bn/asm/rsaz-avx2.pl: fix digit correction bug in rsaz_1024_mul_avx2.

Credit to OSS-Fuzz for finding this. CVE-2017-3738 (Imported from upstream's 5630661aecbea5fe3c4740f5fea744a1f07a6253 and 77d75993651b63e872244a3256e37967bb3c3e9e.) Confirmed with Intel SDE that the fix makes the test vector pass and that, without the fix, the test vector does not. (Well, we knew the latter already, since it was our test vector.) Change-Id: I167aa3407ddab3b434bacbd18e099c55aa40ac4c Reviewed-on: https://boringssl-review.googlesource.com/23884 Reviewed-by: Adam Langley <agl@google.com> (cherry picked from commit 296a61d600) Reviewed-on: https://boringssl-review.googlesource.com/23964 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Revert "Support high tag numbers in CBS/CBB."
2017-12-11 19:33:36 +00:00 · 2017-12-07 17:56:58 +00:00 · 2017-11-28 21:48:00 +00:00 · 2017-11-28 18:37:39 +00:00 · 2017-11-28 17:42:49 +00:00 · 2017-11-28 17:03:39 +00:00
4904 changed files with 540149 additions and 146151 deletions
@@ -14,8 +14,11 @@ util/bot/cmake-win32
 util/bot/cmake-win32.zip
 util/bot/golang
 util/bot/gyp
+util/bot/libFuzzer
 util/bot/llvm-build
 util/bot/perl-win32
 util/bot/perl-win32.zip
+util/bot/sde-linux64
+util/bot/sde-linux64.tar.bz2
 util/bot/win_toolchain.json
 util/bot/yasm-win32.exe
@@ -2,7 +2,7 @@

 ## Build Prerequisites

-  * [CMake](https://cmake.org/download/) 2.8.10 or later is required.
+  * [CMake](https://cmake.org/download/) 2.8.11 or later is required.

  * Perl 5.6.1 or later is required. On Windows,
    [Active State Perl](http://www.activestate.com/activeperl/) has been
@@ -33,7 +33,7 @@
    executable may be configured explicitly by setting `GO_EXECUTABLE`.

  * To build the x86 and x86\_64 assembly, your assembler must support AVX2
-    instructions and MOVBE. If using GNU binutils, you must have 2.22 or later.
+    instructions and MOVBE. If using GNU binutils, you must have 2.22 or later

 ## Building

@@ -96,6 +96,15 @@ higher to build aarch64 binaries.

 For other options, see [android-cmake's documentation](./third_party/android-cmake/README.md).

+### Building for iOS
+
+To build for iOS, pass `-DCMAKE_OSX_SYSROOT=iphoneos` and
+`-DCMAKE_OSX_ARCHITECTURES=ARCH` to CMake, where `ARCH` is the desired
+architecture, matching values used in the `-arch` flag in Apple's toolchain.
+
+Passing multiple architectures for a multiple-architecture build is not
+supported.
+
 ## Known Limitations on Windows

  * Versions of CMake since 3.0.2 have a bug in its Ninja generator that causes
@@ -116,16 +125,18 @@ ARM, unlike Intel, does not have an instruction that allows applications to
 discover the capabilities of the processor. Instead, the capability information
 has to be provided by the operating system somehow.

-BoringSSL will try to use `getauxval` to discover the capabilities and, failing
-that, will probe for NEON support by executing a NEON instruction and handling
-any illegal-instruction signal. But some environments don't support that sort
-of thing and, for them, it's possible to configure the CPU capabilities
-at compile time.
+By default, on Linux-based systems, BoringSSL will try to use `getauxval` and
+`/proc` to discover the capabilities. But some environments don't support that
+sort of thing and, for them, it's possible to configure the CPU capabilities at
+compile time.

-If you define `OPENSSL_STATIC_ARMCAP` then you can define any of the following
-to enabling the corresponding ARM feature.
+On iOS or builds which define `OPENSSL_STATIC_ARMCAP`, features will be
+determined based on the `__ARM_NEON__` and `__ARM_FEATURE_CRYPTO` preprocessor
+symbols reported by the compiler. These values are usually controlled by the
+`-march` flag. You can also define any of the following to enable the
+corresponding ARM feature.

-  * `OPENSSL_STATIC_ARMCAP_NEON` or `__ARM_NEON__` (note that the latter is set by compilers when NEON support is enabled).
+  * `OPENSSL_STATIC_ARMCAP_NEON`
  * `OPENSSL_STATIC_ARMCAP_AES`
  * `OPENSSL_STATIC_ARMCAP_SHA1`
  * `OPENSSL_STATIC_ARMCAP_SHA256`
@@ -1,4 +1,4 @@
-cmake_minimum_required (VERSION 2.8.10)
+cmake_minimum_required (VERSION 2.8.11)

 # Defer enabling C and CXX languages.
 project (BoringSSL NONE)
@@ -9,6 +9,8 @@ if(WIN32)
  set(CMAKE_GENERATOR_CC cl)
 endif()

+include(sources.cmake)
+
 enable_language(C)
 enable_language(CXX)

@@ -30,19 +32,74 @@ if (NOT GO_EXECUTABLE)
  message(FATAL_ERROR "Could not find Go")
 endif()

-if(CMAKE_COMPILER_IS_GNUCXX OR CMAKE_CXX_COMPILER_ID MATCHES "Clang")
-  set(C_CXX_FLAGS "-Wall -Werror -Wformat=2 -Wsign-compare -Wmissing-field-initializers -Wwrite-strings -ggdb -fvisibility=hidden -fno-common")
-  if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
-    set(C_CXX_FLAGS "${C_CXX_FLAGS} -Wnewline-eof")
+if (BORINGSSL_ALLOW_CXX_RUNTIME)
+  add_definitions(-DBORINGSSL_ALLOW_CXX_RUNTIME)
+endif()
+
+if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+  set(CLANG 1)
+endif()
+
+if(CMAKE_COMPILER_IS_GNUCXX OR CLANG)
+  # Note clang-cl is odd and sets both CLANG and MSVC. We base our configuration
+  # primarily on our normal Clang one because the MSVC one is mostly
+  # suppressions for an overaggressive -Wall.
+  set(C_CXX_FLAGS "-Wall -Werror -Wformat=2 -Wsign-compare -Wmissing-field-initializers -Wwrite-strings")
+  if(MSVC)
+    # clang-cl sets different default warnings than clang.
+    set(C_CXX_FLAGS "${C_CXX_FLAGS} -Wno-unused-parameter -fmsc-version=1900")
+    # googletest suppresses warning C4996 via a pragma, but clang-cl does not
+    # honor it. Suppress it here to compensate. See https://crbug.com/772117.
+    set(C_CXX_FLAGS "${C_CXX_FLAGS} -Wno-deprecated-declarations")
+  else()
+    set(C_CXX_FLAGS "${C_CXX_FLAGS} -ggdb -fvisibility=hidden -fno-common")
  endif()
+
+  if(CLANG)
+    set(C_CXX_FLAGS "${C_CXX_FLAGS} -Wnewline-eof -fcolor-diagnostics")
+  else()
+    # GCC (at least 4.8.4) has a bug where it'll find unreachable free() calls
+    # and declare that the code is trying to free a stack pointer.
+    set(C_CXX_FLAGS "${C_CXX_FLAGS} -Wno-free-nonheap-object")
+  endif()
+
+  if(CLANG OR NOT "7.0.0" VERSION_GREATER CMAKE_C_COMPILER_VERSION)
+    set(C_CXX_FLAGS "${C_CXX_FLAGS} -Wimplicit-fallthrough")
+  endif()
+
  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${C_CXX_FLAGS} -Wmissing-prototypes -Wold-style-definition -Wstrict-prototypes")
-  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++11 ${C_CXX_FLAGS} -Wmissing-declarations")
-  # Clang's integerated assembler does not support debug symbols.
-  if(NOT CMAKE_CXX_COMPILER_ID MATCHES "Clang")
-    set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -Wa,-g")
+  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${C_CXX_FLAGS} -Wmissing-declarations")
+
+  if(NOT MSVC)
+    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++11")
+    if(APPLE)
+      set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -stdlib=libc++")
+    endif()
+    if(NOT BORINGSSL_ALLOW_CXX_RUNTIME)
+      set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fno-exceptions -fno-rtti")
+    endif()
  endif()
+
+  # In GCC, -Wmissing-declarations is the C++ spelling of -Wmissing-prototypes
+  # and using the wrong one is an error. In Clang, -Wmissing-prototypes is the
+  # spelling for both and -Wmissing-declarations is some other warning.
+  #
+  # https://gcc.gnu.org/onlinedocs/gcc-7.1.0/gcc/Warning-Options.html#Warning-Options
+  # https://clang.llvm.org/docs/DiagnosticsReference.html#wmissing-prototypes
+  # https://clang.llvm.org/docs/DiagnosticsReference.html#wmissing-declarations
+  if(CLANG)
+    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wmissing-prototypes")
+  endif()
+
+  if(CMAKE_COMPILER_IS_GNUCXX AND "4.8" VERSION_GREATER CMAKE_C_COMPILER_VERSION)
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-array-bounds")
+  endif()
+
 elseif(MSVC)
  set(MSVC_DISABLED_WARNINGS_LIST
+      "C4061" # enumerator 'identifier' in switch of enum 'enumeration' is not
+              # explicitly handled by a case label
+              # Disable this because it flags even when there is a default.
      "C4100" # 'exarg' : unreferenced formal parameter
      "C4127" # conditional expression is constant
      "C4200" # nonstandard extension used : zero-sized array in
@@ -54,8 +111,6 @@ elseif(MSVC)
              # possible loss of data
      "C4244" # 'function' : conversion from 'int' to 'uint8_t',
              # possible loss of data
-      "C4245" # 'initializing' : conversion from 'long' to
-              # 'unsigned long', signed/unsigned mismatch
      "C4267" # conversion from 'size_t' to 'int', possible loss of data
      "C4371" # layout of class may have changed from a previous version of the
              # compiler due to better packing of member '...'
@@ -78,12 +133,16 @@ elseif(MSVC)
              # copy constructor is inaccessible or deleted
      "C4626" # assignment operator could not be generated because a base class
              # assignment operator is inaccessible or deleted
+      "C4668" # 'symbol' is not defined as a preprocessor macro, replacing with
+              # '0' for 'directives'
+              # Disable this because GTest uses it everywhere.
      "C4706" # assignment within conditional expression
      "C4710" # 'function': function not inlined
      "C4711" # function 'function' selected for inline expansion
      "C4800" # 'int' : forcing value to bool 'true' or 'false'
              # (performance warning)
      "C4820" # 'bytes' bytes padding added after construct 'member_name'
+      "C5026" # move constructor was implicitly defined as deleted
      "C5027" # move assignment operator was implicitly defined as deleted
      )
  set(MSVC_LEVEL4_WARNINGS_LIST
@@ -96,22 +155,26 @@ elseif(MSVC)
                            ${MSVC_LEVEL4_WARNINGS_LIST})
  set(CMAKE_C_FLAGS   "-Wall -WX ${MSVC_DISABLED_WARNINGS_STR} ${MSVC_LEVEL4_WARNINGS_STR}")
  set(CMAKE_CXX_FLAGS "-Wall -WX ${MSVC_DISABLED_WARNINGS_STR} ${MSVC_LEVEL4_WARNINGS_STR}")
-  set(CMAKE_ASM_NASM_FLAGS "-g cv8")
+endif()
+
+if(WIN32)
  add_definitions(-D_HAS_EXCEPTIONS=0)
  add_definitions(-DWIN32_LEAN_AND_MEAN)
  add_definitions(-DNOMINMAX)
-  add_definitions(-D_CRT_SECURE_NO_WARNINGS) # Allow use of fopen
+  # Allow use of fopen.
+  add_definitions(-D_CRT_SECURE_NO_WARNINGS)
+  # VS 2017 and higher supports STL-only warning suppressions.
+  add_definitions("-D_STL_EXTRA_DISABLED_WARNINGS=4774 4987")
 endif()

 if((CMAKE_COMPILER_IS_GNUCXX AND CMAKE_C_COMPILER_VERSION VERSION_GREATER "4.7.99") OR
-   CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+   CLANG)
  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wshadow")
  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wshadow")
 endif()

 if(CMAKE_COMPILER_IS_GNUCXX)
-  if ((CMAKE_C_COMPILER_VERSION VERSION_GREATER "4.8.99") OR
-      CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+  if ((CMAKE_C_COMPILER_VERSION VERSION_GREATER "4.8.99") OR CLANG)
    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=c11")
  else()
    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=c99")
@@ -124,7 +187,7 @@ if(NOT WIN32)
 endif()

 if(FUZZ)
-  if(NOT CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+  if(NOT CLANG)
    message(FATAL_ERROR "You need to build with Clang for fuzzing to work")
  endif()

@@ -136,8 +199,8 @@ if(FUZZ)
    set(RUNNER_ARGS ${RUNNER_ARGS} "-fuzzer" "-shim-config" "fuzzer_mode.json")
  endif()

-  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=address -fsanitize-coverage=edge,indirect-calls,8bit-counters")
-  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=address -fsanitize-coverage=edge,indirect-calls,8bit-counters")
+  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=address -fsanitize-coverage=edge,indirect-calls,trace-pc-guard")
+  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=address -fsanitize-coverage=edge,indirect-calls,trace-pc-guard")
  set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_C_FLAGS} -fsanitize=address")
  link_directories(.)
 endif()
@@ -151,7 +214,82 @@ if (BUILD_SHARED_LIBS)
  set(CMAKE_POSITION_INDEPENDENT_CODE TRUE)
 endif()

-if (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "x86_64")
+if (MSAN)
+  if(NOT CLANG)
+    message(FATAL_ERROR "Cannot enable MSAN unless using Clang")
+  endif()
+
+  if (ASAN)
+    message(FATAL_ERROR "ASAN and MSAN are mutually exclusive")
+  endif()
+
+  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=memory -fsanitize-memory-track-origins -fno-omit-frame-pointer")
+  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=memory -fsanitize-memory-track-origins -fno-omit-frame-pointer")
+  set(OPENSSL_NO_ASM "1")
+endif()
+
+if (ASAN)
+  if(NOT CLANG)
+    message(FATAL_ERROR "Cannot enable ASAN unless using Clang")
+  endif()
+
+  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=address -fsanitize-address-use-after-scope -fno-omit-frame-pointer")
+  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=address -fsanitize-address-use-after-scope -fno-omit-frame-pointer")
+  set(OPENSSL_NO_ASM "1")
+endif()
+
+if(CFI)
+  if(NOT CLANG)
+    message(FATAL_ERROR "Cannot enable CFI unless using Clang")
+  endif()
+
+  # TODO(crbug.com/785442): Remove -fsanitize-cfi-icall-generalize-pointers.
+  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=cfi -fno-sanitize-trap=cfi -fsanitize-cfi-icall-generalize-pointers -flto")
+  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=cfi -fno-sanitize-trap=cfi -fsanitize-cfi-icall-generalize-pointers -flto")
+  # We use Chromium's copy of clang, which requires -fuse-ld=lld if building
+  # with -flto. That, in turn, can't handle -ggdb.
+  set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -fuse-ld=lld")
+  string(REPLACE "-ggdb" "-g" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}")
+  string(REPLACE "-ggdb" "-g" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}")
+  # -flto causes object files to contain LLVM bitcode. Mixing those with
+  # assembly output in the same static library breaks the linker.
+  set(OPENSSL_NO_ASM "1")
+endif()
+
+if (GCOV)
+  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fprofile-arcs -ftest-coverage")
+  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fprofile-arcs -ftest-coverage")
+endif()
+
+if(FIPS)
+  add_definitions(-DBORINGSSL_FIPS)
+  if(FIPS_BREAK_TEST)
+    add_definitions("-DBORINGSSL_FIPS_BREAK_${FIPS_BREAK_TEST}=1")
+  endif()
+  # Delocate does not work for ASan and MSan builds.
+  if(NOT ASAN AND NOT MSAN)
+    set(FIPS_DELOCATE "1")
+  endif()
+endif()
+
+# CMake's iOS support uses Apple's multiple-architecture toolchain. It takes an
+# architecture list from CMAKE_OSX_ARCHITECTURES, leaves CMAKE_SYSTEM_PROCESSOR
+# alone, and expects all architecture-specific logic to be conditioned within
+# the source files rather than the build. This does not work for our assembly
+# files, so we fix CMAKE_SYSTEM_PROCESSOR and only support single-architecture
+# builds.
+if (NOT OPENSSL_NO_ASM AND CMAKE_OSX_ARCHITECTURES)
+  list(LENGTH CMAKE_OSX_ARCHITECTURES NUM_ARCHES)
+  if (NOT ${NUM_ARCHES} EQUAL 1)
+    message(FATAL_ERROR "Universal binaries not supported.")
+  endif()
+  list(GET CMAKE_OSX_ARCHITECTURES 0 CMAKE_SYSTEM_PROCESSOR)
+endif()
+
+if (OPENSSL_NO_ASM)
+  add_definitions(-DOPENSSL_NO_ASM)
+  set(ARCH "generic")
+elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "x86_64")
  set(ARCH "x86_64")
 elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "amd64")
  set(ARCH "x86_64")
@@ -168,12 +306,15 @@ elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "i386")
  set(ARCH "x86")
 elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "i686")
  set(ARCH "x86")
-elseif (${CMAKE_SYSTEM_PROCESSOR} MATCHES "^arm*")
-  set(ARCH "arm")
 elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "aarch64")
  set(ARCH "aarch64")
+elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "arm64")
+  set(ARCH "aarch64")
+elseif (${CMAKE_SYSTEM_PROCESSOR} MATCHES "^arm*")
+  set(ARCH "arm")
 elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "mips")
  # Just to avoid the “unknown processor” error.
+  set(ARCH "generic")
 elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "ppc64le")
  set(ARCH "ppc64le")
 else()
@@ -187,58 +328,50 @@ if (ANDROID AND ${ARCH} STREQUAL "arm")
  set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -march=${CMAKE_SYSTEM_PROCESSOR}")
 endif()

-if (${ARCH} STREQUAL "x86" AND APPLE)
+if (${ARCH} STREQUAL "x86" AND APPLE AND ${CMAKE_VERSION} VERSION_LESS "3.0")
  # With CMake 2.8.x, ${CMAKE_SYSTEM_PROCESSOR} evalutes to i386 on OS X,
  # but clang defaults to 64-bit builds on OS X unless otherwise told.
  # Set ARCH to x86_64 so clang and CMake agree. This is fixed in CMake 3.
  set(ARCH "x86_64")
 endif()

-if (MSAN)
-  if(NOT CMAKE_CXX_COMPILER_ID MATCHES "Clang")
-    message(FATAL_ERROR "Cannot enable MSAN unless using Clang")
-  endif()
+# Add minimal googletest targets. The provided one has many side-effects, and
+# googletest has a very straightforward build.
+add_library(gtest third_party/googletest/src/gtest-all.cc)
+target_include_directories(gtest PRIVATE third_party/googletest)

-  if (ASAN)
-    message(FATAL_ERROR "ASAN and MSAN are mutually exclusive")
-  endif()
-
-  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=memory -fsanitize-memory-track-origins -fno-omit-frame-pointer")
-  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=memory -fsanitize-memory-track-origins -fno-omit-frame-pointer")
-  set(OPENSSL_NO_ASM "1")
-endif()
-
-if (ASAN)
-  if(NOT CMAKE_CXX_COMPILER_ID MATCHES "Clang")
-    message(FATAL_ERROR "Cannot enable ASAN unless using Clang")
-  endif()
-
-  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=address -fno-omit-frame-pointer")
-  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=address -fno-omit-frame-pointer")
-  set(OPENSSL_NO_ASM "1")
-endif()
-
-if (GCOV)
-  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fprofile-arcs -ftest-coverage")
-  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fprofile-arcs -ftest-coverage")
-endif()
-
-if (OPENSSL_NO_ASM)
-  add_definitions(-DOPENSSL_NO_ASM)
-  set(ARCH "generic")
-endif()
+include_directories(third_party/googletest/include)

 # Declare a dummy target to build all unit tests. Test targets should inject
 # themselves as dependencies next to the target definition.
 add_custom_target(all_tests)

+add_custom_command(
+  OUTPUT crypto_test_data.cc
+  COMMAND ${GO_EXECUTABLE} run util/embed_test_data.go ${CRYPTO_TEST_DATA} >
+  ${CMAKE_CURRENT_BINARY_DIR}/crypto_test_data.cc
+  DEPENDS util/embed_test_data.go ${CRYPTO_TEST_DATA}
+  WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR})
+
+add_library(crypto_test_data OBJECT crypto_test_data.cc)
+
 add_subdirectory(crypto)
+add_subdirectory(third_party/fiat)
 add_subdirectory(ssl)
 add_subdirectory(ssl/test)
+add_subdirectory(fipstools)
 add_subdirectory(tool)
 add_subdirectory(decrepit)

 if(FUZZ)
+  if(LIBFUZZER_FROM_DEPS)
+    file(GLOB LIBFUZZER_SOURCES "util/bot/libFuzzer/*.cpp")
+    add_library(Fuzzer STATIC ${LIBFUZZER_SOURCES})
+    # libFuzzer does not pass our aggressive warnings. It also must be built
+    # without -fsanitize-coverage options or clang crashes.
+    set_target_properties(Fuzzer PROPERTIES COMPILE_FLAGS "-Wno-shadow -Wno-format-nonliteral -Wno-missing-prototypes -fsanitize-coverage=0")
+  endif()
+
  add_subdirectory(fuzz)
 endif()

@@ -68,17 +68,19 @@ Additionally, if `BORINGSSL_UNSAFE_FUZZER_MODE` is set, BoringSSL will:

 * Tickets are unencrypted and the MAC check is performed but ignored.

+* renegotiation\_info checks are ignored.
+
 This is to prevent the fuzzer from getting stuck at a cryptographic invariant in the protocol.

 ## TLS transcripts

 The `client` and `server` corpora are seeded from the test suite. The test suite has a `-fuzzer` flag which mirrors the fuzzer mode changes above and a `-deterministic` flag which removes all non-determinism on the Go side. Not all tests pass, so `ssl/test/runner/fuzzer_mode.json` contains the necessary suppressions. The `run_tests` target will pass appropriate command-line flags.

-There are separate corpora, `client_corpus_no_fuzzer_mode` and `server_corpus_no_fuzzer_mode`. These are transcripts for fuzzers with only `BORINGSSL_UNSAFE_DETERMINISTIC_MODE` defined. To build in this mode, pass `-DNO_FUZZER_MODE=1` into CMake. This configuration is run in the same way but without `-fuzzer` and `-shim-path` flags.
+There are separate corpora, `client_corpus_no_fuzzer_mode` and `server_corpus_no_fuzzer_mode`. These are transcripts for fuzzers with only `BORINGSSL_UNSAFE_DETERMINISTIC_MODE` defined. To build in this mode, pass `-DNO_FUZZER_MODE=1` into CMake. This configuration is run in the same way but without `-fuzzer` and `-shim-config` flags.

 If both sets of tests pass, refresh the fuzzer corpora with `refresh_ssl_corpora.sh`:

 ```
 cd fuzz
-./refresh_fuzzer_corpora.sh /path/to/fuzzer/mode/build /path/to/non/fuzzer/mode/build
+./refresh_ssl_corpora.sh /path/to/fuzzer/mode/build /path/to/non/fuzzer/mode/build
 ```
@@ -6,7 +6,9 @@ Contributors to BoringSSL are required to follow the CLA rules for Chromium:
 https://cla.developers.google.com/clas

 Some files from Intel are under yet another license, which is also included
-underneath.
+underneath. Files in third_party/ have their own licenses, as described
+therein. The MIT license, for third_party/fiat, which, unlike other third_party
+directories, is compiled into non-test libraries, is included below.

 The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the
 OpenSSL License and the original SSLeay license apply to the toolkit. See below
@@ -190,3 +192,27 @@ Some files from Intel carry the following license:
 # LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 # NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 # SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+The code in third_party/fiat carries the MIT license:
+
+Copyright (c) 2015-2016 the fiat-crypto authors (see
+https://github.com/mit-plv/fiat-crypto/blob/master/AUTHORS).
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
@@ -6,17 +6,27 @@ BoringSSL support, provided they do not use removed APIs. In general, see if the
 library compiles and, on failure, consult the documentation in the header files
 and see if problematic features can be removed.

-In some cases, BoringSSL-specific code may be necessary. In that case, the
-`OPENSSL_IS_BORINGSSL` preprocessor macro may be used in `#ifdef`s. This macro
-should also be used in lieu of the presence of any particular function to detect
-OpenSSL vs BoringSSL in configure scripts, etc., where those are necessary.
-Before using the preprocessor, however, contact the BoringSSL maintainers about
-the missing APIs. If not an intentionally removed feature, BoringSSL will
-typically add compatibility functions for convenience.
+BoringSSL's `OPENSSL_VERSION_NUMBER` matches the OpenSSL version it targets.
+Version checks for OpenSSL should ideally work as-is in BoringSSL. BoringSSL
+also defines upstream's `OPENSSL_NO_*` feature macros corresponding to removed
+features. If the preprocessor is needed, use these version checks or feature
+macros where possible, especially when patching third-party projects. Such
+patches are more generally useful to OpenSSL consumers and thus more
+appropriate to send upstream.

-For convenience, BoringSSL defines upstream's `OPENSSL_NO_*` feature macros
-corresponding to removed features. These may also be used to disable code which
-uses a removed feature.
+In some cases, BoringSSL-specific code may be necessary. Use the
+`OPENSSL_IS_BORINGSSL` preprocessor macro in `#ifdef`s. However, first contact
+the BoringSSL maintainers about the missing APIs. We will typically add
+compatibility functions for convenience. In particular, *contact BoringSSL
+maintainers before working around missing OpenSSL 1.1.0 accessors*. BoringSSL
+was originally derived from OpenSSL 1.0.2 but now targets OpenSSL 1.1.0. Some
+newer APIs may be missing but can be added on request. (Not all projects have
+been ported to OpenSSL 1.1.0, so BoringSSL also remains largely compatible with
+OpenSSL 1.0.2.)
+
+The `OPENSSL_IS_BORINGSSL` macro may also be used to distinguish OpenSSL from
+BoringSSL in configure scripts. Do not use the presence or absence of particular
+symbols to detect BoringSSL.

 Note: BoringSSL does *not* have a stable API or ABI. It must be updated with its
 consumers. It is not suitable for, say, a system library in a traditional Linux
@@ -39,15 +49,19 @@ code, particularly to avoid compiler warnings.
 Most notably, the `STACK_OF(T)` types have all been converted to use `size_t`
 instead of `int` for indices and lengths.

-### Reference counts
+### Reference counts and opaque types

 Some external consumers increment reference counts directly by calling
-`CRYPTO_add` with the corresponding `CRYPTO_LOCK_*` value.
+`CRYPTO_add` with the corresponding `CRYPTO_LOCK_*` value. These APIs no longer
+exist in BoringSSL. Instead, code which increments reference counts should call
+the corresponding `FOO_up_ref` function, such as `EVP_PKEY_up_ref`.

-These APIs no longer exist in BoringSSL. Instead, code which increments
-reference counts should call the corresponding `FOO_up_ref` function, such as
-`EVP_PKEY_up_ref`. Note that not all of these APIs are present in OpenSSL and
-may require `#ifdef`s.
+BoringSSL also hides some structs which were previously exposed in OpenSSL
+1.0.2, particularly in libssl. Use the relevant accessors instead.
+
+Note that some of these APIs were added in OpenSSL 1.1.0, so projects which do
+not yet support 1.1.0 may need additional `#ifdef`s. Projects supporting OpenSSL
+1.1.0 should not require modification.

 ### Error codes

@@ -116,7 +130,9 @@ response in (unpipelined) HTTP/1.1.

 Things which do not work:

-* There is no support for renegotiation as a server.
+* There is no support for renegotiation as a server. (Attempts by clients will
+  result in a fatal alert so that ClientHello messages cannot be used to flood
+  a server and escape higher-level limits.)

 * There is no support for renegotiation in DTLS.

@@ -128,6 +144,17 @@ Things which do not work:
 * If a HelloRequest is received while `SSL_write` has unsent application data,
  the renegotiation is rejected.

+* Renegotiation does not participate in session resumption. The client will
+  not offer a session on renegotiation or resume any session established by a
+  renegotiation handshake.
+
+* The server may not change its certificate in the renegotiation. This mitigates
+  the [triple handshake attack](https://mitls.org/pages/attacks/3SHAKE). Any new
+  stapled OCSP response and SCT list will be ignored. As no authentication state
+  may change, BoringSSL will not re-verify the certificate on a renegotiation.
+  Callbacks such as `SSL_CTX_set_custom_verify` will only run on the initial
+  handshake.
+
 ### Lowercase hexadecimal

 BoringSSL's `BN_bn2hex` function uses lowercase hexadecimal digits instead of
@@ -152,6 +179,17 @@ recommended to avoid the `out` parameter completely and always pass in `NULL`.
 Note that less error-prone APIs are available for BoringSSL-specific code (see
 below).

+### Memory allocation
+
+OpenSSL provides wrappers `OPENSSL_malloc` and `OPENSSL_free` over the standard
+`malloc` and `free`. Memory allocated by OpenSSL should be released with
+`OPENSSL_free`, not the standard `free`. However, by default, they are
+implemented directly using `malloc` and `free`, so code which mixes them up
+usually works.
+
+In BoringSSL, these functions maintain additional book-keeping to zero memory
+on `OPENSSL_free`, so any mixups must be fixed.
+
 ## Optional BoringSSL-specific simplifications

 BoringSSL makes some changes to OpenSSL which simplify the API but remain
@@ -227,6 +265,7 @@ parameter.
 `SSL_CTRL_OPTIONS` | `SSL_CTX_get_options` or `SSL_CTX_set_options`
 `SSL_CTRL_SESS_NUMBER` | `SSL_CTX_sess_number`
 `SSL_CTRL_SET_CURVES` | `SSL_CTX_set1_curves`
+`SSL_CTRL_SET_ECDH_AUTO` | `SSL_CTX_set_ecdh_auto`
 `SSL_CTRL_SET_MAX_CERT_LIST` | `SSL_CTX_set_max_cert_list`
 `SSL_CTRL_SET_MAX_SEND_FRAGMENT` | `SSL_CTX_set_max_send_fragment`
 `SSL_CTRL_SET_MSG_CALLBACK` | `SSL_set_msg_callback`
@@ -246,3 +285,27 @@ parameter.
 `SSL_CTRL_SET_TMP_ECDH_CB` | `SSL_CTX_set_tmp_ecdh_callback`
 `SSL_CTRL_SET_TMP_RSA` | `SSL_CTX_set_tmp_rsa` is equivalent, but [*do not use this function*](https://freakattack.com/). (It is a no-op in BoringSSL.)
 `SSL_CTRL_SET_TMP_RSA_CB` | `SSL_CTX_set_tmp_rsa_callback` is equivalent, but [*do not use this function*](https://freakattack.com/). (It is a no-op in BoringSSL.)
+
+## Significant API additions
+
+In some places, BoringSSL has added significant APIs. Use of these APIs goes beyound “porting” and means giving up on OpenSSL compatibility.
+
+One example of this has already been mentioned: the [CBS and CBB](https://commondatastorage.googleapis.com/chromium-boringssl-docs/bytestring.h.html) functions should be used whenever parsing or serialising data.
+
+### CRYPTO\_BUFFER
+
+With the standard OpenSSL APIs, when making many TLS connections, the certificate data for each connection is retained in memory in an expensive `X509` structure. Additionally, common certificates often appear in the chains for multiple connections and are needlessly duplicated in memory.
+
+A [`CRYPTO_BUFFER`](https://commondatastorage.googleapis.com/chromium-boringssl-docs/pool.h.html) is just an opaque byte string. A `CRYPTO_BUFFER_POOL` is an intern table for these buffers, i.e. it ensures that only a single copy of any given byte string is kept for each pool.
+
+The function `TLS_with_buffers_method` returns an `SSL_METHOD` that avoids creating `X509` objects for certificates. Additionally, `SSL_CTX_set0_buffer_pool` can be used to install a pool on an `SSL_CTX` so that certificates can be deduplicated across connections and across `SSL_CTX`s.
+
+When using these functions, the application also needs to ensure that it doesn't call other functions that deal with `X509` or `X509_NAME` objects. For example, `SSL_get_peer_certificate` or `SSL_get_peer_cert_chain`. Doing so will trigger an assert in debug mode and will result in NULLs in release mode. Instead, call the buffer-based alternatives such as `SSL_get0_peer_certificates`. (See [ssl.h](https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html) for functions taking or returning `CRYPTO_BUFFER`.) The buffer-based alternative functions will work even when not using `TLS_with_buffers_method`, thus application code can transition gradually.
+
+In order to use buffers, the application code also needs to implement its own certificate verification using `SSL_[CTX_]set_custom_verify`. Otherwise all connections will fail with a verification error. Auto-chaining is also disabled when using buffers.
+
+Once those changes have been completed, the whole of the OpenSSL X.509 and ASN.1 code should be eliminated by the linker if BoringSSL is linked statically.
+
+### Asynchronous and opaque private keys
+
+OpenSSL offers the ENGINE API for implementing opaque private keys (i.e. private keys where software only has oracle access because the secrets are held in special hardware or on another machine). While the ENGINE API has been mostly removed from BoringSSL, it is still possible to support opaque keys in this way. However, when using such keys with TLS and BoringSSL, you should strongly prefer using `SSL_PRIVATE_KEY_METHOD` via `SSL[_CTX]_set_private_key_method`. This allows a handshake to be suspended while the private operation is in progress. It also supports more forms of opaque key as it exposes higher-level information about the operation to be performed.
@@ -31,10 +31,10 @@ Variable declarations in the middle of a function or inside a `for` loop are
 allowed and preferred where possible. Note that the common `goto err` cleanup
 pattern requires lifting some variable declarations.

-Comments should be `/* C-style */` for consistency.
+Comments should be `// C99-style` for consistency with C++.

-When declaration pointer types, `*` should be placed next to the variable
-name, not the type. So
+When declaring pointer types, `*` should be placed next to the variable name,
+not the type. So

    uint8_t *ptr;

@@ -60,6 +60,19 @@ constants for flags. If adding values to an existing set of `#define`s,
 continue with `#define`.


+## libssl
+
+libssl was originally written in C but is being incrementally rewritten in
+C++11. As of writing, much of the style matches our C conventions rather than
+Google C++. Additionally, libssl on Linux currently may not depend on the C++
+runtime. See the C++ utilities in `ssl/internal.h` for replacements for
+problematic C++ constructs. The `util/check_imported_libraries.go` script may be
+used with a shared library build to check if a new construct is okay.
+
+If unsure, match surrounding code. Discrepancies between it and Google C++ style
+will be fixed over time.
+
+
 ## Formatting

 Single-statement blocks are not allowed. All conditions and loops must
@@ -185,25 +198,36 @@ behavior of the function. Pay special note to success/failure behaviors
 and caller obligations on object lifetimes. If this sacrifices
 conciseness, consider simplifying the function's behavior.

-    /* EVP_DigestVerifyUpdate appends |len| bytes from |data| to the data which
-     * will be verified by |EVP_DigestVerifyFinal|. It returns one on success and
-     * zero otherwise. */
+    // EVP_DigestVerifyUpdate appends |len| bytes from |data| to the data which
+    // will be verified by |EVP_DigestVerifyFinal|. It returns one on success and
+    // zero otherwise.
    OPENSSL_EXPORT int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data,
                                              size_t len);

 Explicitly mention any surprising edge cases or deviations from common
 return value patterns in legacy functions.

-    /* RSA_private_encrypt encrypts |flen| bytes from |from| with the private key in
-     * |rsa| and writes the encrypted data to |to|. The |to| buffer must have at
-     * least |RSA_size| bytes of space. It returns the number of bytes written, or
-     * -1 on error. The |padding| argument must be one of the |RSA_*_PADDING|
-     * values. If in doubt, |RSA_PKCS1_PADDING| is the most common.
-     *
-     * WARNING: this function is dangerous because it breaks the usual return value
-     * convention. Use |RSA_sign_raw| instead. */
+    // RSA_private_encrypt encrypts |flen| bytes from |from| with the private key in
+    // |rsa| and writes the encrypted data to |to|. The |to| buffer must have at
+    // least |RSA_size| bytes of space. It returns the number of bytes written, or
+    // -1 on error. The |padding| argument must be one of the |RSA_*_PADDING|
+    // values. If in doubt, |RSA_PKCS1_PADDING| is the most common.
+    //
+    // WARNING: this function is dangerous because it breaks the usual return value
+    // convention. Use |RSA_sign_raw| instead.
    OPENSSL_EXPORT int RSA_private_encrypt(int flen, const uint8_t *from,
                                           uint8_t *to, RSA *rsa, int padding);

 Document private functions in their `internal.h` header or, if static,
 where defined.
+
+
+## Build logic
+
+BoringSSL is used by many projects with many different build tools.
+Reimplementing and maintaining build logic in each downstream build is
+cumbersome, so build logic should be avoided where possible. Platform-specific
+files should be excluded by wrapping the contents in `#ifdef`s, rather than
+computing platform-specific file lists. Generated source files such as perlasm
+and `err_data.c` may be used in the standalone CMake build but, for downstream
+builds, they should be pre-generated in `generate_build_files.py`.
@@ -1,43 +1,64 @@
 include_directories(../include)

-if(APPLE)
-  if (${ARCH} STREQUAL "x86")
-    set(PERLASM_FLAGS "-fPIC -DOPENSSL_IA32_SSE2")
-  endif()
-  set(PERLASM_STYLE macosx)
-  set(ASM_EXT S)
-  enable_language(ASM)
-elseif(UNIX)
-  if (${ARCH} STREQUAL "aarch64")
-    # The "armx" Perl scripts look for "64" in the style argument
-    # in order to decide whether to generate 32- or 64-bit asm.
-    set(PERLASM_STYLE linux64)
-  elseif (${ARCH} STREQUAL "arm")
-    set(PERLASM_STYLE linux32)
-  elseif (${ARCH} STREQUAL "x86")
-    set(PERLASM_FLAGS "-fPIC -DOPENSSL_IA32_SSE2")
-    set(PERLASM_STYLE elf)
-  elseif (${ARCH} STREQUAL "ppc64le")
-    set(PERLASM_STYLE ppc64le)
-  else()
-    set(PERLASM_STYLE elf)
-  endif()
-  set(ASM_EXT S)
-  enable_language(ASM)
-  set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -Wa,--noexecstack")
-else()
-  if (CMAKE_CL_64)
-    message("Using nasm")
-    set(PERLASM_STYLE nasm)
-  else()
-    message("Using win32n")
-    set(PERLASM_STYLE win32n)
-    set(PERLASM_FLAGS "-DOPENSSL_IA32_SSE2")
-  endif()
+if(NOT OPENSSL_NO_ASM)
+  if(UNIX)
+    if (${ARCH} STREQUAL "aarch64")
+      # The "armx" Perl scripts look for "64" in the style argument
+      # in order to decide whether to generate 32- or 64-bit asm.
+      if (APPLE)
+        set(PERLASM_STYLE ios64)
+      else()
+        set(PERLASM_STYLE linux64)
+      endif()
+    elseif (${ARCH} STREQUAL "arm")
+      if (APPLE)
+        set(PERLASM_STYLE ios32)
+      else()
+        set(PERLASM_STYLE linux32)
+      endif()
+    elseif (${ARCH} STREQUAL "ppc64le")
+      set(PERLASM_STYLE linux64le)
+    else()
+      if (${ARCH} STREQUAL "x86")
+        set(PERLASM_FLAGS "-fPIC -DOPENSSL_IA32_SSE2")
+      endif()
+      if (APPLE)
+        set(PERLASM_STYLE macosx)
+      else()
+        set(PERLASM_STYLE elf)
+      endif()
+    endif()
+    set(ASM_EXT S)
+    enable_language(ASM)
+    set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -Wa,--noexecstack")

-  # On Windows, we use the NASM output, specifically built with Yasm.
-  set(ASM_EXT asm)
-  enable_language(ASM_NASM)
+    # Clang's integerated assembler does not support debug symbols.
+    if(NOT CMAKE_ASM_COMPILER_ID MATCHES "Clang")
+      set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -Wa,-g")
+    endif()
+
+    # CMake does not add -isysroot and -arch flags to assembly.
+    if (APPLE)
+      if (CMAKE_OSX_SYSROOT)
+        set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -isysroot \"${CMAKE_OSX_SYSROOT}\"")
+      endif()
+      foreach(arch ${CMAKE_OSX_ARCHITECTURES})
+        set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -arch ${arch}")
+      endforeach()
+    endif()
+  else()
+    if (${ARCH} STREQUAL "x86_64")
+      set(PERLASM_STYLE nasm)
+    else()
+      set(PERLASM_STYLE win32n)
+      set(PERLASM_FLAGS "-DOPENSSL_IA32_SSE2")
+    endif()
+    set(CMAKE_ASM_NASM_FLAGS "-g cv8")
+
+    # On Windows, we use the NASM output, specifically built with Yasm.
+    set(ASM_EXT asm)
+    enable_language(ASM_NASM)
+  endif()
 endif()

 function(perlasm dest src)
@@ -67,12 +88,6 @@ add_subdirectory(bytestring)
 add_subdirectory(pool)

 # Level 0.2 - depends on nothing but itself
-add_subdirectory(sha)
-add_subdirectory(md4)
-add_subdirectory(md5)
-add_subdirectory(modes)
-add_subdirectory(aes)
-add_subdirectory(des)
 add_subdirectory(rc4)
 add_subdirectory(conf)
 add_subdirectory(chacha)
@@ -80,11 +95,11 @@ add_subdirectory(poly1305)
 add_subdirectory(curve25519)

 # Level 1, depends only on 0.*
-add_subdirectory(digest)
-add_subdirectory(cipher)
-add_subdirectory(rand)
+add_subdirectory(digest_extra)
+add_subdirectory(cipher_extra)
+add_subdirectory(rand_extra)
 add_subdirectory(bio)
-add_subdirectory(bn)
+add_subdirectory(bn_extra)
 add_subdirectory(obj)
 add_subdirectory(asn1)

@@ -92,11 +107,10 @@ add_subdirectory(asn1)
 add_subdirectory(engine)
 add_subdirectory(dh)
 add_subdirectory(dsa)
-add_subdirectory(rsa)
-add_subdirectory(ec)
+add_subdirectory(rsa_extra)
+add_subdirectory(ec_extra)
 add_subdirectory(ecdh)
-add_subdirectory(ecdsa)
-add_subdirectory(hmac)
+add_subdirectory(ecdsa_extra)

 # Level 3
 add_subdirectory(cmac)
@@ -107,13 +121,18 @@ add_subdirectory(x509)
 add_subdirectory(x509v3)

 # Level 4
+add_subdirectory(pkcs7)
 add_subdirectory(pkcs8)

 # Test support code
 add_subdirectory(test)

+add_subdirectory(fipsmodule)
+
 add_library(
-  crypto
+  crypto_base
+
+  OBJECT

  cpu-aarch64-linux.c
  cpu-arm.c
@@ -129,81 +148,131 @@ add_library(
  thread_none.c
  thread_pthread.c
  thread_win.c
-  time_support.c
+)

+if(FIPS_DELOCATE)
+  SET_SOURCE_FILES_PROPERTIES(fipsmodule/bcm.o PROPERTIES EXTERNAL_OBJECT true)
+  SET_SOURCE_FILES_PROPERTIES(fipsmodule/bcm.o PROPERTIES GENERATED true)
+
+  set(
+    CRYPTO_FIPS_OBJECTS
+
+    fipsmodule/bcm.o
+  )
+endif()
+
+add_library(
+  crypto
+
+  $<TARGET_OBJECTS:crypto_base>
  $<TARGET_OBJECTS:stack>
  $<TARGET_OBJECTS:lhash>
  $<TARGET_OBJECTS:err>
  $<TARGET_OBJECTS:base64>
  $<TARGET_OBJECTS:bytestring>
  $<TARGET_OBJECTS:pool>
-  $<TARGET_OBJECTS:sha>
-  $<TARGET_OBJECTS:md4>
-  $<TARGET_OBJECTS:md5>
-  $<TARGET_OBJECTS:digest>
-  $<TARGET_OBJECTS:cipher>
-  $<TARGET_OBJECTS:modes>
-  $<TARGET_OBJECTS:aes>
-  $<TARGET_OBJECTS:des>
+  $<TARGET_OBJECTS:fipsmodule>
+  $<TARGET_OBJECTS:digest_extra>
+  $<TARGET_OBJECTS:cipher_extra>
  $<TARGET_OBJECTS:rc4>
  $<TARGET_OBJECTS:conf>
  $<TARGET_OBJECTS:chacha>
  $<TARGET_OBJECTS:poly1305>
  $<TARGET_OBJECTS:curve25519>
+  $<TARGET_OBJECTS:fiat>
  $<TARGET_OBJECTS:buf>
-  $<TARGET_OBJECTS:bn>
+  $<TARGET_OBJECTS:bn_extra>
  $<TARGET_OBJECTS:bio>
-  $<TARGET_OBJECTS:rand>
+  $<TARGET_OBJECTS:rand_extra>
  $<TARGET_OBJECTS:obj>
  $<TARGET_OBJECTS:asn1>
  $<TARGET_OBJECTS:engine>
  $<TARGET_OBJECTS:dh>
  $<TARGET_OBJECTS:dsa>
-  $<TARGET_OBJECTS:rsa>
-  $<TARGET_OBJECTS:ec>
+  $<TARGET_OBJECTS:rsa_extra>
+  $<TARGET_OBJECTS:ec_extra>
  $<TARGET_OBJECTS:ecdh>
-  $<TARGET_OBJECTS:ecdsa>
-  $<TARGET_OBJECTS:hmac>
+  $<TARGET_OBJECTS:ecdsa_extra>
  $<TARGET_OBJECTS:cmac>
  $<TARGET_OBJECTS:evp>
  $<TARGET_OBJECTS:hkdf>
  $<TARGET_OBJECTS:pem>
  $<TARGET_OBJECTS:x509>
  $<TARGET_OBJECTS:x509v3>
+  $<TARGET_OBJECTS:pkcs7>
  $<TARGET_OBJECTS:pkcs8_lib>
+
+  ${CRYPTO_FIPS_OBJECTS}
 )

+if(FIPS_DELOCATE)
+  add_dependencies(crypto bcm_o_target)
+endif()
+
+SET_TARGET_PROPERTIES(crypto PROPERTIES LINKER_LANGUAGE C)
+
 if(NOT MSVC AND NOT ANDROID)
  target_link_libraries(crypto pthread)
 endif()

+# TODO(davidben): Convert the remaining tests to GTest.
 add_executable(
-  constant_time_test
+  crypto_test

+  asn1/asn1_test.cc
+  base64/base64_test.cc
+  buf/buf_test.cc
+  bio/bio_test.cc
+  bytestring/bytestring_test.cc
+  chacha/chacha_test.cc
+  cipher_extra/aead_test.cc
+  cipher_extra/cipher_test.cc
+  cmac/cmac_test.cc
+  compiler_test.cc
  constant_time_test.cc
-
-  $<TARGET_OBJECTS:test_support>
-)
-
-target_link_libraries(constant_time_test crypto)
-add_dependencies(all_tests constant_time_test)
-
-add_executable(
-  thread_test
-
-  thread_test.c
-
-  $<TARGET_OBJECTS:test_support>
-)
-
-target_link_libraries(thread_test crypto)
-add_dependencies(all_tests thread_test)
-
-add_executable(
-  refcount_test
-
+  curve25519/ed25519_test.cc
+  curve25519/spake25519_test.cc
+  curve25519/x25519_test.cc
+  ecdh/ecdh_test.cc
+  dh/dh_test.cc
+  digest_extra/digest_test.cc
+  dsa/dsa_test.cc
+  err/err_test.cc
+  evp/evp_extra_test.cc
+  evp/evp_test.cc
+  evp/pbkdf_test.cc
+  evp/scrypt_test.cc
+  fipsmodule/aes/aes_test.cc
+  fipsmodule/bn/bn_test.cc
+  fipsmodule/ec/ec_test.cc
+  fipsmodule/ec/p256-x86_64_test.cc
+  fipsmodule/ecdsa/ecdsa_test.cc
+  fipsmodule/modes/gcm_test.cc
+  fipsmodule/rand/ctrdrbg_test.cc
+  hkdf/hkdf_test.cc
+  hmac_extra/hmac_test.cc
+  lhash/lhash_test.cc
+  obj/obj_test.cc
+  pkcs7/pkcs7_test.cc
+  pkcs8/pkcs8_test.cc
+  pkcs8/pkcs12_test.cc
+  poly1305/poly1305_test.cc
+  pool/pool_test.cc
  refcount_test.cc
+  rsa_extra/rsa_test.cc
+  test/file_test_gtest.cc
+  thread_test.cc
+  x509/x509_test.cc
+  x509v3/tab_test.cc
+  x509v3/v3name_test.cc
+
+  $<TARGET_OBJECTS:crypto_test_data>
+  $<TARGET_OBJECTS:gtest_main>
+  $<TARGET_OBJECTS:test_support>
 )

-target_link_libraries(refcount_test crypto)
-add_dependencies(all_tests refcount_test)
+target_link_libraries(crypto_test crypto gtest)
+if (WIN32)
+  target_link_libraries(crypto_test ws2_32)
+endif()
+add_dependencies(all_tests crypto_test)
@@ -1,82 +0,0 @@
-include_directories(../../include)
-
-if (${ARCH} STREQUAL "x86_64")
-  set(
-    AES_ARCH_SOURCES
-
-    aes-x86_64.${ASM_EXT}
-    aesni-x86_64.${ASM_EXT}
-    bsaes-x86_64.${ASM_EXT}
-    vpaes-x86_64.${ASM_EXT}
-  )
-endif()
-
-if (${ARCH} STREQUAL "x86")
-  set(
-    AES_ARCH_SOURCES
-
-    aes-586.${ASM_EXT}
-    vpaes-x86.${ASM_EXT}
-    aesni-x86.${ASM_EXT}
-  )
-endif()
-
-if (${ARCH} STREQUAL "arm")
-  set(
-    AES_ARCH_SOURCES
-
-    aes-armv4.${ASM_EXT}
-    bsaes-armv7.${ASM_EXT}
-    aesv8-armx.${ASM_EXT}
-  )
-endif()
-
-if (${ARCH} STREQUAL "aarch64")
-  set(
-    AES_ARCH_SOURCES
-
-    aesv8-armx.${ASM_EXT}
-  )
-endif()
-
-if (${ARCH} STREQUAL "ppc64le")
-  set(
-    AES_ARCH_SOURCES
-
-    aesp8-ppc.${ASM_EXT}
-  )
-endif()
-
-add_library(
-  aes
-
-  OBJECT
-
-  aes.c
-  key_wrap.c
-  mode_wrappers.c
-
-  ${AES_ARCH_SOURCES}
-)
-
-perlasm(aes-x86_64.${ASM_EXT} asm/aes-x86_64.pl)
-perlasm(aesni-x86_64.${ASM_EXT} asm/aesni-x86_64.pl)
-perlasm(bsaes-x86_64.${ASM_EXT} asm/bsaes-x86_64.pl)
-perlasm(vpaes-x86_64.${ASM_EXT} asm/vpaes-x86_64.pl)
-perlasm(aes-586.${ASM_EXT} asm/aes-586.pl)
-perlasm(vpaes-x86.${ASM_EXT} asm/vpaes-x86.pl)
-perlasm(aesni-x86.${ASM_EXT} asm/aesni-x86.pl)
-perlasm(aes-armv4.${ASM_EXT} asm/aes-armv4.pl)
-perlasm(bsaes-armv7.${ASM_EXT} asm/bsaes-armv7.pl)
-perlasm(aesv8-armx.${ASM_EXT} asm/aesv8-armx.pl)
-perlasm(aesp8-ppc.${ASM_EXT} asm/aesp8-ppc.pl)
-
-add_executable(
-  aes_test
-
-  aes_test.cc
-  $<TARGET_OBJECTS:test_support>
-)
-
-target_link_libraries(aes_test crypto)
-add_dependencies(all_tests aes_test)
@@ -1,190 +0,0 @@
-/* Copyright (c) 2015, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <memory>
-#include <vector>
-
-#include <openssl/aes.h>
-#include <openssl/crypto.h>
-
-#include "../internal.h"
-#include "../test/file_test.h"
-
-
-static bool TestRaw(FileTest *t) {
-  std::vector<uint8_t> key, plaintext, ciphertext;
-  if (!t->GetBytes(&key, "Key") ||
-      !t->GetBytes(&plaintext, "Plaintext") ||
-      !t->GetBytes(&ciphertext, "Ciphertext")) {
-    return false;
-  }
-
-  if (plaintext.size() != AES_BLOCK_SIZE ||
-      ciphertext.size() != AES_BLOCK_SIZE) {
-    t->PrintLine("Plaintext or Ciphertext not a block size.");
-    return false;
-  }
-
-  AES_KEY aes_key;
-  if (AES_set_encrypt_key(key.data(), 8 * key.size(), &aes_key) != 0) {
-    t->PrintLine("AES_set_encrypt_key failed.");
-    return false;
-  }
-
-  // Test encryption.
-  uint8_t block[AES_BLOCK_SIZE];
-  AES_encrypt(plaintext.data(), block, &aes_key);
-  if (!t->ExpectBytesEqual(block, AES_BLOCK_SIZE, ciphertext.data(),
-                           ciphertext.size())) {
-    t->PrintLine("AES_encrypt gave the wrong output.");
-    return false;
-  }
-
-  // Test in-place encryption.
-  OPENSSL_memcpy(block, plaintext.data(), AES_BLOCK_SIZE);
-  AES_encrypt(block, block, &aes_key);
-  if (!t->ExpectBytesEqual(block, AES_BLOCK_SIZE, ciphertext.data(),
-                           ciphertext.size())) {
-    t->PrintLine("In-place AES_encrypt gave the wrong output.");
-    return false;
-  }
-
-  if (AES_set_decrypt_key(key.data(), 8 * key.size(), &aes_key) != 0) {
-    t->PrintLine("AES_set_decrypt_key failed.");
-    return false;
-  }
-
-  // Test decryption.
-  AES_decrypt(ciphertext.data(), block, &aes_key);
-  if (!t->ExpectBytesEqual(block, AES_BLOCK_SIZE, plaintext.data(),
-                           plaintext.size())) {
-    t->PrintLine("AES_decrypt gave the wrong output.");
-    return false;
-  }
-
-  // Test in-place decryption.
-  OPENSSL_memcpy(block, ciphertext.data(), AES_BLOCK_SIZE);
-  AES_decrypt(block, block, &aes_key);
-  if (!t->ExpectBytesEqual(block, AES_BLOCK_SIZE, plaintext.data(),
-                           plaintext.size())) {
-    t->PrintLine("In-place AES_decrypt gave the wrong output.");
-    return false;
-  }
-
-  return true;
-}
-
-static bool TestKeyWrap(FileTest *t) {
-  // All test vectors use the default IV, so test both with implicit and
-  // explicit IV.
-  //
-  // TODO(davidben): Find test vectors that use a different IV.
-  static const uint8_t kDefaultIV[] = {
-      0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6,
-  };
-
-  std::vector<uint8_t> key, plaintext, ciphertext;
-  if (!t->GetBytes(&key, "Key") ||
-      !t->GetBytes(&plaintext, "Plaintext") ||
-      !t->GetBytes(&ciphertext, "Ciphertext")) {
-    return false;
-  }
-
-  if (plaintext.size() + 8 != ciphertext.size()) {
-    t->PrintLine("Invalid Plaintext and Ciphertext lengths.");
-    return false;
-  }
-
-  AES_KEY aes_key;
-  if (AES_set_encrypt_key(key.data(), 8 * key.size(), &aes_key) != 0) {
-    t->PrintLine("AES_set_encrypt_key failed.");
-    return false;
-  }
-
-  std::unique_ptr<uint8_t[]> buf(new uint8_t[ciphertext.size()]);
-  if (AES_wrap_key(&aes_key, nullptr /* iv */, buf.get(), plaintext.data(),
-                   plaintext.size()) != static_cast<int>(ciphertext.size()) ||
-      !t->ExpectBytesEqual(buf.get(), ciphertext.size(), ciphertext.data(),
-                           ciphertext.size())) {
-    t->PrintLine("AES_wrap_key with implicit IV failed.");
-    return false;
-  }
-
-  OPENSSL_memset(buf.get(), 0, ciphertext.size());
-  if (AES_wrap_key(&aes_key, kDefaultIV, buf.get(), plaintext.data(),
-                   plaintext.size()) != static_cast<int>(ciphertext.size()) ||
-      !t->ExpectBytesEqual(buf.get(), ciphertext.size(), ciphertext.data(),
-                           ciphertext.size())) {
-    t->PrintLine("AES_wrap_key with explicit IV failed.");
-    return false;
-  }
-
-  if (AES_set_decrypt_key(key.data(), 8 * key.size(), &aes_key) != 0) {
-    t->PrintLine("AES_set_decrypt_key failed.");
-    return false;
-  }
-
-  buf.reset(new uint8_t[plaintext.size()]);
-  if (AES_unwrap_key(&aes_key, nullptr /* iv */, buf.get(), ciphertext.data(),
-                     ciphertext.size()) != static_cast<int>(plaintext.size()) ||
-      !t->ExpectBytesEqual(buf.get(), plaintext.size(), plaintext.data(),
-                           plaintext.size())) {
-    t->PrintLine("AES_unwrap_key with implicit IV failed.");
-    return false;
-  }
-
-  OPENSSL_memset(buf.get(), 0, plaintext.size());
-  if (AES_unwrap_key(&aes_key, kDefaultIV, buf.get(), ciphertext.data(),
-                     ciphertext.size()) != static_cast<int>(plaintext.size()) ||
-      !t->ExpectBytesEqual(buf.get(), plaintext.size(), plaintext.data(),
-                           plaintext.size())) {
-    t->PrintLine("AES_unwrap_key with explicit IV failed.");
-    return false;
-  }
-
-  ciphertext[0] ^= 1;
-  if (AES_unwrap_key(&aes_key, nullptr /* iv */, buf.get(), ciphertext.data(),
-                     ciphertext.size()) != -1) {
-    t->PrintLine("AES_unwrap_key with bad input unexpectedly succeeded.");
-    return false;
-  }
-
-  return true;
-}
-
-static bool TestAES(FileTest *t, void *arg) {
-  if (t->GetParameter() == "Raw") {
-    return TestRaw(t);
-  }
-  if (t->GetParameter() == "KeyWrap") {
-    return TestKeyWrap(t);
-  }
-
-  t->PrintLine("Unknown mode '%s'.", t->GetParameter().c_str());
-  return false;
-}
-
-int main(int argc, char **argv) {
-  CRYPTO_library_init();
-
-  if (argc != 2) {
-    fprintf(stderr, "%s <test file.txt>\n", argv[0]);
-    return 1;
-  }
-
-  return FileTestMain(TestAES, nullptr, argv[1]);
-}
@@ -1,87 +0,0 @@
-/* ====================================================================
- * Copyright (c) 2002-2006 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ==================================================================== */
-
-#ifndef OPENSSL_HEADER_AES_INTERNAL_H
-#define OPENSSL_HEADER_AES_INTERNAL_H
-
-#include <openssl/base.h>
-
-#if defined(__cplusplus)
-extern "C" {
-#endif
-
-
-#if defined(_MSC_VER) && \
-    (defined(_M_IX86) || defined(_M_AMD64) || defined(_M_X64))
-#define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
-#define GETU32(p) SWAP(*((uint32_t *)(p)))
-#define PUTU32(ct, st) \
-  { *((uint32_t *)(ct)) = SWAP((st)); }
-#else
-#define GETU32(pt)                                         \
-  (((uint32_t)(pt)[0] << 24) ^ ((uint32_t)(pt)[1] << 16) ^ \
-   ((uint32_t)(pt)[2] << 8) ^ ((uint32_t)(pt)[3]))
-#define PUTU32(ct, st)          \
-  {                             \
-    (ct)[0] = (uint8_t)((st) >> 24); \
-    (ct)[1] = (uint8_t)((st) >> 16); \
-    (ct)[2] = (uint8_t)((st) >> 8);  \
-    (ct)[3] = (uint8_t)(st);         \
-  }
-#endif
-
-#define MAXKC (256 / 32)
-#define MAXKB (256 / 8)
-#define MAXNR 14
-
-
-#if defined(__cplusplus)
-} /* extern C */
-#endif
-
-#endif /* OPENSSL_HEADER_AES_INTERNAL_H */
@@ -28,24 +28,11 @@ add_library(
  f_enum.c
  f_int.c
  f_string.c
-  t_bitst.c
  tasn_dec.c
  tasn_enc.c
  tasn_fre.c
  tasn_new.c
  tasn_typ.c
  tasn_utl.c
-  x_bignum.c
-  x_long.c
+  time_support.c
 )
-
-add_executable(
-  asn1_test
-
-  asn1_test.cc
-
-  $<TARGET_OBJECTS:test_support>
-)
-
-target_link_libraries(asn1_test crypto)
-add_dependencies(all_tests asn1_test)
@@ -56,6 +56,7 @@

 #include <openssl/asn1.h>

+#include <limits.h>
 #include <string.h>

 #include <openssl/err.h>
@@ -139,6 +140,11 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,
        goto err;
    }

+    if (len > INT_MAX) {
+      OPENSSL_PUT_ERROR(ASN1, ASN1_R_STRING_TOO_LONG);
+      goto err;
+    }
+
    if ((a == NULL) || ((*a) == NULL)) {
        if ((ret = M_ASN1_BIT_STRING_new()) == NULL)
            return (NULL);
@@ -211,8 +217,7 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)
        if (a->data == NULL)
            c = (unsigned char *)OPENSSL_malloc(w + 1);
        else
-            c = (unsigned char *)OPENSSL_realloc_clean(a->data,
-                                                       a->length, w + 1);
+            c = (unsigned char *)OPENSSL_realloc(a->data, w + 1);
        if (c == NULL) {
            OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
            return 0;
@@ -140,6 +140,21 @@ void *ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void *x)
 }
 #endif

+typedef struct asn1_const_ctx_st
+    {
+    const unsigned char *p;/* work char pointer */
+    int eos;    /* end of sequence read for indefinite encoding */
+    int error;  /* error code to use when returning an error */
+    int inf;    /* constructed if 0x20, indefinite is 0x21 */
+    int tag;    /* tag from last 'get object' */
+    int xclass; /* class from last 'get object' */
+    long slen;  /* length of last 'get object' */
+    const unsigned char *max; /* largest value of p allowed */
+    const unsigned char *q;/* temporary variable */
+    const unsigned char **pp;/* variable */
+    int line;   /* used in error processing */
+    } ASN1_const_CTX;
+
 #define HEADER_SIZE   8
 #define ASN1_CHUNK_INITIAL_SIZE (16 * 1024)
 static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
@@ -56,6 +56,7 @@

 #include <openssl/asn1.h>

+#include <limits.h>
 #include <string.h>

 #include <openssl/err.h>
@@ -110,7 +111,6 @@ int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v)
 long ASN1_ENUMERATED_get(ASN1_ENUMERATED *a)
 {
    int neg = 0, i;
-    long r = 0;

    if (a == NULL)
        return (0L);
@@ -120,20 +120,31 @@ long ASN1_ENUMERATED_get(ASN1_ENUMERATED *a)
    else if (i != V_ASN1_ENUMERATED)
        return -1;

-    if (a->length > (int)sizeof(long)) {
-        /* hmm... a bit ugly */
-        return (0xffffffffL);
-    }
-    if (a->data == NULL)
-        return 0;
+    OPENSSL_COMPILE_ASSERT(sizeof(uint64_t) >= sizeof(long),
+                           long_larger_than_uint64_t);

-    for (i = 0; i < a->length; i++) {
-        r <<= 8;
-        r |= (unsigned char)a->data[i];
+    if (a->length > (int)sizeof(uint64_t)) {
+        /* hmm... a bit ugly */
+        return -1;
    }
+
+    uint64_t r64 = 0;
+    if (a->data != NULL) {
+      for (i = 0; i < a->length; i++) {
+          r64 <<= 8;
+          r64 |= (unsigned char)a->data[i];
+      }
+
+      if (r64 > LONG_MAX) {
+          return -1;
+      }
+    }
+
+    long r = (long) r64;
    if (neg)
        r = -r;
-    return (r);
+
+    return r;
 }

 ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai)
@@ -61,7 +61,6 @@

 #include <openssl/err.h>
 #include <openssl/mem.h>
-#include <openssl/time_support.h>

 #include "asn1_locl.h"

@@ -149,7 +148,7 @@ int asn1_generalizedtime_to_tm(struct tm *tm, const ASN1_GENERALIZEDTIME *d)
    if (a[o] == 'Z')
        o++;
    else if ((a[o] == '+') || (a[o] == '-')) {
-        int offsign = a[o] == '-' ? -1 : 1, offset = 0;
+        int offsign = a[o] == '-' ? 1 : -1, offset = 0;
        o++;
        if (o + 4 > l)
            goto err;
@@ -81,6 +81,9 @@ int ASN1_i2d_bio(i2d_of_void *i2d, BIO *out, void *x)
    int i, j = 0, n, ret = 1;

    n = i2d(x, NULL);
+    if (n <= 0)
+        return 0;
+
    b = (char *)OPENSSL_malloc(n);
    if (b == NULL) {
        OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
@@ -57,6 +57,7 @@
 #include <openssl/asn1.h>

 #include <string.h>
+#include <limits.h>

 #include <openssl/err.h>
 #include <openssl/mem.h>
@@ -385,7 +386,6 @@ int ASN1_INTEGER_set(ASN1_INTEGER *a, long v)
 long ASN1_INTEGER_get(const ASN1_INTEGER *a)
 {
    int neg = 0, i;
-    long r = 0;

    if (a == NULL)
        return (0L);
@@ -395,20 +395,31 @@ long ASN1_INTEGER_get(const ASN1_INTEGER *a)
    else if (i != V_ASN1_INTEGER)
        return -1;

-    if (a->length > (int)sizeof(long)) {
+    OPENSSL_COMPILE_ASSERT(sizeof(uint64_t) >= sizeof(long),
+                           long_larger_than_uint64_t);
+
+    if (a->length > (int)sizeof(uint64_t)) {
        /* hmm... a bit ugly, return all ones */
        return -1;
    }
-    if (a->data == NULL)
-        return 0;

-    for (i = 0; i < a->length; i++) {
-        r <<= 8;
-        r |= (unsigned char)a->data[i];
+    uint64_t r64 = 0;
+    if (a->data != NULL) {
+      for (i = 0; i < a->length; i++) {
+          r64 <<= 8;
+          r64 |= (unsigned char)a->data[i];
+      }
+
+      if (r64 > LONG_MAX) {
+          return -1;
+      }
    }
+
+    long r = (long) r64;
    if (neg)
        r = -r;
-    return (r);
+
+    return r;
 }

 ASN1_INTEGER *BN_to_ASN1_INTEGER(const BIGNUM *bn, ASN1_INTEGER *ai)
@@ -87,134 +87,6 @@ int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp)
    return (objsize);
 }

-int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num)
-{
-    int i, first, len = 0, c, use_bn;
-    char ftmp[24], *tmp = ftmp;
-    int tmpsize = sizeof ftmp;
-    const char *p;
-    unsigned long l;
-    BIGNUM *bl = NULL;
-
-    if (num == 0)
-        return (0);
-    else if (num == -1)
-        num = strlen(buf);
-
-    p = buf;
-    c = *(p++);
-    num--;
-    if ((c >= '0') && (c <= '2')) {
-        first = c - '0';
-    } else {
-        OPENSSL_PUT_ERROR(ASN1, ASN1_R_FIRST_NUM_TOO_LARGE);
-        goto err;
-    }
-
-    if (num <= 0) {
-        OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_SECOND_NUMBER);
-        goto err;
-    }
-    c = *(p++);
-    num--;
-    for (;;) {
-        if (num <= 0)
-            break;
-        if ((c != '.') && (c != ' ')) {
-            OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_SEPARATOR);
-            goto err;
-        }
-        l = 0;
-        use_bn = 0;
-        for (;;) {
-            if (num <= 0)
-                break;
-            num--;
-            c = *(p++);
-            if ((c == ' ') || (c == '.'))
-                break;
-            if ((c < '0') || (c > '9')) {
-                OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_DIGIT);
-                goto err;
-            }
-            if (!use_bn && l >= ((ULONG_MAX - 80) / 10L)) {
-                use_bn = 1;
-                if (!bl)
-                    bl = BN_new();
-                if (!bl || !BN_set_word(bl, l))
-                    goto err;
-            }
-            if (use_bn) {
-                if (!BN_mul_word(bl, 10L)
-                    || !BN_add_word(bl, c - '0'))
-                    goto err;
-            } else
-                l = l * 10L + (long)(c - '0');
-        }
-        if (len == 0) {
-            if ((first < 2) && (l >= 40)) {
-                OPENSSL_PUT_ERROR(ASN1, ASN1_R_SECOND_NUMBER_TOO_LARGE);
-                goto err;
-            }
-            if (use_bn) {
-                if (!BN_add_word(bl, first * 40))
-                    goto err;
-            } else
-                l += (long)first *40;
-        }
-        i = 0;
-        if (use_bn) {
-            int blsize;
-            blsize = BN_num_bits(bl);
-            blsize = (blsize + 6) / 7;
-            if (blsize > tmpsize) {
-                if (tmp != ftmp)
-                    OPENSSL_free(tmp);
-                tmpsize = blsize + 32;
-                tmp = OPENSSL_malloc(tmpsize);
-                if (!tmp)
-                    goto err;
-            }
-            while (blsize--) {
-                BN_ULONG t = BN_div_word(bl, 0x80L);
-                if (t == (BN_ULONG)-1)
-                    goto err;
-                tmp[i++] = (unsigned char)t;
-            }
-        } else {
-
-            for (;;) {
-                tmp[i++] = (unsigned char)l & 0x7f;
-                l >>= 7L;
-                if (l == 0L)
-                    break;
-            }
-
-        }
-        if (out != NULL) {
-            if (len + i > olen) {
-                OPENSSL_PUT_ERROR(ASN1, ASN1_R_BUFFER_TOO_SMALL);
-                goto err;
-            }
-            while (--i > 0)
-                out[len++] = tmp[i] | 0x80;
-            out[len++] = tmp[0];
-        } else
-            len += i;
-    }
-    if (tmp != ftmp)
-        OPENSSL_free(tmp);
-    if (bl)
-        BN_free(bl);
-    return (len);
- err:
-    if (tmp != ftmp)
-        OPENSSL_free(tmp);
-    if (bl)
-        BN_free(bl);
-    return (0);
-}
-
 int i2t_ASN1_OBJECT(char *buf, int buf_len, ASN1_OBJECT *a)
 {
    return OBJ_obj2txt(buf, buf_len, a, 0);
@@ -91,31 +91,3 @@ int ASN1_PRINTABLE_type(const unsigned char *s, int len)
        return (V_ASN1_IA5STRING);
    return (V_ASN1_PRINTABLESTRING);
 }
-
-int ASN1_UNIVERSALSTRING_to_string(ASN1_UNIVERSALSTRING *s)
-{
-    int i;
-    unsigned char *p;
-
-    if (s->type != V_ASN1_UNIVERSALSTRING)
-        return (0);
-    if ((s->length % 4) != 0)
-        return (0);
-    p = s->data;
-    for (i = 0; i < s->length; i += 4) {
-        if ((p[0] != '\0') || (p[1] != '\0') || (p[2] != '\0'))
-            break;
-        else
-            p += 4;
-    }
-    if (i < s->length)
-        return (0);
-    p = s->data;
-    for (i = 3; i < s->length; i += 4) {
-        *(p++) = s->data[i];
-    }
-    *(p) = '\0';
-    s->length /= 4;
-    s->type = ASN1_PRINTABLE_type(s->data, s->length);
-    return (1);
-}
@@ -62,6 +62,9 @@
 #include <openssl/err.h>
 #include <openssl/mem.h>
 #include <openssl/obj.h>
+#include <openssl/stack.h>
+
+DEFINE_STACK_OF(ASN1_STRING_TABLE)

 static STACK_OF(ASN1_STRING_TABLE) *stable = NULL;
 static void st_free(ASN1_STRING_TABLE *tbl);
@@ -63,7 +63,6 @@
 #include <openssl/buf.h>
 #include <openssl/err.h>
 #include <openssl/mem.h>
-#include <openssl/time_support.h>

 #include "asn1_locl.h"

@@ -115,7 +114,7 @@ int ASN1_TIME_check(ASN1_TIME *t)
 ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t,
                                                   ASN1_GENERALIZEDTIME **out)
 {
-    ASN1_GENERALIZEDTIME *ret;
+    ASN1_GENERALIZEDTIME *ret = NULL;
    char *str;
    int newlen;

@@ -124,22 +123,21 @@ ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t,

    if (!out || !*out) {
        if (!(ret = ASN1_GENERALIZEDTIME_new()))
-            return NULL;
-        if (out)
-            *out = ret;
-    } else
+            goto err;
+    } else {
        ret = *out;
+    }

    /* If already GeneralizedTime just copy across */
    if (t->type == V_ASN1_GENERALIZEDTIME) {
        if (!ASN1_STRING_set(ret, t->data, t->length))
-            return NULL;
-        return ret;
+            goto err;
+        goto done;
    }

    /* grow the string */
    if (!ASN1_STRING_set(ret, NULL, t->length + 2))
-        return NULL;
+        goto err;
    /* ASN1_STRING_set() allocated 'len + 1' bytes. */
    newlen = t->length + 2 + 1;
    str = (char *)ret->data;
@@ -151,9 +149,18 @@ ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t,

    BUF_strlcat(str, (char *)t->data, newlen);

-    return ret;
+ done:
+   if (out != NULL && *out == NULL)
+       *out = ret;
+   return ret;
+
+ err:
+    if (out == NULL || *out != ret)
+        ASN1_GENERALIZEDTIME_free(ret);
+    return NULL;
 }

+
 int ASN1_TIME_set_string(ASN1_TIME *s, const char *str)
 {
    ASN1_TIME t;
@@ -61,7 +61,6 @@

 #include <openssl/err.h>
 #include <openssl/mem.h>
-#include <openssl/time_support.h>

 #include "asn1_locl.h"

@@ -128,7 +127,7 @@ int asn1_utctime_to_tm(struct tm *tm, const ASN1_UTCTIME *d)
    if (a[o] == 'Z')
        o++;
    else if ((a[o] == '+') || (a[o] == '-')) {
-        int offsign = a[o] == '-' ? -1 : 1, offset = 0;
+        int offsign = a[o] == '-' ? 1 : -1, offset = 0;
        o++;
        if (o + 4 > l)
            goto err;
@@ -107,30 +107,6 @@ static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
                           long max);
 static void asn1_put_length(unsigned char **pp, int length);

-static int _asn1_check_infinite_end(const unsigned char **p, long len)
-{
-    /*
-     * If there is 0 or 1 byte left, the length check should pick things up
-     */
-    if (len <= 0)
-        return (1);
-    else if ((len >= 2) && ((*p)[0] == 0) && ((*p)[1] == 0)) {
-        (*p) += 2;
-        return (1);
-    }
-    return (0);
-}
-
-int ASN1_check_infinite_end(unsigned char **p, long len)
-{
-    return _asn1_check_infinite_end((const unsigned char **)p, len);
-}
-
-int ASN1_const_check_infinite_end(const unsigned char **p, long len)
-{
-    return _asn1_check_infinite_end(p, len);
-}
-
 int ASN1_get_object(const unsigned char **pp, long *plength, int *ptag,
                    int *pclass, long omax)
 {
@@ -327,31 +303,6 @@ int ASN1_object_size(int constructed, int length, int tag)
    return ret + length;
 }

-static int _asn1_Finish(ASN1_const_CTX *c)
-{
-    if ((c->inf == (1 | V_ASN1_CONSTRUCTED)) && (!c->eos)) {
-        if (!ASN1_const_check_infinite_end(&c->p, c->slen)) {
-            c->error = ASN1_R_MISSING_ASN1_EOS;
-            return (0);
-        }
-    }
-    if (((c->slen != 0) && !(c->inf & 1)) || ((c->slen < 0) && (c->inf & 1))) {
-        c->error = ASN1_R_ASN1_LENGTH_MISMATCH;
-        return (0);
-    }
-    return (1);
-}
-
-int asn1_Finish(ASN1_CTX *c)
-{
-    return _asn1_Finish((ASN1_const_CTX *)c);
-}
-
-int asn1_const_Finish(ASN1_const_CTX *c)
-{
-    return _asn1_Finish(c);
-}
-
 int ASN1_STRING_copy(ASN1_STRING *dst, const ASN1_STRING *str)
 {
    if (str == NULL)
@@ -484,3 +435,8 @@ unsigned char *ASN1_STRING_data(ASN1_STRING *x)
 {
    return M_ASN1_STRING_data(x);
 }
+
+const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x)
+{
+    return x->data;
+}
@@ -57,7 +57,45 @@
 *
 */

+#ifndef OPENSSL_HEADER_ASN1_ASN1_LOCL_H
+#define OPENSSL_HEADER_ASN1_ASN1_LOCL_H
+
+#include <time.h>
+
+#include <openssl/asn1.h>
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+/* Wrapper functions for time functions. */
+
+/* OPENSSL_gmtime wraps |gmtime_r|. See the manual page for that function. */
+struct tm *OPENSSL_gmtime(const time_t *time, struct tm *result);
+
+/* OPENSSL_gmtime_adj updates |tm| by adding |offset_day| days and |offset_sec|
+ * seconds. */
+int OPENSSL_gmtime_adj(struct tm *tm, int offset_day, long offset_sec);
+
+/* OPENSSL_gmtime_diff calculates the difference between |from| and |to| and
+ * outputs the difference as a number of days and seconds in |*out_days| and
+ * |*out_secs|. */
+int OPENSSL_gmtime_diff(int *out_days, int *out_secs, const struct tm *from,
+                        const struct tm *to);
+
+
 /* Internal ASN1 structures and functions: not for application use */

 int asn1_utctime_to_tm(struct tm *tm, const ASN1_UTCTIME *d);
 int asn1_generalizedtime_to_tm(struct tm *tm, const ASN1_GENERALIZEDTIME *d);
+
+void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it,
+                            int combine);
+
+
+#if defined(__cplusplus)
+}  /* extern C */
+#endif
+
+#endif  /* OPENSSL_HEADER_ASN1_ASN1_LOCL_H */
@@ -14,10 +14,13 @@

 #include <stdio.h>

+#include <gtest/gtest.h>
+
 #include <openssl/asn1.h>
-#include <openssl/crypto.h>
 #include <openssl/err.h>

+#include "../test/test_util.h"
+

 // kTag128 is an ASN.1 structure with a universal tag with number 128.
 static const uint8_t kTag128[] = {
@@ -38,42 +41,22 @@ static const uint8_t kTagOverflow[] = {
    0x1f, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x01, 0x00,
 };

-static bool TestLargeTags() {
+TEST(ASN1Test, LargeTags) {
  const uint8_t *p = kTag258;
  bssl::UniquePtr<ASN1_TYPE> obj(d2i_ASN1_TYPE(NULL, &p, sizeof(kTag258)));
-  if (obj) {
-    fprintf(stderr, "Parsed value with illegal tag (type = %d).\n", obj->type);
-    return false;
-  }
+  EXPECT_FALSE(obj) << "Parsed value with illegal tag" << obj->type;
  ERR_clear_error();

  p = kTagOverflow;
  obj.reset(d2i_ASN1_TYPE(NULL, &p, sizeof(kTagOverflow)));
-  if (obj) {
-    fprintf(stderr, "Parsed value with tag overflow (type = %d).\n", obj->type);
-    return false;
-  }
+  EXPECT_FALSE(obj) << "Parsed value with tag overflow" << obj->type;
  ERR_clear_error();

  p = kTag128;
  obj.reset(d2i_ASN1_TYPE(NULL, &p, sizeof(kTag128)));
-  if (!obj || obj->type != 128 || obj->value.asn1_string->length != 1 ||
-      obj->value.asn1_string->data[0] != 0) {
-    fprintf(stderr, "Failed to parse value with tag 128.\n");
-    ERR_print_errors_fp(stderr);
-    return false;
-  }
-
-  return true;
-}
-
-int main() {
-  CRYPTO_library_init();
-
-  if (!TestLargeTags()) {
-    return 1;
-  }
-
-  printf("PASS\n");
-  return 0;
+  ASSERT_TRUE(obj);
+  EXPECT_EQ(128, obj->type);
+  const uint8_t kZero = 0;
+  EXPECT_EQ(Bytes(&kZero, 1), Bytes(obj->value.asn1_string->data,
+                                    obj->value.asn1_string->length));
 }
@@ -1,103 +0,0 @@
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.] */
-
-#include <openssl/asn1.h>
-
-#include <string.h>
-
-#include <openssl/mem.h>
-
-int ASN1_BIT_STRING_name_print(BIO *out, ASN1_BIT_STRING *bs,
-                               BIT_STRING_BITNAME *tbl, int indent)
-{
-    BIT_STRING_BITNAME *bnam;
-    char first = 1;
-    BIO_printf(out, "%*s", indent, "");
-    for (bnam = tbl; bnam->lname; bnam++) {
-        if (ASN1_BIT_STRING_get_bit(bs, bnam->bitnum)) {
-            if (!first)
-                BIO_puts(out, ", ");
-            BIO_puts(out, bnam->lname);
-            first = 0;
-        }
-    }
-    BIO_puts(out, "\n");
-    return 1;
-}
-
-int ASN1_BIT_STRING_set_asc(ASN1_BIT_STRING *bs, char *name, int value,
-                            BIT_STRING_BITNAME *tbl)
-{
-    int bitnum;
-    bitnum = ASN1_BIT_STRING_num_asc(name, tbl);
-    if (bitnum < 0)
-        return 0;
-    if (bs) {
-        if (!ASN1_BIT_STRING_set_bit(bs, bitnum, value))
-            return 0;
-    }
-    return 1;
-}
-
-int ASN1_BIT_STRING_num_asc(char *name, BIT_STRING_BITNAME *tbl)
-{
-    BIT_STRING_BITNAME *bnam;
-    for (bnam = tbl; bnam->lname; bnam++) {
-        if (!strcmp(bnam->sname, name) || !strcmp(bnam->lname, name))
-            return bnam->bitnum;
-    }
-    return -1;
-}
@@ -56,6 +56,7 @@

 #include <openssl/asn1.h>

+#include <limits.h>
 #include <string.h>

 #include <openssl/asn1t.h>
@@ -147,15 +148,6 @@ ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval,
    return NULL;
 }

-int ASN1_template_d2i(ASN1_VALUE **pval,
-                      const unsigned char **in, long len,
-                      const ASN1_TEMPLATE *tt)
-{
-    ASN1_TLC c;
-    asn1_tlc_clear_nc(&c);
-    return asn1_template_ex_d2i(pval, in, len, tt, 0, &c);
-}
-
 /*
 * Decode an item, taking care of IMPLICIT tagging, if any. If 'opt' set and
 * tag mismatch return -1 to handle OPTIONAL
@@ -180,6 +172,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
    int ret = 0;
    ASN1_VALUE **pchptr, *ptmpval;
    int combine = aclass & ASN1_TFLG_COMBINE;
+    aclass &= ~ASN1_TFLG_COMBINE;
    if (!pval)
        return 0;
    if (aux && aux->asn1_cb)
@@ -187,6 +180,14 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
    else
        asn1_cb = 0;

+    /*
+     * Bound |len| to comfortably fit in an int. Lengths in this module often
+     * switch between int and long without overflow checks.
+     */
+    if (len > INT_MAX/2) {
+        len = INT_MAX/2;
+    }
+
    switch (it->itype) {
    case ASN1_ITYPE_PRIMITIVE:
        if (it->templates) {
@@ -667,6 +668,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
            }
            len -= p - q;
            if (!sk_ASN1_VALUE_push((STACK_OF(ASN1_VALUE) *)*val, skfield)) {
+                ASN1_item_ex_free(&skfield, ASN1_ITEM_ptr(tt->item));
                OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
                goto err;
            }
@@ -256,12 +256,6 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
    return 0;
 }

-int ASN1_template_i2d(ASN1_VALUE **pval, unsigned char **out,
-                      const ASN1_TEMPLATE *tt)
-{
-    return asn1_template_ex_i2d(pval, out, tt, -1, 0);
-}
-
 static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
                                const ASN1_TEMPLATE *tt, int tag, int iclass)
 {
@@ -59,8 +59,7 @@
 #include <openssl/asn1t.h>
 #include <openssl/mem.h>

-static void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it,
-                                   int combine);
+#include "asn1_locl.h"

 /* Free up an ASN1 structure */

@@ -74,8 +73,7 @@ void ASN1_item_ex_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
    asn1_item_combine_free(pval, it, 0);
 }

-static void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it,
-                                   int combine)
+void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine)
 {
    const ASN1_TEMPLATE *tt = NULL, *seqtt;
    const ASN1_EXTERN_FUNCS *ef;
@@ -63,6 +63,7 @@
 #include <openssl/mem.h>
 #include <openssl/obj.h>

+#include "asn1_locl.h"
 #include "../internal.h"


@@ -160,7 +161,7 @@ static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
        }
        asn1_set_choice_selector(pval, -1, it);
        if (asn1_cb && !asn1_cb(ASN1_OP_NEW_POST, pval, it, NULL))
-            goto auxerr;
+            goto auxerr2;
        break;

    case ASN1_ITYPE_NDEF_SEQUENCE:
@@ -188,10 +189,10 @@ static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
        for (i = 0, tt = it->templates; i < it->tcount; tt++, i++) {
            pseqval = asn1_get_field_ptr(pval, tt);
            if (!ASN1_template_new(pseqval, tt))
-                goto memerr;
+                goto memerr2;
        }
        if (asn1_cb && !asn1_cb(ASN1_OP_NEW_POST, pval, it, NULL))
-            goto auxerr;
+            goto auxerr2;
        break;
    }
 #ifdef CRYPTO_MDEBUG
@@ -200,18 +201,20 @@ static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
 #endif
    return 1;

+ memerr2:
+    asn1_item_combine_free(pval, it, combine);
 memerr:
    OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
-    ASN1_item_ex_free(pval, it);
 #ifdef CRYPTO_MDEBUG
    if (it->sname)
        CRYPTO_pop_info();
 #endif
    return 0;

+ auxerr2:
+    asn1_item_combine_free(pval, it, combine);
 auxerr:
    OPENSSL_PUT_ERROR(ASN1, ASN1_R_AUX_ERROR);
-    ASN1_item_ex_free(pval, it);
 #ifdef CRYPTO_MDEBUG
    if (it->sname)
        CRYPTO_pop_info();
@@ -59,7 +59,7 @@
 #define _POSIX_C_SOURCE 201410L  /* for gmtime_r */
 #endif

-#include <openssl/time_support.h>
+#include "asn1_locl.h"

 #include <time.h>

@@ -171,7 +171,7 @@ int OPENSSL_gmtime_adj(struct tm *tm, int off_day, long offset_sec) {
  return 1;
 }

-int OPENSSL_gmtime_diff(int *pday, int *psec, const struct tm *from,
+int OPENSSL_gmtime_diff(int *out_days, int *out_secs, const struct tm *from,
                        const struct tm *to) {
  int from_sec, to_sec, diff_sec;
  long from_jd, to_jd, diff_day;
@@ -195,11 +195,11 @@ int OPENSSL_gmtime_diff(int *pday, int *psec, const struct tm *from,
    diff_sec -= SECS_PER_DAY;
  }

-  if (pday) {
-    *pday = (int)diff_day;
+  if (out_days) {
+    *out_days = (int)diff_day;
  }
-  if (psec) {
-    *psec = diff_sec;
+  if (out_secs) {
+    *out_secs = diff_sec;
  }

  return 1;
@@ -1,153 +0,0 @@
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.] */
-
-#include <openssl/asn1.h>
-
-#include <openssl/asn1t.h>
-#include <openssl/bn.h>
-
-/*
- * Custom primitive type for BIGNUM handling. This reads in an ASN1_INTEGER
- * as a BIGNUM directly. Currently it ignores the sign which isn't a problem
- * since all BIGNUMs used are non negative and anything that looks negative
- * is normally due to an encoding error.
- */
-
-#define BN_SENSITIVE    1
-
-static int bn_new(ASN1_VALUE **pval, const ASN1_ITEM *it);
-static void bn_free(ASN1_VALUE **pval, const ASN1_ITEM *it);
-
-static int bn_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype,
-                  const ASN1_ITEM *it);
-static int bn_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
-                  int utype, char *free_cont, const ASN1_ITEM *it);
-
-static const ASN1_PRIMITIVE_FUNCS bignum_pf = {
-    NULL, 0,
-    bn_new,
-    bn_free,
-    0,
-    bn_c2i,
-    bn_i2c,
-    NULL /* prim_print */ ,
-};
-
-ASN1_ITEM_start(BIGNUM)
-        ASN1_ITYPE_PRIMITIVE, V_ASN1_INTEGER, NULL, 0, &bignum_pf, 0, "BIGNUM"
-ASN1_ITEM_end(BIGNUM)
-
-ASN1_ITEM_start(CBIGNUM)
-        ASN1_ITYPE_PRIMITIVE, V_ASN1_INTEGER, NULL, 0, &bignum_pf, BN_SENSITIVE, "BIGNUM"
-ASN1_ITEM_end(CBIGNUM)
-
-static int bn_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
-{
-    *pval = (ASN1_VALUE *)BN_new();
-    if (*pval)
-        return 1;
-    else
-        return 0;
-}
-
-static void bn_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
-{
-    if (!*pval)
-        return;
-    if (it->size & BN_SENSITIVE)
-        BN_clear_free((BIGNUM *)*pval);
-    else
-        BN_free((BIGNUM *)*pval);
-    *pval = NULL;
-}
-
-static int bn_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype,
-                  const ASN1_ITEM *it)
-{
-    BIGNUM *bn;
-    int pad;
-    if (!*pval)
-        return -1;
-    bn = (BIGNUM *)*pval;
-    /* If MSB set in an octet we need a padding byte */
-    if (BN_num_bits(bn) & 0x7)
-        pad = 0;
-    else
-        pad = 1;
-    if (cont) {
-        if (pad)
-            *cont++ = 0;
-        BN_bn2bin(bn, cont);
-    }
-    return pad + BN_num_bytes(bn);
-}
-
-static int bn_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
-                  int utype, char *free_cont, const ASN1_ITEM *it)
-{
-    BIGNUM *bn;
-    if (!*pval) {
-        if (!bn_new(pval, it)) {
-            return 0;
-        }
-    }
-    bn = (BIGNUM *)*pval;
-    if (!BN_bin2bn(cont, len, bn)) {
-        bn_free(pval, it);
-        return 0;
-    }
-    return 1;
-}
@@ -1,200 +0,0 @@
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.] */
-
-#include <openssl/asn1.h>
-
-#include <string.h>
-
-#include <openssl/asn1t.h>
-#include <openssl/bn.h>
-#include <openssl/err.h>
-#include <openssl/mem.h>
-
-#include "../internal.h"
-
-
-/*
- * Custom primitive type for long handling. This converts between an
- * ASN1_INTEGER and a long directly.
- */
-
-static int long_new(ASN1_VALUE **pval, const ASN1_ITEM *it);
-static void long_free(ASN1_VALUE **pval, const ASN1_ITEM *it);
-
-static int long_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype,
-                    const ASN1_ITEM *it);
-static int long_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
-                    int utype, char *free_cont, const ASN1_ITEM *it);
-static int long_print(BIO *out, ASN1_VALUE **pval, const ASN1_ITEM *it,
-                      int indent, const ASN1_PCTX *pctx);
-
-static const ASN1_PRIMITIVE_FUNCS long_pf = {
-    NULL, 0,
-    long_new,
-    long_free,
-    long_free,                  /* Clear should set to initial value */
-    long_c2i,
-    long_i2c,
-    long_print
-};
-
-ASN1_ITEM_start(LONG)
-        ASN1_ITYPE_PRIMITIVE, V_ASN1_INTEGER, NULL, 0, &long_pf, ASN1_LONG_UNDEF, "LONG"
-ASN1_ITEM_end(LONG)
-
-ASN1_ITEM_start(ZLONG)
-        ASN1_ITYPE_PRIMITIVE, V_ASN1_INTEGER, NULL, 0, &long_pf, 0, "ZLONG"
-ASN1_ITEM_end(ZLONG)
-
-static int long_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
-{
-    *(long *)pval = it->size;
-    return 1;
-}
-
-static void long_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
-{
-    *(long *)pval = it->size;
-}
-
-static int long_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype,
-                    const ASN1_ITEM *it)
-{
-    long ltmp;
-    unsigned long utmp;
-    int clen, pad, i;
-    /* this exists to bypass broken gcc optimization */
-    char *cp = (char *)pval;
-
-    /* use memcpy, because we may not be long aligned */
-    OPENSSL_memcpy(&ltmp, cp, sizeof(long));
-
-    if (ltmp == it->size)
-        return -1;
-    /*
-     * Convert the long to positive: we subtract one if negative so we can
-     * cleanly handle the padding if only the MSB of the leading octet is
-     * set.
-     */
-    if (ltmp < 0)
-        utmp = -ltmp - 1;
-    else
-        utmp = ltmp;
-    clen = BN_num_bits_word(utmp);
-    /* If MSB of leading octet set we need to pad */
-    if (!(clen & 0x7))
-        pad = 1;
-    else
-        pad = 0;
-
-    /* Convert number of bits to number of octets */
-    clen = (clen + 7) >> 3;
-
-    if (cont) {
-        if (pad)
-            *cont++ = (ltmp < 0) ? 0xff : 0;
-        for (i = clen - 1; i >= 0; i--) {
-            cont[i] = (unsigned char)(utmp & 0xff);
-            if (ltmp < 0)
-                cont[i] ^= 0xff;
-            utmp >>= 8;
-        }
-    }
-    return clen + pad;
-}
-
-static int long_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
-                    int utype, char *free_cont, const ASN1_ITEM *it)
-{
-    int neg, i;
-    long ltmp;
-    unsigned long utmp = 0;
-    char *cp = (char *)pval;
-    if (len > (int)sizeof(long)) {
-        OPENSSL_PUT_ERROR(ASN1, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG);
-        return 0;
-    }
-    /* Is it negative? */
-    if (len && (cont[0] & 0x80))
-        neg = 1;
-    else
-        neg = 0;
-    utmp = 0;
-    for (i = 0; i < len; i++) {
-        utmp <<= 8;
-        if (neg)
-            utmp |= cont[i] ^ 0xff;
-        else
-            utmp |= cont[i];
-    }
-    ltmp = (long)utmp;
-    if (neg) {
-        ltmp++;
-        ltmp = -ltmp;
-    }
-    if (ltmp == it->size) {
-        OPENSSL_PUT_ERROR(ASN1, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG);
-        return 0;
-    }
-    OPENSSL_memcpy(cp, &ltmp, sizeof(long));
-    return 1;
-}
-
-static int long_print(BIO *out, ASN1_VALUE **pval, const ASN1_ITEM *it,
-                      int indent, const ASN1_PCTX *pctx)
-{
-    return BIO_printf(out, "%ld\n", *(long *)pval);
-}
@@ -7,14 +7,3 @@ add_library(

  base64.c
 )
-
-add_executable(
-  base64_test
-
-  base64_test.cc
-
-  $<TARGET_OBJECTS:test_support>
-)
-
-target_link_libraries(base64_test crypto)
-add_dependencies(all_tests base64_test)
@@ -65,12 +65,38 @@
 #include "../internal.h"


-/* Encoding. */
+// constant_time_lt_args_8 behaves like |constant_time_lt_8| but takes |uint8_t|
+// arguments for a slightly simpler implementation.
+static inline uint8_t constant_time_lt_args_8(uint8_t a, uint8_t b) {
+  crypto_word_t aw = a;
+  crypto_word_t bw = b;
+  // |crypto_word_t| is larger than |uint8_t|, so |aw| and |bw| have the same
+  // MSB. |aw| < |bw| iff MSB(|aw| - |bw|) is 1.
+  return constant_time_msb_w(aw - bw);
+}

-static const unsigned char data_bin2ascii[65] =
-    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+// constant_time_in_range_8 returns |CONSTTIME_TRUE_8| if |min| <= |a| <= |max|
+// and |CONSTTIME_FALSE_8| otherwise.
+static inline uint8_t constant_time_in_range_8(uint8_t a, uint8_t min,
+                                               uint8_t max) {
+  a -= min;
+  return constant_time_lt_args_8(a, max - min + 1);
+}

-#define conv_bin2ascii(a) (data_bin2ascii[(a) & 0x3f])
+// Encoding.
+
+static uint8_t conv_bin2ascii(uint8_t a) {
+  // Since PEM is sometimes used to carry private keys, we encode base64 data
+  // itself in constant-time.
+  a &= 0x3f;
+  uint8_t ret = constant_time_select_8(constant_time_eq_8(a, 62), '+', '/');
+  ret =
+      constant_time_select_8(constant_time_lt_args_8(a, 62), a - 52 + '0', ret);
+  ret =
+      constant_time_select_8(constant_time_lt_args_8(a, 52), a - 26 + 'a', ret);
+  ret = constant_time_select_8(constant_time_lt_args_8(a, 26), a + 'A', ret);
+  return ret;
+}

 OPENSSL_COMPILE_ASSERT(sizeof(((EVP_ENCODE_CTX *)(NULL))->data) % 3 == 0,
                       data_length_must_be_multiple_of_base64_chunk_size);
@@ -157,8 +183,8 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, uint8_t *out, int *out_len,
  ctx->data_used = (unsigned)in_len;

  if (total > INT_MAX) {
-    /* We cannot signal an error, but we can at least avoid making *out_len
-     * negative. */
+    // We cannot signal an error, but we can at least avoid making *out_len
+    // negative.
    total = 0;
  }
  *out_len = (int)total;
@@ -175,8 +201,8 @@ void EVP_EncodeFinal(EVP_ENCODE_CTX *ctx, uint8_t *out, int *out_len) {
  out[encoded] = '\0';
  ctx->data_used = 0;

-  /* ctx->data_used is bounded by sizeof(ctx->data), so this does not
-   * overflow. */
+  // ctx->data_used is bounded by sizeof(ctx->data), so this does not
+  // overflow.
  assert(encoded <= INT_MAX);
  *out_len = (int)encoded;
 }
@@ -214,7 +240,7 @@ size_t EVP_EncodeBlock(uint8_t *dst, const uint8_t *src, size_t src_len) {
 }


-/* Decoding. */
+// Decoding.

 int EVP_DecodedLength(size_t *out_len, size_t len) {
  if (len % 4 != 0) {
@@ -229,35 +255,31 @@ void EVP_DecodeInit(EVP_ENCODE_CTX *ctx) {
  OPENSSL_memset(ctx, 0, sizeof(EVP_ENCODE_CTX));
 }

-/* kBase64ASCIIToBinData maps characters (c < 128) to their base64 value, or
- * else 0xff if they are invalid. As a special case, the padding character
- * ('=') is mapped to zero. */
-static const uint8_t kBase64ASCIIToBinData[128] = {
-    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
-    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff,
-    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3e, 0xff, 0xff, 0xff, 0x3f,
-    0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0xff, 0xff,
-    0xff, 0x00, 0xff, 0xff, 0xff, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
-    0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12,
-    0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0xff, 0xff, 0xff, 0xff, 0xff,
-    0xff, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23, 0x24,
-    0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30,
-    0x31, 0x32, 0x33, 0xff, 0xff, 0xff, 0xff, 0xff,
-};
-
 static uint8_t base64_ascii_to_bin(uint8_t a) {
-  if (a >= 128) {
-    return 0xFF;
-  }
+  // Since PEM is sometimes used to carry private keys, we decode base64 data
+  // itself in constant-time.
+  const uint8_t is_upper = constant_time_in_range_8(a, 'A', 'Z');
+  const uint8_t is_lower = constant_time_in_range_8(a, 'a', 'z');
+  const uint8_t is_digit = constant_time_in_range_8(a, '0', '9');
+  const uint8_t is_plus = constant_time_eq_8(a, '+');
+  const uint8_t is_slash = constant_time_eq_8(a, '/');
+  const uint8_t is_equals = constant_time_eq_8(a, '=');

-  return kBase64ASCIIToBinData[a];
+  uint8_t ret = 0xff;  // 0xff signals invalid.
+  ret = constant_time_select_8(is_upper, a - 'A', ret);       // [0,26)
+  ret = constant_time_select_8(is_lower, a - 'a' + 26, ret);  // [26,52)
+  ret = constant_time_select_8(is_digit, a - '0' + 52, ret);  // [52,62)
+  ret = constant_time_select_8(is_plus, 62, ret);
+  ret = constant_time_select_8(is_slash, 63, ret);
+  // Padding maps to zero, to be further handled by the caller.
+  ret = constant_time_select_8(is_equals, 0, ret);
+  return ret;
 }

-/* base64_decode_quad decodes a single “quad” (i.e. four characters) of base64
- * data and writes up to three bytes to |out|. It sets |*out_num_bytes| to the
- * number of bytes written, which will be less than three if the quad ended
- * with padding.  It returns one on success or zero on error. */
+// base64_decode_quad decodes a single “quad” (i.e. four characters) of base64
+// data and writes up to three bytes to |out|. It sets |*out_num_bytes| to the
+// number of bytes written, which will be less than three if the quad ended
+// with padding.  It returns one on success or zero on error.
 static int base64_decode_quad(uint8_t *out, size_t *out_num_bytes,
                              const uint8_t *in) {
  const uint8_t a = base64_ascii_to_bin(in[0]);
@@ -278,20 +300,20 @@ static int base64_decode_quad(uint8_t *out, size_t *out_num_bytes,

  switch (padding_pattern) {
    case 0:
-      /* The common case of no padding. */
+      // The common case of no padding.
      *out_num_bytes = 3;
      out[0] = v >> 16;
      out[1] = v >> 8;
      out[2] = v;
      break;

-    case 1: /* xxx= */
+    case 1:  // xxx=
      *out_num_bytes = 2;
      out[0] = v >> 16;
      out[1] = v >> 8;
      break;

-    case 3: /* xx== */
+    case 3:  // xx==
      *out_num_bytes = 1;
      out[0] = v >> 16;
      break;
@@ -322,7 +344,7 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, uint8_t *out, int *out_len,
        continue;
    }

-    if (base64_ascii_to_bin(c) == 0xff || ctx->eof_seen) {
+    if (ctx->eof_seen) {
      ctx->error_encountered = 1;
      return -1;
    }
@@ -402,7 +424,7 @@ int EVP_DecodeBase64(uint8_t *out, size_t *out_len, size_t max_out,
 }

 int EVP_DecodeBlock(uint8_t *dst, const uint8_t *src, size_t src_len) {
-  /* Trim spaces and tabs from the beginning of the input. */
+  // Trim spaces and tabs from the beginning of the input.
  while (src_len > 0) {
    if (src[0] != ' ' && src[0] != '\t') {
      break;
@@ -412,7 +434,7 @@ int EVP_DecodeBlock(uint8_t *dst, const uint8_t *src, size_t src_len) {
    src_len--;
  }

-  /* Trim newlines, spaces and tabs from the end of the line. */
+  // Trim newlines, spaces and tabs from the end of the line.
  while (src_len > 0) {
    switch (src[src_len-1]) {
      case ' ':
@@ -433,8 +455,8 @@ int EVP_DecodeBlock(uint8_t *dst, const uint8_t *src, size_t src_len) {
    return -1;
  }

-  /* EVP_DecodeBlock does not take padding into account, so put the
-   * NULs back in... so the caller can strip them back out. */
+  // EVP_DecodeBlock does not take padding into account, so put the
+  // NULs back in... so the caller can strip them back out.
  while (dst_len % 3 != 0) {
    dst[dst_len++] = '\0';
  }
@@ -18,11 +18,14 @@
 #include <string>
 #include <vector>

+#include <gtest/gtest.h>
+
 #include <openssl/base64.h>
 #include <openssl/crypto.h>
 #include <openssl/err.h>

 #include "../internal.h"
+#include "../test/test_util.h"


 enum encoding_relation {
@@ -100,7 +103,9 @@ static const TestVector kTestVectors[] = {
     "=======\n"},
 };

-static const size_t kNumTests = OPENSSL_ARRAY_SIZE(kTestVectors);
+class Base64Test : public testing::TestWithParam<TestVector> {};
+
+INSTANTIATE_TEST_CASE_P(, Base64Test, testing::ValuesIn(kTestVectors));

 // RemoveNewlines returns a copy of |in| with all '\n' characters removed.
 static std::string RemoveNewlines(const char *in) {
@@ -116,281 +121,187 @@ static std::string RemoveNewlines(const char *in) {
  return ret;
 }

-static bool TestEncodeBlock() {
-  for (unsigned i = 0; i < kNumTests; i++) {
-    const TestVector *t = &kTestVectors[i];
-    if (t->relation != canonical) {
-      continue;
-    }
+TEST_P(Base64Test, EncodeBlock) {
+  const TestVector &t = GetParam();
+  if (t.relation != canonical) {
+    return;
+  }

-    const size_t decoded_len = strlen(t->decoded);
+  const size_t decoded_len = strlen(t.decoded);
+  size_t max_encoded_len;
+  ASSERT_TRUE(EVP_EncodedLength(&max_encoded_len, decoded_len));
+
+  std::vector<uint8_t> out_vec(max_encoded_len);
+  uint8_t *out = out_vec.data();
+  size_t len = EVP_EncodeBlock(out, (const uint8_t *)t.decoded, decoded_len);
+
+  std::string encoded(RemoveNewlines(t.encoded));
+  EXPECT_EQ(Bytes(encoded), Bytes(out, len));
+}
+
+TEST_P(Base64Test, DecodeBase64) {
+  const TestVector &t = GetParam();
+  if (t.relation == valid) {
+    // The non-canonical encodings will generally have odd whitespace etc
+    // that |EVP_DecodeBase64| will reject.
+    return;
+  }
+
+  const std::string encoded(RemoveNewlines(t.encoded));
+  std::vector<uint8_t> out_vec(encoded.size());
+  uint8_t *out = out_vec.data();
+
+  size_t len;
+  int ok = EVP_DecodeBase64(out, &len, out_vec.size(),
+                            (const uint8_t *)encoded.data(), encoded.size());
+
+  if (t.relation == invalid) {
+    EXPECT_FALSE(ok);
+  } else if (t.relation == canonical) {
+    ASSERT_TRUE(ok);
+    EXPECT_EQ(Bytes(t.decoded), Bytes(out, len));
+  }
+}
+
+TEST_P(Base64Test, DecodeBlock) {
+  const TestVector &t = GetParam();
+  if (t.relation != canonical) {
+    return;
+  }
+
+  std::string encoded(RemoveNewlines(t.encoded));
+
+  std::vector<uint8_t> out_vec(encoded.size());
+  uint8_t *out = out_vec.data();
+
+  // Test that the padding behavior of the deprecated API is preserved.
+  int ret =
+      EVP_DecodeBlock(out, (const uint8_t *)encoded.data(), encoded.size());
+  ASSERT_GE(ret, 0);
+  // EVP_DecodeBlock should ignore padding.
+  ASSERT_EQ(0, ret % 3);
+  size_t expected_len = strlen(t.decoded);
+  if (expected_len % 3 != 0) {
+    ret -= 3 - (expected_len % 3);
+  }
+  EXPECT_EQ(Bytes(t.decoded), Bytes(out, static_cast<size_t>(ret)));
+}
+
+TEST_P(Base64Test, EncodeDecode) {
+  const TestVector &t = GetParam();
+
+  EVP_ENCODE_CTX ctx;
+  const size_t decoded_len = strlen(t.decoded);
+
+  if (t.relation == canonical) {
    size_t max_encoded_len;
-    if (!EVP_EncodedLength(&max_encoded_len, decoded_len)) {
-      fprintf(stderr, "#%u: EVP_EncodedLength failed\n", i);
-      return false;
-    }
+    ASSERT_TRUE(EVP_EncodedLength(&max_encoded_len, decoded_len));

+    // EVP_EncodeUpdate will output new lines every 64 bytes of output so we
+    // need slightly more than |EVP_EncodedLength| returns. */
+    max_encoded_len += (max_encoded_len + 63) >> 6;
    std::vector<uint8_t> out_vec(max_encoded_len);
    uint8_t *out = out_vec.data();
-    size_t len = EVP_EncodeBlock(out, (const uint8_t *)t->decoded, decoded_len);

-    std::string encoded(RemoveNewlines(t->encoded));
-    if (len != encoded.size() ||
-        OPENSSL_memcmp(out, encoded.data(), len) != 0) {
-      fprintf(stderr, "encode(\"%s\") = \"%.*s\", want \"%s\"\n",
-              t->decoded, (int)len, (const char*)out, encoded.c_str());
-      return false;
-    }
-  }
+    EVP_EncodeInit(&ctx);

-  return true;
-}
-
-static bool TestDecodeBase64() {
-  size_t len;
-
-  for (unsigned i = 0; i < kNumTests; i++) {
-    const TestVector *t = &kTestVectors[i];
-
-    if (t->relation == valid) {
-      // The non-canonical encodings will generally have odd whitespace etc
-      // that |EVP_DecodeBase64| will reject.
-      continue;
-    }
-
-    const std::string encoded(RemoveNewlines(t->encoded));
-    std::vector<uint8_t> out_vec(encoded.size());
-    uint8_t *out = out_vec.data();
-
-    int ok = EVP_DecodeBase64(out, &len, out_vec.size(),
-                              (const uint8_t *)encoded.data(), encoded.size());
-
-    if (t->relation == invalid) {
-      if (ok) {
-        fprintf(stderr, "decode(\"%s\") didn't fail but should have\n",
-                encoded.c_str());
-        return false;
-      }
-    } else if (t->relation == canonical) {
-      if (!ok) {
-        fprintf(stderr, "decode(\"%s\") failed\n", encoded.c_str());
-        return false;
-      }
-
-      if (len != strlen(t->decoded) ||
-          OPENSSL_memcmp(out, t->decoded, len) != 0) {
-        fprintf(stderr, "decode(\"%s\") = \"%.*s\", want \"%s\"\n",
-                encoded.c_str(), (int)len, (const char*)out, t->decoded);
-        return false;
-      }
-    }
-  }
-
-  return true;
-}
-
-static bool TestDecodeBlock() {
-  for (unsigned i = 0; i < kNumTests; i++) {
-    const TestVector *t = &kTestVectors[i];
-    if (t->relation != canonical) {
-      continue;
-    }
-
-    std::string encoded(RemoveNewlines(t->encoded));
-
-    std::vector<uint8_t> out_vec(encoded.size());
-    uint8_t *out = out_vec.data();
-
-    // Test that the padding behavior of the deprecated API is preserved.
-    int ret =
-        EVP_DecodeBlock(out, (const uint8_t *)encoded.data(), encoded.size());
-    if (ret < 0) {
-      fprintf(stderr, "EVP_DecodeBlock(\"%s\") failed\n", t->encoded);
-      return false;
-    }
-    if (ret % 3 != 0) {
-      fprintf(stderr, "EVP_DecodeBlock did not ignore padding\n");
-      return false;
-    }
-    size_t expected_len = strlen(t->decoded);
-    if (expected_len % 3 != 0) {
-      ret -= 3 - (expected_len % 3);
-    }
-    if (static_cast<size_t>(ret) != strlen(t->decoded) ||
-        OPENSSL_memcmp(out, t->decoded, ret) != 0) {
-      fprintf(stderr, "decode(\"%s\") = \"%.*s\", want \"%s\"\n",
-              t->encoded, ret, (const char*)out, t->decoded);
-      return false;
-    }
-  }
-
-  return true;
-}
-
-static bool TestEncodeDecode() {
-  for (unsigned test_num = 0; test_num < kNumTests; test_num++) {
-    const TestVector *t = &kTestVectors[test_num];
-
-    EVP_ENCODE_CTX ctx;
-    const size_t decoded_len = strlen(t->decoded);
-
-    if (t->relation == canonical) {
-      size_t max_encoded_len;
-      if (!EVP_EncodedLength(&max_encoded_len, decoded_len)) {
-        fprintf(stderr, "#%u: EVP_EncodedLength failed\n", test_num);
-        return false;
-      }
-
-      // EVP_EncodeUpdate will output new lines every 64 bytes of output so we
-      // need slightly more than |EVP_EncodedLength| returns. */
-      max_encoded_len += (max_encoded_len + 63) >> 6;
-      std::vector<uint8_t> out_vec(max_encoded_len);
-      uint8_t *out = out_vec.data();
-
-      EVP_EncodeInit(&ctx);
-
-      int out_len;
-      EVP_EncodeUpdate(&ctx, out, &out_len,
-                       reinterpret_cast<const uint8_t *>(t->decoded),
-                       decoded_len);
-      size_t total = out_len;
-
-      EVP_EncodeFinal(&ctx, out + total, &out_len);
-      total += out_len;
-
-      if (total != strlen(t->encoded) ||
-          OPENSSL_memcmp(out, t->encoded, total) != 0) {
-        fprintf(stderr, "#%u: EVP_EncodeUpdate produced different output: '%s' (%u)\n",
-                test_num, out, static_cast<unsigned>(total));
-        return false;
-      }
-    }
-
-    std::vector<uint8_t> out_vec(strlen(t->encoded));
-    uint8_t *out = out_vec.data();
-
-    EVP_DecodeInit(&ctx);
    int out_len;
-    size_t total = 0;
-    int ret = EVP_DecodeUpdate(&ctx, out, &out_len,
-                               reinterpret_cast<const uint8_t *>(t->encoded),
-                               strlen(t->encoded));
-    if (ret != -1) {
-      total = out_len;
-      ret = EVP_DecodeFinal(&ctx, out + total, &out_len);
-      total += out_len;
-    }
+    EVP_EncodeUpdate(&ctx, out, &out_len,
+                     reinterpret_cast<const uint8_t *>(t.decoded),
+                     decoded_len);
+    size_t total = out_len;

-    switch (t->relation) {
-      case canonical:
-      case valid:
-        if (ret == -1) {
-          fprintf(stderr, "#%u: EVP_DecodeUpdate failed\n", test_num);
-          return false;
-        }
-        if (total != decoded_len ||
-            OPENSSL_memcmp(out, t->decoded, decoded_len)) {
-          fprintf(stderr, "#%u: EVP_DecodeUpdate produced incorrect output\n",
-                  test_num);
-          return false;
-        }
-        break;
+    EVP_EncodeFinal(&ctx, out + total, &out_len);
+    total += out_len;

-      case invalid:
-        if (ret != -1) {
-          fprintf(stderr, "#%u: EVP_DecodeUpdate was successful but shouldn't have been\n", test_num);
-          return false;
-        }
-        break;
-    }
+    EXPECT_EQ(Bytes(t.encoded), Bytes(out, total));
  }

-  return true;
+  std::vector<uint8_t> out_vec(strlen(t.encoded));
+  uint8_t *out = out_vec.data();
+
+  EVP_DecodeInit(&ctx);
+  int out_len;
+  size_t total = 0;
+  int ret = EVP_DecodeUpdate(&ctx, out, &out_len,
+                             reinterpret_cast<const uint8_t *>(t.encoded),
+                             strlen(t.encoded));
+  if (ret != -1) {
+    total = out_len;
+    ret = EVP_DecodeFinal(&ctx, out + total, &out_len);
+    total += out_len;
+  }
+
+  switch (t.relation) {
+    case canonical:
+    case valid:
+      ASSERT_NE(-1, ret);
+      EXPECT_EQ(Bytes(t.decoded), Bytes(out, total));
+      break;
+
+    case invalid:
+      EXPECT_EQ(-1, ret);
+      break;
+  }
 }

-static bool TestDecodeUpdateStreaming() {
-  for (unsigned test_num = 0; test_num < kNumTests; test_num++) {
-    const TestVector *t = &kTestVectors[test_num];
-    if (t->relation == invalid) {
-      continue;
-    }
+TEST_P(Base64Test, DecodeUpdateStreaming) {
+  const TestVector &t = GetParam();
+  if (t.relation == invalid) {
+    return;
+  }

-    const size_t encoded_len = strlen(t->encoded);
+  const size_t encoded_len = strlen(t.encoded);

-    std::vector<uint8_t> out(encoded_len);
+  std::vector<uint8_t> out(encoded_len);

-    for (size_t chunk_size = 1; chunk_size <= encoded_len; chunk_size++) {
-      size_t out_len = 0;
-      EVP_ENCODE_CTX ctx;
-      EVP_DecodeInit(&ctx);
+  for (size_t chunk_size = 1; chunk_size <= encoded_len; chunk_size++) {
+    SCOPED_TRACE(chunk_size);
+    size_t out_len = 0;
+    EVP_ENCODE_CTX ctx;
+    EVP_DecodeInit(&ctx);

-      for (size_t i = 0; i < encoded_len;) {
-        size_t todo = encoded_len - i;
-        if (todo > chunk_size) {
-          todo = chunk_size;
-        }
-
-        int bytes_written;
-        int ret = EVP_DecodeUpdate(
-            &ctx, out.data() + out_len, &bytes_written,
-            reinterpret_cast<const uint8_t *>(t->encoded + i), todo);
-        i += todo;
-
-        switch (ret) {
-          case -1:
-            fprintf(stderr, "#%u: EVP_DecodeUpdate returned error\n", test_num);
-            return 0;
-          case 0:
-            out_len += bytes_written;
-            if (i == encoded_len ||
-                (i + 1 == encoded_len && t->encoded[i] == '\n') ||
-                /* If there was an '-' in the input (which means “EOF”) then
-                 * this loop will continue to test that |EVP_DecodeUpdate| will
-                 * ignore the remainder of the input. */
-                strchr(t->encoded, '-') != nullptr) {
-              break;
-            }
-
-            fprintf(stderr,
-                    "#%u: EVP_DecodeUpdate returned zero before end of "
-                    "encoded data\n",
-                    test_num);
-            return 0;
-          default:
-            out_len += bytes_written;
-        }
+    for (size_t i = 0; i < encoded_len;) {
+      size_t todo = encoded_len - i;
+      if (todo > chunk_size) {
+        todo = chunk_size;
      }

      int bytes_written;
-      int ret = EVP_DecodeFinal(&ctx, out.data() + out_len, &bytes_written);
-      if (ret == -1) {
-        fprintf(stderr, "#%u: EVP_DecodeFinal returned error\n", test_num);
-        return 0;
-      }
-      out_len += bytes_written;
+      int ret = EVP_DecodeUpdate(
+          &ctx, out.data() + out_len, &bytes_written,
+          reinterpret_cast<const uint8_t *>(t.encoded + i), todo);
+      i += todo;

-      if (out_len != strlen(t->decoded) ||
-          OPENSSL_memcmp(out.data(), t->decoded, out_len) != 0) {
-        fprintf(stderr, "#%u: incorrect output\n", test_num);
-        return 0;
+      switch (ret) {
+        case -1:
+          FAIL() << "EVP_DecodeUpdate failed";
+        case 0:
+          out_len += bytes_written;
+          if (i == encoded_len ||
+              (i + 1 == encoded_len && t.encoded[i] == '\n') ||
+              // If there was an '-' in the input (which means “EOF”) then
+              // this loop will continue to test that |EVP_DecodeUpdate| will
+              // ignore the remainder of the input.
+              strchr(t.encoded, '-') != nullptr) {
+            break;
+          }
+
+          FAIL()
+              << "EVP_DecodeUpdate returned zero before end of encoded data.";
+        case 1:
+          out_len += bytes_written;
+          break;
+        default:
+          FAIL() << "Invalid return value " << ret;
      }
    }
+
+    int bytes_written;
+    int ret = EVP_DecodeFinal(&ctx, out.data() + out_len, &bytes_written);
+    ASSERT_NE(ret, -1);
+    out_len += bytes_written;
+
+    EXPECT_EQ(Bytes(t.decoded), Bytes(out.data(), out_len));
  }
-
-  return true;
-}
-
-int main(void) {
-  CRYPTO_library_init();
-
-  if (!TestEncodeBlock() ||
-      !TestDecodeBase64() ||
-      !TestDecodeBlock() ||
-      !TestDecodeUpdateStreaming() ||
-      !TestEncodeDecode()) {
-    return 1;
-  }
-
-  printf("PASS\n");
-  return 0;
 }
@@ -7,7 +7,6 @@ add_library(

  bio.c
  bio_mem.c
-  buffer.c
  connect.c
  fd.c
  file.c
@@ -17,17 +16,3 @@ add_library(
  socket.c
  socket_helper.c
 )
-
-add_executable(
-  bio_test
-
-  bio_test.cc
-
-  $<TARGET_OBJECTS:test_support>
-)
-
-target_link_libraries(bio_test crypto)
-if (WIN32)
-  target_link_libraries(bio_test ws2_32)
-endif()
-add_dependencies(all_tests bio_test)
@@ -96,13 +96,6 @@ int BIO_free(BIO *bio) {
      return 0;
    }

-    if (bio->callback != NULL) {
-      int i = (int)bio->callback(bio, BIO_CB_FREE, NULL, 0, 0, 1);
-      if (i <= 0) {
-        return i;
-      }
-    }
-
    next_bio = BIO_pop(bio);

    if (bio->method != NULL && bio->method->destroy != NULL) {
@@ -127,64 +120,61 @@ void BIO_free_all(BIO *bio) {
  BIO_free(bio);
 }

-static int bio_io(BIO *bio, void *buf, int len, size_t method_offset,
-                  int callback_flags, size_t *num) {
-  int i;
-  typedef int (*io_func_t)(BIO *, char *, int);
-  io_func_t io_func = NULL;
-
-  if (bio != NULL && bio->method != NULL) {
-    io_func =
-        *((const io_func_t *)(((const uint8_t *)bio->method) + method_offset));
-  }
-
-  if (io_func == NULL) {
+int BIO_read(BIO *bio, void *buf, int len) {
+  if (bio == NULL || bio->method == NULL || bio->method->bread == NULL) {
    OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
    return -2;
  }
-
-  if (bio->callback != NULL) {
-    i = (int) bio->callback(bio, callback_flags, buf, len, 0L, 1L);
-    if (i <= 0) {
-      return i;
-    }
-  }
-
  if (!bio->init) {
    OPENSSL_PUT_ERROR(BIO, BIO_R_UNINITIALIZED);
    return -2;
  }
-
-  i = 0;
-  if (buf != NULL && len > 0) {
-    i = io_func(bio, buf, len);
+  if (len <= 0) {
+    return 0;
  }
-
-  if (i > 0) {
-    *num += i;
+  int ret = bio->method->bread(bio, buf, len);
+  if (ret > 0) {
+    bio->num_read += ret;
  }
-
-  if (bio->callback != NULL) {
-    i = (int)(bio->callback(bio, callback_flags | BIO_CB_RETURN, buf, len, 0L,
-                            (long)i));
-  }
-
-  return i;
-}
-
-int BIO_read(BIO *bio, void *buf, int len) {
-  return bio_io(bio, buf, len, offsetof(BIO_METHOD, bread), BIO_CB_READ,
-                &bio->num_read);
+  return ret;
 }

 int BIO_gets(BIO *bio, char *buf, int len) {
-  return bio_io(bio, buf, len, offsetof(BIO_METHOD, bgets), BIO_CB_GETS,
-                &bio->num_read);
+  if (bio == NULL || bio->method == NULL || bio->method->bgets == NULL) {
+    OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
+    return -2;
+  }
+  if (!bio->init) {
+    OPENSSL_PUT_ERROR(BIO, BIO_R_UNINITIALIZED);
+    return -2;
+  }
+  if (len <= 0) {
+    return 0;
+  }
+  int ret = bio->method->bgets(bio, buf, len);
+  if (ret > 0) {
+    bio->num_read += ret;
+  }
+  return ret;
 }

 int BIO_write(BIO *bio, const void *in, int inl) {
-  return bio_io(bio, (char *)in, inl, offsetof(BIO_METHOD, bwrite),
-                BIO_CB_WRITE, &bio->num_write);
+  if (bio == NULL || bio->method == NULL || bio->method->bwrite == NULL) {
+    OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
+    return -2;
+  }
+  if (!bio->init) {
+    OPENSSL_PUT_ERROR(BIO, BIO_R_UNINITIALIZED);
+    return -2;
+  }
+  if (inl <= 0) {
+    return 0;
+  }
+  int ret = bio->method->bwrite(bio, in, inl);
+  if (ret > 0) {
+    bio->num_write += ret;
+  }
+  return ret;
 }

 int BIO_puts(BIO *bio, const char *in) {
@@ -196,8 +186,6 @@ int BIO_flush(BIO *bio) {
 }

 long BIO_ctrl(BIO *bio, int cmd, long larg, void *parg) {
-  long ret;
-
  if (bio == NULL) {
    return 0;
  }
@@ -207,20 +195,7 @@ long BIO_ctrl(BIO *bio, int cmd, long larg, void *parg) {
    return -2;
  }

-  if (bio->callback != NULL) {
-    ret = bio->callback(bio, BIO_CB_CTRL, parg, cmd, larg, 1);
-    if (ret <= 0) {
-      return ret;
-    }
-  }
-
-  ret = bio->method->ctrl(bio, cmd, larg, parg);
-
-  if (bio->callback != NULL) {
-    ret = bio->callback(bio, BIO_CB_CTRL | BIO_CB_RETURN, parg, cmd, larg, ret);
-  }
-
-  return ret;
+  return bio->method->ctrl(bio, cmd, larg, parg);
 }

 char *BIO_ptr_ctrl(BIO *b, int cmd, long larg) {
@@ -305,9 +280,6 @@ void BIO_copy_next_retry(BIO *bio) {
 }

 long BIO_callback_ctrl(BIO *bio, int cmd, bio_info_cb fp) {
-  long ret;
-  bio_info_cb cb;
-
  if (bio == NULL) {
    return 0;
  }
@@ -317,22 +289,7 @@ long BIO_callback_ctrl(BIO *bio, int cmd, bio_info_cb fp) {
    return 0;
  }

-  cb = bio->callback;
-
-  if (cb != NULL) {
-    ret = cb(bio, BIO_CB_CTRL, (void *)&fp, cmd, 0, 1L);
-    if (ret <= 0) {
-      return ret;
-    }
-  }
-
-  ret = bio->method->callback_ctrl(bio, cmd, fp);
-
-  if (cb != NULL) {
-    ret = cb(bio, BIO_CB_CTRL | BIO_CB_RETURN, (void *)&fp, cmd, 0, ret);
-  }
-
-  return ret;
+  return bio->method->callback_ctrl(bio, cmd, fp);
 }

 size_t BIO_pending(const BIO *bio) {
@@ -363,18 +320,6 @@ int BIO_set_close(BIO *bio, int close_flag) {
  return BIO_ctrl(bio, BIO_CTRL_SET_CLOSE, close_flag, NULL);
 }

-void BIO_set_callback(BIO *bio, bio_info_cb callback_func) {
-  bio->callback = callback_func;
-}
-
-void BIO_set_callback_arg(BIO *bio, char *arg) {
-  bio->cb_arg = arg;
-}
-
-char *BIO_get_callback_arg(const BIO *bio) {
-  return bio->cb_arg;
-}
-
 OPENSSL_EXPORT size_t BIO_number_read(const BIO *bio) {
  return bio->num_read;
 }
@@ -464,14 +409,14 @@ void ERR_print_errors(BIO *bio) {
  ERR_print_errors_cb(print_bio, bio);
 }

-/* bio_read_all reads everything from |bio| and prepends |prefix| to it. On
- * success, |*out| is set to an allocated buffer (which should be freed with
- * |OPENSSL_free|), |*out_len| is set to its length and one is returned. The
- * buffer will contain |prefix| followed by the contents of |bio|. On failure,
- * zero is returned.
- *
- * The function will fail if the size of the output would equal or exceed
- * |max_len|. */
+// bio_read_all reads everything from |bio| and prepends |prefix| to it. On
+// success, |*out| is set to an allocated buffer (which should be freed with
+// |OPENSSL_free|), |*out_len| is set to its length and one is returned. The
+// buffer will contain |prefix| followed by the contents of |bio|. On failure,
+// zero is returned.
+//
+// The function will fail if the size of the output would equal or exceed
+// |max_len|.
 static int bio_read_all(BIO *bio, uint8_t **out, size_t *out_len,
                        const uint8_t *prefix, size_t prefix_len,
                        size_t max_len) {
@@ -535,20 +480,20 @@ int BIO_read_asn1(BIO *bio, uint8_t **out, size_t *out_len, size_t max_len) {
  const uint8_t length_byte = header[1];

  if ((tag & 0x1f) == 0x1f) {
-    /* Long form tags are not supported. */
+    // Long form tags are not supported.
    return 0;
  }

  size_t len, header_len;
  if ((length_byte & 0x80) == 0) {
-    /* Short form length. */
+    // Short form length.
    len = length_byte;
    header_len = kInitialHeaderLen;
  } else {
    const size_t num_bytes = length_byte & 0x7f;

    if ((tag & 0x20 /* constructed */) != 0 && num_bytes == 0) {
-      /* indefinite length. */
+      // indefinite length.
      return bio_read_all(bio, out, out_len, header, kInitialHeaderLen,
                          max_len);
    }
@@ -571,12 +516,12 @@ int BIO_read_asn1(BIO *bio, uint8_t **out, size_t *out_len, size_t max_len) {
    }

    if (len32 < 128) {
-      /* Length should have used short-form encoding. */
+      // Length should have used short-form encoding.
      return 0;
    }

    if ((len32 >> ((num_bytes-1)*8)) == 0) {
-      /* Length should have been at least one byte shorter. */
+      // Length should have been at least one byte shorter.
      return 0;
    }

@@ -608,3 +553,84 @@ int BIO_read_asn1(BIO *bio, uint8_t **out, size_t *out_len, size_t max_len) {
 void BIO_set_retry_special(BIO *bio) {
  bio->flags |= BIO_FLAGS_READ | BIO_FLAGS_IO_SPECIAL;
 }
+
+int BIO_set_write_buffer_size(BIO *bio, int buffer_size) { return 0; }
+
+static struct CRYPTO_STATIC_MUTEX g_index_lock = CRYPTO_STATIC_MUTEX_INIT;
+static int g_index = BIO_TYPE_START;
+
+int BIO_get_new_index(void) {
+  CRYPTO_STATIC_MUTEX_lock_write(&g_index_lock);
+  // If |g_index| exceeds 255, it will collide with the flags bits.
+  int ret = g_index > 255 ? -1 : g_index++;
+  CRYPTO_STATIC_MUTEX_unlock_write(&g_index_lock);
+  return ret;
+}
+
+BIO_METHOD *BIO_meth_new(int type, const char *name) {
+  BIO_METHOD *method = OPENSSL_malloc(sizeof(BIO_METHOD));
+  if (method == NULL) {
+    return NULL;
+  }
+  OPENSSL_memset(method, 0, sizeof(BIO_METHOD));
+  method->type = type;
+  method->name = name;
+  return method;
+}
+
+void BIO_meth_free(BIO_METHOD *method) {
+  OPENSSL_free(method);
+}
+
+int BIO_meth_set_create(BIO_METHOD *method,
+                        int (*create)(BIO *)) {
+  method->create = create;
+  return 1;
+}
+
+int BIO_meth_set_destroy(BIO_METHOD *method,
+                         int (*destroy)(BIO *)) {
+  method->destroy = destroy;
+  return 1;
+}
+
+int BIO_meth_set_write(BIO_METHOD *method,
+                       int (*write)(BIO *, const char *, int)) {
+  method->bwrite = write;
+  return 1;
+}
+
+int BIO_meth_set_read(BIO_METHOD *method,
+                      int (*read)(BIO *, char *, int)) {
+  method->bread = read;
+  return 1;
+}
+
+int BIO_meth_set_gets(BIO_METHOD *method,
+                      int (*gets)(BIO *, char *, int)) {
+  method->bgets = gets;
+  return 1;
+}
+
+int BIO_meth_set_ctrl(BIO_METHOD *method,
+                      long (*ctrl)(BIO *, int, long, void *)) {
+  method->ctrl = ctrl;
+  return 1;
+}
+
+void BIO_set_data(BIO *bio, void *ptr) { bio->ptr = ptr; }
+
+void *BIO_get_data(BIO *bio) { return bio->ptr; }
+
+void BIO_set_init(BIO *bio, int init) { bio->init = init; }
+
+int BIO_get_init(BIO *bio) { return bio->init; }
+
+void BIO_set_shutdown(BIO *bio, int shutdown) { bio->shutdown = shutdown; }
+
+int BIO_get_shutdown(BIO *bio) { return bio->shutdown; }
+
+int BIO_meth_set_puts(BIO_METHOD *method, int (*puts)(BIO *, const char *)) {
+  // Ignore the parameter. We implement |BIO_puts| using |BIO_write|.
+  return 1;
+}
@@ -82,16 +82,16 @@ BIO *BIO_new_mem_buf(const void *buf, int len) {
  }

  b = (BUF_MEM *)ret->ptr;
-  /* BIO_FLAGS_MEM_RDONLY ensures |b->data| is not written to. */
+  // BIO_FLAGS_MEM_RDONLY ensures |b->data| is not written to.
  b->data = (void *)buf;
  b->length = size;
  b->max = size;

  ret->flags |= BIO_FLAGS_MEM_RDONLY;

-  /* |num| is used to store the value that this BIO will return when it runs
-   * out of data. If it's negative then the retry flags will also be set. Since
-   * this is static data, retrying wont help */
+  // |num| is used to store the value that this BIO will return when it runs
+  // out of data. If it's negative then the retry flags will also be set. Since
+  // this is static data, retrying wont help
  ret->num = 0;

  return ret;
@@ -105,8 +105,8 @@ static int mem_new(BIO *bio) {
    return 0;
  }

-  /* |shutdown| is used to store the close flag: whether the BIO has ownership
-   * of the BUF_MEM. */
+  // |shutdown| is used to store the close flag: whether the BIO has ownership
+  // of the BUF_MEM.
  bio->shutdown = 1;
  bio->init = 1;
  bio->num = -1;
@@ -189,10 +189,6 @@ err:
  return ret;
 }

-static int mem_puts(BIO *bp, const char *str) {
-  return mem_write(bp, str, strlen(str));
-}
-
 static int mem_gets(BIO *bio, char *buf, int size) {
  int i, j;
  char *p;
@@ -218,8 +214,8 @@ static int mem_gets(BIO *bio, char *buf, int size) {
    }
  }

-  /* i is now the max num of bytes to copy, either j or up to and including the
-   * first newline */
+  // i is now the max num of bytes to copy, either j or up to and including the
+  // first newline

  i = mem_read(bio, buf, i);
  if (i > 0) {
@@ -237,7 +233,7 @@ static long mem_ctrl(BIO *bio, int cmd, long num, void *ptr) {
  switch (cmd) {
    case BIO_CTRL_RESET:
      if (b->data != NULL) {
-        /* For read only case reset to the start again */
+        // For read only case reset to the start again
        if (bio->flags & BIO_FLAGS_MEM_RDONLY) {
          b->data -= b->max - b->length;
          b->length = b->max;
@@ -295,8 +291,12 @@ static long mem_ctrl(BIO *bio, int cmd, long num, void *ptr) {
 }

 static const BIO_METHOD mem_method = {
-    BIO_TYPE_MEM, "memory buffer", mem_write, mem_read, mem_puts,
-    mem_gets,     mem_ctrl,        mem_new,   mem_free, NULL, };
+    BIO_TYPE_MEM,    "memory buffer",
+    mem_write,       mem_read,
+    NULL /* puts */, mem_gets,
+    mem_ctrl,        mem_new,
+    mem_free,        NULL /* callback_ctrl */,
+};

 const BIO_METHOD *BIO_s_mem(void) { return &mem_method; }

@@ -12,11 +12,18 @@
 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

-#if !defined(_POSIX_C_SOURCE)
-#define _POSIX_C_SOURCE 201410L
-#endif
+#include <algorithm>
+#include <string>

-#include <openssl/base.h>
+#include <gtest/gtest.h>
+
+#include <openssl/bio.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/mem.h>
+
+#include "../internal.h"
+#include "../test/test_util.h"

 #if !defined(OPENSSL_WINDOWS)
 #include <arpa/inet.h>
@@ -33,27 +40,15 @@ OPENSSL_MSVC_PRAGMA(warning(push, 3))
 OPENSSL_MSVC_PRAGMA(warning(pop))
 #endif

-#include <openssl/bio.h>
-#include <openssl/crypto.h>
-#include <openssl/err.h>
-#include <openssl/mem.h>
-
-#include <algorithm>
-
-#include "../internal.h"
-

 #if !defined(OPENSSL_WINDOWS)
-static int closesocket(int sock) {
-  return close(sock);
-}
-
-static void PrintSocketError(const char *func) {
-  perror(func);
-}
+static int closesocket(int sock) { return close(sock); }
+static std::string LastSocketError() { return strerror(errno); }
 #else
-static void PrintSocketError(const char *func) {
-  fprintf(stderr, "%s: %d\n", func, WSAGetLastError());
+static std::string LastSocketError() {
+  char buf[DECIMAL_SIZE(int) + 1];
+  BIO_snprintf(buf, sizeof(buf), "%d", WSAGetLastError());
+  return buf;
 }
 #endif

@@ -68,356 +63,262 @@ class ScopedSocket {
  const int sock_;
 };

-static bool TestSocketConnect() {
+TEST(BIOTest, SocketConnect) {
  static const char kTestMessage[] = "test";
+  int listening_sock = -1;
+  socklen_t len = 0;
+  sockaddr_storage ss;
+  struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *) &ss;
+  struct sockaddr_in *sin = (struct sockaddr_in *) &ss;
+  OPENSSL_memset(&ss, 0, sizeof(ss));

-  int listening_sock = socket(AF_INET, SOCK_STREAM, 0);
-  if (listening_sock == -1) {
-    PrintSocketError("socket");
-    return false;
+  ss.ss_family = AF_INET6;
+  listening_sock = socket(AF_INET6, SOCK_STREAM, 0);
+  ASSERT_NE(-1, listening_sock) << LastSocketError();
+  len = sizeof(*sin6);
+  ASSERT_EQ(1, inet_pton(AF_INET6, "::1", &sin6->sin6_addr))
+      << LastSocketError();
+  if (bind(listening_sock, (struct sockaddr *)sin6, sizeof(*sin6)) == -1) {
+    closesocket(listening_sock);
+
+    ss.ss_family = AF_INET;
+    listening_sock = socket(AF_INET, SOCK_STREAM, 0);
+    ASSERT_NE(-1, listening_sock) << LastSocketError();
+    len = sizeof(*sin);
+    ASSERT_EQ(1, inet_pton(AF_INET, "127.0.0.1", &sin->sin_addr))
+        << LastSocketError();
+    ASSERT_EQ(0, bind(listening_sock, (struct sockaddr *)sin, sizeof(*sin)))
+        << LastSocketError();
  }
+
  ScopedSocket listening_sock_closer(listening_sock);
-
-  struct sockaddr_in sin;
-  OPENSSL_memset(&sin, 0, sizeof(sin));
-  sin.sin_family = AF_INET;
-  if (!inet_pton(AF_INET, "127.0.0.1", &sin.sin_addr)) {
-    PrintSocketError("inet_pton");
-    return false;
-  }
-  if (bind(listening_sock, (struct sockaddr *)&sin, sizeof(sin)) != 0) {
-    PrintSocketError("bind");
-    return false;
-  }
-  if (listen(listening_sock, 1)) {
-    PrintSocketError("listen");
-    return false;
-  }
-  socklen_t sockaddr_len = sizeof(sin);
-  if (getsockname(listening_sock, (struct sockaddr *)&sin, &sockaddr_len) ||
-      sockaddr_len != sizeof(sin)) {
-    PrintSocketError("getsockname");
-    return false;
-  }
+  ASSERT_EQ(0, listen(listening_sock, 1)) << LastSocketError();
+  ASSERT_EQ(0, getsockname(listening_sock, (struct sockaddr *)&ss, &len))
+        << LastSocketError();

  char hostname[80];
-  BIO_snprintf(hostname, sizeof(hostname), "%s:%d", "127.0.0.1",
-               ntohs(sin.sin_port));
+  if (ss.ss_family == AF_INET6) {
+    BIO_snprintf(hostname, sizeof(hostname), "[::1]:%d",
+                 ntohs(sin6->sin6_port));
+  } else if (ss.ss_family == AF_INET) {
+    BIO_snprintf(hostname, sizeof(hostname), "127.0.0.1:%d",
+                 ntohs(sin->sin_port));
+  }
+
+  // Connect to it with a connect BIO.
  bssl::UniquePtr<BIO> bio(BIO_new_connect(hostname));
-  if (!bio) {
-    fprintf(stderr, "BIO_new_connect failed.\n");
-    return false;
-  }
+  ASSERT_TRUE(bio);

-  if (BIO_write(bio.get(), kTestMessage, sizeof(kTestMessage)) !=
-      sizeof(kTestMessage)) {
-    fprintf(stderr, "BIO_write failed.\n");
-    ERR_print_errors_fp(stderr);
-    return false;
-  }
+  // Write a test message to the BIO.
+  ASSERT_EQ(static_cast<int>(sizeof(kTestMessage)),
+            BIO_write(bio.get(), kTestMessage, sizeof(kTestMessage)));

-  int sock = accept(listening_sock, (struct sockaddr *) &sin, &sockaddr_len);
-  if (sock == -1) {
-    PrintSocketError("accept");
-    return false;
-  }
+  // Accept the socket.
+  int sock = accept(listening_sock, (struct sockaddr *) &ss, &len);
+  ASSERT_NE(-1, sock) << LastSocketError();
  ScopedSocket sock_closer(sock);

-  char buf[5];
-  if (recv(sock, buf, sizeof(buf), 0) != sizeof(kTestMessage)) {
-    PrintSocketError("read");
-    return false;
-  }
-  if (OPENSSL_memcmp(buf, kTestMessage, sizeof(kTestMessage))) {
-    return false;
-  }
-
-  return true;
+  // Check the same message is read back out.
+  char buf[sizeof(kTestMessage)];
+  ASSERT_EQ(static_cast<int>(sizeof(kTestMessage)),
+            recv(sock, buf, sizeof(buf), 0))
+      << LastSocketError();
+  EXPECT_EQ(Bytes(kTestMessage, sizeof(kTestMessage)), Bytes(buf, sizeof(buf)));
 }

-static bool TestPrintf() {
+TEST(BIOTest, Printf) {
  // Test a short output, a very long one, and various sizes around
  // 256 (the size of the buffer) to ensure edge cases are correct.
-  static const size_t kLengths[] = { 5, 250, 251, 252, 253, 254, 1023 };
+  static const size_t kLengths[] = {5, 250, 251, 252, 253, 254, 1023};

  bssl::UniquePtr<BIO> bio(BIO_new(BIO_s_mem()));
-  if (!bio) {
-    fprintf(stderr, "BIO_new failed\n");
-    return false;
-  }
+  ASSERT_TRUE(bio);

-  for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kLengths); i++) {
-    char string[1024];
-    if (kLengths[i] >= sizeof(string)) {
-      fprintf(stderr, "Bad test string length\n");
-      return false;
-    }
-    OPENSSL_memset(string, 'a', sizeof(string));
-    string[kLengths[i]] = '\0';
+  for (size_t length : kLengths) {
+    SCOPED_TRACE(length);
+
+    std::string in(length, 'a');
+
+    int ret = BIO_printf(bio.get(), "test %s", in.c_str());
+    ASSERT_GE(ret, 0);
+    EXPECT_EQ(5 + length, static_cast<size_t>(ret));

-    int ret = BIO_printf(bio.get(), "test %s", string);
-    if (ret < 0 || static_cast<size_t>(ret) != 5 + kLengths[i]) {
-      fprintf(stderr, "BIO_printf failed: %d\n", ret);
-      return false;
-    }
    const uint8_t *contents;
    size_t len;
-    if (!BIO_mem_contents(bio.get(), &contents, &len)) {
-      fprintf(stderr, "BIO_mem_contents failed\n");
-      return false;
-    }
-    if (len != 5 + kLengths[i] ||
-        strncmp((const char *)contents, "test ", 5) != 0 ||
-        strncmp((const char *)contents + 5, string, kLengths[i]) != 0) {
-      fprintf(stderr, "Contents did not match: %.*s\n", (int)len, contents);
-      return false;
-    }
+    ASSERT_TRUE(BIO_mem_contents(bio.get(), &contents, &len));
+    EXPECT_EQ("test " + in,
+              std::string(reinterpret_cast<const char *>(contents), len));

-    if (!BIO_reset(bio.get())) {
-      fprintf(stderr, "BIO_reset failed\n");
-      return false;
-    }
+    ASSERT_TRUE(BIO_reset(bio.get()));
  }
-
-  return true;
 }

-static bool ReadASN1(bool should_succeed, const uint8_t *data, size_t data_len,
-                     size_t expected_len, size_t max_len) {
-  bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(data, data_len));
+static const size_t kLargeASN1PayloadLen = 8000;
+
+struct ASN1TestParam {
+  bool should_succeed;
+  std::vector<uint8_t> input;
+  // suffix_len is the number of zeros to append to |input|.
+  size_t suffix_len;
+  // expected_len, if |should_succeed| is true, is the expected length of the
+  // ASN.1 element.
+  size_t expected_len;
+  size_t max_len;
+} kASN1TestParams[] = {
+    {true, {0x30, 2, 1, 2, 0, 0}, 0, 4, 100},
+    {false /* truncated */, {0x30, 3, 1, 2}, 0, 0, 100},
+    {false /* should be short len */, {0x30, 0x81, 1, 1}, 0, 0, 100},
+    {false /* zero padded */, {0x30, 0x82, 0, 1, 1}, 0, 0, 100},
+
+    // Test a large payload.
+    {true,
+     {0x30, 0x82, kLargeASN1PayloadLen >> 8, kLargeASN1PayloadLen & 0xff},
+     kLargeASN1PayloadLen,
+     4 + kLargeASN1PayloadLen,
+     kLargeASN1PayloadLen * 2},
+    {false /* max_len too short */,
+     {0x30, 0x82, kLargeASN1PayloadLen >> 8, kLargeASN1PayloadLen & 0xff},
+     kLargeASN1PayloadLen,
+     4 + kLargeASN1PayloadLen,
+     3 + kLargeASN1PayloadLen},
+
+    // Test an indefinite-length input.
+    {true,
+     {0x30, 0x80},
+     kLargeASN1PayloadLen + 2,
+     2 + kLargeASN1PayloadLen + 2,
+     kLargeASN1PayloadLen * 2},
+    {false /* max_len too short */,
+     {0x30, 0x80},
+     kLargeASN1PayloadLen + 2,
+     2 + kLargeASN1PayloadLen + 2,
+     2 + kLargeASN1PayloadLen + 1},
+};
+
+class BIOASN1Test : public testing::TestWithParam<ASN1TestParam> {};
+
+TEST_P(BIOASN1Test, ReadASN1) {
+  const ASN1TestParam& param = GetParam();
+  std::vector<uint8_t> input = param.input;
+  input.resize(input.size() + param.suffix_len, 0);
+
+  bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(input.data(), input.size()));
+  ASSERT_TRUE(bio);

  uint8_t *out;
  size_t out_len;
-  int ok = BIO_read_asn1(bio.get(), &out, &out_len, max_len);
+  int ok = BIO_read_asn1(bio.get(), &out, &out_len, param.max_len);
  if (!ok) {
    out = nullptr;
  }
  bssl::UniquePtr<uint8_t> out_storage(out);

-  if (should_succeed != (ok == 1)) {
-    return false;
+  ASSERT_EQ(param.should_succeed, (ok == 1));
+  if (param.should_succeed) {
+    EXPECT_EQ(Bytes(input.data(), param.expected_len), Bytes(out, out_len));
  }
-
-  if (should_succeed && (out_len != expected_len ||
-                         OPENSSL_memcmp(data, out, expected_len) != 0)) {
-    return false;
-  }
-
-  return true;
 }

-static bool TestASN1() {
-  static const uint8_t kData1[] = {0x30, 2, 1, 2, 0, 0};
-  static const uint8_t kData2[] = {0x30, 3, 1, 2};  /* truncated */
-  static const uint8_t kData3[] = {0x30, 0x81, 1, 1};  /* should be short len */
-  static const uint8_t kData4[] = {0x30, 0x82, 0, 1, 1};  /* zero padded. */
+INSTANTIATE_TEST_CASE_P(, BIOASN1Test, testing::ValuesIn(kASN1TestParams));

-  if (!ReadASN1(true, kData1, sizeof(kData1), 4, 100) ||
-      !ReadASN1(false, kData2, sizeof(kData2), 0, 100) ||
-      !ReadASN1(false, kData3, sizeof(kData3), 0, 100) ||
-      !ReadASN1(false, kData4, sizeof(kData4), 0, 100)) {
-    return false;
+// Run through the tests twice, swapping |bio1| and |bio2|, for symmetry.
+class BIOPairTest : public testing::TestWithParam<bool> {};
+
+TEST_P(BIOPairTest, TestPair) {
+  BIO *bio1, *bio2;
+  ASSERT_TRUE(BIO_new_bio_pair(&bio1, 10, &bio2, 10));
+  bssl::UniquePtr<BIO> free_bio1(bio1), free_bio2(bio2);
+
+  if (GetParam()) {
+    std::swap(bio1, bio2);
  }

-  static const size_t kLargePayloadLen = 8000;
-  static const uint8_t kLargePrefix[] = {0x30, 0x82, kLargePayloadLen >> 8,
-                                         kLargePayloadLen & 0xff};
-  bssl::UniquePtr<uint8_t> large(reinterpret_cast<uint8_t *>(
-      OPENSSL_malloc(sizeof(kLargePrefix) + kLargePayloadLen)));
-  if (!large) {
-    return false;
-  }
-  OPENSSL_memset(large.get() + sizeof(kLargePrefix), 0, kLargePayloadLen);
-  OPENSSL_memcpy(large.get(), kLargePrefix, sizeof(kLargePrefix));
+  // Check initial states.
+  EXPECT_EQ(10u, BIO_ctrl_get_write_guarantee(bio1));
+  EXPECT_EQ(0u, BIO_ctrl_get_read_request(bio1));

-  if (!ReadASN1(true, large.get(), sizeof(kLargePrefix) + kLargePayloadLen,
-                sizeof(kLargePrefix) + kLargePayloadLen,
-                kLargePayloadLen * 2)) {
-    fprintf(stderr, "Large payload test failed.\n");
-    return false;
-  }
+  // Data written in one end may be read out the other.
+  uint8_t buf[20];
+  EXPECT_EQ(5, BIO_write(bio1, "12345", 5));
+  EXPECT_EQ(5u, BIO_ctrl_get_write_guarantee(bio1));
+  ASSERT_EQ(5, BIO_read(bio2, buf, sizeof(buf)));
+  EXPECT_EQ(Bytes("12345"), Bytes(buf, 5));
+  EXPECT_EQ(10u, BIO_ctrl_get_write_guarantee(bio1));

-  if (!ReadASN1(false, large.get(), sizeof(kLargePrefix) + kLargePayloadLen,
-                sizeof(kLargePrefix) + kLargePayloadLen,
-                kLargePayloadLen - 1)) {
-    fprintf(stderr, "max_len test failed.\n");
-    return false;
-  }
+  // Attempting to write more than 10 bytes will write partially.
+  EXPECT_EQ(10, BIO_write(bio1, "1234567890___", 13));
+  EXPECT_EQ(0u, BIO_ctrl_get_write_guarantee(bio1));
+  EXPECT_EQ(-1, BIO_write(bio1, "z", 1));
+  EXPECT_TRUE(BIO_should_write(bio1));
+  ASSERT_EQ(10, BIO_read(bio2, buf, sizeof(buf)));
+  EXPECT_EQ(Bytes("1234567890"), Bytes(buf, 10));
+  EXPECT_EQ(10u, BIO_ctrl_get_write_guarantee(bio1));

-  static const uint8_t kIndefPrefix[] = {0x30, 0x80};
-  OPENSSL_memcpy(large.get(), kIndefPrefix, sizeof(kIndefPrefix));
-  if (!ReadASN1(true, large.get(), sizeof(kLargePrefix) + kLargePayloadLen,
-                sizeof(kLargePrefix) + kLargePayloadLen,
-                kLargePayloadLen*2)) {
-    fprintf(stderr, "indefinite length test failed.\n");
-    return false;
-  }
+  // Unsuccessful reads update the read request.
+  EXPECT_EQ(-1, BIO_read(bio2, buf, 5));
+  EXPECT_TRUE(BIO_should_read(bio2));
+  EXPECT_EQ(5u, BIO_ctrl_get_read_request(bio1));

-  if (!ReadASN1(false, large.get(), sizeof(kLargePrefix) + kLargePayloadLen,
-                sizeof(kLargePrefix) + kLargePayloadLen,
-                kLargePayloadLen-1)) {
-    fprintf(stderr, "indefinite length, max_len test failed.\n");
-    return false;
-  }
+  // The read request is clamped to the size of the buffer.
+  EXPECT_EQ(-1, BIO_read(bio2, buf, 20));
+  EXPECT_TRUE(BIO_should_read(bio2));
+  EXPECT_EQ(10u, BIO_ctrl_get_read_request(bio1));

-  return true;
+  // Data may be written and read in chunks.
+  EXPECT_EQ(5, BIO_write(bio1, "12345", 5));
+  EXPECT_EQ(5u, BIO_ctrl_get_write_guarantee(bio1));
+  EXPECT_EQ(5, BIO_write(bio1, "67890___", 8));
+  EXPECT_EQ(0u, BIO_ctrl_get_write_guarantee(bio1));
+  ASSERT_EQ(3, BIO_read(bio2, buf, 3));
+  EXPECT_EQ(Bytes("123"), Bytes(buf, 3));
+  EXPECT_EQ(3u, BIO_ctrl_get_write_guarantee(bio1));
+  ASSERT_EQ(7, BIO_read(bio2, buf, sizeof(buf)));
+  EXPECT_EQ(Bytes("4567890"), Bytes(buf, 7));
+  EXPECT_EQ(10u, BIO_ctrl_get_write_guarantee(bio1));
+
+  // Successful reads reset the read request.
+  EXPECT_EQ(0u, BIO_ctrl_get_read_request(bio1));
+
+  // Test writes and reads starting in the middle of the ring buffer and
+  // wrapping to front.
+  EXPECT_EQ(8, BIO_write(bio1, "abcdefgh", 8));
+  EXPECT_EQ(2u, BIO_ctrl_get_write_guarantee(bio1));
+  ASSERT_EQ(3, BIO_read(bio2, buf, 3));
+  EXPECT_EQ(Bytes("abc"), Bytes(buf, 3));
+  EXPECT_EQ(5u, BIO_ctrl_get_write_guarantee(bio1));
+  EXPECT_EQ(5, BIO_write(bio1, "ijklm___", 8));
+  EXPECT_EQ(0u, BIO_ctrl_get_write_guarantee(bio1));
+  ASSERT_EQ(10, BIO_read(bio2, buf, sizeof(buf)));
+  EXPECT_EQ(Bytes("defghijklm"), Bytes(buf, 10));
+  EXPECT_EQ(10u, BIO_ctrl_get_write_guarantee(bio1));
+
+  // Data may flow from both ends in parallel.
+  EXPECT_EQ(5, BIO_write(bio1, "12345", 5));
+  EXPECT_EQ(5, BIO_write(bio2, "67890", 5));
+  ASSERT_EQ(5, BIO_read(bio2, buf, sizeof(buf)));
+  EXPECT_EQ(Bytes("12345"), Bytes(buf, 5));
+  ASSERT_EQ(5, BIO_read(bio1, buf, sizeof(buf)));
+  EXPECT_EQ(Bytes("67890"), Bytes(buf, 5));
+
+  // Closing the write end causes an EOF on the read half, after draining.
+  EXPECT_EQ(5, BIO_write(bio1, "12345", 5));
+  EXPECT_TRUE(BIO_shutdown_wr(bio1));
+  ASSERT_EQ(5, BIO_read(bio2, buf, sizeof(buf)));
+  EXPECT_EQ(Bytes("12345"), Bytes(buf, 5));
+  EXPECT_EQ(0, BIO_read(bio2, buf, sizeof(buf)));
+
+  // A closed write end may not be written to.
+  EXPECT_EQ(0u, BIO_ctrl_get_write_guarantee(bio1));
+  EXPECT_EQ(-1, BIO_write(bio1, "_____", 5));
+
+  uint32_t err = ERR_get_error();
+  EXPECT_EQ(ERR_LIB_BIO, ERR_GET_LIB(err));
+  EXPECT_EQ(BIO_R_BROKEN_PIPE, ERR_GET_REASON(err));
+
+  // The other end is still functional.
+  EXPECT_EQ(5, BIO_write(bio2, "12345", 5));
+  ASSERT_EQ(5, BIO_read(bio1, buf, sizeof(buf)));
+  EXPECT_EQ(Bytes("12345"), Bytes(buf, 5));
 }

-static bool TestPair() {
-  // Run through the tests twice, swapping |bio1| and |bio2|, for symmetry.
-  for (int i = 0; i < 2; i++) {
-    BIO *bio1, *bio2;
-    if (!BIO_new_bio_pair(&bio1, 10, &bio2, 10)) {
-      return false;
-    }
-    bssl::UniquePtr<BIO> free_bio1(bio1), free_bio2(bio2);
-
-    if (i == 1) {
-      std::swap(bio1, bio2);
-    }
-
-    // Check initial states.
-    if (BIO_ctrl_get_write_guarantee(bio1) != 10 ||
-        BIO_ctrl_get_read_request(bio1) != 0) {
-      return false;
-    }
-
-    // Data written in one end may be read out the other.
-    char buf[20];
-    if (BIO_write(bio1, "12345", 5) != 5 ||
-        BIO_ctrl_get_write_guarantee(bio1) != 5 ||
-        BIO_read(bio2, buf, sizeof(buf)) != 5 ||
-        OPENSSL_memcmp(buf, "12345", 5) != 0 ||
-        BIO_ctrl_get_write_guarantee(bio1) != 10) {
-      return false;
-    }
-
-    // Attempting to write more than 10 bytes will write partially.
-    if (BIO_write(bio1, "1234567890___", 13) != 10 ||
-        BIO_ctrl_get_write_guarantee(bio1) != 0 ||
-        BIO_write(bio1, "z", 1) != -1 ||
-        !BIO_should_write(bio1) ||
-        BIO_read(bio2, buf, sizeof(buf)) != 10 ||
-        OPENSSL_memcmp(buf, "1234567890", 10) != 0 ||
-        BIO_ctrl_get_write_guarantee(bio1) != 10) {
-      return false;
-    }
-
-    // Unsuccessful reads update the read request.
-    if (BIO_read(bio2, buf, 5) != -1 ||
-        !BIO_should_read(bio2) ||
-        BIO_ctrl_get_read_request(bio1) != 5) {
-      return false;
-    }
-
-    // The read request is clamped to the size of the buffer.
-    if (BIO_read(bio2, buf, 20) != -1 ||
-        !BIO_should_read(bio2) ||
-        BIO_ctrl_get_read_request(bio1) != 10) {
-      return false;
-    }
-
-    // Data may be written and read in chunks.
-    if (BIO_write(bio1, "12345", 5) != 5 ||
-        BIO_ctrl_get_write_guarantee(bio1) != 5 ||
-        BIO_write(bio1, "67890___", 8) != 5 ||
-        BIO_ctrl_get_write_guarantee(bio1) != 0 ||
-        BIO_read(bio2, buf, 3) != 3 ||
-        OPENSSL_memcmp(buf, "123", 3) != 0 ||
-        BIO_ctrl_get_write_guarantee(bio1) != 3 ||
-        BIO_read(bio2, buf, sizeof(buf)) != 7 ||
-        OPENSSL_memcmp(buf, "4567890", 7) != 0 ||
-        BIO_ctrl_get_write_guarantee(bio1) != 10) {
-      return false;
-    }
-
-    // Successful reads reset the read request.
-    if (BIO_ctrl_get_read_request(bio1) != 0) {
-      return false;
-    }
-
-    // Test writes and reads starting in the middle of the ring buffer and
-    // wrapping to front.
-    if (BIO_write(bio1, "abcdefgh", 8) != 8 ||
-        BIO_ctrl_get_write_guarantee(bio1) != 2 ||
-        BIO_read(bio2, buf, 3) != 3 ||
-        OPENSSL_memcmp(buf, "abc", 3) != 0 ||
-        BIO_ctrl_get_write_guarantee(bio1) != 5 ||
-        BIO_write(bio1, "ijklm___", 8) != 5 ||
-        BIO_ctrl_get_write_guarantee(bio1) != 0 ||
-        BIO_read(bio2, buf, sizeof(buf)) != 10 ||
-        OPENSSL_memcmp(buf, "defghijklm", 10) != 0 ||
-        BIO_ctrl_get_write_guarantee(bio1) != 10) {
-      return false;
-    }
-
-    // Data may flow from both ends in parallel.
-    if (BIO_write(bio1, "12345", 5) != 5 ||
-        BIO_write(bio2, "67890", 5) != 5 ||
-        BIO_read(bio2, buf, sizeof(buf)) != 5 ||
-        OPENSSL_memcmp(buf, "12345", 5) != 0 ||
-        BIO_read(bio1, buf, sizeof(buf)) != 5 ||
-        OPENSSL_memcmp(buf, "67890", 5) != 0) {
-      return false;
-    }
-
-    // Closing the write end causes an EOF on the read half, after draining.
-    if (BIO_write(bio1, "12345", 5) != 5 ||
-        !BIO_shutdown_wr(bio1) ||
-        BIO_read(bio2, buf, sizeof(buf)) != 5 ||
-        OPENSSL_memcmp(buf, "12345", 5) != 0 ||
-        BIO_read(bio2, buf, sizeof(buf)) != 0) {
-      return false;
-    }
-
-    // A closed write end may not be written to.
-    if (BIO_ctrl_get_write_guarantee(bio1) != 0 ||
-        BIO_write(bio1, "_____", 5) != -1) {
-      return false;
-    }
-
-    uint32_t err = ERR_get_error();
-    if (ERR_GET_LIB(err) != ERR_LIB_BIO ||
-        ERR_GET_REASON(err) != BIO_R_BROKEN_PIPE) {
-      return false;
-    }
-
-    // The other end is still functional.
-    if (BIO_write(bio2, "12345", 5) != 5 ||
-        BIO_read(bio1, buf, sizeof(buf)) != 5 ||
-        OPENSSL_memcmp(buf, "12345", 5) != 0) {
-      return false;
-    }
-  }
-
-  return true;
-}
-
-int main() {
-  CRYPTO_library_init();
-
-#if defined(OPENSSL_WINDOWS)
-  // Initialize Winsock.
-  WORD wsa_version = MAKEWORD(2, 2);
-  WSADATA wsa_data;
-  int wsa_err = WSAStartup(wsa_version, &wsa_data);
-  if (wsa_err != 0) {
-    fprintf(stderr, "WSAStartup failed: %d\n", wsa_err);
-    return 1;
-  }
-  if (wsa_data.wVersion != wsa_version) {
-    fprintf(stderr, "Didn't get expected version: %x\n", wsa_data.wVersion);
-    return 1;
-  }
-#endif
-
-  if (!TestSocketConnect() ||
-      !TestPrintf() ||
-      !TestASN1() ||
-      !TestPair()) {
-    return 1;
-  }
-
-  printf("PASS\n");
-  return 0;
-}
+INSTANTIATE_TEST_CASE_P(, BIOPairTest, testing::Values(false, true));
@@ -1,486 +0,0 @@
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.] */
-
-#include <openssl/bio.h>
-
-#include <string.h>
-
-#include <openssl/buf.h>
-#include <openssl/err.h>
-#include <openssl/mem.h>
-
-#include "../internal.h"
-
-
-#define DEFAULT_BUFFER_SIZE 4096
-
-typedef struct bio_f_buffer_ctx_struct {
-  /* Buffers are setup like this:
-   *
-   * <---------------------- size ----------------------->
-   * +---------------------------------------------------+
-   * | consumed | remaining          | free space        |
-   * +---------------------------------------------------+
-   * <-- off --><------- len ------->
-   */
-
-  int ibuf_size;  /* how big is the input buffer */
-  int obuf_size;  /* how big is the output buffer */
-
-  char *ibuf;   /* the char array */
-  int ibuf_len; /* how many bytes are in it */
-  int ibuf_off; /* write/read offset */
-
-  char *obuf;   /* the char array */
-  int obuf_len; /* how many bytes are in it */
-  int obuf_off; /* write/read offset */
-} BIO_F_BUFFER_CTX;
-
-static int buffer_new(BIO *bio) {
-  BIO_F_BUFFER_CTX *ctx;
-
-  ctx = OPENSSL_malloc(sizeof(BIO_F_BUFFER_CTX));
-  if (ctx == NULL) {
-    return 0;
-  }
-  OPENSSL_memset(ctx, 0, sizeof(BIO_F_BUFFER_CTX));
-
-  ctx->ibuf = OPENSSL_malloc(DEFAULT_BUFFER_SIZE);
-  if (ctx->ibuf == NULL) {
-    goto err1;
-  }
-  ctx->obuf = OPENSSL_malloc(DEFAULT_BUFFER_SIZE);
-  if (ctx->obuf == NULL) {
-    goto err2;
-  }
-  ctx->ibuf_size = DEFAULT_BUFFER_SIZE;
-  ctx->obuf_size = DEFAULT_BUFFER_SIZE;
-
-  bio->init = 1;
-  bio->ptr = (char *)ctx;
-  return 1;
-
-err2:
-  OPENSSL_free(ctx->ibuf);
-
-err1:
-  OPENSSL_free(ctx);
-  return 0;
-}
-
-static int buffer_free(BIO *bio) {
-  BIO_F_BUFFER_CTX *ctx;
-
-  if (bio == NULL || bio->ptr == NULL) {
-    return 0;
-  }
-
-  ctx = (BIO_F_BUFFER_CTX *)bio->ptr;
-  OPENSSL_free(ctx->ibuf);
-  OPENSSL_free(ctx->obuf);
-  OPENSSL_free(bio->ptr);
-
-  bio->ptr = NULL;
-  bio->init = 0;
-  bio->flags = 0;
-
-  return 1;
-}
-
-static int buffer_read(BIO *bio, char *out, int outl) {
-  int i, num = 0;
-  BIO_F_BUFFER_CTX *ctx;
-
-  ctx = (BIO_F_BUFFER_CTX *)bio->ptr;
-
-  if (ctx == NULL || bio->next_bio == NULL) {
-    return 0;
-  }
-
-  num = 0;
-  BIO_clear_retry_flags(bio);
-
-  for (;;) {
-    i = ctx->ibuf_len;
-    /* If there is stuff left over, grab it */
-    if (i != 0) {
-      if (i > outl) {
-        i = outl;
-      }
-      OPENSSL_memcpy(out, &ctx->ibuf[ctx->ibuf_off], i);
-      ctx->ibuf_off += i;
-      ctx->ibuf_len -= i;
-      num += i;
-      if (outl == i) {
-        return num;
-      }
-      outl -= i;
-      out += i;
-    }
-
-    /* We may have done a partial read. Try to do more. We have nothing in the
-     * buffer. If we get an error and have read some data, just return it and
-     * let them retry to get the error again. Copy direct to parent address
-     * space */
-    if (outl > ctx->ibuf_size) {
-      for (;;) {
-        i = BIO_read(bio->next_bio, out, outl);
-        if (i <= 0) {
-          BIO_copy_next_retry(bio);
-          if (i < 0) {
-            return (num > 0) ? num : i;
-          }
-          return num;
-        }
-        num += i;
-        if (outl == i) {
-          return num;
-        }
-        out += i;
-        outl -= i;
-      }
-    }
-    /* else */
-
-    /* we are going to be doing some buffering */
-    i = BIO_read(bio->next_bio, ctx->ibuf, ctx->ibuf_size);
-    if (i <= 0) {
-      BIO_copy_next_retry(bio);
-      if (i < 0) {
-        return (num > 0) ? num : i;
-      }
-      return num;
-    }
-    ctx->ibuf_off = 0;
-    ctx->ibuf_len = i;
-  }
-}
-
-static int buffer_write(BIO *b, const char *in, int inl) {
-  int i, num = 0;
-  BIO_F_BUFFER_CTX *ctx;
-
-  ctx = (BIO_F_BUFFER_CTX *)b->ptr;
-  if (ctx == NULL || b->next_bio == NULL) {
-    return 0;
-  }
-
-  BIO_clear_retry_flags(b);
-
-  for (;;) {
-    i = ctx->obuf_size - (ctx->obuf_off + ctx->obuf_len);
-    /* add to buffer and return */
-    if (i >= inl) {
-      OPENSSL_memcpy(&ctx->obuf[ctx->obuf_off + ctx->obuf_len], in, inl);
-      ctx->obuf_len += inl;
-      return num + inl;
-    }
-    /* else */
-    /* stuff already in buffer, so add to it first, then flush */
-    if (ctx->obuf_len != 0) {
-      if (i > 0) {
-        OPENSSL_memcpy(&ctx->obuf[ctx->obuf_off + ctx->obuf_len], in, i);
-        in += i;
-        inl -= i;
-        num += i;
-        ctx->obuf_len += i;
-      }
-
-      /* we now have a full buffer needing flushing */
-      for (;;) {
-        i = BIO_write(b->next_bio, &ctx->obuf[ctx->obuf_off], ctx->obuf_len);
-        if (i <= 0) {
-          BIO_copy_next_retry(b);
-
-          if (i < 0) {
-            return (num > 0) ? num : i;
-          }
-          return num;
-        }
-        ctx->obuf_off += i;
-        ctx->obuf_len -= i;
-        if (ctx->obuf_len == 0) {
-          break;
-        }
-      }
-    }
-
-    /* we only get here if the buffer has been flushed and we
-     * still have stuff to write */
-    ctx->obuf_off = 0;
-
-    /* we now have inl bytes to write */
-    while (inl >= ctx->obuf_size) {
-      i = BIO_write(b->next_bio, in, inl);
-      if (i <= 0) {
-        BIO_copy_next_retry(b);
-        if (i < 0) {
-          return (num > 0) ? num : i;
-        }
-        return num;
-      }
-      num += i;
-      in += i;
-      inl -= i;
-      if (inl == 0) {
-        return num;
-      }
-    }
-
-    /* copy the rest into the buffer since we have only a small
-     * amount left */
-  }
-}
-
-static long buffer_ctrl(BIO *b, int cmd, long num, void *ptr) {
-  BIO_F_BUFFER_CTX *ctx;
-  long ret = 1;
-  char *p1, *p2;
-  int r, *ip;
-  int ibs, obs;
-
-  ctx = (BIO_F_BUFFER_CTX *)b->ptr;
-
-  switch (cmd) {
-    case BIO_CTRL_RESET:
-      ctx->ibuf_off = 0;
-      ctx->ibuf_len = 0;
-      ctx->obuf_off = 0;
-      ctx->obuf_len = 0;
-      if (b->next_bio == NULL) {
-        return 0;
-      }
-      ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
-      break;
-
-    case BIO_CTRL_INFO:
-      ret = ctx->obuf_len;
-      break;
-
-    case BIO_CTRL_WPENDING:
-      ret = (long)ctx->obuf_len;
-      break;
-
-    case BIO_CTRL_PENDING:
-      ret = (long)ctx->ibuf_len;
-      break;
-
-    case BIO_C_SET_BUFF_SIZE:
-      ip = (int *)ptr;
-      if (*ip == 0) {
-        ibs = (int)num;
-        obs = ctx->obuf_size;
-      } else /* if (*ip == 1) */ {
-        ibs = ctx->ibuf_size;
-        obs = (int)num;
-      }
-      p1 = ctx->ibuf;
-      p2 = ctx->obuf;
-      if (ibs > DEFAULT_BUFFER_SIZE && ibs != ctx->ibuf_size) {
-        p1 = OPENSSL_malloc(ibs);
-        if (p1 == NULL) {
-          goto malloc_error;
-        }
-      }
-      if (obs > DEFAULT_BUFFER_SIZE && obs != ctx->obuf_size) {
-        p2 = OPENSSL_malloc(obs);
-        if (p2 == NULL) {
-          if (p1 != ctx->ibuf) {
-            OPENSSL_free(p1);
-          }
-          goto malloc_error;
-        }
-      }
-
-      if (ctx->ibuf != p1) {
-        OPENSSL_free(ctx->ibuf);
-        ctx->ibuf = p1;
-        ctx->ibuf_size = ibs;
-      }
-      ctx->ibuf_off = 0;
-      ctx->ibuf_len = 0;
-
-      if (ctx->obuf != p2) {
-        OPENSSL_free(ctx->obuf);
-        ctx->obuf = p2;
-        ctx->obuf_size = obs;
-      }
-      ctx->obuf_off = 0;
-      ctx->obuf_len = 0;
-      break;
-
-    case BIO_CTRL_FLUSH:
-      if (b->next_bio == NULL) {
-        return 0;
-      }
-
-      while (ctx->obuf_len > 0) {
-        BIO_clear_retry_flags(b);
-        r = BIO_write(b->next_bio, &(ctx->obuf[ctx->obuf_off]),
-                      ctx->obuf_len);
-        BIO_copy_next_retry(b);
-        if (r <= 0) {
-          return r;
-        }
-        ctx->obuf_off += r;
-        ctx->obuf_len -= r;
-      }
-
-      ctx->obuf_len = 0;
-      ctx->obuf_off = 0;
-      ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
-      break;
-
-    default:
-      if (b->next_bio == NULL) {
-        return 0;
-      }
-      BIO_clear_retry_flags(b);
-      ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
-      BIO_copy_next_retry(b);
-      break;
-  }
-  return ret;
-
-malloc_error:
-  OPENSSL_PUT_ERROR(BIO, ERR_R_MALLOC_FAILURE);
-  return 0;
-}
-
-static long buffer_callback_ctrl(BIO *b, int cmd, bio_info_cb fp) {
-  long ret = 1;
-
-  if (b->next_bio == NULL) {
-    return 0;
-  }
-
-  switch (cmd) {
-    default:
-      ret = BIO_callback_ctrl(b->next_bio, cmd, fp);
-      break;
-  }
-  return ret;
-}
-
-static int buffer_gets(BIO *b, char *buf, int size) {
-  BIO_F_BUFFER_CTX *ctx;
-  int num = 0, i, flag;
-  char *p;
-
-  ctx = (BIO_F_BUFFER_CTX *)b->ptr;
-  if (buf == NULL || size <= 0) {
-    return 0;
-  }
-
-  size--; /* reserve space for a '\0' */
-  BIO_clear_retry_flags(b);
-
-  for (;;) {
-    if (ctx->ibuf_len > 0) {
-      p = &ctx->ibuf[ctx->ibuf_off];
-      flag = 0;
-      for (i = 0; (i < ctx->ibuf_len) && (i < size); i++) {
-        *(buf++) = p[i];
-        if (p[i] == '\n') {
-          flag = 1;
-          i++;
-          break;
-        }
-      }
-      num += i;
-      size -= i;
-      ctx->ibuf_len -= i;
-      ctx->ibuf_off += i;
-      if (flag || size == 0) {
-        *buf = '\0';
-        return num;
-      }
-    } else /* read another chunk */
-    {
-      i = BIO_read(b->next_bio, ctx->ibuf, ctx->ibuf_size);
-      if (i <= 0) {
-        BIO_copy_next_retry(b);
-        *buf = '\0';
-        if (i < 0) {
-          return (num > 0) ? num : i;
-        }
-        return num;
-      }
-      ctx->ibuf_len = i;
-      ctx->ibuf_off = 0;
-    }
-  }
-}
-
-static int buffer_puts(BIO *b, const char *str) {
-  return buffer_write(b, str, strlen(str));
-}
-
-static const BIO_METHOD methods_buffer = {
-    BIO_TYPE_BUFFER, "buffer",             buffer_write, buffer_read,
-    buffer_puts,     buffer_gets,          buffer_ctrl,  buffer_new,
-    buffer_free,     buffer_callback_ctrl,
-};
-
-const BIO_METHOD *BIO_f_buffer(void) { return &methods_buffer; }
-
-int BIO_set_read_buffer_size(BIO *bio, int buffer_size) {
-  return BIO_int_ctrl(bio, BIO_C_SET_BUFF_SIZE, buffer_size, 0);
-}
-
-int BIO_set_write_buffer_size(BIO *bio, int buffer_size) {
-  return BIO_int_ctrl(bio, BIO_C_SET_BUFF_SIZE, buffer_size, 1);
-}
@@ -98,12 +98,12 @@ typedef struct bio_connect_st {
  struct sockaddr_storage them;
  socklen_t them_length;

-  /* the file descriptor is kept in bio->num in order to match the socket
-   * BIO. */
+  // the file descriptor is kept in bio->num in order to match the socket
+  // BIO.

-  /* info_callback is called when the connection is initially made
-   * callback(BIO,state,ret);  The callback should return 'ret', state is for
-   * compatibility with the SSL info_callback. */
+  // info_callback is called when the connection is initially made
+  // callback(BIO,state,ret);  The callback should return 'ret', state is for
+  // compatibility with the SSL info_callback.
  int (*info_callback)(const BIO *bio, int state, int ret);
 } BIO_CONNECT;

@@ -113,9 +113,9 @@ static int closesocket(int sock) {
 }
 #endif

-/* split_host_and_port sets |*out_host| and |*out_port| to the host and port
- * parsed from |name|. It returns one on success or zero on error. Even when
- * successful, |*out_port| may be NULL on return if no port was specified. */
+// split_host_and_port sets |*out_host| and |*out_port| to the host and port
+// parsed from |name|. It returns one on success or zero on error. Even when
+// successful, |*out_port| may be NULL on return if no port was specified.
 static int split_host_and_port(char **out_host, char **out_port, const char *name) {
  const char *host, *port = NULL;
  size_t host_len = 0;
@@ -123,24 +123,24 @@ static int split_host_and_port(char **out_host, char **out_port, const char *nam
  *out_host = NULL;
  *out_port = NULL;

-  if (name[0] == '[') {  /* bracketed IPv6 address */
+  if (name[0] == '[') {  // bracketed IPv6 address
    const char *close = strchr(name, ']');
    if (close == NULL) {
      return 0;
    }
    host = name + 1;
    host_len = close - host;
-    if (close[1] == ':') {  /* [IP]:port */
+    if (close[1] == ':') {  // [IP]:port
      port = close + 2;
    } else if (close[1] != 0) {
      return 0;
    }
  } else {
    const char *colon = strchr(name, ':');
-    if (colon == NULL || strchr(colon + 1, ':') != NULL) {  /* IPv6 address */
+    if (colon == NULL || strchr(colon + 1, ':') != NULL) {  // IPv6 address
      host = name;
      host_len = strlen(name);
-    } else {  /* host:port */
+    } else {  // host:port
      host = name;
      host_len = colon - name;
      port = colon + 1;
@@ -175,9 +175,9 @@ static int conn_state(BIO *bio, BIO_CONNECT *c) {
  for (;;) {
    switch (c->state) {
      case BIO_CONN_S_BEFORE:
-        /* If there's a hostname and a port, assume that both are
-         * exactly what they say. If there is only a hostname, try
-         * (just once) to split it into a hostname and port. */
+        // If there's a hostname and a port, assume that both are
+        // exactly what they say. If there is only a hostname, try
+        // (just once) to split it into a hostname and port.

        if (c->param_hostname == NULL) {
          OPENSSL_PUT_ERROR(BIO, BIO_R_NO_HOSTNAME_SPECIFIED);
@@ -330,7 +330,7 @@ static void conn_close_socket(BIO *bio) {
    return;
  }

-  /* Only do a shutdown if things were established */
+  // Only do a shutdown if things were established
  if (c->state == BIO_CONN_S_OK) {
    shutdown(bio->num, 2);
  }
@@ -415,7 +415,7 @@ static long conn_ctrl(BIO *bio, int cmd, long num, void *ptr) {
      bio->flags = 0;
      break;
    case BIO_C_DO_STATE_MACHINE:
-      /* use this one to start the connection */
+      // use this one to start the connection
      if (data->state != BIO_CONN_S_OK) {
        ret = (long)conn_state(bio, data);
      } else {
@@ -468,14 +468,6 @@ static long conn_ctrl(BIO *bio, int cmd, long num, void *ptr) {
      break;
    case BIO_CTRL_FLUSH:
      break;
-    case BIO_CTRL_SET_CALLBACK: {
-#if 0 /* FIXME: Should this be used?  -- Richard Levitte */
-		OPENSSL_PUT_ERROR(BIO, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-		ret = -1;
-#else
-      ret = 0;
-#endif
-    } break;
    case BIO_CTRL_GET_CALLBACK: {
      int (**fptr)(const BIO *bio, int state, int xret);
      fptr = (int (**)(const BIO *bio, int state, int xret))ptr;
@@ -485,7 +477,7 @@ static long conn_ctrl(BIO *bio, int cmd, long num, void *ptr) {
      ret = 0;
      break;
  }
-  return (ret);
+  return ret;
 }

 static long conn_callback_ctrl(BIO *bio, int cmd, bio_info_cb fp) {
@@ -495,9 +487,9 @@ static long conn_callback_ctrl(BIO *bio, int cmd, bio_info_cb fp) {
  data = (BIO_CONNECT *)bio->ptr;

  switch (cmd) {
-    case BIO_CTRL_SET_CALLBACK: {
+    case BIO_CTRL_SET_CALLBACK:
      data->info_callback = (int (*)(const struct bio_st *, int, int))fp;
-    } break;
+      break;
    default:
      ret = 0;
      break;
@@ -505,10 +497,6 @@ static long conn_callback_ctrl(BIO *bio, int cmd, bio_info_cb fp) {
  return ret;
 }

-static int conn_puts(BIO *bp, const char *str) {
-  return conn_write(bp, str, strlen(str));
-}
-
 BIO *BIO_new_connect(const char *hostname) {
  BIO *ret;

@@ -524,8 +512,8 @@ BIO *BIO_new_connect(const char *hostname) {
 }

 static const BIO_METHOD methods_connectp = {
-    BIO_TYPE_CONNECT, "socket connect",         conn_write, conn_read,
-    conn_puts,        NULL /* connect_gets, */, conn_ctrl,  conn_new,
+    BIO_TYPE_CONNECT, "socket connect",   conn_write, conn_read,
+    NULL /* puts */,  NULL /* gets */,    conn_ctrl,  conn_new,
    conn_free,        conn_callback_ctrl,
 };

@@ -138,7 +138,7 @@ BIO *BIO_new_fd(int fd, int close_flag) {
 }

 static int fd_new(BIO *bio) {
-  /* num is used to store the file descriptor. */
+  // num is used to store the file descriptor.
  bio->num = -1;
  return 1;
 }
@@ -190,6 +190,7 @@ static long fd_ctrl(BIO *b, int cmd, long num, void *ptr) {
  switch (cmd) {
    case BIO_CTRL_RESET:
      num = 0;
+      OPENSSL_FALLTHROUGH;
    case BIO_C_FILE_SEEK:
      ret = 0;
      if (b->init) {
@@ -241,10 +242,6 @@ static long fd_ctrl(BIO *b, int cmd, long num, void *ptr) {
  return ret;
 }

-static int fd_puts(BIO *bp, const char *str) {
-  return fd_write(bp, str, strlen(str));
-}
-
 static int fd_gets(BIO *bp, char *buf, int size) {
  char *ptr = buf;
  char *end = buf + size - 1;
@@ -263,8 +260,9 @@ static int fd_gets(BIO *bp, char *buf, int size) {
 }

 static const BIO_METHOD methods_fdp = {
-    BIO_TYPE_FD, "file descriptor", fd_write, fd_read, fd_puts,
-    fd_gets,     fd_ctrl,           fd_new,   fd_free, NULL, };
+    BIO_TYPE_FD, "file descriptor", fd_write, fd_read, NULL /* puts */,
+    fd_gets,     fd_ctrl,           fd_new,   fd_free, NULL /* callback_ctrl */,
+};

 const BIO_METHOD *BIO_s_fd(void) { return &methods_fdp; }

@@ -55,18 +55,17 @@
 * [including the GNU Public Licence.] */

 #if defined(__linux) || defined(__sun) || defined(__hpux)
-/* Following definition aliases fopen to fopen64 on above mentioned
- * platforms. This makes it possible to open and sequentially access
- * files larger than 2GB from 32-bit application. It does not allow to
- * traverse them beyond 2GB with fseek/ftell, but on the other hand *no*
- * 32-bit platform permits that, not with fseek/ftell. Not to mention
- * that breaking 2GB limit for seeking would require surgery to *our*
- * API. But sequential access suffices for practical cases when you
- * can run into large files, such as fingerprinting, so we can let API
- * alone. For reference, the list of 32-bit platforms which allow for
- * sequential access of large files without extra "magic" comprise *BSD,
- * Darwin, IRIX...
- */
+// Following definition aliases fopen to fopen64 on above mentioned
+// platforms. This makes it possible to open and sequentially access
+// files larger than 2GB from 32-bit application. It does not allow to
+// traverse them beyond 2GB with fseek/ftell, but on the other hand *no*
+// 32-bit platform permits that, not with fseek/ftell. Not to mention
+// that breaking 2GB limit for seeking would require surgery to *our*
+// API. But sequential access suffices for practical cases when you
+// can run into large files, such as fingerprinting, so we can let API
+// alone. For reference, the list of 32-bit platforms which allow for
+// sequential access of large files without extra "magic" comprise *BSD,
+// Darwin, IRIX...
 #ifndef _FILE_OFFSET_BITS
 #define _FILE_OFFSET_BITS 64
 #endif
@@ -157,7 +156,7 @@ static int file_read(BIO *b, char *out, int outl) {
    return -1;
  }

-  /* fread reads at most |outl| bytes, so |ret| fits in an int. */
+  // fread reads at most |outl| bytes, so |ret| fits in an int.
  return (int)ret;
 }

@@ -184,6 +183,7 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr) {
  switch (cmd) {
    case BIO_CTRL_RESET:
      num = 0;
+      OPENSSL_FALLTHROUGH;
    case BIO_C_FILE_SEEK:
      ret = (long)fseek(fp, num, 0);
      break;
@@ -232,7 +232,7 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr) {
      b->init = 1;
      break;
    case BIO_C_GET_FILE_PTR:
-      /* the ptr parameter is actually a FILE ** in this case. */
+      // the ptr parameter is actually a FILE ** in this case.
      if (ptr != NULL) {
        fpp = (FILE **)ptr;
        *fpp = (FILE *)b->ptr;
@@ -273,13 +273,13 @@ err:
  return ret;
 }

-static int file_puts(BIO *bp, const char *str) {
-  return file_write(bp, str, strlen(str));
-}
-
 static const BIO_METHOD methods_filep = {
-    BIO_TYPE_FILE, "FILE pointer", file_write, file_read, file_puts,
-    file_gets,     file_ctrl,      file_new,   file_free, NULL, };
+    BIO_TYPE_FILE,   "FILE pointer",
+    file_write,      file_read,
+    NULL /* puts */, file_gets,
+    file_ctrl,       file_new,
+    file_free,       NULL /* callback_ctrl */,
+};

 const BIO_METHOD *BIO_s_file(void) { return &methods_filep; }

@@ -62,12 +62,12 @@
 #include "../internal.h"


-/* hexdump_ctx contains the state of a hexdump. */
+// hexdump_ctx contains the state of a hexdump.
 struct hexdump_ctx {
  BIO *bio;
-  char right_chars[18]; /* the contents of the right-hand side, ASCII dump. */
-  unsigned used;        /* number of bytes in the current line. */
-  size_t n;             /* number of bytes total. */
+  char right_chars[18];  // the contents of the right-hand side, ASCII dump.
+  unsigned used;         // number of bytes in the current line.
+  size_t n;              // number of bytes total.
  unsigned indent;
 };

@@ -84,21 +84,20 @@ static char to_char(uint8_t b) {
  return b;
 }

-/* hexdump_write adds |len| bytes of |data| to the current hex dump described by
- * |ctx|. */
+// hexdump_write adds |len| bytes of |data| to the current hex dump described by
+// |ctx|.
 static int hexdump_write(struct hexdump_ctx *ctx, const uint8_t *data,
                         size_t len) {
  char buf[10];
  unsigned l;

-  /* Output lines look like:
-   * 00000010  2e 2f 30 31 32 33 34 35  36 37 38 ... 3c 3d // |./0123456789:;<=|
-   * ^ offset                          ^ extra space           ^ ASCII of line
-   */
+  // Output lines look like:
+  // 00000010  2e 2f 30 31 32 33 34 35  36 37 38 ... 3c 3d // |./0123456789:;<=|
+  // ^ offset                          ^ extra space           ^ ASCII of line

  for (size_t i = 0; i < len; i++) {
    if (ctx->used == 0) {
-      /* The beginning of a line. */
+      // The beginning of a line.
      BIO_indent(ctx->bio, ctx->indent, UINT_MAX);

      hexbyte(&buf[0], ctx->n >> 24);
@@ -115,12 +114,12 @@ static int hexdump_write(struct hexdump_ctx *ctx, const uint8_t *data,
    buf[2] = ' ';
    l = 3;
    if (ctx->used == 7) {
-      /* There's an additional space after the 8th byte. */
+      // There's an additional space after the 8th byte.
      buf[3] = ' ';
      l = 4;
    } else if (ctx->used == 15) {
-      /* At the end of the line there's an extra space and the bar for the
-       * right column. */
+      // At the end of the line there's an extra space and the bar for the
+      // right column.
      buf[3] = ' ';
      buf[4] = '|';
      l = 5;
@@ -145,9 +144,9 @@ static int hexdump_write(struct hexdump_ctx *ctx, const uint8_t *data,
  return 1;
 }

-/* finish flushes any buffered data in |ctx|. */
+// finish flushes any buffered data in |ctx|.
 static int finish(struct hexdump_ctx *ctx) {
-  /* See the comments in |hexdump| for the details of this format. */
+  // See the comments in |hexdump| for the details of this format.
  const unsigned n_bytes = ctx->used;
  unsigned l;
  char buf[5];
@@ -61,7 +61,7 @@

 #if !defined(OPENSSL_WINDOWS)
 #if defined(OPENSSL_PNACL)
-/* newlib uses u_short in socket.h without defining it. */
+// newlib uses u_short in socket.h without defining it.
 typedef unsigned short u_short;
 #endif
 #include <sys/types.h>
@@ -78,34 +78,34 @@ extern "C" {
 #endif


-/* BIO_ip_and_port_to_socket_and_addr creates a socket and fills in |*out_addr|
- * and |*out_addr_length| with the correct values for connecting to |hostname|
- * on |port_str|. It returns one on success or zero on error. */
+// BIO_ip_and_port_to_socket_and_addr creates a socket and fills in |*out_addr|
+// and |*out_addr_length| with the correct values for connecting to |hostname|
+// on |port_str|. It returns one on success or zero on error.
 int bio_ip_and_port_to_socket_and_addr(int *out_sock,
                                       struct sockaddr_storage *out_addr,
                                       socklen_t *out_addr_length,
                                       const char *hostname,
                                       const char *port_str);

-/* BIO_socket_nbio sets whether |sock| is non-blocking. It returns one on
- * success and zero otherwise. */
+// BIO_socket_nbio sets whether |sock| is non-blocking. It returns one on
+// success and zero otherwise.
 int bio_socket_nbio(int sock, int on);

-/* BIO_clear_socket_error clears the last system socket error.
- *
- * TODO(fork): remove all callers of this. */
+// BIO_clear_socket_error clears the last system socket error.
+//
+// TODO(fork): remove all callers of this.
 void bio_clear_socket_error(void);

-/* BIO_sock_error returns the last socket error on |sock|. */
+// BIO_sock_error returns the last socket error on |sock|.
 int bio_sock_error(int sock);

-/* BIO_fd_should_retry returns non-zero if |return_value| indicates an error
- * and |errno| indicates that it's non-fatal. */
+// BIO_fd_should_retry returns non-zero if |return_value| indicates an error
+// and |errno| indicates that it's non-fatal.
 int bio_fd_should_retry(int return_value);


 #if defined(__cplusplus)
-}  /* extern C */
+}  // extern C
 #endif

-#endif  /* OPENSSL_HEADER_BIO_INTERNAL_H */
+#endif  // OPENSSL_HEADER_BIO_INTERNAL_H
@@ -63,22 +63,22 @@


 struct bio_bio_st {
-  BIO *peer; /* NULL if buf == NULL.
-              * If peer != NULL, then peer->ptr is also a bio_bio_st,
-              * and its "peer" member points back to us.
-              * peer != NULL iff init != 0 in the BIO. */
+  BIO *peer;  // NULL if buf == NULL.
+              // If peer != NULL, then peer->ptr is also a bio_bio_st,
+              // and its "peer" member points back to us.
+              // peer != NULL iff init != 0 in the BIO.

-  /* This is for what we write (i.e. reading uses peer's struct): */
-  int closed;    /* valid iff peer != NULL */
-  size_t len;    /* valid iff buf != NULL; 0 if peer == NULL */
-  size_t offset; /* valid iff buf != NULL; 0 if len == 0 */
+  // This is for what we write (i.e. reading uses peer's struct):
+  int closed;     // valid iff peer != NULL
+  size_t len;     // valid iff buf != NULL; 0 if peer == NULL
+  size_t offset;  // valid iff buf != NULL; 0 if len == 0
  size_t size;
-  uint8_t *buf; /* "size" elements (if != NULL) */
+  uint8_t *buf;  // "size" elements (if != NULL)

-  size_t request; /* valid iff peer != NULL; 0 if len != 0,
-                   * otherwise set by peer to number of bytes
-                   * it (unsuccessfully) tried to read,
-                   * never more than buffer space (size-len) warrants. */
+  size_t request;  // valid iff peer != NULL; 0 if len != 0,
+                   // otherwise set by peer to number of bytes
+                   // it (unsuccessfully) tried to read,
+                   // never more than buffer space (size-len) warrants.
 };

 static int bio_new(BIO *bio) {
@@ -90,7 +90,7 @@ static int bio_new(BIO *bio) {
  }
  OPENSSL_memset(b, 0, sizeof(struct bio_bio_st));

-  b->size = 17 * 1024; /* enough for one TLS record (just a default) */
+  b->size = 17 * 1024;  // enough for one TLS record (just a default)
  bio->ptr = b;
  return 1;
 }
@@ -165,7 +165,7 @@ static int bio_read(BIO *bio, char *buf, int size_) {
  assert(peer_b != NULL);
  assert(peer_b->buf != NULL);

-  peer_b->request = 0; /* will be set in "retry_read" situation */
+  peer_b->request = 0;  // will be set in "retry_read" situation

  if (buf == NULL || size == 0) {
    return 0;
@@ -173,30 +173,30 @@ static int bio_read(BIO *bio, char *buf, int size_) {

  if (peer_b->len == 0) {
    if (peer_b->closed) {
-      return 0; /* writer has closed, and no data is left */
+      return 0;  // writer has closed, and no data is left
    } else {
-      BIO_set_retry_read(bio); /* buffer is empty */
+      BIO_set_retry_read(bio);  // buffer is empty
      if (size <= peer_b->size) {
        peer_b->request = size;
      } else {
-        /* don't ask for more than the peer can
-         * deliver in one write */
+        // don't ask for more than the peer can
+        // deliver in one write
        peer_b->request = peer_b->size;
      }
      return -1;
    }
  }

-  /* we can read */
+  // we can read
  if (peer_b->len < size) {
    size = peer_b->len;
  }

-  /* now read "size" bytes */
+  // now read "size" bytes
  rest = size;

  assert(rest > 0);
-  /* one or two iterations */
+  // one or two iterations
  do {
    size_t chunk;

@@ -204,7 +204,7 @@ static int bio_read(BIO *bio, char *buf, int size_) {
    if (peer_b->offset + rest <= peer_b->size) {
      chunk = rest;
    } else {
-      /* wrap around ring buffer */
+      // wrap around ring buffer
      chunk = peer_b->size - peer_b->offset;
    }
    assert(peer_b->offset + chunk <= peer_b->size);
@@ -220,7 +220,7 @@ static int bio_read(BIO *bio, char *buf, int size_) {
      }
      buf += chunk;
    } else {
-      /* buffer now empty, no need to advance "buf" */
+      // buffer now empty, no need to advance "buf"
      assert(chunk == rest);
      peer_b->offset = 0;
    }
@@ -248,7 +248,7 @@ static int bio_write(BIO *bio, const char *buf, int num_) {

  b->request = 0;
  if (b->closed) {
-    /* we already closed */
+    // we already closed
    OPENSSL_PUT_ERROR(BIO, BIO_R_BROKEN_PIPE);
    return -1;
  }
@@ -256,20 +256,20 @@ static int bio_write(BIO *bio, const char *buf, int num_) {
  assert(b->len <= b->size);

  if (b->len == b->size) {
-    BIO_set_retry_write(bio); /* buffer is full */
+    BIO_set_retry_write(bio);  // buffer is full
    return -1;
  }

-  /* we can write */
+  // we can write
  if (num > b->size - b->len) {
    num = b->size - b->len;
  }

-  /* now write "num" bytes */
+  // now write "num" bytes
  rest = num;

  assert(rest > 0);
-  /* one or two iterations */
+  // one or two iterations
  do {
    size_t write_offset;
    size_t chunk;
@@ -280,12 +280,12 @@ static int bio_write(BIO *bio, const char *buf, int num_) {
    if (write_offset >= b->size) {
      write_offset -= b->size;
    }
-    /* b->buf[write_offset] is the first byte we can write to. */
+    // b->buf[write_offset] is the first byte we can write to.

    if (write_offset + rest <= b->size) {
      chunk = rest;
    } else {
-      /* wrap around ring buffer */
+      // wrap around ring buffer
      chunk = b->size - write_offset;
    }

@@ -363,15 +363,15 @@ static long bio_ctrl(BIO *bio, int cmd, long num, void *ptr) {
  assert(b != NULL);

  switch (cmd) {
-    /* specific CTRL codes */
+    // specific CTRL codes

    case BIO_C_GET_WRITE_BUF_SIZE:
      ret = (long)b->size;
      break;

    case BIO_C_GET_WRITE_GUARANTEE:
-      /* How many bytes can the caller feed to the next write
-       * without having to keep any? */
+      // How many bytes can the caller feed to the next write
+      // without having to keep any?
      if (b->peer == NULL || b->closed) {
        ret = 0;
      } else {
@@ -380,28 +380,28 @@ static long bio_ctrl(BIO *bio, int cmd, long num, void *ptr) {
      break;

    case BIO_C_GET_READ_REQUEST:
-      /* If the peer unsuccessfully tried to read, how many bytes
-       * were requested?  (As with BIO_CTRL_PENDING, that number
-       * can usually be treated as boolean.) */
+      // If the peer unsuccessfully tried to read, how many bytes
+      // were requested?  (As with BIO_CTRL_PENDING, that number
+      // can usually be treated as boolean.)
      ret = (long)b->request;
      break;

    case BIO_C_RESET_READ_REQUEST:
-      /* Reset request.  (Can be useful after read attempts
-       * at the other side that are meant to be non-blocking,
-       * e.g. when probing SSL_read to see if any data is
-       * available.) */
+      // Reset request.  (Can be useful after read attempts
+      // at the other side that are meant to be non-blocking,
+      // e.g. when probing SSL_read to see if any data is
+      // available.)
      b->request = 0;
      ret = 1;
      break;

    case BIO_C_SHUTDOWN_WR:
-      /* similar to shutdown(..., SHUT_WR) */
+      // similar to shutdown(..., SHUT_WR)
      b->closed = 1;
      ret = 1;
      break;

-    /* standard CTRL codes follow */
+    // standard CTRL codes follow

    case BIO_CTRL_GET_CLOSE:
      ret = bio->shutdown;
@@ -450,14 +450,10 @@ static long bio_ctrl(BIO *bio, int cmd, long num, void *ptr) {
  return ret;
 }

-static int bio_puts(BIO *bio, const char *str) {
-  return bio_write(bio, str, strlen(str));
-}

 static const BIO_METHOD methods_biop = {
-    BIO_TYPE_BIO, "BIO pair",             bio_write, bio_read,
-    bio_puts,     NULL /* no bio_gets */, bio_ctrl,  bio_new,
-    bio_free,     NULL /* no bio_callback_ctrl */
+    BIO_TYPE_BIO,    "BIO pair", bio_write, bio_read, NULL /* puts */,
+    NULL /* gets */, bio_ctrl,   bio_new,   bio_free, NULL /* callback_ctrl */,
 };

 static const BIO_METHOD *bio_s_bio(void) { return &methods_biop; }
@@ -54,10 +54,6 @@
 * copied and put under another distribution licence
 * [including the GNU Public Licence.] */

-#if !defined(_POSIX_C_SOURCE)
-#define _POSIX_C_SOURCE 201410L  /* for snprintf, vprintf etc */
-#endif
-
 #include <openssl/bio.h>

 #include <assert.h>
@@ -77,13 +73,13 @@ int BIO_printf(BIO *bio, const char *format, ...) {
  va_end(args);

 #if defined(OPENSSL_WINDOWS)
-  /* On Windows, vsnprintf returns -1 rather than the requested length on
-   * truncation */
+  // On Windows, vsnprintf returns -1 rather than the requested length on
+  // truncation
  if (out_len < 0) {
    va_start(args, format);
    out_len = _vscprintf(format, args);
    va_end(args);
-    assert(out_len >= sizeof(buf));
+    assert(out_len >= (int)sizeof(buf));
  }
 #endif

@@ -93,9 +89,9 @@ int BIO_printf(BIO *bio, const char *format, ...) {

  if ((size_t) out_len >= sizeof(buf)) {
    const int requested_len = out_len;
-    /* The output was truncated. Note that vsnprintf's return value
-     * does not include a trailing NUL, but the buffer must be sized
-     * for it. */
+    // The output was truncated. Note that vsnprintf's return value
+    // does not include a trailing NUL, but the buffer must be sized
+    // for it.
    out = OPENSSL_malloc(requested_len + 1);
    out_malloced = 1;
    if (out == NULL) {
@@ -142,10 +142,6 @@ static int sock_write(BIO *b, const char *in, int inl) {
  return ret;
 }

-static int sock_puts(BIO *bp, const char *str) {
-  return sock_write(bp, str, strlen(str));
-}
-
 static long sock_ctrl(BIO *b, int cmd, long num, void *ptr) {
  long ret = 1;
  int *ip;
@@ -185,8 +181,11 @@ static long sock_ctrl(BIO *b, int cmd, long num, void *ptr) {
 }

 static const BIO_METHOD methods_sockp = {
-    BIO_TYPE_SOCKET,  "socket",  sock_write, sock_read, sock_puts,
-    NULL /* gets, */, sock_ctrl, sock_new,   sock_free, NULL,
+    BIO_TYPE_SOCKET, "socket",
+    sock_write,      sock_read,
+    NULL /* puts */, NULL /* gets, */,
+    sock_ctrl,       sock_new,
+    sock_free,       NULL /* callback_ctrl */,
 };

 const BIO_METHOD *BIO_s_socket(void) { return &methods_sockp; }
@@ -1,87 +0,0 @@
-include_directories(../../include)
-
-if (${ARCH} STREQUAL "x86_64")
-  set(
-    BN_ARCH_SOURCES
-
-    x86_64-mont.${ASM_EXT}
-    x86_64-mont5.${ASM_EXT}
-    rsaz-avx2.${ASM_EXT}
-
-    rsaz_exp.c
-  )
-endif()
-
-if (${ARCH} STREQUAL "x86")
-  set(
-    BN_ARCH_SOURCES
-
-    bn-586.${ASM_EXT}
-    co-586.${ASM_EXT}
-    x86-mont.${ASM_EXT}
-  )
-endif()
-
-if (${ARCH} STREQUAL "arm")
-  set(
-    BN_ARCH_SOURCES
-
-    armv4-mont.${ASM_EXT}
-  )
-endif()
-
-if (${ARCH} STREQUAL "aarch64")
-  set(
-    BN_ARCH_SOURCES
-
-    armv8-mont.${ASM_EXT}
-  )
-endif()
-
-add_library(
-  bn
-
-  OBJECT
-
-  add.c
-  asm/x86_64-gcc.c
-  bn.c
-  bn_asn1.c
-  cmp.c
-  convert.c
-  ctx.c
-  div.c
-  exponentiation.c
-  generic.c
-  gcd.c
-  kronecker.c
-  montgomery.c
-  montgomery_inv.c
-  mul.c
-  prime.c
-  random.c
-  shift.c
-  sqrt.c
-
-  ${BN_ARCH_SOURCES}
-)
-
-perlasm(x86_64-mont.${ASM_EXT} asm/x86_64-mont.pl)
-perlasm(x86_64-mont5.${ASM_EXT} asm/x86_64-mont5.pl)
-perlasm(rsaz-avx2.${ASM_EXT} asm/rsaz-avx2.pl)
-perlasm(bn-586.${ASM_EXT} asm/bn-586.pl)
-perlasm(co-586.${ASM_EXT} asm/co-586.pl)
-perlasm(x86-mont.${ASM_EXT} asm/x86-mont.pl)
-perlasm(armv4-mont.${ASM_EXT} asm/armv4-mont.pl)
-perlasm(armv8-mont.${ASM_EXT} asm/armv8-mont.pl)
-
-add_executable(
-  bn_test
-
-  bn_test.cc
-
-  $<TARGET_OBJECTS:test_support>
-)
-
-target_link_libraries(bn_test crypto)
-add_dependencies(all_tests bn_test)
@@ -1,693 +0,0 @@
-#!/usr/bin/env perl
-
-# ====================================================================
-# Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
-# project. The module is, however, dual licensed under OpenSSL and
-# CRYPTOGAMS licenses depending on where you obtain it. For further
-# details see http://www.openssl.org/~appro/cryptogams/.
-# ====================================================================
-
-# January 2007.
-
-# Montgomery multiplication for ARMv4.
-#
-# Performance improvement naturally varies among CPU implementations
-# and compilers. The code was observed to provide +65-35% improvement
-# [depending on key length, less for longer keys] on ARM920T, and
-# +115-80% on Intel IXP425. This is compared to pre-bn_mul_mont code
-# base and compiler generated code with in-lined umull and even umlal
-# instructions. The latter means that this code didn't really have an 
-# "advantage" of utilizing some "secret" instruction.
-#
-# The code is interoperable with Thumb ISA and is rather compact, less
-# than 1/2KB. Windows CE port would be trivial, as it's exclusively
-# about decorations, ABI and instruction syntax are identical.
-
-# November 2013
-#
-# Add NEON code path, which handles lengths divisible by 8. RSA/DSA
-# performance improvement on Cortex-A8 is ~45-100% depending on key
-# length, more for longer keys. On Cortex-A15 the span is ~10-105%.
-# On Snapdragon S4 improvement was measured to vary from ~70% to
-# incredible ~380%, yes, 4.8x faster, for RSA4096 sign. But this is
-# rather because original integer-only code seems to perform
-# suboptimally on S4. Situation on Cortex-A9 is unfortunately
-# different. It's being looked into, but the trouble is that
-# performance for vectors longer than 256 bits is actually couple
-# of percent worse than for integer-only code. The code is chosen
-# for execution on all NEON-capable processors, because gain on
-# others outweighs the marginal loss on Cortex-A9.
-
-$flavour = shift;
-if ($flavour=~/\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; }
-else { while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {} }
-
-if ($flavour && $flavour ne "void") {
-    $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-    ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
-    ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
-    die "can't locate arm-xlate.pl";
-
-    open STDOUT,"| \"$^X\" $xlate $flavour $output";
-} else {
-    open STDOUT,">$output";
-}
-
-$num="r0";	# starts as num argument, but holds &tp[num-1]
-$ap="r1";
-$bp="r2"; $bi="r2"; $rp="r2";
-$np="r3";
-$tp="r4";
-$aj="r5";
-$nj="r6";
-$tj="r7";
-$n0="r8";
-###########	# r9 is reserved by ELF as platform specific, e.g. TLS pointer
-$alo="r10";	# sl, gcc uses it to keep @GOT
-$ahi="r11";	# fp
-$nlo="r12";	# ip
-###########	# r13 is stack pointer
-$nhi="r14";	# lr
-###########	# r15 is program counter
-
-#### argument block layout relative to &tp[num-1], a.k.a. $num
-$_rp="$num,#12*4";
-# ap permanently resides in r1
-$_bp="$num,#13*4";
-# np permanently resides in r3
-$_n0="$num,#14*4";
-$_num="$num,#15*4";	$_bpend=$_num;
-
-$code=<<___;
-#include <openssl/arm_arch.h>
-
-.text
-.code	32
-
-#if __ARM_MAX_ARCH__>=7
-.align	5
-.LOPENSSL_armcap:
-.word	OPENSSL_armcap_P-.Lbn_mul_mont
-#endif
-
-.global	bn_mul_mont
-.type	bn_mul_mont,%function
-
-.align	5
-bn_mul_mont:
-.Lbn_mul_mont:
-	ldr	ip,[sp,#4]		@ load num
-	stmdb	sp!,{r0,r2}		@ sp points at argument block
-#if __ARM_MAX_ARCH__>=7
-	tst	ip,#7
-	bne	.Lialu
-	adr	r0,bn_mul_mont
-	ldr	r2,.LOPENSSL_armcap
-	ldr	r0,[r0,r2]
-#ifdef	__APPLE__
-	ldr	r0,[r0]
-#endif
-	tst	r0,#ARMV7_NEON		@ NEON available?
-	ldmia	sp, {r0,r2}
-	beq	.Lialu
-	add	sp,sp,#8
-	b	bn_mul8x_mont_neon
-.align	4
-.Lialu:
-#endif
-	cmp	ip,#2
-	mov	$num,ip			@ load num
-	movlt	r0,#0
-	addlt	sp,sp,#2*4
-	blt	.Labrt
-
-	stmdb	sp!,{r4-r12,lr}		@ save 10 registers
-
-	mov	$num,$num,lsl#2		@ rescale $num for byte count
-	sub	sp,sp,$num		@ alloca(4*num)
-	sub	sp,sp,#4		@ +extra dword
-	sub	$num,$num,#4		@ "num=num-1"
-	add	$tp,$bp,$num		@ &bp[num-1]
-
-	add	$num,sp,$num		@ $num to point at &tp[num-1]
-	ldr	$n0,[$_n0]		@ &n0
-	ldr	$bi,[$bp]		@ bp[0]
-	ldr	$aj,[$ap],#4		@ ap[0],ap++
-	ldr	$nj,[$np],#4		@ np[0],np++
-	ldr	$n0,[$n0]		@ *n0
-	str	$tp,[$_bpend]		@ save &bp[num]
-
-	umull	$alo,$ahi,$aj,$bi	@ ap[0]*bp[0]
-	str	$n0,[$_n0]		@ save n0 value
-	mul	$n0,$alo,$n0		@ "tp[0]"*n0
-	mov	$nlo,#0
-	umlal	$alo,$nlo,$nj,$n0	@ np[0]*n0+"t[0]"
-	mov	$tp,sp
-
-.L1st:
-	ldr	$aj,[$ap],#4		@ ap[j],ap++
-	mov	$alo,$ahi
-	ldr	$nj,[$np],#4		@ np[j],np++
-	mov	$ahi,#0
-	umlal	$alo,$ahi,$aj,$bi	@ ap[j]*bp[0]
-	mov	$nhi,#0
-	umlal	$nlo,$nhi,$nj,$n0	@ np[j]*n0
-	adds	$nlo,$nlo,$alo
-	str	$nlo,[$tp],#4		@ tp[j-1]=,tp++
-	adc	$nlo,$nhi,#0
-	cmp	$tp,$num
-	bne	.L1st
-
-	adds	$nlo,$nlo,$ahi
-	ldr	$tp,[$_bp]		@ restore bp
-	mov	$nhi,#0
-	ldr	$n0,[$_n0]		@ restore n0
-	adc	$nhi,$nhi,#0
-	str	$nlo,[$num]		@ tp[num-1]=
-	str	$nhi,[$num,#4]		@ tp[num]=
-
-.Louter:
-	sub	$tj,$num,sp		@ "original" $num-1 value
-	sub	$ap,$ap,$tj		@ "rewind" ap to &ap[1]
-	ldr	$bi,[$tp,#4]!		@ *(++bp)
-	sub	$np,$np,$tj		@ "rewind" np to &np[1]
-	ldr	$aj,[$ap,#-4]		@ ap[0]
-	ldr	$alo,[sp]		@ tp[0]
-	ldr	$nj,[$np,#-4]		@ np[0]
-	ldr	$tj,[sp,#4]		@ tp[1]
-
-	mov	$ahi,#0
-	umlal	$alo,$ahi,$aj,$bi	@ ap[0]*bp[i]+tp[0]
-	str	$tp,[$_bp]		@ save bp
-	mul	$n0,$alo,$n0
-	mov	$nlo,#0
-	umlal	$alo,$nlo,$nj,$n0	@ np[0]*n0+"tp[0]"
-	mov	$tp,sp
-
-.Linner:
-	ldr	$aj,[$ap],#4		@ ap[j],ap++
-	adds	$alo,$ahi,$tj		@ +=tp[j]
-	ldr	$nj,[$np],#4		@ np[j],np++
-	mov	$ahi,#0
-	umlal	$alo,$ahi,$aj,$bi	@ ap[j]*bp[i]
-	mov	$nhi,#0
-	umlal	$nlo,$nhi,$nj,$n0	@ np[j]*n0
-	adc	$ahi,$ahi,#0
-	ldr	$tj,[$tp,#8]		@ tp[j+1]
-	adds	$nlo,$nlo,$alo
-	str	$nlo,[$tp],#4		@ tp[j-1]=,tp++
-	adc	$nlo,$nhi,#0
-	cmp	$tp,$num
-	bne	.Linner
-
-	adds	$nlo,$nlo,$ahi
-	mov	$nhi,#0
-	ldr	$tp,[$_bp]		@ restore bp
-	adc	$nhi,$nhi,#0
-	ldr	$n0,[$_n0]		@ restore n0
-	adds	$nlo,$nlo,$tj
-	ldr	$tj,[$_bpend]		@ restore &bp[num]
-	adc	$nhi,$nhi,#0
-	str	$nlo,[$num]		@ tp[num-1]=
-	str	$nhi,[$num,#4]		@ tp[num]=
-
-	cmp	$tp,$tj
-	bne	.Louter
-
-	ldr	$rp,[$_rp]		@ pull rp
-	add	$num,$num,#4		@ $num to point at &tp[num]
-	sub	$aj,$num,sp		@ "original" num value
-	mov	$tp,sp			@ "rewind" $tp
-	mov	$ap,$tp			@ "borrow" $ap
-	sub	$np,$np,$aj		@ "rewind" $np to &np[0]
-
-	subs	$tj,$tj,$tj		@ "clear" carry flag
-.Lsub:	ldr	$tj,[$tp],#4
-	ldr	$nj,[$np],#4
-	sbcs	$tj,$tj,$nj		@ tp[j]-np[j]
-	str	$tj,[$rp],#4		@ rp[j]=
-	teq	$tp,$num		@ preserve carry
-	bne	.Lsub
-	sbcs	$nhi,$nhi,#0		@ upmost carry
-	mov	$tp,sp			@ "rewind" $tp
-	sub	$rp,$rp,$aj		@ "rewind" $rp
-
-	and	$ap,$tp,$nhi
-	bic	$np,$rp,$nhi
-	orr	$ap,$ap,$np		@ ap=borrow?tp:rp
-
-.Lcopy:	ldr	$tj,[$ap],#4		@ copy or in-place refresh
-	str	sp,[$tp],#4		@ zap tp
-	str	$tj,[$rp],#4
-	cmp	$tp,$num
-	bne	.Lcopy
-
-	add	sp,$num,#4		@ skip over tp[num+1]
-	ldmia	sp!,{r4-r12,lr}		@ restore registers
-	add	sp,sp,#2*4		@ skip over {r0,r2}
-	mov	r0,#1
-.Labrt:
-#if __ARM_ARCH__>=5
-	ret				@ bx lr
-#else
-	tst	lr,#1
-	moveq	pc,lr			@ be binary compatible with V4, yet
-	bx	lr			@ interoperable with Thumb ISA:-)
-#endif
-.size	bn_mul_mont,.-bn_mul_mont
-___
-{
-sub Dlo()   { shift=~m|q([1]?[0-9])|?"d".($1*2):"";     }
-sub Dhi()   { shift=~m|q([1]?[0-9])|?"d".($1*2+1):"";   }
-
-my ($A0,$A1,$A2,$A3)=map("d$_",(0..3));
-my ($N0,$N1,$N2,$N3)=map("d$_",(4..7));
-my ($Z,$Temp)=("q4","q5");
-my ($A0xB,$A1xB,$A2xB,$A3xB,$A4xB,$A5xB,$A6xB,$A7xB)=map("q$_",(6..13));
-my ($Bi,$Ni,$M0)=map("d$_",(28..31));
-my $zero=&Dlo($Z);
-my $temp=&Dlo($Temp);
-
-my ($rptr,$aptr,$bptr,$nptr,$n0,$num)=map("r$_",(0..5));
-my ($tinptr,$toutptr,$inner,$outer)=map("r$_",(6..9));
-
-$code.=<<___;
-#if __ARM_MAX_ARCH__>=7
-.arch	armv7-a
-.fpu	neon
-
-.type	bn_mul8x_mont_neon,%function
-.align	5
-bn_mul8x_mont_neon:
-	mov	ip,sp
-	stmdb	sp!,{r4-r11}
-	vstmdb	sp!,{d8-d15}		@ ABI specification says so
-	ldmia	ip,{r4-r5}		@ load rest of parameter block
-
-	sub		$toutptr,sp,#16
-	vld1.32		{${Bi}[0]}, [$bptr,:32]!
-	sub		$toutptr,$toutptr,$num,lsl#4
-	vld1.32		{$A0-$A3},  [$aptr]!		@ can't specify :32 :-(
-	and		$toutptr,$toutptr,#-64
-	vld1.32		{${M0}[0]}, [$n0,:32]
-	mov		sp,$toutptr			@ alloca
-	veor		$zero,$zero,$zero
-	subs		$inner,$num,#8
-	vzip.16		$Bi,$zero
-
-	vmull.u32	$A0xB,$Bi,${A0}[0]
-	vmull.u32	$A1xB,$Bi,${A0}[1]
-	vmull.u32	$A2xB,$Bi,${A1}[0]
-	vshl.i64	$temp,`&Dhi("$A0xB")`,#16
-	vmull.u32	$A3xB,$Bi,${A1}[1]
-
-	vadd.u64	$temp,$temp,`&Dlo("$A0xB")`
-	veor		$zero,$zero,$zero
-	vmul.u32	$Ni,$temp,$M0
-
-	vmull.u32	$A4xB,$Bi,${A2}[0]
-	 vld1.32	{$N0-$N3}, [$nptr]!
-	vmull.u32	$A5xB,$Bi,${A2}[1]
-	vmull.u32	$A6xB,$Bi,${A3}[0]
-	vzip.16		$Ni,$zero
-	vmull.u32	$A7xB,$Bi,${A3}[1]
-
-	bne	.LNEON_1st
-
-	@ special case for num=8, everything is in register bank...
-
-	vmlal.u32	$A0xB,$Ni,${N0}[0]
-	sub		$outer,$num,#1
-	vmlal.u32	$A1xB,$Ni,${N0}[1]
-	vmlal.u32	$A2xB,$Ni,${N1}[0]
-	vmlal.u32	$A3xB,$Ni,${N1}[1]
-
-	vmlal.u32	$A4xB,$Ni,${N2}[0]
-	vmov		$Temp,$A0xB
-	vmlal.u32	$A5xB,$Ni,${N2}[1]
-	vmov		$A0xB,$A1xB
-	vmlal.u32	$A6xB,$Ni,${N3}[0]
-	vmov		$A1xB,$A2xB
-	vmlal.u32	$A7xB,$Ni,${N3}[1]
-	vmov		$A2xB,$A3xB
-	vmov		$A3xB,$A4xB
-	vshr.u64	$temp,$temp,#16
-	vmov		$A4xB,$A5xB
-	vmov		$A5xB,$A6xB
-	vadd.u64	$temp,$temp,`&Dhi("$Temp")`
-	vmov		$A6xB,$A7xB
-	veor		$A7xB,$A7xB
-	vshr.u64	$temp,$temp,#16
-
-	b	.LNEON_outer8
-
-.align	4
-.LNEON_outer8:
-	vld1.32		{${Bi}[0]}, [$bptr,:32]!
-	veor		$zero,$zero,$zero
-	vzip.16		$Bi,$zero
-	vadd.u64	`&Dlo("$A0xB")`,`&Dlo("$A0xB")`,$temp
-
-	vmlal.u32	$A0xB,$Bi,${A0}[0]
-	vmlal.u32	$A1xB,$Bi,${A0}[1]
-	vmlal.u32	$A2xB,$Bi,${A1}[0]
-	vshl.i64	$temp,`&Dhi("$A0xB")`,#16
-	vmlal.u32	$A3xB,$Bi,${A1}[1]
-
-	vadd.u64	$temp,$temp,`&Dlo("$A0xB")`
-	veor		$zero,$zero,$zero
-	subs		$outer,$outer,#1
-	vmul.u32	$Ni,$temp,$M0
-
-	vmlal.u32	$A4xB,$Bi,${A2}[0]
-	vmlal.u32	$A5xB,$Bi,${A2}[1]
-	vmlal.u32	$A6xB,$Bi,${A3}[0]
-	vzip.16		$Ni,$zero
-	vmlal.u32	$A7xB,$Bi,${A3}[1]
-
-	vmlal.u32	$A0xB,$Ni,${N0}[0]
-	vmlal.u32	$A1xB,$Ni,${N0}[1]
-	vmlal.u32	$A2xB,$Ni,${N1}[0]
-	vmlal.u32	$A3xB,$Ni,${N1}[1]
-
-	vmlal.u32	$A4xB,$Ni,${N2}[0]
-	vmov		$Temp,$A0xB
-	vmlal.u32	$A5xB,$Ni,${N2}[1]
-	vmov		$A0xB,$A1xB
-	vmlal.u32	$A6xB,$Ni,${N3}[0]
-	vmov		$A1xB,$A2xB
-	vmlal.u32	$A7xB,$Ni,${N3}[1]
-	vmov		$A2xB,$A3xB
-	vmov		$A3xB,$A4xB
-	vshr.u64	$temp,$temp,#16
-	vmov		$A4xB,$A5xB
-	vmov		$A5xB,$A6xB
-	vadd.u64	$temp,$temp,`&Dhi("$Temp")`
-	vmov		$A6xB,$A7xB
-	veor		$A7xB,$A7xB
-	vshr.u64	$temp,$temp,#16
-
-	bne	.LNEON_outer8
-
-	vadd.u64	`&Dlo("$A0xB")`,`&Dlo("$A0xB")`,$temp
-	mov		$toutptr,sp
-	vshr.u64	$temp,`&Dlo("$A0xB")`,#16
-	mov		$inner,$num
-	vadd.u64	`&Dhi("$A0xB")`,`&Dhi("$A0xB")`,$temp
-	add		$tinptr,sp,#16
-	vshr.u64	$temp,`&Dhi("$A0xB")`,#16
-	vzip.16		`&Dlo("$A0xB")`,`&Dhi("$A0xB")`
-
-	b	.LNEON_tail2
-
-.align	4
-.LNEON_1st:
-	vmlal.u32	$A0xB,$Ni,${N0}[0]
-	 vld1.32	{$A0-$A3}, [$aptr]!
-	vmlal.u32	$A1xB,$Ni,${N0}[1]
-	subs		$inner,$inner,#8
-	vmlal.u32	$A2xB,$Ni,${N1}[0]
-	vmlal.u32	$A3xB,$Ni,${N1}[1]
-
-	vmlal.u32	$A4xB,$Ni,${N2}[0]
-	 vld1.32	{$N0-$N1}, [$nptr]!
-	vmlal.u32	$A5xB,$Ni,${N2}[1]
-	 vst1.64	{$A0xB-$A1xB}, [$toutptr,:256]!
-	vmlal.u32	$A6xB,$Ni,${N3}[0]
-	vmlal.u32	$A7xB,$Ni,${N3}[1]
-	 vst1.64	{$A2xB-$A3xB}, [$toutptr,:256]!
-
-	vmull.u32	$A0xB,$Bi,${A0}[0]
-	 vld1.32	{$N2-$N3}, [$nptr]!
-	vmull.u32	$A1xB,$Bi,${A0}[1]
-	 vst1.64	{$A4xB-$A5xB}, [$toutptr,:256]!
-	vmull.u32	$A2xB,$Bi,${A1}[0]
-	vmull.u32	$A3xB,$Bi,${A1}[1]
-	 vst1.64	{$A6xB-$A7xB}, [$toutptr,:256]!
-
-	vmull.u32	$A4xB,$Bi,${A2}[0]
-	vmull.u32	$A5xB,$Bi,${A2}[1]
-	vmull.u32	$A6xB,$Bi,${A3}[0]
-	vmull.u32	$A7xB,$Bi,${A3}[1]
-
-	bne	.LNEON_1st
-
-	vmlal.u32	$A0xB,$Ni,${N0}[0]
-	add		$tinptr,sp,#16
-	vmlal.u32	$A1xB,$Ni,${N0}[1]
-	sub		$aptr,$aptr,$num,lsl#2		@ rewind $aptr
-	vmlal.u32	$A2xB,$Ni,${N1}[0]
-	 vld1.64	{$Temp}, [sp,:128]
-	vmlal.u32	$A3xB,$Ni,${N1}[1]
-	sub		$outer,$num,#1
-
-	vmlal.u32	$A4xB,$Ni,${N2}[0]
-	vst1.64		{$A0xB-$A1xB}, [$toutptr,:256]!
-	vmlal.u32	$A5xB,$Ni,${N2}[1]
-	vshr.u64	$temp,$temp,#16
-	 vld1.64	{$A0xB},       [$tinptr, :128]!
-	vmlal.u32	$A6xB,$Ni,${N3}[0]
-	vst1.64		{$A2xB-$A3xB}, [$toutptr,:256]!
-	vmlal.u32	$A7xB,$Ni,${N3}[1]
-
-	vst1.64		{$A4xB-$A5xB}, [$toutptr,:256]!
-	vadd.u64	$temp,$temp,`&Dhi("$Temp")`
-	veor		$Z,$Z,$Z
-	vst1.64		{$A6xB-$A7xB}, [$toutptr,:256]!
-	 vld1.64	{$A1xB-$A2xB}, [$tinptr, :256]!
-	vst1.64		{$Z},          [$toutptr,:128]
-	vshr.u64	$temp,$temp,#16
-
-	b		.LNEON_outer
-
-.align	4
-.LNEON_outer:
-	vld1.32		{${Bi}[0]}, [$bptr,:32]!
-	sub		$nptr,$nptr,$num,lsl#2		@ rewind $nptr
-	vld1.32		{$A0-$A3},  [$aptr]!
-	veor		$zero,$zero,$zero
-	mov		$toutptr,sp
-	vzip.16		$Bi,$zero
-	sub		$inner,$num,#8
-	vadd.u64	`&Dlo("$A0xB")`,`&Dlo("$A0xB")`,$temp
-
-	vmlal.u32	$A0xB,$Bi,${A0}[0]
-	 vld1.64	{$A3xB-$A4xB},[$tinptr,:256]!
-	vmlal.u32	$A1xB,$Bi,${A0}[1]
-	vmlal.u32	$A2xB,$Bi,${A1}[0]
-	 vld1.64	{$A5xB-$A6xB},[$tinptr,:256]!
-	vmlal.u32	$A3xB,$Bi,${A1}[1]
-
-	vshl.i64	$temp,`&Dhi("$A0xB")`,#16
-	veor		$zero,$zero,$zero
-	vadd.u64	$temp,$temp,`&Dlo("$A0xB")`
-	 vld1.64	{$A7xB},[$tinptr,:128]!
-	vmul.u32	$Ni,$temp,$M0
-
-	vmlal.u32	$A4xB,$Bi,${A2}[0]
-	 vld1.32	{$N0-$N3}, [$nptr]!
-	vmlal.u32	$A5xB,$Bi,${A2}[1]
-	vmlal.u32	$A6xB,$Bi,${A3}[0]
-	vzip.16		$Ni,$zero
-	vmlal.u32	$A7xB,$Bi,${A3}[1]
-
-.LNEON_inner:
-	vmlal.u32	$A0xB,$Ni,${N0}[0]
-	 vld1.32	{$A0-$A3}, [$aptr]!
-	vmlal.u32	$A1xB,$Ni,${N0}[1]
-	 subs		$inner,$inner,#8
-	vmlal.u32	$A2xB,$Ni,${N1}[0]
-	vmlal.u32	$A3xB,$Ni,${N1}[1]
-	vst1.64		{$A0xB-$A1xB}, [$toutptr,:256]!
-
-	vmlal.u32	$A4xB,$Ni,${N2}[0]
-	 vld1.64	{$A0xB},       [$tinptr, :128]!
-	vmlal.u32	$A5xB,$Ni,${N2}[1]
-	vst1.64		{$A2xB-$A3xB}, [$toutptr,:256]!
-	vmlal.u32	$A6xB,$Ni,${N3}[0]
-	 vld1.64	{$A1xB-$A2xB}, [$tinptr, :256]!
-	vmlal.u32	$A7xB,$Ni,${N3}[1]
-	vst1.64		{$A4xB-$A5xB}, [$toutptr,:256]!
-
-	vmlal.u32	$A0xB,$Bi,${A0}[0]
-	 vld1.64	{$A3xB-$A4xB}, [$tinptr, :256]!
-	vmlal.u32	$A1xB,$Bi,${A0}[1]
-	vst1.64		{$A6xB-$A7xB}, [$toutptr,:256]!
-	vmlal.u32	$A2xB,$Bi,${A1}[0]
-	 vld1.64	{$A5xB-$A6xB}, [$tinptr, :256]!
-	vmlal.u32	$A3xB,$Bi,${A1}[1]
-	 vld1.32	{$N0-$N3}, [$nptr]!
-
-	vmlal.u32	$A4xB,$Bi,${A2}[0]
-	 vld1.64	{$A7xB},       [$tinptr, :128]!
-	vmlal.u32	$A5xB,$Bi,${A2}[1]
-	vmlal.u32	$A6xB,$Bi,${A3}[0]
-	vmlal.u32	$A7xB,$Bi,${A3}[1]
-
-	bne	.LNEON_inner
-
-	vmlal.u32	$A0xB,$Ni,${N0}[0]
-	add		$tinptr,sp,#16
-	vmlal.u32	$A1xB,$Ni,${N0}[1]
-	sub		$aptr,$aptr,$num,lsl#2		@ rewind $aptr
-	vmlal.u32	$A2xB,$Ni,${N1}[0]
-	 vld1.64	{$Temp}, [sp,:128]
-	vmlal.u32	$A3xB,$Ni,${N1}[1]
-	subs		$outer,$outer,#1
-
-	vmlal.u32	$A4xB,$Ni,${N2}[0]
-	vst1.64		{$A0xB-$A1xB}, [$toutptr,:256]!
-	vmlal.u32	$A5xB,$Ni,${N2}[1]
-	 vld1.64	{$A0xB},       [$tinptr, :128]!
-	vshr.u64	$temp,$temp,#16
-	vst1.64		{$A2xB-$A3xB}, [$toutptr,:256]!
-	vmlal.u32	$A6xB,$Ni,${N3}[0]
-	 vld1.64	{$A1xB-$A2xB}, [$tinptr, :256]!
-	vmlal.u32	$A7xB,$Ni,${N3}[1]
-
-	vst1.64		{$A4xB-$A5xB}, [$toutptr,:256]!
-	vadd.u64	$temp,$temp,`&Dhi("$Temp")`
-	vst1.64		{$A6xB-$A7xB}, [$toutptr,:256]!
-	vshr.u64	$temp,$temp,#16
-
-	bne	.LNEON_outer
-
-	mov		$toutptr,sp
-	mov		$inner,$num
-
-.LNEON_tail:
-	vadd.u64	`&Dlo("$A0xB")`,`&Dlo("$A0xB")`,$temp
-	vld1.64		{$A3xB-$A4xB}, [$tinptr, :256]!
-	vshr.u64	$temp,`&Dlo("$A0xB")`,#16
-	vadd.u64	`&Dhi("$A0xB")`,`&Dhi("$A0xB")`,$temp
-	vld1.64		{$A5xB-$A6xB}, [$tinptr, :256]!
-	vshr.u64	$temp,`&Dhi("$A0xB")`,#16
-	vld1.64		{$A7xB},       [$tinptr, :128]!
-	vzip.16		`&Dlo("$A0xB")`,`&Dhi("$A0xB")`
-
-.LNEON_tail2:
-	vadd.u64	`&Dlo("$A1xB")`,`&Dlo("$A1xB")`,$temp
-	vst1.32		{`&Dlo("$A0xB")`[0]}, [$toutptr, :32]!
-	vshr.u64	$temp,`&Dlo("$A1xB")`,#16
-	vadd.u64	`&Dhi("$A1xB")`,`&Dhi("$A1xB")`,$temp
-	vshr.u64	$temp,`&Dhi("$A1xB")`,#16
-	vzip.16		`&Dlo("$A1xB")`,`&Dhi("$A1xB")`
-
-	vadd.u64	`&Dlo("$A2xB")`,`&Dlo("$A2xB")`,$temp
-	vst1.32		{`&Dlo("$A1xB")`[0]}, [$toutptr, :32]!
-	vshr.u64	$temp,`&Dlo("$A2xB")`,#16
-	vadd.u64	`&Dhi("$A2xB")`,`&Dhi("$A2xB")`,$temp
-	vshr.u64	$temp,`&Dhi("$A2xB")`,#16
-	vzip.16		`&Dlo("$A2xB")`,`&Dhi("$A2xB")`
-
-	vadd.u64	`&Dlo("$A3xB")`,`&Dlo("$A3xB")`,$temp
-	vst1.32		{`&Dlo("$A2xB")`[0]}, [$toutptr, :32]!
-	vshr.u64	$temp,`&Dlo("$A3xB")`,#16
-	vadd.u64	`&Dhi("$A3xB")`,`&Dhi("$A3xB")`,$temp
-	vshr.u64	$temp,`&Dhi("$A3xB")`,#16
-	vzip.16		`&Dlo("$A3xB")`,`&Dhi("$A3xB")`
-
-	vadd.u64	`&Dlo("$A4xB")`,`&Dlo("$A4xB")`,$temp
-	vst1.32		{`&Dlo("$A3xB")`[0]}, [$toutptr, :32]!
-	vshr.u64	$temp,`&Dlo("$A4xB")`,#16
-	vadd.u64	`&Dhi("$A4xB")`,`&Dhi("$A4xB")`,$temp
-	vshr.u64	$temp,`&Dhi("$A4xB")`,#16
-	vzip.16		`&Dlo("$A4xB")`,`&Dhi("$A4xB")`
-
-	vadd.u64	`&Dlo("$A5xB")`,`&Dlo("$A5xB")`,$temp
-	vst1.32		{`&Dlo("$A4xB")`[0]}, [$toutptr, :32]!
-	vshr.u64	$temp,`&Dlo("$A5xB")`,#16
-	vadd.u64	`&Dhi("$A5xB")`,`&Dhi("$A5xB")`,$temp
-	vshr.u64	$temp,`&Dhi("$A5xB")`,#16
-	vzip.16		`&Dlo("$A5xB")`,`&Dhi("$A5xB")`
-
-	vadd.u64	`&Dlo("$A6xB")`,`&Dlo("$A6xB")`,$temp
-	vst1.32		{`&Dlo("$A5xB")`[0]}, [$toutptr, :32]!
-	vshr.u64	$temp,`&Dlo("$A6xB")`,#16
-	vadd.u64	`&Dhi("$A6xB")`,`&Dhi("$A6xB")`,$temp
-	vld1.64		{$A0xB}, [$tinptr, :128]!
-	vshr.u64	$temp,`&Dhi("$A6xB")`,#16
-	vzip.16		`&Dlo("$A6xB")`,`&Dhi("$A6xB")`
-
-	vadd.u64	`&Dlo("$A7xB")`,`&Dlo("$A7xB")`,$temp
-	vst1.32		{`&Dlo("$A6xB")`[0]}, [$toutptr, :32]!
-	vshr.u64	$temp,`&Dlo("$A7xB")`,#16
-	vadd.u64	`&Dhi("$A7xB")`,`&Dhi("$A7xB")`,$temp
-	vld1.64		{$A1xB-$A2xB},	[$tinptr, :256]!
-	vshr.u64	$temp,`&Dhi("$A7xB")`,#16
-	vzip.16		`&Dlo("$A7xB")`,`&Dhi("$A7xB")`
-	subs		$inner,$inner,#8
-	vst1.32		{`&Dlo("$A7xB")`[0]}, [$toutptr, :32]!
-
-	bne	.LNEON_tail
-
-	vst1.32	{${temp}[0]}, [$toutptr, :32]		@ top-most bit
-	sub	$nptr,$nptr,$num,lsl#2			@ rewind $nptr
-	subs	$aptr,sp,#0				@ clear carry flag
-	add	$bptr,sp,$num,lsl#2
-
-.LNEON_sub:
-	ldmia	$aptr!, {r4-r7}
-	ldmia	$nptr!, {r8-r11}
-	sbcs	r8, r4,r8
-	sbcs	r9, r5,r9
-	sbcs	r10,r6,r10
-	sbcs	r11,r7,r11
-	teq	$aptr,$bptr				@ preserves carry
-	stmia	$rptr!, {r8-r11}
-	bne	.LNEON_sub
-
-	ldr	r10, [$aptr]				@ load top-most bit
-	veor	q0,q0,q0
-	sub	r11,$bptr,sp				@ this is num*4
-	veor	q1,q1,q1
-	mov	$aptr,sp
-	sub	$rptr,$rptr,r11				@ rewind $rptr
-	mov	$nptr,$bptr				@ second 3/4th of frame
-	sbcs	r10,r10,#0				@ result is carry flag
-
-.LNEON_copy_n_zap:
-	ldmia	$aptr!, {r4-r7}
-	ldmia	$rptr,  {r8-r11}
-	movcc	r8, r4
-	vst1.64	{q0-q1}, [$nptr,:256]!			@ wipe
-	movcc	r9, r5
-	movcc	r10,r6
-	vst1.64	{q0-q1}, [$nptr,:256]!			@ wipe
-	movcc	r11,r7
-	ldmia	$aptr, {r4-r7}
-	stmia	$rptr!, {r8-r11}
-	sub	$aptr,$aptr,#16
-	ldmia	$rptr, {r8-r11}
-	movcc	r8, r4
-	vst1.64	{q0-q1}, [$aptr,:256]!			@ wipe
-	movcc	r9, r5
-	movcc	r10,r6
-	vst1.64	{q0-q1}, [$nptr,:256]!			@ wipe
-	movcc	r11,r7
-	teq	$aptr,$bptr				@ preserves carry
-	stmia	$rptr!, {r8-r11}
-	bne	.LNEON_copy_n_zap
-
-	sub	sp,ip,#96
-        vldmia  sp!,{d8-d15}
-        ldmia   sp!,{r4-r11}
-	ret						@ bx lr
-.size	bn_mul8x_mont_neon,.-bn_mul8x_mont_neon
-#endif
-___
-}
-$code.=<<___;
-.asciz	"Montgomery multiplication for ARMv4/NEON, CRYPTOGAMS by <appro\@openssl.org>"
-.align	2
-#if __ARM_MAX_ARCH__>=7
-.comm	OPENSSL_armcap_P,4,4
-.hidden	OPENSSL_armcap_P
-#endif
-___
-
-$code =~ s/\`([^\`]*)\`/eval $1/gem;
-$code =~ s/\bbx\s+lr\b/.word\t0xe12fff1e/gm;	# make it possible to compile with -march=armv4
-$code =~ s/\bret\b/bx	lr/gm;
-print $code;
-close STDOUT;
@@ -1,532 +0,0 @@
-/* x86_64 BIGNUM accelerator version 0.1, December 2002.
- *
- * Implemented by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
- * project.
- *
- * Rights for redistribution and usage in source and binary forms are
- * granted according to the OpenSSL license. Warranty of any kind is
- * disclaimed.
- *
- * Q. Version 0.1? It doesn't sound like Andy, he used to assign real
- *    versions, like 1.0...
- * A. Well, that's because this code is basically a quick-n-dirty
- *    proof-of-concept hack. As you can see it's implemented with
- *    inline assembler, which means that you're bound to GCC and that
- *    there might be enough room for further improvement.
- *
- * Q. Why inline assembler?
- * A. x86_64 features own ABI which I'm not familiar with. This is
- *    why I decided to let the compiler take care of subroutine
- *    prologue/epilogue as well as register allocation. For reference.
- *    Win64 implements different ABI for AMD64, different from Linux.
- *
- * Q. How much faster does it get?
- * A. 'apps/openssl speed rsa dsa' output with no-asm:
- *
- *	                  sign    verify    sign/s verify/s
- *	rsa  512 bits   0.0006s   0.0001s   1683.8  18456.2
- *	rsa 1024 bits   0.0028s   0.0002s    356.0   6407.0
- *	rsa 2048 bits   0.0172s   0.0005s     58.0   1957.8
- *	rsa 4096 bits   0.1155s   0.0018s      8.7    555.6
- *	                  sign    verify    sign/s verify/s
- *	dsa  512 bits   0.0005s   0.0006s   2100.8   1768.3
- *	dsa 1024 bits   0.0014s   0.0018s    692.3    559.2
- *	dsa 2048 bits   0.0049s   0.0061s    204.7    165.0
- *
- *    'apps/openssl speed rsa dsa' output with this module:
- *
- *	                  sign    verify    sign/s verify/s
- *	rsa  512 bits   0.0004s   0.0000s   2767.1  33297.9
- *	rsa 1024 bits   0.0012s   0.0001s    867.4  14674.7
- *	rsa 2048 bits   0.0061s   0.0002s    164.0   5270.0
- *	rsa 4096 bits   0.0384s   0.0006s     26.1   1650.8
- *	                  sign    verify    sign/s verify/s
- *	dsa  512 bits   0.0002s   0.0003s   4442.2   3786.3
- *	dsa 1024 bits   0.0005s   0.0007s   1835.1   1497.4
- *	dsa 2048 bits   0.0016s   0.0020s    620.4    504.6
- *
- *    For the reference. IA-32 assembler implementation performs
- *    very much like 64-bit code compiled with no-asm on the same
- *    machine.
- */
-
-#include <openssl/bn.h>
-
-/* TODO(davidben): Get this file working on Windows x64. */
-#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__GNUC__)
-
-#include "../internal.h"
-
-
-#undef mul
-#undef mul_add
-
-#define asm __asm__
-
-/*
- * "m"(a), "+m"(r)	is the way to favor DirectPath µ-code;
- * "g"(0)		let the compiler to decide where does it
- *			want to keep the value of zero;
- */
-#define mul_add(r, a, word, carry)                                     \
-  do {                                                                 \
-    register BN_ULONG high, low;                                       \
-    asm("mulq %3" : "=a"(low), "=d"(high) : "a"(word), "m"(a) : "cc"); \
-    asm("addq %2,%0; adcq %3,%1"                                       \
-        : "+r"(carry), "+d"(high)                                      \
-        : "a"(low), "g"(0)                                             \
-        : "cc");                                                       \
-    asm("addq %2,%0; adcq %3,%1"                                       \
-        : "+m"(r), "+d"(high)                                          \
-        : "r"(carry), "g"(0)                                           \
-        : "cc");                                                       \
-    (carry) = high;                                                    \
-  } while (0)
-
-#define mul(r, a, word, carry)                                         \
-  do {                                                                 \
-    register BN_ULONG high, low;                                       \
-    asm("mulq %3" : "=a"(low), "=d"(high) : "a"(word), "g"(a) : "cc"); \
-    asm("addq %2,%0; adcq %3,%1"                                       \
-        : "+r"(carry), "+d"(high)                                      \
-        : "a"(low), "g"(0)                                             \
-        : "cc");                                                       \
-    (r) = (carry);                                                     \
-    (carry) = high;                                                    \
-  } while (0)
-#undef sqr
-#define sqr(r0, r1, a) asm("mulq %2" : "=a"(r0), "=d"(r1) : "a"(a) : "cc");
-
-BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num,
-                          BN_ULONG w) {
-  BN_ULONG c1 = 0;
-
-  if (num <= 0) {
-    return (c1);
-  }
-
-  while (num & ~3) {
-    mul_add(rp[0], ap[0], w, c1);
-    mul_add(rp[1], ap[1], w, c1);
-    mul_add(rp[2], ap[2], w, c1);
-    mul_add(rp[3], ap[3], w, c1);
-    ap += 4;
-    rp += 4;
-    num -= 4;
-  }
-  if (num) {
-    mul_add(rp[0], ap[0], w, c1);
-    if (--num == 0) {
-      return c1;
-    }
-    mul_add(rp[1], ap[1], w, c1);
-    if (--num == 0) {
-      return c1;
-    }
-    mul_add(rp[2], ap[2], w, c1);
-    return c1;
-  }
-
-  return c1;
-}
-
-BN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w) {
-  BN_ULONG c1 = 0;
-
-  if (num <= 0) {
-    return c1;
-  }
-
-  while (num & ~3) {
-    mul(rp[0], ap[0], w, c1);
-    mul(rp[1], ap[1], w, c1);
-    mul(rp[2], ap[2], w, c1);
-    mul(rp[3], ap[3], w, c1);
-    ap += 4;
-    rp += 4;
-    num -= 4;
-  }
-  if (num) {
-    mul(rp[0], ap[0], w, c1);
-    if (--num == 0) {
-      return c1;
-    }
-    mul(rp[1], ap[1], w, c1);
-    if (--num == 0) {
-      return c1;
-    }
-    mul(rp[2], ap[2], w, c1);
-  }
-  return c1;
-}
-
-void bn_sqr_words(BN_ULONG *r, const BN_ULONG *a, int n) {
-  if (n <= 0) {
-    return;
-  }
-
-  while (n & ~3) {
-    sqr(r[0], r[1], a[0]);
-    sqr(r[2], r[3], a[1]);
-    sqr(r[4], r[5], a[2]);
-    sqr(r[6], r[7], a[3]);
-    a += 4;
-    r += 8;
-    n -= 4;
-  }
-  if (n) {
-    sqr(r[0], r[1], a[0]);
-    if (--n == 0) {
-      return;
-    }
-    sqr(r[2], r[3], a[1]);
-    if (--n == 0) {
-      return;
-    }
-    sqr(r[4], r[5], a[2]);
-  }
-}
-
-BN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
-                      int n) {
-  BN_ULONG ret;
-  size_t i = 0;
-
-  if (n <= 0) {
-    return 0;
-  }
-
-  asm volatile (
-      "	subq	%0,%0		\n" /* clear carry */
-      "	jmp	1f		\n"
-      ".p2align 4			\n"
-      "1:	movq	(%4,%2,8),%0	\n"
-      "	adcq	(%5,%2,8),%0	\n"
-      "	movq	%0,(%3,%2,8)	\n"
-      "	lea	1(%2),%2	\n"
-      "	loop	1b		\n"
-      "	sbbq	%0,%0		\n"
-      : "=&r"(ret), "+c"(n), "+r"(i)
-      : "r"(rp), "r"(ap), "r"(bp)
-      : "cc", "memory");
-
-  return ret & 1;
-}
-
-BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
-                      int n) {
-  BN_ULONG ret;
-  size_t i = 0;
-
-  if (n <= 0) {
-    return 0;
-  }
-
-  asm volatile (
-      "	subq	%0,%0		\n" /* clear borrow */
-      "	jmp	1f		\n"
-      ".p2align 4			\n"
-      "1:	movq	(%4,%2,8),%0	\n"
-      "	sbbq	(%5,%2,8),%0	\n"
-      "	movq	%0,(%3,%2,8)	\n"
-      "	lea	1(%2),%2	\n"
-      "	loop	1b		\n"
-      "	sbbq	%0,%0		\n"
-      : "=&r"(ret), "+c"(n), "+r"(i)
-      : "r"(rp), "r"(ap), "r"(bp)
-      : "cc", "memory");
-
-  return ret & 1;
-}
-
-/* mul_add_c(a,b,c0,c1,c2)  -- c+=a*b for three word number c=(c2,c1,c0) */
-/* mul_add_c2(a,b,c0,c1,c2) -- c+=2*a*b for three word number c=(c2,c1,c0) */
-/* sqr_add_c(a,i,c0,c1,c2)  -- c+=a[i]^2 for three word number c=(c2,c1,c0) */
-/* sqr_add_c2(a,i,c0,c1,c2) -- c+=2*a[i]*a[j] for three word number c=(c2,c1,c0)
- */
-
-/* Keep in mind that carrying into high part of multiplication result can not
- * overflow, because it cannot be all-ones. */
-#define mul_add_c(a, b, c0, c1, c2)          \
-  do {                                       \
-    BN_ULONG t1, t2;                \
-    asm("mulq %3" : "=a"(t1), "=d"(t2) : "a"(a), "m"(b) : "cc"); \
-    asm("addq %3,%0; adcq %4,%1; adcq %5,%2" \
-        : "+r"(c0), "+r"(c1), "+r"(c2)       \
-        : "r"(t1), "r"(t2), "g"(0)           \
-        : "cc");                             \
-  } while (0)
-
-#define sqr_add_c(a, i, c0, c1, c2)                           \
-  do {                                                        \
-    BN_ULONG t1, t2;                                          \
-    asm("mulq %2" : "=a"(t1), "=d"(t2) : "a"((a)[i]) : "cc"); \
-    asm("addq %3,%0; adcq %4,%1; adcq %5,%2"                  \
-        : "+r"(c0), "+r"(c1), "+r"(c2)                        \
-        : "r"(t1), "r"(t2), "g"(0)                            \
-        : "cc");                                              \
-  } while (0)
-
-#define mul_add_c2(a, b, c0, c1, c2)         \
-  do {                                       \
-    BN_ULONG t1, t2;                                                    \
-    asm("mulq %3" : "=a"(t1), "=d"(t2) : "a"(a), "m"(b) : "cc");        \
-    asm("addq %3,%0; adcq %4,%1; adcq %5,%2" \
-        : "+r"(c0), "+r"(c1), "+r"(c2)       \
-        : "r"(t1), "r"(t2), "g"(0)           \
-        : "cc");                             \
-    asm("addq %3,%0; adcq %4,%1; adcq %5,%2" \
-        : "+r"(c0), "+r"(c1), "+r"(c2)       \
-        : "r"(t1), "r"(t2), "g"(0)           \
-        : "cc");                             \
-  } while (0)
-
-#define sqr_add_c2(a, i, j, c0, c1, c2) mul_add_c2((a)[i], (a)[j], c0, c1, c2)
-
-void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b) {
-  BN_ULONG c1, c2, c3;
-
-  c1 = 0;
-  c2 = 0;
-  c3 = 0;
-  mul_add_c(a[0], b[0], c1, c2, c3);
-  r[0] = c1;
-  c1 = 0;
-  mul_add_c(a[0], b[1], c2, c3, c1);
-  mul_add_c(a[1], b[0], c2, c3, c1);
-  r[1] = c2;
-  c2 = 0;
-  mul_add_c(a[2], b[0], c3, c1, c2);
-  mul_add_c(a[1], b[1], c3, c1, c2);
-  mul_add_c(a[0], b[2], c3, c1, c2);
-  r[2] = c3;
-  c3 = 0;
-  mul_add_c(a[0], b[3], c1, c2, c3);
-  mul_add_c(a[1], b[2], c1, c2, c3);
-  mul_add_c(a[2], b[1], c1, c2, c3);
-  mul_add_c(a[3], b[0], c1, c2, c3);
-  r[3] = c1;
-  c1 = 0;
-  mul_add_c(a[4], b[0], c2, c3, c1);
-  mul_add_c(a[3], b[1], c2, c3, c1);
-  mul_add_c(a[2], b[2], c2, c3, c1);
-  mul_add_c(a[1], b[3], c2, c3, c1);
-  mul_add_c(a[0], b[4], c2, c3, c1);
-  r[4] = c2;
-  c2 = 0;
-  mul_add_c(a[0], b[5], c3, c1, c2);
-  mul_add_c(a[1], b[4], c3, c1, c2);
-  mul_add_c(a[2], b[3], c3, c1, c2);
-  mul_add_c(a[3], b[2], c3, c1, c2);
-  mul_add_c(a[4], b[1], c3, c1, c2);
-  mul_add_c(a[5], b[0], c3, c1, c2);
-  r[5] = c3;
-  c3 = 0;
-  mul_add_c(a[6], b[0], c1, c2, c3);
-  mul_add_c(a[5], b[1], c1, c2, c3);
-  mul_add_c(a[4], b[2], c1, c2, c3);
-  mul_add_c(a[3], b[3], c1, c2, c3);
-  mul_add_c(a[2], b[4], c1, c2, c3);
-  mul_add_c(a[1], b[5], c1, c2, c3);
-  mul_add_c(a[0], b[6], c1, c2, c3);
-  r[6] = c1;
-  c1 = 0;
-  mul_add_c(a[0], b[7], c2, c3, c1);
-  mul_add_c(a[1], b[6], c2, c3, c1);
-  mul_add_c(a[2], b[5], c2, c3, c1);
-  mul_add_c(a[3], b[4], c2, c3, c1);
-  mul_add_c(a[4], b[3], c2, c3, c1);
-  mul_add_c(a[5], b[2], c2, c3, c1);
-  mul_add_c(a[6], b[1], c2, c3, c1);
-  mul_add_c(a[7], b[0], c2, c3, c1);
-  r[7] = c2;
-  c2 = 0;
-  mul_add_c(a[7], b[1], c3, c1, c2);
-  mul_add_c(a[6], b[2], c3, c1, c2);
-  mul_add_c(a[5], b[3], c3, c1, c2);
-  mul_add_c(a[4], b[4], c3, c1, c2);
-  mul_add_c(a[3], b[5], c3, c1, c2);
-  mul_add_c(a[2], b[6], c3, c1, c2);
-  mul_add_c(a[1], b[7], c3, c1, c2);
-  r[8] = c3;
-  c3 = 0;
-  mul_add_c(a[2], b[7], c1, c2, c3);
-  mul_add_c(a[3], b[6], c1, c2, c3);
-  mul_add_c(a[4], b[5], c1, c2, c3);
-  mul_add_c(a[5], b[4], c1, c2, c3);
-  mul_add_c(a[6], b[3], c1, c2, c3);
-  mul_add_c(a[7], b[2], c1, c2, c3);
-  r[9] = c1;
-  c1 = 0;
-  mul_add_c(a[7], b[3], c2, c3, c1);
-  mul_add_c(a[6], b[4], c2, c3, c1);
-  mul_add_c(a[5], b[5], c2, c3, c1);
-  mul_add_c(a[4], b[6], c2, c3, c1);
-  mul_add_c(a[3], b[7], c2, c3, c1);
-  r[10] = c2;
-  c2 = 0;
-  mul_add_c(a[4], b[7], c3, c1, c2);
-  mul_add_c(a[5], b[6], c3, c1, c2);
-  mul_add_c(a[6], b[5], c3, c1, c2);
-  mul_add_c(a[7], b[4], c3, c1, c2);
-  r[11] = c3;
-  c3 = 0;
-  mul_add_c(a[7], b[5], c1, c2, c3);
-  mul_add_c(a[6], b[6], c1, c2, c3);
-  mul_add_c(a[5], b[7], c1, c2, c3);
-  r[12] = c1;
-  c1 = 0;
-  mul_add_c(a[6], b[7], c2, c3, c1);
-  mul_add_c(a[7], b[6], c2, c3, c1);
-  r[13] = c2;
-  c2 = 0;
-  mul_add_c(a[7], b[7], c3, c1, c2);
-  r[14] = c3;
-  r[15] = c1;
-}
-
-void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b) {
-  BN_ULONG c1, c2, c3;
-
-  c1 = 0;
-  c2 = 0;
-  c3 = 0;
-  mul_add_c(a[0], b[0], c1, c2, c3);
-  r[0] = c1;
-  c1 = 0;
-  mul_add_c(a[0], b[1], c2, c3, c1);
-  mul_add_c(a[1], b[0], c2, c3, c1);
-  r[1] = c2;
-  c2 = 0;
-  mul_add_c(a[2], b[0], c3, c1, c2);
-  mul_add_c(a[1], b[1], c3, c1, c2);
-  mul_add_c(a[0], b[2], c3, c1, c2);
-  r[2] = c3;
-  c3 = 0;
-  mul_add_c(a[0], b[3], c1, c2, c3);
-  mul_add_c(a[1], b[2], c1, c2, c3);
-  mul_add_c(a[2], b[1], c1, c2, c3);
-  mul_add_c(a[3], b[0], c1, c2, c3);
-  r[3] = c1;
-  c1 = 0;
-  mul_add_c(a[3], b[1], c2, c3, c1);
-  mul_add_c(a[2], b[2], c2, c3, c1);
-  mul_add_c(a[1], b[3], c2, c3, c1);
-  r[4] = c2;
-  c2 = 0;
-  mul_add_c(a[2], b[3], c3, c1, c2);
-  mul_add_c(a[3], b[2], c3, c1, c2);
-  r[5] = c3;
-  c3 = 0;
-  mul_add_c(a[3], b[3], c1, c2, c3);
-  r[6] = c1;
-  r[7] = c2;
-}
-
-void bn_sqr_comba8(BN_ULONG *r, const BN_ULONG *a) {
-  BN_ULONG c1, c2, c3;
-
-  c1 = 0;
-  c2 = 0;
-  c3 = 0;
-  sqr_add_c(a, 0, c1, c2, c3);
-  r[0] = c1;
-  c1 = 0;
-  sqr_add_c2(a, 1, 0, c2, c3, c1);
-  r[1] = c2;
-  c2 = 0;
-  sqr_add_c(a, 1, c3, c1, c2);
-  sqr_add_c2(a, 2, 0, c3, c1, c2);
-  r[2] = c3;
-  c3 = 0;
-  sqr_add_c2(a, 3, 0, c1, c2, c3);
-  sqr_add_c2(a, 2, 1, c1, c2, c3);
-  r[3] = c1;
-  c1 = 0;
-  sqr_add_c(a, 2, c2, c3, c1);
-  sqr_add_c2(a, 3, 1, c2, c3, c1);
-  sqr_add_c2(a, 4, 0, c2, c3, c1);
-  r[4] = c2;
-  c2 = 0;
-  sqr_add_c2(a, 5, 0, c3, c1, c2);
-  sqr_add_c2(a, 4, 1, c3, c1, c2);
-  sqr_add_c2(a, 3, 2, c3, c1, c2);
-  r[5] = c3;
-  c3 = 0;
-  sqr_add_c(a, 3, c1, c2, c3);
-  sqr_add_c2(a, 4, 2, c1, c2, c3);
-  sqr_add_c2(a, 5, 1, c1, c2, c3);
-  sqr_add_c2(a, 6, 0, c1, c2, c3);
-  r[6] = c1;
-  c1 = 0;
-  sqr_add_c2(a, 7, 0, c2, c3, c1);
-  sqr_add_c2(a, 6, 1, c2, c3, c1);
-  sqr_add_c2(a, 5, 2, c2, c3, c1);
-  sqr_add_c2(a, 4, 3, c2, c3, c1);
-  r[7] = c2;
-  c2 = 0;
-  sqr_add_c(a, 4, c3, c1, c2);
-  sqr_add_c2(a, 5, 3, c3, c1, c2);
-  sqr_add_c2(a, 6, 2, c3, c1, c2);
-  sqr_add_c2(a, 7, 1, c3, c1, c2);
-  r[8] = c3;
-  c3 = 0;
-  sqr_add_c2(a, 7, 2, c1, c2, c3);
-  sqr_add_c2(a, 6, 3, c1, c2, c3);
-  sqr_add_c2(a, 5, 4, c1, c2, c3);
-  r[9] = c1;
-  c1 = 0;
-  sqr_add_c(a, 5, c2, c3, c1);
-  sqr_add_c2(a, 6, 4, c2, c3, c1);
-  sqr_add_c2(a, 7, 3, c2, c3, c1);
-  r[10] = c2;
-  c2 = 0;
-  sqr_add_c2(a, 7, 4, c3, c1, c2);
-  sqr_add_c2(a, 6, 5, c3, c1, c2);
-  r[11] = c3;
-  c3 = 0;
-  sqr_add_c(a, 6, c1, c2, c3);
-  sqr_add_c2(a, 7, 5, c1, c2, c3);
-  r[12] = c1;
-  c1 = 0;
-  sqr_add_c2(a, 7, 6, c2, c3, c1);
-  r[13] = c2;
-  c2 = 0;
-  sqr_add_c(a, 7, c3, c1, c2);
-  r[14] = c3;
-  r[15] = c1;
-}
-
-void bn_sqr_comba4(BN_ULONG *r, const BN_ULONG *a) {
-  BN_ULONG c1, c2, c3;
-
-  c1 = 0;
-  c2 = 0;
-  c3 = 0;
-  sqr_add_c(a, 0, c1, c2, c3);
-  r[0] = c1;
-  c1 = 0;
-  sqr_add_c2(a, 1, 0, c2, c3, c1);
-  r[1] = c2;
-  c2 = 0;
-  sqr_add_c(a, 1, c3, c1, c2);
-  sqr_add_c2(a, 2, 0, c3, c1, c2);
-  r[2] = c3;
-  c3 = 0;
-  sqr_add_c2(a, 3, 0, c1, c2, c3);
-  sqr_add_c2(a, 2, 1, c1, c2, c3);
-  r[3] = c1;
-  c1 = 0;
-  sqr_add_c(a, 2, c2, c3, c1);
-  sqr_add_c2(a, 3, 1, c2, c3, c1);
-  r[4] = c2;
-  c2 = 0;
-  sqr_add_c2(a, 3, 2, c3, c1, c2);
-  r[5] = c3;
-  c3 = 0;
-  sqr_add_c(a, 3, c1, c2, c3);
-  r[6] = c1;
-  r[7] = c2;
-}
-
-#endif  /* !NO_ASM && X86_64 && __GNUC__ */
@@ -1,80 +0,0 @@
-/* Copyright (c) 2015, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/bn.h>
-
-#include <openssl/bytestring.h>
-#include <openssl/err.h>
-
-
-int BN_parse_asn1_unsigned(CBS *cbs, BIGNUM *ret) {
-  CBS child;
-  if (!CBS_get_asn1(cbs, &child, CBS_ASN1_INTEGER) ||
-      CBS_len(&child) == 0) {
-    OPENSSL_PUT_ERROR(BN, BN_R_BAD_ENCODING);
-    return 0;
-  }
-
-  if (CBS_data(&child)[0] & 0x80) {
-    OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);
-    return 0;
-  }
-
-  /* INTEGERs must be minimal. */
-  if (CBS_data(&child)[0] == 0x00 &&
-      CBS_len(&child) > 1 &&
-      !(CBS_data(&child)[1] & 0x80)) {
-    OPENSSL_PUT_ERROR(BN, BN_R_BAD_ENCODING);
-    return 0;
-  }
-
-  return BN_bin2bn(CBS_data(&child), CBS_len(&child), ret) != NULL;
-}
-
-int BN_parse_asn1_unsigned_buggy(CBS *cbs, BIGNUM *ret) {
-  CBS child;
-  if (!CBS_get_asn1(cbs, &child, CBS_ASN1_INTEGER) ||
-      CBS_len(&child) == 0) {
-    OPENSSL_PUT_ERROR(BN, BN_R_BAD_ENCODING);
-    return 0;
-  }
-
-  /* This function intentionally does not reject negative numbers or non-minimal
-   * encodings. Estonian IDs issued between September 2014 to September 2015 are
-   * broken. See https://crbug.com/532048 and https://crbug.com/534766.
-   *
-   * TODO(davidben): Remove this code and callers in March 2016. */
-  return BN_bin2bn(CBS_data(&child), CBS_len(&child), ret) != NULL;
-}
-
-int BN_marshal_asn1(CBB *cbb, const BIGNUM *bn) {
-  /* Negative numbers are unsupported. */
-  if (BN_is_negative(bn)) {
-    OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);
-    return 0;
-  }
-
-  CBB child;
-  if (!CBB_add_asn1(cbb, &child, CBS_ASN1_INTEGER) ||
-      /* The number must be padded with a leading zero if the high bit would
-       * otherwise be set or if |bn| is zero. */
-      (BN_num_bits(bn) % 8 == 0 && !CBB_add_u8(&child, 0x00)) ||
-      !BN_bn2cbb_padded(&child, BN_num_bytes(bn), bn) ||
-      !CBB_flush(cbb)) {
-    OPENSSL_PUT_ERROR(BN, BN_R_ENCODE_ERROR);
-    return 0;
-  }
-
-  return 1;
-}
@@ -1,670 +0,0 @@
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.] */
-
-#include <openssl/bn.h>
-
-#include <assert.h>
-#include <ctype.h>
-#include <limits.h>
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/bio.h>
-#include <openssl/bytestring.h>
-#include <openssl/err.h>
-#include <openssl/mem.h>
-
-#include "internal.h"
-
-BIGNUM *BN_bin2bn(const uint8_t *in, size_t len, BIGNUM *ret) {
-  size_t num_words;
-  unsigned m;
-  BN_ULONG word = 0;
-  BIGNUM *bn = NULL;
-
-  if (ret == NULL) {
-    ret = bn = BN_new();
-  }
-
-  if (ret == NULL) {
-    return NULL;
-  }
-
-  if (len == 0) {
-    ret->top = 0;
-    return ret;
-  }
-
-  num_words = ((len - 1) / BN_BYTES) + 1;
-  m = (len - 1) % BN_BYTES;
-  if (bn_wexpand(ret, num_words) == NULL) {
-    if (bn) {
-      BN_free(bn);
-    }
-    return NULL;
-  }
-
-  /* |bn_wexpand| must check bounds on |num_words| to write it into
-   * |ret->dmax|. */
-  assert(num_words <= INT_MAX);
-  ret->top = (int)num_words;
-  ret->neg = 0;
-
-  while (len--) {
-    word = (word << 8) | *(in++);
-    if (m-- == 0) {
-      ret->d[--num_words] = word;
-      word = 0;
-      m = BN_BYTES - 1;
-    }
-  }
-
-  /* need to call this due to clear byte at top if avoiding having the top bit
-   * set (-ve number) */
-  bn_correct_top(ret);
-  return ret;
-}
-
-BIGNUM *BN_le2bn(const uint8_t *in, size_t len, BIGNUM *ret) {
-  BIGNUM *bn = NULL;
-  if (ret == NULL) {
-    bn = BN_new();
-    ret = bn;
-  }
-
-  if (ret == NULL) {
-    return NULL;
-  }
-
-  if (len == 0) {
-    ret->top = 0;
-    ret->neg = 0;
-    return ret;
-  }
-
-  /* Reserve enough space in |ret|. */
-  size_t num_words = ((len - 1) / BN_BYTES) + 1;
-  if (!bn_wexpand(ret, num_words)) {
-    BN_free(bn);
-    return NULL;
-  }
-  ret->top = num_words;
-
-  /* Make sure the top bytes will be zeroed. */
-  ret->d[num_words - 1] = 0;
-
-  /* We only support little-endian platforms, so we can simply memcpy the
-   * internal representation. */
-  OPENSSL_memcpy(ret->d, in, len);
-
-  bn_correct_top(ret);
-  return ret;
-}
-
-size_t BN_bn2bin(const BIGNUM *in, uint8_t *out) {
-  size_t n, i;
-  BN_ULONG l;
-
-  n = i = BN_num_bytes(in);
-  while (i--) {
-    l = in->d[i / BN_BYTES];
-    *(out++) = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff;
-  }
-  return n;
-}
-
-int BN_bn2le_padded(uint8_t *out, size_t len, const BIGNUM *in) {
-  /* If we don't have enough space, fail out. */
-  size_t num_bytes = BN_num_bytes(in);
-  if (len < num_bytes) {
-    return 0;
-  }
-
-  /* We only support little-endian platforms, so we can simply memcpy into the
-   * internal representation. */
-  OPENSSL_memcpy(out, in->d, num_bytes);
-
-  /* Pad out the rest of the buffer with zeroes. */
-  OPENSSL_memset(out + num_bytes, 0, len - num_bytes);
-
-  return 1;
-}
-
-/* constant_time_select_ulong returns |x| if |v| is 1 and |y| if |v| is 0. Its
- * behavior is undefined if |v| takes any other value. */
-static BN_ULONG constant_time_select_ulong(int v, BN_ULONG x, BN_ULONG y) {
-  BN_ULONG mask = v;
-  mask--;
-
-  return (~mask & x) | (mask & y);
-}
-
-/* constant_time_le_size_t returns 1 if |x| <= |y| and 0 otherwise. |x| and |y|
- * must not have their MSBs set. */
-static int constant_time_le_size_t(size_t x, size_t y) {
-  return ((x - y - 1) >> (sizeof(size_t) * 8 - 1)) & 1;
-}
-
-/* read_word_padded returns the |i|'th word of |in|, if it is not out of
- * bounds. Otherwise, it returns 0. It does so without branches on the size of
- * |in|, however it necessarily does not have the same memory access pattern. If
- * the access would be out of bounds, it reads the last word of |in|. |in| must
- * not be zero. */
-static BN_ULONG read_word_padded(const BIGNUM *in, size_t i) {
-  /* Read |in->d[i]| if valid. Otherwise, read the last word. */
-  BN_ULONG l = in->d[constant_time_select_ulong(
-      constant_time_le_size_t(in->dmax, i), in->dmax - 1, i)];
-
-  /* Clamp to zero if above |d->top|. */
-  return constant_time_select_ulong(constant_time_le_size_t(in->top, i), 0, l);
-}
-
-int BN_bn2bin_padded(uint8_t *out, size_t len, const BIGNUM *in) {
-  /* Special case for |in| = 0. Just branch as the probability is negligible. */
-  if (BN_is_zero(in)) {
-    OPENSSL_memset(out, 0, len);
-    return 1;
-  }
-
-  /* Check if the integer is too big. This case can exit early in non-constant
-   * time. */
-  if ((size_t)in->top > (len + (BN_BYTES - 1)) / BN_BYTES) {
-    return 0;
-  }
-  if ((len % BN_BYTES) != 0) {
-    BN_ULONG l = read_word_padded(in, len / BN_BYTES);
-    if (l >> (8 * (len % BN_BYTES)) != 0) {
-      return 0;
-    }
-  }
-
-  /* Write the bytes out one by one. Serialization is done without branching on
-   * the bits of |in| or on |in->top|, but if the routine would otherwise read
-   * out of bounds, the memory access pattern can't be fixed. However, for an
-   * RSA key of size a multiple of the word size, the probability of BN_BYTES
-   * leading zero octets is low.
-   *
-   * See Falko Stenzke, "Manger's Attack revisited", ICICS 2010. */
-  size_t i = len;
-  while (i--) {
-    BN_ULONG l = read_word_padded(in, i / BN_BYTES);
-    *(out++) = (uint8_t)(l >> (8 * (i % BN_BYTES))) & 0xff;
-  }
-  return 1;
-}
-
-int BN_bn2cbb_padded(CBB *out, size_t len, const BIGNUM *in) {
-  uint8_t *ptr;
-  return CBB_add_space(out, &ptr, len) && BN_bn2bin_padded(ptr, len, in);
-}
-
-static const char hextable[] = "0123456789abcdef";
-
-char *BN_bn2hex(const BIGNUM *bn) {
-  char *buf = OPENSSL_malloc(1 /* leading '-' */ + 1 /* zero is non-empty */ +
-                             bn->top * BN_BYTES * 2 + 1 /* trailing NUL */);
-  if (buf == NULL) {
-    OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE);
-    return NULL;
-  }
-
-  char *p = buf;
-  if (bn->neg) {
-    *(p++) = '-';
-  }
-
-  if (BN_is_zero(bn)) {
-    *(p++) = '0';
-  }
-
-  int z = 0;
-  for (int i = bn->top - 1; i >= 0; i--) {
-    for (int j = BN_BITS2 - 8; j >= 0; j -= 8) {
-      /* strip leading zeros */
-      int v = ((int)(bn->d[i] >> (long)j)) & 0xff;
-      if (z || v != 0) {
-        *(p++) = hextable[v >> 4];
-        *(p++) = hextable[v & 0x0f];
-        z = 1;
-      }
-    }
-  }
-  *p = '\0';
-
-  return buf;
-}
-
-/* decode_hex decodes |in_len| bytes of hex data from |in| and updates |bn|. */
-static int decode_hex(BIGNUM *bn, const char *in, int in_len) {
-  if (in_len > INT_MAX/4) {
-    OPENSSL_PUT_ERROR(BN, BN_R_BIGNUM_TOO_LONG);
-    return 0;
-  }
-  /* |in_len| is the number of hex digits. */
-  if (bn_expand(bn, in_len * 4) == NULL) {
-    return 0;
-  }
-
-  int i = 0;
-  while (in_len > 0) {
-    /* Decode one |BN_ULONG| at a time. */
-    int todo = BN_BYTES * 2;
-    if (todo > in_len) {
-      todo = in_len;
-    }
-
-    BN_ULONG word = 0;
-    int j;
-    for (j = todo; j > 0; j--) {
-      char c = in[in_len - j];
-
-      BN_ULONG hex;
-      if (c >= '0' && c <= '9') {
-        hex = c - '0';
-      } else if (c >= 'a' && c <= 'f') {
-        hex = c - 'a' + 10;
-      } else if (c >= 'A' && c <= 'F') {
-        hex = c - 'A' + 10;
-      } else {
-        hex = 0;
-        /* This shouldn't happen. The caller checks |isxdigit|. */
-        assert(0);
-      }
-      word = (word << 4) | hex;
-    }
-
-    bn->d[i++] = word;
-    in_len -= todo;
-  }
-  assert(i <= bn->dmax);
-  bn->top = i;
-  return 1;
-}
-
-/* decode_dec decodes |in_len| bytes of decimal data from |in| and updates |bn|. */
-static int decode_dec(BIGNUM *bn, const char *in, int in_len) {
-  int i, j;
-  BN_ULONG l = 0;
-
-  /* Decode |BN_DEC_NUM| digits at a time. */
-  j = BN_DEC_NUM - (in_len % BN_DEC_NUM);
-  if (j == BN_DEC_NUM) {
-    j = 0;
-  }
-  l = 0;
-  for (i = 0; i < in_len; i++) {
-    l *= 10;
-    l += in[i] - '0';
-    if (++j == BN_DEC_NUM) {
-      if (!BN_mul_word(bn, BN_DEC_CONV) ||
-          !BN_add_word(bn, l)) {
-        return 0;
-      }
-      l = 0;
-      j = 0;
-    }
-  }
-  return 1;
-}
-
-typedef int (*decode_func) (BIGNUM *bn, const char *in, int in_len);
-typedef int (*char_test_func) (int c);
-
-static int bn_x2bn(BIGNUM **outp, const char *in, decode_func decode, char_test_func want_char) {
-  BIGNUM *ret = NULL;
-  int neg = 0, i;
-  int num;
-
-  if (in == NULL || *in == 0) {
-    return 0;
-  }
-
-  if (*in == '-') {
-    neg = 1;
-    in++;
-  }
-
-  for (i = 0; want_char((unsigned char)in[i]) && i + neg < INT_MAX; i++) {}
-
-  num = i + neg;
-  if (outp == NULL) {
-    return num;
-  }
-
-  /* in is the start of the hex digits, and it is 'i' long */
-  if (*outp == NULL) {
-    ret = BN_new();
-    if (ret == NULL) {
-      return 0;
-    }
-  } else {
-    ret = *outp;
-    BN_zero(ret);
-  }
-
-  if (!decode(ret, in, i)) {
-    goto err;
-  }
-
-  bn_correct_top(ret);
-  if (!BN_is_zero(ret)) {
-    ret->neg = neg;
-  }
-
-  *outp = ret;
-  return num;
-
-err:
-  if (*outp == NULL) {
-    BN_free(ret);
-  }
-
-  return 0;
-}
-
-int BN_hex2bn(BIGNUM **outp, const char *in) {
-  return bn_x2bn(outp, in, decode_hex, isxdigit);
-}
-
-char *BN_bn2dec(const BIGNUM *a) {
-  /* It is easier to print strings little-endian, so we assemble it in reverse
-   * and fix at the end. */
-  BIGNUM *copy = NULL;
-  CBB cbb;
-  if (!CBB_init(&cbb, 16) ||
-      !CBB_add_u8(&cbb, 0 /* trailing NUL */)) {
-    goto cbb_err;
-  }
-
-  if (BN_is_zero(a)) {
-    if (!CBB_add_u8(&cbb, '0')) {
-      goto cbb_err;
-    }
-  } else {
-    copy = BN_dup(a);
-    if (copy == NULL) {
-      goto err;
-    }
-
-    while (!BN_is_zero(copy)) {
-      BN_ULONG word = BN_div_word(copy, BN_DEC_CONV);
-      if (word == (BN_ULONG)-1) {
-        goto err;
-      }
-
-      const int add_leading_zeros = !BN_is_zero(copy);
-      for (int i = 0; i < BN_DEC_NUM && (add_leading_zeros || word != 0); i++) {
-        if (!CBB_add_u8(&cbb, '0' + word % 10)) {
-          goto cbb_err;
-        }
-        word /= 10;
-      }
-      assert(word == 0);
-    }
-  }
-
-  if (BN_is_negative(a) &&
-      !CBB_add_u8(&cbb, '-')) {
-    goto cbb_err;
-  }
-
-  uint8_t *data;
-  size_t len;
-  if (!CBB_finish(&cbb, &data, &len)) {
-    goto cbb_err;
-  }
-
-  /* Reverse the buffer. */
-  for (size_t i = 0; i < len/2; i++) {
-    uint8_t tmp = data[i];
-    data[i] = data[len - 1 - i];
-    data[len - 1 - i] = tmp;
-  }
-
-  BN_free(copy);
-  return (char *)data;
-
-cbb_err:
-  OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE);
-err:
-  BN_free(copy);
-  CBB_cleanup(&cbb);
-  return NULL;
-}
-
-int BN_dec2bn(BIGNUM **outp, const char *in) {
-  return bn_x2bn(outp, in, decode_dec, isdigit);
-}
-
-int BN_asc2bn(BIGNUM **outp, const char *in) {
-  const char *const orig_in = in;
-  if (*in == '-') {
-    in++;
-  }
-
-  if (in[0] == '0' && (in[1] == 'X' || in[1] == 'x')) {
-    if (!BN_hex2bn(outp, in+2)) {
-      return 0;
-    }
-  } else {
-    if (!BN_dec2bn(outp, in)) {
-      return 0;
-    }
-  }
-
-  if (*orig_in == '-' && !BN_is_zero(*outp)) {
-    (*outp)->neg = 1;
-  }
-
-  return 1;
-}
-
-int BN_print(BIO *bp, const BIGNUM *a) {
-  int i, j, v, z = 0;
-  int ret = 0;
-
-  if (a->neg && BIO_write(bp, "-", 1) != 1) {
-    goto end;
-  }
-
-  if (BN_is_zero(a) && BIO_write(bp, "0", 1) != 1) {
-    goto end;
-  }
-
-  for (i = a->top - 1; i >= 0; i--) {
-    for (j = BN_BITS2 - 4; j >= 0; j -= 4) {
-      /* strip leading zeros */
-      v = ((int)(a->d[i] >> (long)j)) & 0x0f;
-      if (z || v != 0) {
-        if (BIO_write(bp, &hextable[v], 1) != 1) {
-          goto end;
-        }
-        z = 1;
-      }
-    }
-  }
-  ret = 1;
-
-end:
-  return ret;
-}
-
-int BN_print_fp(FILE *fp, const BIGNUM *a) {
-  BIO *b;
-  int ret;
-
-  b = BIO_new(BIO_s_file());
-  if (b == NULL) {
-    return 0;
-  }
-  BIO_set_fp(b, fp, BIO_NOCLOSE);
-  ret = BN_print(b, a);
-  BIO_free(b);
-
-  return ret;
-}
-
-BN_ULONG BN_get_word(const BIGNUM *bn) {
-  switch (bn->top) {
-    case 0:
-      return 0;
-    case 1:
-      return bn->d[0];
-    default:
-      return BN_MASK2;
-  }
-}
-
-int BN_get_u64(const BIGNUM *bn, uint64_t *out) {
-  switch (bn->top) {
-    case 0:
-      *out = 0;
-      return 1;
-    case 1:
-      *out = bn->d[0];
-      return 1;
-#if defined(OPENSSL_32_BIT)
-    case 2:
-      *out = (uint64_t) bn->d[0] | (((uint64_t) bn->d[1]) << 32);
-      return 1;
-#endif
-    default:
-      return 0;
-  }
-}
-
-size_t BN_bn2mpi(const BIGNUM *in, uint8_t *out) {
-  const size_t bits = BN_num_bits(in);
-  const size_t bytes = (bits + 7) / 8;
-  /* If the number of bits is a multiple of 8, i.e. if the MSB is set,
-   * prefix with a zero byte. */
-  int extend = 0;
-  if (bytes != 0 && (bits & 0x07) == 0) {
-    extend = 1;
-  }
-
-  const size_t len = bytes + extend;
-  if (len < bytes ||
-      4 + len < len ||
-      (len & 0xffffffff) != len) {
-    /* If we cannot represent the number then we emit zero as the interface
-     * doesn't allow an error to be signalled. */
-    if (out) {
-      OPENSSL_memset(out, 0, 4);
-    }
-    return 4;
-  }
-
-  if (out == NULL) {
-    return 4 + len;
-  }
-
-  out[0] = len >> 24;
-  out[1] = len >> 16;
-  out[2] = len >> 8;
-  out[3] = len;
-  if (extend) {
-    out[4] = 0;
-  }
-  BN_bn2bin(in, out + 4 + extend);
-  if (in->neg && len > 0) {
-    out[4] |= 0x80;
-  }
-  return len + 4;
-}
-
-BIGNUM *BN_mpi2bn(const uint8_t *in, size_t len, BIGNUM *out) {
-  if (len < 4) {
-    OPENSSL_PUT_ERROR(BN, BN_R_BAD_ENCODING);
-    return NULL;
-  }
-  const size_t in_len = ((size_t)in[0] << 24) |
-                        ((size_t)in[1] << 16) |
-                        ((size_t)in[2] << 8) |
-                        ((size_t)in[3]);
-  if (in_len != len - 4) {
-    OPENSSL_PUT_ERROR(BN, BN_R_BAD_ENCODING);
-    return NULL;
-  }
-
-  int out_is_alloced = 0;
-  if (out == NULL) {
-    out = BN_new();
-    if (out == NULL) {
-      OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE);
-      return NULL;
-    }
-    out_is_alloced = 1;
-  }
-
-  if (in_len == 0) {
-    BN_zero(out);
-    return out;
-  }
-
-  in += 4;
-  if (BN_bin2bn(in, in_len, out) == NULL) {
-    if (out_is_alloced) {
-      BN_free(out);
-    }
-    return NULL;
-  }
-  out->neg = ((*in) & 0x80) != 0;
-  if (out->neg) {
-    BN_clear_bit(out, BN_num_bits(out) - 1);
-  }
-  return out;
-}
@@ -1,648 +0,0 @@
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.] */
-
-#include <openssl/bn.h>
-
-#include <assert.h>
-#include <limits.h>
-#include <openssl/err.h>
-
-#include "internal.h"
-
-
-#if !defined(BN_ULLONG)
-/* bn_div_words divides a double-width |h|,|l| by |d| and returns the result,
- * which must fit in a |BN_ULONG|. */
-static BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d) {
-  BN_ULONG dh, dl, q, ret = 0, th, tl, t;
-  int i, count = 2;
-
-  if (d == 0) {
-    return BN_MASK2;
-  }
-
-  i = BN_num_bits_word(d);
-  assert((i == BN_BITS2) || (h <= (BN_ULONG)1 << i));
-
-  i = BN_BITS2 - i;
-  if (h >= d) {
-    h -= d;
-  }
-
-  if (i) {
-    d <<= i;
-    h = (h << i) | (l >> (BN_BITS2 - i));
-    l <<= i;
-  }
-  dh = (d & BN_MASK2h) >> BN_BITS4;
-  dl = (d & BN_MASK2l);
-  for (;;) {
-    if ((h >> BN_BITS4) == dh) {
-      q = BN_MASK2l;
-    } else {
-      q = h / dh;
-    }
-
-    th = q * dh;
-    tl = dl * q;
-    for (;;) {
-      t = h - th;
-      if ((t & BN_MASK2h) ||
-          ((tl) <= ((t << BN_BITS4) | ((l & BN_MASK2h) >> BN_BITS4)))) {
-        break;
-      }
-      q--;
-      th -= dh;
-      tl -= dl;
-    }
-    t = (tl >> BN_BITS4);
-    tl = (tl << BN_BITS4) & BN_MASK2h;
-    th += t;
-
-    if (l < tl) {
-      th++;
-    }
-    l -= tl;
-    if (h < th) {
-      h += d;
-      q--;
-    }
-    h -= th;
-
-    if (--count == 0) {
-      break;
-    }
-
-    ret = q << BN_BITS4;
-    h = ((h << BN_BITS4) | (l >> BN_BITS4)) & BN_MASK2;
-    l = (l & BN_MASK2l) << BN_BITS4;
-  }
-
-  ret |= q;
-  return ret;
-}
-#endif /* !defined(BN_ULLONG) */
-
-static inline void bn_div_rem_words(BN_ULONG *quotient_out, BN_ULONG *rem_out,
-                                    BN_ULONG n0, BN_ULONG n1, BN_ULONG d0) {
-  /* GCC and Clang generate function calls to |__udivdi3| and |__umoddi3| when
-   * the |BN_ULLONG|-based C code is used.
-   *
-   * GCC bugs:
-   *   * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=14224
-   *   * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=43721
-   *   * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=54183
-   *   * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58897
-   *   * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65668
-   *
-   * Clang bugs:
-   *   * https://llvm.org/bugs/show_bug.cgi?id=6397
-   *   * https://llvm.org/bugs/show_bug.cgi?id=12418
-   *
-   * These issues aren't specific to x86 and x86_64, so it might be worthwhile
-   * to add more assembly language implementations. */
-#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__GNUC__)
-  __asm__ volatile (
-    "divl %4"
-    : "=a"(*quotient_out), "=d"(*rem_out)
-    : "a"(n1), "d"(n0), "rm"(d0)
-    : "cc" );
-#elif !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__GNUC__)
-  __asm__ volatile (
-    "divq %4"
-    : "=a"(*quotient_out), "=d"(*rem_out)
-    : "a"(n1), "d"(n0), "rm"(d0)
-    : "cc" );
-#else
-#if defined(BN_ULLONG)
-  BN_ULLONG n = (((BN_ULLONG)n0) << BN_BITS2) | n1;
-  *quotient_out = (BN_ULONG)(n / d0);
-#else
-  *quotient_out = bn_div_words(n0, n1, d0);
-#endif
-  *rem_out = n1 - (*quotient_out * d0);
-#endif
-}
-
-/* BN_div computes  dv := num / divisor,  rounding towards
- * zero, and sets up rm  such that  dv*divisor + rm = num  holds.
- * Thus:
- *     dv->neg == num->neg ^ divisor->neg  (unless the result is zero)
- *     rm->neg == num->neg                 (unless the remainder is zero)
- * If 'dv' or 'rm' is NULL, the respective value is not returned.
- *
- * This was specifically designed to contain fewer branches that may leak
- * sensitive information; see "New Branch Prediction Vulnerabilities in OpenSSL
- * and Necessary Software Countermeasures" by Onur Acıçmez, Shay Gueron, and
- * Jean-Pierre Seifert. */
-int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
-           BN_CTX *ctx) {
-  int norm_shift, i, loop;
-  BIGNUM *tmp, wnum, *snum, *sdiv, *res;
-  BN_ULONG *resp, *wnump;
-  BN_ULONG d0, d1;
-  int num_n, div_n;
-
-  /* Invalid zero-padding would have particularly bad consequences
-   * so don't just rely on bn_check_top() here */
-  if ((num->top > 0 && num->d[num->top - 1] == 0) ||
-      (divisor->top > 0 && divisor->d[divisor->top - 1] == 0)) {
-    OPENSSL_PUT_ERROR(BN, BN_R_NOT_INITIALIZED);
-    return 0;
-  }
-
-  if (BN_is_zero(divisor)) {
-    OPENSSL_PUT_ERROR(BN, BN_R_DIV_BY_ZERO);
-    return 0;
-  }
-
-  BN_CTX_start(ctx);
-  tmp = BN_CTX_get(ctx);
-  snum = BN_CTX_get(ctx);
-  sdiv = BN_CTX_get(ctx);
-  if (dv == NULL) {
-    res = BN_CTX_get(ctx);
-  } else {
-    res = dv;
-  }
-  if (sdiv == NULL || res == NULL || tmp == NULL || snum == NULL) {
-    goto err;
-  }
-
-  /* First we normalise the numbers */
-  norm_shift = BN_BITS2 - ((BN_num_bits(divisor)) % BN_BITS2);
-  if (!(BN_lshift(sdiv, divisor, norm_shift))) {
-    goto err;
-  }
-  sdiv->neg = 0;
-  norm_shift += BN_BITS2;
-  if (!(BN_lshift(snum, num, norm_shift))) {
-    goto err;
-  }
-  snum->neg = 0;
-
-  /* Since we don't want to have special-case logic for the case where snum is
-   * larger than sdiv, we pad snum with enough zeroes without changing its
-   * value. */
-  if (snum->top <= sdiv->top + 1) {
-    if (bn_wexpand(snum, sdiv->top + 2) == NULL) {
-      goto err;
-    }
-    for (i = snum->top; i < sdiv->top + 2; i++) {
-      snum->d[i] = 0;
-    }
-    snum->top = sdiv->top + 2;
-  } else {
-    if (bn_wexpand(snum, snum->top + 1) == NULL) {
-      goto err;
-    }
-    snum->d[snum->top] = 0;
-    snum->top++;
-  }
-
-  div_n = sdiv->top;
-  num_n = snum->top;
-  loop = num_n - div_n;
-  /* Lets setup a 'window' into snum
-   * This is the part that corresponds to the current
-   * 'area' being divided */
-  wnum.neg = 0;
-  wnum.d = &(snum->d[loop]);
-  wnum.top = div_n;
-  /* only needed when BN_ucmp messes up the values between top and max */
-  wnum.dmax = snum->dmax - loop; /* so we don't step out of bounds */
-
-  /* Get the top 2 words of sdiv */
-  /* div_n=sdiv->top; */
-  d0 = sdiv->d[div_n - 1];
-  d1 = (div_n == 1) ? 0 : sdiv->d[div_n - 2];
-
-  /* pointer to the 'top' of snum */
-  wnump = &(snum->d[num_n - 1]);
-
-  /* Setup to 'res' */
-  res->neg = (num->neg ^ divisor->neg);
-  if (!bn_wexpand(res, (loop + 1))) {
-    goto err;
-  }
-  res->top = loop - 1;
-  resp = &(res->d[loop - 1]);
-
-  /* space for temp */
-  if (!bn_wexpand(tmp, (div_n + 1))) {
-    goto err;
-  }
-
-  /* if res->top == 0 then clear the neg value otherwise decrease
-   * the resp pointer */
-  if (res->top == 0) {
-    res->neg = 0;
-  } else {
-    resp--;
-  }
-
-  for (i = 0; i < loop - 1; i++, wnump--, resp--) {
-    BN_ULONG q, l0;
-    /* the first part of the loop uses the top two words of snum and sdiv to
-     * calculate a BN_ULONG q such that | wnum - sdiv * q | < sdiv */
-    BN_ULONG n0, n1, rem = 0;
-
-    n0 = wnump[0];
-    n1 = wnump[-1];
-    if (n0 == d0) {
-      q = BN_MASK2;
-    } else {
-      /* n0 < d0 */
-      bn_div_rem_words(&q, &rem, n0, n1, d0);
-
-#ifdef BN_ULLONG
-      BN_ULLONG t2 = (BN_ULLONG)d1 * q;
-      for (;;) {
-        if (t2 <= ((((BN_ULLONG)rem) << BN_BITS2) | wnump[-2])) {
-          break;
-        }
-        q--;
-        rem += d0;
-        if (rem < d0) {
-          break; /* don't let rem overflow */
-        }
-        t2 -= d1;
-      }
-#else /* !BN_ULLONG */
-      BN_ULONG t2l, t2h;
-      BN_UMULT_LOHI(t2l, t2h, d1, q);
-      for (;;) {
-        if ((t2h < rem) || ((t2h == rem) && (t2l <= wnump[-2]))) {
-          break;
-        }
-        q--;
-        rem += d0;
-        if (rem < d0) {
-          break; /* don't let rem overflow */
-        }
-        if (t2l < d1) {
-          t2h--;
-        }
-        t2l -= d1;
-      }
-#endif /* !BN_ULLONG */
-    }
-
-    l0 = bn_mul_words(tmp->d, sdiv->d, div_n, q);
-    tmp->d[div_n] = l0;
-    wnum.d--;
-    /* ingore top values of the bignums just sub the two
-     * BN_ULONG arrays with bn_sub_words */
-    if (bn_sub_words(wnum.d, wnum.d, tmp->d, div_n + 1)) {
-      /* Note: As we have considered only the leading
-       * two BN_ULONGs in the calculation of q, sdiv * q
-       * might be greater than wnum (but then (q-1) * sdiv
-       * is less or equal than wnum)
-       */
-      q--;
-      if (bn_add_words(wnum.d, wnum.d, sdiv->d, div_n)) {
-        /* we can't have an overflow here (assuming
-         * that q != 0, but if q == 0 then tmp is
-         * zero anyway) */
-        (*wnump)++;
-      }
-    }
-    /* store part of the result */
-    *resp = q;
-  }
-  bn_correct_top(snum);
-  if (rm != NULL) {
-    /* Keep a copy of the neg flag in num because if rm==num
-     * BN_rshift() will overwrite it.
-     */
-    int neg = num->neg;
-    if (!BN_rshift(rm, snum, norm_shift)) {
-      goto err;
-    }
-    if (!BN_is_zero(rm)) {
-      rm->neg = neg;
-    }
-  }
-  bn_correct_top(res);
-  BN_CTX_end(ctx);
-  return 1;
-
-err:
-  BN_CTX_end(ctx);
-  return 0;
-}
-
-int BN_nnmod(BIGNUM *r, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx) {
-  if (!(BN_mod(r, m, d, ctx))) {
-    return 0;
-  }
-  if (!r->neg) {
-    return 1;
-  }
-
-  /* now -|d| < r < 0, so we have to set r := r + |d|. */
-  return (d->neg ? BN_sub : BN_add)(r, r, d);
-}
-
-int BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
-               BN_CTX *ctx) {
-  if (!BN_add(r, a, b)) {
-    return 0;
-  }
-  return BN_nnmod(r, r, m, ctx);
-}
-
-int BN_mod_add_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
-                     const BIGNUM *m) {
-  if (!BN_uadd(r, a, b)) {
-    return 0;
-  }
-  if (BN_ucmp(r, m) >= 0) {
-    return BN_usub(r, r, m);
-  }
-  return 1;
-}
-
-int BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
-               BN_CTX *ctx) {
-  if (!BN_sub(r, a, b)) {
-    return 0;
-  }
-  return BN_nnmod(r, r, m, ctx);
-}
-
-/* BN_mod_sub variant that may be used if both  a  and  b  are non-negative
- * and less than  m */
-int BN_mod_sub_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
-                     const BIGNUM *m) {
-  if (!BN_sub(r, a, b)) {
-    return 0;
-  }
-  if (r->neg) {
-    return BN_add(r, r, m);
-  }
-  return 1;
-}
-
-int BN_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
-               BN_CTX *ctx) {
-  BIGNUM *t;
-  int ret = 0;
-
-  BN_CTX_start(ctx);
-  t = BN_CTX_get(ctx);
-  if (t == NULL) {
-    goto err;
-  }
-
-  if (a == b) {
-    if (!BN_sqr(t, a, ctx)) {
-      goto err;
-    }
-  } else {
-    if (!BN_mul(t, a, b, ctx)) {
-      goto err;
-    }
-  }
-
-  if (!BN_nnmod(r, t, m, ctx)) {
-    goto err;
-  }
-
-  ret = 1;
-
-err:
-  BN_CTX_end(ctx);
-  return ret;
-}
-
-int BN_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx) {
-  if (!BN_sqr(r, a, ctx)) {
-    return 0;
-  }
-
-  /* r->neg == 0,  thus we don't need BN_nnmod */
-  return BN_mod(r, r, m, ctx);
-}
-
-int BN_mod_lshift(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m,
-                  BN_CTX *ctx) {
-  BIGNUM *abs_m = NULL;
-  int ret;
-
-  if (!BN_nnmod(r, a, m, ctx)) {
-    return 0;
-  }
-
-  if (m->neg) {
-    abs_m = BN_dup(m);
-    if (abs_m == NULL) {
-      return 0;
-    }
-    abs_m->neg = 0;
-  }
-
-  ret = BN_mod_lshift_quick(r, r, n, (abs_m ? abs_m : m));
-
-  BN_free(abs_m);
-  return ret;
-}
-
-int BN_mod_lshift_quick(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m) {
-  if (r != a) {
-    if (BN_copy(r, a) == NULL) {
-      return 0;
-    }
-  }
-
-  while (n > 0) {
-    int max_shift;
-
-    /* 0 < r < m */
-    max_shift = BN_num_bits(m) - BN_num_bits(r);
-    /* max_shift >= 0 */
-
-    if (max_shift < 0) {
-      OPENSSL_PUT_ERROR(BN, BN_R_INPUT_NOT_REDUCED);
-      return 0;
-    }
-
-    if (max_shift > n) {
-      max_shift = n;
-    }
-
-    if (max_shift) {
-      if (!BN_lshift(r, r, max_shift)) {
-        return 0;
-      }
-      n -= max_shift;
-    } else {
-      if (!BN_lshift1(r, r)) {
-        return 0;
-      }
-      --n;
-    }
-
-    /* BN_num_bits(r) <= BN_num_bits(m) */
-    if (BN_cmp(r, m) >= 0) {
-      if (!BN_sub(r, r, m)) {
-        return 0;
-      }
-    }
-  }
-
-  return 1;
-}
-
-int BN_mod_lshift1(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx) {
-  if (!BN_lshift1(r, a)) {
-    return 0;
-  }
-
-  return BN_nnmod(r, r, m, ctx);
-}
-
-int BN_mod_lshift1_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *m) {
-  if (!BN_lshift1(r, a)) {
-    return 0;
-  }
-  if (BN_cmp(r, m) >= 0) {
-    return BN_sub(r, r, m);
-  }
-
-  return 1;
-}
-
-BN_ULONG BN_div_word(BIGNUM *a, BN_ULONG w) {
-  BN_ULONG ret = 0;
-  int i, j;
-
-  w &= BN_MASK2;
-
-  if (!w) {
-    /* actually this an error (division by zero) */
-    return (BN_ULONG) - 1;
-  }
-
-  if (a->top == 0) {
-    return 0;
-  }
-
-  /* normalize input for |bn_div_rem_words|. */
-  j = BN_BITS2 - BN_num_bits_word(w);
-  w <<= j;
-  if (!BN_lshift(a, a, j)) {
-    return (BN_ULONG) - 1;
-  }
-
-  for (i = a->top - 1; i >= 0; i--) {
-    BN_ULONG l = a->d[i];
-    BN_ULONG d;
-    BN_ULONG unused_rem;
-    bn_div_rem_words(&d, &unused_rem, ret, l, w);
-    ret = (l - ((d * w) & BN_MASK2)) & BN_MASK2;
-    a->d[i] = d;
-  }
-
-  if ((a->top > 0) && (a->d[a->top - 1] == 0)) {
-    a->top--;
-  }
-
-  if (a->top == 0) {
-    a->neg = 0;
-  }
-
-  ret >>= j;
-  return ret;
-}
-
-BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w) {
-#ifndef BN_ULLONG
-  BN_ULONG ret = 0;
-#else
-  BN_ULLONG ret = 0;
-#endif
-  int i;
-
-  if (w == 0) {
-    return (BN_ULONG) -1;
-  }
-
-#ifndef BN_ULLONG
-  /* If |w| is too long and we don't have |BN_ULLONG| then we need to fall back
-   * to using |BN_div_word|. */
-  if (w > ((BN_ULONG)1 << BN_BITS4)) {
-    BIGNUM *tmp = BN_dup(a);
-    if (tmp == NULL) {
-      return (BN_ULONG)-1;
-    }
-    ret = BN_div_word(tmp, w);
-    BN_free(tmp);
-    return ret;
-  }
-#endif
-
-  w &= BN_MASK2;
-  for (i = a->top - 1; i >= 0; i--) {
-#ifndef BN_ULLONG
-    ret = ((ret << BN_BITS4) | ((a->d[i] >> BN_BITS4) & BN_MASK2l)) % w;
-    ret = ((ret << BN_BITS4) | (a->d[i] & BN_MASK2l)) % w;
-#else
-    ret = (BN_ULLONG)(((ret << (BN_ULLONG)BN_BITS2) | a->d[i]) % (BN_ULLONG)w);
-#endif
-  }
-  return (BN_ULONG)ret;
-}
@@ -1,258 +0,0 @@
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-/* ====================================================================
- * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
- *
- * Portions of the attached software ("Contribution") are developed by
- * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
- *
- * The Contribution is licensed pursuant to the Eric Young open source
- * license provided above.
- *
- * The binary polynomial arithmetic software is originally written by
- * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems
- * Laboratories. */
-
-#ifndef OPENSSL_HEADER_BN_INTERNAL_H
-#define OPENSSL_HEADER_BN_INTERNAL_H
-
-#include <openssl/base.h>
-
-#if defined(OPENSSL_X86_64) && defined(_MSC_VER)
-OPENSSL_MSVC_PRAGMA(warning(push, 3))
-#include <intrin.h>
-OPENSSL_MSVC_PRAGMA(warning(pop))
-#pragma intrinsic(__umulh, _umul128)
-#endif
-
-#include "../internal.h"
-
-#if defined(__cplusplus)
-extern "C" {
-#endif
-
-/* bn_expand acts the same as |bn_wexpand|, but takes a number of bits rather
- * than a number of words. */
-BIGNUM *bn_expand(BIGNUM *bn, size_t bits);
-
-#if defined(OPENSSL_64_BIT)
-
-#if !defined(_MSC_VER)
-/* MSVC doesn't support two-word integers on 64-bit. */
-#define BN_ULLONG	uint128_t
-#endif
-
-#define BN_BITS2	64
-#define BN_BYTES	8
-#define BN_BITS4	32
-#define BN_MASK2	(0xffffffffffffffffUL)
-#define BN_MASK2l	(0xffffffffUL)
-#define BN_MASK2h	(0xffffffff00000000UL)
-#define BN_MASK2h1	(0xffffffff80000000UL)
-#define BN_MONT_CTX_N0_LIMBS 1
-#define BN_TBIT		(0x8000000000000000UL)
-#define BN_DEC_CONV	(10000000000000000000UL)
-#define BN_DEC_NUM	19
-#define TOBN(hi, lo) ((BN_ULONG)(hi) << 32 | (lo))
-
-#elif defined(OPENSSL_32_BIT)
-
-#define BN_ULLONG	uint64_t
-#define BN_BITS2	32
-#define BN_BYTES	4
-#define BN_BITS4	16
-#define BN_MASK2	(0xffffffffUL)
-#define BN_MASK2l	(0xffffUL)
-#define BN_MASK2h1	(0xffff8000UL)
-#define BN_MASK2h	(0xffff0000UL)
-/* On some 32-bit platforms, Montgomery multiplication is done using 64-bit
- * arithmetic with SIMD instructions. On such platforms, |BN_MONT_CTX::n0|
- * needs to be two words long. Only certain 32-bit platforms actually make use
- * of n0[1] and shorter R value would suffice for the others. However,
- * currently only the assembly files know which is which. */
-#define BN_MONT_CTX_N0_LIMBS 2
-#define BN_TBIT		(0x80000000UL)
-#define BN_DEC_CONV	(1000000000UL)
-#define BN_DEC_NUM	9
-#define TOBN(hi, lo) (lo), (hi)
-
-#else
-#error "Must define either OPENSSL_32_BIT or OPENSSL_64_BIT"
-#endif
-
-
-#define STATIC_BIGNUM(x)                                    \
-  {                                                         \
-    (BN_ULONG *)(x), sizeof(x) / sizeof(BN_ULONG),          \
-        sizeof(x) / sizeof(BN_ULONG), 0, BN_FLG_STATIC_DATA \
-  }
-
-#if defined(BN_ULLONG)
-#define Lw(t) (((BN_ULONG)(t))&BN_MASK2)
-#define Hw(t) (((BN_ULONG)((t)>>BN_BITS2))&BN_MASK2)
-#endif
-
-/* bn_set_words sets |bn| to the value encoded in the |num| words in |words|,
- * least significant word first. */
-int bn_set_words(BIGNUM *bn, const BN_ULONG *words, size_t num);
-
-BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w);
-BN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w);
-void     bn_sqr_words(BN_ULONG *rp, const BN_ULONG *ap, int num);
-BN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,int num);
-BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,int num);
-
-void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b);
-void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b);
-void bn_sqr_comba8(BN_ULONG *r, const BN_ULONG *a);
-void bn_sqr_comba4(BN_ULONG *r, const BN_ULONG *a);
-
-/* bn_cmp_words returns a value less than, equal to or greater than zero if
- * the, length |n|, array |a| is less than, equal to or greater than |b|. */
-int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n);
-
-/* bn_cmp_words returns a value less than, equal to or greater than zero if the
- * array |a| is less than, equal to or greater than |b|. The arrays can be of
- * different lengths: |cl| gives the minimum of the two lengths and |dl| gives
- * the length of |a| minus the length of |b|. */
-int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, int cl, int dl);
-
-int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
-                const BN_ULONG *np, const BN_ULONG *n0, int num);
-
-uint64_t bn_mont_n0(const BIGNUM *n);
-int bn_mod_exp_base_2_vartime(BIGNUM *r, unsigned p, const BIGNUM *n);
-
-#if defined(OPENSSL_X86_64) && defined(_MSC_VER)
-#define BN_UMULT_LOHI(low, high, a, b) ((low) = _umul128((a), (b), &(high)))
-#endif
-
-#if !defined(BN_ULLONG) && !defined(BN_UMULT_LOHI)
-#error "Either BN_ULLONG or BN_UMULT_LOHI must be defined on every platform."
-#endif
-
-/* bn_mod_inverse_prime sets |out| to the modular inverse of |a| modulo |p|,
- * computed with Fermat's Little Theorem. It returns one on success and zero on
- * error. If |mont_p| is NULL, one will be computed temporarily. */
-int bn_mod_inverse_prime(BIGNUM *out, const BIGNUM *a, const BIGNUM *p,
-                         BN_CTX *ctx, const BN_MONT_CTX *mont_p);
-
-/* bn_mod_inverse_secret_prime behaves like |bn_mod_inverse_prime| but uses
- * |BN_mod_exp_mont_consttime| instead of |BN_mod_exp_mont| in hopes of
- * protecting the exponent. */
-int bn_mod_inverse_secret_prime(BIGNUM *out, const BIGNUM *a, const BIGNUM *p,
-                                BN_CTX *ctx, const BN_MONT_CTX *mont_p);
-
-
-#if defined(__cplusplus)
-}  /* extern C */
-#endif
-
-#endif  /* OPENSSL_HEADER_BN_INTERNAL_H */
@@ -1,176 +0,0 @@
-/* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com). */
-
-#include <openssl/bn.h>
-
-#include "internal.h"
-
-
-/* least significant word */
-#define BN_lsw(n) (((n)->top == 0) ? (BN_ULONG) 0 : (n)->d[0])
-
-/* Returns -2 for errors because both -1 and 0 are valid results. */
-int BN_kronecker(const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) {
-  int i;
-  int ret = -2;
-  BIGNUM *A, *B, *tmp;
-  /* In 'tab', only odd-indexed entries are relevant:
-   * For any odd BIGNUM n,
-   *     tab[BN_lsw(n) & 7]
-   * is $(-1)^{(n^2-1)/8}$ (using TeX notation).
-   * Note that the sign of n does not matter. */
-  static const int tab[8] = {0, 1, 0, -1, 0, -1, 0, 1};
-
-  BN_CTX_start(ctx);
-  A = BN_CTX_get(ctx);
-  B = BN_CTX_get(ctx);
-  if (B == NULL) {
-    goto end;
-  }
-
-  if (!BN_copy(A, a) ||
-      !BN_copy(B, b)) {
-    goto end;
-  }
-
-  /* Kronecker symbol, imlemented according to Henri Cohen,
-   * "A Course in Computational Algebraic Number Theory"
-   * (algorithm 1.4.10). */
-
-  /* Cohen's step 1: */
-
-  if (BN_is_zero(B)) {
-    ret = BN_abs_is_word(A, 1);
-    goto end;
-  }
-
-  /* Cohen's step 2: */
-
-  if (!BN_is_odd(A) && !BN_is_odd(B)) {
-    ret = 0;
-    goto end;
-  }
-
-  /* now B is non-zero */
-  i = 0;
-  while (!BN_is_bit_set(B, i)) {
-    i++;
-  }
-  if (!BN_rshift(B, B, i)) {
-    goto end;
-  }
-  if (i & 1) {
-    /* i is odd */
-    /* (thus B was even, thus A must be odd!)  */
-
-    /* set 'ret' to $(-1)^{(A^2-1)/8}$ */
-    ret = tab[BN_lsw(A) & 7];
-  } else {
-    /* i is even */
-    ret = 1;
-  }
-
-  if (B->neg) {
-    B->neg = 0;
-    if (A->neg) {
-      ret = -ret;
-    }
-  }
-
-  /* now B is positive and odd, so what remains to be done is to compute the
-   * Jacobi symbol (A/B) and multiply it by 'ret' */
-
-  while (1) {
-    /* Cohen's step 3: */
-
-    /* B is positive and odd */
-    if (BN_is_zero(A)) {
-      ret = BN_is_one(B) ? ret : 0;
-      goto end;
-    }
-
-    /* now A is non-zero */
-    i = 0;
-    while (!BN_is_bit_set(A, i)) {
-      i++;
-    }
-    if (!BN_rshift(A, A, i)) {
-      ret = -2;
-      goto end;
-    }
-    if (i & 1) {
-      /* i is odd */
-      /* multiply 'ret' by  $(-1)^{(B^2-1)/8}$ */
-      ret = ret * tab[BN_lsw(B) & 7];
-    }
-
-    /* Cohen's step 4: */
-    /* multiply 'ret' by  $(-1)^{(A-1)(B-1)/4}$ */
-    if ((A->neg ? ~BN_lsw(A) : BN_lsw(A)) & BN_lsw(B) & 2) {
-      ret = -ret;
-    }
-
-    /* (A, B) := (B mod |A|, |A|) */
-    if (!BN_nnmod(B, B, A, ctx)) {
-      ret = -2;
-      goto end;
-    }
-    tmp = A;
-    A = B;
-    B = tmp;
-    tmp->neg = 0;
-  }
-
-end:
-  BN_CTX_end(ctx);
-  return ret;
-}
@@ -1,409 +0,0 @@
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com). */
-
-#include <openssl/bn.h>
-
-#include <assert.h>
-#include <string.h>
-
-#include <openssl/err.h>
-#include <openssl/mem.h>
-#include <openssl/thread.h>
-
-#include "internal.h"
-#include "../internal.h"
-
-
-#if !defined(OPENSSL_NO_ASM) &&                         \
-    (defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \
-     defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64))
-#define OPENSSL_BN_ASM_MONT
-#endif
-
-BN_MONT_CTX *BN_MONT_CTX_new(void) {
-  BN_MONT_CTX *ret = OPENSSL_malloc(sizeof(BN_MONT_CTX));
-
-  if (ret == NULL) {
-    return NULL;
-  }
-
-  OPENSSL_memset(ret, 0, sizeof(BN_MONT_CTX));
-  BN_init(&ret->RR);
-  BN_init(&ret->N);
-
-  return ret;
-}
-
-void BN_MONT_CTX_free(BN_MONT_CTX *mont) {
-  if (mont == NULL) {
-    return;
-  }
-
-  BN_free(&mont->RR);
-  BN_free(&mont->N);
-  OPENSSL_free(mont);
-}
-
-BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, const BN_MONT_CTX *from) {
-  if (to == from) {
-    return to;
-  }
-
-  if (!BN_copy(&to->RR, &from->RR) ||
-      !BN_copy(&to->N, &from->N)) {
-    return NULL;
-  }
-  to->n0[0] = from->n0[0];
-  to->n0[1] = from->n0[1];
-  return to;
-}
-
-OPENSSL_COMPILE_ASSERT(BN_MONT_CTX_N0_LIMBS == 1 || BN_MONT_CTX_N0_LIMBS == 2,
-                       BN_MONT_CTX_N0_LIMBS_VALUE_INVALID);
-OPENSSL_COMPILE_ASSERT(sizeof(BN_ULONG) * BN_MONT_CTX_N0_LIMBS ==
-                       sizeof(uint64_t), BN_MONT_CTX_set_64_bit_mismatch);
-
-int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) {
-  if (BN_is_zero(mod)) {
-    OPENSSL_PUT_ERROR(BN, BN_R_DIV_BY_ZERO);
-    return 0;
-  }
-  if (!BN_is_odd(mod)) {
-    OPENSSL_PUT_ERROR(BN, BN_R_CALLED_WITH_EVEN_MODULUS);
-    return 0;
-  }
-  if (BN_is_negative(mod)) {
-    OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);
-    return 0;
-  }
-
-  /* Save the modulus. */
-  if (!BN_copy(&mont->N, mod)) {
-    OPENSSL_PUT_ERROR(BN, ERR_R_INTERNAL_ERROR);
-    return 0;
-  }
-
-  /* Find n0 such that n0 * N == -1 (mod r).
-   *
-   * Only certain BN_BITS2<=32 platforms actually make use of n0[1]. For the
-   * others, we could use a shorter R value and use faster |BN_ULONG|-based
-   * math instead of |uint64_t|-based math, which would be double-precision.
-   * However, currently only the assembler files know which is which. */
-  uint64_t n0 = bn_mont_n0(mod);
-  mont->n0[0] = (BN_ULONG)n0;
-#if BN_MONT_CTX_N0_LIMBS == 2
-  mont->n0[1] = (BN_ULONG)(n0 >> BN_BITS2);
-#else
-  mont->n0[1] = 0;
-#endif
-
-  /* Save RR = R**2 (mod N). R is the smallest power of 2**BN_BITS such that R
-   * > mod. Even though the assembly on some 32-bit platforms works with 64-bit
-   * values, using |BN_BITS2| here, rather than |BN_MONT_CTX_N0_LIMBS *
-   * BN_BITS2|, is correct because R**2 will still be a multiple of the latter
-   * as |BN_MONT_CTX_N0_LIMBS| is either one or two.
-   *
-   * XXX: This is not constant time with respect to |mont->N|, but it should
-   * be. */
-  unsigned lgBigR = (BN_num_bits(mod) + (BN_BITS2 - 1)) / BN_BITS2 * BN_BITS2;
-  if (!bn_mod_exp_base_2_vartime(&mont->RR, lgBigR * 2, &mont->N)) {
-    return 0;
-  }
-
-  return 1;
-}
-
-int BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, CRYPTO_MUTEX *lock,
-                           const BIGNUM *mod, BN_CTX *bn_ctx) {
-  CRYPTO_MUTEX_lock_read(lock);
-  BN_MONT_CTX *ctx = *pmont;
-  CRYPTO_MUTEX_unlock_read(lock);
-
-  if (ctx) {
-    return 1;
-  }
-
-  CRYPTO_MUTEX_lock_write(lock);
-  ctx = *pmont;
-  if (ctx) {
-    goto out;
-  }
-
-  ctx = BN_MONT_CTX_new();
-  if (ctx == NULL) {
-    goto out;
-  }
-  if (!BN_MONT_CTX_set(ctx, mod, bn_ctx)) {
-    BN_MONT_CTX_free(ctx);
-    ctx = NULL;
-    goto out;
-  }
-  *pmont = ctx;
-
-out:
-  CRYPTO_MUTEX_unlock_write(lock);
-  return ctx != NULL;
-}
-
-int BN_to_montgomery(BIGNUM *ret, const BIGNUM *a, const BN_MONT_CTX *mont,
-                     BN_CTX *ctx) {
-  return BN_mod_mul_montgomery(ret, a, &mont->RR, mont, ctx);
-}
-
-static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r,
-                                   const BN_MONT_CTX *mont) {
-  BN_ULONG *ap, *np, *rp, n0, v, carry;
-  int nl, max, i;
-
-  const BIGNUM *n = &mont->N;
-  nl = n->top;
-  if (nl == 0) {
-    ret->top = 0;
-    return 1;
-  }
-
-  max = (2 * nl); /* carry is stored separately */
-  if (bn_wexpand(r, max) == NULL) {
-    return 0;
-  }
-
-  r->neg ^= n->neg;
-  np = n->d;
-  rp = r->d;
-
-  /* clear the top words of T */
-  if (max > r->top) {
-    OPENSSL_memset(&rp[r->top], 0, (max - r->top) * sizeof(BN_ULONG));
-  }
-
-  r->top = max;
-  n0 = mont->n0[0];
-
-  for (carry = 0, i = 0; i < nl; i++, rp++) {
-    v = bn_mul_add_words(rp, np, nl, (rp[0] * n0) & BN_MASK2);
-    v = (v + carry + rp[nl]) & BN_MASK2;
-    carry |= (v != rp[nl]);
-    carry &= (v <= rp[nl]);
-    rp[nl] = v;
-  }
-
-  if (bn_wexpand(ret, nl) == NULL) {
-    return 0;
-  }
-  ret->top = nl;
-  ret->neg = r->neg;
-
-  rp = ret->d;
-  ap = &(r->d[nl]);
-
-  {
-    BN_ULONG *nrp;
-    uintptr_t m;
-
-    v = bn_sub_words(rp, ap, np, nl) - carry;
-    /* if subtraction result is real, then trick unconditional memcpy below to
-     * perform in-place "refresh" instead of actual copy. */
-    m = (0u - (uintptr_t)v);
-    nrp = (BN_ULONG *)(((uintptr_t)rp & ~m) | ((uintptr_t)ap & m));
-
-    for (i = 0, nl -= 4; i < nl; i += 4) {
-      BN_ULONG t1, t2, t3, t4;
-
-      t1 = nrp[i + 0];
-      t2 = nrp[i + 1];
-      t3 = nrp[i + 2];
-      ap[i + 0] = 0;
-      t4 = nrp[i + 3];
-      ap[i + 1] = 0;
-      rp[i + 0] = t1;
-      ap[i + 2] = 0;
-      rp[i + 1] = t2;
-      ap[i + 3] = 0;
-      rp[i + 2] = t3;
-      rp[i + 3] = t4;
-    }
-
-    for (nl += 4; i < nl; i++) {
-      rp[i] = nrp[i], ap[i] = 0;
-    }
-  }
-
-  bn_correct_top(r);
-  bn_correct_top(ret);
-
-  return 1;
-}
-
-int BN_from_montgomery(BIGNUM *r, const BIGNUM *a, const BN_MONT_CTX *mont,
-                       BN_CTX *ctx) {
-  int ret = 0;
-  BIGNUM *t;
-
-  BN_CTX_start(ctx);
-  t = BN_CTX_get(ctx);
-  if (t == NULL ||
-      !BN_copy(t, a)) {
-    goto err;
-  }
-
-  ret = BN_from_montgomery_word(r, t, mont);
-
-err:
-  BN_CTX_end(ctx);
-
-  return ret;
-}
-
-int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
-                          const BN_MONT_CTX *mont, BN_CTX *ctx) {
-  BIGNUM *tmp;
-  int ret = 0;
-
-#if defined(OPENSSL_BN_ASM_MONT)
-  int num = mont->N.top;
-
-  if (num > 1 && a->top == num && b->top == num) {
-    if (bn_wexpand(r, num) == NULL) {
-      return 0;
-    }
-    if (bn_mul_mont(r->d, a->d, b->d, mont->N.d, mont->n0, num)) {
-      r->neg = a->neg ^ b->neg;
-      r->top = num;
-      bn_correct_top(r);
-      return 1;
-    }
-  }
-#endif
-
-  BN_CTX_start(ctx);
-  tmp = BN_CTX_get(ctx);
-  if (tmp == NULL) {
-    goto err;
-  }
-
-  if (a == b) {
-    if (!BN_sqr(tmp, a, ctx)) {
-      goto err;
-    }
-  } else {
-    if (!BN_mul(tmp, a, b, ctx)) {
-      goto err;
-    }
-  }
-
-  /* reduce from aRR to aR */
-  if (!BN_from_montgomery_word(r, tmp, mont)) {
-    goto err;
-  }
-
-  ret = 1;
-
-err:
-  BN_CTX_end(ctx);
-  return ret;
-}
@@ -1,207 +0,0 @@
-/* Copyright 2016 Brian Smith.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/bn.h>
-
-#include <assert.h>
-
-#include "internal.h"
-#include "../internal.h"
-
-
-static uint64_t bn_neg_inv_mod_r_u64(uint64_t n);
-
-OPENSSL_COMPILE_ASSERT(BN_MONT_CTX_N0_LIMBS == 1 || BN_MONT_CTX_N0_LIMBS == 2,
-                       BN_MONT_CTX_N0_LIMBS_VALUE_INVALID);
-OPENSSL_COMPILE_ASSERT(sizeof(uint64_t) ==
-                       BN_MONT_CTX_N0_LIMBS * sizeof(BN_ULONG),
-                       BN_MONT_CTX_N0_LIMBS_DOES_NOT_MATCH_UINT64_T);
-
-/* LG_LITTLE_R is log_2(r). */
-#define LG_LITTLE_R (BN_MONT_CTX_N0_LIMBS * BN_BITS2)
-
-uint64_t bn_mont_n0(const BIGNUM *n) {
-  /* These conditions are checked by the caller, |BN_MONT_CTX_set|. */
-  assert(!BN_is_zero(n));
-  assert(!BN_is_negative(n));
-  assert(BN_is_odd(n));
-
-  /* r == 2**(BN_MONT_CTX_N0_LIMBS * BN_BITS2) and LG_LITTLE_R == lg(r). This
-   * ensures that we can do integer division by |r| by simply ignoring
-   * |BN_MONT_CTX_N0_LIMBS| limbs. Similarly, we can calculate values modulo
-   * |r| by just looking at the lowest |BN_MONT_CTX_N0_LIMBS| limbs. This is
-   * what makes Montgomery multiplication efficient.
-   *
-   * As shown in Algorithm 1 of "Fast Prime Field Elliptic Curve Cryptography
-   * with 256 Bit Primes" by Shay Gueron and Vlad Krasnov, in the loop of a
-   * multi-limb Montgomery multiplication of |a * b (mod n)|, given the
-   * unreduced product |t == a * b|, we repeatedly calculate:
-   *
-   *    t1 := t % r         |t1| is |t|'s lowest limb (see previous paragraph).
-   *    t2 := t1*n0*n
-   *    t3 := t + t2
-   *    t := t3 / r         copy all limbs of |t3| except the lowest to |t|.
-   *
-   * In the last step, it would only make sense to ignore the lowest limb of
-   * |t3| if it were zero. The middle steps ensure that this is the case:
-   *
-   *                            t3 ==  0 (mod r)
-   *                        t + t2 ==  0 (mod r)
-   *                   t + t1*n0*n ==  0 (mod r)
-   *                       t1*n0*n == -t (mod r)
-   *                        t*n0*n == -t (mod r)
-   *                          n0*n == -1 (mod r)
-   *                            n0 == -1/n (mod r)
-   *
-   * Thus, in each iteration of the loop, we multiply by the constant factor
-   * |n0|, the negative inverse of n (mod r). */
-
-  /* n_mod_r = n % r. As explained above, this is done by taking the lowest
-   * |BN_MONT_CTX_N0_LIMBS| limbs of |n|. */
-  uint64_t n_mod_r = n->d[0];
-#if BN_MONT_CTX_N0_LIMBS == 2
-  if (n->top > 1) {
-    n_mod_r |= (uint64_t)n->d[1] << BN_BITS2;
-  }
-#endif
-
-  return bn_neg_inv_mod_r_u64(n_mod_r);
-}
-
-/* bn_neg_inv_r_mod_n_u64 calculates the -1/n mod r; i.e. it calculates |v|
- * such that u*r - v*n == 1. |r| is the constant defined in |bn_mont_n0|. |n|
- * must be odd.
- *
- * This is derived from |xbinGCD| in Henry S. Warren, Jr.'s "Montgomery
- * Multiplication" (http://www.hackersdelight.org/MontgomeryMultiplication.pdf).
- * It is very similar to the MODULAR-INVERSE function in Stephen R. Dussé's and
- * Burton S. Kaliski Jr.'s "A Cryptographic Library for the Motorola DSP56000"
- * (http://link.springer.com/chapter/10.1007%2F3-540-46877-3_21).
- *
- * This is inspired by Joppe W. Bos's "Constant Time Modular Inversion"
- * (http://www.joppebos.com/files/CTInversion.pdf) so that the inversion is
- * constant-time with respect to |n|. We assume uint64_t additions,
- * subtractions, shifts, and bitwise operations are all constant time, which
- * may be a large leap of faith on 32-bit targets. We avoid division and
- * multiplication, which tend to be the most problematic in terms of timing
- * leaks.
- *
- * Most GCD implementations return values such that |u*r + v*n == 1|, so the
- * caller would have to negate the resultant |v| for the purpose of Montgomery
- * multiplication. This implementation does the negation implicitly by doing
- * the computations as a difference instead of a sum. */
-static uint64_t bn_neg_inv_mod_r_u64(uint64_t n) {
-  assert(n % 2 == 1);
-
-  /* alpha == 2**(lg r - 1) == r / 2. */
-  static const uint64_t alpha = UINT64_C(1) << (LG_LITTLE_R - 1);
-
-  const uint64_t beta = n;
-
-  uint64_t u = 1;
-  uint64_t v = 0;
-
-  /* The invariant maintained from here on is:
-   * 2**(lg r - i) == u*2*alpha - v*beta. */
-  for (size_t i = 0; i < LG_LITTLE_R; ++i) {
-#if BN_BITS2 == 64 && defined(BN_ULLONG)
-    assert((BN_ULLONG)(1) << (LG_LITTLE_R - i) ==
-           ((BN_ULLONG)u * 2 * alpha) - ((BN_ULLONG)v * beta));
-#endif
-
-    /* Delete a common factor of 2 in u and v if |u| is even. Otherwise, set
-     * |u = (u + beta) / 2| and |v = (v / 2) + alpha|. */
-
-    uint64_t u_is_odd = UINT64_C(0) - (u & 1); /* Either 0xff..ff or 0. */
-
-    /* The addition can overflow, so use Dietz's method for it.
-     *
-     * Dietz calculates (x+y)/2 by (x⊕y)>>1 + x&y. This is valid for all
-     * (unsigned) x and y, even when x+y overflows. Evidence for 32-bit values
-     * (embedded in 64 bits to so that overflow can be ignored):
-     *
-     * (declare-fun x () (_ BitVec 64))
-     * (declare-fun y () (_ BitVec 64))
-     * (assert (let (
-     *    (one (_ bv1 64))
-     *    (thirtyTwo (_ bv32 64)))
-     *    (and
-     *      (bvult x (bvshl one thirtyTwo))
-     *      (bvult y (bvshl one thirtyTwo))
-     *      (not (=
-     *        (bvadd (bvlshr (bvxor x y) one) (bvand x y))
-     *        (bvlshr (bvadd x y) one)))
-     * )))
-     * (check-sat) */
-    uint64_t beta_if_u_is_odd = beta & u_is_odd; /* Either |beta| or 0. */
-    u = ((u ^ beta_if_u_is_odd) >> 1) + (u & beta_if_u_is_odd);
-
-    uint64_t alpha_if_u_is_odd = alpha & u_is_odd; /* Either |alpha| or 0. */
-    v = (v >> 1) + alpha_if_u_is_odd;
-  }
-
-  /* The invariant now shows that u*r - v*n == 1 since r == 2 * alpha. */
-#if BN_BITS2 == 64 && defined(BN_ULLONG)
-  assert(1 == ((BN_ULLONG)u * 2 * alpha) - ((BN_ULLONG)v * beta));
-#endif
-
-  return v;
-}
-
-/* bn_mod_exp_base_2_vartime calculates r = 2**p (mod n). |p| must be larger
- * than log_2(n); i.e. 2**p must be larger than |n|. |n| must be positive and
- * odd. */
-int bn_mod_exp_base_2_vartime(BIGNUM *r, unsigned p, const BIGNUM *n) {
-  assert(!BN_is_zero(n));
-  assert(!BN_is_negative(n));
-  assert(BN_is_odd(n));
-
-  BN_zero(r);
-
-  unsigned n_bits = BN_num_bits(n);
-  assert(n_bits != 0);
-  if (n_bits == 1) {
-    return 1;
-  }
-
-  /* Set |r| to the smallest power of two larger than |n|. */
-  assert(p > n_bits);
-  if (!BN_set_bit(r, n_bits)) {
-    return 0;
-  }
-
-  /* Unconditionally reduce |r|. */
-  assert(BN_cmp(r, n) > 0);
-  if (!BN_usub(r, r, n)) {
-    return 0;
-  }
-  assert(BN_cmp(r, n) < 0);
-
-  for (unsigned i = n_bits; i < p; ++i) {
-    /* This is like |BN_mod_lshift1_quick| except using |BN_usub|.
-     *
-     * TODO: Replace this with the use of a constant-time variant of
-     * |BN_mod_lshift1_quick|. */
-    if (!BN_lshift1(r, r)) {
-      return 0;
-    }
-    if (BN_cmp(r, n) >= 0) {
-      if (!BN_usub(r, r, n)) {
-        return 0;
-      }
-    }
-  }
-
-  return 1;
-}
@@ -1,871 +0,0 @@
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.] */
-
-#include <openssl/bn.h>
-
-#include <assert.h>
-#include <string.h>
-
-#include "internal.h"
-
-
-#define BN_MUL_RECURSIVE_SIZE_NORMAL 16
-#define BN_SQR_RECURSIVE_SIZE_NORMAL BN_MUL_RECURSIVE_SIZE_NORMAL
-
-
-static void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b,
-                          int nb) {
-  BN_ULONG *rr;
-
-  if (na < nb) {
-    int itmp;
-    BN_ULONG *ltmp;
-
-    itmp = na;
-    na = nb;
-    nb = itmp;
-    ltmp = a;
-    a = b;
-    b = ltmp;
-  }
-  rr = &(r[na]);
-  if (nb <= 0) {
-    (void)bn_mul_words(r, a, na, 0);
-    return;
-  } else {
-    rr[0] = bn_mul_words(r, a, na, b[0]);
-  }
-
-  for (;;) {
-    if (--nb <= 0) {
-      return;
-    }
-    rr[1] = bn_mul_add_words(&(r[1]), a, na, b[1]);
-    if (--nb <= 0) {
-      return;
-    }
-    rr[2] = bn_mul_add_words(&(r[2]), a, na, b[2]);
-    if (--nb <= 0) {
-      return;
-    }
-    rr[3] = bn_mul_add_words(&(r[3]), a, na, b[3]);
-    if (--nb <= 0) {
-      return;
-    }
-    rr[4] = bn_mul_add_words(&(r[4]), a, na, b[4]);
-    rr += 4;
-    r += 4;
-    b += 4;
-  }
-}
-
-#if !defined(OPENSSL_X86) || defined(OPENSSL_NO_ASM)
-/* Here follows specialised variants of bn_add_words() and bn_sub_words(). They
- * have the property performing operations on arrays of different sizes. The
- * sizes of those arrays is expressed through cl, which is the common length (
- * basicall, min(len(a),len(b)) ), and dl, which is the delta between the two
- * lengths, calculated as len(a)-len(b). All lengths are the number of
- * BN_ULONGs...  For the operations that require a result array as parameter,
- * it must have the length cl+abs(dl). These functions should probably end up
- * in bn_asm.c as soon as there are assembler counterparts for the systems that
- * use assembler files.  */
-
-static BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a,
-                                  const BN_ULONG *b, int cl, int dl) {
-  BN_ULONG c, t;
-
-  assert(cl >= 0);
-  c = bn_sub_words(r, a, b, cl);
-
-  if (dl == 0) {
-    return c;
-  }
-
-  r += cl;
-  a += cl;
-  b += cl;
-
-  if (dl < 0) {
-    for (;;) {
-      t = b[0];
-      r[0] = (0 - t - c) & BN_MASK2;
-      if (t != 0) {
-        c = 1;
-      }
-      if (++dl >= 0) {
-        break;
-      }
-
-      t = b[1];
-      r[1] = (0 - t - c) & BN_MASK2;
-      if (t != 0) {
-        c = 1;
-      }
-      if (++dl >= 0) {
-        break;
-      }
-
-      t = b[2];
-      r[2] = (0 - t - c) & BN_MASK2;
-      if (t != 0) {
-        c = 1;
-      }
-      if (++dl >= 0) {
-        break;
-      }
-
-      t = b[3];
-      r[3] = (0 - t - c) & BN_MASK2;
-      if (t != 0) {
-        c = 1;
-      }
-      if (++dl >= 0) {
-        break;
-      }
-
-      b += 4;
-      r += 4;
-    }
-  } else {
-    int save_dl = dl;
-    while (c) {
-      t = a[0];
-      r[0] = (t - c) & BN_MASK2;
-      if (t != 0) {
-        c = 0;
-      }
-      if (--dl <= 0) {
-        break;
-      }
-
-      t = a[1];
-      r[1] = (t - c) & BN_MASK2;
-      if (t != 0) {
-        c = 0;
-      }
-      if (--dl <= 0) {
-        break;
-      }
-
-      t = a[2];
-      r[2] = (t - c) & BN_MASK2;
-      if (t != 0) {
-        c = 0;
-      }
-      if (--dl <= 0) {
-        break;
-      }
-
-      t = a[3];
-      r[3] = (t - c) & BN_MASK2;
-      if (t != 0) {
-        c = 0;
-      }
-      if (--dl <= 0) {
-        break;
-      }
-
-      save_dl = dl;
-      a += 4;
-      r += 4;
-    }
-    if (dl > 0) {
-      if (save_dl > dl) {
-        switch (save_dl - dl) {
-          case 1:
-            r[1] = a[1];
-            if (--dl <= 0) {
-              break;
-            }
-          case 2:
-            r[2] = a[2];
-            if (--dl <= 0) {
-              break;
-            }
-          case 3:
-            r[3] = a[3];
-            if (--dl <= 0) {
-              break;
-            }
-        }
-        a += 4;
-        r += 4;
-      }
-    }
-
-    if (dl > 0) {
-      for (;;) {
-        r[0] = a[0];
-        if (--dl <= 0) {
-          break;
-        }
-        r[1] = a[1];
-        if (--dl <= 0) {
-          break;
-        }
-        r[2] = a[2];
-        if (--dl <= 0) {
-          break;
-        }
-        r[3] = a[3];
-        if (--dl <= 0) {
-          break;
-        }
-
-        a += 4;
-        r += 4;
-      }
-    }
-  }
-
-  return c;
-}
-#else
-/* On other platforms the function is defined in asm. */
-BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
-                           int cl, int dl);
-#endif
-
-/* Karatsuba recursive multiplication algorithm
- * (cf. Knuth, The Art of Computer Programming, Vol. 2) */
-
-/* r is 2*n2 words in size,
- * a and b are both n2 words in size.
- * n2 must be a power of 2.
- * We multiply and return the result.
- * t must be 2*n2 words in size
- * We calculate
- * a[0]*b[0]
- * a[0]*b[0]+a[1]*b[1]+(a[0]-a[1])*(b[1]-b[0])
- * a[1]*b[1]
- */
-/* dnX may not be positive, but n2/2+dnX has to be */
-static void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
-                             int dna, int dnb, BN_ULONG *t) {
-  int n = n2 / 2, c1, c2;
-  int tna = n + dna, tnb = n + dnb;
-  unsigned int neg, zero;
-  BN_ULONG ln, lo, *p;
-
-  /* Only call bn_mul_comba 8 if n2 == 8 and the
-   * two arrays are complete [steve]
-   */
-  if (n2 == 8 && dna == 0 && dnb == 0) {
-    bn_mul_comba8(r, a, b);
-    return;
-  }
-
-  /* Else do normal multiply */
-  if (n2 < BN_MUL_RECURSIVE_SIZE_NORMAL) {
-    bn_mul_normal(r, a, n2 + dna, b, n2 + dnb);
-    if ((dna + dnb) < 0) {
-      OPENSSL_memset(&r[2 * n2 + dna + dnb], 0,
-                     sizeof(BN_ULONG) * -(dna + dnb));
-    }
-    return;
-  }
-
-  /* r=(a[0]-a[1])*(b[1]-b[0]) */
-  c1 = bn_cmp_part_words(a, &(a[n]), tna, n - tna);
-  c2 = bn_cmp_part_words(&(b[n]), b, tnb, tnb - n);
-  zero = neg = 0;
-  switch (c1 * 3 + c2) {
-    case -4:
-      bn_sub_part_words(t, &(a[n]), a, tna, tna - n);       /* - */
-      bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb); /* - */
-      break;
-    case -3:
-      zero = 1;
-      break;
-    case -2:
-      bn_sub_part_words(t, &(a[n]), a, tna, tna - n);       /* - */
-      bn_sub_part_words(&(t[n]), &(b[n]), b, tnb, tnb - n); /* + */
-      neg = 1;
-      break;
-    case -1:
-    case 0:
-    case 1:
-      zero = 1;
-      break;
-    case 2:
-      bn_sub_part_words(t, a, &(a[n]), tna, n - tna);       /* + */
-      bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb); /* - */
-      neg = 1;
-      break;
-    case 3:
-      zero = 1;
-      break;
-    case 4:
-      bn_sub_part_words(t, a, &(a[n]), tna, n - tna);
-      bn_sub_part_words(&(t[n]), &(b[n]), b, tnb, tnb - n);
-      break;
-  }
-
-  if (n == 4 && dna == 0 && dnb == 0) {
-    /* XXX: bn_mul_comba4 could take extra args to do this well */
-    if (!zero) {
-      bn_mul_comba4(&(t[n2]), t, &(t[n]));
-    } else {
-      OPENSSL_memset(&(t[n2]), 0, 8 * sizeof(BN_ULONG));
-    }
-
-    bn_mul_comba4(r, a, b);
-    bn_mul_comba4(&(r[n2]), &(a[n]), &(b[n]));
-  } else if (n == 8 && dna == 0 && dnb == 0) {
-    /* XXX: bn_mul_comba8 could take extra args to do this well */
-    if (!zero) {
-      bn_mul_comba8(&(t[n2]), t, &(t[n]));
-    } else {
-      OPENSSL_memset(&(t[n2]), 0, 16 * sizeof(BN_ULONG));
-    }
-
-    bn_mul_comba8(r, a, b);
-    bn_mul_comba8(&(r[n2]), &(a[n]), &(b[n]));
-  } else {
-    p = &(t[n2 * 2]);
-    if (!zero) {
-      bn_mul_recursive(&(t[n2]), t, &(t[n]), n, 0, 0, p);
-    } else {
-      OPENSSL_memset(&(t[n2]), 0, n2 * sizeof(BN_ULONG));
-    }
-    bn_mul_recursive(r, a, b, n, 0, 0, p);
-    bn_mul_recursive(&(r[n2]), &(a[n]), &(b[n]), n, dna, dnb, p);
-  }
-
-  /* t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
-   * r[10] holds (a[0]*b[0])
-   * r[32] holds (b[1]*b[1]) */
-
-  c1 = (int)(bn_add_words(t, r, &(r[n2]), n2));
-
-  if (neg) {
-    /* if t[32] is negative */
-    c1 -= (int)(bn_sub_words(&(t[n2]), t, &(t[n2]), n2));
-  } else {
-    /* Might have a carry */
-    c1 += (int)(bn_add_words(&(t[n2]), &(t[n2]), t, n2));
-  }
-
-  /* t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
-   * r[10] holds (a[0]*b[0])
-   * r[32] holds (b[1]*b[1])
-   * c1 holds the carry bits */
-  c1 += (int)(bn_add_words(&(r[n]), &(r[n]), &(t[n2]), n2));
-  if (c1) {
-    p = &(r[n + n2]);
-    lo = *p;
-    ln = (lo + c1) & BN_MASK2;
-    *p = ln;
-
-    /* The overflow will stop before we over write
-     * words we should not overwrite */
-    if (ln < (BN_ULONG)c1) {
-      do {
-        p++;
-        lo = *p;
-        ln = (lo + 1) & BN_MASK2;
-        *p = ln;
-      } while (ln == 0);
-    }
-  }
-}
-
-/* n+tn is the word length
- * t needs to be n*4 is size, as does r */
-/* tnX may not be negative but less than n */
-static void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
-                                  int tna, int tnb, BN_ULONG *t) {
-  int i, j, n2 = n * 2;
-  int c1, c2, neg;
-  BN_ULONG ln, lo, *p;
-
-  if (n < 8) {
-    bn_mul_normal(r, a, n + tna, b, n + tnb);
-    return;
-  }
-
-  /* r=(a[0]-a[1])*(b[1]-b[0]) */
-  c1 = bn_cmp_part_words(a, &(a[n]), tna, n - tna);
-  c2 = bn_cmp_part_words(&(b[n]), b, tnb, tnb - n);
-  neg = 0;
-  switch (c1 * 3 + c2) {
-    case -4:
-      bn_sub_part_words(t, &(a[n]), a, tna, tna - n);       /* - */
-      bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb); /* - */
-      break;
-    case -3:
-    /* break; */
-    case -2:
-      bn_sub_part_words(t, &(a[n]), a, tna, tna - n);       /* - */
-      bn_sub_part_words(&(t[n]), &(b[n]), b, tnb, tnb - n); /* + */
-      neg = 1;
-      break;
-    case -1:
-    case 0:
-    case 1:
-    /* break; */
-    case 2:
-      bn_sub_part_words(t, a, &(a[n]), tna, n - tna);       /* + */
-      bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb); /* - */
-      neg = 1;
-      break;
-    case 3:
-    /* break; */
-    case 4:
-      bn_sub_part_words(t, a, &(a[n]), tna, n - tna);
-      bn_sub_part_words(&(t[n]), &(b[n]), b, tnb, tnb - n);
-      break;
-  }
-
-  if (n == 8) {
-    bn_mul_comba8(&(t[n2]), t, &(t[n]));
-    bn_mul_comba8(r, a, b);
-    bn_mul_normal(&(r[n2]), &(a[n]), tna, &(b[n]), tnb);
-    OPENSSL_memset(&(r[n2 + tna + tnb]), 0, sizeof(BN_ULONG) * (n2 - tna - tnb));
-  } else {
-    p = &(t[n2 * 2]);
-    bn_mul_recursive(&(t[n2]), t, &(t[n]), n, 0, 0, p);
-    bn_mul_recursive(r, a, b, n, 0, 0, p);
-    i = n / 2;
-    /* If there is only a bottom half to the number,
-     * just do it */
-    if (tna > tnb) {
-      j = tna - i;
-    } else {
-      j = tnb - i;
-    }
-
-    if (j == 0) {
-      bn_mul_recursive(&(r[n2]), &(a[n]), &(b[n]), i, tna - i, tnb - i, p);
-      OPENSSL_memset(&(r[n2 + i * 2]), 0, sizeof(BN_ULONG) * (n2 - i * 2));
-    } else if (j > 0) {
-      /* eg, n == 16, i == 8 and tn == 11 */
-      bn_mul_part_recursive(&(r[n2]), &(a[n]), &(b[n]), i, tna - i, tnb - i, p);
-      OPENSSL_memset(&(r[n2 + tna + tnb]), 0,
-                     sizeof(BN_ULONG) * (n2 - tna - tnb));
-    } else {
-      /* (j < 0) eg, n == 16, i == 8 and tn == 5 */
-      OPENSSL_memset(&(r[n2]), 0, sizeof(BN_ULONG) * n2);
-      if (tna < BN_MUL_RECURSIVE_SIZE_NORMAL &&
-          tnb < BN_MUL_RECURSIVE_SIZE_NORMAL) {
-        bn_mul_normal(&(r[n2]), &(a[n]), tna, &(b[n]), tnb);
-      } else {
-        for (;;) {
-          i /= 2;
-          /* these simplified conditions work
-           * exclusively because difference
-           * between tna and tnb is 1 or 0 */
-          if (i < tna || i < tnb) {
-            bn_mul_part_recursive(&(r[n2]), &(a[n]), &(b[n]), i, tna - i,
-                                  tnb - i, p);
-            break;
-          } else if (i == tna || i == tnb) {
-            bn_mul_recursive(&(r[n2]), &(a[n]), &(b[n]), i, tna - i, tnb - i,
-                             p);
-            break;
-          }
-        }
-      }
-    }
-  }
-
-  /* t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
-   * r[10] holds (a[0]*b[0])
-   * r[32] holds (b[1]*b[1])
-   */
-
-  c1 = (int)(bn_add_words(t, r, &(r[n2]), n2));
-
-  if (neg) {
-    /* if t[32] is negative */
-    c1 -= (int)(bn_sub_words(&(t[n2]), t, &(t[n2]), n2));
-  } else {
-    /* Might have a carry */
-    c1 += (int)(bn_add_words(&(t[n2]), &(t[n2]), t, n2));
-  }
-
-  /* t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
-   * r[10] holds (a[0]*b[0])
-   * r[32] holds (b[1]*b[1])
-   * c1 holds the carry bits */
-  c1 += (int)(bn_add_words(&(r[n]), &(r[n]), &(t[n2]), n2));
-  if (c1) {
-    p = &(r[n + n2]);
-    lo = *p;
-    ln = (lo + c1) & BN_MASK2;
-    *p = ln;
-
-    /* The overflow will stop before we over write
-     * words we should not overwrite */
-    if (ln < (BN_ULONG)c1) {
-      do {
-        p++;
-        lo = *p;
-        ln = (lo + 1) & BN_MASK2;
-        *p = ln;
-      } while (ln == 0);
-    }
-  }
-}
-
-int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) {
-  int ret = 0;
-  int top, al, bl;
-  BIGNUM *rr;
-  int i;
-  BIGNUM *t = NULL;
-  int j = 0, k;
-
-  al = a->top;
-  bl = b->top;
-
-  if ((al == 0) || (bl == 0)) {
-    BN_zero(r);
-    return 1;
-  }
-  top = al + bl;
-
-  BN_CTX_start(ctx);
-  if ((r == a) || (r == b)) {
-    if ((rr = BN_CTX_get(ctx)) == NULL) {
-      goto err;
-    }
-  } else {
-    rr = r;
-  }
-  rr->neg = a->neg ^ b->neg;
-
-  i = al - bl;
-  if (i == 0) {
-    if (al == 8) {
-      if (bn_wexpand(rr, 16) == NULL) {
-        goto err;
-      }
-      rr->top = 16;
-      bn_mul_comba8(rr->d, a->d, b->d);
-      goto end;
-    }
-  }
-
-  static const int kMulNormalSize = 16;
-  if (al >= kMulNormalSize && bl >= kMulNormalSize) {
-    if (i >= -1 && i <= 1) {
-      /* Find out the power of two lower or equal
-         to the longest of the two numbers */
-      if (i >= 0) {
-        j = BN_num_bits_word((BN_ULONG)al);
-      }
-      if (i == -1) {
-        j = BN_num_bits_word((BN_ULONG)bl);
-      }
-      j = 1 << (j - 1);
-      assert(j <= al || j <= bl);
-      k = j + j;
-      t = BN_CTX_get(ctx);
-      if (t == NULL) {
-        goto err;
-      }
-      if (al > j || bl > j) {
-        if (bn_wexpand(t, k * 4) == NULL) {
-          goto err;
-        }
-        if (bn_wexpand(rr, k * 4) == NULL) {
-          goto err;
-        }
-        bn_mul_part_recursive(rr->d, a->d, b->d, j, al - j, bl - j, t->d);
-      } else {
-        /* al <= j || bl <= j */
-        if (bn_wexpand(t, k * 2) == NULL) {
-          goto err;
-        }
-        if (bn_wexpand(rr, k * 2) == NULL) {
-          goto err;
-        }
-        bn_mul_recursive(rr->d, a->d, b->d, j, al - j, bl - j, t->d);
-      }
-      rr->top = top;
-      goto end;
-    }
-  }
-
-  if (bn_wexpand(rr, top) == NULL) {
-    goto err;
-  }
-  rr->top = top;
-  bn_mul_normal(rr->d, a->d, al, b->d, bl);
-
-end:
-  bn_correct_top(rr);
-  if (r != rr && !BN_copy(r, rr)) {
-    goto err;
-  }
-  ret = 1;
-
-err:
-  BN_CTX_end(ctx);
-  return ret;
-}
-
-/* tmp must have 2*n words */
-static void bn_sqr_normal(BN_ULONG *r, const BN_ULONG *a, int n, BN_ULONG *tmp) {
-  int i, j, max;
-  const BN_ULONG *ap;
-  BN_ULONG *rp;
-
-  max = n * 2;
-  ap = a;
-  rp = r;
-  rp[0] = rp[max - 1] = 0;
-  rp++;
-  j = n;
-
-  if (--j > 0) {
-    ap++;
-    rp[j] = bn_mul_words(rp, ap, j, ap[-1]);
-    rp += 2;
-  }
-
-  for (i = n - 2; i > 0; i--) {
-    j--;
-    ap++;
-    rp[j] = bn_mul_add_words(rp, ap, j, ap[-1]);
-    rp += 2;
-  }
-
-  bn_add_words(r, r, r, max);
-
-  /* There will not be a carry */
-
-  bn_sqr_words(tmp, a, n);
-
-  bn_add_words(r, r, tmp, max);
-}
-
-/* r is 2*n words in size,
- * a and b are both n words in size.    (There's not actually a 'b' here ...)
- * n must be a power of 2.
- * We multiply and return the result.
- * t must be 2*n words in size
- * We calculate
- * a[0]*b[0]
- * a[0]*b[0]+a[1]*b[1]+(a[0]-a[1])*(b[1]-b[0])
- * a[1]*b[1]
- */
-static void bn_sqr_recursive(BN_ULONG *r, const BN_ULONG *a, int n2, BN_ULONG *t) {
-  int n = n2 / 2;
-  int zero, c1;
-  BN_ULONG ln, lo, *p;
-
-  if (n2 == 4) {
-    bn_sqr_comba4(r, a);
-    return;
-  } else if (n2 == 8) {
-    bn_sqr_comba8(r, a);
-    return;
-  }
-  if (n2 < BN_SQR_RECURSIVE_SIZE_NORMAL) {
-    bn_sqr_normal(r, a, n2, t);
-    return;
-  }
-  /* r=(a[0]-a[1])*(a[1]-a[0]) */
-  c1 = bn_cmp_words(a, &(a[n]), n);
-  zero = 0;
-  if (c1 > 0) {
-    bn_sub_words(t, a, &(a[n]), n);
-  } else if (c1 < 0) {
-    bn_sub_words(t, &(a[n]), a, n);
-  } else {
-    zero = 1;
-  }
-
-  /* The result will always be negative unless it is zero */
-  p = &(t[n2 * 2]);
-
-  if (!zero) {
-    bn_sqr_recursive(&(t[n2]), t, n, p);
-  } else {
-    OPENSSL_memset(&(t[n2]), 0, n2 * sizeof(BN_ULONG));
-  }
-  bn_sqr_recursive(r, a, n, p);
-  bn_sqr_recursive(&(r[n2]), &(a[n]), n, p);
-
-  /* t[32] holds (a[0]-a[1])*(a[1]-a[0]), it is negative or zero
-   * r[10] holds (a[0]*b[0])
-   * r[32] holds (b[1]*b[1]) */
-
-  c1 = (int)(bn_add_words(t, r, &(r[n2]), n2));
-
-  /* t[32] is negative */
-  c1 -= (int)(bn_sub_words(&(t[n2]), t, &(t[n2]), n2));
-
-  /* t[32] holds (a[0]-a[1])*(a[1]-a[0])+(a[0]*a[0])+(a[1]*a[1])
-   * r[10] holds (a[0]*a[0])
-   * r[32] holds (a[1]*a[1])
-   * c1 holds the carry bits */
-  c1 += (int)(bn_add_words(&(r[n]), &(r[n]), &(t[n2]), n2));
-  if (c1) {
-    p = &(r[n + n2]);
-    lo = *p;
-    ln = (lo + c1) & BN_MASK2;
-    *p = ln;
-
-    /* The overflow will stop before we over write
-     * words we should not overwrite */
-    if (ln < (BN_ULONG)c1) {
-      do {
-        p++;
-        lo = *p;
-        ln = (lo + 1) & BN_MASK2;
-        *p = ln;
-      } while (ln == 0);
-    }
-  }
-}
-
-int BN_mul_word(BIGNUM *bn, BN_ULONG w) {
-  BN_ULONG ll;
-
-  w &= BN_MASK2;
-  if (!bn->top) {
-    return 1;
-  }
-
-  if (w == 0) {
-    BN_zero(bn);
-    return 1;
-  }
-
-  ll = bn_mul_words(bn->d, bn->d, bn->top, w);
-  if (ll) {
-    if (bn_wexpand(bn, bn->top + 1) == NULL) {
-      return 0;
-    }
-    bn->d[bn->top++] = ll;
-  }
-
-  return 1;
-}
-
-int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) {
-  int max, al;
-  int ret = 0;
-  BIGNUM *tmp, *rr;
-
-  al = a->top;
-  if (al <= 0) {
-    r->top = 0;
-    r->neg = 0;
-    return 1;
-  }
-
-  BN_CTX_start(ctx);
-  rr = (a != r) ? r : BN_CTX_get(ctx);
-  tmp = BN_CTX_get(ctx);
-  if (!rr || !tmp) {
-    goto err;
-  }
-
-  max = 2 * al; /* Non-zero (from above) */
-  if (bn_wexpand(rr, max) == NULL) {
-    goto err;
-  }
-
-  if (al == 4) {
-    bn_sqr_comba4(rr->d, a->d);
-  } else if (al == 8) {
-    bn_sqr_comba8(rr->d, a->d);
-  } else {
-    if (al < BN_SQR_RECURSIVE_SIZE_NORMAL) {
-      BN_ULONG t[BN_SQR_RECURSIVE_SIZE_NORMAL * 2];
-      bn_sqr_normal(rr->d, a->d, al, t);
-    } else {
-      int j, k;
-
-      j = BN_num_bits_word((BN_ULONG)al);
-      j = 1 << (j - 1);
-      k = j + j;
-      if (al == j) {
-        if (bn_wexpand(tmp, k * 2) == NULL) {
-          goto err;
-        }
-        bn_sqr_recursive(rr->d, a->d, al, tmp->d);
-      } else {
-        if (bn_wexpand(tmp, max) == NULL) {
-          goto err;
-        }
-        bn_sqr_normal(rr->d, a->d, al, tmp->d);
-      }
-    }
-  }
-
-  rr->neg = 0;
-  /* If the most-significant half of the top word of 'a' is zero, then
-   * the square of 'a' will max-1 words. */
-  if (a->d[al - 1] == (a->d[al - 1] & BN_MASK2l)) {
-    rr->top = max - 1;
-  } else {
-    rr->top = max;
-  }
-
-  if (rr != r && !BN_copy(r, rr)) {
-    goto err;
-  }
-  ret = 1;
-
-err:
-  BN_CTX_end(ctx);
-  return ret;
-}
@@ -1,343 +0,0 @@
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com). */
-
-#include <openssl/bn.h>
-
-#include <string.h>
-
-#include <openssl/err.h>
-#include <openssl/mem.h>
-#include <openssl/rand.h>
-#include <openssl/sha.h>
-
-#include "../internal.h"
-
-
-int BN_rand(BIGNUM *rnd, int bits, int top, int bottom) {
-  uint8_t *buf = NULL;
-  int ret = 0, bit, bytes, mask;
-
-  if (rnd == NULL) {
-    return 0;
-  }
-
-  if (top != BN_RAND_TOP_ANY && top != BN_RAND_TOP_ONE &&
-      top != BN_RAND_TOP_TWO) {
-    OPENSSL_PUT_ERROR(BN, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-    return 0;
-  }
-
-  if (bottom != BN_RAND_BOTTOM_ANY && bottom != BN_RAND_BOTTOM_ODD) {
-    OPENSSL_PUT_ERROR(BN, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-    return 0;
-  }
-
-  if (bits == 0) {
-    BN_zero(rnd);
-    return 1;
-  }
-
-  bytes = (bits + 7) / 8;
-  bit = (bits - 1) % 8;
-  mask = 0xff << (bit + 1);
-
-  buf = OPENSSL_malloc(bytes);
-  if (buf == NULL) {
-    OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE);
-    goto err;
-  }
-
-  /* Make a random number and set the top and bottom bits. */
-  if (!RAND_bytes(buf, bytes)) {
-    goto err;
-  }
-
-  if (top != BN_RAND_TOP_ANY) {
-    if (top == BN_RAND_TOP_TWO && bits > 1) {
-      if (bit == 0) {
-        buf[0] = 1;
-        buf[1] |= 0x80;
-      } else {
-        buf[0] |= (3 << (bit - 1));
-      }
-    } else {
-      buf[0] |= (1 << bit);
-    }
-  }
-
-  buf[0] &= ~mask;
-
-  /* Set the bottom bit if requested, */
-  if (bottom == BN_RAND_BOTTOM_ODD)  {
-    buf[bytes - 1] |= 1;
-  }
-
-  if (!BN_bin2bn(buf, bytes, rnd)) {
-    goto err;
-  }
-
-  ret = 1;
-
-err:
-  if (buf != NULL) {
-    OPENSSL_cleanse(buf, bytes);
-    OPENSSL_free(buf);
-  }
-  return (ret);
-}
-
-int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom) {
-  return BN_rand(rnd, bits, top, bottom);
-}
-
-int BN_rand_range_ex(BIGNUM *r, BN_ULONG min_inclusive,
-                     const BIGNUM *max_exclusive) {
-  unsigned n;
-  unsigned count = 100;
-
-  if (BN_cmp_word(max_exclusive, min_inclusive) <= 0) {
-    OPENSSL_PUT_ERROR(BN, BN_R_INVALID_RANGE);
-    return 0;
-  }
-
-  n = BN_num_bits(max_exclusive); /* n > 0 */
-
-  /* BN_is_bit_set(range, n - 1) always holds */
-  if (n == 1) {
-    BN_zero(r);
-    return 1;
-  }
-
-  do {
-    if (!--count) {
-      OPENSSL_PUT_ERROR(BN, BN_R_TOO_MANY_ITERATIONS);
-      return 0;
-    }
-
-    if (!BN_is_bit_set(max_exclusive, n - 2) &&
-        !BN_is_bit_set(max_exclusive, n - 3)) {
-      /* range = 100..._2, so 3*range (= 11..._2) is exactly one bit longer
-       * than range. This is a common scenario when generating a random value
-       * modulo an RSA public modulus, e.g. for RSA base blinding. */
-      if (!BN_rand(r, n + 1, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY)) {
-        return 0;
-      }
-
-      /* If r < 3*range, use r := r MOD range (which is either r, r - range, or
-       * r - 2*range). Otherwise, iterate again. Since 3*range = 11..._2, each
-       * iteration succeeds with probability >= .75. */
-      if (BN_cmp(r, max_exclusive) >= 0) {
-        if (!BN_sub(r, r, max_exclusive)) {
-          return 0;
-        }
-        if (BN_cmp(r, max_exclusive) >= 0) {
-          if (!BN_sub(r, r, max_exclusive)) {
-            return 0;
-          }
-        }
-      }
-    } else {
-      /* range = 11..._2  or  range = 101..._2 */
-      if (!BN_rand(r, n, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY)) {
-        return 0;
-      }
-    }
-  } while (BN_cmp_word(r, min_inclusive) < 0 ||
-           BN_cmp(r, max_exclusive) >= 0);
-
-  return 1;
-}
-
-int BN_rand_range(BIGNUM *r, const BIGNUM *range) {
-  return BN_rand_range_ex(r, 0, range);
-}
-
-int BN_pseudo_rand_range(BIGNUM *r, const BIGNUM *range) {
-  return BN_rand_range(r, range);
-}
-
-int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, const BIGNUM *priv,
-                          const uint8_t *message, size_t message_len,
-                          BN_CTX *ctx) {
-  SHA512_CTX sha;
-  /* We use 512 bits of random data per iteration to
-   * ensure that we have at least |range| bits of randomness. */
-  uint8_t random_bytes[64];
-  uint8_t digest[SHA512_DIGEST_LENGTH];
-  size_t done, todo, attempt;
-  const unsigned num_k_bytes = BN_num_bytes(range);
-  const unsigned bits_to_mask = (8 - (BN_num_bits(range) % 8)) % 8;
-  uint8_t private_bytes[96];
-  uint8_t *k_bytes = NULL;
-  int ret = 0;
-
-  if (out == NULL) {
-    return 0;
-  }
-
-  if (BN_is_zero(range)) {
-    OPENSSL_PUT_ERROR(BN, BN_R_DIV_BY_ZERO);
-    goto err;
-  }
-
-  k_bytes = OPENSSL_malloc(num_k_bytes);
-  if (!k_bytes) {
-    OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE);
-    goto err;
-  }
-
-  /* We copy |priv| into a local buffer to avoid furthur exposing its
-   * length. */
-  todo = sizeof(priv->d[0]) * priv->top;
-  if (todo > sizeof(private_bytes)) {
-    /* No reasonable DSA or ECDSA key should have a private key
-     * this large and we don't handle this case in order to avoid
-     * leaking the length of the private key. */
-    OPENSSL_PUT_ERROR(BN, BN_R_PRIVATE_KEY_TOO_LARGE);
-    goto err;
-  }
-  OPENSSL_memcpy(private_bytes, priv->d, todo);
-  OPENSSL_memset(private_bytes + todo, 0, sizeof(private_bytes) - todo);
-
-  for (attempt = 0;; attempt++) {
-    for (done = 0; done < num_k_bytes;) {
-      if (!RAND_bytes(random_bytes, sizeof(random_bytes))) {
-        goto err;
-      }
-      SHA512_Init(&sha);
-      SHA512_Update(&sha, &attempt, sizeof(attempt));
-      SHA512_Update(&sha, &done, sizeof(done));
-      SHA512_Update(&sha, private_bytes, sizeof(private_bytes));
-      SHA512_Update(&sha, message, message_len);
-      SHA512_Update(&sha, random_bytes, sizeof(random_bytes));
-      SHA512_Final(digest, &sha);
-
-      todo = num_k_bytes - done;
-      if (todo > SHA512_DIGEST_LENGTH) {
-        todo = SHA512_DIGEST_LENGTH;
-      }
-      OPENSSL_memcpy(k_bytes + done, digest, todo);
-      done += todo;
-    }
-
-    k_bytes[0] &= 0xff >> bits_to_mask;
-
-    if (!BN_bin2bn(k_bytes, num_k_bytes, out)) {
-      goto err;
-    }
-    if (BN_cmp(out, range) < 0) {
-      break;
-    }
-  }
-
-  ret = 1;
-
-err:
-  OPENSSL_free(k_bytes);
-  return ret;
-}
@@ -1,506 +0,0 @@
-/* Written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
- * and Bodo Moeller for the OpenSSL project. */
-/* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com). */
-
-#include <openssl/bn.h>
-
-#include <openssl/err.h>
-
-
-BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) {
-  /* Compute a square root of |a| mod |p| using the Tonelli/Shanks algorithm
-   * (cf. Henri Cohen, "A Course in Algebraic Computational Number Theory",
-   * algorithm 1.5.1). |p| is assumed to be a prime. */
-
-  BIGNUM *ret = in;
-  int err = 1;
-  int r;
-  BIGNUM *A, *b, *q, *t, *x, *y;
-  int e, i, j;
-
-  if (!BN_is_odd(p) || BN_abs_is_word(p, 1)) {
-    if (BN_abs_is_word(p, 2)) {
-      if (ret == NULL) {
-        ret = BN_new();
-      }
-      if (ret == NULL) {
-        goto end;
-      }
-      if (!BN_set_word(ret, BN_is_bit_set(a, 0))) {
-        if (ret != in) {
-          BN_free(ret);
-        }
-        return NULL;
-      }
-      return ret;
-    }
-
-    OPENSSL_PUT_ERROR(BN, BN_R_P_IS_NOT_PRIME);
-    return (NULL);
-  }
-
-  if (BN_is_zero(a) || BN_is_one(a)) {
-    if (ret == NULL) {
-      ret = BN_new();
-    }
-    if (ret == NULL) {
-      goto end;
-    }
-    if (!BN_set_word(ret, BN_is_one(a))) {
-      if (ret != in) {
-        BN_free(ret);
-      }
-      return NULL;
-    }
-    return ret;
-  }
-
-  BN_CTX_start(ctx);
-  A = BN_CTX_get(ctx);
-  b = BN_CTX_get(ctx);
-  q = BN_CTX_get(ctx);
-  t = BN_CTX_get(ctx);
-  x = BN_CTX_get(ctx);
-  y = BN_CTX_get(ctx);
-  if (y == NULL) {
-    goto end;
-  }
-
-  if (ret == NULL) {
-    ret = BN_new();
-  }
-  if (ret == NULL) {
-    goto end;
-  }
-
-  /* A = a mod p */
-  if (!BN_nnmod(A, a, p, ctx)) {
-    goto end;
-  }
-
-  /* now write  |p| - 1  as  2^e*q  where  q  is odd */
-  e = 1;
-  while (!BN_is_bit_set(p, e)) {
-    e++;
-  }
-  /* we'll set  q  later (if needed) */
-
-  if (e == 1) {
-    /* The easy case:  (|p|-1)/2  is odd, so 2 has an inverse
-     * modulo  (|p|-1)/2,  and square roots can be computed
-     * directly by modular exponentiation.
-     * We have
-     *     2 * (|p|+1)/4 == 1   (mod (|p|-1)/2),
-     * so we can use exponent  (|p|+1)/4,  i.e.  (|p|-3)/4 + 1.
-     */
-    if (!BN_rshift(q, p, 2)) {
-      goto end;
-    }
-    q->neg = 0;
-    if (!BN_add_word(q, 1) ||
-        !BN_mod_exp(ret, A, q, p, ctx)) {
-      goto end;
-    }
-    err = 0;
-    goto vrfy;
-  }
-
-  if (e == 2) {
-    /* |p| == 5  (mod 8)
-     *
-     * In this case  2  is always a non-square since
-     * Legendre(2,p) = (-1)^((p^2-1)/8)  for any odd prime.
-     * So if  a  really is a square, then  2*a  is a non-square.
-     * Thus for
-     *      b := (2*a)^((|p|-5)/8),
-     *      i := (2*a)*b^2
-     * we have
-     *     i^2 = (2*a)^((1 + (|p|-5)/4)*2)
-     *         = (2*a)^((p-1)/2)
-     *         = -1;
-     * so if we set
-     *      x := a*b*(i-1),
-     * then
-     *     x^2 = a^2 * b^2 * (i^2 - 2*i + 1)
-     *         = a^2 * b^2 * (-2*i)
-     *         = a*(-i)*(2*a*b^2)
-     *         = a*(-i)*i
-     *         = a.
-     *
-     * (This is due to A.O.L. Atkin,
-     * <URL:
-     *http://listserv.nodak.edu/scripts/wa.exe?A2=ind9211&L=nmbrthry&O=T&P=562>,
-     * November 1992.)
-     */
-
-    /* t := 2*a */
-    if (!BN_mod_lshift1_quick(t, A, p)) {
-      goto end;
-    }
-
-    /* b := (2*a)^((|p|-5)/8) */
-    if (!BN_rshift(q, p, 3)) {
-      goto end;
-    }
-    q->neg = 0;
-    if (!BN_mod_exp(b, t, q, p, ctx)) {
-      goto end;
-    }
-
-    /* y := b^2 */
-    if (!BN_mod_sqr(y, b, p, ctx)) {
-      goto end;
-    }
-
-    /* t := (2*a)*b^2 - 1*/
-    if (!BN_mod_mul(t, t, y, p, ctx) ||
-        !BN_sub_word(t, 1)) {
-      goto end;
-    }
-
-    /* x = a*b*t */
-    if (!BN_mod_mul(x, A, b, p, ctx) ||
-        !BN_mod_mul(x, x, t, p, ctx)) {
-      goto end;
-    }
-
-    if (!BN_copy(ret, x)) {
-      goto end;
-    }
-    err = 0;
-    goto vrfy;
-  }
-
-  /* e > 2, so we really have to use the Tonelli/Shanks algorithm.
-   * First, find some  y  that is not a square. */
-  if (!BN_copy(q, p)) {
-    goto end; /* use 'q' as temp */
-  }
-  q->neg = 0;
-  i = 2;
-  do {
-    /* For efficiency, try small numbers first;
-     * if this fails, try random numbers.
-     */
-    if (i < 22) {
-      if (!BN_set_word(y, i)) {
-        goto end;
-      }
-    } else {
-      if (!BN_pseudo_rand(y, BN_num_bits(p), 0, 0)) {
-        goto end;
-      }
-      if (BN_ucmp(y, p) >= 0) {
-        if (!(p->neg ? BN_add : BN_sub)(y, y, p)) {
-          goto end;
-        }
-      }
-      /* now 0 <= y < |p| */
-      if (BN_is_zero(y)) {
-        if (!BN_set_word(y, i)) {
-          goto end;
-        }
-      }
-    }
-
-    r = BN_kronecker(y, q, ctx); /* here 'q' is |p| */
-    if (r < -1) {
-      goto end;
-    }
-    if (r == 0) {
-      /* m divides p */
-      OPENSSL_PUT_ERROR(BN, BN_R_P_IS_NOT_PRIME);
-      goto end;
-    }
-  } while (r == 1 && ++i < 82);
-
-  if (r != -1) {
-    /* Many rounds and still no non-square -- this is more likely
-     * a bug than just bad luck.
-     * Even if  p  is not prime, we should have found some  y
-     * such that r == -1.
-     */
-    OPENSSL_PUT_ERROR(BN, BN_R_TOO_MANY_ITERATIONS);
-    goto end;
-  }
-
-  /* Here's our actual 'q': */
-  if (!BN_rshift(q, q, e)) {
-    goto end;
-  }
-
-  /* Now that we have some non-square, we can find an element
-   * of order  2^e  by computing its q'th power. */
-  if (!BN_mod_exp(y, y, q, p, ctx)) {
-    goto end;
-  }
-  if (BN_is_one(y)) {
-    OPENSSL_PUT_ERROR(BN, BN_R_P_IS_NOT_PRIME);
-    goto end;
-  }
-
-  /* Now we know that (if  p  is indeed prime) there is an integer
-   * k,  0 <= k < 2^e,  such that
-   *
-   *      a^q * y^k == 1   (mod p).
-   *
-   * As  a^q  is a square and  y  is not,  k  must be even.
-   * q+1  is even, too, so there is an element
-   *
-   *     X := a^((q+1)/2) * y^(k/2),
-   *
-   * and it satisfies
-   *
-   *     X^2 = a^q * a     * y^k
-   *         = a,
-   *
-   * so it is the square root that we are looking for.
-   */
-
-  /* t := (q-1)/2  (note that  q  is odd) */
-  if (!BN_rshift1(t, q)) {
-    goto end;
-  }
-
-  /* x := a^((q-1)/2) */
-  if (BN_is_zero(t)) /* special case: p = 2^e + 1 */
-  {
-    if (!BN_nnmod(t, A, p, ctx)) {
-      goto end;
-    }
-    if (BN_is_zero(t)) {
-      /* special case: a == 0  (mod p) */
-      BN_zero(ret);
-      err = 0;
-      goto end;
-    } else if (!BN_one(x)) {
-      goto end;
-    }
-  } else {
-    if (!BN_mod_exp(x, A, t, p, ctx)) {
-      goto end;
-    }
-    if (BN_is_zero(x)) {
-      /* special case: a == 0  (mod p) */
-      BN_zero(ret);
-      err = 0;
-      goto end;
-    }
-  }
-
-  /* b := a*x^2  (= a^q) */
-  if (!BN_mod_sqr(b, x, p, ctx) ||
-      !BN_mod_mul(b, b, A, p, ctx)) {
-    goto end;
-  }
-
-  /* x := a*x    (= a^((q+1)/2)) */
-  if (!BN_mod_mul(x, x, A, p, ctx)) {
-    goto end;
-  }
-
-  while (1) {
-    /* Now  b  is  a^q * y^k  for some even  k  (0 <= k < 2^E
-     * where  E  refers to the original value of  e,  which we
-     * don't keep in a variable),  and  x  is  a^((q+1)/2) * y^(k/2).
-     *
-     * We have  a*b = x^2,
-     *    y^2^(e-1) = -1,
-     *    b^2^(e-1) = 1.
-     */
-
-    if (BN_is_one(b)) {
-      if (!BN_copy(ret, x)) {
-        goto end;
-      }
-      err = 0;
-      goto vrfy;
-    }
-
-
-    /* find smallest  i  such that  b^(2^i) = 1 */
-    i = 1;
-    if (!BN_mod_sqr(t, b, p, ctx)) {
-      goto end;
-    }
-    while (!BN_is_one(t)) {
-      i++;
-      if (i == e) {
-        OPENSSL_PUT_ERROR(BN, BN_R_NOT_A_SQUARE);
-        goto end;
-      }
-      if (!BN_mod_mul(t, t, t, p, ctx)) {
-        goto end;
-      }
-    }
-
-
-    /* t := y^2^(e - i - 1) */
-    if (!BN_copy(t, y)) {
-      goto end;
-    }
-    for (j = e - i - 1; j > 0; j--) {
-      if (!BN_mod_sqr(t, t, p, ctx)) {
-        goto end;
-      }
-    }
-    if (!BN_mod_mul(y, t, t, p, ctx) ||
-        !BN_mod_mul(x, x, t, p, ctx) ||
-        !BN_mod_mul(b, b, y, p, ctx)) {
-      goto end;
-    }
-    e = i;
-  }
-
-vrfy:
-  if (!err) {
-    /* verify the result -- the input might have been not a square
-     * (test added in 0.9.8) */
-
-    if (!BN_mod_sqr(x, ret, p, ctx)) {
-      err = 1;
-    }
-
-    if (!err && 0 != BN_cmp(x, A)) {
-      OPENSSL_PUT_ERROR(BN, BN_R_NOT_A_SQUARE);
-      err = 1;
-    }
-  }
-
-end:
-  if (err) {
-    if (ret != in) {
-      BN_clear_free(ret);
-    }
-    ret = NULL;
-  }
-  BN_CTX_end(ctx);
-  return ret;
-}
-
-int BN_sqrt(BIGNUM *out_sqrt, const BIGNUM *in, BN_CTX *ctx) {
-  BIGNUM *estimate, *tmp, *delta, *last_delta, *tmp2;
-  int ok = 0, last_delta_valid = 0;
-
-  if (in->neg) {
-    OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);
-    return 0;
-  }
-  if (BN_is_zero(in)) {
-    BN_zero(out_sqrt);
-    return 1;
-  }
-
-  BN_CTX_start(ctx);
-  if (out_sqrt == in) {
-    estimate = BN_CTX_get(ctx);
-  } else {
-    estimate = out_sqrt;
-  }
-  tmp = BN_CTX_get(ctx);
-  last_delta = BN_CTX_get(ctx);
-  delta = BN_CTX_get(ctx);
-  if (estimate == NULL || tmp == NULL || last_delta == NULL || delta == NULL) {
-    OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE);
-    goto err;
-  }
-
-  /* We estimate that the square root of an n-bit number is 2^{n/2}. */
-  if (!BN_lshift(estimate, BN_value_one(), BN_num_bits(in)/2)) {
-    goto err;
-  }
-
-  /* This is Newton's method for finding a root of the equation |estimate|^2 -
-   * |in| = 0. */
-  for (;;) {
-    /* |estimate| = 1/2 * (|estimate| + |in|/|estimate|) */
-    if (!BN_div(tmp, NULL, in, estimate, ctx) ||
-        !BN_add(tmp, tmp, estimate) ||
-        !BN_rshift1(estimate, tmp) ||
-        /* |tmp| = |estimate|^2 */
-        !BN_sqr(tmp, estimate, ctx) ||
-        /* |delta| = |in| - |tmp| */
-        !BN_sub(delta, in, tmp)) {
-      OPENSSL_PUT_ERROR(BN, ERR_R_BN_LIB);
-      goto err;
-    }
-
-    delta->neg = 0;
-    /* The difference between |in| and |estimate| squared is required to always
-     * decrease. This ensures that the loop always terminates, but I don't have
-     * a proof that it always finds the square root for a given square. */
-    if (last_delta_valid && BN_cmp(delta, last_delta) >= 0) {
-      break;
-    }
-
-    last_delta_valid = 1;
-
-    tmp2 = last_delta;
-    last_delta = delta;
-    delta = tmp2;
-  }
-
-  if (BN_cmp(tmp, in) != 0) {
-    OPENSSL_PUT_ERROR(BN, BN_R_NOT_A_SQUARE);
-    goto err;
-  }
-
-  ok = 1;
-
-err:
-  if (ok && out_sqrt == in && !BN_copy(out_sqrt, estimate)) {
-    ok = 0;
-  }
-  BN_CTX_end(ctx);
-  return ok;
-}
@@ -0,0 +1,10 @@
+include_directories(../../include)
+
+add_library(
+  bn_extra
+
+  OBJECT
+
+  bn_asn1.c
+  convert.c
+)
@@ -0,0 +1,64 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/bn.h>
+
+#include <openssl/bytestring.h>
+#include <openssl/err.h>
+
+
+int BN_parse_asn1_unsigned(CBS *cbs, BIGNUM *ret) {
+  CBS child;
+  if (!CBS_get_asn1(cbs, &child, CBS_ASN1_INTEGER) ||
+      CBS_len(&child) == 0) {
+    OPENSSL_PUT_ERROR(BN, BN_R_BAD_ENCODING);
+    return 0;
+  }
+
+  if (CBS_data(&child)[0] & 0x80) {
+    OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);
+    return 0;
+  }
+
+  // INTEGERs must be minimal.
+  if (CBS_data(&child)[0] == 0x00 &&
+      CBS_len(&child) > 1 &&
+      !(CBS_data(&child)[1] & 0x80)) {
+    OPENSSL_PUT_ERROR(BN, BN_R_BAD_ENCODING);
+    return 0;
+  }
+
+  return BN_bin2bn(CBS_data(&child), CBS_len(&child), ret) != NULL;
+}
+
+int BN_marshal_asn1(CBB *cbb, const BIGNUM *bn) {
+  // Negative numbers are unsupported.
+  if (BN_is_negative(bn)) {
+    OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);
+    return 0;
+  }
+
+  CBB child;
+  if (!CBB_add_asn1(cbb, &child, CBS_ASN1_INTEGER) ||
+      // The number must be padded with a leading zero if the high bit would
+      // otherwise be set or if |bn| is zero.
+      (BN_num_bits(bn) % 8 == 0 && !CBB_add_u8(&child, 0x00)) ||
+      !BN_bn2cbb_padded(&child, BN_num_bytes(bn), bn) ||
+      !CBB_flush(cbb)) {
+    OPENSSL_PUT_ERROR(BN, BN_R_ENCODE_ERROR);
+    return 0;
+  }
+
+  return 1;
+}
@@ -0,0 +1,465 @@
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.] */
+
+#include <openssl/bn.h>
+
+#include <assert.h>
+#include <ctype.h>
+#include <limits.h>
+#include <stdio.h>
+
+#include <openssl/bio.h>
+#include <openssl/bytestring.h>
+#include <openssl/err.h>
+#include <openssl/mem.h>
+
+#include "../fipsmodule/bn/internal.h"
+
+
+int BN_bn2cbb_padded(CBB *out, size_t len, const BIGNUM *in) {
+  uint8_t *ptr;
+  return CBB_add_space(out, &ptr, len) && BN_bn2bin_padded(ptr, len, in);
+}
+
+static const char hextable[] = "0123456789abcdef";
+
+char *BN_bn2hex(const BIGNUM *bn) {
+  char *buf = OPENSSL_malloc(1 /* leading '-' */ + 1 /* zero is non-empty */ +
+                             bn->top * BN_BYTES * 2 + 1 /* trailing NUL */);
+  if (buf == NULL) {
+    OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE);
+    return NULL;
+  }
+
+  char *p = buf;
+  if (bn->neg) {
+    *(p++) = '-';
+  }
+
+  if (BN_is_zero(bn)) {
+    *(p++) = '0';
+  }
+
+  int z = 0;
+  for (int i = bn->top - 1; i >= 0; i--) {
+    for (int j = BN_BITS2 - 8; j >= 0; j -= 8) {
+      // strip leading zeros
+      int v = ((int)(bn->d[i] >> (long)j)) & 0xff;
+      if (z || v != 0) {
+        *(p++) = hextable[v >> 4];
+        *(p++) = hextable[v & 0x0f];
+        z = 1;
+      }
+    }
+  }
+  *p = '\0';
+
+  return buf;
+}
+
+// decode_hex decodes |in_len| bytes of hex data from |in| and updates |bn|.
+static int decode_hex(BIGNUM *bn, const char *in, int in_len) {
+  if (in_len > INT_MAX/4) {
+    OPENSSL_PUT_ERROR(BN, BN_R_BIGNUM_TOO_LONG);
+    return 0;
+  }
+  // |in_len| is the number of hex digits.
+  if (!bn_expand(bn, in_len * 4)) {
+    return 0;
+  }
+
+  int i = 0;
+  while (in_len > 0) {
+    // Decode one |BN_ULONG| at a time.
+    int todo = BN_BYTES * 2;
+    if (todo > in_len) {
+      todo = in_len;
+    }
+
+    BN_ULONG word = 0;
+    int j;
+    for (j = todo; j > 0; j--) {
+      char c = in[in_len - j];
+
+      BN_ULONG hex;
+      if (c >= '0' && c <= '9') {
+        hex = c - '0';
+      } else if (c >= 'a' && c <= 'f') {
+        hex = c - 'a' + 10;
+      } else if (c >= 'A' && c <= 'F') {
+        hex = c - 'A' + 10;
+      } else {
+        hex = 0;
+        // This shouldn't happen. The caller checks |isxdigit|.
+        assert(0);
+      }
+      word = (word << 4) | hex;
+    }
+
+    bn->d[i++] = word;
+    in_len -= todo;
+  }
+  assert(i <= bn->dmax);
+  bn->top = i;
+  return 1;
+}
+
+// decode_dec decodes |in_len| bytes of decimal data from |in| and updates |bn|.
+static int decode_dec(BIGNUM *bn, const char *in, int in_len) {
+  int i, j;
+  BN_ULONG l = 0;
+
+  // Decode |BN_DEC_NUM| digits at a time.
+  j = BN_DEC_NUM - (in_len % BN_DEC_NUM);
+  if (j == BN_DEC_NUM) {
+    j = 0;
+  }
+  l = 0;
+  for (i = 0; i < in_len; i++) {
+    l *= 10;
+    l += in[i] - '0';
+    if (++j == BN_DEC_NUM) {
+      if (!BN_mul_word(bn, BN_DEC_CONV) ||
+          !BN_add_word(bn, l)) {
+        return 0;
+      }
+      l = 0;
+      j = 0;
+    }
+  }
+  return 1;
+}
+
+typedef int (*decode_func) (BIGNUM *bn, const char *in, int in_len);
+typedef int (*char_test_func) (int c);
+
+static int bn_x2bn(BIGNUM **outp, const char *in, decode_func decode, char_test_func want_char) {
+  BIGNUM *ret = NULL;
+  int neg = 0, i;
+  int num;
+
+  if (in == NULL || *in == 0) {
+    return 0;
+  }
+
+  if (*in == '-') {
+    neg = 1;
+    in++;
+  }
+
+  for (i = 0; want_char((unsigned char)in[i]) && i + neg < INT_MAX; i++) {}
+
+  num = i + neg;
+  if (outp == NULL) {
+    return num;
+  }
+
+  // in is the start of the hex digits, and it is 'i' long
+  if (*outp == NULL) {
+    ret = BN_new();
+    if (ret == NULL) {
+      return 0;
+    }
+  } else {
+    ret = *outp;
+    BN_zero(ret);
+  }
+
+  if (!decode(ret, in, i)) {
+    goto err;
+  }
+
+  bn_correct_top(ret);
+  if (!BN_is_zero(ret)) {
+    ret->neg = neg;
+  }
+
+  *outp = ret;
+  return num;
+
+err:
+  if (*outp == NULL) {
+    BN_free(ret);
+  }
+
+  return 0;
+}
+
+int BN_hex2bn(BIGNUM **outp, const char *in) {
+  return bn_x2bn(outp, in, decode_hex, isxdigit);
+}
+
+char *BN_bn2dec(const BIGNUM *a) {
+  // It is easier to print strings little-endian, so we assemble it in reverse
+  // and fix at the end.
+  BIGNUM *copy = NULL;
+  CBB cbb;
+  if (!CBB_init(&cbb, 16) ||
+      !CBB_add_u8(&cbb, 0 /* trailing NUL */)) {
+    goto cbb_err;
+  }
+
+  if (BN_is_zero(a)) {
+    if (!CBB_add_u8(&cbb, '0')) {
+      goto cbb_err;
+    }
+  } else {
+    copy = BN_dup(a);
+    if (copy == NULL) {
+      goto err;
+    }
+
+    while (!BN_is_zero(copy)) {
+      BN_ULONG word = BN_div_word(copy, BN_DEC_CONV);
+      if (word == (BN_ULONG)-1) {
+        goto err;
+      }
+
+      const int add_leading_zeros = !BN_is_zero(copy);
+      for (int i = 0; i < BN_DEC_NUM && (add_leading_zeros || word != 0); i++) {
+        if (!CBB_add_u8(&cbb, '0' + word % 10)) {
+          goto cbb_err;
+        }
+        word /= 10;
+      }
+      assert(word == 0);
+    }
+  }
+
+  if (BN_is_negative(a) &&
+      !CBB_add_u8(&cbb, '-')) {
+    goto cbb_err;
+  }
+
+  uint8_t *data;
+  size_t len;
+  if (!CBB_finish(&cbb, &data, &len)) {
+    goto cbb_err;
+  }
+
+  // Reverse the buffer.
+  for (size_t i = 0; i < len/2; i++) {
+    uint8_t tmp = data[i];
+    data[i] = data[len - 1 - i];
+    data[len - 1 - i] = tmp;
+  }
+
+  BN_free(copy);
+  return (char *)data;
+
+cbb_err:
+  OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE);
+err:
+  BN_free(copy);
+  CBB_cleanup(&cbb);
+  return NULL;
+}
+
+int BN_dec2bn(BIGNUM **outp, const char *in) {
+  return bn_x2bn(outp, in, decode_dec, isdigit);
+}
+
+int BN_asc2bn(BIGNUM **outp, const char *in) {
+  const char *const orig_in = in;
+  if (*in == '-') {
+    in++;
+  }
+
+  if (in[0] == '0' && (in[1] == 'X' || in[1] == 'x')) {
+    if (!BN_hex2bn(outp, in+2)) {
+      return 0;
+    }
+  } else {
+    if (!BN_dec2bn(outp, in)) {
+      return 0;
+    }
+  }
+
+  if (*orig_in == '-' && !BN_is_zero(*outp)) {
+    (*outp)->neg = 1;
+  }
+
+  return 1;
+}
+
+int BN_print(BIO *bp, const BIGNUM *a) {
+  int i, j, v, z = 0;
+  int ret = 0;
+
+  if (a->neg && BIO_write(bp, "-", 1) != 1) {
+    goto end;
+  }
+
+  if (BN_is_zero(a) && BIO_write(bp, "0", 1) != 1) {
+    goto end;
+  }
+
+  for (i = a->top - 1; i >= 0; i--) {
+    for (j = BN_BITS2 - 4; j >= 0; j -= 4) {
+      // strip leading zeros
+      v = ((int)(a->d[i] >> (long)j)) & 0x0f;
+      if (z || v != 0) {
+        if (BIO_write(bp, &hextable[v], 1) != 1) {
+          goto end;
+        }
+        z = 1;
+      }
+    }
+  }
+  ret = 1;
+
+end:
+  return ret;
+}
+
+int BN_print_fp(FILE *fp, const BIGNUM *a) {
+  BIO *b;
+  int ret;
+
+  b = BIO_new(BIO_s_file());
+  if (b == NULL) {
+    return 0;
+  }
+  BIO_set_fp(b, fp, BIO_NOCLOSE);
+  ret = BN_print(b, a);
+  BIO_free(b);
+
+  return ret;
+}
+
+
+size_t BN_bn2mpi(const BIGNUM *in, uint8_t *out) {
+  const size_t bits = BN_num_bits(in);
+  const size_t bytes = (bits + 7) / 8;
+  // If the number of bits is a multiple of 8, i.e. if the MSB is set,
+  // prefix with a zero byte.
+  int extend = 0;
+  if (bytes != 0 && (bits & 0x07) == 0) {
+    extend = 1;
+  }
+
+  const size_t len = bytes + extend;
+  if (len < bytes ||
+      4 + len < len ||
+      (len & 0xffffffff) != len) {
+    // If we cannot represent the number then we emit zero as the interface
+    // doesn't allow an error to be signalled.
+    if (out) {
+      OPENSSL_memset(out, 0, 4);
+    }
+    return 4;
+  }
+
+  if (out == NULL) {
+    return 4 + len;
+  }
+
+  out[0] = len >> 24;
+  out[1] = len >> 16;
+  out[2] = len >> 8;
+  out[3] = len;
+  if (extend) {
+    out[4] = 0;
+  }
+  BN_bn2bin(in, out + 4 + extend);
+  if (in->neg && len > 0) {
+    out[4] |= 0x80;
+  }
+  return len + 4;
+}
+
+BIGNUM *BN_mpi2bn(const uint8_t *in, size_t len, BIGNUM *out) {
+  if (len < 4) {
+    OPENSSL_PUT_ERROR(BN, BN_R_BAD_ENCODING);
+    return NULL;
+  }
+  const size_t in_len = ((size_t)in[0] << 24) |
+                        ((size_t)in[1] << 16) |
+                        ((size_t)in[2] << 8) |
+                        ((size_t)in[3]);
+  if (in_len != len - 4) {
+    OPENSSL_PUT_ERROR(BN, BN_R_BAD_ENCODING);
+    return NULL;
+  }
+
+  int out_is_alloced = 0;
+  if (out == NULL) {
+    out = BN_new();
+    if (out == NULL) {
+      OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE);
+      return NULL;
+    }
+    out_is_alloced = 1;
+  }
+
+  if (in_len == 0) {
+    BN_zero(out);
+    return out;
+  }
+
+  in += 4;
+  if (BN_bin2bn(in, in_len, out) == NULL) {
+    if (out_is_alloced) {
+      BN_free(out);
+    }
+    return NULL;
+  }
+  out->neg = ((*in) & 0x80) != 0;
+  if (out->neg) {
+    BN_clear_bit(out, BN_num_bits(out) - 1);
+  }
+  return out;
+}
@@ -82,44 +82,30 @@ void BUF_MEM_free(BUF_MEM *buf) {
    return;
  }

-  if (buf->data != NULL) {
-    OPENSSL_cleanse(buf->data, buf->max);
-    OPENSSL_free(buf->data);
-  }
-
+  OPENSSL_free(buf->data);
  OPENSSL_free(buf);
 }

-static int buf_mem_reserve(BUF_MEM *buf, size_t cap, int clean) {
+int BUF_MEM_reserve(BUF_MEM *buf, size_t cap) {
  if (buf->max >= cap) {
    return 1;
  }

  size_t n = cap + 3;
  if (n < cap) {
-    /* overflow */
+    // overflow
    OPENSSL_PUT_ERROR(BUF, ERR_R_MALLOC_FAILURE);
    return 0;
  }
  n = n / 3;
  size_t alloc_size = n * 4;
  if (alloc_size / 4 != n) {
-    /* overflow */
+    // overflow
    OPENSSL_PUT_ERROR(BUF, ERR_R_MALLOC_FAILURE);
    return 0;
  }

-  char *new_buf;
-  if (buf->data == NULL) {
-    new_buf = OPENSSL_malloc(alloc_size);
-  } else {
-    if (clean) {
-      new_buf = OPENSSL_realloc_clean(buf->data, buf->max, alloc_size);
-    } else {
-      new_buf = OPENSSL_realloc(buf->data, alloc_size);
-    }
-  }
-
+  char *new_buf = OPENSSL_realloc(buf->data, alloc_size);
  if (new_buf == NULL) {
    OPENSSL_PUT_ERROR(BUF, ERR_R_MALLOC_FAILURE);
    return 0;
@@ -130,12 +116,8 @@ static int buf_mem_reserve(BUF_MEM *buf, size_t cap, int clean) {
  return 1;
 }

-int BUF_MEM_reserve(BUF_MEM *buf, size_t cap) {
-  return buf_mem_reserve(buf, cap, 0 /* don't clear old buffer contents. */);
-}
-
-static size_t buf_mem_grow(BUF_MEM *buf, size_t len, int clean) {
-  if (!buf_mem_reserve(buf, len, clean)) {
+size_t BUF_MEM_grow(BUF_MEM *buf, size_t len) {
+  if (!BUF_MEM_reserve(buf, len)) {
    return 0;
  }
  if (buf->length < len) {
@@ -145,20 +127,30 @@ static size_t buf_mem_grow(BUF_MEM *buf, size_t len, int clean) {
  return len;
 }

-size_t BUF_MEM_grow(BUF_MEM *buf, size_t len) {
-  return buf_mem_grow(buf, len, 0 /* don't clear old buffer contents. */);
-}
-
 size_t BUF_MEM_grow_clean(BUF_MEM *buf, size_t len) {
-  return buf_mem_grow(buf, len, 1 /* clear old buffer contents. */);
+  return BUF_MEM_grow(buf, len);
 }

-char *BUF_strdup(const char *buf) {
-  if (buf == NULL) {
+int BUF_MEM_append(BUF_MEM *buf, const void *in, size_t len) {
+  size_t new_len = buf->length + len;
+  if (new_len < len) {
+    OPENSSL_PUT_ERROR(BUF, ERR_R_OVERFLOW);
+    return 0;
+  }
+  if (!BUF_MEM_reserve(buf, new_len)) {
+    return 0;
+  }
+  OPENSSL_memcpy(buf->data + buf->length, in, len);
+  buf->length = new_len;
+  return 1;
+}
+
+char *BUF_strdup(const char *str) {
+  if (str == NULL) {
    return NULL;
  }

-  return BUF_strndup(buf, strlen(buf));
+  return BUF_strndup(str, strlen(str));
 }

 size_t BUF_strnlen(const char *str, size_t max_len) {
@@ -173,19 +165,19 @@ size_t BUF_strnlen(const char *str, size_t max_len) {
  return i;
 }

-char *BUF_strndup(const char *buf, size_t size) {
+char *BUF_strndup(const char *str, size_t size) {
  char *ret;
  size_t alloc_size;

-  if (buf == NULL) {
+  if (str == NULL) {
    return NULL;
  }

-  size = BUF_strnlen(buf, size);
+  size = BUF_strnlen(str, size);

  alloc_size = size + 1;
  if (alloc_size < size) {
-    /* overflow */
+    // overflow
    OPENSSL_PUT_ERROR(BUF, ERR_R_MALLOC_FAILURE);
    return NULL;
  }
@@ -195,7 +187,7 @@ char *BUF_strndup(const char *buf, size_t size) {
    return NULL;
  }

-  OPENSSL_memcpy(ret, buf, size);
+  OPENSSL_memcpy(ret, str, size);
  ret[size] = '\0';
  return ret;
 }
@@ -223,19 +215,17 @@ size_t BUF_strlcat(char *dst, const char *src, size_t dst_size) {
  return l + BUF_strlcpy(dst, src, dst_size);
 }

-void *BUF_memdup(const void *data, size_t dst_size) {
-  void *ret;
-
-  if (dst_size == 0) {
+void *BUF_memdup(const void *data, size_t size) {
+  if (size == 0) {
    return NULL;
  }

-  ret = OPENSSL_malloc(dst_size);
+  void *ret = OPENSSL_malloc(size);
  if (ret == NULL) {
    OPENSSL_PUT_ERROR(BUF, ERR_R_MALLOC_FAILURE);
    return NULL;
  }

-  OPENSSL_memcpy(ret, data, dst_size);
+  OPENSSL_memcpy(ret, data, size);
  return ret;
 }
@@ -0,0 +1,97 @@
+/* Copyright (c) 2017, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/buf.h>
+
+#include <string.h>
+
+#include <string>
+
+#include <gtest/gtest.h>
+
+
+TEST(BufTest, Basic) {
+  bssl::UniquePtr<BUF_MEM> buf(BUF_MEM_new());
+  ASSERT_TRUE(buf);
+  EXPECT_EQ(0u, buf->length);
+
+  // Use BUF_MEM_reserve to increase buf->max.
+  ASSERT_TRUE(BUF_MEM_reserve(buf.get(), 200));
+  EXPECT_GE(buf->max, 200u);
+  EXPECT_EQ(0u, buf->length);
+
+  // BUF_MEM_reserve with a smaller cap is a no-op.
+  size_t old_max = buf->max;
+  ASSERT_TRUE(BUF_MEM_reserve(buf.get(), 100));
+  EXPECT_EQ(old_max, buf->max);
+  EXPECT_EQ(0u, buf->length);
+
+  // BUF_MEM_grow can increase the length without reallocating.
+  ASSERT_EQ(100u, BUF_MEM_grow(buf.get(), 100));
+  EXPECT_EQ(100u, buf->length);
+  EXPECT_EQ(old_max, buf->max);
+  memset(buf->data, 'A', buf->length);
+
+  // If BUF_MEM_reserve reallocates, it preserves the contents.
+  ASSERT_TRUE(BUF_MEM_reserve(buf.get(), old_max + 1));
+  ASSERT_GE(buf->max, old_max + 1);
+  EXPECT_EQ(100u, buf->length);
+  for (size_t i = 0; i < 100; i++) {
+    EXPECT_EQ('A', buf->data[i]);
+  }
+
+  // BUF_MEM_grow should zero everything beyond buf->length.
+  memset(buf->data, 'B', buf->max);
+  ASSERT_EQ(150u, BUF_MEM_grow(buf.get(), 150));
+  EXPECT_EQ(150u, buf->length);
+  for (size_t i = 0; i < 100; i++) {
+    EXPECT_EQ('B', buf->data[i]);
+  }
+  for (size_t i = 100; i < 150; i++) {
+    EXPECT_EQ(0, buf->data[i]);
+  }
+
+  // BUF_MEM_grow can rellocate if necessary.
+  size_t new_len = buf->max + 1;
+  ASSERT_EQ(new_len, BUF_MEM_grow(buf.get(), new_len));
+  EXPECT_GE(buf->max, new_len);
+  EXPECT_EQ(new_len, buf->length);
+  for (size_t i = 0; i < 100; i++) {
+    EXPECT_EQ('B', buf->data[i]);
+  }
+  for (size_t i = 100; i < new_len; i++) {
+    EXPECT_EQ(0, buf->data[i]);
+  }
+
+  // BUF_MEM_grow can shink.
+  ASSERT_EQ(50u, BUF_MEM_grow(buf.get(), 50));
+  EXPECT_EQ(50u, buf->length);
+  for (size_t i = 0; i < 50; i++) {
+    EXPECT_EQ('B', buf->data[i]);
+  }
+}
+
+TEST(BufTest, Append) {
+  bssl::UniquePtr<BUF_MEM> buf(BUF_MEM_new());
+  ASSERT_TRUE(buf);
+
+  ASSERT_TRUE(BUF_MEM_append(buf.get(), nullptr, 0));
+  ASSERT_TRUE(BUF_MEM_append(buf.get(), "hello ", 6));
+  ASSERT_TRUE(BUF_MEM_append(buf.get(), nullptr, 0));
+  ASSERT_TRUE(BUF_MEM_append(buf.get(), "world", 5));
+  std::string str(128, 'A');
+  ASSERT_TRUE(BUF_MEM_append(buf.get(), str.data(), str.size()));
+
+  EXPECT_EQ("hello world" + str, std::string(buf->data, buf->length));
+}
@@ -10,14 +10,3 @@ add_library(
  cbs.c
  cbb.c
 )
-
-add_executable(
-  bytestring_test
-
-  bytestring_test.cc
-
-  $<TARGET_OBJECTS:test_support>
-)
-
-target_link_libraries(bytestring_test crypto)
-add_dependencies(all_tests bytestring_test)
@@ -21,13 +21,13 @@
 #include "../internal.h"


-/* kMaxDepth is a just a sanity limit. The code should be such that the length
- * of the input being processes always decreases. None the less, a very large
- * input could otherwise cause the stack to overflow. */
+// kMaxDepth is a just a sanity limit. The code should be such that the length
+// of the input being processes always decreases. None the less, a very large
+// input could otherwise cause the stack to overflow.
 static const unsigned kMaxDepth = 2048;

-/* is_string_type returns one if |tag| is a string type and zero otherwise. It
- * ignores the constructed bit. */
+// is_string_type returns one if |tag| is a string type and zero otherwise. It
+// ignores the constructed bit.
 static int is_string_type(unsigned tag) {
  if ((tag & 0xc0) != 0) {
    return 0;
@@ -38,7 +38,7 @@ static int is_string_type(unsigned tag) {
    case CBS_ASN1_UTF8STRING:
    case CBS_ASN1_NUMERICSTRING:
    case CBS_ASN1_PRINTABLESTRING:
-    case CBS_ASN1_T16STRING:
+    case CBS_ASN1_T61STRING:
    case CBS_ASN1_VIDEOTEXSTRING:
    case CBS_ASN1_IA5STRING:
    case CBS_ASN1_GRAPHICSTRING:
@@ -52,10 +52,10 @@ static int is_string_type(unsigned tag) {
  }
 }

-/* cbs_find_ber walks an ASN.1 structure in |orig_in| and sets |*ber_found|
- * depending on whether an indefinite length element or constructed string was
- * found. The value of |orig_in| is not changed. It returns one on success (i.e.
- * |*ber_found| was set) and zero on error. */
+// cbs_find_ber walks an ASN.1 structure in |orig_in| and sets |*ber_found|
+// depending on whether an indefinite length element or constructed string was
+// found. The value of |orig_in| is not changed. It returns one on success (i.e.
+// |*ber_found| was set) and zero on error.
 static int cbs_find_ber(const CBS *orig_in, char *ber_found, unsigned depth) {
  CBS in;

@@ -77,13 +77,13 @@ static int cbs_find_ber(const CBS *orig_in, char *ber_found, unsigned depth) {
    if (CBS_len(&contents) == header_len &&
        header_len > 0 &&
        CBS_data(&contents)[header_len-1] == 0x80) {
-      /* Found an indefinite-length element. */
+      // Found an indefinite-length element.
      *ber_found = 1;
      return 1;
    }
    if (tag & CBS_ASN1_CONSTRUCTED) {
      if (is_string_type(tag)) {
-        /* Constructed strings are only legal in BER and require conversion. */
+        // Constructed strings are only legal in BER and require conversion.
        *ber_found = 1;
        return 1;
      }
@@ -97,20 +97,20 @@ static int cbs_find_ber(const CBS *orig_in, char *ber_found, unsigned depth) {
  return 1;
 }

-/* is_eoc returns true if |header_len| and |contents|, as returned by
- * |CBS_get_any_ber_asn1_element|, indicate an "end of contents" (EOC) value. */
+// is_eoc returns true if |header_len| and |contents|, as returned by
+// |CBS_get_any_ber_asn1_element|, indicate an "end of contents" (EOC) value.
 static char is_eoc(size_t header_len, CBS *contents) {
  return header_len == 2 && CBS_len(contents) == 2 &&
         OPENSSL_memcmp(CBS_data(contents), "\x00\x00", 2) == 0;
 }

-/* cbs_convert_ber reads BER data from |in| and writes DER data to |out|. If
- * |string_tag| is non-zero, then all elements must match |string_tag| up to the
- * constructed bit and primitive element bodies are written to |out| without
- * element headers. This is used when concatenating the fragments of a
- * constructed string. If |looking_for_eoc| is set then any EOC elements found
- * will cause the function to return after consuming it. It returns one on
- * success and zero on error. */
+// cbs_convert_ber reads BER data from |in| and writes DER data to |out|. If
+// |string_tag| is non-zero, then all elements must match |string_tag| up to the
+// constructed bit and primitive element bodies are written to |out| without
+// element headers. This is used when concatenating the fragments of a
+// constructed string. If |looking_for_eoc| is set then any EOC elements found
+// will cause the function to return after consuming it. It returns one on
+// success and zero on error.
 static int cbs_convert_ber(CBS *in, CBB *out, unsigned string_tag,
                           char looking_for_eoc, unsigned depth) {
  assert(!(string_tag & CBS_ASN1_CONSTRUCTED));
@@ -134,9 +134,9 @@ static int cbs_convert_ber(CBS *in, CBB *out, unsigned string_tag,
    }

    if (string_tag != 0) {
-      /* This is part of a constructed string. All elements must match
-       * |string_tag| up to the constructed bit and get appended to |out|
-       * without a child element. */
+      // This is part of a constructed string. All elements must match
+      // |string_tag| up to the constructed bit and get appended to |out|
+      // without a child element.
      if ((tag & ~CBS_ASN1_CONSTRUCTED) != string_tag) {
        return 0;
      }
@@ -144,8 +144,8 @@ static int cbs_convert_ber(CBS *in, CBB *out, unsigned string_tag,
    } else {
      unsigned out_tag = tag;
      if ((tag & CBS_ASN1_CONSTRUCTED) && is_string_type(tag)) {
-        /* If a constructed string, clear the constructed bit and inform
-         * children to concatenate bodies. */
+        // If a constructed string, clear the constructed bit and inform
+        // children to concatenate bodies.
        out_tag &= ~CBS_ASN1_CONSTRUCTED;
        child_string_tag = out_tag;
      }
@@ -157,7 +157,7 @@ static int cbs_convert_ber(CBS *in, CBB *out, unsigned string_tag,

    if (CBS_len(&contents) == header_len && header_len > 0 &&
        CBS_data(&contents)[header_len - 1] == 0x80) {
-      /* This is an indefinite length element. */
+      // This is an indefinite length element.
      if (!cbs_convert_ber(in, out_contents, child_string_tag,
                           1 /* looking for eoc */, depth + 1) ||
          !CBB_flush(out)) {
@@ -171,13 +171,13 @@ static int cbs_convert_ber(CBS *in, CBB *out, unsigned string_tag,
    }

    if (tag & CBS_ASN1_CONSTRUCTED) {
-      /* Recurse into children. */
+      // Recurse into children.
      if (!cbs_convert_ber(&contents, out_contents, child_string_tag,
                           0 /* not looking for eoc */, depth + 1)) {
        return 0;
      }
    } else {
-      /* Copy primitive contents as-is. */
+      // Copy primitive contents as-is.
      if (!CBB_add_bytes(out_contents, CBS_data(&contents),
                         CBS_len(&contents))) {
        return 0;
@@ -195,8 +195,8 @@ static int cbs_convert_ber(CBS *in, CBB *out, unsigned string_tag,
 int CBS_asn1_ber_to_der(CBS *in, uint8_t **out, size_t *out_len) {
  CBB cbb;

-  /* First, do a quick walk to find any indefinite-length elements. Most of the
-   * time we hope that there aren't any and thus we can quickly return. */
+  // First, do a quick walk to find any indefinite-length elements. Most of the
+  // time we hope that there aren't any and thus we can quickly return.
  char conversion_needed;
  if (!cbs_find_ber(in, &conversion_needed, 0)) {
    return 0;
@@ -225,14 +225,14 @@ int CBS_get_asn1_implicit_string(CBS *in, CBS *out, uint8_t **out_storage,
  assert(is_string_type(inner_tag));

  if (CBS_peek_asn1_tag(in, outer_tag)) {
-    /* Normal implicitly-tagged string. */
+    // Normal implicitly-tagged string.
    *out_storage = NULL;
    return CBS_get_asn1(in, out, outer_tag);
  }

-  /* Otherwise, try to parse an implicitly-tagged constructed string.
-   * |CBS_asn1_ber_to_der| is assumed to have run, so only allow one level deep
-   * of nesting. */
+  // Otherwise, try to parse an implicitly-tagged constructed string.
+  // |CBS_asn1_ber_to_der| is assumed to have run, so only allow one level deep
+  // of nesting.
  CBB result;
  CBS child;
  if (!CBB_init(&result, CBS_len(in)) ||
@@ -15,6 +15,7 @@
 #include <openssl/bytestring.h>

 #include <assert.h>
+#include <limits.h>
 #include <string.h>

 #include <openssl/mem.h>
@@ -27,7 +28,7 @@ void CBB_zero(CBB *cbb) {
 }

 static int cbb_init(CBB *cbb, uint8_t *buf, size_t cap) {
-  /* This assumes that |cbb| has already been zeroed. */
+  // This assumes that |cbb| has already been zeroed.
  struct cbb_buffer_st *base;

  base = OPENSSL_malloc(sizeof(struct cbb_buffer_st));
@@ -75,8 +76,8 @@ int CBB_init_fixed(CBB *cbb, uint8_t *buf, size_t len) {

 void CBB_cleanup(CBB *cbb) {
  if (cbb->base) {
-    /* Only top-level |CBB|s are cleaned up. Child |CBB|s are non-owning. They
-     * are implicitly discarded when the parent is flushed or cleaned up. */
+    // Only top-level |CBB|s are cleaned up. Child |CBB|s are non-owning. They
+    // are implicitly discarded when the parent is flushed or cleaned up.
    assert(cbb->is_top_level);

    if (cbb->base->can_resize) {
@@ -97,7 +98,7 @@ static int cbb_buffer_reserve(struct cbb_buffer_st *base, uint8_t **out,

  newlen = base->len + len;
  if (newlen < base->len) {
-    /* Overflow */
+    // Overflow
    goto err;
  }

@@ -137,7 +138,7 @@ static int cbb_buffer_add(struct cbb_buffer_st *base, uint8_t **out,
  if (!cbb_buffer_reserve(base, out, len)) {
    return 0;
  }
-  /* This will not overflow or |cbb_buffer_reserve| would have failed. */
+  // This will not overflow or |cbb_buffer_reserve| would have failed.
  base->len += len;
  return 1;
 }
@@ -176,7 +177,7 @@ int CBB_finish(CBB *cbb, uint8_t **out_data, size_t *out_len) {
  }

  if (cbb->base->can_resize && (out_data == NULL || out_len == NULL)) {
-    /* |out_data| and |out_len| can only be NULL if the CBB is fixed. */
+    // |out_data| and |out_len| can only be NULL if the CBB is fixed.
    return 0;
  }

@@ -191,15 +192,15 @@ int CBB_finish(CBB *cbb, uint8_t **out_data, size_t *out_len) {
  return 1;
 }

-/* CBB_flush recurses and then writes out any pending length prefix. The
- * current length of the underlying base is taken to be the length of the
- * length-prefixed data. */
+// CBB_flush recurses and then writes out any pending length prefix. The
+// current length of the underlying base is taken to be the length of the
+// length-prefixed data.
 int CBB_flush(CBB *cbb) {
  size_t child_start, i, len;

-  /* If |cbb->base| has hit an error, the buffer is in an undefined state, so
-   * fail all following calls. In particular, |cbb->child| may point to invalid
-   * memory. */
+  // If |cbb->base| has hit an error, the buffer is in an undefined state, so
+  // fail all following calls. In particular, |cbb->child| may point to invalid
+  // memory.
  if (cbb->base == NULL || cbb->base->error) {
    return 0;
  }
@@ -219,16 +220,16 @@ int CBB_flush(CBB *cbb) {
  len = cbb->base->len - child_start;

  if (cbb->child->pending_is_asn1) {
-    /* For ASN.1 we assume that we'll only need a single byte for the length.
-     * If that turned out to be incorrect, we have to move the contents along
-     * in order to make space. */
+    // For ASN.1 we assume that we'll only need a single byte for the length.
+    // If that turned out to be incorrect, we have to move the contents along
+    // in order to make space.
    uint8_t len_len;
    uint8_t initial_length_byte;

    assert (cbb->child->pending_len_len == 1);

    if (len > 0xfffffffe) {
-      /* Too large. */
+      // Too large.
      goto err;
    } else if (len > 0xffffff) {
      len_len = 5;
@@ -249,7 +250,7 @@ int CBB_flush(CBB *cbb) {
    }

    if (len_len != 1) {
-      /* We need to move the contents along in order to make space. */
+      // We need to move the contents along in order to make space.
      size_t extra_bytes = len_len - 1;
      if (!cbb_buffer_add(cbb->base, NULL, extra_bytes)) {
        goto err;
@@ -328,17 +329,43 @@ int CBB_add_u24_length_prefixed(CBB *cbb, CBB *out_contents) {
  return cbb_add_length_prefixed(cbb, out_contents, 3);
 }

+// add_base128_integer encodes |v| as a big-endian base-128 integer where the
+// high bit of each byte indicates where there is more data. This is the
+// encoding used in DER for both high tag number form and OID components.
+static int add_base128_integer(CBB *cbb, uint32_t v) {
+  unsigned len_len = 0;
+  unsigned copy = v;
+  while (copy > 0) {
+    len_len++;
+    copy >>= 7;
+  }
+  if (len_len == 0) {
+    len_len = 1;  // Zero is encoded with one byte.
+  }
+  for (unsigned i = len_len - 1; i < len_len; i--) {
+    uint8_t byte = (v >> (7 * i)) & 0x7f;
+    if (i != 0) {
+      // The high bit denotes whether there is more data.
+      byte |= 0x80;
+    }
+    if (!CBB_add_u8(cbb, byte)) {
+      return 0;
+    }
+  }
+  return 1;
+}
+
 int CBB_add_asn1(CBB *cbb, CBB *out_contents, unsigned tag) {
  if (tag > 0xff ||
      (tag & 0x1f) == 0x1f) {
-    /* Long form identifier octets are not supported. Further, all current valid
-     * tag serializations are 8 bits. */
+    // Long form identifier octets are not supported. Further, all current valid
+    // tag serializations are 8 bits.
    cbb->base->error = 1;
    return 0;
  }

  if (!CBB_flush(cbb) ||
-      /* |tag|'s representation matches the DER encoding. */
+      // |tag|'s representation matches the DER encoding.
      !CBB_add_u8(cbb, (uint8_t)tag)) {
    return 0;
  }
@@ -451,11 +478,11 @@ int CBB_add_asn1_uint64(CBB *cbb, uint64_t value) {
    uint8_t byte = (value >> 8*(7-i)) & 0xff;
    if (!started) {
      if (byte == 0) {
-        /* Don't encode leading zeros. */
+        // Don't encode leading zeros.
        continue;
      }
-      /* If the high bit is set, add a padding byte to make it
-       * unsigned. */
+      // If the high bit is set, add a padding byte to make it
+      // unsigned.
      if ((byte & 0x80) && !CBB_add_u8(&child, 0)) {
        return 0;
      }
@@ -466,10 +493,76 @@ int CBB_add_asn1_uint64(CBB *cbb, uint64_t value) {
    }
  }

-  /* 0 is encoded as a single 0, not the empty string. */
+  // 0 is encoded as a single 0, not the empty string.
  if (!started && !CBB_add_u8(&child, 0)) {
    return 0;
  }

  return CBB_flush(cbb);
 }
+
+// parse_dotted_decimal parses one decimal component from |cbs|, where |cbs| is
+// an OID literal, e.g., "1.2.840.113554.4.1.72585". It consumes both the
+// component and the dot, so |cbs| may be passed into the function again for the
+// next value.
+static int parse_dotted_decimal(CBS *cbs, uint32_t *out) {
+  *out = 0;
+  int seen_digit = 0;
+  for (;;) {
+    // Valid terminators for a component are the end of the string or a
+    // non-terminal dot. If the string ends with a dot, this is not a valid OID
+    // string.
+    uint8_t u;
+    if (!CBS_get_u8(cbs, &u) ||
+        (u == '.' && CBS_len(cbs) > 0)) {
+      break;
+    }
+    if (u < '0' || u > '9' ||
+        // Forbid stray leading zeros.
+        (seen_digit && *out == 0) ||
+        // Check for overflow.
+        *out > UINT32_MAX / 10 ||
+        *out * 10 > UINT32_MAX - (u - '0')) {
+      return 0;
+    }
+    *out = *out * 10 + (u - '0');
+    seen_digit = 1;
+  }
+  // The empty string is not a legal OID component.
+  return seen_digit;
+}
+
+int CBB_add_asn1_oid_from_text(CBB *cbb, const char *text, size_t len) {
+  if (!CBB_flush(cbb)) {
+    return 0;
+  }
+
+  CBS cbs;
+  CBS_init(&cbs, (const uint8_t *)text, len);
+
+  // OIDs must have at least two components.
+  uint32_t a, b;
+  if (!parse_dotted_decimal(&cbs, &a) ||
+      !parse_dotted_decimal(&cbs, &b)) {
+    return 0;
+  }
+
+  // The first component is encoded as 40 * |a| + |b|. This assumes that |a| is
+  // 0, 1, or 2 and that, when it is 0 or 1, |b| is at most 39.
+  if (a > 2 ||
+      (a < 2 && b > 39) ||
+      b > UINT32_MAX - 80 ||
+      !add_base128_integer(cbb, 40 * a + b)) {
+    return 0;
+  }
+
+  // The remaining components are encoded unmodified.
+  while (CBS_len(&cbs) > 0) {
+    if (!parse_dotted_decimal(&cbs, &a) ||
+        !add_base128_integer(cbb, a)) {
+      return 0;
+    }
+  }
+
+  return 1;
+}
@@ -190,13 +190,13 @@ static int cbs_get_any_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag,
    return 0;
  }

-  /* ITU-T X.690 section 8.1.2.3 specifies the format for identifiers with a tag
-   * number no greater than 30.
-   *
-   * If the number portion is 31 (0x1f, the largest value that fits in the
-   * allotted bits), then the tag is more than one byte long and the
-   * continuation bytes contain the tag number. This parser only supports tag
-   * numbers less than 31 (and thus single-byte tags). */
+  // ITU-T X.690 section 8.1.2.3 specifies the format for identifiers with a tag
+  // number no greater than 30.
+  //
+  // If the number portion is 31 (0x1f, the largest value that fits in the
+  // allotted bits), then the tag is more than one byte long and the
+  // continuation bytes contain the tag number. This parser only supports tag
+  // numbers less than 31 (and thus single-byte tags).
  if ((tag & 0x1f) == 0x1f) {
    return 0;
  }
@@ -206,52 +206,51 @@ static int cbs_get_any_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag,
  }

  size_t len;
-  /* The format for the length encoding is specified in ITU-T X.690 section
-   * 8.1.3. */
+  // The format for the length encoding is specified in ITU-T X.690 section
+  // 8.1.3.
  if ((length_byte & 0x80) == 0) {
-    /* Short form length. */
+    // Short form length.
    len = ((size_t) length_byte) + 2;
    if (out_header_len != NULL) {
      *out_header_len = 2;
    }
  } else {
-    /* The high bit indicate that this is the long form, while the next 7 bits
-     * encode the number of subsequent octets used to encode the length (ITU-T
-     * X.690 clause 8.1.3.5.b). */
+    // The high bit indicate that this is the long form, while the next 7 bits
+    // encode the number of subsequent octets used to encode the length (ITU-T
+    // X.690 clause 8.1.3.5.b).
    const size_t num_bytes = length_byte & 0x7f;
    uint32_t len32;

    if (ber_ok && (tag & CBS_ASN1_CONSTRUCTED) != 0 && num_bytes == 0) {
-      /* indefinite length */
+      // indefinite length
      if (out_header_len != NULL) {
        *out_header_len = 2;
      }
      return CBS_get_bytes(cbs, out, 2);
    }

-    /* ITU-T X.690 clause 8.1.3.5.c specifies that the value 0xff shall not be
-     * used as the first byte of the length. If this parser encounters that
-     * value, num_bytes will be parsed as 127, which will fail the check below.
-     */
+    // ITU-T X.690 clause 8.1.3.5.c specifies that the value 0xff shall not be
+    // used as the first byte of the length. If this parser encounters that
+    // value, num_bytes will be parsed as 127, which will fail the check below.
    if (num_bytes == 0 || num_bytes > 4) {
      return 0;
    }
    if (!cbs_get_u(&header, &len32, num_bytes)) {
      return 0;
    }
-    /* ITU-T X.690 section 10.1 (DER length forms) requires encoding the length
-     * with the minimum number of octets. */
+    // ITU-T X.690 section 10.1 (DER length forms) requires encoding the length
+    // with the minimum number of octets.
    if (len32 < 128) {
-      /* Length should have used short-form encoding. */
+      // Length should have used short-form encoding.
      return 0;
    }
    if ((len32 >> ((num_bytes-1)*8)) == 0) {
-      /* Length should have been at least one byte shorter. */
+      // Length should have been at least one byte shorter.
      return 0;
    }
    len = len32;
    if (len + 2 + num_bytes < len) {
-      /* Overflow. */
+      // Overflow.
      return 0;
    }
    len += 2 + num_bytes;
@@ -329,35 +328,32 @@ int CBS_peek_asn1_tag(const CBS *cbs, unsigned tag_value) {

 int CBS_get_asn1_uint64(CBS *cbs, uint64_t *out) {
  CBS bytes;
-  const uint8_t *data;
-  size_t i, len;
-
  if (!CBS_get_asn1(cbs, &bytes, CBS_ASN1_INTEGER)) {
    return 0;
  }

  *out = 0;
-  data = CBS_data(&bytes);
-  len = CBS_len(&bytes);
+  const uint8_t *data = CBS_data(&bytes);
+  size_t len = CBS_len(&bytes);

  if (len == 0) {
-    /* An INTEGER is encoded with at least one octet. */
+    // An INTEGER is encoded with at least one octet.
    return 0;
  }

  if ((data[0] & 0x80) != 0) {
-    /* Negative number. */
+    // Negative number.
    return 0;
  }

  if (data[0] == 0 && len > 1 && (data[1] & 0x80) == 0) {
-    /* Extra leading zeros. */
+    // Extra leading zeros.
    return 0;
  }

-  for (i = 0; i < len; i++) {
+  for (size_t i = 0; i < len; i++) {
    if ((*out >> 56) != 0) {
-      /* Too large to represent as a uint64_t. */
+      // Too large to represent as a uint64_t.
      return 0;
    }
    *out <<= 8;
@@ -465,7 +461,7 @@ int CBS_is_valid_asn1_bitstring(const CBS *cbs) {
    return 1;
  }

-  /* All num_unused_bits bits must exist and be zeros. */
+  // All num_unused_bits bits must exist and be zeros.
  uint8_t last;
  if (!CBS_get_last_u8(&in, &last) ||
      (last & ((1 << num_unused_bits) - 1)) != 0) {
@@ -483,9 +479,9 @@ int CBS_asn1_bitstring_has_bit(const CBS *cbs, unsigned bit) {
  const unsigned byte_num = (bit >> 3) + 1;
  const unsigned bit_num = 7 - (bit & 7);

-  /* Unused bits are zero, and this function does not distinguish between
-   * missing and unset bits. Thus it is sufficient to do a byte-level length
-   * check. */
+  // Unused bits are zero, and this function does not distinguish between
+  // missing and unset bits. Thus it is sufficient to do a byte-level length
+  // check.
  return byte_num < CBS_len(cbs) &&
         (CBS_data(cbs)[byte_num] & (1 << bit_num)) != 0;
 }
@@ -22,54 +22,54 @@ extern "C" {
 #endif


-/* CBS_asn1_ber_to_der reads a BER element from |in|. If it finds
- * indefinite-length elements or constructed strings then it converts the BER
- * data to DER and sets |*out| and |*out_length| to describe a malloced buffer
- * containing the DER data. Additionally, |*in| will be advanced over the BER
- * element.
- *
- * If it doesn't find any indefinite-length elements or constructed strings then
- * it sets |*out| to NULL and |*in| is unmodified.
- *
- * This function should successfully process any valid BER input, however it
- * will not convert all of BER's deviations from DER. BER is ambiguous between
- * implicitly-tagged SEQUENCEs of strings and implicitly-tagged constructed
- * strings. Implicitly-tagged strings must be parsed with
- * |CBS_get_ber_implicitly_tagged_string| instead of |CBS_get_asn1|. The caller
- * must also account for BER variations in the contents of a primitive.
- *
- * It returns one on success and zero otherwise. */
+// CBS_asn1_ber_to_der reads a BER element from |in|. If it finds
+// indefinite-length elements or constructed strings then it converts the BER
+// data to DER and sets |*out| and |*out_length| to describe a malloced buffer
+// containing the DER data. Additionally, |*in| will be advanced over the BER
+// element.
+//
+// If it doesn't find any indefinite-length elements or constructed strings then
+// it sets |*out| to NULL and |*in| is unmodified.
+//
+// This function should successfully process any valid BER input, however it
+// will not convert all of BER's deviations from DER. BER is ambiguous between
+// implicitly-tagged SEQUENCEs of strings and implicitly-tagged constructed
+// strings. Implicitly-tagged strings must be parsed with
+// |CBS_get_ber_implicitly_tagged_string| instead of |CBS_get_asn1|. The caller
+// must also account for BER variations in the contents of a primitive.
+//
+// It returns one on success and zero otherwise.
 OPENSSL_EXPORT int CBS_asn1_ber_to_der(CBS *in, uint8_t **out, size_t *out_len);

-/* CBS_get_asn1_implicit_string parses a BER string of primitive type
- * |inner_tag| implicitly-tagged with |outer_tag|. It sets |out| to the
- * contents. If concatenation was needed, it sets |*out_storage| to a buffer
- * which the caller must release with |OPENSSL_free|. Otherwise, it sets
- * |*out_storage| to NULL.
- *
- * This function does not parse all of BER. It requires the string be
- * definite-length. Constructed strings are allowed, but all children of the
- * outermost element must be primitive. The caller should use
- * |CBS_asn1_ber_to_der| before running this function.
- *
- * It returns one on success and zero otherwise. */
+// CBS_get_asn1_implicit_string parses a BER string of primitive type
+// |inner_tag| implicitly-tagged with |outer_tag|. It sets |out| to the
+// contents. If concatenation was needed, it sets |*out_storage| to a buffer
+// which the caller must release with |OPENSSL_free|. Otherwise, it sets
+// |*out_storage| to NULL.
+//
+// This function does not parse all of BER. It requires the string be
+// definite-length. Constructed strings are allowed, but all children of the
+// outermost element must be primitive. The caller should use
+// |CBS_asn1_ber_to_der| before running this function.
+//
+// It returns one on success and zero otherwise.
 OPENSSL_EXPORT int CBS_get_asn1_implicit_string(CBS *in, CBS *out,
                                                uint8_t **out_storage,
                                                unsigned outer_tag,
                                                unsigned inner_tag);

-/* CBB_finish_i2d calls |CBB_finish| on |cbb| which must have been initialized
- * with |CBB_init|. If |outp| is not NULL then the result is written to |*outp|
- * and |*outp| is advanced just past the output. It returns the number of bytes
- * in the result, whether written or not, or a negative value on error. On
- * error, it calls |CBB_cleanup| on |cbb|.
- *
- * This function may be used to help implement legacy i2d ASN.1 functions. */
+// CBB_finish_i2d calls |CBB_finish| on |cbb| which must have been initialized
+// with |CBB_init|. If |outp| is not NULL then the result is written to |*outp|
+// and |*outp| is advanced just past the output. It returns the number of bytes
+// in the result, whether written or not, or a negative value on error. On
+// error, it calls |CBB_cleanup| on |cbb|.
+//
+// This function may be used to help implement legacy i2d ASN.1 functions.
 int CBB_finish_i2d(CBB *cbb, uint8_t **outp);


 #if defined(__cplusplus)
-}  /* extern C */
+}  // extern C
 #endif

-#endif  /* OPENSSL_HEADER_BYTESTRING_INTERNAL_H */
+#endif  // OPENSSL_HEADER_BYTESTRING_INTERNAL_H
@@ -42,17 +42,7 @@ add_library(
  ${CHACHA_ARCH_SOURCES}
 )

-add_executable(
-  chacha_test
-
-  chacha_test.cc
-  $<TARGET_OBJECTS:test_support>
-)
-
-target_link_libraries(chacha_test crypto)
-add_dependencies(all_tests chacha_test)
-
 perlasm(chacha-armv4.${ASM_EXT} asm/chacha-armv4.pl)
 perlasm(chacha-armv8.${ASM_EXT} asm/chacha-armv8.pl)
 perlasm(chacha-x86.${ASM_EXT} asm/chacha-x86.pl)
-perlasm(chacha-x86_64.${ASM_EXT} asm/chacha-x86_64.pl)
+perlasm(chacha-x86_64.${ASM_EXT} asm/chacha-x86_64.pl)
@@ -1,4 +1,11 @@
-#!/usr/bin/env perl
+#! /usr/bin/env perl
+# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
 #
 # ====================================================================
 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
@@ -8,7 +15,7 @@
 # ====================================================================
 #
 # December 2014
-# 
+#
 # ChaCha20 for ARMv4.
 #
 # Performance in cycles per byte out of large buffer.
@@ -165,8 +172,10 @@ $code.=<<___;
 #include <openssl/arm_arch.h>

 .text
-#if defined(__thumb2__)
+#if defined(__thumb2__) || defined(__clang__)
 .syntax	unified
+#endif
+#if defined(__thumb2__)
 .thumb
 #else
 .code	32
@@ -713,7 +722,7 @@ ChaCha20_neon:
 	vadd.i32	$d2,$d1,$t0		@ counter+2
 	str		@t[3], [sp,#4*(16+15)]
 	mov		@t[3],#10
-	add		@x[12],@x[12],#3	@ counter+3 
+	add		@x[12],@x[12],#3	@ counter+3
 	b		.Loop_neon

 .align	4
@@ -1127,7 +1136,7 @@ $code.=<<___;
 	ldrb		@t[1],[r12],#1		@ read input
 	subs		@t[3],@t[3],#1
 	eor		@t[0],@t[0],@t[1]
-	strb		@t[0],[r14],#1		@ store ouput
+	strb		@t[0],[r14],#1		@ store output
 	bne		.Loop_tail_neon

 .Ldone_neon:
@@ -1,4 +1,11 @@
-#!/usr/bin/env perl
+#! /usr/bin/env perl
+# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
 #
 # ====================================================================
 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
@@ -8,7 +15,7 @@
 # ====================================================================
 #
 # June 2015
-# 
+#
 # ChaCha20 for ARMv8.
 #
 # Performance in cycles per byte out of large buffer.
@@ -20,6 +27,7 @@
 # Cortex-A57		8.06/+43%       4.90            4.43(**)
 # Denver		4.50/+82%       2.63		2.67(*)
 # X-Gene		9.50/+46%       8.82		8.89(*)
+# Mongoose		8.00/+44%	3.64		3.25
 #
 # (*)	it's expected that doubling interleave factor doesn't help
 #	all processors, only those with higher NEON latency and
@@ -193,7 +201,7 @@ ChaCha20_ctr32:
 	mov	$ctr,#10
 	subs	$len,$len,#64
 .Loop:
-	sub	$ctr,$ctr,#1	
+	sub	$ctr,$ctr,#1
 ___
 	foreach (&ROUND(0, 4, 8,12)) { eval; }
 	foreach (&ROUND(0, 5,10,15)) { eval; }
@@ -21,7 +21,9 @@
 # Westmere	9.50/+45%	3.35
 # Sandy Bridge	10.5/+47%	3.20
 # Haswell	8.15/+50%	2.83
+# Skylake	7.53/+22%	2.75
 # Silvermont	17.4/+36%	8.35
+# Goldmont	13.4/+40%	4.36
 # Sledgehammer	10.2/+54%
 # Bulldozer	13.4/+50%	4.38(*)
 #
@@ -36,12 +38,10 @@ require "x86asm.pl";
 $output=pop;
 open STDOUT,">$output";

-&asm_init($ARGV[0],"chacha-x86.pl",$ARGV[$#ARGV] eq "386");
+&asm_init($ARGV[0],$ARGV[$#ARGV] eq "386");

-$xmm=$ymm=0;
-for (@ARGV) { $xmm=1 if (/-DOPENSSL_IA32_SSE2/); }
-
-$ymm=$xmm;
+$xmm=$ymm=1;
+$gasver=999;  # enable everything

 $a="eax";
 ($b,$b_)=("ebx","ebp");
@@ -438,6 +438,12 @@ my ($ap,$bp,$cp,$dp)=map(($_&~3)+(($_-1)&3),($ai,$bi,$ci,$di));	# previous
 				    &label("pic_point"),"eax"));
 	&movdqu		("xmm3",&QWP(0,"ebx"));		# counter and nonce

+if (defined($gasver) && $gasver>=2.17) {		# even though we encode
+							# pshufb manually, we
+							# handle only register
+							# operands, while this
+							# segment uses memory
+							# operand...
 	&cmp		($len,64*4);
 	&jb		(&label("1x"));

@@ -619,6 +625,7 @@ my ($ap,$bp,$cp,$dp)=map(($_&~3)+(($_-1)&3),($ai,$bi,$ci,$di));	# previous
 	&paddd		("xmm2",&QWP(16*6,"eax"));	# +four
 	&pand		("xmm3",&QWP(16*7,"eax"));
 	&por		("xmm3","xmm2");		# counter value
+}
 {
 my ($a,$b,$c,$d,$t,$t1,$rot16,$rot24)=map("xmm$_",(0..7));

@@ -12,7 +12,7 @@
 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

-/* Adapted from the public domain, estream code by D. Bernstein. */
+// Adapted from the public domain, estream code by D. Bernstein.

 #include <openssl/chacha.h>

@@ -32,7 +32,7 @@
    (defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \
     defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64))

-/* ChaCha20_ctr32 is defined in asm/chacha-*.pl. */
+// ChaCha20_ctr32 is defined in asm/chacha-*.pl.
 void ChaCha20_ctr32(uint8_t *out, const uint8_t *in, size_t in_len,
                    const uint32_t key[8], const uint32_t counter[4]);

@@ -48,7 +48,7 @@ void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in, size_t in_len,

  const uint32_t *key_ptr = (const uint32_t *)key;
 #if !defined(OPENSSL_X86) && !defined(OPENSSL_X86_64)
-  /* The assembly expects the key to be four-byte aligned. */
+  // The assembly expects the key to be four-byte aligned.
  uint32_t key_u32[8];
  if ((((uintptr_t)key) & 3) != 0) {
    key_u32[0] = U8TO32_LITTLE(key + 0);
@@ -69,7 +69,7 @@ void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in, size_t in_len,

 #else

-/* sigma contains the ChaCha constants, which happen to be an ASCII string. */
+// sigma contains the ChaCha constants, which happen to be an ASCII string.
 static const uint8_t sigma[16] = { 'e', 'x', 'p', 'a', 'n', 'd', ' ', '3',
                                   '2', '-', 'b', 'y', 't', 'e', ' ', 'k' };

@@ -83,15 +83,15 @@ static const uint8_t sigma[16] = { 'e', 'x', 'p', 'a', 'n', 'd', ' ', '3',
    (p)[3] = (v >> 24) & 0xff; \
  }

-/* QUARTERROUND updates a, b, c, d with a ChaCha "quarter" round. */
+// QUARTERROUND updates a, b, c, d with a ChaCha "quarter" round.
 #define QUARTERROUND(a, b, c, d)                \
  x[a] += x[b]; x[d] = ROTATE(x[d] ^ x[a], 16); \
  x[c] += x[d]; x[b] = ROTATE(x[b] ^ x[c], 12); \
  x[a] += x[b]; x[d] = ROTATE(x[d] ^ x[a],  8); \
  x[c] += x[d]; x[b] = ROTATE(x[b] ^ x[c],  7);

-/* chacha_core performs 20 rounds of ChaCha on the input words in
- * |input| and writes the 64 output bytes to |output|. */
+// chacha_core performs 20 rounds of ChaCha on the input words in
+// |input| and writes the 64 output bytes to |output|.
 static void chacha_core(uint8_t output[64], const uint32_t input[16]) {
  uint32_t x[16];
  int i;
@@ -18,10 +18,13 @@

 #include <memory>

+#include <gtest/gtest.h>
+
 #include <openssl/crypto.h>
 #include <openssl/chacha.h>

 #include "../internal.h"
+#include "../test/test_util.h"


 static const uint8_t kKey[32] = {
@@ -216,35 +219,18 @@ static const uint8_t kOutput[] = {
 static_assert(sizeof(kInput) == sizeof(kOutput),
              "Input and output lengths don't match.");

-static bool TestChaCha20(size_t len) {
-  std::unique_ptr<uint8_t[]> buf(new uint8_t[len]);
-  CRYPTO_chacha_20(buf.get(), kInput, len, kKey, kNonce, kCounter);
-  if (OPENSSL_memcmp(buf.get(), kOutput, len) != 0) {
-    fprintf(stderr, "Mismatch at length %zu.\n", len);
-    return false;
-  }
-
-  // Test in-place.
-  OPENSSL_memcpy(buf.get(), kInput, len);
-  CRYPTO_chacha_20(buf.get(), buf.get(), len, kKey, kNonce, kCounter);
-  if (OPENSSL_memcmp(buf.get(), kOutput, len) != 0) {
-    fprintf(stderr, "Mismatch at length %zu, in-place.\n", len);
-    return false;
-  }
-
-  return true;
-}
-
-int main(int argc, char **argv) {
-  CRYPTO_library_init();
-
+TEST(ChaChaTest, TestVector) {
  // Run the test with the test vector at all lengths.
  for (size_t len = 0; len <= sizeof(kInput); len++) {
-    if (!TestChaCha20(len)) {
-      return 1;
-    }
-  }
+    SCOPED_TRACE(len);

-  printf("PASS\n");
-  return 0;
+    std::unique_ptr<uint8_t[]> buf(new uint8_t[len]);
+    CRYPTO_chacha_20(buf.get(), kInput, len, kKey, kNonce, kCounter);
+    EXPECT_EQ(Bytes(kOutput, len), Bytes(buf.get(), len));
+
+    // Test the in-place version.
+    OPENSSL_memcpy(buf.get(), kInput, len);
+    CRYPTO_chacha_20(buf.get(), buf.get(), len, kKey, kNonce, kCounter);
+    EXPECT_EQ(Bytes(kOutput, len), Bytes(buf.get(), len));
+  }
 }
@@ -1,40 +0,0 @@
-include_directories(../../include)
-
-add_library(
-  cipher
-
-  OBJECT
-
-  cipher.c
-  derive_key.c
-  aead.c
-
-  e_null.c
-  e_rc2.c
-  e_rc4.c
-  e_des.c
-  e_aes.c
-  e_chacha20poly1305.c
-
-  tls_cbc.c
-  e_tls.c
-  e_ssl3.c
-)
-
-add_executable(
-  cipher_test
-
-  cipher_test.cc
-  $<TARGET_OBJECTS:test_support>
-)
-
-add_executable(
-  aead_test
-
-  aead_test.cc
-  $<TARGET_OBJECTS:test_support>
-)
-
-target_link_libraries(cipher_test crypto)
-target_link_libraries(aead_test crypto)
-add_dependencies(all_tests cipher_test aead_test)
@@ -1,156 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/aead.h>
-
-#include <string.h>
-
-#include <openssl/cipher.h>
-#include <openssl/err.h>
-
-#include "internal.h"
-#include "../internal.h"
-
-
-size_t EVP_AEAD_key_length(const EVP_AEAD *aead) { return aead->key_len; }
-
-size_t EVP_AEAD_nonce_length(const EVP_AEAD *aead) { return aead->nonce_len; }
-
-size_t EVP_AEAD_max_overhead(const EVP_AEAD *aead) { return aead->overhead; }
-
-size_t EVP_AEAD_max_tag_len(const EVP_AEAD *aead) { return aead->max_tag_len; }
-
-void EVP_AEAD_CTX_zero(EVP_AEAD_CTX *ctx) {
-  OPENSSL_memset(ctx, 0, sizeof(EVP_AEAD_CTX));
-}
-
-int EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,
-                      const uint8_t *key, size_t key_len, size_t tag_len,
-                      ENGINE *impl) {
-  if (!aead->init) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_NO_DIRECTION_SET);
-    ctx->aead = NULL;
-    return 0;
-  }
-  return EVP_AEAD_CTX_init_with_direction(ctx, aead, key, key_len, tag_len,
-                                          evp_aead_open);
-}
-
-int EVP_AEAD_CTX_init_with_direction(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,
-                                     const uint8_t *key, size_t key_len,
-                                     size_t tag_len,
-                                     enum evp_aead_direction_t dir) {
-  if (key_len != aead->key_len) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_KEY_SIZE);
-    ctx->aead = NULL;
-    return 0;
-  }
-
-  ctx->aead = aead;
-
-  int ok;
-  if (aead->init) {
-    ok = aead->init(ctx, key, key_len, tag_len);
-  } else {
-    ok = aead->init_with_direction(ctx, key, key_len, tag_len, dir);
-  }
-
-  if (!ok) {
-    ctx->aead = NULL;
-  }
-
-  return ok;
-}
-
-void EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx) {
-  if (ctx->aead == NULL) {
-    return;
-  }
-  ctx->aead->cleanup(ctx);
-  ctx->aead = NULL;
-}
-
-/* check_alias returns 1 if |out| is compatible with |in| and 0 otherwise. If
- * |in| and |out| alias, we require that |in| == |out|. */
-static int check_alias(const uint8_t *in, size_t in_len, const uint8_t *out,
-                       size_t out_len) {
-  if (!buffers_alias(in, in_len, out, out_len)) {
-    return 1;
-  }
-
-  return in == out;
-}
-
-int EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len,
-                      size_t max_out_len, const uint8_t *nonce,
-                      size_t nonce_len, const uint8_t *in, size_t in_len,
-                      const uint8_t *ad, size_t ad_len) {
-  size_t possible_out_len = in_len + ctx->aead->overhead;
-
-  if (possible_out_len < in_len /* overflow */) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
-    goto error;
-  }
-
-  if (!check_alias(in, in_len, out, max_out_len)) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_OUTPUT_ALIASES_INPUT);
-    goto error;
-  }
-
-  if (ctx->aead->seal(ctx, out, out_len, max_out_len, nonce, nonce_len, in,
-                      in_len, ad, ad_len)) {
-    return 1;
-  }
-
-error:
-  /* In the event of an error, clear the output buffer so that a caller
-   * that doesn't check the return value doesn't send raw data. */
-  OPENSSL_memset(out, 0, max_out_len);
-  *out_len = 0;
-  return 0;
-}
-
-int EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len,
-                      size_t max_out_len, const uint8_t *nonce,
-                      size_t nonce_len, const uint8_t *in, size_t in_len,
-                      const uint8_t *ad, size_t ad_len) {
-  if (!check_alias(in, in_len, out, max_out_len)) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_OUTPUT_ALIASES_INPUT);
-    goto error;
-  }
-
-  if (ctx->aead->open(ctx, out, out_len, max_out_len, nonce, nonce_len, in,
-                      in_len, ad, ad_len)) {
-    return 1;
-  }
-
-error:
-  /* In the event of an error, clear the output buffer so that a caller
-   * that doesn't check the return value doesn't try and process bad
-   * data. */
-  OPENSSL_memset(out, 0, max_out_len);
-  *out_len = 0;
-  return 0;
-}
-
-const EVP_AEAD *EVP_AEAD_CTX_aead(const EVP_AEAD_CTX *ctx) { return ctx->aead; }
-
-int EVP_AEAD_CTX_get_iv(const EVP_AEAD_CTX *ctx, const uint8_t **out_iv,
-                        size_t *out_len) {
-  if (ctx->aead->get_iv == NULL) {
-    return 0;
-  }
-
-  return ctx->aead->get_iv(ctx, out_iv, out_len);
-}
@@ -1,372 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <stdint.h>
-#include <string.h>
-
-#include <vector>
-
-#include <openssl/aead.h>
-#include <openssl/crypto.h>
-#include <openssl/err.h>
-
-#include "../internal.h"
-#include "../test/file_test.h"
-
-
-#if defined(OPENSSL_SMALL)
-const EVP_AEAD* EVP_aead_aes_128_gcm_siv(void) {
-  return nullptr;
-}
-const EVP_AEAD* EVP_aead_aes_256_gcm_siv(void) {
-  return nullptr;
-}
-#endif
-
-// This program tests an AEAD against a series of test vectors from a file,
-// using the FileTest format. As an example, here's a valid test case:
-//
-//   KEY: 5a19f3173586b4c42f8412f4d5a786531b3231753e9e00998aec12fda8df10e4
-//   NONCE: 978105dfce667bf4
-//   IN: 6a4583908d
-//   AD: b654574932
-//   CT: 5294265a60
-//   TAG: 1d45758621762e061368e68868e2f929
-
-static bool TestAEAD(FileTest *t, void *arg) {
-  const EVP_AEAD *aead = reinterpret_cast<const EVP_AEAD*>(arg);
-
-  std::vector<uint8_t> key, nonce, in, ad, ct, tag;
-  if (!t->GetBytes(&key, "KEY") ||
-      !t->GetBytes(&nonce, "NONCE") ||
-      !t->GetBytes(&in, "IN") ||
-      !t->GetBytes(&ad, "AD") ||
-      !t->GetBytes(&ct, "CT") ||
-      !t->GetBytes(&tag, "TAG")) {
-    return false;
-  }
-
-  bssl::ScopedEVP_AEAD_CTX ctx;
-  if (!EVP_AEAD_CTX_init_with_direction(ctx.get(), aead, key.data(), key.size(),
-                                        tag.size(), evp_aead_seal)) {
-    t->PrintLine("Failed to init AEAD.");
-    return false;
-  }
-
-  std::vector<uint8_t> out(in.size() + EVP_AEAD_max_overhead(aead));
-  if (!t->HasAttribute("NO_SEAL")) {
-    size_t out_len;
-    if (!EVP_AEAD_CTX_seal(ctx.get(), out.data(), &out_len, out.size(),
-                           nonce.data(), nonce.size(), in.data(), in.size(),
-                           ad.data(), ad.size())) {
-      t->PrintLine("Failed to run AEAD.");
-      return false;
-    }
-    out.resize(out_len);
-
-    if (out.size() != ct.size() + tag.size()) {
-      t->PrintLine("Bad output length: %u vs %u.", (unsigned)out_len,
-                   (unsigned)(ct.size() + tag.size()));
-      return false;
-    }
-    if (!t->ExpectBytesEqual(ct.data(), ct.size(), out.data(), ct.size()) ||
-        !t->ExpectBytesEqual(tag.data(), tag.size(), out.data() + ct.size(),
-                             tag.size())) {
-      return false;
-    }
-  } else {
-    out.resize(ct.size() + tag.size());
-    OPENSSL_memcpy(out.data(), ct.data(), ct.size());
-    OPENSSL_memcpy(out.data() + ct.size(), tag.data(), tag.size());
-  }
-
-  // The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
-  // reset after each operation.
-  ctx.Reset();
-  if (!EVP_AEAD_CTX_init_with_direction(ctx.get(), aead, key.data(), key.size(),
-                                        tag.size(), evp_aead_open)) {
-    t->PrintLine("Failed to init AEAD.");
-    return false;
-  }
-
-  std::vector<uint8_t> out2(out.size());
-  size_t out2_len;
-  int ret = EVP_AEAD_CTX_open(ctx.get(), out2.data(), &out2_len, out2.size(),
-                              nonce.data(), nonce.size(), out.data(),
-                              out.size(), ad.data(), ad.size());
-  if (t->HasAttribute("FAILS")) {
-    if (ret) {
-      t->PrintLine("Decrypted bad data.");
-      return false;
-    }
-    ERR_clear_error();
-    return true;
-  }
-
-  if (!ret) {
-    t->PrintLine("Failed to decrypt.");
-    return false;
-  }
-  out2.resize(out2_len);
-  if (!t->ExpectBytesEqual(in.data(), in.size(), out2.data(), out2.size())) {
-    return false;
-  }
-
-  // The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
-  // reset after each operation.
-  ctx.Reset();
-  if (!EVP_AEAD_CTX_init_with_direction(ctx.get(), aead, key.data(), key.size(),
-                                        tag.size(), evp_aead_open)) {
-    t->PrintLine("Failed to init AEAD.");
-    return false;
-  }
-
-  // Garbage at the end isn't ignored.
-  out.push_back(0);
-  out2.resize(out.size());
-  if (EVP_AEAD_CTX_open(ctx.get(), out2.data(), &out2_len, out2.size(),
-                        nonce.data(), nonce.size(), out.data(), out.size(),
-                        ad.data(), ad.size())) {
-    t->PrintLine("Decrypted bad data with trailing garbage.");
-    return false;
-  }
-  ERR_clear_error();
-
-  // The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
-  // reset after each operation.
-  ctx.Reset();
-  if (!EVP_AEAD_CTX_init_with_direction(ctx.get(), aead, key.data(), key.size(),
-                                        tag.size(), evp_aead_open)) {
-    t->PrintLine("Failed to init AEAD.");
-    return false;
-  }
-
-  // Verify integrity is checked.
-  out[0] ^= 0x80;
-  out.resize(out.size() - 1);
-  out2.resize(out.size());
-  if (EVP_AEAD_CTX_open(ctx.get(), out2.data(), &out2_len, out2.size(),
-                        nonce.data(), nonce.size(), out.data(), out.size(),
-                        ad.data(), ad.size())) {
-    t->PrintLine("Decrypted bad data with corrupted byte.");
-    return false;
-  }
-  ERR_clear_error();
-
-  return true;
-}
-
-static int TestCleanupAfterInitFailure(const EVP_AEAD *aead) {
-  EVP_AEAD_CTX ctx;
-  uint8_t key[128];
-
-  OPENSSL_memset(key, 0, sizeof(key));
-  const size_t key_len = EVP_AEAD_key_length(aead);
-  if (key_len > sizeof(key)) {
-    fprintf(stderr, "Key length of AEAD too long.\n");
-    return 0;
-  }
-
-  if (EVP_AEAD_CTX_init(&ctx, aead, key, key_len,
-                        9999 /* a silly tag length to trigger an error */,
-                        NULL /* ENGINE */) != 0) {
-    fprintf(stderr, "A silly tag length didn't trigger an error!\n");
-    return 0;
-  }
-  ERR_clear_error();
-
-  /* Running a second, failed _init should not cause a memory leak. */
-  if (EVP_AEAD_CTX_init(&ctx, aead, key, key_len,
-                        9999 /* a silly tag length to trigger an error */,
-                        NULL /* ENGINE */) != 0) {
-    fprintf(stderr, "A silly tag length didn't trigger an error!\n");
-    return 0;
-  }
-  ERR_clear_error();
-
-  /* Calling _cleanup on an |EVP_AEAD_CTX| after a failed _init should be a
-   * no-op. */
-  EVP_AEAD_CTX_cleanup(&ctx);
-  return 1;
-}
-
-static bool TestWithAliasedBuffers(const EVP_AEAD *aead) {
-  const size_t key_len = EVP_AEAD_key_length(aead);
-  const size_t nonce_len = EVP_AEAD_nonce_length(aead);
-  const size_t max_overhead = EVP_AEAD_max_overhead(aead);
-
-  std::vector<uint8_t> key(key_len, 'a');
-  bssl::ScopedEVP_AEAD_CTX ctx;
-  if (!EVP_AEAD_CTX_init(ctx.get(), aead, key.data(), key_len,
-                         EVP_AEAD_DEFAULT_TAG_LENGTH, nullptr)) {
-    return false;
-  }
-
-  static const uint8_t kPlaintext[260] =
-      "testing123456testing123456testing123456testing123456testing123456testing"
-      "123456testing123456testing123456testing123456testing123456testing123456t"
-      "esting123456testing123456testing123456testing123456testing123456testing1"
-      "23456testing123456testing123456testing12345";
-  const std::vector<size_t> offsets = {
-      0,  1,  2,  8,  15, 16,  17,  31,  32,  33,  63,
-      64, 65, 95, 96, 97, 127, 128, 129, 255, 256, 257,
-  };
-
-  std::vector<uint8_t> nonce(nonce_len, 'b');
-  std::vector<uint8_t> valid_encryption(sizeof(kPlaintext) + max_overhead);
-  size_t valid_encryption_len;
-  if (!EVP_AEAD_CTX_seal(
-          ctx.get(), valid_encryption.data(), &valid_encryption_len,
-          sizeof(kPlaintext) + max_overhead, nonce.data(), nonce_len,
-          kPlaintext, sizeof(kPlaintext), nullptr, 0)) {
-    fprintf(stderr, "EVP_AEAD_CTX_seal failed with disjoint buffers.\n");
-    return false;
-  }
-
-  // Test with out != in which we expect to fail.
-  std::vector<uint8_t> buffer(2 + valid_encryption_len);
-  uint8_t *in = buffer.data() + 1;
-  uint8_t *out1 = buffer.data();
-  uint8_t *out2 = buffer.data() + 2;
-
-  OPENSSL_memcpy(in, kPlaintext, sizeof(kPlaintext));
-  size_t out_len;
-  if (EVP_AEAD_CTX_seal(ctx.get(), out1, &out_len,
-                        sizeof(kPlaintext) + max_overhead, nonce.data(),
-                        nonce_len, in, sizeof(kPlaintext), nullptr, 0) ||
-      EVP_AEAD_CTX_seal(ctx.get(), out2, &out_len,
-                        sizeof(kPlaintext) + max_overhead, nonce.data(),
-                        nonce_len, in, sizeof(kPlaintext), nullptr, 0)) {
-    fprintf(stderr, "EVP_AEAD_CTX_seal unexpectedly succeeded.\n");
-    return false;
-  }
-  ERR_clear_error();
-
-  OPENSSL_memcpy(in, valid_encryption.data(), valid_encryption_len);
-  if (EVP_AEAD_CTX_open(ctx.get(), out1, &out_len, valid_encryption_len,
-                        nonce.data(), nonce_len, in, valid_encryption_len,
-                        nullptr, 0) ||
-      EVP_AEAD_CTX_open(ctx.get(), out2, &out_len, valid_encryption_len,
-                        nonce.data(), nonce_len, in, valid_encryption_len,
-                        nullptr, 0)) {
-    fprintf(stderr, "EVP_AEAD_CTX_open unexpectedly succeeded.\n");
-    return false;
-  }
-  ERR_clear_error();
-
-  // Test with out == in, which we expect to work.
-  OPENSSL_memcpy(in, kPlaintext, sizeof(kPlaintext));
-
-  if (!EVP_AEAD_CTX_seal(ctx.get(), in, &out_len,
-                         sizeof(kPlaintext) + max_overhead, nonce.data(),
-                         nonce_len, in, sizeof(kPlaintext), nullptr, 0)) {
-    fprintf(stderr, "EVP_AEAD_CTX_seal failed in-place.\n");
-    return false;
-  }
-
-  if (out_len != valid_encryption_len ||
-      OPENSSL_memcmp(in, valid_encryption.data(), out_len) != 0) {
-    fprintf(stderr, "EVP_AEAD_CTX_seal produced bad output in-place.\n");
-    return false;
-  }
-
-  OPENSSL_memcpy(in, valid_encryption.data(), valid_encryption_len);
-  if (!EVP_AEAD_CTX_open(ctx.get(), in, &out_len, valid_encryption_len,
-                         nonce.data(), nonce_len, in, valid_encryption_len,
-                         nullptr, 0)) {
-    fprintf(stderr, "EVP_AEAD_CTX_open failed in-place.\n");
-    return false;
-  }
-
-  if (out_len != sizeof(kPlaintext) ||
-      OPENSSL_memcmp(in, kPlaintext, out_len) != 0) {
-    fprintf(stderr, "EVP_AEAD_CTX_open produced bad output in-place.\n");
-    return false;
-  }
-
-  return true;
-}
-
-struct KnownAEAD {
-  const char name[40];
-  const EVP_AEAD *(*func)(void);
-  // limited_implementation indicates that tests that assume a generic AEAD
-  // interface should not be performed. For example, the key-wrap AEADs only
-  // handle inputs that are a multiple of eight bytes in length and the
-  // SSLv3/TLS AEADs have the concept of “direction”.
-  bool limited_implementation;
-};
-
-static const struct KnownAEAD kAEADs[] = {
-  { "aes-128-gcm", EVP_aead_aes_128_gcm, false },
-  { "aes-256-gcm", EVP_aead_aes_256_gcm, false },
-  { "aes-128-gcm-siv", EVP_aead_aes_128_gcm_siv, false },
-  { "aes-256-gcm-siv", EVP_aead_aes_256_gcm_siv, false },
-  { "chacha20-poly1305", EVP_aead_chacha20_poly1305, false },
-  { "chacha20-poly1305-old", EVP_aead_chacha20_poly1305_old, false },
-  { "aes-128-cbc-sha1-tls", EVP_aead_aes_128_cbc_sha1_tls, true },
-  { "aes-128-cbc-sha1-tls-implicit-iv", EVP_aead_aes_128_cbc_sha1_tls_implicit_iv, true },
-  { "aes-128-cbc-sha256-tls", EVP_aead_aes_128_cbc_sha256_tls, true },
-  { "aes-256-cbc-sha1-tls", EVP_aead_aes_256_cbc_sha1_tls, true },
-  { "aes-256-cbc-sha1-tls-implicit-iv", EVP_aead_aes_256_cbc_sha1_tls_implicit_iv, true },
-  { "aes-256-cbc-sha256-tls", EVP_aead_aes_256_cbc_sha256_tls, true },
-  { "aes-256-cbc-sha384-tls", EVP_aead_aes_256_cbc_sha384_tls, true },
-  { "des-ede3-cbc-sha1-tls", EVP_aead_des_ede3_cbc_sha1_tls, true },
-  { "des-ede3-cbc-sha1-tls-implicit-iv", EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv, true },
-  { "aes-128-cbc-sha1-ssl3", EVP_aead_aes_128_cbc_sha1_ssl3, true },
-  { "aes-256-cbc-sha1-ssl3", EVP_aead_aes_256_cbc_sha1_ssl3, true },
-  { "des-ede3-cbc-sha1-ssl3", EVP_aead_des_ede3_cbc_sha1_ssl3, true },
-  { "aes-128-ctr-hmac-sha256", EVP_aead_aes_128_ctr_hmac_sha256, false },
-  { "aes-256-ctr-hmac-sha256", EVP_aead_aes_256_ctr_hmac_sha256, false },
-  { "", NULL, false },
-};
-
-int main(int argc, char **argv) {
-  CRYPTO_library_init();
-
-  if (argc != 3) {
-    fprintf(stderr, "%s <aead> <test file.txt>\n", argv[0]);
-    return 1;
-  }
-
-  const struct KnownAEAD *known_aead;
-  for (unsigned i = 0;; i++) {
-    known_aead = &kAEADs[i];
-    if (known_aead->func == NULL) {
-      fprintf(stderr, "Unknown AEAD: %s\n", argv[1]);
-      return 2;
-    }
-    if (strcmp(known_aead->name, argv[1]) == 0) {
-      break;
-    }
-  }
-
-  const EVP_AEAD *const aead = known_aead->func();
-  if (aead == NULL) {
-    // AEAD is not compiled in this configuration.
-    printf("PASS\n");
-    return 0;
-  }
-
-  if (!TestCleanupAfterInitFailure(aead)) {
-    return 1;
-  }
-
-  if (!known_aead->limited_implementation && !TestWithAliasedBuffers(aead)) {
-    fprintf(stderr, "Aliased buffers test failed for %s.\n", known_aead->name);
-    return 1;
-  }
-
-  return FileTestMain(TestAEAD, const_cast<EVP_AEAD*>(aead), argv[2]);
-}
@@ -1,295 +0,0 @@
-/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project.
- */
-/* ====================================================================
- * Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- */
-
-#include <stdlib.h>
-#include <string.h>
-
-#include <string>
-#include <vector>
-
-#include <openssl/cipher.h>
-#include <openssl/crypto.h>
-#include <openssl/err.h>
-
-#include "../test/file_test.h"
-
-
-static const EVP_CIPHER *GetCipher(const std::string &name) {
-  if (name == "DES-CBC") {
-    return EVP_des_cbc();
-  } else if (name == "DES-ECB") {
-    return EVP_des_ecb();
-  } else if (name == "DES-EDE") {
-    return EVP_des_ede();
-  } else if (name == "DES-EDE-CBC") {
-    return EVP_des_ede_cbc();
-  } else if (name == "DES-EDE3-CBC") {
-    return EVP_des_ede3_cbc();
-  } else if (name == "RC4") {
-    return EVP_rc4();
-  } else if (name == "AES-128-ECB") {
-    return EVP_aes_128_ecb();
-  } else if (name == "AES-256-ECB") {
-    return EVP_aes_256_ecb();
-  } else if (name == "AES-128-CBC") {
-    return EVP_aes_128_cbc();
-  } else if (name == "AES-128-GCM") {
-    return EVP_aes_128_gcm();
-  } else if (name == "AES-128-OFB") {
-    return EVP_aes_128_ofb();
-  } else if (name == "AES-192-CBC") {
-    return EVP_aes_192_cbc();
-  } else if (name == "AES-192-ECB") {
-    return EVP_aes_192_ecb();
-  } else if (name == "AES-256-CBC") {
-    return EVP_aes_256_cbc();
-  } else if (name == "AES-128-CTR") {
-    return EVP_aes_128_ctr();
-  } else if (name == "AES-256-CTR") {
-    return EVP_aes_256_ctr();
-  } else if (name == "AES-256-GCM") {
-    return EVP_aes_256_gcm();
-  } else if (name == "AES-256-OFB") {
-    return EVP_aes_256_ofb();
-  }
-  return nullptr;
-}
-
-static bool TestOperation(FileTest *t,
-                          const EVP_CIPHER *cipher,
-                          bool encrypt,
-                          size_t chunk_size,
-                          const std::vector<uint8_t> &key,
-                          const std::vector<uint8_t> &iv,
-                          const std::vector<uint8_t> &plaintext,
-                          const std::vector<uint8_t> &ciphertext,
-                          const std::vector<uint8_t> &aad,
-                          const std::vector<uint8_t> &tag) {
-  const std::vector<uint8_t> *in, *out;
-  if (encrypt) {
-    in = &plaintext;
-    out = &ciphertext;
-  } else {
-    in = &ciphertext;
-    out = &plaintext;
-  }
-
-  bool is_aead = EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE;
-
-  bssl::ScopedEVP_CIPHER_CTX ctx;
-  if (!EVP_CipherInit_ex(ctx.get(), cipher, nullptr, nullptr, nullptr,
-                         encrypt ? 1 : 0)) {
-    return false;
-  }
-  if (t->HasAttribute("IV")) {
-    if (is_aead) {
-      if (!EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_SET_IVLEN,
-                               iv.size(), 0)) {
-        return false;
-      }
-    } else if (iv.size() != EVP_CIPHER_CTX_iv_length(ctx.get())) {
-      t->PrintLine("Bad IV length.");
-      return false;
-    }
-  }
-  if (is_aead && !encrypt &&
-      !EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_SET_TAG, tag.size(),
-                           const_cast<uint8_t*>(tag.data()))) {
-    return false;
-  }
-  // The ciphers are run with no padding. For each of the ciphers we test, the
-  // output size matches the input size.
-  std::vector<uint8_t> result(in->size());
-  if (in->size() != out->size()) {
-    t->PrintLine("Input/output size mismatch (%u vs %u).", (unsigned)in->size(),
-                 (unsigned)out->size());
-    return false;
-  }
-  // Note: the deprecated |EVP_CIPHER|-based AES-GCM API is sensitive to whether
-  // parameters are NULL, so it is important to skip the |in| and |aad|
-  // |EVP_CipherUpdate| calls when empty.
-  int unused, result_len1 = 0, result_len2;
-  if (!EVP_CIPHER_CTX_set_key_length(ctx.get(), key.size()) ||
-      !EVP_CipherInit_ex(ctx.get(), nullptr, nullptr, key.data(), iv.data(),
-                         -1) ||
-      (!aad.empty() &&
-       !EVP_CipherUpdate(ctx.get(), nullptr, &unused, aad.data(),
-                         aad.size())) ||
-      !EVP_CIPHER_CTX_set_padding(ctx.get(), 0)) {
-    t->PrintLine("Operation failed.");
-    return false;
-  }
-  if (chunk_size != 0) {
-    for (size_t i = 0; i < in->size();) {
-      size_t todo = chunk_size;
-      if (i + todo > in->size()) {
-        todo = in->size() - i;
-      }
-
-      int len;
-      if (!EVP_CipherUpdate(ctx.get(), result.data() + result_len1, &len,
-                            in->data() + i, todo)) {
-        t->PrintLine("Operation failed.");
-        return false;
-      }
-      result_len1 += len;
-      i += todo;
-    }
-  } else if (!in->empty() &&
-             !EVP_CipherUpdate(ctx.get(), result.data(), &result_len1,
-                               in->data(), in->size())) {
-    t->PrintLine("Operation failed.");
-    return false;
-  }
-  if (!EVP_CipherFinal_ex(ctx.get(), result.data() + result_len1,
-                          &result_len2)) {
-    t->PrintLine("Operation failed.");
-    return false;
-  }
-  result.resize(result_len1 + result_len2);
-  if (!t->ExpectBytesEqual(out->data(), out->size(), result.data(),
-                           result.size())) {
-    return false;
-  }
-  if (encrypt && is_aead) {
-    uint8_t rtag[16];
-    if (tag.size() > sizeof(rtag)) {
-      t->PrintLine("Bad tag length.");
-      return false;
-    }
-    if (!EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_GET_TAG, tag.size(),
-                             rtag) ||
-        !t->ExpectBytesEqual(tag.data(), tag.size(), rtag,
-                             tag.size())) {
-      return false;
-    }
-  }
-  return true;
-}
-
-static bool TestCipher(FileTest *t, void *arg) {
-  std::string cipher_str;
-  if (!t->GetAttribute(&cipher_str, "Cipher")) {
-    return false;
-  }
-  const EVP_CIPHER *cipher = GetCipher(cipher_str);
-  if (cipher == nullptr) {
-    t->PrintLine("Unknown cipher: '%s'.", cipher_str.c_str());
-    return false;
-  }
-
-  std::vector<uint8_t> key, iv, plaintext, ciphertext, aad, tag;
-  if (!t->GetBytes(&key, "Key") ||
-      !t->GetBytes(&plaintext, "Plaintext") ||
-      !t->GetBytes(&ciphertext, "Ciphertext")) {
-    return false;
-  }
-  if (EVP_CIPHER_iv_length(cipher) > 0 &&
-      !t->GetBytes(&iv, "IV")) {
-    return false;
-  }
-  if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE) {
-    if (!t->GetBytes(&aad, "AAD") ||
-        !t->GetBytes(&tag, "Tag")) {
-      return false;
-    }
-  }
-
-  enum {
-    kEncrypt,
-    kDecrypt,
-    kBoth,
-  } operation = kBoth;
-  if (t->HasAttribute("Operation")) {
-    const std::string &str = t->GetAttributeOrDie("Operation");
-    if (str == "ENCRYPT") {
-      operation = kEncrypt;
-    } else if (str == "DECRYPT") {
-      operation = kDecrypt;
-    } else {
-      t->PrintLine("Unknown operation: '%s'.", str.c_str());
-      return false;
-    }
-  }
-
-  const std::vector<size_t> chunk_sizes = {0,  1,  2,  5,  7,  8,  9,  15, 16,
-                                           17, 31, 32, 33, 63, 64, 65, 512};
-
-  for (size_t chunk_size : chunk_sizes) {
-    // By default, both directions are run, unless overridden by the operation.
-    if (operation != kDecrypt &&
-        !TestOperation(t, cipher, true /* encrypt */, chunk_size, key, iv,
-                       plaintext, ciphertext, aad, tag)) {
-      return false;
-    }
-
-    if (operation != kEncrypt &&
-        !TestOperation(t, cipher, false /* decrypt */, chunk_size, key, iv,
-                       plaintext, ciphertext, aad, tag)) {
-      return false;
-    }
-  }
-
-  return true;
-}
-
-int main(int argc, char **argv) {
-  CRYPTO_library_init();
-
-  if (argc != 2) {
-    fprintf(stderr, "%s <test file>\n", argv[0]);
-    return 1;
-  }
-
-  return FileTestMain(TestCipher, nullptr, argv[1]);
-}
@@ -1,300 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/aead.h>
-
-#include <string.h>
-
-#include <openssl/chacha.h>
-#include <openssl/cipher.h>
-#include <openssl/err.h>
-#include <openssl/mem.h>
-#include <openssl/poly1305.h>
-
-#include "internal.h"
-#include "../internal.h"
-
-
-#define POLY1305_TAG_LEN 16
-
-struct aead_chacha20_poly1305_ctx {
-  unsigned char key[32];
-  unsigned char tag_len;
-};
-
-static int aead_chacha20_poly1305_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
-                                       size_t key_len, size_t tag_len) {
-  struct aead_chacha20_poly1305_ctx *c20_ctx;
-
-  if (tag_len == 0) {
-    tag_len = POLY1305_TAG_LEN;
-  }
-
-  if (tag_len > POLY1305_TAG_LEN) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
-    return 0;
-  }
-
-  if (key_len != sizeof(c20_ctx->key)) {
-    return 0; /* internal error - EVP_AEAD_CTX_init should catch this. */
-  }
-
-  c20_ctx = OPENSSL_malloc(sizeof(struct aead_chacha20_poly1305_ctx));
-  if (c20_ctx == NULL) {
-    return 0;
-  }
-
-  OPENSSL_memcpy(c20_ctx->key, key, key_len);
-  c20_ctx->tag_len = tag_len;
-  ctx->aead_state = c20_ctx;
-
-  return 1;
-}
-
-static void aead_chacha20_poly1305_cleanup(EVP_AEAD_CTX *ctx) {
-  struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state;
-  OPENSSL_cleanse(c20_ctx->key, sizeof(c20_ctx->key));
-  OPENSSL_free(c20_ctx);
-}
-
-static void poly1305_update_length(poly1305_state *poly1305, size_t data_len) {
-  uint8_t length_bytes[8];
-  unsigned i;
-
-  for (i = 0; i < sizeof(length_bytes); i++) {
-    length_bytes[i] = data_len;
-    data_len >>= 8;
-  }
-
-  CRYPTO_poly1305_update(poly1305, length_bytes, sizeof(length_bytes));
-}
-
-typedef void (*aead_poly1305_update)(poly1305_state *ctx, const uint8_t *ad,
-                                     size_t ad_len, const uint8_t *ciphertext,
-                                     size_t ciphertext_len);
-
-/* aead_poly1305 fills |tag| with the authentication tag for the given
- * inputs, using |update| to control the order and format that the inputs are
- * signed/authenticated. */
-static void aead_poly1305(aead_poly1305_update update,
-                          uint8_t tag[POLY1305_TAG_LEN],
-                          const struct aead_chacha20_poly1305_ctx *c20_ctx,
-                          const uint8_t nonce[12], const uint8_t *ad,
-                          size_t ad_len, const uint8_t *ciphertext,
-                          size_t ciphertext_len) {
-  alignas(16) uint8_t poly1305_key[32];
-  OPENSSL_memset(poly1305_key, 0, sizeof(poly1305_key));
-  CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key),
-                   c20_ctx->key, nonce, 0);
-  poly1305_state ctx;
-  CRYPTO_poly1305_init(&ctx, poly1305_key);
-  update(&ctx, ad, ad_len, ciphertext, ciphertext_len);
-  CRYPTO_poly1305_finish(&ctx, tag);
-}
-
-static int seal_impl(aead_poly1305_update poly1305_update,
-                     const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len,
-                     size_t max_out_len, const uint8_t nonce[12],
-                     const uint8_t *in, size_t in_len, const uint8_t *ad,
-                     size_t ad_len) {
-  const struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state;
-  const uint64_t in_len_64 = in_len;
-
-  /* |CRYPTO_chacha_20| uses a 32-bit block counter. Therefore we disallow
-   * individual operations that work on more than 256GB at a time.
-   * |in_len_64| is needed because, on 32-bit platforms, size_t is only
-   * 32-bits and this produces a warning because it's always false.
-   * Casting to uint64_t inside the conditional is not sufficient to stop
-   * the warning. */
-  if (in_len_64 >= (UINT64_C(1) << 32) * 64 - 64) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
-    return 0;
-  }
-
-  if (in_len + c20_ctx->tag_len < in_len) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
-    return 0;
-  }
-
-  if (max_out_len < in_len + c20_ctx->tag_len) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
-    return 0;
-  }
-
-  CRYPTO_chacha_20(out, in, in_len, c20_ctx->key, nonce, 1);
-
-  alignas(16) uint8_t tag[POLY1305_TAG_LEN];
-  aead_poly1305(poly1305_update, tag, c20_ctx, nonce, ad, ad_len, out, in_len);
-
-  OPENSSL_memcpy(out + in_len, tag, c20_ctx->tag_len);
-  *out_len = in_len + c20_ctx->tag_len;
-  return 1;
-}
-
-static int open_impl(aead_poly1305_update poly1305_update,
-                     const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len,
-                     size_t max_out_len, const uint8_t nonce[12],
-                     const uint8_t *in, size_t in_len, const uint8_t *ad,
-                     size_t ad_len) {
-  const struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state;
-  size_t plaintext_len;
-  const uint64_t in_len_64 = in_len;
-
-  if (in_len < c20_ctx->tag_len) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
-    return 0;
-  }
-
-  /* |CRYPTO_chacha_20| uses a 32-bit block counter. Therefore we disallow
-   * individual operations that work on more than 256GB at a time.
-   * |in_len_64| is needed because, on 32-bit platforms, size_t is only
-   * 32-bits and this produces a warning because it's always false.
-   * Casting to uint64_t inside the conditional is not sufficient to stop
-   * the warning. */
-  if (in_len_64 >= (UINT64_C(1) << 32) * 64 - 64) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
-    return 0;
-  }
-
-  plaintext_len = in_len - c20_ctx->tag_len;
-  alignas(16) uint8_t tag[POLY1305_TAG_LEN];
-  aead_poly1305(poly1305_update, tag, c20_ctx, nonce, ad, ad_len, in,
-                plaintext_len);
-  if (CRYPTO_memcmp(tag, in + plaintext_len, c20_ctx->tag_len) != 0) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
-    return 0;
-  }
-
-  CRYPTO_chacha_20(out, in, plaintext_len, c20_ctx->key, nonce, 1);
-  *out_len = plaintext_len;
-  return 1;
-}
-
-static void poly1305_update_padded_16(poly1305_state *poly1305,
-                                      const uint8_t *data, size_t data_len) {
-  static const uint8_t padding[16] = { 0 }; /* Padding is all zeros. */
-
-  CRYPTO_poly1305_update(poly1305, data, data_len);
-  if (data_len % 16 != 0) {
-    CRYPTO_poly1305_update(poly1305, padding, sizeof(padding) - (data_len % 16));
-  }
-}
-
-static void poly1305_update(poly1305_state *ctx, const uint8_t *ad,
-                            size_t ad_len, const uint8_t *ciphertext,
-                            size_t ciphertext_len) {
-  poly1305_update_padded_16(ctx, ad, ad_len);
-  poly1305_update_padded_16(ctx, ciphertext, ciphertext_len);
-  poly1305_update_length(ctx, ad_len);
-  poly1305_update_length(ctx, ciphertext_len);
-}
-
-static int aead_chacha20_poly1305_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
-                                       size_t *out_len, size_t max_out_len,
-                                       const uint8_t *nonce, size_t nonce_len,
-                                       const uint8_t *in, size_t in_len,
-                                       const uint8_t *ad, size_t ad_len) {
-  if (nonce_len != 12) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
-    return 0;
-  }
-  return seal_impl(poly1305_update, ctx, out, out_len, max_out_len, nonce, in,
-                   in_len, ad, ad_len);
-}
-
-static int aead_chacha20_poly1305_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
-                                       size_t *out_len, size_t max_out_len,
-                                       const uint8_t *nonce, size_t nonce_len,
-                                       const uint8_t *in, size_t in_len,
-                                       const uint8_t *ad, size_t ad_len) {
-  if (nonce_len != 12) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
-    return 0;
-  }
-  return open_impl(poly1305_update, ctx, out, out_len, max_out_len, nonce, in,
-                   in_len, ad, ad_len);
-}
-
-static const EVP_AEAD aead_chacha20_poly1305 = {
-    32,                 /* key len */
-    12,                 /* nonce len */
-    POLY1305_TAG_LEN,   /* overhead */
-    POLY1305_TAG_LEN,   /* max tag length */
-    aead_chacha20_poly1305_init,
-    NULL, /* init_with_direction */
-    aead_chacha20_poly1305_cleanup,
-    aead_chacha20_poly1305_seal,
-    aead_chacha20_poly1305_open,
-    NULL,               /* get_iv */
-};
-
-const EVP_AEAD *EVP_aead_chacha20_poly1305(void) {
-  return &aead_chacha20_poly1305;
-}
-
-static void poly1305_update_old(poly1305_state *ctx, const uint8_t *ad,
-                                size_t ad_len, const uint8_t *ciphertext,
-                                size_t ciphertext_len) {
-  CRYPTO_poly1305_update(ctx, ad, ad_len);
-  poly1305_update_length(ctx, ad_len);
-  CRYPTO_poly1305_update(ctx, ciphertext, ciphertext_len);
-  poly1305_update_length(ctx, ciphertext_len);
-}
-
-static int aead_chacha20_poly1305_old_seal(
-    const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len, size_t max_out_len,
-    const uint8_t *nonce, size_t nonce_len, const uint8_t *in, size_t in_len,
-    const uint8_t *ad, size_t ad_len) {
-  if (nonce_len != 8) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
-    return 0;
-  }
-  uint8_t nonce_96[12];
-  OPENSSL_memset(nonce_96, 0, 4);
-  OPENSSL_memcpy(nonce_96 + 4, nonce, 8);
-  return seal_impl(poly1305_update_old, ctx, out, out_len, max_out_len,
-                   nonce_96, in, in_len, ad, ad_len);
-}
-
-static int aead_chacha20_poly1305_old_open(
-    const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len, size_t max_out_len,
-    const uint8_t *nonce, size_t nonce_len, const uint8_t *in, size_t in_len,
-    const uint8_t *ad, size_t ad_len) {
-  if (nonce_len != 8) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
-    return 0;
-  }
-  uint8_t nonce_96[12];
-  OPENSSL_memset(nonce_96, 0, 4);
-  OPENSSL_memcpy(nonce_96 + 4, nonce, 8);
-  return open_impl(poly1305_update_old, ctx, out, out_len, max_out_len,
-                   nonce_96, in, in_len, ad, ad_len);
-}
-
-static const EVP_AEAD aead_chacha20_poly1305_old = {
-    32,                 /* key len */
-    8,                  /* nonce len */
-    POLY1305_TAG_LEN,   /* overhead */
-    POLY1305_TAG_LEN,   /* max tag length */
-    aead_chacha20_poly1305_init,
-    NULL, /* init_with_direction */
-    aead_chacha20_poly1305_cleanup,
-    aead_chacha20_poly1305_old_seal,
-    aead_chacha20_poly1305_old_open,
-    NULL,               /* get_iv */
-};
-
-const EVP_AEAD *EVP_aead_chacha20_poly1305_old(void) {
-  return &aead_chacha20_poly1305_old;
-}
@@ -1,404 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <assert.h>
-#include <limits.h>
-#include <string.h>
-
-#include <openssl/aead.h>
-#include <openssl/cipher.h>
-#include <openssl/err.h>
-#include <openssl/hmac.h>
-#include <openssl/md5.h>
-#include <openssl/mem.h>
-#include <openssl/sha.h>
-
-#include "internal.h"
-#include "../internal.h"
-
-
-typedef struct {
-  EVP_CIPHER_CTX cipher_ctx;
-  EVP_MD_CTX md_ctx;
-} AEAD_SSL3_CTX;
-
-static int ssl3_mac(AEAD_SSL3_CTX *ssl3_ctx, uint8_t *out, unsigned *out_len,
-                    const uint8_t *ad, size_t ad_len, const uint8_t *in,
-                    size_t in_len) {
-  size_t md_size = EVP_MD_CTX_size(&ssl3_ctx->md_ctx);
-  size_t pad_len = (md_size == 20) ? 40 : 48;
-
-  /* To allow for CBC mode which changes cipher length, |ad| doesn't include the
-   * length for legacy ciphers. */
-  uint8_t ad_extra[2];
-  ad_extra[0] = (uint8_t)(in_len >> 8);
-  ad_extra[1] = (uint8_t)(in_len & 0xff);
-
-  EVP_MD_CTX md_ctx;
-  EVP_MD_CTX_init(&md_ctx);
-
-  uint8_t pad[48];
-  uint8_t tmp[EVP_MAX_MD_SIZE];
-  OPENSSL_memset(pad, 0x36, pad_len);
-  if (!EVP_MD_CTX_copy_ex(&md_ctx, &ssl3_ctx->md_ctx) ||
-      !EVP_DigestUpdate(&md_ctx, pad, pad_len) ||
-      !EVP_DigestUpdate(&md_ctx, ad, ad_len) ||
-      !EVP_DigestUpdate(&md_ctx, ad_extra, sizeof(ad_extra)) ||
-      !EVP_DigestUpdate(&md_ctx, in, in_len) ||
-      !EVP_DigestFinal_ex(&md_ctx, tmp, NULL)) {
-    EVP_MD_CTX_cleanup(&md_ctx);
-    return 0;
-  }
-
-  OPENSSL_memset(pad, 0x5c, pad_len);
-  if (!EVP_MD_CTX_copy_ex(&md_ctx, &ssl3_ctx->md_ctx) ||
-      !EVP_DigestUpdate(&md_ctx, pad, pad_len) ||
-      !EVP_DigestUpdate(&md_ctx, tmp, md_size) ||
-      !EVP_DigestFinal_ex(&md_ctx, out, out_len)) {
-    EVP_MD_CTX_cleanup(&md_ctx);
-    return 0;
-  }
-  EVP_MD_CTX_cleanup(&md_ctx);
-  return 1;
-}
-
-static void aead_ssl3_cleanup(EVP_AEAD_CTX *ctx) {
-  AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;
-  EVP_CIPHER_CTX_cleanup(&ssl3_ctx->cipher_ctx);
-  EVP_MD_CTX_cleanup(&ssl3_ctx->md_ctx);
-  OPENSSL_free(ssl3_ctx);
-  ctx->aead_state = NULL;
-}
-
-static int aead_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,
-                          size_t tag_len, enum evp_aead_direction_t dir,
-                          const EVP_CIPHER *cipher, const EVP_MD *md) {
-  if (tag_len != EVP_AEAD_DEFAULT_TAG_LENGTH &&
-      tag_len != EVP_MD_size(md)) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_TAG_SIZE);
-    return 0;
-  }
-
-  if (key_len != EVP_AEAD_key_length(ctx->aead)) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
-    return 0;
-  }
-
-  size_t mac_key_len = EVP_MD_size(md);
-  size_t enc_key_len = EVP_CIPHER_key_length(cipher);
-  assert(mac_key_len + enc_key_len + EVP_CIPHER_iv_length(cipher) == key_len);
-
-  AEAD_SSL3_CTX *ssl3_ctx = OPENSSL_malloc(sizeof(AEAD_SSL3_CTX));
-  if (ssl3_ctx == NULL) {
-    OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE);
-    return 0;
-  }
-  EVP_CIPHER_CTX_init(&ssl3_ctx->cipher_ctx);
-  EVP_MD_CTX_init(&ssl3_ctx->md_ctx);
-
-  ctx->aead_state = ssl3_ctx;
-  if (!EVP_CipherInit_ex(&ssl3_ctx->cipher_ctx, cipher, NULL, &key[mac_key_len],
-                         &key[mac_key_len + enc_key_len],
-                         dir == evp_aead_seal) ||
-      !EVP_DigestInit_ex(&ssl3_ctx->md_ctx, md, NULL) ||
-      !EVP_DigestUpdate(&ssl3_ctx->md_ctx, key, mac_key_len)) {
-    aead_ssl3_cleanup(ctx);
-    ctx->aead_state = NULL;
-    return 0;
-  }
-  EVP_CIPHER_CTX_set_padding(&ssl3_ctx->cipher_ctx, 0);
-
-  return 1;
-}
-
-static int aead_ssl3_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
-                         size_t *out_len, size_t max_out_len,
-                         const uint8_t *nonce, size_t nonce_len,
-                         const uint8_t *in, size_t in_len,
-                         const uint8_t *ad, size_t ad_len) {
-  AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;
-  size_t total = 0;
-
-  if (!ssl3_ctx->cipher_ctx.encrypt) {
-    /* Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction. */
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
-    return 0;
-  }
-
-  if (in_len + EVP_AEAD_max_overhead(ctx->aead) < in_len ||
-      in_len > INT_MAX) {
-    /* EVP_CIPHER takes int as input. */
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
-    return 0;
-  }
-
-  if (max_out_len < in_len + EVP_AEAD_max_overhead(ctx->aead)) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
-    return 0;
-  }
-
-  if (nonce_len != 0) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_IV_TOO_LARGE);
-    return 0;
-  }
-
-  if (ad_len != 11 - 2 /* length bytes */) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE);
-    return 0;
-  }
-
-  /* Compute the MAC. This must be first in case the operation is being done
-   * in-place. */
-  uint8_t mac[EVP_MAX_MD_SIZE];
-  unsigned mac_len;
-  if (!ssl3_mac(ssl3_ctx, mac, &mac_len, ad, ad_len, in, in_len)) {
-    return 0;
-  }
-
-  /* Encrypt the input. */
-  int len;
-  if (!EVP_EncryptUpdate(&ssl3_ctx->cipher_ctx, out, &len, in,
-                         (int)in_len)) {
-    return 0;
-  }
-  total = len;
-
-  /* Feed the MAC into the cipher. */
-  if (!EVP_EncryptUpdate(&ssl3_ctx->cipher_ctx, out + total, &len, mac,
-                         (int)mac_len)) {
-    return 0;
-  }
-  total += len;
-
-  unsigned block_size = EVP_CIPHER_CTX_block_size(&ssl3_ctx->cipher_ctx);
-  if (block_size > 1) {
-    assert(block_size <= 256);
-    assert(EVP_CIPHER_CTX_mode(&ssl3_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE);
-
-    /* Compute padding and feed that into the cipher. */
-    uint8_t padding[256];
-    unsigned padding_len = block_size - ((in_len + mac_len) % block_size);
-    OPENSSL_memset(padding, 0, padding_len - 1);
-    padding[padding_len - 1] = padding_len - 1;
-    if (!EVP_EncryptUpdate(&ssl3_ctx->cipher_ctx, out + total, &len, padding,
-                           (int)padding_len)) {
-      return 0;
-    }
-    total += len;
-  }
-
-  if (!EVP_EncryptFinal_ex(&ssl3_ctx->cipher_ctx, out + total, &len)) {
-    return 0;
-  }
-  total += len;
-
-  *out_len = total;
-  return 1;
-}
-
-static int aead_ssl3_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
-                         size_t *out_len, size_t max_out_len,
-                         const uint8_t *nonce, size_t nonce_len,
-                         const uint8_t *in, size_t in_len,
-                         const uint8_t *ad, size_t ad_len) {
-  AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;
-
-  if (ssl3_ctx->cipher_ctx.encrypt) {
-    /* Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction. */
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
-    return 0;
-  }
-
-  size_t mac_len = EVP_MD_CTX_size(&ssl3_ctx->md_ctx);
-  if (in_len < mac_len) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
-    return 0;
-  }
-
-  if (max_out_len < in_len) {
-    /* This requires that the caller provide space for the MAC, even though it
-     * will always be removed on return. */
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
-    return 0;
-  }
-
-  if (nonce_len != 0) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
-    return 0;
-  }
-
-  if (ad_len != 11 - 2 /* length bytes */) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE);
-    return 0;
-  }
-
-  if (in_len > INT_MAX) {
-    /* EVP_CIPHER takes int as input. */
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
-    return 0;
-  }
-
-  /* Decrypt to get the plaintext + MAC + padding. */
-  size_t total = 0;
-  int len;
-  if (!EVP_DecryptUpdate(&ssl3_ctx->cipher_ctx, out, &len, in, (int)in_len)) {
-    return 0;
-  }
-  total += len;
-  if (!EVP_DecryptFinal_ex(&ssl3_ctx->cipher_ctx, out + total, &len)) {
-    return 0;
-  }
-  total += len;
-  assert(total == in_len);
-
-  /* Remove CBC padding and MAC. This would normally be timing-sensitive, but
-   * SSLv3 CBC ciphers are already broken. Support will be removed eventually.
-   * https://www.openssl.org/~bodo/ssl-poodle.pdf */
-  size_t data_len;
-  if (EVP_CIPHER_CTX_mode(&ssl3_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE) {
-    unsigned padding_length = out[total - 1];
-    if (total < padding_length + 1 + mac_len) {
-      OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
-      return 0;
-    }
-    /* The padding must be minimal. */
-    if (padding_length + 1 > EVP_CIPHER_CTX_block_size(&ssl3_ctx->cipher_ctx)) {
-      OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
-      return 0;
-    }
-    data_len = total - padding_length - 1 - mac_len;
-  } else {
-    data_len = total - mac_len;
-  }
-
-  /* Compute the MAC and compare against the one in the record. */
-  uint8_t mac[EVP_MAX_MD_SIZE];
-  if (!ssl3_mac(ssl3_ctx, mac, NULL, ad, ad_len, out, data_len)) {
-    return 0;
-  }
-  if (CRYPTO_memcmp(&out[data_len], mac, mac_len) != 0) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
-    return 0;
-  }
-
-  *out_len = data_len;
-  return 1;
-}
-
-static int aead_ssl3_get_iv(const EVP_AEAD_CTX *ctx, const uint8_t **out_iv,
-                            size_t *out_iv_len) {
-  AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;
-  const size_t iv_len = EVP_CIPHER_CTX_iv_length(&ssl3_ctx->cipher_ctx);
-  if (iv_len <= 1) {
-    return 0;
-  }
-
-  *out_iv = ssl3_ctx->cipher_ctx.iv;
-  *out_iv_len = iv_len;
-  return 1;
-}
-
-static int aead_aes_128_cbc_sha1_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
-                                           size_t key_len, size_t tag_len,
-                                           enum evp_aead_direction_t dir) {
-  return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(),
-                        EVP_sha1());
-}
-
-static int aead_aes_256_cbc_sha1_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
-                                           size_t key_len, size_t tag_len,
-                                           enum evp_aead_direction_t dir) {
-  return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),
-                        EVP_sha1());
-}
-static int aead_des_ede3_cbc_sha1_ssl3_init(EVP_AEAD_CTX *ctx,
-                                            const uint8_t *key, size_t key_len,
-                                            size_t tag_len,
-                                            enum evp_aead_direction_t dir) {
-  return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_des_ede3_cbc(),
-                        EVP_sha1());
-}
-
-static int aead_null_sha1_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
-                                    size_t key_len, size_t tag_len,
-                                    enum evp_aead_direction_t dir) {
-  return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_enc_null(),
-                        EVP_sha1());
-}
-
-static const EVP_AEAD aead_aes_128_cbc_sha1_ssl3 = {
-    SHA_DIGEST_LENGTH + 16 + 16, /* key len (SHA1 + AES128 + IV) */
-    0,                           /* nonce len */
-    16 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */
-    SHA_DIGEST_LENGTH,           /* max tag length */
-    NULL, /* init */
-    aead_aes_128_cbc_sha1_ssl3_init,
-    aead_ssl3_cleanup,
-    aead_ssl3_seal,
-    aead_ssl3_open,
-    aead_ssl3_get_iv,
-};
-
-static const EVP_AEAD aead_aes_256_cbc_sha1_ssl3 = {
-    SHA_DIGEST_LENGTH + 32 + 16, /* key len (SHA1 + AES256 + IV) */
-    0,                           /* nonce len */
-    16 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */
-    SHA_DIGEST_LENGTH,           /* max tag length */
-    NULL, /* init */
-    aead_aes_256_cbc_sha1_ssl3_init,
-    aead_ssl3_cleanup,
-    aead_ssl3_seal,
-    aead_ssl3_open,
-    aead_ssl3_get_iv,
-};
-
-static const EVP_AEAD aead_des_ede3_cbc_sha1_ssl3 = {
-    SHA_DIGEST_LENGTH + 24 + 8, /* key len (SHA1 + 3DES + IV) */
-    0,                          /* nonce len */
-    8 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */
-    SHA_DIGEST_LENGTH,          /* max tag length */
-    NULL, /* init */
-    aead_des_ede3_cbc_sha1_ssl3_init,
-    aead_ssl3_cleanup,
-    aead_ssl3_seal,
-    aead_ssl3_open,
-    aead_ssl3_get_iv,
-};
-
-static const EVP_AEAD aead_null_sha1_ssl3 = {
-    SHA_DIGEST_LENGTH,          /* key len */
-    0,                          /* nonce len */
-    SHA_DIGEST_LENGTH,          /* overhead (SHA1) */
-    SHA_DIGEST_LENGTH,          /* max tag length */
-    NULL,                       /* init */
-    aead_null_sha1_ssl3_init,
-    aead_ssl3_cleanup,
-    aead_ssl3_seal,
-    aead_ssl3_open,
-    NULL,                       /* get_iv */
-};
-
-const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_ssl3(void) {
-  return &aead_aes_128_cbc_sha1_ssl3;
-}
-
-const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_ssl3(void) {
-  return &aead_aes_256_cbc_sha1_ssl3;
-}
-
-const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_ssl3(void) {
-  return &aead_des_ede3_cbc_sha1_ssl3;
-}
-
-const EVP_AEAD *EVP_aead_null_sha1_ssl3(void) { return &aead_null_sha1_ssl3; }
@@ -1,602 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <assert.h>
-#include <limits.h>
-#include <string.h>
-
-#include <openssl/aead.h>
-#include <openssl/cipher.h>
-#include <openssl/err.h>
-#include <openssl/hmac.h>
-#include <openssl/md5.h>
-#include <openssl/mem.h>
-#include <openssl/sha.h>
-#include <openssl/type_check.h>
-
-#include "../internal.h"
-#include "internal.h"
-
-
-typedef struct {
-  EVP_CIPHER_CTX cipher_ctx;
-  HMAC_CTX hmac_ctx;
-  /* mac_key is the portion of the key used for the MAC. It is retained
-   * separately for the constant-time CBC code. */
-  uint8_t mac_key[EVP_MAX_MD_SIZE];
-  uint8_t mac_key_len;
-  /* implicit_iv is one iff this is a pre-TLS-1.1 CBC cipher without an explicit
-   * IV. */
-  char implicit_iv;
-} AEAD_TLS_CTX;
-
-OPENSSL_COMPILE_ASSERT(EVP_MAX_MD_SIZE < 256, mac_key_len_fits_in_uint8_t);
-
-static void aead_tls_cleanup(EVP_AEAD_CTX *ctx) {
-  AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)ctx->aead_state;
-  EVP_CIPHER_CTX_cleanup(&tls_ctx->cipher_ctx);
-  HMAC_CTX_cleanup(&tls_ctx->hmac_ctx);
-  OPENSSL_cleanse(&tls_ctx->mac_key, sizeof(tls_ctx->mac_key));
-  OPENSSL_free(tls_ctx);
-  ctx->aead_state = NULL;
-}
-
-static int aead_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,
-                         size_t tag_len, enum evp_aead_direction_t dir,
-                         const EVP_CIPHER *cipher, const EVP_MD *md,
-                         char implicit_iv) {
-  if (tag_len != EVP_AEAD_DEFAULT_TAG_LENGTH &&
-      tag_len != EVP_MD_size(md)) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_TAG_SIZE);
-    return 0;
-  }
-
-  if (key_len != EVP_AEAD_key_length(ctx->aead)) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
-    return 0;
-  }
-
-  size_t mac_key_len = EVP_MD_size(md);
-  size_t enc_key_len = EVP_CIPHER_key_length(cipher);
-  assert(mac_key_len + enc_key_len +
-         (implicit_iv ? EVP_CIPHER_iv_length(cipher) : 0) == key_len);
-
-  AEAD_TLS_CTX *tls_ctx = OPENSSL_malloc(sizeof(AEAD_TLS_CTX));
-  if (tls_ctx == NULL) {
-    OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE);
-    return 0;
-  }
-  EVP_CIPHER_CTX_init(&tls_ctx->cipher_ctx);
-  HMAC_CTX_init(&tls_ctx->hmac_ctx);
-  assert(mac_key_len <= EVP_MAX_MD_SIZE);
-  OPENSSL_memcpy(tls_ctx->mac_key, key, mac_key_len);
-  tls_ctx->mac_key_len = (uint8_t)mac_key_len;
-  tls_ctx->implicit_iv = implicit_iv;
-
-  ctx->aead_state = tls_ctx;
-  if (!EVP_CipherInit_ex(&tls_ctx->cipher_ctx, cipher, NULL, &key[mac_key_len],
-                         implicit_iv ? &key[mac_key_len + enc_key_len] : NULL,
-                         dir == evp_aead_seal) ||
-      !HMAC_Init_ex(&tls_ctx->hmac_ctx, key, mac_key_len, md, NULL)) {
-    aead_tls_cleanup(ctx);
-    ctx->aead_state = NULL;
-    return 0;
-  }
-  EVP_CIPHER_CTX_set_padding(&tls_ctx->cipher_ctx, 0);
-
-  return 1;
-}
-
-static int aead_tls_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
-                         size_t *out_len, size_t max_out_len,
-                         const uint8_t *nonce, size_t nonce_len,
-                         const uint8_t *in, size_t in_len,
-                         const uint8_t *ad, size_t ad_len) {
-  AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)ctx->aead_state;
-  size_t total = 0;
-
-  if (!tls_ctx->cipher_ctx.encrypt) {
-    /* Unlike a normal AEAD, a TLS AEAD may only be used in one direction. */
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
-    return 0;
-  }
-
-  if (in_len + EVP_AEAD_max_overhead(ctx->aead) < in_len ||
-      in_len > INT_MAX) {
-    /* EVP_CIPHER takes int as input. */
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
-    return 0;
-  }
-
-  if (max_out_len < in_len + EVP_AEAD_max_overhead(ctx->aead)) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
-    return 0;
-  }
-
-  if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE);
-    return 0;
-  }
-
-  if (ad_len != 13 - 2 /* length bytes */) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE);
-    return 0;
-  }
-
-  /* To allow for CBC mode which changes cipher length, |ad| doesn't include the
-   * length for legacy ciphers. */
-  uint8_t ad_extra[2];
-  ad_extra[0] = (uint8_t)(in_len >> 8);
-  ad_extra[1] = (uint8_t)(in_len & 0xff);
-
-  /* Compute the MAC. This must be first in case the operation is being done
-   * in-place. */
-  uint8_t mac[EVP_MAX_MD_SIZE];
-  unsigned mac_len;
-  if (!HMAC_Init_ex(&tls_ctx->hmac_ctx, NULL, 0, NULL, NULL) ||
-      !HMAC_Update(&tls_ctx->hmac_ctx, ad, ad_len) ||
-      !HMAC_Update(&tls_ctx->hmac_ctx, ad_extra, sizeof(ad_extra)) ||
-      !HMAC_Update(&tls_ctx->hmac_ctx, in, in_len) ||
-      !HMAC_Final(&tls_ctx->hmac_ctx, mac, &mac_len)) {
-    return 0;
-  }
-
-  /* Configure the explicit IV. */
-  if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE &&
-      !tls_ctx->implicit_iv &&
-      !EVP_EncryptInit_ex(&tls_ctx->cipher_ctx, NULL, NULL, NULL, nonce)) {
-    return 0;
-  }
-
-  /* Encrypt the input. */
-  int len;
-  if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out, &len, in,
-                         (int)in_len)) {
-    return 0;
-  }
-  total = len;
-
-  /* Feed the MAC into the cipher. */
-  if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out + total, &len, mac,
-                         (int)mac_len)) {
-    return 0;
-  }
-  total += len;
-
-  unsigned block_size = EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx);
-  if (block_size > 1) {
-    assert(block_size <= 256);
-    assert(EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE);
-
-    /* Compute padding and feed that into the cipher. */
-    uint8_t padding[256];
-    unsigned padding_len = block_size - ((in_len + mac_len) % block_size);
-    OPENSSL_memset(padding, padding_len - 1, padding_len);
-    if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out + total, &len, padding,
-                           (int)padding_len)) {
-      return 0;
-    }
-    total += len;
-  }
-
-  if (!EVP_EncryptFinal_ex(&tls_ctx->cipher_ctx, out + total, &len)) {
-    return 0;
-  }
-  total += len;
-
-  *out_len = total;
-  return 1;
-}
-
-static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
-                         size_t *out_len, size_t max_out_len,
-                         const uint8_t *nonce, size_t nonce_len,
-                         const uint8_t *in, size_t in_len,
-                         const uint8_t *ad, size_t ad_len) {
-  AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)ctx->aead_state;
-
-  if (tls_ctx->cipher_ctx.encrypt) {
-    /* Unlike a normal AEAD, a TLS AEAD may only be used in one direction. */
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
-    return 0;
-  }
-
-  if (in_len < HMAC_size(&tls_ctx->hmac_ctx)) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
-    return 0;
-  }
-
-  if (max_out_len < in_len) {
-    /* This requires that the caller provide space for the MAC, even though it
-     * will always be removed on return. */
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
-    return 0;
-  }
-
-  if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE);
-    return 0;
-  }
-
-  if (ad_len != 13 - 2 /* length bytes */) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE);
-    return 0;
-  }
-
-  if (in_len > INT_MAX) {
-    /* EVP_CIPHER takes int as input. */
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
-    return 0;
-  }
-
-  /* Configure the explicit IV. */
-  if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE &&
-      !tls_ctx->implicit_iv &&
-      !EVP_DecryptInit_ex(&tls_ctx->cipher_ctx, NULL, NULL, NULL, nonce)) {
-    return 0;
-  }
-
-  /* Decrypt to get the plaintext + MAC + padding. */
-  size_t total = 0;
-  int len;
-  if (!EVP_DecryptUpdate(&tls_ctx->cipher_ctx, out, &len, in, (int)in_len)) {
-    return 0;
-  }
-  total += len;
-  if (!EVP_DecryptFinal_ex(&tls_ctx->cipher_ctx, out + total, &len)) {
-    return 0;
-  }
-  total += len;
-  assert(total == in_len);
-
-  /* Remove CBC padding. Code from here on is timing-sensitive with respect to
-   * |padding_ok| and |data_plus_mac_len| for CBC ciphers. */
-  unsigned padding_ok, data_plus_mac_len;
-  if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE) {
-    if (!EVP_tls_cbc_remove_padding(
-            &padding_ok, &data_plus_mac_len, out, total,
-            EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx),
-            (unsigned)HMAC_size(&tls_ctx->hmac_ctx))) {
-      /* Publicly invalid. This can be rejected in non-constant time. */
-      OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
-      return 0;
-    }
-  } else {
-    padding_ok = ~0u;
-    data_plus_mac_len = total;
-    /* |data_plus_mac_len| = |total| = |in_len| at this point. |in_len| has
-     * already been checked against the MAC size at the top of the function. */
-    assert(data_plus_mac_len >= HMAC_size(&tls_ctx->hmac_ctx));
-  }
-  unsigned data_len = data_plus_mac_len - HMAC_size(&tls_ctx->hmac_ctx);
-
-  /* At this point, if the padding is valid, the first |data_plus_mac_len| bytes
-   * after |out| are the plaintext and MAC. Otherwise, |data_plus_mac_len| is
-   * still large enough to extract a MAC, but it will be irrelevant. */
-
-  /* To allow for CBC mode which changes cipher length, |ad| doesn't include the
-   * length for legacy ciphers. */
-  uint8_t ad_fixed[13];
-  OPENSSL_memcpy(ad_fixed, ad, 11);
-  ad_fixed[11] = (uint8_t)(data_len >> 8);
-  ad_fixed[12] = (uint8_t)(data_len & 0xff);
-  ad_len += 2;
-
-  /* Compute the MAC and extract the one in the record. */
-  uint8_t mac[EVP_MAX_MD_SIZE];
-  size_t mac_len;
-  uint8_t record_mac_tmp[EVP_MAX_MD_SIZE];
-  uint8_t *record_mac;
-  if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE &&
-      EVP_tls_cbc_record_digest_supported(tls_ctx->hmac_ctx.md)) {
-    if (!EVP_tls_cbc_digest_record(tls_ctx->hmac_ctx.md, mac, &mac_len,
-                                   ad_fixed, out, data_plus_mac_len, total,
-                                   tls_ctx->mac_key, tls_ctx->mac_key_len)) {
-      OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
-      return 0;
-    }
-    assert(mac_len == HMAC_size(&tls_ctx->hmac_ctx));
-
-    record_mac = record_mac_tmp;
-    EVP_tls_cbc_copy_mac(record_mac, mac_len, out, data_plus_mac_len, total);
-  } else {
-    /* We should support the constant-time path for all CBC-mode ciphers
-     * implemented. */
-    assert(EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) != EVP_CIPH_CBC_MODE);
-
-    unsigned mac_len_u;
-    if (!HMAC_Init_ex(&tls_ctx->hmac_ctx, NULL, 0, NULL, NULL) ||
-        !HMAC_Update(&tls_ctx->hmac_ctx, ad_fixed, ad_len) ||
-        !HMAC_Update(&tls_ctx->hmac_ctx, out, data_len) ||
-        !HMAC_Final(&tls_ctx->hmac_ctx, mac, &mac_len_u)) {
-      return 0;
-    }
-    mac_len = mac_len_u;
-
-    assert(mac_len == HMAC_size(&tls_ctx->hmac_ctx));
-    record_mac = &out[data_len];
-  }
-
-  /* Perform the MAC check and the padding check in constant-time. It should be
-   * safe to simply perform the padding check first, but it would not be under a
-   * different choice of MAC location on padding failure. See
-   * EVP_tls_cbc_remove_padding. */
-  unsigned good = constant_time_eq_int(CRYPTO_memcmp(record_mac, mac, mac_len),
-                                       0);
-  good &= padding_ok;
-  if (!good) {
-    OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
-    return 0;
-  }
-
-  /* End of timing-sensitive code. */
-
-  *out_len = data_len;
-  return 1;
-}
-
-static int aead_aes_128_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
-                                          size_t key_len, size_t tag_len,
-                                          enum evp_aead_direction_t dir) {
-  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(),
-                       EVP_sha1(), 0);
-}
-
-static int aead_aes_128_cbc_sha1_tls_implicit_iv_init(
-    EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len,
-    enum evp_aead_direction_t dir) {
-  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(),
-                       EVP_sha1(), 1);
-}
-
-static int aead_aes_128_cbc_sha256_tls_init(EVP_AEAD_CTX *ctx,
-                                            const uint8_t *key, size_t key_len,
-                                            size_t tag_len,
-                                            enum evp_aead_direction_t dir) {
-  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(),
-                       EVP_sha256(), 0);
-}
-
-static int aead_aes_256_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
-                                          size_t key_len, size_t tag_len,
-                                          enum evp_aead_direction_t dir) {
-  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),
-                       EVP_sha1(), 0);
-}
-
-static int aead_aes_256_cbc_sha1_tls_implicit_iv_init(
-    EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len,
-    enum evp_aead_direction_t dir) {
-  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),
-                       EVP_sha1(), 1);
-}
-
-static int aead_aes_256_cbc_sha256_tls_init(EVP_AEAD_CTX *ctx,
-                                            const uint8_t *key, size_t key_len,
-                                            size_t tag_len,
-                                            enum evp_aead_direction_t dir) {
-  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),
-                       EVP_sha256(), 0);
-}
-
-static int aead_aes_256_cbc_sha384_tls_init(EVP_AEAD_CTX *ctx,
-                                            const uint8_t *key, size_t key_len,
-                                            size_t tag_len,
-                                            enum evp_aead_direction_t dir) {
-  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),
-                       EVP_sha384(), 0);
-}
-
-static int aead_des_ede3_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx,
-                                           const uint8_t *key, size_t key_len,
-                                           size_t tag_len,
-                                           enum evp_aead_direction_t dir) {
-  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_des_ede3_cbc(),
-                       EVP_sha1(), 0);
-}
-
-static int aead_des_ede3_cbc_sha1_tls_implicit_iv_init(
-    EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len,
-    enum evp_aead_direction_t dir) {
-  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_des_ede3_cbc(),
-                       EVP_sha1(), 1);
-}
-
-static int aead_tls_get_iv(const EVP_AEAD_CTX *ctx, const uint8_t **out_iv,
-                           size_t *out_iv_len) {
-  const AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX*) ctx->aead_state;
-  const size_t iv_len = EVP_CIPHER_CTX_iv_length(&tls_ctx->cipher_ctx);
-  if (iv_len <= 1) {
-    return 0;
-  }
-
-  *out_iv = tls_ctx->cipher_ctx.iv;
-  *out_iv_len = iv_len;
-  return 1;
-}
-
-static int aead_null_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
-                                   size_t key_len, size_t tag_len,
-                                   enum evp_aead_direction_t dir) {
-  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_enc_null(),
-                       EVP_sha1(), 1 /* implicit iv */);
-}
-
-static const EVP_AEAD aead_aes_128_cbc_sha1_tls = {
-    SHA_DIGEST_LENGTH + 16, /* key len (SHA1 + AES128) */
-    16,                     /* nonce len (IV) */
-    16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
-    SHA_DIGEST_LENGTH,      /* max tag length */
-    NULL, /* init */
-    aead_aes_128_cbc_sha1_tls_init,
-    aead_tls_cleanup,
-    aead_tls_seal,
-    aead_tls_open,
-    NULL,                   /* get_iv */
-};
-
-static const EVP_AEAD aead_aes_128_cbc_sha1_tls_implicit_iv = {
-    SHA_DIGEST_LENGTH + 16 + 16, /* key len (SHA1 + AES128 + IV) */
-    0,                           /* nonce len */
-    16 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */
-    SHA_DIGEST_LENGTH,           /* max tag length */
-    NULL, /* init */
-    aead_aes_128_cbc_sha1_tls_implicit_iv_init,
-    aead_tls_cleanup,
-    aead_tls_seal,
-    aead_tls_open,
-    aead_tls_get_iv,             /* get_iv */
-};
-
-static const EVP_AEAD aead_aes_128_cbc_sha256_tls = {
-    SHA256_DIGEST_LENGTH + 16, /* key len (SHA256 + AES128) */
-    16,                        /* nonce len (IV) */
-    16 + SHA256_DIGEST_LENGTH, /* overhead (padding + SHA256) */
-    SHA256_DIGEST_LENGTH,      /* max tag length */
-    NULL, /* init */
-    aead_aes_128_cbc_sha256_tls_init,
-    aead_tls_cleanup,
-    aead_tls_seal,
-    aead_tls_open,
-    NULL,                      /* get_iv */
-};
-
-static const EVP_AEAD aead_aes_256_cbc_sha1_tls = {
-    SHA_DIGEST_LENGTH + 32, /* key len (SHA1 + AES256) */
-    16,                     /* nonce len (IV) */
-    16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
-    SHA_DIGEST_LENGTH,      /* max tag length */
-    NULL, /* init */
-    aead_aes_256_cbc_sha1_tls_init,
-    aead_tls_cleanup,
-    aead_tls_seal,
-    aead_tls_open,
-    NULL,                   /* get_iv */
-};
-
-static const EVP_AEAD aead_aes_256_cbc_sha1_tls_implicit_iv = {
-    SHA_DIGEST_LENGTH + 32 + 16, /* key len (SHA1 + AES256 + IV) */
-    0,                           /* nonce len */
-    16 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */
-    SHA_DIGEST_LENGTH,           /* max tag length */
-    NULL, /* init */
-    aead_aes_256_cbc_sha1_tls_implicit_iv_init,
-    aead_tls_cleanup,
-    aead_tls_seal,
-    aead_tls_open,
-    aead_tls_get_iv,             /* get_iv */
-};
-
-static const EVP_AEAD aead_aes_256_cbc_sha256_tls = {
-    SHA256_DIGEST_LENGTH + 32, /* key len (SHA256 + AES256) */
-    16,                        /* nonce len (IV) */
-    16 + SHA256_DIGEST_LENGTH, /* overhead (padding + SHA256) */
-    SHA256_DIGEST_LENGTH,      /* max tag length */
-    NULL, /* init */
-    aead_aes_256_cbc_sha256_tls_init,
-    aead_tls_cleanup,
-    aead_tls_seal,
-    aead_tls_open,
-    NULL,                      /* get_iv */
-};
-
-static const EVP_AEAD aead_aes_256_cbc_sha384_tls = {
-    SHA384_DIGEST_LENGTH + 32, /* key len (SHA384 + AES256) */
-    16,                        /* nonce len (IV) */
-    16 + SHA384_DIGEST_LENGTH, /* overhead (padding + SHA384) */
-    SHA384_DIGEST_LENGTH,      /* max tag length */
-    NULL, /* init */
-    aead_aes_256_cbc_sha384_tls_init,
-    aead_tls_cleanup,
-    aead_tls_seal,
-    aead_tls_open,
-    NULL,                      /* get_iv */
-};
-
-static const EVP_AEAD aead_des_ede3_cbc_sha1_tls = {
-    SHA_DIGEST_LENGTH + 24, /* key len (SHA1 + 3DES) */
-    8,                      /* nonce len (IV) */
-    8 + SHA_DIGEST_LENGTH,  /* overhead (padding + SHA1) */
-    SHA_DIGEST_LENGTH,      /* max tag length */
-    NULL, /* init */
-    aead_des_ede3_cbc_sha1_tls_init,
-    aead_tls_cleanup,
-    aead_tls_seal,
-    aead_tls_open,
-    NULL,                   /* get_iv */
-};
-
-static const EVP_AEAD aead_des_ede3_cbc_sha1_tls_implicit_iv = {
-    SHA_DIGEST_LENGTH + 24 + 8, /* key len (SHA1 + 3DES + IV) */
-    0,                          /* nonce len */
-    8 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */
-    SHA_DIGEST_LENGTH,          /* max tag length */
-    NULL, /* init */
-    aead_des_ede3_cbc_sha1_tls_implicit_iv_init,
-    aead_tls_cleanup,
-    aead_tls_seal,
-    aead_tls_open,
-    aead_tls_get_iv,            /* get_iv */
-};
-
-static const EVP_AEAD aead_null_sha1_tls = {
-    SHA_DIGEST_LENGTH,          /* key len */
-    0,                          /* nonce len */
-    SHA_DIGEST_LENGTH,          /* overhead (SHA1) */
-    SHA_DIGEST_LENGTH,          /* max tag length */
-    NULL,                       /* init */
-    aead_null_sha1_tls_init,
-    aead_tls_cleanup,
-    aead_tls_seal,
-    aead_tls_open,
-    NULL,                       /* get_iv */
-};
-
-const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls(void) {
-  return &aead_aes_128_cbc_sha1_tls;
-}
-
-const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls_implicit_iv(void) {
-  return &aead_aes_128_cbc_sha1_tls_implicit_iv;
-}
-
-const EVP_AEAD *EVP_aead_aes_128_cbc_sha256_tls(void) {
-  return &aead_aes_128_cbc_sha256_tls;
-}
-
-const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls(void) {
-  return &aead_aes_256_cbc_sha1_tls;
-}
-
-const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls_implicit_iv(void) {
-  return &aead_aes_256_cbc_sha1_tls_implicit_iv;
-}
-
-const EVP_AEAD *EVP_aead_aes_256_cbc_sha256_tls(void) {
-  return &aead_aes_256_cbc_sha256_tls;
-}
-
-const EVP_AEAD *EVP_aead_aes_256_cbc_sha384_tls(void) {
-  return &aead_aes_256_cbc_sha384_tls;
-}
-
-const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls(void) {
-  return &aead_des_ede3_cbc_sha1_tls;
-}
-
-const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(void) {
-  return &aead_des_ede3_cbc_sha1_tls_implicit_iv;
-}
-
-const EVP_AEAD *EVP_aead_null_sha1_tls(void) { return &aead_null_sha1_tls; }
@@ -1,162 +0,0 @@
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.] */
-
-#ifndef OPENSSL_HEADER_CIPHER_INTERNAL_H
-#define OPENSSL_HEADER_CIPHER_INTERNAL_H
-
-#include <openssl/base.h>
-
-#include <openssl/aead.h>
-
-#if defined(__cplusplus)
-extern "C" {
-#endif
-
-
-/* EVP_CIPH_MODE_MASK contains the bits of |flags| that represent the mode. */
-#define EVP_CIPH_MODE_MASK 0x3f
-
-
-/* EVP_AEAD represents a specific AEAD algorithm. */
-struct evp_aead_st {
-  uint8_t key_len;
-  uint8_t nonce_len;
-  uint8_t overhead;
-  uint8_t max_tag_len;
-
-  /* init initialises an |EVP_AEAD_CTX|. If this call returns zero then
-   * |cleanup| will not be called for that context. */
-  int (*init)(EVP_AEAD_CTX *, const uint8_t *key, size_t key_len,
-              size_t tag_len);
-  int (*init_with_direction)(EVP_AEAD_CTX *, const uint8_t *key, size_t key_len,
-                             size_t tag_len, enum evp_aead_direction_t dir);
-  void (*cleanup)(EVP_AEAD_CTX *);
-
-  int (*seal)(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len,
-              size_t max_out_len, const uint8_t *nonce, size_t nonce_len,
-              const uint8_t *in, size_t in_len, const uint8_t *ad,
-              size_t ad_len);
-
-  int (*open)(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len,
-              size_t max_out_len, const uint8_t *nonce, size_t nonce_len,
-              const uint8_t *in, size_t in_len, const uint8_t *ad,
-              size_t ad_len);
-
-  int (*get_iv)(const EVP_AEAD_CTX *ctx, const uint8_t **out_iv,
-                size_t *out_len);
-};
-
-
-/* EVP_tls_cbc_get_padding determines the padding from the decrypted, TLS, CBC
- * record in |in|. This decrypted record should not include any "decrypted"
- * explicit IV. If the record is publicly invalid, it returns zero. Otherwise,
- * it returns one and sets |*out_padding_ok| to all ones (0xfff..f) if the
- * padding is valid and zero otherwise. It then sets |*out_len| to the length
- * with the padding removed or |in_len| if invalid.
- *
- * If the function returns one, it runs in time independent of the contents of
- * |in|. It is also guaranteed that |*out_len| >= |mac_size|, satisfying
- * |EVP_tls_cbc_copy_mac|'s precondition. */
-int EVP_tls_cbc_remove_padding(unsigned *out_padding_ok, unsigned *out_len,
-                               const uint8_t *in, unsigned in_len,
-                               unsigned block_size, unsigned mac_size);
-
-/* EVP_tls_cbc_copy_mac copies |md_size| bytes from the end of the first
- * |in_len| bytes of |in| to |out| in constant time (independent of the concrete
- * value of |in_len|, which may vary within a 256-byte window). |in| must point
- * to a buffer of |orig_len| bytes.
- *
- * On entry:
- *   orig_len >= in_len >= md_size
- *   md_size <= EVP_MAX_MD_SIZE */
-void EVP_tls_cbc_copy_mac(uint8_t *out, unsigned md_size,
-                          const uint8_t *in, unsigned in_len,
-                          unsigned orig_len);
-
-/* EVP_tls_cbc_record_digest_supported returns 1 iff |md| is a hash function
- * which EVP_tls_cbc_digest_record supports. */
-int EVP_tls_cbc_record_digest_supported(const EVP_MD *md);
-
-/* EVP_tls_cbc_digest_record computes the MAC of a decrypted, padded TLS
- * record.
- *
- *   md: the hash function used in the HMAC.
- *     EVP_tls_cbc_record_digest_supported must return true for this hash.
- *   md_out: the digest output. At most EVP_MAX_MD_SIZE bytes will be written.
- *   md_out_size: the number of output bytes is written here.
- *   header: the 13-byte, TLS record header.
- *   data: the record data itself
- *   data_plus_mac_size: the secret, reported length of the data and MAC
- *     once the padding has been removed.
- *   data_plus_mac_plus_padding_size: the public length of the whole
- *     record, including padding.
- *
- * On entry: by virtue of having been through one of the remove_padding
- * functions, above, we know that data_plus_mac_size is large enough to contain
- * a padding byte and MAC. (If the padding was invalid, it might contain the
- * padding too. ) */
-int EVP_tls_cbc_digest_record(const EVP_MD *md, uint8_t *md_out,
-                              size_t *md_out_size, const uint8_t header[13],
-                              const uint8_t *data, size_t data_plus_mac_size,
-                              size_t data_plus_mac_plus_padding_size,
-                              const uint8_t *mac_secret,
-                              unsigned mac_secret_length);
-
-#if defined(__cplusplus)
-} /* extern C */
-#endif
-
-#endif /* OPENSSL_HEADER_CIPHER_INTERNAL_H */
@@ -1,245 +0,0 @@
-# This is the example from
-# https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-02#section-8
-
-KEY: ee8e1ed9ff2540ae8f2ba9f50bc2f27c
-NONCE: 752abad3e0afb5f434dc4310f71f3d21
-IN: "Hello world"
-AD: "example"
-CT: 810649724764545b3625ff
-TAG: 010a10f4942710781d2948ac0192572f
-
-# Test vectors from
-# https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-02#appendix-B
-
-KEY: 01000000000000000000000000000000
-NONCE: 03000000000000000000000000000000
-IN: 
-AD: 
-CT: 
-TAG: cb52de357fad226ae428d0ed5a575496
-
-KEY: 01000000000000000000000000000000
-NONCE: 03000000000000000000000000000000
-IN: 0100000000000000
-AD: 
-CT: 7e139f58002d68ee
-TAG: 715835541f2136f03b6dc80ae0a8ac46
-
-KEY: 01000000000000000000000000000000
-NONCE: 03000000000000000000000000000000
-IN: 010000000000000000000000
-AD: 
-CT: 4a87f0cd26e5d5086e90da02
-TAG: 4dff905e48d512e9c34ae8f3be66ec43
-
-KEY: 01000000000000000000000000000000
-NONCE: 03000000000000000000000000000000
-IN: 01000000000000000000000000000000
-AD: 
-CT: 048ca58c46d2368ce00132389f40b511
-TAG: 971da9aa385283522c4f67a9aedb37e5
-
-KEY: 01000000000000000000000000000000
-NONCE: 03000000000000000000000000000000
-IN: 0100000000000000000000000000000002000000000000000000000000000000
-AD: 
-CT: e1cf1cf545d2743ec005b26bd2c836ac1a4233d646c195ffa401f28063127baa
-TAG: 1071338b8c2930d3ec4c17cecbefa4b4
-
-KEY: 01000000000000000000000000000000
-NONCE: 03000000000000000000000000000000
-IN: 010000000000000000000000000000000200000000000000000000000000000003000000000000000000000000000000
-AD: 
-CT: 2e7e6881a02d57b877794b2fbfbfef5484f1cf74f4ad53a751b2582c0e698466bd9a49dcab53806d8e31d864c4632d00
-TAG: 04b1b8a9c1630ff028b14d2e57bca429
-
-KEY: 01000000000000000000000000000000
-NONCE: 03000000000000000000000000000000
-IN: 01000000000000000000000000000000020000000000000000000000000000000300000000000000000000000000000004000000000000000000000000000000
-AD: 
-CT: 0ac5be860726209d9218de3e9d533743e1efe1595bc58f93f00e9bb9a7558dc1e1b14a9c0d49eb5064c7efa79842f9c7cfdd77614709f0b545d3227498e774d5
-TAG: 860b73a1ed8a5b9acd925c3f3f49c5c5
-
-KEY: 01000000000000000000000000000000
-NONCE: 03000000000000000000000000000000
-IN: 0200000000000000
-AD: 01
-CT: 4919e29e9890e452
-TAG: 1433a5c0284c911163888dbd128e6874
-
-KEY: 01000000000000000000000000000000
-NONCE: 03000000000000000000000000000000
-IN: 020000000000000000000000
-AD: 01
-CT: db55d6da719fe0473538294e
-TAG: 5a8ab948ccd205a70c78e8fdf954693b
-
-KEY: 01000000000000000000000000000000
-NONCE: 03000000000000000000000000000000
-IN: 02000000000000000000000000000000
-AD: 01
-CT: aea3c54272abc1b58ed34a536743f4da
-TAG: da10d98bfe23784cfdfd0af97b6d5b78
-
-KEY: 01000000000000000000000000000000
-NONCE: 03000000000000000000000000000000
-IN: 0200000000000000000000000000000003000000000000000000000000000000
-AD: 01
-CT: aa694c0cfe148100cb5c6e27a77a7ff7b4233d6af251d9faa3d84f7c0d1113f1
-TAG: 778c5b68356a1a6a6f3c14a8f96c35ca
-
-KEY: 01000000000000000000000000000000
-NONCE: 03000000000000000000000000000000
-IN: 020000000000000000000000000000000300000000000000000000000000000004000000000000000000000000000000
-AD: 01
-CT: 9ac909928bcde79c2afa885df9c035c85a9eab136f6f6ea11034456bd306ea3c5dd542f706fffe538b5f139fa9dc622e
-TAG: 26c0c0d146d38787ca0fcbc3f911577a
-
-KEY: 01000000000000000000000000000000
-NONCE: 03000000000000000000000000000000
-IN: 02000000000000000000000000000000030000000000000000000000000000000400000000000000000000000000000005000000000000000000000000000000
-AD: 01
-CT: c56be9d61ecf6a31a6289cddc9b91aaf84cdb53a3913b825d6eb5e157906dfb0a308c6b0b095d6fd1a5b761ca7fa0e39ca92f38ae206eec844c0c4ab0c1c165e
-TAG: a60986309b99431a35dd8c5ebeef8375
-
-KEY: 01000000000000000000000000000000
-NONCE: 03000000000000000000000000000000
-IN: 02000000
-AD: 010000000000000000000000
-CT: 47995b96
-TAG: 16b668094202cadde992e0c16205793c
-
-KEY: 01000000000000000000000000000000
-NONCE: 03000000000000000000000000000000
-IN: 0300000000000000000000000000000004000000
-AD: 010000000000000000000000000000000200
-CT: 8fe25de75089e9f849150e57ab7f7810981cd319
-TAG: 89ca91ebc560709432fe9496746404cc
-
-KEY: 01000000000000000000000000000000
-NONCE: 03000000000000000000000000000000
-IN: 030000000000000000000000000000000400
-AD: 0100000000000000000000000000000002000000
-CT: b26d43ae158316ac37f41579ccf1d461274e
-TAG: 13b7c01d08dd6969d51d1bf0fbbdc4d2
-
-KEY: 01000000000000000000000000000000
-NONCE: 03000000000000000000000000000000
-IN: 
-AD: 
-CT: 
-TAG: cb52de357fad226ae428d0ed5a575496
-
-KEY: 01000000000000000000000000000000
-NONCE: 03000000000000000000000000000000
-IN: 0100000000000000
-AD: 
-CT: 7e139f58002d68ee
-TAG: 715835541f2136f03b6dc80ae0a8ac46
-
-KEY: 01000000000000000000000000000000
-NONCE: 03000000000000000000000000000000
-IN: 010000000000000000000000
-AD: 
-CT: 4a87f0cd26e5d5086e90da02
-TAG: 4dff905e48d512e9c34ae8f3be66ec43
-
-KEY: 01000000000000000000000000000000
-NONCE: 03000000000000000000000000000000
-IN: 01000000000000000000000000000000
-AD: 
-CT: 048ca58c46d2368ce00132389f40b511
-TAG: 971da9aa385283522c4f67a9aedb37e5
-
-KEY: 01000000000000000000000000000000
-NONCE: 03000000000000000000000000000000
-IN: 0100000000000000000000000000000002000000000000000000000000000000
-AD: 
-CT: e1cf1cf545d2743ec005b26bd2c836ac1a4233d646c195ffa401f28063127baa
-TAG: 1071338b8c2930d3ec4c17cecbefa4b4
-
-KEY: 01000000000000000000000000000000
-NONCE: 03000000000000000000000000000000
-IN: 010000000000000000000000000000000200000000000000000000000000000003000000000000000000000000000000
-AD: 
-CT: 2e7e6881a02d57b877794b2fbfbfef5484f1cf74f4ad53a751b2582c0e698466bd9a49dcab53806d8e31d864c4632d00
-TAG: 04b1b8a9c1630ff028b14d2e57bca429
-
-KEY: 01000000000000000000000000000000
-NONCE: 03000000000000000000000000000000
-IN: 01000000000000000000000000000000020000000000000000000000000000000300000000000000000000000000000004000000000000000000000000000000
-AD: 
-CT: 0ac5be860726209d9218de3e9d533743e1efe1595bc58f93f00e9bb9a7558dc1e1b14a9c0d49eb5064c7efa79842f9c7cfdd77614709f0b545d3227498e774d5
-TAG: 860b73a1ed8a5b9acd925c3f3f49c5c5
-
-KEY: 01000000000000000000000000000000
-NONCE: 03000000000000000000000000000000
-IN: 0200000000000000
-AD: 01
-CT: 4919e29e9890e452
-TAG: 1433a5c0284c911163888dbd128e6874
-
-KEY: 01000000000000000000000000000000
-NONCE: 03000000000000000000000000000000
-IN: 020000000000000000000000
-AD: 01
-CT: db55d6da719fe0473538294e
-TAG: 5a8ab948ccd205a70c78e8fdf954693b
-
-KEY: 01000000000000000000000000000000
-NONCE: 03000000000000000000000000000000
-IN: 02000000000000000000000000000000
-AD: 01
-CT: aea3c54272abc1b58ed34a536743f4da
-TAG: da10d98bfe23784cfdfd0af97b6d5b78
-
-KEY: 01000000000000000000000000000000
-NONCE: 03000000000000000000000000000000
-IN: 0200000000000000000000000000000003000000000000000000000000000000
-AD: 01
-CT: aa694c0cfe148100cb5c6e27a77a7ff7b4233d6af251d9faa3d84f7c0d1113f1
-TAG: 778c5b68356a1a6a6f3c14a8f96c35ca
-
-KEY: 01000000000000000000000000000000
-NONCE: 03000000000000000000000000000000
-IN: 020000000000000000000000000000000300000000000000000000000000000004000000000000000000000000000000
-AD: 01
-CT: 9ac909928bcde79c2afa885df9c035c85a9eab136f6f6ea11034456bd306ea3c5dd542f706fffe538b5f139fa9dc622e
-TAG: 26c0c0d146d38787ca0fcbc3f911577a
-
-KEY: 01000000000000000000000000000000
-NONCE: 03000000000000000000000000000000
-IN: 02000000000000000000000000000000030000000000000000000000000000000400000000000000000000000000000005000000000000000000000000000000
-AD: 01
-CT: c56be9d61ecf6a31a6289cddc9b91aaf84cdb53a3913b825d6eb5e157906dfb0a308c6b0b095d6fd1a5b761ca7fa0e39ca92f38ae206eec844c0c4ab0c1c165e
-TAG: a60986309b99431a35dd8c5ebeef8375
-
-KEY: 01000000000000000000000000000000
-NONCE: 03000000000000000000000000000000
-IN: 02000000
-AD: 010000000000000000000000
-CT: 47995b96
-TAG: 16b668094202cadde992e0c16205793c
-
-KEY: 01000000000000000000000000000000
-NONCE: 03000000000000000000000000000000
-IN: 0300000000000000000000000000000004000000
-AD: 010000000000000000000000000000000200
-CT: 8fe25de75089e9f849150e57ab7f7810981cd319
-TAG: 89ca91ebc560709432fe9496746404cc
-
-KEY: 01000000000000000000000000000000
-NONCE: 03000000000000000000000000000000
-IN: 030000000000000000000000000000000400
-AD: 0100000000000000000000000000000002000000
-CT: b26d43ae158316ac37f41579ccf1d461274e
-TAG: 13b7c01d08dd6969d51d1bf0fbbdc4d2
-
-# Sample large random test vector.
-
-KEY: ee0f62a965fa640d1c95d79b215dca71
-NONCE: 7df5a22c91e6b6f37594dfef54847bd9
-IN: 5d90037e677666fbc0215305096301d852609e1380992d8c2e3594344a7f9a0521fdeda53de07d3184d590667fc7151a93ba097f20c67da0b1da8c23bd05887a4b66ab50333874819035eafd775fcfa86b380968f15d8cd46483d418b2c074f0dc18407108f63abe89c5448e83d064b6544a275dd75a21dd0241dafa086beb8446f398f6c1b2b117ad6f2cdb04031640852b5e15560d39b8d9088824f728ae66b2214e4cd70f60174313a5f0286741caeb4b66d0513b63c4a1325306f79f1f79bb28ccf6448fa3160876eefd85ca03c196a3e5568b0f3c818e7cf9d661423ed6a50a6911d52217a1b81e94ba040f336e74ac71b33964c3a7d960a32c255e22fcb7dcc41b9b136815b784ce4015b61b55e305e2ab1f96d17b561eb0281476cbaec54e942a186fbf3df92358960182c3c034066364e80fa492b36d36ee68f2738220f249a69f24405fe9995dab0b0b338ee68d85f0e59870903ca9d02f32ee6a24efc85434610586470b938daa9d14206c360339f7ec50857f4e5075a29bb51720d9a6f399f7b8bd45b402b0eed8f6e427d5dd358a0c3f10a58582be8934ebd7903497cc6622a977d6045f97a58f5ed7a3470583ebf88f71150499047e4b624f8018cffaca0d5a9db7f73da2db6770c98cd628d2d6682a4c41d584f37ea0ff7e8763616a548027e29cb3ec3e02a82eab205f7af46b6c9b02a15de54fc301a9845d50396cf3826b23296c360fafbaf65e5f48c4998085d7dac07736b106a8bb1e8e69dca15464d1bf156a5f84b62170f680826dcca7bf1c126cdb70dc872a005806d423cee46ab0d84d2d8d490c8eaec8b17b12913d4856c59f5348c6956c96a32595eef8c89ee5ae99706c92e748714dae4ae45685710261cd66d3ef93ed01bb862bfeb3b4fb5074ffec5517c8845173fde2774cd3b5a25cc1dc11d833c29614b7272bf213aeb19f83603aee97a9bc43e8b88c8789c520f634028cce2b0be343e74c8c341a153a36f797f38a4ebb53589e45f1e64299fedd2e9bbdeb9ad9ab4e2eccb4bd2b57000a5d7b064e6b6fb5cb9c743d6afe697bac549ade238c7a3a094e799e9c7e6cef6e6d4b8c8f1d862bc8ab9b96238c7d5393b2f684c5b4826df6c5f48cadb43fd6d6cb189ca56125bfee9dd44d22a2e28d7a9e63565321c9ecad96b3ae7376c984c44cab978002ff78d947230fe15918b3a73232ff5c05586c4b0e2e0d737be6abef80414b008ad2deea1944a4248f02063500a9276217ceabeca39ec4d6af647395a9c91401dcbe8f9645ef97eca5624029f942cc9979fd31636d65ed181a65763c5c16e65f8673a3cc6143ede8144d894559dedfac3000e8d86590b0ced25dd8666d71f237fd3511d7f8a20dbb4e95e3aca9807a2351bf705a7eec5a80f2b390ef9df496c5cd7ca9f5d8846df291025beb9781c793613efe7798
-AD: 4b7531e0a946b20c80f70dea4d437833f3dd26ae6f6dc37b7b99e82122acf2b7975f6d8efcb7ec4c6ff3c0ce4a5864adba0e658aeb8d9b839f3509f033827bc69a1ab080a0a1cc63559b00a3a259c53c145b0282f5e56930fc35b11c83b6564f2e80f186c2ef2e8886641fe6c4966dc9f86c567e73902d1a8fc33be1551e8359aa585bd2b8da83c0cd78a086cdebf8904d1b66a2fee176fa19714f062b752653d75a0e441ff7fba0c5a0cb6ded48f68b38af82faa985f9d97ba3c0978e1d23d8eb8899072fbec9379ca5f2b91293cb57eac81a6d711f9cccb36ff16b0de86d27d62e136ddbc1a2be38d5a1284e4620f4f9ab1f16729630e16dd2901f24f5ad6e
-CT: 1b5a273ee4e1f87516bb711bd97c559fd5139286d90d3f64813f88c697ff448c7ce57ff3a2b70479c0f904f0c6de92234ef72b4ad62038a32108804042e07ad94e49a327bd28f1c49786c2b1537392c582031f52e3bd27336dab9d237ce47ffd0c8002b60b1055226cf28c6d99be0e4f75afb72c6953ffa0b033f74304efe19601d34dfda29874efdc9ebfa74c9d55c7273561c46b7cd4d631ab05ca7172111c13f0703ff9cec063988b7bf1bd9557b8d8a914162d2f31113f1682e951acaba4a314aabf901bdc5117184109fca1cecfe552f2e7d003eab51ceb992c2bb11245e1cd7e230398a3d18bab59c9acf033bde779166bfd3f98792902f84e4ef32cf5f410af2cec9cbe67ebb28f3fceb497abf4b1c240cab4852d840de9dec20f0e21853be6227784beee276ea3a4c6092654f7d62af614e5ea976791195415befa1f4a9d77c35a84b0d54b5eb1e00f55bbafac209468532b18d020e16798256aab9ea3989d876822cc68135ee103169962965a9383b2cff70213f9c52bcf2441e7b8ec07bee0c225be5353bcfe6d9ff546d30889813a13e1e966028dd80ec096202a26e478278af8b15bcf29137d536658d51293c6cfecde110e5b17ec39ce5317db5a03a1919f52f89ceeec0b5f48875e9692501b34303110e52ef4ea96d98cc28ab6e9ca24a8bb124629ac480b06fa8321b5712f2ae22e750848404ac20232716e195b343adebb52234cbc002c602574a7fbad638c1a7201eb38d4404b3d672119617e1190402b57568ee1e776ba18087164ddfbbf77f26ae5ee229ef101f10306f6449920b08d4e46bb2039d4777319547d7b4ef32e61c3cc897bc36cc2d5983c63e38814276a28125468112b646b877bbe2d206e578a8fd402be6d963b1d79c8b14dbca801bb92d7217cb7375d5e126702270158c89db653f1ee34e1c1ca066fe854532a36b74d36d9bc077506349a4cb8143dca1be3241f64cdc410c4d362982500aeea2a12172ccac996a333a2bff5393e0be9bcb93ca0fd62a22f0f72618325e233b42214ce8683c57dcf3113edbc5102e84b265aa031e26ec5fa18b1a7fa72358072d47b85e045cd52541e49b94d74fb21bb19725675c0d014ca8f8219c26cb8158f5d84b2cafb0474b2b39cb7f21c3320b5cbd57cff7133243a462e492de6340ee7d60ef888d639ca50380529f09b9eb279c49ad04662b7ec4f579fcec011790f18b2c0ad081eaf2be13d6f6a5969db46d56df9daea2cb332e719135109fd1d7caa84af315c0054f37177312c01a9f3f05a6e9bca719f906d1e8af7fdc24a3677c922f435e6e4c069073ea779c2b74c98f9374f5a38961a4354e74803f0f4042b91fb82a0c593c13f9ff720a70136d0b108acdb762a08f98a222f48c2858c0cc9a27edc9e79fe0f71ebe2940c60a279476975926eab478685ebf8a74705
-TAG: 6f5223329c07cbf6b038d307cbb8a719
--- a/Show More
+++ b/Show More