAC in use,
-+		 * therefore we can safely process the record in a different
-+		 * amount of time if it's too short to possibly contain a MAC.
-+		 */
-+		if (rr->orig_len < mac_size ||
-+		    /* CBC records must have a padding length byte too. */
-+		    (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
-+		     rr->orig_len < mac_size+1))
- 			{
--#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */
--			al=SSL_AD_RECORD_OVERFLOW;
--			SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
-+			al=SSL_AD_DECODE_ERROR;
-+			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
- 			goto f_err;
--#else
--			decryption_failed_or_bad_record_mac = 1;
--#endif			
- 			}
--		/* check the MAC for rr->input (it's in mac_size bytes at the tail) */
--		if (rr->length >= mac_size)
-+
-+		if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE)
- 			{
-+			/* We update the length so that the TLS header bytes
-+			 * can be constructed correctly but we need to extract
-+			 * the MAC in constant time from within the record,
-+			 * without leaking the contents of the padding bytes.
-+			 * */
-+			mac = mac_tmp;
-+			ssl3_cbc_copy_mac(mac_tmp, rr, mac_size);
- 			rr->length -= mac_size;
--			mac = &rr->data[rr->length];
- 			}
- 		else
--			rr->length = 0;
--		i=s->method->ssl3_enc->mac(s,md,0);
--		if (i < 0 || mac == NULL || CRYPTO_memcmp(md,mac,mac_size) != 0)
- 			{
--			decryption_failed_or_bad_record_mac = 1;
-+			/* In this case there's no padding, so |rec->orig_len|
-+			 * equals |rec->length| and we checked that there's
-+			 * enough bytes for |mac_size| above. */
-+			rr->length -= mac_size;
-+			mac = &rr->data[rr->length];
- 			}
-+
-+		i=s->method->ssl3_enc->mac(s,md,0 /* not send */);
-+		if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
-+			enc_err = -1;
-+		if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size)
-+			enc_err = -1;
- 		}
- 
--	if (decryption_failed_or_bad_record_mac)
-+	if (enc_err < 0)
- 		{
- 		/* decryption failed, silently discard message */
- 		rr->length = 0;
-diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
-new file mode 100644
-index 0000000..e9b112c
---- /dev/null
-+++ b/ssl/s3_cbc.c
-@@ -0,0 +1,696 @@
-+/* ssl/s3_cbc.c */
-+/* ====================================================================
-+ * Copyright (c) 2012 The OpenSSL Project.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ *    software must display the following acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission. For written permission, please contact
-+ *    openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ *    nor may "OpenSSL" appear in their names without prior written
-+ *    permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ *    acknowledgment:
-+ *    "This product includes software developed by the OpenSSL Project
-+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay@cryptsoft.com).  This product includes software written by Tim
-+ * Hudson (tjh@cryptsoft.com).
-+ *
-+ */
-+
-+#include <stdint.h>
-+
-+#include "ssl_locl.h"
-+
-+#include <openssl/md5.h>
-+#include <openssl/sha.h>
-+
-+/* MAX_HASH_BIT_COUNT_BYTES is the maximum number of bytes in the hash's length
-+ * field. (SHA-384/512 have 128-bit length.) */
-+#define MAX_HASH_BIT_COUNT_BYTES 16
-+
-+/* MAX_HASH_BLOCK_SIZE is the maximum hash block size that we'll support.
-+ * Currently SHA-384/512 has a 128-byte block size and that's the largest
-+ * supported by TLS.) */
-+#define MAX_HASH_BLOCK_SIZE 128
-+
-+/* Some utility functions are needed:
-+ *
-+ * These macros return the given value with the MSB copied to all the other
-+ * bits. They use the fact that arithmetic shift shifts-in the sign bit.
-+ * However, this is not ensured by the C standard so you may need to replace
-+ * them with something else on odd CPUs. */
-+#define DUPLICATE_MSB_TO_ALL(x) ( (unsigned)( (int)(x) >> (sizeof(int)*8-1) ) )
-+#define DUPLICATE_MSB_TO_ALL_8(x) ((unsigned char)(DUPLICATE_MSB_TO_ALL(x)))
-+
-+/* constant_time_ge returns 0xff if a>=b and 0x00 otherwise. */
-+static unsigned constant_time_ge(unsigned a, unsigned b)
-+	{
-+	a -= b;
-+	return DUPLICATE_MSB_TO_ALL(~a);
-+	}
-+
-+/* constant_time_eq_8 returns 0xff if a==b and 0x00 otherwise. */
-+static unsigned char constant_time_eq_8(unsigned char a, unsigned char b)
-+	{
-+	unsigned c = a ^ b;
-+	c--;
-+	return DUPLICATE_MSB_TO_ALL_8(c);
-+	}
-+
-+/* ssl3_cbc_remove_padding removes padding from the decrypted, SSLv3, CBC
-+ * record in |rec| by updating |rec->length| in constant time.
-+ *
-+ * block_size: the block size of the cipher used to encrypt the record.
-+ * returns:
-+ *   0: (in non-constant time) if the record is publicly invalid.
-+ *   1: if the padding was valid
-+ *  -1: otherwise. */
-+int ssl3_cbc_remove_padding(const SSL* s,
-+			    SSL3_RECORD *rec,
-+			    unsigned block_size,
-+			    unsigned mac_size)
-+	{
-+	unsigned padding_length, good;
-+	const unsigned overhead = 1 /* padding length byte */ + mac_size;
-+
-+	/* These lengths are all public so we can test them in non-constant
-+	 * time. */
-+	if (overhead > rec->length)
-+		return 0;
-+
-+	padding_length = rec->data[rec->length-1];
-+	good = constant_time_ge(rec->length, padding_length+overhead);
-+	/* SSLv3 requires that the padding is minimal. */
-+	good &= constant_time_ge(block_size, padding_length+1);
-+	rec->length -= good & (padding_length+1);
-+	return (int)((good & 1) | (~good & -1));
-+}
-+
-+/* tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC
-+ * record in |rec| in constant time and returns 1 if the padding is valid and
-+ * -1 otherwise. It also removes any explicit IV from the start of the record
-+ * without leaking any timing about whether there was enough space after the
-+ * padding was removed.
-+ *
-+ * block_size: the block size of the cipher used to encrypt the record.
-+ * returns:
-+ *   0: (in non-constant time) if the record is publicly invalid.
-+ *   1: if the padding was valid
-+ *  -1: otherwise. */
-+int tls1_cbc_remove_padding(const SSL* s,
-+			    SSL3_RECORD *rec,
-+			    unsigned block_size,
-+			    unsigned mac_size)
-+	{
-+	unsigned padding_length, good, to_check, i;
-+	const char has_explicit_iv =
-+		s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION;
-+	const unsigned overhead = 1 /* padding length byte */ +
-+				  mac_size +
-+				  (has_explicit_iv ? block_size : 0);
-+
-+	/* These lengths are all public so we can test them in non-constant
-+	 * time. */
-+	if (overhead > rec->length)
-+		return 0;
-+
-+	padding_length = rec->data[rec->length-1];
-+
-+	/* NB: if compression is in operation the first packet may not be of
-+	 * even length so the padding bug check cannot be performed. This bug
-+	 * workaround has been around since SSLeay so hopefully it is either
-+	 * fixed now or no buggy implementation supports compression [steve]
-+	 */
-+	if ( (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG) && !s->expand)
-+		{
-+		/* First packet is even in size, so check */
-+		if ((memcmp(s->s3->read_sequence, "\0\0\0\0\0\0\0\0",8) == 0) &&
-+		    !(padding_length & 1))
-+			{
-+			s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG;
-+			}
-+		if ((s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) &&
-+		    padding_length > 0)
-+			{
-+			padding_length--;
-+			}
-+		}
-+
-+	good = constant_time_ge(rec->length, overhead+padding_length);
-+	/* The padding consists of a length byte at the end of the record and
-+	 * then that many bytes of padding, all with the same value as the
-+	 * length byte. Thus, with the length byte included, there are i+1
-+	 * bytes of padding.
-+	 *
-+	 * We can't check just |padding_length+1| bytes because that leaks
-+	 * decrypted information. Therefore we always have to check the maximum
-+	 * amount of padding possible. (Again, the length of the record is
-+	 * public information so we can use it.) */
-+	to_check = 255; /* maximum amount of padding. */
-+	if (to_check > rec->length-1)
-+		to_check = rec->length-1;
-+
-+	for (i = 0; i < to_check; i++)
-+		{
-+		unsigned char mask = constant_time_ge(padding_length, i);
-+		unsigned char b = rec->data[rec->length-1-i];
-+		/* The final |padding_length+1| bytes should all have the value
-+		 * |padding_length|. Therefore the XOR should be zero. */
-+		good &= ~(mask&(padding_length ^ b));
-+		}
-+
-+	/* If any of the final |padding_length+1| bytes had the wrong value,
-+	 * one or more of the lower eight bits of |good| will be cleared. We
-+	 * AND the bottom 8 bits together and duplicate the result to all the
-+	 * bits. */
-+	good &= good >> 4;
-+	good &= good >> 2;
-+	good &= good >> 1;
-+	good <<= sizeof(good)*8-1;
-+	good = DUPLICATE_MSB_TO_ALL(good);
-+
-+	rec->length -= good & (padding_length+1);
-+
-+	/* We can always safely skip the explicit IV. We check at the beginning
-+	 * of this function that the record has at least enough space for the
-+	 * IV, MAC and padding length byte. (These can be checked in
-+	 * non-constant time because it's all public information.) So, if the
-+	 * padding was invalid, then we didn't change |rec->length| and this is
-+	 * safe. If the padding was valid then we know that we have at least
-+	 * overhead+padding_length bytes of space and so this is still safe
-+	 * because overhead accounts for the explicit IV. */
-+	if (has_explicit_iv)
-+		{
-+		rec->data += block_size;
-+		rec->input += block_size;
-+		rec->length -= block_size;
-+		rec->orig_len -= block_size;
-+		}
-+
-+	return (int)((good & 1) | (~good & -1));
-+	}
-+
-+#if defined(_M_AMD64) || defined(__x86_64__)
-+#define CBC_MAC_ROTATE_IN_PLACE
-+#endif
-+
-+/* ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in
-+ * constant time (independent of the concrete value of rec->length, which may
-+ * vary within a 256-byte window).
-+ *
-+ * ssl3_cbc_remove_padding or tls1_cbc_remove_padding must be called prior to
-+ * this function.
-+ *
-+ * On entry:
-+ *   rec->orig_len >= md_size
-+ *   md_size <= EVP_MAX_MD_SIZE
-+ *
-+ * If CBC_MAC_ROTATE_IN_PLACE is defined then the rotation is performed with
-+ * variable accesses in a 64-byte-aligned buffer. Assuming that this fits into
-+ * a single cache-line, then the variable memory accesses don't actually affect
-+ * the timing. This has been tested to be true on Intel amd64 chips.
-+ */
-+void ssl3_cbc_copy_mac(unsigned char* out,
-+		       const SSL3_RECORD *rec,
-+		       unsigned md_size)
-+	{
-+#if defined(CBC_MAC_ROTATE_IN_PLACE)
-+	unsigned char rotated_mac_buf[EVP_MAX_MD_SIZE*2];
-+	unsigned char *rotated_mac;
-+#else
-+	unsigned char rotated_mac[EVP_MAX_MD_SIZE];
-+#endif
-+
-+	/* mac_end is the index of |rec->data| just after the end of the MAC. */
-+	unsigned mac_end = rec->length;
-+	unsigned mac_start = mac_end - md_size;
-+	/* scan_start contains the number of bytes that we can ignore because
-+	 * the MAC's position can only vary by 255 bytes. */
-+	unsigned scan_start = 0;
-+	unsigned i, j;
-+	unsigned div_spoiler;
-+	unsigned rotate_offset;
-+
-+	OPENSSL_assert(rec->orig_len >= md_size);
-+	OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);
-+
-+#if defined(CBC_MAC_ROTATE_IN_PLACE)
-+	rotated_mac = (unsigned char*) (((intptr_t)(rotated_mac_buf + 64)) & ~63);
-+#endif
-+
-+	/* This information is public so it's safe to branch based on it. */
-+	if (rec->orig_len > md_size + 255 + 1)
-+		scan_start = rec->orig_len - (md_size + 255 + 1);
-+	/* div_spoiler contains a multiple of md_size that is used to cause the
-+	 * modulo operation to be constant time. Without this, the time varies
-+	 * based on the amount of padding when running on Intel chips at least.
-+	 *
-+	 * The aim of right-shifting md_size is so that the compiler doesn't
-+	 * figure out that it can remove div_spoiler as that would require it
-+	 * to prove that md_size is always even, which I hope is beyond it. */
-+	div_spoiler = md_size >> 1;
-+	div_spoiler <<= (sizeof(div_spoiler)-1)*8;
-+	rotate_offset = (div_spoiler + mac_start - scan_start) % md_size;
-+
-+	memset(rotated_mac, 0, md_size);
-+	for (i = scan_start; i < rec->orig_len;)
-+		{
-+		for (j = 0; j < md_size && i < rec->orig_len; i++, j++)
-+			{
-+			unsigned char mac_started = constant_time_ge(i, mac_start);
-+			unsigned char mac_ended = constant_time_ge(i, mac_end);
-+			unsigned char b = 0;
-+			b = rec->data[i];
-+			rotated_mac[j] |= b & mac_started & ~mac_ended;
-+			}
-+		}
-+
-+	/* Now rotate the MAC */
-+#if defined(CBC_MAC_ROTATE_IN_PLACE)
-+	j = 0;
-+	for (i = 0; i < md_size; i++)
-+		{
-+		unsigned char offset = (div_spoiler + rotate_offset + i) % md_size;
-+		out[j++] = rotated_mac[offset];
-+		}
-+#else
-+	memset(out, 0, md_size);
-+	for (i = 0; i < md_size; i++)
-+		{
-+		unsigned char offset = (div_spoiler + md_size - rotate_offset + i) % md_size;
-+		for (j = 0; j < md_size; j++)
-+			out[j] |= rotated_mac[i] & constant_time_eq_8(j, offset);
-+		}
-+#endif
-+	}
-+
-+/* These functions serialize the state of a hash and thus perform the standard
-+ * "final" operation without adding the padding and length that such a function
-+ * typically does. */
-+static void tls1_md5_final_raw(void* ctx, unsigned char *md_out)
-+	{
-+	MD5_CTX *md5 = ctx;
-+	l2n(md5->A, md_out);
-+	l2n(md5->B, md_out);
-+	l2n(md5->C, md_out);
-+	l2n(md5->D, md_out);
-+	}
-+
-+static void tls1_sha1_final_raw(void* ctx, unsigned char *md_out)
-+	{
-+	SHA_CTX *sha1 = ctx;
-+	l2n(sha1->h0, md_out);
-+	l2n(sha1->h1, md_out);
-+	l2n(sha1->h2, md_out);
-+	l2n(sha1->h3, md_out);
-+	l2n(sha1->h4, md_out);
-+	}
-+
-+static void tls1_sha256_final_raw(void* ctx, unsigned char *md_out)
-+	{
-+	SHA256_CTX *sha256 = ctx;
-+	unsigned i;
-+
-+	for (i = 0; i < 8; i++)
-+		{
-+		l2n(sha256->h[i], md_out);
-+		}
-+	}
-+
-+static void tls1_sha512_final_raw(void* ctx, unsigned char *md_out)
-+	{
-+	SHA512_CTX *sha512 = ctx;
-+	unsigned i;
-+
-+	for (i = 0; i < 8; i++)
-+		{
-+		l2n8(sha512->h[i], md_out);
-+		}
-+	}
-+
-+/* ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function
-+ * which ssl3_cbc_digest_record supports. */
-+char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
-+	{
-+	switch (ctx->digest->type)
-+		{
-+		case NID_md5:
-+		case NID_sha1:
-+		case NID_sha224:
-+		case NID_sha256:
-+		case NID_sha384:
-+		case NID_sha512:
-+			return 1;
-+		default:
-+			return 0;
-+		}
-+	}
-+
-+/* ssl3_cbc_digest_record computes the MAC of a decrypted, padded SSLv3/TLS
-+ * record.
-+ *
-+ *   ctx: the EVP_MD_CTX from which we take the hash function.
-+ *     ssl3_cbc_record_digest_supported must return true for this EVP_MD_CTX.
-+ *   md_out: the digest output. At most EVP_MAX_MD_SIZE bytes will be written.
-+ *   md_out_size: if non-NULL, the number of output bytes is written here.
-+ *   header: the 13-byte, TLS record header.
-+ *   data: the record data itself, less any preceeding explicit IV.
-+ *   data_plus_mac_size: the secret, reported length of the data and MAC
-+ *     once the padding has been removed.
-+ *   data_plus_mac_plus_padding_size: the public length of the whole
-+ *     record, including padding.
-+ *   is_sslv3: non-zero if we are to use SSLv3. Otherwise, TLS.
-+ *
-+ * On entry: by virtue of having been through one of the remove_padding
-+ * functions, above, we know that data_plus_mac_size is large enough to contain
-+ * a padding byte and MAC. (If the padding was invalid, it might contain the
-+ * padding too. ) */
-+void ssl3_cbc_digest_record(
-+	const EVP_MD_CTX *ctx,
-+	unsigned char* md_out,
-+	size_t* md_out_size,
-+	const unsigned char header[13],
-+	const unsigned char *data,
-+	size_t data_plus_mac_size,
-+	size_t data_plus_mac_plus_padding_size,
-+	const unsigned char *mac_secret,
-+	unsigned mac_secret_length,
-+	char is_sslv3)
-+	{
-+	unsigned char md_state[sizeof(SHA512_CTX)];
-+	void (*md_final_raw)(void *ctx, unsigned char *md_out);
-+	void (*md_transform)(void *ctx, const unsigned char *block);
-+	unsigned md_size, md_block_size = 64;
-+	unsigned sslv3_pad_length = 40, header_length, variance_blocks,
-+		 len, max_mac_bytes, num_blocks,
-+		 num_starting_blocks, k, mac_end_offset, c, index_a, index_b;
-+	uint64_t bits;
-+	unsigned char length_bytes[MAX_HASH_BIT_COUNT_BYTES];
-+	/* hmac_pad is the masked HMAC key. */
-+	unsigned char hmac_pad[MAX_HASH_BLOCK_SIZE];
-+	unsigned char first_block[MAX_HASH_BLOCK_SIZE];
-+	unsigned char mac_out[EVP_MAX_MD_SIZE];
-+	unsigned i, j, md_out_size_u;
-+	EVP_MD_CTX md_ctx;
-+	/* mdLengthSize is the number of bytes in the length field that terminates
-+	* the hash. */
-+	unsigned md_length_size = 8;
-+
-+	/* This is a, hopefully redundant, check that allows us to forget about
-+	 * many possible overflows later in this function. */
-+	OPENSSL_assert(data_plus_mac_plus_padding_size < 1024*1024);
-+
-+	switch (ctx->digest->type)
-+		{
-+		case NID_md5:
-+			MD5_Init((MD5_CTX*)md_state);
-+			md_final_raw = tls1_md5_final_raw;
-+			md_transform = (void(*)(void *ctx, const unsigned char *block)) MD5_Transform;
-+			md_size = 16;
-+			sslv3_pad_length = 48;
-+			break;
-+		case NID_sha1:
-+			SHA1_Init((SHA_CTX*)md_state);
-+			md_final_raw = tls1_sha1_final_raw;
-+			md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA1_Transform;
-+			md_size = 20;
-+			break;
-+		case NID_sha224:
-+			SHA224_Init((SHA256_CTX*)md_state);
-+			md_final_raw = tls1_sha256_final_raw;
-+			md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA256_Transform;
-+			md_size = 224/8;
-+			break;
-+		case NID_sha256:
-+			SHA256_Init((SHA256_CTX*)md_state);
-+			md_final_raw = tls1_sha256_final_raw;
-+			md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA256_Transform;
-+			md_size = 32;
-+			break;
-+		case NID_sha384:
-+			SHA384_Init((SHA512_CTX*)md_state);
-+			md_final_raw = tls1_sha512_final_raw;
-+			md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA512_Transform;
-+			md_size = 384/8;
-+			md_block_size = 128;
-+			md_length_size = 16;
-+			break;
-+		case NID_sha512:
-+			SHA512_Init((SHA512_CTX*)md_state);
-+			md_final_raw = tls1_sha512_final_raw;
-+			md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA512_Transform;
-+			md_size = 64;
-+			md_block_size = 128;
-+			md_length_size = 16;
-+			break;
-+		default:
-+			/* ssl3_cbc_record_digest_supported should have been
-+			 * called first to check that the hash function is
-+			 * supported. */
-+			OPENSSL_assert(0);
-+			if (md_out_size)
-+				*md_out_size = -1;
-+			return;
-+		}
-+
-+	OPENSSL_assert(md_length_size <= MAX_HASH_BIT_COUNT_BYTES);
-+	OPENSSL_assert(md_block_size <= MAX_HASH_BLOCK_SIZE);
-+	OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);
-+
-+	header_length = 13;
-+	if (is_sslv3)
-+		{
-+		header_length =
-+			mac_secret_length +
-+			sslv3_pad_length +
-+			8 /* sequence number */ +
-+			1 /* record type */ +
-+			2 /* record length */;
-+		}
-+
-+	/* variance_blocks is the number of blocks of the hash that we have to
-+	 * calculate in constant time because they could be altered by the
-+	 * padding value.
-+	 *
-+	 * In SSLv3, the padding must be minimal so the end of the plaintext
-+	 * varies by, at most, 15+20 = 35 bytes. (We conservatively assume that
-+	 * the MAC size varies from 0..20 bytes.) In case the 9 bytes of hash
-+	 * termination (0x80 + 64-bit length) don't fit in the final block, we
-+	 * say that the final two blocks can vary based on the padding.
-+	 *
-+	 * TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not
-+	 * required to be minimal. Therefore we say that the final six blocks
-+	 * can vary based on the padding.
-+	 *
-+	 * Later in the function, if the message is short and there obviously
-+	 * cannot be this many blocks then variance_blocks can be reduced. */
-+	variance_blocks = is_sslv3 ? 2 : 6;
-+	/* From now on we're dealing with the MAC, which conceptually has 13
-+	 * bytes of `header' before the start of the data (TLS) or 71/75 bytes
-+	 * (SSLv3) */
-+	len = data_plus_mac_plus_padding_size + header_length;
-+	/* max_mac_bytes contains the maximum bytes of bytes in the MAC, including
-+	* |header|, assuming that there's no padding. */
-+	max_mac_bytes = len - md_size - 1;
-+	/* num_blocks is the maximum number of hash blocks. */
-+	num_blocks = (max_mac_bytes + 1 + md_length_size + md_block_size - 1) / md_block_size;
-+	/* In order to calculate the MAC in constant time we have to handle
-+	 * the final blocks specially because the padding value could cause the
-+	 * end to appear somewhere in the final |variance_blocks| blocks and we
-+	 * can't leak where. However, |num_starting_blocks| worth of data can
-+	 * be hashed right away because no padding value can affect whether
-+	 * they are plaintext. */
-+	num_starting_blocks = 0;
-+	/* k is the starting byte offset into the conceptual header||data where
-+	 * we start processing. */
-+	k = 0;
-+	/* mac_end_offset is the index just past the end of the data to be
-+	 * MACed. */
-+	mac_end_offset = data_plus_mac_size + header_length - md_size;
-+	/* c is the index of the 0x80 byte in the final hash block that
-+	 * contains application data. */
-+	c = mac_end_offset % md_block_size;
-+	/* index_a is the hash block number that contains the 0x80 terminating
-+	 * value. */
-+	index_a = mac_end_offset / md_block_size;
-+	/* index_b is the hash block number that contains the 64-bit hash
-+	 * length, in bits. */
-+	index_b = (mac_end_offset + md_length_size) / md_block_size;
-+	/* bits is the hash-length in bits. It includes the additional hash
-+	 * block for the masked HMAC key, or whole of |header| in the case of
-+	 * SSLv3. */
-+
-+	/* For SSLv3, if we're going to have any starting blocks then we need
-+	 * at least two because the header is larger than a single block. */
-+	if (num_blocks > variance_blocks + (is_sslv3 ? 1 : 0))
-+		{
-+		num_starting_blocks = num_blocks - variance_blocks;
-+		k = md_block_size*num_starting_blocks;
-+		}
-+
-+	bits = 8*mac_end_offset;
-+	if (!is_sslv3)
-+		{
-+		/* Compute the initial HMAC block. For SSLv3, the padding and
-+		 * secret bytes are included in |header| because they take more
-+		 * than a single block. */
-+		bits += 8*md_block_size;
-+		memset(hmac_pad, 0, md_block_size);
-+		OPENSSL_assert(mac_secret_length <= sizeof(hmac_pad));
-+		memcpy(hmac_pad, mac_secret, mac_secret_length);
-+		for (i = 0; i < md_block_size; i++)
-+			hmac_pad[i] ^= 0x36;
-+
-+		md_transform(md_state, hmac_pad);
-+		}
-+
-+	j = 0;
-+	if (md_length_size == 16)
-+		{
-+		memset(length_bytes, 0, 8);
-+		j = 8;
-+		}
-+	for (i = 0; i < 8; i++)
-+		length_bytes[i+j] = bits >> (8*(7-i));
-+
-+	if (k > 0)
-+		{
-+		if (is_sslv3)
-+			{
-+			/* The SSLv3 header is larger than a single block.
-+			 * overhang is the number of bytes beyond a single
-+			 * block that the header consumes: either 7 bytes
-+			 * (SHA1) or 11 bytes (MD5). */
-+			unsigned overhang = header_length-md_block_size;
-+			md_transform(md_state, header);
-+			memcpy(first_block, header + md_block_size, overhang);
-+			memcpy(first_block + overhang, data, md_block_size-overhang);
-+			md_transform(md_state, first_block);
-+			for (i = 1; i < k/md_block_size - 1; i++)
-+				md_transform(md_state, data + md_block_size*i - overhang);
-+			}
-+		else
-+			{
-+			/* k is a multiple of md_block_size. */
-+			memcpy(first_block, header, 13);
-+			memcpy(first_block+13, data, md_block_size-13);
-+			md_transform(md_state, first_block);
-+			for (i = 1; i < k/md_block_size; i++)
-+				md_transform(md_state, data + md_block_size*i - 13);
-+			}
-+		}
-+
-+	memset(mac_out, 0, sizeof(mac_out));
-+
-+	/* We now process the final hash blocks. For each block, we construct
-+	 * it in constant time. If the |i==index_a| then we'll include the 0x80
-+	 * bytes and zero pad etc. For each block we selectively copy it, in
-+	 * constant time, to |mac_out|. */
-+	for (i = num_starting_blocks; i <= num_starting_blocks+variance_blocks; i++)
-+		{
-+		unsigned char block[MAX_HASH_BLOCK_SIZE];
-+		unsigned char is_block_a = constant_time_eq_8(i, index_a);
-+		unsigned char is_block_b = constant_time_eq_8(i, index_b);
-+		for (j = 0; j < md_block_size; j++)
-+			{
-+			unsigned char b = 0, is_past_c, is_past_cp1;
-+			if (k < header_length)
-+				b = header[k];
-+			else if (k < data_plus_mac_plus_padding_size + header_length)
-+				b = data[k-header_length];
-+			k++;
-+
-+			is_past_c = is_block_a & constant_time_ge(j, c);
-+			is_past_cp1 = is_block_a & constant_time_ge(j, c+1);
-+			/* If this is the block containing the end of the
-+			 * application data, and we are at the offset for the
-+			 * 0x80 value, then overwrite b with 0x80. */
-+			b = (b&~is_past_c) | (0x80&is_past_c);
-+			/* If this the the block containing the end of the
-+			 * application data and we're past the 0x80 value then
-+			 * just write zero. */
-+			b = b&~is_past_cp1;
-+			/* If this is index_b (the final block), but not
-+			 * index_a (the end of the data), then the 64-bit
-+			 * length didn't fit into index_a and we're having to
-+			 * add an extra block of zeros. */
-+			b &= ~is_block_b | is_block_a;
-+
-+			/* The final bytes of one of the blocks contains the
-+			 * length. */
-+			if (j >= md_block_size - md_length_size)
-+				{
-+				/* If this is index_b, write a length byte. */
-+				b = (b&~is_block_b) | (is_block_b&length_bytes[j-(md_block_size-md_length_size)]);
-+				}
-+			block[j] = b;
-+			}
-+
-+		md_transform(md_state, block);
-+		md_final_raw(md_state, block);
-+		/* If this is index_b, copy the hash value to |mac_out|. */
-+		for (j = 0; j < md_size; j++)
-+			mac_out[j] |= block[j]&is_block_b;
-+		}
-+
-+	EVP_MD_CTX_init(&md_ctx);
-+	EVP_DigestInit_ex(&md_ctx, ctx->digest, NULL /* engine */);
-+	if (is_sslv3)
-+		{
-+		/* We repurpose |hmac_pad| to contain the SSLv3 pad2 block. */
-+		memset(hmac_pad, 0x5c, sslv3_pad_length);
-+
-+		EVP_DigestUpdate(&md_ctx, mac_secret, mac_secret_length);
-+		EVP_DigestUpdate(&md_ctx, hmac_pad, sslv3_pad_length);
-+		EVP_DigestUpdate(&md_ctx, mac_out, md_size);
-+		}
-+	else
-+		{
-+		/* Complete the HMAC in the standard manner. */
-+		for (i = 0; i < md_block_size; i++)
-+			hmac_pad[i] ^= 0x6a;
-+
-+		EVP_DigestUpdate(&md_ctx, hmac_pad, md_block_size);
-+		EVP_DigestUpdate(&md_ctx, mac_out, md_size);
-+		}
-+	EVP_DigestFinal(&md_ctx, md_out, &md_out_size_u);
-+	if (md_out_size)
-+		*md_out_size = md_out_size_u;
-+	EVP_MD_CTX_cleanup(&md_ctx);
-+	}
-diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
-index c5df2cb..a0eac77 100644
---- a/ssl/s3_enc.c
-+++ b/ssl/s3_enc.c
-@@ -466,12 +466,21 @@ void ssl3_cleanup_key_block(SSL *s)
- 	s->s3->tmp.key_block_length=0;
- 	}
- 
-+/* ssl3_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
-+ *
-+ * Returns:
-+ *   0: (in non-constant time) if the record is publically invalid (i.e. too
-+ *       short etc).
-+ *   1: if the record's padding is valid / the encryption was successful.
-+ *   -1: if the record's padding is invalid or, if sending, an internal error
-+ *       occured.
-+ */
- int ssl3_enc(SSL *s, int send)
- 	{
- 	SSL3_RECORD *rec;
- 	EVP_CIPHER_CTX *ds;
- 	unsigned long l;
--	int bs,i;
-+	int bs,i,mac_size=0;
- 	const EVP_CIPHER *enc;
- 
- 	if (send)
-@@ -522,32 +531,16 @@ int ssl3_enc(SSL *s, int send)
- 		if (!send)
- 			{
- 			if (l == 0 || l%bs != 0)
--				{
--				SSLerr(SSL_F_SSL3_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
--				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
- 				return 0;
--				}
- 			/* otherwise, rec->length >= bs */
- 			}
- 		
- 		EVP_Cipher(ds,rec->data,rec->input,l);
- 
-+		if (EVP_MD_CTX_md(s->read_hash) != NULL)
-+			mac_size = EVP_MD_CTX_size(s->read_hash);
- 		if ((bs != 1) && !send)
--			{
--			i=rec->data[l-1]+1;
--			/* SSL 3.0 bounds the number of padding bytes by the block size;
--			 * padding bytes (except the last one) are arbitrary */
--			if (i > bs)
--				{
--				/* Incorrect padding. SSLerr() and ssl3_alert are done
--				 * by caller: we don't want to reveal whether this is
--				 * a decryption error or a MAC verification failure
--				 * (see http://www.openssl.org/~bodo/tls-cbc.txt) */
--				return -1;
--				}
--			/* now i <= bs <= rec->length */
--			rec->length-=i;
--			}
-+			return ssl3_cbc_remove_padding(s, rec, bs, mac_size);
- 		}
- 	return(1);
- 	}
-@@ -716,7 +709,7 @@ int n_ssl3_mac(SSL *ssl, unsigned char *md, int send)
- 	EVP_MD_CTX md_ctx;
- 	const EVP_MD_CTX *hash;
- 	unsigned char *p,rec_char;
--	unsigned int md_size;
-+	size_t md_size;
- 	int npad;
- 	int t;
- 
-@@ -741,28 +734,68 @@ int n_ssl3_mac(SSL *ssl, unsigned char *md, int send)
- 	md_size=t;
- 	npad=(48/md_size)*md_size;
- 
--	/* Chop the digest off the end :-) */
--	EVP_MD_CTX_init(&md_ctx);
--
--	EVP_MD_CTX_copy_ex( &md_ctx,hash);
--	EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
--	EVP_DigestUpdate(&md_ctx,ssl3_pad_1,npad);
--	EVP_DigestUpdate(&md_ctx,seq,8);
--	rec_char=rec->type;
--	EVP_DigestUpdate(&md_ctx,&rec_char,1);
--	p=md;
--	s2n(rec->length,p);
--	EVP_DigestUpdate(&md_ctx,md,2);
--	EVP_DigestUpdate(&md_ctx,rec->input,rec->length);
--	EVP_DigestFinal_ex( &md_ctx,md,NULL);
--
--	EVP_MD_CTX_copy_ex( &md_ctx,hash);
--	EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
--	EVP_DigestUpdate(&md_ctx,ssl3_pad_2,npad);
--	EVP_DigestUpdate(&md_ctx,md,md_size);
--	EVP_DigestFinal_ex( &md_ctx,md,&md_size);
--
--	EVP_MD_CTX_cleanup(&md_ctx);
-+	if (!send &&
-+	    EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
-+	    ssl3_cbc_record_digest_supported(hash))
-+		{
-+		/* This is a CBC-encrypted record. We must avoid leaking any
-+		 * timing-side channel information about how many blocks of
-+		 * data we are hashing because that gives an attacker a
-+		 * timing-oracle. */
-+
-+		/* npad is, at most, 48 bytes and that's with MD5:
-+		 *   16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
-+		 *
-+		 * With SHA-1 (the largest hash speced for SSLv3) the hash size
-+		 * goes up 4, but npad goes down by 8, resulting in a smaller
-+		 * total size. */
-+		unsigned char header[75];
-+		unsigned j = 0;
-+		memcpy(header+j, mac_sec, md_size);
-+		j += md_size;
-+		memcpy(header+j, ssl3_pad_1, npad);
-+		j += npad;
-+		memcpy(header+j, seq, 8);
-+		j += 8;
-+		header[j++] = rec->type;
-+		header[j++] = rec->length >> 8;
-+		header[j++] = rec->length & 0xff;
-+
-+		ssl3_cbc_digest_record(
-+			hash,
-+			md, &md_size,
-+			header, rec->input,
-+			rec->length + md_size, rec->orig_len,
-+			mac_sec, md_size,
-+			1 /* is SSLv3 */);
-+		}
-+	else
-+		{
-+		unsigned int md_size_u;
-+		/* Chop the digest off the end :-) */
-+		EVP_MD_CTX_init(&md_ctx);
-+
-+		EVP_MD_CTX_copy_ex( &md_ctx,hash);
-+		EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
-+		EVP_DigestUpdate(&md_ctx,ssl3_pad_1,npad);
-+		EVP_DigestUpdate(&md_ctx,seq,8);
-+		rec_char=rec->type;
-+		EVP_DigestUpdate(&md_ctx,&rec_char,1);
-+		p=md;
-+		s2n(rec->length,p);
-+		EVP_DigestUpdate(&md_ctx,md,2);
-+		EVP_DigestUpdate(&md_ctx,rec->input,rec->length);
-+		EVP_DigestFinal_ex( &md_ctx,md,NULL);
-+
-+		EVP_MD_CTX_copy_ex( &md_ctx,hash);
-+		EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
-+		EVP_DigestUpdate(&md_ctx,ssl3_pad_2,npad);
-+		EVP_DigestUpdate(&md_ctx,md,md_size);
-+		EVP_DigestFinal_ex( &md_ctx,md,&md_size_u);
-+		md_size = md_size_u;
-+
-+		EVP_MD_CTX_cleanup(&md_ctx);
-+	}
- 
- 	ssl3_record_sequence_update(seq);
- 	return(md_size);
-diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
-index 3e11140..dba6653 100644
---- a/ssl/s3_pkt.c
-+++ b/ssl/s3_pkt.c
-@@ -290,11 +290,8 @@ static int ssl3_get_record(SSL *s)
- 	unsigned char *p;
- 	unsigned char md[EVP_MAX_MD_SIZE];
- 	short version;
--	int mac_size;
--	int clear=0;
-+	unsigned mac_size;
- 	size_t extra;
--	int decryption_failed_or_bad_record_mac = 0;
--	unsigned char *mac = NULL;
- 
- 	rr= &(s->s3->rrec);
- 	sess=s->session;
-@@ -401,19 +398,18 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
- 
- 	/* decrypt in place in 'rr->input' */
- 	rr->data=rr->input;
-+	rr->orig_len=rr->length;
- 
- 	enc_err = s->method->ssl3_enc->enc(s,0);
--	if (enc_err <= 0)
-+	/* enc_err is:
-+	 *    0: (in non-constant time) if the record is publically invalid.
-+	 *    1: if the padding is valid
-+	 *    -1: if the padding is invalid */
-+	if (enc_err == 0)
- 		{
--		if (enc_err == 0)
--			/* SSLerr() and ssl3_send_alert() have been called */
--			goto err;
--
--		/* Otherwise enc_err == -1, which indicates bad padding
--		 * (rec->length has not been changed in this case).
--		 * To minimize information leaked via timing, we will perform
--		 * the MAC computation anyway. */
--		decryption_failed_or_bad_record_mac = 1;
-+		al=SSL_AD_DECRYPTION_FAILED;
-+		SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
-+		goto f_err;
- 		}
- 
- #ifdef TLS_DEBUG
-@@ -423,53 +419,59 @@ printf("\n");
- #endif
- 
- 	/* r->length is now the compressed data plus mac */
--	if (	(sess == NULL) ||
--		(s->enc_read_ctx == NULL) ||
--		(EVP_MD_CTX_md(s->read_hash) == NULL))
--		clear=1;
--
--	if (!clear)
-+	if ((sess != NULL) &&
-+	    (s->enc_read_ctx != NULL) &&
-+	    (EVP_MD_CTX_md(s->read_hash) != NULL))
- 		{
--		/* !clear => s->read_hash != NULL => mac_size != -1 */
-+		/* s->read_hash != NULL => mac_size != -1 */
-+		unsigned char *mac = NULL;
-+		unsigned char mac_tmp[EVP_MAX_MD_SIZE];
- 		mac_size=EVP_MD_CTX_size(s->read_hash);
--		OPENSSL_assert(mac_size >= 0);
-+		OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
- 
--		if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size)
-+		/* orig_len is the length of the record before any padding was
-+		 * removed. This is public information, as is the MAC in use,
-+		 * therefore we can safely process the record in a different
-+		 * amount of time if it's too short to possibly contain a MAC.
-+		 */
-+		if (rr->orig_len < mac_size ||
-+		    /* CBC records must have a padding length byte too. */
-+		    (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
-+		     rr->orig_len < mac_size+1))
- 			{
--#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */
--			al=SSL_AD_RECORD_OVERFLOW;
--			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
-+			al=SSL_AD_DECODE_ERROR;
-+			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
- 			goto f_err;
--#else
--			decryption_failed_or_bad_record_mac = 1;
--#endif			
- 			}
--		/* check the MAC for rr->input (it's in mac_size bytes at the tail) */
--		if (rr->length >= (unsigned int)mac_size)
-+
-+		if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE)
- 			{
-+			/* We update the length so that the TLS header bytes
-+			 * can be constructed correctly but we need to extract
-+			 * the MAC in constant time from within the record,
-+			 * without leaking the contents of the padding bytes.
-+			 * */
-+			mac = mac_tmp;
-+			ssl3_cbc_copy_mac(mac_tmp, rr, mac_size);
- 			rr->length -= mac_size;
--			mac = &rr->data[rr->length];
- 			}
- 		else
- 			{
--			/* record (minus padding) is too short to contain a MAC */
--#if 0 /* OK only for stream ciphers */
--			al=SSL_AD_DECODE_ERROR;
--			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
--			goto f_err;
--#else
--			decryption_failed_or_bad_record_mac = 1;
--			rr->length = 0;
--#endif
-+			/* In this case there's no padding, so |rec->orig_len|
-+			 * equals |rec->length| and we checked that there's
-+			 * enough bytes for |mac_size| above. */
-+			rr->length -= mac_size;
-+			mac = &rr->data[rr->length];
- 			}
--		i=s->method->ssl3_enc->mac(s,md,0);
-+
-+		i=s->method->ssl3_enc->mac(s,md,0 /* not send */);
- 		if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
--			{
--			decryption_failed_or_bad_record_mac = 1;
--			}
-+			enc_err = -1;
-+		if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size)
-+			enc_err = -1;
- 		}
- 
--	if (decryption_failed_or_bad_record_mac)
-+	if (enc_err < 0)
- 		{
- 		/* A separate 'decryption_failed' alert was introduced with TLS 1.0,
- 		 * SSL 3.0 only has 'bad_record_mac'.  But unless a decryption
-diff --git a/ssl/ssl3.h b/ssl/ssl3.h
-index 247e88c..87d3e0f 100644
---- a/ssl/ssl3.h
-+++ b/ssl/ssl3.h
-@@ -355,6 +355,10 @@ typedef struct ssl3_record_st
- /*r */	unsigned char *comp;    /* only used with decompression - malloc()ed */
- /*r */  unsigned long epoch;    /* epoch number, needed by DTLS1 */
- /*r */  unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */
-+/*rw*/	unsigned int orig_len;  /* How many bytes were available before padding
-+				   was removed? This is used to implement the
-+				   MAC check in constant time for CBC records.
-+				 */
- 	} SSL3_RECORD;
- 
- typedef struct ssl3_buffer_st
-diff --git a/ssl/ssl_algs.c b/ssl/ssl_algs.c
-index d443143..41ccbaa 100644
---- a/ssl/ssl_algs.c
-+++ b/ssl/ssl_algs.c
-@@ -90,11 +90,14 @@ int SSL_library_init(void)
- 	EVP_add_cipher(EVP_aes_256_cbc());
- 	EVP_add_cipher(EVP_aes_128_gcm());
- 	EVP_add_cipher(EVP_aes_256_gcm());
-+#if 0 /* Disabled because of timing side-channel leaks. */
- #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
- 	EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1());
- 	EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1());
- #endif
- #endif
-+
-+#endif
- #ifndef OPENSSL_NO_CAMELLIA
- 	EVP_add_cipher(EVP_camellia_128_cbc());
- 	EVP_add_cipher(EVP_camellia_256_cbc());
-diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
-index 0572e10..dd8388c 100644
---- a/ssl/ssl_locl.h
-+++ b/ssl/ssl_locl.h
-@@ -215,6 +215,15 @@
- 			 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
- 			 *((c)++)=(unsigned char)(((l)    )&0xff))
- 
-+#define l2n8(l,c)	(*((c)++)=(unsigned char)(((l)>>56)&0xff), \
-+			 *((c)++)=(unsigned char)(((l)>>48)&0xff), \
-+			 *((c)++)=(unsigned char)(((l)>>40)&0xff), \
-+			 *((c)++)=(unsigned char)(((l)>>32)&0xff), \
-+			 *((c)++)=(unsigned char)(((l)>>24)&0xff), \
-+			 *((c)++)=(unsigned char)(((l)>>16)&0xff), \
-+			 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
-+			 *((c)++)=(unsigned char)(((l)    )&0xff))
-+
- #define n2l6(c,l)	(l =((BN_ULLONG)(*((c)++)))<<40, \
- 			 l|=((BN_ULLONG)(*((c)++)))<<32, \
- 			 l|=((BN_ULLONG)(*((c)++)))<<24, \
-@@ -1133,4 +1142,29 @@ int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al
- int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen);
- int ssl_parse_serverhello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al);
- 
-+/* s3_cbc.c */
-+void ssl3_cbc_copy_mac(unsigned char* out,
-+		       const SSL3_RECORD *rec,
-+		       unsigned md_size);
-+int ssl3_cbc_remove_padding(const SSL* s,
-+			    SSL3_RECORD *rec,
-+			    unsigned block_size,
-+			    unsigned mac_size);
-+int tls1_cbc_remove_padding(const SSL* s,
-+			    SSL3_RECORD *rec,
-+			    unsigned block_size,
-+			    unsigned mac_size);
-+char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx);
-+void ssl3_cbc_digest_record(
-+	const EVP_MD_CTX *ctx,
-+	unsigned char* md_out,
-+	size_t* md_out_size,
-+	const unsigned char header[13],
-+	const unsigned char *data,
-+	size_t data_plus_mac_size,
-+	size_t data_plus_mac_plus_padding_size,
-+	const unsigned char *mac_secret,
-+	unsigned mac_secret_length,
-+	char is_sslv3);
-+
- #endif
-diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
-index b37678f..bb46f7f 100644
---- a/ssl/t1_enc.c
-+++ b/ssl/t1_enc.c
-@@ -667,12 +667,21 @@ err:
- 	return(ret);
- 	}
- 
-+/* tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
-+ *
-+ * Returns:
-+ *   0: (in non-constant time) if the record is publically invalid (i.e. too
-+ *       short etc).
-+ *   1: if the record's padding is valid / the encryption was successful.
-+ *   -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
-+ *       an internal error occured.
-+ */
- int tls1_enc(SSL *s, int send)
- 	{
- 	SSL3_RECORD *rec;
- 	EVP_CIPHER_CTX *ds;
- 	unsigned long l;
--	int bs,i,ii,j,k,pad=0;
-+	int bs,i,j,k,pad=0,ret,mac_size=0;
- 	const EVP_CIPHER *enc;
- 
- 	if (send)
-@@ -729,11 +738,11 @@ int tls1_enc(SSL *s, int send)
- 	printf("tls1_enc(%d)\n", send);
- #endif    /* KSSL_DEBUG */
- 
--	if ((s->session == NULL) || (ds == NULL) ||
--		(enc == NULL))
-+	if ((s->session == NULL) || (ds == NULL) || (enc == NULL))
- 		{
- 		memmove(rec->data,rec->input,rec->length);
- 		rec->input=rec->data;
-+		ret = 1;
- 		}
- 	else
- 		{
-@@ -797,13 +806,13 @@ int tls1_enc(SSL *s, int send)
- 
- #ifdef KSSL_DEBUG
- 		{
--                unsigned long ui;
-+		unsigned long ui;
- 		printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n",
--                        ds,rec->data,rec->input,l);
-+			ds,rec->data,rec->input,l);
- 		printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n",
--                        ds->buf_len, ds->cipher->key_len,
--                        DES_KEY_SZ, DES_SCHEDULE_SZ,
--                        ds->cipher->iv_len);
-+			ds->buf_len, ds->cipher->key_len,
-+			DES_KEY_SZ, DES_SCHEDULE_SZ,
-+			ds->cipher->iv_len);
- 		printf("\t\tIV: ");
- 		for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]);
- 		printf("\n");
-@@ -816,13 +825,7 @@ int tls1_enc(SSL *s, int send)
- 		if (!send)
- 			{
- 			if (l == 0 || l%bs != 0)
--				{
--				if (s->version >= TLS1_1_VERSION)
--					return -1;
--				SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
--				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
- 				return 0;
--				}
- 			}
- 		
- 		i = EVP_Cipher(ds,rec->data,rec->input,l);
-@@ -839,68 +842,24 @@ int tls1_enc(SSL *s, int send)
- 
- #ifdef KSSL_DEBUG
- 		{
--                unsigned long i;
--                printf("\trec->data=");
-+		unsigned long i;
-+		printf("\trec->data=");
- 		for (i=0; i<l; i++)
--                        printf(" %02x", rec->data[i]);  printf("\n");
--                }
-+			printf(" %02x", rec->data[i]);  printf("\n");
-+		}
- #endif	/* KSSL_DEBUG */
- 
-+		ret = 1;
-+		if (EVP_MD_CTX_md(s->read_hash) != NULL)
-+			mac_size = EVP_MD_CTX_size(s->read_hash);
- 		if ((bs != 1) && !send)
--			{
--			ii=i=rec->data[l-1]; /* padding_length */
--			i++;
--			/* NB: if compression is in operation the first packet
--			 * may not be of even length so the padding bug check
--			 * cannot be performed. This bug workaround has been
--			 * around since SSLeay so hopefully it is either fixed
--			 * now or no buggy implementation supports compression 
--			 * [steve]
--			 */
--			if ( (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)
--				&& !s->expand)
--				{
--				/* First packet is even in size, so check */
--				if ((memcmp(s->s3->read_sequence,
--					"\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1))
--					s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG;
--				if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
--					i--;
--				}
--			/* TLS 1.0 does not bound the number of padding bytes by the block size.
--			 * All of them must have value 'padding_length'. */
--			if (i > (int)rec->length)
--				{
--				/* Incorrect padding. SSLerr() and ssl3_alert are done
--				 * by caller: we don't want to reveal whether this is
--				 * a decryption error or a MAC verification failure
--				 * (see http://www.openssl.org/~bodo/tls-cbc.txt) */
--				return -1;
--				}
--			for (j=(int)(l-i); j<(int)l; j++)
--				{
--				if (rec->data[j] != ii)
--					{
--					/* Incorrect padding */
--					return -1;
--					}
--				}
--			rec->length -=i;
--			if (s->version >= TLS1_1_VERSION
--				&& EVP_CIPHER_CTX_mode(ds) == EVP_CIPH_CBC_MODE)
--				{
--				if (bs > (int)rec->length)
--					return -1;
--				rec->data += bs;    /* skip the explicit IV */
--				rec->input += bs;
--				rec->length -= bs;
--				}
--			}
-+			ret = tls1_cbc_remove_padding(s, rec, bs, mac_size);
- 		if (pad && !send)
- 			rec->length -= pad;
- 		}
--	return(1);
-+	return ret;
- 	}
-+
- int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out)
- 	{
- 	unsigned int ret;
-@@ -993,7 +952,7 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
- 	size_t md_size;
- 	int i;
- 	EVP_MD_CTX hmac, *mac_ctx;
--	unsigned char buf[5]; 
-+	unsigned char header[13];
- 	int stream_mac = (send?(ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM):(ssl->mac_flags&SSL_MAC_FLAG_READ_MAC_STREAM));
- 	int t;
- 
-@@ -1014,12 +973,6 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
- 	OPENSSL_assert(t >= 0);
- 	md_size=t;
- 
--	buf[0]=rec->type;
--	buf[1]=(unsigned char)(ssl->version>>8);
--	buf[2]=(unsigned char)(ssl->version);
--	buf[3]=rec->length>>8;
--	buf[4]=rec->length&0xff;
--
- 	/* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
- 	if (stream_mac) 
- 		{
-@@ -1038,17 +991,44 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
- 		s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p);
- 		memcpy (p,&seq[2],6);
- 
--		EVP_DigestSignUpdate(mac_ctx,dtlsseq,8);
-+		memcpy(header, dtlsseq, 8);
- 		}
- 	else
--		EVP_DigestSignUpdate(mac_ctx,seq,8);
-+		memcpy(header, seq, 8);
- 
--	EVP_DigestSignUpdate(mac_ctx,buf,5);
--	EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length);
--	t=EVP_DigestSignFinal(mac_ctx,md,&md_size);
--	OPENSSL_assert(t > 0);
-+	header[8]=rec->type;
-+	header[9]=(unsigned char)(ssl->version>>8);
-+	header[10]=(unsigned char)(ssl->version);
-+	header[11]=(rec->length)>>8;
-+	header[12]=(rec->length)&0xff;
-+
-+	if (!send &&
-+	    EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
-+	    ssl3_cbc_record_digest_supported(mac_ctx))
-+		{
-+		/* This is a CBC-encrypted record. We must avoid leaking any
-+		 * timing-side channel information about how many blocks of
-+		 * data we are hashing because that gives an attacker a
-+		 * timing-oracle. */
-+		ssl3_cbc_digest_record(
-+			mac_ctx,
-+			md, &md_size,
-+			header, rec->input,
-+			rec->length + md_size, rec->orig_len,
-+			ssl->s3->read_mac_secret,
-+			ssl->s3->read_mac_secret_size,
-+			0 /* not SSLv3 */);
-+		}
-+	else
-+		{
-+		EVP_DigestSignUpdate(mac_ctx,header,sizeof(header));
-+		EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length);
-+		t=EVP_DigestSignFinal(mac_ctx,md,&md_size);
-+		OPENSSL_assert(t > 0);
-+		}
- 		
--	if (!stream_mac) EVP_MD_CTX_cleanup(&hmac);
-+	if (!stream_mac)
-+		EVP_MD_CTX_cleanup(&hmac);
- #ifdef TLS_DEBUG
- printf("sec=");
- {unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); }
--- 
-1.8.1
-
diff --git a/patches/README b/patches/README
index a1d5313..6e2af83 100644
--- a/patches/README
+++ b/patches/README
@@ -14,44 +14,7 @@ jsse.patch
 
 Support for JSSE implementation based on OpenSSL.
 
-sha1_armv4_large.patch
-
-This patch eliminates memory stores to addresses below SP.
-
-
-mips_private.patch:
-
-Fix duplicate defines of labels AES_set_encrypt_key and AES_set_decrypt_key
-by prefixing Mips version with private_ .
-Revise import script to generate o32-abi .s files for Mips.
-
-
 channelid.patch
 
 Implements TLS Channel ID support as both a client and a server.
 See http://tools.ietf.org/html/draft-balfanz-tls-channelid-00.
-
-
-clang.patch
-
-Fixes two minor compilation errors when building with the Clang compiler.
-
-
-recursive_lock_fix.patch
-
-Small fix to get rid of unwanted recursive mutex lock in X509_PUBKEY_get.
-See http://cvs.openssl.org/chngview?cn=22568 for upstream patch, and
-https://groups.google.com/d/topic/mailing.openssl.dev/4Z67vaaTChk/discussion
-for the most recent discussion.
-
-
-0001-Add-and-use-a-constant-time-memcmp.patch
-
-constant time memcmp
-
-
-0002-Make-CBC-decoding-constant-time.patch
-
-Make CBC decoding constant time CVE-2013-0169
-
-
diff --git a/patches/channelid.patch b/patches/channelid.patch
index be34cb8..03c6931 100644
--- a/patches/channelid.patch
+++ b/patches/channelid.patch
@@ -41,11 +41,10 @@ diff -ur openssl/ssl/s3_both.c openssl.channelid/ssl/s3_both.c
 diff -ur openssl/ssl/s3_clnt.c openssl.channelid/ssl/s3_clnt.c
 --- openssl/ssl/s3_clnt.c	2012-08-28 16:04:21.173349370 -0400
 +++ openssl.channelid/ssl/s3_clnt.c	2012-08-28 16:04:42.563646142 -0400
-@@ -465,14 +465,14 @@
+@@ -465,13 +465,14 @@
  				SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
  			if (ret <= 0) goto end;
  
--
 -#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
  			s->state=SSL3_ST_CW_FINISHED_A;
 -#else
@@ -715,31 +714,35 @@ diff -ur openssl/ssl/ssl3.h openssl.channelid/ssl/ssl3.h
  	} SSL3_STATE;
  
  #endif
-@@ -581,6 +592,8 @@
+@@ -581,7 +592,9 @@
  #define SSL3_ST_CW_CHANGE_B		(0x1A1|SSL_ST_CONNECT)
  #define SSL3_ST_CW_NEXT_PROTO_A		(0x200|SSL_ST_CONNECT)
  #define SSL3_ST_CW_NEXT_PROTO_B		(0x201|SSL_ST_CONNECT)
+ #endif
 +#define SSL3_ST_CW_CHANNEL_ID_A		(0x210|SSL_ST_CONNECT)
 +#define SSL3_ST_CW_CHANNEL_ID_B		(0x211|SSL_ST_CONNECT)
  #define SSL3_ST_CW_FINISHED_A		(0x1B0|SSL_ST_CONNECT)
  #define SSL3_ST_CW_FINISHED_B		(0x1B1|SSL_ST_CONNECT)
  /* read from server */
-@@ -631,8 +644,11 @@
+@@ -631,10 +644,13 @@
  #define SSL3_ST_SR_CERT_VRFY_B		(0x1A1|SSL_ST_ACCEPT)
  #define SSL3_ST_SR_CHANGE_A		(0x1B0|SSL_ST_ACCEPT)
  #define SSL3_ST_SR_CHANGE_B		(0x1B1|SSL_ST_ACCEPT)
 +#define SSL3_ST_SR_POST_CLIENT_CERT	(0x1BF|SSL_ST_ACCEPT)
+ #ifndef OPENSSL_NO_NEXTPROTONEG
  #define SSL3_ST_SR_NEXT_PROTO_A		(0x210|SSL_ST_ACCEPT)
  #define SSL3_ST_SR_NEXT_PROTO_B		(0x211|SSL_ST_ACCEPT)
+ #endif
 +#define SSL3_ST_SR_CHANNEL_ID_A		(0x220|SSL_ST_ACCEPT)
 +#define SSL3_ST_SR_CHANNEL_ID_B		(0x221|SSL_ST_ACCEPT)
  #define SSL3_ST_SR_FINISHED_A		(0x1C0|SSL_ST_ACCEPT)
  #define SSL3_ST_SR_FINISHED_B		(0x1C1|SSL_ST_ACCEPT)
  /* write to client */
-@@ -658,6 +674,7 @@
+@@ -658,7 +674,8 @@
  #define SSL3_MT_FINISHED			20
  #define SSL3_MT_CERTIFICATE_STATUS		22
  #define SSL3_MT_NEXT_PROTO			67
+ #endif
 +#define SSL3_MT_ENCRYPTED_EXTENSIONS		203
  #define DTLS1_MT_HELLO_VERIFY_REQUEST    3
  
diff --git a/patches/clang.patch b/patches/clang.patch
deleted file mode 100644
index 285945e..0000000
--- a/patches/clang.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-diff --git a/openssl/crypto/bio/bss_dgram.c b/openssl/crypto/bio/bss_dgram.c
-index 71ebe98..a6d882b 100644
---- a/crypto/bio/bss_dgram.c
-+++ b/crypto/bio/bss_dgram.c
-@@ -378,7 +378,7 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
- 	bio_dgram_data *data = NULL;
- #if defined(IP_MTU_DISCOVER) || defined(IP_MTU)
- 	long sockopt_val = 0;
--	unsigned int sockopt_len = 0;
-+	socklen_t sockopt_len = 0;
- #endif
- #ifdef OPENSSL_SYS_LINUX
- 	socklen_t addr_len;
-diff --git a/openssl/crypto/cryptlib.c b/openssl/crypto/cryptlib.c
-index 387a987..5dfeec7 100644
---- a/crypto/cryptlib.c
-+++ b/crypto/cryptlib.c
-@@ -500,7 +500,7 @@ void CRYPTO_THREADID_current(CRYPTO_THREADID *id)
- 	CRYPTO_THREADID_set_numeric(id, (unsigned long)find_thread(NULL));
- #else
- 	/* For everything else, default to using the address of 'errno' */
--	CRYPTO_THREADID_set_pointer(id, &errno);
-+	CRYPTO_THREADID_set_pointer(id, (void*)&errno);
- #endif
- 	}
- 
diff --git a/patches/jsse.patch b/patches/jsse.patch
index 80e5357..e4fa3b4 100644
--- a/patches/jsse.patch
+++ b/patches/jsse.patch
@@ -301,8 +301,8 @@
 -	else if (s->version == TLS1_1_VERSION)
 +	else if (version == TLS1_1_VERSION)
  		return("TLSv1.1");
--	if (s->version == TLS1_VERSION)
-+	if (version == TLS1_VERSION)
+-	else if (s->version == TLS1_VERSION)
++	else if (version == TLS1_VERSION)
  		return("TLSv1");
 -	else if (s->version == SSL3_VERSION)
 +	else if (version == SSL3_VERSION)
diff --git a/patches/mips_private.patch b/patches/mips_private.patch
deleted file mode 100644
index 97c076a..0000000
--- a/patches/mips_private.patch
+++ /dev/null
@@ -1,64 +0,0 @@
---- openssl-1.0.1c.orig/crypto/aes/asm/aes-mips.pl	2011-11-14 20:55:23.000000000 +0000
-+++ openssl-1.0.1c/crypto/aes/asm/aes-mips.pl	2012-08-14 22:13:55.250604273 +0000
-@@ -1036,9 +1036,9 @@ _mips_AES_set_encrypt_key:
- 	nop
- .end	_mips_AES_set_encrypt_key
- 
--.globl	AES_set_encrypt_key
--.ent	AES_set_encrypt_key
--AES_set_encrypt_key:
-+.globl	private_AES_set_encrypt_key
-+.ent	private_AES_set_encrypt_key
-+private_AES_set_encrypt_key:
- 	.frame	$sp,$FRAMESIZE,$ra
- 	.mask	$SAVED_REGS_MASK,-$SZREG
- 	.set	noreorder
-@@ -1060,7 +1060,7 @@ $code.=<<___ if ($flavour =~ /nubi/i);	#
- ___
- $code.=<<___ if ($flavour !~ /o32/i);	# non-o32 PIC-ification
- 	.cplocal	$Tbl
--	.cpsetup	$pf,$zero,AES_set_encrypt_key
-+	.cpsetup	$pf,$zero,private_AES_set_encrypt_key
- ___
- $code.=<<___;
- 	.set	reorder
-@@ -1083,7 +1083,7 @@ ___
- $code.=<<___;
- 	jr	$ra
- 	$PTR_ADD $sp,$FRAMESIZE
--.end	AES_set_encrypt_key
-+.end	private_AES_set_encrypt_key
- ___
- 
- my ($head,$tail)=($inp,$bits);
-@@ -1091,9 +1091,9 @@ my ($tp1,$tp2,$tp4,$tp8,$tp9,$tpb,$tpd,$
- my ($m,$x80808080,$x7f7f7f7f,$x1b1b1b1b)=($at,$t0,$t1,$t2);
- $code.=<<___;
- .align	5
--.globl	AES_set_decrypt_key
--.ent	AES_set_decrypt_key
--AES_set_decrypt_key:
-+.globl	private_AES_set_decrypt_key
-+.ent	private_AES_set_decrypt_key
-+private_AES_set_decrypt_key:
- 	.frame	$sp,$FRAMESIZE,$ra
- 	.mask	$SAVED_REGS_MASK,-$SZREG
- 	.set	noreorder
-@@ -1115,7 +1115,7 @@ $code.=<<___ if ($flavour =~ /nubi/i);	#
- ___
- $code.=<<___ if ($flavour !~ /o32/i);	# non-o32 PIC-ification
- 	.cplocal	$Tbl
--	.cpsetup	$pf,$zero,AES_set_decrypt_key
-+	.cpsetup	$pf,$zero,private_AES_set_decrypt_key
- ___
- $code.=<<___;
- 	.set	reorder
-@@ -1226,7 +1226,7 @@ ___
- $code.=<<___;
- 	jr	$ra
- 	$PTR_ADD $sp,$FRAMESIZE
--.end	AES_set_decrypt_key
-+.end	private_AES_set_decrypt_key
- ___
- }}}
- 
diff --git a/patches/recursive_lock_fix.patch b/patches/recursive_lock_fix.patch
deleted file mode 100644
index b2e8e2b..0000000
--- a/patches/recursive_lock_fix.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-Index: openssl/crypto/asn1/x_pubkey.c
-RCS File: /v/openssl/cvs/openssl/crypto/asn1/x_pubkey.c,v
-rcsdiff -q -kk '-r1.38.2.2' '-r1.38.2.3' -u '/v/openssl/cvs/openssl/crypto/asn1/x_pubkey.c,v' 2>/dev/null
---- x_pubkey.c	2012/02/28 14:47:36	1.38.2.2
-+++ x_pubkey.c	2012/05/11 13:49:15	1.38.2.3
-@@ -371,12 +371,15 @@
- 	CRYPTO_w_lock(CRYPTO_LOCK_EVP_PKEY);
- 	if (key->pkey)
- 		{
-+		CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
- 		EVP_PKEY_free(ret);
- 		ret = key->pkey;
- 		}
- 	else
-+		{
- 		key->pkey = ret;
--	CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
-+		CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
-+		}
- 	CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_EVP_PKEY);
- 	return(ret);
- err:
diff --git a/patches/sha1_armv4_large.patch b/patches/sha1_armv4_large.patch
deleted file mode 100644
index 359ff94..0000000
--- a/patches/sha1_armv4_large.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-diff --git a/crypto/sha/asm/sha1-armv4-large.pl b/crypto/sha/asm/sha1-armv4-large.pl
-index 6e65fe3..79e3f61 100644
---- a/crypto/sha/asm/sha1-armv4-large.pl
-+++ b/crypto/sha/asm/sha1-armv4-large.pl
-@@ -161,6 +161,7 @@ for($i=0;$i<5;$i++) {
- $code.=<<___;
- 	teq	$Xi,sp
- 	bne	.L_00_15		@ [((11+4)*5+2)*3]
-+	sub	sp,sp,#5*4
- ___
- 	&BODY_00_15(@V);	unshift(@V,pop(@V));
- 	&BODY_16_19(@V);	unshift(@V,pop(@V));
-@@ -170,7 +171,7 @@ ___
- $code.=<<___;
- 
- 	ldr	$K,.LK_20_39		@ [+15+16*4]
--	sub	sp,sp,#25*4
-+	sub	sp,sp,#20*4
- 	cmn	sp,#0			@ [+3], clear carry to denote 20_39
- .L_20_39_or_60_79:
- ___
diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index 02c881a..b0302a7 100644
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -379,7 +379,7 @@ dtls1_process_record(SSL *s)
 	int enc_err;
 	SSL_SESSION *sess;
 	SSL3_RECORD *rr;
-	unsigned int mac_size;
+	unsigned int mac_size, orig_len;
 	unsigned char md[EVP_MAX_MD_SIZE];
 
 	rr= &(s->s3->rrec);
@@ -410,7 +410,7 @@ dtls1_process_record(SSL *s)
 
 	/* decrypt in place in 'rr->input' */
 	rr->data=rr->input;
-	rr->orig_len=rr->length;
+	orig_len=rr->length;
 
 	enc_err = s->method->ssl3_enc->enc(s,0);
 	/* enc_err is:
@@ -447,13 +447,13 @@ printf("\n");
 		 * therefore we can safely process the record in a different
 		 * amount of time if it's too short to possibly contain a MAC.
 		 */
-		if (rr->orig_len < mac_size ||
+		if (orig_len < mac_size ||
 		    /* CBC records must have a padding length byte too. */
 		    (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
-		     rr->orig_len < mac_size+1))
+		     orig_len < mac_size+1))
 			{
 			al=SSL_AD_DECODE_ERROR;
-			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
+			SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
 			goto f_err;
 			}
 
@@ -465,12 +465,12 @@ printf("\n");
 			 * without leaking the contents of the padding bytes.
 			 * */
 			mac = mac_tmp;
-			ssl3_cbc_copy_mac(mac_tmp, rr, mac_size);
+			ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);
 			rr->length -= mac_size;
 			}
 		else
 			{
-			/* In this case there's no padding, so |rec->orig_len|
+			/* In this case there's no padding, so |orig_len|
 			 * equals |rec->length| and we checked that there's
 			 * enough bytes for |mac_size| above. */
 			rr->length -= mac_size;
diff --git a/ssl/dtls1.h b/ssl/dtls1.h
index 5008bf6..e65d501 100644
--- a/ssl/dtls1.h
+++ b/ssl/dtls1.h
@@ -57,8 +57,8 @@
  *
  */
 
-#ifndef HEADER_DTLS1_H 
-#define HEADER_DTLS1_H 
+#ifndef HEADER_DTLS1_H
+#define HEADER_DTLS1_H
 
 #include <openssl/buffer.h>
 #include <openssl/pqueue.h>
@@ -72,8 +72,12 @@
 #elif defined(OPENSSL_SYS_NETWARE) && !defined(_WINSOCK2API_)
 #include <sys/timeval.h>
 #else
+#if defined(OPENSSL_SYS_VXWORKS)
+#include <sys/times.h>
+#else
 #include <sys/time.h>
 #endif
+#endif
 
 #ifdef  __cplusplus
 extern "C" {
diff --git a/ssl/s2_clnt.c b/ssl/s2_clnt.c
index 954f398..03b6cf9 100644
--- a/ssl/s2_clnt.c
+++ b/ssl/s2_clnt.c
@@ -359,12 +359,14 @@ static int get_server_hello(SSL *s)
 					SSL_R_PEER_ERROR);
 			return(-1);
 			}
-#ifdef __APPLE_CC__
-		/* The Rhapsody 5.5 (a.k.a. MacOS X) compiler bug
-		 * workaround. <appro@fy.chalmers.se> */
-		s->hit=(i=*(p++))?1:0;
-#else
+#if 0
 		s->hit=(*(p++))?1:0;
+		/* Some [PPC?] compilers fail to increment p in above
+		   statement, e.g. one provided with Rhapsody 5.5, but
+		   most recent example XL C 11.1 for AIX, even without
+		   optimization flag... */
+#else
+		s->hit=(*p)?1:0; p++;
 #endif
 		s->s2->tmp.cert_type= *(p++);
 		n2s(p,i);
diff --git a/ssl/s2_srvr.c b/ssl/s2_srvr.c
index bc885e8..2cba426 100644
--- a/ssl/s2_srvr.c
+++ b/ssl/s2_srvr.c
@@ -1059,10 +1059,12 @@ static int request_certificate(SSL *s)
 		EVP_PKEY *pkey=NULL;
 
 		EVP_MD_CTX_init(&ctx);
-		EVP_VerifyInit_ex(&ctx,s->ctx->rsa_md5, NULL);
-		EVP_VerifyUpdate(&ctx,s->s2->key_material,
-				 s->s2->key_material_length);
-		EVP_VerifyUpdate(&ctx,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
+		if (!EVP_VerifyInit_ex(&ctx,s->ctx->rsa_md5, NULL)
+		    || !EVP_VerifyUpdate(&ctx,s->s2->key_material,
+					 s->s2->key_material_length)
+		    || !EVP_VerifyUpdate(&ctx,ccd,
+					 SSL2_MIN_CERT_CHALLENGE_LENGTH))
+			goto msg_end;
 
 		i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,NULL);
 		buf2=OPENSSL_malloc((unsigned int)i);
@@ -1073,7 +1075,11 @@ static int request_certificate(SSL *s)
 			}
 		p2=buf2;
 		i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,&p2);
-		EVP_VerifyUpdate(&ctx,buf2,(unsigned int)i);
+		if (!EVP_VerifyUpdate(&ctx,buf2,(unsigned int)i))
+			{
+			OPENSSL_free(buf2);
+			goto msg_end;
+			}
 		OPENSSL_free(buf2);
 
 		pkey=X509_get_pubkey(x509);
diff --git a/ssl/s3_both.c b/ssl/s3_both.c
index c775cd8..514ff85 100644
--- a/ssl/s3_both.c
+++ b/ssl/s3_both.c
@@ -204,7 +204,8 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen)
 
 #ifndef OPENSSL_NO_NEXTPROTONEG
 /* ssl3_take_mac calculates the Finished MAC for the handshakes messages seen to far. */
-static void ssl3_take_mac(SSL *s) {
+static void ssl3_take_mac(SSL *s)
+	{
 	const char *sender;
 	int slen;
 
@@ -221,7 +222,7 @@ static void ssl3_take_mac(SSL *s) {
 
 	s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
 		sender,slen,s->s3->tmp.peer_finish_md);
-}
+	}
 #endif
 
 int ssl3_get_finished(SSL *s, int a, int b)
@@ -231,8 +232,9 @@ int ssl3_get_finished(SSL *s, int a, int b)
 	unsigned char *p;
 
 #ifdef OPENSSL_NO_NEXTPROTONEG
-	/* the mac has already been generated when we received the change
-	 * cipher spec message and is in s->s3->tmp.peer_finish_md. */
+	/* the mac has already been generated when we received the
+	 * change cipher spec message and is in s->s3->tmp.peer_finish_md.
+	 */ 
 #endif
 
 	n=s->method->ssl_get_message(s,
@@ -544,12 +546,14 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
 		s->init_num += i;
 		n -= i;
 		}
+
 #ifndef OPENSSL_NO_NEXTPROTONEG
 	/* If receiving Finished, record MAC of prior handshake messages for
 	 * Finished verification. */
 	if (*s->init_buf->data == SSL3_MT_FINISHED)
 		ssl3_take_mac(s);
 #endif
+
 	/* Feed this message into MAC computation. */
 	if (*s->init_buf->data != SSL3_MT_ENCRYPTED_EXTENSIONS)
 		ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4);
diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
index e9b112c..3c2c165 100644
--- a/ssl/s3_cbc.c
+++ b/ssl/s3_cbc.c
@@ -53,8 +53,6 @@
  *
  */
 
-#include <stdint.h>
-
 #include "ssl_locl.h"
 
 #include <openssl/md5.h>
@@ -118,7 +116,9 @@ int ssl3_cbc_remove_padding(const SSL* s,
 	good = constant_time_ge(rec->length, padding_length+overhead);
 	/* SSLv3 requires that the padding is minimal. */
 	good &= constant_time_ge(block_size, padding_length+1);
-	rec->length -= good & (padding_length+1);
+	padding_length = good & (padding_length+1);
+	rec->length -= padding_length;
+	rec->type |= padding_length<<8;	/* kludge: pass padding length */
 	return (int)((good & 1) | (~good & -1));
 }
 
@@ -150,6 +150,21 @@ int tls1_cbc_remove_padding(const SSL* s,
 	if (overhead > rec->length)
 		return 0;
 
+	/* We can always safely skip the explicit IV. We check at the beginning
+	 * of this function that the record has at least enough space for the
+	 * IV, MAC and padding length byte. (These can be checked in
+	 * non-constant time because it's all public information.) So, if the
+	 * padding was invalid, then we didn't change |rec->length| and this is
+	 * safe. If the padding was valid then we know that we have at least
+	 * overhead+padding_length bytes of space and so this is still safe
+	 * because overhead accounts for the explicit IV. */
+	if (has_explicit_iv)
+		{
+		rec->data += block_size;
+		rec->input += block_size;
+		rec->length -= block_size;
+		}
+
 	padding_length = rec->data[rec->length-1];
 
 	/* NB: if compression is in operation the first packet may not be of
@@ -172,6 +187,13 @@ int tls1_cbc_remove_padding(const SSL* s,
 			}
 		}
 
+	if (EVP_CIPHER_flags(s->enc_read_ctx->cipher)&EVP_CIPH_FLAG_AEAD_CIPHER)
+		{
+		/* padding is already verified */
+		rec->length -= padding_length;
+		return 1;
+		}
+
 	good = constant_time_ge(rec->length, overhead+padding_length);
 	/* The padding consists of a length byte at the end of the record and
 	 * then that many bytes of padding, all with the same value as the
@@ -205,23 +227,9 @@ int tls1_cbc_remove_padding(const SSL* s,
 	good <<= sizeof(good)*8-1;
 	good = DUPLICATE_MSB_TO_ALL(good);
 
-	rec->length -= good & (padding_length+1);
-
-	/* We can always safely skip the explicit IV. We check at the beginning
-	 * of this function that the record has at least enough space for the
-	 * IV, MAC and padding length byte. (These can be checked in
-	 * non-constant time because it's all public information.) So, if the
-	 * padding was invalid, then we didn't change |rec->length| and this is
-	 * safe. If the padding was valid then we know that we have at least
-	 * overhead+padding_length bytes of space and so this is still safe
-	 * because overhead accounts for the explicit IV. */
-	if (has_explicit_iv)
-		{
-		rec->data += block_size;
-		rec->input += block_size;
-		rec->length -= block_size;
-		rec->orig_len -= block_size;
-		}
+	padding_length = good & (padding_length+1);
+	rec->length -= padding_length;
+	rec->type |= padding_length<<8;	/* kludge: pass padding length */
 
 	return (int)((good & 1) | (~good & -1));
 	}
@@ -248,7 +256,7 @@ int tls1_cbc_remove_padding(const SSL* s,
  */
 void ssl3_cbc_copy_mac(unsigned char* out,
 		       const SSL3_RECORD *rec,
-		       unsigned md_size)
+		       unsigned md_size,unsigned orig_len)
 	{
 #if defined(CBC_MAC_ROTATE_IN_PLACE)
 	unsigned char rotated_mac_buf[EVP_MAX_MD_SIZE*2];
@@ -267,7 +275,7 @@ void ssl3_cbc_copy_mac(unsigned char* out,
 	unsigned div_spoiler;
 	unsigned rotate_offset;
 
-	OPENSSL_assert(rec->orig_len >= md_size);
+	OPENSSL_assert(orig_len >= md_size);
 	OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);
 
 #if defined(CBC_MAC_ROTATE_IN_PLACE)
@@ -275,8 +283,8 @@ void ssl3_cbc_copy_mac(unsigned char* out,
 #endif
 
 	/* This information is public so it's safe to branch based on it. */
-	if (rec->orig_len > md_size + 255 + 1)
-		scan_start = rec->orig_len - (md_size + 255 + 1);
+	if (orig_len > md_size + 255 + 1)
+		scan_start = orig_len - (md_size + 255 + 1);
 	/* div_spoiler contains a multiple of md_size that is used to cause the
 	 * modulo operation to be constant time. Without this, the time varies
 	 * based on the amount of padding when running on Intel chips at least.
@@ -289,9 +297,9 @@ void ssl3_cbc_copy_mac(unsigned char* out,
 	rotate_offset = (div_spoiler + mac_start - scan_start) % md_size;
 
 	memset(rotated_mac, 0, md_size);
-	for (i = scan_start; i < rec->orig_len;)
+	for (i = scan_start; i < orig_len;)
 		{
-		for (j = 0; j < md_size && i < rec->orig_len; i++, j++)
+		for (j = 0; j < md_size && i < orig_len; i++, j++)
 			{
 			unsigned char mac_started = constant_time_ge(i, mac_start);
 			unsigned char mac_ended = constant_time_ge(i, mac_end);
@@ -341,7 +349,9 @@ static void tls1_sha1_final_raw(void* ctx, unsigned char *md_out)
 	l2n(sha1->h3, md_out);
 	l2n(sha1->h4, md_out);
 	}
+#define LARGEST_DIGEST_CTX SHA_CTX
 
+#ifndef OPENSSL_NO_SHA256
 static void tls1_sha256_final_raw(void* ctx, unsigned char *md_out)
 	{
 	SHA256_CTX *sha256 = ctx;
@@ -352,7 +362,11 @@ static void tls1_sha256_final_raw(void* ctx, unsigned char *md_out)
 		l2n(sha256->h[i], md_out);
 		}
 	}
+#undef  LARGEST_DIGEST_CTX
+#define LARGEST_DIGEST_CTX SHA256_CTX
+#endif
 
+#ifndef OPENSSL_NO_SHA512
 static void tls1_sha512_final_raw(void* ctx, unsigned char *md_out)
 	{
 	SHA512_CTX *sha512 = ctx;
@@ -363,19 +377,30 @@ static void tls1_sha512_final_raw(void* ctx, unsigned char *md_out)
 		l2n8(sha512->h[i], md_out);
 		}
 	}
+#undef  LARGEST_DIGEST_CTX
+#define LARGEST_DIGEST_CTX SHA512_CTX
+#endif
 
 /* ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function
  * which ssl3_cbc_digest_record supports. */
 char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
 	{
-	switch (ctx->digest->type)
+#ifdef OPENSSL_FIPS
+	if (FIPS_mode())
+		return 0;
+#endif
+	switch (EVP_MD_CTX_type(ctx))
 		{
 		case NID_md5:
 		case NID_sha1:
+#ifndef OPENSSL_NO_SHA256
 		case NID_sha224:
 		case NID_sha256:
+#endif
+#ifndef OPENSSL_NO_SHA512
 		case NID_sha384:
 		case NID_sha512:
+#endif
 			return 1;
 		default:
 			return 0;
@@ -413,14 +438,15 @@ void ssl3_cbc_digest_record(
 	unsigned mac_secret_length,
 	char is_sslv3)
 	{
-	unsigned char md_state[sizeof(SHA512_CTX)];
+	union {	double align;
+		unsigned char c[sizeof(LARGEST_DIGEST_CTX)]; } md_state;
 	void (*md_final_raw)(void *ctx, unsigned char *md_out);
 	void (*md_transform)(void *ctx, const unsigned char *block);
 	unsigned md_size, md_block_size = 64;
 	unsigned sslv3_pad_length = 40, header_length, variance_blocks,
 		 len, max_mac_bytes, num_blocks,
 		 num_starting_blocks, k, mac_end_offset, c, index_a, index_b;
-	uint64_t bits;
+	unsigned int bits;	/* at most 18 bits */
 	unsigned char length_bytes[MAX_HASH_BIT_COUNT_BYTES];
 	/* hmac_pad is the masked HMAC key. */
 	unsigned char hmac_pad[MAX_HASH_BLOCK_SIZE];
@@ -436,35 +462,38 @@ void ssl3_cbc_digest_record(
 	 * many possible overflows later in this function. */
 	OPENSSL_assert(data_plus_mac_plus_padding_size < 1024*1024);
 
-	switch (ctx->digest->type)
+	switch (EVP_MD_CTX_type(ctx))
 		{
 		case NID_md5:
-			MD5_Init((MD5_CTX*)md_state);
+			MD5_Init((MD5_CTX*)md_state.c);
 			md_final_raw = tls1_md5_final_raw;
 			md_transform = (void(*)(void *ctx, const unsigned char *block)) MD5_Transform;
 			md_size = 16;
 			sslv3_pad_length = 48;
 			break;
 		case NID_sha1:
-			SHA1_Init((SHA_CTX*)md_state);
+			SHA1_Init((SHA_CTX*)md_state.c);
 			md_final_raw = tls1_sha1_final_raw;
 			md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA1_Transform;
 			md_size = 20;
 			break;
+#ifndef OPENSSL_NO_SHA256
 		case NID_sha224:
-			SHA224_Init((SHA256_CTX*)md_state);
+			SHA224_Init((SHA256_CTX*)md_state.c);
 			md_final_raw = tls1_sha256_final_raw;
 			md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA256_Transform;
 			md_size = 224/8;
 			break;
 		case NID_sha256:
-			SHA256_Init((SHA256_CTX*)md_state);
+			SHA256_Init((SHA256_CTX*)md_state.c);
 			md_final_raw = tls1_sha256_final_raw;
 			md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA256_Transform;
 			md_size = 32;
 			break;
+#endif
+#ifndef OPENSSL_NO_SHA512
 		case NID_sha384:
-			SHA384_Init((SHA512_CTX*)md_state);
+			SHA384_Init((SHA512_CTX*)md_state.c);
 			md_final_raw = tls1_sha512_final_raw;
 			md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA512_Transform;
 			md_size = 384/8;
@@ -472,13 +501,14 @@ void ssl3_cbc_digest_record(
 			md_length_size = 16;
 			break;
 		case NID_sha512:
-			SHA512_Init((SHA512_CTX*)md_state);
+			SHA512_Init((SHA512_CTX*)md_state.c);
 			md_final_raw = tls1_sha512_final_raw;
 			md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA512_Transform;
 			md_size = 64;
 			md_block_size = 128;
 			md_length_size = 16;
 			break;
+#endif
 		default:
 			/* ssl3_cbc_record_digest_supported should have been
 			 * called first to check that the hash function is
@@ -577,17 +607,14 @@ void ssl3_cbc_digest_record(
 		for (i = 0; i < md_block_size; i++)
 			hmac_pad[i] ^= 0x36;
 
-		md_transform(md_state, hmac_pad);
+		md_transform(md_state.c, hmac_pad);
 		}
 
-	j = 0;
-	if (md_length_size == 16)
-		{
-		memset(length_bytes, 0, 8);
-		j = 8;
-		}
-	for (i = 0; i < 8; i++)
-		length_bytes[i+j] = bits >> (8*(7-i));
+	memset(length_bytes,0,md_length_size-4);
+	length_bytes[md_length_size-4] = (unsigned char)(bits>>24);
+	length_bytes[md_length_size-3] = (unsigned char)(bits>>16);
+	length_bytes[md_length_size-2] = (unsigned char)(bits>>8);
+	length_bytes[md_length_size-1] = (unsigned char)bits;
 
 	if (k > 0)
 		{
@@ -598,21 +625,21 @@ void ssl3_cbc_digest_record(
 			 * block that the header consumes: either 7 bytes
 			 * (SHA1) or 11 bytes (MD5). */
 			unsigned overhang = header_length-md_block_size;
-			md_transform(md_state, header);
+			md_transform(md_state.c, header);
 			memcpy(first_block, header + md_block_size, overhang);
 			memcpy(first_block + overhang, data, md_block_size-overhang);
-			md_transform(md_state, first_block);
+			md_transform(md_state.c, first_block);
 			for (i = 1; i < k/md_block_size - 1; i++)
-				md_transform(md_state, data + md_block_size*i - overhang);
+				md_transform(md_state.c, data + md_block_size*i - overhang);
 			}
 		else
 			{
 			/* k is a multiple of md_block_size. */
 			memcpy(first_block, header, 13);
 			memcpy(first_block+13, data, md_block_size-13);
-			md_transform(md_state, first_block);
+			md_transform(md_state.c, first_block);
 			for (i = 1; i < k/md_block_size; i++)
-				md_transform(md_state, data + md_block_size*i - 13);
+				md_transform(md_state.c, data + md_block_size*i - 13);
 			}
 		}
 
@@ -662,8 +689,8 @@ void ssl3_cbc_digest_record(
 			block[j] = b;
 			}
 
-		md_transform(md_state, block);
-		md_final_raw(md_state, block);
+		md_transform(md_state.c, block);
+		md_final_raw(md_state.c, block);
 		/* If this is index_b, copy the hash value to |mac_out|. */
 		for (j = 0; j < md_size; j++)
 			mac_out[j] |= block[j]&is_block_b;
@@ -694,3 +721,50 @@ void ssl3_cbc_digest_record(
 		*md_out_size = md_out_size_u;
 	EVP_MD_CTX_cleanup(&md_ctx);
 	}
+
+#ifdef OPENSSL_FIPS
+
+/* Due to the need to use EVP in FIPS mode we can't reimplement digests but
+ * we can ensure the number of blocks processed is equal for all cases
+ * by digesting additional data.
+ */
+
+void tls_fips_digest_extra(
+	const EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *mac_ctx,
+	const unsigned char *data, size_t data_len, size_t orig_len)
+	{
+	size_t block_size, digest_pad, blocks_data, blocks_orig;
+	if (EVP_CIPHER_CTX_mode(cipher_ctx) != EVP_CIPH_CBC_MODE)
+		return;
+	block_size = EVP_MD_CTX_block_size(mac_ctx);
+	/* We are in FIPS mode if we get this far so we know we have only SHA*
+	 * digests and TLS to deal with.
+	 * Minimum digest padding length is 17 for SHA384/SHA512 and 9
+	 * otherwise.
+	 * Additional header is 13 bytes. To get the number of digest blocks
+	 * processed round up the amount of data plus padding to the nearest
+	 * block length. Block length is 128 for SHA384/SHA512 and 64 otherwise.
+	 * So we have:
+	 * blocks = (payload_len + digest_pad + 13 + block_size - 1)/block_size
+	 * equivalently:
+	 * blocks = (payload_len + digest_pad + 12)/block_size + 1
+	 * HMAC adds a constant overhead.
+	 * We're ultimately only interested in differences so this becomes
+	 * blocks = (payload_len + 29)/128
+	 * for SHA384/SHA512 and
+	 * blocks = (payload_len + 21)/64
+	 * otherwise.
+	 */
+	digest_pad = block_size == 64 ? 21 : 29;
+	blocks_orig = (orig_len + digest_pad)/block_size;
+	blocks_data = (data_len + digest_pad)/block_size;
+	/* MAC enough blocks to make up the difference between the original
+	 * and actual lengths plus one extra block to ensure this is never a
+	 * no op. The "data" pointer should always have enough space to
+	 * perform this operation as it is large enough for a maximum
+	 * length TLS buffer. 
+	 */
+	EVP_DigestSignUpdate(mac_ctx, data,
+				(blocks_orig - blocks_data + 1) * block_size);
+	}
+#endif
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index a0eac77..e3cd4f0 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -709,7 +709,7 @@ int n_ssl3_mac(SSL *ssl, unsigned char *md, int send)
 	EVP_MD_CTX md_ctx;
 	const EVP_MD_CTX *hash;
 	unsigned char *p,rec_char;
-	size_t md_size;
+	size_t md_size, orig_len;
 	int npad;
 	int t;
 
@@ -734,6 +734,10 @@ int n_ssl3_mac(SSL *ssl, unsigned char *md, int send)
 	md_size=t;
 	npad=(48/md_size)*md_size;
 
+	/* kludge: ssl3_cbc_remove_padding passes padding length in rec->type */
+	orig_len = rec->length+md_size+((unsigned int)rec->type>>8);
+	rec->type &= 0xff;
+
 	if (!send &&
 	    EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
 	    ssl3_cbc_record_digest_supported(hash))
@@ -765,7 +769,7 @@ int n_ssl3_mac(SSL *ssl, unsigned char *md, int send)
 			hash,
 			md, &md_size,
 			header, rec->input,
-			rec->length + md_size, rec->orig_len,
+			rec->length + md_size, orig_len,
 			mac_sec, md_size,
 			1 /* is SSLv3 */);
 		}
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 50aa465..0be87e8 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -1125,7 +1125,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	0, /* not implemented (non-ephemeral DH) */
 	TLS1_TXT_DH_DSS_WITH_AES_128_SHA256,
 	TLS1_CK_DH_DSS_WITH_AES_128_SHA256,
-	SSL_kDHr,
+	SSL_kDHd,
 	SSL_aDH,
 	SSL_AES128,
 	SSL_SHA256,
@@ -1407,7 +1407,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	0, /* not implemented (non-ephemeral DH) */
 	TLS1_TXT_DH_DSS_WITH_AES_256_SHA256,
 	TLS1_CK_DH_DSS_WITH_AES_256_SHA256,
-	SSL_kDHr,
+	SSL_kDHd,
 	SSL_aDH,
 	SSL_AES256,
 	SSL_SHA256,
@@ -1958,7 +1958,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	0,
 	TLS1_TXT_DH_DSS_WITH_AES_128_GCM_SHA256,
 	TLS1_CK_DH_DSS_WITH_AES_128_GCM_SHA256,
-	SSL_kDHr,
+	SSL_kDHd,
 	SSL_aDH,
 	SSL_AES128GCM,
 	SSL_AEAD,
@@ -1974,7 +1974,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	0,
 	TLS1_TXT_DH_DSS_WITH_AES_256_GCM_SHA384,
 	TLS1_CK_DH_DSS_WITH_AES_256_GCM_SHA384,
-	SSL_kDHr,
+	SSL_kDHd,
 	SSL_aDH,
 	SSL_AES256GCM,
 	SSL_AEAD,
@@ -2669,7 +2669,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	1,
 	TLS1_TXT_ECDH_RSA_WITH_AES_128_SHA256,
 	TLS1_CK_ECDH_RSA_WITH_AES_128_SHA256,
-	SSL_kECDHe,
+	SSL_kECDHr,
 	SSL_aECDH,
 	SSL_AES128,
 	SSL_SHA256,
@@ -2685,7 +2685,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	1,
 	TLS1_TXT_ECDH_RSA_WITH_AES_256_SHA384,
 	TLS1_CK_ECDH_RSA_WITH_AES_256_SHA384,
-	SSL_kECDHe,
+	SSL_kECDHr,
 	SSL_aECDH,
 	SSL_AES256,
 	SSL_SHA384,
@@ -2799,7 +2799,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	1,
 	TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256,
 	TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256,
-	SSL_kECDHe,
+	SSL_kECDHr,
 	SSL_aECDH,
 	SSL_AES128GCM,
 	SSL_AEAD,
@@ -2815,7 +2815,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	1,
 	TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384,
 	TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384,
-	SSL_kECDHe,
+	SSL_kECDHr,
 	SSL_aECDH,
 	SSL_AES256GCM,
 	SSL_AEAD,
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 5289092..bf8da98 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -290,7 +290,7 @@ static int ssl3_get_record(SSL *s)
 	unsigned char *p;
 	unsigned char md[EVP_MAX_MD_SIZE];
 	short version;
-	unsigned mac_size;
+	unsigned mac_size, orig_len;
 	size_t extra;
 
 	rr= &(s->s3->rrec);
@@ -398,7 +398,7 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
 
 	/* decrypt in place in 'rr->input' */
 	rr->data=rr->input;
-	rr->orig_len=rr->length;
+	orig_len=rr->length;
 
 	enc_err = s->method->ssl3_enc->enc(s,0);
 	/* enc_err is:
@@ -408,7 +408,7 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
 	if (enc_err == 0)
 		{
 		al=SSL_AD_DECRYPTION_FAILED;
-		SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
+		SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
 		goto f_err;
 		}
 
@@ -434,10 +434,10 @@ printf("\n");
 		 * therefore we can safely process the record in a different
 		 * amount of time if it's too short to possibly contain a MAC.
 		 */
-		if (rr->orig_len < mac_size ||
+		if (orig_len < mac_size ||
 		    /* CBC records must have a padding length byte too. */
 		    (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
-		     rr->orig_len < mac_size+1))
+		     orig_len < mac_size+1))
 			{
 			al=SSL_AD_DECODE_ERROR;
 			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
@@ -452,12 +452,12 @@ printf("\n");
 			 * without leaking the contents of the padding bytes.
 			 * */
 			mac = mac_tmp;
-			ssl3_cbc_copy_mac(mac_tmp, rr, mac_size);
+			ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);
 			rr->length -= mac_size;
 			}
 		else
 			{
-			/* In this case there's no padding, so |rec->orig_len|
+			/* In this case there's no padding, so |orig_len|
 			 * equals |rec->length| and we checked that there's
 			 * enough bytes for |mac_size| above. */
 			rr->length -= mac_size;
@@ -746,6 +746,7 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 	 * bytes and record version number > TLS 1.0
 	 */
 	if (s->state == SSL3_ST_CW_CLNT_HELLO_B
+				&& !s->renegotiate
 				&& TLS1_get_version(s) > TLS1_VERSION)
 		*(p++) = 0x1;
 	else
@@ -1240,7 +1241,7 @@ start:
 				goto f_err;
 				}
 #ifdef SSL_AD_MISSING_SRP_USERNAME
-			if (alert_descr == SSL_AD_MISSING_SRP_USERNAME)
+			else if (alert_descr == SSL_AD_MISSING_SRP_USERNAME)
 				return(0);
 #endif
 			}
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index c5c53dc..da1c2e8 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -194,7 +194,8 @@ static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
 		{
 		if(s->srp_ctx.login == NULL)
 			{
-			/* There isn't any srp login extension !!! */
+			/* RFC 5054 says SHOULD reject, 
+			   we do so if There is no srp login name */
 			ret = SSL3_AL_FATAL;
 			*al = SSL_AD_UNKNOWN_PSK_IDENTITY;
 			}
@@ -381,6 +382,7 @@ int ssl3_accept(SSL *s)
 				}
 			}
 #endif		
+			
 			s->renegotiate = 2;
 			s->state=SSL3_ST_SW_SRVR_HELLO_A;
 			s->init_num=0;
@@ -1205,7 +1207,7 @@ int ssl3_get_client_hello(SSL *s)
 			goto f_err;
 			}
 		}
-		if (ssl_check_clienthello_tlsext(s) <= 0) {
+		if (ssl_check_clienthello_tlsext_early(s) <= 0) {
 			SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
 			goto err;
 		}
@@ -1427,6 +1429,16 @@ int ssl3_get_client_hello(SSL *s)
 	 * s->tmp.new_cipher	- the new cipher to use.
 	 */
 
+	/* Handles TLS extensions that we couldn't check earlier */
+	if (s->version >= SSL3_VERSION)
+		{
+		if (ssl_check_clienthello_tlsext_late(s) <= 0)
+			{
+			SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
+			goto err;
+			}
+		}
+
 	if (ret < 0) ret=1;
 	if (0)
 		{
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 1aaadf3..5695aae 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -493,6 +493,9 @@ struct ssl_session_st
 	char *psk_identity_hint;
 	char *psk_identity;
 #endif
+	/* Used to indicate that session resumption is not allowed.
+	 * Applications can also set this bit for a new session via
+	 * not_resumable_session_cb to disable session caching and tickets. */
 	int not_resumable;
 
 	/* The cert is the certificate used to establish this connection */
@@ -535,7 +538,7 @@ struct ssl_session_st
 #endif /* OPENSSL_NO_EC */
 	/* RFC4507 info */
 	unsigned char *tlsext_tick;	/* Session ticket */
-	size_t	tlsext_ticklen;		/* Session ticket length */	
+	size_t tlsext_ticklen;		/* Session ticket length */
 	long tlsext_tick_lifetime_hint;	/* Session lifetime hint in seconds */
 #endif
 #ifndef OPENSSL_NO_SRP
@@ -931,6 +934,7 @@ struct ssl_ctx_st
 	/* Callback for status request */
 	int (*tlsext_status_cb)(SSL *ssl, void *arg);
 	void *tlsext_status_arg;
+
 	/* draft-rescorla-tls-opaque-prf-input-00.txt information */
 	int (*tlsext_opaque_prf_input_callback)(SSL *, void *peerinput, size_t len, void *arg);
 	void *tlsext_opaque_prf_input_callback_arg;
@@ -956,6 +960,7 @@ struct ssl_ctx_st
 #endif
 
 #ifndef OPENSSL_NO_TLSEXT
+
 # ifndef OPENSSL_NO_NEXTPROTONEG
 	/* Next protocol negotiation information */
 	/* (for experimental NPN extension). */
@@ -2262,6 +2267,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_GET_NEW_SESSION			 181
 #define SSL_F_SSL_GET_PREV_SESSION			 217
 #define SSL_F_SSL_GET_SERVER_SEND_CERT			 182
+#define SSL_F_SSL_GET_SERVER_SEND_PKEY			 317
 #define SSL_F_SSL_GET_SIGN_PKEY				 183
 #define SSL_F_SSL_INIT_WBIO_BUFFER			 184
 #define SSL_F_SSL_LOAD_CLIENT_CA_FILE			 185
diff --git a/ssl/ssl3.h b/ssl/ssl3.h
index 879be13..fee9671 100644
--- a/ssl/ssl3.h
+++ b/ssl/ssl3.h
@@ -355,10 +355,6 @@ typedef struct ssl3_record_st
 /*r */	unsigned char *comp;    /* only used with decompression - malloc()ed */
 /*r */  unsigned long epoch;    /* epoch number, needed by DTLS1 */
 /*r */  unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */
-/*rw*/	unsigned int orig_len;  /* How many bytes were available before padding
-				   was removed? This is used to implement the
-				   MAC check in constant time for CBC records.
-				 */
 	} SSL3_RECORD;
 
 typedef struct ssl3_buffer_st
@@ -594,8 +590,10 @@ typedef struct ssl3_state_st
 #define SSL3_ST_CW_CERT_VRFY_B		(0x191|SSL_ST_CONNECT)
 #define SSL3_ST_CW_CHANGE_A		(0x1A0|SSL_ST_CONNECT)
 #define SSL3_ST_CW_CHANGE_B		(0x1A1|SSL_ST_CONNECT)
+#ifndef OPENSSL_NO_NEXTPROTONEG
 #define SSL3_ST_CW_NEXT_PROTO_A		(0x200|SSL_ST_CONNECT)
 #define SSL3_ST_CW_NEXT_PROTO_B		(0x201|SSL_ST_CONNECT)
+#endif
 #define SSL3_ST_CW_CHANNEL_ID_A		(0x210|SSL_ST_CONNECT)
 #define SSL3_ST_CW_CHANNEL_ID_B		(0x211|SSL_ST_CONNECT)
 #define SSL3_ST_CW_FINISHED_A		(0x1B0|SSL_ST_CONNECT)
@@ -648,8 +646,10 @@ typedef struct ssl3_state_st
 #define SSL3_ST_SR_CHANGE_A		(0x1B0|SSL_ST_ACCEPT)
 #define SSL3_ST_SR_CHANGE_B		(0x1B1|SSL_ST_ACCEPT)
 #define SSL3_ST_SR_POST_CLIENT_CERT	(0x1BF|SSL_ST_ACCEPT)
+#ifndef OPENSSL_NO_NEXTPROTONEG
 #define SSL3_ST_SR_NEXT_PROTO_A		(0x210|SSL_ST_ACCEPT)
 #define SSL3_ST_SR_NEXT_PROTO_B		(0x211|SSL_ST_ACCEPT)
+#endif
 #define SSL3_ST_SR_CHANNEL_ID_A		(0x220|SSL_ST_ACCEPT)
 #define SSL3_ST_SR_CHANNEL_ID_B		(0x221|SSL_ST_ACCEPT)
 #define SSL3_ST_SR_FINISHED_A		(0x1C0|SSL_ST_ACCEPT)
@@ -676,7 +676,9 @@ typedef struct ssl3_state_st
 #define SSL3_MT_CLIENT_KEY_EXCHANGE		16
 #define SSL3_MT_FINISHED			20
 #define SSL3_MT_CERTIFICATE_STATUS		22
+#ifndef OPENSSL_NO_NEXTPROTONEG
 #define SSL3_MT_NEXT_PROTO			67
+#endif
 #define SSL3_MT_ENCRYPTED_EXTENSIONS		203
 #define DTLS1_MT_HELLO_VERIFY_REQUEST    3
 
diff --git a/ssl/ssl_algs.c b/ssl/ssl_algs.c
index 41ccbaa..9c34d19 100644
--- a/ssl/ssl_algs.c
+++ b/ssl/ssl_algs.c
@@ -90,12 +90,10 @@ int SSL_library_init(void)
 	EVP_add_cipher(EVP_aes_256_cbc());
 	EVP_add_cipher(EVP_aes_128_gcm());
 	EVP_add_cipher(EVP_aes_256_gcm());
-#if 0 /* Disabled because of timing side-channel leaks. */
 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
 	EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1());
 	EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1());
 #endif
-#endif
 
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 917be31..5123a89 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -164,14 +164,14 @@ static void ssl_cert_set_default_md(CERT *cert)
 	{
 	/* Set digest values to defaults */
 #ifndef OPENSSL_NO_DSA
-	cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
+	cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
 #endif
 #ifndef OPENSSL_NO_RSA
 	cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
 	cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
 #endif
 #ifndef OPENSSL_NO_ECDSA
-	cert->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
+	cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
 #endif
 	}
 
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 55deaaf..e8794d4 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -312,6 +312,7 @@ static const SSL_CIPHER cipher_aliases[]={
 	{0,SSL_TXT_SSLV2,0,   0,0,0,0,SSL_SSLV2, 0,0,0,0},
 	{0,SSL_TXT_SSLV3,0,   0,0,0,0,SSL_SSLV3, 0,0,0,0},
 	{0,SSL_TXT_TLSV1,0,   0,0,0,0,SSL_TLSV1, 0,0,0,0},
+	{0,SSL_TXT_TLSV1_2,0, 0,0,0,0,SSL_TLSV1_2, 0,0,0,0},
 
 	/* export flag */
 	{0,SSL_TXT_EXP,0,     0,0,0,0,0,SSL_EXPORT,0,0,0},
@@ -1150,9 +1151,9 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
 			while (	((ch >= 'A') && (ch <= 'Z')) ||
 				((ch >= '0') && (ch <= '9')) ||
 				((ch >= 'a') && (ch <= 'z')) ||
-				 (ch == '-'))
+				 (ch == '-') || (ch == '.'))
 #else
-			while (	isalnum(ch) || (ch == '-'))
+			while (	isalnum(ch) || (ch == '-') || (ch == '.'))
 #endif
 				 {
 				 ch = *(++l);
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index fbefce3..c40c718 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -230,6 +230,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_SSL_GET_NEW_SESSION),	"SSL_GET_NEW_SESSION"},
 {ERR_FUNC(SSL_F_SSL_GET_PREV_SESSION),	"SSL_GET_PREV_SESSION"},
 {ERR_FUNC(SSL_F_SSL_GET_SERVER_SEND_CERT),	"SSL_GET_SERVER_SEND_CERT"},
+{ERR_FUNC(SSL_F_SSL_GET_SERVER_SEND_PKEY),	"SSL_GET_SERVER_SEND_PKEY"},
 {ERR_FUNC(SSL_F_SSL_GET_SIGN_PKEY),	"SSL_GET_SIGN_PKEY"},
 {ERR_FUNC(SSL_F_SSL_INIT_WBIO_BUFFER),	"SSL_INIT_WBIO_BUFFER"},
 {ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE),	"SSL_load_client_CA_file"},
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 4db0fef..c94ff26 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2321,7 +2321,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
 #endif
 
 /* THIS NEEDS CLEANING UP */
-X509 *ssl_get_server_send_cert(SSL *s)
+CERT_PKEY *ssl_get_server_send_pkey(const SSL *s)
 	{
 	unsigned long alg_k,alg_a;
 	CERT *c;
@@ -2376,12 +2376,20 @@ X509 *ssl_get_server_send_cert(SSL *s)
 		i=SSL_PKEY_GOST01;
 	else /* if (alg_a & SSL_aNULL) */
 		{
-		SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,ERR_R_INTERNAL_ERROR);
+		SSLerr(SSL_F_SSL_GET_SERVER_SEND_PKEY,ERR_R_INTERNAL_ERROR);
 		return(NULL);
 		}
-	if (c->pkeys[i].x509 == NULL) return(NULL);
 
-	return(c->pkeys[i].x509);
+	return c->pkeys + i;
+	}
+
+X509 *ssl_get_server_send_cert(const SSL *s)
+	{
+	CERT_PKEY *cpk;
+	cpk = ssl_get_server_send_pkey(s);
+	if (!cpk)
+		return NULL;
+	return cpk->x509;
 	}
 
 EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd)
@@ -2642,7 +2650,7 @@ static const char *ssl_get_version(int version)
 		return("TLSv1.2");
 	else if (version == TLS1_1_VERSION)
 		return("TLSv1.1");
-	if (version == TLS1_VERSION)
+	else if (version == TLS1_VERSION)
 		return("TLSv1");
 	else if (version == SSL3_VERSION)
 		return("SSLv3");
@@ -2837,7 +2845,9 @@ void ssl_clear_cipher_ctx(SSL *s)
 /* Fix this function so that it takes an optional type parameter */
 X509 *SSL_get_certificate(const SSL *s)
 	{
-	if (s->cert != NULL)
+	if (s->server)
+		return(ssl_get_server_send_cert(s));
+	else if (s->cert != NULL)
 		return(s->cert->key->x509);
 	else
 		return(NULL);
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 9ca3b4a..5f21726 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -841,7 +841,8 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
 int ssl_undefined_function(SSL *s);
 int ssl_undefined_void_function(void);
 int ssl_undefined_const_function(const SSL *s);
-X509 *ssl_get_server_send_cert(SSL *);
+CERT_PKEY *ssl_get_server_send_pkey(const SSL *s);
+X509 *ssl_get_server_send_cert(const SSL *);
 EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *c, const EVP_MD **pmd);
 int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
 void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher);
@@ -1101,7 +1102,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d,
 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
 int ssl_prepare_clienthello_tlsext(SSL *s);
 int ssl_prepare_serverhello_tlsext(SSL *s);
-int ssl_check_clienthello_tlsext(SSL *s);
+int ssl_check_clienthello_tlsext_early(SSL *s);
+int ssl_check_clienthello_tlsext_late(SSL *s);
 int ssl_check_serverhello_tlsext(SSL *s);
 
 #ifndef OPENSSL_NO_HEARTBEATS
@@ -1149,7 +1151,7 @@ int ssl_parse_serverhello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al
 /* s3_cbc.c */
 void ssl3_cbc_copy_mac(unsigned char* out,
 		       const SSL3_RECORD *rec,
-		       unsigned md_size);
+		       unsigned md_size,unsigned orig_len);
 int ssl3_cbc_remove_padding(const SSL* s,
 			    SSL3_RECORD *rec,
 			    unsigned block_size,
@@ -1171,4 +1173,8 @@ void ssl3_cbc_digest_record(
 	unsigned mac_secret_length,
 	char is_sslv3);
 
+void tls_fips_digest_extra(
+	const EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *mac_ctx,
+	const unsigned char *data, size_t data_len, size_t orig_len);
+
 #endif
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index c43f3e2..82f55b6 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -746,7 +746,7 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
 
 	ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */
 
-	in=BIO_new(BIO_s_file_internal());
+	in = BIO_new(BIO_s_file_internal());
 	if (in == NULL)
 		{
 		SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_BUF_LIB);
@@ -759,14 +759,16 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
 		goto end;
 		}
 
-	x=PEM_read_bio_X509_AUX(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
+	x=PEM_read_bio_X509_AUX(in,NULL,ctx->default_passwd_callback,
+				ctx->default_passwd_callback_userdata);
 	if (x == NULL)
 		{
 		SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_PEM_LIB);
 		goto end;
 		}
 
-	ret=SSL_CTX_use_certificate(ctx,x);
+	ret = SSL_CTX_use_certificate(ctx, x);
+
 	if (ERR_peek_error() != 0)
 		ret = 0;  /* Key/certificate mismatch doesn't imply ret==0 ... */
 	if (ret)
@@ -778,13 +780,15 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
 		int r;
 		unsigned long err;
 		
-		if (ctx->extra_certs != NULL) 
+		if (ctx->extra_certs != NULL)
 			{
 			sk_X509_pop_free(ctx->extra_certs, X509_free);
 			ctx->extra_certs = NULL;
 			}
 
-		while ((ca = PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata))
+		while ((ca = PEM_read_bio_X509(in, NULL,
+					ctx->default_passwd_callback,
+					ctx->default_passwd_callback_userdata))
 			!= NULL)
 			{
 			r = SSL_CTX_add_extra_chain_cert(ctx, ca);
diff --git a/ssl/ssltest.c b/ssl/ssltest.c
index 02ce4ec..91169bb 100644
--- a/ssl/ssltest.c
+++ b/ssl/ssltest.c
@@ -544,8 +544,8 @@ int main(int argc, char *argv[])
 	int comp = 0;
 #ifndef OPENSSL_NO_COMP
 	COMP_METHOD *cm = NULL;
-#endif
 	STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
+#endif
 	int test_cipherlist = 0;
 #ifdef OPENSSL_FIPS
 	int fips_mode=0;
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 643e3e6..809ad2e 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -361,7 +361,7 @@ int tls1_change_cipher_state(SSL *s, int which)
 	{
         int i;
         for (i=0; i<s->s3->tmp.key_block_length; i++)
-		printf("%02x", key_block[i]);  printf("\n");
+		printf("%02x", s->s3->tmp.key_block[i]);  printf("\n");
         }
 #endif	/* KSSL_DEBUG */
 
@@ -949,7 +949,7 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
 	SSL3_RECORD *rec;
 	unsigned char *seq;
 	EVP_MD_CTX *hash;
-	size_t md_size;
+	size_t md_size, orig_len;
 	int i;
 	EVP_MD_CTX hmac, *mac_ctx;
 	unsigned char header[13];
@@ -996,6 +996,10 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
 	else
 		memcpy(header, seq, 8);
 
+	/* kludge: tls1_cbc_remove_padding passes padding length in rec->type */
+	orig_len = rec->length+md_size+((unsigned int)rec->type>>8);
+	rec->type &= 0xff;
+
 	header[8]=rec->type;
 	header[9]=(unsigned char)(ssl->version>>8);
 	header[10]=(unsigned char)(ssl->version);
@@ -1014,7 +1018,7 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
 			mac_ctx,
 			md, &md_size,
 			header, rec->input,
-			rec->length + md_size, rec->orig_len,
+			rec->length + md_size, orig_len,
 			ssl->s3->read_mac_secret,
 			ssl->s3->read_mac_secret_size,
 			0 /* not SSLv3 */);
@@ -1025,6 +1029,13 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
 		EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length);
 		t=EVP_DigestSignFinal(mac_ctx,md,&md_size);
 		OPENSSL_assert(t > 0);
+#ifdef OPENSSL_FIPS
+		if (!send && FIPS_mode())
+			tls_fips_digest_extra(
+	    				ssl->enc_read_ctx,
+					mac_ctx, rec->input,
+					rec->length, orig_len);
+#endif
 		}
 		
 	if (!stream_mac)
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 9972b1a..90a88ce 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1097,7 +1097,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 			int ellipticcurvelist_length = (*(sdata++) << 8);
 			ellipticcurvelist_length += (*(sdata++));
 
-			if (ellipticcurvelist_length != size - 2)
+			if (ellipticcurvelist_length != size - 2 ||
+				ellipticcurvelist_length < 1)
 				{
 				*al = TLS1_AD_DECODE_ERROR;
 				return 0;
@@ -1456,7 +1457,8 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 			unsigned char *sdata = data;
 			int ecpointformatlist_length = *(sdata++);
 
-			if (ecpointformatlist_length != size - 1)
+			if (ecpointformatlist_length != size - 1 || 
+				ecpointformatlist_length < 1)
 				{
 				*al = TLS1_AD_DECODE_ERROR;
 				return 0;
@@ -1789,7 +1791,7 @@ int ssl_prepare_serverhello_tlsext(SSL *s)
 	return 1;
 	}
 
-int ssl_check_clienthello_tlsext(SSL *s)
+int ssl_check_clienthello_tlsext_early(SSL *s)
 	{
 	int ret=SSL_TLSEXT_ERR_NOACK;
 	int al = SSL_AD_UNRECOGNIZED_NAME;
@@ -1808,42 +1810,12 @@ int ssl_check_clienthello_tlsext(SSL *s)
 	else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 		
 		ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
 
-	/* If status request then ask callback what to do.
- 	 * Note: this must be called after servername callbacks in case 
- 	 * the certificate has changed.
- 	 */
-	if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
-		{
-		int r;
-		r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
-		switch (r)
-			{
-			/* We don't want to send a status request response */
-			case SSL_TLSEXT_ERR_NOACK:
-				s->tlsext_status_expected = 0;
-				break;
-			/* status request response should be sent */
-			case SSL_TLSEXT_ERR_OK:
-				if (s->tlsext_ocsp_resp)
-					s->tlsext_status_expected = 1;
-				else
-					s->tlsext_status_expected = 0;
-				break;
-			/* something bad happened */
-			case SSL_TLSEXT_ERR_ALERT_FATAL:
-				ret = SSL_TLSEXT_ERR_ALERT_FATAL;
-				al = SSL_AD_INTERNAL_ERROR;
-				goto err;
-			}
-		}
-	else
-		s->tlsext_status_expected = 0;
-
 #ifdef TLSEXT_TYPE_opaque_prf_input
  	{
 		/* This sort of belongs into ssl_prepare_serverhello_tlsext(),
 		 * but we might be sending an alert in response to the client hello,
-		 * so this has to happen here in ssl_check_clienthello_tlsext(). */
+		 * so this has to happen here in
+		 * ssl_check_clienthello_tlsext_early(). */
 
 		int r = 1;
 	
@@ -1895,8 +1867,8 @@ int ssl_check_clienthello_tlsext(SSL *s)
 			}
 	}
 
-#endif
  err:
+#endif
 	switch (ret)
 		{
 		case SSL_TLSEXT_ERR_ALERT_FATAL:
@@ -1914,6 +1886,71 @@ int ssl_check_clienthello_tlsext(SSL *s)
 		}
 	}
 
+int ssl_check_clienthello_tlsext_late(SSL *s)
+	{
+	int ret = SSL_TLSEXT_ERR_OK;
+	int al;
+
+	/* If status request then ask callback what to do.
+ 	 * Note: this must be called after servername callbacks in case 
+ 	 * the certificate has changed, and must be called after the cipher
+	 * has been chosen because this may influence which certificate is sent
+ 	 */
+	if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
+		{
+		int r;
+		CERT_PKEY *certpkey;
+		certpkey = ssl_get_server_send_pkey(s);
+		/* If no certificate can't return certificate status */
+		if (certpkey == NULL)
+			{
+			s->tlsext_status_expected = 0;
+			return 1;
+			}
+		/* Set current certificate to one we will use so
+		 * SSL_get_certificate et al can pick it up.
+		 */
+		s->cert->key = certpkey;
+		r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
+		switch (r)
+			{
+			/* We don't want to send a status request response */
+			case SSL_TLSEXT_ERR_NOACK:
+				s->tlsext_status_expected = 0;
+				break;
+			/* status request response should be sent */
+			case SSL_TLSEXT_ERR_OK:
+				if (s->tlsext_ocsp_resp)
+					s->tlsext_status_expected = 1;
+				else
+					s->tlsext_status_expected = 0;
+				break;
+			/* something bad happened */
+			case SSL_TLSEXT_ERR_ALERT_FATAL:
+				ret = SSL_TLSEXT_ERR_ALERT_FATAL;
+				al = SSL_AD_INTERNAL_ERROR;
+				goto err;
+			}
+		}
+	else
+		s->tlsext_status_expected = 0;
+
+ err:
+	switch (ret)
+		{
+		case SSL_TLSEXT_ERR_ALERT_FATAL:
+			ssl3_send_alert(s,SSL3_AL_FATAL,al); 
+			return -1;
+
+		case SSL_TLSEXT_ERR_ALERT_WARNING:
+			ssl3_send_alert(s,SSL3_AL_WARNING,al);
+			return 1; 
+
+		default:
+			return 1;
+		}
+	}
+
 int ssl_check_serverhello_tlsext(SSL *s)
 	{
 	int ret=SSL_TLSEXT_ERR_NOACK;
@@ -2440,7 +2477,7 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
 	 */
 #ifndef OPENSSL_NO_DSA
 	if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
-		c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
+		c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
 #endif
 #ifndef OPENSSL_NO_RSA
 	if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
@@ -2451,7 +2488,7 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
 #endif
 #ifndef OPENSSL_NO_ECDSA
 	if (!c->pkeys[SSL_PKEY_ECC].digest)
-		c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
+		c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
 #endif
 	return 1;
 	}
diff --git a/ssl/tls_srp.c b/ssl/tls_srp.c
index 8512c4d..2315a7c 100644
--- a/ssl/tls_srp.c
+++ b/ssl/tls_srp.c
@@ -242,7 +242,8 @@ int SSL_srp_server_param_with_username(SSL *s, int *ad)
 		(s->srp_ctx.v == NULL))
 		return SSL3_AL_FATAL;
 
-	RAND_bytes(b, sizeof(b));
+	if (RAND_bytes(b, sizeof(b)) <= 0)
+		return SSL3_AL_FATAL;
 	s->srp_ctx.b = BN_bin2bn(b,sizeof(b),NULL);
 	OPENSSL_cleanse(b,sizeof(b));