Work around even more Estonian ID card misissuances.

Not content with signing negative RSA moduli, still other Estonian IDs have too many leading zeros. Work around those too. This workaround will be removed in six months. BUG=534766 Change-Id: Ica23b1b1499f9dbe39e94cf7b540900860e8e135 Reviewed-on: https://boringssl-review.googlesource.com/5980 Reviewed-by: Adam Langley <agl@google.com>
Update the Estonian workaround comments.
2015-09-25 13:23:53 -04:00 · 2015-09-21 16:21:40 -04:00 · 2015-09-21 16:21:34 -04:00 · 2015-08-19 01:35:50 +00:00 · 2015-08-19 00:46:02 +00:00 · 2015-08-19 00:45:42 +00:00
490 changed files with 38136 additions and 26274 deletions
@@ -3,3 +3,4 @@ ssl/test/runner/runner
 *.swp
 *.swo
 doc/*.html
+doc/doc.css
@@ -43,17 +43,38 @@ automatically.
 Note that the default build flags in the top-level CMakeLists.txt are for
 debugging - optimisation isn't enabled.

-If you want to cross-compile then there are example toolchain files for 32-bit
-Intel and ARM in util/. Wipe out the build directory, recreate it and run cmake
+If you want to cross-compile then there is an example toolchain file for
+32-bit Intel in util/. Wipe out the build directory, recreate it and run cmake
 like this:

-  cmake -DCMAKE_TOOLCHAIN_FILE=../util/arm-toolchain.cmake -GNinja ..
+  cmake -DCMAKE_TOOLCHAIN_FILE=../util/32-bit-toolchain.cmake -GNinja ..

 If you want to build as a shared library, pass -DBUILD_SHARED_LIBS=1. On
 Windows, where functions need to be tagged with "dllimport" when coming from a
 shared library, define BORINGSSL_SHARED_LIBRARY in any code which #includes the
 BoringSSL headers.

+
+Building for Android:
+
+It's possible to build BoringSSL with the Android NDK using CMake. This has
+been tested with version 10d of the NDK.
+
+Unpack the Android NDK somewhere and export ANDROID_NDK to point to the
+directory. Clone https://github.com/taka-no-me/android-cmake into util/.
+Then make a build directory as above and run CMake *twice* like this:
+
+  cmake -DANDROID_NATIVE_API_LEVEL=android-9 \
+        -DANDROID_ABI=armeabi-v7a \
+        -DCMAKE_TOOLCHAIN_FILE=../util/android-cmake/android.toolchain.cmake \
+        -DANDROID_NATIVE_API_LEVEL=16 \
+        -GNinja ..
+
+Once you've run that twice, ninja should produce Android-compatible binaries.
+You can replace "armeabi-v7a" in the above with "arm64-v8a" to build aarch64
+binaries.
+
+
 Known Limitations on Windows:

  * Versions of cmake since 3.0.2 have a bug in its Ninja generator that causes
@@ -2,9 +2,16 @@ cmake_minimum_required (VERSION 2.8.10)

 project (BoringSSL)

-find_package(Perl REQUIRED)
+if(ANDROID)
+  # Android-NDK CMake files reconfigure the path and so Go and Perl won't be
+  # found. However, ninja will still find them in $PATH if we just name them.
+  set(PERL_EXECUTABLE "perl")
+  set(GO_EXECUTABLE "go")
+else()
+  find_package(Perl REQUIRED)
+  find_program(GO_EXECUTABLE go)
+endif()

-find_program(GO_EXECUTABLE go)
 if (NOT GO_EXECUTABLE)
  message(FATAL_ERROR "Could not find Go")
 endif()
@@ -26,8 +33,6 @@ elseif(MSVC)
      "C4245" # 'initializing' : conversion from 'long' to
              # 'unsigned long', signed/unsigned mismatch
      "C4267" # conversion from 'size_t' to 'int', possible loss of data
-      "C4311" # 'type cast' : pointer truncation from 'uint8_t *' to 'long'
-              # TODO(davidben): Fix the s3_pkt.c's alignment code to avoid this.
      "C4371" # layout of class may have changed from a previous version of the
              # compiler due to better packing of member '...'
      "C4388" # signed/unsigned mismatch
@@ -47,7 +52,6 @@ elseif(MSVC)
              # copy constructor is inaccessible or deleted
      "C4626" # assignment operator could not be generated because a base class
              # assignment operator is inaccessible or deleted
-      "C4701" # potentially uninitialized local variable 'mdlen' used
      "C4706" # assignment within conditional expression
      "C4710" # 'function': function not inlined
      "C4711" # function 'function' selected for inline expansion
@@ -72,6 +76,11 @@ if((CMAKE_COMPILER_IS_GNUCXX AND CMAKE_C_COMPILER_VERSION VERSION_GREATER "4.7.9
  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wshadow")
 endif()

+if((CMAKE_COMPILER_IS_GNUCXX AND CMAKE_C_COMPILER_VERSION VERSION_GREATER "4.8.99") OR
+   CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=c11 -D_XOPEN_SOURCE=700")
+endif()
+
 add_definitions(-DBORINGSSL_IMPLEMENTATION)

 if (BUILD_SHARED_LIBS)
@@ -100,12 +109,23 @@ elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "i686")
  set(ARCH "x86")
 elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "arm")
  set(ARCH "arm")
+elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "armv6")
+  set(ARCH "arm")
+elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "armv7-a")
+  set(ARCH "arm")
 elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "aarch64")
  set(ARCH "aarch64")
 else()
  message(FATAL_ERROR "Unknown processor:" ${CMAKE_SYSTEM_PROCESSOR})
 endif()

+if (ANDROID AND ${ARCH} STREQUAL "arm")
+  # The Android-NDK CMake files somehow fail to set the -march flag for
+  # assembly files. Without this flag, the compiler believes that it's
+  # building for ARMv5.
+  set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -march=${CMAKE_SYSTEM_PROCESSOR}")
+endif()
+
 if (${ARCH} STREQUAL "x86" AND APPLE)
  # With CMake 2.8.x, ${CMAKE_SYSTEM_PROCESSOR} evalutes to i386 on OS X,
  # but clang defaults to 64-bit builds on OS X unless otherwise told.
@@ -113,7 +133,13 @@ if (${ARCH} STREQUAL "x86" AND APPLE)
  set(ARCH "x86_64")
 endif()

+if (OPENSSL_NO_ASM)
+  add_definitions(-DOPENSSL_NO_ASM)
+  set(ARCH "generic")
+endif()
+
 add_subdirectory(crypto)
 add_subdirectory(ssl)
 add_subdirectory(ssl/test)
 add_subdirectory(tool)
+add_subdirectory(decrepit)
@@ -1,3 +1,79 @@
+BoringSSL is a fork of OpenSSL. As such, large parts of it fall under OpenSSL
+licensing. Files that are completely new have a Google copyright and an ISC
+license. This license is reproduced at the bottom of this file.
+
+Contributors to BoringSSL are required to follow the CLA rules for Chromium:
+https://cla.developers.google.com/clas
+
+Some files from Intel are under yet another license, which is also included
+underneath.
+
+The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the
+OpenSSL License and the original SSLeay license apply to the toolkit. See below
+for the actual license texts. Actually both licenses are BSD-style Open Source
+licenses. In case of any license issues related to OpenSSL please contact
+openssl-core@openssl.org.
+
+  OpenSSL License
+  ---------------
+
+/* ====================================================================
+ * Copyright (c) 1998-2011 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+ Original SSLeay License
+ -----------------------
+
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -54,186 +130,56 @@
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
-/* ====================================================================
- * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
+
+
+ISC license used for completely new code in BoringSSL:
+
+/* Copyright (c) 2015, Google Inc.
 *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
 *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com). */
-
-#include <openssl/err.h>
-
-#include <assert.h>
-#include <string.h>
-
-#include <openssl/lhash.h>
-#include <openssl/mem.h>
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */


-DEFINE_LHASH_OF(ERR_STATE);
+Some files from Intel carry the following license:

-/* state_hash is a map from thread ID to ERR_STATE. It works like thread-local
- * storage. */
-static LHASH_OF(ERR_STATE) *state_hash = NULL;
-
-/* global_next_library contains the next custom library value to return. */
-static int global_next_library = ERR_NUM_LIBS;
-
-/* err_state_hash is an lhash hash function for ERR_STATE. */
-static uint32_t err_state_hash(const ERR_STATE *a) {
-  return CRYPTO_THREADID_hash(&a->tid);
-}
-
-/* err_state_cmp is an lhash compare function for ERR_STATE. */
-static int err_state_cmp(const ERR_STATE *a, const ERR_STATE *b) {
-  return CRYPTO_THREADID_cmp(&a->tid, &b->tid);
-}
-
-static ERR_STATE *err_get_state(void) {
-  CRYPTO_THREADID tid;
-  ERR_STATE pattern, *state, *race_state;
-  int insert_result;
-  static ERR_STATE fallback;
-
-  CRYPTO_THREADID_current(&tid);
-  memset(&pattern, 0, sizeof(pattern));
-  CRYPTO_THREADID_cpy(&pattern.tid, &tid);
-
-  CRYPTO_r_lock(CRYPTO_LOCK_ERR);
-  if (state_hash == NULL) {
-    CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
-    CRYPTO_w_lock(CRYPTO_LOCK_ERR);
-    if (state_hash == NULL) {
-      state_hash = lh_ERR_STATE_new(err_state_hash, err_state_cmp);
-    }
-    CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
-    CRYPTO_r_lock(CRYPTO_LOCK_ERR);
-  }
-
-  if (state_hash == NULL) {
-    CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
-    return NULL;
-  }
-
-  state = lh_ERR_STATE_retrieve(state_hash, &pattern);
-  CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
-  if (state != NULL) {
-    return state;
-  }
-
-  state = OPENSSL_malloc(sizeof(ERR_STATE));
-  if (state == NULL) {
-    CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
-    /* The other error functions don't cope with a failure to get the error
-     * state, so we return a dummy value. */
-    return &fallback;
-  }
-
-  memset(state, 0, sizeof(ERR_STATE));
-  CRYPTO_THREADID_cpy(&state->tid, &tid);
-
-  CRYPTO_w_lock(CRYPTO_LOCK_ERR);
-  insert_result = lh_ERR_STATE_insert(state_hash, &race_state, state);
-  CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
-
-  if (!insert_result) {
-    /* Insertion failed because of malloc failure. */
-    OPENSSL_free(state);
-    return &fallback;
-  }
-
-  /* We cannot have raced with another thread to insert an ERR_STATE because no
-   * other thread should be inserting values for this thread. */
-  assert(race_state == NULL);
-
-  return state;
-}
-
-static ERR_STATE *err_release_state(const CRYPTO_THREADID *tid) {
-  ERR_STATE pattern, *state;
-
-  CRYPTO_THREADID_cpy(&pattern.tid, tid);
-
-  CRYPTO_r_lock(CRYPTO_LOCK_ERR);
-  if (state_hash == NULL) {
-    CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
-    return NULL;
-  }
-
-  state = lh_ERR_STATE_delete(state_hash, &pattern);
-  CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
-
-  return state;
-}
-
-static void err_shutdown(void (*err_state_free_cb)(ERR_STATE*)) {
-  CRYPTO_w_lock(CRYPTO_LOCK_ERR);
-  if (state_hash) {
-    lh_ERR_STATE_doall(state_hash, err_state_free_cb);
-    lh_ERR_STATE_free(state_hash);
-    state_hash = NULL;
-  }
-  CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
-}
-
-static int err_get_next_library(void) {
-  int ret;
-
-  CRYPTO_w_lock(CRYPTO_LOCK_ERR);
-  ret = global_next_library++;
-  CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
-
-  return ret;
-}
-
-const struct ERR_FNS_st openssl_err_default_impl = {
-  err_shutdown,
-  err_get_state,
-  err_release_state,
-  err_get_next_library,
-};
+# Copyright (c) 2012, Intel Corporation
+#
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+# *  Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+# *  Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the
+#    distribution.
+#
+# *  Neither the name of the Intel Corporation nor the names of its
+#    contributors may be used to endorse or promote products derived from
+#    this software without specific prior written permission.
+#
+#
+# THIS SOFTWARE IS PROVIDED BY INTEL CORPORATION ""AS IS"" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL INTEL CORPORATION OR
+# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+# EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
@@ -105,7 +105,8 @@ type.
 Some types are allocated within the library while others are
 initialized into a struct allocated by the caller, often on the
 stack. Name these functions TYPE_NAME_new/TYPE_NAME_free and
-TYPE_NAME_init/TYPE_NAME_cleanup, respectively.
+TYPE_NAME_init/TYPE_NAME_cleanup, respectively. All TYPE_NAME_free
+functions must do nothing on NULL input.

 If a variable is the length of a pointer value, it has the suffix
 _len. An output parameter is named out or has an out_ prefix. For
@@ -12,6 +12,8 @@ elseif(UNIX)
    # The "armx" Perl scripts look for "64" in the style argument
    # in order to decide whether to generate 32- or 64-bit asm.
    set(PERLASM_STYLE linux64)
+  elseif (${ARCH} STREQUAL "arm")
+    set(PERLASM_STYLE linux32)
  elseif (${ARCH} STREQUAL "x86")
    set(PERLASM_FLAGS "-fPIC -DOPENSSL_IA32_SSE2")
    set(PERLASM_STYLE elf)
@@ -41,6 +43,7 @@ function(perlasm dest src)
    COMMAND ${PERL_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/${src} ${PERLASM_STYLE} ${PERLASM_FLAGS} ${ARGN} > ${dest}
    DEPENDS
    ${src}
+    ${PROJECT_SOURCE_DIR}/crypto/perlasm/arm-xlate.pl
    ${PROJECT_SOURCE_DIR}/crypto/perlasm/x86_64-xlate.pl
    ${PROJECT_SOURCE_DIR}/crypto/perlasm/x86asm.pl
    ${PROJECT_SOURCE_DIR}/crypto/perlasm/x86gas.pl
@@ -54,7 +57,6 @@ if (${ARCH} STREQUAL "x86_64")
  set(
    CRYPTO_ARCH_SOURCES

-    cpu-x86_64-asm.${ASM_EXT}
    cpu-intel.c
  )
 endif()
@@ -63,7 +65,6 @@ if (${ARCH} STREQUAL "x86")
  set(
    CRYPTO_ARCH_SOURCES

-    cpu-x86-asm.${ASM_EXT}
    cpu-intel.c
  )
 endif()
@@ -125,6 +126,7 @@ add_subdirectory(ecdsa)
 add_subdirectory(hmac)

 # Level 3
+add_subdirectory(cmac)
 add_subdirectory(evp)
 add_subdirectory(hkdf)
 add_subdirectory(pem)
@@ -134,19 +136,24 @@ add_subdirectory(x509v3)
 # Level 4
 add_subdirectory(pkcs8)

+# Test support code
+add_subdirectory(test)
+
 add_library(
  crypto

  crypto.c
-  mem.c
-  thread.c
-  thread_pthread.c
-  thread_win.c
-  ex_data.c
-  ex_data_impl.c
-  time_support.c
  directory_posix.c
  directory_win.c
+  ex_data.c
+  mem.c
+  refcount_c11.c
+  refcount_lock.c
+  thread.c
+  thread_none.c
+  thread_pthread.c
+  thread_win.c
+  time_support.c

  ${CRYPTO_ARCH_SOURCES}

@@ -181,6 +188,7 @@ add_library(
  $<TARGET_OBJECTS:ecdh>
  $<TARGET_OBJECTS:ecdsa>
  $<TARGET_OBJECTS:hmac>
+  $<TARGET_OBJECTS:cmac>
  $<TARGET_OBJECTS:evp>
  $<TARGET_OBJECTS:hkdf>
  $<TARGET_OBJECTS:pem>
@@ -189,7 +197,7 @@ add_library(
  $<TARGET_OBJECTS:pkcs8>
 )

-if(NOT MSVC)
+if(NOT MSVC AND NOT ANDROID)
  target_link_libraries(crypto pthread)
 endif()

@@ -197,6 +205,8 @@ add_executable(
  constant_time_test

  constant_time_test.c
+
+  $<TARGET_OBJECTS:test_support>
 )

 target_link_libraries(constant_time_test crypto)
@@ -205,9 +215,16 @@ add_executable(
  thread_test

  thread_test.c
+
+  $<TARGET_OBJECTS:test_support>
 )

 target_link_libraries(thread_test crypto)

-perlasm(cpu-x86_64-asm.${ASM_EXT} cpu-x86_64-asm.pl)
-perlasm(cpu-x86-asm.${ASM_EXT} cpu-x86-asm.pl)
+add_executable(
+  refcount_test
+
+  refcount_test.c
+)
+
+target_link_libraries(refcount_test crypto)
@@ -60,3 +60,12 @@ perlasm(aesni-x86.${ASM_EXT} asm/aesni-x86.pl)
 perlasm(aes-armv4.${ASM_EXT} asm/aes-armv4.pl)
 perlasm(bsaes-armv7.${ASM_EXT} asm/bsaes-armv7.pl)
 perlasm(aesv8-armx.${ASM_EXT} asm/aesv8-armx.pl)
+
+add_executable(
+  aes_test
+
+  aes_test.cc
+  $<TARGET_OBJECTS:test_support>
+)
+
+target_link_libraries(aes_test crypto)
@@ -0,0 +1,102 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <stdio.h>
+#include <string.h>
+
+#include <openssl/aes.h>
+#include <openssl/crypto.h>
+
+
+static bool TestAES(const uint8_t *key, size_t key_len,
+                    const uint8_t plaintext[AES_BLOCK_SIZE],
+                    const uint8_t ciphertext[AES_BLOCK_SIZE]) {
+  AES_KEY aes_key;
+  if (AES_set_encrypt_key(key, key_len * 8, &aes_key) != 0) {
+    fprintf(stderr, "AES_set_encrypt_key failed\n");
+    return false;
+  }
+
+  // Test encryption.
+  uint8_t block[AES_BLOCK_SIZE];
+  AES_encrypt(plaintext, block, &aes_key);
+  if (memcmp(block, ciphertext, AES_BLOCK_SIZE) != 0) {
+    fprintf(stderr, "AES_encrypt gave the wrong output\n");
+    return false;
+  }
+
+  // Test in-place encryption.
+  memcpy(block, plaintext, AES_BLOCK_SIZE);
+  AES_encrypt(block, block, &aes_key);
+  if (memcmp(block, ciphertext, AES_BLOCK_SIZE) != 0) {
+    fprintf(stderr, "AES_encrypt gave the wrong output\n");
+    return false;
+  }
+
+  if (AES_set_decrypt_key(key, key_len * 8, &aes_key) != 0) {
+    fprintf(stderr, "AES_set_decrypt_key failed\n");
+    return false;
+  }
+
+  // Test decryption.
+  AES_decrypt(ciphertext, block, &aes_key);
+  if (memcmp(block, plaintext, AES_BLOCK_SIZE) != 0) {
+    fprintf(stderr, "AES_decrypt gave the wrong output\n");
+    return false;
+  }
+
+  // Test in-place decryption.
+  memcpy(block, ciphertext, AES_BLOCK_SIZE);
+  AES_decrypt(block, block, &aes_key);
+  if (memcmp(block, plaintext, AES_BLOCK_SIZE) != 0) {
+    fprintf(stderr, "AES_decrypt gave the wrong output\n");
+    return false;
+  }
+  return true;
+}
+
+int main() {
+  CRYPTO_library_init();
+
+  // Test vectors from FIPS-197, Appendix C.
+  if (!TestAES((const uint8_t *)"\x00\x01\x02\x03\x04\x05\x06\x07"
+                                "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
+               128 / 8,
+               (const uint8_t *)"\x00\x11\x22\x33\x44\x55\x66\x77"
+                                "\x88\x99\xaa\xbb\xcc\xdd\xee\xff",
+               (const uint8_t *)"\x69\xc4\xe0\xd8\x6a\x7b\x04\x30"
+                                "\xd8\xcd\xb7\x80\x70\xb4\xc5\x5a") ||
+      !TestAES((const uint8_t *)"\x00\x01\x02\x03\x04\x05\x06\x07"
+                                "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+                                "\x10\x11\x12\x13\x14\x15\x16\x17",
+               192 / 8,
+               (const uint8_t *)"\x00\x11\x22\x33\x44\x55\x66\x77"
+                                "\x88\x99\xaa\xbb\xcc\xdd\xee\xff",
+               (const uint8_t *)"\xdd\xa9\x7c\xa4\x86\x4c\xdf\xe0"
+                                "\x6e\xaf\x70\xa0\xec\x0d\x71\x91") ||
+      !TestAES((const uint8_t *)"\x00\x01\x02\x03\x04\x05\x06\x07"
+                                "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
+                                "\x10\x11\x12\x13\x14\x15\x16\x17"
+                                "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f",
+               256 / 8,
+               (const uint8_t *)"\x00\x11\x22\x33\x44\x55\x66\x77"
+                                "\x88\x99\xaa\xbb\xcc\xdd\xee\xff",
+               (const uint8_t *)"\x8e\xa2\xb7\xca\x51\x67\x45\xbf"
+                                "\xea\xfc\x49\x90\x4b\x49\x60\x89")) {
+    return false;
+  }
+
+  printf("PASS\n");
+  return 0;
+}
@@ -45,7 +45,7 @@
 # the undertaken effort was that it appeared that in tight IA-32
 # register window little-endian flavor could achieve slightly higher
 # Instruction Level Parallelism, and it indeed resulted in up to 15%
-# better performance on most recent µ-archs...
+# better performance on most recent µ-archs...
 #
 # Third version adds AES_cbc_encrypt implementation, which resulted in
 # up to 40% performance imrovement of CBC benchmark results. 40% was
@@ -224,7 +224,7 @@ sub _data_word() { my $i; while(defined($i=shift)) { &data_word($i,$i); } }
 $speed_limit=512;	# chunks smaller than $speed_limit are
 			# processed with compact routine in CBC mode
 $small_footprint=1;	# $small_footprint=1 code is ~5% slower [on
-			# recent µ-archs], but ~5 times smaller!
+			# recent µ-archs], but ~5 times smaller!
 			# I favor compact code to minimize cache
 			# contention and in hope to "collect" 5% back
 			# in real-life applications...
@@ -565,7 +565,7 @@ sub enctransform()
 # Performance is not actually extraordinary in comparison to pure
 # x86 code. In particular encrypt performance is virtually the same.
 # Decrypt performance on the other hand is 15-20% better on newer
-# µ-archs [but we're thankful for *any* improvement here], and ~50%
+# µ-archs [but we're thankful for *any* improvement here], and ~50%
 # better on PIII:-) And additionally on the pros side this code
 # eliminates redundant references to stack and thus relieves/
 # minimizes the pressure on the memory bus.
@@ -32,8 +32,20 @@
 # Profiler-assisted and platform-specific optimization resulted in 16%
 # improvement on Cortex A8 core and ~21.5 cycles per byte.

-while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {}
-open STDOUT,">$output";
+$flavour = shift;
+if ($flavour=~/^\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; }
+else { while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} }
+
+if ($flavour && $flavour ne "void") {
+    $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+    ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
+    ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
+    die "can't locate arm-xlate.pl";
+
+    open STDOUT,"| \"$^X\" $xlate $flavour $output";
+} else {
+    open STDOUT,">$output";
+}

 $s0="r0";
 $s1="r1";
@@ -63,7 +75,7 @@ $code=<<___;
 .code	32
 #else
 .syntax	unified
-# ifdef __thumb2__
+# if defined(__thumb2__) && !defined(__APPLE__)
 .thumb
 # else
 .code	32
@@ -189,9 +201,13 @@ asm_AES_encrypt:
 	adr	r3,asm_AES_encrypt
 #endif
 	stmdb   sp!,{r1,r4-r12,lr}
+#ifdef	__APPLE__
+	adr	$tbl,AES_Te
+#else
+	sub	$tbl,r3,#asm_AES_encrypt-AES_Te	@ Te
+#endif
 	mov	$rounds,r0		@ inp
 	mov	$key,r2
-	sub	$tbl,r3,#asm_AES_encrypt-AES_Te	@ Te
 #if __ARM_ARCH__<7
 	ldrb	$s0,[$rounds,#3]	@ load input data in endian-neutral
 	ldrb	$t1,[$rounds,#2]	@ manner...
@@ -460,12 +476,16 @@ _armv4_AES_set_encrypt_key:
 	bne	.Labrt

 .Lok:	stmdb   sp!,{r4-r12,lr}
-	sub	$tbl,r3,#_armv4_AES_set_encrypt_key-AES_Te-1024	@ Te4
-
 	mov	$rounds,r0		@ inp
 	mov	lr,r1			@ bits
 	mov	$key,r2			@ key

+#ifdef	__APPLE__
+	adr	$tbl,AES_Te+1024				@ Te4
+#else
+	sub	$tbl,r3,#_armv4_AES_set_encrypt_key-AES_Te-1024	@ Te4
+#endif
+
 #if __ARM_ARCH__<7
 	ldrb	$s0,[$rounds,#3]	@ load input data in endian-neutral
 	ldrb	$t1,[$rounds,#2]	@ manner...
@@ -718,8 +738,8 @@ _armv4_AES_set_encrypt_key:
 .Ldone:	mov	r0,#0
 	ldmia   sp!,{r4-r12,lr}
 .Labrt:
-#if defined(__thumb2__) && __ARM_ARCH__>=7
-	.short	0x4770			@ bx lr in Thumb2 encoding
+#if __ARM_ARCH__>=5
+	ret				@ bx lr
 #else
 	tst	lr,#1
 	moveq	pc,lr			@ be binary compatible with V4, yet
@@ -961,9 +981,13 @@ asm_AES_decrypt:
 	adr	r3,asm_AES_decrypt
 #endif
 	stmdb   sp!,{r1,r4-r12,lr}
+#ifdef	__APPLE__
+	adr	$tbl,AES_Td
+#else
+	sub	$tbl,r3,#asm_AES_decrypt-AES_Td	@ Td
+#endif
 	mov	$rounds,r0		@ inp
 	mov	$key,r2
-	sub	$tbl,r3,#asm_AES_decrypt-AES_Td		@ Td
 #if __ARM_ARCH__<7
 	ldrb	$s0,[$rounds,#3]	@ load input data in endian-neutral
 	ldrb	$t1,[$rounds,#2]	@ manner...
@@ -1211,6 +1235,7 @@ _armv4_AES_decrypt:
 ___

 $code =~ s/\bbx\s+lr\b/.word\t0xe12fff1e/gm;	# make it possible to compile with -march=armv4
+$code =~ s/\bret\b/bx\tlr/gm;

 open SELF,$0;
 while(<SELF>) {
@@ -51,7 +51,7 @@
 # Westmere	3.77/1.37	1.37	1.52	1.27
 # * Bridge	5.07/0.98	0.99	1.09	0.91
 # Haswell	4.44/0.80	0.97	1.03	0.72
-# Atom		5.77/3.56	3.67	4.03	3.46
+# Silvermont	5.77/3.56	3.67	4.03	3.46
 # Bulldozer	5.80/0.98	1.05	1.24	0.93

 $PREFIX="aesni";	# if $PREFIX is set to "AES", the script
@@ -65,6 +65,9 @@ require "x86asm.pl";

 &asm_init($ARGV[0],$0);

+&external_label("OPENSSL_ia32cap_P");
+&static_label("key_const");
+
 if ($PREFIX eq "aesni")	{ $movekey=\&movups; }
 else			{ $movekey=\&movups; }

@@ -181,7 +184,10 @@ sub aesni_generate1	# fully unrolled loop
 	{   &aesni_inline_generate1("enc");	}
 	else
 	{   &call	("_aesni_encrypt1");	}
+	&pxor	($rndkey0,$rndkey0);		# clear register bank
+	&pxor	($rndkey1,$rndkey1);
 	&movups	(&QWP(0,"eax"),$inout0);
+	&pxor	($inout0,$inout0);
 	&ret	();
 &function_end_B("${PREFIX}_encrypt");

@@ -197,7 +203,10 @@ sub aesni_generate1	# fully unrolled loop
 	{   &aesni_inline_generate1("dec");	}
 	else
 	{   &call	("_aesni_decrypt1");	}
+	&pxor	($rndkey0,$rndkey0);		# clear register bank
+	&pxor	($rndkey1,$rndkey1);
 	&movups	(&QWP(0,"eax"),$inout0);
+	&pxor	($inout0,$inout0);
 	&ret	();
 &function_end_B("${PREFIX}_decrypt");

@@ -349,17 +358,15 @@ sub aesni_generate6
 	&neg		($rounds);
 	eval"&aes${p}	($inout2,$rndkey1)";
 	&pxor		($inout5,$rndkey0);
+	&$movekey	($rndkey0,&QWP(0,$key,$rounds));
 	&add		($rounds,16);
-	eval"&aes${p}	($inout3,$rndkey1)";
-	eval"&aes${p}	($inout4,$rndkey1)";
-	eval"&aes${p}	($inout5,$rndkey1)";
-	&$movekey	($rndkey0,&QWP(-16,$key,$rounds));
-	&jmp		(&label("_aesni_${p}rypt6_enter"));
+	&jmp		(&label("_aesni_${p}rypt6_inner"));

    &set_label("${p}6_loop",16);
 	eval"&aes${p}	($inout0,$rndkey1)";
 	eval"&aes${p}	($inout1,$rndkey1)";
 	eval"&aes${p}	($inout2,$rndkey1)";
+    &set_label("_aesni_${p}rypt6_inner");
 	eval"&aes${p}	($inout3,$rndkey1)";
 	eval"&aes${p}	($inout4,$rndkey1)";
 	eval"&aes${p}	($inout5,$rndkey1)";
@@ -615,6 +622,14 @@ if ($PREFIX eq "aesni") {
 	&movups	(&QWP(0x30,$out),$inout3);

 &set_label("ecb_ret");
+	&pxor	("xmm0","xmm0");		# clear register bank
+	&pxor	("xmm1","xmm1");
+	&pxor	("xmm2","xmm2");
+	&pxor	("xmm3","xmm3");
+	&pxor	("xmm4","xmm4");
+	&pxor	("xmm5","xmm5");
+	&pxor	("xmm6","xmm6");
+	&pxor	("xmm7","xmm7");
 &function_end("aesni_ecb_encrypt");

 ######################################################################
@@ -704,6 +719,15 @@ if ($PREFIX eq "aesni") {
 	&mov	("esp",&DWP(48,"esp"));
 	&mov	($out,&wparam(5));
 	&movups	(&QWP(0,$out),$cmac);
+
+	&pxor	("xmm0","xmm0");		# clear register bank
+	&pxor	("xmm1","xmm1");
+	&pxor	("xmm2","xmm2");
+	&pxor	("xmm3","xmm3");
+	&pxor	("xmm4","xmm4");
+	&pxor	("xmm5","xmm5");
+	&pxor	("xmm6","xmm6");
+	&pxor	("xmm7","xmm7");
 &function_end("aesni_ccm64_encrypt_blocks");

 &function_begin("aesni_ccm64_decrypt_blocks");
@@ -804,6 +828,15 @@ if ($PREFIX eq "aesni") {
 	&mov	("esp",&DWP(48,"esp"));
 	&mov	($out,&wparam(5));
 	&movups	(&QWP(0,$out),$cmac);
+
+	&pxor	("xmm0","xmm0");		# clear register bank
+	&pxor	("xmm1","xmm1");
+	&pxor	("xmm2","xmm2");
+	&pxor	("xmm3","xmm3");
+	&pxor	("xmm4","xmm4");
+	&pxor	("xmm5","xmm5");
+	&pxor	("xmm6","xmm6");
+	&pxor	("xmm7","xmm7");
 &function_end("aesni_ccm64_decrypt_blocks");
 }

@@ -1053,6 +1086,17 @@ if ($PREFIX eq "aesni") {
 	&movups	(&QWP(0x30,$out),$inout3);

 &set_label("ctr32_ret");
+	&pxor	("xmm0","xmm0");		# clear register bank
+	&pxor	("xmm1","xmm1");
+	&pxor	("xmm2","xmm2");
+	&pxor	("xmm3","xmm3");
+	&pxor	("xmm4","xmm4");
+	&movdqa	(&QWP(32,"esp"),"xmm0");	# clear stack
+	&pxor	("xmm5","xmm5");
+	&movdqa	(&QWP(48,"esp"),"xmm0");
+	&pxor	("xmm6","xmm6");
+	&movdqa	(&QWP(64,"esp"),"xmm0");
+	&pxor	("xmm7","xmm7");
 	&mov	("esp",&DWP(80,"esp"));
 &function_end("aesni_ctr32_encrypt_blocks");

@@ -1394,6 +1438,20 @@ if ($PREFIX eq "aesni") {
 	&movups	(&QWP(-16,$out),$inout0);	# write output

 &set_label("xts_enc_ret");
+	&pxor	("xmm0","xmm0");		# clear register bank
+	&pxor	("xmm1","xmm1");
+	&pxor	("xmm2","xmm2");
+	&movdqa	(&QWP(16*0,"esp"),"xmm0");	# clear stack
+	&pxor	("xmm3","xmm3");
+	&movdqa	(&QWP(16*1,"esp"),"xmm0");
+	&pxor	("xmm4","xmm4");
+	&movdqa	(&QWP(16*2,"esp"),"xmm0");
+	&pxor	("xmm5","xmm5");
+	&movdqa	(&QWP(16*3,"esp"),"xmm0");
+	&pxor	("xmm6","xmm6");
+	&movdqa	(&QWP(16*4,"esp"),"xmm0");
+	&pxor	("xmm7","xmm7");
+	&movdqa	(&QWP(16*5,"esp"),"xmm0");
 	&mov	("esp",&DWP(16*7+4,"esp"));	# restore %esp
 &function_end("aesni_xts_encrypt");

@@ -1756,6 +1814,20 @@ if ($PREFIX eq "aesni") {
 	&movups	(&QWP(0,$out),$inout0);		# write output

 &set_label("xts_dec_ret");
+	&pxor	("xmm0","xmm0");		# clear register bank
+	&pxor	("xmm1","xmm1");
+	&pxor	("xmm2","xmm2");
+	&movdqa	(&QWP(16*0,"esp"),"xmm0");	# clear stack
+	&pxor	("xmm3","xmm3");
+	&movdqa	(&QWP(16*1,"esp"),"xmm0");
+	&pxor	("xmm4","xmm4");
+	&movdqa	(&QWP(16*2,"esp"),"xmm0");
+	&pxor	("xmm5","xmm5");
+	&movdqa	(&QWP(16*3,"esp"),"xmm0");
+	&pxor	("xmm6","xmm6");
+	&movdqa	(&QWP(16*4,"esp"),"xmm0");
+	&pxor	("xmm7","xmm7");
+	&movdqa	(&QWP(16*5,"esp"),"xmm0");
 	&mov	("esp",&DWP(16*7+4,"esp"));	# restore %esp
 &function_end("aesni_xts_decrypt");
 }
@@ -1808,6 +1880,7 @@ if ($PREFIX eq "aesni") {
 	&add	($len,16);
 	&jnz	(&label("cbc_enc_tail"));
 	&movaps	($ivec,$inout0);
+	&pxor	($inout0,$inout0);
 	&jmp	(&label("cbc_ret"));

 &set_label("cbc_enc_tail");
@@ -1871,7 +1944,7 @@ if ($PREFIX eq "aesni") {
 	&movaps	($inout0,$inout5);
 	&movaps	($ivec,$rndkey0);
 	&add	($len,0x50);
-	&jle	(&label("cbc_dec_tail_collected"));
+	&jle	(&label("cbc_dec_clear_tail_collected"));
 	&movups	(&QWP(0,$out),$inout0);
 	&lea	($out,&DWP(0x10,$out));
 &set_label("cbc_dec_tail");
@@ -1910,10 +1983,14 @@ if ($PREFIX eq "aesni") {
 	&xorps	($inout4,$rndkey0);
 	&movups	(&QWP(0,$out),$inout0);
 	&movups	(&QWP(0x10,$out),$inout1);
+	&pxor	($inout1,$inout1);
 	&movups	(&QWP(0x20,$out),$inout2);
+	&pxor	($inout2,$inout2);
 	&movups	(&QWP(0x30,$out),$inout3);
+	&pxor	($inout3,$inout3);
 	&lea	($out,&DWP(0x40,$out));
 	&movaps	($inout0,$inout4);
+	&pxor	($inout4,$inout4);
 	&sub	($len,0x50);
 	&jmp	(&label("cbc_dec_tail_collected"));

@@ -1933,6 +2010,7 @@ if ($PREFIX eq "aesni") {
 	&xorps	($inout1,$in0);
 	&movups	(&QWP(0,$out),$inout0);
 	&movaps	($inout0,$inout1);
+	&pxor	($inout1,$inout1);
 	&lea	($out,&DWP(0x10,$out));
 	&movaps	($ivec,$in1);
 	&sub	($len,0x20);
@@ -1945,7 +2023,9 @@ if ($PREFIX eq "aesni") {
 	&xorps	($inout2,$in1);
 	&movups	(&QWP(0,$out),$inout0);
 	&movaps	($inout0,$inout2);
+	&pxor	($inout2,$inout2);
 	&movups	(&QWP(0x10,$out),$inout1);
+	&pxor	($inout1,$inout1);
 	&lea	($out,&DWP(0x20,$out));
 	&movups	($ivec,&QWP(0x20,$inp));
 	&sub	($len,0x30);
@@ -1961,29 +2041,44 @@ if ($PREFIX eq "aesni") {
 	&movups	(&QWP(0,$out),$inout0);
 	&xorps	($inout2,$rndkey1);
 	&movups	(&QWP(0x10,$out),$inout1);
+	&pxor	($inout1,$inout1);
 	&xorps	($inout3,$rndkey0);
 	&movups	(&QWP(0x20,$out),$inout2);
+	&pxor	($inout2,$inout2);
 	&lea	($out,&DWP(0x30,$out));
 	&movaps	($inout0,$inout3);
+	&pxor	($inout3,$inout3);
 	&sub	($len,0x40);
+	&jmp	(&label("cbc_dec_tail_collected"));

+&set_label("cbc_dec_clear_tail_collected",16);
+	&pxor	($inout1,$inout1);
+	&pxor	($inout2,$inout2);
+	&pxor	($inout3,$inout3);
+	&pxor	($inout4,$inout4);
 &set_label("cbc_dec_tail_collected");
 	&and	($len,15);
 	&jnz	(&label("cbc_dec_tail_partial"));
 	&movups	(&QWP(0,$out),$inout0);
+	&pxor	($rndkey0,$rndkey0);
 	&jmp	(&label("cbc_ret"));

 &set_label("cbc_dec_tail_partial",16);
 	&movaps	(&QWP(0,"esp"),$inout0);
+	&pxor	($rndkey0,$rndkey0);
 	&mov	("ecx",16);
 	&mov	($inp,"esp");
 	&sub	("ecx",$len);
 	&data_word(0xA4F3F689);		# rep movsb
+	&movdqa	(&QWP(0,"esp"),$inout0);

 &set_label("cbc_ret");
 	&mov	("esp",&DWP(16,"esp"));	# pull original %esp
 	&mov	($key_,&wparam(4));
+	&pxor	($inout0,$inout0);
+	&pxor	($rndkey1,$rndkey1);
 	&movups	(&QWP(0,$key_),$ivec);	# output IV
+	&pxor	($ivec,$ivec);
 &set_label("cbc_abort");
 &function_end("${PREFIX}_cbc_encrypt");

@@ -2000,14 +2095,24 @@ if ($PREFIX eq "aesni") {
 #	$round	rounds

 &function_begin_B("_aesni_set_encrypt_key");
+	&push	("ebp");
+	&push	("ebx");
 	&test	("eax","eax");
 	&jz	(&label("bad_pointer"));
 	&test	($key,$key);
 	&jz	(&label("bad_pointer"));

+	&call	(&label("pic"));
+&set_label("pic");
+	&blindpop("ebx");
+	&lea	("ebx",&DWP(&label("key_const")."-".&label("pic"),"ebx"));
+
+	&picmeup("ebp","OPENSSL_ia32cap_P","ebx",&label("key_const"));
 	&movups	("xmm0",&QWP(0,"eax"));	# pull first 128 bits of *userKey
 	&xorps	("xmm4","xmm4");	# low dword of xmm4 is assumed 0
+	&mov	("ebp",&DWP(4,"ebp"));
 	&lea	($key,&DWP(16,$key));
+	&and	("ebp",1<<28|1<<11);	# AVX and XOP bits
 	&cmp	($rounds,256);
 	&je	(&label("14rounds"));
 	&cmp	($rounds,192);
@@ -2016,6 +2121,9 @@ if ($PREFIX eq "aesni") {
 	&jne	(&label("bad_keybits"));

 &set_label("10rounds",16);
+	&cmp		("ebp",1<<28);
+	&je		(&label("10rounds_alt"));
+
 	&mov		($rounds,9);
 	&$movekey	(&QWP(-16,$key),"xmm0");	# round 0
 	&aeskeygenassist("xmm1","xmm0",0x01);		# round 1
@@ -2040,8 +2148,8 @@ if ($PREFIX eq "aesni") {
 	&call		(&label("key_128"));
 	&$movekey	(&QWP(0,$key),"xmm0");
 	&mov		(&DWP(80,$key),$rounds);
-	&xor		("eax","eax");
-	&ret();
+
+	&jmp	(&label("good_key"));

 &set_label("key_128",16);
 	&$movekey	(&QWP(0,$key),"xmm0");
@@ -2055,8 +2163,76 @@ if ($PREFIX eq "aesni") {
 	&xorps		("xmm0","xmm1");
 	&ret();

+&set_label("10rounds_alt",16);
+	&movdqa		("xmm5",&QWP(0x00,"ebx"));
+	&mov		($rounds,8);
+	&movdqa		("xmm4",&QWP(0x20,"ebx"));
+	&movdqa		("xmm2","xmm0");
+	&movdqu		(&QWP(-16,$key),"xmm0");
+
+&set_label("loop_key128");
+	&pshufb		("xmm0","xmm5");
+	&aesenclast	("xmm0","xmm4");
+	&pslld		("xmm4",1);
+	&lea		($key,&DWP(16,$key));
+
+	&movdqa		("xmm3","xmm2");
+	&pslldq		("xmm2",4);
+	&pxor		("xmm3","xmm2");
+	&pslldq		("xmm2",4);
+	&pxor		("xmm3","xmm2");
+	&pslldq		("xmm2",4);
+	&pxor		("xmm2","xmm3");
+
+	&pxor		("xmm0","xmm2");
+	&movdqu		(&QWP(-16,$key),"xmm0");
+	&movdqa		("xmm2","xmm0");
+
+	&dec		($rounds);
+	&jnz		(&label("loop_key128"));
+
+	&movdqa		("xmm4",&QWP(0x30,"ebx"));
+
+	&pshufb		("xmm0","xmm5");
+	&aesenclast	("xmm0","xmm4");
+	&pslld		("xmm4",1);
+
+	&movdqa		("xmm3","xmm2");
+	&pslldq		("xmm2",4);
+	&pxor		("xmm3","xmm2");
+	&pslldq		("xmm2",4);
+	&pxor		("xmm3","xmm2");
+	&pslldq		("xmm2",4);
+	&pxor		("xmm2","xmm3");
+
+	&pxor		("xmm0","xmm2");
+	&movdqu		(&QWP(0,$key),"xmm0");
+
+	&movdqa		("xmm2","xmm0");
+	&pshufb		("xmm0","xmm5");
+	&aesenclast	("xmm0","xmm4");
+
+	&movdqa		("xmm3","xmm2");
+	&pslldq		("xmm2",4);
+	&pxor		("xmm3","xmm2");
+	&pslldq		("xmm2",4);
+	&pxor		("xmm3","xmm2");
+	&pslldq		("xmm2",4);
+	&pxor		("xmm2","xmm3");
+
+	&pxor		("xmm0","xmm2");
+	&movdqu		(&QWP(16,$key),"xmm0");
+
+	&mov		($rounds,9);
+	&mov		(&DWP(96,$key),$rounds);
+
+	&jmp	(&label("good_key"));
+
 &set_label("12rounds",16);
 	&movq		("xmm2",&QWP(16,"eax"));	# remaining 1/3 of *userKey
+	&cmp		("ebp",1<<28);
+	&je		(&label("12rounds_alt"));
+
 	&mov		($rounds,11);
 	&$movekey	(&QWP(-16,$key),"xmm0");	# round 0
 	&aeskeygenassist("xmm1","xmm2",0x01);		# round 1,2
@@ -2077,8 +2253,8 @@ if ($PREFIX eq "aesni") {
 	&call		(&label("key_192b"));
 	&$movekey	(&QWP(0,$key),"xmm0");
 	&mov		(&DWP(48,$key),$rounds);
-	&xor		("eax","eax");
-	&ret();
+
+	&jmp	(&label("good_key"));

 &set_label("key_192a",16);
 	&$movekey	(&QWP(0,$key),"xmm0");
@@ -2108,10 +2284,52 @@ if ($PREFIX eq "aesni") {
 	&lea		($key,&DWP(32,$key));
 	&jmp		(&label("key_192b_warm"));

+&set_label("12rounds_alt",16);
+	&movdqa		("xmm5",&QWP(0x10,"ebx"));
+	&movdqa		("xmm4",&QWP(0x20,"ebx"));
+	&mov		($rounds,8);
+	&movdqu		(&QWP(-16,$key),"xmm0");
+
+&set_label("loop_key192");
+	&movq		(&QWP(0,$key),"xmm2");
+	&movdqa		("xmm1","xmm2");
+	&pshufb		("xmm2","xmm5");
+	&aesenclast	("xmm2","xmm4");
+	&pslld		("xmm4",1);
+	&lea		($key,&DWP(24,$key));
+
+	&movdqa		("xmm3","xmm0");
+	&pslldq		("xmm0",4);
+	&pxor		("xmm3","xmm0");
+	&pslldq		("xmm0",4);
+	&pxor		("xmm3","xmm0");
+	&pslldq		("xmm0",4);
+	&pxor		("xmm0","xmm3");
+
+	&pshufd		("xmm3","xmm0",0xff);
+	&pxor		("xmm3","xmm1");
+	&pslldq		("xmm1",4);
+	&pxor		("xmm3","xmm1");
+
+	&pxor		("xmm0","xmm2");
+	&pxor		("xmm2","xmm3");
+	&movdqu		(&QWP(-16,$key),"xmm0");
+
+	&dec		($rounds);
+	&jnz		(&label("loop_key192"));
+
+	&mov	($rounds,11);
+	&mov	(&DWP(32,$key),$rounds);
+
+	&jmp	(&label("good_key"));
+
 &set_label("14rounds",16);
 	&movups		("xmm2",&QWP(16,"eax"));	# remaining half of *userKey
-	&mov		($rounds,13);
 	&lea		($key,&DWP(16,$key));
+	&cmp		("ebp",1<<28);
+	&je		(&label("14rounds_alt"));
+
+	&mov		($rounds,13);
 	&$movekey	(&QWP(-32,$key),"xmm0");	# round 0
 	&$movekey	(&QWP(-16,$key),"xmm2");	# round 1
 	&aeskeygenassist("xmm1","xmm2",0x01);		# round 2
@@ -2143,7 +2361,8 @@ if ($PREFIX eq "aesni") {
 	&$movekey	(&QWP(0,$key),"xmm0");
 	&mov		(&DWP(16,$key),$rounds);
 	&xor		("eax","eax");
-	&ret();
+
+	&jmp	(&label("good_key"));

 &set_label("key_256a",16);
 	&$movekey	(&QWP(0,$key),"xmm2");
@@ -2169,11 +2388,77 @@ if ($PREFIX eq "aesni") {
 	&xorps		("xmm2","xmm1");
 	&ret();

+&set_label("14rounds_alt",16);
+	&movdqa		("xmm5",&QWP(0x00,"ebx"));
+	&movdqa		("xmm4",&QWP(0x20,"ebx"));
+	&mov		($rounds,7);
+	&movdqu		(&QWP(-32,$key),"xmm0");
+	&movdqa		("xmm1","xmm2");
+	&movdqu		(&QWP(-16,$key),"xmm2");
+
+&set_label("loop_key256");
+	&pshufb		("xmm2","xmm5");
+	&aesenclast	("xmm2","xmm4");
+
+	&movdqa		("xmm3","xmm0");
+	&pslldq		("xmm0",4);
+	&pxor		("xmm3","xmm0");
+	&pslldq		("xmm0",4);
+	&pxor		("xmm3","xmm0");
+	&pslldq		("xmm0",4);
+	&pxor		("xmm0","xmm3");
+	&pslld		("xmm4",1);
+
+	&pxor		("xmm0","xmm2");
+	&movdqu		(&QWP(0,$key),"xmm0");
+
+	&dec		($rounds);
+	&jz		(&label("done_key256"));
+
+	&pshufd		("xmm2","xmm0",0xff);
+	&pxor		("xmm3","xmm3");
+	&aesenclast	("xmm2","xmm3");
+
+	&movdqa		("xmm3","xmm1")
+	&pslldq		("xmm1",4);
+	&pxor		("xmm3","xmm1");
+	&pslldq		("xmm1",4);
+	&pxor		("xmm3","xmm1");
+	&pslldq		("xmm1",4);
+	&pxor		("xmm1","xmm3");
+
+	&pxor		("xmm2","xmm1");
+	&movdqu		(&QWP(16,$key),"xmm2");
+	&lea		($key,&DWP(32,$key));
+	&movdqa		("xmm1","xmm2");
+	&jmp		(&label("loop_key256"));
+
+&set_label("done_key256");
+	&mov		($rounds,13);
+	&mov		(&DWP(16,$key),$rounds);
+
+&set_label("good_key");
+	&pxor	("xmm0","xmm0");
+	&pxor	("xmm1","xmm1");
+	&pxor	("xmm2","xmm2");
+	&pxor	("xmm3","xmm3");
+	&pxor	("xmm4","xmm4");
+	&pxor	("xmm5","xmm5");
+	&xor	("eax","eax");
+	&pop	("ebx");
+	&pop	("ebp");
+	&ret	();
+
 &set_label("bad_pointer",4);
 	&mov	("eax",-1);
+	&pop	("ebx");
+	&pop	("ebp");
 	&ret	();
 &set_label("bad_keybits",4);
+	&pxor	("xmm0","xmm0");
 	&mov	("eax",-2);
+	&pop	("ebx");
+	&pop	("ebp");
 	&ret	();
 &function_end_B("_aesni_set_encrypt_key");

@@ -2223,10 +2508,18 @@ if ($PREFIX eq "aesni") {
 	&aesimc		("xmm0","xmm0");
 	&$movekey	(&QWP(0,$key),"xmm0");

+	&pxor		("xmm0","xmm0");
+	&pxor		("xmm1","xmm1");
 	&xor		("eax","eax");		# return success
 &set_label("dec_key_ret");
 	&ret	();
 &function_end_B("${PREFIX}_set_decrypt_key");
+
+&set_label("key_const",64);
+&data_word(0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d);
+&data_word(0x04070605,0x04070605,0x04070605,0x04070605);
+&data_word(1,1,1,1);
+&data_word(0x1b,0x1b,0x1b,0x1b);
 &asciz("AES for Intel AES-NI, CRYPTOGAMS by <appro\@openssl.org>");

 &asm_finish();
@@ -24,11 +24,23 @@
 #
 #		CBC enc		CBC dec		CTR
 # Apple A7	2.39		1.20		1.20
-# Cortex-A53	2.45		1.87		1.94
-# Cortex-A57	3.64		1.34		1.32
+# Cortex-A53	1.32		1.29		1.46
+# Cortex-A57(*)	1.95		0.85		0.93
+# Denver	1.96		0.86		0.80
+#
+# (*)	original 3.64/1.34/1.32 results were for r0p0 revision
+#	and are still same even for updated module;

 $flavour = shift;
-open STDOUT,">".shift;
+$output  = shift;
+
+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
+( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
+die "can't locate arm-xlate.pl";
+
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;

 $prefix="aes_v8";

@@ -38,7 +50,11 @@ $code=<<___;
 #if __ARM_MAX_ARCH__>=7
 .text
 ___
-$code.=".arch	armv8-a+crypto\n"			if ($flavour =~ /64/);
+$code.=<<___ if ($flavour =~ /64/);
+#if !defined(__clang__)
+.arch  armv8-a+crypto
+#endif
+___
 $code.=".arch	armv7-a\n.fpu	neon\n.code	32\n"	if ($flavour !~ /64/);
 		#^^^^^^ this is done to simplify adoption by not depending
 		#	on latest binutils.
@@ -56,7 +72,7 @@ my ($zero,$rcon,$mask,$in0,$in1,$tmp,$key)=

 $code.=<<___;
 .align	5
-rcon:
+.Lrcon:
 .long	0x01,0x01,0x01,0x01
 .long	0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d	// rotate-n-splat
 .long	0x1b,0x1b,0x1b,0x1b
@@ -85,7 +101,7 @@ $code.=<<___;
 	tst	$bits,#0x3f
 	b.ne	.Lenc_key_abort

-	adr	$ptr,rcon
+	adr	$ptr,.Lrcon
 	cmp	$bits,#192

 	veor	$zero,$zero,$zero
@@ -308,17 +324,17 @@ ${prefix}_${dir}crypt:

 .Loop_${dir}c:
 	aes$e	$inout,$rndkey0
-	vld1.32	{$rndkey0},[$key],#16
 	aes$mc	$inout,$inout
+	vld1.32	{$rndkey0},[$key],#16
 	subs	$rounds,$rounds,#2
 	aes$e	$inout,$rndkey1
-	vld1.32	{$rndkey1},[$key],#16
 	aes$mc	$inout,$inout
+	vld1.32	{$rndkey1},[$key],#16
 	b.gt	.Loop_${dir}c

 	aes$e	$inout,$rndkey0
-	vld1.32	{$rndkey0},[$key]
 	aes$mc	$inout,$inout
+	vld1.32	{$rndkey0},[$key]
 	aes$e	$inout,$rndkey1
 	veor	$inout,$inout,$rndkey0

@@ -336,6 +352,7 @@ my ($rounds,$cnt,$key_,$step,$step1)=($enc,"w6","x7","x8","x12");
 my ($dat0,$dat1,$in0,$in1,$tmp0,$tmp1,$ivec,$rndlast)=map("q$_",(0..7));

 my ($dat,$tmp,$rndzero_n_last)=($dat0,$tmp0,$tmp1);
+my ($key4,$key5,$key6,$key7)=("x6","x12","x14",$key);

 ### q8-q15	preloaded key schedule

@@ -385,16 +402,42 @@ $code.=<<___;
 	veor	$rndzero_n_last,q8,$rndlast
 	b.eq	.Lcbc_enc128

+	vld1.32	{$in0-$in1},[$key_]
+	add	$key_,$key,#16
+	add	$key4,$key,#16*4
+	add	$key5,$key,#16*5
+	aese	$dat,q8
+	aesmc	$dat,$dat
+	add	$key6,$key,#16*6
+	add	$key7,$key,#16*7
+	b	.Lenter_cbc_enc
+
+.align	4
 .Loop_cbc_enc:
 	aese	$dat,q8
-	vld1.32	{q8},[$key_],#16
 	aesmc	$dat,$dat
-	subs	$cnt,$cnt,#2
+	 vst1.8	{$ivec},[$out],#16
+.Lenter_cbc_enc:
 	aese	$dat,q9
-	vld1.32	{q9},[$key_],#16
 	aesmc	$dat,$dat
-	b.gt	.Loop_cbc_enc
+	aese	$dat,$in0
+	aesmc	$dat,$dat
+	vld1.32	{q8},[$key4]
+	cmp	$rounds,#4
+	aese	$dat,$in1
+	aesmc	$dat,$dat
+	vld1.32	{q9},[$key5]
+	b.eq	.Lcbc_enc192

+	aese	$dat,q8
+	aesmc	$dat,$dat
+	vld1.32	{q8},[$key6]
+	aese	$dat,q9
+	aesmc	$dat,$dat
+	vld1.32	{q9},[$key7]
+	nop
+
+.Lcbc_enc192:
 	aese	$dat,q8
 	aesmc	$dat,$dat
 	 subs	$len,$len,#16
@@ -403,7 +446,6 @@ $code.=<<___;
 	 cclr	$step,eq
 	aese	$dat,q10
 	aesmc	$dat,$dat
-	 add	$key_,$key,#16
 	aese	$dat,q11
 	aesmc	$dat,$dat
 	 vld1.8	{q8},[$inp],$step
@@ -412,16 +454,14 @@ $code.=<<___;
 	 veor	q8,q8,$rndzero_n_last
 	aese	$dat,q13
 	aesmc	$dat,$dat
-	 vld1.32 {q9},[$key_],#16	// re-pre-load rndkey[1]
+	 vld1.32 {q9},[$key_]		// re-pre-load rndkey[1]
 	aese	$dat,q14
 	aesmc	$dat,$dat
 	aese	$dat,q15
-
-	 mov	$cnt,$rounds
 	veor	$ivec,$dat,$rndlast
-	vst1.8	{$ivec},[$out],#16
 	b.hs	.Loop_cbc_enc

+	vst1.8	{$ivec},[$out],#16
 	b	.Lcbc_done

 .align	5
@@ -483,79 +523,78 @@ $code.=<<___;

 .Loop3x_cbc_dec:
 	aesd	$dat0,q8
-	aesd	$dat1,q8
-	aesd	$dat2,q8
-	vld1.32	{q8},[$key_],#16
 	aesimc	$dat0,$dat0
+	aesd	$dat1,q8
 	aesimc	$dat1,$dat1
+	aesd	$dat2,q8
 	aesimc	$dat2,$dat2
+	vld1.32	{q8},[$key_],#16
 	subs	$cnt,$cnt,#2
 	aesd	$dat0,q9
-	aesd	$dat1,q9
-	aesd	$dat2,q9
-	vld1.32	{q9},[$key_],#16
 	aesimc	$dat0,$dat0
+	aesd	$dat1,q9
 	aesimc	$dat1,$dat1
+	aesd	$dat2,q9
 	aesimc	$dat2,$dat2
+	vld1.32	{q9},[$key_],#16
 	b.gt	.Loop3x_cbc_dec

 	aesd	$dat0,q8
+	aesimc	$dat0,$dat0
 	aesd	$dat1,q8
+	aesimc	$dat1,$dat1
 	aesd	$dat2,q8
+	aesimc	$dat2,$dat2
 	 veor	$tmp0,$ivec,$rndlast
-	aesimc	$dat0,$dat0
-	aesimc	$dat1,$dat1
-	aesimc	$dat2,$dat2
-	 veor	$tmp1,$in0,$rndlast
-	aesd	$dat0,q9
-	aesd	$dat1,q9
-	aesd	$dat2,q9
-	 veor	$tmp2,$in1,$rndlast
 	 subs	$len,$len,#0x30
-	aesimc	$dat0,$dat0
-	aesimc	$dat1,$dat1
-	aesimc	$dat2,$dat2
-	 vorr	$ivec,$in2,$in2
+	 veor	$tmp1,$in0,$rndlast
 	 mov.lo	x6,$len			// x6, $cnt, is zero at this point
-	aesd	$dat0,q12
-	aesd	$dat1,q12
-	aesd	$dat2,q12
+	aesd	$dat0,q9
+	aesimc	$dat0,$dat0
+	aesd	$dat1,q9
+	aesimc	$dat1,$dat1
+	aesd	$dat2,q9
+	aesimc	$dat2,$dat2
+	 veor	$tmp2,$in1,$rndlast
 	 add	$inp,$inp,x6		// $inp is adjusted in such way that
 					// at exit from the loop $dat1-$dat2
 					// are loaded with last "words"
-	aesimc	$dat0,$dat0
-	aesimc	$dat1,$dat1
-	aesimc	$dat2,$dat2
+	 vorr	$ivec,$in2,$in2
 	 mov	$key_,$key
-	aesd	$dat0,q13
-	aesd	$dat1,q13
-	aesd	$dat2,q13
-	 vld1.8	{$in0},[$inp],#16
+	aesd	$dat0,q12
 	aesimc	$dat0,$dat0
+	aesd	$dat1,q12
 	aesimc	$dat1,$dat1
+	aesd	$dat2,q12
+	aesimc	$dat2,$dat2
+	 vld1.8	{$in0},[$inp],#16
+	aesd	$dat0,q13
+	aesimc	$dat0,$dat0
+	aesd	$dat1,q13
+	aesimc	$dat1,$dat1
+	aesd	$dat2,q13
 	aesimc	$dat2,$dat2
 	 vld1.8	{$in1},[$inp],#16
 	aesd	$dat0,q14
-	aesd	$dat1,q14
-	aesd	$dat2,q14
-	 vld1.8	{$in2},[$inp],#16
 	aesimc	$dat0,$dat0
+	aesd	$dat1,q14
 	aesimc	$dat1,$dat1
+	aesd	$dat2,q14
 	aesimc	$dat2,$dat2
-	 vld1.32 {q8},[$key_],#16	// re-pre-load rndkey[0]
+	 vld1.8	{$in2},[$inp],#16
 	aesd	$dat0,q15
 	aesd	$dat1,q15
 	aesd	$dat2,q15
-
+	 vld1.32 {q8},[$key_],#16	// re-pre-load rndkey[0]
 	 add	$cnt,$rounds,#2
 	veor	$tmp0,$tmp0,$dat0
 	veor	$tmp1,$tmp1,$dat1
 	veor	$dat2,$dat2,$tmp2
 	 vld1.32 {q9},[$key_],#16	// re-pre-load rndkey[1]
-	 vorr	$dat0,$in0,$in0
 	vst1.8	{$tmp0},[$out],#16
-	 vorr	$dat1,$in1,$in1
+	 vorr	$dat0,$in0,$in0
 	vst1.8	{$tmp1},[$out],#16
+	 vorr	$dat1,$in1,$in1
 	vst1.8	{$dat2},[$out],#16
 	 vorr	$dat2,$in2,$in2
 	b.hs	.Loop3x_cbc_dec
@@ -566,39 +605,39 @@ $code.=<<___;

 .Lcbc_dec_tail:
 	aesd	$dat1,q8
-	aesd	$dat2,q8
-	vld1.32	{q8},[$key_],#16
 	aesimc	$dat1,$dat1
+	aesd	$dat2,q8
 	aesimc	$dat2,$dat2
+	vld1.32	{q8},[$key_],#16
 	subs	$cnt,$cnt,#2
 	aesd	$dat1,q9
-	aesd	$dat2,q9
-	vld1.32	{q9},[$key_],#16
 	aesimc	$dat1,$dat1
+	aesd	$dat2,q9
 	aesimc	$dat2,$dat2
+	vld1.32	{q9},[$key_],#16
 	b.gt	.Lcbc_dec_tail

 	aesd	$dat1,q8
-	aesd	$dat2,q8
 	aesimc	$dat1,$dat1
+	aesd	$dat2,q8
 	aesimc	$dat2,$dat2
 	aesd	$dat1,q9
-	aesd	$dat2,q9
 	aesimc	$dat1,$dat1
+	aesd	$dat2,q9
 	aesimc	$dat2,$dat2
 	aesd	$dat1,q12
-	aesd	$dat2,q12
 	aesimc	$dat1,$dat1
+	aesd	$dat2,q12
 	aesimc	$dat2,$dat2
 	 cmn	$len,#0x20
 	aesd	$dat1,q13
-	aesd	$dat2,q13
 	aesimc	$dat1,$dat1
+	aesd	$dat2,q13
 	aesimc	$dat2,$dat2
 	 veor	$tmp1,$ivec,$rndlast
 	aesd	$dat1,q14
-	aesd	$dat2,q14
 	aesimc	$dat1,$dat1
+	aesd	$dat2,q14
 	aesimc	$dat2,$dat2
 	 veor	$tmp2,$in1,$rndlast
 	aesd	$dat1,q15
@@ -699,70 +738,69 @@ $code.=<<___;
 .align	4
 .Loop3x_ctr32:
 	aese		$dat0,q8
-	aese		$dat1,q8
-	aese		$dat2,q8
-	vld1.32		{q8},[$key_],#16
 	aesmc		$dat0,$dat0
+	aese		$dat1,q8
 	aesmc		$dat1,$dat1
+	aese		$dat2,q8
 	aesmc		$dat2,$dat2
+	vld1.32		{q8},[$key_],#16
 	subs		$cnt,$cnt,#2
 	aese		$dat0,q9
-	aese		$dat1,q9
-	aese		$dat2,q9
-	vld1.32		{q9},[$key_],#16
 	aesmc		$dat0,$dat0
+	aese		$dat1,q9
 	aesmc		$dat1,$dat1
+	aese		$dat2,q9
 	aesmc		$dat2,$dat2
+	vld1.32		{q9},[$key_],#16
 	b.gt		.Loop3x_ctr32

 	aese		$dat0,q8
-	aese		$dat1,q8
-	aese		$dat2,q8
-	 mov		$key_,$key
 	aesmc		$tmp0,$dat0
-	 vld1.8		{$in0},[$inp],#16
+	aese		$dat1,q8
 	aesmc		$tmp1,$dat1
-	aesmc		$dat2,$dat2
+	 vld1.8		{$in0},[$inp],#16
 	 vorr		$dat0,$ivec,$ivec
-	aese		$tmp0,q9
+	aese		$dat2,q8
+	aesmc		$dat2,$dat2
 	 vld1.8		{$in1},[$inp],#16
-	aese		$tmp1,q9
-	aese		$dat2,q9
 	 vorr		$dat1,$ivec,$ivec
+	aese		$tmp0,q9
 	aesmc		$tmp0,$tmp0
-	 vld1.8		{$in2},[$inp],#16
+	aese		$tmp1,q9
 	aesmc		$tmp1,$tmp1
+	 vld1.8		{$in2},[$inp],#16
+	 mov		$key_,$key
+	aese		$dat2,q9
 	aesmc		$tmp2,$dat2
 	 vorr		$dat2,$ivec,$ivec
 	 add		$tctr0,$ctr,#1
 	aese		$tmp0,q12
+	aesmc		$tmp0,$tmp0
 	aese		$tmp1,q12
-	aese		$tmp2,q12
+	aesmc		$tmp1,$tmp1
 	 veor		$in0,$in0,$rndlast
 	 add		$tctr1,$ctr,#2
-	aesmc		$tmp0,$tmp0
-	aesmc		$tmp1,$tmp1
+	aese		$tmp2,q12
 	aesmc		$tmp2,$tmp2
 	 veor		$in1,$in1,$rndlast
 	 add		$ctr,$ctr,#3
 	aese		$tmp0,q13
+	aesmc		$tmp0,$tmp0
 	aese		$tmp1,q13
-	aese		$tmp2,q13
+	aesmc		$tmp1,$tmp1
 	 veor		$in2,$in2,$rndlast
 	 rev		$tctr0,$tctr0
-	aesmc		$tmp0,$tmp0
-	 vld1.32	 {q8},[$key_],#16	// re-pre-load rndkey[0]
-	aesmc		$tmp1,$tmp1
+	aese		$tmp2,q13
 	aesmc		$tmp2,$tmp2
 	 vmov.32	${dat0}[3], $tctr0
 	 rev		$tctr1,$tctr1
 	aese		$tmp0,q14
+	aesmc		$tmp0,$tmp0
 	aese		$tmp1,q14
-	aese		$tmp2,q14
+	aesmc		$tmp1,$tmp1
 	 vmov.32	${dat1}[3], $tctr1
 	 rev		$tctr2,$ctr
-	aesmc		$tmp0,$tmp0
-	aesmc		$tmp1,$tmp1
+	aese		$tmp2,q14
 	aesmc		$tmp2,$tmp2
 	 vmov.32	${dat2}[3], $tctr2
 	 subs		$len,$len,#3
@@ -770,13 +808,14 @@ $code.=<<___;
 	aese		$tmp1,q15
 	aese		$tmp2,q15

-	 mov		$cnt,$rounds
 	veor		$in0,$in0,$tmp0
+	 vld1.32	 {q8},[$key_],#16	// re-pre-load rndkey[0]
+	vst1.8		{$in0},[$out],#16
 	veor		$in1,$in1,$tmp1
+	 mov		$cnt,$rounds
+	vst1.8		{$in1},[$out],#16
 	veor		$in2,$in2,$tmp2
 	 vld1.32	 {q9},[$key_],#16	// re-pre-load rndkey[1]
-	vst1.8		{$in0},[$out],#16
-	vst1.8		{$in1},[$out],#16
 	vst1.8		{$in2},[$out],#16
 	b.hs		.Loop3x_ctr32

@@ -788,40 +827,40 @@ $code.=<<___;

 .Lctr32_tail:
 	aese		$dat0,q8
-	aese		$dat1,q8
-	vld1.32		{q8},[$key_],#16
 	aesmc		$dat0,$dat0
+	aese		$dat1,q8
 	aesmc		$dat1,$dat1
+	vld1.32		{q8},[$key_],#16
 	subs		$cnt,$cnt,#2
 	aese		$dat0,q9
-	aese		$dat1,q9
-	vld1.32		{q9},[$key_],#16
 	aesmc		$dat0,$dat0
+	aese		$dat1,q9
 	aesmc		$dat1,$dat1
+	vld1.32		{q9},[$key_],#16
 	b.gt		.Lctr32_tail

 	aese		$dat0,q8
-	aese		$dat1,q8
 	aesmc		$dat0,$dat0
+	aese		$dat1,q8
 	aesmc		$dat1,$dat1
 	aese		$dat0,q9
-	aese		$dat1,q9
 	aesmc		$dat0,$dat0
+	aese		$dat1,q9
 	aesmc		$dat1,$dat1
 	 vld1.8		{$in0},[$inp],$step
 	aese		$dat0,q12
+	aesmc		$dat0,$dat0
 	aese		$dat1,q12
+	aesmc		$dat1,$dat1
 	 vld1.8		{$in1},[$inp]
-	aesmc		$dat0,$dat0
-	aesmc		$dat1,$dat1
 	aese		$dat0,q13
+	aesmc		$dat0,$dat0
 	aese		$dat1,q13
-	aesmc		$dat0,$dat0
 	aesmc		$dat1,$dat1
-	aese		$dat0,q14
-	aese		$dat1,q14
 	 veor		$in0,$in0,$rndlast
+	aese		$dat0,q14
 	aesmc		$dat0,$dat0
+	aese		$dat1,q14
 	aesmc		$dat1,$dat1
 	 veor		$in1,$in1,$rndlast
 	aese		$dat0,q15
@@ -47,8 +47,20 @@
 #
 #					<ard.biesheuvel@linaro.org>

-while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {}
-open STDOUT,">$output";
+$flavour = shift;
+if ($flavour=~/^\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; }
+else { while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} }
+
+if ($flavour && $flavour ne "void") {
+    $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+    ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
+    ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
+    die "can't locate arm-xlate.pl";
+
+    open STDOUT,"| \"$^X\" $xlate $flavour $output";
+} else {
+    open STDOUT,">$output";
+}

 my ($inp,$out,$len,$key)=("r0","r1","r2","r3");
 my @XMM=map("q$_",(0..15));
@@ -703,29 +715,35 @@ $code.=<<___;
 # define BSAES_ASM_EXTENDED_KEY
 # define XTS_CHAIN_TWEAK
 # define __ARM_ARCH__ __LINUX_ARM_ARCH__
+# define __ARM_MAX_ARCH__ 7
 #endif

 #ifdef __thumb__
 # define adrl adr
 #endif

-#if __ARM_ARCH__>=7
+#if __ARM_MAX_ARCH__>=7
+.arch	armv7-a
+.fpu	neon
+
 .text
 .syntax	unified 	@ ARMv7-capable assembler is expected to handle this
-#ifdef __thumb2__
+#if defined(__thumb2__) && !defined(__APPLE__)
 .thumb
 #else
 .code   32
 #endif

-.fpu	neon
-
 .type	_bsaes_decrypt8,%function
 .align	4
 _bsaes_decrypt8:
 	adr	$const,_bsaes_decrypt8
 	vldmia	$key!, {@XMM[9]}		@ round 0 key
+#ifdef	__APPLE__
+	adr	$const,.LM0ISR
+#else
 	add	$const,$const,#.LM0ISR-_bsaes_decrypt8
+#endif

 	vldmia	$const!, {@XMM[8]}		@ .LM0ISR
 	veor	@XMM[10], @XMM[0], @XMM[9]	@ xor with round0 key
@@ -820,7 +838,11 @@ _bsaes_const:
 _bsaes_encrypt8:
 	adr	$const,_bsaes_encrypt8
 	vldmia	$key!, {@XMM[9]}		@ round 0 key
+#ifdef	__APPLE__
+	adr	$const,.LM0SR
+#else
 	sub	$const,$const,#_bsaes_encrypt8-.LM0SR
+#endif

 	vldmia	$const!, {@XMM[8]}		@ .LM0SR
 _bsaes_encrypt8_alt:
@@ -924,7 +946,11 @@ $code.=<<___;
 _bsaes_key_convert:
 	adr	$const,_bsaes_key_convert
 	vld1.8	{@XMM[7]},  [$inp]!		@ load round 0 key
+#ifdef	__APPLE__
+	adr	$const,.LM0
+#else
 	sub	$const,$const,#_bsaes_key_convert-.LM0
+#endif
 	vld1.8	{@XMM[15]}, [$inp]!		@ load round 1 key

 	vmov.i8	@XMM[8],  #0x01			@ bit masks
@@ -1397,7 +1423,12 @@ bsaes_ctr32_encrypt_blocks:
 	vstmia	r12, {@XMM[7]}			@ save last round key

 	vld1.8	{@XMM[0]}, [$ctr]		@ load counter
+#ifdef	__APPLE__
+	mov	$ctr, #:lower16:(.LREVM0SR-.LM0)
+	add	$ctr, $const, $ctr
+#else
 	add	$ctr, $const, #.LREVM0SR-.LM0	@ borrow $ctr
+#endif
 	vldmia	$keysched, {@XMM[4]}		@ load round0 key
 #else
 	ldr	r12, [$key, #244]
@@ -1454,7 +1485,12 @@ bsaes_ctr32_encrypt_blocks:
 	vldmia		$ctr, {@XMM[8]}			@ .LREVM0SR
 	mov		r5, $rounds			@ pass rounds
 	vstmia		$fp, {@XMM[10]}			@ save next counter
+#ifdef	__APPLE__
+	mov		$const, #:lower16:(.LREVM0SR-.LSR)
+	sub		$const, $ctr, $const
+#else
 	sub		$const, $ctr, #.LREVM0SR-.LSR	@ pass constants
+#endif

 	bl		_bsaes_encrypt8_alt

@@ -1555,7 +1591,7 @@ bsaes_ctr32_encrypt_blocks:
 	rev	r8, r8
 #endif
 	sub	sp, sp, #0x10
-	vst1.8	{@XMM[1]}, [sp,:64]	@ copy counter value
+	vst1.8	{@XMM[1]}, [sp]		@ copy counter value
 	sub	sp, sp, #0x10

 .Lctr_enc_short_loop:
@@ -1566,7 +1602,7 @@ bsaes_ctr32_encrypt_blocks:
 	bl	AES_encrypt

 	vld1.8	{@XMM[0]}, [r4]!	@ load input
-	vld1.8	{@XMM[1]}, [sp,:64]	@ load encrypted counter
+	vld1.8	{@XMM[1]}, [sp]		@ load encrypted counter
 	add	r8, r8, #1
 #ifdef __ARMEL__
 	rev	r0, r8
@@ -2085,9 +2121,11 @@ bsaes_xts_decrypt:
 	vld1.8	{@XMM[8]}, [r0]			@ initial tweak
 	adr	$magic, .Lxts_magic

+#ifndef	XTS_CHAIN_TWEAK
 	tst	$len, #0xf			@ if not multiple of 16
 	it	ne				@ Thumb2 thing, sanity check in ARM
 	subne	$len, #0x10			@ subtract another 16 bytes
+#endif
 	subs	$len, #0x80

 	blo	.Lxts_dec_short
@@ -125,8 +125,7 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,

 	if (len < 1)
 		{
-		OPENSSL_PUT_ERROR(ASN1, c2i_ASN1_BIT_STRING,
-			ASN1_R_STRING_TOO_SHORT);
+		OPENSSL_PUT_ERROR(ASN1, ASN1_R_STRING_TOO_SHORT);
 		goto err;
 		}

@@ -141,8 +140,7 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,
 	padding = *(p++);
 	if (padding > 7)
 		{
-		OPENSSL_PUT_ERROR(ASN1, c2i_ASN1_BIT_STRING,
-			ASN1_R_INVALID_BIT_STRING_BITS_LEFT);
+		OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_BIT_STRING_BITS_LEFT);
 		goto err;
 		}

@@ -157,8 +155,7 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,
 		s=(unsigned char *)OPENSSL_malloc((int)len);
 		if (s == NULL)
 			{
-			OPENSSL_PUT_ERROR(ASN1, c2i_ASN1_BIT_STRING,
-				ERR_R_MALLOC_FAILURE);
+			OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
 			goto err;
 			}
 		memcpy(s,p,(int)len);
@@ -209,7 +206,7 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)
 								 w+1);
 		if (c == NULL)
 			{
-			OPENSSL_PUT_ERROR(ASN1, ASN1_BIT_STRING_set_bit, ERR_R_MALLOC_FAILURE);
+			OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
 			return 0;
 			}
  		if (w+1-a->length > 0) memset(c+a->length, 0, w+1-a->length);
@@ -107,6 +107,6 @@ int d2i_ASN1_BOOLEAN(int *a, const unsigned char **pp, long length)
 	*pp=p;
 	return(ret);
 err:
-	OPENSSL_PUT_ERROR(ASN1, d2i_ASN1_BOOLEAN, i);
+	OPENSSL_PUT_ERROR(ASN1, i);
 	return(ret);
 	}
@@ -125,7 +125,7 @@ ASN1_STRING *d2i_ASN1_type_bytes(ASN1_STRING **a, const unsigned char **pp,
 	*pp=p;
 	return(ret);
 err:
-	OPENSSL_PUT_ERROR(ASN1, d2i_ASN1_type_bytes, i);
+	OPENSSL_PUT_ERROR(ASN1, i);
 	if ((ret != NULL) && ((a == NULL) || (*a != ret)))
 		ASN1_STRING_free(ret);
 	return(NULL);
@@ -243,7 +243,7 @@ ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, const unsigned char **pp,
 err:
 	if ((ret != NULL) && ((a == NULL) || (*a != ret)))
 		ASN1_STRING_free(ret);
-	OPENSSL_PUT_ERROR(ASN1, d2i_ASN1_bytes, i);
+	OPENSSL_PUT_ERROR(ASN1, i);
 	return(NULL);
 	}

@@ -309,7 +309,7 @@ static int asn1_collate_primitive(ASN1_STRING *a, ASN1_const_CTX *c)
 	if (os != NULL) ASN1_STRING_free(os);
 	return(1);
 err:
-	OPENSSL_PUT_ERROR(ASN1, asn1_collate_primitive, c->error);
+	OPENSSL_PUT_ERROR(ASN1, c->error);
 	if (os != NULL) ASN1_STRING_free(os);
 	if (b.data != NULL) OPENSSL_free(b.data);
 	return(0);
@@ -75,7 +75,7 @@ void *ASN1_d2i_fp(void *(*xnew)(void), d2i_of_void *d2i, FILE *in, void **x)

        if ((b=BIO_new(BIO_s_file())) == NULL)
 		{
-		OPENSSL_PUT_ERROR(ASN1, ASN1_d2i_fp, ERR_R_BUF_LIB);
+		OPENSSL_PUT_ERROR(ASN1, ERR_R_BUF_LIB);
                return(NULL);
 		}
        BIO_set_fp(b,in,BIO_NOCLOSE);
@@ -129,7 +129,7 @@ void *ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void *x)

        if ((b=BIO_new(BIO_s_file())) == NULL)
 		{
-		OPENSSL_PUT_ERROR(ASN1, ASN1_item_d2i_fp, ERR_R_BUF_LIB);
+		OPENSSL_PUT_ERROR(ASN1, ERR_R_BUF_LIB);
                return(NULL);
 		}
        BIO_set_fp(b,in,BIO_NOCLOSE);
@@ -154,7 +154,7 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
 	b=BUF_MEM_new();
 	if (b == NULL)
 		{
-		OPENSSL_PUT_ERROR(ASN1, asn1_d2i_read_bio, ERR_R_MALLOC_FAILURE);
+		OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
 		return -1;
 		}

@@ -167,20 +167,20 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)

 			if (len + want < len || !BUF_MEM_grow_clean(b,len+want))
 				{
-				OPENSSL_PUT_ERROR(ASN1, asn1_d2i_read_bio, ERR_R_MALLOC_FAILURE);
+				OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
 				goto err;
 				}
 			i=BIO_read(in,&(b->data[len]),want);
 			if ((i < 0) && ((len-off) == 0))
 				{
-				OPENSSL_PUT_ERROR(ASN1, asn1_d2i_read_bio, ASN1_R_NOT_ENOUGH_DATA);
+				OPENSSL_PUT_ERROR(ASN1, ASN1_R_NOT_ENOUGH_DATA);
 				goto err;
 				}
 			if (i > 0)
 				{
 				if (len+i < len)
 					{
-					OPENSSL_PUT_ERROR(ASN1, asn1_d2i_read_bio, ASN1_R_TOO_LONG);
+					OPENSSL_PUT_ERROR(ASN1, ASN1_R_TOO_LONG);
 					goto err;
 					}
 				len+=i;
@@ -211,7 +211,7 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
 			eos++;
 			if (eos < 0)
 				{
-				OPENSSL_PUT_ERROR(ASN1, asn1_d2i_read_bio, ASN1_R_HEADER_TOO_LONG);
+				OPENSSL_PUT_ERROR(ASN1, ASN1_R_HEADER_TOO_LONG);
 				goto err;
 				}
 			want=HEADER_SIZE;
@@ -235,12 +235,12 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
 				if (want > INT_MAX /* BIO_read takes an int length */ ||
 					len+want < len)
 						{
-						OPENSSL_PUT_ERROR(ASN1, asn1_d2i_read_bio, ASN1_R_TOO_LONG);
+						OPENSSL_PUT_ERROR(ASN1, ASN1_R_TOO_LONG);
 						goto err;
 						}
 				if (!BUF_MEM_grow_clean(b,len+want))
 					{
-					OPENSSL_PUT_ERROR(ASN1, asn1_d2i_read_bio, ERR_R_MALLOC_FAILURE);
+					OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
 					goto err;
 					}
 				while (want > 0)
@@ -248,7 +248,7 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
 					i=BIO_read(in,&(b->data[len]),want);
 					if (i <= 0)
 						{
-						OPENSSL_PUT_ERROR(ASN1, asn1_d2i_read_bio, ASN1_R_NOT_ENOUGH_DATA);
+						OPENSSL_PUT_ERROR(ASN1, ASN1_R_NOT_ENOUGH_DATA);
 						goto err;
 						}
 					/* This can't overflow because
@@ -259,7 +259,7 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
 				}
 			if (off + c.slen < off)
 				{
-				OPENSSL_PUT_ERROR(ASN1, asn1_d2i_read_bio, ASN1_R_TOO_LONG);
+				OPENSSL_PUT_ERROR(ASN1, ASN1_R_TOO_LONG);
 				goto err;
 				}
 			off+=c.slen;
@@ -274,7 +274,7 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)

 	if (off > INT_MAX)
 		{
-		OPENSSL_PUT_ERROR(ASN1, asn1_d2i_read_bio, ASN1_R_TOO_LONG);
+		OPENSSL_PUT_ERROR(ASN1, ASN1_R_TOO_LONG);
 		goto err;
 		}

@@ -72,7 +72,7 @@ void *ASN1_dup(i2d_of_void *i2d, d2i_of_void *d2i, void *x)
 	i=i2d(x,NULL);
 	b=OPENSSL_malloc(i+10);
 	if (b == NULL)
-		{ OPENSSL_PUT_ERROR(ASN1, ASN1_dup, ERR_R_MALLOC_FAILURE); return(NULL); }
+		{ OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE); return(NULL); }
 	p= b;
 	i=i2d(x,&p);
 	p2= b;
@@ -95,7 +95,7 @@ void *ASN1_item_dup(const ASN1_ITEM *it, void *x)

 	i=ASN1_item_i2d(x,&b,it);
 	if (b == NULL)
-		{ OPENSSL_PUT_ERROR(ASN1, ASN1_item_dup, ERR_R_MALLOC_FAILURE); return(NULL); }
+		{ OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE); return(NULL); }
 	p= b;
 	ret=ASN1_item_d2i(NULL,&p,i, it);
 	OPENSSL_free(b);
@@ -84,7 +84,7 @@ int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v)
 		}
 	if (a->data == NULL)
 		{
-		OPENSSL_PUT_ERROR(ASN1, ASN1_ENUMERATED_set, ERR_R_MALLOC_FAILURE);
+		OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
 		return(0);
 		}
 	d=v;
@@ -147,7 +147,7 @@ ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai)
 		ret=ai;
 	if (ret == NULL)
 		{
-		OPENSSL_PUT_ERROR(ASN1, BN_to_ASN1_ENUMERATED, ASN1_R_NESTED_ASN1_ERROR);
+		OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
 		goto err;
 		}
 	if(BN_is_negative(bn)) ret->type = V_ASN1_NEG_ENUMERATED;
@@ -159,7 +159,7 @@ ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai)
 		unsigned char *new_data=OPENSSL_realloc(ret->data, len+4);
 		if (!new_data)
 			{
-			OPENSSL_PUT_ERROR(ASN1, BN_to_ASN1_ENUMERATED, ERR_R_MALLOC_FAILURE);
+			OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
 			goto err;
 			}
 		ret->data=new_data;
@@ -177,7 +177,7 @@ BIGNUM *ASN1_ENUMERATED_to_BN(ASN1_ENUMERATED *ai, BIGNUM *bn)
 	BIGNUM *ret;

 	if ((ret=BN_bin2bn(ai->data,ai->length,bn)) == NULL)
-		OPENSSL_PUT_ERROR(ASN1, ASN1_ENUMERATED_to_BN, ASN1_R_BN_LIB);
+		OPENSSL_PUT_ERROR(ASN1, ASN1_R_BN_LIB);
 	else if(ai->type == V_ASN1_NEG_ENUMERATED) BN_set_negative(ret,1);
 	return(ret);
 	}
@@ -57,6 +57,7 @@
 #include <openssl/asn1.h>

 #include <string.h>
+#include <time.h>

 #include <openssl/err.h>
 #include <openssl/mem.h>
@@ -238,7 +239,7 @@ ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_adj(ASN1_GENERALIZEDTIME *s,
 		p=OPENSSL_malloc(len);
 		if (p == NULL)
 			{
-			OPENSSL_PUT_ERROR(ASN1, ASN1_GENERALIZEDTIME_adj, ERR_R_MALLOC_FAILURE);
+			OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
 			return(NULL);
 			}
 		if (s->data != NULL)
@@ -67,7 +67,7 @@ int ASN1_i2d_fp(i2d_of_void *i2d, FILE *out, void *x)

        if ((b=BIO_new(BIO_s_file())) == NULL)
 		{
-		OPENSSL_PUT_ERROR(ASN1, ASN1_i2d_fp, ERR_R_BUF_LIB);
+		OPENSSL_PUT_ERROR(ASN1, ERR_R_BUF_LIB);
                return(0);
 		}
        BIO_set_fp(b,out,BIO_NOCLOSE);
@@ -86,7 +86,7 @@ int ASN1_i2d_bio(i2d_of_void *i2d, BIO *out, unsigned char *x)
 	b=(char *)OPENSSL_malloc(n);
 	if (b == NULL)
 		{
-		OPENSSL_PUT_ERROR(ASN1, ASN1_i2d_bio, ERR_R_MALLOC_FAILURE);
+		OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
 		return(0);
 		}

@@ -116,7 +116,7 @@ int ASN1_item_i2d_fp(const ASN1_ITEM *it, FILE *out, void *x)

        if ((b=BIO_new(BIO_s_file())) == NULL)
 		{
-		OPENSSL_PUT_ERROR(ASN1, ASN1_item_i2d_fp, ERR_R_BUF_LIB);
+		OPENSSL_PUT_ERROR(ASN1, ERR_R_BUF_LIB);
                return(0);
 		}
        BIO_set_fp(b,out,BIO_NOCLOSE);
@@ -133,7 +133,7 @@ int ASN1_item_i2d_bio(const ASN1_ITEM *it, BIO *out, void *x)
 	n = ASN1_item_i2d(x, &b, it);
 	if (b == NULL)
 		{
-		OPENSSL_PUT_ERROR(ASN1, ASN1_item_i2d_bio, ERR_R_MALLOC_FAILURE);
+		OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
 		return(0);
 		}

@@ -257,7 +257,7 @@ ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **a, const unsigned char **pp,
 	*pp=pend;
 	return(ret);
 err:
-	OPENSSL_PUT_ERROR(ASN1, c2i_ASN1_INTEGER, i);
+	OPENSSL_PUT_ERROR(ASN1, i);
 	if ((ret != NULL) && ((a == NULL) || (*a != ret)))
 		M_ASN1_INTEGER_free(ret);
 	return(NULL);
@@ -327,7 +327,7 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp,
 	*pp=p;
 	return(ret);
 err:
-	OPENSSL_PUT_ERROR(ASN1, d2i_ASN1_UINTEGER, i);
+	OPENSSL_PUT_ERROR(ASN1, i);
 	if ((ret != NULL) && ((a == NULL) || (*a != ret)))
 		M_ASN1_INTEGER_free(ret);
 	return(NULL);
@@ -350,7 +350,7 @@ int ASN1_INTEGER_set(ASN1_INTEGER *a, long v)
 		}
 	if (a->data == NULL)
 		{
-		OPENSSL_PUT_ERROR(ASN1, ASN1_INTEGER_set, ERR_R_MALLOC_FAILURE);
+		OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
 		return(0);
 		}
 	d=v;
@@ -413,10 +413,10 @@ ASN1_INTEGER *BN_to_ASN1_INTEGER(const BIGNUM *bn, ASN1_INTEGER *ai)
 		ret=ai;
 	if (ret == NULL)
 		{
-		OPENSSL_PUT_ERROR(ASN1, BN_to_ASN1_INTEGER, ASN1_R_NESTED_ASN1_ERROR);
+		OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
 		goto err;
 		}
-	if (BN_is_negative(bn))
+	if (BN_is_negative(bn) && !BN_is_zero(bn))
 		ret->type = V_ASN1_NEG_INTEGER;
 	else ret->type=V_ASN1_INTEGER;
 	j=BN_num_bits(bn);
@@ -426,7 +426,7 @@ ASN1_INTEGER *BN_to_ASN1_INTEGER(const BIGNUM *bn, ASN1_INTEGER *ai)
 		unsigned char *new_data=OPENSSL_realloc(ret->data, len+4);
 		if (!new_data)
 			{
-			OPENSSL_PUT_ERROR(ASN1, BN_to_ASN1_INTEGER, ERR_R_MALLOC_FAILURE);
+			OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
 			goto err;
 			}
 		ret->data=new_data;
@@ -449,7 +449,7 @@ BIGNUM *ASN1_INTEGER_to_BN(const ASN1_INTEGER *ai, BIGNUM *bn)
 	BIGNUM *ret;

 	if ((ret=BN_bin2bn(ai->data,ai->length,bn)) == NULL)
-		OPENSSL_PUT_ERROR(ASN1, ASN1_INTEGER_to_BN, ASN1_R_BN_LIB);
+		OPENSSL_PUT_ERROR(ASN1, ASN1_R_BN_LIB);
 	else if(ai->type == V_ASN1_NEG_INTEGER)
 		BN_set_negative(ret, 1);
 	return(ret);
@@ -108,7 +108,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,

 		case MBSTRING_BMP:
 		if(len & 1) {
-			OPENSSL_PUT_ERROR(ASN1, ASN1_mbstring_ncopy,  ASN1_R_INVALID_BMPSTRING_LENGTH);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_BMPSTRING_LENGTH);
 			return -1;
 		}
 		nchar = len >> 1;
@@ -116,7 +116,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,

 		case MBSTRING_UNIV:
 		if(len & 3) {
-			OPENSSL_PUT_ERROR(ASN1, ASN1_mbstring_ncopy,  ASN1_R_INVALID_UNIVERSALSTRING_LENGTH);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_UNIVERSALSTRING_LENGTH);
 			return -1;
 		}
 		nchar = len >> 2;
@@ -127,7 +127,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
 		/* This counts the characters and does utf8 syntax checking */
 		ret = traverse_string(in, len, MBSTRING_UTF8, in_utf8, &nchar);
 		if(ret < 0) {
-			OPENSSL_PUT_ERROR(ASN1, ASN1_mbstring_ncopy,  ASN1_R_INVALID_UTF8STRING);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_UTF8STRING);
 			return -1;
 		}
 		break;
@@ -137,19 +137,19 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
 		break;

 		default:
-		OPENSSL_PUT_ERROR(ASN1, ASN1_mbstring_ncopy,  ASN1_R_UNKNOWN_FORMAT);
+		OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNKNOWN_FORMAT);
 		return -1;
 	}

 	if((minsize > 0) && (nchar < minsize)) {
-		OPENSSL_PUT_ERROR(ASN1, ASN1_mbstring_ncopy,  ASN1_R_STRING_TOO_SHORT);
+		OPENSSL_PUT_ERROR(ASN1, ASN1_R_STRING_TOO_SHORT);
 		BIO_snprintf(strbuf, sizeof strbuf, "%ld", minsize);
 		ERR_add_error_data(2, "minsize=", strbuf);
 		return -1;
 	}

 	if((maxsize > 0) && (nchar > maxsize)) {
-		OPENSSL_PUT_ERROR(ASN1, ASN1_mbstring_ncopy,  ASN1_R_STRING_TOO_LONG);
+		OPENSSL_PUT_ERROR(ASN1, ASN1_R_STRING_TOO_LONG);
 		BIO_snprintf(strbuf, sizeof strbuf, "%ld", maxsize);
 		ERR_add_error_data(2, "maxsize=", strbuf);
 		return -1;
@@ -157,7 +157,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,

 	/* Now work out minimal type (if any) */
 	if(traverse_string(in, len, inform, type_str, &mask) < 0) {
-		OPENSSL_PUT_ERROR(ASN1, ASN1_mbstring_ncopy,  ASN1_R_ILLEGAL_CHARACTERS);
+		OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_CHARACTERS);
 		return -1;
 	}

@@ -191,7 +191,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
 		free_out = 1;
 		dest = ASN1_STRING_type_new(str_type);
 		if(!dest) {
-			OPENSSL_PUT_ERROR(ASN1, ASN1_mbstring_ncopy,  ERR_R_MALLOC_FAILURE);
+			OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
 			return -1;
 		}
 		*out = dest;
@@ -199,7 +199,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
 	/* If both the same type just copy across */
 	if(inform == outform) {
 		if(!ASN1_STRING_set(dest, in, len)) {
-			OPENSSL_PUT_ERROR(ASN1, ASN1_mbstring_ncopy, ERR_R_MALLOC_FAILURE);
+			OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
 			return -1;
 		}
 		return str_type;
@@ -230,7 +230,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
 	}
 	if(!(p = OPENSSL_malloc(outlen + 1))) {
 		if(free_out) ASN1_STRING_free(dest);
-		OPENSSL_PUT_ERROR(ASN1, ASN1_mbstring_ncopy, ERR_R_MALLOC_FAILURE);
+		OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
 		return -1;
 	}
 	dest->length = outlen;
@@ -106,13 +106,13 @@ int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num)
 		}
 	else
 		{
-		OPENSSL_PUT_ERROR(ASN1, a2d_ASN1_OBJECT, ASN1_R_FIRST_NUM_TOO_LARGE);
+		OPENSSL_PUT_ERROR(ASN1, ASN1_R_FIRST_NUM_TOO_LARGE);
 		goto err;
 		}

 	if (num <= 0)
 		{
-		OPENSSL_PUT_ERROR(ASN1, a2d_ASN1_OBJECT, ASN1_R_MISSING_SECOND_NUMBER);
+		OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_SECOND_NUMBER);
 		goto err;
 		}
 	c= *(p++);
@@ -122,7 +122,7 @@ int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num)
 		if (num <= 0) break;
 		if ((c != '.') && (c != ' '))
 			{
-			OPENSSL_PUT_ERROR(ASN1, a2d_ASN1_OBJECT, ASN1_R_INVALID_SEPARATOR);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_SEPARATOR);
 			goto err;
 			}
 		l=0;
@@ -136,7 +136,7 @@ int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num)
 				break;
 			if ((c < '0') || (c > '9'))
 				{
-				OPENSSL_PUT_ERROR(ASN1, a2d_ASN1_OBJECT, ASN1_R_INVALID_DIGIT);
+				OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_DIGIT);
 				goto err;
 				}
 			if (!use_bn && l >= ((ULONG_MAX - 80) / 10L))
@@ -160,7 +160,7 @@ int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num)
 			{
 			if ((first < 2) && (l >= 40))
 				{
-				OPENSSL_PUT_ERROR(ASN1, a2d_ASN1_OBJECT, ASN1_R_SECOND_NUMBER_TOO_LARGE);
+				OPENSSL_PUT_ERROR(ASN1, ASN1_R_SECOND_NUMBER_TOO_LARGE);
 				goto err;
 				}
 			if (use_bn)
@@ -204,7 +204,7 @@ int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num)
 			{
 			if (len+i > olen)
 				{
-				OPENSSL_PUT_ERROR(ASN1, a2d_ASN1_OBJECT, ASN1_R_BUFFER_TOO_SMALL);
+				OPENSSL_PUT_ERROR(ASN1, ASN1_R_BUFFER_TOO_SMALL);
 				goto err;
 				}
 			while (--i > 0)
@@ -280,7 +280,7 @@ ASN1_OBJECT *d2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
 	if(ret) *pp = p;
 	return ret;
 err:
-	OPENSSL_PUT_ERROR(ASN1, d2i_ASN1_OBJECT, i);
+	OPENSSL_PUT_ERROR(ASN1, i);
 	return(NULL);
 }

@@ -300,7 +300,7 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
 	if (len <= 0 || len > INT_MAX || pp == NULL || (p = *pp) == NULL ||
 	    p[len - 1] & 0x80)
 		{
-		OPENSSL_PUT_ERROR(ASN1, c2i_ASN1_OBJECT, ASN1_R_INVALID_OBJECT_ENCODING);
+		OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_OBJECT_ENCODING);
 		return NULL;
 		}
 	/* Now 0 < len <= INT_MAX, so the cast is safe. */
@@ -309,7 +309,7 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
 		{
 		if (*p == 0x80 && (!i || !(p[-1] & 0x80)))
 			{
-			OPENSSL_PUT_ERROR(ASN1, c2i_ASN1_OBJECT, ASN1_R_INVALID_OBJECT_ENCODING);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_OBJECT_ENCODING);
 			return NULL;
 			}
 		}
@@ -350,7 +350,7 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
 	*pp=p;
 	return(ret);
 err:
-	OPENSSL_PUT_ERROR(ASN1, c2i_ASN1_OBJECT, i);
+	OPENSSL_PUT_ERROR(ASN1, i);
 	if ((ret != NULL) && ((a == NULL) || (*a != ret)))
 		ASN1_OBJECT_free(ret);
 	return(NULL);
@@ -363,7 +363,7 @@ ASN1_OBJECT *ASN1_OBJECT_new(void)
 	ret=(ASN1_OBJECT *)OPENSSL_malloc(sizeof(ASN1_OBJECT));
 	if (ret == NULL)
 		{
-		OPENSSL_PUT_ERROR(ASN1, ASN1_OBJECT_new, ERR_R_MALLOC_FAILURE);
+		OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
 		return(NULL);
 		}
 	ret->length=0;
@@ -215,13 +215,13 @@ int ASN1_STRING_TABLE_add(int nid,
 	flags &= ~STABLE_FLAGS_MALLOC;
 	if(!stable) stable = sk_ASN1_STRING_TABLE_new(sk_table_cmp);
 	if(!stable) {
-		OPENSSL_PUT_ERROR(ASN1, ASN1_STRING_TABLE_add,  ERR_R_MALLOC_FAILURE);
+		OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
 		return 0;
 	}
 	if(!(tmp = ASN1_STRING_TABLE_get(nid))) {
 		tmp = OPENSSL_malloc(sizeof(ASN1_STRING_TABLE));
 		if(!tmp) {
-			OPENSSL_PUT_ERROR(ASN1, ASN1_STRING_TABLE_add,  ERR_R_MALLOC_FAILURE);
+			OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
 			return 0;
 		}
 		tmp->flags = flags | STABLE_FLAGS_MALLOC;
@@ -57,6 +57,7 @@
 #include <openssl/asn1.h>

 #include <string.h>
+#include <time.h>

 #include <openssl/asn1t.h>
 #include <openssl/buf.h>
@@ -84,7 +85,7 @@ int i2d_ASN1_TIME(ASN1_TIME *a, unsigned char **pp)
 	if(a->type == V_ASN1_UTCTIME || a->type == V_ASN1_GENERALIZEDTIME)
 				return(i2d_ASN1_bytes((ASN1_STRING *)a,pp,
 				     a->type ,V_ASN1_UNIVERSAL));
-	OPENSSL_PUT_ERROR(ASN1, XXX, ASN1_R_EXPECTING_A_TIME);
+	OPENSSL_PUT_ERROR(ASN1, ASN1_R_EXPECTING_A_TIME);
 	return -1;
 	}
 #endif
@@ -104,7 +105,7 @@ ASN1_TIME *ASN1_TIME_adj(ASN1_TIME *s, time_t t,
 	ts=OPENSSL_gmtime(&t,&data);
 	if (ts == NULL)
 		{
-		OPENSSL_PUT_ERROR(ASN1, ASN1_TIME_adj,  ASN1_R_ERROR_GETTING_TIME);
+		OPENSSL_PUT_ERROR(ASN1, ASN1_R_ERROR_GETTING_TIME);
 		return NULL;
 		}
 	if (offset_day || offset_sec)
@@ -57,6 +57,7 @@
 #include <openssl/asn1.h>

 #include <string.h>
+#include <time.h>

 #include <openssl/err.h>
 #include <openssl/mem.h>
@@ -80,12 +81,12 @@ ASN1_UTCTIME *d2i_ASN1_UTCTIME(ASN1_UTCTIME **a, unsigned char **pp,
 		V_ASN1_UTCTIME,V_ASN1_UNIVERSAL);
 	if (ret == NULL)
 		{
-		OPENSSL_PUT_ERROR(ASN1, XXX, ERR_R_NESTED_ASN1_ERROR);
+		OPENSSL_PUT_ERROR(ASN1, ERR_R_NESTED_ASN1_ERROR);
 		return(NULL);
 		}
 	if (!ASN1_UTCTIME_check(ret))
 		{
-		OPENSSL_PUT_ERROR(ASN1, XXX, ASN1_R_INVALID_TIME_FORMAT);
+		OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_TIME_FORMAT);
 		goto err;
 		}

@@ -256,7 +257,7 @@ ASN1_UTCTIME *ASN1_UTCTIME_adj(ASN1_UTCTIME *s, time_t t,
 		p=OPENSSL_malloc(len);
 		if (p == NULL)
 			{
-			OPENSSL_PUT_ERROR(ASN1, ASN1_UTCTIME_adj, ERR_R_MALLOC_FAILURE);
+			OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
 			goto err;
 			}
 		if (s->data != NULL)
@@ -69,17 +69,10 @@
 OPENSSL_DECLARE_ERROR_REASON(ASN1, MALLOC_FAILURE);

 /* Cross-module errors from crypto/x509/i2d_pr.c */
-OPENSSL_DECLARE_ERROR_FUNCTION(ASN1, i2d_PrivateKey);
 OPENSSL_DECLARE_ERROR_REASON(ASN1, UNSUPPORTED_PUBLIC_KEY_TYPE);

 /* Cross-module errors from crypto/x509/asn1_gen.c.
 * TODO(davidben): Remove these once asn1_gen.c is gone. */
-OPENSSL_DECLARE_ERROR_FUNCTION(ASN1, ASN1_generate_v3);
-OPENSSL_DECLARE_ERROR_FUNCTION(ASN1, asn1_cb);
-OPENSSL_DECLARE_ERROR_FUNCTION(ASN1, parse_tagging);
-OPENSSL_DECLARE_ERROR_FUNCTION(ASN1, append_exp);
-OPENSSL_DECLARE_ERROR_FUNCTION(ASN1, asn1_str2type);
-OPENSSL_DECLARE_ERROR_FUNCTION(ASN1, bitstr_cb);
 OPENSSL_DECLARE_ERROR_REASON(ASN1, DEPTH_EXCEEDED);
 OPENSSL_DECLARE_ERROR_REASON(ASN1, ILLEGAL_BITSTRING_FORMAT);
 OPENSSL_DECLARE_ERROR_REASON(ASN1, ILLEGAL_BOOLEAN);
@@ -183,7 +176,7 @@ int ASN1_get_object(const unsigned char **pp, long *plength, int *ptag,
 #endif
 	if (*plength > (omax - (p - *pp)))
 		{
-		OPENSSL_PUT_ERROR(ASN1, ASN1_get_object, ASN1_R_TOO_LONG);
+		OPENSSL_PUT_ERROR(ASN1, ASN1_R_TOO_LONG);
 		/* Set this so that even if things are not long enough
 		 * the values are set correctly */
 		ret|=0x80;
@@ -191,7 +184,7 @@ int ASN1_get_object(const unsigned char **pp, long *plength, int *ptag,
 	*pp=p;
 	return(ret|inf);
 err:
-	OPENSSL_PUT_ERROR(ASN1, ASN1_get_object, ASN1_R_HEADER_TOO_LONG);
+	OPENSSL_PUT_ERROR(ASN1, ASN1_R_HEADER_TOO_LONG);
 	return(0x80);
 	}

@@ -433,7 +426,7 @@ int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len)

 		if (str->data == NULL)
 			{
-			OPENSSL_PUT_ERROR(ASN1, ASN1_STRING_set, ERR_R_MALLOC_FAILURE);
+			OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
 			str->data=c;
 			return(0);
 			}
@@ -469,7 +462,7 @@ ASN1_STRING *ASN1_STRING_type_new(int type)
 	ret=(ASN1_STRING *)OPENSSL_malloc(sizeof(ASN1_STRING));
 	if (ret == NULL)
 		{
-		OPENSSL_PUT_ERROR(ASN1, ASN1_STRING_type_new, ERR_R_MALLOC_FAILURE);
+		OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
 		return(NULL);
 		}
 	ret->length=0;
@@ -504,15 +497,6 @@ int ASN1_STRING_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
 		return(i);
 	}

-void asn1_add_error(const unsigned char *address, int offset)
-	{
-	char buf1[DECIMAL_SIZE(address)+1],buf2[DECIMAL_SIZE(offset)+1];
-
-	BIO_snprintf(buf1,sizeof buf1,"%lu",(unsigned long)address);
-	BIO_snprintf(buf2,sizeof buf2,"%d",offset);
-	ERR_add_error_data(4,"address=",buf1," offset=",buf2);
-	}
-
 int ASN1_STRING_length(const ASN1_STRING *x)
 { return M_ASN1_STRING_length(x); }

@@ -68,7 +68,7 @@ ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it, ASN1_STRING **oct)

 	if (!oct || !*oct) {
 		if (!(octmp = ASN1_STRING_new ())) {
-			OPENSSL_PUT_ERROR(ASN1, ASN1_item_pack, ERR_R_MALLOC_FAILURE);
+			OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
 			return NULL;
 		}
 		if (oct) *oct = octmp;
@@ -80,11 +80,11 @@ ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it, ASN1_STRING **oct)
 	}
 		
 	if (!(octmp->length = ASN1_item_i2d(obj, &octmp->data, it))) {
-		OPENSSL_PUT_ERROR(ASN1, ASN1_item_pack, ASN1_R_ENCODE_ERROR);
+		OPENSSL_PUT_ERROR(ASN1, ASN1_R_ENCODE_ERROR);
 		return NULL;
 	}
 	if (!octmp->data) {
-		OPENSSL_PUT_ERROR(ASN1, ASN1_item_pack, ERR_R_MALLOC_FAILURE);
+		OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
 		return NULL;
 	}
 	return octmp;
@@ -99,6 +99,6 @@ void *ASN1_item_unpack(ASN1_STRING *oct, const ASN1_ITEM *it)

 	p = oct->data;
 	if(!(ret = ASN1_item_d2i(NULL, &p, oct->length, it)))
-		OPENSSL_PUT_ERROR(ASN1, ASN1_item_unpack, ASN1_R_DECODE_ERROR);
+		OPENSSL_PUT_ERROR(ASN1, ASN1_R_DECODE_ERROR);
 	return ret;
 }
@@ -112,7 +112,7 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)

 	if (!aux || !aux->asn1_cb)
 		{
-		OPENSSL_PUT_ERROR(ASN1, BIO_new_NDEF, ASN1_R_STREAMING_NOT_SUPPORTED);
+		OPENSSL_PUT_ERROR(ASN1, ASN1_R_STREAMING_NOT_SUPPORTED);
 		return NULL;
 		}
 	ndef_aux = OPENSSL_malloc(sizeof(NDEF_SUPPORT));
@@ -144,7 +144,7 @@ int a2i_ASN1_ENUMERATED(BIO *bp, ASN1_ENUMERATED *bs, char *buf, int size)
 		i-=again;
 		if (i%2 != 0)
 			{
-			OPENSSL_PUT_ERROR(ASN1, a2i_ASN1_ENUMERATED, ASN1_R_ODD_NUMBER_OF_CHARS);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_ODD_NUMBER_OF_CHARS);
 			goto err;
 			}
 		i/=2;
@@ -158,7 +158,7 @@ int a2i_ASN1_ENUMERATED(BIO *bp, ASN1_ENUMERATED *bs, char *buf, int size)
 					(unsigned int)num+i*2);
 			if (sp == NULL)
 				{
-				OPENSSL_PUT_ERROR(ASN1, a2i_ASN1_ENUMERATED, ERR_R_MALLOC_FAILURE);
+				OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
 				goto err;
 				}
 			s=sp;
@@ -177,7 +177,7 @@ int a2i_ASN1_ENUMERATED(BIO *bp, ASN1_ENUMERATED *bs, char *buf, int size)
 					m=m-'A'+10;
 				else
 					{
-					OPENSSL_PUT_ERROR(ASN1, a2i_ASN1_ENUMERATED, ASN1_R_NON_HEX_CHARACTERS);
+					OPENSSL_PUT_ERROR(ASN1, ASN1_R_NON_HEX_CHARACTERS);
 					goto err;
 					}
 				s[num+j]<<=4;
@@ -197,7 +197,7 @@ err:
 	if (0)
 		{
 err_sl:
-		OPENSSL_PUT_ERROR(ASN1, a2i_ASN1_ENUMERATED, ASN1_R_SHORT_LINE);
+		OPENSSL_PUT_ERROR(ASN1, ASN1_R_SHORT_LINE);
 		}
 	if (s != NULL)
 		OPENSSL_free(s);
@@ -149,7 +149,7 @@ int a2i_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *bs, char *buf, int size)
 		i-=again;
 		if (i%2 != 0)
 			{
-			OPENSSL_PUT_ERROR(ASN1, a2i_ASN1_INTEGER, ASN1_R_ODD_NUMBER_OF_CHARS);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_ODD_NUMBER_OF_CHARS);
 			goto err;
 			}
 		i/=2;
@@ -162,7 +162,7 @@ int a2i_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *bs, char *buf, int size)
 				sp=OPENSSL_realloc_clean(s,slen,num+i*2);
 			if (sp == NULL)
 				{
-				OPENSSL_PUT_ERROR(ASN1, a2i_ASN1_INTEGER, ERR_R_MALLOC_FAILURE);
+				OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
 				goto err;
 				}
 			s=sp;
@@ -181,7 +181,7 @@ int a2i_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *bs, char *buf, int size)
 					m=m-'A'+10;
 				else
 					{
-					OPENSSL_PUT_ERROR(ASN1, a2i_ASN1_INTEGER, ASN1_R_NON_HEX_CHARACTERS);
+					OPENSSL_PUT_ERROR(ASN1, ASN1_R_NON_HEX_CHARACTERS);
 					goto err;
 					}
 				s[num+j]<<=4;
@@ -201,7 +201,7 @@ err:
 	if (0)
 		{
 err_sl:
-		OPENSSL_PUT_ERROR(ASN1, a2i_ASN1_INTEGER, ASN1_R_SHORT_LINE);
+		OPENSSL_PUT_ERROR(ASN1, ASN1_R_SHORT_LINE);
 		}
 	if (s != NULL)
 		OPENSSL_free(s);
@@ -142,7 +142,7 @@ int a2i_ASN1_STRING(BIO *bp, ASN1_STRING *bs, char *buf, int size)
 		i-=again;
 		if (i%2 != 0)
 			{
-			OPENSSL_PUT_ERROR(ASN1, a2i_ASN1_STRING, ASN1_R_ODD_NUMBER_OF_CHARS);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_ODD_NUMBER_OF_CHARS);
 			goto err;
 			}
 		i/=2;
@@ -156,7 +156,7 @@ int a2i_ASN1_STRING(BIO *bp, ASN1_STRING *bs, char *buf, int size)
 					(unsigned int)num+i*2);
 			if (sp == NULL)
 				{
-				OPENSSL_PUT_ERROR(ASN1, a2i_ASN1_STRING, ERR_R_MALLOC_FAILURE);
+				OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
 				goto err;
 				}
 			s=sp;
@@ -175,7 +175,7 @@ int a2i_ASN1_STRING(BIO *bp, ASN1_STRING *bs, char *buf, int size)
 					m=m-'A'+10;
 				else
 					{
-					OPENSSL_PUT_ERROR(ASN1, a2i_ASN1_STRING, ASN1_R_NON_HEX_CHARACTERS);
+					OPENSSL_PUT_ERROR(ASN1, ASN1_R_NON_HEX_CHARACTERS);
 					goto err;
 					}
 				s[num+j]<<=4;
@@ -195,7 +195,7 @@ err:
 	if (0)
 		{
 err_sl:
-		OPENSSL_PUT_ERROR(ASN1, a2i_ASN1_STRING, ASN1_R_SHORT_LINE);
+		OPENSSL_PUT_ERROR(ASN1, ASN1_R_SHORT_LINE);
 		}
 	if (s != NULL)
 		OPENSSL_free(s);
@@ -63,6 +63,8 @@
 #include <openssl/err.h>
 #include <openssl/mem.h>

+#include "../internal.h"
+

 static int asn1_check_eoc(const unsigned char **in, long len);
 static int asn1_find_end(const unsigned char **in, long len, char inf);
@@ -187,7 +189,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
 			 */
 			if ((tag != -1) || opt)
 				{
-				OPENSSL_PUT_ERROR(ASN1, ASN1_item_ex_d2i,  ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE);
+				OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE);
 				goto err;
 				}
 			return asn1_template_ex_d2i(pval, in, len,
@@ -204,7 +206,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
 						&p, len, -1, 0, 1, ctx);
 		if (!ret)
 			{
-			OPENSSL_PUT_ERROR(ASN1, ASN1_item_ex_d2i,  ASN1_R_NESTED_ASN1_ERROR);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
 			goto err;
 			}

@@ -213,7 +215,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
 			{
 			/* If OPTIONAL, assume this is OK */
 			if (opt) return -1;
-			OPENSSL_PUT_ERROR(ASN1, ASN1_item_ex_d2i,  ASN1_R_MSTRING_NOT_UNIVERSAL);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_MSTRING_NOT_UNIVERSAL);
 			goto err;
 			}
 		/* Check tag matches bit map */
@@ -222,7 +224,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
 			/* If OPTIONAL, assume this is OK */
 			if (opt)
 				return -1;
-			OPENSSL_PUT_ERROR(ASN1, ASN1_item_ex_d2i,  ASN1_R_MSTRING_WRONG_TAG);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_MSTRING_WRONG_TAG);
 			goto err;
 			}
 		return asn1_d2i_ex_primitive(pval, in, len,
@@ -253,7 +255,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
 					&p, len, exptag, aclass, 1, ctx);
 			if (!ret)
 				{
-				OPENSSL_PUT_ERROR(ASN1, ASN1_item_ex_d2i,  ASN1_R_NESTED_ASN1_ERROR);
+				OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
 				goto err;
 				}
 			if (ret == -1)
@@ -281,7 +283,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
 			imphack = *wp;
 			if (p == NULL)
 				{
-				OPENSSL_PUT_ERROR(ASN1, ASN1_item_ex_d2i,  ASN1_R_NESTED_ASN1_ERROR);
+				OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
 				goto err;
 				}
 			*wp = (unsigned char)((*p & V_ASN1_CONSTRUCTED)
@@ -296,7 +298,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
 		if (ptmpval)
 			return 1;

-		OPENSSL_PUT_ERROR(ASN1, ASN1_item_ex_d2i,  ASN1_R_NESTED_ASN1_ERROR);
+		OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
 		goto err;


@@ -318,7 +320,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
 			}
 		else if (!ASN1_item_ex_new(pval, it))
 			{
-			OPENSSL_PUT_ERROR(ASN1, ASN1_item_ex_d2i,  ASN1_R_NESTED_ASN1_ERROR);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
 			goto err;
 			}
 		/* CHOICE type, try each possibility in turn */
@@ -338,7 +340,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
 				break;
 			/* Otherwise must be an ASN1 parsing error */
 			errtt = tt;
-			OPENSSL_PUT_ERROR(ASN1, ASN1_item_ex_d2i,  ASN1_R_NESTED_ASN1_ERROR);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
 			goto err;
 			}

@@ -352,7 +354,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
 				ASN1_item_ex_free(pval, it);
 				return -1;
 				}
-			OPENSSL_PUT_ERROR(ASN1, ASN1_item_ex_d2i,  ASN1_R_NO_MATCHING_CHOICE_TYPE);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_NO_MATCHING_CHOICE_TYPE);
 			goto err;
 			}

@@ -378,7 +380,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
 					&p, len, tag, aclass, opt, ctx);
 		if (!ret)
 			{
-			OPENSSL_PUT_ERROR(ASN1, ASN1_item_ex_d2i,  ASN1_R_NESTED_ASN1_ERROR);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
 			goto err;
 			}
 		else if (ret == -1)
@@ -392,13 +394,13 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
 		else seq_nolen = seq_eoc;
 		if (!cst)
 			{
-			OPENSSL_PUT_ERROR(ASN1, ASN1_item_ex_d2i,  ASN1_R_SEQUENCE_NOT_CONSTRUCTED);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_SEQUENCE_NOT_CONSTRUCTED);
 			goto err;
 			}

 		if (!*pval && !ASN1_item_ex_new(pval, it))
 			{
-			OPENSSL_PUT_ERROR(ASN1, ASN1_item_ex_d2i,  ASN1_R_NESTED_ASN1_ERROR);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
 			goto err;
 			}

@@ -435,7 +437,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
 				{
 				if (!seq_eoc)
 					{
-					OPENSSL_PUT_ERROR(ASN1, ASN1_item_ex_d2i,  ASN1_R_UNEXPECTED_EOC);
+					OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNEXPECTED_EOC);
 					goto err;
 					}
 				len -= p - q;
@@ -477,13 +479,13 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
 		/* Check for EOC if expecting one */
 		if (seq_eoc && !asn1_check_eoc(&p, len))
 			{
-			OPENSSL_PUT_ERROR(ASN1, ASN1_item_ex_d2i,  ASN1_R_MISSING_EOC);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_EOC);
 			goto err;
 			}
 		/* Check all data read */
 		if (!seq_nolen && len)
 			{
-			OPENSSL_PUT_ERROR(ASN1, ASN1_item_ex_d2i,  ASN1_R_SEQUENCE_LENGTH_MISMATCH);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_SEQUENCE_LENGTH_MISMATCH);
 			goto err;
 			}

@@ -506,7 +508,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
 			else
 				{
 				errtt = seqtt;
-				OPENSSL_PUT_ERROR(ASN1, ASN1_item_ex_d2i,  ASN1_R_FIELD_MISSING);
+				OPENSSL_PUT_ERROR(ASN1, ASN1_R_FIELD_MISSING);
 				goto err;
 				}
 			}
@@ -522,7 +524,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
 		return 0;
 		}
 	auxerr:
-	OPENSSL_PUT_ERROR(ASN1, ASN1_item_ex_d2i,  ASN1_R_AUX_ERROR);
+	OPENSSL_PUT_ERROR(ASN1, ASN1_R_AUX_ERROR);
 	err:
 	ASN1_item_ex_free(pval, it);
 	if (errtt)
@@ -567,21 +569,21 @@ static int asn1_template_ex_d2i(ASN1_VALUE **val,
 		q = p;
 		if (!ret)
 			{
-			OPENSSL_PUT_ERROR(ASN1, asn1_template_ex_d2i,  ASN1_R_NESTED_ASN1_ERROR);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
 			return 0;
 			}
 		else if (ret == -1)
 			return -1;
 		if (!cst)
 			{
-			OPENSSL_PUT_ERROR(ASN1, asn1_template_ex_d2i,  ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED);
 			return 0;
 			}
 		/* We've found the field so it can't be OPTIONAL now */
 		ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx);
 		if (!ret)
 			{
-			OPENSSL_PUT_ERROR(ASN1, asn1_template_ex_d2i,  ASN1_R_NESTED_ASN1_ERROR);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
 			return 0;
 			}
 		/* We read the field in OK so update length */
@@ -591,7 +593,7 @@ static int asn1_template_ex_d2i(ASN1_VALUE **val,
 			/* If NDEF we must have an EOC here */
 			if (!asn1_check_eoc(&p, len))
 				{
-				OPENSSL_PUT_ERROR(ASN1, asn1_template_ex_d2i,  ASN1_R_MISSING_EOC);
+				OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_EOC);
 				goto err;
 				}
 			}
@@ -601,7 +603,7 @@ static int asn1_template_ex_d2i(ASN1_VALUE **val,
 			 * an error */
 			if (len)
 				{
-				OPENSSL_PUT_ERROR(ASN1, asn1_template_ex_d2i,  ASN1_R_EXPLICIT_LENGTH_MISMATCH);
+				OPENSSL_PUT_ERROR(ASN1, ASN1_R_EXPLICIT_LENGTH_MISMATCH);
 				goto err;
 				}
 			}
@@ -657,7 +659,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
 					&p, len, sktag, skaclass, opt, ctx);
 		if (!ret)
 			{
-			OPENSSL_PUT_ERROR(ASN1, asn1_template_noexp_d2i,  ASN1_R_NESTED_ASN1_ERROR);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
 			return 0;
 			}
 		else if (ret == -1)
@@ -680,7 +682,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
 				
 		if (!*val)
 			{
-			OPENSSL_PUT_ERROR(ASN1, asn1_template_noexp_d2i,  ERR_R_MALLOC_FAILURE);
+			OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
 			goto err;
 			}

@@ -694,7 +696,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
 				{
 				if (!sk_eoc)
 					{
-					OPENSSL_PUT_ERROR(ASN1, asn1_template_noexp_d2i,  ASN1_R_UNEXPECTED_EOC);
+					OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNEXPECTED_EOC);
 					goto err;
 					}
 				len -= p - q;
@@ -706,20 +708,20 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
 						ASN1_ITEM_ptr(tt->item),
 						-1, 0, 0, ctx))
 				{
-				OPENSSL_PUT_ERROR(ASN1, asn1_template_noexp_d2i,  ASN1_R_NESTED_ASN1_ERROR);
+				OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
 				goto err;
 				}
 			len -= p - q;
 			if (!sk_ASN1_VALUE_push((STACK_OF(ASN1_VALUE) *)*val,
 						skfield))
 				{
-				OPENSSL_PUT_ERROR(ASN1, asn1_template_noexp_d2i,  ERR_R_MALLOC_FAILURE);
+				OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
 				goto err;
 				}
 			}
 		if (sk_eoc)
 			{
-			OPENSSL_PUT_ERROR(ASN1, asn1_template_noexp_d2i,  ASN1_R_MISSING_EOC);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_EOC);
 			goto err;
 			}
 		}
@@ -730,7 +732,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
 			ASN1_ITEM_ptr(tt->item), tt->tag, aclass, opt, ctx);
 		if (!ret)
 			{
-			OPENSSL_PUT_ERROR(ASN1, asn1_template_noexp_d2i,  ASN1_R_NESTED_ASN1_ERROR);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
 			goto err;
 			}
 		else if (ret == -1)
@@ -743,7 +745,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
 							-1, 0, opt, ctx);
 		if (!ret)
 			{
-			OPENSSL_PUT_ERROR(ASN1, asn1_template_noexp_d2i,  ASN1_R_NESTED_ASN1_ERROR);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
 			goto err;
 			}
 		else if (ret == -1)
@@ -762,6 +764,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
 				const unsigned char **in, long inlen, 
 				const ASN1_ITEM *it,
 				int tag, int aclass, char opt, ASN1_TLC *ctx)
+        OPENSSL_SUPPRESS_POTENTIALLY_UNINITIALIZED_WARNINGS
 	{
 	int ret = 0, utype;
 	long plen;
@@ -772,7 +775,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
 	long len; 
 	if (!pval)
 		{
-		OPENSSL_PUT_ERROR(ASN1, asn1_d2i_ex_primitive,  ASN1_R_ILLEGAL_NULL);
+		OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_NULL);
 		return 0; /* Should never happen */
 		}

@@ -790,12 +793,12 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
 		unsigned char oclass;
 		if (tag >= 0)
 			{
-			OPENSSL_PUT_ERROR(ASN1, asn1_d2i_ex_primitive,  ASN1_R_ILLEGAL_TAGGED_ANY);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_TAGGED_ANY);
 			return 0;
 			}
 		if (opt)
 			{
-			OPENSSL_PUT_ERROR(ASN1, asn1_d2i_ex_primitive,  ASN1_R_ILLEGAL_OPTIONAL_ANY);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_OPTIONAL_ANY);
 			return 0;
 			}
 		p = *in;
@@ -803,7 +806,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
 					&p, inlen, -1, 0, 0, ctx);
 		if (!ret)
 			{
-			OPENSSL_PUT_ERROR(ASN1, asn1_d2i_ex_primitive,  ASN1_R_NESTED_ASN1_ERROR);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
 			return 0;
 			}
 		if (oclass != V_ASN1_UNIVERSAL)
@@ -820,7 +823,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
 				&p, inlen, tag, aclass, opt, ctx);
 	if (!ret)
 		{
-		OPENSSL_PUT_ERROR(ASN1, asn1_d2i_ex_primitive,  ASN1_R_NESTED_ASN1_ERROR);
+		OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
 		return 0;
 		}
 	else if (ret == -1)
@@ -840,7 +843,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
 		/* SEQUENCE and SET must be constructed */
 		else if (!cst)
 			{
-			OPENSSL_PUT_ERROR(ASN1, asn1_d2i_ex_primitive,  ASN1_R_TYPE_NOT_CONSTRUCTED);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_TYPE_NOT_CONSTRUCTED);
 			return 0;
 			}

@@ -866,8 +869,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
 			|| utype == V_ASN1_ENUMERATED)
 			{
 			/* These types only have primitive encodings. */
-			OPENSSL_PUT_ERROR(ASN1, asn1_d2i_ex_primitive,
-				ASN1_R_TYPE_NOT_PRIMITIVE);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_TYPE_NOT_PRIMITIVE);
 			return 0;
 			}

@@ -889,7 +891,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
 		/* Append a final null to string */
 		if (!BUF_MEM_grow_clean(&buf, len + 1))
 			{
-			OPENSSL_PUT_ERROR(ASN1, asn1_d2i_ex_primitive,  ERR_R_MALLOC_FAILURE);
+			OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
 			return 0;
 			}
 		buf.data[len] = 0;
@@ -957,7 +959,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
 		case V_ASN1_NULL:
 		if (len)
 			{
-			OPENSSL_PUT_ERROR(ASN1, asn1_ex_c2i,  ASN1_R_NULL_IS_WRONG_LENGTH);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_NULL_IS_WRONG_LENGTH);
 			goto err;
 			}
 		*pval = (ASN1_VALUE *)1;
@@ -966,7 +968,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
 		case V_ASN1_BOOLEAN:
 		if (len != 1)
 			{
-			OPENSSL_PUT_ERROR(ASN1, asn1_ex_c2i,  ASN1_R_BOOLEAN_IS_WRONG_LENGTH);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_BOOLEAN_IS_WRONG_LENGTH);
 			goto err;
 			}
 		else
@@ -1013,12 +1015,12 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
 		default:
 		if (utype == V_ASN1_BMPSTRING && (len & 1))
 			{
-			OPENSSL_PUT_ERROR(ASN1, asn1_ex_c2i,  ASN1_R_BMPSTRING_IS_WRONG_LENGTH);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_BMPSTRING_IS_WRONG_LENGTH);
 			goto err;
 			}
 		if (utype == V_ASN1_UNIVERSALSTRING && (len & 3))
 			{
-			OPENSSL_PUT_ERROR(ASN1, asn1_ex_c2i,  ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH);
 			goto err;
 			}
 		/* All based on ASN1_STRING and handled the same */
@@ -1027,7 +1029,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
 			stmp = ASN1_STRING_type_new(utype);
 			if (!stmp)
 				{
-				OPENSSL_PUT_ERROR(ASN1, asn1_ex_c2i,  ERR_R_MALLOC_FAILURE);
+				OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
 				goto err;
 				}
 			*pval = (ASN1_VALUE *)stmp;
@@ -1050,7 +1052,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
 			{
 			if (!ASN1_STRING_set(stmp, cont, len))
 				{
-				OPENSSL_PUT_ERROR(ASN1, asn1_ex_c2i,  ERR_R_MALLOC_FAILURE);
+				OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
 				ASN1_STRING_free(stmp);	
 				*pval = NULL;
 				goto err;
@@ -1112,7 +1114,7 @@ static int asn1_find_end(const unsigned char **in, long len, char inf)
 		if(!asn1_check_tlen(&plen, NULL, NULL, &inf, NULL, &p, len,
 				-1, 0, 0, NULL))
 			{
-			OPENSSL_PUT_ERROR(ASN1, asn1_find_end,  ASN1_R_NESTED_ASN1_ERROR);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
 			return 0;
 			}
 		if (inf)
@@ -1123,7 +1125,7 @@ static int asn1_find_end(const unsigned char **in, long len, char inf)
 		}
 	if (expected_eoc)
 		{
-		OPENSSL_PUT_ERROR(ASN1, asn1_find_end,  ASN1_R_MISSING_EOC);
+		OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_EOC);
 		return 0;
 		}
 	*in = p;
@@ -1170,7 +1172,7 @@ static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len,
 			 * constructed form */
 			if (!inf)
 				{
-				OPENSSL_PUT_ERROR(ASN1, asn1_collect,  ASN1_R_UNEXPECTED_EOC);
+				OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNEXPECTED_EOC);
 				return 0;
 				}
 			inf = 0;
@@ -1180,7 +1182,7 @@ static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len,
 		if (!asn1_check_tlen(&plen, NULL, NULL, &ininf, &cst, &p,
 					len, tag, aclass, 0, NULL))
 			{
-			OPENSSL_PUT_ERROR(ASN1, asn1_collect,  ASN1_R_NESTED_ASN1_ERROR);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
 			return 0;
 			}

@@ -1189,7 +1191,7 @@ static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len,
 			{
 			if (depth >= ASN1_MAX_STRING_NEST)
 				{
-				OPENSSL_PUT_ERROR(ASN1, asn1_collect,  ASN1_R_NESTED_ASN1_STRING);
+				OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_STRING);
 				return 0;
 				}
 			if (!asn1_collect(buf, &p, plen, ininf, tag, aclass,
@@ -1202,7 +1204,7 @@ static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len,
 		}
 	if (inf)
 		{
-		OPENSSL_PUT_ERROR(ASN1, asn1_collect,  ASN1_R_MISSING_EOC);
+		OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_EOC);
 		return 0;
 		}
 	*in = p;
@@ -1217,7 +1219,7 @@ static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen)
 		len = buf->length;
 		if (!BUF_MEM_grow_clean(buf, len + plen))
 			{
-			OPENSSL_PUT_ERROR(ASN1, collect_data,  ERR_R_MALLOC_FAILURE);
+			OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
 			return 0;
 			}
 		memcpy(buf->data + len, *p, plen);
@@ -1285,7 +1287,7 @@ static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass,
 			 */
 			if (!(i & 0x81) && ((plen + ctx->hdrlen) > len))
 				{
-				OPENSSL_PUT_ERROR(ASN1, asn1_check_tlen,  ASN1_R_TOO_LONG);
+				OPENSSL_PUT_ERROR(ASN1, ASN1_R_TOO_LONG);
 				asn1_tlc_clear(ctx);
 				return 0;
 				}
@@ -1294,7 +1296,7 @@ static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass,

 	if (i & 0x80)
 		{
-		OPENSSL_PUT_ERROR(ASN1, asn1_check_tlen,  ASN1_R_BAD_OBJECT_HEADER);
+		OPENSSL_PUT_ERROR(ASN1, ASN1_R_BAD_OBJECT_HEADER);
 		asn1_tlc_clear(ctx);
 		return 0;
 		}
@@ -1307,7 +1309,7 @@ static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass,
 			 */
 			if (opt) return -1;
 			asn1_tlc_clear(ctx);
-			OPENSSL_PUT_ERROR(ASN1, asn1_check_tlen,  ASN1_R_WRONG_TAG);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_R_WRONG_TAG);
 			return 0;
 			}
 		/* We have a tag and class match:
@@ -143,7 +143,7 @@ static void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int c

 		case ASN1_ITYPE_NDEF_SEQUENCE:
 		case ASN1_ITYPE_SEQUENCE:
-		if (asn1_do_lock(pval, -1, it) > 0)
+		if (!asn1_refcount_dec_and_test_zero(pval, it))
 			return;
 		if (asn1_cb)
 			{
@@ -100,8 +100,6 @@ static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
 	else
 		asn1_cb = 0;

-	if (!combine) *pval = NULL;
-
 #ifdef CRYPTO_MDEBUG
 	if (it->sname)
 		CRYPTO_push_info(it->sname);
@@ -192,7 +190,7 @@ static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
 			if (!*pval)
 				goto memerr;
 			memset(*pval, 0, it->size);
-			asn1_do_lock(pval, 0, it);
+			asn1_refcount_set_one(pval, it);
 			asn1_enc_init(pval, it);
 			}
 		for (i = 0, tt = it->templates; i < it->tcount; tt++, i++)
@@ -211,7 +209,7 @@ static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
 	return 1;

 	memerr:
-	OPENSSL_PUT_ERROR(ASN1, asn1_item_ex_combine_new,  ERR_R_MALLOC_FAILURE);
+	OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
 	ASN1_item_ex_free(pval, it);
 #ifdef CRYPTO_MDEBUG
 	if (it->sname) CRYPTO_pop_info();
@@ -219,7 +217,7 @@ static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
 	return 0;

 	auxerr:
-	OPENSSL_PUT_ERROR(ASN1, asn1_item_ex_combine_new,  ASN1_R_AUX_ERROR);
+	OPENSSL_PUT_ERROR(ASN1, ASN1_R_AUX_ERROR);
 	ASN1_item_ex_free(pval, it);
 #ifdef CRYPTO_MDEBUG
 	if (it->sname) CRYPTO_pop_info();
@@ -291,7 +289,7 @@ int ASN1_template_new(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt)
 		skval = sk_ASN1_VALUE_new_null();
 		if (!skval)
 			{
-			OPENSSL_PUT_ERROR(ASN1, ASN1_template_new,  ERR_R_MALLOC_FAILURE);
+			OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
 			ret = 0;
 			goto done;
 			}
@@ -88,7 +88,7 @@ ASN1_PCTX *ASN1_PCTX_new(void)
 	ret = OPENSSL_malloc(sizeof(ASN1_PCTX));
 	if (ret == NULL)
 		{
-		OPENSSL_PUT_ERROR(ASN1, ASN1_PCTX_new, ERR_R_MALLOC_FAILURE);
+		OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
 		return NULL;
 		}
 	ret->flags = 0;
@@ -62,6 +62,9 @@
 #include <openssl/mem.h>
 #include <openssl/obj.h>
 #include <openssl/err.h>
+#include <openssl/thread.h>
+
+#include "../internal.h"


 /* Utility functions for manipulating fields and offsets */
@@ -85,28 +88,32 @@ int asn1_set_choice_selector(ASN1_VALUE **pval, int value,
  return ret;
 }

-/* Do reference counting. The value 'op' decides what to do. if it is +1 then
- * the count is incremented. If op is 0 count is set to 1. If op is -1 count is
- * decremented and the return value is the current refrence count or 0 if no
- * reference count exists. */
-int asn1_do_lock(ASN1_VALUE **pval, int op, const ASN1_ITEM *it) {
-  const ASN1_AUX *aux;
-  int *lck, ret;
+static CRYPTO_refcount_t *asn1_get_references(ASN1_VALUE **pval,
+                                              const ASN1_ITEM *it) {
  if (it->itype != ASN1_ITYPE_SEQUENCE &&
      it->itype != ASN1_ITYPE_NDEF_SEQUENCE) {
-    return 0;
+    return NULL;
  }
-  aux = it->funcs;
+  const ASN1_AUX *aux = it->funcs;
  if (!aux || !(aux->flags & ASN1_AFLG_REFCOUNT)) {
-    return 0;
+    return NULL;
  }
-  lck = offset2ptr(*pval, aux->ref_offset);
-  if (op == 0) {
-    *lck = 1;
-    return 1;
+  return offset2ptr(*pval, aux->ref_offset);
+}
+
+void asn1_refcount_set_one(ASN1_VALUE **pval, const ASN1_ITEM *it) {
+  CRYPTO_refcount_t *references = asn1_get_references(pval, it);
+  if (references != NULL) {
+    *references = 1;
  }
-  ret = CRYPTO_add(lck, op, aux->ref_lock);
-  return ret;
+}
+
+int asn1_refcount_dec_and_test_zero(ASN1_VALUE **pval, const ASN1_ITEM *it) {
+  CRYPTO_refcount_t *references = asn1_get_references(pval, it);
+  if (references != NULL) {
+    return CRYPTO_refcount_dec_and_test_zero(references);
+  }
+  return 1;
 }

 static ASN1_ENCODING *asn1_get_enc_ptr(ASN1_VALUE **pval, const ASN1_ITEM *it) {
@@ -253,8 +260,7 @@ const ASN1_TEMPLATE *asn1_do_adb(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt,
 err:
  /* FIXME: should log the value or OID of unsupported type */
  if (nullerr) {
-    OPENSSL_PUT_ERROR(ASN1, asn1_do_adb,
-                      ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE);
+    OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE);
  }
  return NULL;
 }
@@ -150,7 +150,7 @@ static int long_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
 	unsigned long utmp = 0;
 	char *cp = (char *)pval;
 	if(len > (int)sizeof(long)) {
-		OPENSSL_PUT_ERROR(ASN1, long_c2i,  ASN1_R_INTEGER_TOO_LARGE_FOR_LONG);
+		OPENSSL_PUT_ERROR(ASN1, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG);
 		return 0;
 	}
 	/* Is it negative? */
@@ -168,7 +168,7 @@ static int long_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
 		ltmp = -ltmp;
 	}
 	if(ltmp == it->size) {
-		OPENSSL_PUT_ERROR(ASN1, long_c2i,  ASN1_R_INTEGER_TOO_LARGE_FOR_LONG);
+		OPENSSL_PUT_ERROR(ASN1, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG);
 		return 0;
 	}
 	memcpy(cp, &ltmp, sizeof(long));
@@ -12,6 +12,8 @@ add_executable(
  base64_test

  base64_test.cc
+
+  $<TARGET_OBJECTS:test_support>
 )

 target_link_libraries(base64_test crypto)
@@ -22,6 +22,8 @@ add_executable(
  bio_test

  bio_test.cc
+
+  $<TARGET_OBJECTS:test_support>
 )

 target_link_libraries(bio_test crypto)
@@ -56,15 +56,17 @@

 #include <openssl/bio.h>

+#include <assert.h>
 #include <errno.h>
 #include <limits.h>
-#include <stddef.h>
 #include <string.h>

 #include <openssl/err.h>
 #include <openssl/mem.h>
 #include <openssl/thread.h>

+#include "../internal.h"
+

 /* BIO_set initialises a BIO structure to have the given type and sets the
 * reference count to one. It returns one on success or zero on error. */
@@ -78,24 +80,17 @@ static int bio_set(BIO *bio, const BIO_METHOD *method) {
  bio->shutdown = 1;
  bio->references = 1;

-  if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_BIO, bio, &bio->ex_data)) {
+  if (method->create != NULL && !method->create(bio)) {
    return 0;
  }

-  if (method->create != NULL) {
-    if (!method->create(bio)) {
-      CRYPTO_free_ex_data(CRYPTO_EX_INDEX_BIO, bio, &bio->ex_data);
-      return 0;
-    }
-  }
-
  return 1;
 }

 BIO *BIO_new(const BIO_METHOD *method) {
  BIO *ret = OPENSSL_malloc(sizeof(BIO));
  if (ret == NULL) {
-    OPENSSL_PUT_ERROR(BIO, BIO_new, ERR_R_MALLOC_FAILURE);
+    OPENSSL_PUT_ERROR(BIO, ERR_R_MALLOC_FAILURE);
    return NULL;
  }

@@ -111,8 +106,7 @@ int BIO_free(BIO *bio) {
  BIO *next_bio;

  for (; bio != NULL; bio = next_bio) {
-    int refs = CRYPTO_add(&bio->references, -1, CRYPTO_LOCK_BIO);
-    if (refs > 0) {
+    if (!CRYPTO_refcount_dec_and_test_zero(&bio->references)) {
      return 0;
    }

@@ -125,8 +119,6 @@ int BIO_free(BIO *bio) {

    next_bio = BIO_pop(bio);

-    CRYPTO_free_ex_data(CRYPTO_EX_INDEX_BIO, bio, &bio->ex_data);
-
    if (bio->method != NULL && bio->method->destroy != NULL) {
      bio->method->destroy(bio);
    }
@@ -136,6 +128,11 @@ int BIO_free(BIO *bio) {
  return 1;
 }

+BIO *BIO_up_ref(BIO *bio) {
+  CRYPTO_refcount_inc(&bio->references);
+  return bio;
+}
+
 void BIO_vfree(BIO *bio) {
  BIO_free(bio);
 }
@@ -156,7 +153,7 @@ static int bio_io(BIO *bio, void *buf, int len, size_t method_offset,
  }

  if (io_func == NULL) {
-    OPENSSL_PUT_ERROR(BIO, bio_io, BIO_R_UNSUPPORTED_METHOD);
+    OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
    return -2;
  }

@@ -168,7 +165,7 @@ static int bio_io(BIO *bio, void *buf, int len, size_t method_offset,
  }

  if (!bio->init) {
-    OPENSSL_PUT_ERROR(BIO, bio_io, BIO_R_UNINITIALIZED);
+    OPENSSL_PUT_ERROR(BIO, BIO_R_UNINITIALIZED);
    return -2;
  }

@@ -220,7 +217,7 @@ long BIO_ctrl(BIO *bio, int cmd, long larg, void *parg) {
  }

  if (bio->method == NULL || bio->method->ctrl == NULL) {
-    OPENSSL_PUT_ERROR(BIO, BIO_ctrl, BIO_R_UNSUPPORTED_METHOD);
+    OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
    return -2;
  }

@@ -326,7 +323,7 @@ long BIO_callback_ctrl(BIO *bio, int cmd, bio_info_cb fp) {
  }

  if (bio->method == NULL || bio->method->callback_ctrl == NULL) {
-    OPENSSL_PUT_ERROR(BIO, BIO_callback_ctrl, BIO_R_UNSUPPORTED_METHOD);
+    OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
    return 0;
  }

@@ -397,10 +394,6 @@ BIO *BIO_push(BIO *bio, BIO *appended_bio) {
  }

  last_bio->next_bio = appended_bio;
-  /* TODO(fork): this seems very suspect. If we got rid of BIO SSL, we could
-   * get rid of this. */
-  BIO_ctrl(bio, BIO_CTRL_PUSH, 0, bio);
-
  return bio;
 }

@@ -411,7 +404,6 @@ BIO *BIO_pop(BIO *bio) {
    return NULL;
  }
  ret = bio->next_bio;
-  BIO_ctrl(bio, BIO_CTRL_POP, 0, bio);
  bio->next_bio = NULL;
  return ret;
 }
@@ -462,12 +454,6 @@ int BIO_indent(BIO *bio, unsigned indent, unsigned max_indent) {
  return 1;
 }

-void BIO_print_errors_fp(FILE *out) {
-  BIO *bio = BIO_new_fp(out, BIO_NOCLOSE);
-  BIO_print_errors(bio);
-  BIO_free(bio);
-}
-
 static int print_bio(const char *str, size_t len, void *bio) {
  return BIO_write((BIO *)bio, str, len);
 }
@@ -475,3 +461,146 @@ static int print_bio(const char *str, size_t len, void *bio) {
 void BIO_print_errors(BIO *bio) {
  ERR_print_errors_cb(print_bio, bio);
 }
+
+void ERR_print_errors(BIO *bio) {
+  BIO_print_errors(bio);
+}
+
+/* bio_read_all reads everything from |bio| and prepends |prefix| to it. On
+ * success, |*out| is set to an allocated buffer (which should be freed with
+ * |OPENSSL_free|), |*out_len| is set to its length and one is returned. The
+ * buffer will contain |prefix| followed by the contents of |bio|. On failure,
+ * zero is returned.
+ *
+ * The function will fail if the size of the output would equal or exceed
+ * |max_len|. */
+static int bio_read_all(BIO *bio, uint8_t **out, size_t *out_len,
+                        const uint8_t *prefix, size_t prefix_len,
+                        size_t max_len) {
+  static const size_t kChunkSize = 4096;
+
+  size_t len = prefix_len + kChunkSize;
+  if (len > max_len) {
+    len = max_len;
+  }
+  if (len < prefix_len) {
+    return 0;
+  }
+  *out = OPENSSL_malloc(len);
+  if (*out == NULL) {
+    return 0;
+  }
+  memcpy(*out, prefix, prefix_len);
+  size_t done = prefix_len;
+
+  for (;;) {
+    if (done == len) {
+      OPENSSL_free(*out);
+      return 0;
+    }
+    const size_t todo = len - done;
+    assert(todo < INT_MAX);
+    const int n = BIO_read(bio, *out + done, todo);
+    if (n == 0) {
+      *out_len = done;
+      return 1;
+    } else if (n == -1) {
+      OPENSSL_free(*out);
+      return 0;
+    }
+
+    done += n;
+    if (len < max_len && len - done < kChunkSize / 2) {
+      len += kChunkSize;
+      if (len < kChunkSize || len > max_len) {
+        len = max_len;
+      }
+      uint8_t *new_buf = OPENSSL_realloc(*out, len);
+      if (new_buf == NULL) {
+        OPENSSL_free(*out);
+        return 0;
+      }
+      *out = new_buf;
+    }
+  }
+}
+
+int BIO_read_asn1(BIO *bio, uint8_t **out, size_t *out_len, size_t max_len) {
+  uint8_t header[6];
+
+  static const size_t kInitialHeaderLen = 2;
+  if (BIO_read(bio, header, kInitialHeaderLen) != kInitialHeaderLen) {
+    return 0;
+  }
+
+  const uint8_t tag = header[0];
+  const uint8_t length_byte = header[1];
+
+  if ((tag & 0x1f) == 0x1f) {
+    /* Long form tags are not supported. */
+    return 0;
+  }
+
+  size_t len, header_len;
+  if ((length_byte & 0x80) == 0) {
+    /* Short form length. */
+    len = length_byte;
+    header_len = kInitialHeaderLen;
+  } else {
+    const size_t num_bytes = length_byte & 0x7f;
+
+    if ((tag & 0x20 /* constructed */) != 0 && num_bytes == 0) {
+      /* indefinite length. */
+      return bio_read_all(bio, out, out_len, header, kInitialHeaderLen,
+                          max_len);
+    }
+
+    if (num_bytes == 0 || num_bytes > 4) {
+      return 0;
+    }
+
+    if (BIO_read(bio, header + kInitialHeaderLen, num_bytes) != num_bytes) {
+      return 0;
+    }
+    header_len = kInitialHeaderLen + num_bytes;
+
+    uint32_t len32 = 0;
+    unsigned i;
+    for (i = 0; i < num_bytes; i++) {
+      len32 <<= 8;
+      len32 |= header[kInitialHeaderLen + i];
+    }
+
+    if (len32 < 128) {
+      /* Length should have used short-form encoding. */
+      return 0;
+    }
+
+    if ((len32 >> ((num_bytes-1)*8)) == 0) {
+      /* Length should have been at least one byte shorter. */
+      return 0;
+    }
+
+    len = len32;
+  }
+
+  if (len + header_len < len ||
+      len + header_len > max_len) {
+    return 0;
+  }
+  len += header_len;
+  *out_len = len;
+
+  *out = OPENSSL_malloc(len);
+  if (*out == NULL) {
+    return 0;
+  }
+  memcpy(*out, header, header_len);
+  if (BIO_read(bio, (*out) + header_len, len - header_len) !=
+      len - header_len) {
+    OPENSSL_free(*out);
+    return 0;
+  }
+
+  return 1;
+}
@@ -70,7 +70,7 @@ BIO *BIO_new_mem_buf(void *buf, int len) {
  const size_t size = len < 0 ? strlen((char *)buf) : (size_t)len;

  if (!buf && len != 0) {
-    OPENSSL_PUT_ERROR(BIO, BIO_new_mem_buf, BIO_R_NULL_PARAMETER);
+    OPENSSL_PUT_ERROR(BIO, BIO_R_NULL_PARAMETER);
    return NULL;
  }

@@ -167,7 +167,7 @@ static int mem_write(BIO *bio, const char *in, int inl) {
  b = (BUF_MEM *)bio->ptr;

  if (bio->flags & BIO_FLAGS_MEM_RDONLY) {
-    OPENSSL_PUT_ERROR(BIO, mem_write, BIO_R_WRITE_TO_READ_ONLY_BIO);
+    OPENSSL_PUT_ERROR(BIO, BIO_R_WRITE_TO_READ_ONLY_BIO);
    goto err;
  }

@@ -36,6 +36,7 @@
 #include <openssl/bio.h>
 #include <openssl/crypto.h>
 #include <openssl/err.h>
+#include <openssl/mem.h>

 #include <algorithm>

@@ -111,7 +112,7 @@ static bool TestSocketConnect() {
  if (BIO_write(bio.get(), kTestMessage, sizeof(kTestMessage)) !=
      sizeof(kTestMessage)) {
    fprintf(stderr, "BIO_write failed.\n");
-    BIO_print_errors_fp(stderr);
+    ERR_print_errors_fp(stderr);
    return false;
  }

@@ -328,6 +329,87 @@ static bool TestPrintf() {
  return true;
 }

+static bool ReadASN1(bool should_succeed, const uint8_t *data, size_t data_len,
+                     size_t expected_len, size_t max_len) {
+  ScopedBIO bio(BIO_new_mem_buf(const_cast<uint8_t*>(data), data_len));
+
+  uint8_t *out;
+  size_t out_len;
+  int ok = BIO_read_asn1(bio.get(), &out, &out_len, max_len);
+  if (!ok) {
+    out = nullptr;
+  }
+  ScopedOpenSSLBytes out_storage(out);
+
+  if (should_succeed != (ok == 1)) {
+    return false;
+  }
+
+  if (should_succeed &&
+      (out_len != expected_len || memcmp(data, out, expected_len) != 0)) {
+    return false;
+  }
+
+  return true;
+}
+
+static bool TestASN1() {
+  static const uint8_t kData1[] = {0x30, 2, 1, 2, 0, 0};
+  static const uint8_t kData2[] = {0x30, 3, 1, 2};  /* truncated */
+  static const uint8_t kData3[] = {0x30, 0x81, 1, 1};  /* should be short len */
+  static const uint8_t kData4[] = {0x30, 0x82, 0, 1, 1};  /* zero padded. */
+
+  if (!ReadASN1(true, kData1, sizeof(kData1), 4, 100) ||
+      !ReadASN1(false, kData2, sizeof(kData2), 0, 100) ||
+      !ReadASN1(false, kData3, sizeof(kData3), 0, 100) ||
+      !ReadASN1(false, kData4, sizeof(kData4), 0, 100)) {
+    return false;
+  }
+
+  static const size_t kLargePayloadLen = 8000;
+  static const uint8_t kLargePrefix[] = {0x30, 0x82, kLargePayloadLen >> 8,
+                                         kLargePayloadLen & 0xff};
+  ScopedOpenSSLBytes large(reinterpret_cast<uint8_t *>(
+      OPENSSL_malloc(sizeof(kLargePrefix) + kLargePayloadLen)));
+  if (!large) {
+    return false;
+  }
+  memset(large.get() + sizeof(kLargePrefix), 0, kLargePayloadLen);
+  memcpy(large.get(), kLargePrefix, sizeof(kLargePrefix));
+
+  if (!ReadASN1(true, large.get(), sizeof(kLargePrefix) + kLargePayloadLen,
+                sizeof(kLargePrefix) + kLargePayloadLen,
+                kLargePayloadLen * 2)) {
+    fprintf(stderr, "Large payload test failed.\n");
+    return false;
+  }
+
+  if (!ReadASN1(false, large.get(), sizeof(kLargePrefix) + kLargePayloadLen,
+                sizeof(kLargePrefix) + kLargePayloadLen,
+                kLargePayloadLen - 1)) {
+    fprintf(stderr, "max_len test failed.\n");
+    return false;
+  }
+
+  static const uint8_t kIndefPrefix[] = {0x30, 0x80};
+  memcpy(large.get(), kIndefPrefix, sizeof(kIndefPrefix));
+  if (!ReadASN1(true, large.get(), sizeof(kLargePrefix) + kLargePayloadLen,
+                sizeof(kLargePrefix) + kLargePayloadLen,
+                kLargePayloadLen*2)) {
+    fprintf(stderr, "indefinite length test failed.\n");
+    return false;
+  }
+
+  if (!ReadASN1(false, large.get(), sizeof(kLargePrefix) + kLargePayloadLen,
+                sizeof(kLargePrefix) + kLargePayloadLen,
+                kLargePayloadLen-1)) {
+    fprintf(stderr, "indefinite length, max_len test failed.\n");
+    return false;
+  }
+
+  return true;
+}
+
 int main(void) {
  CRYPTO_library_init();
  ERR_load_crypto_strings();
@@ -349,7 +431,8 @@ int main(void) {

  if (!TestSocketConnect() ||
      !TestPrintf() ||
-      !TestZeroCopyBioPairs()) {
+      !TestZeroCopyBioPairs() ||
+      !TestASN1()) {
    return 1;
  }

@@ -122,17 +122,13 @@ err1:
 static int buffer_free(BIO *bio) {
  BIO_F_BUFFER_CTX *ctx;

-  if (bio == NULL) {
+  if (bio == NULL || bio->ptr == NULL) {
    return 0;
  }

  ctx = (BIO_F_BUFFER_CTX *)bio->ptr;
-  if (ctx->ibuf != NULL) {
-    OPENSSL_free(ctx->ibuf);
-  }
-  if (ctx->obuf != NULL) {
-    OPENSSL_free(ctx->obuf);
-  }
+  OPENSSL_free(ctx->ibuf);
+  OPENSSL_free(ctx->obuf);
  OPENSSL_free(bio->ptr);

  bio->ptr = NULL;
@@ -410,7 +406,7 @@ static long buffer_ctrl(BIO *b, int cmd, long num, void *ptr) {
  return ret;

 malloc_error:
-  OPENSSL_PUT_ERROR(BIO, buffer_ctrl, ERR_R_MALLOC_FAILURE);
+  OPENSSL_PUT_ERROR(BIO, ERR_R_MALLOC_FAILURE);
  return 0;
 }

@@ -142,7 +142,7 @@ static int conn_state(BIO *bio, BIO_CONNECT *c) {
      case BIO_CONN_S_BEFORE:
        p = c->param_hostname;
        if (p == NULL) {
-          OPENSSL_PUT_ERROR(BIO, conn_state, BIO_R_NO_HOSTNAME_SPECIFIED);
+          OPENSSL_PUT_ERROR(BIO, BIO_R_NO_HOSTNAME_SPECIFIED);
          goto exit_loop;
        }
        for (; *p != 0; p++) {
@@ -161,15 +161,13 @@ static int conn_state(BIO *bio, BIO_CONNECT *c) {
                break;
              }
            }
-            if (c->param_port != NULL) {
-              OPENSSL_free(c->param_port);
-            }
+            OPENSSL_free(c->param_port);
            c->param_port = BUF_strdup(p);
          }
        }

        if (c->param_port == NULL) {
-          OPENSSL_PUT_ERROR(BIO, conn_state, BIO_R_NO_PORT_SPECIFIED);
+          OPENSSL_PUT_ERROR(BIO, BIO_R_NO_PORT_SPECIFIED);
          ERR_add_error_data(2, "host=", c->param_hostname);
          goto exit_loop;
        }
@@ -177,7 +175,7 @@ static int conn_state(BIO *bio, BIO_CONNECT *c) {
        if (!bio_ip_and_port_to_socket_and_addr(
                &bio->num, &c->them, &c->them_length, c->param_hostname,
                c->param_port)) {
-          OPENSSL_PUT_ERROR(BIO, conn_state, BIO_R_UNABLE_TO_CREATE_SOCKET);
+          OPENSSL_PUT_ERROR(BIO, BIO_R_UNABLE_TO_CREATE_SOCKET);
          ERR_add_error_data(4, "host=", c->param_hostname, ":", c->param_port);
          goto exit_loop;
        }
@@ -187,7 +185,7 @@ static int conn_state(BIO *bio, BIO_CONNECT *c) {

        if (c->nbio) {
          if (!bio_socket_nbio(bio->num, 1)) {
-            OPENSSL_PUT_ERROR(BIO, conn_state, BIO_R_ERROR_SETTING_NBIO);
+            OPENSSL_PUT_ERROR(BIO, BIO_R_ERROR_SETTING_NBIO);
            ERR_add_error_data(4, "host=", c->param_hostname, ":",
                               c->param_port);
            goto exit_loop;
@@ -199,7 +197,7 @@ static int conn_state(BIO *bio, BIO_CONNECT *c) {
                         sizeof(i));
        if (ret < 0) {
          OPENSSL_PUT_SYSTEM_ERROR(setsockopt);
-          OPENSSL_PUT_ERROR(BIO, conn_state, BIO_R_KEEPALIVE);
+          OPENSSL_PUT_ERROR(BIO, BIO_R_KEEPALIVE);
          ERR_add_error_data(4, "host=", c->param_hostname, ":", c->param_port);
          goto exit_loop;
        }
@@ -213,7 +211,7 @@ static int conn_state(BIO *bio, BIO_CONNECT *c) {
            bio->retry_reason = BIO_RR_CONNECT;
          } else {
            OPENSSL_PUT_SYSTEM_ERROR(connect);
-            OPENSSL_PUT_ERROR(BIO, conn_state, BIO_R_CONNECT_ERROR);
+            OPENSSL_PUT_ERROR(BIO, BIO_R_CONNECT_ERROR);
            ERR_add_error_data(4, "host=", c->param_hostname, ":",
                               c->param_port);
          }
@@ -234,7 +232,7 @@ static int conn_state(BIO *bio, BIO_CONNECT *c) {
          } else {
            BIO_clear_retry_flags(bio);
            OPENSSL_PUT_SYSTEM_ERROR(connect);
-            OPENSSL_PUT_ERROR(BIO, conn_state, BIO_R_NBIO_CONNECT_ERROR);
+            OPENSSL_PUT_ERROR(BIO, BIO_R_NBIO_CONNECT_ERROR);
            ERR_add_error_data(4, "host=", c->param_hostname, ":", c->param_port);
            ret = 0;
          }
@@ -286,12 +284,8 @@ static void BIO_CONNECT_free(BIO_CONNECT *c) {
    return;
  }

-  if (c->param_hostname != NULL) {
-    OPENSSL_free(c->param_hostname);
-  }
-  if (c->param_port != NULL) {
-    OPENSSL_free(c->param_port);
-  }
+  OPENSSL_free(c->param_hostname);
+  OPENSSL_free(c->param_port);
  OPENSSL_free(c);
 }

@@ -426,15 +420,17 @@ static long conn_ctrl(BIO *bio, int cmd, long num, void *ptr) {
      if (ptr != NULL) {
        bio->init = 1;
        if (num == 0) {
-          if (data->param_hostname != NULL) {
-            OPENSSL_free(data->param_hostname);
-          }
+          OPENSSL_free(data->param_hostname);
          data->param_hostname = BUF_strdup(ptr);
-        } else if (num == 1) {
-          if (data->param_port != NULL) {
-            OPENSSL_free(data->param_port);
+          if (data->param_hostname == NULL) {
+            ret = 0;
          }
+        } else if (num == 1) {
+          OPENSSL_free(data->param_port);
          data->param_port = BUF_strdup(ptr);
+          if (data->param_port == NULL) {
+            ret = 0;
+          }
        } else {
          ret = 0;
        }
@@ -468,7 +464,7 @@ static long conn_ctrl(BIO *bio, int cmd, long num, void *ptr) {
      break;
    case BIO_CTRL_SET_CALLBACK: {
 #if 0 /* FIXME: Should this be used?  -- Richard Levitte */
-		OPENSSL_PUT_ERROR(BIO, XXX, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+		OPENSSL_PUT_ERROR(BIO, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 		ret = -1;
 #else
      ret = 0;
@@ -88,7 +88,7 @@
 #define BIO_FP_APPEND 0x08

 static FILE *open_file(const char *filename, const char *mode) {
-#if defined(_WIN32) && defined(CP_UTF8)
+#if defined(OPENSSL_WINDOWS) && defined(CP_UTF8)
  int sz, len_0 = (int)strlen(filename) + 1;
  DWORD flags;

@@ -133,9 +133,9 @@ BIO *BIO_new_file(const char *filename, const char *mode) {

    ERR_add_error_data(5, "fopen('", filename, "','", mode, "')");
    if (errno == ENOENT) {
-      OPENSSL_PUT_ERROR(BIO, BIO_new_file, BIO_R_NO_SUCH_FILE);
+      OPENSSL_PUT_ERROR(BIO, BIO_R_NO_SUCH_FILE);
    } else {
-      OPENSSL_PUT_ERROR(BIO, BIO_new_file, BIO_R_SYS_LIB);
+      OPENSSL_PUT_ERROR(BIO, BIO_R_SYS_LIB);
    }
    return NULL;
  }
@@ -191,7 +191,7 @@ static int file_read(BIO *b, char *out, int outl) {
  ret = fread(out, 1, outl, (FILE *)b->ptr);
  if (ret == 0 && ferror((FILE *)b->ptr)) {
    OPENSSL_PUT_SYSTEM_ERROR(fread);
-    OPENSSL_PUT_ERROR(BIO, file_read, ERR_R_SYS_LIB);
+    OPENSSL_PUT_ERROR(BIO, ERR_R_SYS_LIB);
    ret = -1;
  }

@@ -253,7 +253,7 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr) {
      } else if (num & BIO_FP_READ) {
        BUF_strlcpy(p, "r", sizeof(p));
      } else {
-        OPENSSL_PUT_ERROR(BIO, file_ctrl, BIO_R_BAD_FOPEN_MODE);
+        OPENSSL_PUT_ERROR(BIO, BIO_R_BAD_FOPEN_MODE);
        ret = 0;
        break;
      }
@@ -261,7 +261,7 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr) {
      if (fp == NULL) {
        OPENSSL_PUT_SYSTEM_ERROR(fopen);
        ERR_add_error_data(5, "fopen('", ptr, "','", p, "')");
-        OPENSSL_PUT_ERROR(BIO, file_ctrl, ERR_R_SYS_LIB);
+        OPENSSL_PUT_ERROR(BIO, ERR_R_SYS_LIB);
        ret = 0;
        break;
      }
@@ -145,7 +145,7 @@ static int bio_free(BIO *bio) {
    bio_destroy_pair(bio);
  }

-  if (b->buf != NULL && !b->buf_externally_allocated) {
+  if (!b->buf_externally_allocated) {
    OPENSSL_free(b->buf);
  }

@@ -181,27 +181,25 @@ int BIO_zero_copy_get_read_buf(BIO* bio, uint8_t** out_read_buf,
  BIO_clear_retry_flags(bio);

  if (!bio->init) {
-    OPENSSL_PUT_ERROR(BIO, BIO_zero_copy_get_read_buf, BIO_R_UNINITIALIZED);
+    OPENSSL_PUT_ERROR(BIO, BIO_R_UNINITIALIZED);
    return 0;
  }

  b = bio->ptr;

  if (!b || !b->peer) {
-    OPENSSL_PUT_ERROR(BIO, BIO_zero_copy_get_read_buf,
-                      BIO_R_UNSUPPORTED_METHOD);
+    OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
    return 0;
  }

  peer_b = b->peer->ptr;
  if (!peer_b || !peer_b->peer || peer_b->peer->ptr != b) {
-    OPENSSL_PUT_ERROR(BIO, BIO_zero_copy_get_read_buf,
-                      BIO_R_UNSUPPORTED_METHOD);
+    OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
    return 0;
  }

  if (peer_b->zero_copy_read_lock) {
-    OPENSSL_PUT_ERROR(BIO, BIO_zero_copy_get_read_buf, BIO_R_INVALID_ARGUMENT);
+    OPENSSL_PUT_ERROR(BIO, BIO_R_INVALID_ARGUMENT);
    return 0;
  }

@@ -229,37 +227,32 @@ int BIO_zero_copy_get_read_buf_done(BIO* bio, size_t bytes_read) {
  assert(BIO_get_retry_flags(bio) == 0);

  if (!bio->init) {
-    OPENSSL_PUT_ERROR(BIO, BIO_zero_copy_get_read_buf_done,
-                      BIO_R_UNINITIALIZED);
+    OPENSSL_PUT_ERROR(BIO, BIO_R_UNINITIALIZED);
    return 0;
  }

  b = bio->ptr;

  if (!b || !b->peer) {
-    OPENSSL_PUT_ERROR(BIO, BIO_zero_copy_get_read_buf_done,
-                      BIO_R_UNSUPPORTED_METHOD);
+    OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
    return 0;
  }

  peer_b = b->peer->ptr;
  if (!peer_b || !peer_b->peer || peer_b->peer->ptr != b) {
-    OPENSSL_PUT_ERROR(BIO, BIO_zero_copy_get_read_buf_done,
-                      BIO_R_UNSUPPORTED_METHOD);
+    OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
    return 0;
  }

  if (!peer_b->zero_copy_read_lock) {
-    OPENSSL_PUT_ERROR(BIO, BIO_zero_copy_get_read_buf_done,
-                      BIO_R_INVALID_ARGUMENT);
+    OPENSSL_PUT_ERROR(BIO, BIO_R_INVALID_ARGUMENT);
    return 0;
  }

  max_available =
      bio_zero_copy_get_read_buf(peer_b, &dummy_read_buf, &dummy_read_offset);
  if (bytes_read > max_available) {
-    OPENSSL_PUT_ERROR(BIO, BIO_zero_copy_get_read_buf_done,
-                      BIO_R_INVALID_ARGUMENT);
+    OPENSSL_PUT_ERROR(BIO, BIO_R_INVALID_ARGUMENT);
    return 0;
  }

@@ -318,35 +311,33 @@ int BIO_zero_copy_get_write_buf(BIO* bio, uint8_t** out_write_buf,
  BIO_clear_retry_flags(bio);

  if (!bio->init) {
-    OPENSSL_PUT_ERROR(BIO, BIO_zero_copy_get_write_buf, BIO_R_UNINITIALIZED);
+    OPENSSL_PUT_ERROR(BIO, BIO_R_UNINITIALIZED);
    return 0;
  }

  b = bio->ptr;

  if (!b || !b->buf || !b->peer) {
-    OPENSSL_PUT_ERROR(BIO, BIO_zero_copy_get_write_buf,
-                      BIO_R_UNSUPPORTED_METHOD);
+    OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
    return 0;
  }
  peer_b = b->peer->ptr;
  if (!peer_b || !peer_b->peer || peer_b->peer->ptr != b) {
-    OPENSSL_PUT_ERROR(BIO, BIO_zero_copy_get_write_buf,
-                      BIO_R_UNSUPPORTED_METHOD);
+    OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
    return 0;
  }

  assert(b->buf != NULL);

  if (b->zero_copy_write_lock) {
-    OPENSSL_PUT_ERROR(BIO, BIO_zero_copy_get_write_buf, BIO_R_INVALID_ARGUMENT);
+    OPENSSL_PUT_ERROR(BIO, BIO_R_INVALID_ARGUMENT);
    return 0;
  }

  b->request = 0;
  if (b->closed) {
    /* Bio is already closed. */
-    OPENSSL_PUT_ERROR(BIO, BIO_zero_copy_get_write_buf, BIO_R_BROKEN_PIPE);
+    OPENSSL_PUT_ERROR(BIO, BIO_R_BROKEN_PIPE);
    return 0;
  }

@@ -369,43 +360,38 @@ int BIO_zero_copy_get_write_buf_done(BIO* bio, size_t bytes_written) {
  uint8_t* dummy_write_buf;

  if (!bio->init) {
-    OPENSSL_PUT_ERROR(BIO, BIO_zero_copy_get_write_buf_done,
-                      BIO_R_UNINITIALIZED);
+    OPENSSL_PUT_ERROR(BIO, BIO_R_UNINITIALIZED);
    return 0;
  }

  b = bio->ptr;

  if (!b || !b->buf || !b->peer) {
-    OPENSSL_PUT_ERROR(BIO, BIO_zero_copy_get_write_buf_done,
-                      BIO_R_UNSUPPORTED_METHOD);
+    OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
    return 0;
  }
  peer_b = b->peer->ptr;
  if (!peer_b || !peer_b->peer || peer_b->peer->ptr != b) {
-    OPENSSL_PUT_ERROR(BIO, BIO_zero_copy_get_write_buf_done,
-                      BIO_R_UNSUPPORTED_METHOD);
+    OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
    return 0;
  }

  b->request = 0;
  if (b->closed) {
    /* BIO is already closed. */
-    OPENSSL_PUT_ERROR(BIO, BIO_zero_copy_get_write_buf_done, BIO_R_BROKEN_PIPE);
+    OPENSSL_PUT_ERROR(BIO, BIO_R_BROKEN_PIPE);
    return 0;
  }

  if (!b->zero_copy_write_lock) {
-    OPENSSL_PUT_ERROR(BIO, BIO_zero_copy_get_write_buf_done,
-                      BIO_R_INVALID_ARGUMENT);
+    OPENSSL_PUT_ERROR(BIO, BIO_R_INVALID_ARGUMENT);
    return 0;
  }

  rest = bio_zero_copy_get_write_buf(b, &dummy_write_buf, &dummy_write_offset);

  if (bytes_written > rest) {
-    OPENSSL_PUT_ERROR(BIO, BIO_zero_copy_get_write_buf_done,
-                      BIO_R_INVALID_ARGUMENT);
+    OPENSSL_PUT_ERROR(BIO, BIO_R_INVALID_ARGUMENT);
    return 0;
  }

@@ -525,7 +511,7 @@ static int bio_write(BIO *bio, const char *buf, int num_) {
  b->request = 0;
  if (b->closed) {
    /* we already closed */
-    OPENSSL_PUT_ERROR(BIO, bio_write, BIO_R_BROKEN_PIPE);
+    OPENSSL_PUT_ERROR(BIO, BIO_R_BROKEN_PIPE);
    return -1;
  }

@@ -590,7 +576,7 @@ static int bio_make_pair(BIO* bio1, BIO* bio2,
  b2 = bio2->ptr;

  if (b1->peer != NULL || b2->peer != NULL) {
-    OPENSSL_PUT_ERROR(BIO, bio_make_pair, BIO_R_IN_USE);
+    OPENSSL_PUT_ERROR(BIO, BIO_R_IN_USE);
    return 0;
  }

@@ -605,7 +591,7 @@ static int bio_make_pair(BIO* bio1, BIO* bio2,
      b1->buf_externally_allocated = 0;
      b1->buf = OPENSSL_malloc(b1->size);
      if (b1->buf == NULL) {
-        OPENSSL_PUT_ERROR(BIO, bio_make_pair, ERR_R_MALLOC_FAILURE);
+        OPENSSL_PUT_ERROR(BIO, ERR_R_MALLOC_FAILURE);
        return 0;
      }
    } else {
@@ -624,7 +610,7 @@ static int bio_make_pair(BIO* bio1, BIO* bio2,
      b2->buf_externally_allocated = 0;
      b2->buf = OPENSSL_malloc(b2->size);
      if (b2->buf == NULL) {
-        OPENSSL_PUT_ERROR(BIO, bio_make_pair, ERR_R_MALLOC_FAILURE);
+        OPENSSL_PUT_ERROR(BIO, ERR_R_MALLOC_FAILURE);
        return 0;
      }
    } else {
@@ -793,14 +779,10 @@ int BIO_new_bio_pair_external_buf(BIO** bio1_p, size_t writebuf1_len,

 err:
  if (ret == 0) {
-    if (bio1) {
-      BIO_free(bio1);
-      bio1 = NULL;
-    }
-    if (bio2) {
-      BIO_free(bio2);
-      bio2 = NULL;
-    }
+    BIO_free(bio1);
+    bio1 = NULL;
+    BIO_free(bio2);
+    bio2 = NULL;
  }

  *bio1_p = bio1;
@@ -64,6 +64,7 @@
 #include <stdarg.h>
 #include <stdio.h>

+#include <openssl/err.h>
 #include <openssl/mem.h>

 int BIO_printf(BIO *bio, const char *format, ...) {
@@ -94,9 +95,8 @@ int BIO_printf(BIO *bio, const char *format, ...) {
    out = OPENSSL_malloc(requested_len + 1);
    out_malloced = 1;
    if (out == NULL) {
-      /* Unclear what can be done in this situation. OpenSSL has historically
-       * crashed and that seems better than producing the wrong output. */
-      abort();
+      OPENSSL_PUT_ERROR(BIO, ERR_R_MALLOC_FAILURE);
+      return -1;
    }
    va_start(args, format);
    out_len = vsnprintf(out, requested_len + 1, format, args);
@@ -12,7 +12,8 @@
 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

-#define _POSIX_SOURCE
+#undef _POSIX_C_SOURCE
+#define _POSIX_C_SOURCE 200112L

 #include <openssl/bio.h>
 #include <openssl/err.h>
@@ -50,8 +51,8 @@ int bio_ip_and_port_to_socket_and_addr(int *out_sock,

  ret = getaddrinfo(hostname, port_str, &hint, &result);
  if (ret != 0) {
-    OPENSSL_PUT_ERROR(SYS, getaddrinfo, 0);
-    ERR_add_error_data(2, gai_strerror(ret));
+    OPENSSL_PUT_ERROR(SYS, 0);
+    ERR_add_error_data(1, gai_strerror(ret));
    return 0;
  }

@@ -4,7 +4,6 @@ if (${ARCH} STREQUAL "x86_64")
  set(
    BN_ARCH_SOURCES

-    asm/x86_64-gcc.c
    x86_64-mont.${ASM_EXT}
    x86_64-mont5.${ASM_EXT}
    rsaz-x86_64.${ASM_EXT}
@@ -38,7 +37,9 @@ add_library(
  OBJECT

  add.c
+  asm/x86_64-gcc.c
  bn.c
+  bn_asn1.c
  cmp.c
  convert.c
  ctx.c
@@ -70,6 +71,8 @@ add_executable(
  bn_test

  bn_test.cc
+
+  $<TARGET_OBJECTS:test_support>
 )

 target_link_libraries(bn_test crypto)
@@ -267,7 +267,7 @@ int BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) {

  if (dif < 0) /* hmm... should not be happening */
  {
-    OPENSSL_PUT_ERROR(BN, BN_usub, BN_R_ARG2_LT_ARG3);
+    OPENSSL_PUT_ERROR(BN, BN_R_ARG2_LT_ARG3);
    return 0;
  }

@@ -38,8 +38,20 @@
 # for execution on all NEON-capable processors, because gain on
 # others outweighs the marginal loss on Cortex-A9.

-while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {}
-open STDOUT,">$output";
+$flavour = shift;
+if ($flavour=~/^\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; }
+else { while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} }
+
+if ($flavour && $flavour ne "void") {
+    $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+    ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
+    ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
+    die "can't locate arm-xlate.pl";
+
+    open STDOUT,"| \"$^X\" $xlate $flavour $output";
+} else {
+    open STDOUT,">$output";
+}

 $num="r0";	# starts as num argument, but holds &tp[num-1]
 $ap="r1";
@@ -72,10 +84,10 @@ $code=<<___;
 .text
 .code	32

-#if __ARM_ARCH__>=7
+#if __ARM_MAX_ARCH__>=7
 .align	5
 .LOPENSSL_armcap:
-.word	OPENSSL_armcap_P-bn_mul_mont
+.word	OPENSSL_armcap_P-.Lbn_mul_mont
 #endif

 .global	bn_mul_mont
@@ -84,14 +96,18 @@ $code=<<___;

 .align	5
 bn_mul_mont:
+.Lbn_mul_mont:
 	ldr	ip,[sp,#4]		@ load num
 	stmdb	sp!,{r0,r2}		@ sp points at argument block
-#if __ARM_ARCH__>=7
+#if __ARM_MAX_ARCH__>=7
 	tst	ip,#7
 	bne	.Lialu
 	adr	r0,bn_mul_mont
 	ldr	r2,.LOPENSSL_armcap
 	ldr	r0,[r0,r2]
+#ifdef	__APPLE__
+	ldr	r0,[r0]
+#endif
 	tst	r0,#1			@ NEON available?
 	ldmia	sp, {r0,r2}
 	beq	.Lialu
@@ -231,9 +247,14 @@ bn_mul_mont:
 	ldmia	sp!,{r4-r12,lr}		@ restore registers
 	add	sp,sp,#2*4		@ skip over {r0,r2}
 	mov	r0,#1
-.Labrt:	tst	lr,#1
+.Labrt:
+#if __ARM_ARCH__>=5
+	ret				@ bx lr
+#else
+	tst	lr,#1
 	moveq	pc,lr			@ be binary compatible with V4, yet
 	bx	lr			@ interoperable with Thumb ISA:-)
+#endif
 .size	bn_mul_mont,.-bn_mul_mont
 ___
 {
@@ -252,7 +273,8 @@ my ($rptr,$aptr,$bptr,$nptr,$n0,$num)=map("r$_",(0..5));
 my ($tinptr,$toutptr,$inner,$outer)=map("r$_",(6..9));

 $code.=<<___;
-#if __ARM_ARCH__>=7
+#if __ARM_MAX_ARCH__>=7
+.arch	armv7-a
 .fpu	neon

 .type	bn_mul8x_mont_neon,%function
@@ -651,7 +673,7 @@ bn_mul8x_mont_neon:
 	sub	sp,ip,#96
        vldmia  sp!,{d8-d15}
        ldmia   sp!,{r4-r11}
-	bx	lr
+	ret						@ bx lr
 .size	bn_mul8x_mont_neon,.-bn_mul8x_mont_neon
 #endif
 ___
@@ -659,7 +681,7 @@ ___
 $code.=<<___;
 .asciz	"Montgomery multiplication for ARMv4/NEON, CRYPTOGAMS by <appro\@openssl.org>"
 .align	2
-#if __ARM_ARCH__>=7
+#if __ARM_MAX_ARCH__>=7
 .comm	OPENSSL_armcap_P,4,4
 .hidden	OPENSSL_armcap_P
 #endif
@@ -667,5 +689,6 @@ ___

 $code =~ s/\`([^\`]*)\`/eval $1/gem;
 $code =~ s/\bbx\s+lr\b/.word\t0xe12fff1e/gm;	# make it possible to compile with -march=armv4
+$code =~ s/\bret\b/bx	lr/gm;
 print $code;
 close STDOUT;
@@ -1,6 +1,6 @@
 #include <openssl/bn.h>

-#if defined(OPENSSL_X86_64) && !defined(OPENSSL_WINDOWS)
+#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && !defined(OPENSSL_WINDOWS)

 #include "../internal.h"

@@ -596,4 +596,4 @@ void bn_sqr_comba4(BN_ULONG *r, const BN_ULONG *a) {
  r[7] = c2;
 }

-#endif  /* defined(OPENSSL_X86_64) && !defined(OPENSSL_WINDOWS) */
+#endif  /* !NO_ASM && X86_64 && !WINDOWS */
@@ -69,7 +69,7 @@ BIGNUM *BN_new(void) {
  BIGNUM *bn = OPENSSL_malloc(sizeof(BIGNUM));

  if (bn == NULL) {
-    OPENSSL_PUT_ERROR(BN, BN_new, ERR_R_MALLOC_FAILURE);
+    OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE);
    return NULL;
  }

@@ -88,7 +88,7 @@ void BN_free(BIGNUM *bn) {
    return;
  }

-  if (bn->d != NULL && (bn->flags & BN_FLG_STATIC_DATA) == 0) {
+  if ((bn->flags & BN_FLG_STATIC_DATA) == 0) {
    OPENSSL_free(bn->d);
  }

@@ -279,41 +279,43 @@ void BN_set_negative(BIGNUM *bn, int sign) {
  }
 }

-BIGNUM *bn_wexpand(BIGNUM *bn, unsigned words) {
+BIGNUM *bn_wexpand(BIGNUM *bn, size_t words) {
  BN_ULONG *a;

-  if (words <= (unsigned) bn->dmax) {
+  if (words <= (size_t)bn->dmax) {
    return bn;
  }

  if (words > (INT_MAX / (4 * BN_BITS2))) {
-    OPENSSL_PUT_ERROR(BN, bn_wexpand, BN_R_BIGNUM_TOO_LONG);
+    OPENSSL_PUT_ERROR(BN, BN_R_BIGNUM_TOO_LONG);
    return NULL;
  }

  if (bn->flags & BN_FLG_STATIC_DATA) {
-    OPENSSL_PUT_ERROR(BN, bn_wexpand, BN_R_EXPAND_ON_STATIC_BIGNUM_DATA);
+    OPENSSL_PUT_ERROR(BN, BN_R_EXPAND_ON_STATIC_BIGNUM_DATA);
    return NULL;
  }

  a = (BN_ULONG *)OPENSSL_malloc(sizeof(BN_ULONG) * words);
  if (a == NULL) {
-    OPENSSL_PUT_ERROR(BN, bn_wexpand, ERR_R_MALLOC_FAILURE);
+    OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE);
    return NULL;
  }

  memcpy(a, bn->d, sizeof(BN_ULONG) * bn->top);

-  if (bn->d) {
-    OPENSSL_free(bn->d);
-  }
+  OPENSSL_free(bn->d);
  bn->d = a;
-  bn->dmax = words;
+  bn->dmax = (int)words;

  return bn;
 }

-BIGNUM *bn_expand(BIGNUM *bn, unsigned bits) {
+BIGNUM *bn_expand(BIGNUM *bn, size_t bits) {
+  if (bits + BN_BITS2 - 1 < bits) {
+    OPENSSL_PUT_ERROR(BN, BN_R_BIGNUM_TOO_LONG);
+    return NULL;
+  }
  return bn_wexpand(bn, (bits+BN_BITS2-1)/BN_BITS2);
 }

@@ -0,0 +1,93 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/bn.h>
+
+#include <openssl/bytestring.h>
+#include <openssl/err.h>
+
+
+int BN_cbs2unsigned(CBS *cbs, BIGNUM *ret) {
+  CBS child;
+  if (!CBS_get_asn1(cbs, &child, CBS_ASN1_INTEGER) ||
+      CBS_len(&child) == 0) {
+    OPENSSL_PUT_ERROR(BN, BN_R_BAD_ENCODING);
+    return 0;
+  }
+
+  if (CBS_data(&child)[0] & 0x80) {
+    OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);
+    return 0;
+  }
+
+  /* INTEGERs must be minimal. */
+  if (CBS_data(&child)[0] == 0x00 &&
+      CBS_len(&child) > 1 &&
+      !(CBS_data(&child)[1] & 0x80)) {
+    OPENSSL_PUT_ERROR(BN, BN_R_BAD_ENCODING);
+    return 0;
+  }
+
+  return BN_bin2bn(CBS_data(&child), CBS_len(&child), ret) != NULL;
+}
+
+int BN_cbs2unsigned_buggy(CBS *cbs, BIGNUM *ret) {
+  CBS child;
+  if (!CBS_get_asn1(cbs, &child, CBS_ASN1_INTEGER) ||
+      CBS_len(&child) == 0) {
+    OPENSSL_PUT_ERROR(BN, BN_R_BAD_ENCODING);
+    return 0;
+  }
+
+  /* This function intentionally does not reject negative numbers or non-minimal
+   * encodings. Estonian IDs issued between September 2014 to September 2015 are
+   * broken. See https://crbug.com/532048 and https://crbug.com/534766.
+   *
+   * TODO(davidben): Remove this code and callers in March 2016. */
+  return BN_bin2bn(CBS_data(&child), CBS_len(&child), ret) != NULL;
+}
+
+int BN_bn2cbb(CBB *cbb, const BIGNUM *bn) {
+  /* Negative numbers are unsupported. */
+  if (BN_is_negative(bn)) {
+    OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);
+    return 0;
+  }
+
+  CBB child;
+  if (!CBB_add_asn1(cbb, &child, CBS_ASN1_INTEGER)) {
+    OPENSSL_PUT_ERROR(BN, BN_R_ENCODE_ERROR);
+    return 0;
+  }
+
+  /* The number must be padded with a leading zero if the high bit would
+   * otherwise be set (or |bn| is zero). */
+  if (BN_num_bits(bn) % 8 == 0 &&
+      !CBB_add_u8(&child, 0x00)) {
+    OPENSSL_PUT_ERROR(BN, BN_R_ENCODE_ERROR);
+    return 0;
+  }
+
+  uint8_t *out;
+  if (!CBB_add_space(&child, &out, BN_num_bytes(bn))) {
+    OPENSSL_PUT_ERROR(BN, BN_R_ENCODE_ERROR);
+    return 0;
+  }
+  BN_bn2bin(bn, out);
+  if (!CBB_flush(cbb)) {
+    OPENSSL_PUT_ERROR(BN, BN_R_ENCODE_ERROR);
+    return 0;
+  }
+  return 1;
+}
@@ -56,7 +56,9 @@

 #include <openssl/bn.h>

+#include <assert.h>
 #include <ctype.h>
+#include <limits.h>
 #include <stdio.h>
 #include <string.h>

@@ -67,7 +69,8 @@
 #include "internal.h"

 BIGNUM *BN_bin2bn(const uint8_t *in, size_t len, BIGNUM *ret) {
-  unsigned num_words, m;
+  size_t num_words;
+  unsigned m;
  BN_ULONG word = 0;
  BIGNUM *bn = NULL;

@@ -93,7 +96,10 @@ BIGNUM *BN_bin2bn(const uint8_t *in, size_t len, BIGNUM *ret) {
    return NULL;
  }

-  ret->top = num_words;
+  /* |bn_wexpand| must check bounds on |num_words| to write it into
+   * |ret->dmax|. */
+  assert(num_words <= INT_MAX);
+  ret->top = (int)num_words;
  ret->neg = 0;

  while (len--) {
@@ -198,7 +204,7 @@ char *BN_bn2hex(const BIGNUM *bn) {

  buf = (char *)OPENSSL_malloc(bn->top * BN_BYTES * 2 + 2);
  if (buf == NULL) {
-    OPENSSL_PUT_ERROR(BN, BN_bn2hex, ERR_R_MALLOC_FAILURE);
+    OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE);
    return NULL;
  }

@@ -227,66 +233,80 @@ char *BN_bn2hex(const BIGNUM *bn) {
  return buf;
 }

-/* decode_hex decodes |i| bytes of hex data from |in| and updates |bn|. */
-static void decode_hex(BIGNUM *bn, const char *in, int i) {
-  int h, m, j, k, c;
-  BN_ULONG l=0;
-
-  j = i; /* least significant 'hex' */
-  h = 0;
-  while (j > 0) {
-    m = ((BN_BYTES * 2) <= j) ? (BN_BYTES * 2) : j;
-    l = 0;
-    for (;;) {
-      c = in[j - m];
-      if ((c >= '0') && (c <= '9')) {
-        k = c - '0';
-      } else if ((c >= 'a') && (c <= 'f')) {
-        k = c - 'a' + 10;
-      } else if ((c >= 'A') && (c <= 'F')) {
-        k = c - 'A' + 10;
-      } else {
-        k = 0; /* paranoia */
-      }
-
-      l = (l << 4) | k;
-
-      if (--m <= 0) {
-        bn->d[h++] = l;
-        break;
-      }
-    }
-
-    j -= (BN_BYTES * 2);
+/* decode_hex decodes |in_len| bytes of hex data from |in| and updates |bn|. */
+static int decode_hex(BIGNUM *bn, const char *in, int in_len) {
+  if (in_len > INT_MAX/4) {
+    OPENSSL_PUT_ERROR(BN, BN_R_BIGNUM_TOO_LONG);
+    return 0;
+  }
+  /* |in_len| is the number of hex digits. */
+  if (bn_expand(bn, in_len * 4) == NULL) {
+    return 0;
  }

-  bn->top = h;
+  int i = 0;
+  while (in_len > 0) {
+    /* Decode one |BN_ULONG| at a time. */
+    int todo = BN_BYTES * 2;
+    if (todo > in_len) {
+      todo = in_len;
+    }
+
+    BN_ULONG word = 0;
+    int j;
+    for (j = todo; j > 0; j--) {
+      char c = in[in_len - j];
+
+      BN_ULONG hex;
+      if (c >= '0' && c <= '9') {
+        hex = c - '0';
+      } else if (c >= 'a' && c <= 'f') {
+        hex = c - 'a' + 10;
+      } else if (c >= 'A' && c <= 'F') {
+        hex = c - 'A' + 10;
+      } else {
+        hex = 0;
+        /* This shouldn't happen. The caller checks |isxdigit|. */
+        assert(0);
+      }
+      word = (word << 4) | hex;
+    }
+
+    bn->d[i++] = word;
+    in_len -= todo;
+  }
+  assert(i <= bn->dmax);
+  bn->top = i;
+  return 1;
 }

-/* decode_dec decodes |i| bytes of decimal data from |in| and updates |bn|. */
-static void decode_dec(BIGNUM *bn, const char *in, int i) {
-  int j;
+/* decode_dec decodes |in_len| bytes of decimal data from |in| and updates |bn|. */
+static int decode_dec(BIGNUM *bn, const char *in, int in_len) {
+  int i, j;
  BN_ULONG l = 0;

-  j = BN_DEC_NUM - (i % BN_DEC_NUM);
+  /* Decode |BN_DEC_NUM| digits at a time. */
+  j = BN_DEC_NUM - (in_len % BN_DEC_NUM);
  if (j == BN_DEC_NUM) {
    j = 0;
  }
  l = 0;
-  while (*in) {
+  for (i = 0; i < in_len; i++) {
    l *= 10;
-    l += *in - '0';
-    in++;
+    l += in[i] - '0';
    if (++j == BN_DEC_NUM) {
-      BN_mul_word(bn, BN_DEC_CONV);
-      BN_add_word(bn, l);
+      if (!BN_mul_word(bn, BN_DEC_CONV) ||
+          !BN_add_word(bn, l)) {
+        return 0;
+      }
      l = 0;
      j = 0;
    }
  }
+  return 1;
 }

-typedef void (*decode_func) (BIGNUM *bn, const char *in, int i);
+typedef int (*decode_func) (BIGNUM *bn, const char *in, int in_len);
 typedef int (*char_test_func) (int c);

 static int bn_x2bn(BIGNUM **outp, const char *in, decode_func decode, char_test_func want_char) {
@@ -303,7 +323,7 @@ static int bn_x2bn(BIGNUM **outp, const char *in, decode_func decode, char_test_
    in++;
  }

-  for (i = 0; want_char((unsigned char)in[i]); i++) {}
+  for (i = 0; want_char((unsigned char)in[i]) && i + neg < INT_MAX; i++) {}

  num = i + neg;
  if (outp == NULL) {
@@ -320,16 +340,15 @@ static int bn_x2bn(BIGNUM **outp, const char *in, decode_func decode, char_test_
    ret = *outp;
    BN_zero(ret);
  }
-  ret->neg = neg;

-  /* i is the number of hex digests; */
-  if (bn_expand(ret, i * 4) == NULL) {
+  if (!decode(ret, in, i)) {
    goto err;
  }

-  decode(ret, in, i);
-
  bn_correct_top(ret);
+  if (!BN_is_zero(ret)) {
+    ret->neg = neg;
+  }

  *outp = ret;
  return num;
@@ -364,7 +383,7 @@ char *BN_bn2dec(const BIGNUM *a) {
      (BN_ULONG *)OPENSSL_malloc((num / BN_DEC_NUM + 1) * sizeof(BN_ULONG));
  buf = (char *)OPENSSL_malloc(num + 3);
  if ((buf == NULL) || (bn_data == NULL)) {
-    OPENSSL_PUT_ERROR(BN, BN_bn2dec, ERR_R_MALLOC_FAILURE);
+    OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE);
    goto err;
  }
  t = BN_dup(a);
@@ -406,13 +425,9 @@ char *BN_bn2dec(const BIGNUM *a) {
  ok = 1;

 err:
-  if (bn_data != NULL) {
-    OPENSSL_free(bn_data);
-  }
-  if (t != NULL) {
-    BN_free(t);
-  }
-  if (!ok && buf) {
+  OPENSSL_free(bn_data);
+  BN_free(t);
+  if (!ok) {
    OPENSSL_free(buf);
    buf = NULL;
  }
@@ -440,7 +455,7 @@ int BN_asc2bn(BIGNUM **outp, const char *in) {
    }
  }

-  if (*orig_in == '-') {
+  if (*orig_in == '-' && !BN_is_zero(*outp)) {
    (*outp)->neg = 1;
  }

@@ -502,3 +517,81 @@ BN_ULONG BN_get_word(const BIGNUM *bn) {
      return BN_MASK2;
  }
 }
+
+size_t BN_bn2mpi(const BIGNUM *in, uint8_t *out) {
+  const size_t bits = BN_num_bits(in);
+  const size_t bytes = (bits + 7) / 8;
+  /* If the number of bits is a multiple of 8, i.e. if the MSB is set,
+   * prefix with a zero byte. */
+  int extend = 0;
+  if (bytes != 0 && (bits & 0x07) == 0) {
+    extend = 1;
+  }
+
+  const size_t len = bytes + extend;
+  if (len < bytes ||
+      4 + len < len ||
+      (len & 0xffffffff) != len) {
+    /* If we cannot represent the number then we emit zero as the interface
+     * doesn't allow an error to be signalled. */
+    if (out) {
+      memset(out, 0, 4);
+    }
+    return 4;
+  }
+
+  if (out == NULL) {
+    return 4 + len;
+  }
+
+  out[0] = len >> 24;
+  out[1] = len >> 16;
+  out[2] = len >> 8;
+  out[3] = len;
+  if (extend) {
+    out[4] = 0;
+  }
+  BN_bn2bin(in, out + 4 + extend);
+  if (in->neg && len > 0) {
+    out[4] |= 0x80;
+  }
+  return len + 4;
+}
+
+BIGNUM *BN_mpi2bn(const uint8_t *in, size_t len, BIGNUM *out) {
+  if (len < 4) {
+    OPENSSL_PUT_ERROR(BN, BN_R_BAD_ENCODING);
+    return NULL;
+  }
+  const size_t in_len = ((size_t)in[0] << 24) |
+                        ((size_t)in[1] << 16) |
+                        ((size_t)in[2] << 8) |
+                        ((size_t)in[3]);
+  if (in_len != len - 4) {
+    OPENSSL_PUT_ERROR(BN, BN_R_BAD_ENCODING);
+    return NULL;
+  }
+
+  if (out == NULL) {
+    out = BN_new();
+  }
+  if (out == NULL) {
+    OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE);
+    return NULL;
+  }
+
+  if (in_len == 0) {
+    BN_zero(out);
+    return out;
+  }
+
+  in += 4;
+  if (BN_bin2bn(in, in_len, out) == NULL) {
+    return NULL;
+  }
+  out->neg = ((*in) & 0x80) != 0;
+  if (out->neg) {
+    BN_clear_bit(out, BN_num_bits(out) - 1);
+  }
+  return out;
+}
@@ -124,7 +124,7 @@ struct bignum_ctx {
 BN_CTX *BN_CTX_new(void) {
  BN_CTX *ret = OPENSSL_malloc(sizeof(BN_CTX));
  if (!ret) {
-    OPENSSL_PUT_ERROR(BN, BN_CTX_new, ERR_R_MALLOC_FAILURE);
+    OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE);
    return NULL;
  }

@@ -153,7 +153,7 @@ void BN_CTX_start(BN_CTX *ctx) {
    ctx->err_stack++;
  } else if (!BN_STACK_push(&ctx->stack, ctx->used)) {
    /* (Try to) get a new frame pointer */
-    OPENSSL_PUT_ERROR(BN, BN_CTX_start, BN_R_TOO_MANY_TEMPORARY_VARIABLES);
+    OPENSSL_PUT_ERROR(BN, BN_R_TOO_MANY_TEMPORARY_VARIABLES);
    ctx->err_stack++;
  }
 }
@@ -169,7 +169,7 @@ BIGNUM *BN_CTX_get(BN_CTX *ctx) {
    /* Setting too_many prevents repeated "get" attempts from
     * cluttering the error stack. */
    ctx->too_many = 1;
-    OPENSSL_PUT_ERROR(BN, BN_CTX_get, BN_R_TOO_MANY_TEMPORARY_VARIABLES);
+    OPENSSL_PUT_ERROR(BN, BN_R_TOO_MANY_TEMPORARY_VARIABLES);
    return NULL;
  }

@@ -205,9 +205,7 @@ static void BN_STACK_init(BN_STACK *st) {
 }

 static void BN_STACK_finish(BN_STACK *st) {
-  if (st->size) {
-    OPENSSL_free(st->indexes);
-  }
+  OPENSSL_free(st->indexes);
 }

 static int BN_STACK_push(BN_STACK *st, unsigned int idx) {
@@ -222,9 +220,7 @@ static int BN_STACK_push(BN_STACK *st, unsigned int idx) {
    if (st->depth) {
      memcpy(newitems, st->indexes, st->depth * sizeof(unsigned int));
    }
-    if (st->size) {
-      OPENSSL_free(st->indexes);
-    }
+    OPENSSL_free(st->indexes);
    st->indexes = newitems;
    st->size = newsize;
  }
@@ -125,7 +125,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
   * so don't just rely on bn_check_top() here */
  if ((num->top > 0 && num->d[num->top - 1] == 0) ||
      (divisor->top > 0 && divisor->d[divisor->top - 1] == 0)) {
-    OPENSSL_PUT_ERROR(BN, BN_div, BN_R_NOT_INITIALIZED);
+    OPENSSL_PUT_ERROR(BN, BN_R_NOT_INITIALIZED);
    return 0;
  }

@@ -135,7 +135,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
  }

  if (BN_is_zero(divisor)) {
-    OPENSSL_PUT_ERROR(BN, BN_div, BN_R_DIV_BY_ZERO);
+    OPENSSL_PUT_ERROR(BN, BN_R_DIV_BY_ZERO);
    return 0;
  }

@@ -492,9 +492,7 @@ int BN_mod_lshift(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m,

  ret = BN_mod_lshift_quick(r, r, n, (abs_m ? abs_m : m));

-  if (abs_m) {
-    BN_free(abs_m);
-  }
+  BN_free(abs_m);
  return ret;
 }

@@ -513,7 +511,7 @@ int BN_mod_lshift_quick(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m) {
    /* max_shift >= 0 */

    if (max_shift < 0) {
-      OPENSSL_PUT_ERROR(BN, BN_mod_lshift_quick, BN_R_INPUT_NOT_REDUCED);
+      OPENSSL_PUT_ERROR(BN, BN_R_INPUT_NOT_REDUCED);
      return 0;
    }

@@ -131,7 +131,7 @@ int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) {

  if ((p->flags & BN_FLG_CONSTTIME) != 0) {
    /* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */
-    OPENSSL_PUT_ERROR(BN, BN_exp, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+    OPENSSL_PUT_ERROR(BN, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
    return 0;
  }

@@ -173,8 +173,8 @@ int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) {
    }
  }

-  if (r != rr) {
-    BN_copy(r, rr);
+  if (r != rr && !BN_copy(r, rr)) {
+    goto err;
  }
  ret = 1;

@@ -333,7 +333,7 @@ static int BN_div_recp(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
  j = 0;
  while (BN_ucmp(r, &(recp->N)) >= 0) {
    if (j++ > 2) {
-      OPENSSL_PUT_ERROR(BN, BN_div_recp, BN_R_BAD_RECIPROCAL);
+      OPENSSL_PUT_ERROR(BN, BN_R_BAD_RECIPROCAL);
      goto err;
    }
    if (!BN_usub(r, r, &(recp->N))) {
@@ -427,7 +427,7 @@ static int mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,

  if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) {
    /* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */
-    OPENSSL_PUT_ERROR(BN, mod_exp_recp, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+    OPENSSL_PUT_ERROR(BN, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
    return 0;
  }

@@ -616,7 +616,7 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
  }

  if (!BN_is_odd(m)) {
-    OPENSSL_PUT_ERROR(BN, BN_mod_exp_mont, BN_R_CALLED_WITH_EVEN_MODULUS);
+    OPENSSL_PUT_ERROR(BN, BN_R_CALLED_WITH_EVEN_MODULUS);
    return 0;
  }
  bits = BN_num_bits(p);
@@ -763,7 +763,7 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
  ret = 1;

 err:
-  if (in_mont == NULL && mont != NULL) {
+  if (in_mont == NULL) {
    BN_MONT_CTX_free(mont);
  }
  BN_CTX_end(ctx);
@@ -865,8 +865,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
  top = m->top;

  if (!(m->d[0] & 1)) {
-    OPENSSL_PUT_ERROR(BN, BN_mod_exp_mont_consttime,
-                      BN_R_CALLED_WITH_EVEN_MODULUS);
+    OPENSSL_PUT_ERROR(BN, BN_R_CALLED_WITH_EVEN_MODULUS);
    return 0;
  }
  bits = BN_num_bits(p);
@@ -878,8 +877,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
  BN_CTX_start(ctx);

  /* Allocate a montgomery context if it was not supplied by the caller.
-   * If this is not done, things will break in the montgomery part.
-   */
+   * If this is not done, things will break in the montgomery part. */
  if (in_mont != NULL) {
    mont = in_mont;
  } else {
@@ -927,7 +925,6 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
    }
  }
 #endif
-  (void)0;

  /* Allocate a buffer large enough to hold all of the pre-computed
   * powers of am, am itself and tmp.
@@ -1191,14 +1188,12 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
  }
  ret = 1;
 err:
-  if ((in_mont == NULL) && (mont != NULL)) {
+  if (in_mont == NULL) {
    BN_MONT_CTX_free(mont);
  }
  if (powerbuf != NULL) {
    OPENSSL_cleanse(powerbuf, powerbufLen);
-    if (powerbufFree) {
-      OPENSSL_free(powerbufFree);
-    }
+    OPENSSL_free(powerbufFree);
  }
  BN_CTX_end(ctx);
  return (ret);
@@ -1226,13 +1221,12 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,

  if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) {
    /* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */
-    OPENSSL_PUT_ERROR(BN, BN_mod_exp_mont_word,
-        ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+    OPENSSL_PUT_ERROR(BN, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
    return 0;
  }

  if (!BN_is_odd(m)) {
-    OPENSSL_PUT_ERROR(BN, BN_mod_exp_mont_word, BN_R_CALLED_WITH_EVEN_MODULUS);
+    OPENSSL_PUT_ERROR(BN, BN_R_CALLED_WITH_EVEN_MODULUS);
    return 0;
  }

@@ -1353,7 +1347,7 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
  ret = 1;

 err:
-  if (in_mont == NULL && mont != NULL) {
+  if (in_mont == NULL) {
    BN_MONT_CTX_free(mont);
  }
  BN_CTX_end(ctx);
@@ -1375,7 +1369,7 @@ int BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1,
  BN_MONT_CTX *mont = NULL;

  if (!(m->d[0] & 1)) {
-    OPENSSL_PUT_ERROR(BN, BN_mod_exp2_mont, BN_R_CALLED_WITH_EVEN_MODULUS);
+    OPENSSL_PUT_ERROR(BN, BN_R_CALLED_WITH_EVEN_MODULUS);
    return 0;
  }
  bits1 = BN_num_bits(p1);
@@ -1557,7 +1551,7 @@ int BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1,
  ret = 1;

 err:
-  if (in_mont == NULL && mont != NULL) {
+  if (in_mont == NULL) {
    BN_MONT_CTX_free(mont);
  }
  BN_CTX_end(ctx);
@@ -522,7 +522,7 @@ BIGNUM *BN_mod_inverse(BIGNUM *out, const BIGNUM *a, const BIGNUM *n,
      }
    }
  } else {
-    OPENSSL_PUT_ERROR(BN, BN_mod_inverse, BN_R_NO_INVERSE);
+    OPENSSL_PUT_ERROR(BN, BN_R_NO_INVERSE);
    goto err;
  }
  ret = R;
@@ -682,7 +682,7 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *out, const BIGNUM *a,
      }
    }
  } else {
-    OPENSSL_PUT_ERROR(BN, BN_mod_inverse_no_branch, BN_R_NO_INVERSE);
+    OPENSSL_PUT_ERROR(BN, BN_R_NO_INVERSE);
    goto err;
  }
  ret = R;
@@ -125,14 +125,6 @@

 #include <openssl/base.h>

-/* Some versions of inttypes.h will not define print macros in C++ unless
- * __STDC_FORMAT_MACROS is set. */
-#if !defined(__STDC_FORMAT_MACROS)
-#define __STDC_FORMAT_MACROS
-#endif
-
-#include <inttypes.h>
-
 #if defined(OPENSSL_X86_64) && defined(_MSC_VER) && _MSC_VER >= 1400
 #pragma warning(push, 3)
 #include <intrin.h>
@@ -144,9 +136,9 @@
 extern "C" {
 #endif

-/* bn_expand acts the same as |BN_wexpand|, but takes a number of bits rather
+/* bn_expand acts the same as |bn_wexpand|, but takes a number of bits rather
 * than a number of words. */
-BIGNUM *bn_expand(BIGNUM *bn, unsigned bits);
+BIGNUM *bn_expand(BIGNUM *bn, size_t bits);

 #if defined(OPENSSL_64_BIT)

@@ -167,10 +159,7 @@ BIGNUM *bn_expand(BIGNUM *bn, unsigned bits);
 #define BN_MASK2h1	(0xffffffff80000000L)
 #define BN_TBIT		(0x8000000000000000L)
 #define BN_DEC_CONV	(10000000000000000000UL)
-#define BN_DEC_FMT1	"%" PRIu64
-#define BN_DEC_FMT2	"%019" PRIu64
 #define BN_DEC_NUM	19
-#define BN_HEX_FMT1	"%" PRIx64

 #elif defined(OPENSSL_32_BIT)

@@ -187,10 +176,7 @@ BIGNUM *bn_expand(BIGNUM *bn, unsigned bits);
 #define BN_MASK2h	(0xffff0000L)
 #define BN_TBIT		(0x80000000L)
 #define BN_DEC_CONV	(1000000000L)
-#define BN_DEC_FMT1	"%" PRIu32
-#define BN_DEC_FMT2	"%09" PRIu32
 #define BN_DEC_NUM	9
-#define BN_HEX_FMT1	"%" PRIx32

 #else
 #error "Must define either OPENSSL_32_BIT or OPENSSL_64_BIT"
@@ -110,10 +110,12 @@

 #include <string.h>

+#include <openssl/err.h>
 #include <openssl/mem.h>
 #include <openssl/thread.h>

 #include "internal.h"
+#include "../internal.h"


 #if !defined(OPENSSL_NO_ASM) && \
@@ -175,6 +177,11 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) {
  BIGNUM tmod;
  BN_ULONG buf[2];

+  if (BN_is_zero(mod)) {
+    OPENSSL_PUT_ERROR(BN, BN_R_DIV_BY_ZERO);
+    return 0;
+  }
+
  BN_CTX_start(ctx);
  Ri = BN_CTX_get(ctx);
  if (Ri == NULL) {
@@ -292,44 +299,36 @@ err:
  return ret;
 }

-BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock,
-                                    const BIGNUM *mod, BN_CTX *ctx) {
-  BN_MONT_CTX *ret;
+BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, CRYPTO_MUTEX *lock,
+                                    const BIGNUM *mod, BN_CTX *bn_ctx) {
+  CRYPTO_MUTEX_lock_read(lock);
+  BN_MONT_CTX *ctx = *pmont;
+  CRYPTO_MUTEX_unlock(lock);

-  CRYPTO_r_lock(lock);
-  ret = *pmont;
-  CRYPTO_r_unlock(lock);
-  if (ret) {
-    return ret;
+  if (ctx) {
+    return ctx;
  }

-  /* We don't want to serialise globally while doing our lazy-init math in
-   * BN_MONT_CTX_set. That punishes threads that are doing independent
-   * things. Instead, punish the case where more than one thread tries to
-   * lazy-init the same 'pmont', by having each do the lazy-init math work
-   * independently and only use the one from the thread that wins the race
-   * (the losers throw away the work they've done). */
-  ret = BN_MONT_CTX_new();
-  if (!ret) {
-    return NULL;
-  }
-  if (!BN_MONT_CTX_set(ret, mod, ctx)) {
-    BN_MONT_CTX_free(ret);
-    return NULL;
+  CRYPTO_MUTEX_lock_write(lock);
+  ctx = *pmont;
+  if (ctx) {
+    goto out;
  }

-  /* The locked compare-and-set, after the local work is done. */
-  CRYPTO_w_lock(lock);
-  if (*pmont) {
-    BN_MONT_CTX_free(ret);
-    ret = *pmont;
-  } else {
-    *pmont = ret;
+  ctx = BN_MONT_CTX_new();
+  if (ctx == NULL) {
+    goto out;
  }
+  if (!BN_MONT_CTX_set(ctx, mod, bn_ctx)) {
+    BN_MONT_CTX_free(ctx);
+    ctx = NULL;
+    goto out;
+  }
+  *pmont = ctx;

-  CRYPTO_w_unlock(lock);
-
-  return ret;
+out:
+  CRYPTO_MUTEX_unlock(lock);
+  return ctx;
 }

 int BN_to_montgomery(BIGNUM *ret, const BIGNUM *a, const BN_MONT_CTX *mont,
@@ -666,8 +666,8 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) {

 end:
  bn_correct_top(rr);
-  if (r != rr) {
-    BN_copy(r, rr);
+  if (r != rr && !BN_copy(r, rr)) {
+    goto err;
  }
  ret = 1;

@@ -877,8 +877,8 @@ int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) {
    rr->top = max;
  }

-  if (rr != r) {
-    BN_copy(r, rr);
+  if (rr != r && !BN_copy(r, rr)) {
+    goto err;
  }
  ret = 1;

@@ -362,11 +362,11 @@ int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add,

  if (bits < 2) {
    /* There are no prime numbers this small. */
-    OPENSSL_PUT_ERROR(BN, BN_generate_prime_ex, BN_R_BITS_TOO_SMALL);
+    OPENSSL_PUT_ERROR(BN, BN_R_BITS_TOO_SMALL);
    return 0;
  } else if (bits == 2 && safe) {
    /* The smallest safe prime (7) is three bits. */
-    OPENSSL_PUT_ERROR(BN, BN_generate_prime_ex, BN_R_BITS_TOO_SMALL);
+    OPENSSL_PUT_ERROR(BN, BN_R_BITS_TOO_SMALL);
    return 0;
  }

@@ -515,11 +515,10 @@ int BN_is_prime_fasttest_ex(const BIGNUM *a, int checks, BN_CTX *ctx_passed,

  /* A := abs(a) */
  if (a->neg) {
-    BIGNUM *t;
-    if ((t = BN_CTX_get(ctx)) == NULL) {
+    BIGNUM *t = BN_CTX_get(ctx);
+    if (t == NULL || !BN_copy(t, a)) {
      goto err;
    }
-    BN_copy(t, a);
    t->neg = 0;
    A = t;
  } else {
@@ -134,7 +134,7 @@ int BN_rand(BIGNUM *rnd, int bits, int top, int bottom) {

  buf = OPENSSL_malloc(bytes);
  if (buf == NULL) {
-    OPENSSL_PUT_ERROR(BN, BN_rand, ERR_R_MALLOC_FAILURE);
+    OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE);
    goto err;
  }

@@ -144,7 +144,7 @@ int BN_rand(BIGNUM *rnd, int bits, int top, int bottom) {
  }

  if (top != -1) {
-    if (top) {
+    if (top && bits > 1) {
      if (bit == 0) {
        buf[0] = 1;
        buf[1] |= 0x80;
@@ -186,7 +186,7 @@ int BN_rand_range(BIGNUM *r, const BIGNUM *range) {
  unsigned count = 100;

  if (range->neg || BN_is_zero(range)) {
-    OPENSSL_PUT_ERROR(BN, BN_rand_range, BN_R_INVALID_RANGE);
+    OPENSSL_PUT_ERROR(BN, BN_R_INVALID_RANGE);
    return 0;
  }

@@ -219,7 +219,7 @@ int BN_rand_range(BIGNUM *r, const BIGNUM *range) {
      }

      if (!--count) {
-        OPENSSL_PUT_ERROR(BN, BN_rand_range, BN_R_TOO_MANY_ITERATIONS);
+        OPENSSL_PUT_ERROR(BN, BN_R_TOO_MANY_ITERATIONS);
        return 0;
      }
    } while (BN_cmp(r, range) >= 0);
@@ -231,7 +231,7 @@ int BN_rand_range(BIGNUM *r, const BIGNUM *range) {
      }

      if (!--count) {
-        OPENSSL_PUT_ERROR(BN, BN_rand_range, BN_R_TOO_MANY_ITERATIONS);
+        OPENSSL_PUT_ERROR(BN, BN_R_TOO_MANY_ITERATIONS);
        return 0;
      }
    } while (BN_cmp(r, range) >= 0);
@@ -264,13 +264,13 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, const BIGNUM *priv,
  }

  if (BN_is_zero(range)) {
-    OPENSSL_PUT_ERROR(BN, BN_generate_dsa_nonce, BN_R_DIV_BY_ZERO);
+    OPENSSL_PUT_ERROR(BN, BN_R_DIV_BY_ZERO);
    goto err;
  }

  k_bytes = OPENSSL_malloc(num_k_bytes);
  if (!k_bytes) {
-    OPENSSL_PUT_ERROR(BN, BN_generate_dsa_nonce, ERR_R_MALLOC_FAILURE);
+    OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE);
    goto err;
  }

@@ -281,7 +281,7 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, const BIGNUM *priv,
    /* No reasonable DSA or ECDSA key should have a private key
     * this large and we don't handle this case in order to avoid
     * leaking the length of the private key. */
-    OPENSSL_PUT_ERROR(BN, BN_generate_dsa_nonce, BN_R_PRIVATE_KEY_TOO_LARGE);
+    OPENSSL_PUT_ERROR(BN, BN_R_PRIVATE_KEY_TOO_LARGE);
    goto err;
  }
  memcpy(private_bytes, priv->d, todo);
@@ -321,8 +321,6 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, const BIGNUM *priv,
  ret = 1;

 err:
-  if (k_bytes) {
-    OPENSSL_free(k_bytes);
-  }
+  OPENSSL_free(k_bytes);
  return ret;
 }
@@ -1,32 +1,44 @@
-/******************************************************************************
-* Copyright(c) 2012, Intel Corp.                                             
-* Developers and authors:                                                    
-* Shay Gueron (1, 2), and Vlad Krasnov (1)                                   
-* (1) Intel Corporation, Israel Development Center, Haifa, Israel                               
-* (2) University of Haifa, Israel                                              
+/*****************************************************************************
+*                                                                            *
+*  Copyright (c) 2012, Intel Corporation                                     *
+*                                                                            *
+*  All rights reserved.                                                      *
+*                                                                            *
+*  Redistribution and use in source and binary forms, with or without        *
+*  modification, are permitted provided that the following conditions are    *
+*  met:                                                                      *
+*                                                                            *
+*  *  Redistributions of source code must retain the above copyright         *
+*     notice, this list of conditions and the following disclaimer.          *
+*                                                                            *
+*  *  Redistributions in binary form must reproduce the above copyright      *
+*     notice, this list of conditions and the following disclaimer in the    *
+*     documentation and/or other materials provided with the                 *
+*     distribution.                                                          *
+*                                                                            *
+*  *  Neither the name of the Intel Corporation nor the names of its         *
+*     contributors may be used to endorse or promote products derived from   *
+*     this software without specific prior written permission.               *
+*                                                                            *
+*                                                                            *
+*  THIS SOFTWARE IS PROVIDED BY INTEL CORPORATION ""AS IS"" AND ANY          *
+*  EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE         *
+*  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR        *
+*  PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL INTEL CORPORATION OR            *
+*  CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,     *
+*  EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,       *
+*  PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR        *
+*  PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF    *
+*  LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING      *
+*  NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS        *
+*  SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.              *
+*                                                                            *
 ******************************************************************************
-* LICENSE:                                                                
-* This submission to OpenSSL is to be made available under the OpenSSL  
-* license, and only to the OpenSSL project, in order to allow integration    
-* into the publicly distributed code. 
-* The use of this code, or portions of this code, or concepts embedded in
-* this code, or modification of this code and/or algorithm(s) in it, or the
-* use of this code for any other purpose than stated above, requires special
-* licensing.                                                                  
-******************************************************************************
-* DISCLAIMER:                                                                
-* THIS SOFTWARE IS PROVIDED BY THE CONTRIBUTORS AND THE COPYRIGHT OWNERS     
-* ``AS IS''. ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 
-* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
-* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE CONTRIBUTORS OR THE COPYRIGHT
-* OWNERS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, 
-* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF    
-* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS   
-* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN    
-* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)    
-* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
-* POSSIBILITY OF SUCH DAMAGE.                                                
-******************************************************************************/
+* Developers and authors:                                                    *
+* Shay Gueron (1, 2), and Vlad Krasnov (1)                                   *
+* (1) Intel Corporation, Israel Development Center, Haifa, Israel            *
+* (2) University of Haifa, Israel                                            *
+*****************************************************************************/

 #ifndef RSAZ_EXP_H
 #define RSAZ_EXP_H
@@ -58,6 +58,8 @@

 #include <string.h>

+#include <openssl/err.h>
+
 #include "internal.h"


@@ -66,6 +68,11 @@ int BN_lshift(BIGNUM *r, const BIGNUM *a, int n) {
  BN_ULONG *t, *f;
  BN_ULONG l;

+  if (n < 0) {
+    OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);
+    return 0;
+  }
+
  r->neg = a->neg;
  nw = n / BN_BITS2;
  if (bn_wexpand(r, a->top + nw + 1) == NULL) {
@@ -130,6 +137,11 @@ int BN_rshift(BIGNUM *r, const BIGNUM *a, int n) {
  BN_ULONG *t, *f;
  BN_ULONG l, tmp;

+  if (n < 0) {
+    OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);
+    return 0;
+  }
+
  nw = n / BN_BITS2;
  rb = n % BN_BITS2;
  lb = BN_BITS2 - rb;
@@ -86,7 +86,7 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) {
      return ret;
    }

-    OPENSSL_PUT_ERROR(BN, BN_mod_sqrt, BN_R_P_IS_NOT_PRIME);
+    OPENSSL_PUT_ERROR(BN, BN_R_P_IS_NOT_PRIME);
    return (NULL);
  }

@@ -260,7 +260,7 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) {
    }
    if (r == 0) {
      /* m divides p */
-      OPENSSL_PUT_ERROR(BN, BN_mod_sqrt, BN_R_P_IS_NOT_PRIME);
+      OPENSSL_PUT_ERROR(BN, BN_R_P_IS_NOT_PRIME);
      goto end;
    }
  } while (r == 1 && ++i < 82);
@@ -271,7 +271,7 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) {
     * Even if  p  is not prime, we should have found some  y
     * such that r == -1.
     */
-    OPENSSL_PUT_ERROR(BN, BN_mod_sqrt, BN_R_TOO_MANY_ITERATIONS);
+    OPENSSL_PUT_ERROR(BN, BN_R_TOO_MANY_ITERATIONS);
    goto end;
  }

@@ -286,7 +286,7 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) {
    goto end;
  }
  if (BN_is_one(y)) {
-    OPENSSL_PUT_ERROR(BN, BN_mod_sqrt, BN_R_P_IS_NOT_PRIME);
+    OPENSSL_PUT_ERROR(BN, BN_R_P_IS_NOT_PRIME);
    goto end;
  }

@@ -377,7 +377,7 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) {
    while (!BN_is_one(t)) {
      i++;
      if (i == e) {
-        OPENSSL_PUT_ERROR(BN, BN_mod_sqrt, BN_R_NOT_A_SQUARE);
+        OPENSSL_PUT_ERROR(BN, BN_R_NOT_A_SQUARE);
        goto end;
      }
      if (!BN_mod_mul(t, t, t, p, ctx)) {
@@ -413,14 +413,14 @@ vrfy:
    }

    if (!err && 0 != BN_cmp(x, A)) {
-      OPENSSL_PUT_ERROR(BN, BN_mod_sqrt, BN_R_NOT_A_SQUARE);
+      OPENSSL_PUT_ERROR(BN, BN_R_NOT_A_SQUARE);
      err = 1;
    }
  }

 end:
  if (err) {
-    if (ret != NULL && ret != in) {
+    if (ret != in) {
      BN_clear_free(ret);
    }
    ret = NULL;
@@ -434,7 +434,7 @@ int BN_sqrt(BIGNUM *out_sqrt, const BIGNUM *in, BN_CTX *ctx) {
  int ok = 0, last_delta_valid = 0;

  if (in->neg) {
-    OPENSSL_PUT_ERROR(BN, BN_sqrt, BN_R_NEGATIVE_NUMBER);
+    OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);
    return 0;
  }
  if (BN_is_zero(in)) {
@@ -452,7 +452,7 @@ int BN_sqrt(BIGNUM *out_sqrt, const BIGNUM *in, BN_CTX *ctx) {
  last_delta = BN_CTX_get(ctx);
  delta = BN_CTX_get(ctx);
  if (estimate == NULL || tmp == NULL || last_delta == NULL || delta == NULL) {
-    OPENSSL_PUT_ERROR(BN, BN_sqrt, ERR_R_MALLOC_FAILURE);
+    OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE);
    goto err;
  }

@@ -470,7 +470,7 @@ int BN_sqrt(BIGNUM *out_sqrt, const BIGNUM *in, BN_CTX *ctx) {
        !BN_sqr(tmp, estimate, ctx) ||
        /* |delta| = |in| - |tmp| */
        !BN_sub(delta, in, tmp)) {
-      OPENSSL_PUT_ERROR(BN, BN_sqrt, ERR_R_BN_LIB);
+      OPENSSL_PUT_ERROR(BN, ERR_R_BN_LIB);
      goto err;
    }

@@ -490,15 +490,15 @@ int BN_sqrt(BIGNUM *out_sqrt, const BIGNUM *in, BN_CTX *ctx) {
  }

  if (BN_cmp(tmp, in) != 0) {
-    OPENSSL_PUT_ERROR(BN, BN_sqrt, BN_R_NOT_A_SQUARE);
+    OPENSSL_PUT_ERROR(BN, BN_R_NOT_A_SQUARE);
    goto err;
  }

  ok = 1;

 err:
-  if (ok && out_sqrt == in) {
-    BN_copy(out_sqrt, estimate);
+  if (ok && out_sqrt == in && !BN_copy(out_sqrt, estimate)) {
+    ok = 0;
  }
  BN_CTX_end(ctx);
  return ok;
@@ -67,7 +67,7 @@ BUF_MEM *BUF_MEM_new(void) {

  ret = OPENSSL_malloc(sizeof(BUF_MEM));
  if (ret == NULL) {
-    OPENSSL_PUT_ERROR(BUF, BUF_MEM_new, ERR_R_MALLOC_FAILURE);
+    OPENSSL_PUT_ERROR(BUF, ERR_R_MALLOC_FAILURE);
    return NULL;
  }

@@ -105,14 +105,14 @@ static size_t buf_mem_grow(BUF_MEM *buf, size_t len, char clean) {
  n = len + 3;
  if (n < len) {
    /* overflow */
-    OPENSSL_PUT_ERROR(BUF, buf_mem_grow, ERR_R_MALLOC_FAILURE);
+    OPENSSL_PUT_ERROR(BUF, ERR_R_MALLOC_FAILURE);
    return 0;
  }
  n = n / 3;
  alloc_size = n * 4;
  if (alloc_size / 4 != n) {
    /* overflow */
-    OPENSSL_PUT_ERROR(BUF, buf_mem_grow, ERR_R_MALLOC_FAILURE);
+    OPENSSL_PUT_ERROR(BUF, ERR_R_MALLOC_FAILURE);
    return 0;
  }

@@ -127,7 +127,7 @@ static size_t buf_mem_grow(BUF_MEM *buf, size_t len, char clean) {
  }

  if (new_buf == NULL) {
-    OPENSSL_PUT_ERROR(BUF, buf_mem_grow, ERR_R_MALLOC_FAILURE);
+    OPENSSL_PUT_ERROR(BUF, ERR_R_MALLOC_FAILURE);
    len = 0;
  } else {
    buf->data = new_buf;
@@ -180,12 +180,12 @@ char *BUF_strndup(const char *buf, size_t size) {
  alloc_size = size + 1;
  if (alloc_size < size) {
    /* overflow */
-    OPENSSL_PUT_ERROR(BUF, BUF_strndup, ERR_R_MALLOC_FAILURE);
+    OPENSSL_PUT_ERROR(BUF, ERR_R_MALLOC_FAILURE);
    return NULL;
  }
  ret = OPENSSL_malloc(alloc_size);
  if (ret == NULL) {
-    OPENSSL_PUT_ERROR(BUF, BUF_strndup, ERR_R_MALLOC_FAILURE);
+    OPENSSL_PUT_ERROR(BUF, ERR_R_MALLOC_FAILURE);
    return NULL;
  }

@@ -226,7 +226,7 @@ void *BUF_memdup(const void *data, size_t dst_size) {

  ret = OPENSSL_malloc(dst_size);
  if (ret == NULL) {
-    OPENSSL_PUT_ERROR(BUF, BUF_memdup, ERR_R_MALLOC_FAILURE);
+    OPENSSL_PUT_ERROR(BUF, ERR_R_MALLOC_FAILURE);
    return NULL;
  }

@@ -14,6 +14,8 @@ add_executable(
  bytestring_test

  bytestring_test.cc
+
+  $<TARGET_OBJECTS:test_support>
 )

 target_link_libraries(bytestring_test crypto)
@@ -43,7 +43,7 @@ static int cbs_find_ber(CBS *orig_in, char *ber_found, unsigned depth) {
    unsigned tag;
    size_t header_len;

-    if (!CBS_get_any_asn1_element(&in, &contents, &tag, &header_len)) {
+    if (!CBS_get_any_ber_asn1_element(&in, &contents, &tag, &header_len)) {
      return 0;
    }
    if (CBS_len(&contents) == header_len &&
@@ -74,7 +74,7 @@ static char is_primitive_type(unsigned tag) {
 }

 /* is_eoc returns true if |header_len| and |contents|, as returned by
- * |CBS_get_any_asn1_element|, indicate an "end of contents" (EOC) value. */
+ * |CBS_get_any_ber_asn1_element|, indicate an "end of contents" (EOC) value. */
 static char is_eoc(size_t header_len, CBS *contents) {
  return header_len == 2 && CBS_len(contents) == 2 &&
         memcmp(CBS_data(contents), "\x00\x00", 2) == 0;
@@ -98,7 +98,7 @@ static int cbs_convert_ber(CBS *in, CBB *out, char squash_header,
    size_t header_len;
    CBB *out_contents, out_contents_storage;

-    if (!CBS_get_any_asn1_element(in, &contents, &tag, &header_len)) {
+    if (!CBS_get_any_ber_asn1_element(in, &contents, &tag, &header_len)) {
      return 0;
    }
    out_contents = out;
@@ -129,8 +129,8 @@ static int cbs_convert_ber(CBS *in, CBB *out, char squash_header,
          size_t inner_header_len;

          CBS_init(&in_copy, CBS_data(in), CBS_len(in));
-          if (!CBS_get_any_asn1_element(&in_copy, &inner_contents, &inner_tag,
-                                        &inner_header_len)) {
+          if (!CBS_get_any_ber_asn1_element(&in_copy, &inner_contents,
+                                            &inner_tag, &inner_header_len)) {
            return 0;
          }
          if (CBS_len(&inner_contents) > inner_header_len &&
@@ -209,7 +209,9 @@ int CBS_asn1_ber_to_der(CBS *in, uint8_t **out, size_t *out_len) {
    return 1;
  }

-  CBB_init(&cbb, CBS_len(in));
+  if (!CBB_init(&cbb, CBS_len(in))) {
+    return 0;
+  }
  if (!cbs_convert_ber(in, &cbb, 0, 0, 0)) {
    CBB_cleanup(&cbb);
    return 0;
@@ -109,7 +109,7 @@ static bool TestGetASN1() {
  static const uint8_t kData2[] = {0x30, 3, 1, 2};
  static const uint8_t kData3[] = {0x30, 0x80};
  static const uint8_t kData4[] = {0x30, 0x81, 1, 1};
-  static const uint8_t kData5[] = {0x30, 0x82, 0, 1, 1};
+  static const uint8_t kData5[4 + 0x80] = {0x30, 0x82, 0, 0x80};
  static const uint8_t kData6[] = {0xa1, 3, 0x4, 1, 1};
  static const uint8_t kData7[] = {0xa1, 3, 0x4, 2, 1};
  static const uint8_t kData8[] = {0xa1, 3, 0x2, 1, 1};
@@ -596,8 +596,10 @@ static const ASN1InvalidUint64Test kASN1InvalidUint64Tests[] = {
    {"\x02\x00", 2},
    // Negative number.
    {"\x02\x01\x80", 3},
-    // Overflow
+    // Overflow.
    {"\x02\x09\x01\x00\x00\x00\x00\x00\x00\x00\x00", 11},
+    // Leading zeros.
+    {"\x02\x02\x00\x01", 4},
 };

 static bool TestASN1Uint64() {
@@ -647,6 +649,14 @@ static bool TestASN1Uint64() {
  return true;
 }

+static int TestZero() {
+  CBB cbb;
+  CBB_zero(&cbb);
+  // Calling |CBB_cleanup| on a zero-state |CBB| must not crash.
+  CBB_cleanup(&cbb);
+  return 1;
+}
+
 int main(void) {
  CRYPTO_library_init();

@@ -663,7 +673,8 @@ int main(void) {
      !TestCBBASN1() ||
      !TestBerConvert() ||
      !TestASN1Uint64() ||
-      !TestGetOptionalASN1Bool()) {
+      !TestGetOptionalASN1Bool() ||
+      !TestZero()) {
    return 1;
  }

@@ -20,6 +20,10 @@
 #include <openssl/mem.h>


+void CBB_zero(CBB *cbb) {
+  memset(cbb, 0, sizeof(CBB));
+}
+
 static int cbb_init(CBB *cbb, uint8_t *buf, size_t cap) {
  struct cbb_buffer_st *base;

@@ -66,7 +70,7 @@ int CBB_init_fixed(CBB *cbb, uint8_t *buf, size_t len) {

 void CBB_cleanup(CBB *cbb) {
  if (cbb->base) {
-    if (cbb->base->buf && cbb->base->can_resize) {
+    if (cbb->base->can_resize) {
      OPENSSL_free(cbb->base->buf);
    }
    OPENSSL_free(cbb->base);
@@ -243,6 +247,11 @@ int CBB_flush(CBB *cbb) {
  return 1;
 }

+size_t CBB_len(const CBB *cbb) {
+  assert(cbb->child == NULL);
+
+  return cbb->base->len;
+}

 static int cbb_add_length_prefixed(CBB *cbb, CBB *out_contents,
                                   size_t len_len) {
@@ -52,10 +52,8 @@ size_t CBS_len(const CBS *cbs) {
 }

 int CBS_stow(const CBS *cbs, uint8_t **out_ptr, size_t *out_len) {
-  if (*out_ptr != NULL) {
-    OPENSSL_free(*out_ptr);
-    *out_ptr = NULL;
-  }
+  OPENSSL_free(*out_ptr);
+  *out_ptr = NULL;
  *out_len = 0;

  if (cbs->len == 0) {
@@ -159,8 +157,8 @@ int CBS_get_u24_length_prefixed(CBS *cbs, CBS *out) {
  return cbs_get_length_prefixed(cbs, out, 3);
 }

-int CBS_get_any_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag,
-                             size_t *out_header_len) {
+static int cbs_get_any_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag,
+                                    size_t *out_header_len, int ber_ok) {
  uint8_t tag, length_byte;
  CBS header = *cbs;
  CBS throwaway;
@@ -195,9 +193,11 @@ int CBS_get_any_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag,
    const size_t num_bytes = length_byte & 0x7f;
    uint32_t len32;

-    if ((tag & CBS_ASN1_CONSTRUCTED) != 0 && num_bytes == 0) {
+    if (ber_ok && (tag & CBS_ASN1_CONSTRUCTED) != 0 && num_bytes == 0) {
      /* indefinite length */
-      *out_header_len = 2;
+      if (out_header_len != NULL) {
+        *out_header_len = 2;
+      }
      return CBS_get_bytes(cbs, out, 2);
    }

@@ -229,6 +229,18 @@ int CBS_get_any_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag,
  return CBS_get_bytes(cbs, out, len);
 }

+int CBS_get_any_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag,
+                                    size_t *out_header_len) {
+  return cbs_get_any_asn1_element(cbs, out, out_tag, out_header_len,
+                                  0 /* DER only */);
+}
+
+int CBS_get_any_ber_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag,
+                                 size_t *out_header_len) {
+  return cbs_get_any_asn1_element(cbs, out, out_tag, out_header_len,
+                                  1 /* BER allowed */);
+}
+
 static int cbs_get_asn1(CBS *cbs, CBS *out, unsigned tag_value,
                        int skip_header) {
  size_t header_len;
@@ -240,12 +252,7 @@ static int cbs_get_asn1(CBS *cbs, CBS *out, unsigned tag_value,
  }

  if (!CBS_get_any_asn1_element(cbs, out, &tag, &header_len) ||
-      tag != tag_value ||
-      (header_len > 0 &&
-       /* This ensures that the tag is either zero length or
-        * indefinite-length. */
-       CBS_len(out) == header_len &&
-       CBS_data(out)[header_len - 1] == 0x80)) {
+      tag != tag_value) {
    return 0;
  }

@@ -291,7 +298,12 @@ int CBS_get_asn1_uint64(CBS *cbs, uint64_t *out) {
  }

  if ((data[0] & 0x80) != 0) {
-    /* negative number */
+    /* Negative number. */
+    return 0;
+  }
+
+  if (data[0] == 0 && len > 1 && (data[1] & 0x80) == 0) {
+    /* Extra leading zeros. */
    return 0;
  }

@@ -23,6 +23,7 @@
 #     /opt/gcc-linaro-4.9-2014.11-x86_64_arm-linux-gnueabihf/bin/arm-linux-gnueabihf-gcc -O3 -mcpu=cortex-a8 -mfpu=neon -fpic -DASM_GEN -I ../../include -S chacha_vec.c -o -

 #if !defined(OPENSSL_NO_ASM)
+#if defined(__arm__) || defined(__aarch64__)

 	.syntax unified
 	.cpu cortex-a8
@@ -1423,4 +1424,5 @@ CRYPTO_chacha_20_neon:
 	.ident	"GCC: (Linaro GCC 2014.11) 4.9.3 20141031 (prerelease)"
 	.section	.note.GNU-stack,"",%progbits

+#endif  /* __arm__ || __aarch64__ */
 #endif  /* !OPENSSL_NO_ASM */
@@ -52,7 +52,8 @@ func main() {
 	output.WriteString(compiler)
 	output.WriteString(" ")
 	output.WriteString(strings.Join(args, " "))
-	output.WriteString("\n\n#if !defined(OPENSSL_NO_ASM)\n\n")
+	output.WriteString("\n\n#if !defined(OPENSSL_NO_ASM)\n")
+	output.WriteString("#if defined(__arm__) || defined(__aarch64__)\n\n")

 	cmd := exec.Command(compiler, args...)
 	cmd.Stderr = os.Stderr
@@ -144,5 +145,6 @@ const attr28Block = `
 `

 const trailer = `
+#endif  /* __arm__ || __aarch64__ */
 #endif  /* !OPENSSL_NO_ASM */
 `
@@ -24,13 +24,15 @@ add_library(
 add_executable(
  cipher_test

-  cipher_test.c
+  cipher_test.cc
+  $<TARGET_OBJECTS:test_support>
 )

 add_executable(
  aead_test

-  aead_test.c
+  aead_test.cc
+  $<TARGET_OBJECTS:test_support>
 )

 target_link_libraries(cipher_test crypto)
@@ -34,7 +34,8 @@ int EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,
                      const uint8_t *key, size_t key_len, size_t tag_len,
                      ENGINE *impl) {
  if (!aead->init) {
-    OPENSSL_PUT_ERROR(CIPHER, EVP_AEAD_CTX_init, CIPHER_R_NO_DIRECTION_SET);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_NO_DIRECTION_SET);
+    ctx->aead = NULL;
    return 0;
  }
  return EVP_AEAD_CTX_init_with_direction(ctx, aead, key, key_len, tag_len,
@@ -45,17 +46,26 @@ int EVP_AEAD_CTX_init_with_direction(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,
                                     const uint8_t *key, size_t key_len,
                                     size_t tag_len,
                                     enum evp_aead_direction_t dir) {
-  ctx->aead = aead;
  if (key_len != aead->key_len) {
-    OPENSSL_PUT_ERROR(CIPHER, EVP_AEAD_CTX_init_with_direction,
-                      CIPHER_R_UNSUPPORTED_KEY_SIZE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_KEY_SIZE);
+    ctx->aead = NULL;
    return 0;
  }
+
+  ctx->aead = aead;
+
+  int ok;
  if (aead->init) {
-    return aead->init(ctx, key, key_len, tag_len);
+    ok = aead->init(ctx, key, key_len, tag_len);
  } else {
-    return aead->init_with_direction(ctx, key, key_len, tag_len, dir);
+    ok = aead->init_with_direction(ctx, key, key_len, tag_len, dir);
  }
+
+  if (!ok) {
+    ctx->aead = NULL;
+  }
+
+  return ok;
 }

 void EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx) {
@@ -90,12 +100,12 @@ int EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len,
  size_t possible_out_len = in_len + ctx->aead->overhead;

  if (possible_out_len < in_len /* overflow */) {
-    OPENSSL_PUT_ERROR(CIPHER, EVP_AEAD_CTX_seal, CIPHER_R_TOO_LARGE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
    goto error;
  }

  if (!check_alias(in, in_len, out)) {
-    OPENSSL_PUT_ERROR(CIPHER, EVP_AEAD_CTX_seal, CIPHER_R_OUTPUT_ALIASES_INPUT);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_OUTPUT_ALIASES_INPUT);
    goto error;
  }

@@ -117,7 +127,7 @@ int EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len,
                      size_t nonce_len, const uint8_t *in, size_t in_len,
                      const uint8_t *ad, size_t ad_len) {
  if (!check_alias(in, in_len, out)) {
-    OPENSSL_PUT_ERROR(CIPHER, EVP_AEAD_CTX_open, CIPHER_R_OUTPUT_ALIASES_INPUT);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_OUTPUT_ALIASES_INPUT);
    goto error;
  }

@@ -1,391 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <stdint.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <openssl/aead.h>
-#include <openssl/bio.h>
-#include <openssl/crypto.h>
-#include <openssl/err.h>
-
-/* This program tests an AEAD against a series of test vectors from a file. The
- * test vector file consists of key-value lines where the key and value are
- * separated by a colon and optional whitespace. The keys are listed in
- * |NAMES|, below. The values are hex-encoded data.
- *
- * After a number of key-value lines, a blank line or EOF indicates the end of
- * the test case.
- *
- * For example, here's a valid test case:
- *
- *   KEY: 5a19f3173586b4c42f8412f4d5a786531b3231753e9e00998aec12fda8df10e4
- *   NONCE: 978105dfce667bf4
- *   IN: 6a4583908d
- *   AD: b654574932
- *   CT: 5294265a60
- *   TAG: 1d45758621762e061368e68868e2f929
- */
-
-#define BUF_MAX 512
-
-/* These are the different types of line that are found in the input file. */
-enum {
-  KEY = 0, /* hex encoded key. */
-  NONCE,   /* hex encoded nonce. */
-  IN,      /* hex encoded plaintext. */
-  AD,      /* hex encoded additional data. */
-  CT,      /* hex encoded ciphertext (not including the authenticator,
-              which is next). */
-  TAG,     /* hex encoded authenticator. */
-  NO_SEAL, /* non-zero length if seal(IN) is not expected to be CT+TAG,
-              however open(CT+TAG) should still be IN. */
-  FAILS,   /* non-zero length if open(CT+TAG) is expected to fail. */
-  NUM_TYPES,
-};
-
-static const char NAMES[8][NUM_TYPES] = {
-  "KEY", "NONCE", "IN", "AD", "CT", "TAG", "NO_SEAL", "FAILS",
-};
-
-static unsigned char hex_digit(char h) {
-  if (h >= '0' && h <= '9') {
-    return h - '0';
-  } else if (h >= 'a' && h <= 'f') {
-    return h - 'a' + 10;
-  } else if (h >= 'A' && h <= 'F') {
-    return h - 'A' + 10;
-  } else {
-    return 16;
-  }
-}
-
-static int run_test_case(const EVP_AEAD *aead,
-                         uint8_t bufs[NUM_TYPES][BUF_MAX],
-                         const unsigned int lengths[NUM_TYPES],
-                         unsigned int line_no) {
-  EVP_AEAD_CTX ctx;
-  size_t ciphertext_len, plaintext_len;
-  uint8_t out[BUF_MAX + EVP_AEAD_MAX_OVERHEAD + 1];
-  /* Note: When calling |EVP_AEAD_CTX_open|, the "stateful" AEADs require
-   * |max_out| be at least |in_len| despite the final output always being
-   * smaller by at least tag length. */
-  uint8_t out2[sizeof(out)];
-
-  if (!EVP_AEAD_CTX_init_with_direction(&ctx, aead, bufs[KEY], lengths[KEY],
-                                        lengths[TAG], evp_aead_seal)) {
-    fprintf(stderr, "Failed to init AEAD on line %u\n", line_no);
-    return 0;
-  }
-
-  if (!lengths[NO_SEAL]) {
-    if (!EVP_AEAD_CTX_seal(&ctx, out, &ciphertext_len, sizeof(out), bufs[NONCE],
-                           lengths[NONCE], bufs[IN], lengths[IN], bufs[AD],
-                           lengths[AD])) {
-      fprintf(stderr, "Failed to run AEAD on line %u\n", line_no);
-      return 0;
-    }
-
-    if (ciphertext_len != lengths[CT] + lengths[TAG]) {
-      fprintf(stderr, "Bad output length on line %u: %u vs %u\n", line_no,
-              (unsigned)ciphertext_len, (unsigned)(lengths[CT] + lengths[TAG]));
-      return 0;
-    }
-
-    if (memcmp(out, bufs[CT], lengths[CT]) != 0) {
-      fprintf(stderr, "Bad output on line %u\n", line_no);
-      return 0;
-    }
-
-    if (memcmp(out + lengths[CT], bufs[TAG], lengths[TAG]) != 0) {
-      fprintf(stderr, "Bad tag on line %u\n", line_no);
-      return 0;
-    }
-  } else {
-    memcpy(out, bufs[CT], lengths[CT]);
-    memcpy(out + lengths[CT], bufs[TAG], lengths[TAG]);
-    ciphertext_len = lengths[CT] + lengths[TAG];
-  }
-
-  /* The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
-   * reset after each operation. */
-  EVP_AEAD_CTX_cleanup(&ctx);
-  if (!EVP_AEAD_CTX_init_with_direction(&ctx, aead, bufs[KEY], lengths[KEY],
-                                        lengths[TAG], evp_aead_open)) {
-    fprintf(stderr, "Failed to init AEAD on line %u\n", line_no);
-    return 0;
-  }
-
-  int ret = EVP_AEAD_CTX_open(&ctx, out2, &plaintext_len, sizeof(out2),
-                              bufs[NONCE], lengths[NONCE], out, ciphertext_len,
-                              bufs[AD], lengths[AD]);
-  if (lengths[FAILS]) {
-    if (ret) {
-      fprintf(stderr, "Decrypted bad data on line %u\n", line_no);
-      return 0;
-    }
-    ERR_clear_error();
-  } else {
-    if (!ret) {
-      fprintf(stderr, "Failed to decrypt on line %u\n", line_no);
-      return 0;
-    }
-
-    if (plaintext_len != lengths[IN]) {
-      fprintf(stderr, "Bad decrypt on line %u: %u\n", line_no,
-              (unsigned)ciphertext_len);
-      return 0;
-    }
-
-    /* The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
-     * reset after each operation. */
-    EVP_AEAD_CTX_cleanup(&ctx);
-    if (!EVP_AEAD_CTX_init_with_direction(&ctx, aead, bufs[KEY], lengths[KEY],
-                                          lengths[TAG], evp_aead_open)) {
-      fprintf(stderr, "Failed to init AEAD on line %u\n", line_no);
-      return 0;
-    }
-
-    /* Garbage at the end isn't ignored. */
-    out[ciphertext_len] = 0;
-    if (EVP_AEAD_CTX_open(&ctx, out2, &plaintext_len, sizeof(out2),
-                          bufs[NONCE], lengths[NONCE], out, ciphertext_len + 1,
-                          bufs[AD], lengths[AD])) {
-      fprintf(stderr, "Decrypted bad data on line %u\n", line_no);
-      return 0;
-    }
-    ERR_clear_error();
-
-    /* The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
-     * reset after each operation. */
-    EVP_AEAD_CTX_cleanup(&ctx);
-    if (!EVP_AEAD_CTX_init_with_direction(&ctx, aead, bufs[KEY], lengths[KEY],
-                                          lengths[TAG], evp_aead_open)) {
-      fprintf(stderr, "Failed to init AEAD on line %u\n", line_no);
-      return 0;
-    }
-
-    /* Verify integrity is checked. */
-    out[0] ^= 0x80;
-    if (EVP_AEAD_CTX_open(&ctx, out2, &plaintext_len, sizeof(out2), bufs[NONCE],
-                          lengths[NONCE], out, ciphertext_len, bufs[AD],
-                          lengths[AD])) {
-      fprintf(stderr, "Decrypted bad data on line %u\n", line_no);
-      return 0;
-    }
-    ERR_clear_error();
-  }
-
-  EVP_AEAD_CTX_cleanup(&ctx);
-  return 1;
-}
-
-int main(int argc, char **argv) {
-  FILE *f;
-  const EVP_AEAD *aead = NULL;
-  unsigned int line_no = 0, num_tests = 0, j;
-
-  unsigned char bufs[NUM_TYPES][BUF_MAX];
-  unsigned int lengths[NUM_TYPES];
-
-  CRYPTO_library_init();
-  ERR_load_crypto_strings();
-
-  if (argc != 3) {
-    fprintf(stderr, "%s <aead> <test file.txt>\n", argv[0]);
-    return 1;
-  }
-
-  if (strcmp(argv[1], "aes-128-gcm") == 0) {
-    aead = EVP_aead_aes_128_gcm();
-  } else if (strcmp(argv[1], "aes-256-gcm") == 0) {
-    aead = EVP_aead_aes_256_gcm();
-  } else if (strcmp(argv[1], "chacha20-poly1305") == 0) {
-    aead = EVP_aead_chacha20_poly1305();
-  } else if (strcmp(argv[1], "rc4-md5-tls") == 0) {
-    aead = EVP_aead_rc4_md5_tls();
-  } else if (strcmp(argv[1], "rc4-sha1-tls") == 0) {
-    aead = EVP_aead_rc4_sha1_tls();
-  } else if (strcmp(argv[1], "aes-128-cbc-sha1-tls") == 0) {
-    aead = EVP_aead_aes_128_cbc_sha1_tls();
-  } else if (strcmp(argv[1], "aes-128-cbc-sha1-tls-implicit-iv") == 0) {
-    aead = EVP_aead_aes_128_cbc_sha1_tls_implicit_iv();
-  } else if (strcmp(argv[1], "aes-128-cbc-sha256-tls") == 0) {
-    aead = EVP_aead_aes_128_cbc_sha256_tls();
-  } else if (strcmp(argv[1], "aes-256-cbc-sha1-tls") == 0) {
-    aead = EVP_aead_aes_256_cbc_sha1_tls();
-  } else if (strcmp(argv[1], "aes-256-cbc-sha1-tls-implicit-iv") == 0) {
-    aead = EVP_aead_aes_256_cbc_sha1_tls_implicit_iv();
-  } else if (strcmp(argv[1], "aes-256-cbc-sha256-tls") == 0) {
-    aead = EVP_aead_aes_256_cbc_sha256_tls();
-  } else if (strcmp(argv[1], "aes-256-cbc-sha384-tls") == 0) {
-    aead = EVP_aead_aes_256_cbc_sha384_tls();
-  } else if (strcmp(argv[1], "des-ede3-cbc-sha1-tls") == 0) {
-    aead = EVP_aead_des_ede3_cbc_sha1_tls();
-  } else if (strcmp(argv[1], "des-ede3-cbc-sha1-tls-implicit-iv") == 0) {
-    aead = EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv();
-  } else if (strcmp(argv[1], "rc4-md5-ssl3") == 0) {
-    aead = EVP_aead_rc4_md5_ssl3();
-  } else if (strcmp(argv[1], "rc4-sha1-ssl3") == 0) {
-    aead = EVP_aead_rc4_sha1_ssl3();
-  } else if (strcmp(argv[1], "aes-128-cbc-sha1-ssl3") == 0) {
-    aead = EVP_aead_aes_128_cbc_sha1_ssl3();
-  } else if (strcmp(argv[1], "aes-256-cbc-sha1-ssl3") == 0) {
-    aead = EVP_aead_aes_256_cbc_sha1_ssl3();
-  } else if (strcmp(argv[1], "des-ede3-cbc-sha1-ssl3") == 0) {
-    aead = EVP_aead_des_ede3_cbc_sha1_ssl3();
-  } else if (strcmp(argv[1], "aes-128-key-wrap") == 0) {
-    aead = EVP_aead_aes_128_key_wrap();
-  } else if (strcmp(argv[1], "aes-256-key-wrap") == 0) {
-    aead = EVP_aead_aes_256_key_wrap();
-  } else if (strcmp(argv[1], "aes-128-ctr-hmac-sha256") == 0) {
-    aead = EVP_aead_aes_128_ctr_hmac_sha256();
-  } else if (strcmp(argv[1], "aes-256-ctr-hmac-sha256") == 0) {
-    aead = EVP_aead_aes_256_ctr_hmac_sha256();
-  } else {
-    fprintf(stderr, "Unknown AEAD: %s\n", argv[1]);
-    return 2;
-  }
-
-  f = fopen(argv[2], "r");
-  if (f == NULL) {
-    perror("failed to open input");
-    return 1;
-  }
-
-  for (j = 0; j < NUM_TYPES; j++) {
-    lengths[j] = 0;
-  }
-
-  for (;;) {
-    char line[4096];
-    unsigned int i, type_len = 0;
-
-    unsigned char *buf = NULL;
-    unsigned int *buf_len = NULL;
-
-    if (!fgets(line, sizeof(line), f)) {
-      line[0] = 0;
-    }
-
-    line_no++;
-    if (line[0] == '#') {
-      continue;
-    }
-
-    if (line[0] == '\n' || line[0] == 0) {
-      /* Run a test, if possible. */
-      char any_values_set = 0;
-      for (j = 0; j < NUM_TYPES; j++) {
-        if (lengths[j] != 0) {
-          any_values_set = 1;
-          break;
-        }
-      }
-
-      if (any_values_set) {
-        if (!run_test_case(aead, bufs, lengths, line_no)) {
-          BIO_print_errors_fp(stderr);
-          return 4;
-        }
-
-        for (j = 0; j < NUM_TYPES; j++) {
-          lengths[j] = 0;
-        }
-
-        num_tests++;
-      }
-
-      if (line[0] == 0) {
-        break;
-      }
-      continue;
-    }
-
-    /* Each line looks like:
-     *   TYPE: 0123abc
-     * Where "TYPE" is the type of the data on the line,
-     * e.g. "KEY". */
-    for (i = 0; line[i] != 0 && line[i] != '\n'; i++) {
-      if (line[i] == ':') {
-        type_len = i;
-        break;
-      }
-    }
-    i++;
-
-    if (type_len == 0) {
-      fprintf(stderr, "Parse error on line %u\n", line_no);
-      return 3;
-    }
-
-    /* After the colon, there's optional whitespace. */
-    for (; line[i] != 0 && line[i] != '\n'; i++) {
-      if (line[i] != ' ' && line[i] != '\t') {
-        break;
-      }
-    }
-
-    line[type_len] = 0;
-    for (j = 0; j < NUM_TYPES; j++) {
-      if (strcmp(line, NAMES[j]) != 0) {
-        continue;
-      }
-      if (lengths[j] != 0) {
-        fprintf(stderr, "Duplicate value on line %u\n", line_no);
-        return 3;
-      }
-      buf = bufs[j];
-      buf_len = &lengths[j];
-    }
-
-    if (buf == NULL) {
-      fprintf(stderr, "Unknown line type on line %u\n", line_no);
-      return 3;
-    }
-
-    j = 0;
-    for (; line[i] != 0 && line[i] != '\n'; i++) {
-      unsigned char v, v2;
-      v = hex_digit(line[i++]);
-      if (line[i] == 0 || line[i] == '\n') {
-        fprintf(stderr, "Odd-length hex data on line %u\n", line_no);
-        return 3;
-      }
-      v2 = hex_digit(line[i]);
-      if (v > 15 || v2 > 15) {
-        fprintf(stderr, "Invalid hex char on line %u\n", line_no);
-        return 3;
-      }
-      v <<= 4;
-      v |= v2;
-
-      if (j == BUF_MAX) {
-        fprintf(stderr, "Too much hex data on line %u (max is %u bytes)\n",
-                line_no, (unsigned)BUF_MAX);
-        return 3;
-      }
-      buf[j++] = v;
-      *buf_len = *buf_len + 1;
-    }
-  }
-
-  printf("Completed %u test cases\n", num_tests);
-  printf("PASS\n");
-  fclose(f);
-
-  return 0;
-}
@@ -0,0 +1,278 @@
+/* Copyright (c) 2014, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <stdint.h>
+#include <string.h>
+
+#include <vector>
+
+#include <openssl/aead.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+
+#include "../test/file_test.h"
+#include "../test/stl_compat.h"
+
+
+// This program tests an AEAD against a series of test vectors from a file,
+// using the FileTest format. As an example, here's a valid test case:
+//
+//   KEY: 5a19f3173586b4c42f8412f4d5a786531b3231753e9e00998aec12fda8df10e4
+//   NONCE: 978105dfce667bf4
+//   IN: 6a4583908d
+//   AD: b654574932
+//   CT: 5294265a60
+//   TAG: 1d45758621762e061368e68868e2f929
+
+// EVP_AEAD_CTX lacks a zero state, so it doesn't fit easily into
+// ScopedOpenSSLContext.
+class EVP_AEAD_CTXScoper {
+ public:
+  EVP_AEAD_CTXScoper(EVP_AEAD_CTX *ctx) : ctx_(ctx) {}
+  ~EVP_AEAD_CTXScoper() {
+    EVP_AEAD_CTX_cleanup(ctx_);
+  }
+ private:
+  EVP_AEAD_CTX *ctx_;
+};
+
+static bool TestAEAD(FileTest *t, void *arg) {
+  const EVP_AEAD *aead = reinterpret_cast<const EVP_AEAD*>(arg);
+
+  std::vector<uint8_t> key, nonce, in, ad, ct, tag;
+  if (!t->GetBytes(&key, "KEY") ||
+      !t->GetBytes(&nonce, "NONCE") ||
+      !t->GetBytes(&in, "IN") ||
+      !t->GetBytes(&ad, "AD") ||
+      !t->GetBytes(&ct, "CT") ||
+      !t->GetBytes(&tag, "TAG")) {
+    return false;
+  }
+
+  EVP_AEAD_CTX ctx;
+  if (!EVP_AEAD_CTX_init_with_direction(&ctx, aead, bssl::vector_data(&key),
+                                        key.size(), tag.size(),
+                                        evp_aead_seal)) {
+    t->PrintLine("Failed to init AEAD.");
+    return false;
+  }
+  EVP_AEAD_CTXScoper cleanup(&ctx);
+
+  std::vector<uint8_t> out(in.size() + EVP_AEAD_max_overhead(aead));
+  if (!t->HasAttribute("NO_SEAL")) {
+    size_t out_len;
+    if (!EVP_AEAD_CTX_seal(&ctx, bssl::vector_data(&out), &out_len, out.size(),
+                           bssl::vector_data(&nonce), nonce.size(),
+                           bssl::vector_data(&in), in.size(),
+                           bssl::vector_data(&ad), ad.size())) {
+      t->PrintLine("Failed to run AEAD.");
+      return false;
+    }
+    out.resize(out_len);
+
+    if (out.size() != ct.size() + tag.size()) {
+      t->PrintLine("Bad output length: %u vs %u.", (unsigned)out_len,
+                   (unsigned)(ct.size() + tag.size()));
+      return false;
+    }
+    if (!t->ExpectBytesEqual(bssl::vector_data(&ct), ct.size(),
+                             bssl::vector_data(&out), ct.size()) ||
+        !t->ExpectBytesEqual(bssl::vector_data(&tag), tag.size(),
+                             bssl::vector_data(&out) + ct.size(), tag.size())) {
+      return false;
+    }
+  } else {
+    out.resize(ct.size() + tag.size());
+    memcpy(bssl::vector_data(&out), bssl::vector_data(&ct), ct.size());
+    memcpy(bssl::vector_data(&out) + ct.size(), bssl::vector_data(&tag),
+           tag.size());
+  }
+
+  // The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
+  // reset after each operation.
+  EVP_AEAD_CTX_cleanup(&ctx);
+  if (!EVP_AEAD_CTX_init_with_direction(&ctx, aead, bssl::vector_data(&key),
+                                        key.size(), tag.size(),
+                                        evp_aead_open)) {
+    t->PrintLine("Failed to init AEAD.");
+    return false;
+  }
+
+  std::vector<uint8_t> out2(out.size());
+  size_t out2_len;
+  int ret = EVP_AEAD_CTX_open(&ctx,
+                              bssl::vector_data(&out2), &out2_len, out2.size(),
+                              bssl::vector_data(&nonce), nonce.size(),
+                              bssl::vector_data(&out), out.size(),
+                              bssl::vector_data(&ad), ad.size());
+  if (t->HasAttribute("FAILS")) {
+    if (ret) {
+      t->PrintLine("Decrypted bad data.");
+      return false;
+    }
+    ERR_clear_error();
+    return true;
+  }
+
+  if (!ret) {
+    t->PrintLine("Failed to decrypt.");
+    return false;
+  }
+  out2.resize(out2_len);
+  if (!t->ExpectBytesEqual(bssl::vector_data(&in), in.size(),
+                           bssl::vector_data(&out2), out2.size())) {
+    return false;
+  }
+
+  // The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
+  // reset after each operation.
+  EVP_AEAD_CTX_cleanup(&ctx);
+  if (!EVP_AEAD_CTX_init_with_direction(&ctx, aead, bssl::vector_data(&key),
+                                        key.size(), tag.size(),
+                                        evp_aead_open)) {
+    t->PrintLine("Failed to init AEAD.");
+    return false;
+  }
+
+  // Garbage at the end isn't ignored.
+  out.push_back(0);
+  out2.resize(out.size());
+  if (EVP_AEAD_CTX_open(&ctx, bssl::vector_data(&out2), &out2_len, out2.size(),
+                        bssl::vector_data(&nonce), nonce.size(),
+                        bssl::vector_data(&out), out.size(),
+                        bssl::vector_data(&ad), ad.size())) {
+    t->PrintLine("Decrypted bad data with trailing garbage.");
+    return false;
+  }
+  ERR_clear_error();
+
+  // The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
+  // reset after each operation.
+  EVP_AEAD_CTX_cleanup(&ctx);
+  if (!EVP_AEAD_CTX_init_with_direction(&ctx, aead, bssl::vector_data(&key),
+                                        key.size(), tag.size(),
+                                        evp_aead_open)) {
+    t->PrintLine("Failed to init AEAD.");
+    return false;
+  }
+
+  // Verify integrity is checked.
+  out[0] ^= 0x80;
+  out.resize(out.size() - 1);
+  out2.resize(out.size());
+  if (EVP_AEAD_CTX_open(&ctx, bssl::vector_data(&out2), &out2_len, out2.size(),
+                        bssl::vector_data(&nonce), nonce.size(),
+                        bssl::vector_data(&out), out.size(),
+                        bssl::vector_data(&ad), ad.size())) {
+    t->PrintLine("Decrypted bad data with corrupted byte.");
+    return false;
+  }
+  ERR_clear_error();
+
+  return true;
+}
+
+static int TestCleanupAfterInitFailure(const EVP_AEAD *aead) {
+  EVP_AEAD_CTX ctx;
+  uint8_t key[128];
+
+  memset(key, 0, sizeof(key));
+  const size_t key_len = EVP_AEAD_key_length(aead);
+  if (key_len > sizeof(key)) {
+    fprintf(stderr, "Key length of AEAD too long.\n");
+    return 0;
+  }
+
+  if (EVP_AEAD_CTX_init(&ctx, aead, key, key_len,
+                        9999 /* a silly tag length to trigger an error */,
+                        NULL /* ENGINE */) != 0) {
+    fprintf(stderr, "A silly tag length didn't trigger an error!\n");
+    return 0;
+  }
+  ERR_clear_error();
+
+  /* Running a second, failed _init should not cause a memory leak. */
+  if (EVP_AEAD_CTX_init(&ctx, aead, key, key_len,
+                        9999 /* a silly tag length to trigger an error */,
+                        NULL /* ENGINE */) != 0) {
+    fprintf(stderr, "A silly tag length didn't trigger an error!\n");
+    return 0;
+  }
+  ERR_clear_error();
+
+  /* Calling _cleanup on an |EVP_AEAD_CTX| after a failed _init should be a
+   * no-op. */
+  EVP_AEAD_CTX_cleanup(&ctx);
+  return 1;
+}
+
+struct AEADName {
+  const char name[40];
+  const EVP_AEAD *(*func)(void);
+};
+
+static const struct AEADName kAEADs[] = {
+  { "aes-128-gcm", EVP_aead_aes_128_gcm },
+  { "aes-256-gcm", EVP_aead_aes_256_gcm },
+  { "chacha20-poly1305", EVP_aead_chacha20_poly1305 },
+  { "rc4-md5-tls", EVP_aead_rc4_md5_tls },
+  { "rc4-sha1-tls", EVP_aead_rc4_sha1_tls },
+  { "aes-128-cbc-sha1-tls", EVP_aead_aes_128_cbc_sha1_tls },
+  { "aes-128-cbc-sha1-tls-implicit-iv", EVP_aead_aes_128_cbc_sha1_tls_implicit_iv },
+  { "aes-128-cbc-sha256-tls", EVP_aead_aes_128_cbc_sha256_tls },
+  { "aes-256-cbc-sha1-tls", EVP_aead_aes_256_cbc_sha1_tls },
+  { "aes-256-cbc-sha1-tls-implicit-iv", EVP_aead_aes_256_cbc_sha1_tls_implicit_iv },
+  { "aes-256-cbc-sha256-tls", EVP_aead_aes_256_cbc_sha256_tls },
+  { "aes-256-cbc-sha384-tls", EVP_aead_aes_256_cbc_sha384_tls },
+  { "des-ede3-cbc-sha1-tls", EVP_aead_des_ede3_cbc_sha1_tls },
+  { "des-ede3-cbc-sha1-tls-implicit-iv", EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv },
+  { "rc4-md5-ssl3", EVP_aead_rc4_md5_ssl3 },
+  { "rc4-sha1-ssl3", EVP_aead_rc4_sha1_ssl3 },
+  { "aes-128-cbc-sha1-ssl3", EVP_aead_aes_128_cbc_sha1_ssl3 },
+  { "aes-256-cbc-sha1-ssl3", EVP_aead_aes_256_cbc_sha1_ssl3 },
+  { "des-ede3-cbc-sha1-ssl3", EVP_aead_des_ede3_cbc_sha1_ssl3 },
+  { "aes-128-key-wrap", EVP_aead_aes_128_key_wrap },
+  { "aes-256-key-wrap", EVP_aead_aes_256_key_wrap },
+  { "aes-128-ctr-hmac-sha256", EVP_aead_aes_128_ctr_hmac_sha256 },
+  { "aes-256-ctr-hmac-sha256", EVP_aead_aes_256_ctr_hmac_sha256 },
+  { "", NULL },
+};
+
+int main(int argc, char **argv) {
+  CRYPTO_library_init();
+
+  if (argc != 3) {
+    fprintf(stderr, "%s <aead> <test file.txt>\n", argv[0]);
+    return 1;
+  }
+
+  const EVP_AEAD *aead;
+  for (unsigned i = 0;; i++) {
+    const struct AEADName &aead_name = kAEADs[i];
+    if (aead_name.func == NULL) {
+      fprintf(stderr, "Unknown AEAD: %s\n", argv[1]);
+      return 2;
+    }
+    if (strcmp(aead_name.name, argv[1]) == 0) {
+      aead = aead_name.func();
+      break;
+    }
+  }
+
+  if (!TestCleanupAfterInitFailure(aead)) {
+    return 1;
+  }
+
+  return FileTestMain(TestAEAD, const_cast<EVP_AEAD*>(aead), argv[2]);
+}
@@ -68,12 +68,18 @@

 const EVP_CIPHER *EVP_get_cipherbynid(int nid) {
  switch (nid) {
+    case NID_rc2_cbc:
+      return EVP_rc2_cbc();
+    case NID_rc2_40_cbc:
+      return EVP_rc2_40_cbc();
    case NID_des_ede3_cbc:
      return EVP_des_ede3_cbc();
    case NID_des_ede_cbc:
      return EVP_des_cbc();
    case NID_aes_128_cbc:
      return EVP_aes_128_cbc();
+    case NID_aes_192_cbc:
+      return EVP_aes_192_cbc();
    case NID_aes_256_cbc:
      return EVP_aes_256_cbc();
    default:
@@ -94,14 +100,13 @@ EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void) {
 }

 int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c) {
-  if (c->cipher != NULL && c->cipher->cleanup) {
-    c->cipher->cleanup(c);
-  }
-
-  if (c->cipher_data) {
+  if (c->cipher != NULL) {
+    if (c->cipher->cleanup) {
+      c->cipher->cleanup(c);
+    }
    OPENSSL_cleanse(c->cipher_data, c->cipher->ctx_size);
-    OPENSSL_free(c->cipher_data);
  }
+  OPENSSL_free(c->cipher_data);

  memset(c, 0, sizeof(EVP_CIPHER_CTX));
  return 1;
@@ -116,7 +121,7 @@ void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx) {

 int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in) {
  if (in == NULL || in->cipher == NULL) {
-    OPENSSL_PUT_ERROR(CIPHER, EVP_CIPHER_CTX_copy, CIPHER_R_INPUT_NOT_INITIALIZED);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INPUT_NOT_INITIALIZED);
    return 0;
  }

@@ -126,7 +131,7 @@ int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in) {
  if (in->cipher_data && in->cipher->ctx_size) {
    out->cipher_data = OPENSSL_malloc(in->cipher->ctx_size);
    if (!out->cipher_data) {
-      OPENSSL_PUT_ERROR(CIPHER, EVP_CIPHER_CTX_copy, ERR_R_MALLOC_FAILURE);
+      OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE);
      return 0;
    }
    memcpy(out->cipher_data, in->cipher_data, in->cipher->ctx_size);
@@ -165,7 +170,8 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
    if (ctx->cipher->ctx_size) {
      ctx->cipher_data = OPENSSL_malloc(ctx->cipher->ctx_size);
      if (!ctx->cipher_data) {
-        OPENSSL_PUT_ERROR(CIPHER, EVP_CipherInit_ex, ERR_R_MALLOC_FAILURE);
+        ctx->cipher = NULL;
+        OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE);
        return 0;
      }
    } else {
@@ -177,12 +183,13 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,

    if (ctx->cipher->flags & EVP_CIPH_CTRL_INIT) {
      if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) {
-        OPENSSL_PUT_ERROR(CIPHER, EVP_CipherInit_ex, CIPHER_R_INITIALIZATION_ERROR);
+        ctx->cipher = NULL;
+        OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INITIALIZATION_ERROR);
        return 0;
      }
    }
  } else if (!ctx->cipher) {
-    OPENSSL_PUT_ERROR(CIPHER, EVP_CipherInit_ex, CIPHER_R_NO_CIPHER_SET);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_NO_CIPHER_SET);
    return 0;
  }

@@ -197,7 +204,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
        break;

      case EVP_CIPH_CFB_MODE:
-      case EVP_CIPH_OFB_MODE:
        ctx->num = 0;
        /* fall-through */

@@ -210,6 +216,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
        break;

      case EVP_CIPH_CTR_MODE:
+      case EVP_CIPH_OFB_MODE:
        ctx->num = 0;
        /* Don't reuse IV for CTR mode */
        if (iv) {
@@ -337,8 +344,7 @@ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len) {
  bl = ctx->buf_len;
  if (ctx->flags & EVP_CIPH_NO_PADDING) {
    if (bl) {
-      OPENSSL_PUT_ERROR(CIPHER, EVP_EncryptFinal_ex,
-                        CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);
+      OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);
      return 0;
    }
    *out_len = 0;
@@ -433,8 +439,7 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len) {
  b = ctx->cipher->block_size;
  if (ctx->flags & EVP_CIPH_NO_PADDING) {
    if (ctx->buf_len) {
-      OPENSSL_PUT_ERROR(CIPHER, EVP_DecryptFinal_ex,
-                        CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);
+      OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);
      return 0;
    }
    *out_len = 0;
@@ -443,8 +448,7 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len) {

  if (b > 1) {
    if (ctx->buf_len || !ctx->final_used) {
-      OPENSSL_PUT_ERROR(CIPHER, EVP_DecryptFinal_ex,
-                        CIPHER_R_WRONG_FINAL_BLOCK_LENGTH);
+      OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_WRONG_FINAL_BLOCK_LENGTH);
      return 0;
    }
    assert(b <= sizeof(ctx->final));
@@ -453,13 +457,13 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len) {
     * Otherwise it provides a padding oracle. */
    n = ctx->final[b - 1];
    if (n == 0 || n > (int)b) {
-      OPENSSL_PUT_ERROR(CIPHER, EVP_DecryptFinal_ex, CIPHER_R_BAD_DECRYPT);
+      OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
      return 0;
    }

    for (i = 0; i < n; i++) {
      if (ctx->final[--b] != n) {
-        OPENSSL_PUT_ERROR(CIPHER, EVP_DecryptFinal_ex, CIPHER_R_BAD_DECRYPT);
+        OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
        return 0;
      }
    }
@@ -537,19 +541,18 @@ uint32_t EVP_CIPHER_CTX_mode(const EVP_CIPHER_CTX *ctx) {
 int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int command, int arg, void *ptr) {
  int ret;
  if (!ctx->cipher) {
-    OPENSSL_PUT_ERROR(CIPHER, EVP_CIPHER_CTX_ctrl, CIPHER_R_NO_CIPHER_SET);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_NO_CIPHER_SET);
    return 0;
  }

  if (!ctx->cipher->ctrl) {
-    OPENSSL_PUT_ERROR(CIPHER, EVP_CIPHER_CTX_ctrl, CIPHER_R_CTRL_NOT_IMPLEMENTED);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_CTRL_NOT_IMPLEMENTED);
    return 0;
  }

  ret = ctx->cipher->ctrl(ctx, command, arg, ptr);
  if (ret == -1) {
-    OPENSSL_PUT_ERROR(CIPHER, EVP_CIPHER_CTX_ctrl,
-                      CIPHER_R_CTRL_OPERATION_NOT_IMPLEMENTED);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_CTRL_OPERATION_NOT_IMPLEMENTED);
    return 0;
  }

@@ -571,8 +574,7 @@ int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *c, unsigned key_len) {
  }

  if (key_len == 0 || !(c->cipher->flags & EVP_CIPH_VARIABLE_LENGTH)) {
-    OPENSSL_PUT_ERROR(CIPHER, EVP_CIPHER_CTX_set_key_length,
-                      CIPHER_R_INVALID_KEY_LENGTH);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_KEY_LENGTH);
    return 0;
  }

@@ -582,10 +584,6 @@ int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *c, unsigned key_len) {

 int EVP_CIPHER_nid(const EVP_CIPHER *cipher) { return cipher->nid; }

-const char *EVP_CIPHER_name(const EVP_CIPHER *cipher) {
-  return OBJ_nid2sn(cipher->nid);
-}
-
 unsigned EVP_CIPHER_block_size(const EVP_CIPHER *cipher) {
  return cipher->block_size;
 }
@@ -633,7 +631,7 @@ const EVP_CIPHER *EVP_get_cipherbyname(const char *name) {
    return EVP_rc4();
  } else if (OPENSSL_strcasecmp(name, "des-cbc") == 0) {
    return EVP_des_cbc();
-  } else if (OPENSSL_strcasecmp(name, "3des-cbc") == 0 ||
+  } else if (OPENSSL_strcasecmp(name, "des-ede3-cbc") == 0 ||
             OPENSSL_strcasecmp(name, "3des") == 0) {
    return EVP_des_ede3_cbc();
  } else if (OPENSSL_strcasecmp(name, "aes-128-cbc") == 0) {
@@ -1,415 +0,0 @@
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.] */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/bio.h>
-#include <openssl/cipher.h>
-#include <openssl/crypto.h>
-#include <openssl/err.h>
-
-
-static void hexdump(FILE *f, const char *title, const uint8_t *s, int l) {
-  int n = 0;
-
-  fprintf(f, "%s", title);
-  for (; n < l; ++n) {
-    if ((n % 16) == 0) {
-      fprintf(f, "\n%04x", n);
-    }
-    fprintf(f, " %02x", s[n]);
-  }
-  fprintf(f, "\n");
-}
-
-static int convert(uint8_t *s) {
-  uint8_t *d;
-
-  for (d = s; *s; s += 2, ++d) {
-    unsigned int n;
-
-    if (!s[1]) {
-      fprintf(stderr, "Odd number of hex digits!");
-      exit(4);
-    }
-    sscanf((char *)s, "%2x", &n);
-    *d = (uint8_t)n;
-  }
-  return s - d;
-}
-
-static char *sstrsep(char **string, const char *delim) {
-  char isdelim[256];
-  char *token = *string;
-
-  if (**string == 0) {
-    return NULL;
-  }
-
-  memset(isdelim, 0, 256);
-  isdelim[0] = 1;
-
-  while (*delim) {
-    isdelim[(uint8_t)(*delim)] = 1;
-    delim++;
-  }
-
-  while (!isdelim[(uint8_t)(**string)]) {
-    (*string)++;
-  }
-
-  if (**string) {
-    **string = 0;
-    (*string)++;
-  }
-
-  return token;
-}
-
-static uint8_t *ustrsep(char **p, const char *sep) {
-  return (uint8_t *)sstrsep(p, sep);
-}
-
-static void test1(const EVP_CIPHER *c, const uint8_t *key, int kn,
-                  const uint8_t *iv, int in, const uint8_t *plaintext, int pn,
-                  const uint8_t *ciphertext, int cn, const uint8_t *aad, int an,
-                  const uint8_t *tag, int tn, int encdec) {
-  EVP_CIPHER_CTX ctx;
-  uint8_t out[4096];
-  int outl, outl2, mode;
-
-  printf("Testing cipher %s%s\n", EVP_CIPHER_name(c),
-         (encdec == 1 ? "(encrypt)"
-                      : (encdec == 0 ? "(decrypt)" : "(encrypt/decrypt)")));
-  hexdump(stdout, "Key", key, kn);
-  if (in) {
-    hexdump(stdout, "IV", iv, in);
-  }
-  hexdump(stdout, "Plaintext", plaintext, pn);
-  hexdump(stdout, "Ciphertext", ciphertext, cn);
-  if (an) {
-    hexdump(stdout, "AAD", aad, an);
-  }
-  if (tn) {
-    hexdump(stdout, "Tag", tag, tn);
-  }
-  mode = EVP_CIPHER_mode(c);
-  if (kn != EVP_CIPHER_key_length(c)) {
-    fprintf(stderr, "Key length doesn't match, got %d expected %lu\n", kn,
-            (unsigned long)EVP_CIPHER_key_length(c));
-    exit(5);
-  }
-  EVP_CIPHER_CTX_init(&ctx);
-  if (encdec != 0) {
-    if (mode == EVP_CIPH_GCM_MODE) {
-      if (!EVP_EncryptInit_ex(&ctx, c, NULL, NULL, NULL)) {
-        fprintf(stderr, "EncryptInit failed\n");
-        BIO_print_errors_fp(stderr);
-        exit(10);
-      }
-      if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, in, NULL)) {
-        fprintf(stderr, "IV length set failed\n");
-        BIO_print_errors_fp(stderr);
-        exit(11);
-      }
-      if (!EVP_EncryptInit_ex(&ctx, NULL, NULL, key, iv)) {
-        fprintf(stderr, "Key/IV set failed\n");
-        BIO_print_errors_fp(stderr);
-        exit(12);
-      }
-      if (an && !EVP_EncryptUpdate(&ctx, NULL, &outl, aad, an)) {
-        fprintf(stderr, "AAD set failed\n");
-        BIO_print_errors_fp(stderr);
-        exit(13);
-      }
-    } else if (!EVP_EncryptInit_ex(&ctx, c, NULL, key, iv)) {
-      fprintf(stderr, "EncryptInit failed\n");
-      BIO_print_errors_fp(stderr);
-      exit(10);
-    }
-    EVP_CIPHER_CTX_set_padding(&ctx, 0);
-
-    if (!EVP_EncryptUpdate(&ctx, out, &outl, plaintext, pn)) {
-      fprintf(stderr, "Encrypt failed\n");
-      BIO_print_errors_fp(stderr);
-      exit(6);
-    }
-    if (!EVP_EncryptFinal_ex(&ctx, out + outl, &outl2)) {
-      fprintf(stderr, "EncryptFinal failed\n");
-      BIO_print_errors_fp(stderr);
-      exit(7);
-    }
-
-    if (outl + outl2 != cn) {
-      fprintf(stderr, "Ciphertext length mismatch got %d expected %d\n",
-              outl + outl2, cn);
-      exit(8);
-    }
-
-    if (memcmp(out, ciphertext, cn)) {
-      fprintf(stderr, "Ciphertext mismatch\n");
-      hexdump(stderr, "Got", out, cn);
-      hexdump(stderr, "Expected", ciphertext, cn);
-      exit(9);
-    }
-    if (mode == EVP_CIPH_GCM_MODE) {
-      uint8_t rtag[16];
-      /* Note: EVP_CTRL_CCM_GET_TAG has same value as
-       * EVP_CTRL_GCM_GET_TAG
-       */
-      if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, tn, rtag)) {
-        fprintf(stderr, "Get tag failed\n");
-        BIO_print_errors_fp(stderr);
-        exit(14);
-      }
-      if (memcmp(rtag, tag, tn)) {
-        fprintf(stderr, "Tag mismatch\n");
-        hexdump(stderr, "Got", rtag, tn);
-        hexdump(stderr, "Expected", tag, tn);
-        exit(9);
-      }
-    }
-  }
-
-  if (encdec <= 0) {
-    if (mode == EVP_CIPH_GCM_MODE) {
-      if (!EVP_DecryptInit_ex(&ctx, c, NULL, NULL, NULL)) {
-        fprintf(stderr, "EncryptInit failed\n");
-        BIO_print_errors_fp(stderr);
-        exit(10);
-      }
-      if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, in, NULL)) {
-        fprintf(stderr, "IV length set failed\n");
-        BIO_print_errors_fp(stderr);
-        exit(11);
-      }
-      if (!EVP_DecryptInit_ex(&ctx, NULL, NULL, key, iv)) {
-        fprintf(stderr, "Key/IV set failed\n");
-        BIO_print_errors_fp(stderr);
-        exit(12);
-      }
-      if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, tn, (void *)tag)) {
-        fprintf(stderr, "Set tag failed\n");
-        BIO_print_errors_fp(stderr);
-        exit(14);
-      }
-      if (an && !EVP_DecryptUpdate(&ctx, NULL, &outl, aad, an)) {
-        fprintf(stderr, "AAD set failed\n");
-        BIO_print_errors_fp(stderr);
-        exit(13);
-      }
-    } else if (!EVP_DecryptInit_ex(&ctx, c, NULL, key, iv)) {
-      fprintf(stderr, "DecryptInit failed\n");
-      BIO_print_errors_fp(stderr);
-      exit(11);
-    }
-    EVP_CIPHER_CTX_set_padding(&ctx, 0);
-
-    if (!EVP_DecryptUpdate(&ctx, out, &outl, ciphertext, cn)) {
-      fprintf(stderr, "Decrypt failed\n");
-      BIO_print_errors_fp(stderr);
-      exit(6);
-    }
-    outl2 = 0;
-    if (!EVP_DecryptFinal_ex(&ctx, out + outl, &outl2)) {
-      fprintf(stderr, "DecryptFinal failed\n");
-      BIO_print_errors_fp(stderr);
-      exit(7);
-    }
-
-    if (outl + outl2 != pn) {
-      fprintf(stderr, "Plaintext length mismatch got %d expected %d\n",
-              outl + outl2, pn);
-      exit(8);
-    }
-
-    if (memcmp(out, plaintext, pn)) {
-      fprintf(stderr, "Plaintext mismatch\n");
-      hexdump(stderr, "Got", out, pn);
-      hexdump(stderr, "Expected", plaintext, pn);
-      exit(9);
-    }
-  }
-
-  EVP_CIPHER_CTX_cleanup(&ctx);
-
-  printf("\n");
-}
-
-static int test_cipher(const char *cipher, const uint8_t *key, int kn,
-                       const uint8_t *iv, int in, const uint8_t *plaintext,
-                       int pn, const uint8_t *ciphertext, int cn,
-                       const uint8_t *aad, int an, const uint8_t *tag, int tn,
-                       int encdec) {
-  const EVP_CIPHER *c;
-
-  if (strcmp(cipher, "DES-CBC") == 0) {
-    c = EVP_des_cbc();
-  } else if (strcmp(cipher, "DES-EDE3-CBC") == 0) {
-    c = EVP_des_ede3_cbc();
-  } else if (strcmp(cipher, "RC4") == 0) {
-    c = EVP_rc4();
-  } else if (strcmp(cipher, "AES-128-ECB") == 0) {
-    c = EVP_aes_128_ecb();
-  } else if (strcmp(cipher, "AES-256-ECB") == 0) {
-    c = EVP_aes_256_ecb();
-  } else if (strcmp(cipher, "AES-128-CBC") == 0) {
-    c = EVP_aes_128_cbc();
-  } else if (strcmp(cipher, "AES-128-GCM") == 0) {
-    c = EVP_aes_128_gcm();
-  } else if (strcmp(cipher, "AES-256-CBC") == 0) {
-    c = EVP_aes_256_cbc();
-  } else if (strcmp(cipher, "AES-128-CTR") == 0) {
-    c = EVP_aes_128_ctr();
-  } else if (strcmp(cipher, "AES-256-CTR") == 0) {
-    c = EVP_aes_256_ctr();
-  } else if (strcmp(cipher, "AES-256-GCM") == 0) {
-    c = EVP_aes_256_gcm();
-  } else {
-    fprintf(stderr, "Unknown cipher type %s\n", cipher);
-    return 0;
-  }
-
-  test1(c, key, kn, iv, in, plaintext, pn, ciphertext, cn, aad, an, tag, tn,
-        encdec);
-
-  return 1;
-}
-
-int main(int argc, char **argv) {
-  const char *input_file;
-  FILE *f;
-
-  CRYPTO_library_init();
-
-  if (argc != 2) {
-    fprintf(stderr, "%s <test file>\n", argv[0]);
-    return 1;
-  }
-
-  input_file = argv[1];
-
-  f = fopen(input_file, "r");
-  if (!f) {
-    perror(input_file);
-    return 2;
-  }
-
-  ERR_load_crypto_strings();
-
-  for (;;) {
-    char line[4096];
-    char *p;
-    char *cipher;
-    uint8_t *iv, *key, *plaintext, *ciphertext, *aad, *tag;
-    int encdec;
-    int kn, in, pn, cn;
-    int an = 0;
-    int tn = 0;
-
-    if (!fgets((char *)line, sizeof line, f)) {
-      break;
-    }
-    if (line[0] == '#' || line[0] == '\n') {
-      continue;
-    }
-    p = line;
-    cipher = sstrsep(&p, ":");
-    key = ustrsep(&p, ":");
-    iv = ustrsep(&p, ":");
-    plaintext = ustrsep(&p, ":");
-    ciphertext = ustrsep(&p, ":");
-    if (p[-1] == '\n') {
-      encdec = -1;
-      p[-1] = '\0';
-      tag = aad = NULL;
-      an = tn = 0;
-    } else {
-      aad = ustrsep(&p, ":");
-      tag = ustrsep(&p, ":");
-      if (tag == NULL) {
-        p = (char *)aad;
-        tag = aad = NULL;
-        an = tn = 0;
-      }
-      if (p[-1] == '\n') {
-        encdec = -1;
-        p[-1] = '\0';
-      } else {
-        encdec = atoi(sstrsep(&p, "\n"));
-      }
-    }
-
-    kn = convert(key);
-    in = convert(iv);
-    pn = convert(plaintext);
-    cn = convert(ciphertext);
-    if (aad) {
-      an = convert(aad);
-      tn = convert(tag);
-    }
-
-    if (!test_cipher(cipher, key, kn, iv, in, plaintext, pn, ciphertext, cn,
-                     aad, an, tag, tn, encdec)) {
-      return 3;
-    }
-  }
-  fclose(f);
-
-  printf("PASS\n");
-  return 0;
-}
@@ -0,0 +1,287 @@
+/*
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <string>
+#include <vector>
+
+#include <openssl/cipher.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+
+#include "../test/file_test.h"
+#include "../test/scoped_types.h"
+#include "../test/stl_compat.h"
+
+
+static const EVP_CIPHER *GetCipher(const std::string &name) {
+  if (name == "DES-CBC") {
+    return EVP_des_cbc();
+  } else if (name == "DES-EDE3-CBC") {
+    return EVP_des_ede3_cbc();
+  } else if (name == "RC4") {
+    return EVP_rc4();
+  } else if (name == "AES-128-ECB") {
+    return EVP_aes_128_ecb();
+  } else if (name == "AES-256-ECB") {
+    return EVP_aes_256_ecb();
+  } else if (name == "AES-128-CBC") {
+    return EVP_aes_128_cbc();
+  } else if (name == "AES-128-GCM") {
+    return EVP_aes_128_gcm();
+  } else if (name == "AES-128-OFB") {
+    return EVP_aes_128_ofb();
+  } else if (name == "AES-192-CBC") {
+    return EVP_aes_192_cbc();
+  } else if (name == "AES-192-ECB") {
+    return EVP_aes_192_ecb();
+  } else if (name == "AES-256-CBC") {
+    return EVP_aes_256_cbc();
+  } else if (name == "AES-128-CTR") {
+    return EVP_aes_128_ctr();
+  } else if (name == "AES-256-CTR") {
+    return EVP_aes_256_ctr();
+  } else if (name == "AES-256-GCM") {
+    return EVP_aes_256_gcm();
+  } else if (name == "AES-256-OFB") {
+    return EVP_aes_256_ofb();
+  }
+  return nullptr;
+}
+
+static bool TestOperation(FileTest *t,
+                          const EVP_CIPHER *cipher,
+                          bool encrypt,
+                          bool streaming,
+                          const std::vector<uint8_t> &key,
+                          const std::vector<uint8_t> &iv,
+                          const std::vector<uint8_t> &plaintext,
+                          const std::vector<uint8_t> &ciphertext,
+                          const std::vector<uint8_t> &aad,
+                          const std::vector<uint8_t> &tag) {
+  const std::vector<uint8_t> *in, *out;
+  if (encrypt) {
+    in = &plaintext;
+    out = &ciphertext;
+  } else {
+    in = &ciphertext;
+    out = &plaintext;
+  }
+
+  bool is_aead = EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE;
+
+  ScopedEVP_CIPHER_CTX ctx;
+  if (!EVP_CipherInit_ex(ctx.get(), cipher, nullptr, nullptr, nullptr,
+                         encrypt ? 1 : 0)) {
+    return false;
+  }
+  if (t->HasAttribute("IV")) {
+    if (is_aead) {
+      if (!EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_SET_IVLEN,
+                               iv.size(), 0)) {
+        return false;
+      }
+    } else if (iv.size() != (size_t)EVP_CIPHER_CTX_iv_length(ctx.get())) {
+      t->PrintLine("Bad IV length.");
+      return false;
+    }
+  }
+  if (is_aead && !encrypt &&
+      !EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_SET_TAG, tag.size(),
+                           const_cast<uint8_t*>(bssl::vector_data(&tag)))) {
+    return false;
+  }
+  // The ciphers are run with no padding. For each of the ciphers we test, the
+  // output size matches the input size.
+  std::vector<uint8_t> result(in->size());
+  if (in->size() != out->size()) {
+    t->PrintLine("Input/output size mismatch (%u vs %u).", (unsigned)in->size(),
+                 (unsigned)out->size());
+    return false;
+  }
+  // Note: the deprecated |EVP_CIPHER|-based AES-GCM API is sensitive to whether
+  // parameters are NULL, so it is important to skip the |in| and |aad|
+  // |EVP_CipherUpdate| calls when empty.
+  int unused, result_len1 = 0, result_len2;
+  if (!EVP_CIPHER_CTX_set_key_length(ctx.get(), key.size()) ||
+      !EVP_CipherInit_ex(ctx.get(), nullptr, nullptr, bssl::vector_data(&key),
+                         bssl::vector_data(&iv), -1) ||
+      (!aad.empty() &&
+       !EVP_CipherUpdate(ctx.get(), nullptr, &unused, bssl::vector_data(&aad),
+                         aad.size())) ||
+      !EVP_CIPHER_CTX_set_padding(ctx.get(), 0)) {
+    t->PrintLine("Operation failed.");
+    return false;
+  }
+  if (streaming) {
+    for (size_t i = 0; i < in->size(); i++) {
+      uint8_t c = (*in)[i];
+      int len;
+      if (!EVP_CipherUpdate(ctx.get(), bssl::vector_data(&result) + result_len1,
+                            &len, &c, 1)) {
+        t->PrintLine("Operation failed.");
+        return false;
+      }
+      result_len1 += len;
+    }
+  } else if (!in->empty() &&
+             !EVP_CipherUpdate(ctx.get(), bssl::vector_data(&result),
+                               &result_len1, bssl::vector_data(in),
+                               in->size())) {
+    t->PrintLine("Operation failed.");
+    return false;
+  }
+  if (!EVP_CipherFinal_ex(ctx.get(), bssl::vector_data(&result) + result_len1,
+                          &result_len2)) {
+    t->PrintLine("Operation failed.");
+    return false;
+  }
+  result.resize(result_len1 + result_len2);
+  if (!t->ExpectBytesEqual(bssl::vector_data(out), out->size(),
+                           bssl::vector_data(&result), result.size())) {
+    return false;
+  }
+  if (encrypt && is_aead) {
+    uint8_t rtag[16];
+    if (tag.size() > sizeof(rtag)) {
+      t->PrintLine("Bad tag length.");
+      return false;
+    }
+    if (!EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_GET_TAG, tag.size(),
+                             rtag) ||
+        !t->ExpectBytesEqual(bssl::vector_data(&tag), tag.size(), rtag,
+                             tag.size())) {
+      return false;
+    }
+  }
+  return true;
+}
+
+static bool TestCipher(FileTest *t, void *arg) {
+  std::string cipher_str;
+  if (!t->GetAttribute(&cipher_str, "Cipher")) {
+    return false;
+  }
+  const EVP_CIPHER *cipher = GetCipher(cipher_str);
+  if (cipher == nullptr) {
+    t->PrintLine("Unknown cipher: '%s'.", cipher_str.c_str());
+    return false;
+  }
+
+  std::vector<uint8_t> key, iv, plaintext, ciphertext, aad, tag;
+  if (!t->GetBytes(&key, "Key") ||
+      !t->GetBytes(&plaintext, "Plaintext") ||
+      !t->GetBytes(&ciphertext, "Ciphertext")) {
+    return false;
+  }
+  if (EVP_CIPHER_iv_length(cipher) > 0 &&
+      !t->GetBytes(&iv, "IV")) {
+    return false;
+  }
+  if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE) {
+    if (!t->GetBytes(&aad, "AAD") ||
+        !t->GetBytes(&tag, "Tag")) {
+      return false;
+    }
+  }
+
+  enum {
+    kEncrypt,
+    kDecrypt,
+    kBoth,
+  } operation = kBoth;
+  if (t->HasAttribute("Operation")) {
+    const std::string &str = t->GetAttributeOrDie("Operation");
+    if (str == "ENCRYPT") {
+      operation = kEncrypt;
+    } else if (str == "DECRYPT") {
+      operation = kDecrypt;
+    } else {
+      t->PrintLine("Unknown operation: '%s'.", str.c_str());
+      return false;
+    }
+  }
+
+  // By default, both directions are run, unless overridden by the operation.
+  if (operation != kDecrypt) {
+    if (!TestOperation(t, cipher, true /* encrypt */, false /* single-shot */,
+                       key, iv, plaintext, ciphertext, aad, tag) ||
+        !TestOperation(t, cipher, true /* encrypt */, true /* streaming */, key,
+                       iv, plaintext, ciphertext, aad, tag)) {
+      return false;
+    }
+  }
+  if (operation != kEncrypt) {
+    if (!TestOperation(t, cipher, false /* decrypt */, false /* single-shot */,
+                       key, iv, plaintext, ciphertext, aad, tag) ||
+        !TestOperation(t, cipher, false /* decrypt */, true /* streaming */,
+                       key, iv, plaintext, ciphertext, aad, tag)) {
+      return false;
+    }
+  }
+
+  return true;
+}
+
+int main(int argc, char **argv) {
+  CRYPTO_library_init();
+
+  if (argc != 2) {
+    fprintf(stderr, "%s <test file>\n", argv[0]);
+    return 1;
+  }
+
+  return FileTestMain(TestCipher, nullptr, argv[1]);
+}
@@ -98,8 +98,6 @@ typedef struct {
 #if !defined(OPENSSL_NO_ASM) && \
    (defined(OPENSSL_X86_64) || defined(OPENSSL_X86))
 #define VPAES
-extern unsigned int OPENSSL_ia32cap_P[];
-
 static char vpaes_capable(void) {
  return (OPENSSL_ia32cap_P[1] & (1 << (41 - 32))) != 0;
 }
@@ -115,7 +113,7 @@ static char bsaes_capable(void) {
    (defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64))
 #include "../arm_arch.h"

-#if defined(OPENSSL_ARM) && __ARM_ARCH__ >= 7
+#if defined(OPENSSL_ARM) && __ARM_MAX_ARCH__ >= 7
 #define BSAES
 static char bsaes_capable(void) {
  return CRYPTO_is_NEON_capable();
@@ -283,7 +281,8 @@ void aesni_ctr32_encrypt_blocks(const uint8_t *in, uint8_t *out, size_t blocks,
 #endif

 static int aes_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
-                        const uint8_t *iv, int enc) {
+                        const uint8_t *iv, int enc)
+                        OPENSSL_SUPPRESS_UNREACHABLE_CODE_WARNINGS {
  int ret, mode;
  EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;

@@ -337,15 +336,15 @@ static int aes_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
  }

  if (ret < 0) {
-    OPENSSL_PUT_ERROR(CIPHER, aes_init_key, CIPHER_R_AES_KEY_SETUP_FAILED);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_AES_KEY_SETUP_FAILED);
    return 0;
  }

  return 1;
 }

-static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-                          const unsigned char *in, size_t len) {
+static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
+                          size_t len) {
  EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;

  if (dat->stream.cbc) {
@@ -359,8 +358,8 @@ static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  return 1;
 }

-static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-                          const unsigned char *in, size_t len) {
+static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
+                          size_t len) {
  size_t bl = ctx->cipher->block_size;
  size_t i;
  EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
@@ -376,8 +375,8 @@ static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  return 1;
 }

-static int aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-                          const unsigned char *in, size_t len) {
+static int aes_ctr_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
+                          size_t len) {
  unsigned int num = ctx->num;
  EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;

@@ -392,11 +391,20 @@ static int aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
  return 1;
 }

+static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
+                          size_t len) {
+  EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
+
+  CRYPTO_ofb128_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num, dat->block);
+  return 1;
+}
+
 static char aesni_capable(void);

 static ctr128_f aes_ctr_set_key(AES_KEY *aes_key, GCM128_CONTEXT *gcm_ctx,
                                block128_f *out_block, const uint8_t *key,
-                                size_t key_len) {
+                                size_t key_len)
+                                OPENSSL_SUPPRESS_UNREACHABLE_CODE_WARNINGS {
  if (aesni_capable()) {
    aesni_set_encrypt_key(key, key_len * 8, aes_key);
    if (gcm_ctx != NULL) {
@@ -701,7 +709,7 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
  } else {
    if (!ctx->encrypt) {
      if (gctx->taglen < 0 ||
-          !CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf, gctx->taglen) != 0) {
+          !CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf, gctx->taglen)) {
        return -1;
      }
      gctx->iv_set = 0;
@@ -733,6 +741,12 @@ static const EVP_CIPHER aes_128_ecb = {
    NULL /* app_data */, aes_init_key,        aes_ecb_cipher,
    NULL /* cleanup */,  NULL /* ctrl */};

+static const EVP_CIPHER aes_128_ofb = {
+    NID_aes_128_ofb128,  1 /* block_size */,  16 /* key_size */,
+    16 /* iv_len */,     sizeof(EVP_AES_KEY), EVP_CIPH_OFB_MODE,
+    NULL /* app_data */, aes_init_key,        aes_ofb_cipher,
+    NULL /* cleanup */,  NULL /* ctrl */};
+
 static const EVP_CIPHER aes_128_gcm = {
    NID_aes_128_gcm, 1 /* block_size */, 16 /* key_size */, 12 /* iv_len */,
    sizeof(EVP_AES_GCM_CTX),
@@ -743,6 +757,34 @@ static const EVP_CIPHER aes_128_gcm = {
    aes_gcm_ctrl};


+static const EVP_CIPHER aes_192_cbc = {
+    NID_aes_192_cbc,     16 /* block_size */, 24 /* key_size */,
+    16 /* iv_len */,     sizeof(EVP_AES_KEY), EVP_CIPH_CBC_MODE,
+    NULL /* app_data */, aes_init_key,        aes_cbc_cipher,
+    NULL /* cleanup */,  NULL /* ctrl */};
+
+static const EVP_CIPHER aes_192_ctr = {
+    NID_aes_192_ctr,     1 /* block_size */,  24 /* key_size */,
+    16 /* iv_len */,     sizeof(EVP_AES_KEY), EVP_CIPH_CTR_MODE,
+    NULL /* app_data */, aes_init_key,        aes_ctr_cipher,
+    NULL /* cleanup */,  NULL /* ctrl */};
+
+static const EVP_CIPHER aes_192_ecb = {
+    NID_aes_192_ecb,     16 /* block_size */, 24 /* key_size */,
+    0 /* iv_len */,      sizeof(EVP_AES_KEY), EVP_CIPH_ECB_MODE,
+    NULL /* app_data */, aes_init_key,        aes_ecb_cipher,
+    NULL /* cleanup */,  NULL /* ctrl */};
+
+static const EVP_CIPHER aes_192_gcm = {
+    NID_aes_192_gcm, 1 /* block_size */, 24 /* key_size */, 12 /* iv_len */,
+    sizeof(EVP_AES_GCM_CTX),
+    EVP_CIPH_GCM_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER |
+        EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT |
+        EVP_CIPH_FLAG_AEAD_CIPHER,
+    NULL /* app_data */, aes_gcm_init_key, aes_gcm_cipher, aes_gcm_cleanup,
+    aes_gcm_ctrl};
+
+
 static const EVP_CIPHER aes_256_cbc = {
    NID_aes_256_cbc,     16 /* block_size */, 32 /* key_size */,
    16 /* iv_len */,     sizeof(EVP_AES_KEY), EVP_CIPH_CBC_MODE,
@@ -761,6 +803,12 @@ static const EVP_CIPHER aes_256_ecb = {
    NULL /* app_data */, aes_init_key,        aes_ecb_cipher,
    NULL /* cleanup */,  NULL /* ctrl */};

+static const EVP_CIPHER aes_256_ofb = {
+    NID_aes_256_ofb128,  1 /* block_size */,  32 /* key_size */,
+    16 /* iv_len */,     sizeof(EVP_AES_KEY), EVP_CIPH_OFB_MODE,
+    NULL /* app_data */, aes_init_key,        aes_ofb_cipher,
+    NULL /* cleanup */,  NULL /* ctrl */};
+
 static const EVP_CIPHER aes_256_gcm = {
    NID_aes_256_gcm, 1 /* block_size */, 32 /* key_size */, 12 /* iv_len */,
    sizeof(EVP_AES_GCM_CTX),
@@ -803,7 +851,7 @@ static int aesni_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
  }

  if (ret < 0) {
-    OPENSSL_PUT_ERROR(CIPHER, aesni_init_key, CIPHER_R_AES_KEY_SETUP_FAILED);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_AES_KEY_SETUP_FAILED);
    return 0;
  }

@@ -881,6 +929,12 @@ static const EVP_CIPHER aesni_128_ecb = {
    NULL /* app_data */, aesni_init_key,      aesni_ecb_cipher,
    NULL /* cleanup */,  NULL /* ctrl */};

+static const EVP_CIPHER aesni_128_ofb = {
+    NID_aes_128_ofb128,  1 /* block_size */,  16 /* key_size */,
+    16 /* iv_len */,     sizeof(EVP_AES_KEY), EVP_CIPH_OFB_MODE,
+    NULL /* app_data */, aesni_init_key,      aes_ofb_cipher,
+    NULL /* cleanup */,  NULL /* ctrl */};
+
 static const EVP_CIPHER aesni_128_gcm = {
    NID_aes_128_gcm, 1 /* block_size */, 16 /* key_size */, 12 /* iv_len */,
    sizeof(EVP_AES_GCM_CTX),
@@ -891,6 +945,34 @@ static const EVP_CIPHER aesni_128_gcm = {
    aes_gcm_ctrl};


+static const EVP_CIPHER aesni_192_cbc = {
+    NID_aes_192_cbc,     16 /* block_size */, 24 /* key_size */,
+    16 /* iv_len */,     sizeof(EVP_AES_KEY), EVP_CIPH_CBC_MODE,
+    NULL /* app_data */, aesni_init_key,      aesni_cbc_cipher,
+    NULL /* cleanup */,  NULL /* ctrl */};
+
+static const EVP_CIPHER aesni_192_ctr = {
+    NID_aes_192_ctr,     1 /* block_size */,  24 /* key_size */,
+    16 /* iv_len */,     sizeof(EVP_AES_KEY), EVP_CIPH_CTR_MODE,
+    NULL /* app_data */, aesni_init_key,      aes_ctr_cipher,
+    NULL /* cleanup */,  NULL /* ctrl */};
+
+static const EVP_CIPHER aesni_192_ecb = {
+    NID_aes_192_ecb,     16 /* block_size */, 24 /* key_size */,
+    0 /* iv_len */,      sizeof(EVP_AES_KEY), EVP_CIPH_ECB_MODE,
+    NULL /* app_data */, aesni_init_key,      aesni_ecb_cipher,
+    NULL /* cleanup */,  NULL /* ctrl */};
+
+static const EVP_CIPHER aesni_192_gcm = {
+    NID_aes_192_gcm, 1 /* block_size */, 24 /* key_size */, 12 /* iv_len */,
+    sizeof(EVP_AES_GCM_CTX),
+    EVP_CIPH_GCM_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER |
+        EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT |
+        EVP_CIPH_FLAG_AEAD_CIPHER,
+    NULL /* app_data */, aesni_gcm_init_key, aes_gcm_cipher, aes_gcm_cleanup,
+    aes_gcm_ctrl};
+
+
 static const EVP_CIPHER aesni_256_cbc = {
    NID_aes_256_cbc,     16 /* block_size */, 32 /* key_size */,
    16 /* iv_len */,     sizeof(EVP_AES_KEY), EVP_CIPH_CBC_MODE,
@@ -909,6 +991,12 @@ static const EVP_CIPHER aesni_256_ecb = {
    NULL /* app_data */, aesni_init_key,      aesni_ecb_cipher,
    NULL /* cleanup */,  NULL /* ctrl */};

+static const EVP_CIPHER aesni_256_ofb = {
+    NID_aes_256_ofb128,  1 /* block_size */,  32 /* key_size */,
+    16 /* iv_len */,     sizeof(EVP_AES_KEY), EVP_CIPH_OFB_MODE,
+    NULL /* app_data */, aesni_init_key,      aes_ofb_cipher,
+    NULL /* cleanup */,  NULL /* ctrl */};
+
 static const EVP_CIPHER aesni_256_gcm = {
    NID_aes_256_gcm, 1 /* block_size */, 32 /* key_size */, 12 /* iv_len */,
    sizeof(EVP_AES_GCM_CTX),
@@ -943,11 +1031,18 @@ static char aesni_capable(void) {
 EVP_CIPHER_FUNCTION(128, cbc)
 EVP_CIPHER_FUNCTION(128, ctr)
 EVP_CIPHER_FUNCTION(128, ecb)
+EVP_CIPHER_FUNCTION(128, ofb)
 EVP_CIPHER_FUNCTION(128, gcm)

+EVP_CIPHER_FUNCTION(192, cbc)
+EVP_CIPHER_FUNCTION(192, ctr)
+EVP_CIPHER_FUNCTION(192, ecb)
+EVP_CIPHER_FUNCTION(192, gcm)
+
 EVP_CIPHER_FUNCTION(256, cbc)
 EVP_CIPHER_FUNCTION(256, ctr)
 EVP_CIPHER_FUNCTION(256, ecb)
+EVP_CIPHER_FUNCTION(256, ofb)
 EVP_CIPHER_FUNCTION(256, gcm)


@@ -969,7 +1064,7 @@ static int aead_aes_gcm_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
  const size_t key_bits = key_len * 8;

  if (key_bits != 128 && key_bits != 256) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_gcm_init, CIPHER_R_BAD_KEY_LENGTH);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
    return 0; /* EVP_AEAD_CTX_init should catch this. */
  }

@@ -978,7 +1073,7 @@ static int aead_aes_gcm_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
  }

  if (tag_len > EVP_AEAD_AES_GCM_TAG_LEN) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_gcm_init, CIPHER_R_TAG_TOO_LARGE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TAG_TOO_LARGE);
    return 0;
  }

@@ -1011,12 +1106,12 @@ static int aead_aes_gcm_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
  GCM128_CONTEXT gcm;

  if (in_len + gcm_ctx->tag_len < in_len) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_gcm_seal, CIPHER_R_TOO_LARGE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
    return 0;
  }

  if (max_out_len < in_len + gcm_ctx->tag_len) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_gcm_seal, CIPHER_R_BUFFER_TOO_SMALL);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
    return 0;
  }

@@ -1055,14 +1150,14 @@ static int aead_aes_gcm_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
  GCM128_CONTEXT gcm;

  if (in_len < gcm_ctx->tag_len) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_gcm_open, CIPHER_R_BAD_DECRYPT);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
    return 0;
  }

  plaintext_len = in_len - gcm_ctx->tag_len;

  if (max_out_len < plaintext_len) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_gcm_open, CIPHER_R_BUFFER_TOO_SMALL);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
    return 0;
  }

@@ -1088,7 +1183,7 @@ static int aead_aes_gcm_open(const EVP_AEAD_CTX *ctx, uint8_t *out,

  CRYPTO_gcm128_tag(&gcm, tag, gcm_ctx->tag_len);
  if (CRYPTO_memcmp(tag, in + plaintext_len, gcm_ctx->tag_len) != 0) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_gcm_open, CIPHER_R_BAD_DECRYPT);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
    return 0;
  }

@@ -1142,7 +1237,7 @@ static int aead_aes_key_wrap_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
  const size_t key_bits = key_len * 8;

  if (key_bits != 128 && key_bits != 256) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_init, CIPHER_R_BAD_KEY_LENGTH);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
    return 0; /* EVP_AEAD_CTX_init should catch this. */
  }

@@ -1151,14 +1246,13 @@ static int aead_aes_key_wrap_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
  }

  if (tag_len != 8) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_init,
-                      CIPHER_R_UNSUPPORTED_TAG_SIZE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_TAG_SIZE);
    return 0;
  }

  kw_ctx = OPENSSL_malloc(sizeof(struct aead_aes_key_wrap_ctx));
  if (kw_ctx == NULL) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_init, ERR_R_MALLOC_FAILURE);
+    OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE);
    return 0;
  }

@@ -1196,8 +1290,7 @@ static int aead_aes_key_wrap_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
  uint8_t A[AES_BLOCK_SIZE];

  if (ad_len != 0) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_seal,
-                      CIPHER_R_UNSUPPORTED_AD_SIZE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_AD_SIZE);
    return 0;
  }

@@ -1207,14 +1300,12 @@ static int aead_aes_key_wrap_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
  }

  if (nonce_len != 8) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_seal,
-                      CIPHER_R_UNSUPPORTED_NONCE_SIZE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
    return 0;
  }

  if (in_len % 8 != 0) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_seal,
-                      CIPHER_R_UNSUPPORTED_INPUT_SIZE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_INPUT_SIZE);
    return 0;
  }

@@ -1223,32 +1314,29 @@ static int aead_aes_key_wrap_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
   * conservatively cap it to 2^32-16 to stop 32-bit platforms complaining that
   * a comparison is always true. */
  if (in_len > 0xfffffff0) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_seal, CIPHER_R_TOO_LARGE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
    return 0;
  }

  n = in_len / 8;

  if (n < 2) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_seal,
-                      CIPHER_R_UNSUPPORTED_INPUT_SIZE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_INPUT_SIZE);
    return 0;
  }

  if (in_len + 8 < in_len) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_seal, CIPHER_R_TOO_LARGE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
    return 0;
  }

  if (max_out_len < in_len + 8) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_seal,
-                      CIPHER_R_BUFFER_TOO_SMALL);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
    return 0;
  }

  if (AES_set_encrypt_key(kw_ctx->key, kw_ctx->key_bits, &ks.ks) < 0) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_seal,
-                      CIPHER_R_AES_KEY_SETUP_FAILED);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_AES_KEY_SETUP_FAILED);
    return 0;
  }

@@ -1291,8 +1379,7 @@ static int aead_aes_key_wrap_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
  uint8_t A[AES_BLOCK_SIZE];

  if (ad_len != 0) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_open,
-                      CIPHER_R_UNSUPPORTED_AD_SIZE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_AD_SIZE);
    return 0;
  }

@@ -1302,14 +1389,12 @@ static int aead_aes_key_wrap_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
  }

  if (nonce_len != 8) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_open,
-                      CIPHER_R_UNSUPPORTED_NONCE_SIZE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
    return 0;
  }

  if (in_len % 8 != 0) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_open,
-                      CIPHER_R_UNSUPPORTED_INPUT_SIZE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_INPUT_SIZE);
    return 0;
  }

@@ -1318,26 +1403,24 @@ static int aead_aes_key_wrap_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
   * conservatively cap it to 2^32-8 to stop 32-bit platforms complaining that
   * a comparison is always true. */
  if (in_len > 0xfffffff8) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_open, CIPHER_R_TOO_LARGE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
    return 0;
  }

  if (in_len < 24) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_open, CIPHER_R_BAD_DECRYPT);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
    return 0;
  }

  n = (in_len / 8) - 1;

  if (max_out_len < in_len - 8) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_open,
-                      CIPHER_R_BUFFER_TOO_SMALL);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
    return 0;
  }

  if (AES_set_decrypt_key(kw_ctx->key, kw_ctx->key_bits, &ks.ks) < 0) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_open,
-                      CIPHER_R_AES_KEY_SETUP_FAILED);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_AES_KEY_SETUP_FAILED);
    return 0;
  }

@@ -1360,7 +1443,7 @@ static int aead_aes_key_wrap_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
  }

  if (CRYPTO_memcmp(A, nonce, 8) != 0) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_open, CIPHER_R_BAD_DECRYPT);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
    return 0;
  }

@@ -1444,15 +1527,13 @@ static int aead_aes_ctr_hmac_sha256_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
  static const size_t hmac_key_len = 32;

  if (key_len < hmac_key_len) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_init,
-                      CIPHER_R_BAD_KEY_LENGTH);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
    return 0; /* EVP_AEAD_CTX_init should catch this. */
  }

  const size_t aes_key_len = key_len - hmac_key_len;
  if (aes_key_len != 16 && aes_key_len != 32) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_init,
-                      CIPHER_R_BAD_KEY_LENGTH);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
    return 0; /* EVP_AEAD_CTX_init should catch this. */
  }

@@ -1461,15 +1542,13 @@ static int aead_aes_ctr_hmac_sha256_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
  }

  if (tag_len > EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_init,
-                      CIPHER_R_TAG_TOO_LARGE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TAG_TOO_LARGE);
    return 0;
  }

  aes_ctx = OPENSSL_malloc(sizeof(struct aead_aes_ctr_hmac_sha256_ctx));
  if (aes_ctx == NULL) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_init,
-                      ERR_R_MALLOC_FAILURE);
+    OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE);
    return 0;
  }

@@ -1569,20 +1648,17 @@ static int aead_aes_ctr_hmac_sha256_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
  if (in_len + aes_ctx->tag_len < in_len ||
      /* This input is so large it would overflow the 32-bit block counter. */
      in_len_64 >= (OPENSSL_U64(1) << 32) * AES_BLOCK_SIZE) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_seal,
-                      CIPHER_R_TOO_LARGE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
    return 0;
  }

  if (max_out_len < in_len + aes_ctx->tag_len) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_seal,
-                      CIPHER_R_BUFFER_TOO_SMALL);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
    return 0;
  }

  if (nonce_len != EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_seal,
-                      CIPHER_R_UNSUPPORTED_NONCE_SIZE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
    return 0;
  }

@@ -1606,22 +1682,19 @@ static int aead_aes_ctr_hmac_sha256_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
  size_t plaintext_len;

  if (in_len < aes_ctx->tag_len) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_open,
-                      CIPHER_R_BAD_DECRYPT);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
    return 0;
  }

  plaintext_len = in_len - aes_ctx->tag_len;

  if (max_out_len < plaintext_len) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_open,
-                      CIPHER_R_BUFFER_TOO_SMALL);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
    return 0;
  }

  if (nonce_len != EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_open,
-                      CIPHER_R_UNSUPPORTED_NONCE_SIZE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
    return 0;
  }

@@ -1630,8 +1703,7 @@ static int aead_aes_ctr_hmac_sha256_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
                 &aes_ctx->outer_init_state, ad, ad_len, nonce, in,
                 plaintext_len);
  if (CRYPTO_memcmp(hmac_result, in + plaintext_len, aes_ctx->tag_len) != 0) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_open,
-                      CIPHER_R_BAD_DECRYPT);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
    return 0;
  }

@@ -1652,6 +1724,7 @@ static const EVP_AEAD aead_aes_128_ctr_hmac_sha256 = {
    aead_aes_ctr_hmac_sha256_cleanup,
    aead_aes_ctr_hmac_sha256_seal,
    aead_aes_ctr_hmac_sha256_open,
+    NULL /* get_rc4_state */,
 };

 static const EVP_AEAD aead_aes_256_ctr_hmac_sha256 = {
@@ -1665,6 +1738,7 @@ static const EVP_AEAD aead_aes_256_ctr_hmac_sha256 = {
    aead_aes_ctr_hmac_sha256_cleanup,
    aead_aes_ctr_hmac_sha256_seal,
    aead_aes_ctr_hmac_sha256_open,
+    NULL /* get_rc4_state */,
 };

 const EVP_AEAD *EVP_aead_aes_128_ctr_hmac_sha256(void) {
@@ -42,7 +42,7 @@ static int aead_chacha20_poly1305_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
  }

  if (tag_len > POLY1305_TAG_LEN) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_init, CIPHER_R_TOO_LARGE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
    return 0;
  }

@@ -107,23 +107,22 @@ static int aead_chacha20_poly1305_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
   * Casting to uint64_t inside the conditional is not sufficient to stop
   * the warning. */
  if (in_len_64 >= (1ull << 32) * 64 - 64) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_seal, CIPHER_R_TOO_LARGE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
    return 0;
  }

  if (in_len + c20_ctx->tag_len < in_len) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_seal, CIPHER_R_TOO_LARGE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
    return 0;
  }

  if (max_out_len < in_len + c20_ctx->tag_len) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_seal,
-                      CIPHER_R_BUFFER_TOO_SMALL);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
    return 0;
  }

  if (nonce_len != CHACHA20_NONCE_LEN) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_seal, CIPHER_R_IV_TOO_LARGE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_IV_TOO_LARGE);
    return 0;
  }

@@ -156,7 +155,7 @@ static int aead_chacha20_poly1305_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
  const uint64_t in_len_64 = in_len;

  if (in_len < c20_ctx->tag_len) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_open, CIPHER_R_BAD_DECRYPT);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
    return 0;
  }

@@ -168,20 +167,19 @@ static int aead_chacha20_poly1305_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
   * Casting to uint64_t inside the conditional is not sufficient to stop
   * the warning. */
  if (in_len_64 >= (1ull << 32) * 64 - 64) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_open, CIPHER_R_TOO_LARGE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
    return 0;
  }

  if (nonce_len != CHACHA20_NONCE_LEN) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_open, CIPHER_R_IV_TOO_LARGE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_IV_TOO_LARGE);
    return 0;
  }

  plaintext_len = in_len - c20_ctx->tag_len;

  if (max_out_len < plaintext_len) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_open,
-                      CIPHER_R_BUFFER_TOO_SMALL);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
    return 0;
  }

@@ -195,7 +193,7 @@ static int aead_chacha20_poly1305_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
  CRYPTO_poly1305_finish(&poly1305, mac);

  if (CRYPTO_memcmp(mac, in + plaintext_len, c20_ctx->tag_len) != 0) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_chacha20_poly1305_open, CIPHER_R_BAD_DECRYPT);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
    return 0;
  }

@@ -127,7 +127,7 @@ static int des_ede3_cbc_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out,
 }

 static const EVP_CIPHER des3_cbc = {
-    NID_des_cbc,         8 /* block_size */,  24 /* key_size */,
+    NID_des_ede3_cbc,    8 /* block_size */,  24 /* key_size */,
    8 /* iv_len */,      sizeof(DES_EDE_KEY), EVP_CIPH_CBC_MODE,
    NULL /* app_data */, des_ede3_init_key,   des_ede3_cbc_cipher,
    NULL /* cleanup */,  NULL /* ctrl */, };
@@ -395,13 +395,18 @@ static int rc2_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) {
    case EVP_CTRL_INIT:
      key->key_bits = EVP_CIPHER_CTX_key_length(ctx) * 8;
      return 1;
+    case EVP_CTRL_SET_RC2_KEY_BITS:
+      /* Should be overridden by later call to |EVP_CTRL_INIT|, but
+       * people call it, so it may as well work. */
+      key->key_bits = arg;
+      return 1;

    default:
      return -1;
  }
 }

-static const EVP_CIPHER rc2_40_cbc_cipher = {
+static const EVP_CIPHER rc2_40_cbc = {
    NID_rc2_40_cbc,
    8 /* block size */,
    5 /* 40 bit */,
@@ -416,5 +421,23 @@ static const EVP_CIPHER rc2_40_cbc_cipher = {
 };

 const EVP_CIPHER *EVP_rc2_40_cbc(void) {
-  return &rc2_40_cbc_cipher;
+  return &rc2_40_cbc;
+}
+
+static const EVP_CIPHER rc2_cbc = {
+    NID_rc2_cbc,
+    8 /* block size */,
+    16 /* 128 bit */,
+    8 /* iv len */,
+    sizeof(EVP_RC2_KEY),
+    EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT,
+    NULL /* app_data */,
+    rc2_init_key,
+    rc2_cbc_cipher,
+    NULL,
+    rc2_ctrl,
+};
+
+const EVP_CIPHER *EVP_rc2_cbc(void) {
+  return &rc2_cbc;
 }
@@ -115,20 +115,20 @@ aead_rc4_md5_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,
  }

  if (tag_len > MD5_DIGEST_LENGTH) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_init, CIPHER_R_TOO_LARGE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
    return 0;
  }

  /* The keys consists of |MD5_DIGEST_LENGTH| bytes of HMAC(MD5) key followed
   * by some number of bytes of RC4 key. */
  if (key_len <= MD5_DIGEST_LENGTH) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_init, CIPHER_R_BAD_KEY_LENGTH);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
    return 0;
  }

  rc4_ctx = OPENSSL_malloc(sizeof(struct aead_rc4_md5_tls_ctx));
  if (rc4_ctx == NULL) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_init, ERR_R_MALLOC_FAILURE);
+    OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE);
    return 0;
  }
  memset(rc4_ctx, 0, sizeof(struct aead_rc4_md5_tls_ctx));
@@ -185,22 +185,22 @@ static int aead_rc4_md5_tls_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
  uint8_t digest[MD5_DIGEST_LENGTH];

  if (in_len + rc4_ctx->tag_len < in_len) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_seal, CIPHER_R_TOO_LARGE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
    return 0;
  }

  if (nonce_len != 0) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_seal, CIPHER_R_IV_TOO_LARGE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_IV_TOO_LARGE);
    return 0;
  }

  if (max_out_len < in_len + rc4_ctx->tag_len) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_seal, CIPHER_R_BUFFER_TOO_SMALL);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
    return 0;
  }

  if (nonce_len != 0) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_seal, CIPHER_R_TOO_LARGE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
    return 0;
  }

@@ -288,19 +288,21 @@ static int aead_rc4_md5_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
  uint8_t digest[MD5_DIGEST_LENGTH];

  if (in_len < rc4_ctx->tag_len) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_open, CIPHER_R_BAD_DECRYPT);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
    return 0;
  }

  plaintext_len = in_len - rc4_ctx->tag_len;

  if (nonce_len != 0) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_open, CIPHER_R_TOO_LARGE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
    return 0;
  }

-  if (max_out_len < plaintext_len) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_open, CIPHER_R_BUFFER_TOO_SMALL);
+  if (max_out_len < in_len) {
+    /* This requires that the caller provide space for the MAC, even though it
+     * will always be removed on return. */
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
    return 0;
  }

@@ -364,7 +366,7 @@ static int aead_rc4_md5_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
  MD5_Final(digest, &md);

  if (CRYPTO_memcmp(out + plaintext_len, digest, rc4_ctx->tag_len)) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_open, CIPHER_R_BAD_DECRYPT);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
    return 0;
  }

@@ -85,12 +85,12 @@ static int aead_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,
                          const EVP_CIPHER *cipher, const EVP_MD *md) {
  if (tag_len != EVP_AEAD_DEFAULT_TAG_LENGTH &&
      tag_len != EVP_MD_size(md)) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_init, CIPHER_R_UNSUPPORTED_TAG_SIZE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_TAG_SIZE);
    return 0;
  }

  if (key_len != EVP_AEAD_key_length(ctx->aead)) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_init, CIPHER_R_BAD_KEY_LENGTH);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
    return 0;
  }

@@ -102,7 +102,7 @@ static int aead_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,

  AEAD_SSL3_CTX *ssl3_ctx = OPENSSL_malloc(sizeof(AEAD_SSL3_CTX));
  if (ssl3_ctx == NULL) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_init, ERR_R_MALLOC_FAILURE);
+    OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE);
    return 0;
  }
  EVP_CIPHER_CTX_init(&ssl3_ctx->cipher_ctx);
@@ -115,6 +115,7 @@ static int aead_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,
      !EVP_DigestInit_ex(&ssl3_ctx->md_ctx, md, NULL) ||
      !EVP_DigestUpdate(&ssl3_ctx->md_ctx, key, mac_key_len)) {
    aead_ssl3_cleanup(ctx);
+    ctx->aead_state = NULL;
    return 0;
  }
  EVP_CIPHER_CTX_set_padding(&ssl3_ctx->cipher_ctx, 0);
@@ -132,29 +133,29 @@ static int aead_ssl3_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,

  if (!ssl3_ctx->cipher_ctx.encrypt) {
    /* Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction. */
-    OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_seal, CIPHER_R_INVALID_OPERATION);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
    return 0;
  }

  if (in_len + EVP_AEAD_max_overhead(ctx->aead) < in_len ||
      in_len > INT_MAX) {
    /* EVP_CIPHER takes int as input. */
-    OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_seal, CIPHER_R_TOO_LARGE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
    return 0;
  }

  if (max_out_len < in_len + EVP_AEAD_max_overhead(ctx->aead)) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_seal, CIPHER_R_BUFFER_TOO_SMALL);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
    return 0;
  }

  if (nonce_len != 0) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_seal, CIPHER_R_IV_TOO_LARGE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_IV_TOO_LARGE);
    return 0;
  }

  if (ad_len != 11 - 2 /* length bytes */) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_seal, CIPHER_R_INVALID_AD_SIZE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE);
    return 0;
  }

@@ -216,36 +217,36 @@ static int aead_ssl3_open(const EVP_AEAD_CTX *ctx, uint8_t *out,

  if (ssl3_ctx->cipher_ctx.encrypt) {
    /* Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction. */
-    OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_INVALID_OPERATION);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
    return 0;
  }

  size_t mac_len = EVP_MD_CTX_size(&ssl3_ctx->md_ctx);
  if (in_len < mac_len) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_BAD_DECRYPT);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
    return 0;
  }

  if (max_out_len < in_len) {
    /* This requires that the caller provide space for the MAC, even though it
     * will always be removed on return. */
-    OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_BUFFER_TOO_SMALL);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
    return 0;
  }

  if (nonce_len != 0) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_TOO_LARGE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
    return 0;
  }

  if (ad_len != 11 - 2 /* length bytes */) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_INVALID_AD_SIZE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE);
    return 0;
  }

  if (in_len > INT_MAX) {
    /* EVP_CIPHER takes int as input. */
-    OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_TOO_LARGE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
    return 0;
  }

@@ -269,12 +270,12 @@ static int aead_ssl3_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
  if (EVP_CIPHER_CTX_mode(&ssl3_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE) {
    unsigned padding_length = out[total - 1];
    if (total < padding_length + 1 + mac_len) {
-      OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_BAD_DECRYPT);
+      OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
      return 0;
    }
    /* The padding must be minimal. */
    if (padding_length + 1 > EVP_CIPHER_CTX_block_size(&ssl3_ctx->cipher_ctx)) {
-      OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_BAD_DECRYPT);
+      OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
      return 0;
    }
    data_len = total - padding_length - 1 - mac_len;
@@ -288,7 +289,7 @@ static int aead_ssl3_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
    return 0;
  }
  if (CRYPTO_memcmp(&out[data_len], mac, mac_len) != 0) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_BAD_DECRYPT);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
    return 0;
  }

@@ -57,12 +57,12 @@ static int aead_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,
                         char implicit_iv) {
  if (tag_len != EVP_AEAD_DEFAULT_TAG_LENGTH &&
      tag_len != EVP_MD_size(md)) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_tls_init, CIPHER_R_UNSUPPORTED_TAG_SIZE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_TAG_SIZE);
    return 0;
  }

  if (key_len != EVP_AEAD_key_length(ctx->aead)) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_tls_init, CIPHER_R_BAD_KEY_LENGTH);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
    return 0;
  }

@@ -75,7 +75,7 @@ static int aead_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,

  AEAD_TLS_CTX *tls_ctx = OPENSSL_malloc(sizeof(AEAD_TLS_CTX));
  if (tls_ctx == NULL) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_tls_init, ERR_R_MALLOC_FAILURE);
+    OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE);
    return 0;
  }
  EVP_CIPHER_CTX_init(&tls_ctx->cipher_ctx);
@@ -91,6 +91,7 @@ static int aead_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,
                         dir == evp_aead_seal) ||
      !HMAC_Init_ex(&tls_ctx->hmac_ctx, key, mac_key_len, md, NULL)) {
    aead_tls_cleanup(ctx);
+    ctx->aead_state = NULL;
    return 0;
  }
  EVP_CIPHER_CTX_set_padding(&tls_ctx->cipher_ctx, 0);
@@ -108,7 +109,7 @@ static int aead_tls_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,

  if (!tls_ctx->cipher_ctx.encrypt) {
    /* Unlike a normal AEAD, a TLS AEAD may only be used in one direction. */
-    OPENSSL_PUT_ERROR(CIPHER, aead_tls_seal, CIPHER_R_INVALID_OPERATION);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
    return 0;

  }
@@ -116,22 +117,22 @@ static int aead_tls_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
  if (in_len + EVP_AEAD_max_overhead(ctx->aead) < in_len ||
      in_len > INT_MAX) {
    /* EVP_CIPHER takes int as input. */
-    OPENSSL_PUT_ERROR(CIPHER, aead_tls_seal, CIPHER_R_TOO_LARGE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
    return 0;
  }

  if (max_out_len < in_len + EVP_AEAD_max_overhead(ctx->aead)) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_tls_seal, CIPHER_R_BUFFER_TOO_SMALL);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
    return 0;
  }

  if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_tls_seal, CIPHER_R_INVALID_NONCE_SIZE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE);
    return 0;
  }

  if (ad_len != 13 - 2 /* length bytes */) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_tls_seal, CIPHER_R_INVALID_AD_SIZE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE);
    return 0;
  }

@@ -213,36 +214,36 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out,

  if (tls_ctx->cipher_ctx.encrypt) {
    /* Unlike a normal AEAD, a TLS AEAD may only be used in one direction. */
-    OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_INVALID_OPERATION);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
    return 0;

  }

  if (in_len < HMAC_size(&tls_ctx->hmac_ctx)) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_BAD_DECRYPT);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
    return 0;
  }

  if (max_out_len < in_len) {
    /* This requires that the caller provide space for the MAC, even though it
     * will always be removed on return. */
-    OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_BUFFER_TOO_SMALL);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
    return 0;
  }

  if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_INVALID_NONCE_SIZE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE);
    return 0;
  }

  if (ad_len != 13 - 2 /* length bytes */) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_INVALID_AD_SIZE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE);
    return 0;
  }

  if (in_len > INT_MAX) {
    /* EVP_CIPHER takes int as input. */
-    OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_TOO_LARGE);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
    return 0;
  }

@@ -277,7 +278,7 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
        (unsigned)HMAC_size(&tls_ctx->hmac_ctx));
    /* Publicly invalid. This can be rejected in non-constant time. */
    if (padding_ok == 0) {
-      OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_BAD_DECRYPT);
+      OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
      return 0;
    }
  } else {
@@ -311,7 +312,7 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
    if (!EVP_tls_cbc_digest_record(tls_ctx->hmac_ctx.md, mac, &mac_len,
                                   ad_fixed, out, data_plus_mac_len, total,
                                   tls_ctx->mac_key, tls_ctx->mac_key_len)) {
-      OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_BAD_DECRYPT);
+      OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
      return 0;
    }
    assert(mac_len == HMAC_size(&tls_ctx->hmac_ctx));
@@ -348,7 +349,7 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
                                       0);
  good &= constant_time_eq_int(padding_ok, 1);
  if (!good) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_BAD_DECRYPT);
+    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
    return 0;
  }

@@ -60,55 +60,16 @@
 #include <openssl/base.h>

 #include <openssl/aead.h>
-#include <openssl/asn1t.h>

 #if defined(__cplusplus)
 extern "C" {
 #endif


-struct evp_cipher_st {
-  /* type contains a NID identifing the cipher. (For example, NID_rc4.) */
-  int nid;
-
-  /* block_size contains the block size, in bytes, of the cipher, or 1 for a
-   * stream cipher. */
-  unsigned block_size;
-
-  /* key_len contains the key size, in bytes, for the cipher. If the cipher
-   * takes a variable key size then this contains the default size. */
-  unsigned key_len;
-
-  /* iv_len contains the IV size, in bytes, or zero if inapplicable. */
-  unsigned iv_len;
-
-  /* ctx_size contains the size, in bytes, of the per-key context for this
-   * cipher. */
-  unsigned ctx_size;
-
-  /* flags contains the OR of a number of flags. See |EVP_CIPH_*|. */
-  uint32_t flags;
-
-  /* app_data is a pointer to opaque, user data. */
-  void *app_data;
-
-  int (*init)(EVP_CIPHER_CTX *ctx, const uint8_t *key, const uint8_t *iv,
-              int enc);
-
-  int (*cipher)(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
-                size_t inl);
-
-  void (*cleanup)(EVP_CIPHER_CTX *);
-
-  int (*ctrl)(EVP_CIPHER_CTX *, int type, int arg, void *ptr);
-};
-
 /* EVP_CIPH_MODE_MASK contains the bits of |flags| that represent the mode. */
 #define EVP_CIPH_MODE_MASK 0x3f


-struct evp_aead_ctx_st;
-
 /* EVP_AEAD represents a specific AEAD algorithm. */
 struct evp_aead_st {
  uint8_t key_len;
@@ -116,25 +77,25 @@ struct evp_aead_st {
  uint8_t overhead;
  uint8_t max_tag_len;

-  int (*init)(struct evp_aead_ctx_st *, const uint8_t *key,
-              size_t key_len, size_t tag_len);
-  int (*init_with_direction)(struct evp_aead_ctx_st *, const uint8_t *key,
-			     size_t key_len, size_t tag_len,
-			     enum evp_aead_direction_t dir);
-  void (*cleanup)(struct evp_aead_ctx_st *);
+  /* init initialises an |EVP_AEAD_CTX|. If this call returns zero then
+   * |cleanup| will not be called for that context. */
+  int (*init)(EVP_AEAD_CTX *, const uint8_t *key, size_t key_len,
+              size_t tag_len);
+  int (*init_with_direction)(EVP_AEAD_CTX *, const uint8_t *key, size_t key_len,
+                             size_t tag_len, enum evp_aead_direction_t dir);
+  void (*cleanup)(EVP_AEAD_CTX *);

-  int (*seal)(const struct evp_aead_ctx_st *ctx, uint8_t *out,
-              size_t *out_len, size_t max_out_len, const uint8_t *nonce,
-              size_t nonce_len, const uint8_t *in, size_t in_len,
-              const uint8_t *ad, size_t ad_len);
+  int (*seal)(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len,
+              size_t max_out_len, const uint8_t *nonce, size_t nonce_len,
+              const uint8_t *in, size_t in_len, const uint8_t *ad,
+              size_t ad_len);

-  int (*open)(const struct evp_aead_ctx_st *ctx, uint8_t *out,
-              size_t *out_len, size_t max_out_len, const uint8_t *nonce,
-              size_t nonce_len, const uint8_t *in, size_t in_len,
-              const uint8_t *ad, size_t ad_len);
+  int (*open)(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len,
+              size_t max_out_len, const uint8_t *nonce, size_t nonce_len,
+              const uint8_t *in, size_t in_len, const uint8_t *ad,
+              size_t ad_len);

-  int (*get_rc4_state)(const struct evp_aead_ctx_st *ctx,
-                       const RC4_KEY **out_key);
+  int (*get_rc4_state)(const EVP_AEAD_CTX *ctx, const RC4_KEY **out_key);
 };


@@ -418,3 +418,9 @@ AD: 18e2ed6d500b176e49f7e1b5074c0b7dbfdefdf00a63d9fa2fea8c5e78a1c4ae00f17b234429
 CT: 5f3627bd53f8da0bbe6f3c9246d6f96fe9abb91cdecf66ddd42f833d98f4d4634c2e1e1ad4088c84c22191bdb9d99ef227320e455dd112c4a9e9cca95724fcc9ae024ed12bf60a802d0b87b99d9bf22590786567c2962171d2b05bec9754c627608e9eba7bccc70540aa4da72e1e04b26d8f968b10230f707501c0091a8ac118f86e87aae1ac00257aee29c3345bd3839154977acd378fc1b2197f5c1fd8e12262f9c2974fb92dc481eeb51aadd44a8851f61b93a84ba57f2870df0423d289bfdcfe634f9ecb7d7c6110a95b49418a2dd6663377690275c205b3efa79a0a77c92567fb429d8ee437312a39df7516dc238f7b9414938223d7ec24d256d3fb3a5954a7c75dbd79486d49ba6bb38a7ccce0f58700260b71319adf98ab8684e34913abe2d9d97193e2
 TAG: e690e89af39ff367f5d40a1b7c7ccd4f

+KEY: 31323334353637383930313233343536
+NONCE: 31323334353637383930313233343536
+IN: 48656c6c6f2c20576f726c64
+AD:
+CT: cec189d0e8419b90fb16d555
+TAG: 32893832a8d609224d77c2e56a922282
@@ -1,83 +1,544 @@
 # RC4 tests (from rc4test)
-RC4:0123456789abcdef0123456789abcdef::0123456789abcdef:75b7878099e0c596
-RC4:0123456789abcdef0123456789abcdef::0000000000000000:7494c2e7104b0879
-RC4:00000000000000000000000000000000::0000000000000000:de188941a3375d3a
-RC4:ef012345ef012345ef012345ef012345::0000000000000000000000000000000000000000:d6a141a7ec3c38dfbd615a1162e1c7ba36b67858
-RC4:0123456789abcdef0123456789abcdef::123456789ABCDEF0123456789ABCDEF0123456789ABCDEF012345678:66a0949f8af7d6891f7f832ba833c00c892ebe30143ce28740011ecf
-RC4:ef012345ef012345ef012345ef012345::00000000000000000000:d6a141a7ec3c38dfbd61
+Cipher = RC4
+Key = 0123456789abcdef0123456789abcdef
+Plaintext = 0123456789abcdef
+Ciphertext = 75b7878099e0c596
+
+Cipher = RC4
+Key = 0123456789abcdef0123456789abcdef
+Plaintext = 0000000000000000
+Ciphertext = 7494c2e7104b0879
+
+Cipher = RC4
+Key = 00000000000000000000000000000000
+Plaintext = 0000000000000000
+Ciphertext = de188941a3375d3a
+
+Cipher = RC4
+Key = ef012345ef012345ef012345ef012345
+Plaintext = 0000000000000000000000000000000000000000
+Ciphertext = d6a141a7ec3c38dfbd615a1162e1c7ba36b67858
+
+Cipher = RC4
+Key = 0123456789abcdef0123456789abcdef
+Plaintext = 123456789ABCDEF0123456789ABCDEF0123456789ABCDEF012345678
+Ciphertext = 66a0949f8af7d6891f7f832ba833c00c892ebe30143ce28740011ecf
+
+Cipher = RC4
+Key = ef012345ef012345ef012345ef012345
+Plaintext = 00000000000000000000
+Ciphertext = d6a141a7ec3c38dfbd61
+

 # DES EDE3 CBC tests (from destest)
-DES-EDE3-CBC:0123456789abcdeff1e0d3c2b5a49786fedcba9876543210:fedcba9876543210:37363534333231204E6F77206973207468652074696D6520666F722000000000:3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675
+Cipher = DES-EDE3-CBC
+Key = 0123456789abcdeff1e0d3c2b5a49786fedcba9876543210
+IV = fedcba9876543210
+Plaintext = 37363534333231204E6F77206973207468652074696D6520666F722000000000
+Ciphertext = 3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675
+

 # AES 128 ECB tests (from FIPS-197 test vectors, encrypt)
-AES-128-ECB:000102030405060708090A0B0C0D0E0F::00112233445566778899AABBCCDDEEFF:69C4E0D86A7B0430D8CDB78070B4C55A:1
+Cipher = AES-128-ECB
+Key = 000102030405060708090A0B0C0D0E0F
+Operation = ENCRYPT
+Plaintext = 00112233445566778899AABBCCDDEEFF
+Ciphertext = 69C4E0D86A7B0430D8CDB78070B4C55A
+

 # AES 256 ECB tests (from FIPS-197 test vectors, encrypt)
-AES-256-ECB:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F::00112233445566778899AABBCCDDEEFF:8EA2B7CA516745BFEAFC49904B496089:1
+Cipher = AES-256-ECB
+Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
+Operation = ENCRYPT
+Plaintext = 00112233445566778899AABBCCDDEEFF
+Ciphertext = 8EA2B7CA516745BFEAFC49904B496089

-# AES 128 CBC tests (from NIST test vectors, decrypt)

 # AES tests from NIST document SP800-38A
 # For all ECB encrypts and decrypts, the transformed sequence is
 #   AES-bits-ECB:key::plaintext:ciphertext:encdec
 # ECB-AES128.Encrypt and ECB-AES128.Decrypt
-AES-128-ECB:2B7E151628AED2A6ABF7158809CF4F3C::6BC1BEE22E409F96E93D7E117393172A:3AD77BB40D7A3660A89ECAF32466EF97
-AES-128-ECB:2B7E151628AED2A6ABF7158809CF4F3C::AE2D8A571E03AC9C9EB76FAC45AF8E51:F5D3D58503B9699DE785895A96FDBAAF
-AES-128-ECB:2B7E151628AED2A6ABF7158809CF4F3C::30C81C46A35CE411E5FBC1191A0A52EF:43B1CD7F598ECE23881B00E3ED030688
-AES-128-ECB:2B7E151628AED2A6ABF7158809CF4F3C::F69F2445DF4F9B17AD2B417BE66C3710:7B0C785E27E8AD3F8223207104725DD4
+Cipher = AES-128-ECB
+Key = 2B7E151628AED2A6ABF7158809CF4F3C
+Plaintext = 6BC1BEE22E409F96E93D7E117393172A
+Ciphertext = 3AD77BB40D7A3660A89ECAF32466EF97
+
+Cipher = AES-128-ECB
+Key = 2B7E151628AED2A6ABF7158809CF4F3C
+Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
+Ciphertext = F5D3D58503B9699DE785895A96FDBAAF
+
+Cipher = AES-128-ECB
+Key = 2B7E151628AED2A6ABF7158809CF4F3C
+Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
+Ciphertext = 43B1CD7F598ECE23881B00E3ED030688
+
+Cipher = AES-128-ECB
+Key = 2B7E151628AED2A6ABF7158809CF4F3C
+Plaintext = F69F2445DF4F9B17AD2B417BE66C3710
+Ciphertext = 7B0C785E27E8AD3F8223207104725DD4
+
+
 # ECB-AES256.Encrypt and ECB-AES256.Decrypt
-AES-256-ECB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4::6BC1BEE22E409F96E93D7E117393172A:F3EED1BDB5D2A03C064B5A7E3DB181F8
-AES-256-ECB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4::AE2D8A571E03AC9C9EB76FAC45AF8E51:591CCB10D410ED26DC5BA74A31362870
-AES-256-ECB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4::30C81C46A35CE411E5FBC1191A0A52EF:B6ED21B99CA6F4F9F153E7B1BEAFED1D
-AES-256-ECB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4::F69F2445DF4F9B17AD2B417BE66C3710:23304B7A39F9F3FF067D8D8F9E24ECC7
+Cipher = AES-256-ECB
+Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
+Plaintext = 6BC1BEE22E409F96E93D7E117393172A
+Ciphertext = F3EED1BDB5D2A03C064B5A7E3DB181F8
+
+Cipher = AES-256-ECB
+Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
+Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
+Ciphertext = 591CCB10D410ED26DC5BA74A31362870
+
+Cipher = AES-256-ECB
+Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
+Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
+Ciphertext = B6ED21B99CA6F4F9F153E7B1BEAFED1D
+
+Cipher = AES-256-ECB
+Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
+Plaintext = F69F2445DF4F9B17AD2B417BE66C3710
+Ciphertext = 23304B7A39F9F3FF067D8D8F9E24ECC7
+
+
 # For all CBC encrypts and decrypts, the transformed sequence is
 #   AES-bits-CBC:key:IV/ciphertext':plaintext:ciphertext:encdec
 # CBC-AES128.Encrypt and CBC-AES128.Decrypt
-AES-128-CBC:2B7E151628AED2A6ABF7158809CF4F3C:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:7649ABAC8119B246CEE98E9B12E9197D
-AES-128-CBC:2B7E151628AED2A6ABF7158809CF4F3C:7649ABAC8119B246CEE98E9B12E9197D:AE2D8A571E03AC9C9EB76FAC45AF8E51:5086CB9B507219EE95DB113A917678B2
-AES-128-CBC:2B7E151628AED2A6ABF7158809CF4F3C:5086CB9B507219EE95DB113A917678B2:30C81C46A35CE411E5FBC1191A0A52EF:73BED6B8E3C1743B7116E69E22229516
-AES-128-CBC:2B7E151628AED2A6ABF7158809CF4F3C:73BED6B8E3C1743B7116E69E22229516:F69F2445DF4F9B17AD2B417BE66C3710:3FF1CAA1681FAC09120ECA307586E1A7
+Cipher = AES-128-CBC
+Key = 2B7E151628AED2A6ABF7158809CF4F3C
+IV = 000102030405060708090A0B0C0D0E0F
+Plaintext = 6BC1BEE22E409F96E93D7E117393172A
+Ciphertext = 7649ABAC8119B246CEE98E9B12E9197D
+
+Cipher = AES-128-CBC
+Key = 2B7E151628AED2A6ABF7158809CF4F3C
+IV = 7649ABAC8119B246CEE98E9B12E9197D
+Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
+Ciphertext = 5086CB9B507219EE95DB113A917678B2
+
+Cipher = AES-128-CBC
+Key = 2B7E151628AED2A6ABF7158809CF4F3C
+IV = 5086CB9B507219EE95DB113A917678B2
+Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
+Ciphertext = 73BED6B8E3C1743B7116E69E22229516
+
+Cipher = AES-128-CBC
+Key = 2B7E151628AED2A6ABF7158809CF4F3C
+IV = 73BED6B8E3C1743B7116E69E22229516
+Plaintext = F69F2445DF4F9B17AD2B417BE66C3710
+Ciphertext = 3FF1CAA1681FAC09120ECA307586E1A7
+
+
 # CBC-AES256.Encrypt and CBC-AES256.Decrypt
-AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:F58C4C04D6E5F1BA779EABFB5F7BFBD6
-AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:F58C4C04D6E5F1BA779EABFB5F7BFBD6:AE2D8A571E03AC9C9EB76FAC45AF8E51:9CFC4E967EDB808D679F777BC6702C7D
-AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:9CFC4E967EDB808D679F777BC6702C7D:30C81C46A35CE411E5FBC1191A0A52EF:39F23369A9D9BACFA530E26304231461
-AES-256-CBC:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:39F23369A9D9BACFA530E26304231461:F69F2445DF4F9B17AD2B417BE66C3710:B2EB05E2C39BE9FCDA6C19078C6A9D1B
+Cipher = AES-256-CBC
+Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
+IV = 000102030405060708090A0B0C0D0E0F
+Plaintext = 6BC1BEE22E409F96E93D7E117393172A
+Ciphertext = F58C4C04D6E5F1BA779EABFB5F7BFBD6
+
+Cipher = AES-256-CBC
+Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
+IV = F58C4C04D6E5F1BA779EABFB5F7BFBD6
+Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
+Ciphertext = 9CFC4E967EDB808D679F777BC6702C7D
+
+Cipher = AES-256-CBC
+Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
+IV = 9CFC4E967EDB808D679F777BC6702C7D
+Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
+Ciphertext = 39F23369A9D9BACFA530E26304231461
+
+Cipher = AES-256-CBC
+Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
+IV = 39F23369A9D9BACFA530E26304231461
+Plaintext = F69F2445DF4F9B17AD2B417BE66C3710
+Ciphertext = B2EB05E2C39BE9FCDA6C19078C6A9D1B
+

 # AES Counter test vectors from RFC3686
-AES-128-CTR:AE6852F8121067CC4BF7A5765577F39E:00000030000000000000000000000001:53696E676C6520626C6F636B206D7367:E4095D4FB7A7B3792D6175A3261311B8:1
-AES-128-CTR:7E24067817FAE0D743D6CE1F32539163:006CB6DBC0543B59DA48D90B00000001:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F:5104A106168A72D9790D41EE8EDAD388EB2E1EFC46DA57C8FCE630DF9141BE28:1
-AES-128-CTR:7691BE035E5020A8AC6E618529F9A0DC:00E0017B27777F3F4A1786F000000001:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20212223:C1CF48A89F2FFDD9CF4652E9EFDB72D74540A42BDE6D7836D59A5CEAAEF3105325B2072F:1
+Cipher = AES-128-CTR
+Key = AE6852F8121067CC4BF7A5765577F39E
+IV = 00000030000000000000000000000001
+Operation = ENCRYPT
+Plaintext = 53696E676C6520626C6F636B206D7367
+Ciphertext = E4095D4FB7A7B3792D6175A3261311B8
+
+Cipher = AES-128-CTR
+Key = 7E24067817FAE0D743D6CE1F32539163
+IV = 006CB6DBC0543B59DA48D90B00000001
+Operation = ENCRYPT
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
+Ciphertext = 5104A106168A72D9790D41EE8EDAD388EB2E1EFC46DA57C8FCE630DF9141BE28
+
+Cipher = AES-128-CTR
+Key = 7691BE035E5020A8AC6E618529F9A0DC
+IV = 00E0017B27777F3F4A1786F000000001
+Operation = ENCRYPT
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20212223
+Ciphertext = C1CF48A89F2FFDD9CF4652E9EFDB72D74540A42BDE6D7836D59A5CEAAEF3105325B2072F
+
+Cipher = AES-256-CTR
+Key = 776BEFF2851DB06F4C8A0542C8696F6C6A81AF1EEC96B4D37FC1D689E6C1C104
+IV = 00000060DB5672C97AA8F0B200000001
+Operation = ENCRYPT
+Plaintext = 53696E676C6520626C6F636B206D7367
+Ciphertext = 145AD01DBF824EC7560863DC71E3E0C0
+
+Cipher = AES-256-CTR
+Key = F6D66D6BD52D59BB0796365879EFF886C66DD51A5B6A99744B50590C87A23884
+IV = 00FAAC24C1585EF15A43D87500000001
+Operation = ENCRYPT
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
+Ciphertext = F05E231B3894612C49EE000B804EB2A9B8306B508F839D6A5530831D9344AF1C
+
+Cipher = AES-256-CTR
+Key = FF7A617CE69148E4F1726E2F43581DE2AA62D9F805532EDFF1EED687FB54153D
+IV = 001CC5B751A51D70A1C1114800000001
+Operation = ENCRYPT
+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20212223
+Ciphertext = EB6C52821D0BBBF7CE7594462ACA4FAAB407DF866569FD07F48CC0B583D6071F1EC0E6B8

-AES-256-CTR:776BEFF2851DB06F4C8A0542C8696F6C6A81AF1EEC96B4D37FC1D689E6C1C104:00000060DB5672C97AA8F0B200000001:53696E676C6520626C6F636B206D7367:145AD01DBF824EC7560863DC71E3E0C0:1
-AES-256-CTR:F6D66D6BD52D59BB0796365879EFF886C66DD51A5B6A99744B50590C87A23884:00FAAC24C1585EF15A43D87500000001:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F:F05E231B3894612C49EE000B804EB2A9B8306B508F839D6A5530831D9344AF1C:1
-AES-256-CTR:FF7A617CE69148E4F1726E2F43581DE2AA62D9F805532EDFF1EED687FB54153D:001CC5B751A51D70A1C1114800000001:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20212223:EB6C52821D0BBBF7CE7594462ACA4FAAB407DF866569FD07F48CC0B583D6071F1EC0E6B8:1

 # AES GCM test vectors from http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf
-AES-128-GCM:00000000000000000000000000000000:000000000000000000000000::::58e2fccefa7e3061367f1d57a4e7455a
-AES-128-GCM:00000000000000000000000000000000:000000000000000000000000:00000000000000000000000000000000:0388dace60b6a392f328c2b971b2fe78::ab6e47d42cec13bdf53a67b21257bddf
-AES-128-GCM:feffe9928665731c6d6a8f9467308308:cafebabefacedbaddecaf888:d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255:42831ec2217774244b7221b784d0d49ce3aa212f2c02a4e035c17e2329aca12e21d514b25466931c7d8f6a5aac84aa051ba30b396a0aac973d58e091473f5985::4d5c2af327cd64a62cf35abd2ba6fab4
-AES-128-GCM:feffe9928665731c6d6a8f9467308308:cafebabefacedbaddecaf888:d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39:42831ec2217774244b7221b784d0d49ce3aa212f2c02a4e035c17e2329aca12e21d514b25466931c7d8f6a5aac84aa051ba30b396a0aac973d58e091:feedfacedeadbeeffeedfacedeadbeefabaddad2:5bc94fbc3221a5db94fae95ae7121a47
-AES-128-GCM:feffe9928665731c6d6a8f9467308308:cafebabefacedbad:d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39:61353b4c2806934a777ff51fa22a4755699b2a714fcdc6f83766e5f97b6c742373806900e49f24b22b097544d4896b424989b5e1ebac0f07c23f4598:feedfacedeadbeeffeedfacedeadbeefabaddad2:3612d2e79e3b0785561be14aaca2fccb
-AES-128-GCM:feffe9928665731c6d6a8f9467308308:9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b:d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39:8ce24998625615b603a033aca13fb894be9112a5c3a211a8ba262a3cca7e2ca701e4a9a4fba43c90ccdcb281d48c7c6fd62875d2aca417034c34aee5:feedfacedeadbeeffeedfacedeadbeefabaddad2:619cc5aefffe0bfa462af43c1699d050
-AES-256-GCM:0000000000000000000000000000000000000000000000000000000000000000:000000000000000000000000::::530f8afbc74536b9a963b4f1c4cb738b
-AES-256-GCM:0000000000000000000000000000000000000000000000000000000000000000:000000000000000000000000:00000000000000000000000000000000:cea7403d4d606b6e074ec5d3baf39d18::d0d1c8a799996bf0265b98b5d48ab919
-AES-256-GCM:feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308:cafebabefacedbaddecaf888:d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255:522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e48590dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662898015ad::b094dac5d93471bdec1a502270e3cc6c
-AES-256-GCM:feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308:cafebabefacedbaddecaf888:d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39:522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e48590dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662:feedfacedeadbeeffeedfacedeadbeefabaddad2:76fc6ece0f4e1768cddf8853bb2d551b
-AES-256-GCM:feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308:cafebabefacedbad:d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39:c3762df1ca787d32ae47c13bf19844cbaf1ae14d0b976afac52ff7d79bba9de0feb582d33934a4f0954cc2363bc73f7862ac430e64abe499f47c9b1f:feedfacedeadbeeffeedfacedeadbeefabaddad2:3a337dbf46a792c45e454913fe2ea8f2
-AES-256-GCM:feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308:9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b:d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39:5a8def2f0c9e53f1f75d7853659e2a20eeb2b22aafde6419a058ab4f6f746bf40fc0c3b780f244452da3ebf1c5d82cdea2418997200ef82e44ae7e3f:feedfacedeadbeeffeedfacedeadbeefabaddad2:a44a8266ee1c8eb0c8b5d4cf5ae9f19a
+Cipher = AES-128-GCM
+Key = 00000000000000000000000000000000
+IV = 000000000000000000000000
+Plaintext =
+Ciphertext =
+AAD =
+Tag = 58e2fccefa7e3061367f1d57a4e7455a
+
+Cipher = AES-128-GCM
+Key = 00000000000000000000000000000000
+IV = 000000000000000000000000
+Plaintext = 00000000000000000000000000000000
+Ciphertext = 0388dace60b6a392f328c2b971b2fe78
+AAD =
+Tag = ab6e47d42cec13bdf53a67b21257bddf
+
+Cipher = AES-128-GCM
+Key = feffe9928665731c6d6a8f9467308308
+IV = cafebabefacedbaddecaf888
+Plaintext = d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255
+Ciphertext = 42831ec2217774244b7221b784d0d49ce3aa212f2c02a4e035c17e2329aca12e21d514b25466931c7d8f6a5aac84aa051ba30b396a0aac973d58e091473f5985
+AAD =
+Tag = 4d5c2af327cd64a62cf35abd2ba6fab4
+
+Cipher = AES-128-GCM
+Key = feffe9928665731c6d6a8f9467308308
+IV = cafebabefacedbaddecaf888
+Plaintext = d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39
+Ciphertext = 42831ec2217774244b7221b784d0d49ce3aa212f2c02a4e035c17e2329aca12e21d514b25466931c7d8f6a5aac84aa051ba30b396a0aac973d58e091
+AAD = feedfacedeadbeeffeedfacedeadbeefabaddad2
+Tag = 5bc94fbc3221a5db94fae95ae7121a47
+
+Cipher = AES-128-GCM
+Key = feffe9928665731c6d6a8f9467308308
+IV = cafebabefacedbad
+Plaintext = d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39
+Ciphertext = 61353b4c2806934a777ff51fa22a4755699b2a714fcdc6f83766e5f97b6c742373806900e49f24b22b097544d4896b424989b5e1ebac0f07c23f4598
+AAD = feedfacedeadbeeffeedfacedeadbeefabaddad2
+Tag = 3612d2e79e3b0785561be14aaca2fccb
+
+Cipher = AES-128-GCM
+Key = feffe9928665731c6d6a8f9467308308
+IV = 9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b
+Plaintext = d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39
+Ciphertext = 8ce24998625615b603a033aca13fb894be9112a5c3a211a8ba262a3cca7e2ca701e4a9a4fba43c90ccdcb281d48c7c6fd62875d2aca417034c34aee5
+AAD = feedfacedeadbeeffeedfacedeadbeefabaddad2
+Tag = 619cc5aefffe0bfa462af43c1699d050
+
+Cipher = AES-256-GCM
+Key = 0000000000000000000000000000000000000000000000000000000000000000
+IV = 000000000000000000000000
+Plaintext =
+Ciphertext =
+AAD =
+Tag = 530f8afbc74536b9a963b4f1c4cb738b
+
+Cipher = AES-256-GCM
+Key = 0000000000000000000000000000000000000000000000000000000000000000
+IV = 000000000000000000000000
+Plaintext = 00000000000000000000000000000000
+Ciphertext = cea7403d4d606b6e074ec5d3baf39d18
+AAD =
+Tag = d0d1c8a799996bf0265b98b5d48ab919
+
+Cipher = AES-256-GCM
+Key = feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308
+IV = cafebabefacedbaddecaf888
+Plaintext = d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255
+Ciphertext = 522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e48590dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662898015ad
+AAD =
+Tag = b094dac5d93471bdec1a502270e3cc6c
+
+Cipher = AES-256-GCM
+Key = feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308
+IV = cafebabefacedbaddecaf888
+Plaintext = d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39
+Ciphertext = 522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e48590dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662
+AAD = feedfacedeadbeeffeedfacedeadbeefabaddad2
+Tag = 76fc6ece0f4e1768cddf8853bb2d551b
+
+Cipher = AES-256-GCM
+Key = feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308
+IV = cafebabefacedbad
+Plaintext = d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39
+Ciphertext = c3762df1ca787d32ae47c13bf19844cbaf1ae14d0b976afac52ff7d79bba9de0feb582d33934a4f0954cc2363bc73f7862ac430e64abe499f47c9b1f
+AAD = feedfacedeadbeeffeedfacedeadbeefabaddad2
+Tag = 3a337dbf46a792c45e454913fe2ea8f2
+
+Cipher = AES-256-GCM
+Key = feffe9928665731c6d6a8f9467308308feffe9928665731c6d6a8f9467308308
+IV = 9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b
+Plaintext = d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39
+Ciphertext = 5a8def2f0c9e53f1f75d7853659e2a20eeb2b22aafde6419a058ab4f6f746bf40fc0c3b780f244452da3ebf1c5d82cdea2418997200ef82e44ae7e3f
+AAD = feedfacedeadbeeffeedfacedeadbeefabaddad2
+Tag = a44a8266ee1c8eb0c8b5d4cf5ae9f19a
+
 # local add-ons, primarily streaming ghash tests
 # 128 bytes aad
-AES-128-GCM:00000000000000000000000000000000:000000000000000000000000:::d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e48590dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662898015ad:5fea793a2d6f974d37e68e0cb8ff9492
-# 48 bytes plaintext
-AES-128-GCM:00000000000000000000000000000000:000000000000000000000000:000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:0388dace60b6a392f328c2b971b2fe78f795aaab494b5923f7fd89ff948bc1e0200211214e7394da2089b6acd093abe0::9dd0a376b08e40eb00c35f29f9ea61a4
-# 80 bytes plaintext
-AES-128-GCM:00000000000000000000000000000000:000000000000000000000000:0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:0388dace60b6a392f328c2b971b2fe78f795aaab494b5923f7fd89ff948bc1e0200211214e7394da2089b6acd093abe0c94da219118e297d7b7ebcbcc9c388f28ade7d85a8ee35616f7124a9d5270291::98885a3a22bd4742fe7b72172193b163
-# 128 bytes plaintext
-AES-128-GCM:00000000000000000000000000000000:000000000000000000000000:0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:0388dace60b6a392f328c2b971b2fe78f795aaab494b5923f7fd89ff948bc1e0200211214e7394da2089b6acd093abe0c94da219118e297d7b7ebcbcc9c388f28ade7d85a8ee35616f7124a9d527029195b84d1b96c690ff2f2de30bf2ec89e00253786e126504f0dab90c48a30321de3345e6b0461e7c9e6c6b7afedde83f40::cac45f60e31efd3b5a43b98a22ce1aa1
-# 192 bytes plaintext, iv is chosen so that initial counter LSB is 0xFF
-AES-128-GCM:00000000000000000000000000000000:ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:56b3373ca9ef6e4a2b64fe1e9a17b61425f10d47a75a5fce13efc6bc784af24f4141bdd48cf7c770887afd573cca5418a9aeffcd7c5ceddfc6a78397b9a85b499da558257267caab2ad0b23ca476a53cb17fb41c4b8b475cb4f3f7165094c229c9e8c4dc0a2a5ff1903e501511221376a1cdb8364c5061a20cae74bc4acd76ceb0abc9fd3217ef9f8c90be402ddf6d8697f4f880dff15bfb7a6b28241ec8fe183c2d59e3f9dfff653c7126f0acb9e64211f42bae12af462b1070bef1ab5e3606::566f8ef683078bfdeeffa869d751a017
-# 288 bytes plaintext, iv is chosen so that initial counter LSB is 0xFF
-AES-128-GCM:00000000000000000000000000000000:ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:56b3373ca9ef6e4a2b64fe1e9a17b61425f10d47a75a5fce13efc6bc784af24f4141bdd48cf7c770887afd573cca5418a9aeffcd7c5ceddfc6a78397b9a85b499da558257267caab2ad0b23ca476a53cb17fb41c4b8b475cb4f3f7165094c229c9e8c4dc0a2a5ff1903e501511221376a1cdb8364c5061a20cae74bc4acd76ceb0abc9fd3217ef9f8c90be402ddf6d8697f4f880dff15bfb7a6b28241ec8fe183c2d59e3f9dfff653c7126f0acb9e64211f42bae12af462b1070bef1ab5e3606872ca10dee15b3249b1a1b958f23134c4bccb7d03200bce420a2f8eb66dcf3644d1423c1b5699003c13ecef4bf38a3b60eedc34033bac1902783dc6d89e2e774188a439c7ebcc0672dbda4ddcfb2794613b0be41315ef778708a70ee7d75165c::8b307f6b33286d0ab026a9ed3fe1e85f
-# 80 bytes plaintext, submitted by Intel
-AES-128-GCM:843ffcf5d2b72694d19ed01d01249412:dbcca32ebf9b804617c3aa9e:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f:6268c6fa2a80b2d137467f092f657ac04d89be2beaa623d61b5a868c8f03ff95d3dcee23ad2f1ab3a6c80eaf4b140eb05de3457f0fbc111a6b43d0763aa422a3013cf1dc37fe417d1fbfc449b75d4cc5:00000000000000000000000000000000101112131415161718191a1b1c1d1e1f:3b629ccfbc1119b7319e1dce2cd6fd6d
+Cipher = AES-128-GCM
+Key = 00000000000000000000000000000000
+IV = 000000000000000000000000
+Plaintext =
+Ciphertext =
+AAD = d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255522dc1f099567d07f47f37a32a84427d643a8cdcbfe5c0c97598a2bd2555d1aa8cb08e48590dbb3da7b08b1056828838c5f61e6393ba7a0abcc9f662898015ad
+Tag = 5fea793a2d6f974d37e68e0cb8ff9492

+# 48 bytes plaintext
+Cipher = AES-128-GCM
+Key = 00000000000000000000000000000000
+IV = 000000000000000000000000
+Plaintext = 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+Ciphertext = 0388dace60b6a392f328c2b971b2fe78f795aaab494b5923f7fd89ff948bc1e0200211214e7394da2089b6acd093abe0
+AAD =
+Tag = 9dd0a376b08e40eb00c35f29f9ea61a4
+
+# 80 bytes plaintext
+Cipher = AES-128-GCM
+Key = 00000000000000000000000000000000
+IV = 000000000000000000000000
+Plaintext = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+Ciphertext = 0388dace60b6a392f328c2b971b2fe78f795aaab494b5923f7fd89ff948bc1e0200211214e7394da2089b6acd093abe0c94da219118e297d7b7ebcbcc9c388f28ade7d85a8ee35616f7124a9d5270291
+AAD =
+Tag = 98885a3a22bd4742fe7b72172193b163
+
+# 128 bytes plaintext
+Cipher = AES-128-GCM
+Key = 00000000000000000000000000000000
+IV = 000000000000000000000000
+Plaintext = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+Ciphertext = 0388dace60b6a392f328c2b971b2fe78f795aaab494b5923f7fd89ff948bc1e0200211214e7394da2089b6acd093abe0c94da219118e297d7b7ebcbcc9c388f28ade7d85a8ee35616f7124a9d527029195b84d1b96c690ff2f2de30bf2ec89e00253786e126504f0dab90c48a30321de3345e6b0461e7c9e6c6b7afedde83f40
+AAD =
+Tag = cac45f60e31efd3b5a43b98a22ce1aa1
+
+# 192 bytes plaintext, iv is chosen so that initial counter LSB is 0xFF
+Cipher = AES-128-GCM
+Key = 00000000000000000000000000000000
+IV = ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+Plaintext = 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+Ciphertext = 56b3373ca9ef6e4a2b64fe1e9a17b61425f10d47a75a5fce13efc6bc784af24f4141bdd48cf7c770887afd573cca5418a9aeffcd7c5ceddfc6a78397b9a85b499da558257267caab2ad0b23ca476a53cb17fb41c4b8b475cb4f3f7165094c229c9e8c4dc0a2a5ff1903e501511221376a1cdb8364c5061a20cae74bc4acd76ceb0abc9fd3217ef9f8c90be402ddf6d8697f4f880dff15bfb7a6b28241ec8fe183c2d59e3f9dfff653c7126f0acb9e64211f42bae12af462b1070bef1ab5e3606
+AAD =
+Tag = 566f8ef683078bfdeeffa869d751a017
+
+# 288 bytes plaintext, iv is chosen so that initial counter LSB is 0xFF
+Cipher = AES-128-GCM
+Key = 00000000000000000000000000000000
+IV = ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+Plaintext = 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+Ciphertext = 56b3373ca9ef6e4a2b64fe1e9a17b61425f10d47a75a5fce13efc6bc784af24f4141bdd48cf7c770887afd573cca5418a9aeffcd7c5ceddfc6a78397b9a85b499da558257267caab2ad0b23ca476a53cb17fb41c4b8b475cb4f3f7165094c229c9e8c4dc0a2a5ff1903e501511221376a1cdb8364c5061a20cae74bc4acd76ceb0abc9fd3217ef9f8c90be402ddf6d8697f4f880dff15bfb7a6b28241ec8fe183c2d59e3f9dfff653c7126f0acb9e64211f42bae12af462b1070bef1ab5e3606872ca10dee15b3249b1a1b958f23134c4bccb7d03200bce420a2f8eb66dcf3644d1423c1b5699003c13ecef4bf38a3b60eedc34033bac1902783dc6d89e2e774188a439c7ebcc0672dbda4ddcfb2794613b0be41315ef778708a70ee7d75165c
+AAD =
+Tag = 8b307f6b33286d0ab026a9ed3fe1e85f
+
+# 80 bytes plaintext, submitted by Intel
+Cipher = AES-128-GCM
+Key = 843ffcf5d2b72694d19ed01d01249412
+IV = dbcca32ebf9b804617c3aa9e
+Plaintext = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f
+Ciphertext = 6268c6fa2a80b2d137467f092f657ac04d89be2beaa623d61b5a868c8f03ff95d3dcee23ad2f1ab3a6c80eaf4b140eb05de3457f0fbc111a6b43d0763aa422a3013cf1dc37fe417d1fbfc449b75d4cc5
+AAD = 00000000000000000000000000000000101112131415161718191a1b1c1d1e1f
+Tag = 3b629ccfbc1119b7319e1dce2cd6fd6d
+
+Cipher = AES-128-GCM
+Key = 31323334353637383930313233343536
+IV = 31323334353637383930313233343536
+Plaintext = 48656c6c6f2c20576f726c64
+Ciphertext = cec189d0e8419b90fb16d555
+Tag = 32893832a8d609224d77c2e56a922282
+AAD =
+
+# OFB tests from OpenSSL upstream.
+
+# OFB-AES128.Encrypt
+Cipher = AES-128-OFB
+Key = 2B7E151628AED2A6ABF7158809CF4F3C
+IV = 000102030405060708090A0B0C0D0E0F
+Operation = ENCRYPT
+Plaintext = 6BC1BEE22E409F96E93D7E117393172A
+Ciphertext = 3B3FD92EB72DAD20333449F8E83CFB4A
+
+Cipher = AES-128-OFB
+Key = 2B7E151628AED2A6ABF7158809CF4F3C
+IV = 50FE67CC996D32B6DA0937E99BAFEC60
+Operation = ENCRYPT
+Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
+Ciphertext = 7789508D16918F03F53C52DAC54ED825
+
+Cipher = AES-128-OFB
+Key = 2B7E151628AED2A6ABF7158809CF4F3C
+IV = D9A4DADA0892239F6B8B3D7680E15674
+Operation = ENCRYPT
+Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
+Ciphertext = 9740051E9C5FECF64344F7A82260EDCC
+
+Cipher = AES-128-OFB
+Key = 2B7E151628AED2A6ABF7158809CF4F3C
+IV = A78819583F0308E7A6BF36B1386ABF23
+Operation = ENCRYPT
+Plaintext = F69F2445DF4F9B17AD2B417BE66C3710
+Ciphertext = 304C6528F659C77866A510D9C1D6AE5E
+
+# OFB-AES128.Decrypt
+Cipher = AES-128-OFB
+Key = 2B7E151628AED2A6ABF7158809CF4F3C
+IV = 000102030405060708090A0B0C0D0E0F
+Operation = DECRYPT
+Plaintext = 6BC1BEE22E409F96E93D7E117393172A
+Ciphertext = 3B3FD92EB72DAD20333449F8E83CFB4A
+
+Cipher = AES-128-OFB
+Key = 2B7E151628AED2A6ABF7158809CF4F3C
+IV = 50FE67CC996D32B6DA0937E99BAFEC60
+Operation = DECRYPT
+Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
+Ciphertext = 7789508D16918F03F53C52DAC54ED825
+
+Cipher = AES-128-OFB
+Key = 2B7E151628AED2A6ABF7158809CF4F3C
+IV = D9A4DADA0892239F6B8B3D7680E15674
+Operation = DECRYPT
+Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
+Ciphertext = 9740051E9C5FECF64344F7A82260EDCC
+
+Cipher = AES-128-OFB
+Key = 2B7E151628AED2A6ABF7158809CF4F3C
+IV = A78819583F0308E7A6BF36B1386ABF23
+Operation = DECRYPT
+Plaintext = F69F2445DF4F9B17AD2B417BE66C3710
+Ciphertext = 304C6528F659C77866A510D9C1D6AE5E
+
+# OFB-AES256.Encrypt
+Cipher = AES-256-OFB
+Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
+IV = 000102030405060708090A0B0C0D0E0F
+Operation = ENCRYPT
+Plaintext = 6BC1BEE22E409F96E93D7E117393172A
+Ciphertext = DC7E84BFDA79164B7ECD8486985D3860
+
+Cipher = AES-256-OFB
+Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
+IV = B7BF3A5DF43989DD97F0FA97EBCE2F4A
+Operation = ENCRYPT
+Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
+Ciphertext = 4FEBDC6740D20B3AC88F6AD82A4FB08D
+
+Cipher = AES-256-OFB
+Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
+IV = E1C656305ED1A7A6563805746FE03EDC
+Operation = ENCRYPT
+Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
+Ciphertext = 71AB47A086E86EEDF39D1C5BBA97C408
+
+Cipher = AES-256-OFB
+Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
+IV = 41635BE625B48AFC1666DD42A09D96E7
+Operation = ENCRYPT
+Plaintext = F69F2445DF4F9B17AD2B417BE66C3710
+Ciphertext = 0126141D67F37BE8538F5A8BE740E484
+
+
+# OFB-AES256.Decrypt
+Cipher = AES-256-OFB
+Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
+IV = 000102030405060708090A0B0C0D0E0F
+Operation = DECRYPT
+Plaintext = 6BC1BEE22E409F96E93D7E117393172A
+Ciphertext = DC7E84BFDA79164B7ECD8486985D3860
+
+Cipher = AES-256-OFB
+Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
+IV = B7BF3A5DF43989DD97F0FA97EBCE2F4A
+Operation = DECRYPT
+Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
+Ciphertext = 4FEBDC6740D20B3AC88F6AD82A4FB08D
+
+Cipher = AES-256-OFB
+Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
+IV = E1C656305ED1A7A6563805746FE03EDC
+Operation = DECRYPT
+Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
+Ciphertext = 71AB47A086E86EEDF39D1C5BBA97C408
+
+Cipher = AES-256-OFB
+Key = 603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4
+IV = 41635BE625B48AFC1666DD42A09D96E7
+Operation = DECRYPT
+Plaintext = F69F2445DF4F9B17AD2B417BE66C3710
+Ciphertext = 0126141D67F37BE8538F5A8BE740E484
+
+
+# AES-192 CBC-mode test from upstream OpenSSL.
+Cipher = AES-192-CBC
+Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
+IV = 000102030405060708090A0B0C0D0E0F
+Plaintext = 6BC1BEE22E409F96E93D7E117393172A
+Ciphertext = 4F021DB243BC633D7178183A9FA071E8
+
+Cipher = AES-192-CBC
+Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
+IV = 4F021DB243BC633D7178183A9FA071E8
+Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
+Ciphertext = B4D9ADA9AD7DEDF4E5E738763F69145A
+
+Cipher = AES-192-CBC
+Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
+IV = B4D9ADA9AD7DEDF4E5E738763F69145A
+Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
+Ciphertext = 571B242012FB7AE07FA9BAAC3DF102E0
+
+Cipher = AES-192-CBC
+Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
+IV = 571B242012FB7AE07FA9BAAC3DF102E0
+Plaintext = F69F2445DF4F9B17AD2B417BE66C3710
+Ciphertext = 08B0E27988598881D920A9E64F5615CD
+
+
+# AES-192-ECB tests from FIPS-197
+Cipher = AES-192-ECB
+Key = 000102030405060708090A0B0C0D0E0F1011121314151617
+Operation = ENCRYPT
+Plaintext = 00112233445566778899AABBCCDDEEFF
+Ciphertext = DDA97CA4864CDFE06EAF70A0EC0D7191
+
+
+# AES-192-ECB tests from NIST document SP800-38A
+Cipher = AES-192-ECB
+Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
+Plaintext = 6BC1BEE22E409F96E93D7E117393172A
+Ciphertext = BD334F1D6E45F25FF712A214571FA5CC
+
+Cipher = AES-192-ECB
+Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
+Plaintext = AE2D8A571E03AC9C9EB76FAC45AF8E51
+Ciphertext = 974104846D0AD3AD7734ECB3ECEE4EEF
+
+Cipher = AES-192-ECB
+Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
+Plaintext = 30C81C46A35CE411E5FBC1191A0A52EF
+Ciphertext = EF7AFD2270E2E60ADCE0BA2FACE6444E
+
+Cipher = AES-192-ECB
+Key = 8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B
+Plaintext = F69F2445DF4F9B17AD2B417BE66C3710
+Ciphertext = 9A4B41BA738D6C72FB16691603C18E0E
@@ -0,0 +1,19 @@
+include_directories(. .. ../../include)
+
+add_library(
+  cmac
+
+  OBJECT
+
+  cmac.c
+)
+
+add_executable(
+  cmac_test
+
+  cmac_test.cc
+
+  $<TARGET_OBJECTS:test_support>
+)
+
+target_link_libraries(cmac_test crypto)
@@ -0,0 +1,239 @@
+/* ====================================================================
+ * Copyright (c) 2010 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ==================================================================== */
+
+#include <openssl/cmac.h>
+
+#include <assert.h>
+#include <string.h>
+
+#include <openssl/aes.h>
+#include <openssl/cipher.h>
+#include <openssl/mem.h>
+
+
+struct cmac_ctx_st {
+  EVP_CIPHER_CTX cipher_ctx;
+  /* k1 and k2 are the CMAC subkeys. See
+   * https://tools.ietf.org/html/rfc4493#section-2.3 */
+  uint8_t k1[AES_BLOCK_SIZE];
+  uint8_t k2[AES_BLOCK_SIZE];
+  /* Last (possibly partial) scratch */
+  uint8_t block[AES_BLOCK_SIZE];
+  /* block_used contains the number of valid bytes in |block|. */
+  unsigned block_used;
+};
+
+static void CMAC_CTX_init(CMAC_CTX *ctx) {
+  EVP_CIPHER_CTX_init(&ctx->cipher_ctx);
+}
+
+static void CMAC_CTX_cleanup(CMAC_CTX *ctx) {
+  EVP_CIPHER_CTX_cleanup(&ctx->cipher_ctx);
+  OPENSSL_cleanse(ctx->k1, sizeof(ctx->k1));
+  OPENSSL_cleanse(ctx->k2, sizeof(ctx->k2));
+  OPENSSL_cleanse(ctx->block, sizeof(ctx->block));
+}
+
+int AES_CMAC(uint8_t out[16], const uint8_t *key, size_t key_len,
+             const uint8_t *in, size_t in_len) {
+  const EVP_CIPHER *cipher;
+  switch (key_len) {
+    case 16:
+      cipher = EVP_aes_128_cbc();
+      break;
+    case 32:
+      cipher = EVP_aes_256_cbc();
+      break;
+    default:
+      return 0;
+  }
+
+  size_t scratch_out_len;
+  CMAC_CTX ctx;
+  CMAC_CTX_init(&ctx);
+
+  const int ok = CMAC_Init(&ctx, key, key_len, cipher, NULL /* engine */) &&
+                 CMAC_Update(&ctx, in, in_len) &&
+                 CMAC_Final(&ctx, out, &scratch_out_len);
+
+  CMAC_CTX_cleanup(&ctx);
+  return ok;
+}
+
+CMAC_CTX *CMAC_CTX_new(void) {
+  CMAC_CTX *ctx = OPENSSL_malloc(sizeof(*ctx));
+  if (ctx != NULL) {
+    CMAC_CTX_init(ctx);
+  }
+  return ctx;
+}
+
+void CMAC_CTX_free(CMAC_CTX *ctx) {
+  if (ctx == NULL) {
+    return;
+  }
+
+  CMAC_CTX_cleanup(ctx);
+  OPENSSL_free(ctx);
+}
+
+/* binary_field_mul_x treats the 128 bits at |in| as an element of GF(2¹²⁸)
+ * with a hard-coded reduction polynomial and sets |out| as x times the
+ * input.
+ *
+ * See https://tools.ietf.org/html/rfc4493#section-2.3 */
+static void binary_field_mul_x(uint8_t out[16], const uint8_t in[16]) {
+  unsigned i;
+
+  /* Shift |in| to left, including carry. */
+  for (i = 0; i < 15; i++) {
+    out[i] = (in[i] << 1) | (in[i+1] >> 7);
+  }
+
+  /* If MSB set fixup with R. */
+  const uint8_t carry = in[0] >> 7;
+  out[i] = (in[i] << 1) ^ ((0 - carry) & 0x87);
+}
+
+static const uint8_t kZeroIV[AES_BLOCK_SIZE] = {0};
+
+int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t key_len,
+              const EVP_CIPHER *cipher, ENGINE *engine) {
+  uint8_t scratch[AES_BLOCK_SIZE];
+
+  if (EVP_CIPHER_block_size(cipher) != AES_BLOCK_SIZE ||
+      EVP_CIPHER_key_length(cipher) != key_len ||
+      !EVP_EncryptInit_ex(&ctx->cipher_ctx, cipher, NULL, key, kZeroIV) ||
+      !EVP_Cipher(&ctx->cipher_ctx, scratch, kZeroIV, AES_BLOCK_SIZE) ||
+      /* Reset context again ready for first data. */
+      !EVP_EncryptInit_ex(&ctx->cipher_ctx, NULL, NULL, NULL, kZeroIV)) {
+    return 0;
+  }
+
+  binary_field_mul_x(ctx->k1, scratch);
+  binary_field_mul_x(ctx->k2, ctx->k1);
+  ctx->block_used = 0;
+
+  return 1;
+}
+
+int CMAC_Reset(CMAC_CTX *ctx) {
+  ctx->block_used = 0;
+  return EVP_EncryptInit_ex(&ctx->cipher_ctx, NULL, NULL, NULL, kZeroIV);
+}
+
+int CMAC_Update(CMAC_CTX *ctx, const uint8_t *in, size_t in_len) {
+  uint8_t scratch[AES_BLOCK_SIZE];
+
+  if (ctx->block_used > 0) {
+    size_t todo = AES_BLOCK_SIZE - ctx->block_used;
+    if (in_len < todo) {
+      todo = in_len;
+    }
+
+    memcpy(ctx->block + ctx->block_used, in, todo);
+    in += todo;
+    in_len -= todo;
+    ctx->block_used += todo;
+
+    /* If |in_len| is zero then either |ctx->block_used| is less than
+     * |AES_BLOCK_SIZE|, in which case we can stop here, or |ctx->block_used|
+     * is exactly |AES_BLOCK_SIZE| but there's no more data to process. In the
+     * latter case we don't want to process this block now because it might be
+     * the last block and that block is treated specially. */
+    if (in_len == 0) {
+      return 1;
+    }
+
+    assert(ctx->block_used == AES_BLOCK_SIZE);
+
+    if (!EVP_Cipher(&ctx->cipher_ctx, scratch, ctx->block, AES_BLOCK_SIZE)) {
+      return 0;
+    }
+  }
+
+  /* Encrypt all but one of the remaining blocks. */
+  while (in_len > AES_BLOCK_SIZE) {
+    if (!EVP_Cipher(&ctx->cipher_ctx, scratch, in, AES_BLOCK_SIZE)) {
+      return 0;
+    }
+    in += AES_BLOCK_SIZE;
+    in_len -= AES_BLOCK_SIZE;
+  }
+
+  memcpy(ctx->block, in, in_len);
+  ctx->block_used = in_len;
+
+  return 1;
+}
+
+int CMAC_Final(CMAC_CTX *ctx, uint8_t *out, size_t *out_len) {
+  *out_len = AES_BLOCK_SIZE;
+  if (out == NULL) {
+    return 1;
+  }
+
+  const uint8_t *mask = ctx->k1;
+
+  if (ctx->block_used != AES_BLOCK_SIZE) {
+    /* If the last block is incomplete, terminate it with a single 'one' bit
+     * followed by zeros. */
+    ctx->block[ctx->block_used] = 0x80;
+    memset(ctx->block + ctx->block_used + 1, 0,
+           AES_BLOCK_SIZE - (ctx->block_used + 1));
+
+    mask = ctx->k2;
+  }
+
+  unsigned i;
+  for (i = 0; i < AES_BLOCK_SIZE; i++) {
+    out[i] = ctx->block[i] ^ mask[i];
+  }
+
+  return EVP_Cipher(&ctx->cipher_ctx, out, out, AES_BLOCK_SIZE);
+}
@@ -0,0 +1,151 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <stdio.h>
+
+#include <algorithm>
+
+#include <openssl/cmac.h>
+
+#include "../test/scoped_types.h"
+#include "../test/test_util.h"
+
+
+static void dump(const uint8_t *got, const uint8_t *want, size_t len) {
+  hexdump(stderr, "got :", got, len);
+  hexdump(stderr, "want:", want, len);
+  fflush(stderr);
+}
+
+static int test(const char *name, const uint8_t *key, size_t key_len,
+                const uint8_t *msg, size_t msg_len, const uint8_t *expected) {
+  uint8_t out[16];
+
+  if (!AES_CMAC(out, key, key_len, msg, msg_len)) {
+    fprintf(stderr, "%s: AES_CMAC failed\n", name);
+    return 0;
+  }
+
+  if (CRYPTO_memcmp(out, expected, sizeof(out)) != 0) {
+    fprintf(stderr, "%s: CMAC result differs:\n", name);
+    dump(out, expected, sizeof(out));
+    return 0;
+  }
+
+  ScopedCMAC_CTX ctx(CMAC_CTX_new());
+  if (!CMAC_Init(ctx.get(), key, key_len, EVP_aes_128_cbc(), NULL)) {
+    fprintf(stderr, "%s: CMAC_Init failed.\n", name);
+    return 0;
+  }
+
+  for (unsigned chunk_size = 1; chunk_size <= msg_len; chunk_size++) {
+    if (!CMAC_Reset(ctx.get())) {
+      fprintf(stderr, "%s/%u: CMAC_Reset failed.\n", name, chunk_size);
+      return 0;
+    }
+
+    size_t done = 0;
+    while (done < msg_len) {
+      size_t todo = std::min(msg_len - done, static_cast<size_t>(chunk_size));
+      if (!CMAC_Update(ctx.get(), msg + done, todo)) {
+        fprintf(stderr, "%s/%u: CMAC_Update failed.\n", name, chunk_size);
+        return 0;
+      }
+
+      done += todo;
+    }
+
+    size_t out_len;
+    if (!CMAC_Final(ctx.get(), out, &out_len)) {
+      fprintf(stderr, "%s/%u: CMAC_Final failed.\n", name, chunk_size);
+      return 0;
+    }
+
+    if (out_len != sizeof(out)) {
+      fprintf(stderr, "%s/%u: incorrect out_len: %u.\n", name, chunk_size,
+              static_cast<unsigned>(out_len));
+      return 0;
+    }
+
+    if (CRYPTO_memcmp(out, expected, sizeof(out)) != 0) {
+      fprintf(stderr, "%s/%u: CMAC result differs:\n", name, chunk_size);
+      dump(out, expected, sizeof(out));
+      return 0;
+    }
+  }
+
+  return 1;
+}
+
+static int rfc_4493_test_vectors(void) {
+  static const uint8_t kKey[16] = {
+      0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
+      0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c,
+  };
+  static const uint8_t kOut1[16] = {
+      0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28,
+      0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46,
+  };
+  static const uint8_t kMsg2[] = {
+      0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
+      0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
+  };
+  static const uint8_t kOut2[16] = {
+      0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44,
+      0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c,
+  };
+  static const uint8_t kMsg3[] = {
+      0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
+      0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
+      0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
+      0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
+      0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
+  };
+  static const uint8_t kOut3[16] = {
+      0xdf, 0xa6, 0x67, 0x47, 0xde, 0x9a, 0xe6, 0x30,
+      0x30, 0xca, 0x32, 0x61, 0x14, 0x97, 0xc8, 0x27,
+  };
+  static const uint8_t kMsg4[] = {
+      0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
+      0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
+      0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
+      0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
+      0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
+      0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
+      0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
+      0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10,
+  };
+  static const uint8_t kOut4[16] = {
+      0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
+      0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe,
+  };
+
+  if (!test("RFC 4493 #1", kKey, sizeof(kKey), NULL, 0, kOut1) ||
+      !test("RFC 4493 #2", kKey, sizeof(kKey), kMsg2, sizeof(kMsg2), kOut2) ||
+      !test("RFC 4493 #3", kKey, sizeof(kKey), kMsg3, sizeof(kMsg3), kOut3) ||
+      !test("RFC 4493 #4", kKey, sizeof(kKey), kMsg4, sizeof(kMsg4), kOut4)) {
+    return 0;
+  }
+
+  return 1;
+}
+
+int main(int argc, char **argv) {
+  if (!rfc_4493_test_vectors()) {
+    return 1;
+  }
+
+  printf("PASS\n");
+  return 0;
+}
@@ -90,9 +90,13 @@ static int conf_value_cmp(const CONF_VALUE *a, const CONF_VALUE *b) {
  }
 }

-CONF *NCONF_new(void) {
+CONF *NCONF_new(void *method) {
  CONF *conf;

+  if (method != NULL) {
+    return NULL;
+  }
+
  conf = OPENSSL_malloc(sizeof(CONF));
  if (conf == NULL) {
    return NULL;
@@ -281,7 +285,7 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from) {
      rp = e;
      if (q) {
        if (r != q) {
-          OPENSSL_PUT_ERROR(CONF, str_copy, CONF_R_NO_CLOSE_BRACE);
+          OPENSSL_PUT_ERROR(CONF, CONF_R_NO_CLOSE_BRACE);
          goto err;
        }
        e++;
@@ -300,7 +304,7 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from) {
      }
      *rp = r;
      if (p == NULL) {
-        OPENSSL_PUT_ERROR(CONF, str_copy, CONF_R_VARIABLE_HAS_NO_VALUE);
+        OPENSSL_PUT_ERROR(CONF, CONF_R_VARIABLE_HAS_NO_VALUE);
        goto err;
      }
      BUF_MEM_grow_clean(buf, (strlen(p) + buf->length - (e - from)));
@@ -501,20 +505,20 @@ static int def_load_bio(CONF *conf, BIO *in, long *out_error_line) {
  char *start, *psection, *pname;

  if ((buff = BUF_MEM_new()) == NULL) {
-    OPENSSL_PUT_ERROR(CONF, def_load_bio, ERR_R_BUF_LIB);
+    OPENSSL_PUT_ERROR(CONF, ERR_R_BUF_LIB);
    goto err;
  }

  section = (char *)OPENSSL_malloc(10);
  if (section == NULL) {
-    OPENSSL_PUT_ERROR(CONF, def_load_bio, ERR_R_MALLOC_FAILURE);
+    OPENSSL_PUT_ERROR(CONF, ERR_R_MALLOC_FAILURE);
    goto err;
  }
  BUF_strlcpy(section, "default", 10);

  sv = NCONF_new_section(conf, section);
  if (sv == NULL) {
-    OPENSSL_PUT_ERROR(CONF, def_load_bio, CONF_R_UNABLE_TO_CREATE_NEW_SECTION);
+    OPENSSL_PUT_ERROR(CONF, CONF_R_UNABLE_TO_CREATE_NEW_SECTION);
    goto err;
  }

@@ -522,7 +526,7 @@ static int def_load_bio(CONF *conf, BIO *in, long *out_error_line) {
  again = 0;
  for (;;) {
    if (!BUF_MEM_grow(buff, bufnum + CONFBUFSIZE)) {
-      OPENSSL_PUT_ERROR(CONF, def_load_bio, ERR_R_BUF_LIB);
+      OPENSSL_PUT_ERROR(CONF, ERR_R_BUF_LIB);
      goto err;
    }
    p = &(buff->data[bufnum]);
@@ -591,7 +595,7 @@ static int def_load_bio(CONF *conf, BIO *in, long *out_error_line) {
          ss = p;
          goto again;
        }
-        OPENSSL_PUT_ERROR(CONF, def_load_bio, CONF_R_MISSING_CLOSE_SQUARE_BRACKET);
+        OPENSSL_PUT_ERROR(CONF, CONF_R_MISSING_CLOSE_SQUARE_BRACKET);
        goto err;
      }
      *end = '\0';
@@ -602,7 +606,7 @@ static int def_load_bio(CONF *conf, BIO *in, long *out_error_line) {
        sv = NCONF_new_section(conf, section);
      }
      if (sv == NULL) {
-        OPENSSL_PUT_ERROR(CONF, def_load_bio, CONF_R_UNABLE_TO_CREATE_NEW_SECTION);
+        OPENSSL_PUT_ERROR(CONF, CONF_R_UNABLE_TO_CREATE_NEW_SECTION);
        goto err;
      }
      continue;
@@ -619,7 +623,7 @@ static int def_load_bio(CONF *conf, BIO *in, long *out_error_line) {
      }
      p = eat_ws(conf, end);
      if (*p != '=') {
-        OPENSSL_PUT_ERROR(CONF, def_load_bio, CONF_R_MISSING_EQUAL_SIGN);
+        OPENSSL_PUT_ERROR(CONF, CONF_R_MISSING_EQUAL_SIGN);
        goto err;
      }
      *end = '\0';
@@ -636,7 +640,7 @@ static int def_load_bio(CONF *conf, BIO *in, long *out_error_line) {
      *p = '\0';

      if (!(v = (CONF_VALUE *)OPENSSL_malloc(sizeof(CONF_VALUE)))) {
-        OPENSSL_PUT_ERROR(CONF, def_load_bio, ERR_R_MALLOC_FAILURE);
+        OPENSSL_PUT_ERROR(CONF, ERR_R_MALLOC_FAILURE);
        goto err;
      }
      if (psection == NULL) {
@@ -645,7 +649,7 @@ static int def_load_bio(CONF *conf, BIO *in, long *out_error_line) {
      v->name = (char *)OPENSSL_malloc(strlen(pname) + 1);
      v->value = NULL;
      if (v->name == NULL) {
-        OPENSSL_PUT_ERROR(CONF, def_load_bio, ERR_R_MALLOC_FAILURE);
+        OPENSSL_PUT_ERROR(CONF, ERR_R_MALLOC_FAILURE);
        goto err;
      }
      BUF_strlcpy(v->name, pname, strlen(pname) + 1);
@@ -658,14 +662,14 @@ static int def_load_bio(CONF *conf, BIO *in, long *out_error_line) {
          tv = NCONF_new_section(conf, psection);
        }
        if (tv == NULL) {
-          OPENSSL_PUT_ERROR(CONF, def_load_bio, CONF_R_UNABLE_TO_CREATE_NEW_SECTION);
+          OPENSSL_PUT_ERROR(CONF, CONF_R_UNABLE_TO_CREATE_NEW_SECTION);
          goto err;
        }
      } else {
        tv = sv;
      }
      if (add_string(conf, tv, v) == 0) {
-        OPENSSL_PUT_ERROR(CONF, def_load_bio, ERR_R_MALLOC_FAILURE);
+        OPENSSL_PUT_ERROR(CONF, ERR_R_MALLOC_FAILURE);
        goto err;
      }
      v = NULL;
@@ -711,7 +715,7 @@ int NCONF_load(CONF *conf, const char *filename, long *out_error_line) {
  int ret;

  if (in == NULL) {
-    OPENSSL_PUT_ERROR(CONF, NCONF_load, ERR_R_SYS_LIB);
+    OPENSSL_PUT_ERROR(CONF, ERR_R_SYS_LIB);
    return 0;
  }

@@ -721,6 +725,10 @@ int NCONF_load(CONF *conf, const char *filename, long *out_error_line) {
  return ret;
 }

+int NCONF_load_bio(CONF *conf, BIO *bio, long *out_error_line) {
+  return def_load_bio(conf, bio, out_error_line);
+}
+
 int CONF_parse_list(const char *list, char sep, int remove_whitespace,
                    int (*list_cb)(const char *elem, int len, void *usr),
                    void *arg) {
@@ -728,7 +736,7 @@ int CONF_parse_list(const char *list, char sep, int remove_whitespace,
  const char *lstart, *tmpend, *p;

  if (list == NULL) {
-    OPENSSL_PUT_ERROR(CONF, CONF_parse_list, CONF_R_LIST_CANNOT_BE_NULL);
+    OPENSSL_PUT_ERROR(CONF, CONF_R_LIST_CANNOT_BE_NULL);
    return 0;
  }

--- a/Show More
+++ b/Show More