Remove deprecated cipher property APIs.

Consumers have been switched to the new ones. Change-Id: I7a8ec6308775a105a490882c97955daed12a2c2c Reviewed-on: https://boringssl-review.googlesource.com/19605 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Cut down on some redundant flags.
2017-08-28 17:47:25 +00:00 · 2017-08-24 16:18:32 +00:00 · 2017-08-24 16:14:22 +00:00 · 2017-08-24 16:10:54 +00:00 · 2017-08-24 00:35:05 +00:00 · 2017-08-23 17:13:42 +00:00
4368 changed files with 547732 additions and 154081 deletions
@@ -4,3 +4,21 @@ ssl/test/runner/runner
 *.swo
 doc/*.html
 doc/doc.css
+
+util/bot/android_tools
+util/bot/cmake-linux64
+util/bot/cmake-linux64.tar.gz
+util/bot/cmake-mac
+util/bot/cmake-mac.tar.gz
+util/bot/cmake-win32
+util/bot/cmake-win32.zip
+util/bot/golang
+util/bot/gyp
+util/bot/libFuzzer
+util/bot/llvm-build
+util/bot/perl-win32
+util/bot/perl-win32.zip
+util/bot/sde-linux64
+util/bot/sde-linux64.tar.bz2
+util/bot/win_toolchain.json
+util/bot/yasm-win32.exe
@@ -14,10 +14,10 @@ All supported public APIs are documented in the public header files, found in
 Some headers lack documention comments. These are functions and structures from
 OpenSSL's legacy ASN.1, X.509, and PEM implementation. If possible, avoid using
 them. These are left largely unmodified from upstream and are retained only for
-compatibilty with existing OpenSSL consumers.
+compatibility with existing OpenSSL consumers.


-# Forward declarations
+## Forward declarations

 Do not write `typedef struct foo_st FOO` or try otherwise to define BoringSSL's
 types. Including `openssl/base.h` (or `openssl/ossl_typ.h` for consumers who
@@ -2,7 +2,7 @@

 ## Build Prerequisites

-  * [CMake](https://cmake.org/download/) 2.8.8 or later is required.
+  * [CMake](https://cmake.org/download/) 2.8.11 or later is required.

  * Perl 5.6.1 or later is required. On Windows,
    [Active State Perl](http://www.activestate.com/activeperl/) has been
@@ -33,7 +33,7 @@
    executable may be configured explicitly by setting `GO_EXECUTABLE`.

  * To build the x86 and x86\_64 assembly, your assembler must support AVX2
-    instructions. If using GNU binutils, you must have 2.22 or later.
+    instructions and MOVBE. If using GNU binutils, you must have 2.22 or later

 ## Building

@@ -96,6 +96,15 @@ higher to build aarch64 binaries.

 For other options, see [android-cmake's documentation](./third_party/android-cmake/README.md).

+### Building for iOS
+
+To build for iOS, pass `-DCMAKE_OSX_SYSROOT=iphoneos` and
+`-DCMAKE_OSX_ARCHITECTURES=ARCH` to CMake, where `ARCH` is the desired
+architecture, matching values used in the `-arch` flag in Apple's toolchain.
+
+Passing multiple architectures for a multiple-architecture build is not
+supported.
+
 ## Known Limitations on Windows

  * Versions of CMake since 3.0.2 have a bug in its Ninja generator that causes
@@ -116,16 +125,18 @@ ARM, unlike Intel, does not have an instruction that allows applications to
 discover the capabilities of the processor. Instead, the capability information
 has to be provided by the operating system somehow.

-BoringSSL will try to use `getauxval` to discover the capabilities and, failing
-that, will probe for NEON support by executing a NEON instruction and handling
-any illegal-instruction signal. But some environments don't support that sort
-of thing and, for them, it's possible to configure the CPU capabilities
-at compile time.
+By default, on Linux-based systems, BoringSSL will try to use `getauxval` and
+`/proc` to discover the capabilities. But some environments don't support that
+sort of thing and, for them, it's possible to configure the CPU capabilities at
+compile time.

-If you define `OPENSSL_STATIC_ARMCAP` then you can define any of the following
-to enabling the corresponding ARM feature.
+On iOS or builds which define `OPENSSL_STATIC_ARMCAP`, features will be
+determined based on the `__ARM_NEON__` and `__ARM_FEATURE_CRYPTO` preprocessor
+symbols reported by the compiler. These values are usually controlled by the
+`-march` flag. You can also define any of the following to enable the
+corresponding ARM feature.

-  * `OPENSSL_STATIC_ARMCAP_NEON` or `__ARM_NEON__` (note that the latter is set by compilers when NEON support is enabled).
+  * `OPENSSL_STATIC_ARMCAP_NEON`
  * `OPENSSL_STATIC_ARMCAP_AES`
  * `OPENSSL_STATIC_ARMCAP_SHA1`
  * `OPENSSL_STATIC_ARMCAP_SHA256`
@@ -1,4 +1,4 @@
-cmake_minimum_required (VERSION 2.8.10)
+cmake_minimum_required (VERSION 2.8.11)

 # Defer enabling C and CXX languages.
 project (BoringSSL NONE)
@@ -9,6 +9,8 @@ if(WIN32)
  set(CMAKE_GENERATOR_CC cl)
 endif()

+include(sources.cmake)
+
 enable_language(C)
 enable_language(CXX)

@@ -30,23 +32,48 @@ if (NOT GO_EXECUTABLE)
  message(FATAL_ERROR "Could not find Go")
 endif()

+if (BORINGSSL_ALLOW_CXX_RUNTIME)
+  add_definitions(-DBORINGSSL_ALLOW_CXX_RUNTIME)
+endif()
+
 if(CMAKE_COMPILER_IS_GNUCXX OR CMAKE_CXX_COMPILER_ID MATCHES "Clang")
  set(C_CXX_FLAGS "-Wall -Werror -Wformat=2 -Wsign-compare -Wmissing-field-initializers -Wwrite-strings -ggdb -fvisibility=hidden -fno-common")
  if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
-    set(C_CXX_FLAGS "${C_CXX_FLAGS} -Wnewline-eof")
+    set(C_CXX_FLAGS "${C_CXX_FLAGS} -Wnewline-eof -fcolor-diagnostics")
+  else()
+    # GCC (at least 4.8.4) has a bug where it'll find unreachable free() calls
+    # and declare that the code is trying to free a stack pointer.
+    set(C_CXX_FLAGS "${C_CXX_FLAGS} -Wno-free-nonheap-object")
  endif()
  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${C_CXX_FLAGS} -Wmissing-prototypes -Wold-style-definition -Wstrict-prototypes")
  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++11 ${C_CXX_FLAGS} -Wmissing-declarations")
-  # Clang's integerated assembler does not support debug symbols.
-  if(NOT CMAKE_CXX_COMPILER_ID MATCHES "Clang")
-    set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -Wa,-g")
+
+  if(NOT BORINGSSL_ALLOW_CXX_RUNTIME)
+    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fno-exceptions -fno-rtti")
+  endif()
+
+  # In GCC, -Wmissing-declarations is the C++ spelling of -Wmissing-prototypes
+  # and using the wrong one is an error. In Clang, -Wmissing-prototypes is the
+  # spelling for both and -Wmissing-declarations is some other warning.
+  #
+  # https://gcc.gnu.org/onlinedocs/gcc-7.1.0/gcc/Warning-Options.html#Warning-Options
+  # https://clang.llvm.org/docs/DiagnosticsReference.html#wmissing-prototypes
+  # https://clang.llvm.org/docs/DiagnosticsReference.html#wmissing-declarations
+  if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wmissing-prototypes -Wimplicit-fallthrough")
  endif()
 elseif(MSVC)
  set(MSVC_DISABLED_WARNINGS_LIST
+      "C4061" # enumerator 'identifier' in switch of enum 'enumeration' is not
+              # explicitly handled by a case label
+              # Disable this because it flags even when there is a default.
      "C4100" # 'exarg' : unreferenced formal parameter
      "C4127" # conditional expression is constant
      "C4200" # nonstandard extension used : zero-sized array in
              # struct/union.
+      "C4204" # nonstandard extension used: non-constant aggregate initializer
+      "C4221" # nonstandard extension used : 'identifier' : cannot be
+              # initialized using address of automatic variable
      "C4242" # 'function' : conversion from 'int' to 'uint8_t',
              # possible loss of data
      "C4244" # 'function' : conversion from 'int' to 'uint8_t',
@@ -75,12 +102,16 @@ elseif(MSVC)
              # copy constructor is inaccessible or deleted
      "C4626" # assignment operator could not be generated because a base class
              # assignment operator is inaccessible or deleted
+      "C4668" # 'symbol' is not defined as a preprocessor macro, replacing with
+              # '0' for 'directives'
+              # Disable this because GTest uses it everywhere.
      "C4706" # assignment within conditional expression
      "C4710" # 'function': function not inlined
      "C4711" # function 'function' selected for inline expansion
      "C4800" # 'int' : forcing value to bool 'true' or 'false'
              # (performance warning)
      "C4820" # 'bytes' bytes padding added after construct 'member_name'
+      "C5026" # move constructor was implicitly defined as deleted
      "C5027" # move assignment operator was implicitly defined as deleted
      )
  set(MSVC_LEVEL4_WARNINGS_LIST
@@ -94,10 +125,16 @@ elseif(MSVC)
  set(CMAKE_C_FLAGS   "-Wall -WX ${MSVC_DISABLED_WARNINGS_STR} ${MSVC_LEVEL4_WARNINGS_STR}")
  set(CMAKE_CXX_FLAGS "-Wall -WX ${MSVC_DISABLED_WARNINGS_STR} ${MSVC_LEVEL4_WARNINGS_STR}")
  set(CMAKE_ASM_NASM_FLAGS "-g cv8")
+endif()
+
+if(WIN32)
  add_definitions(-D_HAS_EXCEPTIONS=0)
  add_definitions(-DWIN32_LEAN_AND_MEAN)
  add_definitions(-DNOMINMAX)
-  add_definitions(-D_CRT_SECURE_NO_WARNINGS) # Allow use of fopen
+  # Allow use of fopen.
+  add_definitions(-D_CRT_SECURE_NO_WARNINGS)
+  # VS 2017 and higher supports STL-only warning suppressions.
+  add_definitions("-D_STL_EXTRA_DISABLED_WARNINGS=4774 4987")
 endif()

 if((CMAKE_COMPILER_IS_GNUCXX AND CMAKE_C_COMPILER_VERSION VERSION_GREATER "4.7.99") OR
@@ -121,15 +158,20 @@ if(NOT WIN32)
 endif()

 if(FUZZ)
-  if(!CMAKE_CXX_COMPILER_ID MATCHES "Clang")
-    message("You need to build with Clang for fuzzing to work")
+  if(NOT CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+    message(FATAL_ERROR "You need to build with Clang for fuzzing to work")
  endif()

-  add_definitions(-DBORINGSSL_UNSAFE_FUZZER_MODE)
-  set(RUNNER_ARGS "-fuzzer")
+  add_definitions(-DBORINGSSL_UNSAFE_DETERMINISTIC_MODE)
+  set(RUNNER_ARGS "-deterministic")

-  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=address -fsanitize-coverage=edge,indirect-calls,8bit-counters")
-  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=address -fsanitize-coverage=edge,indirect-calls,8bit-counters")
+  if(NOT NO_FUZZER_MODE)
+    add_definitions(-DBORINGSSL_UNSAFE_FUZZER_MODE)
+    set(RUNNER_ARGS ${RUNNER_ARGS} "-fuzzer" "-shim-config" "fuzzer_mode.json")
+  endif()
+
+  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=address -fsanitize-coverage=edge,indirect-calls,trace-pc-guard")
+  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=address -fsanitize-coverage=edge,indirect-calls,trace-pc-guard")
  set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_C_FLAGS} -fsanitize=address")
  link_directories(.)
 endif()
@@ -143,7 +185,64 @@ if (BUILD_SHARED_LIBS)
  set(CMAKE_POSITION_INDEPENDENT_CODE TRUE)
 endif()

-if (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+if (MSAN)
+  if(NOT CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+    message(FATAL_ERROR "Cannot enable MSAN unless using Clang")
+  endif()
+
+  if (ASAN)
+    message(FATAL_ERROR "ASAN and MSAN are mutually exclusive")
+  endif()
+
+  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=memory -fsanitize-memory-track-origins -fno-omit-frame-pointer")
+  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=memory -fsanitize-memory-track-origins -fno-omit-frame-pointer")
+  set(OPENSSL_NO_ASM "1")
+endif()
+
+if (ASAN)
+  if(NOT CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+    message(FATAL_ERROR "Cannot enable ASAN unless using Clang")
+  endif()
+
+  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=address -fsanitize-address-use-after-scope -fno-omit-frame-pointer")
+  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=address -fsanitize-address-use-after-scope -fno-omit-frame-pointer")
+  set(OPENSSL_NO_ASM "1")
+endif()
+
+if (GCOV)
+  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fprofile-arcs -ftest-coverage")
+  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fprofile-arcs -ftest-coverage")
+endif()
+
+if(FIPS)
+  add_definitions(-DBORINGSSL_FIPS)
+  if(FIPS_BREAK_TEST)
+    add_definitions("-DBORINGSSL_FIPS_BREAK_${FIPS_BREAK_TEST}=1")
+  endif()
+  # Delocate does not work for ASan and MSan builds.
+  if(NOT ASAN AND NOT MSAN)
+    set(FIPS_DELOCATE "1")
+  endif()
+endif()
+
+# CMake's iOS support uses Apple's multiple-architecture toolchain. It takes an
+# architecture list from CMAKE_OSX_ARCHITECTURES, leaves CMAKE_SYSTEM_PROCESSOR
+# alone, and expects all architecture-specific logic to be conditioned within
+# the source files rather than the build. This does not work for our assembly
+# files, so we fix CMAKE_SYSTEM_PROCESSOR and only support single-architecture
+# builds.
+if (NOT OPENSSL_NO_ASM AND CMAKE_OSX_ARCHITECTURES)
+  list(LENGTH CMAKE_OSX_ARCHITECTURES NUM_ARCHES)
+  if (NOT ${NUM_ARCHES} EQUAL 1)
+    message(FATAL_ERROR "Universal binaries not supported.")
+  endif()
+  list(GET CMAKE_OSX_ARCHITECTURES 0 CMAKE_SYSTEM_PROCESSOR)
+endif()
+
+if (OPENSSL_NO_ASM)
+  add_definitions(-DOPENSSL_NO_ASM)
+  set(ARCH "generic")
+elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "x86_64")
  set(ARCH "x86_64")
 elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "amd64")
  set(ARCH "x86_64")
@@ -160,14 +259,17 @@ elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "i386")
  set(ARCH "x86")
 elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "i686")
  set(ARCH "x86")
-elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "arm")
-  set(ARCH "arm")
-elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "armv6")
-  set(ARCH "arm")
-elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "armv7-a")
-  set(ARCH "arm")
 elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "aarch64")
  set(ARCH "aarch64")
+elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "arm64")
+  set(ARCH "aarch64")
+elseif (${CMAKE_SYSTEM_PROCESSOR} MATCHES "^arm*")
+  set(ARCH "arm")
+elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "mips")
+  # Just to avoid the “unknown processor” error.
+  set(ARCH "generic")
+elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "ppc64le")
+  set(ARCH "ppc64le")
 else()
  message(FATAL_ERROR "Unknown processor:" ${CMAKE_SYSTEM_PROCESSOR})
 endif()
@@ -186,22 +288,42 @@ if (${ARCH} STREQUAL "x86" AND APPLE)
  set(ARCH "x86_64")
 endif()

-if (OPENSSL_NO_ASM)
-  add_definitions(-DOPENSSL_NO_ASM)
-  set(ARCH "generic")
-endif()
+# Add minimal googletest targets. The provided one has many side-effects, and
+# googletest has a very straightforward build.
+add_library(gtest third_party/googletest/src/gtest-all.cc)
+target_include_directories(gtest PRIVATE third_party/googletest)
+
+include_directories(third_party/googletest/include)

 # Declare a dummy target to build all unit tests. Test targets should inject
 # themselves as dependencies next to the target definition.
 add_custom_target(all_tests)

+add_custom_command(
+  OUTPUT crypto_test_data.cc
+  COMMAND ${GO_EXECUTABLE} run util/embed_test_data.go ${CRYPTO_TEST_DATA} >
+  ${CMAKE_CURRENT_BINARY_DIR}/crypto_test_data.cc
+  DEPENDS util/embed_test_data.go ${CRYPTO_TEST_DATA}
+  WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR})
+
+add_library(crypto_test_data OBJECT crypto_test_data.cc)
+
 add_subdirectory(crypto)
 add_subdirectory(ssl)
 add_subdirectory(ssl/test)
+add_subdirectory(fipstools)
 add_subdirectory(tool)
 add_subdirectory(decrepit)

 if(FUZZ)
+  if(LIBFUZZER_FROM_DEPS)
+    file(GLOB LIBFUZZER_SOURCES "util/bot/libFuzzer/*.cpp")
+    add_library(Fuzzer STATIC ${LIBFUZZER_SOURCES})
+    # libFuzzer does not pass our aggressive warnings. It also must be built
+    # without -fsanitize-coverage options or clang crashes.
+    set_target_properties(Fuzzer PROPERTIES COMPILE_FLAGS "-Wno-shadow -Wno-format-nonliteral -Wno-missing-prototypes -fsanitize-coverage=0")
+  endif()
+
  add_subdirectory(fuzz)
 endif()

@@ -23,22 +23,24 @@ Then copy `libFuzzer.a` to the top-level of your BoringSSL source directory.
 From the `build/` directory, you can then run the fuzzers. For example:

 ```
-./fuzz/cert -max_len=3072 -jobs=32 -workers=32 ../fuzz/cert_corpus/
+./fuzz/cert -max_len=10000 -jobs=32 -workers=32 ../fuzz/cert_corpus/
 ```

 The arguments to `jobs` and `workers` should be the number of cores that you wish to dedicate to fuzzing. By default, libFuzzer uses the largest test in the corpus (or 64 if empty) as the maximum test case length. The `max_len` argument overrides this.

 The recommended values of `max_len` for each test are:

-| Test       | `max_len` value |
-|------------|-----------------|
-| `cert`     | 3072            |
-| `client`   | 20000           |
-| `pkcs8`    | 2048            |
-| `privkey`  | 2048            |
-| `server`   | 4096            |
-| `spki`     | 1024            |
-| `read_pem` | 512             |
+| Test          | `max_len` value |
+|---------------|-----------------|
+| `cert`        | 10000           |
+| `client`      | 20000           |
+| `pkcs8`       | 2048            |
+| `privkey`     | 2048            |
+| `server`      | 4096            |
+| `session`     | 8192            |
+| `spki`        | 1024            |
+| `read_pem`    | 512             |
+| `ssl_ctx_api` | 256             |

 These were determined by rounding up the length of the largest case in the corpus.

@@ -52,39 +54,33 @@ In order to minimise all the corpuses, build for fuzzing and run `./fuzz/minimis

 ## Fuzzer mode

-When `-DFUZZ=1` is passed into CMake, BoringSSL builds with `BORINGSSL_UNSAFE_FUZZER_MODE` defined. This modifies the library, particularly the TLS stack, to be more friendly to fuzzers. It will:
+When `-DFUZZ=1` is passed into CMake, BoringSSL builds with `BORINGSSL_UNSAFE_FUZZER_MODE` and `BORINGSSL_UNSAFE_DETERMINISTIC_MODE` defined. This modifies the library to be more friendly to fuzzers. If `BORINGSSL_UNSAFE_DETERMINISTIC_MODE` is set, BoringSSL will:

 * Replace `RAND_bytes` with a deterministic PRNG. Call `RAND_reset_for_fuzzing()` at the start of fuzzers which use `RAND_bytes` to reset the PRNG state.

+* Use a hard-coded time instead of the actual time.
+
+Additionally, if `BORINGSSL_UNSAFE_FUZZER_MODE` is set, BoringSSL will:
+
 * Modify the TLS stack to perform all signature checks (CertificateVerify and ServerKeyExchange) and the Finished check, but always act as if the check succeeded.

 * Treat every cipher as the NULL cipher.

-* Use a hard-coded time instead of the actual time.
-
 * Tickets are unencrypted and the MAC check is performed but ignored.

+* renegotiation\_info checks are ignored.
+
 This is to prevent the fuzzer from getting stuck at a cryptographic invariant in the protocol.

 ## TLS transcripts

-The `client` and `server` corpora are seeded from the test suite. The test suite has a `-fuzzer` flag which mirrors the fuzzer mode changes above and a `-deterministic` flag which removes all non-determinism on the Go side. Not all tests pass, so `ssl/test/runner/fuzzer_mode.json` contains the necessary suppressions. To run the tests against a fuzzer-mode `bssl_shim`, run:
+The `client` and `server` corpora are seeded from the test suite. The test suite has a `-fuzzer` flag which mirrors the fuzzer mode changes above and a `-deterministic` flag which removes all non-determinism on the Go side. Not all tests pass, so `ssl/test/runner/fuzzer_mode.json` contains the necessary suppressions. The `run_tests` target will pass appropriate command-line flags.
+
+There are separate corpora, `client_corpus_no_fuzzer_mode` and `server_corpus_no_fuzzer_mode`. These are transcripts for fuzzers with only `BORINGSSL_UNSAFE_DETERMINISTIC_MODE` defined. To build in this mode, pass `-DNO_FUZZER_MODE=1` into CMake. This configuration is run in the same way but without `-fuzzer` and `-shim-config` flags.
+
+If both sets of tests pass, refresh the fuzzer corpora with `refresh_ssl_corpora.sh`:

 ```
-cd ssl/test/runner
-go test -fuzzer -deterministic -shim-config fuzzer_mode.json
-```
-
-For a different build directory from `build/`, pass the appropriate `-shim-path` flag. If those tests pass, record a set of transcripts with:
-
-```
-go test -fuzzer -deterministic -transcript-dir /tmp/transcripts/
-```
-
-Note the suppressions file is ignored so disabled tests record transcripts too. Then merge into the existing corpora:
-
-```
-cd build/
-./fuzz/client -max_len=50000 -merge=1 ../fuzz/client_corpus /tmp/transcripts/tls/client
-./fuzz/server -max_len=50000 -merge=1 ../fuzz/server_corpus /tmp/transcripts/tls/server
+cd fuzz
+./refresh_ssl_corpora.sh /path/to/fuzzer/mode/build /path/to/non/fuzzer/mode/build
 ```
@@ -5,7 +5,7 @@

 ## Bazel

-If you are using [Bazel](http://www.bazel.io) then you can incorporate
+If you are using [Bazel](https://bazel.build) then you can incorporate
 BoringSSL as an external repository by using a commit from the
 `master-with-bazel` branch. That branch is maintained by a bot from `master`
 and includes the needed generated files and a top-level BUILD file.
@@ -38,7 +38,7 @@ updating things more complex.
 BoringSSL is designed to work with many different build systems. Currently,
 different projects use [GYP](https://gyp.gsrc.io/),
 [GN](https://chromium.googlesource.com/chromium/src/+/master/tools/gn/docs/quick_start.md),
-[Bazel](http://bazel.io/) and [Make](https://www.gnu.org/software/make/)  to
+[Bazel](https://bazel.build/) and [Make](https://www.gnu.org/software/make/)  to
 build BoringSSL, without too much pain.

 The development build system is CMake and the CMake build knows how to
@@ -116,7 +116,9 @@ response in (unpipelined) HTTP/1.1.

 Things which do not work:

-* There is no support for renegotiation as a server.
+* There is no support for renegotiation as a server. (Attempts by clients will
+  result in a fatal alert so that ClientHello messages cannot be used to flood
+  a server and escape higher-level limits.)

 * There is no support for renegotiation in DTLS.

@@ -128,6 +130,17 @@ Things which do not work:
 * If a HelloRequest is received while `SSL_write` has unsent application data,
  the renegotiation is rejected.

+* Renegotiation does not participate in session resumption. The client will
+  not offer a session on renegotiation or resume any session established by a
+  renegotiation handshake.
+
+* The server may not change its certificate in the renegotiation. This mitigates
+  the [triple handshake attack](https://mitls.org/pages/attacks/3SHAKE). Any new
+  stapled OCSP response and SCT list will be ignored. As no authentication state
+  may change, BoringSSL will not re-verify the certificate on a renegotiation.
+  Callbacks such as `SSL_CTX_set_custom_verify` will only run on the initial
+  handshake.
+
 ### Lowercase hexadecimal

 BoringSSL's `BN_bn2hex` function uses lowercase hexadecimal digits instead of
@@ -227,6 +240,7 @@ parameter.
 `SSL_CTRL_OPTIONS` | `SSL_CTX_get_options` or `SSL_CTX_set_options`
 `SSL_CTRL_SESS_NUMBER` | `SSL_CTX_sess_number`
 `SSL_CTRL_SET_CURVES` | `SSL_CTX_set1_curves`
+`SSL_CTRL_SET_ECDH_AUTO` | `SSL_CTX_set_ecdh_auto`
 `SSL_CTRL_SET_MAX_CERT_LIST` | `SSL_CTX_set_max_cert_list`
 `SSL_CTRL_SET_MAX_SEND_FRAGMENT` | `SSL_CTX_set_max_send_fragment`
 `SSL_CTRL_SET_MSG_CALLBACK` | `SSL_set_msg_callback`
@@ -246,3 +260,27 @@ parameter.
 `SSL_CTRL_SET_TMP_ECDH_CB` | `SSL_CTX_set_tmp_ecdh_callback`
 `SSL_CTRL_SET_TMP_RSA` | `SSL_CTX_set_tmp_rsa` is equivalent, but [*do not use this function*](https://freakattack.com/). (It is a no-op in BoringSSL.)
 `SSL_CTRL_SET_TMP_RSA_CB` | `SSL_CTX_set_tmp_rsa_callback` is equivalent, but [*do not use this function*](https://freakattack.com/). (It is a no-op in BoringSSL.)
+
+## Significant API additions
+
+In some places, BoringSSL has added significant APIs. Use of these APIs goes beyound “porting” and means giving up on OpenSSL compatibility.
+
+One example of this has already been mentioned: the [CBS and CBB](https://commondatastorage.googleapis.com/chromium-boringssl-docs/bytestring.h.html) functions should be used whenever parsing or serialising data.
+
+### CRYPTO\_BUFFER
+
+With the standard OpenSSL APIs, when making many TLS connections, the certificate data for each connection is retained in memory in an expensive `X509` structure. Additionally, common certificates often appear in the chains for multiple connections and are needlessly duplicated in memory.
+
+A [`CRYPTO_BUFFER`](https://commondatastorage.googleapis.com/chromium-boringssl-docs/pool.h.html) is just an opaque byte string. A `CRYPTO_BUFFER_POOL` is an intern table for these buffers, i.e. it ensures that only a single copy of any given byte string is kept for each pool.
+
+The function `TLS_with_buffers_method` returns an `SSL_METHOD` that avoids creating `X509` objects for certificates. Additionally, `SSL_CTX_set0_buffer_pool` can be used to install a pool on an `SSL_CTX` so that certificates can be deduplicated across connections and across `SSL_CTX`s.
+
+When using these functions, the application also needs to ensure that it doesn't call other functions that deal with `X509` or `X509_NAME` objects. For example, `SSL_get_peer_certificate` or `SSL_get_peer_cert_chain`. Doing so will trigger an assert in debug mode and will result in NULLs in release mode. Instead, call the buffer-based alternatives such as `SSL_get0_peer_certificates`. (See [ssl.h](https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html) for functions taking or returning `CRYPTO_BUFFER`.) The buffer-based alternative functions will work even when not using `TLS_with_buffers_method`, thus application code can transition gradually.
+
+In order to use buffers, the application code also needs to implement its own certificate verification using `SSL_[CTX_]set_custom_verify`. Otherwise all connections will fail with a verification error. Auto-chaining is also disabled when using buffers.
+
+Once those changes have been completed, the whole of the OpenSSL X.509 and ASN.1 code should be eliminated by the linker if BoringSSL is linked statically.
+
+### Asynchronous and opaque private keys
+
+OpenSSL offers the ENGINE API for implementing opaque private keys (i.e. private keys where software only has oracle access because the secrets are held in special hardware or on another machine). While the ENGINE API has been mostly removed from BoringSSL, it is still possible to support opaque keys in this way. However, when using such keys with TLS and BoringSSL, you should strongly prefer using `SSL_PRIVATE_KEY_METHOD` via `SSL[_CTX]_set_private_key_method`. This allows a handshake to be suspended while the private operation is in progress. It also supports more forms of opaque key as it exposes higher-level information about the operation to be performed.
@@ -45,6 +45,16 @@ not
 Rather than `malloc()` and `free()`, use the wrappers `OPENSSL_malloc()`
 and `OPENSSL_free()`. Use the standard C `assert()` function freely.

+Use the following wrappers, found in `crypto/internal.h` instead of the
+corresponding C standard library functions. They behave the same but avoid
+confusing undefined behavior.
+
+* `OPENSSL_memchr`
+* `OPENSSL_memcmp`
+* `OPENSSL_memcpy`
+* `OPENSSL_memmove`
+* `OPENSSL_memset`
+
 For new constants, prefer enums when the values are sequential and typed
 constants for flags. If adding values to an existing set of `#define`s,
 continue with `#define`.
@@ -197,3 +207,14 @@ return value patterns in legacy functions.

 Document private functions in their `internal.h` header or, if static,
 where defined.
+
+
+## Build logic
+
+BoringSSL is used by many projects with many different build tools.
+Reimplementing and maintaining build logic in each downstream build is
+cumbersome, so build logic should be avoided where possible. Platform-specific
+files should be excluded by wrapping the contents in `#ifdef`s, rather than
+computing platform-specific file lists. Generated source files such as perlasm
+and `err_data.c` may be used in the standalone CMake build but, for downstream
+builds, they should be pre-generated in `generate_build_files.py`.
@@ -1,43 +1,63 @@
 include_directories(../include)

-if(APPLE)
-  if (${ARCH} STREQUAL "x86")
-    set(PERLASM_FLAGS "-fPIC -DOPENSSL_IA32_SSE2")
-  endif()
-  set(PERLASM_STYLE macosx)
-  set(ASM_EXT S)
-  enable_language(ASM)
-elseif(UNIX)
-  if (${ARCH} STREQUAL "aarch64")
-    # The "armx" Perl scripts look for "64" in the style argument
-    # in order to decide whether to generate 32- or 64-bit asm.
-    set(PERLASM_STYLE linux64)
-  elseif (${ARCH} STREQUAL "arm")
-    set(PERLASM_STYLE linux32)
-  elseif (${ARCH} STREQUAL "x86")
-    set(PERLASM_FLAGS "-fPIC -DOPENSSL_IA32_SSE2")
-    set(PERLASM_STYLE elf)
-  elseif (${ARCH} STREQUAL "ppc64le")
-    set(PERLASM_STYLE ppc64le)
-  else()
-    set(PERLASM_STYLE elf)
-  endif()
-  set(ASM_EXT S)
-  enable_language(ASM)
-  set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -Wa,--noexecstack")
-else()
-  if (CMAKE_CL_64)
-    message("Using nasm")
-    set(PERLASM_STYLE nasm)
-  else()
-    message("Using win32n")
-    set(PERLASM_STYLE win32n)
-    set(PERLASM_FLAGS "-DOPENSSL_IA32_SSE2")
-  endif()
+if(NOT OPENSSL_NO_ASM)
+  if(UNIX)
+    if (${ARCH} STREQUAL "aarch64")
+      # The "armx" Perl scripts look for "64" in the style argument
+      # in order to decide whether to generate 32- or 64-bit asm.
+      if (APPLE)
+        set(PERLASM_STYLE ios64)
+      else()
+        set(PERLASM_STYLE linux64)
+      endif()
+    elseif (${ARCH} STREQUAL "arm")
+      if (APPLE)
+        set(PERLASM_STYLE ios32)
+      else()
+        set(PERLASM_STYLE linux32)
+      endif()
+    elseif (${ARCH} STREQUAL "ppc64le")
+      set(PERLASM_STYLE linux64le)
+    else()
+      if (${ARCH} STREQUAL "x86")
+        set(PERLASM_FLAGS "-fPIC -DOPENSSL_IA32_SSE2")
+      endif()
+      if (APPLE)
+        set(PERLASM_STYLE macosx)
+      else()
+        set(PERLASM_STYLE elf)
+      endif()
+    endif()
+    set(ASM_EXT S)
+    enable_language(ASM)
+    set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -Wa,--noexecstack")

-  # On Windows, we use the NASM output, specifically built with Yasm.
-  set(ASM_EXT asm)
-  enable_language(ASM_NASM)
+    # Clang's integerated assembler does not support debug symbols.
+    if(NOT CMAKE_ASM_COMPILER_ID MATCHES "Clang")
+      set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -Wa,-g")
+    endif()
+
+    # CMake does not add -isysroot and -arch flags to assembly.
+    if (APPLE)
+      if (CMAKE_OSX_SYSROOT)
+        set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -isysroot ${CMAKE_OSX_SYSROOT}")
+      endif()
+      foreach(arch ${CMAKE_OSX_ARCHITECTURES})
+        set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -arch ${arch}")
+      endforeach()
+    endif()
+  else()
+    if (${ARCH} STREQUAL "x86_64")
+      set(PERLASM_STYLE nasm)
+    else()
+      set(PERLASM_STYLE win32n)
+      set(PERLASM_FLAGS "-DOPENSSL_IA32_SSE2")
+    endif()
+
+    # On Windows, we use the NASM output, specifically built with Yasm.
+    set(ASM_EXT asm)
+    enable_language(ASM_NASM)
+  endif()
 endif()

 function(perlasm dest src)
@@ -64,27 +84,21 @@ add_subdirectory(err)
 add_subdirectory(buf)
 add_subdirectory(base64)
 add_subdirectory(bytestring)
+add_subdirectory(pool)

 # Level 0.2 - depends on nothing but itself
-add_subdirectory(sha)
-add_subdirectory(md4)
-add_subdirectory(md5)
-add_subdirectory(modes)
-add_subdirectory(aes)
-add_subdirectory(des)
 add_subdirectory(rc4)
 add_subdirectory(conf)
 add_subdirectory(chacha)
 add_subdirectory(poly1305)
 add_subdirectory(curve25519)
-add_subdirectory(newhope)

 # Level 1, depends only on 0.*
-add_subdirectory(digest)
-add_subdirectory(cipher)
-add_subdirectory(rand)
+add_subdirectory(digest_extra)
+add_subdirectory(cipher_extra)
+add_subdirectory(rand_extra)
 add_subdirectory(bio)
-add_subdirectory(bn)
+add_subdirectory(bn_extra)
 add_subdirectory(obj)
 add_subdirectory(asn1)

@@ -92,11 +106,10 @@ add_subdirectory(asn1)
 add_subdirectory(engine)
 add_subdirectory(dh)
 add_subdirectory(dsa)
-add_subdirectory(rsa)
-add_subdirectory(ec)
+add_subdirectory(rsa_extra)
+add_subdirectory(ec_extra)
 add_subdirectory(ecdh)
-add_subdirectory(ecdsa)
-add_subdirectory(hmac)
+add_subdirectory(ecdsa_extra)

 # Level 3
 add_subdirectory(cmac)
@@ -107,13 +120,18 @@ add_subdirectory(x509)
 add_subdirectory(x509v3)

 # Level 4
+add_subdirectory(pkcs7)
 add_subdirectory(pkcs8)

 # Test support code
 add_subdirectory(test)

+add_subdirectory(fipsmodule)
+
 add_library(
-  crypto
+  crypto_base
+
+  OBJECT

  cpu-aarch64-linux.c
  cpu-arm.c
@@ -129,81 +147,129 @@ add_library(
  thread_none.c
  thread_pthread.c
  thread_win.c
-  time_support.c
+)

+if(FIPS_DELOCATE)
+  SET_SOURCE_FILES_PROPERTIES(fipsmodule/bcm.o PROPERTIES EXTERNAL_OBJECT true)
+  SET_SOURCE_FILES_PROPERTIES(fipsmodule/bcm.o PROPERTIES GENERATED true)
+
+  set(
+    CRYPTO_FIPS_OBJECTS
+
+    fipsmodule/bcm.o
+  )
+endif()
+
+add_library(
+  crypto
+
+  $<TARGET_OBJECTS:crypto_base>
  $<TARGET_OBJECTS:stack>
  $<TARGET_OBJECTS:lhash>
  $<TARGET_OBJECTS:err>
  $<TARGET_OBJECTS:base64>
  $<TARGET_OBJECTS:bytestring>
-  $<TARGET_OBJECTS:sha>
-  $<TARGET_OBJECTS:md4>
-  $<TARGET_OBJECTS:md5>
-  $<TARGET_OBJECTS:digest>
-  $<TARGET_OBJECTS:cipher>
-  $<TARGET_OBJECTS:modes>
-  $<TARGET_OBJECTS:aes>
-  $<TARGET_OBJECTS:des>
+  $<TARGET_OBJECTS:pool>
+  $<TARGET_OBJECTS:fipsmodule>
+  $<TARGET_OBJECTS:digest_extra>
+  $<TARGET_OBJECTS:cipher_extra>
  $<TARGET_OBJECTS:rc4>
  $<TARGET_OBJECTS:conf>
  $<TARGET_OBJECTS:chacha>
  $<TARGET_OBJECTS:poly1305>
  $<TARGET_OBJECTS:curve25519>
  $<TARGET_OBJECTS:buf>
-  $<TARGET_OBJECTS:bn>
+  $<TARGET_OBJECTS:bn_extra>
  $<TARGET_OBJECTS:bio>
-  $<TARGET_OBJECTS:rand>
+  $<TARGET_OBJECTS:rand_extra>
  $<TARGET_OBJECTS:obj>
  $<TARGET_OBJECTS:asn1>
  $<TARGET_OBJECTS:engine>
  $<TARGET_OBJECTS:dh>
  $<TARGET_OBJECTS:dsa>
-  $<TARGET_OBJECTS:rsa>
-  $<TARGET_OBJECTS:ec>
+  $<TARGET_OBJECTS:rsa_extra>
+  $<TARGET_OBJECTS:ec_extra>
  $<TARGET_OBJECTS:ecdh>
-  $<TARGET_OBJECTS:ecdsa>
-  $<TARGET_OBJECTS:hmac>
+  $<TARGET_OBJECTS:ecdsa_extra>
  $<TARGET_OBJECTS:cmac>
  $<TARGET_OBJECTS:evp>
  $<TARGET_OBJECTS:hkdf>
  $<TARGET_OBJECTS:pem>
  $<TARGET_OBJECTS:x509>
  $<TARGET_OBJECTS:x509v3>
+  $<TARGET_OBJECTS:pkcs7>
  $<TARGET_OBJECTS:pkcs8_lib>
-  $<TARGET_OBJECTS:newhope>
+
+  ${CRYPTO_FIPS_OBJECTS}
 )

+if(FIPS_DELOCATE)
+  add_dependencies(crypto bcm_o_target)
+endif()
+
+SET_TARGET_PROPERTIES(crypto PROPERTIES LINKER_LANGUAGE C)
+
 if(NOT MSVC AND NOT ANDROID)
  target_link_libraries(crypto pthread)
 endif()

+# TODO(davidben): Convert the remaining tests to GTest.
 add_executable(
-  constant_time_test
+  crypto_test

-  constant_time_test.c
+  asn1/asn1_test.cc
+  base64/base64_test.cc
+  bio/bio_test.cc
+  bytestring/bytestring_test.cc
+  chacha/chacha_test.cc
+  cipher_extra/aead_test.cc
+  cipher_extra/cipher_test.cc
+  cmac/cmac_test.cc
+  compiler_test.cc
+  constant_time_test.cc
+  curve25519/ed25519_test.cc
+  curve25519/spake25519_test.cc
+  curve25519/x25519_test.cc
+  ecdh/ecdh_test.cc
+  dh/dh_test.cc
+  digest_extra/digest_test.cc
+  dsa/dsa_test.cc
+  err/err_test.cc
+  evp/evp_extra_test.cc
+  evp/evp_test.cc
+  evp/pbkdf_test.cc
+  evp/scrypt_test.cc
+  fipsmodule/aes/aes_test.cc
+  fipsmodule/bn/bn_test.cc
+  fipsmodule/ec/ec_test.cc
+  fipsmodule/ec/p256-x86_64_test.cc
+  fipsmodule/ecdsa/ecdsa_test.cc
+  fipsmodule/modes/gcm_test.cc
+  fipsmodule/rand/ctrdrbg_test.cc
+  hkdf/hkdf_test.cc
+  hmac_extra/hmac_test.cc
+  lhash/lhash_test.cc
+  obj/obj_test.cc
+  pkcs7/pkcs7_test.cc
+  pkcs8/pkcs8_test.cc
+  pkcs8/pkcs12_test.cc
+  poly1305/poly1305_test.cc
+  pool/pool_test.cc
+  refcount_test.cc
+  rsa_extra/rsa_test.cc
+  test/file_test_gtest.cc
+  thread_test.cc
+  x509/x509_test.cc
+  x509v3/tab_test.cc
+  x509v3/v3name_test.cc

+  $<TARGET_OBJECTS:crypto_test_data>
+  $<TARGET_OBJECTS:gtest_main>
  $<TARGET_OBJECTS:test_support>
 )

-target_link_libraries(constant_time_test crypto)
-add_dependencies(all_tests constant_time_test)
-
-add_executable(
-  thread_test
-
-  thread_test.c
-
-  $<TARGET_OBJECTS:test_support>
-)
-
-target_link_libraries(thread_test crypto)
-add_dependencies(all_tests thread_test)
-
-add_executable(
-  refcount_test
-
-  refcount_test.c
-)
-
-target_link_libraries(refcount_test crypto)
-add_dependencies(all_tests refcount_test)
+target_link_libraries(crypto_test crypto gtest)
+if (WIN32)
+  target_link_libraries(crypto_test ws2_32)
+endif()
+add_dependencies(all_tests crypto_test)
@@ -1,81 +0,0 @@
-include_directories(../../include)
-
-if (${ARCH} STREQUAL "x86_64")
-  set(
-    AES_ARCH_SOURCES
-
-    aes-x86_64.${ASM_EXT}
-    aesni-x86_64.${ASM_EXT}
-    bsaes-x86_64.${ASM_EXT}
-    vpaes-x86_64.${ASM_EXT}
-  )
-endif()
-
-if (${ARCH} STREQUAL "x86")
-  set(
-    AES_ARCH_SOURCES
-
-    aes-586.${ASM_EXT}
-    vpaes-x86.${ASM_EXT}
-    aesni-x86.${ASM_EXT}
-  )
-endif()
-
-if (${ARCH} STREQUAL "arm")
-  set(
-    AES_ARCH_SOURCES
-
-    aes-armv4.${ASM_EXT}
-    bsaes-armv7.${ASM_EXT}
-    aesv8-armx.${ASM_EXT}
-  )
-endif()
-
-if (${ARCH} STREQUAL "aarch64")
-  set(
-    AES_ARCH_SOURCES
-
-    aesv8-armx.${ASM_EXT}
-  )
-endif()
-
-if (${ARCH} STREQUAL "ppc64le")
-  set(
-    AES_ARCH_SOURCES
-
-    aesp8-ppc.${ASM_EXT}
-  )
-endif()
-
-add_library(
-  aes
-
-  OBJECT
-
-  aes.c
-  mode_wrappers.c
-
-  ${AES_ARCH_SOURCES}
-)
-
-perlasm(aes-x86_64.${ASM_EXT} asm/aes-x86_64.pl)
-perlasm(aesni-x86_64.${ASM_EXT} asm/aesni-x86_64.pl)
-perlasm(bsaes-x86_64.${ASM_EXT} asm/bsaes-x86_64.pl)
-perlasm(vpaes-x86_64.${ASM_EXT} asm/vpaes-x86_64.pl)
-perlasm(aes-586.${ASM_EXT} asm/aes-586.pl)
-perlasm(vpaes-x86.${ASM_EXT} asm/vpaes-x86.pl)
-perlasm(aesni-x86.${ASM_EXT} asm/aesni-x86.pl)
-perlasm(aes-armv4.${ASM_EXT} asm/aes-armv4.pl)
-perlasm(bsaes-armv7.${ASM_EXT} asm/bsaes-armv7.pl)
-perlasm(aesv8-armx.${ASM_EXT} asm/aesv8-armx.pl)
-perlasm(aesp8-ppc.${ASM_EXT} asm/aesp8-ppc.pl)
-
-add_executable(
-  aes_test
-
-  aes_test.cc
-  $<TARGET_OBJECTS:test_support>
-)
-
-target_link_libraries(aes_test crypto)
-add_dependencies(all_tests aes_test)
@@ -1,102 +0,0 @@
-/* Copyright (c) 2015, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/aes.h>
-#include <openssl/crypto.h>
-
-
-static bool TestAES(const uint8_t *key, size_t key_len,
-                    const uint8_t plaintext[AES_BLOCK_SIZE],
-                    const uint8_t ciphertext[AES_BLOCK_SIZE]) {
-  AES_KEY aes_key;
-  if (AES_set_encrypt_key(key, key_len * 8, &aes_key) != 0) {
-    fprintf(stderr, "AES_set_encrypt_key failed\n");
-    return false;
-  }
-
-  // Test encryption.
-  uint8_t block[AES_BLOCK_SIZE];
-  AES_encrypt(plaintext, block, &aes_key);
-  if (memcmp(block, ciphertext, AES_BLOCK_SIZE) != 0) {
-    fprintf(stderr, "AES_encrypt gave the wrong output\n");
-    return false;
-  }
-
-  // Test in-place encryption.
-  memcpy(block, plaintext, AES_BLOCK_SIZE);
-  AES_encrypt(block, block, &aes_key);
-  if (memcmp(block, ciphertext, AES_BLOCK_SIZE) != 0) {
-    fprintf(stderr, "AES_encrypt gave the wrong output\n");
-    return false;
-  }
-
-  if (AES_set_decrypt_key(key, key_len * 8, &aes_key) != 0) {
-    fprintf(stderr, "AES_set_decrypt_key failed\n");
-    return false;
-  }
-
-  // Test decryption.
-  AES_decrypt(ciphertext, block, &aes_key);
-  if (memcmp(block, plaintext, AES_BLOCK_SIZE) != 0) {
-    fprintf(stderr, "AES_decrypt gave the wrong output\n");
-    return false;
-  }
-
-  // Test in-place decryption.
-  memcpy(block, ciphertext, AES_BLOCK_SIZE);
-  AES_decrypt(block, block, &aes_key);
-  if (memcmp(block, plaintext, AES_BLOCK_SIZE) != 0) {
-    fprintf(stderr, "AES_decrypt gave the wrong output\n");
-    return false;
-  }
-  return true;
-}
-
-int main() {
-  CRYPTO_library_init();
-
-  // Test vectors from FIPS-197, Appendix C.
-  if (!TestAES((const uint8_t *)"\x00\x01\x02\x03\x04\x05\x06\x07"
-                                "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
-               128 / 8,
-               (const uint8_t *)"\x00\x11\x22\x33\x44\x55\x66\x77"
-                                "\x88\x99\xaa\xbb\xcc\xdd\xee\xff",
-               (const uint8_t *)"\x69\xc4\xe0\xd8\x6a\x7b\x04\x30"
-                                "\xd8\xcd\xb7\x80\x70\xb4\xc5\x5a") ||
-      !TestAES((const uint8_t *)"\x00\x01\x02\x03\x04\x05\x06\x07"
-                                "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
-                                "\x10\x11\x12\x13\x14\x15\x16\x17",
-               192 / 8,
-               (const uint8_t *)"\x00\x11\x22\x33\x44\x55\x66\x77"
-                                "\x88\x99\xaa\xbb\xcc\xdd\xee\xff",
-               (const uint8_t *)"\xdd\xa9\x7c\xa4\x86\x4c\xdf\xe0"
-                                "\x6e\xaf\x70\xa0\xec\x0d\x71\x91") ||
-      !TestAES((const uint8_t *)"\x00\x01\x02\x03\x04\x05\x06\x07"
-                                "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
-                                "\x10\x11\x12\x13\x14\x15\x16\x17"
-                                "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f",
-               256 / 8,
-               (const uint8_t *)"\x00\x11\x22\x33\x44\x55\x66\x77"
-                                "\x88\x99\xaa\xbb\xcc\xdd\xee\xff",
-               (const uint8_t *)"\x8e\xa2\xb7\xca\x51\x67\x45\xbf"
-                                "\xea\xfc\x49\x90\x4b\x49\x60\x89")) {
-    return false;
-  }
-
-  printf("PASS\n");
-  return 0;
-}
@@ -1,87 +0,0 @@
-/* ====================================================================
- * Copyright (c) 2002-2006 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ==================================================================== */
-
-#ifndef OPENSSL_HEADER_AES_INTERNAL_H
-#define OPENSSL_HEADER_AES_INTERNAL_H
-
-#include <openssl/base.h>
-
-#if defined(__cplusplus)
-extern "C" {
-#endif
-
-
-#if defined(_MSC_VER) && \
-    (defined(_M_IX86) || defined(_M_AMD64) || defined(_M_X64))
-#define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
-#define GETU32(p) SWAP(*((uint32_t *)(p)))
-#define PUTU32(ct, st) \
-  { *((uint32_t *)(ct)) = SWAP((st)); }
-#else
-#define GETU32(pt)                                         \
-  (((uint32_t)(pt)[0] << 24) ^ ((uint32_t)(pt)[1] << 16) ^ \
-   ((uint32_t)(pt)[2] << 8) ^ ((uint32_t)(pt)[3]))
-#define PUTU32(ct, st)          \
-  {                             \
-    (ct)[0] = (uint8_t)((st) >> 24); \
-    (ct)[1] = (uint8_t)((st) >> 16); \
-    (ct)[2] = (uint8_t)((st) >> 8);  \
-    (ct)[3] = (uint8_t)(st);         \
-  }
-#endif
-
-#define MAXKC (256 / 32)
-#define MAXKB (256 / 8)
-#define MAXNR 14
-
-
-#if defined(__cplusplus)
-} /* extern C */
-#endif
-
-#endif /* OPENSSL_HEADER_AES_INTERNAL_H */
@@ -28,24 +28,11 @@ add_library(
  f_enum.c
  f_int.c
  f_string.c
-  t_bitst.c
  tasn_dec.c
  tasn_enc.c
  tasn_fre.c
  tasn_new.c
  tasn_typ.c
  tasn_utl.c
-  x_bignum.c
-  x_long.c
+  time_support.c
 )
-
-add_executable(
-  asn1_test
-
-  asn1_test.cc
-
-  $<TARGET_OBJECTS:test_support>
-)
-
-target_link_libraries(asn1_test crypto)
-add_dependencies(all_tests asn1_test)
@@ -61,6 +61,9 @@
 #include <openssl/err.h>
 #include <openssl/mem.h>

+#include "../internal.h"
+
+
 int ASN1_BIT_STRING_set(ASN1_BIT_STRING *x, unsigned char *d, int len)
 {
    return M_ASN1_BIT_STRING_set(x, d, len);
@@ -115,7 +118,7 @@ int i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)

    *(p++) = (unsigned char)bits;
    d = a->data;
-    memcpy(p, d, len);
+    OPENSSL_memcpy(p, d, len);
    p += len;
    if (len > 0)
        p[-1] &= (0xff << bits);
@@ -162,7 +165,7 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,
            OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
            goto err;
        }
-        memcpy(s, p, (int)len);
+        OPENSSL_memcpy(s, p, (int)len);
        s[len - 1] &= (0xff << padding);
        p += len;
    } else
@@ -215,7 +218,7 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)
            return 0;
        }
        if (w + 1 - a->length > 0)
-            memset(c + a->length, 0, w + 1 - a->length);
+            OPENSSL_memset(c + a->length, 0, w + 1 - a->length);
        a->data = c;
        a->length = w + 1;
    }
@@ -140,6 +140,21 @@ void *ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void *x)
 }
 #endif

+typedef struct asn1_const_ctx_st
+    {
+    const unsigned char *p;/* work char pointer */
+    int eos;    /* end of sequence read for indefinite encoding */
+    int error;  /* error code to use when returning an error */
+    int inf;    /* constructed if 0x20, indefinite is 0x21 */
+    int tag;    /* tag from last 'get object' */
+    int xclass; /* class from last 'get object' */
+    long slen;  /* length of last 'get object' */
+    const unsigned char *max; /* largest value of p allowed */
+    const unsigned char *q;/* temporary variable */
+    const unsigned char **pp;/* variable */
+    int line;   /* used in error processing */
+    } ASN1_const_CTX;
+
 #define HEADER_SIZE   8
 #define ASN1_CHUNK_INITIAL_SIZE (16 * 1024)
 static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
@@ -61,6 +61,9 @@
 #include <openssl/err.h>
 #include <openssl/mem.h>

+#include "../internal.h"
+
+
 /*
 * Code for ENUMERATED type: identical to INTEGER apart from a different tag.
 * for comments on encoding see a_int.c
@@ -79,7 +82,7 @@ int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v)
            OPENSSL_free(a->data);
        if ((a->data =
             (unsigned char *)OPENSSL_malloc(sizeof(long) + 1)) != NULL)
-            memset((char *)a->data, 0, sizeof(long) + 1);
+            OPENSSL_memset((char *)a->data, 0, sizeof(long) + 1);
    }
    if (a->data == NULL) {
        OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
@@ -61,7 +61,6 @@

 #include <openssl/err.h>
 #include <openssl/mem.h>
-#include <openssl/time_support.h>

 #include "asn1_locl.h"

@@ -149,7 +148,7 @@ int asn1_generalizedtime_to_tm(struct tm *tm, const ASN1_GENERALIZEDTIME *d)
    if (a[o] == 'Z')
        o++;
    else if ((a[o] == '+') || (a[o] == '-')) {
-        int offsign = a[o] == '-' ? -1 : 1, offset = 0;
+        int offsign = a[o] == '-' ? 1 : -1, offset = 0;
        o++;
        if (o + 4 > l)
            goto err;
@@ -220,37 +219,43 @@ ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_adj(ASN1_GENERALIZEDTIME *s,
    struct tm *ts;
    struct tm data;
    size_t len = 20;
+    ASN1_GENERALIZEDTIME *tmps = NULL;

    if (s == NULL)
-        s = M_ASN1_GENERALIZEDTIME_new();
-    if (s == NULL)
-        return (NULL);
+        tmps = ASN1_GENERALIZEDTIME_new();
+    else
+        tmps = s;
+    if (tmps == NULL)
+        return NULL;

    ts = OPENSSL_gmtime(&t, &data);
    if (ts == NULL)
-        return (NULL);
+        goto err;

    if (offset_day || offset_sec) {
        if (!OPENSSL_gmtime_adj(ts, offset_day, offset_sec))
-            return NULL;
+            goto err;
    }

-    p = (char *)s->data;
-    if ((p == NULL) || ((size_t)s->length < len)) {
+    p = (char *)tmps->data;
+    if ((p == NULL) || ((size_t)tmps->length < len)) {
        p = OPENSSL_malloc(len);
        if (p == NULL) {
            OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
-            return (NULL);
+            goto err;
        }
-        if (s->data != NULL)
-            OPENSSL_free(s->data);
-        s->data = (unsigned char *)p;
+        OPENSSL_free(tmps->data);
+        tmps->data = (unsigned char *)p;
    }

    BIO_snprintf(p, len, "%04d%02d%02d%02d%02d%02dZ", ts->tm_year + 1900,
                 ts->tm_mon + 1, ts->tm_mday, ts->tm_hour, ts->tm_min,
                 ts->tm_sec);
-    s->length = strlen(p);
-    s->type = V_ASN1_GENERALIZEDTIME;
-    return (s);
+    tmps->length = strlen(p);
+    tmps->type = V_ASN1_GENERALIZEDTIME;
+    return tmps;
+ err:
+    if (s == NULL)
+        ASN1_GENERALIZEDTIME_free(tmps);
+    return NULL;
 }
@@ -61,6 +61,9 @@
 #include <openssl/err.h>
 #include <openssl/mem.h>

+#include "../internal.h"
+
+
 ASN1_INTEGER *ASN1_INTEGER_dup(const ASN1_INTEGER *x)
 {
    return M_ASN1_INTEGER_dup(x);
@@ -157,7 +160,7 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
    if (a->length == 0)
        *(p++) = 0;
    else if (!neg)
-        memcpy(p, a->data, (unsigned int)a->length);
+        OPENSSL_memcpy(p, a->data, (unsigned int)a->length);
    else {
        /* Begin at the end of the encoding */
        n = a->data + a->length - 1;
@@ -254,7 +257,7 @@ ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **a, const unsigned char **pp,
            p++;
            len--;
        }
-        memcpy(s, p, (int)len);
+        OPENSSL_memcpy(s, p, (int)len);
    }

    if (ret->data != NULL)
@@ -322,7 +325,7 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp,
            p++;
            len--;
        }
-        memcpy(s, p, (int)len);
+        OPENSSL_memcpy(s, p, (int)len);
        p += len;
    }

@@ -354,7 +357,7 @@ int ASN1_INTEGER_set(ASN1_INTEGER *a, long v)
            OPENSSL_free(a->data);
        if ((a->data =
             (unsigned char *)OPENSSL_malloc(sizeof(long) + 1)) != NULL)
-            memset((char *)a->data, 0, sizeof(long) + 1);
+            OPENSSL_memset((char *)a->data, 0, sizeof(long) + 1);
    }
    if (a->data == NULL) {
        OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
@@ -63,6 +63,9 @@
 #include <openssl/mem.h>
 #include <openssl/obj.h>

+#include "../internal.h"
+
+
 int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp)
 {
    unsigned char *p;
@@ -77,7 +80,7 @@ int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp)

    p = *pp;
    ASN1_put_object(&p, 0, a->length, V_ASN1_OBJECT, V_ASN1_UNIVERSAL);
-    memcpy(p, a->data, a->length);
+    OPENSSL_memcpy(p, a->data, a->length);
    p += a->length;

    *pp = p;
@@ -321,7 +324,7 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
        }
        ret->flags |= ASN1_OBJECT_FLAG_DYNAMIC_DATA;
    }
-    memcpy(data, p, length);
+    OPENSSL_memcpy(data, p, length);
    /* reattach data to object, after which it remains const */
    ret->data = data;
    ret->length = length;
@@ -91,31 +91,3 @@ int ASN1_PRINTABLE_type(const unsigned char *s, int len)
        return (V_ASN1_IA5STRING);
    return (V_ASN1_PRINTABLESTRING);
 }
-
-int ASN1_UNIVERSALSTRING_to_string(ASN1_UNIVERSALSTRING *s)
-{
-    int i;
-    unsigned char *p;
-
-    if (s->type != V_ASN1_UNIVERSALSTRING)
-        return (0);
-    if ((s->length % 4) != 0)
-        return (0);
-    p = s->data;
-    for (i = 0; i < s->length; i += 4) {
-        if ((p[0] != '\0') || (p[1] != '\0') || (p[2] != '\0'))
-            break;
-        else
-            p += 4;
-    }
-    if (i < s->length)
-        return (0);
-    p = s->data;
-    for (i = 3; i < s->length; i += 4) {
-        *(p++) = s->data[i];
-    }
-    *(p) = '\0';
-    s->length /= 4;
-    s->type = ASN1_PRINTABLE_type(s->data, s->length);
-    return (1);
-}
@@ -62,6 +62,9 @@
 #include <openssl/err.h>
 #include <openssl/mem.h>
 #include <openssl/obj.h>
+#include <openssl/stack.h>
+
+DEFINE_STACK_OF(ASN1_STRING_TABLE)

 static STACK_OF(ASN1_STRING_TABLE) *stable = NULL;
 static void st_free(ASN1_STRING_TABLE *tbl);
@@ -63,7 +63,6 @@
 #include <openssl/buf.h>
 #include <openssl/err.h>
 #include <openssl/mem.h>
-#include <openssl/time_support.h>

 #include "asn1_locl.h"

@@ -115,7 +114,7 @@ int ASN1_TIME_check(ASN1_TIME *t)
 ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t,
                                                   ASN1_GENERALIZEDTIME **out)
 {
-    ASN1_GENERALIZEDTIME *ret;
+    ASN1_GENERALIZEDTIME *ret = NULL;
    char *str;
    int newlen;

@@ -124,22 +123,21 @@ ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t,

    if (!out || !*out) {
        if (!(ret = ASN1_GENERALIZEDTIME_new()))
-            return NULL;
-        if (out)
-            *out = ret;
-    } else
+            goto err;
+    } else {
        ret = *out;
+    }

    /* If already GeneralizedTime just copy across */
    if (t->type == V_ASN1_GENERALIZEDTIME) {
        if (!ASN1_STRING_set(ret, t->data, t->length))
-            return NULL;
-        return ret;
+            goto err;
+        goto done;
    }

    /* grow the string */
    if (!ASN1_STRING_set(ret, NULL, t->length + 2))
-        return NULL;
+        goto err;
    /* ASN1_STRING_set() allocated 'len + 1' bytes. */
    newlen = t->length + 2 + 1;
    str = (char *)ret->data;
@@ -151,9 +149,18 @@ ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t,

    BUF_strlcat(str, (char *)t->data, newlen);

-    return ret;
+ done:
+   if (out != NULL && *out == NULL)
+       *out = ret;
+   return ret;
+
+ err:
+    if (out == NULL || *out != ret)
+        ASN1_GENERALIZEDTIME_free(ret);
+    return NULL;
 }

+
 int ASN1_TIME_set_string(ASN1_TIME *s, const char *str)
 {
    ASN1_TIME t;
@@ -61,7 +61,6 @@

 #include <openssl/err.h>
 #include <openssl/mem.h>
-#include <openssl/time_support.h>

 #include "asn1_locl.h"

@@ -128,7 +127,7 @@ int asn1_utctime_to_tm(struct tm *tm, const ASN1_UTCTIME *d)
    if (a[o] == 'Z')
        o++;
    else if ((a[o] == '+') || (a[o] == '-')) {
-        int offsign = a[o] == '-' ? -1 : 1, offset = 0;
+        int offsign = a[o] == '-' ? 1 : -1, offset = 0;
        o++;
        if (o + 4 > l)
            goto err;
@@ -270,7 +269,7 @@ time_t ASN1_UTCTIME_get(const ASN1_UTCTIME *s)
    struct tm tm;
    int offset;

-    memset(&tm, '\0', sizeof tm);
+    OPENSSL_memset(&tm, '\0', sizeof tm);

 # define g2(p) (((p)[0]-'0')*10+(p)[1]-'0')
    tm.tm_year = g2(s->data);
@@ -63,6 +63,9 @@
 #include <openssl/err.h>
 #include <openssl/mem.h>

+#include "../internal.h"
+
+
 /* Cross-module errors from crypto/x509/i2d_pr.c. */
 OPENSSL_DECLARE_ERROR_REASON(ASN1, UNSUPPORTED_PUBLIC_KEY_TYPE)

@@ -104,30 +107,6 @@ static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
                           long max);
 static void asn1_put_length(unsigned char **pp, int length);

-static int _asn1_check_infinite_end(const unsigned char **p, long len)
-{
-    /*
-     * If there is 0 or 1 byte left, the length check should pick things up
-     */
-    if (len <= 0)
-        return (1);
-    else if ((len >= 2) && ((*p)[0] == 0) && ((*p)[1] == 0)) {
-        (*p) += 2;
-        return (1);
-    }
-    return (0);
-}
-
-int ASN1_check_infinite_end(unsigned char **p, long len)
-{
-    return _asn1_check_infinite_end((const unsigned char **)p, len);
-}
-
-int ASN1_const_check_infinite_end(const unsigned char **p, long len)
-{
-    return _asn1_check_infinite_end(p, len);
-}
-
 int ASN1_get_object(const unsigned char **pp, long *plength, int *ptag,
                    int *pclass, long omax)
 {
@@ -324,31 +303,6 @@ int ASN1_object_size(int constructed, int length, int tag)
    return ret + length;
 }

-static int _asn1_Finish(ASN1_const_CTX *c)
-{
-    if ((c->inf == (1 | V_ASN1_CONSTRUCTED)) && (!c->eos)) {
-        if (!ASN1_const_check_infinite_end(&c->p, c->slen)) {
-            c->error = ASN1_R_MISSING_ASN1_EOS;
-            return (0);
-        }
-    }
-    if (((c->slen != 0) && !(c->inf & 1)) || ((c->slen < 0) && (c->inf & 1))) {
-        c->error = ASN1_R_ASN1_LENGTH_MISMATCH;
-        return (0);
-    }
-    return (1);
-}
-
-int asn1_Finish(ASN1_CTX *c)
-{
-    return _asn1_Finish((ASN1_const_CTX *)c);
-}
-
-int asn1_const_Finish(ASN1_const_CTX *c)
-{
-    return _asn1_Finish(c);
-}
-
 int ASN1_STRING_copy(ASN1_STRING *dst, const ASN1_STRING *str)
 {
    if (str == NULL)
@@ -401,7 +355,7 @@ int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len)
    }
    str->length = len;
    if (data != NULL) {
-        memcpy(str->data, data, len);
+        OPENSSL_memcpy(str->data, data, len);
        /* an allowance for strings :-) */
        str->data[len] = '\0';
    }
@@ -452,7 +406,7 @@ int ASN1_STRING_cmp(const ASN1_STRING *a, const ASN1_STRING *b)

    i = (a->length - b->length);
    if (i == 0) {
-        i = memcmp(a->data, b->data, a->length);
+        i = OPENSSL_memcmp(a->data, b->data, a->length);
        if (i == 0)
            return (a->type - b->type);
        else
@@ -57,7 +57,42 @@
 *
 */

+#ifndef OPENSSL_HEADER_ASN1_ASN1_LOCL_H
+#define OPENSSL_HEADER_ASN1_ASN1_LOCL_H
+
+#include <time.h>
+
+#include <openssl/asn1.h>
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+/* Wrapper functions for time functions. */
+
+/* OPENSSL_gmtime wraps |gmtime_r|. See the manual page for that function. */
+struct tm *OPENSSL_gmtime(const time_t *time, struct tm *result);
+
+/* OPENSSL_gmtime_adj updates |tm| by adding |offset_day| days and |offset_sec|
+ * seconds. */
+int OPENSSL_gmtime_adj(struct tm *tm, int offset_day, long offset_sec);
+
+/* OPENSSL_gmtime_diff calculates the difference between |from| and |to| and
+ * outputs the difference as a number of days and seconds in |*out_days| and
+ * |*out_secs|. */
+int OPENSSL_gmtime_diff(int *out_days, int *out_secs, const struct tm *from,
+                        const struct tm *to);
+
+
 /* Internal ASN1 structures and functions: not for application use */

 int asn1_utctime_to_tm(struct tm *tm, const ASN1_UTCTIME *d);
 int asn1_generalizedtime_to_tm(struct tm *tm, const ASN1_GENERALIZEDTIME *d);
+
+
+#if defined(__cplusplus)
+}  /* extern C */
+#endif
+
+#endif  /* OPENSSL_HEADER_ASN1_ASN1_LOCL_H */
@@ -14,10 +14,13 @@

 #include <stdio.h>

+#include <gtest/gtest.h>
+
 #include <openssl/asn1.h>
-#include <openssl/crypto.h>
 #include <openssl/err.h>

+#include "../test/test_util.h"
+

 // kTag128 is an ASN.1 structure with a universal tag with number 128.
 static const uint8_t kTag128[] = {
@@ -38,42 +41,22 @@ static const uint8_t kTagOverflow[] = {
    0x1f, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x01, 0x00,
 };

-static bool TestLargeTags() {
+TEST(ASN1Test, LargeTags) {
  const uint8_t *p = kTag258;
  bssl::UniquePtr<ASN1_TYPE> obj(d2i_ASN1_TYPE(NULL, &p, sizeof(kTag258)));
-  if (obj) {
-    fprintf(stderr, "Parsed value with illegal tag (type = %d).\n", obj->type);
-    return false;
-  }
+  EXPECT_FALSE(obj) << "Parsed value with illegal tag" << obj->type;
  ERR_clear_error();

  p = kTagOverflow;
  obj.reset(d2i_ASN1_TYPE(NULL, &p, sizeof(kTagOverflow)));
-  if (obj) {
-    fprintf(stderr, "Parsed value with tag overflow (type = %d).\n", obj->type);
-    return false;
-  }
+  EXPECT_FALSE(obj) << "Parsed value with tag overflow" << obj->type;
  ERR_clear_error();

  p = kTag128;
  obj.reset(d2i_ASN1_TYPE(NULL, &p, sizeof(kTag128)));
-  if (!obj || obj->type != 128 || obj->value.asn1_string->length != 1 ||
-      obj->value.asn1_string->data[0] != 0) {
-    fprintf(stderr, "Failed to parse value with tag 128.\n");
-    ERR_print_errors_fp(stderr);
-    return false;
-  }
-
-  return true;
-}
-
-int main() {
-  CRYPTO_library_init();
-
-  if (!TestLargeTags()) {
-    return 1;
-  }
-
-  printf("PASS\n");
-  return 0;
+  ASSERT_TRUE(obj);
+  EXPECT_EQ(128, obj->type);
+  const uint8_t kZero = 0;
+  EXPECT_EQ(Bytes(&kZero, 1), Bytes(obj->value.asn1_string->data,
+                                    obj->value.asn1_string->length));
 }
@@ -1,103 +0,0 @@
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.] */
-
-#include <openssl/asn1.h>
-
-#include <string.h>
-
-#include <openssl/mem.h>
-
-int ASN1_BIT_STRING_name_print(BIO *out, ASN1_BIT_STRING *bs,
-                               BIT_STRING_BITNAME *tbl, int indent)
-{
-    BIT_STRING_BITNAME *bnam;
-    char first = 1;
-    BIO_printf(out, "%*s", indent, "");
-    for (bnam = tbl; bnam->lname; bnam++) {
-        if (ASN1_BIT_STRING_get_bit(bs, bnam->bitnum)) {
-            if (!first)
-                BIO_puts(out, ", ");
-            BIO_puts(out, bnam->lname);
-            first = 0;
-        }
-    }
-    BIO_puts(out, "\n");
-    return 1;
-}
-
-int ASN1_BIT_STRING_set_asc(ASN1_BIT_STRING *bs, char *name, int value,
-                            BIT_STRING_BITNAME *tbl)
-{
-    int bitnum;
-    bitnum = ASN1_BIT_STRING_num_asc(name, tbl);
-    if (bitnum < 0)
-        return 0;
-    if (bs) {
-        if (!ASN1_BIT_STRING_set_bit(bs, bitnum, value))
-            return 0;
-    }
-    return 1;
-}
-
-int ASN1_BIT_STRING_num_asc(char *name, BIT_STRING_BITNAME *tbl)
-{
-    BIT_STRING_BITNAME *bnam;
-    for (bnam = tbl; bnam->lname; bnam++) {
-        if (!strcmp(bnam->sname, name) || !strcmp(bnam->lname, name))
-            return bnam->bitnum;
-    }
-    return -1;
-}
@@ -180,6 +180,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
    int ret = 0;
    ASN1_VALUE **pchptr, *ptmpval;
    int combine = aclass & ASN1_TFLG_COMBINE;
+    aclass &= ~ASN1_TFLG_COMBINE;
    if (!pval)
        return 0;
    if (aux && aux->asn1_cb)
@@ -667,6 +668,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
            }
            len -= p - q;
            if (!sk_ASN1_VALUE_push((STACK_OF(ASN1_VALUE) *)*val, skfield)) {
+                ASN1_item_ex_free(&skfield, ASN1_ITEM_ptr(tt->item));
                OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
                goto err;
            }
@@ -1108,7 +1110,7 @@ static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen)
            OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
            return 0;
        }
-        memcpy(buf->data + len, *p, plen);
+        OPENSSL_memcpy(buf->data + len, *p, plen);
    }
    *p += plen;
    return 1;
@@ -62,6 +62,9 @@
 #include <openssl/asn1t.h>
 #include <openssl/mem.h>

+#include "../internal.h"
+
+
 static int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out,
                                 const ASN1_ITEM *it, int tag, int aclass);
 static int asn1_set_seq_out(STACK_OF(ASN1_VALUE) *sk, unsigned char **out,
@@ -415,7 +418,7 @@ static int der_cmp(const void *a, const void *b)
    const DER_ENC *d1 = a, *d2 = b;
    int cmplen, i;
    cmplen = (d1->length < d2->length) ? d1->length : d2->length;
-    i = memcmp(d1->data, d2->data, cmplen);
+    i = OPENSSL_memcmp(d1->data, d2->data, cmplen);
    if (i)
        return i;
    return d1->length - d2->length;
@@ -470,7 +473,7 @@ static int asn1_set_seq_out(STACK_OF(ASN1_VALUE) *sk, unsigned char **out,
    /* Output sorted DER encoding */
    p = *out;
    for (i = 0, tder = derlst; i < sk_ASN1_VALUE_num(sk); i++, tder++) {
-        memcpy(p, tder->data, tder->length);
+        OPENSSL_memcpy(p, tder->data, tder->length);
        p += tder->length;
    }
    *out = p;
@@ -660,6 +663,6 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype,

    }
    if (cout && len)
-        memcpy(cout, cont, len);
+        OPENSSL_memcpy(cout, cont, len);
    return len;
 }
@@ -63,6 +63,9 @@
 #include <openssl/mem.h>
 #include <openssl/obj.h>

+#include "../internal.h"
+
+
 static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
                                    int combine);
 static void asn1_item_clear(ASN1_VALUE **pval, const ASN1_ITEM *it);
@@ -153,11 +156,11 @@ static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
            *pval = OPENSSL_malloc(it->size);
            if (!*pval)
                goto memerr;
-            memset(*pval, 0, it->size);
+            OPENSSL_memset(*pval, 0, it->size);
        }
        asn1_set_choice_selector(pval, -1, it);
        if (asn1_cb && !asn1_cb(ASN1_OP_NEW_POST, pval, it, NULL))
-            goto auxerr;
+            goto auxerr2;
        break;

    case ASN1_ITYPE_NDEF_SEQUENCE:
@@ -178,17 +181,17 @@ static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
            *pval = OPENSSL_malloc(it->size);
            if (!*pval)
                goto memerr;
-            memset(*pval, 0, it->size);
+            OPENSSL_memset(*pval, 0, it->size);
            asn1_refcount_set_one(pval, it);
            asn1_enc_init(pval, it);
        }
        for (i = 0, tt = it->templates; i < it->tcount; tt++, i++) {
            pseqval = asn1_get_field_ptr(pval, tt);
            if (!ASN1_template_new(pseqval, tt))
-                goto memerr;
+                goto memerr2;
        }
        if (asn1_cb && !asn1_cb(ASN1_OP_NEW_POST, pval, it, NULL))
-            goto auxerr;
+            goto auxerr2;
        break;
    }
 #ifdef CRYPTO_MDEBUG
@@ -197,18 +200,20 @@ static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
 #endif
    return 1;

+ memerr2:
+    ASN1_item_ex_free(pval, it);
 memerr:
    OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
-    ASN1_item_ex_free(pval, it);
 #ifdef CRYPTO_MDEBUG
    if (it->sname)
        CRYPTO_pop_info();
 #endif
    return 0;

+ auxerr2:
+    ASN1_item_ex_free(pval, it);
 auxerr:
    OPENSSL_PUT_ERROR(ASN1, ASN1_R_AUX_ERROR);
-    ASN1_item_ex_free(pval, it);
 #ifdef CRYPTO_MDEBUG
    if (it->sname)
        CRYPTO_pop_info();
@@ -56,6 +56,7 @@

 #include <openssl/asn1.h>

+#include <assert.h>
 #include <string.h>

 #include <openssl/asn1t.h>
@@ -70,7 +71,7 @@
 /* Utility functions for manipulating fields and offsets */

 /* Add 'offset' to 'addr' */
-#define offset2ptr(addr, offset) (void *)(((char *) addr) + offset)
+#define offset2ptr(addr, offset) (void *)(((char *)(addr)) + (offset))

 /* Given an ASN1_ITEM CHOICE type return the selector value */
 int asn1_get_choice_selector(ASN1_VALUE **pval, const ASN1_ITEM *it) {
@@ -134,6 +135,8 @@ void asn1_enc_init(ASN1_VALUE **pval, const ASN1_ITEM *it) {
  if (enc) {
    enc->enc = NULL;
    enc->len = 0;
+    enc->alias_only = 0;
+    enc->alias_only_on_next_parse = 0;
    enc->modified = 1;
  }
 }
@@ -142,11 +145,13 @@ void asn1_enc_free(ASN1_VALUE **pval, const ASN1_ITEM *it) {
  ASN1_ENCODING *enc;
  enc = asn1_get_enc_ptr(pval, it);
  if (enc) {
-    if (enc->enc) {
+    if (enc->enc && !enc->alias_only) {
      OPENSSL_free(enc->enc);
    }
    enc->enc = NULL;
    enc->len = 0;
+    enc->alias_only = 0;
+    enc->alias_only_on_next_parse = 0;
    enc->modified = 1;
  }
 }
@@ -159,14 +164,23 @@ int asn1_enc_save(ASN1_VALUE **pval, const unsigned char *in, int inlen,
    return 1;
  }

-  if (enc->enc) {
+  if (!enc->alias_only) {
    OPENSSL_free(enc->enc);
  }
-  enc->enc = OPENSSL_malloc(inlen);
-  if (!enc->enc) {
-    return 0;
+
+  enc->alias_only = enc->alias_only_on_next_parse;
+  enc->alias_only_on_next_parse = 0;
+
+  if (enc->alias_only) {
+    enc->enc = (uint8_t *) in;
+  } else {
+    enc->enc = OPENSSL_malloc(inlen);
+    if (!enc->enc) {
+      return 0;
+    }
+    OPENSSL_memcpy(enc->enc, in, inlen);
  }
-  memcpy(enc->enc, in, inlen);
+
  enc->len = inlen;
  enc->modified = 0;

@@ -181,7 +195,7 @@ int asn1_enc_restore(int *len, unsigned char **out, ASN1_VALUE **pval,
    return 0;
  }
  if (out) {
-    memcpy(*out, enc->enc, enc->len);
+    OPENSSL_memcpy(*out, enc->enc, enc->len);
    *out += enc->len;
  }
  if (len) {
@@ -59,7 +59,7 @@
 #define _POSIX_C_SOURCE 201410L  /* for gmtime_r */
 #endif

-#include <openssl/time_support.h>
+#include "asn1_locl.h"

 #include <time.h>

@@ -171,7 +171,7 @@ int OPENSSL_gmtime_adj(struct tm *tm, int off_day, long offset_sec) {
  return 1;
 }

-int OPENSSL_gmtime_diff(int *pday, int *psec, const struct tm *from,
+int OPENSSL_gmtime_diff(int *out_days, int *out_secs, const struct tm *from,
                        const struct tm *to) {
  int from_sec, to_sec, diff_sec;
  long from_jd, to_jd, diff_day;
@@ -195,11 +195,11 @@ int OPENSSL_gmtime_diff(int *pday, int *psec, const struct tm *from,
    diff_sec -= SECS_PER_DAY;
  }

-  if (pday) {
-    *pday = (int)diff_day;
+  if (out_days) {
+    *out_days = (int)diff_day;
  }
-  if (psec) {
-    *psec = diff_sec;
+  if (out_secs) {
+    *out_secs = diff_sec;
  }

  return 1;
@@ -1,153 +0,0 @@
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.] */
-
-#include <openssl/asn1.h>
-
-#include <openssl/asn1t.h>
-#include <openssl/bn.h>
-
-/*
- * Custom primitive type for BIGNUM handling. This reads in an ASN1_INTEGER
- * as a BIGNUM directly. Currently it ignores the sign which isn't a problem
- * since all BIGNUMs used are non negative and anything that looks negative
- * is normally due to an encoding error.
- */
-
-#define BN_SENSITIVE    1
-
-static int bn_new(ASN1_VALUE **pval, const ASN1_ITEM *it);
-static void bn_free(ASN1_VALUE **pval, const ASN1_ITEM *it);
-
-static int bn_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype,
-                  const ASN1_ITEM *it);
-static int bn_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
-                  int utype, char *free_cont, const ASN1_ITEM *it);
-
-static const ASN1_PRIMITIVE_FUNCS bignum_pf = {
-    NULL, 0,
-    bn_new,
-    bn_free,
-    0,
-    bn_c2i,
-    bn_i2c,
-    NULL /* prim_print */ ,
-};
-
-ASN1_ITEM_start(BIGNUM)
-        ASN1_ITYPE_PRIMITIVE, V_ASN1_INTEGER, NULL, 0, &bignum_pf, 0, "BIGNUM"
-ASN1_ITEM_end(BIGNUM)
-
-ASN1_ITEM_start(CBIGNUM)
-        ASN1_ITYPE_PRIMITIVE, V_ASN1_INTEGER, NULL, 0, &bignum_pf, BN_SENSITIVE, "BIGNUM"
-ASN1_ITEM_end(CBIGNUM)
-
-static int bn_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
-{
-    *pval = (ASN1_VALUE *)BN_new();
-    if (*pval)
-        return 1;
-    else
-        return 0;
-}
-
-static void bn_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
-{
-    if (!*pval)
-        return;
-    if (it->size & BN_SENSITIVE)
-        BN_clear_free((BIGNUM *)*pval);
-    else
-        BN_free((BIGNUM *)*pval);
-    *pval = NULL;
-}
-
-static int bn_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype,
-                  const ASN1_ITEM *it)
-{
-    BIGNUM *bn;
-    int pad;
-    if (!*pval)
-        return -1;
-    bn = (BIGNUM *)*pval;
-    /* If MSB set in an octet we need a padding byte */
-    if (BN_num_bits(bn) & 0x7)
-        pad = 0;
-    else
-        pad = 1;
-    if (cont) {
-        if (pad)
-            *cont++ = 0;
-        BN_bn2bin(bn, cont);
-    }
-    return pad + BN_num_bytes(bn);
-}
-
-static int bn_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
-                  int utype, char *free_cont, const ASN1_ITEM *it)
-{
-    BIGNUM *bn;
-    if (!*pval) {
-        if (!bn_new(pval, it)) {
-            return 0;
-        }
-    }
-    bn = (BIGNUM *)*pval;
-    if (!BN_bin2bn(cont, len, bn)) {
-        bn_free(pval, it);
-        return 0;
-    }
-    return 1;
-}
@@ -1,197 +0,0 @@
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.] */
-
-#include <openssl/asn1.h>
-
-#include <string.h>
-
-#include <openssl/asn1t.h>
-#include <openssl/bn.h>
-#include <openssl/err.h>
-#include <openssl/mem.h>
-
-/*
- * Custom primitive type for long handling. This converts between an
- * ASN1_INTEGER and a long directly.
- */
-
-static int long_new(ASN1_VALUE **pval, const ASN1_ITEM *it);
-static void long_free(ASN1_VALUE **pval, const ASN1_ITEM *it);
-
-static int long_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype,
-                    const ASN1_ITEM *it);
-static int long_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
-                    int utype, char *free_cont, const ASN1_ITEM *it);
-static int long_print(BIO *out, ASN1_VALUE **pval, const ASN1_ITEM *it,
-                      int indent, const ASN1_PCTX *pctx);
-
-static const ASN1_PRIMITIVE_FUNCS long_pf = {
-    NULL, 0,
-    long_new,
-    long_free,
-    long_free,                  /* Clear should set to initial value */
-    long_c2i,
-    long_i2c,
-    long_print
-};
-
-ASN1_ITEM_start(LONG)
-        ASN1_ITYPE_PRIMITIVE, V_ASN1_INTEGER, NULL, 0, &long_pf, ASN1_LONG_UNDEF, "LONG"
-ASN1_ITEM_end(LONG)
-
-ASN1_ITEM_start(ZLONG)
-        ASN1_ITYPE_PRIMITIVE, V_ASN1_INTEGER, NULL, 0, &long_pf, 0, "ZLONG"
-ASN1_ITEM_end(ZLONG)
-
-static int long_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
-{
-    *(long *)pval = it->size;
-    return 1;
-}
-
-static void long_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
-{
-    *(long *)pval = it->size;
-}
-
-static int long_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype,
-                    const ASN1_ITEM *it)
-{
-    long ltmp;
-    unsigned long utmp;
-    int clen, pad, i;
-    /* this exists to bypass broken gcc optimization */
-    char *cp = (char *)pval;
-
-    /* use memcpy, because we may not be long aligned */
-    memcpy(&ltmp, cp, sizeof(long));
-
-    if (ltmp == it->size)
-        return -1;
-    /*
-     * Convert the long to positive: we subtract one if negative so we can
-     * cleanly handle the padding if only the MSB of the leading octet is
-     * set.
-     */
-    if (ltmp < 0)
-        utmp = -ltmp - 1;
-    else
-        utmp = ltmp;
-    clen = BN_num_bits_word(utmp);
-    /* If MSB of leading octet set we need to pad */
-    if (!(clen & 0x7))
-        pad = 1;
-    else
-        pad = 0;
-
-    /* Convert number of bits to number of octets */
-    clen = (clen + 7) >> 3;
-
-    if (cont) {
-        if (pad)
-            *cont++ = (ltmp < 0) ? 0xff : 0;
-        for (i = clen - 1; i >= 0; i--) {
-            cont[i] = (unsigned char)(utmp & 0xff);
-            if (ltmp < 0)
-                cont[i] ^= 0xff;
-            utmp >>= 8;
-        }
-    }
-    return clen + pad;
-}
-
-static int long_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
-                    int utype, char *free_cont, const ASN1_ITEM *it)
-{
-    int neg, i;
-    long ltmp;
-    unsigned long utmp = 0;
-    char *cp = (char *)pval;
-    if (len > (int)sizeof(long)) {
-        OPENSSL_PUT_ERROR(ASN1, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG);
-        return 0;
-    }
-    /* Is it negative? */
-    if (len && (cont[0] & 0x80))
-        neg = 1;
-    else
-        neg = 0;
-    utmp = 0;
-    for (i = 0; i < len; i++) {
-        utmp <<= 8;
-        if (neg)
-            utmp |= cont[i] ^ 0xff;
-        else
-            utmp |= cont[i];
-    }
-    ltmp = (long)utmp;
-    if (neg) {
-        ltmp++;
-        ltmp = -ltmp;
-    }
-    if (ltmp == it->size) {
-        OPENSSL_PUT_ERROR(ASN1, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG);
-        return 0;
-    }
-    memcpy(cp, &ltmp, sizeof(long));
-    return 1;
-}
-
-static int long_print(BIO *out, ASN1_VALUE **pval, const ASN1_ITEM *it,
-                      int indent, const ASN1_PCTX *pctx)
-{
-    return BIO_printf(out, "%ld\n", *(long *)pval);
-}
@@ -7,14 +7,3 @@ add_library(

  base64.c
 )
-
-add_executable(
-  base64_test
-
-  base64_test.cc
-
-  $<TARGET_OBJECTS:test_support>
-)
-
-target_link_libraries(base64_test crypto)
-add_dependencies(all_tests base64_test)
@@ -62,13 +62,41 @@

 #include <openssl/type_check.h>

+#include "../internal.h"

-/* Encoding. */

-static const unsigned char data_bin2ascii[65] =
-    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+// constant_time_lt_args_8 behaves like |constant_time_lt_8| but takes |uint8_t|
+// arguments for a slightly simpler implementation.
+static inline uint8_t constant_time_lt_args_8(uint8_t a, uint8_t b) {
+  crypto_word_t aw = a;
+  crypto_word_t bw = b;
+  // |crypto_word_t| is larger than |uint8_t|, so |aw| and |bw| have the same
+  // MSB. |aw| < |bw| iff MSB(|aw| - |bw|) is 1.
+  return constant_time_msb_w(aw - bw);
+}

-#define conv_bin2ascii(a) (data_bin2ascii[(a) & 0x3f])
+// constant_time_in_range_8 returns |CONSTTIME_TRUE_8| if |min| <= |a| <= |max|
+// and |CONSTTIME_FALSE_8| otherwise.
+static inline uint8_t constant_time_in_range_8(uint8_t a, uint8_t min,
+                                               uint8_t max) {
+  a -= min;
+  return constant_time_lt_args_8(a, max - min + 1);
+}
+
+// Encoding.
+
+static uint8_t conv_bin2ascii(uint8_t a) {
+  // Since PEM is sometimes used to carry private keys, we encode base64 data
+  // itself in constant-time.
+  a &= 0x3f;
+  uint8_t ret = constant_time_select_8(constant_time_eq_8(a, 62), '+', '/');
+  ret =
+      constant_time_select_8(constant_time_lt_args_8(a, 62), a - 52 + '0', ret);
+  ret =
+      constant_time_select_8(constant_time_lt_args_8(a, 52), a - 26 + 'a', ret);
+  ret = constant_time_select_8(constant_time_lt_args_8(a, 26), a + 'A', ret);
+  return ret;
+}

 OPENSSL_COMPILE_ASSERT(sizeof(((EVP_ENCODE_CTX *)(NULL))->data) % 3 == 0,
                       data_length_must_be_multiple_of_base64_chunk_size);
@@ -95,7 +123,7 @@ int EVP_EncodedLength(size_t *out_len, size_t len) {
 }

 void EVP_EncodeInit(EVP_ENCODE_CTX *ctx) {
-  memset(ctx, 0, sizeof(EVP_ENCODE_CTX));
+  OPENSSL_memset(ctx, 0, sizeof(EVP_ENCODE_CTX));
 }

 void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, uint8_t *out, int *out_len,
@@ -110,14 +138,14 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, uint8_t *out, int *out_len,
  assert(ctx->data_used < sizeof(ctx->data));

  if (sizeof(ctx->data) - ctx->data_used > in_len) {
-    memcpy(&ctx->data[ctx->data_used], in, in_len);
+    OPENSSL_memcpy(&ctx->data[ctx->data_used], in, in_len);
    ctx->data_used += (unsigned)in_len;
    return;
  }

  if (ctx->data_used != 0) {
    const size_t todo = sizeof(ctx->data) - ctx->data_used;
-    memcpy(&ctx->data[ctx->data_used], in, todo);
+    OPENSSL_memcpy(&ctx->data[ctx->data_used], in, todo);
    in += todo;
    in_len -= todo;

@@ -149,14 +177,14 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, uint8_t *out, int *out_len,
  }

  if (in_len != 0) {
-    memcpy(ctx->data, in, in_len);
+    OPENSSL_memcpy(ctx->data, in, in_len);
  }

  ctx->data_used = (unsigned)in_len;

  if (total > INT_MAX) {
-    /* We cannot signal an error, but we can at least avoid making *out_len
-     * negative. */
+    // We cannot signal an error, but we can at least avoid making *out_len
+    // negative.
    total = 0;
  }
  *out_len = (int)total;
@@ -173,8 +201,8 @@ void EVP_EncodeFinal(EVP_ENCODE_CTX *ctx, uint8_t *out, int *out_len) {
  out[encoded] = '\0';
  ctx->data_used = 0;

-  /* ctx->data_used is bounded by sizeof(ctx->data), so this does not
-   * overflow. */
+  // ctx->data_used is bounded by sizeof(ctx->data), so this does not
+  // overflow.
  assert(encoded <= INT_MAX);
  *out_len = (int)encoded;
 }
@@ -212,7 +240,7 @@ size_t EVP_EncodeBlock(uint8_t *dst, const uint8_t *src, size_t src_len) {
 }


-/* Decoding. */
+// Decoding.

 int EVP_DecodedLength(size_t *out_len, size_t len) {
  if (len % 4 != 0) {
@@ -224,38 +252,34 @@ int EVP_DecodedLength(size_t *out_len, size_t len) {
 }

 void EVP_DecodeInit(EVP_ENCODE_CTX *ctx) {
-  memset(ctx, 0, sizeof(EVP_ENCODE_CTX));
+  OPENSSL_memset(ctx, 0, sizeof(EVP_ENCODE_CTX));
 }

-/* kBase64ASCIIToBinData maps characters (c < 128) to their base64 value, or
- * else 0xff if they are invalid. As a special case, the padding character
- * ('=') is mapped to zero. */
-static const uint8_t kBase64ASCIIToBinData[128] = {
-    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
-    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff,
-    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3e, 0xff, 0xff, 0xff, 0x3f,
-    0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0xff, 0xff,
-    0xff, 0x00, 0xff, 0xff, 0xff, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
-    0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12,
-    0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0xff, 0xff, 0xff, 0xff, 0xff,
-    0xff, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23, 0x24,
-    0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30,
-    0x31, 0x32, 0x33, 0xff, 0xff, 0xff, 0xff, 0xff,
-};
-
 static uint8_t base64_ascii_to_bin(uint8_t a) {
-  if (a >= 128) {
-    return 0xFF;
-  }
+  // Since PEM is sometimes used to carry private keys, we decode base64 data
+  // itself in constant-time.
+  const uint8_t is_upper = constant_time_in_range_8(a, 'A', 'Z');
+  const uint8_t is_lower = constant_time_in_range_8(a, 'a', 'z');
+  const uint8_t is_digit = constant_time_in_range_8(a, '0', '9');
+  const uint8_t is_plus = constant_time_eq_8(a, '+');
+  const uint8_t is_slash = constant_time_eq_8(a, '/');
+  const uint8_t is_equals = constant_time_eq_8(a, '=');

-  return kBase64ASCIIToBinData[a];
+  uint8_t ret = 0xff;  // 0xff signals invalid.
+  ret = constant_time_select_8(is_upper, a - 'A', ret);       // [0,26)
+  ret = constant_time_select_8(is_lower, a - 'a' + 26, ret);  // [26,52)
+  ret = constant_time_select_8(is_digit, a - '0' + 52, ret);  // [52,62)
+  ret = constant_time_select_8(is_plus, 62, ret);
+  ret = constant_time_select_8(is_slash, 63, ret);
+  // Padding maps to zero, to be further handled by the caller.
+  ret = constant_time_select_8(is_equals, 0, ret);
+  return ret;
 }

-/* base64_decode_quad decodes a single “quad” (i.e. four characters) of base64
- * data and writes up to three bytes to |out|. It sets |*out_num_bytes| to the
- * number of bytes written, which will be less than three if the quad ended
- * with padding.  It returns one on success or zero on error. */
+// base64_decode_quad decodes a single “quad” (i.e. four characters) of base64
+// data and writes up to three bytes to |out|. It sets |*out_num_bytes| to the
+// number of bytes written, which will be less than three if the quad ended
+// with padding.  It returns one on success or zero on error.
 static int base64_decode_quad(uint8_t *out, size_t *out_num_bytes,
                              const uint8_t *in) {
  const uint8_t a = base64_ascii_to_bin(in[0]);
@@ -276,20 +300,20 @@ static int base64_decode_quad(uint8_t *out, size_t *out_num_bytes,

  switch (padding_pattern) {
    case 0:
-      /* The common case of no padding. */
+      // The common case of no padding.
      *out_num_bytes = 3;
      out[0] = v >> 16;
      out[1] = v >> 8;
      out[2] = v;
      break;

-    case 1: /* xxx= */
+    case 1:  // xxx=
      *out_num_bytes = 2;
      out[0] = v >> 16;
      out[1] = v >> 8;
      break;

-    case 3: /* xx== */
+    case 3:  // xx==
      *out_num_bytes = 1;
      out[0] = v >> 16;
      break;
@@ -320,7 +344,7 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, uint8_t *out, int *out_len,
        continue;
    }

-    if (base64_ascii_to_bin(c) == 0xff || ctx->eof_seen) {
+    if (ctx->eof_seen) {
      ctx->error_encountered = 1;
      return -1;
    }
@@ -400,7 +424,7 @@ int EVP_DecodeBase64(uint8_t *out, size_t *out_len, size_t max_out,
 }

 int EVP_DecodeBlock(uint8_t *dst, const uint8_t *src, size_t src_len) {
-  /* Trim spaces and tabs from the beginning of the input. */
+  // Trim spaces and tabs from the beginning of the input.
  while (src_len > 0) {
    if (src[0] != ' ' && src[0] != '\t') {
      break;
@@ -410,7 +434,7 @@ int EVP_DecodeBlock(uint8_t *dst, const uint8_t *src, size_t src_len) {
    src_len--;
  }

-  /* Trim newlines, spaces and tabs from the end of the line. */
+  // Trim newlines, spaces and tabs from the end of the line.
  while (src_len > 0) {
    switch (src[src_len-1]) {
      case ' ':
@@ -431,8 +455,8 @@ int EVP_DecodeBlock(uint8_t *dst, const uint8_t *src, size_t src_len) {
    return -1;
  }

-  /* EVP_DecodeBlock does not take padding into account, so put the
-   * NULs back in... so the caller can strip them back out. */
+  // EVP_DecodeBlock does not take padding into account, so put the
+  // NULs back in... so the caller can strip them back out.
  while (dst_len % 3 != 0) {
    dst[dst_len++] = '\0';
  }
@@ -18,11 +18,14 @@
 #include <string>
 #include <vector>

+#include <gtest/gtest.h>
+
 #include <openssl/base64.h>
 #include <openssl/crypto.h>
 #include <openssl/err.h>

 #include "../internal.h"
+#include "../test/test_util.h"


 enum encoding_relation {
@@ -100,7 +103,9 @@ static const TestVector kTestVectors[] = {
     "=======\n"},
 };

-static const size_t kNumTests = OPENSSL_ARRAY_SIZE(kTestVectors);
+class Base64Test : public testing::TestWithParam<TestVector> {};
+
+INSTANTIATE_TEST_CASE_P(, Base64Test, testing::ValuesIn(kTestVectors));

 // RemoveNewlines returns a copy of |in| with all '\n' characters removed.
 static std::string RemoveNewlines(const char *in) {
@@ -116,279 +121,187 @@ static std::string RemoveNewlines(const char *in) {
  return ret;
 }

-static bool TestEncodeBlock() {
-  for (unsigned i = 0; i < kNumTests; i++) {
-    const TestVector *t = &kTestVectors[i];
-    if (t->relation != canonical) {
-      continue;
-    }
+TEST_P(Base64Test, EncodeBlock) {
+  const TestVector &t = GetParam();
+  if (t.relation != canonical) {
+    return;
+  }

-    const size_t decoded_len = strlen(t->decoded);
+  const size_t decoded_len = strlen(t.decoded);
+  size_t max_encoded_len;
+  ASSERT_TRUE(EVP_EncodedLength(&max_encoded_len, decoded_len));
+
+  std::vector<uint8_t> out_vec(max_encoded_len);
+  uint8_t *out = out_vec.data();
+  size_t len = EVP_EncodeBlock(out, (const uint8_t *)t.decoded, decoded_len);
+
+  std::string encoded(RemoveNewlines(t.encoded));
+  EXPECT_EQ(Bytes(encoded), Bytes(out, len));
+}
+
+TEST_P(Base64Test, DecodeBase64) {
+  const TestVector &t = GetParam();
+  if (t.relation == valid) {
+    // The non-canonical encodings will generally have odd whitespace etc
+    // that |EVP_DecodeBase64| will reject.
+    return;
+  }
+
+  const std::string encoded(RemoveNewlines(t.encoded));
+  std::vector<uint8_t> out_vec(encoded.size());
+  uint8_t *out = out_vec.data();
+
+  size_t len;
+  int ok = EVP_DecodeBase64(out, &len, out_vec.size(),
+                            (const uint8_t *)encoded.data(), encoded.size());
+
+  if (t.relation == invalid) {
+    EXPECT_FALSE(ok);
+  } else if (t.relation == canonical) {
+    ASSERT_TRUE(ok);
+    EXPECT_EQ(Bytes(t.decoded), Bytes(out, len));
+  }
+}
+
+TEST_P(Base64Test, DecodeBlock) {
+  const TestVector &t = GetParam();
+  if (t.relation != canonical) {
+    return;
+  }
+
+  std::string encoded(RemoveNewlines(t.encoded));
+
+  std::vector<uint8_t> out_vec(encoded.size());
+  uint8_t *out = out_vec.data();
+
+  // Test that the padding behavior of the deprecated API is preserved.
+  int ret =
+      EVP_DecodeBlock(out, (const uint8_t *)encoded.data(), encoded.size());
+  ASSERT_GE(ret, 0);
+  // EVP_DecodeBlock should ignore padding.
+  ASSERT_EQ(0, ret % 3);
+  size_t expected_len = strlen(t.decoded);
+  if (expected_len % 3 != 0) {
+    ret -= 3 - (expected_len % 3);
+  }
+  EXPECT_EQ(Bytes(t.decoded), Bytes(out, static_cast<size_t>(ret)));
+}
+
+TEST_P(Base64Test, EncodeDecode) {
+  const TestVector &t = GetParam();
+
+  EVP_ENCODE_CTX ctx;
+  const size_t decoded_len = strlen(t.decoded);
+
+  if (t.relation == canonical) {
    size_t max_encoded_len;
-    if (!EVP_EncodedLength(&max_encoded_len, decoded_len)) {
-      fprintf(stderr, "#%u: EVP_EncodedLength failed\n", i);
-      return false;
-    }
+    ASSERT_TRUE(EVP_EncodedLength(&max_encoded_len, decoded_len));

+    // EVP_EncodeUpdate will output new lines every 64 bytes of output so we
+    // need slightly more than |EVP_EncodedLength| returns. */
+    max_encoded_len += (max_encoded_len + 63) >> 6;
    std::vector<uint8_t> out_vec(max_encoded_len);
    uint8_t *out = out_vec.data();
-    size_t len = EVP_EncodeBlock(out, (const uint8_t *)t->decoded, decoded_len);

-    std::string encoded(RemoveNewlines(t->encoded));
-    if (len != encoded.size() ||
-        memcmp(out, encoded.data(), len) != 0) {
-      fprintf(stderr, "encode(\"%s\") = \"%.*s\", want \"%s\"\n",
-              t->decoded, (int)len, (const char*)out, encoded.c_str());
-      return false;
-    }
-  }
+    EVP_EncodeInit(&ctx);

-  return true;
-}
-
-static bool TestDecodeBase64() {
-  size_t len;
-
-  for (unsigned i = 0; i < kNumTests; i++) {
-    const TestVector *t = &kTestVectors[i];
-
-    if (t->relation == valid) {
-      // The non-canonical encodings will generally have odd whitespace etc
-      // that |EVP_DecodeBase64| will reject.
-      continue;
-    }
-
-    const std::string encoded(RemoveNewlines(t->encoded));
-    std::vector<uint8_t> out_vec(encoded.size());
-    uint8_t *out = out_vec.data();
-
-    int ok = EVP_DecodeBase64(out, &len, out_vec.size(),
-                              (const uint8_t *)encoded.data(), encoded.size());
-
-    if (t->relation == invalid) {
-      if (ok) {
-        fprintf(stderr, "decode(\"%s\") didn't fail but should have\n",
-                encoded.c_str());
-        return false;
-      }
-    } else if (t->relation == canonical) {
-      if (!ok) {
-        fprintf(stderr, "decode(\"%s\") failed\n", encoded.c_str());
-        return false;
-      }
-
-      if (len != strlen(t->decoded) ||
-          memcmp(out, t->decoded, len) != 0) {
-        fprintf(stderr, "decode(\"%s\") = \"%.*s\", want \"%s\"\n",
-                encoded.c_str(), (int)len, (const char*)out, t->decoded);
-        return false;
-      }
-    }
-  }
-
-  return true;
-}
-
-static bool TestDecodeBlock() {
-  for (unsigned i = 0; i < kNumTests; i++) {
-    const TestVector *t = &kTestVectors[i];
-    if (t->relation != canonical) {
-      continue;
-    }
-
-    std::string encoded(RemoveNewlines(t->encoded));
-
-    std::vector<uint8_t> out_vec(encoded.size());
-    uint8_t *out = out_vec.data();
-
-    // Test that the padding behavior of the deprecated API is preserved.
-    int ret =
-        EVP_DecodeBlock(out, (const uint8_t *)encoded.data(), encoded.size());
-    if (ret < 0) {
-      fprintf(stderr, "EVP_DecodeBlock(\"%s\") failed\n", t->encoded);
-      return false;
-    }
-    if (ret % 3 != 0) {
-      fprintf(stderr, "EVP_DecodeBlock did not ignore padding\n");
-      return false;
-    }
-    size_t expected_len = strlen(t->decoded);
-    if (expected_len % 3 != 0) {
-      ret -= 3 - (expected_len % 3);
-    }
-    if (static_cast<size_t>(ret) != strlen(t->decoded) ||
-        memcmp(out, t->decoded, ret) != 0) {
-      fprintf(stderr, "decode(\"%s\") = \"%.*s\", want \"%s\"\n",
-              t->encoded, ret, (const char*)out, t->decoded);
-      return false;
-    }
-  }
-
-  return true;
-}
-
-static bool TestEncodeDecode() {
-  for (unsigned test_num = 0; test_num < kNumTests; test_num++) {
-    const TestVector *t = &kTestVectors[test_num];
-
-    EVP_ENCODE_CTX ctx;
-    const size_t decoded_len = strlen(t->decoded);
-
-    if (t->relation == canonical) {
-      size_t max_encoded_len;
-      if (!EVP_EncodedLength(&max_encoded_len, decoded_len)) {
-        fprintf(stderr, "#%u: EVP_EncodedLength failed\n", test_num);
-        return false;
-      }
-
-      // EVP_EncodeUpdate will output new lines every 64 bytes of output so we
-      // need slightly more than |EVP_EncodedLength| returns. */
-      max_encoded_len += (max_encoded_len + 63) >> 6;
-      std::vector<uint8_t> out_vec(max_encoded_len);
-      uint8_t *out = out_vec.data();
-
-      EVP_EncodeInit(&ctx);
-
-      int out_len;
-      EVP_EncodeUpdate(&ctx, out, &out_len,
-                       reinterpret_cast<const uint8_t *>(t->decoded),
-                       decoded_len);
-      size_t total = out_len;
-
-      EVP_EncodeFinal(&ctx, out + total, &out_len);
-      total += out_len;
-
-      if (total != strlen(t->encoded) || memcmp(out, t->encoded, total) != 0) {
-        fprintf(stderr, "#%u: EVP_EncodeUpdate produced different output: '%s' (%u)\n",
-                test_num, out, static_cast<unsigned>(total));
-        return false;
-      }
-    }
-
-    std::vector<uint8_t> out_vec(strlen(t->encoded));
-    uint8_t *out = out_vec.data();
-
-    EVP_DecodeInit(&ctx);
    int out_len;
-    size_t total = 0;
-    int ret = EVP_DecodeUpdate(&ctx, out, &out_len,
-                               reinterpret_cast<const uint8_t *>(t->encoded),
-                               strlen(t->encoded));
-    if (ret != -1) {
-      total = out_len;
-      ret = EVP_DecodeFinal(&ctx, out + total, &out_len);
-      total += out_len;
-    }
+    EVP_EncodeUpdate(&ctx, out, &out_len,
+                     reinterpret_cast<const uint8_t *>(t.decoded),
+                     decoded_len);
+    size_t total = out_len;

-    switch (t->relation) {
-      case canonical:
-      case valid:
-        if (ret == -1) {
-          fprintf(stderr, "#%u: EVP_DecodeUpdate failed\n", test_num);
-          return false;
-        }
-        if (total != decoded_len || memcmp(out, t->decoded, decoded_len)) {
-          fprintf(stderr, "#%u: EVP_DecodeUpdate produced incorrect output\n",
-                  test_num);
-          return false;
-        }
-        break;
+    EVP_EncodeFinal(&ctx, out + total, &out_len);
+    total += out_len;

-      case invalid:
-        if (ret != -1) {
-          fprintf(stderr, "#%u: EVP_DecodeUpdate was successful but shouldn't have been\n", test_num);
-          return false;
-        }
-        break;
-    }
+    EXPECT_EQ(Bytes(t.encoded), Bytes(out, total));
  }

-  return true;
+  std::vector<uint8_t> out_vec(strlen(t.encoded));
+  uint8_t *out = out_vec.data();
+
+  EVP_DecodeInit(&ctx);
+  int out_len;
+  size_t total = 0;
+  int ret = EVP_DecodeUpdate(&ctx, out, &out_len,
+                             reinterpret_cast<const uint8_t *>(t.encoded),
+                             strlen(t.encoded));
+  if (ret != -1) {
+    total = out_len;
+    ret = EVP_DecodeFinal(&ctx, out + total, &out_len);
+    total += out_len;
+  }
+
+  switch (t.relation) {
+    case canonical:
+    case valid:
+      ASSERT_NE(-1, ret);
+      EXPECT_EQ(Bytes(t.decoded), Bytes(out, total));
+      break;
+
+    case invalid:
+      EXPECT_EQ(-1, ret);
+      break;
+  }
 }

-static bool TestDecodeUpdateStreaming() {
-  for (unsigned test_num = 0; test_num < kNumTests; test_num++) {
-    const TestVector *t = &kTestVectors[test_num];
-    if (t->relation == invalid) {
-      continue;
-    }
+TEST_P(Base64Test, DecodeUpdateStreaming) {
+  const TestVector &t = GetParam();
+  if (t.relation == invalid) {
+    return;
+  }

-    const size_t encoded_len = strlen(t->encoded);
+  const size_t encoded_len = strlen(t.encoded);

-    std::vector<uint8_t> out(encoded_len);
+  std::vector<uint8_t> out(encoded_len);

-    for (size_t chunk_size = 1; chunk_size <= encoded_len; chunk_size++) {
-      size_t out_len = 0;
-      EVP_ENCODE_CTX ctx;
-      EVP_DecodeInit(&ctx);
+  for (size_t chunk_size = 1; chunk_size <= encoded_len; chunk_size++) {
+    SCOPED_TRACE(chunk_size);
+    size_t out_len = 0;
+    EVP_ENCODE_CTX ctx;
+    EVP_DecodeInit(&ctx);

-      for (size_t i = 0; i < encoded_len;) {
-        size_t todo = encoded_len - i;
-        if (todo > chunk_size) {
-          todo = chunk_size;
-        }
-
-        int bytes_written;
-        int ret = EVP_DecodeUpdate(
-            &ctx, out.data() + out_len, &bytes_written,
-            reinterpret_cast<const uint8_t *>(t->encoded + i), todo);
-        i += todo;
-
-        switch (ret) {
-          case -1:
-            fprintf(stderr, "#%u: EVP_DecodeUpdate returned error\n", test_num);
-            return 0;
-          case 0:
-            out_len += bytes_written;
-            if (i == encoded_len ||
-                (i + 1 == encoded_len && t->encoded[i] == '\n') ||
-                /* If there was an '-' in the input (which means “EOF”) then
-                 * this loop will continue to test that |EVP_DecodeUpdate| will
-                 * ignore the remainder of the input. */
-                strchr(t->encoded, '-') != nullptr) {
-              break;
-            }
-
-            fprintf(stderr,
-                    "#%u: EVP_DecodeUpdate returned zero before end of "
-                    "encoded data\n",
-                    test_num);
-            return 0;
-          default:
-            out_len += bytes_written;
-        }
+    for (size_t i = 0; i < encoded_len;) {
+      size_t todo = encoded_len - i;
+      if (todo > chunk_size) {
+        todo = chunk_size;
      }

      int bytes_written;
-      int ret = EVP_DecodeFinal(&ctx, out.data() + out_len, &bytes_written);
-      if (ret == -1) {
-        fprintf(stderr, "#%u: EVP_DecodeFinal returned error\n", test_num);
-        return 0;
-      }
-      out_len += bytes_written;
+      int ret = EVP_DecodeUpdate(
+          &ctx, out.data() + out_len, &bytes_written,
+          reinterpret_cast<const uint8_t *>(t.encoded + i), todo);
+      i += todo;

-      if (out_len != strlen(t->decoded) ||
-          memcmp(out.data(), t->decoded, out_len) != 0) {
-        fprintf(stderr, "#%u: incorrect output\n", test_num);
-        return 0;
+      switch (ret) {
+        case -1:
+          FAIL() << "EVP_DecodeUpdate failed";
+        case 0:
+          out_len += bytes_written;
+          if (i == encoded_len ||
+              (i + 1 == encoded_len && t.encoded[i] == '\n') ||
+              // If there was an '-' in the input (which means “EOF”) then
+              // this loop will continue to test that |EVP_DecodeUpdate| will
+              // ignore the remainder of the input.
+              strchr(t.encoded, '-') != nullptr) {
+            break;
+          }
+
+          FAIL()
+              << "EVP_DecodeUpdate returned zero before end of encoded data.";
+        case 1:
+          out_len += bytes_written;
+          break;
+        default:
+          FAIL() << "Invalid return value " << ret;
      }
    }
+
+    int bytes_written;
+    int ret = EVP_DecodeFinal(&ctx, out.data() + out_len, &bytes_written);
+    ASSERT_NE(ret, -1);
+    out_len += bytes_written;
+
+    EXPECT_EQ(Bytes(t.decoded), Bytes(out.data(), out_len));
  }
-
-  return true;
-}
-
-int main(void) {
-  CRYPTO_library_init();
-
-  if (!TestEncodeBlock() ||
-      !TestDecodeBase64() ||
-      !TestDecodeBlock() ||
-      !TestDecodeUpdateStreaming() ||
-      !TestEncodeDecode()) {
-    return 1;
-  }
-
-  printf("PASS\n");
-  return 0;
 }
@@ -7,7 +7,6 @@ add_library(

  bio.c
  bio_mem.c
-  buffer.c
  connect.c
  fd.c
  file.c
@@ -17,17 +16,3 @@ add_library(
  socket.c
  socket_helper.c
 )
-
-add_executable(
-  bio_test
-
-  bio_test.cc
-
-  $<TARGET_OBJECTS:test_support>
-)
-
-target_link_libraries(bio_test crypto)
-if (WIN32)
-  target_link_libraries(bio_test ws2_32)
-endif()
-add_dependencies(all_tests bio_test)
@@ -75,7 +75,7 @@ BIO *BIO_new(const BIO_METHOD *method) {
    return NULL;
  }

-  memset(ret, 0, sizeof(BIO));
+  OPENSSL_memset(ret, 0, sizeof(BIO));
  ret->method = method;
  ret->shutdown = 1;
  ret->references = 1;
@@ -96,13 +96,6 @@ int BIO_free(BIO *bio) {
      return 0;
    }

-    if (bio->callback != NULL) {
-      int i = (int)bio->callback(bio, BIO_CB_FREE, NULL, 0, 0, 1);
-      if (i <= 0) {
-        return i;
-      }
-    }
-
    next_bio = BIO_pop(bio);

    if (bio->method != NULL && bio->method->destroy != NULL) {
@@ -127,64 +120,61 @@ void BIO_free_all(BIO *bio) {
  BIO_free(bio);
 }

-static int bio_io(BIO *bio, void *buf, int len, size_t method_offset,
-                  int callback_flags, size_t *num) {
-  int i;
-  typedef int (*io_func_t)(BIO *, char *, int);
-  io_func_t io_func = NULL;
-
-  if (bio != NULL && bio->method != NULL) {
-    io_func =
-        *((const io_func_t *)(((const uint8_t *)bio->method) + method_offset));
-  }
-
-  if (io_func == NULL) {
+int BIO_read(BIO *bio, void *buf, int len) {
+  if (bio == NULL || bio->method == NULL || bio->method->bread == NULL) {
    OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
    return -2;
  }
-
-  if (bio->callback != NULL) {
-    i = (int) bio->callback(bio, callback_flags, buf, len, 0L, 1L);
-    if (i <= 0) {
-      return i;
-    }
-  }
-
  if (!bio->init) {
    OPENSSL_PUT_ERROR(BIO, BIO_R_UNINITIALIZED);
    return -2;
  }
-
-  i = 0;
-  if (buf != NULL && len > 0) {
-    i = io_func(bio, buf, len);
+  if (len <= 0) {
+    return 0;
  }
-
-  if (i > 0) {
-    *num += i;
+  int ret = bio->method->bread(bio, buf, len);
+  if (ret > 0) {
+    bio->num_read += ret;
  }
-
-  if (bio->callback != NULL) {
-    i = (int)(bio->callback(bio, callback_flags | BIO_CB_RETURN, buf, len, 0L,
-                            (long)i));
-  }
-
-  return i;
-}
-
-int BIO_read(BIO *bio, void *buf, int len) {
-  return bio_io(bio, buf, len, offsetof(BIO_METHOD, bread), BIO_CB_READ,
-                &bio->num_read);
+  return ret;
 }

 int BIO_gets(BIO *bio, char *buf, int len) {
-  return bio_io(bio, buf, len, offsetof(BIO_METHOD, bgets), BIO_CB_GETS,
-                &bio->num_read);
+  if (bio == NULL || bio->method == NULL || bio->method->bgets == NULL) {
+    OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
+    return -2;
+  }
+  if (!bio->init) {
+    OPENSSL_PUT_ERROR(BIO, BIO_R_UNINITIALIZED);
+    return -2;
+  }
+  if (len <= 0) {
+    return 0;
+  }
+  int ret = bio->method->bgets(bio, buf, len);
+  if (ret > 0) {
+    bio->num_read += ret;
+  }
+  return ret;
 }

 int BIO_write(BIO *bio, const void *in, int inl) {
-  return bio_io(bio, (char *)in, inl, offsetof(BIO_METHOD, bwrite),
-                BIO_CB_WRITE, &bio->num_write);
+  if (bio == NULL || bio->method == NULL || bio->method->bwrite == NULL) {
+    OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
+    return -2;
+  }
+  if (!bio->init) {
+    OPENSSL_PUT_ERROR(BIO, BIO_R_UNINITIALIZED);
+    return -2;
+  }
+  if (inl <= 0) {
+    return 0;
+  }
+  int ret = bio->method->bwrite(bio, in, inl);
+  if (ret > 0) {
+    bio->num_write += ret;
+  }
+  return ret;
 }

 int BIO_puts(BIO *bio, const char *in) {
@@ -196,8 +186,6 @@ int BIO_flush(BIO *bio) {
 }

 long BIO_ctrl(BIO *bio, int cmd, long larg, void *parg) {
-  long ret;
-
  if (bio == NULL) {
    return 0;
  }
@@ -207,20 +195,7 @@ long BIO_ctrl(BIO *bio, int cmd, long larg, void *parg) {
    return -2;
  }

-  if (bio->callback != NULL) {
-    ret = bio->callback(bio, BIO_CB_CTRL, parg, cmd, larg, 1);
-    if (ret <= 0) {
-      return ret;
-    }
-  }
-
-  ret = bio->method->ctrl(bio, cmd, larg, parg);
-
-  if (bio->callback != NULL) {
-    ret = bio->callback(bio, BIO_CB_CTRL | BIO_CB_RETURN, parg, cmd, larg, ret);
-  }
-
-  return ret;
+  return bio->method->ctrl(bio, cmd, larg, parg);
 }

 char *BIO_ptr_ctrl(BIO *b, int cmd, long larg) {
@@ -305,9 +280,6 @@ void BIO_copy_next_retry(BIO *bio) {
 }

 long BIO_callback_ctrl(BIO *bio, int cmd, bio_info_cb fp) {
-  long ret;
-  bio_info_cb cb;
-
  if (bio == NULL) {
    return 0;
  }
@@ -317,26 +289,17 @@ long BIO_callback_ctrl(BIO *bio, int cmd, bio_info_cb fp) {
    return 0;
  }

-  cb = bio->callback;
-
-  if (cb != NULL) {
-    ret = cb(bio, BIO_CB_CTRL, (void *)&fp, cmd, 0, 1L);
-    if (ret <= 0) {
-      return ret;
-    }
-  }
-
-  ret = bio->method->callback_ctrl(bio, cmd, fp);
-
-  if (cb != NULL) {
-    ret = cb(bio, BIO_CB_CTRL | BIO_CB_RETURN, (void *)&fp, cmd, 0, ret);
-  }
-
-  return ret;
+  return bio->method->callback_ctrl(bio, cmd, fp);
 }

 size_t BIO_pending(const BIO *bio) {
-  return BIO_ctrl((BIO *) bio, BIO_CTRL_PENDING, 0, NULL);
+  const long r = BIO_ctrl((BIO *) bio, BIO_CTRL_PENDING, 0, NULL);
+  assert(r >= 0);
+
+  if (r < 0) {
+    return 0;
+  }
+  return r;
 }

 size_t BIO_ctrl_pending(const BIO *bio) {
@@ -344,25 +307,19 @@ size_t BIO_ctrl_pending(const BIO *bio) {
 }

 size_t BIO_wpending(const BIO *bio) {
-  return BIO_ctrl((BIO *) bio, BIO_CTRL_WPENDING, 0, NULL);
+  const long r = BIO_ctrl((BIO *) bio, BIO_CTRL_WPENDING, 0, NULL);
+  assert(r >= 0);
+
+  if (r < 0) {
+    return 0;
+  }
+  return r;
 }

 int BIO_set_close(BIO *bio, int close_flag) {
  return BIO_ctrl(bio, BIO_CTRL_SET_CLOSE, close_flag, NULL);
 }

-void BIO_set_callback(BIO *bio, bio_info_cb callback_func) {
-  bio->callback = callback_func;
-}
-
-void BIO_set_callback_arg(BIO *bio, char *arg) {
-  bio->cb_arg = arg;
-}
-
-char *BIO_get_callback_arg(const BIO *bio) {
-  return bio->cb_arg;
-}
-
 OPENSSL_EXPORT size_t BIO_number_read(const BIO *bio) {
  return bio->num_read;
 }
@@ -448,22 +405,18 @@ static int print_bio(const char *str, size_t len, void *bio) {
  return BIO_write((BIO *)bio, str, len);
 }

-void BIO_print_errors(BIO *bio) {
+void ERR_print_errors(BIO *bio) {
  ERR_print_errors_cb(print_bio, bio);
 }

-void ERR_print_errors(BIO *bio) {
-  BIO_print_errors(bio);
-}
-
-/* bio_read_all reads everything from |bio| and prepends |prefix| to it. On
- * success, |*out| is set to an allocated buffer (which should be freed with
- * |OPENSSL_free|), |*out_len| is set to its length and one is returned. The
- * buffer will contain |prefix| followed by the contents of |bio|. On failure,
- * zero is returned.
- *
- * The function will fail if the size of the output would equal or exceed
- * |max_len|. */
+// bio_read_all reads everything from |bio| and prepends |prefix| to it. On
+// success, |*out| is set to an allocated buffer (which should be freed with
+// |OPENSSL_free|), |*out_len| is set to its length and one is returned. The
+// buffer will contain |prefix| followed by the contents of |bio|. On failure,
+// zero is returned.
+//
+// The function will fail if the size of the output would equal or exceed
+// |max_len|.
 static int bio_read_all(BIO *bio, uint8_t **out, size_t *out_len,
                        const uint8_t *prefix, size_t prefix_len,
                        size_t max_len) {
@@ -480,7 +433,7 @@ static int bio_read_all(BIO *bio, uint8_t **out, size_t *out_len,
  if (*out == NULL) {
    return 0;
  }
-  memcpy(*out, prefix, prefix_len);
+  OPENSSL_memcpy(*out, prefix, prefix_len);
  size_t done = prefix_len;

  for (;;) {
@@ -527,20 +480,20 @@ int BIO_read_asn1(BIO *bio, uint8_t **out, size_t *out_len, size_t max_len) {
  const uint8_t length_byte = header[1];

  if ((tag & 0x1f) == 0x1f) {
-    /* Long form tags are not supported. */
+    // Long form tags are not supported.
    return 0;
  }

  size_t len, header_len;
  if ((length_byte & 0x80) == 0) {
-    /* Short form length. */
+    // Short form length.
    len = length_byte;
    header_len = kInitialHeaderLen;
  } else {
    const size_t num_bytes = length_byte & 0x7f;

    if ((tag & 0x20 /* constructed */) != 0 && num_bytes == 0) {
-      /* indefinite length. */
+      // indefinite length.
      return bio_read_all(bio, out, out_len, header, kInitialHeaderLen,
                          max_len);
    }
@@ -563,12 +516,12 @@ int BIO_read_asn1(BIO *bio, uint8_t **out, size_t *out_len, size_t max_len) {
    }

    if (len32 < 128) {
-      /* Length should have used short-form encoding. */
+      // Length should have used short-form encoding.
      return 0;
    }

    if ((len32 >> ((num_bytes-1)*8)) == 0) {
-      /* Length should have been at least one byte shorter. */
+      // Length should have been at least one byte shorter.
      return 0;
    }

@@ -587,7 +540,7 @@ int BIO_read_asn1(BIO *bio, uint8_t **out, size_t *out_len, size_t max_len) {
  if (*out == NULL) {
    return 0;
  }
-  memcpy(*out, header, header_len);
+  OPENSSL_memcpy(*out, header, header_len);
  if (BIO_read(bio, (*out) + header_len, len - header_len) !=
      (int) (len - header_len)) {
    OPENSSL_free(*out);
@@ -596,3 +549,9 @@ int BIO_read_asn1(BIO *bio, uint8_t **out, size_t *out_len, size_t max_len) {

  return 1;
 }
+
+void BIO_set_retry_special(BIO *bio) {
+  bio->flags |= BIO_FLAGS_READ | BIO_FLAGS_IO_SPECIAL;
+}
+
+int BIO_set_write_buffer_size(BIO *bio, int buffer_size) { return 0; }
@@ -63,6 +63,8 @@
 #include <openssl/err.h>
 #include <openssl/mem.h>

+#include "../internal.h"
+

 BIO *BIO_new_mem_buf(const void *buf, int len) {
  BIO *ret;
@@ -80,16 +82,16 @@ BIO *BIO_new_mem_buf(const void *buf, int len) {
  }

  b = (BUF_MEM *)ret->ptr;
-  /* BIO_FLAGS_MEM_RDONLY ensures |b->data| is not written to. */
+  // BIO_FLAGS_MEM_RDONLY ensures |b->data| is not written to.
  b->data = (void *)buf;
  b->length = size;
  b->max = size;

  ret->flags |= BIO_FLAGS_MEM_RDONLY;

-  /* |num| is used to store the value that this BIO will return when it runs
-   * out of data. If it's negative then the retry flags will also be set. Since
-   * this is static data, retrying wont help */
+  // |num| is used to store the value that this BIO will return when it runs
+  // out of data. If it's negative then the retry flags will also be set. Since
+  // this is static data, retrying wont help
  ret->num = 0;

  return ret;
@@ -103,8 +105,8 @@ static int mem_new(BIO *bio) {
    return 0;
  }

-  /* |shutdown| is used to store the close flag: whether the BIO has ownership
-   * of the BUF_MEM. */
+  // |shutdown| is used to store the close flag: whether the BIO has ownership
+  // of the BUF_MEM.
  bio->shutdown = 1;
  bio->init = 1;
  bio->num = -1;
@@ -144,12 +146,12 @@ static int mem_read(BIO *bio, char *out, int outl) {
  }

  if (ret > 0) {
-    memcpy(out, b->data, ret);
+    OPENSSL_memcpy(out, b->data, ret);
    b->length -= ret;
    if (bio->flags & BIO_FLAGS_MEM_RDONLY) {
      b->data += ret;
    } else {
-      memmove(b->data, &b->data[ret], b->length);
+      OPENSSL_memmove(b->data, &b->data[ret], b->length);
    }
  } else if (b->length == 0) {
    ret = bio->num;
@@ -180,17 +182,13 @@ static int mem_write(BIO *bio, const char *in, int inl) {
  if (BUF_MEM_grow_clean(b, blen + inl) != ((size_t) blen) + inl) {
    goto err;
  }
-  memcpy(&b->data[blen], in, inl);
+  OPENSSL_memcpy(&b->data[blen], in, inl);
  ret = inl;

 err:
  return ret;
 }

-static int mem_puts(BIO *bp, const char *str) {
-  return mem_write(bp, str, strlen(str));
-}
-
 static int mem_gets(BIO *bio, char *buf, int size) {
  int i, j;
  char *p;
@@ -216,8 +214,8 @@ static int mem_gets(BIO *bio, char *buf, int size) {
    }
  }

-  /* i is now the max num of bytes to copy, either j or up to and including the
-   * first newline */
+  // i is now the max num of bytes to copy, either j or up to and including the
+  // first newline

  i = mem_read(bio, buf, i);
  if (i > 0) {
@@ -235,12 +233,12 @@ static long mem_ctrl(BIO *bio, int cmd, long num, void *ptr) {
  switch (cmd) {
    case BIO_CTRL_RESET:
      if (b->data != NULL) {
-        /* For read only case reset to the start again */
+        // For read only case reset to the start again
        if (bio->flags & BIO_FLAGS_MEM_RDONLY) {
          b->data -= b->max - b->length;
          b->length = b->max;
        } else {
-          memset(b->data, 0, b->max);
+          OPENSSL_memset(b->data, 0, b->max);
          b->length = 0;
        }
      }
@@ -293,8 +291,12 @@ static long mem_ctrl(BIO *bio, int cmd, long num, void *ptr) {
 }

 static const BIO_METHOD mem_method = {
-    BIO_TYPE_MEM, "memory buffer", mem_write, mem_read, mem_puts,
-    mem_gets,     mem_ctrl,        mem_new,   mem_free, NULL, };
+    BIO_TYPE_MEM,    "memory buffer",
+    mem_write,       mem_read,
+    NULL /* puts */, mem_gets,
+    mem_ctrl,        mem_new,
+    mem_free,        NULL /* callback_ctrl */,
+};

 const BIO_METHOD *BIO_s_mem(void) { return &mem_method; }

@@ -16,7 +16,18 @@
 #define _POSIX_C_SOURCE 201410L
 #endif

-#include <openssl/base.h>
+#include <algorithm>
+#include <string>
+
+#include <gtest/gtest.h>
+
+#include <openssl/bio.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/mem.h>
+
+#include "../internal.h"
+#include "../test/test_util.h"

 #if !defined(OPENSSL_WINDOWS)
 #include <arpa/inet.h>
@@ -33,33 +44,21 @@ OPENSSL_MSVC_PRAGMA(warning(push, 3))
 OPENSSL_MSVC_PRAGMA(warning(pop))
 #endif

-#include <openssl/bio.h>
-#include <openssl/crypto.h>
-#include <openssl/err.h>
-#include <openssl/mem.h>
-
-#include <algorithm>
-
-#include "../internal.h"
-

 #if !defined(OPENSSL_WINDOWS)
-static int closesocket(int sock) {
-  return close(sock);
-}
-
-static void PrintSocketError(const char *func) {
-  perror(func);
-}
+static int closesocket(int sock) { return close(sock); }
+static std::string LastSocketError() { return strerror(errno); }
 #else
-static void PrintSocketError(const char *func) {
-  fprintf(stderr, "%s: %d\n", func, WSAGetLastError());
+static std::string LastSocketError() {
+  char buf[DECIMAL_SIZE(int) + 1];
+  BIO_snprintf(buf, sizeof(buf), "%d", WSAGetLastError());
+  return buf;
 }
 #endif

 class ScopedSocket {
 public:
-  ScopedSocket(int sock) : sock_(sock) {}
+  explicit ScopedSocket(int sock) : sock_(sock) {}
  ~ScopedSocket() {
    closesocket(sock_);
  }
@@ -68,372 +67,262 @@ class ScopedSocket {
  const int sock_;
 };

-static bool TestSocketConnect() {
+TEST(BIOTest, SocketConnect) {
  static const char kTestMessage[] = "test";
+  int listening_sock = -1;
+  socklen_t len = 0;
+  sockaddr_storage ss;
+  struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *) &ss;
+  struct sockaddr_in *sin = (struct sockaddr_in *) &ss;
+  OPENSSL_memset(&ss, 0, sizeof(ss));

-  int listening_sock = socket(AF_INET, SOCK_STREAM, 0);
-  if (listening_sock == -1) {
-    PrintSocketError("socket");
-    return false;
+  ss.ss_family = AF_INET6;
+  listening_sock = socket(AF_INET6, SOCK_STREAM, 0);
+  ASSERT_NE(-1, listening_sock) << LastSocketError();
+  len = sizeof(*sin6);
+  ASSERT_EQ(1, inet_pton(AF_INET6, "::1", &sin6->sin6_addr))
+      << LastSocketError();
+  if (bind(listening_sock, (struct sockaddr *)sin6, sizeof(*sin6)) == -1) {
+    closesocket(listening_sock);
+
+    ss.ss_family = AF_INET;
+    listening_sock = socket(AF_INET, SOCK_STREAM, 0);
+    ASSERT_NE(-1, listening_sock) << LastSocketError();
+    len = sizeof(*sin);
+    ASSERT_EQ(1, inet_pton(AF_INET, "127.0.0.1", &sin->sin_addr))
+        << LastSocketError();
+    ASSERT_EQ(0, bind(listening_sock, (struct sockaddr *)sin, sizeof(*sin)))
+        << LastSocketError();
  }
+
  ScopedSocket listening_sock_closer(listening_sock);
-
-  struct sockaddr_in sin;
-  memset(&sin, 0, sizeof(sin));
-  sin.sin_family = AF_INET;
-  if (!inet_pton(AF_INET, "127.0.0.1", &sin.sin_addr)) {
-    PrintSocketError("inet_pton");
-    return false;
-  }
-  if (bind(listening_sock, (struct sockaddr *)&sin, sizeof(sin)) != 0) {
-    PrintSocketError("bind");
-    return false;
-  }
-  if (listen(listening_sock, 1)) {
-    PrintSocketError("listen");
-    return false;
-  }
-  socklen_t sockaddr_len = sizeof(sin);
-  if (getsockname(listening_sock, (struct sockaddr *)&sin, &sockaddr_len) ||
-      sockaddr_len != sizeof(sin)) {
-    PrintSocketError("getsockname");
-    return false;
-  }
+  ASSERT_EQ(0, listen(listening_sock, 1)) << LastSocketError();
+  ASSERT_EQ(0, getsockname(listening_sock, (struct sockaddr *)&ss, &len))
+        << LastSocketError();

  char hostname[80];
-  BIO_snprintf(hostname, sizeof(hostname), "%s:%d", "127.0.0.1",
-               ntohs(sin.sin_port));
+  if (ss.ss_family == AF_INET6) {
+    BIO_snprintf(hostname, sizeof(hostname), "[::1]:%d",
+                 ntohs(sin6->sin6_port));
+  } else if (ss.ss_family == AF_INET) {
+    BIO_snprintf(hostname, sizeof(hostname), "127.0.0.1:%d",
+                 ntohs(sin->sin_port));
+  }
+
+  // Connect to it with a connect BIO.
  bssl::UniquePtr<BIO> bio(BIO_new_connect(hostname));
-  if (!bio) {
-    fprintf(stderr, "BIO_new_connect failed.\n");
-    return false;
-  }
+  ASSERT_TRUE(bio);

-  if (BIO_write(bio.get(), kTestMessage, sizeof(kTestMessage)) !=
-      sizeof(kTestMessage)) {
-    fprintf(stderr, "BIO_write failed.\n");
-    ERR_print_errors_fp(stderr);
-    return false;
-  }
+  // Write a test message to the BIO.
+  ASSERT_EQ(static_cast<int>(sizeof(kTestMessage)),
+            BIO_write(bio.get(), kTestMessage, sizeof(kTestMessage)));

-  int sock = accept(listening_sock, (struct sockaddr *) &sin, &sockaddr_len);
-  if (sock == -1) {
-    PrintSocketError("accept");
-    return false;
-  }
+  // Accept the socket.
+  int sock = accept(listening_sock, (struct sockaddr *) &ss, &len);
+  ASSERT_NE(-1, sock) << LastSocketError();
  ScopedSocket sock_closer(sock);

-  char buf[5];
-  if (recv(sock, buf, sizeof(buf), 0) != sizeof(kTestMessage)) {
-    PrintSocketError("read");
-    return false;
-  }
-  if (memcmp(buf, kTestMessage, sizeof(kTestMessage))) {
-    return false;
-  }
-
-  return true;
+  // Check the same message is read back out.
+  char buf[sizeof(kTestMessage)];
+  ASSERT_EQ(static_cast<int>(sizeof(kTestMessage)),
+            recv(sock, buf, sizeof(buf), 0))
+      << LastSocketError();
+  EXPECT_EQ(Bytes(kTestMessage, sizeof(kTestMessage)), Bytes(buf, sizeof(buf)));
 }

-
-// BioReadZeroCopyWrapper is a wrapper around the zero-copy APIs to make
-// testing easier.
-static size_t BioReadZeroCopyWrapper(BIO *bio, uint8_t *data, size_t len) {
-  uint8_t *read_buf;
-  size_t read_buf_offset;
-  size_t available_bytes;
-  size_t len_read = 0;
-
-  do {
-    if (!BIO_zero_copy_get_read_buf(bio, &read_buf, &read_buf_offset,
-                                    &available_bytes)) {
-      return 0;
-    }
-
-    available_bytes = std::min(available_bytes, len - len_read);
-    memmove(data + len_read, read_buf + read_buf_offset, available_bytes);
-
-    BIO_zero_copy_get_read_buf_done(bio, available_bytes);
-
-    len_read += available_bytes;
-  } while (len - len_read > 0 && available_bytes > 0);
-
-  return len_read;
-}
-
-// BioWriteZeroCopyWrapper is a wrapper around the zero-copy APIs to make
-// testing easier.
-static size_t BioWriteZeroCopyWrapper(BIO *bio, const uint8_t *data,
-                                      size_t len) {
-  uint8_t *write_buf;
-  size_t write_buf_offset;
-  size_t available_bytes;
-  size_t len_written = 0;
-
-  do {
-    if (!BIO_zero_copy_get_write_buf(bio, &write_buf, &write_buf_offset,
-                                     &available_bytes)) {
-      return 0;
-    }
-
-    available_bytes = std::min(available_bytes, len - len_written);
-    memmove(write_buf + write_buf_offset, data + len_written, available_bytes);
-
-    BIO_zero_copy_get_write_buf_done(bio, available_bytes);
-
-    len_written += available_bytes;
-  } while (len - len_written > 0 && available_bytes > 0);
-
-  return len_written;
-}
-
-static bool TestZeroCopyBioPairs() {
-  // Test read and write, especially triggering the ring buffer wrap-around.
-  uint8_t bio1_application_send_buffer[1024];
-  uint8_t bio2_application_recv_buffer[1024];
-
-  const size_t kLengths[] = {254, 255, 256, 257, 510, 511, 512, 513};
-
-  // These trigger ring buffer wrap around.
-  const size_t kPartialLengths[] = {0, 1, 2, 3, 128, 255, 256, 257, 511, 512};
-
-  static const size_t kBufferSize = 512;
-
-  srand(1);
-  for (size_t i = 0; i < sizeof(bio1_application_send_buffer); i++) {
-    bio1_application_send_buffer[i] = rand() & 255;
-  }
-
-  // Transfer bytes from bio1_application_send_buffer to
-  // bio2_application_recv_buffer in various ways.
-  for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kLengths); i++) {
-    for (size_t j = 0; j < OPENSSL_ARRAY_SIZE(kPartialLengths); j++) {
-      size_t total_write = 0;
-      size_t total_read = 0;
-
-      BIO *bio1, *bio2;
-      if (!BIO_new_bio_pair(&bio1, kBufferSize, &bio2, kBufferSize)) {
-        return false;
-      }
-      bssl::UniquePtr<BIO> bio1_scoper(bio1);
-      bssl::UniquePtr<BIO> bio2_scoper(bio2);
-
-      total_write += BioWriteZeroCopyWrapper(
-          bio1, bio1_application_send_buffer, kLengths[i]);
-
-      // This tests interleaved read/write calls. Do a read between zero copy
-      // write calls.
-      uint8_t *write_buf;
-      size_t write_buf_offset;
-      size_t available_bytes;
-      if (!BIO_zero_copy_get_write_buf(bio1, &write_buf, &write_buf_offset,
-                                       &available_bytes)) {
-        return false;
-      }
-
-      // Free kPartialLengths[j] bytes in the beginning of bio1 write buffer.
-      // This enables ring buffer wrap around for the next write.
-      total_read += BIO_read(bio2, bio2_application_recv_buffer + total_read,
-                             kPartialLengths[j]);
-
-      size_t interleaved_write_len = std::min(kPartialLengths[j],
-                                              available_bytes);
-
-      // Write the data for the interleaved write call. If the buffer becomes
-      // empty after a read, the write offset is normally set to 0. Check that
-      // this does not happen for interleaved read/write and that
-      // |write_buf_offset| is still valid.
-      memcpy(write_buf + write_buf_offset,
-             bio1_application_send_buffer + total_write, interleaved_write_len);
-      if (BIO_zero_copy_get_write_buf_done(bio1, interleaved_write_len)) {
-        total_write += interleaved_write_len;
-      }
-
-      // Do another write in case |write_buf_offset| was wrapped.
-      total_write += BioWriteZeroCopyWrapper(
-          bio1, bio1_application_send_buffer + total_write,
-          kPartialLengths[j] - interleaved_write_len);
-
-      // Drain the rest.
-      size_t bytes_left = BIO_pending(bio2);
-      total_read += BioReadZeroCopyWrapper(
-          bio2, bio2_application_recv_buffer + total_read, bytes_left);
-
-      if (total_read != total_write) {
-        fprintf(stderr, "Lengths not equal in round (%u, %u)\n", (unsigned)i,
-                (unsigned)j);
-        return false;
-      }
-      if (total_read > kLengths[i] + kPartialLengths[j]) {
-        fprintf(stderr, "Bad lengths in round (%u, %u)\n", (unsigned)i,
-                (unsigned)j);
-        return false;
-      }
-      if (memcmp(bio1_application_send_buffer, bio2_application_recv_buffer,
-                 total_read) != 0) {
-        fprintf(stderr, "Buffers not equal in round (%u, %u)\n", (unsigned)i,
-                (unsigned)j);
-        return false;
-      }
-    }
-  }
-
-  return true;
-}
-
-static bool TestPrintf() {
+TEST(BIOTest, Printf) {
  // Test a short output, a very long one, and various sizes around
  // 256 (the size of the buffer) to ensure edge cases are correct.
-  static const size_t kLengths[] = { 5, 250, 251, 252, 253, 254, 1023 };
+  static const size_t kLengths[] = {5, 250, 251, 252, 253, 254, 1023};

  bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
-  if (!bio) {
-    fprintf(stderr, "BIO_new failed\n");
-    return false;
-  }
+  ASSERT_TRUE(bio);

-  for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kLengths); i++) {
-    char string[1024];
-    if (kLengths[i] >= sizeof(string)) {
-      fprintf(stderr, "Bad test string length\n");
-      return false;
-    }
-    memset(string, 'a', sizeof(string));
-    string[kLengths[i]] = '\0';
+  for (size_t length : kLengths) {
+    SCOPED_TRACE(length);
+
+    std::string in(length, 'a');
+
+    int ret = BIO_printf(bio.get(), "test %s", in.c_str());
+    ASSERT_GE(ret, 0);
+    EXPECT_EQ(5 + length, static_cast<size_t>(ret));

-    int ret = BIO_printf(bio.get(), "test %s", string);
-    if (ret < 0 || static_cast<size_t>(ret) != 5 + kLengths[i]) {
-      fprintf(stderr, "BIO_printf failed: %d\n", ret);
-      return false;
-    }
    const uint8_t *contents;
    size_t len;
-    if (!BIO_mem_contents(bio.get(), &contents, &len)) {
-      fprintf(stderr, "BIO_mem_contents failed\n");
-      return false;
-    }
-    if (len != 5 + kLengths[i] ||
-        strncmp((const char *)contents, "test ", 5) != 0 ||
-        strncmp((const char *)contents + 5, string, kLengths[i]) != 0) {
-      fprintf(stderr, "Contents did not match: %.*s\n", (int)len, contents);
-      return false;
-    }
+    ASSERT_TRUE(BIO_mem_contents(bio.get(), &contents, &len));
+    EXPECT_EQ("test " + in,
+              std::string(reinterpret_cast<const char *>(contents), len));

-    if (!BIO_reset(bio.get())) {
-      fprintf(stderr, "BIO_reset failed\n");
-      return false;
-    }
+    ASSERT_TRUE(BIO_reset(bio.get()));
  }
-
-  return true;
 }

-static bool ReadASN1(bool should_succeed, const uint8_t *data, size_t data_len,
-                     size_t expected_len, size_t max_len) {
-  bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(data, data_len));
+static const size_t kLargeASN1PayloadLen = 8000;
+
+struct ASN1TestParam {
+  bool should_succeed;
+  std::vector<uint8_t> input;
+  // suffix_len is the number of zeros to append to |input|.
+  size_t suffix_len;
+  // expected_len, if |should_succeed| is true, is the expected length of the
+  // ASN.1 element.
+  size_t expected_len;
+  size_t max_len;
+} kASN1TestParams[] = {
+    {true, {0x30, 2, 1, 2, 0, 0}, 0, 4, 100},
+    {false /* truncated */, {0x30, 3, 1, 2}, 0, 0, 100},
+    {false /* should be short len */, {0x30, 0x81, 1, 1}, 0, 0, 100},
+    {false /* zero padded */, {0x30, 0x82, 0, 1, 1}, 0, 0, 100},
+
+    // Test a large payload.
+    {true,
+     {0x30, 0x82, kLargeASN1PayloadLen >> 8, kLargeASN1PayloadLen & 0xff},
+     kLargeASN1PayloadLen,
+     4 + kLargeASN1PayloadLen,
+     kLargeASN1PayloadLen * 2},
+    {false /* max_len too short */,
+     {0x30, 0x82, kLargeASN1PayloadLen >> 8, kLargeASN1PayloadLen & 0xff},
+     kLargeASN1PayloadLen,
+     4 + kLargeASN1PayloadLen,
+     3 + kLargeASN1PayloadLen},
+
+    // Test an indefinite-length input.
+    {true,
+     {0x30, 0x80},
+     kLargeASN1PayloadLen + 2,
+     2 + kLargeASN1PayloadLen + 2,
+     kLargeASN1PayloadLen * 2},
+    {false /* max_len too short */,
+     {0x30, 0x80},
+     kLargeASN1PayloadLen + 2,
+     2 + kLargeASN1PayloadLen + 2,
+     2 + kLargeASN1PayloadLen + 1},
+};
+
+class BIOASN1Test : public testing::TestWithParam<ASN1TestParam> {};
+
+TEST_P(BIOASN1Test, ReadASN1) {
+  const ASN1TestParam& param = GetParam();
+  std::vector<uint8_t> input = param.input;
+  input.resize(input.size() + param.suffix_len, 0);
+
+  bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(input.data(), input.size()));
+  ASSERT_TRUE(bio);

  uint8_t *out;
  size_t out_len;
-  int ok = BIO_read_asn1(bio.get(), &out, &out_len, max_len);
+  int ok = BIO_read_asn1(bio.get(), &out, &out_len, param.max_len);
  if (!ok) {
    out = nullptr;
  }
  bssl::UniquePtr<uint8_t> out_storage(out);

-  if (should_succeed != (ok == 1)) {
-    return false;
+  ASSERT_EQ(param.should_succeed, (ok == 1));
+  if (param.should_succeed) {
+    EXPECT_EQ(Bytes(input.data(), param.expected_len), Bytes(out, out_len));
  }
-
-  if (should_succeed &&
-      (out_len != expected_len || memcmp(data, out, expected_len) != 0)) {
-    return false;
-  }
-
-  return true;
 }

-static bool TestASN1() {
-  static const uint8_t kData1[] = {0x30, 2, 1, 2, 0, 0};
-  static const uint8_t kData2[] = {0x30, 3, 1, 2};  /* truncated */
-  static const uint8_t kData3[] = {0x30, 0x81, 1, 1};  /* should be short len */
-  static const uint8_t kData4[] = {0x30, 0x82, 0, 1, 1};  /* zero padded. */
+INSTANTIATE_TEST_CASE_P(, BIOASN1Test, testing::ValuesIn(kASN1TestParams));

-  if (!ReadASN1(true, kData1, sizeof(kData1), 4, 100) ||
-      !ReadASN1(false, kData2, sizeof(kData2), 0, 100) ||
-      !ReadASN1(false, kData3, sizeof(kData3), 0, 100) ||
-      !ReadASN1(false, kData4, sizeof(kData4), 0, 100)) {
-    return false;
+// Run through the tests twice, swapping |bio1| and |bio2|, for symmetry.
+class BIOPairTest : public testing::TestWithParam<bool> {};
+
+TEST_P(BIOPairTest, TestPair) {
+  BIO *bio1, *bio2;
+  ASSERT_TRUE(BIO_new_bio_pair(&bio1, 10, &bio2, 10));
+  bssl::UniquePtr<BIO> free_bio1(bio1), free_bio2(bio2);
+
+  if (GetParam()) {
+    std::swap(bio1, bio2);
  }

-  static const size_t kLargePayloadLen = 8000;
-  static const uint8_t kLargePrefix[] = {0x30, 0x82, kLargePayloadLen >> 8,
-                                         kLargePayloadLen & 0xff};
-  bssl::UniquePtr<uint8_t> large(reinterpret_cast<uint8_t *>(
-      OPENSSL_malloc(sizeof(kLargePrefix) + kLargePayloadLen)));
-  if (!large) {
-    return false;
-  }
-  memset(large.get() + sizeof(kLargePrefix), 0, kLargePayloadLen);
-  memcpy(large.get(), kLargePrefix, sizeof(kLargePrefix));
+  // Check initial states.
+  EXPECT_EQ(10u, BIO_ctrl_get_write_guarantee(bio1));
+  EXPECT_EQ(0u, BIO_ctrl_get_read_request(bio1));

-  if (!ReadASN1(true, large.get(), sizeof(kLargePrefix) + kLargePayloadLen,
-                sizeof(kLargePrefix) + kLargePayloadLen,
-                kLargePayloadLen * 2)) {
-    fprintf(stderr, "Large payload test failed.\n");
-    return false;
-  }
+  // Data written in one end may be read out the other.
+  uint8_t buf[20];
+  EXPECT_EQ(5, BIO_write(bio1, "12345", 5));
+  EXPECT_EQ(5u, BIO_ctrl_get_write_guarantee(bio1));
+  ASSERT_EQ(5, BIO_read(bio2, buf, sizeof(buf)));
+  EXPECT_EQ(Bytes("12345"), Bytes(buf, 5));
+  EXPECT_EQ(10u, BIO_ctrl_get_write_guarantee(bio1));

-  if (!ReadASN1(false, large.get(), sizeof(kLargePrefix) + kLargePayloadLen,
-                sizeof(kLargePrefix) + kLargePayloadLen,
-                kLargePayloadLen - 1)) {
-    fprintf(stderr, "max_len test failed.\n");
-    return false;
-  }
+  // Attempting to write more than 10 bytes will write partially.
+  EXPECT_EQ(10, BIO_write(bio1, "1234567890___", 13));
+  EXPECT_EQ(0u, BIO_ctrl_get_write_guarantee(bio1));
+  EXPECT_EQ(-1, BIO_write(bio1, "z", 1));
+  EXPECT_TRUE(BIO_should_write(bio1));
+  ASSERT_EQ(10, BIO_read(bio2, buf, sizeof(buf)));
+  EXPECT_EQ(Bytes("1234567890"), Bytes(buf, 10));
+  EXPECT_EQ(10u, BIO_ctrl_get_write_guarantee(bio1));

-  static const uint8_t kIndefPrefix[] = {0x30, 0x80};
-  memcpy(large.get(), kIndefPrefix, sizeof(kIndefPrefix));
-  if (!ReadASN1(true, large.get(), sizeof(kLargePrefix) + kLargePayloadLen,
-                sizeof(kLargePrefix) + kLargePayloadLen,
-                kLargePayloadLen*2)) {
-    fprintf(stderr, "indefinite length test failed.\n");
-    return false;
-  }
+  // Unsuccessful reads update the read request.
+  EXPECT_EQ(-1, BIO_read(bio2, buf, 5));
+  EXPECT_TRUE(BIO_should_read(bio2));
+  EXPECT_EQ(5u, BIO_ctrl_get_read_request(bio1));

-  if (!ReadASN1(false, large.get(), sizeof(kLargePrefix) + kLargePayloadLen,
-                sizeof(kLargePrefix) + kLargePayloadLen,
-                kLargePayloadLen-1)) {
-    fprintf(stderr, "indefinite length, max_len test failed.\n");
-    return false;
-  }
+  // The read request is clamped to the size of the buffer.
+  EXPECT_EQ(-1, BIO_read(bio2, buf, 20));
+  EXPECT_TRUE(BIO_should_read(bio2));
+  EXPECT_EQ(10u, BIO_ctrl_get_read_request(bio1));

-  return true;
+  // Data may be written and read in chunks.
+  EXPECT_EQ(5, BIO_write(bio1, "12345", 5));
+  EXPECT_EQ(5u, BIO_ctrl_get_write_guarantee(bio1));
+  EXPECT_EQ(5, BIO_write(bio1, "67890___", 8));
+  EXPECT_EQ(0u, BIO_ctrl_get_write_guarantee(bio1));
+  ASSERT_EQ(3, BIO_read(bio2, buf, 3));
+  EXPECT_EQ(Bytes("123"), Bytes(buf, 3));
+  EXPECT_EQ(3u, BIO_ctrl_get_write_guarantee(bio1));
+  ASSERT_EQ(7, BIO_read(bio2, buf, sizeof(buf)));
+  EXPECT_EQ(Bytes("4567890"), Bytes(buf, 7));
+  EXPECT_EQ(10u, BIO_ctrl_get_write_guarantee(bio1));
+
+  // Successful reads reset the read request.
+  EXPECT_EQ(0u, BIO_ctrl_get_read_request(bio1));
+
+  // Test writes and reads starting in the middle of the ring buffer and
+  // wrapping to front.
+  EXPECT_EQ(8, BIO_write(bio1, "abcdefgh", 8));
+  EXPECT_EQ(2u, BIO_ctrl_get_write_guarantee(bio1));
+  ASSERT_EQ(3, BIO_read(bio2, buf, 3));
+  EXPECT_EQ(Bytes("abc"), Bytes(buf, 3));
+  EXPECT_EQ(5u, BIO_ctrl_get_write_guarantee(bio1));
+  EXPECT_EQ(5, BIO_write(bio1, "ijklm___", 8));
+  EXPECT_EQ(0u, BIO_ctrl_get_write_guarantee(bio1));
+  ASSERT_EQ(10, BIO_read(bio2, buf, sizeof(buf)));
+  EXPECT_EQ(Bytes("defghijklm"), Bytes(buf, 10));
+  EXPECT_EQ(10u, BIO_ctrl_get_write_guarantee(bio1));
+
+  // Data may flow from both ends in parallel.
+  EXPECT_EQ(5, BIO_write(bio1, "12345", 5));
+  EXPECT_EQ(5, BIO_write(bio2, "67890", 5));
+  ASSERT_EQ(5, BIO_read(bio2, buf, sizeof(buf)));
+  EXPECT_EQ(Bytes("12345"), Bytes(buf, 5));
+  ASSERT_EQ(5, BIO_read(bio1, buf, sizeof(buf)));
+  EXPECT_EQ(Bytes("67890"), Bytes(buf, 5));
+
+  // Closing the write end causes an EOF on the read half, after draining.
+  EXPECT_EQ(5, BIO_write(bio1, "12345", 5));
+  EXPECT_TRUE(BIO_shutdown_wr(bio1));
+  ASSERT_EQ(5, BIO_read(bio2, buf, sizeof(buf)));
+  EXPECT_EQ(Bytes("12345"), Bytes(buf, 5));
+  EXPECT_EQ(0, BIO_read(bio2, buf, sizeof(buf)));
+
+  // A closed write end may not be written to.
+  EXPECT_EQ(0u, BIO_ctrl_get_write_guarantee(bio1));
+  EXPECT_EQ(-1, BIO_write(bio1, "_____", 5));
+
+  uint32_t err = ERR_get_error();
+  EXPECT_EQ(ERR_LIB_BIO, ERR_GET_LIB(err));
+  EXPECT_EQ(BIO_R_BROKEN_PIPE, ERR_GET_REASON(err));
+
+  // The other end is still functional.
+  EXPECT_EQ(5, BIO_write(bio2, "12345", 5));
+  ASSERT_EQ(5, BIO_read(bio1, buf, sizeof(buf)));
+  EXPECT_EQ(Bytes("12345"), Bytes(buf, 5));
 }

-int main(void) {
-  CRYPTO_library_init();
-
-#if defined(OPENSSL_WINDOWS)
-  // Initialize Winsock.
-  WORD wsa_version = MAKEWORD(2, 2);
-  WSADATA wsa_data;
-  int wsa_err = WSAStartup(wsa_version, &wsa_data);
-  if (wsa_err != 0) {
-    fprintf(stderr, "WSAStartup failed: %d\n", wsa_err);
-    return 1;
-  }
-  if (wsa_data.wVersion != wsa_version) {
-    fprintf(stderr, "Didn't get expected version: %x\n", wsa_data.wVersion);
-    return 1;
-  }
-#endif
-
-  if (!TestSocketConnect() ||
-      !TestPrintf() ||
-      !TestZeroCopyBioPairs() ||
-      !TestASN1()) {
-    return 1;
-  }
-
-  printf("PASS\n");
-  return 0;
-}
+INSTANTIATE_TEST_CASE_P(, BIOPairTest, testing::Values(false, true));
@@ -1,496 +0,0 @@
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.] */
-
-#include <openssl/bio.h>
-
-#include <string.h>
-
-#include <openssl/buf.h>
-#include <openssl/err.h>
-#include <openssl/mem.h>
-
-
-#define DEFAULT_BUFFER_SIZE 4096
-
-typedef struct bio_f_buffer_ctx_struct {
-  /* Buffers are setup like this:
-   *
-   * <---------------------- size ----------------------->
-   * +---------------------------------------------------+
-   * | consumed | remaining          | free space        |
-   * +---------------------------------------------------+
-   * <-- off --><------- len ------->
-   */
-
-  int ibuf_size;  /* how big is the input buffer */
-  int obuf_size;  /* how big is the output buffer */
-
-  char *ibuf;   /* the char array */
-  int ibuf_len; /* how many bytes are in it */
-  int ibuf_off; /* write/read offset */
-
-  char *obuf;   /* the char array */
-  int obuf_len; /* how many bytes are in it */
-  int obuf_off; /* write/read offset */
-} BIO_F_BUFFER_CTX;
-
-static int buffer_new(BIO *bio) {
-  BIO_F_BUFFER_CTX *ctx;
-
-  ctx = OPENSSL_malloc(sizeof(BIO_F_BUFFER_CTX));
-  if (ctx == NULL) {
-    return 0;
-  }
-  memset(ctx, 0, sizeof(BIO_F_BUFFER_CTX));
-
-  ctx->ibuf = OPENSSL_malloc(DEFAULT_BUFFER_SIZE);
-  if (ctx->ibuf == NULL) {
-    goto err1;
-  }
-  ctx->obuf = OPENSSL_malloc(DEFAULT_BUFFER_SIZE);
-  if (ctx->obuf == NULL) {
-    goto err2;
-  }
-  ctx->ibuf_size = DEFAULT_BUFFER_SIZE;
-  ctx->obuf_size = DEFAULT_BUFFER_SIZE;
-
-  bio->init = 1;
-  bio->ptr = (char *)ctx;
-  return 1;
-
-err2:
-  OPENSSL_free(ctx->ibuf);
-
-err1:
-  OPENSSL_free(ctx);
-  return 0;
-}
-
-static int buffer_free(BIO *bio) {
-  BIO_F_BUFFER_CTX *ctx;
-
-  if (bio == NULL || bio->ptr == NULL) {
-    return 0;
-  }
-
-  ctx = (BIO_F_BUFFER_CTX *)bio->ptr;
-  OPENSSL_free(ctx->ibuf);
-  OPENSSL_free(ctx->obuf);
-  OPENSSL_free(bio->ptr);
-
-  bio->ptr = NULL;
-  bio->init = 0;
-  bio->flags = 0;
-
-  return 1;
-}
-
-static int buffer_read(BIO *bio, char *out, int outl) {
-  int i, num = 0;
-  BIO_F_BUFFER_CTX *ctx;
-
-  ctx = (BIO_F_BUFFER_CTX *)bio->ptr;
-
-  if (ctx == NULL || bio->next_bio == NULL) {
-    return 0;
-  }
-
-  num = 0;
-  BIO_clear_retry_flags(bio);
-
-  for (;;) {
-    i = ctx->ibuf_len;
-    /* If there is stuff left over, grab it */
-    if (i != 0) {
-      if (i > outl) {
-        i = outl;
-      }
-      memcpy(out, &ctx->ibuf[ctx->ibuf_off], i);
-      ctx->ibuf_off += i;
-      ctx->ibuf_len -= i;
-      num += i;
-      if (outl == i) {
-        return num;
-      }
-      outl -= i;
-      out += i;
-    }
-
-    /* We may have done a partial read. Try to do more. We have nothing in the
-     * buffer. If we get an error and have read some data, just return it and
-     * let them retry to get the error again. Copy direct to parent address
-     * space */
-    if (outl > ctx->ibuf_size) {
-      for (;;) {
-        i = BIO_read(bio->next_bio, out, outl);
-        if (i <= 0) {
-          BIO_copy_next_retry(bio);
-          if (i < 0) {
-            return (num > 0) ? num : i;
-          }
-          return num;
-        }
-        num += i;
-        if (outl == i) {
-          return num;
-        }
-        out += i;
-        outl -= i;
-      }
-    }
-    /* else */
-
-    /* we are going to be doing some buffering */
-    i = BIO_read(bio->next_bio, ctx->ibuf, ctx->ibuf_size);
-    if (i <= 0) {
-      BIO_copy_next_retry(bio);
-      if (i < 0) {
-        return (num > 0) ? num : i;
-      }
-      return num;
-    }
-    ctx->ibuf_off = 0;
-    ctx->ibuf_len = i;
-  }
-}
-
-static int buffer_write(BIO *b, const char *in, int inl) {
-  int i, num = 0;
-  BIO_F_BUFFER_CTX *ctx;
-
-  ctx = (BIO_F_BUFFER_CTX *)b->ptr;
-  if (ctx == NULL || b->next_bio == NULL) {
-    return 0;
-  }
-
-  BIO_clear_retry_flags(b);
-
-  for (;;) {
-    i = ctx->obuf_size - (ctx->obuf_off + ctx->obuf_len);
-    /* add to buffer and return */
-    if (i >= inl) {
-      memcpy(&ctx->obuf[ctx->obuf_off + ctx->obuf_len], in, inl);
-      ctx->obuf_len += inl;
-      return num + inl;
-    }
-    /* else */
-    /* stuff already in buffer, so add to it first, then flush */
-    if (ctx->obuf_len != 0) {
-      if (i > 0) {
-        memcpy(&ctx->obuf[ctx->obuf_off + ctx->obuf_len], in, i);
-        in += i;
-        inl -= i;
-        num += i;
-        ctx->obuf_len += i;
-      }
-
-      /* we now have a full buffer needing flushing */
-      for (;;) {
-        i = BIO_write(b->next_bio, &ctx->obuf[ctx->obuf_off], ctx->obuf_len);
-        if (i <= 0) {
-          BIO_copy_next_retry(b);
-
-          if (i < 0) {
-            return (num > 0) ? num : i;
-          }
-          return num;
-        }
-        ctx->obuf_off += i;
-        ctx->obuf_len -= i;
-        if (ctx->obuf_len == 0) {
-          break;
-        }
-      }
-    }
-
-    /* we only get here if the buffer has been flushed and we
-     * still have stuff to write */
-    ctx->obuf_off = 0;
-
-    /* we now have inl bytes to write */
-    while (inl >= ctx->obuf_size) {
-      i = BIO_write(b->next_bio, in, inl);
-      if (i <= 0) {
-        BIO_copy_next_retry(b);
-        if (i < 0) {
-          return (num > 0) ? num : i;
-        }
-        return num;
-      }
-      num += i;
-      in += i;
-      inl -= i;
-      if (inl == 0) {
-        return num;
-      }
-    }
-
-    /* copy the rest into the buffer since we have only a small
-     * amount left */
-  }
-}
-
-static long buffer_ctrl(BIO *b, int cmd, long num, void *ptr) {
-  BIO_F_BUFFER_CTX *ctx;
-  long ret = 1;
-  char *p1, *p2;
-  int r, *ip;
-  int ibs, obs;
-
-  ctx = (BIO_F_BUFFER_CTX *)b->ptr;
-
-  switch (cmd) {
-    case BIO_CTRL_RESET:
-      ctx->ibuf_off = 0;
-      ctx->ibuf_len = 0;
-      ctx->obuf_off = 0;
-      ctx->obuf_len = 0;
-      if (b->next_bio == NULL) {
-        return 0;
-      }
-      ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
-      break;
-
-    case BIO_CTRL_INFO:
-      ret = ctx->obuf_len;
-      break;
-
-    case BIO_CTRL_WPENDING:
-      ret = (long)ctx->obuf_len;
-      if (ret == 0) {
-        if (b->next_bio == NULL) {
-          return 0;
-        }
-        ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
-      }
-      break;
-
-    case BIO_CTRL_PENDING:
-      ret = (long)ctx->ibuf_len;
-      if (ret == 0) {
-        if (b->next_bio == NULL) {
-          return 0;
-        }
-        ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
-      }
-      break;
-
-    case BIO_C_SET_BUFF_SIZE:
-      ip = (int *)ptr;
-      if (*ip == 0) {
-        ibs = (int)num;
-        obs = ctx->obuf_size;
-      } else /* if (*ip == 1) */ {
-        ibs = ctx->ibuf_size;
-        obs = (int)num;
-      }
-      p1 = ctx->ibuf;
-      p2 = ctx->obuf;
-      if (ibs > DEFAULT_BUFFER_SIZE && ibs != ctx->ibuf_size) {
-        p1 = OPENSSL_malloc(ibs);
-        if (p1 == NULL) {
-          goto malloc_error;
-        }
-      }
-      if (obs > DEFAULT_BUFFER_SIZE && obs != ctx->obuf_size) {
-        p2 = OPENSSL_malloc(obs);
-        if (p2 == NULL) {
-          if (p1 != ctx->ibuf) {
-            OPENSSL_free(p1);
-          }
-          goto malloc_error;
-        }
-      }
-
-      if (ctx->ibuf != p1) {
-        OPENSSL_free(ctx->ibuf);
-        ctx->ibuf = p1;
-        ctx->ibuf_size = ibs;
-      }
-      ctx->ibuf_off = 0;
-      ctx->ibuf_len = 0;
-
-      if (ctx->obuf != p2) {
-        OPENSSL_free(ctx->obuf);
-        ctx->obuf = p2;
-        ctx->obuf_size = obs;
-      }
-      ctx->obuf_off = 0;
-      ctx->obuf_len = 0;
-      break;
-
-    case BIO_CTRL_FLUSH:
-      if (b->next_bio == NULL) {
-        return 0;
-      }
-
-      while (ctx->obuf_len > 0) {
-        BIO_clear_retry_flags(b);
-        r = BIO_write(b->next_bio, &(ctx->obuf[ctx->obuf_off]),
-                      ctx->obuf_len);
-        BIO_copy_next_retry(b);
-        if (r <= 0) {
-          return r;
-        }
-        ctx->obuf_off += r;
-        ctx->obuf_len -= r;
-      }
-
-      ctx->obuf_len = 0;
-      ctx->obuf_off = 0;
-      ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
-      break;
-
-    default:
-      if (b->next_bio == NULL) {
-        return 0;
-      }
-      BIO_clear_retry_flags(b);
-      ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
-      BIO_copy_next_retry(b);
-      break;
-  }
-  return ret;
-
-malloc_error:
-  OPENSSL_PUT_ERROR(BIO, ERR_R_MALLOC_FAILURE);
-  return 0;
-}
-
-static long buffer_callback_ctrl(BIO *b, int cmd, bio_info_cb fp) {
-  long ret = 1;
-
-  if (b->next_bio == NULL) {
-    return 0;
-  }
-
-  switch (cmd) {
-    default:
-      ret = BIO_callback_ctrl(b->next_bio, cmd, fp);
-      break;
-  }
-  return ret;
-}
-
-static int buffer_gets(BIO *b, char *buf, int size) {
-  BIO_F_BUFFER_CTX *ctx;
-  int num = 0, i, flag;
-  char *p;
-
-  ctx = (BIO_F_BUFFER_CTX *)b->ptr;
-  if (buf == NULL || size <= 0) {
-    return 0;
-  }
-
-  size--; /* reserve space for a '\0' */
-  BIO_clear_retry_flags(b);
-
-  for (;;) {
-    if (ctx->ibuf_len > 0) {
-      p = &ctx->ibuf[ctx->ibuf_off];
-      flag = 0;
-      for (i = 0; (i < ctx->ibuf_len) && (i < size); i++) {
-        *(buf++) = p[i];
-        if (p[i] == '\n') {
-          flag = 1;
-          i++;
-          break;
-        }
-      }
-      num += i;
-      size -= i;
-      ctx->ibuf_len -= i;
-      ctx->ibuf_off += i;
-      if (flag || size == 0) {
-        *buf = '\0';
-        return num;
-      }
-    } else /* read another chunk */
-    {
-      i = BIO_read(b->next_bio, ctx->ibuf, ctx->ibuf_size);
-      if (i <= 0) {
-        BIO_copy_next_retry(b);
-        *buf = '\0';
-        if (i < 0) {
-          return (num > 0) ? num : i;
-        }
-        return num;
-      }
-      ctx->ibuf_len = i;
-      ctx->ibuf_off = 0;
-    }
-  }
-}
-
-static int buffer_puts(BIO *b, const char *str) {
-  return buffer_write(b, str, strlen(str));
-}
-
-static const BIO_METHOD methods_buffer = {
-    BIO_TYPE_BUFFER, "buffer",             buffer_write, buffer_read,
-    buffer_puts,     buffer_gets,          buffer_ctrl,  buffer_new,
-    buffer_free,     buffer_callback_ctrl,
-};
-
-const BIO_METHOD *BIO_f_buffer(void) { return &methods_buffer; }
-
-int BIO_set_read_buffer_size(BIO *bio, int buffer_size) {
-  return BIO_int_ctrl(bio, BIO_C_SET_BUFF_SIZE, buffer_size, 0);
-}
-
-int BIO_set_write_buffer_size(BIO *bio, int buffer_size) {
-  return BIO_int_ctrl(bio, BIO_C_SET_BUFF_SIZE, buffer_size, 1);
-}
@@ -77,6 +77,7 @@ OPENSSL_MSVC_PRAGMA(warning(pop))
 #include <openssl/mem.h>

 #include "internal.h"
+#include "../internal.h"


 enum {
@@ -97,12 +98,12 @@ typedef struct bio_connect_st {
  struct sockaddr_storage them;
  socklen_t them_length;

-  /* the file descriptor is kept in bio->num in order to match the socket
-   * BIO. */
+  // the file descriptor is kept in bio->num in order to match the socket
+  // BIO.

-  /* info_callback is called when the connection is initially made
-   * callback(BIO,state,ret);  The callback should return 'ret', state is for
-   * compatibility with the SSL info_callback. */
+  // info_callback is called when the connection is initially made
+  // callback(BIO,state,ret);  The callback should return 'ret', state is for
+  // compatibility with the SSL info_callback.
  int (*info_callback)(const BIO *bio, int state, int ret);
 } BIO_CONNECT;

@@ -112,9 +113,9 @@ static int closesocket(int sock) {
 }
 #endif

-/* split_host_and_port sets |*out_host| and |*out_port| to the host and port
- * parsed from |name|. It returns one on success or zero on error. Even when
- * successful, |*out_port| may be NULL on return if no port was specified. */
+// split_host_and_port sets |*out_host| and |*out_port| to the host and port
+// parsed from |name|. It returns one on success or zero on error. Even when
+// successful, |*out_port| may be NULL on return if no port was specified.
 static int split_host_and_port(char **out_host, char **out_port, const char *name) {
  const char *host, *port = NULL;
  size_t host_len = 0;
@@ -122,24 +123,24 @@ static int split_host_and_port(char **out_host, char **out_port, const char *nam
  *out_host = NULL;
  *out_port = NULL;

-  if (name[0] == '[') {  /* bracketed IPv6 address */
+  if (name[0] == '[') {  // bracketed IPv6 address
    const char *close = strchr(name, ']');
    if (close == NULL) {
      return 0;
    }
    host = name + 1;
    host_len = close - host;
-    if (close[1] == ':') {  /* [IP]:port */
+    if (close[1] == ':') {  // [IP]:port
      port = close + 2;
    } else if (close[1] != 0) {
      return 0;
    }
  } else {
    const char *colon = strchr(name, ':');
-    if (colon == NULL || strchr(colon + 1, ':') != NULL) {  /* IPv6 address */
+    if (colon == NULL || strchr(colon + 1, ':') != NULL) {  // IPv6 address
      host = name;
      host_len = strlen(name);
-    } else {  /* host:port */
+    } else {  // host:port
      host = name;
      host_len = colon - name;
      port = colon + 1;
@@ -174,9 +175,9 @@ static int conn_state(BIO *bio, BIO_CONNECT *c) {
  for (;;) {
    switch (c->state) {
      case BIO_CONN_S_BEFORE:
-        /* If there's a hostname and a port, assume that both are
-         * exactly what they say. If there is only a hostname, try
-         * (just once) to split it into a hostname and port. */
+        // If there's a hostname and a port, assume that both are
+        // exactly what they say. If there is only a hostname, try
+        // (just once) to split it into a hostname and port.

        if (c->param_hostname == NULL) {
          OPENSSL_PUT_ERROR(BIO, BIO_R_NO_HOSTNAME_SPECIFIED);
@@ -298,7 +299,7 @@ static BIO_CONNECT *BIO_CONNECT_new(void) {
  if (ret == NULL) {
    return NULL;
  }
-  memset(ret, 0, sizeof(BIO_CONNECT));
+  OPENSSL_memset(ret, 0, sizeof(BIO_CONNECT));

  ret->state = BIO_CONN_S_BEFORE;
  return ret;
@@ -329,7 +330,7 @@ static void conn_close_socket(BIO *bio) {
    return;
  }

-  /* Only do a shutdown if things were established */
+  // Only do a shutdown if things were established
  if (c->state == BIO_CONN_S_OK) {
    shutdown(bio->num, 2);
  }
@@ -414,7 +415,7 @@ static long conn_ctrl(BIO *bio, int cmd, long num, void *ptr) {
      bio->flags = 0;
      break;
    case BIO_C_DO_STATE_MACHINE:
-      /* use this one to start the connection */
+      // use this one to start the connection
      if (data->state != BIO_CONN_S_OK) {
        ret = (long)conn_state(bio, data);
      } else {
@@ -467,14 +468,6 @@ static long conn_ctrl(BIO *bio, int cmd, long num, void *ptr) {
      break;
    case BIO_CTRL_FLUSH:
      break;
-    case BIO_CTRL_SET_CALLBACK: {
-#if 0 /* FIXME: Should this be used?  -- Richard Levitte */
-		OPENSSL_PUT_ERROR(BIO, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-		ret = -1;
-#else
-      ret = 0;
-#endif
-    } break;
    case BIO_CTRL_GET_CALLBACK: {
      int (**fptr)(const BIO *bio, int state, int xret);
      fptr = (int (**)(const BIO *bio, int state, int xret))ptr;
@@ -484,7 +477,7 @@ static long conn_ctrl(BIO *bio, int cmd, long num, void *ptr) {
      ret = 0;
      break;
  }
-  return (ret);
+  return ret;
 }

 static long conn_callback_ctrl(BIO *bio, int cmd, bio_info_cb fp) {
@@ -494,9 +487,9 @@ static long conn_callback_ctrl(BIO *bio, int cmd, bio_info_cb fp) {
  data = (BIO_CONNECT *)bio->ptr;

  switch (cmd) {
-    case BIO_CTRL_SET_CALLBACK: {
+    case BIO_CTRL_SET_CALLBACK:
      data->info_callback = (int (*)(const struct bio_st *, int, int))fp;
-    } break;
+      break;
    default:
      ret = 0;
      break;
@@ -504,10 +497,6 @@ static long conn_callback_ctrl(BIO *bio, int cmd, bio_info_cb fp) {
  return ret;
 }

-static int conn_puts(BIO *bp, const char *str) {
-  return conn_write(bp, str, strlen(str));
-}
-
 BIO *BIO_new_connect(const char *hostname) {
  BIO *ret;

@@ -523,8 +512,8 @@ BIO *BIO_new_connect(const char *hostname) {
 }

 static const BIO_METHOD methods_connectp = {
-    BIO_TYPE_CONNECT, "socket connect",         conn_write, conn_read,
-    conn_puts,        NULL /* connect_gets, */, conn_ctrl,  conn_new,
+    BIO_TYPE_CONNECT, "socket connect",   conn_write, conn_read,
+    NULL /* puts */,  NULL /* gets */,    conn_ctrl,  conn_new,
    conn_free,        conn_callback_ctrl,
 };

@@ -138,7 +138,7 @@ BIO *BIO_new_fd(int fd, int close_flag) {
 }

 static int fd_new(BIO *bio) {
-  /* num is used to store the file descriptor. */
+  // num is used to store the file descriptor.
  bio->num = -1;
  return 1;
 }
@@ -241,10 +241,6 @@ static long fd_ctrl(BIO *b, int cmd, long num, void *ptr) {
  return ret;
 }

-static int fd_puts(BIO *bp, const char *str) {
-  return fd_write(bp, str, strlen(str));
-}
-
 static int fd_gets(BIO *bp, char *buf, int size) {
  char *ptr = buf;
  char *end = buf + size - 1;
@@ -263,8 +259,9 @@ static int fd_gets(BIO *bp, char *buf, int size) {
 }

 static const BIO_METHOD methods_fdp = {
-    BIO_TYPE_FD, "file descriptor", fd_write, fd_read, fd_puts,
-    fd_gets,     fd_ctrl,           fd_new,   fd_free, NULL, };
+    BIO_TYPE_FD, "file descriptor", fd_write, fd_read, NULL /* puts */,
+    fd_gets,     fd_ctrl,           fd_new,   fd_free, NULL /* callback_ctrl */,
+};

 const BIO_METHOD *BIO_s_fd(void) { return &methods_fdp; }

@@ -55,18 +55,17 @@
 * [including the GNU Public Licence.] */

 #if defined(__linux) || defined(__sun) || defined(__hpux)
-/* Following definition aliases fopen to fopen64 on above mentioned
- * platforms. This makes it possible to open and sequentially access
- * files larger than 2GB from 32-bit application. It does not allow to
- * traverse them beyond 2GB with fseek/ftell, but on the other hand *no*
- * 32-bit platform permits that, not with fseek/ftell. Not to mention
- * that breaking 2GB limit for seeking would require surgery to *our*
- * API. But sequential access suffices for practical cases when you
- * can run into large files, such as fingerprinting, so we can let API
- * alone. For reference, the list of 32-bit platforms which allow for
- * sequential access of large files without extra "magic" comprise *BSD,
- * Darwin, IRIX...
- */
+// Following definition aliases fopen to fopen64 on above mentioned
+// platforms. This makes it possible to open and sequentially access
+// files larger than 2GB from 32-bit application. It does not allow to
+// traverse them beyond 2GB with fseek/ftell, but on the other hand *no*
+// 32-bit platform permits that, not with fseek/ftell. Not to mention
+// that breaking 2GB limit for seeking would require surgery to *our*
+// API. But sequential access suffices for practical cases when you
+// can run into large files, such as fingerprinting, so we can let API
+// alone. For reference, the list of 32-bit platforms which allow for
+// sequential access of large files without extra "magic" comprise *BSD,
+// Darwin, IRIX...
 #ifndef _FILE_OFFSET_BITS
 #define _FILE_OFFSET_BITS 64
 #endif
@@ -157,7 +156,7 @@ static int file_read(BIO *b, char *out, int outl) {
    return -1;
  }

-  /* fread reads at most |outl| bytes, so |ret| fits in an int. */
+  // fread reads at most |outl| bytes, so |ret| fits in an int.
  return (int)ret;
 }

@@ -232,7 +231,7 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr) {
      b->init = 1;
      break;
    case BIO_C_GET_FILE_PTR:
-      /* the ptr parameter is actually a FILE ** in this case. */
+      // the ptr parameter is actually a FILE ** in this case.
      if (ptr != NULL) {
        fpp = (FILE **)ptr;
        *fpp = (FILE *)b->ptr;
@@ -273,13 +272,13 @@ err:
  return ret;
 }

-static int file_puts(BIO *bp, const char *str) {
-  return file_write(bp, str, strlen(str));
-}
-
 static const BIO_METHOD methods_filep = {
-    BIO_TYPE_FILE, "FILE pointer", file_write, file_read, file_puts,
-    file_gets,     file_ctrl,      file_new,   file_free, NULL, };
+    BIO_TYPE_FILE,   "FILE pointer",
+    file_write,      file_read,
+    NULL /* puts */, file_gets,
+    file_ctrl,       file_new,
+    file_free,       NULL /* callback_ctrl */,
+};

 const BIO_METHOD *BIO_s_file(void) { return &methods_filep; }

@@ -59,13 +59,15 @@
 #include <limits.h>
 #include <string.h>

+#include "../internal.h"

-/* hexdump_ctx contains the state of a hexdump. */
+
+// hexdump_ctx contains the state of a hexdump.
 struct hexdump_ctx {
  BIO *bio;
-  char right_chars[18]; /* the contents of the right-hand side, ASCII dump. */
-  unsigned used;        /* number of bytes in the current line. */
-  size_t n;             /* number of bytes total. */
+  char right_chars[18];  // the contents of the right-hand side, ASCII dump.
+  unsigned used;         // number of bytes in the current line.
+  size_t n;              // number of bytes total.
  unsigned indent;
 };

@@ -82,21 +84,20 @@ static char to_char(uint8_t b) {
  return b;
 }

-/* hexdump_write adds |len| bytes of |data| to the current hex dump described by
- * |ctx|. */
+// hexdump_write adds |len| bytes of |data| to the current hex dump described by
+// |ctx|.
 static int hexdump_write(struct hexdump_ctx *ctx, const uint8_t *data,
                         size_t len) {
  char buf[10];
  unsigned l;

-  /* Output lines look like:
-   * 00000010  2e 2f 30 31 32 33 34 35  36 37 38 ... 3c 3d // |./0123456789:;<=|
-   * ^ offset                          ^ extra space           ^ ASCII of line
-   */
+  // Output lines look like:
+  // 00000010  2e 2f 30 31 32 33 34 35  36 37 38 ... 3c 3d // |./0123456789:;<=|
+  // ^ offset                          ^ extra space           ^ ASCII of line

  for (size_t i = 0; i < len; i++) {
    if (ctx->used == 0) {
-      /* The beginning of a line. */
+      // The beginning of a line.
      BIO_indent(ctx->bio, ctx->indent, UINT_MAX);

      hexbyte(&buf[0], ctx->n >> 24);
@@ -113,12 +114,12 @@ static int hexdump_write(struct hexdump_ctx *ctx, const uint8_t *data,
    buf[2] = ' ';
    l = 3;
    if (ctx->used == 7) {
-      /* There's an additional space after the 8th byte. */
+      // There's an additional space after the 8th byte.
      buf[3] = ' ';
      l = 4;
    } else if (ctx->used == 15) {
-      /* At the end of the line there's an extra space and the bar for the
-       * right column. */
+      // At the end of the line there's an extra space and the bar for the
+      // right column.
      buf[3] = ' ';
      buf[4] = '|';
      l = 5;
@@ -143,9 +144,9 @@ static int hexdump_write(struct hexdump_ctx *ctx, const uint8_t *data,
  return 1;
 }

-/* finish flushes any buffered data in |ctx|. */
+// finish flushes any buffered data in |ctx|.
 static int finish(struct hexdump_ctx *ctx) {
-  /* See the comments in |hexdump| for the details of this format. */
+  // See the comments in |hexdump| for the details of this format.
  const unsigned n_bytes = ctx->used;
  unsigned l;
  char buf[5];
@@ -154,7 +155,7 @@ static int finish(struct hexdump_ctx *ctx) {
    return 1;
  }

-  memset(buf, ' ', 4);
+  OPENSSL_memset(buf, ' ', 4);
  buf[4] = '|';

  for (; ctx->used < 16; ctx->used++) {
@@ -179,7 +180,7 @@ static int finish(struct hexdump_ctx *ctx) {

 int BIO_hexdump(BIO *bio, const uint8_t *data, size_t len, unsigned indent) {
  struct hexdump_ctx ctx;
-  memset(&ctx, 0, sizeof(ctx));
+  OPENSSL_memset(&ctx, 0, sizeof(ctx));
  ctx.bio = bio;
  ctx.indent = indent;

@@ -61,7 +61,7 @@

 #if !defined(OPENSSL_WINDOWS)
 #if defined(OPENSSL_PNACL)
-/* newlib uses u_short in socket.h without defining it. */
+// newlib uses u_short in socket.h without defining it.
 typedef unsigned short u_short;
 #endif
 #include <sys/types.h>
@@ -78,34 +78,34 @@ extern "C" {
 #endif


-/* BIO_ip_and_port_to_socket_and_addr creates a socket and fills in |*out_addr|
- * and |*out_addr_length| with the correct values for connecting to |hostname|
- * on |port_str|. It returns one on success or zero on error. */
+// BIO_ip_and_port_to_socket_and_addr creates a socket and fills in |*out_addr|
+// and |*out_addr_length| with the correct values for connecting to |hostname|
+// on |port_str|. It returns one on success or zero on error.
 int bio_ip_and_port_to_socket_and_addr(int *out_sock,
                                       struct sockaddr_storage *out_addr,
                                       socklen_t *out_addr_length,
                                       const char *hostname,
                                       const char *port_str);

-/* BIO_socket_nbio sets whether |sock| is non-blocking. It returns one on
- * success and zero otherwise. */
+// BIO_socket_nbio sets whether |sock| is non-blocking. It returns one on
+// success and zero otherwise.
 int bio_socket_nbio(int sock, int on);

-/* BIO_clear_socket_error clears the last system socket error.
- *
- * TODO(fork): remove all callers of this. */
+// BIO_clear_socket_error clears the last system socket error.
+//
+// TODO(fork): remove all callers of this.
 void bio_clear_socket_error(void);

-/* BIO_sock_error returns the last socket error on |sock|. */
+// BIO_sock_error returns the last socket error on |sock|.
 int bio_sock_error(int sock);

-/* BIO_fd_should_retry returns non-zero if |return_value| indicates an error
- * and |errno| indicates that it's non-fatal. */
+// BIO_fd_should_retry returns non-zero if |return_value| indicates an error
+// and |errno| indicates that it's non-fatal.
 int bio_fd_should_retry(int return_value);


 #if defined(__cplusplus)
-}  /* extern C */
+}  // extern C
 #endif

-#endif  /* OPENSSL_HEADER_BIO_INTERNAL_H */
+#endif  // OPENSSL_HEADER_BIO_INTERNAL_H
@@ -59,30 +59,26 @@
 #include <openssl/err.h>
 #include <openssl/mem.h>

+#include "../internal.h"
+

 struct bio_bio_st {
-  BIO *peer; /* NULL if buf == NULL.
-              * If peer != NULL, then peer->ptr is also a bio_bio_st,
-              * and its "peer" member points back to us.
-              * peer != NULL iff init != 0 in the BIO. */
+  BIO *peer;  // NULL if buf == NULL.
+              // If peer != NULL, then peer->ptr is also a bio_bio_st,
+              // and its "peer" member points back to us.
+              // peer != NULL iff init != 0 in the BIO.

-  /* This is for what we write (i.e. reading uses peer's struct): */
-  int closed;    /* valid iff peer != NULL */
-  size_t len;    /* valid iff buf != NULL; 0 if peer == NULL */
-  size_t offset; /* valid iff buf != NULL; 0 if len == 0 */
+  // This is for what we write (i.e. reading uses peer's struct):
+  int closed;     // valid iff peer != NULL
+  size_t len;     // valid iff buf != NULL; 0 if peer == NULL
+  size_t offset;  // valid iff buf != NULL; 0 if len == 0
  size_t size;
-  uint8_t *buf; /* "size" elements (if != NULL) */
-  char buf_externally_allocated; /* true iff buf was externally allocated. */
+  uint8_t *buf;  // "size" elements (if != NULL)

-  char zero_copy_read_lock;  /* true iff a zero copy read operation
-                              * is in progress. */
-  char zero_copy_write_lock; /* true iff a zero copy write operation
-                              * is in progress. */
-
-  size_t request; /* valid iff peer != NULL; 0 if len != 0,
-                   * otherwise set by peer to number of bytes
-                   * it (unsuccessfully) tried to read,
-                   * never more than buffer space (size-len) warrants. */
+  size_t request;  // valid iff peer != NULL; 0 if len != 0,
+                   // otherwise set by peer to number of bytes
+                   // it (unsuccessfully) tried to read,
+                   // never more than buffer space (size-len) warrants.
 };

 static int bio_new(BIO *bio) {
@@ -92,9 +88,9 @@ static int bio_new(BIO *bio) {
  if (b == NULL) {
    return 0;
  }
-  memset(b, 0, sizeof(struct bio_bio_st));
+  OPENSSL_memset(b, 0, sizeof(struct bio_bio_st));

-  b->size = 17 * 1024; /* enough for one TLS record (just a default) */
+  b->size = 17 * 1024;  // enough for one TLS record (just a default)
  bio->ptr = b;
  return 1;
 }
@@ -145,263 +141,12 @@ static int bio_free(BIO *bio) {
    bio_destroy_pair(bio);
  }

-  if (!b->buf_externally_allocated) {
-    OPENSSL_free(b->buf);
-  }
-
+  OPENSSL_free(b->buf);
  OPENSSL_free(b);

  return 1;
 }

-static size_t bio_zero_copy_get_read_buf(struct bio_bio_st* peer_b,
-                                         uint8_t** out_read_buf,
-                                         size_t* out_buf_offset) {
-  size_t max_available;
-  if (peer_b->len > peer_b->size - peer_b->offset) {
-    /* Only the first half of the ring buffer can be read. */
-    max_available = peer_b->size - peer_b->offset;
-  } else {
-    max_available = peer_b->len;
-  }
-
-  *out_read_buf = peer_b->buf;
-  *out_buf_offset = peer_b->offset;
-  return max_available;
-}
-
-int BIO_zero_copy_get_read_buf(BIO* bio, uint8_t** out_read_buf,
-                               size_t* out_buf_offset,
-                               size_t* out_available_bytes) {
-  struct bio_bio_st* b;
-  struct bio_bio_st* peer_b;
-  size_t max_available;
-  *out_available_bytes = 0;
-
-  BIO_clear_retry_flags(bio);
-
-  if (!bio->init) {
-    OPENSSL_PUT_ERROR(BIO, BIO_R_UNINITIALIZED);
-    return 0;
-  }
-
-  b = bio->ptr;
-
-  if (!b || !b->peer) {
-    OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
-    return 0;
-  }
-
-  peer_b = b->peer->ptr;
-  if (!peer_b || !peer_b->peer || peer_b->peer->ptr != b) {
-    OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
-    return 0;
-  }
-
-  if (peer_b->zero_copy_read_lock) {
-    OPENSSL_PUT_ERROR(BIO, BIO_R_INVALID_ARGUMENT);
-    return 0;
-  }
-
-  peer_b->request = 0;  /* Is not used by zero-copy API. */
-
-  max_available =
-      bio_zero_copy_get_read_buf(peer_b, out_read_buf, out_buf_offset);
-
-  assert(peer_b->buf != NULL);
-  if (max_available > 0) {
-    peer_b->zero_copy_read_lock = 1;
-  }
-
-  *out_available_bytes = max_available;
-  return 1;
-}
-
-int BIO_zero_copy_get_read_buf_done(BIO* bio, size_t bytes_read) {
-  struct bio_bio_st* b;
-  struct bio_bio_st* peer_b;
-  size_t max_available;
-  size_t dummy_read_offset;
-  uint8_t* dummy_read_buf;
-
-  assert(BIO_get_retry_flags(bio) == 0);
-
-  if (!bio->init) {
-    OPENSSL_PUT_ERROR(BIO, BIO_R_UNINITIALIZED);
-    return 0;
-  }
-
-  b = bio->ptr;
-
-  if (!b || !b->peer) {
-    OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
-    return 0;
-  }
-
-  peer_b = b->peer->ptr;
-  if (!peer_b || !peer_b->peer || peer_b->peer->ptr != b) {
-    OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
-    return 0;
-  }
-
-  if (!peer_b->zero_copy_read_lock) {
-    OPENSSL_PUT_ERROR(BIO, BIO_R_INVALID_ARGUMENT);
-    return 0;
-  }
-
-  max_available =
-      bio_zero_copy_get_read_buf(peer_b, &dummy_read_buf, &dummy_read_offset);
-  if (bytes_read > max_available) {
-    OPENSSL_PUT_ERROR(BIO, BIO_R_INVALID_ARGUMENT);
-    return 0;
-  }
-
-  assert(peer_b->len >= bytes_read);
-  peer_b->len -= bytes_read;
-  assert(peer_b->offset + bytes_read <= peer_b->size);
-
-  /* Move read offset. If zero_copy_write_lock == 1 we must advance the
-   * offset even if buffer becomes empty, to make sure
-   * write_offset = (offset + len) mod size does not change. */
-  if (peer_b->offset + bytes_read == peer_b->size ||
-      (!peer_b->zero_copy_write_lock && peer_b->len == 0)) {
-    peer_b->offset = 0;
-  } else {
-    peer_b->offset += bytes_read;
-  }
-
-  bio->num_read += bytes_read;
-  peer_b->zero_copy_read_lock = 0;
-  return 1;
-}
-
-static size_t bio_zero_copy_get_write_buf(struct bio_bio_st* b,
-                                          uint8_t** out_write_buf,
-                                          size_t* out_buf_offset) {
-  size_t write_offset;
-  size_t max_available;
-
-  assert(b->len <= b->size);
-
-  write_offset = b->offset + b->len;
-
-  if (write_offset >= b->size) {
-    /* Only the first half of the ring buffer can be written to. */
-    write_offset -= b->size;
-    /* write up to the start of the ring buffer. */
-    max_available = b->offset - write_offset;
-  } else {
-    /* write up to the end the buffer. */
-    max_available = b->size - write_offset;
-  }
-
-  *out_write_buf = b->buf;
-  *out_buf_offset = write_offset;
-  return max_available;
-}
-
-int BIO_zero_copy_get_write_buf(BIO* bio, uint8_t** out_write_buf,
-                                size_t* out_buf_offset,
-                                size_t* out_available_bytes) {
-  struct bio_bio_st* b;
-  struct bio_bio_st* peer_b;
-  size_t max_available;
-
-  *out_available_bytes = 0;
-  BIO_clear_retry_flags(bio);
-
-  if (!bio->init) {
-    OPENSSL_PUT_ERROR(BIO, BIO_R_UNINITIALIZED);
-    return 0;
-  }
-
-  b = bio->ptr;
-
-  if (!b || !b->buf || !b->peer) {
-    OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
-    return 0;
-  }
-  peer_b = b->peer->ptr;
-  if (!peer_b || !peer_b->peer || peer_b->peer->ptr != b) {
-    OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
-    return 0;
-  }
-
-  assert(b->buf != NULL);
-
-  if (b->zero_copy_write_lock) {
-    OPENSSL_PUT_ERROR(BIO, BIO_R_INVALID_ARGUMENT);
-    return 0;
-  }
-
-  b->request = 0;
-  if (b->closed) {
-    /* Bio is already closed. */
-    OPENSSL_PUT_ERROR(BIO, BIO_R_BROKEN_PIPE);
-    return 0;
-  }
-
-  max_available = bio_zero_copy_get_write_buf(b, out_write_buf, out_buf_offset);
-
-  if (max_available > 0) {
-    b->zero_copy_write_lock = 1;
-  }
-
-  *out_available_bytes = max_available;
-  return 1;
-}
-
-int BIO_zero_copy_get_write_buf_done(BIO* bio, size_t bytes_written) {
-  struct bio_bio_st* b;
-  struct bio_bio_st* peer_b;
-
-  size_t rest;
-  size_t dummy_write_offset;
-  uint8_t* dummy_write_buf;
-
-  if (!bio->init) {
-    OPENSSL_PUT_ERROR(BIO, BIO_R_UNINITIALIZED);
-    return 0;
-  }
-
-  b = bio->ptr;
-
-  if (!b || !b->buf || !b->peer) {
-    OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
-    return 0;
-  }
-  peer_b = b->peer->ptr;
-  if (!peer_b || !peer_b->peer || peer_b->peer->ptr != b) {
-    OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
-    return 0;
-  }
-
-  b->request = 0;
-  if (b->closed) {
-    /* BIO is already closed. */
-    OPENSSL_PUT_ERROR(BIO, BIO_R_BROKEN_PIPE);
-    return 0;
-  }
-
-  if (!b->zero_copy_write_lock) {
-    OPENSSL_PUT_ERROR(BIO, BIO_R_INVALID_ARGUMENT);
-    return 0;
-  }
-
-  rest = bio_zero_copy_get_write_buf(b, &dummy_write_buf, &dummy_write_offset);
-
-  if (bytes_written > rest) {
-    OPENSSL_PUT_ERROR(BIO, BIO_R_INVALID_ARGUMENT);
-    return 0;
-  }
-
-  bio->num_write += bytes_written;
-  /* Move write offset. */
-  b->len += bytes_written;
-  b->zero_copy_write_lock = 0;
-  return 1;
-}
-
 static int bio_read(BIO *bio, char *buf, int size_) {
  size_t size = size_;
  size_t rest;
@@ -420,38 +165,38 @@ static int bio_read(BIO *bio, char *buf, int size_) {
  assert(peer_b != NULL);
  assert(peer_b->buf != NULL);

-  peer_b->request = 0; /* will be set in "retry_read" situation */
+  peer_b->request = 0;  // will be set in "retry_read" situation

-  if (buf == NULL || size == 0 || peer_b->zero_copy_read_lock) {
+  if (buf == NULL || size == 0) {
    return 0;
  }

  if (peer_b->len == 0) {
    if (peer_b->closed) {
-      return 0; /* writer has closed, and no data is left */
+      return 0;  // writer has closed, and no data is left
    } else {
-      BIO_set_retry_read(bio); /* buffer is empty */
+      BIO_set_retry_read(bio);  // buffer is empty
      if (size <= peer_b->size) {
        peer_b->request = size;
      } else {
-        /* don't ask for more than the peer can
-         * deliver in one write */
+        // don't ask for more than the peer can
+        // deliver in one write
        peer_b->request = peer_b->size;
      }
      return -1;
    }
  }

-  /* we can read */
+  // we can read
  if (peer_b->len < size) {
    size = peer_b->len;
  }

-  /* now read "size" bytes */
+  // now read "size" bytes
  rest = size;

  assert(rest > 0);
-  /* one or two iterations */
+  // one or two iterations
  do {
    size_t chunk;

@@ -459,18 +204,15 @@ static int bio_read(BIO *bio, char *buf, int size_) {
    if (peer_b->offset + rest <= peer_b->size) {
      chunk = rest;
    } else {
-      /* wrap around ring buffer */
+      // wrap around ring buffer
      chunk = peer_b->size - peer_b->offset;
    }
    assert(peer_b->offset + chunk <= peer_b->size);

-    memcpy(buf, peer_b->buf + peer_b->offset, chunk);
+    OPENSSL_memcpy(buf, peer_b->buf + peer_b->offset, chunk);

    peer_b->len -= chunk;
-    /* If zero_copy_write_lock == 1 we must advance the offset even if buffer
-     * becomes empty, to make sure write_offset = (offset + len) % size
-     * does not change. */
-    if (peer_b->len || peer_b->zero_copy_write_lock) {
+    if (peer_b->len) {
      peer_b->offset += chunk;
      assert(peer_b->offset <= peer_b->size);
      if (peer_b->offset == peer_b->size) {
@@ -478,7 +220,7 @@ static int bio_read(BIO *bio, char *buf, int size_) {
      }
      buf += chunk;
    } else {
-      /* buffer now empty, no need to advance "buf" */
+      // buffer now empty, no need to advance "buf"
      assert(chunk == rest);
      peer_b->offset = 0;
    }
@@ -504,13 +246,9 @@ static int bio_write(BIO *bio, const char *buf, int num_) {
  assert(b->peer != NULL);
  assert(b->buf != NULL);

-  if (b->zero_copy_write_lock) {
-    return 0;
-  }
-
  b->request = 0;
  if (b->closed) {
-    /* we already closed */
+    // we already closed
    OPENSSL_PUT_ERROR(BIO, BIO_R_BROKEN_PIPE);
    return -1;
  }
@@ -518,20 +256,20 @@ static int bio_write(BIO *bio, const char *buf, int num_) {
  assert(b->len <= b->size);

  if (b->len == b->size) {
-    BIO_set_retry_write(bio); /* buffer is full */
+    BIO_set_retry_write(bio);  // buffer is full
    return -1;
  }

-  /* we can write */
+  // we can write
  if (num > b->size - b->len) {
    num = b->size - b->len;
  }

-  /* now write "num" bytes */
+  // now write "num" bytes
  rest = num;

  assert(rest > 0);
-  /* one or two iterations */
+  // one or two iterations
  do {
    size_t write_offset;
    size_t chunk;
@@ -542,16 +280,16 @@ static int bio_write(BIO *bio, const char *buf, int num_) {
    if (write_offset >= b->size) {
      write_offset -= b->size;
    }
-    /* b->buf[write_offset] is the first byte we can write to. */
+    // b->buf[write_offset] is the first byte we can write to.

    if (write_offset + rest <= b->size) {
      chunk = rest;
    } else {
-      /* wrap around ring buffer */
+      // wrap around ring buffer
      chunk = b->size - write_offset;
    }

-    memcpy(b->buf + write_offset, buf, chunk);
+    OPENSSL_memcpy(b->buf + write_offset, buf, chunk);

    b->len += chunk;

@@ -564,9 +302,8 @@ static int bio_write(BIO *bio, const char *buf, int num_) {
  return num;
 }

-static int bio_make_pair(BIO* bio1, BIO* bio2,
-                         size_t writebuf1_len, uint8_t* ext_writebuf1,
-                         size_t writebuf2_len, uint8_t* ext_writebuf2) {
+static int bio_make_pair(BIO *bio1, BIO *bio2, size_t writebuf1_len,
+                         size_t writebuf2_len) {
  struct bio_bio_st *b1, *b2;

  assert(bio1 != NULL);
@@ -580,23 +317,14 @@ static int bio_make_pair(BIO* bio1, BIO* bio2,
    return 0;
  }

-  assert(b1->buf_externally_allocated == 0);
-  assert(b2->buf_externally_allocated == 0);
-
  if (b1->buf == NULL) {
    if (writebuf1_len) {
      b1->size = writebuf1_len;
    }
-    if (!ext_writebuf1) {
-      b1->buf_externally_allocated = 0;
-      b1->buf = OPENSSL_malloc(b1->size);
-      if (b1->buf == NULL) {
-        OPENSSL_PUT_ERROR(BIO, ERR_R_MALLOC_FAILURE);
-        return 0;
-      }
-    } else {
-      b1->buf = ext_writebuf1;
-      b1->buf_externally_allocated = 1;
+    b1->buf = OPENSSL_malloc(b1->size);
+    if (b1->buf == NULL) {
+      OPENSSL_PUT_ERROR(BIO, ERR_R_MALLOC_FAILURE);
+      return 0;
    }
    b1->len = 0;
    b1->offset = 0;
@@ -606,16 +334,10 @@ static int bio_make_pair(BIO* bio1, BIO* bio2,
    if (writebuf2_len) {
      b2->size = writebuf2_len;
    }
-    if (!ext_writebuf2) {
-      b2->buf_externally_allocated = 0;
-      b2->buf = OPENSSL_malloc(b2->size);
-      if (b2->buf == NULL) {
-        OPENSSL_PUT_ERROR(BIO, ERR_R_MALLOC_FAILURE);
-        return 0;
-      }
-    } else {
-      b2->buf = ext_writebuf2;
-      b2->buf_externally_allocated = 1;
+    b2->buf = OPENSSL_malloc(b2->size);
+    if (b2->buf == NULL) {
+      OPENSSL_PUT_ERROR(BIO, ERR_R_MALLOC_FAILURE);
+      return 0;
    }
    b2->len = 0;
    b2->offset = 0;
@@ -624,13 +346,9 @@ static int bio_make_pair(BIO* bio1, BIO* bio2,
  b1->peer = bio2;
  b1->closed = 0;
  b1->request = 0;
-  b1->zero_copy_read_lock = 0;
-  b1->zero_copy_write_lock = 0;
  b2->peer = bio1;
  b2->closed = 0;
  b2->request = 0;
-  b2->zero_copy_read_lock = 0;
-  b2->zero_copy_write_lock = 0;

  bio1->init = 1;
  bio2->init = 1;
@@ -645,15 +363,15 @@ static long bio_ctrl(BIO *bio, int cmd, long num, void *ptr) {
  assert(b != NULL);

  switch (cmd) {
-    /* specific CTRL codes */
+    // specific CTRL codes

    case BIO_C_GET_WRITE_BUF_SIZE:
      ret = (long)b->size;
      break;

    case BIO_C_GET_WRITE_GUARANTEE:
-      /* How many bytes can the caller feed to the next write
-       * without having to keep any? */
+      // How many bytes can the caller feed to the next write
+      // without having to keep any?
      if (b->peer == NULL || b->closed) {
        ret = 0;
      } else {
@@ -662,28 +380,28 @@ static long bio_ctrl(BIO *bio, int cmd, long num, void *ptr) {
      break;

    case BIO_C_GET_READ_REQUEST:
-      /* If the peer unsuccessfully tried to read, how many bytes
-       * were requested?  (As with BIO_CTRL_PENDING, that number
-       * can usually be treated as boolean.) */
+      // If the peer unsuccessfully tried to read, how many bytes
+      // were requested?  (As with BIO_CTRL_PENDING, that number
+      // can usually be treated as boolean.)
      ret = (long)b->request;
      break;

    case BIO_C_RESET_READ_REQUEST:
-      /* Reset request.  (Can be useful after read attempts
-       * at the other side that are meant to be non-blocking,
-       * e.g. when probing SSL_read to see if any data is
-       * available.) */
+      // Reset request.  (Can be useful after read attempts
+      // at the other side that are meant to be non-blocking,
+      // e.g. when probing SSL_read to see if any data is
+      // available.)
      b->request = 0;
      ret = 1;
      break;

    case BIO_C_SHUTDOWN_WR:
-      /* similar to shutdown(..., SHUT_WR) */
+      // similar to shutdown(..., SHUT_WR)
      b->closed = 1;
      ret = 1;
      break;

-    /* standard CTRL codes follow */
+    // standard CTRL codes follow

    case BIO_CTRL_GET_CLOSE:
      ret = bio->shutdown;
@@ -732,62 +450,30 @@ static long bio_ctrl(BIO *bio, int cmd, long num, void *ptr) {
  return ret;
 }

-static int bio_puts(BIO *bio, const char *str) {
-  return bio_write(bio, str, strlen(str));
-}

 static const BIO_METHOD methods_biop = {
-    BIO_TYPE_BIO, "BIO pair",             bio_write, bio_read,
-    bio_puts,     NULL /* no bio_gets */, bio_ctrl,  bio_new,
-    bio_free,     NULL /* no bio_callback_ctrl */
+    BIO_TYPE_BIO,    "BIO pair", bio_write, bio_read, NULL /* puts */,
+    NULL /* gets */, bio_ctrl,   bio_new,   bio_free, NULL /* callback_ctrl */,
 };

 static const BIO_METHOD *bio_s_bio(void) { return &methods_biop; }

-int BIO_new_bio_pair(BIO** bio1_p, size_t writebuf1,
-                     BIO** bio2_p, size_t writebuf2) {
-  return BIO_new_bio_pair_external_buf(bio1_p, writebuf1, NULL, bio2_p,
-                                       writebuf2, NULL);
-}
-
-int BIO_new_bio_pair_external_buf(BIO** bio1_p, size_t writebuf1_len,
-                                  uint8_t* ext_writebuf1,
-                                  BIO** bio2_p, size_t writebuf2_len,
-                                  uint8_t* ext_writebuf2) {
-  BIO *bio1 = NULL, *bio2 = NULL;
-  int ret = 0;
-
-  /* External buffers must have sizes greater than 0. */
-  if ((ext_writebuf1 && !writebuf1_len) || (ext_writebuf2 && !writebuf2_len)) {
-    goto err;
-  }
-
-  bio1 = BIO_new(bio_s_bio());
-  if (bio1 == NULL) {
-    goto err;
-  }
-  bio2 = BIO_new(bio_s_bio());
-  if (bio2 == NULL) {
-    goto err;
-  }
-
-  if (!bio_make_pair(bio1, bio2, writebuf1_len, ext_writebuf1, writebuf2_len,
-                     ext_writebuf2)) {
-    goto err;
-  }
-  ret = 1;
-
-err:
-  if (ret == 0) {
+int BIO_new_bio_pair(BIO** bio1_p, size_t writebuf1_len,
+                     BIO** bio2_p, size_t writebuf2_len) {
+  BIO *bio1 = BIO_new(bio_s_bio());
+  BIO *bio2 = BIO_new(bio_s_bio());
+  if (bio1 == NULL || bio2 == NULL ||
+      !bio_make_pair(bio1, bio2, writebuf1_len, writebuf2_len)) {
    BIO_free(bio1);
-    bio1 = NULL;
    BIO_free(bio2);
-    bio2 = NULL;
+    *bio1_p = NULL;
+    *bio2_p = NULL;
+    return 0;
  }

  *bio1_p = bio1;
  *bio2_p = bio2;
-  return ret;
+  return 1;
 }

 size_t BIO_ctrl_get_read_request(BIO *bio) {
@@ -55,7 +55,7 @@
 * [including the GNU Public Licence.] */

 #if !defined(_POSIX_C_SOURCE)
-#define _POSIX_C_SOURCE 201410L  /* for snprintf, vprintf etc */
+#define _POSIX_C_SOURCE 201410L  // for snprintf, vprintf etc
 #endif

 #include <openssl/bio.h>
@@ -77,13 +77,13 @@ int BIO_printf(BIO *bio, const char *format, ...) {
  va_end(args);

 #if defined(OPENSSL_WINDOWS)
-  /* On Windows, vsnprintf returns -1 rather than the requested length on
-   * truncation */
+  // On Windows, vsnprintf returns -1 rather than the requested length on
+  // truncation
  if (out_len < 0) {
    va_start(args, format);
    out_len = _vscprintf(format, args);
    va_end(args);
-    assert(out_len >= sizeof(buf));
+    assert(out_len >= (int)sizeof(buf));
  }
 #endif

@@ -93,9 +93,9 @@ int BIO_printf(BIO *bio, const char *format, ...) {

  if ((size_t) out_len >= sizeof(buf)) {
    const int requested_len = out_len;
-    /* The output was truncated. Note that vsnprintf's return value
-     * does not include a trailing NUL, but the buffer must be sized
-     * for it. */
+    // The output was truncated. Note that vsnprintf's return value
+    // does not include a trailing NUL, but the buffer must be sized
+    // for it.
    out = OPENSSL_malloc(requested_len + 1);
    out_malloced = 1;
    if (out == NULL) {
@@ -67,7 +67,7 @@ OPENSSL_MSVC_PRAGMA(warning(push, 3))
 #include <winsock2.h>
 OPENSSL_MSVC_PRAGMA(warning(pop))

-#pragma comment(lib, "Ws2_32.lib")
+OPENSSL_MSVC_PRAGMA(comment(lib, "Ws2_32.lib"))
 #endif

 #include "internal.h"
@@ -142,10 +142,6 @@ static int sock_write(BIO *b, const char *in, int inl) {
  return ret;
 }

-static int sock_puts(BIO *bp, const char *str) {
-  return sock_write(bp, str, strlen(str));
-}
-
 static long sock_ctrl(BIO *b, int cmd, long num, void *ptr) {
  long ret = 1;
  int *ip;
@@ -185,8 +181,11 @@ static long sock_ctrl(BIO *b, int cmd, long num, void *ptr) {
 }

 static const BIO_METHOD methods_sockp = {
-    BIO_TYPE_SOCKET,  "socket",  sock_write, sock_read, sock_puts,
-    NULL /* gets, */, sock_ctrl, sock_new,   sock_free, NULL,
+    BIO_TYPE_SOCKET, "socket",
+    sock_write,      sock_read,
+    NULL /* puts */, NULL /* gets, */,
+    sock_ctrl,       sock_new,
+    sock_free,       NULL /* callback_ctrl */,
 };

 const BIO_METHOD *BIO_s_socket(void) { return &methods_sockp; }
@@ -33,6 +33,7 @@ OPENSSL_MSVC_PRAGMA(warning(pop))
 #endif

 #include "internal.h"
+#include "../internal.h"


 int bio_ip_and_port_to_socket_and_addr(int *out_sock,
@@ -45,7 +46,7 @@ int bio_ip_and_port_to_socket_and_addr(int *out_sock,

  *out_sock = -1;

-  memset(&hint, 0, sizeof(hint));
+  OPENSSL_memset(&hint, 0, sizeof(hint));
  hint.ai_family = AF_UNSPEC;
  hint.ai_socktype = SOCK_STREAM;

@@ -62,8 +63,8 @@ int bio_ip_and_port_to_socket_and_addr(int *out_sock,
    if ((size_t) cur->ai_addrlen > sizeof(struct sockaddr_storage)) {
      continue;
    }
-    memset(out_addr, 0, sizeof(struct sockaddr_storage));
-    memcpy(out_addr, cur->ai_addr, cur->ai_addrlen);
+    OPENSSL_memset(out_addr, 0, sizeof(struct sockaddr_storage));
+    OPENSSL_memcpy(out_addr, cur->ai_addr, cur->ai_addrlen);
    *out_addr_length = cur->ai_addrlen;

    *out_sock = socket(cur->ai_family, cur->ai_socktype, cur->ai_protocol);
@@ -1,89 +0,0 @@
-include_directories(../../include)
-
-if (${ARCH} STREQUAL "x86_64")
-  set(
-    BN_ARCH_SOURCES
-
-    x86_64-mont.${ASM_EXT}
-    x86_64-mont5.${ASM_EXT}
-    rsaz-x86_64.${ASM_EXT}
-    rsaz-avx2.${ASM_EXT}
-
-    rsaz_exp.c
-  )
-endif()
-
-if (${ARCH} STREQUAL "x86")
-  set(
-    BN_ARCH_SOURCES
-
-    bn-586.${ASM_EXT}
-    co-586.${ASM_EXT}
-    x86-mont.${ASM_EXT}
-  )
-endif()
-
-if (${ARCH} STREQUAL "arm")
-  set(
-    BN_ARCH_SOURCES
-
-    armv4-mont.${ASM_EXT}
-  )
-endif()
-
-if (${ARCH} STREQUAL "aarch64")
-  set(
-    BN_ARCH_SOURCES
-
-    armv8-mont.${ASM_EXT}
-  )
-endif()
-
-add_library(
-  bn
-
-  OBJECT
-
-  add.c
-  asm/x86_64-gcc.c
-  bn.c
-  bn_asn1.c
-  cmp.c
-  convert.c
-  ctx.c
-  div.c
-  exponentiation.c
-  generic.c
-  gcd.c
-  kronecker.c
-  montgomery.c
-  montgomery_inv.c
-  mul.c
-  prime.c
-  random.c
-  shift.c
-  sqrt.c
-
-  ${BN_ARCH_SOURCES}
-)
-
-perlasm(x86_64-mont.${ASM_EXT} asm/x86_64-mont.pl)
-perlasm(x86_64-mont5.${ASM_EXT} asm/x86_64-mont5.pl)
-perlasm(rsaz-x86_64.${ASM_EXT} asm/rsaz-x86_64.pl)
-perlasm(rsaz-avx2.${ASM_EXT} asm/rsaz-avx2.pl)
-perlasm(bn-586.${ASM_EXT} asm/bn-586.pl)
-perlasm(co-586.${ASM_EXT} asm/co-586.pl)
-perlasm(x86-mont.${ASM_EXT} asm/x86-mont.pl)
-perlasm(armv4-mont.${ASM_EXT} asm/armv4-mont.pl)
-perlasm(armv8-mont.${ASM_EXT} asm/armv8-mont.pl)
-
-add_executable(
-  bn_test
-
-  bn_test.cc
-
-  $<TARGET_OBJECTS:test_support>
-)
-
-target_link_libraries(bn_test crypto)
-add_dependencies(all_tests bn_test)
@@ -1,693 +0,0 @@
-#!/usr/bin/env perl
-
-# ====================================================================
-# Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
-# project. The module is, however, dual licensed under OpenSSL and
-# CRYPTOGAMS licenses depending on where you obtain it. For further
-# details see http://www.openssl.org/~appro/cryptogams/.
-# ====================================================================
-
-# January 2007.
-
-# Montgomery multiplication for ARMv4.
-#
-# Performance improvement naturally varies among CPU implementations
-# and compilers. The code was observed to provide +65-35% improvement
-# [depending on key length, less for longer keys] on ARM920T, and
-# +115-80% on Intel IXP425. This is compared to pre-bn_mul_mont code
-# base and compiler generated code with in-lined umull and even umlal
-# instructions. The latter means that this code didn't really have an 
-# "advantage" of utilizing some "secret" instruction.
-#
-# The code is interoperable with Thumb ISA and is rather compact, less
-# than 1/2KB. Windows CE port would be trivial, as it's exclusively
-# about decorations, ABI and instruction syntax are identical.
-
-# November 2013
-#
-# Add NEON code path, which handles lengths divisible by 8. RSA/DSA
-# performance improvement on Cortex-A8 is ~45-100% depending on key
-# length, more for longer keys. On Cortex-A15 the span is ~10-105%.
-# On Snapdragon S4 improvement was measured to vary from ~70% to
-# incredible ~380%, yes, 4.8x faster, for RSA4096 sign. But this is
-# rather because original integer-only code seems to perform
-# suboptimally on S4. Situation on Cortex-A9 is unfortunately
-# different. It's being looked into, but the trouble is that
-# performance for vectors longer than 256 bits is actually couple
-# of percent worse than for integer-only code. The code is chosen
-# for execution on all NEON-capable processors, because gain on
-# others outweighs the marginal loss on Cortex-A9.
-
-$flavour = shift;
-if ($flavour=~/\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; }
-else { while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {} }
-
-if ($flavour && $flavour ne "void") {
-    $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-    ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
-    ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
-    die "can't locate arm-xlate.pl";
-
-    open STDOUT,"| \"$^X\" $xlate $flavour $output";
-} else {
-    open STDOUT,">$output";
-}
-
-$num="r0";	# starts as num argument, but holds &tp[num-1]
-$ap="r1";
-$bp="r2"; $bi="r2"; $rp="r2";
-$np="r3";
-$tp="r4";
-$aj="r5";
-$nj="r6";
-$tj="r7";
-$n0="r8";
-###########	# r9 is reserved by ELF as platform specific, e.g. TLS pointer
-$alo="r10";	# sl, gcc uses it to keep @GOT
-$ahi="r11";	# fp
-$nlo="r12";	# ip
-###########	# r13 is stack pointer
-$nhi="r14";	# lr
-###########	# r15 is program counter
-
-#### argument block layout relative to &tp[num-1], a.k.a. $num
-$_rp="$num,#12*4";
-# ap permanently resides in r1
-$_bp="$num,#13*4";
-# np permanently resides in r3
-$_n0="$num,#14*4";
-$_num="$num,#15*4";	$_bpend=$_num;
-
-$code=<<___;
-#include <openssl/arm_arch.h>
-
-.text
-.code	32
-
-#if __ARM_MAX_ARCH__>=7
-.align	5
-.LOPENSSL_armcap:
-.word	OPENSSL_armcap_P-.Lbn_mul_mont
-#endif
-
-.global	bn_mul_mont
-.type	bn_mul_mont,%function
-
-.align	5
-bn_mul_mont:
-.Lbn_mul_mont:
-	ldr	ip,[sp,#4]		@ load num
-	stmdb	sp!,{r0,r2}		@ sp points at argument block
-#if __ARM_MAX_ARCH__>=7
-	tst	ip,#7
-	bne	.Lialu
-	adr	r0,bn_mul_mont
-	ldr	r2,.LOPENSSL_armcap
-	ldr	r0,[r0,r2]
-#ifdef	__APPLE__
-	ldr	r0,[r0]
-#endif
-	tst	r0,#ARMV7_NEON		@ NEON available?
-	ldmia	sp, {r0,r2}
-	beq	.Lialu
-	add	sp,sp,#8
-	b	bn_mul8x_mont_neon
-.align	4
-.Lialu:
-#endif
-	cmp	ip,#2
-	mov	$num,ip			@ load num
-	movlt	r0,#0
-	addlt	sp,sp,#2*4
-	blt	.Labrt
-
-	stmdb	sp!,{r4-r12,lr}		@ save 10 registers
-
-	mov	$num,$num,lsl#2		@ rescale $num for byte count
-	sub	sp,sp,$num		@ alloca(4*num)
-	sub	sp,sp,#4		@ +extra dword
-	sub	$num,$num,#4		@ "num=num-1"
-	add	$tp,$bp,$num		@ &bp[num-1]
-
-	add	$num,sp,$num		@ $num to point at &tp[num-1]
-	ldr	$n0,[$_n0]		@ &n0
-	ldr	$bi,[$bp]		@ bp[0]
-	ldr	$aj,[$ap],#4		@ ap[0],ap++
-	ldr	$nj,[$np],#4		@ np[0],np++
-	ldr	$n0,[$n0]		@ *n0
-	str	$tp,[$_bpend]		@ save &bp[num]
-
-	umull	$alo,$ahi,$aj,$bi	@ ap[0]*bp[0]
-	str	$n0,[$_n0]		@ save n0 value
-	mul	$n0,$alo,$n0		@ "tp[0]"*n0
-	mov	$nlo,#0
-	umlal	$alo,$nlo,$nj,$n0	@ np[0]*n0+"t[0]"
-	mov	$tp,sp
-
-.L1st:
-	ldr	$aj,[$ap],#4		@ ap[j],ap++
-	mov	$alo,$ahi
-	ldr	$nj,[$np],#4		@ np[j],np++
-	mov	$ahi,#0
-	umlal	$alo,$ahi,$aj,$bi	@ ap[j]*bp[0]
-	mov	$nhi,#0
-	umlal	$nlo,$nhi,$nj,$n0	@ np[j]*n0
-	adds	$nlo,$nlo,$alo
-	str	$nlo,[$tp],#4		@ tp[j-1]=,tp++
-	adc	$nlo,$nhi,#0
-	cmp	$tp,$num
-	bne	.L1st
-
-	adds	$nlo,$nlo,$ahi
-	ldr	$tp,[$_bp]		@ restore bp
-	mov	$nhi,#0
-	ldr	$n0,[$_n0]		@ restore n0
-	adc	$nhi,$nhi,#0
-	str	$nlo,[$num]		@ tp[num-1]=
-	str	$nhi,[$num,#4]		@ tp[num]=
-
-.Louter:
-	sub	$tj,$num,sp		@ "original" $num-1 value
-	sub	$ap,$ap,$tj		@ "rewind" ap to &ap[1]
-	ldr	$bi,[$tp,#4]!		@ *(++bp)
-	sub	$np,$np,$tj		@ "rewind" np to &np[1]
-	ldr	$aj,[$ap,#-4]		@ ap[0]
-	ldr	$alo,[sp]		@ tp[0]
-	ldr	$nj,[$np,#-4]		@ np[0]
-	ldr	$tj,[sp,#4]		@ tp[1]
-
-	mov	$ahi,#0
-	umlal	$alo,$ahi,$aj,$bi	@ ap[0]*bp[i]+tp[0]
-	str	$tp,[$_bp]		@ save bp
-	mul	$n0,$alo,$n0
-	mov	$nlo,#0
-	umlal	$alo,$nlo,$nj,$n0	@ np[0]*n0+"tp[0]"
-	mov	$tp,sp
-
-.Linner:
-	ldr	$aj,[$ap],#4		@ ap[j],ap++
-	adds	$alo,$ahi,$tj		@ +=tp[j]
-	ldr	$nj,[$np],#4		@ np[j],np++
-	mov	$ahi,#0
-	umlal	$alo,$ahi,$aj,$bi	@ ap[j]*bp[i]
-	mov	$nhi,#0
-	umlal	$nlo,$nhi,$nj,$n0	@ np[j]*n0
-	adc	$ahi,$ahi,#0
-	ldr	$tj,[$tp,#8]		@ tp[j+1]
-	adds	$nlo,$nlo,$alo
-	str	$nlo,[$tp],#4		@ tp[j-1]=,tp++
-	adc	$nlo,$nhi,#0
-	cmp	$tp,$num
-	bne	.Linner
-
-	adds	$nlo,$nlo,$ahi
-	mov	$nhi,#0
-	ldr	$tp,[$_bp]		@ restore bp
-	adc	$nhi,$nhi,#0
-	ldr	$n0,[$_n0]		@ restore n0
-	adds	$nlo,$nlo,$tj
-	ldr	$tj,[$_bpend]		@ restore &bp[num]
-	adc	$nhi,$nhi,#0
-	str	$nlo,[$num]		@ tp[num-1]=
-	str	$nhi,[$num,#4]		@ tp[num]=
-
-	cmp	$tp,$tj
-	bne	.Louter
-
-	ldr	$rp,[$_rp]		@ pull rp
-	add	$num,$num,#4		@ $num to point at &tp[num]
-	sub	$aj,$num,sp		@ "original" num value
-	mov	$tp,sp			@ "rewind" $tp
-	mov	$ap,$tp			@ "borrow" $ap
-	sub	$np,$np,$aj		@ "rewind" $np to &np[0]
-
-	subs	$tj,$tj,$tj		@ "clear" carry flag
-.Lsub:	ldr	$tj,[$tp],#4
-	ldr	$nj,[$np],#4
-	sbcs	$tj,$tj,$nj		@ tp[j]-np[j]
-	str	$tj,[$rp],#4		@ rp[j]=
-	teq	$tp,$num		@ preserve carry
-	bne	.Lsub
-	sbcs	$nhi,$nhi,#0		@ upmost carry
-	mov	$tp,sp			@ "rewind" $tp
-	sub	$rp,$rp,$aj		@ "rewind" $rp
-
-	and	$ap,$tp,$nhi
-	bic	$np,$rp,$nhi
-	orr	$ap,$ap,$np		@ ap=borrow?tp:rp
-
-.Lcopy:	ldr	$tj,[$ap],#4		@ copy or in-place refresh
-	str	sp,[$tp],#4		@ zap tp
-	str	$tj,[$rp],#4
-	cmp	$tp,$num
-	bne	.Lcopy
-
-	add	sp,$num,#4		@ skip over tp[num+1]
-	ldmia	sp!,{r4-r12,lr}		@ restore registers
-	add	sp,sp,#2*4		@ skip over {r0,r2}
-	mov	r0,#1
-.Labrt:
-#if __ARM_ARCH__>=5
-	ret				@ bx lr
-#else
-	tst	lr,#1
-	moveq	pc,lr			@ be binary compatible with V4, yet
-	bx	lr			@ interoperable with Thumb ISA:-)
-#endif
-.size	bn_mul_mont,.-bn_mul_mont
-___
-{
-sub Dlo()   { shift=~m|q([1]?[0-9])|?"d".($1*2):"";     }
-sub Dhi()   { shift=~m|q([1]?[0-9])|?"d".($1*2+1):"";   }
-
-my ($A0,$A1,$A2,$A3)=map("d$_",(0..3));
-my ($N0,$N1,$N2,$N3)=map("d$_",(4..7));
-my ($Z,$Temp)=("q4","q5");
-my ($A0xB,$A1xB,$A2xB,$A3xB,$A4xB,$A5xB,$A6xB,$A7xB)=map("q$_",(6..13));
-my ($Bi,$Ni,$M0)=map("d$_",(28..31));
-my $zero=&Dlo($Z);
-my $temp=&Dlo($Temp);
-
-my ($rptr,$aptr,$bptr,$nptr,$n0,$num)=map("r$_",(0..5));
-my ($tinptr,$toutptr,$inner,$outer)=map("r$_",(6..9));
-
-$code.=<<___;
-#if __ARM_MAX_ARCH__>=7
-.arch	armv7-a
-.fpu	neon
-
-.type	bn_mul8x_mont_neon,%function
-.align	5
-bn_mul8x_mont_neon:
-	mov	ip,sp
-	stmdb	sp!,{r4-r11}
-	vstmdb	sp!,{d8-d15}		@ ABI specification says so
-	ldmia	ip,{r4-r5}		@ load rest of parameter block
-
-	sub		$toutptr,sp,#16
-	vld1.32		{${Bi}[0]}, [$bptr,:32]!
-	sub		$toutptr,$toutptr,$num,lsl#4
-	vld1.32		{$A0-$A3},  [$aptr]!		@ can't specify :32 :-(
-	and		$toutptr,$toutptr,#-64
-	vld1.32		{${M0}[0]}, [$n0,:32]
-	mov		sp,$toutptr			@ alloca
-	veor		$zero,$zero,$zero
-	subs		$inner,$num,#8
-	vzip.16		$Bi,$zero
-
-	vmull.u32	$A0xB,$Bi,${A0}[0]
-	vmull.u32	$A1xB,$Bi,${A0}[1]
-	vmull.u32	$A2xB,$Bi,${A1}[0]
-	vshl.i64	$temp,`&Dhi("$A0xB")`,#16
-	vmull.u32	$A3xB,$Bi,${A1}[1]
-
-	vadd.u64	$temp,$temp,`&Dlo("$A0xB")`
-	veor		$zero,$zero,$zero
-	vmul.u32	$Ni,$temp,$M0
-
-	vmull.u32	$A4xB,$Bi,${A2}[0]
-	 vld1.32	{$N0-$N3}, [$nptr]!
-	vmull.u32	$A5xB,$Bi,${A2}[1]
-	vmull.u32	$A6xB,$Bi,${A3}[0]
-	vzip.16		$Ni,$zero
-	vmull.u32	$A7xB,$Bi,${A3}[1]
-
-	bne	.LNEON_1st
-
-	@ special case for num=8, everything is in register bank...
-
-	vmlal.u32	$A0xB,$Ni,${N0}[0]
-	sub		$outer,$num,#1
-	vmlal.u32	$A1xB,$Ni,${N0}[1]
-	vmlal.u32	$A2xB,$Ni,${N1}[0]
-	vmlal.u32	$A3xB,$Ni,${N1}[1]
-
-	vmlal.u32	$A4xB,$Ni,${N2}[0]
-	vmov		$Temp,$A0xB
-	vmlal.u32	$A5xB,$Ni,${N2}[1]
-	vmov		$A0xB,$A1xB
-	vmlal.u32	$A6xB,$Ni,${N3}[0]
-	vmov		$A1xB,$A2xB
-	vmlal.u32	$A7xB,$Ni,${N3}[1]
-	vmov		$A2xB,$A3xB
-	vmov		$A3xB,$A4xB
-	vshr.u64	$temp,$temp,#16
-	vmov		$A4xB,$A5xB
-	vmov		$A5xB,$A6xB
-	vadd.u64	$temp,$temp,`&Dhi("$Temp")`
-	vmov		$A6xB,$A7xB
-	veor		$A7xB,$A7xB
-	vshr.u64	$temp,$temp,#16
-
-	b	.LNEON_outer8
-
-.align	4
-.LNEON_outer8:
-	vld1.32		{${Bi}[0]}, [$bptr,:32]!
-	veor		$zero,$zero,$zero
-	vzip.16		$Bi,$zero
-	vadd.u64	`&Dlo("$A0xB")`,`&Dlo("$A0xB")`,$temp
-
-	vmlal.u32	$A0xB,$Bi,${A0}[0]
-	vmlal.u32	$A1xB,$Bi,${A0}[1]
-	vmlal.u32	$A2xB,$Bi,${A1}[0]
-	vshl.i64	$temp,`&Dhi("$A0xB")`,#16
-	vmlal.u32	$A3xB,$Bi,${A1}[1]
-
-	vadd.u64	$temp,$temp,`&Dlo("$A0xB")`
-	veor		$zero,$zero,$zero
-	subs		$outer,$outer,#1
-	vmul.u32	$Ni,$temp,$M0
-
-	vmlal.u32	$A4xB,$Bi,${A2}[0]
-	vmlal.u32	$A5xB,$Bi,${A2}[1]
-	vmlal.u32	$A6xB,$Bi,${A3}[0]
-	vzip.16		$Ni,$zero
-	vmlal.u32	$A7xB,$Bi,${A3}[1]
-
-	vmlal.u32	$A0xB,$Ni,${N0}[0]
-	vmlal.u32	$A1xB,$Ni,${N0}[1]
-	vmlal.u32	$A2xB,$Ni,${N1}[0]
-	vmlal.u32	$A3xB,$Ni,${N1}[1]
-
-	vmlal.u32	$A4xB,$Ni,${N2}[0]
-	vmov		$Temp,$A0xB
-	vmlal.u32	$A5xB,$Ni,${N2}[1]
-	vmov		$A0xB,$A1xB
-	vmlal.u32	$A6xB,$Ni,${N3}[0]
-	vmov		$A1xB,$A2xB
-	vmlal.u32	$A7xB,$Ni,${N3}[1]
-	vmov		$A2xB,$A3xB
-	vmov		$A3xB,$A4xB
-	vshr.u64	$temp,$temp,#16
-	vmov		$A4xB,$A5xB
-	vmov		$A5xB,$A6xB
-	vadd.u64	$temp,$temp,`&Dhi("$Temp")`
-	vmov		$A6xB,$A7xB
-	veor		$A7xB,$A7xB
-	vshr.u64	$temp,$temp,#16
-
-	bne	.LNEON_outer8
-
-	vadd.u64	`&Dlo("$A0xB")`,`&Dlo("$A0xB")`,$temp
-	mov		$toutptr,sp
-	vshr.u64	$temp,`&Dlo("$A0xB")`,#16
-	mov		$inner,$num
-	vadd.u64	`&Dhi("$A0xB")`,`&Dhi("$A0xB")`,$temp
-	add		$tinptr,sp,#16
-	vshr.u64	$temp,`&Dhi("$A0xB")`,#16
-	vzip.16		`&Dlo("$A0xB")`,`&Dhi("$A0xB")`
-
-	b	.LNEON_tail2
-
-.align	4
-.LNEON_1st:
-	vmlal.u32	$A0xB,$Ni,${N0}[0]
-	 vld1.32	{$A0-$A3}, [$aptr]!
-	vmlal.u32	$A1xB,$Ni,${N0}[1]
-	subs		$inner,$inner,#8
-	vmlal.u32	$A2xB,$Ni,${N1}[0]
-	vmlal.u32	$A3xB,$Ni,${N1}[1]
-
-	vmlal.u32	$A4xB,$Ni,${N2}[0]
-	 vld1.32	{$N0-$N1}, [$nptr]!
-	vmlal.u32	$A5xB,$Ni,${N2}[1]
-	 vst1.64	{$A0xB-$A1xB}, [$toutptr,:256]!
-	vmlal.u32	$A6xB,$Ni,${N3}[0]
-	vmlal.u32	$A7xB,$Ni,${N3}[1]
-	 vst1.64	{$A2xB-$A3xB}, [$toutptr,:256]!
-
-	vmull.u32	$A0xB,$Bi,${A0}[0]
-	 vld1.32	{$N2-$N3}, [$nptr]!
-	vmull.u32	$A1xB,$Bi,${A0}[1]
-	 vst1.64	{$A4xB-$A5xB}, [$toutptr,:256]!
-	vmull.u32	$A2xB,$Bi,${A1}[0]
-	vmull.u32	$A3xB,$Bi,${A1}[1]
-	 vst1.64	{$A6xB-$A7xB}, [$toutptr,:256]!
-
-	vmull.u32	$A4xB,$Bi,${A2}[0]
-	vmull.u32	$A5xB,$Bi,${A2}[1]
-	vmull.u32	$A6xB,$Bi,${A3}[0]
-	vmull.u32	$A7xB,$Bi,${A3}[1]
-
-	bne	.LNEON_1st
-
-	vmlal.u32	$A0xB,$Ni,${N0}[0]
-	add		$tinptr,sp,#16
-	vmlal.u32	$A1xB,$Ni,${N0}[1]
-	sub		$aptr,$aptr,$num,lsl#2		@ rewind $aptr
-	vmlal.u32	$A2xB,$Ni,${N1}[0]
-	 vld1.64	{$Temp}, [sp,:128]
-	vmlal.u32	$A3xB,$Ni,${N1}[1]
-	sub		$outer,$num,#1
-
-	vmlal.u32	$A4xB,$Ni,${N2}[0]
-	vst1.64		{$A0xB-$A1xB}, [$toutptr,:256]!
-	vmlal.u32	$A5xB,$Ni,${N2}[1]
-	vshr.u64	$temp,$temp,#16
-	 vld1.64	{$A0xB},       [$tinptr, :128]!
-	vmlal.u32	$A6xB,$Ni,${N3}[0]
-	vst1.64		{$A2xB-$A3xB}, [$toutptr,:256]!
-	vmlal.u32	$A7xB,$Ni,${N3}[1]
-
-	vst1.64		{$A4xB-$A5xB}, [$toutptr,:256]!
-	vadd.u64	$temp,$temp,`&Dhi("$Temp")`
-	veor		$Z,$Z,$Z
-	vst1.64		{$A6xB-$A7xB}, [$toutptr,:256]!
-	 vld1.64	{$A1xB-$A2xB}, [$tinptr, :256]!
-	vst1.64		{$Z},          [$toutptr,:128]
-	vshr.u64	$temp,$temp,#16
-
-	b		.LNEON_outer
-
-.align	4
-.LNEON_outer:
-	vld1.32		{${Bi}[0]}, [$bptr,:32]!
-	sub		$nptr,$nptr,$num,lsl#2		@ rewind $nptr
-	vld1.32		{$A0-$A3},  [$aptr]!
-	veor		$zero,$zero,$zero
-	mov		$toutptr,sp
-	vzip.16		$Bi,$zero
-	sub		$inner,$num,#8
-	vadd.u64	`&Dlo("$A0xB")`,`&Dlo("$A0xB")`,$temp
-
-	vmlal.u32	$A0xB,$Bi,${A0}[0]
-	 vld1.64	{$A3xB-$A4xB},[$tinptr,:256]!
-	vmlal.u32	$A1xB,$Bi,${A0}[1]
-	vmlal.u32	$A2xB,$Bi,${A1}[0]
-	 vld1.64	{$A5xB-$A6xB},[$tinptr,:256]!
-	vmlal.u32	$A3xB,$Bi,${A1}[1]
-
-	vshl.i64	$temp,`&Dhi("$A0xB")`,#16
-	veor		$zero,$zero,$zero
-	vadd.u64	$temp,$temp,`&Dlo("$A0xB")`
-	 vld1.64	{$A7xB},[$tinptr,:128]!
-	vmul.u32	$Ni,$temp,$M0
-
-	vmlal.u32	$A4xB,$Bi,${A2}[0]
-	 vld1.32	{$N0-$N3}, [$nptr]!
-	vmlal.u32	$A5xB,$Bi,${A2}[1]
-	vmlal.u32	$A6xB,$Bi,${A3}[0]
-	vzip.16		$Ni,$zero
-	vmlal.u32	$A7xB,$Bi,${A3}[1]
-
-.LNEON_inner:
-	vmlal.u32	$A0xB,$Ni,${N0}[0]
-	 vld1.32	{$A0-$A3}, [$aptr]!
-	vmlal.u32	$A1xB,$Ni,${N0}[1]
-	 subs		$inner,$inner,#8
-	vmlal.u32	$A2xB,$Ni,${N1}[0]
-	vmlal.u32	$A3xB,$Ni,${N1}[1]
-	vst1.64		{$A0xB-$A1xB}, [$toutptr,:256]!
-
-	vmlal.u32	$A4xB,$Ni,${N2}[0]
-	 vld1.64	{$A0xB},       [$tinptr, :128]!
-	vmlal.u32	$A5xB,$Ni,${N2}[1]
-	vst1.64		{$A2xB-$A3xB}, [$toutptr,:256]!
-	vmlal.u32	$A6xB,$Ni,${N3}[0]
-	 vld1.64	{$A1xB-$A2xB}, [$tinptr, :256]!
-	vmlal.u32	$A7xB,$Ni,${N3}[1]
-	vst1.64		{$A4xB-$A5xB}, [$toutptr,:256]!
-
-	vmlal.u32	$A0xB,$Bi,${A0}[0]
-	 vld1.64	{$A3xB-$A4xB}, [$tinptr, :256]!
-	vmlal.u32	$A1xB,$Bi,${A0}[1]
-	vst1.64		{$A6xB-$A7xB}, [$toutptr,:256]!
-	vmlal.u32	$A2xB,$Bi,${A1}[0]
-	 vld1.64	{$A5xB-$A6xB}, [$tinptr, :256]!
-	vmlal.u32	$A3xB,$Bi,${A1}[1]
-	 vld1.32	{$N0-$N3}, [$nptr]!
-
-	vmlal.u32	$A4xB,$Bi,${A2}[0]
-	 vld1.64	{$A7xB},       [$tinptr, :128]!
-	vmlal.u32	$A5xB,$Bi,${A2}[1]
-	vmlal.u32	$A6xB,$Bi,${A3}[0]
-	vmlal.u32	$A7xB,$Bi,${A3}[1]
-
-	bne	.LNEON_inner
-
-	vmlal.u32	$A0xB,$Ni,${N0}[0]
-	add		$tinptr,sp,#16
-	vmlal.u32	$A1xB,$Ni,${N0}[1]
-	sub		$aptr,$aptr,$num,lsl#2		@ rewind $aptr
-	vmlal.u32	$A2xB,$Ni,${N1}[0]
-	 vld1.64	{$Temp}, [sp,:128]
-	vmlal.u32	$A3xB,$Ni,${N1}[1]
-	subs		$outer,$outer,#1
-
-	vmlal.u32	$A4xB,$Ni,${N2}[0]
-	vst1.64		{$A0xB-$A1xB}, [$toutptr,:256]!
-	vmlal.u32	$A5xB,$Ni,${N2}[1]
-	 vld1.64	{$A0xB},       [$tinptr, :128]!
-	vshr.u64	$temp,$temp,#16
-	vst1.64		{$A2xB-$A3xB}, [$toutptr,:256]!
-	vmlal.u32	$A6xB,$Ni,${N3}[0]
-	 vld1.64	{$A1xB-$A2xB}, [$tinptr, :256]!
-	vmlal.u32	$A7xB,$Ni,${N3}[1]
-
-	vst1.64		{$A4xB-$A5xB}, [$toutptr,:256]!
-	vadd.u64	$temp,$temp,`&Dhi("$Temp")`
-	vst1.64		{$A6xB-$A7xB}, [$toutptr,:256]!
-	vshr.u64	$temp,$temp,#16
-
-	bne	.LNEON_outer
-
-	mov		$toutptr,sp
-	mov		$inner,$num
-
-.LNEON_tail:
-	vadd.u64	`&Dlo("$A0xB")`,`&Dlo("$A0xB")`,$temp
-	vld1.64		{$A3xB-$A4xB}, [$tinptr, :256]!
-	vshr.u64	$temp,`&Dlo("$A0xB")`,#16
-	vadd.u64	`&Dhi("$A0xB")`,`&Dhi("$A0xB")`,$temp
-	vld1.64		{$A5xB-$A6xB}, [$tinptr, :256]!
-	vshr.u64	$temp,`&Dhi("$A0xB")`,#16
-	vld1.64		{$A7xB},       [$tinptr, :128]!
-	vzip.16		`&Dlo("$A0xB")`,`&Dhi("$A0xB")`
-
-.LNEON_tail2:
-	vadd.u64	`&Dlo("$A1xB")`,`&Dlo("$A1xB")`,$temp
-	vst1.32		{`&Dlo("$A0xB")`[0]}, [$toutptr, :32]!
-	vshr.u64	$temp,`&Dlo("$A1xB")`,#16
-	vadd.u64	`&Dhi("$A1xB")`,`&Dhi("$A1xB")`,$temp
-	vshr.u64	$temp,`&Dhi("$A1xB")`,#16
-	vzip.16		`&Dlo("$A1xB")`,`&Dhi("$A1xB")`
-
-	vadd.u64	`&Dlo("$A2xB")`,`&Dlo("$A2xB")`,$temp
-	vst1.32		{`&Dlo("$A1xB")`[0]}, [$toutptr, :32]!
-	vshr.u64	$temp,`&Dlo("$A2xB")`,#16
-	vadd.u64	`&Dhi("$A2xB")`,`&Dhi("$A2xB")`,$temp
-	vshr.u64	$temp,`&Dhi("$A2xB")`,#16
-	vzip.16		`&Dlo("$A2xB")`,`&Dhi("$A2xB")`
-
-	vadd.u64	`&Dlo("$A3xB")`,`&Dlo("$A3xB")`,$temp
-	vst1.32		{`&Dlo("$A2xB")`[0]}, [$toutptr, :32]!
-	vshr.u64	$temp,`&Dlo("$A3xB")`,#16
-	vadd.u64	`&Dhi("$A3xB")`,`&Dhi("$A3xB")`,$temp
-	vshr.u64	$temp,`&Dhi("$A3xB")`,#16
-	vzip.16		`&Dlo("$A3xB")`,`&Dhi("$A3xB")`
-
-	vadd.u64	`&Dlo("$A4xB")`,`&Dlo("$A4xB")`,$temp
-	vst1.32		{`&Dlo("$A3xB")`[0]}, [$toutptr, :32]!
-	vshr.u64	$temp,`&Dlo("$A4xB")`,#16
-	vadd.u64	`&Dhi("$A4xB")`,`&Dhi("$A4xB")`,$temp
-	vshr.u64	$temp,`&Dhi("$A4xB")`,#16
-	vzip.16		`&Dlo("$A4xB")`,`&Dhi("$A4xB")`
-
-	vadd.u64	`&Dlo("$A5xB")`,`&Dlo("$A5xB")`,$temp
-	vst1.32		{`&Dlo("$A4xB")`[0]}, [$toutptr, :32]!
-	vshr.u64	$temp,`&Dlo("$A5xB")`,#16
-	vadd.u64	`&Dhi("$A5xB")`,`&Dhi("$A5xB")`,$temp
-	vshr.u64	$temp,`&Dhi("$A5xB")`,#16
-	vzip.16		`&Dlo("$A5xB")`,`&Dhi("$A5xB")`
-
-	vadd.u64	`&Dlo("$A6xB")`,`&Dlo("$A6xB")`,$temp
-	vst1.32		{`&Dlo("$A5xB")`[0]}, [$toutptr, :32]!
-	vshr.u64	$temp,`&Dlo("$A6xB")`,#16
-	vadd.u64	`&Dhi("$A6xB")`,`&Dhi("$A6xB")`,$temp
-	vld1.64		{$A0xB}, [$tinptr, :128]!
-	vshr.u64	$temp,`&Dhi("$A6xB")`,#16
-	vzip.16		`&Dlo("$A6xB")`,`&Dhi("$A6xB")`
-
-	vadd.u64	`&Dlo("$A7xB")`,`&Dlo("$A7xB")`,$temp
-	vst1.32		{`&Dlo("$A6xB")`[0]}, [$toutptr, :32]!
-	vshr.u64	$temp,`&Dlo("$A7xB")`,#16
-	vadd.u64	`&Dhi("$A7xB")`,`&Dhi("$A7xB")`,$temp
-	vld1.64		{$A1xB-$A2xB},	[$tinptr, :256]!
-	vshr.u64	$temp,`&Dhi("$A7xB")`,#16
-	vzip.16		`&Dlo("$A7xB")`,`&Dhi("$A7xB")`
-	subs		$inner,$inner,#8
-	vst1.32		{`&Dlo("$A7xB")`[0]}, [$toutptr, :32]!
-
-	bne	.LNEON_tail
-
-	vst1.32	{${temp}[0]}, [$toutptr, :32]		@ top-most bit
-	sub	$nptr,$nptr,$num,lsl#2			@ rewind $nptr
-	subs	$aptr,sp,#0				@ clear carry flag
-	add	$bptr,sp,$num,lsl#2
-
-.LNEON_sub:
-	ldmia	$aptr!, {r4-r7}
-	ldmia	$nptr!, {r8-r11}
-	sbcs	r8, r4,r8
-	sbcs	r9, r5,r9
-	sbcs	r10,r6,r10
-	sbcs	r11,r7,r11
-	teq	$aptr,$bptr				@ preserves carry
-	stmia	$rptr!, {r8-r11}
-	bne	.LNEON_sub
-
-	ldr	r10, [$aptr]				@ load top-most bit
-	veor	q0,q0,q0
-	sub	r11,$bptr,sp				@ this is num*4
-	veor	q1,q1,q1
-	mov	$aptr,sp
-	sub	$rptr,$rptr,r11				@ rewind $rptr
-	mov	$nptr,$bptr				@ second 3/4th of frame
-	sbcs	r10,r10,#0				@ result is carry flag
-
-.LNEON_copy_n_zap:
-	ldmia	$aptr!, {r4-r7}
-	ldmia	$rptr,  {r8-r11}
-	movcc	r8, r4
-	vst1.64	{q0-q1}, [$nptr,:256]!			@ wipe
-	movcc	r9, r5
-	movcc	r10,r6
-	vst1.64	{q0-q1}, [$nptr,:256]!			@ wipe
-	movcc	r11,r7
-	ldmia	$aptr, {r4-r7}
-	stmia	$rptr!, {r8-r11}
-	sub	$aptr,$aptr,#16
-	ldmia	$rptr, {r8-r11}
-	movcc	r8, r4
-	vst1.64	{q0-q1}, [$aptr,:256]!			@ wipe
-	movcc	r9, r5
-	movcc	r10,r6
-	vst1.64	{q0-q1}, [$nptr,:256]!			@ wipe
-	movcc	r11,r7
-	teq	$aptr,$bptr				@ preserves carry
-	stmia	$rptr!, {r8-r11}
-	bne	.LNEON_copy_n_zap
-
-	sub	sp,ip,#96
-        vldmia  sp!,{d8-d15}
-        ldmia   sp!,{r4-r11}
-	ret						@ bx lr
-.size	bn_mul8x_mont_neon,.-bn_mul8x_mont_neon
-#endif
-___
-}
-$code.=<<___;
-.asciz	"Montgomery multiplication for ARMv4/NEON, CRYPTOGAMS by <appro\@openssl.org>"
-.align	2
-#if __ARM_MAX_ARCH__>=7
-.comm	OPENSSL_armcap_P,4,4
-.hidden	OPENSSL_armcap_P
-#endif
-___
-
-$code =~ s/\`([^\`]*)\`/eval $1/gem;
-$code =~ s/\bbx\s+lr\b/.word\t0xe12fff1e/gm;	# make it possible to compile with -march=armv4
-$code =~ s/\bret\b/bx	lr/gm;
-print $code;
-close STDOUT;
@@ -1,531 +0,0 @@
-/* x86_64 BIGNUM accelerator version 0.1, December 2002.
- *
- * Implemented by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
- * project.
- *
- * Rights for redistribution and usage in source and binary forms are
- * granted according to the OpenSSL license. Warranty of any kind is
- * disclaimed.
- *
- * Q. Version 0.1? It doesn't sound like Andy, he used to assign real
- *    versions, like 1.0...
- * A. Well, that's because this code is basically a quick-n-dirty
- *    proof-of-concept hack. As you can see it's implemented with
- *    inline assembler, which means that you're bound to GCC and that
- *    there might be enough room for further improvement.
- *
- * Q. Why inline assembler?
- * A. x86_64 features own ABI which I'm not familiar with. This is
- *    why I decided to let the compiler take care of subroutine
- *    prologue/epilogue as well as register allocation. For reference.
- *    Win64 implements different ABI for AMD64, different from Linux.
- *
- * Q. How much faster does it get?
- * A. 'apps/openssl speed rsa dsa' output with no-asm:
- *
- *	                  sign    verify    sign/s verify/s
- *	rsa  512 bits   0.0006s   0.0001s   1683.8  18456.2
- *	rsa 1024 bits   0.0028s   0.0002s    356.0   6407.0
- *	rsa 2048 bits   0.0172s   0.0005s     58.0   1957.8
- *	rsa 4096 bits   0.1155s   0.0018s      8.7    555.6
- *	                  sign    verify    sign/s verify/s
- *	dsa  512 bits   0.0005s   0.0006s   2100.8   1768.3
- *	dsa 1024 bits   0.0014s   0.0018s    692.3    559.2
- *	dsa 2048 bits   0.0049s   0.0061s    204.7    165.0
- *
- *    'apps/openssl speed rsa dsa' output with this module:
- *
- *	                  sign    verify    sign/s verify/s
- *	rsa  512 bits   0.0004s   0.0000s   2767.1  33297.9
- *	rsa 1024 bits   0.0012s   0.0001s    867.4  14674.7
- *	rsa 2048 bits   0.0061s   0.0002s    164.0   5270.0
- *	rsa 4096 bits   0.0384s   0.0006s     26.1   1650.8
- *	                  sign    verify    sign/s verify/s
- *	dsa  512 bits   0.0002s   0.0003s   4442.2   3786.3
- *	dsa 1024 bits   0.0005s   0.0007s   1835.1   1497.4
- *	dsa 2048 bits   0.0016s   0.0020s    620.4    504.6
- *
- *    For the reference. IA-32 assembler implementation performs
- *    very much like 64-bit code compiled with no-asm on the same
- *    machine.
- */
-
-#include <openssl/bn.h>
-
-/* TODO(davidben): Get this file working on Windows x64. */
-#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__GNUC__)
-
-#include "../internal.h"
-
-
-#undef mul
-#undef mul_add
-
-#define asm __asm__
-
-/*
- * "m"(a), "+m"(r)	is the way to favor DirectPath µ-code;
- * "g"(0)		let the compiler to decide where does it
- *			want to keep the value of zero;
- */
-#define mul_add(r, a, word, carry)                                     \
-  do {                                                                 \
-    register BN_ULONG high, low;                                       \
-    asm("mulq %3" : "=a"(low), "=d"(high) : "a"(word), "m"(a) : "cc"); \
-    asm("addq %2,%0; adcq %3,%1"                                       \
-        : "+r"(carry), "+d"(high)                                      \
-        : "a"(low), "g"(0)                                             \
-        : "cc");                                                       \
-    asm("addq %2,%0; adcq %3,%1"                                       \
-        : "+m"(r), "+d"(high)                                          \
-        : "r"(carry), "g"(0)                                           \
-        : "cc");                                                       \
-    carry = high;                                                      \
-  } while (0)
-
-#define mul(r, a, word, carry)                                         \
-  do {                                                                 \
-    register BN_ULONG high, low;                                       \
-    asm("mulq %3" : "=a"(low), "=d"(high) : "a"(word), "g"(a) : "cc"); \
-    asm("addq %2,%0; adcq %3,%1"                                       \
-        : "+r"(carry), "+d"(high)                                      \
-        : "a"(low), "g"(0)                                             \
-        : "cc");                                                       \
-    (r) = carry, carry = high;                                         \
-  } while (0)
-#undef sqr
-#define sqr(r0, r1, a) asm("mulq %2" : "=a"(r0), "=d"(r1) : "a"(a) : "cc");
-
-BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num,
-                          BN_ULONG w) {
-  BN_ULONG c1 = 0;
-
-  if (num <= 0) {
-    return (c1);
-  }
-
-  while (num & ~3) {
-    mul_add(rp[0], ap[0], w, c1);
-    mul_add(rp[1], ap[1], w, c1);
-    mul_add(rp[2], ap[2], w, c1);
-    mul_add(rp[3], ap[3], w, c1);
-    ap += 4;
-    rp += 4;
-    num -= 4;
-  }
-  if (num) {
-    mul_add(rp[0], ap[0], w, c1);
-    if (--num == 0) {
-      return c1;
-    }
-    mul_add(rp[1], ap[1], w, c1);
-    if (--num == 0) {
-      return c1;
-    }
-    mul_add(rp[2], ap[2], w, c1);
-    return c1;
-  }
-
-  return c1;
-}
-
-BN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w) {
-  BN_ULONG c1 = 0;
-
-  if (num <= 0) {
-    return c1;
-  }
-
-  while (num & ~3) {
-    mul(rp[0], ap[0], w, c1);
-    mul(rp[1], ap[1], w, c1);
-    mul(rp[2], ap[2], w, c1);
-    mul(rp[3], ap[3], w, c1);
-    ap += 4;
-    rp += 4;
-    num -= 4;
-  }
-  if (num) {
-    mul(rp[0], ap[0], w, c1);
-    if (--num == 0) {
-      return c1;
-    }
-    mul(rp[1], ap[1], w, c1);
-    if (--num == 0) {
-      return c1;
-    }
-    mul(rp[2], ap[2], w, c1);
-  }
-  return c1;
-}
-
-void bn_sqr_words(BN_ULONG *r, const BN_ULONG *a, int n) {
-  if (n <= 0) {
-    return;
-  }
-
-  while (n & ~3) {
-    sqr(r[0], r[1], a[0]);
-    sqr(r[2], r[3], a[1]);
-    sqr(r[4], r[5], a[2]);
-    sqr(r[6], r[7], a[3]);
-    a += 4;
-    r += 8;
-    n -= 4;
-  }
-  if (n) {
-    sqr(r[0], r[1], a[0]);
-    if (--n == 0) {
-      return;
-    }
-    sqr(r[2], r[3], a[1]);
-    if (--n == 0) {
-      return;
-    }
-    sqr(r[4], r[5], a[2]);
-  }
-}
-
-BN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
-                      int n) {
-  BN_ULONG ret;
-  size_t i = 0;
-
-  if (n <= 0) {
-    return 0;
-  }
-
-  asm volatile (
-      "	subq	%0,%0		\n" /* clear carry */
-      "	jmp	1f		\n"
-      ".p2align 4			\n"
-      "1:	movq	(%4,%2,8),%0	\n"
-      "	adcq	(%5,%2,8),%0	\n"
-      "	movq	%0,(%3,%2,8)	\n"
-      "	lea	1(%2),%2	\n"
-      "	loop	1b		\n"
-      "	sbbq	%0,%0		\n"
-      : "=&r"(ret), "+c"(n), "+r"(i)
-      : "r"(rp), "r"(ap), "r"(bp)
-      : "cc", "memory");
-
-  return ret & 1;
-}
-
-BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
-                      int n) {
-  BN_ULONG ret;
-  size_t i = 0;
-
-  if (n <= 0) {
-    return 0;
-  }
-
-  asm volatile (
-      "	subq	%0,%0		\n" /* clear borrow */
-      "	jmp	1f		\n"
-      ".p2align 4			\n"
-      "1:	movq	(%4,%2,8),%0	\n"
-      "	sbbq	(%5,%2,8),%0	\n"
-      "	movq	%0,(%3,%2,8)	\n"
-      "	lea	1(%2),%2	\n"
-      "	loop	1b		\n"
-      "	sbbq	%0,%0		\n"
-      : "=&r"(ret), "+c"(n), "+r"(i)
-      : "r"(rp), "r"(ap), "r"(bp)
-      : "cc", "memory");
-
-  return ret & 1;
-}
-
-/* mul_add_c(a,b,c0,c1,c2)  -- c+=a*b for three word number c=(c2,c1,c0) */
-/* mul_add_c2(a,b,c0,c1,c2) -- c+=2*a*b for three word number c=(c2,c1,c0) */
-/* sqr_add_c(a,i,c0,c1,c2)  -- c+=a[i]^2 for three word number c=(c2,c1,c0) */
-/* sqr_add_c2(a,i,c0,c1,c2) -- c+=2*a[i]*a[j] for three word number c=(c2,c1,c0)
- */
-
-/* Keep in mind that carrying into high part of multiplication result can not
- * overflow, because it cannot be all-ones. */
-#define mul_add_c(a, b, c0, c1, c2)          \
-  do {                                       \
-    BN_ULONG t1, t2;                \
-    asm("mulq %3" : "=a"(t1), "=d"(t2) : "a"(a), "m"(b) : "cc"); \
-    asm("addq %3,%0; adcq %4,%1; adcq %5,%2" \
-        : "+r"(c0), "+r"(c1), "+r"(c2)       \
-        : "r"(t1), "r"(t2), "g"(0)           \
-        : "cc");                             \
-  } while (0)
-
-#define sqr_add_c(a, i, c0, c1, c2)          \
-  do {                                       \
-    BN_ULONG t1, t2;                         \
-    asm("mulq %2" : "=a"(t1), "=d"(t2) : "a"(a[i]) : "cc"); \
-    asm("addq %3,%0; adcq %4,%1; adcq %5,%2" \
-        : "+r"(c0), "+r"(c1), "+r"(c2)       \
-        : "r"(t1), "r"(t2), "g"(0)           \
-        : "cc");                             \
-  } while (0)
-
-#define mul_add_c2(a, b, c0, c1, c2)         \
-  do {                                       \
-    BN_ULONG t1, t2;                                                    \
-    asm("mulq %3" : "=a"(t1), "=d"(t2) : "a"(a), "m"(b) : "cc");        \
-    asm("addq %3,%0; adcq %4,%1; adcq %5,%2" \
-        : "+r"(c0), "+r"(c1), "+r"(c2)       \
-        : "r"(t1), "r"(t2), "g"(0)           \
-        : "cc");                             \
-    asm("addq %3,%0; adcq %4,%1; adcq %5,%2" \
-        : "+r"(c0), "+r"(c1), "+r"(c2)       \
-        : "r"(t1), "r"(t2), "g"(0)           \
-        : "cc");                             \
-  } while (0)
-
-#define sqr_add_c2(a, i, j, c0, c1, c2) mul_add_c2((a)[i], (a)[j], c0, c1, c2)
-
-void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b) {
-  BN_ULONG c1, c2, c3;
-
-  c1 = 0;
-  c2 = 0;
-  c3 = 0;
-  mul_add_c(a[0], b[0], c1, c2, c3);
-  r[0] = c1;
-  c1 = 0;
-  mul_add_c(a[0], b[1], c2, c3, c1);
-  mul_add_c(a[1], b[0], c2, c3, c1);
-  r[1] = c2;
-  c2 = 0;
-  mul_add_c(a[2], b[0], c3, c1, c2);
-  mul_add_c(a[1], b[1], c3, c1, c2);
-  mul_add_c(a[0], b[2], c3, c1, c2);
-  r[2] = c3;
-  c3 = 0;
-  mul_add_c(a[0], b[3], c1, c2, c3);
-  mul_add_c(a[1], b[2], c1, c2, c3);
-  mul_add_c(a[2], b[1], c1, c2, c3);
-  mul_add_c(a[3], b[0], c1, c2, c3);
-  r[3] = c1;
-  c1 = 0;
-  mul_add_c(a[4], b[0], c2, c3, c1);
-  mul_add_c(a[3], b[1], c2, c3, c1);
-  mul_add_c(a[2], b[2], c2, c3, c1);
-  mul_add_c(a[1], b[3], c2, c3, c1);
-  mul_add_c(a[0], b[4], c2, c3, c1);
-  r[4] = c2;
-  c2 = 0;
-  mul_add_c(a[0], b[5], c3, c1, c2);
-  mul_add_c(a[1], b[4], c3, c1, c2);
-  mul_add_c(a[2], b[3], c3, c1, c2);
-  mul_add_c(a[3], b[2], c3, c1, c2);
-  mul_add_c(a[4], b[1], c3, c1, c2);
-  mul_add_c(a[5], b[0], c3, c1, c2);
-  r[5] = c3;
-  c3 = 0;
-  mul_add_c(a[6], b[0], c1, c2, c3);
-  mul_add_c(a[5], b[1], c1, c2, c3);
-  mul_add_c(a[4], b[2], c1, c2, c3);
-  mul_add_c(a[3], b[3], c1, c2, c3);
-  mul_add_c(a[2], b[4], c1, c2, c3);
-  mul_add_c(a[1], b[5], c1, c2, c3);
-  mul_add_c(a[0], b[6], c1, c2, c3);
-  r[6] = c1;
-  c1 = 0;
-  mul_add_c(a[0], b[7], c2, c3, c1);
-  mul_add_c(a[1], b[6], c2, c3, c1);
-  mul_add_c(a[2], b[5], c2, c3, c1);
-  mul_add_c(a[3], b[4], c2, c3, c1);
-  mul_add_c(a[4], b[3], c2, c3, c1);
-  mul_add_c(a[5], b[2], c2, c3, c1);
-  mul_add_c(a[6], b[1], c2, c3, c1);
-  mul_add_c(a[7], b[0], c2, c3, c1);
-  r[7] = c2;
-  c2 = 0;
-  mul_add_c(a[7], b[1], c3, c1, c2);
-  mul_add_c(a[6], b[2], c3, c1, c2);
-  mul_add_c(a[5], b[3], c3, c1, c2);
-  mul_add_c(a[4], b[4], c3, c1, c2);
-  mul_add_c(a[3], b[5], c3, c1, c2);
-  mul_add_c(a[2], b[6], c3, c1, c2);
-  mul_add_c(a[1], b[7], c3, c1, c2);
-  r[8] = c3;
-  c3 = 0;
-  mul_add_c(a[2], b[7], c1, c2, c3);
-  mul_add_c(a[3], b[6], c1, c2, c3);
-  mul_add_c(a[4], b[5], c1, c2, c3);
-  mul_add_c(a[5], b[4], c1, c2, c3);
-  mul_add_c(a[6], b[3], c1, c2, c3);
-  mul_add_c(a[7], b[2], c1, c2, c3);
-  r[9] = c1;
-  c1 = 0;
-  mul_add_c(a[7], b[3], c2, c3, c1);
-  mul_add_c(a[6], b[4], c2, c3, c1);
-  mul_add_c(a[5], b[5], c2, c3, c1);
-  mul_add_c(a[4], b[6], c2, c3, c1);
-  mul_add_c(a[3], b[7], c2, c3, c1);
-  r[10] = c2;
-  c2 = 0;
-  mul_add_c(a[4], b[7], c3, c1, c2);
-  mul_add_c(a[5], b[6], c3, c1, c2);
-  mul_add_c(a[6], b[5], c3, c1, c2);
-  mul_add_c(a[7], b[4], c3, c1, c2);
-  r[11] = c3;
-  c3 = 0;
-  mul_add_c(a[7], b[5], c1, c2, c3);
-  mul_add_c(a[6], b[6], c1, c2, c3);
-  mul_add_c(a[5], b[7], c1, c2, c3);
-  r[12] = c1;
-  c1 = 0;
-  mul_add_c(a[6], b[7], c2, c3, c1);
-  mul_add_c(a[7], b[6], c2, c3, c1);
-  r[13] = c2;
-  c2 = 0;
-  mul_add_c(a[7], b[7], c3, c1, c2);
-  r[14] = c3;
-  r[15] = c1;
-}
-
-void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b) {
-  BN_ULONG c1, c2, c3;
-
-  c1 = 0;
-  c2 = 0;
-  c3 = 0;
-  mul_add_c(a[0], b[0], c1, c2, c3);
-  r[0] = c1;
-  c1 = 0;
-  mul_add_c(a[0], b[1], c2, c3, c1);
-  mul_add_c(a[1], b[0], c2, c3, c1);
-  r[1] = c2;
-  c2 = 0;
-  mul_add_c(a[2], b[0], c3, c1, c2);
-  mul_add_c(a[1], b[1], c3, c1, c2);
-  mul_add_c(a[0], b[2], c3, c1, c2);
-  r[2] = c3;
-  c3 = 0;
-  mul_add_c(a[0], b[3], c1, c2, c3);
-  mul_add_c(a[1], b[2], c1, c2, c3);
-  mul_add_c(a[2], b[1], c1, c2, c3);
-  mul_add_c(a[3], b[0], c1, c2, c3);
-  r[3] = c1;
-  c1 = 0;
-  mul_add_c(a[3], b[1], c2, c3, c1);
-  mul_add_c(a[2], b[2], c2, c3, c1);
-  mul_add_c(a[1], b[3], c2, c3, c1);
-  r[4] = c2;
-  c2 = 0;
-  mul_add_c(a[2], b[3], c3, c1, c2);
-  mul_add_c(a[3], b[2], c3, c1, c2);
-  r[5] = c3;
-  c3 = 0;
-  mul_add_c(a[3], b[3], c1, c2, c3);
-  r[6] = c1;
-  r[7] = c2;
-}
-
-void bn_sqr_comba8(BN_ULONG *r, const BN_ULONG *a) {
-  BN_ULONG c1, c2, c3;
-
-  c1 = 0;
-  c2 = 0;
-  c3 = 0;
-  sqr_add_c(a, 0, c1, c2, c3);
-  r[0] = c1;
-  c1 = 0;
-  sqr_add_c2(a, 1, 0, c2, c3, c1);
-  r[1] = c2;
-  c2 = 0;
-  sqr_add_c(a, 1, c3, c1, c2);
-  sqr_add_c2(a, 2, 0, c3, c1, c2);
-  r[2] = c3;
-  c3 = 0;
-  sqr_add_c2(a, 3, 0, c1, c2, c3);
-  sqr_add_c2(a, 2, 1, c1, c2, c3);
-  r[3] = c1;
-  c1 = 0;
-  sqr_add_c(a, 2, c2, c3, c1);
-  sqr_add_c2(a, 3, 1, c2, c3, c1);
-  sqr_add_c2(a, 4, 0, c2, c3, c1);
-  r[4] = c2;
-  c2 = 0;
-  sqr_add_c2(a, 5, 0, c3, c1, c2);
-  sqr_add_c2(a, 4, 1, c3, c1, c2);
-  sqr_add_c2(a, 3, 2, c3, c1, c2);
-  r[5] = c3;
-  c3 = 0;
-  sqr_add_c(a, 3, c1, c2, c3);
-  sqr_add_c2(a, 4, 2, c1, c2, c3);
-  sqr_add_c2(a, 5, 1, c1, c2, c3);
-  sqr_add_c2(a, 6, 0, c1, c2, c3);
-  r[6] = c1;
-  c1 = 0;
-  sqr_add_c2(a, 7, 0, c2, c3, c1);
-  sqr_add_c2(a, 6, 1, c2, c3, c1);
-  sqr_add_c2(a, 5, 2, c2, c3, c1);
-  sqr_add_c2(a, 4, 3, c2, c3, c1);
-  r[7] = c2;
-  c2 = 0;
-  sqr_add_c(a, 4, c3, c1, c2);
-  sqr_add_c2(a, 5, 3, c3, c1, c2);
-  sqr_add_c2(a, 6, 2, c3, c1, c2);
-  sqr_add_c2(a, 7, 1, c3, c1, c2);
-  r[8] = c3;
-  c3 = 0;
-  sqr_add_c2(a, 7, 2, c1, c2, c3);
-  sqr_add_c2(a, 6, 3, c1, c2, c3);
-  sqr_add_c2(a, 5, 4, c1, c2, c3);
-  r[9] = c1;
-  c1 = 0;
-  sqr_add_c(a, 5, c2, c3, c1);
-  sqr_add_c2(a, 6, 4, c2, c3, c1);
-  sqr_add_c2(a, 7, 3, c2, c3, c1);
-  r[10] = c2;
-  c2 = 0;
-  sqr_add_c2(a, 7, 4, c3, c1, c2);
-  sqr_add_c2(a, 6, 5, c3, c1, c2);
-  r[11] = c3;
-  c3 = 0;
-  sqr_add_c(a, 6, c1, c2, c3);
-  sqr_add_c2(a, 7, 5, c1, c2, c3);
-  r[12] = c1;
-  c1 = 0;
-  sqr_add_c2(a, 7, 6, c2, c3, c1);
-  r[13] = c2;
-  c2 = 0;
-  sqr_add_c(a, 7, c3, c1, c2);
-  r[14] = c3;
-  r[15] = c1;
-}
-
-void bn_sqr_comba4(BN_ULONG *r, const BN_ULONG *a) {
-  BN_ULONG c1, c2, c3;
-
-  c1 = 0;
-  c2 = 0;
-  c3 = 0;
-  sqr_add_c(a, 0, c1, c2, c3);
-  r[0] = c1;
-  c1 = 0;
-  sqr_add_c2(a, 1, 0, c2, c3, c1);
-  r[1] = c2;
-  c2 = 0;
-  sqr_add_c(a, 1, c3, c1, c2);
-  sqr_add_c2(a, 2, 0, c3, c1, c2);
-  r[2] = c3;
-  c3 = 0;
-  sqr_add_c2(a, 3, 0, c1, c2, c3);
-  sqr_add_c2(a, 2, 1, c1, c2, c3);
-  r[3] = c1;
-  c1 = 0;
-  sqr_add_c(a, 2, c2, c3, c1);
-  sqr_add_c2(a, 3, 1, c2, c3, c1);
-  r[4] = c2;
-  c2 = 0;
-  sqr_add_c2(a, 3, 2, c3, c1, c2);
-  r[5] = c3;
-  c3 = 0;
-  sqr_add_c(a, 3, c1, c2, c3);
-  r[6] = c1;
-  r[7] = c2;
-}
-
-#endif  /* !NO_ASM && X86_64 && __GNUC__ */
@@ -1,599 +0,0 @@
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.] */
-
-#include <openssl/bn.h>
-
-#include <assert.h>
-#include <ctype.h>
-#include <limits.h>
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/bio.h>
-#include <openssl/bytestring.h>
-#include <openssl/err.h>
-#include <openssl/mem.h>
-
-#include "internal.h"
-
-BIGNUM *BN_bin2bn(const uint8_t *in, size_t len, BIGNUM *ret) {
-  size_t num_words;
-  unsigned m;
-  BN_ULONG word = 0;
-  BIGNUM *bn = NULL;
-
-  if (ret == NULL) {
-    ret = bn = BN_new();
-  }
-
-  if (ret == NULL) {
-    return NULL;
-  }
-
-  if (len == 0) {
-    ret->top = 0;
-    return ret;
-  }
-
-  num_words = ((len - 1) / BN_BYTES) + 1;
-  m = (len - 1) % BN_BYTES;
-  if (bn_wexpand(ret, num_words) == NULL) {
-    if (bn) {
-      BN_free(bn);
-    }
-    return NULL;
-  }
-
-  /* |bn_wexpand| must check bounds on |num_words| to write it into
-   * |ret->dmax|. */
-  assert(num_words <= INT_MAX);
-  ret->top = (int)num_words;
-  ret->neg = 0;
-
-  while (len--) {
-    word = (word << 8) | *(in++);
-    if (m-- == 0) {
-      ret->d[--num_words] = word;
-      word = 0;
-      m = BN_BYTES - 1;
-    }
-  }
-
-  /* need to call this due to clear byte at top if avoiding having the top bit
-   * set (-ve number) */
-  bn_correct_top(ret);
-  return ret;
-}
-
-size_t BN_bn2bin(const BIGNUM *in, uint8_t *out) {
-  size_t n, i;
-  BN_ULONG l;
-
-  n = i = BN_num_bytes(in);
-  while (i--) {
-    l = in->d[i / BN_BYTES];
-    *(out++) = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff;
-  }
-  return n;
-}
-
-/* constant_time_select_ulong returns |x| if |v| is 1 and |y| if |v| is 0. Its
- * behavior is undefined if |v| takes any other value. */
-static BN_ULONG constant_time_select_ulong(int v, BN_ULONG x, BN_ULONG y) {
-  BN_ULONG mask = v;
-  mask--;
-
-  return (~mask & x) | (mask & y);
-}
-
-/* constant_time_le_size_t returns 1 if |x| <= |y| and 0 otherwise. |x| and |y|
- * must not have their MSBs set. */
-static int constant_time_le_size_t(size_t x, size_t y) {
-  return ((x - y - 1) >> (sizeof(size_t) * 8 - 1)) & 1;
-}
-
-/* read_word_padded returns the |i|'th word of |in|, if it is not out of
- * bounds. Otherwise, it returns 0. It does so without branches on the size of
- * |in|, however it necessarily does not have the same memory access pattern. If
- * the access would be out of bounds, it reads the last word of |in|. |in| must
- * not be zero. */
-static BN_ULONG read_word_padded(const BIGNUM *in, size_t i) {
-  /* Read |in->d[i]| if valid. Otherwise, read the last word. */
-  BN_ULONG l = in->d[constant_time_select_ulong(
-      constant_time_le_size_t(in->dmax, i), in->dmax - 1, i)];
-
-  /* Clamp to zero if above |d->top|. */
-  return constant_time_select_ulong(constant_time_le_size_t(in->top, i), 0, l);
-}
-
-int BN_bn2bin_padded(uint8_t *out, size_t len, const BIGNUM *in) {
-  /* Special case for |in| = 0. Just branch as the probability is negligible. */
-  if (BN_is_zero(in)) {
-    memset(out, 0, len);
-    return 1;
-  }
-
-  /* Check if the integer is too big. This case can exit early in non-constant
-   * time. */
-  if ((size_t)in->top > (len + (BN_BYTES - 1)) / BN_BYTES) {
-    return 0;
-  }
-  if ((len % BN_BYTES) != 0) {
-    BN_ULONG l = read_word_padded(in, len / BN_BYTES);
-    if (l >> (8 * (len % BN_BYTES)) != 0) {
-      return 0;
-    }
-  }
-
-  /* Write the bytes out one by one. Serialization is done without branching on
-   * the bits of |in| or on |in->top|, but if the routine would otherwise read
-   * out of bounds, the memory access pattern can't be fixed. However, for an
-   * RSA key of size a multiple of the word size, the probability of BN_BYTES
-   * leading zero octets is low.
-   *
-   * See Falko Stenzke, "Manger's Attack revisited", ICICS 2010. */
-  size_t i = len;
-  while (i--) {
-    BN_ULONG l = read_word_padded(in, i / BN_BYTES);
-    *(out++) = (uint8_t)(l >> (8 * (i % BN_BYTES))) & 0xff;
-  }
-  return 1;
-}
-
-int BN_bn2cbb_padded(CBB *out, size_t len, const BIGNUM *in) {
-  uint8_t *ptr;
-  return CBB_add_space(out, &ptr, len) && BN_bn2bin_padded(ptr, len, in);
-}
-
-static const char hextable[] = "0123456789abcdef";
-
-char *BN_bn2hex(const BIGNUM *bn) {
-  char *buf = OPENSSL_malloc(1 /* leading '-' */ + 1 /* zero is non-empty */ +
-                             bn->top * BN_BYTES * 2 + 1 /* trailing NUL */);
-  if (buf == NULL) {
-    OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE);
-    return NULL;
-  }
-
-  char *p = buf;
-  if (bn->neg) {
-    *(p++) = '-';
-  }
-
-  if (BN_is_zero(bn)) {
-    *(p++) = '0';
-  }
-
-  int z = 0;
-  for (int i = bn->top - 1; i >= 0; i--) {
-    for (int j = BN_BITS2 - 8; j >= 0; j -= 8) {
-      /* strip leading zeros */
-      int v = ((int)(bn->d[i] >> (long)j)) & 0xff;
-      if (z || v != 0) {
-        *(p++) = hextable[v >> 4];
-        *(p++) = hextable[v & 0x0f];
-        z = 1;
-      }
-    }
-  }
-  *p = '\0';
-
-  return buf;
-}
-
-/* decode_hex decodes |in_len| bytes of hex data from |in| and updates |bn|. */
-static int decode_hex(BIGNUM *bn, const char *in, int in_len) {
-  if (in_len > INT_MAX/4) {
-    OPENSSL_PUT_ERROR(BN, BN_R_BIGNUM_TOO_LONG);
-    return 0;
-  }
-  /* |in_len| is the number of hex digits. */
-  if (bn_expand(bn, in_len * 4) == NULL) {
-    return 0;
-  }
-
-  int i = 0;
-  while (in_len > 0) {
-    /* Decode one |BN_ULONG| at a time. */
-    int todo = BN_BYTES * 2;
-    if (todo > in_len) {
-      todo = in_len;
-    }
-
-    BN_ULONG word = 0;
-    int j;
-    for (j = todo; j > 0; j--) {
-      char c = in[in_len - j];
-
-      BN_ULONG hex;
-      if (c >= '0' && c <= '9') {
-        hex = c - '0';
-      } else if (c >= 'a' && c <= 'f') {
-        hex = c - 'a' + 10;
-      } else if (c >= 'A' && c <= 'F') {
-        hex = c - 'A' + 10;
-      } else {
-        hex = 0;
-        /* This shouldn't happen. The caller checks |isxdigit|. */
-        assert(0);
-      }
-      word = (word << 4) | hex;
-    }
-
-    bn->d[i++] = word;
-    in_len -= todo;
-  }
-  assert(i <= bn->dmax);
-  bn->top = i;
-  return 1;
-}
-
-/* decode_dec decodes |in_len| bytes of decimal data from |in| and updates |bn|. */
-static int decode_dec(BIGNUM *bn, const char *in, int in_len) {
-  int i, j;
-  BN_ULONG l = 0;
-
-  /* Decode |BN_DEC_NUM| digits at a time. */
-  j = BN_DEC_NUM - (in_len % BN_DEC_NUM);
-  if (j == BN_DEC_NUM) {
-    j = 0;
-  }
-  l = 0;
-  for (i = 0; i < in_len; i++) {
-    l *= 10;
-    l += in[i] - '0';
-    if (++j == BN_DEC_NUM) {
-      if (!BN_mul_word(bn, BN_DEC_CONV) ||
-          !BN_add_word(bn, l)) {
-        return 0;
-      }
-      l = 0;
-      j = 0;
-    }
-  }
-  return 1;
-}
-
-typedef int (*decode_func) (BIGNUM *bn, const char *in, int in_len);
-typedef int (*char_test_func) (int c);
-
-static int bn_x2bn(BIGNUM **outp, const char *in, decode_func decode, char_test_func want_char) {
-  BIGNUM *ret = NULL;
-  int neg = 0, i;
-  int num;
-
-  if (in == NULL || *in == 0) {
-    return 0;
-  }
-
-  if (*in == '-') {
-    neg = 1;
-    in++;
-  }
-
-  for (i = 0; want_char((unsigned char)in[i]) && i + neg < INT_MAX; i++) {}
-
-  num = i + neg;
-  if (outp == NULL) {
-    return num;
-  }
-
-  /* in is the start of the hex digits, and it is 'i' long */
-  if (*outp == NULL) {
-    ret = BN_new();
-    if (ret == NULL) {
-      return 0;
-    }
-  } else {
-    ret = *outp;
-    BN_zero(ret);
-  }
-
-  if (!decode(ret, in, i)) {
-    goto err;
-  }
-
-  bn_correct_top(ret);
-  if (!BN_is_zero(ret)) {
-    ret->neg = neg;
-  }
-
-  *outp = ret;
-  return num;
-
-err:
-  if (*outp == NULL) {
-    BN_free(ret);
-  }
-
-  return 0;
-}
-
-int BN_hex2bn(BIGNUM **outp, const char *in) {
-  return bn_x2bn(outp, in, decode_hex, isxdigit);
-}
-
-char *BN_bn2dec(const BIGNUM *a) {
-  /* It is easier to print strings little-endian, so we assemble it in reverse
-   * and fix at the end. */
-  BIGNUM *copy = NULL;
-  CBB cbb;
-  if (!CBB_init(&cbb, 16) ||
-      !CBB_add_u8(&cbb, 0 /* trailing NUL */)) {
-    goto cbb_err;
-  }
-
-  if (BN_is_zero(a)) {
-    if (!CBB_add_u8(&cbb, '0')) {
-      goto cbb_err;
-    }
-  } else {
-    copy = BN_dup(a);
-    if (copy == NULL) {
-      goto err;
-    }
-
-    while (!BN_is_zero(copy)) {
-      BN_ULONG word = BN_div_word(copy, BN_DEC_CONV);
-      if (word == (BN_ULONG)-1) {
-        goto err;
-      }
-
-      const int add_leading_zeros = !BN_is_zero(copy);
-      for (int i = 0; i < BN_DEC_NUM && (add_leading_zeros || word != 0); i++) {
-        if (!CBB_add_u8(&cbb, '0' + word % 10)) {
-          goto cbb_err;
-        }
-        word /= 10;
-      }
-      assert(word == 0);
-    }
-  }
-
-  if (BN_is_negative(a) &&
-      !CBB_add_u8(&cbb, '-')) {
-    goto cbb_err;
-  }
-
-  uint8_t *data;
-  size_t len;
-  if (!CBB_finish(&cbb, &data, &len)) {
-    goto cbb_err;
-  }
-
-  /* Reverse the buffer. */
-  for (size_t i = 0; i < len/2; i++) {
-    uint8_t tmp = data[i];
-    data[i] = data[len - 1 - i];
-    data[len - 1 - i] = tmp;
-  }
-
-  BN_free(copy);
-  return (char *)data;
-
-cbb_err:
-  OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE);
-err:
-  BN_free(copy);
-  CBB_cleanup(&cbb);
-  return NULL;
-}
-
-int BN_dec2bn(BIGNUM **outp, const char *in) {
-  return bn_x2bn(outp, in, decode_dec, isdigit);
-}
-
-int BN_asc2bn(BIGNUM **outp, const char *in) {
-  const char *const orig_in = in;
-  if (*in == '-') {
-    in++;
-  }
-
-  if (in[0] == '0' && (in[1] == 'X' || in[1] == 'x')) {
-    if (!BN_hex2bn(outp, in+2)) {
-      return 0;
-    }
-  } else {
-    if (!BN_dec2bn(outp, in)) {
-      return 0;
-    }
-  }
-
-  if (*orig_in == '-' && !BN_is_zero(*outp)) {
-    (*outp)->neg = 1;
-  }
-
-  return 1;
-}
-
-int BN_print(BIO *bp, const BIGNUM *a) {
-  int i, j, v, z = 0;
-  int ret = 0;
-
-  if (a->neg && BIO_write(bp, "-", 1) != 1) {
-    goto end;
-  }
-
-  if (BN_is_zero(a) && BIO_write(bp, "0", 1) != 1) {
-    goto end;
-  }
-
-  for (i = a->top - 1; i >= 0; i--) {
-    for (j = BN_BITS2 - 4; j >= 0; j -= 4) {
-      /* strip leading zeros */
-      v = ((int)(a->d[i] >> (long)j)) & 0x0f;
-      if (z || v != 0) {
-        if (BIO_write(bp, &hextable[v], 1) != 1) {
-          goto end;
-        }
-        z = 1;
-      }
-    }
-  }
-  ret = 1;
-
-end:
-  return ret;
-}
-
-int BN_print_fp(FILE *fp, const BIGNUM *a) {
-  BIO *b;
-  int ret;
-
-  b = BIO_new(BIO_s_file());
-  if (b == NULL) {
-    return 0;
-  }
-  BIO_set_fp(b, fp, BIO_NOCLOSE);
-  ret = BN_print(b, a);
-  BIO_free(b);
-
-  return ret;
-}
-
-BN_ULONG BN_get_word(const BIGNUM *bn) {
-  switch (bn->top) {
-    case 0:
-      return 0;
-    case 1:
-      return bn->d[0];
-    default:
-      return BN_MASK2;
-  }
-}
-
-size_t BN_bn2mpi(const BIGNUM *in, uint8_t *out) {
-  const size_t bits = BN_num_bits(in);
-  const size_t bytes = (bits + 7) / 8;
-  /* If the number of bits is a multiple of 8, i.e. if the MSB is set,
-   * prefix with a zero byte. */
-  int extend = 0;
-  if (bytes != 0 && (bits & 0x07) == 0) {
-    extend = 1;
-  }
-
-  const size_t len = bytes + extend;
-  if (len < bytes ||
-      4 + len < len ||
-      (len & 0xffffffff) != len) {
-    /* If we cannot represent the number then we emit zero as the interface
-     * doesn't allow an error to be signalled. */
-    if (out) {
-      memset(out, 0, 4);
-    }
-    return 4;
-  }
-
-  if (out == NULL) {
-    return 4 + len;
-  }
-
-  out[0] = len >> 24;
-  out[1] = len >> 16;
-  out[2] = len >> 8;
-  out[3] = len;
-  if (extend) {
-    out[4] = 0;
-  }
-  BN_bn2bin(in, out + 4 + extend);
-  if (in->neg && len > 0) {
-    out[4] |= 0x80;
-  }
-  return len + 4;
-}
-
-BIGNUM *BN_mpi2bn(const uint8_t *in, size_t len, BIGNUM *out) {
-  if (len < 4) {
-    OPENSSL_PUT_ERROR(BN, BN_R_BAD_ENCODING);
-    return NULL;
-  }
-  const size_t in_len = ((size_t)in[0] << 24) |
-                        ((size_t)in[1] << 16) |
-                        ((size_t)in[2] << 8) |
-                        ((size_t)in[3]);
-  if (in_len != len - 4) {
-    OPENSSL_PUT_ERROR(BN, BN_R_BAD_ENCODING);
-    return NULL;
-  }
-
-  int out_is_alloced = 0;
-  if (out == NULL) {
-    out = BN_new();
-    if (out == NULL) {
-      OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE);
-      return NULL;
-    }
-    out_is_alloced = 1;
-  }
-
-  if (in_len == 0) {
-    BN_zero(out);
-    return out;
-  }
-
-  in += 4;
-  if (BN_bin2bn(in, in_len, out) == NULL) {
-    if (out_is_alloced) {
-      BN_free(out);
-    }
-    return NULL;
-  }
-  out->neg = ((*in) & 0x80) != 0;
-  if (out->neg) {
-    BN_clear_bit(out, BN_num_bits(out) - 1);
-  }
-  return out;
-}
@@ -1,671 +0,0 @@
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.] */
-
-#include <openssl/bn.h>
-
-#include <assert.h>
-#include <limits.h>
-#include <openssl/err.h>
-
-#include "internal.h"
-
-
-#if !defined(BN_ULLONG)
-/* bn_div_words divides a double-width |h|,|l| by |d| and returns the result,
- * which must fit in a |BN_ULONG|. */
-static BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d) {
-  BN_ULONG dh, dl, q, ret = 0, th, tl, t;
-  int i, count = 2;
-
-  if (d == 0) {
-    return BN_MASK2;
-  }
-
-  i = BN_num_bits_word(d);
-  assert((i == BN_BITS2) || (h <= (BN_ULONG)1 << i));
-
-  i = BN_BITS2 - i;
-  if (h >= d) {
-    h -= d;
-  }
-
-  if (i) {
-    d <<= i;
-    h = (h << i) | (l >> (BN_BITS2 - i));
-    l <<= i;
-  }
-  dh = (d & BN_MASK2h) >> BN_BITS4;
-  dl = (d & BN_MASK2l);
-  for (;;) {
-    if ((h >> BN_BITS4) == dh) {
-      q = BN_MASK2l;
-    } else {
-      q = h / dh;
-    }
-
-    th = q * dh;
-    tl = dl * q;
-    for (;;) {
-      t = h - th;
-      if ((t & BN_MASK2h) ||
-          ((tl) <= ((t << BN_BITS4) | ((l & BN_MASK2h) >> BN_BITS4)))) {
-        break;
-      }
-      q--;
-      th -= dh;
-      tl -= dl;
-    }
-    t = (tl >> BN_BITS4);
-    tl = (tl << BN_BITS4) & BN_MASK2h;
-    th += t;
-
-    if (l < tl) {
-      th++;
-    }
-    l -= tl;
-    if (h < th) {
-      h += d;
-      q--;
-    }
-    h -= th;
-
-    if (--count == 0) {
-      break;
-    }
-
-    ret = q << BN_BITS4;
-    h = ((h << BN_BITS4) | (l >> BN_BITS4)) & BN_MASK2;
-    l = (l & BN_MASK2l) << BN_BITS4;
-  }
-
-  ret |= q;
-  return ret;
-}
-#endif /* !defined(BN_ULLONG) */
-
-static inline void bn_div_rem_words(BN_ULONG *quotient_out, BN_ULONG *rem_out,
-                                    BN_ULONG n0, BN_ULONG n1, BN_ULONG d0) {
-  /* GCC and Clang generate function calls to |__udivdi3| and |__umoddi3| when
-   * the |BN_ULLONG|-based C code is used.
-   *
-   * GCC bugs:
-   *   * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=14224
-   *   * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=43721
-   *   * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=54183
-   *   * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58897
-   *   * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65668
-   *
-   * Clang bugs:
-   *   * https://llvm.org/bugs/show_bug.cgi?id=6397
-   *   * https://llvm.org/bugs/show_bug.cgi?id=12418
-   *
-   * These issues aren't specific to x86 and x86_64, so it might be worthwhile
-   * to add more assembly language implementations. */
-#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__GNUC__)
-  __asm__ volatile (
-    "divl %4"
-    : "=a"(*quotient_out), "=d"(*rem_out)
-    : "a"(n1), "d"(n0), "rm"(d0)
-    : "cc" );
-#elif !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__GNUC__)
-  __asm__ volatile (
-    "divq %4"
-    : "=a"(*quotient_out), "=d"(*rem_out)
-    : "a"(n1), "d"(n0), "rm"(d0)
-    : "cc" );
-#else
-#if defined(BN_ULLONG)
-  BN_ULLONG n = (((BN_ULLONG)n0) << BN_BITS2) | n1;
-  *quotient_out = (BN_ULONG)(n / d0);
-#else
-  *quotient_out = bn_div_words(n0, n1, d0);
-#endif
-  *rem_out = n1 - (*quotient_out * d0);
-#endif
-}
-
-/* BN_div computes  dv := num / divisor,  rounding towards
- * zero, and sets up rm  such that  dv*divisor + rm = num  holds.
- * Thus:
- *     dv->neg == num->neg ^ divisor->neg  (unless the result is zero)
- *     rm->neg == num->neg                 (unless the remainder is zero)
- * If 'dv' or 'rm' is NULL, the respective value is not returned. */
-int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
-           BN_CTX *ctx) {
-  int norm_shift, i, loop;
-  BIGNUM *tmp, wnum, *snum, *sdiv, *res;
-  BN_ULONG *resp, *wnump;
-  BN_ULONG d0, d1;
-  int num_n, div_n;
-  int no_branch = 0;
-
-  /* Invalid zero-padding would have particularly bad consequences
-   * so don't just rely on bn_check_top() here */
-  if ((num->top > 0 && num->d[num->top - 1] == 0) ||
-      (divisor->top > 0 && divisor->d[divisor->top - 1] == 0)) {
-    OPENSSL_PUT_ERROR(BN, BN_R_NOT_INITIALIZED);
-    return 0;
-  }
-
-  if ((num->flags & BN_FLG_CONSTTIME) != 0 ||
-      (divisor->flags & BN_FLG_CONSTTIME) != 0) {
-    no_branch = 1;
-  }
-
-  if (BN_is_zero(divisor)) {
-    OPENSSL_PUT_ERROR(BN, BN_R_DIV_BY_ZERO);
-    return 0;
-  }
-
-  if (!no_branch && BN_ucmp(num, divisor) < 0) {
-    if (rm != NULL) {
-      if (BN_copy(rm, num) == NULL) {
-        return 0;
-      }
-    }
-    if (dv != NULL) {
-      BN_zero(dv);
-    }
-    return 1;
-  }
-
-  BN_CTX_start(ctx);
-  tmp = BN_CTX_get(ctx);
-  snum = BN_CTX_get(ctx);
-  sdiv = BN_CTX_get(ctx);
-  if (dv == NULL) {
-    res = BN_CTX_get(ctx);
-  } else {
-    res = dv;
-  }
-  if (sdiv == NULL || res == NULL || tmp == NULL || snum == NULL) {
-    goto err;
-  }
-
-  /* First we normalise the numbers */
-  norm_shift = BN_BITS2 - ((BN_num_bits(divisor)) % BN_BITS2);
-  if (!(BN_lshift(sdiv, divisor, norm_shift))) {
-    goto err;
-  }
-  sdiv->neg = 0;
-  norm_shift += BN_BITS2;
-  if (!(BN_lshift(snum, num, norm_shift))) {
-    goto err;
-  }
-  snum->neg = 0;
-
-  if (no_branch) {
-    /* Since we don't know whether snum is larger than sdiv,
-     * we pad snum with enough zeroes without changing its
-     * value.
-     */
-    if (snum->top <= sdiv->top + 1) {
-      if (bn_wexpand(snum, sdiv->top + 2) == NULL) {
-        goto err;
-      }
-      for (i = snum->top; i < sdiv->top + 2; i++) {
-        snum->d[i] = 0;
-      }
-      snum->top = sdiv->top + 2;
-    } else {
-      if (bn_wexpand(snum, snum->top + 1) == NULL) {
-        goto err;
-      }
-      snum->d[snum->top] = 0;
-      snum->top++;
-    }
-  }
-
-  div_n = sdiv->top;
-  num_n = snum->top;
-  loop = num_n - div_n;
-  /* Lets setup a 'window' into snum
-   * This is the part that corresponds to the current
-   * 'area' being divided */
-  wnum.neg = 0;
-  wnum.d = &(snum->d[loop]);
-  wnum.top = div_n;
-  /* only needed when BN_ucmp messes up the values between top and max */
-  wnum.dmax = snum->dmax - loop; /* so we don't step out of bounds */
-
-  /* Get the top 2 words of sdiv */
-  /* div_n=sdiv->top; */
-  d0 = sdiv->d[div_n - 1];
-  d1 = (div_n == 1) ? 0 : sdiv->d[div_n - 2];
-
-  /* pointer to the 'top' of snum */
-  wnump = &(snum->d[num_n - 1]);
-
-  /* Setup to 'res' */
-  res->neg = (num->neg ^ divisor->neg);
-  if (!bn_wexpand(res, (loop + 1))) {
-    goto err;
-  }
-  res->top = loop - no_branch;
-  resp = &(res->d[loop - 1]);
-
-  /* space for temp */
-  if (!bn_wexpand(tmp, (div_n + 1))) {
-    goto err;
-  }
-
-  if (!no_branch) {
-    if (BN_ucmp(&wnum, sdiv) >= 0) {
-      bn_sub_words(wnum.d, wnum.d, sdiv->d, div_n);
-      *resp = 1;
-    } else {
-      res->top--;
-    }
-  }
-
-  /* if res->top == 0 then clear the neg value otherwise decrease
-   * the resp pointer */
-  if (res->top == 0) {
-    res->neg = 0;
-  } else {
-    resp--;
-  }
-
-  for (i = 0; i < loop - 1; i++, wnump--, resp--) {
-    BN_ULONG q, l0;
-    /* the first part of the loop uses the top two words of snum and sdiv to
-     * calculate a BN_ULONG q such that | wnum - sdiv * q | < sdiv */
-    BN_ULONG n0, n1, rem = 0;
-
-    n0 = wnump[0];
-    n1 = wnump[-1];
-    if (n0 == d0) {
-      q = BN_MASK2;
-    } else {
-      /* n0 < d0 */
-      bn_div_rem_words(&q, &rem, n0, n1, d0);
-
-#ifdef BN_ULLONG
-      BN_ULLONG t2 = (BN_ULLONG)d1 * q;
-      for (;;) {
-        if (t2 <= ((((BN_ULLONG)rem) << BN_BITS2) | wnump[-2])) {
-          break;
-        }
-        q--;
-        rem += d0;
-        if (rem < d0) {
-          break; /* don't let rem overflow */
-        }
-        t2 -= d1;
-      }
-#else /* !BN_ULLONG */
-      BN_ULONG t2l, t2h;
-      BN_UMULT_LOHI(t2l, t2h, d1, q);
-      for (;;) {
-        if ((t2h < rem) || ((t2h == rem) && (t2l <= wnump[-2]))) {
-          break;
-        }
-        q--;
-        rem += d0;
-        if (rem < d0) {
-          break; /* don't let rem overflow */
-        }
-        if (t2l < d1) {
-          t2h--;
-        }
-        t2l -= d1;
-      }
-#endif /* !BN_ULLONG */
-    }
-
-    l0 = bn_mul_words(tmp->d, sdiv->d, div_n, q);
-    tmp->d[div_n] = l0;
-    wnum.d--;
-    /* ingore top values of the bignums just sub the two
-     * BN_ULONG arrays with bn_sub_words */
-    if (bn_sub_words(wnum.d, wnum.d, tmp->d, div_n + 1)) {
-      /* Note: As we have considered only the leading
-       * two BN_ULONGs in the calculation of q, sdiv * q
-       * might be greater than wnum (but then (q-1) * sdiv
-       * is less or equal than wnum)
-       */
-      q--;
-      if (bn_add_words(wnum.d, wnum.d, sdiv->d, div_n)) {
-        /* we can't have an overflow here (assuming
-         * that q != 0, but if q == 0 then tmp is
-         * zero anyway) */
-        (*wnump)++;
-      }
-    }
-    /* store part of the result */
-    *resp = q;
-  }
-  bn_correct_top(snum);
-  if (rm != NULL) {
-    /* Keep a copy of the neg flag in num because if rm==num
-     * BN_rshift() will overwrite it.
-     */
-    int neg = num->neg;
-    if (!BN_rshift(rm, snum, norm_shift)) {
-      goto err;
-    }
-    if (!BN_is_zero(rm)) {
-      rm->neg = neg;
-    }
-  }
-  if (no_branch) {
-    bn_correct_top(res);
-  }
-  BN_CTX_end(ctx);
-  return 1;
-
-err:
-  BN_CTX_end(ctx);
-  return 0;
-}
-
-int BN_nnmod(BIGNUM *r, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx) {
-  if (!(BN_mod(r, m, d, ctx))) {
-    return 0;
-  }
-  if (!r->neg) {
-    return 1;
-  }
-
-  /* now -|d| < r < 0, so we have to set r := r + |d|. */
-  return (d->neg ? BN_sub : BN_add)(r, r, d);
-}
-
-int BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
-               BN_CTX *ctx) {
-  if (!BN_add(r, a, b)) {
-    return 0;
-  }
-  return BN_nnmod(r, r, m, ctx);
-}
-
-int BN_mod_add_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
-                     const BIGNUM *m) {
-  if (!BN_uadd(r, a, b)) {
-    return 0;
-  }
-  if (BN_ucmp(r, m) >= 0) {
-    return BN_usub(r, r, m);
-  }
-  return 1;
-}
-
-int BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
-               BN_CTX *ctx) {
-  if (!BN_sub(r, a, b)) {
-    return 0;
-  }
-  return BN_nnmod(r, r, m, ctx);
-}
-
-/* BN_mod_sub variant that may be used if both  a  and  b  are non-negative
- * and less than  m */
-int BN_mod_sub_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
-                     const BIGNUM *m) {
-  if (!BN_sub(r, a, b)) {
-    return 0;
-  }
-  if (r->neg) {
-    return BN_add(r, r, m);
-  }
-  return 1;
-}
-
-int BN_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
-               BN_CTX *ctx) {
-  BIGNUM *t;
-  int ret = 0;
-
-  BN_CTX_start(ctx);
-  t = BN_CTX_get(ctx);
-  if (t == NULL) {
-    goto err;
-  }
-
-  if (a == b) {
-    if (!BN_sqr(t, a, ctx)) {
-      goto err;
-    }
-  } else {
-    if (!BN_mul(t, a, b, ctx)) {
-      goto err;
-    }
-  }
-
-  if (!BN_nnmod(r, t, m, ctx)) {
-    goto err;
-  }
-
-  ret = 1;
-
-err:
-  BN_CTX_end(ctx);
-  return ret;
-}
-
-int BN_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx) {
-  if (!BN_sqr(r, a, ctx)) {
-    return 0;
-  }
-
-  /* r->neg == 0,  thus we don't need BN_nnmod */
-  return BN_mod(r, r, m, ctx);
-}
-
-int BN_mod_lshift(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m,
-                  BN_CTX *ctx) {
-  BIGNUM *abs_m = NULL;
-  int ret;
-
-  if (!BN_nnmod(r, a, m, ctx)) {
-    return 0;
-  }
-
-  if (m->neg) {
-    abs_m = BN_dup(m);
-    if (abs_m == NULL) {
-      return 0;
-    }
-    abs_m->neg = 0;
-  }
-
-  ret = BN_mod_lshift_quick(r, r, n, (abs_m ? abs_m : m));
-
-  BN_free(abs_m);
-  return ret;
-}
-
-int BN_mod_lshift_quick(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m) {
-  if (r != a) {
-    if (BN_copy(r, a) == NULL) {
-      return 0;
-    }
-  }
-
-  while (n > 0) {
-    int max_shift;
-
-    /* 0 < r < m */
-    max_shift = BN_num_bits(m) - BN_num_bits(r);
-    /* max_shift >= 0 */
-
-    if (max_shift < 0) {
-      OPENSSL_PUT_ERROR(BN, BN_R_INPUT_NOT_REDUCED);
-      return 0;
-    }
-
-    if (max_shift > n) {
-      max_shift = n;
-    }
-
-    if (max_shift) {
-      if (!BN_lshift(r, r, max_shift)) {
-        return 0;
-      }
-      n -= max_shift;
-    } else {
-      if (!BN_lshift1(r, r)) {
-        return 0;
-      }
-      --n;
-    }
-
-    /* BN_num_bits(r) <= BN_num_bits(m) */
-    if (BN_cmp(r, m) >= 0) {
-      if (!BN_sub(r, r, m)) {
-        return 0;
-      }
-    }
-  }
-
-  return 1;
-}
-
-int BN_mod_lshift1(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx) {
-  if (!BN_lshift1(r, a)) {
-    return 0;
-  }
-
-  return BN_nnmod(r, r, m, ctx);
-}
-
-int BN_mod_lshift1_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *m) {
-  if (!BN_lshift1(r, a)) {
-    return 0;
-  }
-  if (BN_cmp(r, m) >= 0) {
-    return BN_sub(r, r, m);
-  }
-
-  return 1;
-}
-
-BN_ULONG BN_div_word(BIGNUM *a, BN_ULONG w) {
-  BN_ULONG ret = 0;
-  int i, j;
-
-  w &= BN_MASK2;
-
-  if (!w) {
-    /* actually this an error (division by zero) */
-    return (BN_ULONG) - 1;
-  }
-
-  if (a->top == 0) {
-    return 0;
-  }
-
-  /* normalize input for |bn_div_rem_words|. */
-  j = BN_BITS2 - BN_num_bits_word(w);
-  w <<= j;
-  if (!BN_lshift(a, a, j)) {
-    return (BN_ULONG) - 1;
-  }
-
-  for (i = a->top - 1; i >= 0; i--) {
-    BN_ULONG l = a->d[i];
-    BN_ULONG d;
-    BN_ULONG unused_rem;
-    bn_div_rem_words(&d, &unused_rem, ret, l, w);
-    ret = (l - ((d * w) & BN_MASK2)) & BN_MASK2;
-    a->d[i] = d;
-  }
-
-  if ((a->top > 0) && (a->d[a->top - 1] == 0)) {
-    a->top--;
-  }
-
-  ret >>= j;
-  return ret;
-}
-
-BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w) {
-#ifndef BN_ULLONG
-  BN_ULONG ret = 0;
-#else
-  BN_ULLONG ret = 0;
-#endif
-  int i;
-
-  if (w == 0) {
-    return (BN_ULONG) -1;
-  }
-
-#ifndef BN_ULLONG
-  /* If |w| is too long and we don't have |BN_ULLONG| then we need to fall back
-   * to using |BN_div_word|. */
-  if (w > ((BN_ULONG)1 << BN_BITS4)) {
-    BIGNUM *tmp = BN_dup(a);
-    if (tmp == NULL) {
-      return (BN_ULONG)-1;
-    }
-    ret = BN_div_word(tmp, w);
-    BN_free(tmp);
-    return ret;
-  }
-#endif
-
-  w &= BN_MASK2;
-  for (i = a->top - 1; i >= 0; i--) {
-#ifndef BN_ULLONG
-    ret = ((ret << BN_BITS4) | ((a->d[i] >> BN_BITS4) & BN_MASK2l)) % w;
-    ret = ((ret << BN_BITS4) | (a->d[i] & BN_MASK2l)) % w;
-#else
-    ret = (BN_ULLONG)(((ret << (BN_ULLONG)BN_BITS2) | a->d[i]) % (BN_ULLONG)w);
-#endif
-  }
-  return (BN_ULONG)ret;
-}
@@ -1,628 +0,0 @@
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com). */
-
-#include <openssl/bn.h>
-
-#include <assert.h>
-
-#include <openssl/err.h>
-
-#include "internal.h"
-
-static BIGNUM *euclid(BIGNUM *a, BIGNUM *b) {
-  BIGNUM *t;
-  int shifts = 0;
-
-  /* 0 <= b <= a */
-  while (!BN_is_zero(b)) {
-    /* 0 < b <= a */
-
-    if (BN_is_odd(a)) {
-      if (BN_is_odd(b)) {
-        if (!BN_sub(a, a, b)) {
-          goto err;
-        }
-        if (!BN_rshift1(a, a)) {
-          goto err;
-        }
-        if (BN_cmp(a, b) < 0) {
-          t = a;
-          a = b;
-          b = t;
-        }
-      } else {
-        /* a odd - b even */
-        if (!BN_rshift1(b, b)) {
-          goto err;
-        }
-        if (BN_cmp(a, b) < 0) {
-          t = a;
-          a = b;
-          b = t;
-        }
-      }
-    } else {
-      /* a is even */
-      if (BN_is_odd(b)) {
-        if (!BN_rshift1(a, a)) {
-          goto err;
-        }
-        if (BN_cmp(a, b) < 0) {
-          t = a;
-          a = b;
-          b = t;
-        }
-      } else {
-        /* a even - b even */
-        if (!BN_rshift1(a, a)) {
-          goto err;
-        }
-        if (!BN_rshift1(b, b)) {
-          goto err;
-        }
-        shifts++;
-      }
-    }
-    /* 0 <= b <= a */
-  }
-
-  if (shifts) {
-    if (!BN_lshift(a, a, shifts)) {
-      goto err;
-    }
-  }
-
-  return a;
-
-err:
-  return NULL;
-}
-
-int BN_gcd(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx) {
-  BIGNUM *a, *b, *t;
-  int ret = 0;
-
-  BN_CTX_start(ctx);
-  a = BN_CTX_get(ctx);
-  b = BN_CTX_get(ctx);
-
-  if (a == NULL || b == NULL) {
-    goto err;
-  }
-  if (BN_copy(a, in_a) == NULL) {
-    goto err;
-  }
-  if (BN_copy(b, in_b) == NULL) {
-    goto err;
-  }
-
-  a->neg = 0;
-  b->neg = 0;
-
-  if (BN_cmp(a, b) < 0) {
-    t = a;
-    a = b;
-    b = t;
-  }
-  t = euclid(a, b);
-  if (t == NULL) {
-    goto err;
-  }
-
-  if (BN_copy(r, t) == NULL) {
-    goto err;
-  }
-  ret = 1;
-
-err:
-  BN_CTX_end(ctx);
-  return ret;
-}
-
-/* solves ax == 1 (mod n) */
-static int bn_mod_inverse_general(BIGNUM *out, int *out_no_inverse,
-                                  const BIGNUM *a, const BIGNUM *n,
-                                  BN_CTX *ctx);
-
-int BN_mod_inverse_odd(BIGNUM *out, int *out_no_inverse, const BIGNUM *a,
-                       const BIGNUM *n, BN_CTX *ctx) {
-  *out_no_inverse = 0;
-
-  if (!BN_is_odd(n)) {
-    OPENSSL_PUT_ERROR(BN, BN_R_CALLED_WITH_EVEN_MODULUS);
-    return 0;
-  }
-
-  if (BN_is_negative(a) || BN_cmp(a, n) >= 0) {
-    OPENSSL_PUT_ERROR(BN, BN_R_INPUT_NOT_REDUCED);
-    return 0;
-  }
-
-  BIGNUM *A, *B, *X, *Y;
-  int ret = 0;
-  int sign;
-
-  BN_CTX_start(ctx);
-  A = BN_CTX_get(ctx);
-  B = BN_CTX_get(ctx);
-  X = BN_CTX_get(ctx);
-  Y = BN_CTX_get(ctx);
-  if (Y == NULL) {
-    goto err;
-  }
-
-  BIGNUM *R = out;
-
-  BN_zero(Y);
-  if (!BN_one(X) || BN_copy(B, a) == NULL || BN_copy(A, n) == NULL) {
-    goto err;
-  }
-  A->neg = 0;
-  sign = -1;
-  /* From  B = a mod |n|,  A = |n|  it follows that
-   *
-   *      0 <= B < A,
-   *     -sign*X*a  ==  B   (mod |n|),
-   *      sign*Y*a  ==  A   (mod |n|).
-   */
-
-  /* Binary inversion algorithm; requires odd modulus. This is faster than the
-   * general algorithm if the modulus is sufficiently small (about 400 .. 500
-   * bits on 32-bit systems, but much more on 64-bit systems) */
-  int shift;
-
-  while (!BN_is_zero(B)) {
-    /*      0 < B < |n|,
-     *      0 < A <= |n|,
-     * (1) -sign*X*a  ==  B   (mod |n|),
-     * (2)  sign*Y*a  ==  A   (mod |n|) */
-
-    /* Now divide  B  by the maximum possible power of two in the integers,
-     * and divide  X  by the same value mod |n|.
-     * When we're done, (1) still holds. */
-    shift = 0;
-    while (!BN_is_bit_set(B, shift)) {
-      /* note that 0 < B */
-      shift++;
-
-      if (BN_is_odd(X)) {
-        if (!BN_uadd(X, X, n)) {
-          goto err;
-        }
-      }
-      /* now X is even, so we can easily divide it by two */
-      if (!BN_rshift1(X, X)) {
-        goto err;
-      }
-    }
-    if (shift > 0) {
-      if (!BN_rshift(B, B, shift)) {
-        goto err;
-      }
-    }
-
-    /* Same for A and Y. Afterwards, (2) still holds. */
-    shift = 0;
-    while (!BN_is_bit_set(A, shift)) {
-      /* note that 0 < A */
-      shift++;
-
-      if (BN_is_odd(Y)) {
-        if (!BN_uadd(Y, Y, n)) {
-          goto err;
-        }
-      }
-      /* now Y is even */
-      if (!BN_rshift1(Y, Y)) {
-        goto err;
-      }
-    }
-    if (shift > 0) {
-      if (!BN_rshift(A, A, shift)) {
-        goto err;
-      }
-    }
-
-    /* We still have (1) and (2).
-     * Both  A  and  B  are odd.
-     * The following computations ensure that
-     *
-     *     0 <= B < |n|,
-     *      0 < A < |n|,
-     * (1) -sign*X*a  ==  B   (mod |n|),
-     * (2)  sign*Y*a  ==  A   (mod |n|),
-     *
-     * and that either  A  or  B  is even in the next iteration. */
-    if (BN_ucmp(B, A) >= 0) {
-      /* -sign*(X + Y)*a == B - A  (mod |n|) */
-      if (!BN_uadd(X, X, Y)) {
-        goto err;
-      }
-      /* NB: we could use BN_mod_add_quick(X, X, Y, n), but that
-       * actually makes the algorithm slower */
-      if (!BN_usub(B, B, A)) {
-        goto err;
-      }
-    } else {
-      /*  sign*(X + Y)*a == A - B  (mod |n|) */
-      if (!BN_uadd(Y, Y, X)) {
-        goto err;
-      }
-      /* as above, BN_mod_add_quick(Y, Y, X, n) would slow things down */
-      if (!BN_usub(A, A, B)) {
-        goto err;
-      }
-    }
-  }
-
-  if (!BN_is_one(A)) {
-    *out_no_inverse = 1;
-    OPENSSL_PUT_ERROR(BN, BN_R_NO_INVERSE);
-    goto err;
-  }
-
-  /* The while loop (Euclid's algorithm) ends when
-   *      A == gcd(a,n);
-   * we have
-   *       sign*Y*a  ==  A  (mod |n|),
-   * where  Y  is non-negative. */
-
-  if (sign < 0) {
-    if (!BN_sub(Y, n, Y)) {
-      goto err;
-    }
-  }
-  /* Now  Y*a  ==  A  (mod |n|).  */
-
-  /* Y*a == 1  (mod |n|) */
-  if (!Y->neg && BN_ucmp(Y, n) < 0) {
-    if (!BN_copy(R, Y)) {
-      goto err;
-    }
-  } else {
-    if (!BN_nnmod(R, Y, n, ctx)) {
-      goto err;
-    }
-  }
-
-  ret = 1;
-
-err:
-  BN_CTX_end(ctx);
-  return ret;
-}
-
-BIGNUM *BN_mod_inverse(BIGNUM *out, const BIGNUM *a, const BIGNUM *n,
-                       BN_CTX *ctx) {
-  int no_inverse;
-
-  BIGNUM *a_reduced = NULL;
-
-  BIGNUM *new_out = NULL;
-  if (out == NULL) {
-    new_out = BN_new();
-    if (new_out == NULL) {
-      OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE);
-      return NULL;
-    }
-    out = new_out;
-  }
-
-  int ok = 0;
-
-  int no_branch =
-      (a->flags & BN_FLG_CONSTTIME) != 0 || (n->flags & BN_FLG_CONSTTIME) != 0;
-
-  if (a->neg || BN_ucmp(a, n) >= 0) {
-    a_reduced = BN_dup(a);
-    if (a_reduced == NULL) {
-      goto err;
-    }
-    if (no_branch) {
-      BN_set_flags(a_reduced, BN_FLG_CONSTTIME);
-    }
-    if (!BN_nnmod(a_reduced, a_reduced, n, ctx)) {
-      goto err;
-    }
-    a = a_reduced;
-  }
-
-  if (no_branch || !BN_is_odd(n)) {
-    if (!bn_mod_inverse_general(out, &no_inverse, a, n, ctx)) {
-      goto err;
-    }
-  } else if (!BN_mod_inverse_odd(out, &no_inverse, a, n, ctx)) {
-    goto err;
-  }
-
-  ok = 1;
-
-err:
-  if (!ok) {
-    BN_free(new_out);
-    out = NULL;
-  }
-  BN_free(a_reduced);
-  return out;
-}
-
-int BN_mod_inverse_blinded(BIGNUM *out, int *out_no_inverse, const BIGNUM *a,
-                           const BN_MONT_CTX *mont, BN_CTX *ctx) {
-  *out_no_inverse = 0;
-
-  if (BN_is_negative(a) || BN_cmp(a, &mont->N) >= 0) {
-    OPENSSL_PUT_ERROR(BN, BN_R_INPUT_NOT_REDUCED);
-    return 0;
-  }
-
-  int ret = 0;
-  BIGNUM blinding_factor;
-  BN_init(&blinding_factor);
-
-  if (!BN_rand_range_ex(&blinding_factor, 1, &mont->N) ||
-      !BN_mod_mul_montgomery(out, &blinding_factor, a, mont, ctx) ||
-      !BN_mod_inverse_odd(out, out_no_inverse, out, &mont->N, ctx) ||
-      !BN_mod_mul_montgomery(out, &blinding_factor, out, mont, ctx)) {
-    OPENSSL_PUT_ERROR(BN, ERR_R_BN_LIB);
-    goto err;
-  }
-
-  ret = 1;
-
-err:
-  BN_free(&blinding_factor);
-  return ret;
-}
-
-/* bn_mod_inverse_general is the general inversion algorithm that works for
- * both even and odd |n|. It was specifically designed to contain fewer
- * branches that may leak sensitive information. See "New Branch Prediction
- * Vulnerabilities in OpenSSL and Necessary Software Countermeasures" by
- * Onur Acıçmez, Shay Gueron, and Jean-Pierre Seifert. */
-static int bn_mod_inverse_general(BIGNUM *out, int *out_no_inverse,
-                                  const BIGNUM *a, const BIGNUM *n,
-                                  BN_CTX *ctx) {
-  BIGNUM *A, *B, *X, *Y, *M, *D, *T;
-  BIGNUM local_A;
-  BIGNUM *pA;
-  int ret = 0;
-  int sign;
-
-  *out_no_inverse = 0;
-
-  BN_CTX_start(ctx);
-  A = BN_CTX_get(ctx);
-  B = BN_CTX_get(ctx);
-  X = BN_CTX_get(ctx);
-  D = BN_CTX_get(ctx);
-  M = BN_CTX_get(ctx);
-  Y = BN_CTX_get(ctx);
-  T = BN_CTX_get(ctx);
-  if (T == NULL) {
-    goto err;
-  }
-
-  BIGNUM *R = out;
-
-  BN_zero(Y);
-  if (!BN_one(X) || BN_copy(B, a) == NULL || BN_copy(A, n) == NULL) {
-    goto err;
-  }
-  A->neg = 0;
-
-  sign = -1;
-  /* From  B = a mod |n|,  A = |n|  it follows that
-   *
-   *      0 <= B < A,
-   *     -sign*X*a  ==  B   (mod |n|),
-   *      sign*Y*a  ==  A   (mod |n|).
-   */
-
-  while (!BN_is_zero(B)) {
-    BIGNUM *tmp;
-
-    /*
-     *      0 < B < A,
-     * (*) -sign*X*a  ==  B   (mod |n|),
-     *      sign*Y*a  ==  A   (mod |n|)
-     */
-
-    /* Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
-     * BN_div_no_branch will be called eventually.
-     */
-    pA = &local_A;
-    BN_with_flags(pA, A, BN_FLG_CONSTTIME);
-
-    /* (D, M) := (A/B, A%B) ... */
-    if (!BN_div(D, M, pA, B, ctx)) {
-      goto err;
-    }
-
-    /* Now
-     *      A = D*B + M;
-     * thus we have
-     * (**)  sign*Y*a  ==  D*B + M   (mod |n|).
-     */
-
-    tmp = A; /* keep the BIGNUM object, the value does not matter */
-
-    /* (A, B) := (B, A mod B) ... */
-    A = B;
-    B = M;
-    /* ... so we have  0 <= B < A  again */
-
-    /* Since the former  M  is now  B  and the former  B  is now  A,
-     * (**) translates into
-     *       sign*Y*a  ==  D*A + B    (mod |n|),
-     * i.e.
-     *       sign*Y*a - D*A  ==  B    (mod |n|).
-     * Similarly, (*) translates into
-     *      -sign*X*a  ==  A          (mod |n|).
-     *
-     * Thus,
-     *   sign*Y*a + D*sign*X*a  ==  B  (mod |n|),
-     * i.e.
-     *        sign*(Y + D*X)*a  ==  B  (mod |n|).
-     *
-     * So if we set  (X, Y, sign) := (Y + D*X, X, -sign),  we arrive back at
-     *      -sign*X*a  ==  B   (mod |n|),
-     *       sign*Y*a  ==  A   (mod |n|).
-     * Note that  X  and  Y  stay non-negative all the time.
-     */
-
-    if (!BN_mul(tmp, D, X, ctx)) {
-      goto err;
-    }
-    if (!BN_add(tmp, tmp, Y)) {
-      goto err;
-    }
-
-    M = Y; /* keep the BIGNUM object, the value does not matter */
-    Y = X;
-    X = tmp;
-    sign = -sign;
-  }
-
-  if (!BN_is_one(A)) {
-    *out_no_inverse = 1;
-    OPENSSL_PUT_ERROR(BN, BN_R_NO_INVERSE);
-    goto err;
-  }
-
-  /*
-   * The while loop (Euclid's algorithm) ends when
-   *      A == gcd(a,n);
-   * we have
-   *       sign*Y*a  ==  A  (mod |n|),
-   * where  Y  is non-negative.
-   */
-
-  if (sign < 0) {
-    if (!BN_sub(Y, n, Y)) {
-      goto err;
-    }
-  }
-  /* Now  Y*a  ==  A  (mod |n|).  */
-
-  /* Y*a == 1  (mod |n|) */
-  if (!Y->neg && BN_ucmp(Y, n) < 0) {
-    if (!BN_copy(R, Y)) {
-      goto err;
-    }
-  } else {
-    if (!BN_nnmod(R, Y, n, ctx)) {
-      goto err;
-    }
-  }
-
-  ret = 1;
-
-err:
-  BN_CTX_end(ctx);
-  return ret;
-}
@@ -1,245 +0,0 @@
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-/* ====================================================================
- * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
- *
- * Portions of the attached software ("Contribution") are developed by
- * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
- *
- * The Contribution is licensed pursuant to the Eric Young open source
- * license provided above.
- *
- * The binary polynomial arithmetic software is originally written by
- * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems
- * Laboratories. */
-
-#ifndef OPENSSL_HEADER_BN_INTERNAL_H
-#define OPENSSL_HEADER_BN_INTERNAL_H
-
-#include <openssl/base.h>
-
-#if defined(OPENSSL_X86_64) && defined(_MSC_VER)
-OPENSSL_MSVC_PRAGMA(warning(push, 3))
-#include <intrin.h>
-OPENSSL_MSVC_PRAGMA(warning(pop))
-#pragma intrinsic(__umulh, _umul128)
-#endif
-
-#include "../internal.h"
-
-#if defined(__cplusplus)
-extern "C" {
-#endif
-
-/* bn_expand acts the same as |bn_wexpand|, but takes a number of bits rather
- * than a number of words. */
-BIGNUM *bn_expand(BIGNUM *bn, size_t bits);
-
-#if defined(OPENSSL_64_BIT)
-
-#if !defined(_MSC_VER)
-/* MSVC doesn't support two-word integers on 64-bit. */
-#define BN_ULLONG	uint128_t
-#endif
-
-#define BN_BITS2	64
-#define BN_BYTES	8
-#define BN_BITS4	32
-#define BN_MASK2	(0xffffffffffffffffUL)
-#define BN_MASK2l	(0xffffffffUL)
-#define BN_MASK2h	(0xffffffff00000000UL)
-#define BN_MASK2h1	(0xffffffff80000000UL)
-#define BN_MONT_CTX_N0_LIMBS 1
-#define BN_TBIT		(0x8000000000000000UL)
-#define BN_DEC_CONV	(10000000000000000000UL)
-#define BN_DEC_NUM	19
-#define TOBN(hi, lo) ((BN_ULONG)hi << 32 | lo)
-
-#elif defined(OPENSSL_32_BIT)
-
-#define BN_ULLONG	uint64_t
-#define BN_BITS2	32
-#define BN_BYTES	4
-#define BN_BITS4	16
-#define BN_MASK2	(0xffffffffUL)
-#define BN_MASK2l	(0xffffUL)
-#define BN_MASK2h1	(0xffff8000UL)
-#define BN_MASK2h	(0xffff0000UL)
-/* On some 32-bit platforms, Montgomery multiplication is done using 64-bit
- * arithmetic with SIMD instructions. On such platforms, |BN_MONT_CTX::n0|
- * needs to be two words long. Only certain 32-bit platforms actually make use
- * of n0[1] and shorter R value would suffice for the others. However,
- * currently only the assembly files know which is which. */
-#define BN_MONT_CTX_N0_LIMBS 2
-#define BN_TBIT		(0x80000000UL)
-#define BN_DEC_CONV	(1000000000UL)
-#define BN_DEC_NUM	9
-#define TOBN(hi, lo) lo, hi
-
-#else
-#error "Must define either OPENSSL_32_BIT or OPENSSL_64_BIT"
-#endif
-
-
-#define STATIC_BIGNUM(x)                                \
-  {                                                     \
-    (BN_ULONG *)x, sizeof(x) / sizeof(BN_ULONG),        \
-    sizeof(x) / sizeof(BN_ULONG), 0, BN_FLG_STATIC_DATA \
-  }
-
-#if defined(BN_ULLONG)
-#define Lw(t) (((BN_ULONG)(t))&BN_MASK2)
-#define Hw(t) (((BN_ULONG)((t)>>BN_BITS2))&BN_MASK2)
-#endif
-
-/* bn_set_words sets |bn| to the value encoded in the |num| words in |words|,
- * least significant word first. */
-int bn_set_words(BIGNUM *bn, const BN_ULONG *words, size_t num);
-
-BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w);
-BN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w);
-void     bn_sqr_words(BN_ULONG *rp, const BN_ULONG *ap, int num);
-BN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,int num);
-BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,int num);
-
-void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b);
-void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b);
-void bn_sqr_comba8(BN_ULONG *r, const BN_ULONG *a);
-void bn_sqr_comba4(BN_ULONG *r, const BN_ULONG *a);
-
-/* bn_cmp_words returns a value less than, equal to or greater than zero if
- * the, length |n|, array |a| is less than, equal to or greater than |b|. */
-int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n);
-
-/* bn_cmp_words returns a value less than, equal to or greater than zero if the
- * array |a| is less than, equal to or greater than |b|. The arrays can be of
- * different lengths: |cl| gives the minimum of the two lengths and |dl| gives
- * the length of |a| minus the length of |b|. */
-int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, int cl, int dl);
-
-int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
-                const BN_ULONG *np, const BN_ULONG *n0, int num);
-
-uint64_t bn_mont_n0(const BIGNUM *n);
-
-#if defined(OPENSSL_X86_64) && defined(_MSC_VER)
-#define BN_UMULT_LOHI(low, high, a, b) ((low) = _umul128((a), (b), &(high)))
-#endif
-
-#if !defined(BN_ULLONG) && !defined(BN_UMULT_LOHI)
-#error "Either BN_ULLONG or BN_UMULT_LOHI must be defined on every platform."
-#endif
-
-
-#if defined(__cplusplus)
-}  /* extern C */
-#endif
-
-#endif  /* OPENSSL_HEADER_BN_INTERNAL_H */
@@ -1,175 +0,0 @@
-/* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com). */
-
-#include <openssl/bn.h>
-
-#include "internal.h"
-
-
-/* least significant word */
-#define BN_lsw(n) (((n)->top == 0) ? (BN_ULONG) 0 : (n)->d[0])
-
-/* Returns -2 for errors because both -1 and 0 are valid results. */
-int BN_kronecker(const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) {
-  int i;
-  int ret = -2;
-  BIGNUM *A, *B, *tmp;
-  /* In 'tab', only odd-indexed entries are relevant:
-   * For any odd BIGNUM n,
-   *     tab[BN_lsw(n) & 7]
-   * is $(-1)^{(n^2-1)/8}$ (using TeX notation).
-   * Note that the sign of n does not matter. */
-  static const int tab[8] = {0, 1, 0, -1, 0, -1, 0, 1};
-
-  BN_CTX_start(ctx);
-  A = BN_CTX_get(ctx);
-  B = BN_CTX_get(ctx);
-  if (B == NULL) {
-    goto end;
-  }
-
-  if (!BN_copy(A, a) ||
-      !BN_copy(B, b)) {
-    goto end;
-  }
-
-  /* Kronecker symbol, imlemented according to Henri Cohen,
-   * "A Course in Computational Algebraic Number Theory"
-   * (algorithm 1.4.10). */
-
-  /* Cohen's step 1: */
-
-  if (BN_is_zero(B)) {
-    ret = BN_abs_is_word(A, 1);
-    goto end;
-  }
-
-  /* Cohen's step 2: */
-
-  if (!BN_is_odd(A) && !BN_is_odd(B)) {
-    ret = 0;
-    goto end;
-  }
-
-  /* now B is non-zero */
-  i = 0;
-  while (!BN_is_bit_set(B, i)) {
-    i++;
-  }
-  if (!BN_rshift(B, B, i)) {
-    goto end;
-  }
-  if (i & 1) {
-    /* i is odd */
-    /* (thus B was even, thus A must be odd!)  */
-
-    /* set 'ret' to $(-1)^{(A^2-1)/8}$ */
-    ret = tab[BN_lsw(A) & 7];
-  } else {
-    /* i is even */
-    ret = 1;
-  }
-
-  if (B->neg) {
-    B->neg = 0;
-    if (A->neg) {
-      ret = -ret;
-    }
-  }
-
-  /* now B is positive and odd, so what remains to be done is to compute the
-   * Jacobi symbol (A/B) and multiply it by 'ret' */
-
-  while (1) {
-    /* Cohen's step 3: */
-
-    /* B is positive and odd */
-    if (BN_is_zero(A)) {
-      ret = BN_is_one(B) ? ret : 0;
-      goto end;
-    }
-
-    /* now A is non-zero */
-    i = 0;
-    while (!BN_is_bit_set(A, i)) {
-      i++;
-    }
-    if (!BN_rshift(A, A, i)) {
-      goto end;
-    }
-    if (i & 1) {
-      /* i is odd */
-      /* multiply 'ret' by  $(-1)^{(B^2-1)/8}$ */
-      ret = ret * tab[BN_lsw(B) & 7];
-    }
-
-    /* Cohen's step 4: */
-    /* multiply 'ret' by  $(-1)^{(A-1)(B-1)/4}$ */
-    if ((A->neg ? ~BN_lsw(A) : BN_lsw(A)) & BN_lsw(B) & 2) {
-      ret = -ret;
-    }
-
-    /* (A, B) := (B mod |A|, |A|) */
-    if (!BN_nnmod(B, B, A, ctx)) {
-      ret = -2;
-      goto end;
-    }
-    tmp = A;
-    A = B;
-    B = tmp;
-    tmp->neg = 0;
-  }
-
-end:
-  BN_CTX_end(ctx);
-  return ret;
-}
@@ -1,160 +0,0 @@
-/* Copyright 2016 Brian Smith.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/bn.h>
-
-#include <assert.h>
-
-#include "internal.h"
-#include "../internal.h"
-
-
-static uint64_t bn_neg_inv_mod_r_u64(uint64_t n);
-
-OPENSSL_COMPILE_ASSERT(BN_MONT_CTX_N0_LIMBS == 1 || BN_MONT_CTX_N0_LIMBS == 2,
-                       BN_MONT_CTX_N0_LIMBS_VALUE_INVALID);
-OPENSSL_COMPILE_ASSERT(sizeof(uint64_t) ==
-                       BN_MONT_CTX_N0_LIMBS * sizeof(BN_ULONG),
-                       BN_MONT_CTX_N0_LIMBS_DOES_NOT_MATCH_UINT64_T);
-
-/* LG_LITTLE_R is log_2(r). */
-#define LG_LITTLE_R (BN_MONT_CTX_N0_LIMBS * BN_BITS2)
-
-uint64_t bn_mont_n0(const BIGNUM *n) {
-  /* These conditions are checked by the caller, |BN_MONT_CTX_set|. */
-  assert(!BN_is_zero(n));
-  assert(!BN_is_negative(n));
-  assert(BN_is_odd(n));
-
-  /* r == 2**(BN_MONT_CTX_N0_LIMBS * BN_BITS2) and LG_LITTLE_R == lg(r). This
-   * ensures that we can do integer division by |r| by simply ignoring
-   * |BN_MONT_CTX_N0_LIMBS| limbs. Similarly, we can calculate values modulo
-   * |r| by just looking at the lowest |BN_MONT_CTX_N0_LIMBS| limbs. This is
-   * what makes Montgomery multiplication efficient.
-   *
-   * As shown in Algorithm 1 of "Fast Prime Field Elliptic Curve Cryptography
-   * with 256 Bit Primes" by Shay Gueron and Vlad Krasnov, in the loop of a
-   * multi-limb Montgomery multiplication of |a * b (mod n)|, given the
-   * unreduced product |t == a * b|, we repeatedly calculate:
-   *
-   *    t1 := t % r         |t1| is |t|'s lowest limb (see previous paragraph).
-   *    t2 := t1*n0*n
-   *    t3 := t + t2
-   *    t := t3 / r         copy all limbs of |t3| except the lowest to |t|.
-   *
-   * In the last step, it would only make sense to ignore the lowest limb of
-   * |t3| if it were zero. The middle steps ensure that this is the case:
-   *
-   *                            t3 ==  0 (mod r)
-   *                        t + t2 ==  0 (mod r)
-   *                   t + t1*n0*n ==  0 (mod r)
-   *                       t1*n0*n == -t (mod r)
-   *                        t*n0*n == -t (mod r)
-   *                          n0*n == -1 (mod r)
-   *                            n0 == -1/n (mod r)
-   *
-   * Thus, in each iteration of the loop, we multiply by the constant factor
-   * |n0|, the negative inverse of n (mod r). */
-
-  /* n_mod_r = n % r. As explained above, this is done by taking the lowest
-   * |BN_MONT_CTX_N0_LIMBS| limbs of |n|. */
-  uint64_t n_mod_r = n->d[0];
-#if BN_MONT_CTX_N0_LIMBS == 2
-  if (n->top > 1) {
-    n_mod_r |= (uint64_t)n->d[1] << BN_BITS2;
-  }
-#endif
-
-  return bn_neg_inv_mod_r_u64(n_mod_r);
-}
-
-/* bn_neg_inv_r_mod_n_u64 calculates the -1/n mod r; i.e. it calculates |v|
- * such that u*r - v*n == 1. |r| is the constant defined in |bn_mont_n0|. |n|
- * must be odd.
- *
- * This is derived from |xbinGCD| in Henry S. Warren, Jr.'s "Montgomery
- * Multiplication" (http://www.hackersdelight.org/MontgomeryMultiplication.pdf).
- * It is very similar to the MODULAR-INVERSE function in Stephen R. Dussé's and
- * Burton S. Kaliski Jr.'s "A Cryptographic Library for the Motorola DSP56000"
- * (http://link.springer.com/chapter/10.1007%2F3-540-46877-3_21).
- *
- * This is inspired by Joppe W. Bos's "Constant Time Modular Inversion"
- * (http://www.joppebos.com/files/CTInversion.pdf) so that the inversion is
- * constant-time with respect to |n|. We assume uint64_t additions,
- * subtractions, shifts, and bitwise operations are all constant time, which
- * may be a large leap of faith on 32-bit targets. We avoid division and
- * multiplication, which tend to be the most problematic in terms of timing
- * leaks.
- *
- * Most GCD implementations return values such that |u*r + v*n == 1|, so the
- * caller would have to negate the resultant |v| for the purpose of Montgomery
- * multiplication. This implementation does the negation implicitly by doing
- * the computations as a difference instead of a sum. */
-static uint64_t bn_neg_inv_mod_r_u64(uint64_t n) {
-  assert(n % 2 == 1);
-
-  /* alpha == 2**(lg r - 1) == r / 2. */
-  static const uint64_t alpha = UINT64_C(1) << (LG_LITTLE_R - 1);
-
-  const uint64_t beta = n;
-
-  uint64_t u = 1;
-  uint64_t v = 0;
-
-  /* The invariant maintained from here on is:
-   * 2**(lg r - i) == u*2*alpha - v*beta. */
-  for (size_t i = 0; i < LG_LITTLE_R; ++i) {
-#if BN_BITS2 == 64 && defined(BN_ULLONG)
-    assert((BN_ULLONG)(1) << (LG_LITTLE_R - i) ==
-           ((BN_ULLONG)u * 2 * alpha) - ((BN_ULLONG)v * beta));
-#endif
-
-    /* Delete a common factor of 2 in u and v if |u| is even. Otherwise, set
-     * |u = (u + beta) / 2| and |v = (v / 2) + alpha|. */
-
-    uint64_t u_is_odd = UINT64_C(0) - (u & 1); /* Either 0xff..ff or 0. */
-
-    /* The addition can overflow, so use Dietz's method for it.
-     *
-     * Dietz calculates (x+y)/2 by (x⊕y)>>1 + x&y. This is valid for all
-     * (unsigned) x and y, even when x+y overflows. Evidence for 32-bit values
-     * (embedded in 64 bits to so that overflow can be ignored):
-     *
-     * (declare-fun x () (_ BitVec 64))
-     * (declare-fun y () (_ BitVec 64))
-     * (assert (let (
-     *    (one (_ bv1 64))
-     *    (thirtyTwo (_ bv32 64)))
-     *    (and
-     *      (bvult x (bvshl one thirtyTwo))
-     *      (bvult y (bvshl one thirtyTwo))
-     *      (not (=
-     *        (bvadd (bvlshr (bvxor x y) one) (bvand x y))
-     *        (bvlshr (bvadd x y) one)))
-     * )))
-     * (check-sat) */
-    uint64_t beta_if_u_is_odd = beta & u_is_odd; /* Either |beta| or 0. */
-    u = ((u ^ beta_if_u_is_odd) >> 1) + (u & beta_if_u_is_odd);
-
-    uint64_t alpha_if_u_is_odd = alpha & u_is_odd; /* Either |alpha| or 0. */
-    v = (v >> 1) + alpha_if_u_is_odd;
-  }
-
-  /* The invariant now shows that u*r - v*n == 1 since r == 2 * alpha. */
-#if BN_BITS2 == 64 && defined(BN_ULLONG)
-  assert(1 == ((BN_ULLONG)u * 2 * alpha) - ((BN_ULLONG)v * beta));
-#endif
-
-  return v;
-}
@@ -1,869 +0,0 @@
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.] */
-
-#include <openssl/bn.h>
-
-#include <assert.h>
-#include <string.h>
-
-#include "internal.h"
-
-
-#define BN_MUL_RECURSIVE_SIZE_NORMAL 16
-#define BN_SQR_RECURSIVE_SIZE_NORMAL BN_MUL_RECURSIVE_SIZE_NORMAL
-
-
-static void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b,
-                          int nb) {
-  BN_ULONG *rr;
-
-  if (na < nb) {
-    int itmp;
-    BN_ULONG *ltmp;
-
-    itmp = na;
-    na = nb;
-    nb = itmp;
-    ltmp = a;
-    a = b;
-    b = ltmp;
-  }
-  rr = &(r[na]);
-  if (nb <= 0) {
-    (void)bn_mul_words(r, a, na, 0);
-    return;
-  } else {
-    rr[0] = bn_mul_words(r, a, na, b[0]);
-  }
-
-  for (;;) {
-    if (--nb <= 0) {
-      return;
-    }
-    rr[1] = bn_mul_add_words(&(r[1]), a, na, b[1]);
-    if (--nb <= 0) {
-      return;
-    }
-    rr[2] = bn_mul_add_words(&(r[2]), a, na, b[2]);
-    if (--nb <= 0) {
-      return;
-    }
-    rr[3] = bn_mul_add_words(&(r[3]), a, na, b[3]);
-    if (--nb <= 0) {
-      return;
-    }
-    rr[4] = bn_mul_add_words(&(r[4]), a, na, b[4]);
-    rr += 4;
-    r += 4;
-    b += 4;
-  }
-}
-
-#if !defined(OPENSSL_X86) || defined(OPENSSL_NO_ASM)
-/* Here follows specialised variants of bn_add_words() and bn_sub_words(). They
- * have the property performing operations on arrays of different sizes. The
- * sizes of those arrays is expressed through cl, which is the common length (
- * basicall, min(len(a),len(b)) ), and dl, which is the delta between the two
- * lengths, calculated as len(a)-len(b). All lengths are the number of
- * BN_ULONGs...  For the operations that require a result array as parameter,
- * it must have the length cl+abs(dl). These functions should probably end up
- * in bn_asm.c as soon as there are assembler counterparts for the systems that
- * use assembler files.  */
-
-static BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a,
-                                  const BN_ULONG *b, int cl, int dl) {
-  BN_ULONG c, t;
-
-  assert(cl >= 0);
-  c = bn_sub_words(r, a, b, cl);
-
-  if (dl == 0) {
-    return c;
-  }
-
-  r += cl;
-  a += cl;
-  b += cl;
-
-  if (dl < 0) {
-    for (;;) {
-      t = b[0];
-      r[0] = (0 - t - c) & BN_MASK2;
-      if (t != 0) {
-        c = 1;
-      }
-      if (++dl >= 0) {
-        break;
-      }
-
-      t = b[1];
-      r[1] = (0 - t - c) & BN_MASK2;
-      if (t != 0) {
-        c = 1;
-      }
-      if (++dl >= 0) {
-        break;
-      }
-
-      t = b[2];
-      r[2] = (0 - t - c) & BN_MASK2;
-      if (t != 0) {
-        c = 1;
-      }
-      if (++dl >= 0) {
-        break;
-      }
-
-      t = b[3];
-      r[3] = (0 - t - c) & BN_MASK2;
-      if (t != 0) {
-        c = 1;
-      }
-      if (++dl >= 0) {
-        break;
-      }
-
-      b += 4;
-      r += 4;
-    }
-  } else {
-    int save_dl = dl;
-    while (c) {
-      t = a[0];
-      r[0] = (t - c) & BN_MASK2;
-      if (t != 0) {
-        c = 0;
-      }
-      if (--dl <= 0) {
-        break;
-      }
-
-      t = a[1];
-      r[1] = (t - c) & BN_MASK2;
-      if (t != 0) {
-        c = 0;
-      }
-      if (--dl <= 0) {
-        break;
-      }
-
-      t = a[2];
-      r[2] = (t - c) & BN_MASK2;
-      if (t != 0) {
-        c = 0;
-      }
-      if (--dl <= 0) {
-        break;
-      }
-
-      t = a[3];
-      r[3] = (t - c) & BN_MASK2;
-      if (t != 0) {
-        c = 0;
-      }
-      if (--dl <= 0) {
-        break;
-      }
-
-      save_dl = dl;
-      a += 4;
-      r += 4;
-    }
-    if (dl > 0) {
-      if (save_dl > dl) {
-        switch (save_dl - dl) {
-          case 1:
-            r[1] = a[1];
-            if (--dl <= 0) {
-              break;
-            }
-          case 2:
-            r[2] = a[2];
-            if (--dl <= 0) {
-              break;
-            }
-          case 3:
-            r[3] = a[3];
-            if (--dl <= 0) {
-              break;
-            }
-        }
-        a += 4;
-        r += 4;
-      }
-    }
-
-    if (dl > 0) {
-      for (;;) {
-        r[0] = a[0];
-        if (--dl <= 0) {
-          break;
-        }
-        r[1] = a[1];
-        if (--dl <= 0) {
-          break;
-        }
-        r[2] = a[2];
-        if (--dl <= 0) {
-          break;
-        }
-        r[3] = a[3];
-        if (--dl <= 0) {
-          break;
-        }
-
-        a += 4;
-        r += 4;
-      }
-    }
-  }
-
-  return c;
-}
-#else
-/* On other platforms the function is defined in asm. */
-BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
-                           int cl, int dl);
-#endif
-
-/* Karatsuba recursive multiplication algorithm
- * (cf. Knuth, The Art of Computer Programming, Vol. 2) */
-
-/* r is 2*n2 words in size,
- * a and b are both n2 words in size.
- * n2 must be a power of 2.
- * We multiply and return the result.
- * t must be 2*n2 words in size
- * We calculate
- * a[0]*b[0]
- * a[0]*b[0]+a[1]*b[1]+(a[0]-a[1])*(b[1]-b[0])
- * a[1]*b[1]
- */
-/* dnX may not be positive, but n2/2+dnX has to be */
-static void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
-                             int dna, int dnb, BN_ULONG *t) {
-  int n = n2 / 2, c1, c2;
-  int tna = n + dna, tnb = n + dnb;
-  unsigned int neg, zero;
-  BN_ULONG ln, lo, *p;
-
-  /* Only call bn_mul_comba 8 if n2 == 8 and the
-   * two arrays are complete [steve]
-   */
-  if (n2 == 8 && dna == 0 && dnb == 0) {
-    bn_mul_comba8(r, a, b);
-    return;
-  }
-
-  /* Else do normal multiply */
-  if (n2 < BN_MUL_RECURSIVE_SIZE_NORMAL) {
-    bn_mul_normal(r, a, n2 + dna, b, n2 + dnb);
-    if ((dna + dnb) < 0) {
-      memset(&r[2 * n2 + dna + dnb], 0, sizeof(BN_ULONG) * -(dna + dnb));
-    }
-    return;
-  }
-
-  /* r=(a[0]-a[1])*(b[1]-b[0]) */
-  c1 = bn_cmp_part_words(a, &(a[n]), tna, n - tna);
-  c2 = bn_cmp_part_words(&(b[n]), b, tnb, tnb - n);
-  zero = neg = 0;
-  switch (c1 * 3 + c2) {
-    case -4:
-      bn_sub_part_words(t, &(a[n]), a, tna, tna - n);       /* - */
-      bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb); /* - */
-      break;
-    case -3:
-      zero = 1;
-      break;
-    case -2:
-      bn_sub_part_words(t, &(a[n]), a, tna, tna - n);       /* - */
-      bn_sub_part_words(&(t[n]), &(b[n]), b, tnb, tnb - n); /* + */
-      neg = 1;
-      break;
-    case -1:
-    case 0:
-    case 1:
-      zero = 1;
-      break;
-    case 2:
-      bn_sub_part_words(t, a, &(a[n]), tna, n - tna);       /* + */
-      bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb); /* - */
-      neg = 1;
-      break;
-    case 3:
-      zero = 1;
-      break;
-    case 4:
-      bn_sub_part_words(t, a, &(a[n]), tna, n - tna);
-      bn_sub_part_words(&(t[n]), &(b[n]), b, tnb, tnb - n);
-      break;
-  }
-
-  if (n == 4 && dna == 0 && dnb == 0) {
-    /* XXX: bn_mul_comba4 could take extra args to do this well */
-    if (!zero) {
-      bn_mul_comba4(&(t[n2]), t, &(t[n]));
-    } else {
-      memset(&(t[n2]), 0, 8 * sizeof(BN_ULONG));
-    }
-
-    bn_mul_comba4(r, a, b);
-    bn_mul_comba4(&(r[n2]), &(a[n]), &(b[n]));
-  } else if (n == 8 && dna == 0 && dnb == 0) {
-    /* XXX: bn_mul_comba8 could take extra args to do this well */
-    if (!zero) {
-      bn_mul_comba8(&(t[n2]), t, &(t[n]));
-    } else {
-      memset(&(t[n2]), 0, 16 * sizeof(BN_ULONG));
-    }
-
-    bn_mul_comba8(r, a, b);
-    bn_mul_comba8(&(r[n2]), &(a[n]), &(b[n]));
-  } else {
-    p = &(t[n2 * 2]);
-    if (!zero) {
-      bn_mul_recursive(&(t[n2]), t, &(t[n]), n, 0, 0, p);
-    } else {
-      memset(&(t[n2]), 0, n2 * sizeof(BN_ULONG));
-    }
-    bn_mul_recursive(r, a, b, n, 0, 0, p);
-    bn_mul_recursive(&(r[n2]), &(a[n]), &(b[n]), n, dna, dnb, p);
-  }
-
-  /* t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
-   * r[10] holds (a[0]*b[0])
-   * r[32] holds (b[1]*b[1]) */
-
-  c1 = (int)(bn_add_words(t, r, &(r[n2]), n2));
-
-  if (neg) {
-    /* if t[32] is negative */
-    c1 -= (int)(bn_sub_words(&(t[n2]), t, &(t[n2]), n2));
-  } else {
-    /* Might have a carry */
-    c1 += (int)(bn_add_words(&(t[n2]), &(t[n2]), t, n2));
-  }
-
-  /* t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
-   * r[10] holds (a[0]*b[0])
-   * r[32] holds (b[1]*b[1])
-   * c1 holds the carry bits */
-  c1 += (int)(bn_add_words(&(r[n]), &(r[n]), &(t[n2]), n2));
-  if (c1) {
-    p = &(r[n + n2]);
-    lo = *p;
-    ln = (lo + c1) & BN_MASK2;
-    *p = ln;
-
-    /* The overflow will stop before we over write
-     * words we should not overwrite */
-    if (ln < (BN_ULONG)c1) {
-      do {
-        p++;
-        lo = *p;
-        ln = (lo + 1) & BN_MASK2;
-        *p = ln;
-      } while (ln == 0);
-    }
-  }
-}
-
-/* n+tn is the word length
- * t needs to be n*4 is size, as does r */
-/* tnX may not be negative but less than n */
-static void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
-                                  int tna, int tnb, BN_ULONG *t) {
-  int i, j, n2 = n * 2;
-  int c1, c2, neg;
-  BN_ULONG ln, lo, *p;
-
-  if (n < 8) {
-    bn_mul_normal(r, a, n + tna, b, n + tnb);
-    return;
-  }
-
-  /* r=(a[0]-a[1])*(b[1]-b[0]) */
-  c1 = bn_cmp_part_words(a, &(a[n]), tna, n - tna);
-  c2 = bn_cmp_part_words(&(b[n]), b, tnb, tnb - n);
-  neg = 0;
-  switch (c1 * 3 + c2) {
-    case -4:
-      bn_sub_part_words(t, &(a[n]), a, tna, tna - n);       /* - */
-      bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb); /* - */
-      break;
-    case -3:
-    /* break; */
-    case -2:
-      bn_sub_part_words(t, &(a[n]), a, tna, tna - n);       /* - */
-      bn_sub_part_words(&(t[n]), &(b[n]), b, tnb, tnb - n); /* + */
-      neg = 1;
-      break;
-    case -1:
-    case 0:
-    case 1:
-    /* break; */
-    case 2:
-      bn_sub_part_words(t, a, &(a[n]), tna, n - tna);       /* + */
-      bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb); /* - */
-      neg = 1;
-      break;
-    case 3:
-    /* break; */
-    case 4:
-      bn_sub_part_words(t, a, &(a[n]), tna, n - tna);
-      bn_sub_part_words(&(t[n]), &(b[n]), b, tnb, tnb - n);
-      break;
-  }
-
-  if (n == 8) {
-    bn_mul_comba8(&(t[n2]), t, &(t[n]));
-    bn_mul_comba8(r, a, b);
-    bn_mul_normal(&(r[n2]), &(a[n]), tna, &(b[n]), tnb);
-    memset(&(r[n2 + tna + tnb]), 0, sizeof(BN_ULONG) * (n2 - tna - tnb));
-  } else {
-    p = &(t[n2 * 2]);
-    bn_mul_recursive(&(t[n2]), t, &(t[n]), n, 0, 0, p);
-    bn_mul_recursive(r, a, b, n, 0, 0, p);
-    i = n / 2;
-    /* If there is only a bottom half to the number,
-     * just do it */
-    if (tna > tnb) {
-      j = tna - i;
-    } else {
-      j = tnb - i;
-    }
-
-    if (j == 0) {
-      bn_mul_recursive(&(r[n2]), &(a[n]), &(b[n]), i, tna - i, tnb - i, p);
-      memset(&(r[n2 + i * 2]), 0, sizeof(BN_ULONG) * (n2 - i * 2));
-    } else if (j > 0) {
-      /* eg, n == 16, i == 8 and tn == 11 */
-      bn_mul_part_recursive(&(r[n2]), &(a[n]), &(b[n]), i, tna - i, tnb - i, p);
-      memset(&(r[n2 + tna + tnb]), 0, sizeof(BN_ULONG) * (n2 - tna - tnb));
-    } else {
-      /* (j < 0) eg, n == 16, i == 8 and tn == 5 */
-      memset(&(r[n2]), 0, sizeof(BN_ULONG) * n2);
-      if (tna < BN_MUL_RECURSIVE_SIZE_NORMAL &&
-          tnb < BN_MUL_RECURSIVE_SIZE_NORMAL) {
-        bn_mul_normal(&(r[n2]), &(a[n]), tna, &(b[n]), tnb);
-      } else {
-        for (;;) {
-          i /= 2;
-          /* these simplified conditions work
-           * exclusively because difference
-           * between tna and tnb is 1 or 0 */
-          if (i < tna || i < tnb) {
-            bn_mul_part_recursive(&(r[n2]), &(a[n]), &(b[n]), i, tna - i,
-                                  tnb - i, p);
-            break;
-          } else if (i == tna || i == tnb) {
-            bn_mul_recursive(&(r[n2]), &(a[n]), &(b[n]), i, tna - i, tnb - i,
-                             p);
-            break;
-          }
-        }
-      }
-    }
-  }
-
-  /* t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
-   * r[10] holds (a[0]*b[0])
-   * r[32] holds (b[1]*b[1])
-   */
-
-  c1 = (int)(bn_add_words(t, r, &(r[n2]), n2));
-
-  if (neg) {
-    /* if t[32] is negative */
-    c1 -= (int)(bn_sub_words(&(t[n2]), t, &(t[n2]), n2));
-  } else {
-    /* Might have a carry */
-    c1 += (int)(bn_add_words(&(t[n2]), &(t[n2]), t, n2));
-  }
-
-  /* t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
-   * r[10] holds (a[0]*b[0])
-   * r[32] holds (b[1]*b[1])
-   * c1 holds the carry bits */
-  c1 += (int)(bn_add_words(&(r[n]), &(r[n]), &(t[n2]), n2));
-  if (c1) {
-    p = &(r[n + n2]);
-    lo = *p;
-    ln = (lo + c1) & BN_MASK2;
-    *p = ln;
-
-    /* The overflow will stop before we over write
-     * words we should not overwrite */
-    if (ln < (BN_ULONG)c1) {
-      do {
-        p++;
-        lo = *p;
-        ln = (lo + 1) & BN_MASK2;
-        *p = ln;
-      } while (ln == 0);
-    }
-  }
-}
-
-int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) {
-  int ret = 0;
-  int top, al, bl;
-  BIGNUM *rr;
-  int i;
-  BIGNUM *t = NULL;
-  int j = 0, k;
-
-  al = a->top;
-  bl = b->top;
-
-  if ((al == 0) || (bl == 0)) {
-    BN_zero(r);
-    return 1;
-  }
-  top = al + bl;
-
-  BN_CTX_start(ctx);
-  if ((r == a) || (r == b)) {
-    if ((rr = BN_CTX_get(ctx)) == NULL) {
-      goto err;
-    }
-  } else {
-    rr = r;
-  }
-  rr->neg = a->neg ^ b->neg;
-
-  i = al - bl;
-  if (i == 0) {
-    if (al == 8) {
-      if (bn_wexpand(rr, 16) == NULL) {
-        goto err;
-      }
-      rr->top = 16;
-      bn_mul_comba8(rr->d, a->d, b->d);
-      goto end;
-    }
-  }
-
-  static const int kMulNormalSize = 16;
-  if (al >= kMulNormalSize && bl >= kMulNormalSize) {
-    if (i >= -1 && i <= 1) {
-      /* Find out the power of two lower or equal
-         to the longest of the two numbers */
-      if (i >= 0) {
-        j = BN_num_bits_word((BN_ULONG)al);
-      }
-      if (i == -1) {
-        j = BN_num_bits_word((BN_ULONG)bl);
-      }
-      j = 1 << (j - 1);
-      assert(j <= al || j <= bl);
-      k = j + j;
-      t = BN_CTX_get(ctx);
-      if (t == NULL) {
-        goto err;
-      }
-      if (al > j || bl > j) {
-        if (bn_wexpand(t, k * 4) == NULL) {
-          goto err;
-        }
-        if (bn_wexpand(rr, k * 4) == NULL) {
-          goto err;
-        }
-        bn_mul_part_recursive(rr->d, a->d, b->d, j, al - j, bl - j, t->d);
-      } else {
-        /* al <= j || bl <= j */
-        if (bn_wexpand(t, k * 2) == NULL) {
-          goto err;
-        }
-        if (bn_wexpand(rr, k * 2) == NULL) {
-          goto err;
-        }
-        bn_mul_recursive(rr->d, a->d, b->d, j, al - j, bl - j, t->d);
-      }
-      rr->top = top;
-      goto end;
-    }
-  }
-
-  if (bn_wexpand(rr, top) == NULL) {
-    goto err;
-  }
-  rr->top = top;
-  bn_mul_normal(rr->d, a->d, al, b->d, bl);
-
-end:
-  bn_correct_top(rr);
-  if (r != rr && !BN_copy(r, rr)) {
-    goto err;
-  }
-  ret = 1;
-
-err:
-  BN_CTX_end(ctx);
-  return ret;
-}
-
-/* tmp must have 2*n words */
-static void bn_sqr_normal(BN_ULONG *r, const BN_ULONG *a, int n, BN_ULONG *tmp) {
-  int i, j, max;
-  const BN_ULONG *ap;
-  BN_ULONG *rp;
-
-  max = n * 2;
-  ap = a;
-  rp = r;
-  rp[0] = rp[max - 1] = 0;
-  rp++;
-  j = n;
-
-  if (--j > 0) {
-    ap++;
-    rp[j] = bn_mul_words(rp, ap, j, ap[-1]);
-    rp += 2;
-  }
-
-  for (i = n - 2; i > 0; i--) {
-    j--;
-    ap++;
-    rp[j] = bn_mul_add_words(rp, ap, j, ap[-1]);
-    rp += 2;
-  }
-
-  bn_add_words(r, r, r, max);
-
-  /* There will not be a carry */
-
-  bn_sqr_words(tmp, a, n);
-
-  bn_add_words(r, r, tmp, max);
-}
-
-/* r is 2*n words in size,
- * a and b are both n words in size.    (There's not actually a 'b' here ...)
- * n must be a power of 2.
- * We multiply and return the result.
- * t must be 2*n words in size
- * We calculate
- * a[0]*b[0]
- * a[0]*b[0]+a[1]*b[1]+(a[0]-a[1])*(b[1]-b[0])
- * a[1]*b[1]
- */
-static void bn_sqr_recursive(BN_ULONG *r, const BN_ULONG *a, int n2, BN_ULONG *t) {
-  int n = n2 / 2;
-  int zero, c1;
-  BN_ULONG ln, lo, *p;
-
-  if (n2 == 4) {
-    bn_sqr_comba4(r, a);
-    return;
-  } else if (n2 == 8) {
-    bn_sqr_comba8(r, a);
-    return;
-  }
-  if (n2 < BN_SQR_RECURSIVE_SIZE_NORMAL) {
-    bn_sqr_normal(r, a, n2, t);
-    return;
-  }
-  /* r=(a[0]-a[1])*(a[1]-a[0]) */
-  c1 = bn_cmp_words(a, &(a[n]), n);
-  zero = 0;
-  if (c1 > 0) {
-    bn_sub_words(t, a, &(a[n]), n);
-  } else if (c1 < 0) {
-    bn_sub_words(t, &(a[n]), a, n);
-  } else {
-    zero = 1;
-  }
-
-  /* The result will always be negative unless it is zero */
-  p = &(t[n2 * 2]);
-
-  if (!zero) {
-    bn_sqr_recursive(&(t[n2]), t, n, p);
-  } else {
-    memset(&(t[n2]), 0, n2 * sizeof(BN_ULONG));
-  }
-  bn_sqr_recursive(r, a, n, p);
-  bn_sqr_recursive(&(r[n2]), &(a[n]), n, p);
-
-  /* t[32] holds (a[0]-a[1])*(a[1]-a[0]), it is negative or zero
-   * r[10] holds (a[0]*b[0])
-   * r[32] holds (b[1]*b[1]) */
-
-  c1 = (int)(bn_add_words(t, r, &(r[n2]), n2));
-
-  /* t[32] is negative */
-  c1 -= (int)(bn_sub_words(&(t[n2]), t, &(t[n2]), n2));
-
-  /* t[32] holds (a[0]-a[1])*(a[1]-a[0])+(a[0]*a[0])+(a[1]*a[1])
-   * r[10] holds (a[0]*a[0])
-   * r[32] holds (a[1]*a[1])
-   * c1 holds the carry bits */
-  c1 += (int)(bn_add_words(&(r[n]), &(r[n]), &(t[n2]), n2));
-  if (c1) {
-    p = &(r[n + n2]);
-    lo = *p;
-    ln = (lo + c1) & BN_MASK2;
-    *p = ln;
-
-    /* The overflow will stop before we over write
-     * words we should not overwrite */
-    if (ln < (BN_ULONG)c1) {
-      do {
-        p++;
-        lo = *p;
-        ln = (lo + 1) & BN_MASK2;
-        *p = ln;
-      } while (ln == 0);
-    }
-  }
-}
-
-int BN_mul_word(BIGNUM *bn, BN_ULONG w) {
-  BN_ULONG ll;
-
-  w &= BN_MASK2;
-  if (!bn->top) {
-    return 1;
-  }
-
-  if (w == 0) {
-    BN_zero(bn);
-    return 1;
-  }
-
-  ll = bn_mul_words(bn->d, bn->d, bn->top, w);
-  if (ll) {
-    if (bn_wexpand(bn, bn->top + 1) == NULL) {
-      return 0;
-    }
-    bn->d[bn->top++] = ll;
-  }
-
-  return 1;
-}
-
-int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) {
-  int max, al;
-  int ret = 0;
-  BIGNUM *tmp, *rr;
-
-  al = a->top;
-  if (al <= 0) {
-    r->top = 0;
-    r->neg = 0;
-    return 1;
-  }
-
-  BN_CTX_start(ctx);
-  rr = (a != r) ? r : BN_CTX_get(ctx);
-  tmp = BN_CTX_get(ctx);
-  if (!rr || !tmp) {
-    goto err;
-  }
-
-  max = 2 * al; /* Non-zero (from above) */
-  if (bn_wexpand(rr, max) == NULL) {
-    goto err;
-  }
-
-  if (al == 4) {
-    bn_sqr_comba4(rr->d, a->d);
-  } else if (al == 8) {
-    bn_sqr_comba8(rr->d, a->d);
-  } else {
-    if (al < BN_SQR_RECURSIVE_SIZE_NORMAL) {
-      BN_ULONG t[BN_SQR_RECURSIVE_SIZE_NORMAL * 2];
-      bn_sqr_normal(rr->d, a->d, al, t);
-    } else {
-      int j, k;
-
-      j = BN_num_bits_word((BN_ULONG)al);
-      j = 1 << (j - 1);
-      k = j + j;
-      if (al == j) {
-        if (bn_wexpand(tmp, k * 2) == NULL) {
-          goto err;
-        }
-        bn_sqr_recursive(rr->d, a->d, al, tmp->d);
-      } else {
-        if (bn_wexpand(tmp, max) == NULL) {
-          goto err;
-        }
-        bn_sqr_normal(rr->d, a->d, al, tmp->d);
-      }
-    }
-  }
-
-  rr->neg = 0;
-  /* If the most-significant half of the top word of 'a' is zero, then
-   * the square of 'a' will max-1 words. */
-  if (a->d[al - 1] == (a->d[al - 1] & BN_MASK2l)) {
-    rr->top = max - 1;
-  } else {
-    rr->top = max;
-  }
-
-  if (rr != r && !BN_copy(r, rr)) {
-    goto err;
-  }
-  ret = 1;
-
-err:
-  BN_CTX_end(ctx);
-  return ret;
-}
@@ -1,340 +0,0 @@
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com). */
-
-#include <openssl/bn.h>
-
-#include <string.h>
-
-#include <openssl/err.h>
-#include <openssl/mem.h>
-#include <openssl/rand.h>
-#include <openssl/sha.h>
-
-int BN_rand(BIGNUM *rnd, int bits, int top, int bottom) {
-  uint8_t *buf = NULL;
-  int ret = 0, bit, bytes, mask;
-
-  if (rnd == NULL) {
-    return 0;
-  }
-
-  if (top != BN_RAND_TOP_ANY && top != BN_RAND_TOP_ONE &&
-      top != BN_RAND_TOP_TWO) {
-    OPENSSL_PUT_ERROR(BN, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-    return 0;
-  }
-
-  if (bottom != BN_RAND_BOTTOM_ANY && bottom != BN_RAND_BOTTOM_ODD) {
-    OPENSSL_PUT_ERROR(BN, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-    return 0;
-  }
-
-  if (bits == 0) {
-    BN_zero(rnd);
-    return 1;
-  }
-
-  bytes = (bits + 7) / 8;
-  bit = (bits - 1) % 8;
-  mask = 0xff << (bit + 1);
-
-  buf = OPENSSL_malloc(bytes);
-  if (buf == NULL) {
-    OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE);
-    goto err;
-  }
-
-  /* Make a random number and set the top and bottom bits. */
-  if (!RAND_bytes(buf, bytes)) {
-    goto err;
-  }
-
-  if (top != BN_RAND_TOP_ANY) {
-    if (top == BN_RAND_TOP_TWO && bits > 1) {
-      if (bit == 0) {
-        buf[0] = 1;
-        buf[1] |= 0x80;
-      } else {
-        buf[0] |= (3 << (bit - 1));
-      }
-    } else {
-      buf[0] |= (1 << bit);
-    }
-  }
-
-  buf[0] &= ~mask;
-
-  /* Set the bottom bit if requested, */
-  if (bottom == BN_RAND_BOTTOM_ODD)  {
-    buf[bytes - 1] |= 1;
-  }
-
-  if (!BN_bin2bn(buf, bytes, rnd)) {
-    goto err;
-  }
-
-  ret = 1;
-
-err:
-  if (buf != NULL) {
-    OPENSSL_cleanse(buf, bytes);
-    OPENSSL_free(buf);
-  }
-  return (ret);
-}
-
-int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom) {
-  return BN_rand(rnd, bits, top, bottom);
-}
-
-int BN_rand_range_ex(BIGNUM *r, BN_ULONG min_inclusive,
-                     const BIGNUM *max_exclusive) {
-  unsigned n;
-  unsigned count = 100;
-
-  if (BN_cmp_word(max_exclusive, min_inclusive) <= 0) {
-    OPENSSL_PUT_ERROR(BN, BN_R_INVALID_RANGE);
-    return 0;
-  }
-
-  n = BN_num_bits(max_exclusive); /* n > 0 */
-
-  /* BN_is_bit_set(range, n - 1) always holds */
-  if (n == 1) {
-    BN_zero(r);
-    return 1;
-  }
-
-  do {
-    if (!--count) {
-      OPENSSL_PUT_ERROR(BN, BN_R_TOO_MANY_ITERATIONS);
-      return 0;
-    }
-
-    if (!BN_is_bit_set(max_exclusive, n - 2) &&
-        !BN_is_bit_set(max_exclusive, n - 3)) {
-      /* range = 100..._2, so 3*range (= 11..._2) is exactly one bit longer
-       * than range. This is a common scenario when generating a random value
-       * modulo an RSA public modulus, e.g. for RSA base blinding. */
-      if (!BN_rand(r, n + 1, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY)) {
-        return 0;
-      }
-
-      /* If r < 3*range, use r := r MOD range (which is either r, r - range, or
-       * r - 2*range). Otherwise, iterate again. Since 3*range = 11..._2, each
-       * iteration succeeds with probability >= .75. */
-      if (BN_cmp(r, max_exclusive) >= 0) {
-        if (!BN_sub(r, r, max_exclusive)) {
-          return 0;
-        }
-        if (BN_cmp(r, max_exclusive) >= 0) {
-          if (!BN_sub(r, r, max_exclusive)) {
-            return 0;
-          }
-        }
-      }
-    } else {
-      /* range = 11..._2  or  range = 101..._2 */
-      if (!BN_rand(r, n, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY)) {
-        return 0;
-      }
-    }
-  } while (BN_cmp_word(r, min_inclusive) < 0 ||
-           BN_cmp(r, max_exclusive) >= 0);
-
-  return 1;
-}
-
-int BN_rand_range(BIGNUM *r, const BIGNUM *range) {
-  return BN_rand_range_ex(r, 0, range);
-}
-
-int BN_pseudo_rand_range(BIGNUM *r, const BIGNUM *range) {
-  return BN_rand_range(r, range);
-}
-
-int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, const BIGNUM *priv,
-                          const uint8_t *message, size_t message_len,
-                          BN_CTX *ctx) {
-  SHA512_CTX sha;
-  /* We use 512 bits of random data per iteration to
-   * ensure that we have at least |range| bits of randomness. */
-  uint8_t random_bytes[64];
-  uint8_t digest[SHA512_DIGEST_LENGTH];
-  size_t done, todo, attempt;
-  const unsigned num_k_bytes = BN_num_bytes(range);
-  const unsigned bits_to_mask = (8 - (BN_num_bits(range) % 8)) % 8;
-  uint8_t private_bytes[96];
-  uint8_t *k_bytes = NULL;
-  int ret = 0;
-
-  if (out == NULL) {
-    return 0;
-  }
-
-  if (BN_is_zero(range)) {
-    OPENSSL_PUT_ERROR(BN, BN_R_DIV_BY_ZERO);
-    goto err;
-  }
-
-  k_bytes = OPENSSL_malloc(num_k_bytes);
-  if (!k_bytes) {
-    OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE);
-    goto err;
-  }
-
-  /* We copy |priv| into a local buffer to avoid furthur exposing its
-   * length. */
-  todo = sizeof(priv->d[0]) * priv->top;
-  if (todo > sizeof(private_bytes)) {
-    /* No reasonable DSA or ECDSA key should have a private key
-     * this large and we don't handle this case in order to avoid
-     * leaking the length of the private key. */
-    OPENSSL_PUT_ERROR(BN, BN_R_PRIVATE_KEY_TOO_LARGE);
-    goto err;
-  }
-  memcpy(private_bytes, priv->d, todo);
-  memset(private_bytes + todo, 0, sizeof(private_bytes) - todo);
-
-  for (attempt = 0;; attempt++) {
-    for (done = 0; done < num_k_bytes;) {
-      if (!RAND_bytes(random_bytes, sizeof(random_bytes))) {
-        goto err;
-      }
-      SHA512_Init(&sha);
-      SHA512_Update(&sha, &attempt, sizeof(attempt));
-      SHA512_Update(&sha, &done, sizeof(done));
-      SHA512_Update(&sha, private_bytes, sizeof(private_bytes));
-      SHA512_Update(&sha, message, message_len);
-      SHA512_Update(&sha, random_bytes, sizeof(random_bytes));
-      SHA512_Final(digest, &sha);
-
-      todo = num_k_bytes - done;
-      if (todo > SHA512_DIGEST_LENGTH) {
-        todo = SHA512_DIGEST_LENGTH;
-      }
-      memcpy(k_bytes + done, digest, todo);
-      done += todo;
-    }
-
-    k_bytes[0] &= 0xff >> bits_to_mask;
-
-    if (!BN_bin2bn(k_bytes, num_k_bytes, out)) {
-      goto err;
-    }
-    if (BN_cmp(out, range) < 0) {
-      break;
-    }
-  }
-
-  ret = 1;
-
-err:
-  OPENSSL_free(k_bytes);
-  return ret;
-}
@@ -1,504 +0,0 @@
-/* Written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
- * and Bodo Moeller for the OpenSSL project. */
-/* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com). */
-
-#include <openssl/bn.h>
-
-#include <openssl/err.h>
-
-
-BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) {
-  /* Compute a square root of |a| mod |p| using the Tonelli/Shanks algorithm
-   * (cf. Henri Cohen, "A Course in Algebraic Computational Number Theory",
-   * algorithm 1.5.1). |p| is assumed to be a prime. */
-
-  BIGNUM *ret = in;
-  int err = 1;
-  int r;
-  BIGNUM *A, *b, *q, *t, *x, *y;
-  int e, i, j;
-
-  if (!BN_is_odd(p) || BN_abs_is_word(p, 1)) {
-    if (BN_abs_is_word(p, 2)) {
-      if (ret == NULL) {
-        ret = BN_new();
-      }
-      if (ret == NULL) {
-        goto end;
-      }
-      if (!BN_set_word(ret, BN_is_bit_set(a, 0))) {
-        if (ret != in) {
-          BN_free(ret);
-        }
-        return NULL;
-      }
-      return ret;
-    }
-
-    OPENSSL_PUT_ERROR(BN, BN_R_P_IS_NOT_PRIME);
-    return (NULL);
-  }
-
-  if (BN_is_zero(a) || BN_is_one(a)) {
-    if (ret == NULL) {
-      ret = BN_new();
-    }
-    if (ret == NULL) {
-      goto end;
-    }
-    if (!BN_set_word(ret, BN_is_one(a))) {
-      if (ret != in) {
-        BN_free(ret);
-      }
-      return NULL;
-    }
-    return ret;
-  }
-
-  BN_CTX_start(ctx);
-  A = BN_CTX_get(ctx);
-  b = BN_CTX_get(ctx);
-  q = BN_CTX_get(ctx);
-  t = BN_CTX_get(ctx);
-  x = BN_CTX_get(ctx);
-  y = BN_CTX_get(ctx);
-  if (y == NULL) {
-    goto end;
-  }
-
-  if (ret == NULL) {
-    ret = BN_new();
-  }
-  if (ret == NULL) {
-    goto end;
-  }
-
-  /* A = a mod p */
-  if (!BN_nnmod(A, a, p, ctx)) {
-    goto end;
-  }
-
-  /* now write  |p| - 1  as  2^e*q  where  q  is odd */
-  e = 1;
-  while (!BN_is_bit_set(p, e)) {
-    e++;
-  }
-  /* we'll set  q  later (if needed) */
-
-  if (e == 1) {
-    /* The easy case:  (|p|-1)/2  is odd, so 2 has an inverse
-     * modulo  (|p|-1)/2,  and square roots can be computed
-     * directly by modular exponentiation.
-     * We have
-     *     2 * (|p|+1)/4 == 1   (mod (|p|-1)/2),
-     * so we can use exponent  (|p|+1)/4,  i.e.  (|p|-3)/4 + 1.
-     */
-    if (!BN_rshift(q, p, 2)) {
-      goto end;
-    }
-    q->neg = 0;
-    if (!BN_add_word(q, 1) ||
-        !BN_mod_exp(ret, A, q, p, ctx)) {
-      goto end;
-    }
-    err = 0;
-    goto vrfy;
-  }
-
-  if (e == 2) {
-    /* |p| == 5  (mod 8)
-     *
-     * In this case  2  is always a non-square since
-     * Legendre(2,p) = (-1)^((p^2-1)/8)  for any odd prime.
-     * So if  a  really is a square, then  2*a  is a non-square.
-     * Thus for
-     *      b := (2*a)^((|p|-5)/8),
-     *      i := (2*a)*b^2
-     * we have
-     *     i^2 = (2*a)^((1 + (|p|-5)/4)*2)
-     *         = (2*a)^((p-1)/2)
-     *         = -1;
-     * so if we set
-     *      x := a*b*(i-1),
-     * then
-     *     x^2 = a^2 * b^2 * (i^2 - 2*i + 1)
-     *         = a^2 * b^2 * (-2*i)
-     *         = a*(-i)*(2*a*b^2)
-     *         = a*(-i)*i
-     *         = a.
-     *
-     * (This is due to A.O.L. Atkin,
-     * <URL:
-     *http://listserv.nodak.edu/scripts/wa.exe?A2=ind9211&L=nmbrthry&O=T&P=562>,
-     * November 1992.)
-     */
-
-    /* t := 2*a */
-    if (!BN_mod_lshift1_quick(t, A, p)) {
-      goto end;
-    }
-
-    /* b := (2*a)^((|p|-5)/8) */
-    if (!BN_rshift(q, p, 3)) {
-      goto end;
-    }
-    q->neg = 0;
-    if (!BN_mod_exp(b, t, q, p, ctx)) {
-      goto end;
-    }
-
-    /* y := b^2 */
-    if (!BN_mod_sqr(y, b, p, ctx)) {
-      goto end;
-    }
-
-    /* t := (2*a)*b^2 - 1*/
-    if (!BN_mod_mul(t, t, y, p, ctx) ||
-        !BN_sub_word(t, 1)) {
-      goto end;
-    }
-
-    /* x = a*b*t */
-    if (!BN_mod_mul(x, A, b, p, ctx) ||
-        !BN_mod_mul(x, x, t, p, ctx)) {
-      goto end;
-    }
-
-    if (!BN_copy(ret, x)) {
-      goto end;
-    }
-    err = 0;
-    goto vrfy;
-  }
-
-  /* e > 2, so we really have to use the Tonelli/Shanks algorithm.
-   * First, find some  y  that is not a square. */
-  if (!BN_copy(q, p)) {
-    goto end; /* use 'q' as temp */
-  }
-  q->neg = 0;
-  i = 2;
-  do {
-    /* For efficiency, try small numbers first;
-     * if this fails, try random numbers.
-     */
-    if (i < 22) {
-      if (!BN_set_word(y, i)) {
-        goto end;
-      }
-    } else {
-      if (!BN_pseudo_rand(y, BN_num_bits(p), 0, 0)) {
-        goto end;
-      }
-      if (BN_ucmp(y, p) >= 0) {
-        if (!(p->neg ? BN_add : BN_sub)(y, y, p)) {
-          goto end;
-        }
-      }
-      /* now 0 <= y < |p| */
-      if (BN_is_zero(y)) {
-        if (!BN_set_word(y, i)) {
-          goto end;
-        }
-      }
-    }
-
-    r = BN_kronecker(y, q, ctx); /* here 'q' is |p| */
-    if (r < -1) {
-      goto end;
-    }
-    if (r == 0) {
-      /* m divides p */
-      OPENSSL_PUT_ERROR(BN, BN_R_P_IS_NOT_PRIME);
-      goto end;
-    }
-  } while (r == 1 && ++i < 82);
-
-  if (r != -1) {
-    /* Many rounds and still no non-square -- this is more likely
-     * a bug than just bad luck.
-     * Even if  p  is not prime, we should have found some  y
-     * such that r == -1.
-     */
-    OPENSSL_PUT_ERROR(BN, BN_R_TOO_MANY_ITERATIONS);
-    goto end;
-  }
-
-  /* Here's our actual 'q': */
-  if (!BN_rshift(q, q, e)) {
-    goto end;
-  }
-
-  /* Now that we have some non-square, we can find an element
-   * of order  2^e  by computing its q'th power. */
-  if (!BN_mod_exp(y, y, q, p, ctx)) {
-    goto end;
-  }
-  if (BN_is_one(y)) {
-    OPENSSL_PUT_ERROR(BN, BN_R_P_IS_NOT_PRIME);
-    goto end;
-  }
-
-  /* Now we know that (if  p  is indeed prime) there is an integer
-   * k,  0 <= k < 2^e,  such that
-   *
-   *      a^q * y^k == 1   (mod p).
-   *
-   * As  a^q  is a square and  y  is not,  k  must be even.
-   * q+1  is even, too, so there is an element
-   *
-   *     X := a^((q+1)/2) * y^(k/2),
-   *
-   * and it satisfies
-   *
-   *     X^2 = a^q * a     * y^k
-   *         = a,
-   *
-   * so it is the square root that we are looking for.
-   */
-
-  /* t := (q-1)/2  (note that  q  is odd) */
-  if (!BN_rshift1(t, q)) {
-    goto end;
-  }
-
-  /* x := a^((q-1)/2) */
-  if (BN_is_zero(t)) /* special case: p = 2^e + 1 */
-  {
-    if (!BN_nnmod(t, A, p, ctx)) {
-      goto end;
-    }
-    if (BN_is_zero(t)) {
-      /* special case: a == 0  (mod p) */
-      BN_zero(ret);
-      err = 0;
-      goto end;
-    } else if (!BN_one(x)) {
-      goto end;
-    }
-  } else {
-    if (!BN_mod_exp(x, A, t, p, ctx)) {
-      goto end;
-    }
-    if (BN_is_zero(x)) {
-      /* special case: a == 0  (mod p) */
-      BN_zero(ret);
-      err = 0;
-      goto end;
-    }
-  }
-
-  /* b := a*x^2  (= a^q) */
-  if (!BN_mod_sqr(b, x, p, ctx) ||
-      !BN_mod_mul(b, b, A, p, ctx)) {
-    goto end;
-  }
-
-  /* x := a*x    (= a^((q+1)/2)) */
-  if (!BN_mod_mul(x, x, A, p, ctx)) {
-    goto end;
-  }
-
-  while (1) {
-    /* Now  b  is  a^q * y^k  for some even  k  (0 <= k < 2^E
-     * where  E  refers to the original value of  e,  which we
-     * don't keep in a variable),  and  x  is  a^((q+1)/2) * y^(k/2).
-     *
-     * We have  a*b = x^2,
-     *    y^2^(e-1) = -1,
-     *    b^2^(e-1) = 1.
-     */
-
-    if (BN_is_one(b)) {
-      if (!BN_copy(ret, x)) {
-        goto end;
-      }
-      err = 0;
-      goto vrfy;
-    }
-
-
-    /* find smallest  i  such that  b^(2^i) = 1 */
-    i = 1;
-    if (!BN_mod_sqr(t, b, p, ctx)) {
-      goto end;
-    }
-    while (!BN_is_one(t)) {
-      i++;
-      if (i == e) {
-        OPENSSL_PUT_ERROR(BN, BN_R_NOT_A_SQUARE);
-        goto end;
-      }
-      if (!BN_mod_mul(t, t, t, p, ctx)) {
-        goto end;
-      }
-    }
-
-
-    /* t := y^2^(e - i - 1) */
-    if (!BN_copy(t, y)) {
-      goto end;
-    }
-    for (j = e - i - 1; j > 0; j--) {
-      if (!BN_mod_sqr(t, t, p, ctx)) {
-        goto end;
-      }
-    }
-    if (!BN_mod_mul(y, t, t, p, ctx) ||
-        !BN_mod_mul(x, x, t, p, ctx) ||
-        !BN_mod_mul(b, b, y, p, ctx)) {
-      goto end;
-    }
-    e = i;
-  }
-
-vrfy:
-  if (!err) {
-    /* verify the result -- the input might have been not a square
-     * (test added in 0.9.8) */
-
-    if (!BN_mod_sqr(x, ret, p, ctx)) {
-      err = 1;
-    }
-
-    if (!err && 0 != BN_cmp(x, A)) {
-      OPENSSL_PUT_ERROR(BN, BN_R_NOT_A_SQUARE);
-      err = 1;
-    }
-  }
-
-end:
-  if (err) {
-    if (ret != in) {
-      BN_clear_free(ret);
-    }
-    ret = NULL;
-  }
-  BN_CTX_end(ctx);
-  return ret;
-}
-
-int BN_sqrt(BIGNUM *out_sqrt, const BIGNUM *in, BN_CTX *ctx) {
-  BIGNUM *estimate, *tmp, *delta, *last_delta, *tmp2;
-  int ok = 0, last_delta_valid = 0;
-
-  if (in->neg) {
-    OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);
-    return 0;
-  }
-  if (BN_is_zero(in)) {
-    BN_zero(out_sqrt);
-    return 1;
-  }
-
-  BN_CTX_start(ctx);
-  if (out_sqrt == in) {
-    estimate = BN_CTX_get(ctx);
-  } else {
-    estimate = out_sqrt;
-  }
-  tmp = BN_CTX_get(ctx);
-  last_delta = BN_CTX_get(ctx);
-  delta = BN_CTX_get(ctx);
-  if (estimate == NULL || tmp == NULL || last_delta == NULL || delta == NULL) {
-    OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE);
-    goto err;
-  }
-
-  /* We estimate that the square root of an n-bit number is 2^{n/2}. */
-  BN_lshift(estimate, BN_value_one(), BN_num_bits(in)/2);
-
-  /* This is Newton's method for finding a root of the equation |estimate|^2 -
-   * |in| = 0. */
-  for (;;) {
-    /* |estimate| = 1/2 * (|estimate| + |in|/|estimate|) */
-    if (!BN_div(tmp, NULL, in, estimate, ctx) ||
-        !BN_add(tmp, tmp, estimate) ||
-        !BN_rshift1(estimate, tmp) ||
-        /* |tmp| = |estimate|^2 */
-        !BN_sqr(tmp, estimate, ctx) ||
-        /* |delta| = |in| - |tmp| */
-        !BN_sub(delta, in, tmp)) {
-      OPENSSL_PUT_ERROR(BN, ERR_R_BN_LIB);
-      goto err;
-    }
-
-    delta->neg = 0;
-    /* The difference between |in| and |estimate| squared is required to always
-     * decrease. This ensures that the loop always terminates, but I don't have
-     * a proof that it always finds the square root for a given square. */
-    if (last_delta_valid && BN_cmp(delta, last_delta) >= 0) {
-      break;
-    }
-
-    last_delta_valid = 1;
-
-    tmp2 = last_delta;
-    last_delta = delta;
-    delta = tmp2;
-  }
-
-  if (BN_cmp(tmp, in) != 0) {
-    OPENSSL_PUT_ERROR(BN, BN_R_NOT_A_SQUARE);
-    goto err;
-  }
-
-  ok = 1;
-
-err:
-  if (ok && out_sqrt == in && !BN_copy(out_sqrt, estimate)) {
-    ok = 0;
-  }
-  BN_CTX_end(ctx);
-  return ok;
-}
@@ -0,0 +1,10 @@
+include_directories(../../include)
+
+add_library(
+  bn_extra
+
+  OBJECT
+
+  bn_asn1.c
+  convert.c
+)
@@ -31,7 +31,7 @@ int BN_parse_asn1_unsigned(CBS *cbs, BIGNUM *ret) {
    return 0;
  }

-  /* INTEGERs must be minimal. */
+  // INTEGERs must be minimal.
  if (CBS_data(&child)[0] == 0x00 &&
      CBS_len(&child) > 1 &&
      !(CBS_data(&child)[1] & 0x80)) {
@@ -50,16 +50,16 @@ int BN_parse_asn1_unsigned_buggy(CBS *cbs, BIGNUM *ret) {
    return 0;
  }

-  /* This function intentionally does not reject negative numbers or non-minimal
-   * encodings. Estonian IDs issued between September 2014 to September 2015 are
-   * broken. See https://crbug.com/532048 and https://crbug.com/534766.
-   *
-   * TODO(davidben): Remove this code and callers in March 2016. */
+  // This function intentionally does not reject negative numbers or non-minimal
+  // encodings. Estonian IDs issued between September 2014 to September 2015 are
+  // broken. See https://crbug.com/532048 and https://crbug.com/534766.
+  //
+  // TODO(davidben): Remove this code and callers in March 2016.
  return BN_bin2bn(CBS_data(&child), CBS_len(&child), ret) != NULL;
 }

 int BN_marshal_asn1(CBB *cbb, const BIGNUM *bn) {
-  /* Negative numbers are unsupported. */
+  // Negative numbers are unsupported.
  if (BN_is_negative(bn)) {
    OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);
    return 0;
@@ -67,8 +67,8 @@ int BN_marshal_asn1(CBB *cbb, const BIGNUM *bn) {

  CBB child;
  if (!CBB_add_asn1(cbb, &child, CBS_ASN1_INTEGER) ||
-      /* The number must be padded with a leading zero if the high bit would
-       * otherwise be set or if |bn| is zero. */
+      // The number must be padded with a leading zero if the high bit would
+      // otherwise be set or if |bn| is zero.
      (BN_num_bits(bn) % 8 == 0 && !CBB_add_u8(&child, 0x00)) ||
      !BN_bn2cbb_padded(&child, BN_num_bytes(bn), bn) ||
      !CBB_flush(cbb)) {
@@ -0,0 +1,465 @@
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.] */
+
+#include <openssl/bn.h>
+
+#include <assert.h>
+#include <ctype.h>
+#include <limits.h>
+#include <stdio.h>
+
+#include <openssl/bio.h>
+#include <openssl/bytestring.h>
+#include <openssl/err.h>
+#include <openssl/mem.h>
+
+#include "../fipsmodule/bn/internal.h"
+
+
+int BN_bn2cbb_padded(CBB *out, size_t len, const BIGNUM *in) {
+  uint8_t *ptr;
+  return CBB_add_space(out, &ptr, len) && BN_bn2bin_padded(ptr, len, in);
+}
+
+static const char hextable[] = "0123456789abcdef";
+
+char *BN_bn2hex(const BIGNUM *bn) {
+  char *buf = OPENSSL_malloc(1 /* leading '-' */ + 1 /* zero is non-empty */ +
+                             bn->top * BN_BYTES * 2 + 1 /* trailing NUL */);
+  if (buf == NULL) {
+    OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE);
+    return NULL;
+  }
+
+  char *p = buf;
+  if (bn->neg) {
+    *(p++) = '-';
+  }
+
+  if (BN_is_zero(bn)) {
+    *(p++) = '0';
+  }
+
+  int z = 0;
+  for (int i = bn->top - 1; i >= 0; i--) {
+    for (int j = BN_BITS2 - 8; j >= 0; j -= 8) {
+      // strip leading zeros
+      int v = ((int)(bn->d[i] >> (long)j)) & 0xff;
+      if (z || v != 0) {
+        *(p++) = hextable[v >> 4];
+        *(p++) = hextable[v & 0x0f];
+        z = 1;
+      }
+    }
+  }
+  *p = '\0';
+
+  return buf;
+}
+
+// decode_hex decodes |in_len| bytes of hex data from |in| and updates |bn|.
+static int decode_hex(BIGNUM *bn, const char *in, int in_len) {
+  if (in_len > INT_MAX/4) {
+    OPENSSL_PUT_ERROR(BN, BN_R_BIGNUM_TOO_LONG);
+    return 0;
+  }
+  // |in_len| is the number of hex digits.
+  if (!bn_expand(bn, in_len * 4)) {
+    return 0;
+  }
+
+  int i = 0;
+  while (in_len > 0) {
+    // Decode one |BN_ULONG| at a time.
+    int todo = BN_BYTES * 2;
+    if (todo > in_len) {
+      todo = in_len;
+    }
+
+    BN_ULONG word = 0;
+    int j;
+    for (j = todo; j > 0; j--) {
+      char c = in[in_len - j];
+
+      BN_ULONG hex;
+      if (c >= '0' && c <= '9') {
+        hex = c - '0';
+      } else if (c >= 'a' && c <= 'f') {
+        hex = c - 'a' + 10;
+      } else if (c >= 'A' && c <= 'F') {
+        hex = c - 'A' + 10;
+      } else {
+        hex = 0;
+        // This shouldn't happen. The caller checks |isxdigit|.
+        assert(0);
+      }
+      word = (word << 4) | hex;
+    }
+
+    bn->d[i++] = word;
+    in_len -= todo;
+  }
+  assert(i <= bn->dmax);
+  bn->top = i;
+  return 1;
+}
+
+// decode_dec decodes |in_len| bytes of decimal data from |in| and updates |bn|.
+static int decode_dec(BIGNUM *bn, const char *in, int in_len) {
+  int i, j;
+  BN_ULONG l = 0;
+
+  // Decode |BN_DEC_NUM| digits at a time.
+  j = BN_DEC_NUM - (in_len % BN_DEC_NUM);
+  if (j == BN_DEC_NUM) {
+    j = 0;
+  }
+  l = 0;
+  for (i = 0; i < in_len; i++) {
+    l *= 10;
+    l += in[i] - '0';
+    if (++j == BN_DEC_NUM) {
+      if (!BN_mul_word(bn, BN_DEC_CONV) ||
+          !BN_add_word(bn, l)) {
+        return 0;
+      }
+      l = 0;
+      j = 0;
+    }
+  }
+  return 1;
+}
+
+typedef int (*decode_func) (BIGNUM *bn, const char *in, int in_len);
+typedef int (*char_test_func) (int c);
+
+static int bn_x2bn(BIGNUM **outp, const char *in, decode_func decode, char_test_func want_char) {
+  BIGNUM *ret = NULL;
+  int neg = 0, i;
+  int num;
+
+  if (in == NULL || *in == 0) {
+    return 0;
+  }
+
+  if (*in == '-') {
+    neg = 1;
+    in++;
+  }
+
+  for (i = 0; want_char((unsigned char)in[i]) && i + neg < INT_MAX; i++) {}
+
+  num = i + neg;
+  if (outp == NULL) {
+    return num;
+  }
+
+  // in is the start of the hex digits, and it is 'i' long
+  if (*outp == NULL) {
+    ret = BN_new();
+    if (ret == NULL) {
+      return 0;
+    }
+  } else {
+    ret = *outp;
+    BN_zero(ret);
+  }
+
+  if (!decode(ret, in, i)) {
+    goto err;
+  }
+
+  bn_correct_top(ret);
+  if (!BN_is_zero(ret)) {
+    ret->neg = neg;
+  }
+
+  *outp = ret;
+  return num;
+
+err:
+  if (*outp == NULL) {
+    BN_free(ret);
+  }
+
+  return 0;
+}
+
+int BN_hex2bn(BIGNUM **outp, const char *in) {
+  return bn_x2bn(outp, in, decode_hex, isxdigit);
+}
+
+char *BN_bn2dec(const BIGNUM *a) {
+  // It is easier to print strings little-endian, so we assemble it in reverse
+  // and fix at the end.
+  BIGNUM *copy = NULL;
+  CBB cbb;
+  if (!CBB_init(&cbb, 16) ||
+      !CBB_add_u8(&cbb, 0 /* trailing NUL */)) {
+    goto cbb_err;
+  }
+
+  if (BN_is_zero(a)) {
+    if (!CBB_add_u8(&cbb, '0')) {
+      goto cbb_err;
+    }
+  } else {
+    copy = BN_dup(a);
+    if (copy == NULL) {
+      goto err;
+    }
+
+    while (!BN_is_zero(copy)) {
+      BN_ULONG word = BN_div_word(copy, BN_DEC_CONV);
+      if (word == (BN_ULONG)-1) {
+        goto err;
+      }
+
+      const int add_leading_zeros = !BN_is_zero(copy);
+      for (int i = 0; i < BN_DEC_NUM && (add_leading_zeros || word != 0); i++) {
+        if (!CBB_add_u8(&cbb, '0' + word % 10)) {
+          goto cbb_err;
+        }
+        word /= 10;
+      }
+      assert(word == 0);
+    }
+  }
+
+  if (BN_is_negative(a) &&
+      !CBB_add_u8(&cbb, '-')) {
+    goto cbb_err;
+  }
+
+  uint8_t *data;
+  size_t len;
+  if (!CBB_finish(&cbb, &data, &len)) {
+    goto cbb_err;
+  }
+
+  // Reverse the buffer.
+  for (size_t i = 0; i < len/2; i++) {
+    uint8_t tmp = data[i];
+    data[i] = data[len - 1 - i];
+    data[len - 1 - i] = tmp;
+  }
+
+  BN_free(copy);
+  return (char *)data;
+
+cbb_err:
+  OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE);
+err:
+  BN_free(copy);
+  CBB_cleanup(&cbb);
+  return NULL;
+}
+
+int BN_dec2bn(BIGNUM **outp, const char *in) {
+  return bn_x2bn(outp, in, decode_dec, isdigit);
+}
+
+int BN_asc2bn(BIGNUM **outp, const char *in) {
+  const char *const orig_in = in;
+  if (*in == '-') {
+    in++;
+  }
+
+  if (in[0] == '0' && (in[1] == 'X' || in[1] == 'x')) {
+    if (!BN_hex2bn(outp, in+2)) {
+      return 0;
+    }
+  } else {
+    if (!BN_dec2bn(outp, in)) {
+      return 0;
+    }
+  }
+
+  if (*orig_in == '-' && !BN_is_zero(*outp)) {
+    (*outp)->neg = 1;
+  }
+
+  return 1;
+}
+
+int BN_print(BIO *bp, const BIGNUM *a) {
+  int i, j, v, z = 0;
+  int ret = 0;
+
+  if (a->neg && BIO_write(bp, "-", 1) != 1) {
+    goto end;
+  }
+
+  if (BN_is_zero(a) && BIO_write(bp, "0", 1) != 1) {
+    goto end;
+  }
+
+  for (i = a->top - 1; i >= 0; i--) {
+    for (j = BN_BITS2 - 4; j >= 0; j -= 4) {
+      // strip leading zeros
+      v = ((int)(a->d[i] >> (long)j)) & 0x0f;
+      if (z || v != 0) {
+        if (BIO_write(bp, &hextable[v], 1) != 1) {
+          goto end;
+        }
+        z = 1;
+      }
+    }
+  }
+  ret = 1;
+
+end:
+  return ret;
+}
+
+int BN_print_fp(FILE *fp, const BIGNUM *a) {
+  BIO *b;
+  int ret;
+
+  b = BIO_new(BIO_s_file());
+  if (b == NULL) {
+    return 0;
+  }
+  BIO_set_fp(b, fp, BIO_NOCLOSE);
+  ret = BN_print(b, a);
+  BIO_free(b);
+
+  return ret;
+}
+
+
+size_t BN_bn2mpi(const BIGNUM *in, uint8_t *out) {
+  const size_t bits = BN_num_bits(in);
+  const size_t bytes = (bits + 7) / 8;
+  // If the number of bits is a multiple of 8, i.e. if the MSB is set,
+  // prefix with a zero byte.
+  int extend = 0;
+  if (bytes != 0 && (bits & 0x07) == 0) {
+    extend = 1;
+  }
+
+  const size_t len = bytes + extend;
+  if (len < bytes ||
+      4 + len < len ||
+      (len & 0xffffffff) != len) {
+    // If we cannot represent the number then we emit zero as the interface
+    // doesn't allow an error to be signalled.
+    if (out) {
+      OPENSSL_memset(out, 0, 4);
+    }
+    return 4;
+  }
+
+  if (out == NULL) {
+    return 4 + len;
+  }
+
+  out[0] = len >> 24;
+  out[1] = len >> 16;
+  out[2] = len >> 8;
+  out[3] = len;
+  if (extend) {
+    out[4] = 0;
+  }
+  BN_bn2bin(in, out + 4 + extend);
+  if (in->neg && len > 0) {
+    out[4] |= 0x80;
+  }
+  return len + 4;
+}
+
+BIGNUM *BN_mpi2bn(const uint8_t *in, size_t len, BIGNUM *out) {
+  if (len < 4) {
+    OPENSSL_PUT_ERROR(BN, BN_R_BAD_ENCODING);
+    return NULL;
+  }
+  const size_t in_len = ((size_t)in[0] << 24) |
+                        ((size_t)in[1] << 16) |
+                        ((size_t)in[2] << 8) |
+                        ((size_t)in[3]);
+  if (in_len != len - 4) {
+    OPENSSL_PUT_ERROR(BN, BN_R_BAD_ENCODING);
+    return NULL;
+  }
+
+  int out_is_alloced = 0;
+  if (out == NULL) {
+    out = BN_new();
+    if (out == NULL) {
+      OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE);
+      return NULL;
+    }
+    out_is_alloced = 1;
+  }
+
+  if (in_len == 0) {
+    BN_zero(out);
+    return out;
+  }
+
+  in += 4;
+  if (BN_bin2bn(in, in_len, out) == NULL) {
+    if (out_is_alloced) {
+      BN_free(out);
+    }
+    return NULL;
+  }
+  out->neg = ((*in) & 0x80) != 0;
+  if (out->neg) {
+    BN_clear_bit(out, BN_num_bits(out) - 1);
+  }
+  return out;
+}
@@ -61,6 +61,8 @@
 #include <openssl/mem.h>
 #include <openssl/err.h>

+#include "../internal.h"
+

 BUF_MEM *BUF_MEM_new(void) {
  BUF_MEM *ret;
@@ -71,7 +73,7 @@ BUF_MEM *BUF_MEM_new(void) {
    return NULL;
  }

-  memset(ret, 0, sizeof(BUF_MEM));
+  OPENSSL_memset(ret, 0, sizeof(BUF_MEM));
  return ret;
 }

@@ -95,14 +97,14 @@ static int buf_mem_reserve(BUF_MEM *buf, size_t cap, int clean) {

  size_t n = cap + 3;
  if (n < cap) {
-    /* overflow */
+    // overflow
    OPENSSL_PUT_ERROR(BUF, ERR_R_MALLOC_FAILURE);
    return 0;
  }
  n = n / 3;
  size_t alloc_size = n * 4;
  if (alloc_size / 4 != n) {
-    /* overflow */
+    // overflow
    OPENSSL_PUT_ERROR(BUF, ERR_R_MALLOC_FAILURE);
    return 0;
  }
@@ -137,7 +139,7 @@ static size_t buf_mem_grow(BUF_MEM *buf, size_t len, int clean) {
    return 0;
  }
  if (buf->length < len) {
-    memset(&buf->data[buf->length], 0, len - buf->length);
+    OPENSSL_memset(&buf->data[buf->length], 0, len - buf->length);
  }
  buf->length = len;
  return len;
@@ -151,12 +153,12 @@ size_t BUF_MEM_grow_clean(BUF_MEM *buf, size_t len) {
  return buf_mem_grow(buf, len, 1 /* clear old buffer contents. */);
 }

-char *BUF_strdup(const char *buf) {
-  if (buf == NULL) {
+char *BUF_strdup(const char *str) {
+  if (str == NULL) {
    return NULL;
  }

-  return BUF_strndup(buf, strlen(buf));
+  return BUF_strndup(str, strlen(str));
 }

 size_t BUF_strnlen(const char *str, size_t max_len) {
@@ -171,19 +173,19 @@ size_t BUF_strnlen(const char *str, size_t max_len) {
  return i;
 }

-char *BUF_strndup(const char *buf, size_t size) {
+char *BUF_strndup(const char *str, size_t size) {
  char *ret;
  size_t alloc_size;

-  if (buf == NULL) {
+  if (str == NULL) {
    return NULL;
  }

-  size = BUF_strnlen(buf, size);
+  size = BUF_strnlen(str, size);

  alloc_size = size + 1;
  if (alloc_size < size) {
-    /* overflow */
+    // overflow
    OPENSSL_PUT_ERROR(BUF, ERR_R_MALLOC_FAILURE);
    return NULL;
  }
@@ -193,7 +195,7 @@ char *BUF_strndup(const char *buf, size_t size) {
    return NULL;
  }

-  memcpy(ret, buf, size);
+  OPENSSL_memcpy(ret, str, size);
  ret[size] = '\0';
  return ret;
 }
@@ -221,19 +223,17 @@ size_t BUF_strlcat(char *dst, const char *src, size_t dst_size) {
  return l + BUF_strlcpy(dst, src, dst_size);
 }

-void *BUF_memdup(const void *data, size_t dst_size) {
-  void *ret;
-
-  if (dst_size == 0) {
+void *BUF_memdup(const void *data, size_t size) {
+  if (size == 0) {
    return NULL;
  }

-  ret = OPENSSL_malloc(dst_size);
+  void *ret = OPENSSL_malloc(size);
  if (ret == NULL) {
    OPENSSL_PUT_ERROR(BUF, ERR_R_MALLOC_FAILURE);
    return NULL;
  }

-  memcpy(ret, data, dst_size);
+  OPENSSL_memcpy(ret, data, size);
  return ret;
 }
@@ -10,14 +10,3 @@ add_library(
  cbs.c
  cbb.c
 )
-
-add_executable(
-  bytestring_test
-
-  bytestring_test.cc
-
-  $<TARGET_OBJECTS:test_support>
-)
-
-target_link_libraries(bytestring_test crypto)
-add_dependencies(all_tests bytestring_test)
@@ -22,6 +22,7 @@
 #include <openssl/mem.h>

 #include "internal.h"
+#include "../internal.h"


 int CBB_finish_i2d(CBB *cbb, uint8_t **outp) {
@@ -42,7 +43,7 @@ int CBB_finish_i2d(CBB *cbb, uint8_t **outp) {
      *outp = der;
      der = NULL;
    } else {
-      memcpy(*outp, der, der_len);
+      OPENSSL_memcpy(*outp, der, der_len);
      *outp += der_len;
    }
  }
@@ -18,15 +18,16 @@
 #include <string.h>

 #include "internal.h"
+#include "../internal.h"


-/* kMaxDepth is a just a sanity limit. The code should be such that the length
- * of the input being processes always decreases. None the less, a very large
- * input could otherwise cause the stack to overflow. */
+// kMaxDepth is a just a sanity limit. The code should be such that the length
+// of the input being processes always decreases. None the less, a very large
+// input could otherwise cause the stack to overflow.
 static const unsigned kMaxDepth = 2048;

-/* is_string_type returns one if |tag| is a string type and zero otherwise. It
- * ignores the constructed bit. */
+// is_string_type returns one if |tag| is a string type and zero otherwise. It
+// ignores the constructed bit.
 static int is_string_type(unsigned tag) {
  if ((tag & 0xc0) != 0) {
    return 0;
@@ -37,7 +38,7 @@ static int is_string_type(unsigned tag) {
    case CBS_ASN1_UTF8STRING:
    case CBS_ASN1_NUMERICSTRING:
    case CBS_ASN1_PRINTABLESTRING:
-    case CBS_ASN1_T16STRING:
+    case CBS_ASN1_T61STRING:
    case CBS_ASN1_VIDEOTEXSTRING:
    case CBS_ASN1_IA5STRING:
    case CBS_ASN1_GRAPHICSTRING:
@@ -51,10 +52,10 @@ static int is_string_type(unsigned tag) {
  }
 }

-/* cbs_find_ber walks an ASN.1 structure in |orig_in| and sets |*ber_found|
- * depending on whether an indefinite length element or constructed string was
- * found. The value of |orig_in| is not changed. It returns one on success (i.e.
- * |*ber_found| was set) and zero on error. */
+// cbs_find_ber walks an ASN.1 structure in |orig_in| and sets |*ber_found|
+// depending on whether an indefinite length element or constructed string was
+// found. The value of |orig_in| is not changed. It returns one on success (i.e.
+// |*ber_found| was set) and zero on error.
 static int cbs_find_ber(const CBS *orig_in, char *ber_found, unsigned depth) {
  CBS in;

@@ -76,13 +77,13 @@ static int cbs_find_ber(const CBS *orig_in, char *ber_found, unsigned depth) {
    if (CBS_len(&contents) == header_len &&
        header_len > 0 &&
        CBS_data(&contents)[header_len-1] == 0x80) {
-      /* Found an indefinite-length element. */
+      // Found an indefinite-length element.
      *ber_found = 1;
      return 1;
    }
    if (tag & CBS_ASN1_CONSTRUCTED) {
      if (is_string_type(tag)) {
-        /* Constructed strings are only legal in BER and require conversion. */
+        // Constructed strings are only legal in BER and require conversion.
        *ber_found = 1;
        return 1;
      }
@@ -96,20 +97,20 @@ static int cbs_find_ber(const CBS *orig_in, char *ber_found, unsigned depth) {
  return 1;
 }

-/* is_eoc returns true if |header_len| and |contents|, as returned by
- * |CBS_get_any_ber_asn1_element|, indicate an "end of contents" (EOC) value. */
+// is_eoc returns true if |header_len| and |contents|, as returned by
+// |CBS_get_any_ber_asn1_element|, indicate an "end of contents" (EOC) value.
 static char is_eoc(size_t header_len, CBS *contents) {
  return header_len == 2 && CBS_len(contents) == 2 &&
-         memcmp(CBS_data(contents), "\x00\x00", 2) == 0;
+         OPENSSL_memcmp(CBS_data(contents), "\x00\x00", 2) == 0;
 }

-/* cbs_convert_ber reads BER data from |in| and writes DER data to |out|. If
- * |string_tag| is non-zero, then all elements must match |string_tag| up to the
- * constructed bit and primitive element bodies are written to |out| without
- * element headers. This is used when concatenating the fragments of a
- * constructed string. If |looking_for_eoc| is set then any EOC elements found
- * will cause the function to return after consuming it. It returns one on
- * success and zero on error. */
+// cbs_convert_ber reads BER data from |in| and writes DER data to |out|. If
+// |string_tag| is non-zero, then all elements must match |string_tag| up to the
+// constructed bit and primitive element bodies are written to |out| without
+// element headers. This is used when concatenating the fragments of a
+// constructed string. If |looking_for_eoc| is set then any EOC elements found
+// will cause the function to return after consuming it. It returns one on
+// success and zero on error.
 static int cbs_convert_ber(CBS *in, CBB *out, unsigned string_tag,
                           char looking_for_eoc, unsigned depth) {
  assert(!(string_tag & CBS_ASN1_CONSTRUCTED));
@@ -133,9 +134,9 @@ static int cbs_convert_ber(CBS *in, CBB *out, unsigned string_tag,
    }

    if (string_tag != 0) {
-      /* This is part of a constructed string. All elements must match
-       * |string_tag| up to the constructed bit and get appended to |out|
-       * without a child element. */
+      // This is part of a constructed string. All elements must match
+      // |string_tag| up to the constructed bit and get appended to |out|
+      // without a child element.
      if ((tag & ~CBS_ASN1_CONSTRUCTED) != string_tag) {
        return 0;
      }
@@ -143,8 +144,8 @@ static int cbs_convert_ber(CBS *in, CBB *out, unsigned string_tag,
    } else {
      unsigned out_tag = tag;
      if ((tag & CBS_ASN1_CONSTRUCTED) && is_string_type(tag)) {
-        /* If a constructed string, clear the constructed bit and inform
-         * children to concatenate bodies. */
+        // If a constructed string, clear the constructed bit and inform
+        // children to concatenate bodies.
        out_tag &= ~CBS_ASN1_CONSTRUCTED;
        child_string_tag = out_tag;
      }
@@ -156,7 +157,7 @@ static int cbs_convert_ber(CBS *in, CBB *out, unsigned string_tag,

    if (CBS_len(&contents) == header_len && header_len > 0 &&
        CBS_data(&contents)[header_len - 1] == 0x80) {
-      /* This is an indefinite length element. */
+      // This is an indefinite length element.
      if (!cbs_convert_ber(in, out_contents, child_string_tag,
                           1 /* looking for eoc */, depth + 1) ||
          !CBB_flush(out)) {
@@ -170,13 +171,13 @@ static int cbs_convert_ber(CBS *in, CBB *out, unsigned string_tag,
    }

    if (tag & CBS_ASN1_CONSTRUCTED) {
-      /* Recurse into children. */
+      // Recurse into children.
      if (!cbs_convert_ber(&contents, out_contents, child_string_tag,
                           0 /* not looking for eoc */, depth + 1)) {
        return 0;
      }
    } else {
-      /* Copy primitive contents as-is. */
+      // Copy primitive contents as-is.
      if (!CBB_add_bytes(out_contents, CBS_data(&contents),
                         CBS_len(&contents))) {
        return 0;
@@ -194,8 +195,8 @@ static int cbs_convert_ber(CBS *in, CBB *out, unsigned string_tag,
 int CBS_asn1_ber_to_der(CBS *in, uint8_t **out, size_t *out_len) {
  CBB cbb;

-  /* First, do a quick walk to find any indefinite-length elements. Most of the
-   * time we hope that there aren't any and thus we can quickly return. */
+  // First, do a quick walk to find any indefinite-length elements. Most of the
+  // time we hope that there aren't any and thus we can quickly return.
  char conversion_needed;
  if (!cbs_find_ber(in, &conversion_needed, 0)) {
    return 0;
@@ -224,14 +225,14 @@ int CBS_get_asn1_implicit_string(CBS *in, CBS *out, uint8_t **out_storage,
  assert(is_string_type(inner_tag));

  if (CBS_peek_asn1_tag(in, outer_tag)) {
-    /* Normal implicitly-tagged string. */
+    // Normal implicitly-tagged string.
    *out_storage = NULL;
    return CBS_get_asn1(in, out, outer_tag);
  }

-  /* Otherwise, try to parse an implicitly-tagged constructed string.
-   * |CBS_asn1_ber_to_der| is assumed to have run, so only allow one level deep
-   * of nesting. */
+  // Otherwise, try to parse an implicitly-tagged constructed string.
+  // |CBS_asn1_ber_to_der| is assumed to have run, so only allow one level deep
+  // of nesting.
  CBB result;
  CBS child;
  if (!CBB_init(&result, CBS_len(in)) ||
@@ -19,13 +19,15 @@

 #include <openssl/mem.h>

+#include "../internal.h"
+

 void CBB_zero(CBB *cbb) {
-  memset(cbb, 0, sizeof(CBB));
+  OPENSSL_memset(cbb, 0, sizeof(CBB));
 }

 static int cbb_init(CBB *cbb, uint8_t *buf, size_t cap) {
-  /* This assumes that |cbb| has already been zeroed. */
+  // This assumes that |cbb| has already been zeroed.
  struct cbb_buffer_st *base;

  base = OPENSSL_malloc(sizeof(struct cbb_buffer_st));
@@ -73,8 +75,8 @@ int CBB_init_fixed(CBB *cbb, uint8_t *buf, size_t len) {

 void CBB_cleanup(CBB *cbb) {
  if (cbb->base) {
-    /* Only top-level |CBB|s are cleaned up. Child |CBB|s are non-owning. They
-     * are implicitly discarded when the parent is flushed or cleaned up. */
+    // Only top-level |CBB|s are cleaned up. Child |CBB|s are non-owning. They
+    // are implicitly discarded when the parent is flushed or cleaned up.
    assert(cbb->is_top_level);

    if (cbb->base->can_resize) {
@@ -95,7 +97,7 @@ static int cbb_buffer_reserve(struct cbb_buffer_st *base, uint8_t **out,

  newlen = base->len + len;
  if (newlen < base->len) {
-    /* Overflow */
+    // Overflow
    goto err;
  }

@@ -135,7 +137,7 @@ static int cbb_buffer_add(struct cbb_buffer_st *base, uint8_t **out,
  if (!cbb_buffer_reserve(base, out, len)) {
    return 0;
  }
-  /* This will not overflow or |cbb_buffer_reserve| would have failed. */
+  // This will not overflow or |cbb_buffer_reserve| would have failed.
  base->len += len;
  return 1;
 }
@@ -174,7 +176,7 @@ int CBB_finish(CBB *cbb, uint8_t **out_data, size_t *out_len) {
  }

  if (cbb->base->can_resize && (out_data == NULL || out_len == NULL)) {
-    /* |out_data| and |out_len| can only be NULL if the CBB is fixed. */
+    // |out_data| and |out_len| can only be NULL if the CBB is fixed.
    return 0;
  }

@@ -189,15 +191,15 @@ int CBB_finish(CBB *cbb, uint8_t **out_data, size_t *out_len) {
  return 1;
 }

-/* CBB_flush recurses and then writes out any pending length prefix. The
- * current length of the underlying base is taken to be the length of the
- * length-prefixed data. */
+// CBB_flush recurses and then writes out any pending length prefix. The
+// current length of the underlying base is taken to be the length of the
+// length-prefixed data.
 int CBB_flush(CBB *cbb) {
  size_t child_start, i, len;

-  /* If |cbb->base| has hit an error, the buffer is in an undefined state, so
-   * fail all following calls. In particular, |cbb->child| may point to invalid
-   * memory. */
+  // If |cbb->base| has hit an error, the buffer is in an undefined state, so
+  // fail all following calls. In particular, |cbb->child| may point to invalid
+  // memory.
  if (cbb->base == NULL || cbb->base->error) {
    return 0;
  }
@@ -217,16 +219,16 @@ int CBB_flush(CBB *cbb) {
  len = cbb->base->len - child_start;

  if (cbb->child->pending_is_asn1) {
-    /* For ASN.1 we assume that we'll only need a single byte for the length.
-     * If that turned out to be incorrect, we have to move the contents along
-     * in order to make space. */
+    // For ASN.1 we assume that we'll only need a single byte for the length.
+    // If that turned out to be incorrect, we have to move the contents along
+    // in order to make space.
    uint8_t len_len;
    uint8_t initial_length_byte;

    assert (cbb->child->pending_len_len == 1);

    if (len > 0xfffffffe) {
-      /* Too large. */
+      // Too large.
      goto err;
    } else if (len > 0xffffff) {
      len_len = 5;
@@ -247,13 +249,13 @@ int CBB_flush(CBB *cbb) {
    }

    if (len_len != 1) {
-      /* We need to move the contents along in order to make space. */
+      // We need to move the contents along in order to make space.
      size_t extra_bytes = len_len - 1;
      if (!cbb_buffer_add(cbb->base, NULL, extra_bytes)) {
        goto err;
      }
-      memmove(cbb->base->buf + child_start + extra_bytes,
-              cbb->base->buf + child_start, len);
+      OPENSSL_memmove(cbb->base->buf + child_start + extra_bytes,
+                      cbb->base->buf + child_start, len);
    }
    cbb->base->buf[cbb->child->offset++] = initial_length_byte;
    cbb->child->pending_len_len = len_len - 1;
@@ -303,8 +305,8 @@ static int cbb_add_length_prefixed(CBB *cbb, CBB *out_contents,
    return 0;
  }

-  memset(prefix_bytes, 0, len_len);
-  memset(out_contents, 0, sizeof(CBB));
+  OPENSSL_memset(prefix_bytes, 0, len_len);
+  OPENSSL_memset(out_contents, 0, sizeof(CBB));
  out_contents->base = cbb->base;
  cbb->child = out_contents;
  cbb->child->offset = offset;
@@ -329,14 +331,14 @@ int CBB_add_u24_length_prefixed(CBB *cbb, CBB *out_contents) {
 int CBB_add_asn1(CBB *cbb, CBB *out_contents, unsigned tag) {
  if (tag > 0xff ||
      (tag & 0x1f) == 0x1f) {
-    /* Long form identifier octets are not supported. Further, all current valid
-     * tag serializations are 8 bits. */
+    // Long form identifier octets are not supported. Further, all current valid
+    // tag serializations are 8 bits.
    cbb->base->error = 1;
    return 0;
  }

  if (!CBB_flush(cbb) ||
-      /* |tag|'s representation matches the DER encoding. */
+      // |tag|'s representation matches the DER encoding.
      !CBB_add_u8(cbb, (uint8_t)tag)) {
    return 0;
  }
@@ -346,7 +348,7 @@ int CBB_add_asn1(CBB *cbb, CBB *out_contents, unsigned tag) {
    return 0;
  }

-  memset(out_contents, 0, sizeof(CBB));
+  OPENSSL_memset(out_contents, 0, sizeof(CBB));
  out_contents->base = cbb->base;
  cbb->child = out_contents;
  cbb->child->offset = offset;
@@ -363,7 +365,7 @@ int CBB_add_bytes(CBB *cbb, const uint8_t *data, size_t len) {
      !cbb_buffer_add(cbb->base, &dest, len)) {
    return 0;
  }
-  memcpy(dest, data, len);
+  OPENSSL_memcpy(dest, data, len);
  return 1;
 }

@@ -449,11 +451,11 @@ int CBB_add_asn1_uint64(CBB *cbb, uint64_t value) {
    uint8_t byte = (value >> 8*(7-i)) & 0xff;
    if (!started) {
      if (byte == 0) {
-        /* Don't encode leading zeros. */
+        // Don't encode leading zeros.
        continue;
      }
-      /* If the high bit is set, add a padding byte to make it
-       * unsigned. */
+      // If the high bit is set, add a padding byte to make it
+      // unsigned.
      if ((byte & 0x80) && !CBB_add_u8(&child, 0)) {
        return 0;
      }
@@ -464,7 +466,7 @@ int CBB_add_asn1_uint64(CBB *cbb, uint64_t value) {
    }
  }

-  /* 0 is encoded as a single 0, not the empty string. */
+  // 0 is encoded as a single 0, not the empty string.
  if (!started && !CBB_add_u8(&child, 0)) {
    return 0;
  }
@@ -20,6 +20,7 @@
 #include <string.h>

 #include "internal.h"
+#include "../internal.h"


 void CBS_init(CBS *cbs, const uint8_t *data, size_t len) {
@@ -76,7 +77,7 @@ int CBS_strdup(const CBS *cbs, char **out_ptr) {
 }

 int CBS_contains_zero_byte(const CBS *cbs) {
-  return memchr(cbs->data, 0, cbs->len) != NULL;
+  return OPENSSL_memchr(cbs->data, 0, cbs->len) != NULL;
 }

 int CBS_mem_equal(const CBS *cbs, const uint8_t *data, size_t len) {
@@ -150,7 +151,7 @@ int CBS_copy_bytes(CBS *cbs, uint8_t *out, size_t len) {
  if (!cbs_get(cbs, &v, len)) {
    return 0;
  }
-  memcpy(out, v, len);
+  OPENSSL_memcpy(out, v, len);
  return 1;
 }

@@ -189,13 +190,13 @@ static int cbs_get_any_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag,
    return 0;
  }

-  /* ITU-T X.690 section 8.1.2.3 specifies the format for identifiers with a tag
-   * number no greater than 30.
-   *
-   * If the number portion is 31 (0x1f, the largest value that fits in the
-   * allotted bits), then the tag is more than one byte long and the
-   * continuation bytes contain the tag number. This parser only supports tag
-   * numbers less than 31 (and thus single-byte tags). */
+  // ITU-T X.690 section 8.1.2.3 specifies the format for identifiers with a tag
+  // number no greater than 30.
+  //
+  // If the number portion is 31 (0x1f, the largest value that fits in the
+  // allotted bits), then the tag is more than one byte long and the
+  // continuation bytes contain the tag number. This parser only supports tag
+  // numbers less than 31 (and thus single-byte tags).
  if ((tag & 0x1f) == 0x1f) {
    return 0;
  }
@@ -205,52 +206,51 @@ static int cbs_get_any_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag,
  }

  size_t len;
-  /* The format for the length encoding is specified in ITU-T X.690 section
-   * 8.1.3. */
+  // The format for the length encoding is specified in ITU-T X.690 section
+  // 8.1.3.
  if ((length_byte & 0x80) == 0) {
-    /* Short form length. */
+    // Short form length.
    len = ((size_t) length_byte) + 2;
    if (out_header_len != NULL) {
      *out_header_len = 2;
    }
  } else {
-    /* The high bit indicate that this is the long form, while the next 7 bits
-     * encode the number of subsequent octets used to encode the length (ITU-T
-     * X.690 clause 8.1.3.5.b). */
+    // The high bit indicate that this is the long form, while the next 7 bits
+    // encode the number of subsequent octets used to encode the length (ITU-T
+    // X.690 clause 8.1.3.5.b).
    const size_t num_bytes = length_byte & 0x7f;
    uint32_t len32;

    if (ber_ok && (tag & CBS_ASN1_CONSTRUCTED) != 0 && num_bytes == 0) {
-      /* indefinite length */
+      // indefinite length
      if (out_header_len != NULL) {
        *out_header_len = 2;
      }
      return CBS_get_bytes(cbs, out, 2);
    }

-    /* ITU-T X.690 clause 8.1.3.5.c specifies that the value 0xff shall not be
-     * used as the first byte of the length. If this parser encounters that
-     * value, num_bytes will be parsed as 127, which will fail the check below.
-     */
+    // ITU-T X.690 clause 8.1.3.5.c specifies that the value 0xff shall not be
+    // used as the first byte of the length. If this parser encounters that
+    // value, num_bytes will be parsed as 127, which will fail the check below.
    if (num_bytes == 0 || num_bytes > 4) {
      return 0;
    }
    if (!cbs_get_u(&header, &len32, num_bytes)) {
      return 0;
    }
-    /* ITU-T X.690 section 10.1 (DER length forms) requires encoding the length
-     * with the minimum number of octets. */
+    // ITU-T X.690 section 10.1 (DER length forms) requires encoding the length
+    // with the minimum number of octets.
    if (len32 < 128) {
-      /* Length should have used short-form encoding. */
+      // Length should have used short-form encoding.
      return 0;
    }
    if ((len32 >> ((num_bytes-1)*8)) == 0) {
-      /* Length should have been at least one byte shorter. */
+      // Length should have been at least one byte shorter.
      return 0;
    }
    len = len32;
    if (len + 2 + num_bytes < len) {
-      /* Overflow. */
+      // Overflow.
      return 0;
    }
    len += 2 + num_bytes;
@@ -262,6 +262,20 @@ static int cbs_get_any_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag,
  return CBS_get_bytes(cbs, out, len);
 }

+int CBS_get_any_asn1(CBS *cbs, CBS *out, unsigned *out_tag) {
+  size_t header_len;
+  if (!CBS_get_any_asn1_element(cbs, out, out_tag, &header_len)) {
+    return 0;
+  }
+
+  if (!CBS_skip(out, header_len)) {
+    assert(0);
+    return 0;
+  }
+
+  return 1;
+}
+
 int CBS_get_any_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag,
                                    size_t *out_header_len) {
  return cbs_get_any_asn1_element(cbs, out, out_tag, out_header_len,
@@ -314,35 +328,32 @@ int CBS_peek_asn1_tag(const CBS *cbs, unsigned tag_value) {

 int CBS_get_asn1_uint64(CBS *cbs, uint64_t *out) {
  CBS bytes;
-  const uint8_t *data;
-  size_t i, len;
-
  if (!CBS_get_asn1(cbs, &bytes, CBS_ASN1_INTEGER)) {
    return 0;
  }

  *out = 0;
-  data = CBS_data(&bytes);
-  len = CBS_len(&bytes);
+  const uint8_t *data = CBS_data(&bytes);
+  size_t len = CBS_len(&bytes);

  if (len == 0) {
-    /* An INTEGER is encoded with at least one octet. */
+    // An INTEGER is encoded with at least one octet.
    return 0;
  }

  if ((data[0] & 0x80) != 0) {
-    /* Negative number. */
+    // Negative number.
    return 0;
  }

  if (data[0] == 0 && len > 1 && (data[1] & 0x80) == 0) {
-    /* Extra leading zeros. */
+    // Extra leading zeros.
    return 0;
  }

-  for (i = 0; i < len; i++) {
+  for (size_t i = 0; i < len; i++) {
    if ((*out >> 56) != 0) {
-      /* Too large to represent as a uint64_t. */
+      // Too large to represent as a uint64_t.
      return 0;
    }
    *out <<= 8;
@@ -437,3 +448,40 @@ int CBS_get_optional_asn1_bool(CBS *cbs, int *out, unsigned tag,
  }
  return 1;
 }
+
+int CBS_is_valid_asn1_bitstring(const CBS *cbs) {
+  CBS in = *cbs;
+  uint8_t num_unused_bits;
+  if (!CBS_get_u8(&in, &num_unused_bits) ||
+      num_unused_bits > 7) {
+    return 0;
+  }
+
+  if (num_unused_bits == 0) {
+    return 1;
+  }
+
+  // All num_unused_bits bits must exist and be zeros.
+  uint8_t last;
+  if (!CBS_get_last_u8(&in, &last) ||
+      (last & ((1 << num_unused_bits) - 1)) != 0) {
+    return 0;
+  }
+
+  return 1;
+}
+
+int CBS_asn1_bitstring_has_bit(const CBS *cbs, unsigned bit) {
+  if (!CBS_is_valid_asn1_bitstring(cbs)) {
+    return 0;
+  }
+
+  const unsigned byte_num = (bit >> 3) + 1;
+  const unsigned bit_num = 7 - (bit & 7);
+
+  // Unused bits are zero, and this function does not distinguish between
+  // missing and unset bits. Thus it is sufficient to do a byte-level length
+  // check.
+  return byte_num < CBS_len(cbs) &&
+         (CBS_data(cbs)[byte_num] & (1 << bit_num)) != 0;
+}
@@ -22,54 +22,54 @@ extern "C" {
 #endif


-/* CBS_asn1_ber_to_der reads a BER element from |in|. If it finds
- * indefinite-length elements or constructed strings then it converts the BER
- * data to DER and sets |*out| and |*out_length| to describe a malloced buffer
- * containing the DER data. Additionally, |*in| will be advanced over the BER
- * element.
- *
- * If it doesn't find any indefinite-length elements or constructed strings then
- * it sets |*out| to NULL and |*in| is unmodified.
- *
- * This function should successfully process any valid BER input, however it
- * will not convert all of BER's deviations from DER. BER is ambiguous between
- * implicitly-tagged SEQUENCEs of strings and implicitly-tagged constructed
- * strings. Implicitly-tagged strings must be parsed with
- * |CBS_get_ber_implicitly_tagged_string| instead of |CBS_get_asn1|. The caller
- * must also account for BER variations in the contents of a primitive.
- *
- * It returns one on success and zero otherwise. */
+// CBS_asn1_ber_to_der reads a BER element from |in|. If it finds
+// indefinite-length elements or constructed strings then it converts the BER
+// data to DER and sets |*out| and |*out_length| to describe a malloced buffer
+// containing the DER data. Additionally, |*in| will be advanced over the BER
+// element.
+//
+// If it doesn't find any indefinite-length elements or constructed strings then
+// it sets |*out| to NULL and |*in| is unmodified.
+//
+// This function should successfully process any valid BER input, however it
+// will not convert all of BER's deviations from DER. BER is ambiguous between
+// implicitly-tagged SEQUENCEs of strings and implicitly-tagged constructed
+// strings. Implicitly-tagged strings must be parsed with
+// |CBS_get_ber_implicitly_tagged_string| instead of |CBS_get_asn1|. The caller
+// must also account for BER variations in the contents of a primitive.
+//
+// It returns one on success and zero otherwise.
 OPENSSL_EXPORT int CBS_asn1_ber_to_der(CBS *in, uint8_t **out, size_t *out_len);

-/* CBS_get_asn1_implicit_string parses a BER string of primitive type
- * |inner_tag| implicitly-tagged with |outer_tag|. It sets |out| to the
- * contents. If concatenation was needed, it sets |*out_storage| to a buffer
- * which the caller must release with |OPENSSL_free|. Otherwise, it sets
- * |*out_storage| to NULL.
- *
- * This function does not parse all of BER. It requires the string be
- * definite-length. Constructed strings are allowed, but all children of the
- * outermost element must be primitive. The caller should use
- * |CBS_asn1_ber_to_der| before running this function.
- *
- * It returns one on success and zero otherwise. */
+// CBS_get_asn1_implicit_string parses a BER string of primitive type
+// |inner_tag| implicitly-tagged with |outer_tag|. It sets |out| to the
+// contents. If concatenation was needed, it sets |*out_storage| to a buffer
+// which the caller must release with |OPENSSL_free|. Otherwise, it sets
+// |*out_storage| to NULL.
+//
+// This function does not parse all of BER. It requires the string be
+// definite-length. Constructed strings are allowed, but all children of the
+// outermost element must be primitive. The caller should use
+// |CBS_asn1_ber_to_der| before running this function.
+//
+// It returns one on success and zero otherwise.
 OPENSSL_EXPORT int CBS_get_asn1_implicit_string(CBS *in, CBS *out,
                                                uint8_t **out_storage,
                                                unsigned outer_tag,
                                                unsigned inner_tag);

-/* CBB_finish_i2d calls |CBB_finish| on |cbb| which must have been initialized
- * with |CBB_init|. If |outp| is not NULL then the result is written to |*outp|
- * and |*outp| is advanced just past the output. It returns the number of bytes
- * in the result, whether written or not, or a negative value on error. On
- * error, it calls |CBB_cleanup| on |cbb|.
- *
- * This function may be used to help implement legacy i2d ASN.1 functions. */
+// CBB_finish_i2d calls |CBB_finish| on |cbb| which must have been initialized
+// with |CBB_init|. If |outp| is not NULL then the result is written to |*outp|
+// and |*outp| is advanced just past the output. It returns the number of bytes
+// in the result, whether written or not, or a negative value on error. On
+// error, it calls |CBB_cleanup| on |cbb|.
+//
+// This function may be used to help implement legacy i2d ASN.1 functions.
 int CBB_finish_i2d(CBB *cbb, uint8_t **outp);


 #if defined(__cplusplus)
-}  /* extern C */
+}  // extern C
 #endif

-#endif  /* OPENSSL_HEADER_BYTESTRING_INTERNAL_H */
+#endif  // OPENSSL_HEADER_BYTESTRING_INTERNAL_H
@@ -42,17 +42,7 @@ add_library(
  ${CHACHA_ARCH_SOURCES}
 )

-add_executable(
-  chacha_test
-
-  chacha_test.cc
-  $<TARGET_OBJECTS:test_support>
-)
-
-target_link_libraries(chacha_test crypto)
-add_dependencies(all_tests chacha_test)
-
 perlasm(chacha-armv4.${ASM_EXT} asm/chacha-armv4.pl)
 perlasm(chacha-armv8.${ASM_EXT} asm/chacha-armv8.pl)
 perlasm(chacha-x86.${ASM_EXT} asm/chacha-x86.pl)
-perlasm(chacha-x86_64.${ASM_EXT} asm/chacha-x86_64.pl)
+perlasm(chacha-x86_64.${ASM_EXT} asm/chacha-x86_64.pl)
@@ -1,4 +1,11 @@
-#!/usr/bin/env perl
+#! /usr/bin/env perl
+# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
 #
 # ====================================================================
 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
@@ -8,7 +15,7 @@
 # ====================================================================
 #
 # December 2014
-# 
+#
 # ChaCha20 for ARMv4.
 #
 # Performance in cycles per byte out of large buffer.
@@ -165,8 +172,10 @@ $code.=<<___;
 #include <openssl/arm_arch.h>

 .text
-#if defined(__thumb2__)
+#if defined(__thumb2__) || defined(__clang__)
 .syntax	unified
+#endif
+#if defined(__thumb2__)
 .thumb
 #else
 .code	32
@@ -713,7 +722,7 @@ ChaCha20_neon:
 	vadd.i32	$d2,$d1,$t0		@ counter+2
 	str		@t[3], [sp,#4*(16+15)]
 	mov		@t[3],#10
-	add		@x[12],@x[12],#3	@ counter+3 
+	add		@x[12],@x[12],#3	@ counter+3
 	b		.Loop_neon

 .align	4
@@ -1127,7 +1136,7 @@ $code.=<<___;
 	ldrb		@t[1],[r12],#1		@ read input
 	subs		@t[3],@t[3],#1
 	eor		@t[0],@t[0],@t[1]
-	strb		@t[0],[r14],#1		@ store ouput
+	strb		@t[0],[r14],#1		@ store output
 	bne		.Loop_tail_neon

 .Ldone_neon:
@@ -1,4 +1,11 @@
-#!/usr/bin/env perl
+#! /usr/bin/env perl
+# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
 #
 # ====================================================================
 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
@@ -8,7 +15,7 @@
 # ====================================================================
 #
 # June 2015
-# 
+#
 # ChaCha20 for ARMv8.
 #
 # Performance in cycles per byte out of large buffer.
@@ -20,6 +27,7 @@
 # Cortex-A57		8.06/+43%       4.90            4.43(**)
 # Denver		4.50/+82%       2.63		2.67(*)
 # X-Gene		9.50/+46%       8.82		8.89(*)
+# Mongoose		8.00/+44%	3.64		3.25
 #
 # (*)	it's expected that doubling interleave factor doesn't help
 #	all processors, only those with higher NEON latency and
@@ -193,7 +201,7 @@ ChaCha20_ctr32:
 	mov	$ctr,#10
 	subs	$len,$len,#64
 .Loop:
-	sub	$ctr,$ctr,#1	
+	sub	$ctr,$ctr,#1
 ___
 	foreach (&ROUND(0, 4, 8,12)) { eval; }
 	foreach (&ROUND(0, 5,10,15)) { eval; }
@@ -21,7 +21,9 @@
 # Westmere	9.50/+45%	3.35
 # Sandy Bridge	10.5/+47%	3.20
 # Haswell	8.15/+50%	2.83
+# Skylake	7.53/+22%	2.75
 # Silvermont	17.4/+36%	8.35
+# Goldmont	13.4/+40%	4.36
 # Sledgehammer	10.2/+54%
 # Bulldozer	13.4/+50%	4.38(*)
 #
@@ -36,12 +38,10 @@ require "x86asm.pl";
 $output=pop;
 open STDOUT,">$output";

-&asm_init($ARGV[0],"chacha-x86.pl",$ARGV[$#ARGV] eq "386");
+&asm_init($ARGV[0],$ARGV[$#ARGV] eq "386");

-$xmm=$ymm=0;
-for (@ARGV) { $xmm=1 if (/-DOPENSSL_IA32_SSE2/); }
-
-$ymm=$xmm;
+$xmm=$ymm=1;
+$gasver=999;  # enable everything

 $a="eax";
 ($b,$b_)=("ebx","ebp");
@@ -438,6 +438,12 @@ my ($ap,$bp,$cp,$dp)=map(($_&~3)+(($_-1)&3),($ai,$bi,$ci,$di));	# previous
 				    &label("pic_point"),"eax"));
 	&movdqu		("xmm3",&QWP(0,"ebx"));		# counter and nonce

+if (defined($gasver) && $gasver>=2.17) {		# even though we encode
+							# pshufb manually, we
+							# handle only register
+							# operands, while this
+							# segment uses memory
+							# operand...
 	&cmp		($len,64*4);
 	&jb		(&label("1x"));

@@ -619,6 +625,7 @@ my ($ap,$bp,$cp,$dp)=map(($_&~3)+(($_-1)&3),($ai,$bi,$ci,$di));	# previous
 	&paddd		("xmm2",&QWP(16*6,"eax"));	# +four
 	&pand		("xmm3",&QWP(16*7,"eax"));
 	&por		("xmm3","xmm2");		# counter value
+}
 {
 my ($a,$b,$c,$d,$t,$t1,$rot16,$rot24)=map("xmm$_",(0..7));

@@ -12,7 +12,7 @@
 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

-/* Adapted from the public domain, estream code by D. Bernstein. */
+// Adapted from the public domain, estream code by D. Bernstein.

 #include <openssl/chacha.h>

@@ -32,7 +32,7 @@
    (defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \
     defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64))

-/* ChaCha20_ctr32 is defined in asm/chacha-*.pl. */
+// ChaCha20_ctr32 is defined in asm/chacha-*.pl.
 void ChaCha20_ctr32(uint8_t *out, const uint8_t *in, size_t in_len,
                    const uint32_t key[8], const uint32_t counter[4]);

@@ -48,7 +48,7 @@ void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in, size_t in_len,

  const uint32_t *key_ptr = (const uint32_t *)key;
 #if !defined(OPENSSL_X86) && !defined(OPENSSL_X86_64)
-  /* The assembly expects the key to be four-byte aligned. */
+  // The assembly expects the key to be four-byte aligned.
  uint32_t key_u32[8];
  if ((((uintptr_t)key) & 3) != 0) {
    key_u32[0] = U8TO32_LITTLE(key + 0);
@@ -69,7 +69,7 @@ void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in, size_t in_len,

 #else

-/* sigma contains the ChaCha constants, which happen to be an ASCII string. */
+// sigma contains the ChaCha constants, which happen to be an ASCII string.
 static const uint8_t sigma[16] = { 'e', 'x', 'p', 'a', 'n', 'd', ' ', '3',
                                   '2', '-', 'b', 'y', 't', 'e', ' ', 'k' };

@@ -83,20 +83,20 @@ static const uint8_t sigma[16] = { 'e', 'x', 'p', 'a', 'n', 'd', ' ', '3',
    (p)[3] = (v >> 24) & 0xff; \
  }

-/* QUARTERROUND updates a, b, c, d with a ChaCha "quarter" round. */
+// QUARTERROUND updates a, b, c, d with a ChaCha "quarter" round.
 #define QUARTERROUND(a, b, c, d)                \
  x[a] += x[b]; x[d] = ROTATE(x[d] ^ x[a], 16); \
  x[c] += x[d]; x[b] = ROTATE(x[b] ^ x[c], 12); \
  x[a] += x[b]; x[d] = ROTATE(x[d] ^ x[a],  8); \
  x[c] += x[d]; x[b] = ROTATE(x[b] ^ x[c],  7);

-/* chacha_core performs 20 rounds of ChaCha on the input words in
- * |input| and writes the 64 output bytes to |output|. */
+// chacha_core performs 20 rounds of ChaCha on the input words in
+// |input| and writes the 64 output bytes to |output|.
 static void chacha_core(uint8_t output[64], const uint32_t input[16]) {
  uint32_t x[16];
  int i;

-  memcpy(x, input, sizeof(uint32_t) * 16);
+  OPENSSL_memcpy(x, input, sizeof(uint32_t) * 16);
  for (i = 20; i > 0; i -= 2) {
    QUARTERROUND(0, 4, 8, 12)
    QUARTERROUND(1, 5, 9, 13)
@@ -18,9 +18,14 @@

 #include <memory>

+#include <gtest/gtest.h>
+
 #include <openssl/crypto.h>
 #include <openssl/chacha.h>

+#include "../internal.h"
+#include "../test/test_util.h"
+

 static const uint8_t kKey[32] = {
    0x98, 0xbe, 0xf1, 0x46, 0x9b, 0xe7, 0x26, 0x98, 0x37, 0xa4, 0x5b,
@@ -214,35 +219,18 @@ static const uint8_t kOutput[] = {
 static_assert(sizeof(kInput) == sizeof(kOutput),
              "Input and output lengths don't match.");

-static bool TestChaCha20(size_t len) {
-  std::unique_ptr<uint8_t[]> buf(new uint8_t[len]);
-  CRYPTO_chacha_20(buf.get(), kInput, len, kKey, kNonce, kCounter);
-  if (memcmp(buf.get(), kOutput, len) != 0) {
-    fprintf(stderr, "Mismatch at length %zu.\n", len);
-    return false;
-  }
-
-  // Test in-place.
-  memcpy(buf.get(), kInput, len);
-  CRYPTO_chacha_20(buf.get(), buf.get(), len, kKey, kNonce, kCounter);
-  if (memcmp(buf.get(), kOutput, len) != 0) {
-    fprintf(stderr, "Mismatch at length %zu, in-place.\n", len);
-    return false;
-  }
-
-  return true;
-}
-
-int main(int argc, char **argv) {
-  CRYPTO_library_init();
-
+TEST(ChaChaTest, TestVector) {
  // Run the test with the test vector at all lengths.
  for (size_t len = 0; len <= sizeof(kInput); len++) {
-    if (!TestChaCha20(len)) {
-      return 1;
-    }
-  }
+    SCOPED_TRACE(len);

-  printf("PASS\n");
-  return 0;
+    std::unique_ptr<uint8_t[]> buf(new uint8_t[len]);
+    CRYPTO_chacha_20(buf.get(), kInput, len, kKey, kNonce, kCounter);
+    EXPECT_EQ(Bytes(kOutput, len), Bytes(buf.get(), len));
+
+    // Test the in-place version.
+    OPENSSL_memcpy(buf.get(), kInput, len);
+    CRYPTO_chacha_20(buf.get(), buf.get(), len, kKey, kNonce, kCounter);
+    EXPECT_EQ(Bytes(kOutput, len), Bytes(buf.get(), len));
+  }
 }
@@ -1,40 +0,0 @@
-include_directories(../../include)
-
-add_library(
-  cipher
-
-  OBJECT
-
-  cipher.c
-  derive_key.c
-  aead.c
-
-  e_null.c
-  e_rc2.c
-  e_rc4.c
-  e_des.c
-  e_aes.c
-  e_chacha20poly1305.c
-
-  tls_cbc.c
-  e_tls.c
-  e_ssl3.c
-)
-
-add_executable(
-  cipher_test
-
-  cipher_test.cc
-  $<TARGET_OBJECTS:test_support>
-)
-
-add_executable(
-  aead_test
-
-  aead_test.cc
-  $<TARGET_OBJECTS:test_support>
-)
-
-target_link_libraries(cipher_test crypto)
-target_link_libraries(aead_test crypto)
-add_dependencies(all_tests cipher_test aead_test)
@@ -1,156 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/aead.h>
-
-#include <string.h>
-
-#include <openssl/cipher.h>
-#include <openssl/err.h>
-
-#include "internal.h"
-#include "../internal.h"
-
-
-size_t EVP_AEAD_key_length(const EVP_AEAD *aead) { return aead->key_len; }
-
-size_t EVP_AEAD_nonce_length(const EVP_AEAD *aead) { return aead->nonce_len; }
-
-size_t EVP_AEAD_max_overhead(const EVP_AEAD *aead) { return aead->overhead; }
-
-size_t EVP_AEAD_max_tag_len(const EVP_AEAD *aead) { return aead->max_tag_len; }
-
-void EVP_AEAD_CTX_zero(EVP_AEAD_CTX *ctx) {
-  memset(ctx, 0, sizeof(EVP_AEAD_CTX));
-}
-
-int EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,
-                      const uint8_t *key, size_t key_len, size_t tag_len,
-                      ENGINE *impl) {
-  if (!aead->init) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_NO_DIRECTION_SET);
-    ctx->aead = NULL;
-    return 0;
-  }
-  return EVP_AEAD_CTX_init_with_direction(ctx, aead, key, key_len, tag_len,
-                                          evp_aead_open);
-}
-
-int EVP_AEAD_CTX_init_with_direction(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,
-                                     const uint8_t *key, size_t key_len,
-                                     size_t tag_len,
-                                     enum evp_aead_direction_t dir) {
-  if (key_len != aead->key_len) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_KEY_SIZE);
-    ctx->aead = NULL;
-    return 0;
-  }
-
-  ctx->aead = aead;
-
-  int ok;
-  if (aead->init) {
-    ok = aead->init(ctx, key, key_len, tag_len);
-  } else {
-    ok = aead->init_with_direction(ctx, key, key_len, tag_len, dir);
-  }
-
-  if (!ok) {
-    ctx->aead = NULL;
-  }
-
-  return ok;
-}
-
-void EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx) {
-  if (ctx->aead == NULL) {
-    return;
-  }
-  ctx->aead->cleanup(ctx);
-  ctx->aead = NULL;
-}
-
-/* check_alias returns 1 if |out| is compatible with |in| and 0 otherwise. If
- * |in| and |out| alias, we require that |in| == |out|. */
-static int check_alias(const uint8_t *in, size_t in_len, const uint8_t *out,
-                       size_t out_len) {
-  if (!buffers_alias(in, in_len, out, out_len)) {
-    return 1;
-  }
-
-  return in == out;
-}
-
-int EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len,
-                      size_t max_out_len, const uint8_t *nonce,
-                      size_t nonce_len, const uint8_t *in, size_t in_len,
-                      const uint8_t *ad, size_t ad_len) {
-  size_t possible_out_len = in_len + ctx->aead->overhead;
-
-  if (possible_out_len < in_len /* overflow */) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
-    goto error;
-  }
-
-  if (!check_alias(in, in_len, out, max_out_len)) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_OUTPUT_ALIASES_INPUT);
-    goto error;
-  }
-
-  if (ctx->aead->seal(ctx, out, out_len, max_out_len, nonce, nonce_len, in,
-                      in_len, ad, ad_len)) {
-    return 1;
-  }
-
-error:
-  /* In the event of an error, clear the output buffer so that a caller
-   * that doesn't check the return value doesn't send raw data. */
-  memset(out, 0, max_out_len);
-  *out_len = 0;
-  return 0;
-}
-
-int EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len,
-                      size_t max_out_len, const uint8_t *nonce,
-                      size_t nonce_len, const uint8_t *in, size_t in_len,
-                      const uint8_t *ad, size_t ad_len) {
-  if (!check_alias(in, in_len, out, max_out_len)) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_OUTPUT_ALIASES_INPUT);
-    goto error;
-  }
-
-  if (ctx->aead->open(ctx, out, out_len, max_out_len, nonce, nonce_len, in,
-                      in_len, ad, ad_len)) {
-    return 1;
-  }
-
-error:
-  /* In the event of an error, clear the output buffer so that a caller
-   * that doesn't check the return value doesn't try and process bad
-   * data. */
-  memset(out, 0, max_out_len);
-  *out_len = 0;
-  return 0;
-}
-
-const EVP_AEAD *EVP_AEAD_CTX_aead(const EVP_AEAD_CTX *ctx) { return ctx->aead; }
-
-int EVP_AEAD_CTX_get_iv(const EVP_AEAD_CTX *ctx, const uint8_t **out_iv,
-                        size_t *out_len) {
-  if (ctx->aead->get_iv == NULL) {
-    return 0;
-  }
-
-  return ctx->aead->get_iv(ctx, out_iv, out_len);
-}
@@ -1,364 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <stdint.h>
-#include <string.h>
-
-#include <vector>
-
-#include <openssl/aead.h>
-#include <openssl/crypto.h>
-#include <openssl/err.h>
-
-#include "../test/file_test.h"
-
-namespace bssl {
-
-// This program tests an AEAD against a series of test vectors from a file,
-// using the FileTest format. As an example, here's a valid test case:
-//
-//   KEY: 5a19f3173586b4c42f8412f4d5a786531b3231753e9e00998aec12fda8df10e4
-//   NONCE: 978105dfce667bf4
-//   IN: 6a4583908d
-//   AD: b654574932
-//   CT: 5294265a60
-//   TAG: 1d45758621762e061368e68868e2f929
-
-static bool TestAEAD(FileTest *t, void *arg) {
-  const EVP_AEAD *aead = reinterpret_cast<const EVP_AEAD*>(arg);
-
-  std::vector<uint8_t> key, nonce, in, ad, ct, tag;
-  if (!t->GetBytes(&key, "KEY") ||
-      !t->GetBytes(&nonce, "NONCE") ||
-      !t->GetBytes(&in, "IN") ||
-      !t->GetBytes(&ad, "AD") ||
-      !t->GetBytes(&ct, "CT") ||
-      !t->GetBytes(&tag, "TAG")) {
-    return false;
-  }
-
-  ScopedEVP_AEAD_CTX ctx;
-  if (!EVP_AEAD_CTX_init_with_direction(ctx.get(), aead, key.data(), key.size(),
-                                        tag.size(), evp_aead_seal)) {
-    t->PrintLine("Failed to init AEAD.");
-    return false;
-  }
-
-  std::vector<uint8_t> out(in.size() + EVP_AEAD_max_overhead(aead));
-  if (!t->HasAttribute("NO_SEAL")) {
-    size_t out_len;
-    if (!EVP_AEAD_CTX_seal(ctx.get(), out.data(), &out_len, out.size(),
-                           nonce.data(), nonce.size(), in.data(), in.size(),
-                           ad.data(), ad.size())) {
-      t->PrintLine("Failed to run AEAD.");
-      return false;
-    }
-    out.resize(out_len);
-
-    if (out.size() != ct.size() + tag.size()) {
-      t->PrintLine("Bad output length: %u vs %u.", (unsigned)out_len,
-                   (unsigned)(ct.size() + tag.size()));
-      return false;
-    }
-    if (!t->ExpectBytesEqual(ct.data(), ct.size(), out.data(), ct.size()) ||
-        !t->ExpectBytesEqual(tag.data(), tag.size(), out.data() + ct.size(),
-                             tag.size())) {
-      return false;
-    }
-  } else {
-    out.resize(ct.size() + tag.size());
-    memcpy(out.data(), ct.data(), ct.size());
-    memcpy(out.data() + ct.size(), tag.data(), tag.size());
-  }
-
-  // The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
-  // reset after each operation.
-  ctx.Reset();
-  if (!EVP_AEAD_CTX_init_with_direction(ctx.get(), aead, key.data(), key.size(),
-                                        tag.size(), evp_aead_open)) {
-    t->PrintLine("Failed to init AEAD.");
-    return false;
-  }
-
-  std::vector<uint8_t> out2(out.size());
-  size_t out2_len;
-  int ret = EVP_AEAD_CTX_open(ctx.get(), out2.data(), &out2_len, out2.size(),
-                              nonce.data(), nonce.size(), out.data(),
-                              out.size(), ad.data(), ad.size());
-  if (t->HasAttribute("FAILS")) {
-    if (ret) {
-      t->PrintLine("Decrypted bad data.");
-      return false;
-    }
-    ERR_clear_error();
-    return true;
-  }
-
-  if (!ret) {
-    t->PrintLine("Failed to decrypt.");
-    return false;
-  }
-  out2.resize(out2_len);
-  if (!t->ExpectBytesEqual(in.data(), in.size(), out2.data(), out2.size())) {
-    return false;
-  }
-
-  // The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
-  // reset after each operation.
-  ctx.Reset();
-  if (!EVP_AEAD_CTX_init_with_direction(ctx.get(), aead, key.data(), key.size(),
-                                        tag.size(), evp_aead_open)) {
-    t->PrintLine("Failed to init AEAD.");
-    return false;
-  }
-
-  // Garbage at the end isn't ignored.
-  out.push_back(0);
-  out2.resize(out.size());
-  if (EVP_AEAD_CTX_open(ctx.get(), out2.data(), &out2_len, out2.size(),
-                        nonce.data(), nonce.size(), out.data(), out.size(),
-                        ad.data(), ad.size())) {
-    t->PrintLine("Decrypted bad data with trailing garbage.");
-    return false;
-  }
-  ERR_clear_error();
-
-  // The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
-  // reset after each operation.
-  ctx.Reset();
-  if (!EVP_AEAD_CTX_init_with_direction(ctx.get(), aead, key.data(), key.size(),
-                                        tag.size(), evp_aead_open)) {
-    t->PrintLine("Failed to init AEAD.");
-    return false;
-  }
-
-  // Verify integrity is checked.
-  out[0] ^= 0x80;
-  out.resize(out.size() - 1);
-  out2.resize(out.size());
-  if (EVP_AEAD_CTX_open(ctx.get(), out2.data(), &out2_len, out2.size(),
-                        nonce.data(), nonce.size(), out.data(), out.size(),
-                        ad.data(), ad.size())) {
-    t->PrintLine("Decrypted bad data with corrupted byte.");
-    return false;
-  }
-  ERR_clear_error();
-
-  return true;
-}
-
-static int TestCleanupAfterInitFailure(const EVP_AEAD *aead) {
-  EVP_AEAD_CTX ctx;
-  uint8_t key[128];
-
-  memset(key, 0, sizeof(key));
-  const size_t key_len = EVP_AEAD_key_length(aead);
-  if (key_len > sizeof(key)) {
-    fprintf(stderr, "Key length of AEAD too long.\n");
-    return 0;
-  }
-
-  if (EVP_AEAD_CTX_init(&ctx, aead, key, key_len,
-                        9999 /* a silly tag length to trigger an error */,
-                        NULL /* ENGINE */) != 0) {
-    fprintf(stderr, "A silly tag length didn't trigger an error!\n");
-    return 0;
-  }
-  ERR_clear_error();
-
-  /* Running a second, failed _init should not cause a memory leak. */
-  if (EVP_AEAD_CTX_init(&ctx, aead, key, key_len,
-                        9999 /* a silly tag length to trigger an error */,
-                        NULL /* ENGINE */) != 0) {
-    fprintf(stderr, "A silly tag length didn't trigger an error!\n");
-    return 0;
-  }
-  ERR_clear_error();
-
-  /* Calling _cleanup on an |EVP_AEAD_CTX| after a failed _init should be a
-   * no-op. */
-  EVP_AEAD_CTX_cleanup(&ctx);
-  return 1;
-}
-
-static bool TestWithAliasedBuffers(const EVP_AEAD *aead) {
-  const size_t key_len = EVP_AEAD_key_length(aead);
-  const size_t nonce_len = EVP_AEAD_nonce_length(aead);
-  const size_t max_overhead = EVP_AEAD_max_overhead(aead);
-
-  std::vector<uint8_t> key(key_len, 'a');
-  ScopedEVP_AEAD_CTX ctx;
-  if (!EVP_AEAD_CTX_init(ctx.get(), aead, key.data(), key_len,
-                         EVP_AEAD_DEFAULT_TAG_LENGTH, nullptr)) {
-    return false;
-  }
-
-  static const uint8_t kPlaintext[260] =
-      "testing123456testing123456testing123456testing123456testing123456testing"
-      "123456testing123456testing123456testing123456testing123456testing123456t"
-      "esting123456testing123456testing123456testing123456testing123456testing1"
-      "23456testing123456testing123456testing12345";
-  const std::vector<size_t> offsets = {
-      0,  1,  2,  8,  15, 16,  17,  31,  32,  33,  63,
-      64, 65, 95, 96, 97, 127, 128, 129, 255, 256, 257,
-  };
-
-  std::vector<uint8_t> nonce(nonce_len, 'b');
-  std::vector<uint8_t> valid_encryption(sizeof(kPlaintext) + max_overhead);
-  size_t valid_encryption_len;
-  if (!EVP_AEAD_CTX_seal(
-          ctx.get(), valid_encryption.data(), &valid_encryption_len,
-          sizeof(kPlaintext) + max_overhead, nonce.data(), nonce_len,
-          kPlaintext, sizeof(kPlaintext), nullptr, 0)) {
-    fprintf(stderr, "EVP_AEAD_CTX_seal failed with disjoint buffers.\n");
-    return false;
-  }
-
-  // Test with out != in which we expect to fail.
-  std::vector<uint8_t> buffer(2 + valid_encryption_len);
-  uint8_t *in = buffer.data() + 1;
-  uint8_t *out1 = buffer.data();
-  uint8_t *out2 = buffer.data() + 2;
-
-  memcpy(in, kPlaintext, sizeof(kPlaintext));
-  size_t out_len;
-  if (EVP_AEAD_CTX_seal(ctx.get(), out1, &out_len,
-                        sizeof(kPlaintext) + max_overhead, nonce.data(),
-                        nonce_len, in, sizeof(kPlaintext), nullptr, 0) ||
-      EVP_AEAD_CTX_seal(ctx.get(), out2, &out_len,
-                        sizeof(kPlaintext) + max_overhead, nonce.data(),
-                        nonce_len, in, sizeof(kPlaintext), nullptr, 0)) {
-    fprintf(stderr, "EVP_AEAD_CTX_seal unexpectedly succeeded.\n");
-    return false;
-  }
-  ERR_clear_error();
-
-  memcpy(in, valid_encryption.data(), valid_encryption_len);
-  if (EVP_AEAD_CTX_open(ctx.get(), out1, &out_len, valid_encryption_len,
-                        nonce.data(), nonce_len, in, valid_encryption_len,
-                        nullptr, 0) ||
-      EVP_AEAD_CTX_open(ctx.get(), out2, &out_len, valid_encryption_len,
-                        nonce.data(), nonce_len, in, valid_encryption_len,
-                        nullptr, 0)) {
-    fprintf(stderr, "EVP_AEAD_CTX_open unexpectedly succeeded.\n");
-    return false;
-  }
-  ERR_clear_error();
-
-  // Test with out == in, which we expect to work.
-  memcpy(in, kPlaintext, sizeof(kPlaintext));
-
-  if (!EVP_AEAD_CTX_seal(ctx.get(), in, &out_len,
-                         sizeof(kPlaintext) + max_overhead, nonce.data(),
-                         nonce_len, in, sizeof(kPlaintext), nullptr, 0)) {
-    fprintf(stderr, "EVP_AEAD_CTX_seal failed in-place.\n");
-    return false;
-  }
-
-  if (out_len != valid_encryption_len ||
-      memcmp(in, valid_encryption.data(), out_len) != 0) {
-    fprintf(stderr, "EVP_AEAD_CTX_seal produced bad output in-place.\n");
-    return false;
-  }
-
-  memcpy(in, valid_encryption.data(), valid_encryption_len);
-  if (!EVP_AEAD_CTX_open(ctx.get(), in, &out_len, valid_encryption_len,
-                         nonce.data(), nonce_len, in, valid_encryption_len,
-                         nullptr, 0)) {
-    fprintf(stderr, "EVP_AEAD_CTX_open failed in-place.\n");
-    return false;
-  }
-
-  if (out_len != sizeof(kPlaintext) ||
-      memcmp(in, kPlaintext, out_len) != 0) {
-    fprintf(stderr, "EVP_AEAD_CTX_open produced bad output in-place.\n");
-    return false;
-  }
-
-  return true;
-}
-
-struct KnownAEAD {
-  const char name[40];
-  const EVP_AEAD *(*func)(void);
-  // limited_implementation indicates that tests that assume a generic AEAD
-  // interface should not be performed. For example, the key-wrap AEADs only
-  // handle inputs that are a multiple of eight bytes in length and the
-  // SSLv3/TLS AEADs have the concept of “direction”.
-  bool limited_implementation;
-};
-
-static const struct KnownAEAD kAEADs[] = {
-  { "aes-128-gcm", EVP_aead_aes_128_gcm, false },
-  { "aes-256-gcm", EVP_aead_aes_256_gcm, false },
-  { "chacha20-poly1305", EVP_aead_chacha20_poly1305, false },
-  { "chacha20-poly1305-old", EVP_aead_chacha20_poly1305_old, false },
-  { "aes-128-cbc-sha1-tls", EVP_aead_aes_128_cbc_sha1_tls, true },
-  { "aes-128-cbc-sha1-tls-implicit-iv", EVP_aead_aes_128_cbc_sha1_tls_implicit_iv, true },
-  { "aes-128-cbc-sha256-tls", EVP_aead_aes_128_cbc_sha256_tls, true },
-  { "aes-256-cbc-sha1-tls", EVP_aead_aes_256_cbc_sha1_tls, true },
-  { "aes-256-cbc-sha1-tls-implicit-iv", EVP_aead_aes_256_cbc_sha1_tls_implicit_iv, true },
-  { "aes-256-cbc-sha256-tls", EVP_aead_aes_256_cbc_sha256_tls, true },
-  { "aes-256-cbc-sha384-tls", EVP_aead_aes_256_cbc_sha384_tls, true },
-  { "des-ede3-cbc-sha1-tls", EVP_aead_des_ede3_cbc_sha1_tls, true },
-  { "des-ede3-cbc-sha1-tls-implicit-iv", EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv, true },
-  { "aes-128-cbc-sha1-ssl3", EVP_aead_aes_128_cbc_sha1_ssl3, true },
-  { "aes-256-cbc-sha1-ssl3", EVP_aead_aes_256_cbc_sha1_ssl3, true },
-  { "des-ede3-cbc-sha1-ssl3", EVP_aead_des_ede3_cbc_sha1_ssl3, true },
-  { "aes-128-key-wrap", EVP_aead_aes_128_key_wrap, true },
-  { "aes-256-key-wrap", EVP_aead_aes_256_key_wrap, true },
-  { "aes-128-ctr-hmac-sha256", EVP_aead_aes_128_ctr_hmac_sha256, false },
-  { "aes-256-ctr-hmac-sha256", EVP_aead_aes_256_ctr_hmac_sha256, false },
-  { "", NULL, false },
-};
-
-static int Main(int argc, char **argv) {
-  CRYPTO_library_init();
-
-  if (argc != 3) {
-    fprintf(stderr, "%s <aead> <test file.txt>\n", argv[0]);
-    return 1;
-  }
-
-  const struct KnownAEAD *known_aead;
-  for (unsigned i = 0;; i++) {
-    known_aead = &kAEADs[i];
-    if (known_aead->func == NULL) {
-      fprintf(stderr, "Unknown AEAD: %s\n", argv[1]);
-      return 2;
-    }
-    if (strcmp(known_aead->name, argv[1]) == 0) {
-      break;
-    }
-  }
-
-  const EVP_AEAD *const aead = known_aead->func();
-
-  if (!TestCleanupAfterInitFailure(aead)) {
-    return 1;
-  }
-
-  if (!known_aead->limited_implementation && !TestWithAliasedBuffers(aead)) {
-    fprintf(stderr, "Aliased buffers test failed for %s.\n", known_aead->name);
-    return 1;
-  }
-
-  return FileTestMain(TestAEAD, const_cast<EVP_AEAD*>(aead), argv[2]);
-}
-
-}  // namespace bssl
-
-int main(int argc, char **argv) {
-  return bssl::Main(argc, argv);
-}
@@ -1,302 +0,0 @@
-/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project.
- */
-/* ====================================================================
- * Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- */
-
-#include <stdlib.h>
-#include <string.h>
-
-#include <string>
-#include <vector>
-
-#include <openssl/cipher.h>
-#include <openssl/crypto.h>
-#include <openssl/err.h>
-
-#include "../test/file_test.h"
-
-namespace bssl {
-
-static const EVP_CIPHER *GetCipher(const std::string &name) {
-  if (name == "DES-CBC") {
-    return EVP_des_cbc();
-  } else if (name == "DES-ECB") {
-    return EVP_des_ecb();
-  } else if (name == "DES-EDE") {
-    return EVP_des_ede();
-  } else if (name == "DES-EDE-CBC") {
-    return EVP_des_ede_cbc();
-  } else if (name == "DES-EDE3-CBC") {
-    return EVP_des_ede3_cbc();
-  } else if (name == "RC4") {
-    return EVP_rc4();
-  } else if (name == "AES-128-ECB") {
-    return EVP_aes_128_ecb();
-  } else if (name == "AES-256-ECB") {
-    return EVP_aes_256_ecb();
-  } else if (name == "AES-128-CBC") {
-    return EVP_aes_128_cbc();
-  } else if (name == "AES-128-GCM") {
-    return EVP_aes_128_gcm();
-  } else if (name == "AES-128-OFB") {
-    return EVP_aes_128_ofb();
-  } else if (name == "AES-192-CBC") {
-    return EVP_aes_192_cbc();
-  } else if (name == "AES-192-ECB") {
-    return EVP_aes_192_ecb();
-  } else if (name == "AES-256-CBC") {
-    return EVP_aes_256_cbc();
-  } else if (name == "AES-128-CTR") {
-    return EVP_aes_128_ctr();
-  } else if (name == "AES-256-CTR") {
-    return EVP_aes_256_ctr();
-  } else if (name == "AES-256-GCM") {
-    return EVP_aes_256_gcm();
-  } else if (name == "AES-256-OFB") {
-    return EVP_aes_256_ofb();
-  }
-  return nullptr;
-}
-
-static bool TestOperation(FileTest *t,
-                          const EVP_CIPHER *cipher,
-                          bool encrypt,
-                          size_t chunk_size,
-                          const std::vector<uint8_t> &key,
-                          const std::vector<uint8_t> &iv,
-                          const std::vector<uint8_t> &plaintext,
-                          const std::vector<uint8_t> &ciphertext,
-                          const std::vector<uint8_t> &aad,
-                          const std::vector<uint8_t> &tag) {
-  const std::vector<uint8_t> *in, *out;
-  if (encrypt) {
-    in = &plaintext;
-    out = &ciphertext;
-  } else {
-    in = &ciphertext;
-    out = &plaintext;
-  }
-
-  bool is_aead = EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE;
-
-  ScopedEVP_CIPHER_CTX ctx;
-  if (!EVP_CipherInit_ex(ctx.get(), cipher, nullptr, nullptr, nullptr,
-                         encrypt ? 1 : 0)) {
-    return false;
-  }
-  if (t->HasAttribute("IV")) {
-    if (is_aead) {
-      if (!EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_SET_IVLEN,
-                               iv.size(), 0)) {
-        return false;
-      }
-    } else if (iv.size() != EVP_CIPHER_CTX_iv_length(ctx.get())) {
-      t->PrintLine("Bad IV length.");
-      return false;
-    }
-  }
-  if (is_aead && !encrypt &&
-      !EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_SET_TAG, tag.size(),
-                           const_cast<uint8_t*>(tag.data()))) {
-    return false;
-  }
-  // The ciphers are run with no padding. For each of the ciphers we test, the
-  // output size matches the input size.
-  std::vector<uint8_t> result(in->size());
-  if (in->size() != out->size()) {
-    t->PrintLine("Input/output size mismatch (%u vs %u).", (unsigned)in->size(),
-                 (unsigned)out->size());
-    return false;
-  }
-  // Note: the deprecated |EVP_CIPHER|-based AES-GCM API is sensitive to whether
-  // parameters are NULL, so it is important to skip the |in| and |aad|
-  // |EVP_CipherUpdate| calls when empty.
-  int unused, result_len1 = 0, result_len2;
-  if (!EVP_CIPHER_CTX_set_key_length(ctx.get(), key.size()) ||
-      !EVP_CipherInit_ex(ctx.get(), nullptr, nullptr, key.data(), iv.data(),
-                         -1) ||
-      (!aad.empty() &&
-       !EVP_CipherUpdate(ctx.get(), nullptr, &unused, aad.data(),
-                         aad.size())) ||
-      !EVP_CIPHER_CTX_set_padding(ctx.get(), 0)) {
-    t->PrintLine("Operation failed.");
-    return false;
-  }
-  if (chunk_size != 0) {
-    for (size_t i = 0; i < in->size();) {
-      size_t todo = chunk_size;
-      if (i + todo > in->size()) {
-        todo = in->size() - i;
-      }
-
-      int len;
-      if (!EVP_CipherUpdate(ctx.get(), result.data() + result_len1, &len,
-                            in->data() + i, todo)) {
-        t->PrintLine("Operation failed.");
-        return false;
-      }
-      result_len1 += len;
-      i += todo;
-    }
-  } else if (!in->empty() &&
-             !EVP_CipherUpdate(ctx.get(), result.data(), &result_len1,
-                               in->data(), in->size())) {
-    t->PrintLine("Operation failed.");
-    return false;
-  }
-  if (!EVP_CipherFinal_ex(ctx.get(), result.data() + result_len1,
-                          &result_len2)) {
-    t->PrintLine("Operation failed.");
-    return false;
-  }
-  result.resize(result_len1 + result_len2);
-  if (!t->ExpectBytesEqual(out->data(), out->size(), result.data(),
-                           result.size())) {
-    return false;
-  }
-  if (encrypt && is_aead) {
-    uint8_t rtag[16];
-    if (tag.size() > sizeof(rtag)) {
-      t->PrintLine("Bad tag length.");
-      return false;
-    }
-    if (!EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_GET_TAG, tag.size(),
-                             rtag) ||
-        !t->ExpectBytesEqual(tag.data(), tag.size(), rtag,
-                             tag.size())) {
-      return false;
-    }
-  }
-  return true;
-}
-
-static bool TestCipher(FileTest *t, void *arg) {
-  std::string cipher_str;
-  if (!t->GetAttribute(&cipher_str, "Cipher")) {
-    return false;
-  }
-  const EVP_CIPHER *cipher = GetCipher(cipher_str);
-  if (cipher == nullptr) {
-    t->PrintLine("Unknown cipher: '%s'.", cipher_str.c_str());
-    return false;
-  }
-
-  std::vector<uint8_t> key, iv, plaintext, ciphertext, aad, tag;
-  if (!t->GetBytes(&key, "Key") ||
-      !t->GetBytes(&plaintext, "Plaintext") ||
-      !t->GetBytes(&ciphertext, "Ciphertext")) {
-    return false;
-  }
-  if (EVP_CIPHER_iv_length(cipher) > 0 &&
-      !t->GetBytes(&iv, "IV")) {
-    return false;
-  }
-  if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE) {
-    if (!t->GetBytes(&aad, "AAD") ||
-        !t->GetBytes(&tag, "Tag")) {
-      return false;
-    }
-  }
-
-  enum {
-    kEncrypt,
-    kDecrypt,
-    kBoth,
-  } operation = kBoth;
-  if (t->HasAttribute("Operation")) {
-    const std::string &str = t->GetAttributeOrDie("Operation");
-    if (str == "ENCRYPT") {
-      operation = kEncrypt;
-    } else if (str == "DECRYPT") {
-      operation = kDecrypt;
-    } else {
-      t->PrintLine("Unknown operation: '%s'.", str.c_str());
-      return false;
-    }
-  }
-
-  const std::vector<size_t> chunk_sizes = {0,  1,  2,  5,  7,  8,  9,  15, 16,
-                                           17, 31, 32, 33, 63, 64, 65, 512};
-
-  for (size_t chunk_size : chunk_sizes) {
-    // By default, both directions are run, unless overridden by the operation.
-    if (operation != kDecrypt &&
-        !TestOperation(t, cipher, true /* encrypt */, chunk_size, key, iv,
-                       plaintext, ciphertext, aad, tag)) {
-      return false;
-    }
-
-    if (operation != kEncrypt &&
-        !TestOperation(t, cipher, false /* decrypt */, chunk_size, key, iv,
-                       plaintext, ciphertext, aad, tag)) {
-      return false;
-    }
-  }
-
-  return true;
-}
-
-static int Main(int argc, char **argv) {
-  CRYPTO_library_init();
-
-  if (argc != 2) {
-    fprintf(stderr, "%s <test file>\n", argv[0]);
-    return 1;
-  }
-
-  return FileTestMain(TestCipher, nullptr, argv[1]);
-}
-
-}  // namespace bssl
-
-int main(int argc, char **argv) {
-  return bssl::Main(argc, argv);
-}
@@ -1,300 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/aead.h>
-
-#include <string.h>
-
-#include <openssl/chacha.h>
-#include <openssl/cipher.h>
-#include <openssl/err.h>
-#include <openssl/mem.h>
-#include <openssl/poly1305.h>
-
-#include "internal.h"
-#include "../internal.h"
-
-
-#define POLY1305_TAG_LEN 16
-
-struct aead_chacha20_poly1305_ctx {
-  unsigned char key[32];
-  unsigned char tag_len;
-};
-
-static int aead_chacha20_poly1305_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
-                                       size_t key_len, size_t tag_len) {
-  struct aead_chacha20_poly1305_ctx *c20_ctx;
-
-  if (tag_len == 0) {
-    tag_len = POLY1305_TAG_LEN;
-  }
-
-  if (tag_len > POLY1305_TAG_LEN) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
-    return 0;
-  }
-
-  if (key_len != sizeof(c20_ctx->key)) {
-    return 0; /* internal error - EVP_AEAD_CTX_init should catch this. */
-  }
-
-  c20_ctx = OPENSSL_malloc(sizeof(struct aead_chacha20_poly1305_ctx));
-  if (c20_ctx == NULL) {
-    return 0;
-  }
-
-  memcpy(c20_ctx->key, key, key_len);
-  c20_ctx->tag_len = tag_len;
-  ctx->aead_state = c20_ctx;
-
-  return 1;
-}
-
-static void aead_chacha20_poly1305_cleanup(EVP_AEAD_CTX *ctx) {
-  struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state;
-  OPENSSL_cleanse(c20_ctx->key, sizeof(c20_ctx->key));
-  OPENSSL_free(c20_ctx);
-}
-
-static void poly1305_update_length(poly1305_state *poly1305, size_t data_len) {
-  uint8_t length_bytes[8];
-  unsigned i;
-
-  for (i = 0; i < sizeof(length_bytes); i++) {
-    length_bytes[i] = data_len;
-    data_len >>= 8;
-  }
-
-  CRYPTO_poly1305_update(poly1305, length_bytes, sizeof(length_bytes));
-}
-
-typedef void (*aead_poly1305_update)(poly1305_state *ctx, const uint8_t *ad,
-                                     size_t ad_len, const uint8_t *ciphertext,
-                                     size_t ciphertext_len);
-
-/* aead_poly1305 fills |tag| with the authentication tag for the given
- * inputs, using |update| to control the order and format that the inputs are
- * signed/authenticated. */
-static void aead_poly1305(aead_poly1305_update update,
-                          uint8_t tag[POLY1305_TAG_LEN],
-                          const struct aead_chacha20_poly1305_ctx *c20_ctx,
-                          const uint8_t nonce[12], const uint8_t *ad,
-                          size_t ad_len, const uint8_t *ciphertext,
-                          size_t ciphertext_len) {
-  alignas(16) uint8_t poly1305_key[32];
-  memset(poly1305_key, 0, sizeof(poly1305_key));
-  CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key),
-                   c20_ctx->key, nonce, 0);
-  poly1305_state ctx;
-  CRYPTO_poly1305_init(&ctx, poly1305_key);
-  update(&ctx, ad, ad_len, ciphertext, ciphertext_len);
-  CRYPTO_poly1305_finish(&ctx, tag);
-}
-
-static int seal_impl(aead_poly1305_update poly1305_update,
-                     const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len,
-                     size_t max_out_len, const uint8_t nonce[12],
-                     const uint8_t *in, size_t in_len, const uint8_t *ad,
-                     size_t ad_len) {
-  const struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state;
-  const uint64_t in_len_64 = in_len;
-
-  /* |CRYPTO_chacha_20| uses a 32-bit block counter. Therefore we disallow
-   * individual operations that work on more than 256GB at a time.
-   * |in_len_64| is needed because, on 32-bit platforms, size_t is only
-   * 32-bits and this produces a warning because it's always false.
-   * Casting to uint64_t inside the conditional is not sufficient to stop
-   * the warning. */
-  if (in_len_64 >= (UINT64_C(1) << 32) * 64 - 64) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
-    return 0;
-  }
-
-  if (in_len + c20_ctx->tag_len < in_len) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
-    return 0;
-  }
-
-  if (max_out_len < in_len + c20_ctx->tag_len) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
-    return 0;
-  }
-
-  CRYPTO_chacha_20(out, in, in_len, c20_ctx->key, nonce, 1);
-
-  alignas(16) uint8_t tag[POLY1305_TAG_LEN];
-  aead_poly1305(poly1305_update, tag, c20_ctx, nonce, ad, ad_len, out, in_len);
-
-  memcpy(out + in_len, tag, c20_ctx->tag_len);
-  *out_len = in_len + c20_ctx->tag_len;
-  return 1;
-}
-
-static int open_impl(aead_poly1305_update poly1305_update,
-                     const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len,
-                     size_t max_out_len, const uint8_t nonce[12],
-                     const uint8_t *in, size_t in_len, const uint8_t *ad,
-                     size_t ad_len) {
-  const struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state;
-  size_t plaintext_len;
-  const uint64_t in_len_64 = in_len;
-
-  if (in_len < c20_ctx->tag_len) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
-    return 0;
-  }
-
-  /* |CRYPTO_chacha_20| uses a 32-bit block counter. Therefore we disallow
-   * individual operations that work on more than 256GB at a time.
-   * |in_len_64| is needed because, on 32-bit platforms, size_t is only
-   * 32-bits and this produces a warning because it's always false.
-   * Casting to uint64_t inside the conditional is not sufficient to stop
-   * the warning. */
-  if (in_len_64 >= (UINT64_C(1) << 32) * 64 - 64) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
-    return 0;
-  }
-
-  plaintext_len = in_len - c20_ctx->tag_len;
-  alignas(16) uint8_t tag[POLY1305_TAG_LEN];
-  aead_poly1305(poly1305_update, tag, c20_ctx, nonce, ad, ad_len, in,
-                plaintext_len);
-  if (CRYPTO_memcmp(tag, in + plaintext_len, c20_ctx->tag_len) != 0) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
-    return 0;
-  }
-
-  CRYPTO_chacha_20(out, in, plaintext_len, c20_ctx->key, nonce, 1);
-  *out_len = plaintext_len;
-  return 1;
-}
-
-static void poly1305_update_padded_16(poly1305_state *poly1305,
-                                      const uint8_t *data, size_t data_len) {
-  static const uint8_t padding[16] = { 0 }; /* Padding is all zeros. */
-
-  CRYPTO_poly1305_update(poly1305, data, data_len);
-  if (data_len % 16 != 0) {
-    CRYPTO_poly1305_update(poly1305, padding, sizeof(padding) - (data_len % 16));
-  }
-}
-
-static void poly1305_update(poly1305_state *ctx, const uint8_t *ad,
-                            size_t ad_len, const uint8_t *ciphertext,
-                            size_t ciphertext_len) {
-  poly1305_update_padded_16(ctx, ad, ad_len);
-  poly1305_update_padded_16(ctx, ciphertext, ciphertext_len);
-  poly1305_update_length(ctx, ad_len);
-  poly1305_update_length(ctx, ciphertext_len);
-}
-
-static int aead_chacha20_poly1305_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
-                                       size_t *out_len, size_t max_out_len,
-                                       const uint8_t *nonce, size_t nonce_len,
-                                       const uint8_t *in, size_t in_len,
-                                       const uint8_t *ad, size_t ad_len) {
-  if (nonce_len != 12) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
-    return 0;
-  }
-  return seal_impl(poly1305_update, ctx, out, out_len, max_out_len, nonce, in,
-                   in_len, ad, ad_len);
-}
-
-static int aead_chacha20_poly1305_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
-                                       size_t *out_len, size_t max_out_len,
-                                       const uint8_t *nonce, size_t nonce_len,
-                                       const uint8_t *in, size_t in_len,
-                                       const uint8_t *ad, size_t ad_len) {
-  if (nonce_len != 12) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
-    return 0;
-  }
-  return open_impl(poly1305_update, ctx, out, out_len, max_out_len, nonce, in,
-                   in_len, ad, ad_len);
-}
-
-static const EVP_AEAD aead_chacha20_poly1305 = {
-    32,                 /* key len */
-    12,                 /* nonce len */
-    POLY1305_TAG_LEN,   /* overhead */
-    POLY1305_TAG_LEN,   /* max tag length */
-    aead_chacha20_poly1305_init,
-    NULL, /* init_with_direction */
-    aead_chacha20_poly1305_cleanup,
-    aead_chacha20_poly1305_seal,
-    aead_chacha20_poly1305_open,
-    NULL,               /* get_iv */
-};
-
-const EVP_AEAD *EVP_aead_chacha20_poly1305(void) {
-  return &aead_chacha20_poly1305;
-}
-
-static void poly1305_update_old(poly1305_state *ctx, const uint8_t *ad,
-                                size_t ad_len, const uint8_t *ciphertext,
-                                size_t ciphertext_len) {
-  CRYPTO_poly1305_update(ctx, ad, ad_len);
-  poly1305_update_length(ctx, ad_len);
-  CRYPTO_poly1305_update(ctx, ciphertext, ciphertext_len);
-  poly1305_update_length(ctx, ciphertext_len);
-}
-
-static int aead_chacha20_poly1305_old_seal(
-    const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len, size_t max_out_len,
-    const uint8_t *nonce, size_t nonce_len, const uint8_t *in, size_t in_len,
-    const uint8_t *ad, size_t ad_len) {
-  if (nonce_len != 8) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
-    return 0;
-  }
-  uint8_t nonce_96[12];
-  memset(nonce_96, 0, 4);
-  memcpy(nonce_96 + 4, nonce, 8);
-  return seal_impl(poly1305_update_old, ctx, out, out_len, max_out_len,
-                   nonce_96, in, in_len, ad, ad_len);
-}
-
-static int aead_chacha20_poly1305_old_open(
-    const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len, size_t max_out_len,
-    const uint8_t *nonce, size_t nonce_len, const uint8_t *in, size_t in_len,
-    const uint8_t *ad, size_t ad_len) {
-  if (nonce_len != 8) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
-    return 0;
-  }
-  uint8_t nonce_96[12];
-  memset(nonce_96, 0, 4);
-  memcpy(nonce_96 + 4, nonce, 8);
-  return open_impl(poly1305_update_old, ctx, out, out_len, max_out_len,
-                   nonce_96, in, in_len, ad, ad_len);
-}
-
-static const EVP_AEAD aead_chacha20_poly1305_old = {
-    32,                 /* key len */
-    8,                  /* nonce len */
-    POLY1305_TAG_LEN,   /* overhead */
-    POLY1305_TAG_LEN,   /* max tag length */
-    aead_chacha20_poly1305_init,
-    NULL, /* init_with_direction */
-    aead_chacha20_poly1305_cleanup,
-    aead_chacha20_poly1305_old_seal,
-    aead_chacha20_poly1305_old_open,
-    NULL,               /* get_iv */
-};
-
-const EVP_AEAD *EVP_aead_chacha20_poly1305_old(void) {
-  return &aead_chacha20_poly1305_old;
-}
@@ -1,403 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <assert.h>
-#include <limits.h>
-#include <string.h>
-
-#include <openssl/aead.h>
-#include <openssl/cipher.h>
-#include <openssl/err.h>
-#include <openssl/hmac.h>
-#include <openssl/md5.h>
-#include <openssl/mem.h>
-#include <openssl/sha.h>
-
-#include "internal.h"
-
-
-typedef struct {
-  EVP_CIPHER_CTX cipher_ctx;
-  EVP_MD_CTX md_ctx;
-} AEAD_SSL3_CTX;
-
-static int ssl3_mac(AEAD_SSL3_CTX *ssl3_ctx, uint8_t *out, unsigned *out_len,
-                    const uint8_t *ad, size_t ad_len, const uint8_t *in,
-                    size_t in_len) {
-  size_t md_size = EVP_MD_CTX_size(&ssl3_ctx->md_ctx);
-  size_t pad_len = (md_size == 20) ? 40 : 48;
-
-  /* To allow for CBC mode which changes cipher length, |ad| doesn't include the
-   * length for legacy ciphers. */
-  uint8_t ad_extra[2];
-  ad_extra[0] = (uint8_t)(in_len >> 8);
-  ad_extra[1] = (uint8_t)(in_len & 0xff);
-
-  EVP_MD_CTX md_ctx;
-  EVP_MD_CTX_init(&md_ctx);
-
-  uint8_t pad[48];
-  uint8_t tmp[EVP_MAX_MD_SIZE];
-  memset(pad, 0x36, pad_len);
-  if (!EVP_MD_CTX_copy_ex(&md_ctx, &ssl3_ctx->md_ctx) ||
-      !EVP_DigestUpdate(&md_ctx, pad, pad_len) ||
-      !EVP_DigestUpdate(&md_ctx, ad, ad_len) ||
-      !EVP_DigestUpdate(&md_ctx, ad_extra, sizeof(ad_extra)) ||
-      !EVP_DigestUpdate(&md_ctx, in, in_len) ||
-      !EVP_DigestFinal_ex(&md_ctx, tmp, NULL)) {
-    EVP_MD_CTX_cleanup(&md_ctx);
-    return 0;
-  }
-
-  memset(pad, 0x5c, pad_len);
-  if (!EVP_MD_CTX_copy_ex(&md_ctx, &ssl3_ctx->md_ctx) ||
-      !EVP_DigestUpdate(&md_ctx, pad, pad_len) ||
-      !EVP_DigestUpdate(&md_ctx, tmp, md_size) ||
-      !EVP_DigestFinal_ex(&md_ctx, out, out_len)) {
-    EVP_MD_CTX_cleanup(&md_ctx);
-    return 0;
-  }
-  EVP_MD_CTX_cleanup(&md_ctx);
-  return 1;
-}
-
-static void aead_ssl3_cleanup(EVP_AEAD_CTX *ctx) {
-  AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;
-  EVP_CIPHER_CTX_cleanup(&ssl3_ctx->cipher_ctx);
-  EVP_MD_CTX_cleanup(&ssl3_ctx->md_ctx);
-  OPENSSL_free(ssl3_ctx);
-  ctx->aead_state = NULL;
-}
-
-static int aead_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,
-                          size_t tag_len, enum evp_aead_direction_t dir,
-                          const EVP_CIPHER *cipher, const EVP_MD *md) {
-  if (tag_len != EVP_AEAD_DEFAULT_TAG_LENGTH &&
-      tag_len != EVP_MD_size(md)) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_TAG_SIZE);
-    return 0;
-  }
-
-  if (key_len != EVP_AEAD_key_length(ctx->aead)) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
-    return 0;
-  }
-
-  size_t mac_key_len = EVP_MD_size(md);
-  size_t enc_key_len = EVP_CIPHER_key_length(cipher);
-  assert(mac_key_len + enc_key_len + EVP_CIPHER_iv_length(cipher) == key_len);
-
-  AEAD_SSL3_CTX *ssl3_ctx = OPENSSL_malloc(sizeof(AEAD_SSL3_CTX));
-  if (ssl3_ctx == NULL) {
-    OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE);
-    return 0;
-  }
-  EVP_CIPHER_CTX_init(&ssl3_ctx->cipher_ctx);
-  EVP_MD_CTX_init(&ssl3_ctx->md_ctx);
-
-  ctx->aead_state = ssl3_ctx;
-  if (!EVP_CipherInit_ex(&ssl3_ctx->cipher_ctx, cipher, NULL, &key[mac_key_len],
-                         &key[mac_key_len + enc_key_len],
-                         dir == evp_aead_seal) ||
-      !EVP_DigestInit_ex(&ssl3_ctx->md_ctx, md, NULL) ||
-      !EVP_DigestUpdate(&ssl3_ctx->md_ctx, key, mac_key_len)) {
-    aead_ssl3_cleanup(ctx);
-    ctx->aead_state = NULL;
-    return 0;
-  }
-  EVP_CIPHER_CTX_set_padding(&ssl3_ctx->cipher_ctx, 0);
-
-  return 1;
-}
-
-static int aead_ssl3_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
-                         size_t *out_len, size_t max_out_len,
-                         const uint8_t *nonce, size_t nonce_len,
-                         const uint8_t *in, size_t in_len,
-                         const uint8_t *ad, size_t ad_len) {
-  AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;
-  size_t total = 0;
-
-  if (!ssl3_ctx->cipher_ctx.encrypt) {
-    /* Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction. */
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
-    return 0;
-  }
-
-  if (in_len + EVP_AEAD_max_overhead(ctx->aead) < in_len ||
-      in_len > INT_MAX) {
-    /* EVP_CIPHER takes int as input. */
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
-    return 0;
-  }
-
-  if (max_out_len < in_len + EVP_AEAD_max_overhead(ctx->aead)) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
-    return 0;
-  }
-
-  if (nonce_len != 0) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_IV_TOO_LARGE);
-    return 0;
-  }
-
-  if (ad_len != 11 - 2 /* length bytes */) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE);
-    return 0;
-  }
-
-  /* Compute the MAC. This must be first in case the operation is being done
-   * in-place. */
-  uint8_t mac[EVP_MAX_MD_SIZE];
-  unsigned mac_len;
-  if (!ssl3_mac(ssl3_ctx, mac, &mac_len, ad, ad_len, in, in_len)) {
-    return 0;
-  }
-
-  /* Encrypt the input. */
-  int len;
-  if (!EVP_EncryptUpdate(&ssl3_ctx->cipher_ctx, out, &len, in,
-                         (int)in_len)) {
-    return 0;
-  }
-  total = len;
-
-  /* Feed the MAC into the cipher. */
-  if (!EVP_EncryptUpdate(&ssl3_ctx->cipher_ctx, out + total, &len, mac,
-                         (int)mac_len)) {
-    return 0;
-  }
-  total += len;
-
-  unsigned block_size = EVP_CIPHER_CTX_block_size(&ssl3_ctx->cipher_ctx);
-  if (block_size > 1) {
-    assert(block_size <= 256);
-    assert(EVP_CIPHER_CTX_mode(&ssl3_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE);
-
-    /* Compute padding and feed that into the cipher. */
-    uint8_t padding[256];
-    unsigned padding_len = block_size - ((in_len + mac_len) % block_size);
-    memset(padding, 0, padding_len - 1);
-    padding[padding_len - 1] = padding_len - 1;
-    if (!EVP_EncryptUpdate(&ssl3_ctx->cipher_ctx, out + total, &len, padding,
-                           (int)padding_len)) {
-      return 0;
-    }
-    total += len;
-  }
-
-  if (!EVP_EncryptFinal_ex(&ssl3_ctx->cipher_ctx, out + total, &len)) {
-    return 0;
-  }
-  total += len;
-
-  *out_len = total;
-  return 1;
-}
-
-static int aead_ssl3_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
-                         size_t *out_len, size_t max_out_len,
-                         const uint8_t *nonce, size_t nonce_len,
-                         const uint8_t *in, size_t in_len,
-                         const uint8_t *ad, size_t ad_len) {
-  AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;
-
-  if (ssl3_ctx->cipher_ctx.encrypt) {
-    /* Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction. */
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
-    return 0;
-  }
-
-  size_t mac_len = EVP_MD_CTX_size(&ssl3_ctx->md_ctx);
-  if (in_len < mac_len) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
-    return 0;
-  }
-
-  if (max_out_len < in_len) {
-    /* This requires that the caller provide space for the MAC, even though it
-     * will always be removed on return. */
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
-    return 0;
-  }
-
-  if (nonce_len != 0) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
-    return 0;
-  }
-
-  if (ad_len != 11 - 2 /* length bytes */) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE);
-    return 0;
-  }
-
-  if (in_len > INT_MAX) {
-    /* EVP_CIPHER takes int as input. */
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
-    return 0;
-  }
-
-  /* Decrypt to get the plaintext + MAC + padding. */
-  size_t total = 0;
-  int len;
-  if (!EVP_DecryptUpdate(&ssl3_ctx->cipher_ctx, out, &len, in, (int)in_len)) {
-    return 0;
-  }
-  total += len;
-  if (!EVP_DecryptFinal_ex(&ssl3_ctx->cipher_ctx, out + total, &len)) {
-    return 0;
-  }
-  total += len;
-  assert(total == in_len);
-
-  /* Remove CBC padding and MAC. This would normally be timing-sensitive, but
-   * SSLv3 CBC ciphers are already broken. Support will be removed eventually.
-   * https://www.openssl.org/~bodo/ssl-poodle.pdf */
-  size_t data_len;
-  if (EVP_CIPHER_CTX_mode(&ssl3_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE) {
-    unsigned padding_length = out[total - 1];
-    if (total < padding_length + 1 + mac_len) {
-      OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
-      return 0;
-    }
-    /* The padding must be minimal. */
-    if (padding_length + 1 > EVP_CIPHER_CTX_block_size(&ssl3_ctx->cipher_ctx)) {
-      OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
-      return 0;
-    }
-    data_len = total - padding_length - 1 - mac_len;
-  } else {
-    data_len = total - mac_len;
-  }
-
-  /* Compute the MAC and compare against the one in the record. */
-  uint8_t mac[EVP_MAX_MD_SIZE];
-  if (!ssl3_mac(ssl3_ctx, mac, NULL, ad, ad_len, out, data_len)) {
-    return 0;
-  }
-  if (CRYPTO_memcmp(&out[data_len], mac, mac_len) != 0) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
-    return 0;
-  }
-
-  *out_len = data_len;
-  return 1;
-}
-
-static int aead_ssl3_get_iv(const EVP_AEAD_CTX *ctx, const uint8_t **out_iv,
-                            size_t *out_iv_len) {
-  AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;
-  const size_t iv_len = EVP_CIPHER_CTX_iv_length(&ssl3_ctx->cipher_ctx);
-  if (iv_len <= 1) {
-    return 0;
-  }
-
-  *out_iv = ssl3_ctx->cipher_ctx.iv;
-  *out_iv_len = iv_len;
-  return 1;
-}
-
-static int aead_aes_128_cbc_sha1_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
-                                           size_t key_len, size_t tag_len,
-                                           enum evp_aead_direction_t dir) {
-  return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(),
-                        EVP_sha1());
-}
-
-static int aead_aes_256_cbc_sha1_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
-                                           size_t key_len, size_t tag_len,
-                                           enum evp_aead_direction_t dir) {
-  return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),
-                        EVP_sha1());
-}
-static int aead_des_ede3_cbc_sha1_ssl3_init(EVP_AEAD_CTX *ctx,
-                                            const uint8_t *key, size_t key_len,
-                                            size_t tag_len,
-                                            enum evp_aead_direction_t dir) {
-  return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_des_ede3_cbc(),
-                        EVP_sha1());
-}
-
-static int aead_null_sha1_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
-                                    size_t key_len, size_t tag_len,
-                                    enum evp_aead_direction_t dir) {
-  return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_enc_null(),
-                        EVP_sha1());
-}
-
-static const EVP_AEAD aead_aes_128_cbc_sha1_ssl3 = {
-    SHA_DIGEST_LENGTH + 16 + 16, /* key len (SHA1 + AES128 + IV) */
-    0,                           /* nonce len */
-    16 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */
-    SHA_DIGEST_LENGTH,           /* max tag length */
-    NULL, /* init */
-    aead_aes_128_cbc_sha1_ssl3_init,
-    aead_ssl3_cleanup,
-    aead_ssl3_seal,
-    aead_ssl3_open,
-    aead_ssl3_get_iv,
-};
-
-static const EVP_AEAD aead_aes_256_cbc_sha1_ssl3 = {
-    SHA_DIGEST_LENGTH + 32 + 16, /* key len (SHA1 + AES256 + IV) */
-    0,                           /* nonce len */
-    16 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */
-    SHA_DIGEST_LENGTH,           /* max tag length */
-    NULL, /* init */
-    aead_aes_256_cbc_sha1_ssl3_init,
-    aead_ssl3_cleanup,
-    aead_ssl3_seal,
-    aead_ssl3_open,
-    aead_ssl3_get_iv,
-};
-
-static const EVP_AEAD aead_des_ede3_cbc_sha1_ssl3 = {
-    SHA_DIGEST_LENGTH + 24 + 8, /* key len (SHA1 + 3DES + IV) */
-    0,                          /* nonce len */
-    8 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */
-    SHA_DIGEST_LENGTH,          /* max tag length */
-    NULL, /* init */
-    aead_des_ede3_cbc_sha1_ssl3_init,
-    aead_ssl3_cleanup,
-    aead_ssl3_seal,
-    aead_ssl3_open,
-    aead_ssl3_get_iv,
-};
-
-static const EVP_AEAD aead_null_sha1_ssl3 = {
-    SHA_DIGEST_LENGTH,          /* key len */
-    0,                          /* nonce len */
-    SHA_DIGEST_LENGTH,          /* overhead (SHA1) */
-    SHA_DIGEST_LENGTH,          /* max tag length */
-    NULL,                       /* init */
-    aead_null_sha1_ssl3_init,
-    aead_ssl3_cleanup,
-    aead_ssl3_seal,
-    aead_ssl3_open,
-    NULL,                       /* get_iv */
-};
-
-const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_ssl3(void) {
-  return &aead_aes_128_cbc_sha1_ssl3;
-}
-
-const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_ssl3(void) {
-  return &aead_aes_256_cbc_sha1_ssl3;
-}
-
-const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_ssl3(void) {
-  return &aead_des_ede3_cbc_sha1_ssl3;
-}
-
-const EVP_AEAD *EVP_aead_null_sha1_ssl3(void) { return &aead_null_sha1_ssl3; }
@@ -1,602 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <assert.h>
-#include <limits.h>
-#include <string.h>
-
-#include <openssl/aead.h>
-#include <openssl/cipher.h>
-#include <openssl/err.h>
-#include <openssl/hmac.h>
-#include <openssl/md5.h>
-#include <openssl/mem.h>
-#include <openssl/sha.h>
-#include <openssl/type_check.h>
-
-#include "../internal.h"
-#include "internal.h"
-
-
-typedef struct {
-  EVP_CIPHER_CTX cipher_ctx;
-  HMAC_CTX hmac_ctx;
-  /* mac_key is the portion of the key used for the MAC. It is retained
-   * separately for the constant-time CBC code. */
-  uint8_t mac_key[EVP_MAX_MD_SIZE];
-  uint8_t mac_key_len;
-  /* implicit_iv is one iff this is a pre-TLS-1.1 CBC cipher without an explicit
-   * IV. */
-  char implicit_iv;
-} AEAD_TLS_CTX;
-
-OPENSSL_COMPILE_ASSERT(EVP_MAX_MD_SIZE < 256, mac_key_len_fits_in_uint8_t);
-
-static void aead_tls_cleanup(EVP_AEAD_CTX *ctx) {
-  AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)ctx->aead_state;
-  EVP_CIPHER_CTX_cleanup(&tls_ctx->cipher_ctx);
-  HMAC_CTX_cleanup(&tls_ctx->hmac_ctx);
-  OPENSSL_cleanse(&tls_ctx->mac_key, sizeof(tls_ctx->mac_key));
-  OPENSSL_free(tls_ctx);
-  ctx->aead_state = NULL;
-}
-
-static int aead_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,
-                         size_t tag_len, enum evp_aead_direction_t dir,
-                         const EVP_CIPHER *cipher, const EVP_MD *md,
-                         char implicit_iv) {
-  if (tag_len != EVP_AEAD_DEFAULT_TAG_LENGTH &&
-      tag_len != EVP_MD_size(md)) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_TAG_SIZE);
-    return 0;
-  }
-
-  if (key_len != EVP_AEAD_key_length(ctx->aead)) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
-    return 0;
-  }
-
-  size_t mac_key_len = EVP_MD_size(md);
-  size_t enc_key_len = EVP_CIPHER_key_length(cipher);
-  assert(mac_key_len + enc_key_len +
-         (implicit_iv ? EVP_CIPHER_iv_length(cipher) : 0) == key_len);
-
-  AEAD_TLS_CTX *tls_ctx = OPENSSL_malloc(sizeof(AEAD_TLS_CTX));
-  if (tls_ctx == NULL) {
-    OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE);
-    return 0;
-  }
-  EVP_CIPHER_CTX_init(&tls_ctx->cipher_ctx);
-  HMAC_CTX_init(&tls_ctx->hmac_ctx);
-  assert(mac_key_len <= EVP_MAX_MD_SIZE);
-  memcpy(tls_ctx->mac_key, key, mac_key_len);
-  tls_ctx->mac_key_len = (uint8_t)mac_key_len;
-  tls_ctx->implicit_iv = implicit_iv;
-
-  ctx->aead_state = tls_ctx;
-  if (!EVP_CipherInit_ex(&tls_ctx->cipher_ctx, cipher, NULL, &key[mac_key_len],
-                         implicit_iv ? &key[mac_key_len + enc_key_len] : NULL,
-                         dir == evp_aead_seal) ||
-      !HMAC_Init_ex(&tls_ctx->hmac_ctx, key, mac_key_len, md, NULL)) {
-    aead_tls_cleanup(ctx);
-    ctx->aead_state = NULL;
-    return 0;
-  }
-  EVP_CIPHER_CTX_set_padding(&tls_ctx->cipher_ctx, 0);
-
-  return 1;
-}
-
-static int aead_tls_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
-                         size_t *out_len, size_t max_out_len,
-                         const uint8_t *nonce, size_t nonce_len,
-                         const uint8_t *in, size_t in_len,
-                         const uint8_t *ad, size_t ad_len) {
-  AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)ctx->aead_state;
-  size_t total = 0;
-
-  if (!tls_ctx->cipher_ctx.encrypt) {
-    /* Unlike a normal AEAD, a TLS AEAD may only be used in one direction. */
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
-    return 0;
-  }
-
-  if (in_len + EVP_AEAD_max_overhead(ctx->aead) < in_len ||
-      in_len > INT_MAX) {
-    /* EVP_CIPHER takes int as input. */
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
-    return 0;
-  }
-
-  if (max_out_len < in_len + EVP_AEAD_max_overhead(ctx->aead)) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
-    return 0;
-  }
-
-  if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE);
-    return 0;
-  }
-
-  if (ad_len != 13 - 2 /* length bytes */) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE);
-    return 0;
-  }
-
-  /* To allow for CBC mode which changes cipher length, |ad| doesn't include the
-   * length for legacy ciphers. */
-  uint8_t ad_extra[2];
-  ad_extra[0] = (uint8_t)(in_len >> 8);
-  ad_extra[1] = (uint8_t)(in_len & 0xff);
-
-  /* Compute the MAC. This must be first in case the operation is being done
-   * in-place. */
-  uint8_t mac[EVP_MAX_MD_SIZE];
-  unsigned mac_len;
-  if (!HMAC_Init_ex(&tls_ctx->hmac_ctx, NULL, 0, NULL, NULL) ||
-      !HMAC_Update(&tls_ctx->hmac_ctx, ad, ad_len) ||
-      !HMAC_Update(&tls_ctx->hmac_ctx, ad_extra, sizeof(ad_extra)) ||
-      !HMAC_Update(&tls_ctx->hmac_ctx, in, in_len) ||
-      !HMAC_Final(&tls_ctx->hmac_ctx, mac, &mac_len)) {
-    return 0;
-  }
-
-  /* Configure the explicit IV. */
-  if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE &&
-      !tls_ctx->implicit_iv &&
-      !EVP_EncryptInit_ex(&tls_ctx->cipher_ctx, NULL, NULL, NULL, nonce)) {
-    return 0;
-  }
-
-  /* Encrypt the input. */
-  int len;
-  if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out, &len, in,
-                         (int)in_len)) {
-    return 0;
-  }
-  total = len;
-
-  /* Feed the MAC into the cipher. */
-  if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out + total, &len, mac,
-                         (int)mac_len)) {
-    return 0;
-  }
-  total += len;
-
-  unsigned block_size = EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx);
-  if (block_size > 1) {
-    assert(block_size <= 256);
-    assert(EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE);
-
-    /* Compute padding and feed that into the cipher. */
-    uint8_t padding[256];
-    unsigned padding_len = block_size - ((in_len + mac_len) % block_size);
-    memset(padding, padding_len - 1, padding_len);
-    if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out + total, &len, padding,
-                           (int)padding_len)) {
-      return 0;
-    }
-    total += len;
-  }
-
-  if (!EVP_EncryptFinal_ex(&tls_ctx->cipher_ctx, out + total, &len)) {
-    return 0;
-  }
-  total += len;
-
-  *out_len = total;
-  return 1;
-}
-
-static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
-                         size_t *out_len, size_t max_out_len,
-                         const uint8_t *nonce, size_t nonce_len,
-                         const uint8_t *in, size_t in_len,
-                         const uint8_t *ad, size_t ad_len) {
-  AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)ctx->aead_state;
-
-  if (tls_ctx->cipher_ctx.encrypt) {
-    /* Unlike a normal AEAD, a TLS AEAD may only be used in one direction. */
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
-    return 0;
-  }
-
-  if (in_len < HMAC_size(&tls_ctx->hmac_ctx)) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
-    return 0;
-  }
-
-  if (max_out_len < in_len) {
-    /* This requires that the caller provide space for the MAC, even though it
-     * will always be removed on return. */
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
-    return 0;
-  }
-
-  if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE);
-    return 0;
-  }
-
-  if (ad_len != 13 - 2 /* length bytes */) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE);
-    return 0;
-  }
-
-  if (in_len > INT_MAX) {
-    /* EVP_CIPHER takes int as input. */
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
-    return 0;
-  }
-
-  /* Configure the explicit IV. */
-  if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE &&
-      !tls_ctx->implicit_iv &&
-      !EVP_DecryptInit_ex(&tls_ctx->cipher_ctx, NULL, NULL, NULL, nonce)) {
-    return 0;
-  }
-
-  /* Decrypt to get the plaintext + MAC + padding. */
-  size_t total = 0;
-  int len;
-  if (!EVP_DecryptUpdate(&tls_ctx->cipher_ctx, out, &len, in, (int)in_len)) {
-    return 0;
-  }
-  total += len;
-  if (!EVP_DecryptFinal_ex(&tls_ctx->cipher_ctx, out + total, &len)) {
-    return 0;
-  }
-  total += len;
-  assert(total == in_len);
-
-  /* Remove CBC padding. Code from here on is timing-sensitive with respect to
-   * |padding_ok| and |data_plus_mac_len| for CBC ciphers. */
-  unsigned padding_ok, data_plus_mac_len, data_len;
-  if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE) {
-    if (!EVP_tls_cbc_remove_padding(
-            &padding_ok, &data_plus_mac_len, out, total,
-            EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx),
-            (unsigned)HMAC_size(&tls_ctx->hmac_ctx))) {
-      /* Publicly invalid. This can be rejected in non-constant time. */
-      OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
-      return 0;
-    }
-  } else {
-    padding_ok = ~0u;
-    data_plus_mac_len = total;
-    /* |data_plus_mac_len| = |total| = |in_len| at this point. |in_len| has
-     * already been checked against the MAC size at the top of the function. */
-    assert(data_plus_mac_len >= HMAC_size(&tls_ctx->hmac_ctx));
-  }
-  data_len = data_plus_mac_len - HMAC_size(&tls_ctx->hmac_ctx);
-
-  /* At this point, if the padding is valid, the first |data_plus_mac_len| bytes
-   * after |out| are the plaintext and MAC. Otherwise, |data_plus_mac_len| is
-   * still large enough to extract a MAC, but it will be irrelevant. */
-
-  /* To allow for CBC mode which changes cipher length, |ad| doesn't include the
-   * length for legacy ciphers. */
-  uint8_t ad_fixed[13];
-  memcpy(ad_fixed, ad, 11);
-  ad_fixed[11] = (uint8_t)(data_len >> 8);
-  ad_fixed[12] = (uint8_t)(data_len & 0xff);
-  ad_len += 2;
-
-  /* Compute the MAC and extract the one in the record. */
-  uint8_t mac[EVP_MAX_MD_SIZE];
-  size_t mac_len;
-  uint8_t record_mac_tmp[EVP_MAX_MD_SIZE];
-  uint8_t *record_mac;
-  if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE &&
-      EVP_tls_cbc_record_digest_supported(tls_ctx->hmac_ctx.md)) {
-    if (!EVP_tls_cbc_digest_record(tls_ctx->hmac_ctx.md, mac, &mac_len,
-                                   ad_fixed, out, data_plus_mac_len, total,
-                                   tls_ctx->mac_key, tls_ctx->mac_key_len)) {
-      OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
-      return 0;
-    }
-    assert(mac_len == HMAC_size(&tls_ctx->hmac_ctx));
-
-    record_mac = record_mac_tmp;
-    EVP_tls_cbc_copy_mac(record_mac, mac_len, out, data_plus_mac_len, total);
-  } else {
-    /* We should support the constant-time path for all CBC-mode ciphers
-     * implemented. */
-    assert(EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) != EVP_CIPH_CBC_MODE);
-
-    unsigned mac_len_u;
-    if (!HMAC_Init_ex(&tls_ctx->hmac_ctx, NULL, 0, NULL, NULL) ||
-        !HMAC_Update(&tls_ctx->hmac_ctx, ad_fixed, ad_len) ||
-        !HMAC_Update(&tls_ctx->hmac_ctx, out, data_len) ||
-        !HMAC_Final(&tls_ctx->hmac_ctx, mac, &mac_len_u)) {
-      return 0;
-    }
-    mac_len = mac_len_u;
-
-    assert(mac_len == HMAC_size(&tls_ctx->hmac_ctx));
-    record_mac = &out[data_len];
-  }
-
-  /* Perform the MAC check and the padding check in constant-time. It should be
-   * safe to simply perform the padding check first, but it would not be under a
-   * different choice of MAC location on padding failure. See
-   * EVP_tls_cbc_remove_padding. */
-  unsigned good = constant_time_eq_int(CRYPTO_memcmp(record_mac, mac, mac_len),
-                                       0);
-  good &= padding_ok;
-  if (!good) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
-    return 0;
-  }
-
-  /* End of timing-sensitive code. */
-
-  *out_len = data_len;
-  return 1;
-}
-
-static int aead_aes_128_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
-                                          size_t key_len, size_t tag_len,
-                                          enum evp_aead_direction_t dir) {
-  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(),
-                       EVP_sha1(), 0);
-}
-
-static int aead_aes_128_cbc_sha1_tls_implicit_iv_init(
-    EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len,
-    enum evp_aead_direction_t dir) {
-  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(),
-                       EVP_sha1(), 1);
-}
-
-static int aead_aes_128_cbc_sha256_tls_init(EVP_AEAD_CTX *ctx,
-                                            const uint8_t *key, size_t key_len,
-                                            size_t tag_len,
-                                            enum evp_aead_direction_t dir) {
-  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(),
-                       EVP_sha256(), 0);
-}
-
-static int aead_aes_256_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
-                                          size_t key_len, size_t tag_len,
-                                          enum evp_aead_direction_t dir) {
-  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),
-                       EVP_sha1(), 0);
-}
-
-static int aead_aes_256_cbc_sha1_tls_implicit_iv_init(
-    EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len,
-    enum evp_aead_direction_t dir) {
-  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),
-                       EVP_sha1(), 1);
-}
-
-static int aead_aes_256_cbc_sha256_tls_init(EVP_AEAD_CTX *ctx,
-                                            const uint8_t *key, size_t key_len,
-                                            size_t tag_len,
-                                            enum evp_aead_direction_t dir) {
-  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),
-                       EVP_sha256(), 0);
-}
-
-static int aead_aes_256_cbc_sha384_tls_init(EVP_AEAD_CTX *ctx,
-                                            const uint8_t *key, size_t key_len,
-                                            size_t tag_len,
-                                            enum evp_aead_direction_t dir) {
-  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),
-                       EVP_sha384(), 0);
-}
-
-static int aead_des_ede3_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx,
-                                           const uint8_t *key, size_t key_len,
-                                           size_t tag_len,
-                                           enum evp_aead_direction_t dir) {
-  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_des_ede3_cbc(),
-                       EVP_sha1(), 0);
-}
-
-static int aead_des_ede3_cbc_sha1_tls_implicit_iv_init(
-    EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len,
-    enum evp_aead_direction_t dir) {
-  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_des_ede3_cbc(),
-                       EVP_sha1(), 1);
-}
-
-static int aead_tls_get_iv(const EVP_AEAD_CTX *ctx, const uint8_t **out_iv,
-                           size_t *out_iv_len) {
-  const AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX*) ctx->aead_state;
-  const size_t iv_len = EVP_CIPHER_CTX_iv_length(&tls_ctx->cipher_ctx);
-  if (iv_len <= 1) {
-    return 0;
-  }
-
-  *out_iv = tls_ctx->cipher_ctx.iv;
-  *out_iv_len = iv_len;
-  return 1;
-}
-
-static int aead_null_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
-                                   size_t key_len, size_t tag_len,
-                                   enum evp_aead_direction_t dir) {
-  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_enc_null(),
-                       EVP_sha1(), 1 /* implicit iv */);
-}
-
-static const EVP_AEAD aead_aes_128_cbc_sha1_tls = {
-    SHA_DIGEST_LENGTH + 16, /* key len (SHA1 + AES128) */
-    16,                     /* nonce len (IV) */
-    16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
-    SHA_DIGEST_LENGTH,      /* max tag length */
-    NULL, /* init */
-    aead_aes_128_cbc_sha1_tls_init,
-    aead_tls_cleanup,
-    aead_tls_seal,
-    aead_tls_open,
-    NULL,                   /* get_iv */
-};
-
-static const EVP_AEAD aead_aes_128_cbc_sha1_tls_implicit_iv = {
-    SHA_DIGEST_LENGTH + 16 + 16, /* key len (SHA1 + AES128 + IV) */
-    0,                           /* nonce len */
-    16 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */
-    SHA_DIGEST_LENGTH,           /* max tag length */
-    NULL, /* init */
-    aead_aes_128_cbc_sha1_tls_implicit_iv_init,
-    aead_tls_cleanup,
-    aead_tls_seal,
-    aead_tls_open,
-    aead_tls_get_iv,             /* get_iv */
-};
-
-static const EVP_AEAD aead_aes_128_cbc_sha256_tls = {
-    SHA256_DIGEST_LENGTH + 16, /* key len (SHA256 + AES128) */
-    16,                        /* nonce len (IV) */
-    16 + SHA256_DIGEST_LENGTH, /* overhead (padding + SHA256) */
-    SHA256_DIGEST_LENGTH,      /* max tag length */
-    NULL, /* init */
-    aead_aes_128_cbc_sha256_tls_init,
-    aead_tls_cleanup,
-    aead_tls_seal,
-    aead_tls_open,
-    NULL,                      /* get_iv */
-};
-
-static const EVP_AEAD aead_aes_256_cbc_sha1_tls = {
-    SHA_DIGEST_LENGTH + 32, /* key len (SHA1 + AES256) */
-    16,                     /* nonce len (IV) */
-    16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
-    SHA_DIGEST_LENGTH,      /* max tag length */
-    NULL, /* init */
-    aead_aes_256_cbc_sha1_tls_init,
-    aead_tls_cleanup,
-    aead_tls_seal,
-    aead_tls_open,
-    NULL,                   /* get_iv */
-};
-
-static const EVP_AEAD aead_aes_256_cbc_sha1_tls_implicit_iv = {
-    SHA_DIGEST_LENGTH + 32 + 16, /* key len (SHA1 + AES256 + IV) */
-    0,                           /* nonce len */
-    16 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */
-    SHA_DIGEST_LENGTH,           /* max tag length */
-    NULL, /* init */
-    aead_aes_256_cbc_sha1_tls_implicit_iv_init,
-    aead_tls_cleanup,
-    aead_tls_seal,
-    aead_tls_open,
-    aead_tls_get_iv,             /* get_iv */
-};
-
-static const EVP_AEAD aead_aes_256_cbc_sha256_tls = {
-    SHA256_DIGEST_LENGTH + 32, /* key len (SHA256 + AES256) */
-    16,                        /* nonce len (IV) */
-    16 + SHA256_DIGEST_LENGTH, /* overhead (padding + SHA256) */
-    SHA256_DIGEST_LENGTH,      /* max tag length */
-    NULL, /* init */
-    aead_aes_256_cbc_sha256_tls_init,
-    aead_tls_cleanup,
-    aead_tls_seal,
-    aead_tls_open,
-    NULL,                      /* get_iv */
-};
-
-static const EVP_AEAD aead_aes_256_cbc_sha384_tls = {
-    SHA384_DIGEST_LENGTH + 32, /* key len (SHA384 + AES256) */
-    16,                        /* nonce len (IV) */
-    16 + SHA384_DIGEST_LENGTH, /* overhead (padding + SHA384) */
-    SHA384_DIGEST_LENGTH,      /* max tag length */
-    NULL, /* init */
-    aead_aes_256_cbc_sha384_tls_init,
-    aead_tls_cleanup,
-    aead_tls_seal,
-    aead_tls_open,
-    NULL,                      /* get_iv */
-};
-
-static const EVP_AEAD aead_des_ede3_cbc_sha1_tls = {
-    SHA_DIGEST_LENGTH + 24, /* key len (SHA1 + 3DES) */
-    8,                      /* nonce len (IV) */
-    8 + SHA_DIGEST_LENGTH,  /* overhead (padding + SHA1) */
-    SHA_DIGEST_LENGTH,      /* max tag length */
-    NULL, /* init */
-    aead_des_ede3_cbc_sha1_tls_init,
-    aead_tls_cleanup,
-    aead_tls_seal,
-    aead_tls_open,
-    NULL,                   /* get_iv */
-};
-
-static const EVP_AEAD aead_des_ede3_cbc_sha1_tls_implicit_iv = {
-    SHA_DIGEST_LENGTH + 24 + 8, /* key len (SHA1 + 3DES + IV) */
-    0,                          /* nonce len */
-    8 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */
-    SHA_DIGEST_LENGTH,          /* max tag length */
-    NULL, /* init */
-    aead_des_ede3_cbc_sha1_tls_implicit_iv_init,
-    aead_tls_cleanup,
-    aead_tls_seal,
-    aead_tls_open,
-    aead_tls_get_iv,            /* get_iv */
-};
-
-static const EVP_AEAD aead_null_sha1_tls = {
-    SHA_DIGEST_LENGTH,          /* key len */
-    0,                          /* nonce len */
-    SHA_DIGEST_LENGTH,          /* overhead (SHA1) */
-    SHA_DIGEST_LENGTH,          /* max tag length */
-    NULL,                       /* init */
-    aead_null_sha1_tls_init,
-    aead_tls_cleanup,
-    aead_tls_seal,
-    aead_tls_open,
-    NULL,                       /* get_iv */
-};
-
-const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls(void) {
-  return &aead_aes_128_cbc_sha1_tls;
-}
-
-const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls_implicit_iv(void) {
-  return &aead_aes_128_cbc_sha1_tls_implicit_iv;
-}
-
-const EVP_AEAD *EVP_aead_aes_128_cbc_sha256_tls(void) {
-  return &aead_aes_128_cbc_sha256_tls;
-}
-
-const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls(void) {
-  return &aead_aes_256_cbc_sha1_tls;
-}
-
-const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls_implicit_iv(void) {
-  return &aead_aes_256_cbc_sha1_tls_implicit_iv;
-}
-
-const EVP_AEAD *EVP_aead_aes_256_cbc_sha256_tls(void) {
-  return &aead_aes_256_cbc_sha256_tls;
-}
-
-const EVP_AEAD *EVP_aead_aes_256_cbc_sha384_tls(void) {
-  return &aead_aes_256_cbc_sha384_tls;
-}
-
-const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls(void) {
-  return &aead_des_ede3_cbc_sha1_tls;
-}
-
-const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(void) {
-  return &aead_des_ede3_cbc_sha1_tls_implicit_iv;
-}
-
-const EVP_AEAD *EVP_aead_null_sha1_tls(void) { return &aead_null_sha1_tls; }
@@ -1,162 +0,0 @@
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.] */
-
-#ifndef OPENSSL_HEADER_CIPHER_INTERNAL_H
-#define OPENSSL_HEADER_CIPHER_INTERNAL_H
-
-#include <openssl/base.h>
-
-#include <openssl/aead.h>
-
-#if defined(__cplusplus)
-extern "C" {
-#endif
-
-
-/* EVP_CIPH_MODE_MASK contains the bits of |flags| that represent the mode. */
-#define EVP_CIPH_MODE_MASK 0x3f
-
-
-/* EVP_AEAD represents a specific AEAD algorithm. */
-struct evp_aead_st {
-  uint8_t key_len;
-  uint8_t nonce_len;
-  uint8_t overhead;
-  uint8_t max_tag_len;
-
-  /* init initialises an |EVP_AEAD_CTX|. If this call returns zero then
-   * |cleanup| will not be called for that context. */
-  int (*init)(EVP_AEAD_CTX *, const uint8_t *key, size_t key_len,
-              size_t tag_len);
-  int (*init_with_direction)(EVP_AEAD_CTX *, const uint8_t *key, size_t key_len,
-                             size_t tag_len, enum evp_aead_direction_t dir);
-  void (*cleanup)(EVP_AEAD_CTX *);
-
-  int (*seal)(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len,
-              size_t max_out_len, const uint8_t *nonce, size_t nonce_len,
-              const uint8_t *in, size_t in_len, const uint8_t *ad,
-              size_t ad_len);
-
-  int (*open)(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len,
-              size_t max_out_len, const uint8_t *nonce, size_t nonce_len,
-              const uint8_t *in, size_t in_len, const uint8_t *ad,
-              size_t ad_len);
-
-  int (*get_iv)(const EVP_AEAD_CTX *ctx, const uint8_t **out_iv,
-                size_t *out_len);
-};
-
-
-/* EVP_tls_cbc_get_padding determines the padding from the decrypted, TLS, CBC
- * record in |in|. This decrypted record should not include any "decrypted"
- * explicit IV. If the record is publicly invalid, it returns zero. Otherwise,
- * it returns one and sets |*out_padding_ok| to all ones (0xfff..f) if the
- * padding is valid and zero otherwise. It then sets |*out_len| to the length
- * with the padding removed or |in_len| if invalid.
- *
- * If the function returns one, it runs in time independent of the contents of
- * |in|. It is also guaranteed that |*out_len| >= |mac_size|, satisfying
- * |EVP_tls_cbc_copy_mac|'s precondition. */
-int EVP_tls_cbc_remove_padding(unsigned *out_padding_ok, unsigned *out_len,
-                               const uint8_t *in, unsigned in_len,
-                               unsigned block_size, unsigned mac_size);
-
-/* EVP_tls_cbc_copy_mac copies |md_size| bytes from the end of the first
- * |in_len| bytes of |in| to |out| in constant time (independent of the concrete
- * value of |in_len|, which may vary within a 256-byte window). |in| must point
- * to a buffer of |orig_len| bytes.
- *
- * On entry:
- *   orig_len >= in_len >= md_size
- *   md_size <= EVP_MAX_MD_SIZE */
-void EVP_tls_cbc_copy_mac(uint8_t *out, unsigned md_size,
-                          const uint8_t *in, unsigned in_len,
-                          unsigned orig_len);
-
-/* EVP_tls_cbc_record_digest_supported returns 1 iff |md| is a hash function
- * which EVP_tls_cbc_digest_record supports. */
-int EVP_tls_cbc_record_digest_supported(const EVP_MD *md);
-
-/* EVP_tls_cbc_digest_record computes the MAC of a decrypted, padded TLS
- * record.
- *
- *   md: the hash function used in the HMAC.
- *     EVP_tls_cbc_record_digest_supported must return true for this hash.
- *   md_out: the digest output. At most EVP_MAX_MD_SIZE bytes will be written.
- *   md_out_size: the number of output bytes is written here.
- *   header: the 13-byte, TLS record header.
- *   data: the record data itself
- *   data_plus_mac_size: the secret, reported length of the data and MAC
- *     once the padding has been removed.
- *   data_plus_mac_plus_padding_size: the public length of the whole
- *     record, including padding.
- *
- * On entry: by virtue of having been through one of the remove_padding
- * functions, above, we know that data_plus_mac_size is large enough to contain
- * a padding byte and MAC. (If the padding was invalid, it might contain the
- * padding too. ) */
-int EVP_tls_cbc_digest_record(const EVP_MD *md, uint8_t *md_out,
-                              size_t *md_out_size, const uint8_t header[13],
-                              const uint8_t *data, size_t data_plus_mac_size,
-                              size_t data_plus_mac_plus_padding_size,
-                              const uint8_t *mac_secret,
-                              unsigned mac_secret_length);
-
-#if defined(__cplusplus)
-} /* extern C */
-#endif
-
-#endif /* OPENSSL_HEADER_CIPHER_INTERNAL_H */
@@ -1,9 +0,0 @@
-# These test vectors have been taken from
-# http://csrc.nist.gov/groups/ST/toolkit/documents/kms/key-wrap.pdf
-
-KEY: 000102030405060708090A0B0C0D0E0F
-NONCE:
-IN: 00112233445566778899AABBCCDDEEFF
-AD:
-CT: 1FA68B0A8112B447AEF34BD8FB5A7B82
-TAG: 9D3E862371D2CFE5
--- a/Show More
+++ b/Show More