external/boringssl: bump revision.

This change bumps the BoringSSL revision to the current tip-of-tree.

Change-Id: I91d5bf467e16e8d86cb19a4de873985f524e5faa

441 files changed, 32149 insertions, 21367 deletions

diff --git a/src/BUILDING b/src/BUILDING
index 18ddde1..d818f95 100644
--- a/src/BUILDING
+++ b/src/BUILDING
@@ -3,7 +3,8 @@ Build Prerequisites:
   * CMake[1] 2.8.8 or later is required.
 
   * Perl 5.6.1 or later is required. On Windows, Strawberry Perl and MSYS Perl
-    have both been reported to work.
+    have both been reported to work. If not found by CMake, it may be configured
+    explicitly by setting PERL_EXECUTABLE.
 
   * On Windows you currently must use Ninja[2] to build; on other platforms,
     it is not required, but recommended, because it makes builds faster.
@@ -11,16 +12,15 @@ Build Prerequisites:
   * If you need to build Ninja from source, then a recent version of
     Python[3] is required (Python 2.7.5 works).
 
-  * On Windows only, Yasm[4] is required.
+  * On Windows only, Yasm[4] is required. If not found by CMake, it may be
+    configured explicitly by setting CMAKE_ASM_NASM_COMPILER.
 
   * A C compiler is required. On Windows, MSVC 12 (Visual Studio 2013) or later
     with Platform SDK 8.1 or later are supported. Recent versions of GCC and
     Clang should work on non-Windows platforms, and maybe on Windows too.
 
-  * Bash is required for running some tests, but not for building.
-
-  * Go[5] is required for running some tests, but not for building. Note that
-    these tests do not work on Windows.
+  * Go[5] is required. If not found by CMake, the go executable may be
+    configured explicitly by setting GO_EXECUTABLE.
 
 Using Ninja (note the 'N' is capitalized in the cmake invocation):
 
@@ -43,17 +43,37 @@ automatically.
 Note that the default build flags in the top-level CMakeLists.txt are for
 debugging - optimisation isn't enabled.
 
-If you want to cross-compile then there are example toolchain files for 32-bit
-Intel and ARM in util/. Wipe out the build directory, recreate it and run cmake
+If you want to cross-compile then there is an example toolchain file for
+32-bit Intel in util/. Wipe out the build directory, recreate it and run cmake
 like this:
 
-  cmake -DCMAKE_TOOLCHAIN_FILE=../util/arm-toolchain.cmake -GNinja ..
+  cmake -DCMAKE_TOOLCHAIN_FILE=../util/32-bit-toolchain.cmake -GNinja ..
 
 If you want to build as a shared library, pass -DBUILD_SHARED_LIBS=1. On
 Windows, where functions need to be tagged with "dllimport" when coming from a
 shared library, define BORINGSSL_SHARED_LIBRARY in any code which #includes the
 BoringSSL headers.
 
+
+Building for Android:
+
+It's possible to build BoringSSL with the Android NDK using CMake. This has
+been tested with version 10d of the NDK.
+
+Unpack the Android NDK somewhere and export ANDROID_NDK to point to the
+directory. Clone https://github.com/taka-no-me/android-cmake into util/.
+Then make a build directory as above and run CMake *twice* like this:
+
+  cmake -DANDROID_NATIVE_API_LEVEL=android-9 \
+        -DANDROID_ABI=armeabi-v7a \
+        -DCMAKE_TOOLCHAIN_FILE=../util/android-cmake/android.toolchain.cmake \
+        -GNinja ..
+
+Once you've run that twice, ninja should produce Android-compatible binaries.
+You can replace "armeabi-v7a" in the above with "arm64-v8a" to build aarch64
+binaries.
+
+
 Known Limitations on Windows:
 
   * Versions of cmake since 3.0.2 have a bug in its Ninja generator that causes
@@ -65,8 +85,6 @@ Known Limitations on Windows:
     don't have steps for assembling the assembly language source files, so they
     currently cannot be used to build BoringSSL.
 
-  * The tests written in Go do not work.
-
 [1] http://www.cmake.org/download/
 
 [2] https://martine.github.io/ninja/
@@ -75,7 +93,4 @@ Known Limitations on Windows:
 
 [4] http://yasm.tortall.net/
 
-    Either ensure yasm.exe is in %PATH% or configure CMAKE_ASM_NASM_COMPILER
-    appropriately.
-
 [5] https://golang.org/dl/
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 9a61495..6e41ee9 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -2,6 +2,20 @@ cmake_minimum_required (VERSION 2.8.10)
 
 project (BoringSSL)
 
+if(ANDROID)
+  # Android-NDK CMake files reconfigure the path and so Go and Perl won't be
+  # found. However, ninja will still find them in $PATH if we just name them.
+  set(PERL_EXECUTABLE "perl")
+  set(GO_EXECUTABLE "go")
+else()
+  find_package(Perl REQUIRED)
+  find_program(GO_EXECUTABLE go)
+endif()
+
+if (NOT GO_EXECUTABLE)
+  message(FATAL_ERROR "Could not find Go")
+endif()
+
 if(CMAKE_COMPILER_IS_GNUCXX OR CMAKE_CXX_COMPILER_ID MATCHES "Clang")
   set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Werror -ggdb -fvisibility=hidden")
   set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wall -Werror -ggdb -std=c++0x -fvisibility=hidden")
@@ -11,12 +25,17 @@ elseif(MSVC)
       "C4127" # conditional expression is constant
       "C4200" # nonstandard extension used : zero-sized array in
               # struct/union.
+      "C4210" # nonstandard extension used : function given file scope
       "C4242" # 'function' : conversion from 'int' to 'uint8_t',
               # possible loss of data
       "C4244" # 'function' : conversion from 'int' to 'uint8_t',
               # possible loss of data
       "C4245" # 'initializing' : conversion from 'long' to
               # 'unsigned long', signed/unsigned mismatch
+      "C4267" # conversion from 'size_t' to 'int', possible loss of data
+      "C4371" # layout of class may have changed from a previous version of the
+              # compiler due to better packing of member '...'
+      "C4388" # signed/unsigned mismatch
       "C4296" # '>=' : expression is always true
       "C4350" # behavior change: 'std::_Wrap_alloc...'
       "C4365" # '=' : conversion from 'size_t' to 'int',
@@ -29,7 +48,10 @@ elseif(MSVC)
               # side-effect" caused by FD_* macros.
       "C4610" # struct 'argument' can never be instantiated - user defined
               # constructor required.
-      "C4701" # potentially uninitialized local variable 'mdlen' used
+      "C4625" # copy constructor could not be generated because a base class
+              # copy constructor is inaccessible or deleted
+      "C4626" # assignment operator could not be generated because a base class
+              # assignment operator is inaccessible or deleted
       "C4706" # assignment within conditional expression
       "C4710" # 'function': function not inlined
       "C4711" # function 'function' selected for inline expansion
@@ -45,9 +67,10 @@ elseif(MSVC)
   set(CMAKE_CXX_FLAGS "-Wall -WX ${MSVC_DISABLED_WARNINGS_STR}")
   add_definitions(-D_HAS_EXCEPTIONS=0)
   add_definitions(-DWIN32_LEAN_AND_MEAN)
+  add_definitions(-DNOMINMAX)
 endif()
 
-if((CMAKE_COMPILER_IS_GNUCXX AND CMAKE_C_COMPILER_VERSION VERSION_GREATER "4.5.99") OR
+if((CMAKE_COMPILER_IS_GNUCXX AND CMAKE_C_COMPILER_VERSION VERSION_GREATER "4.7.99") OR
    CMAKE_CXX_COMPILER_ID MATCHES "Clang")
   set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wshadow")
   set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wshadow")
@@ -81,12 +104,21 @@ elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "i686")
   set(ARCH "x86")
 elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "arm")
   set(ARCH "arm")
+elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "armv7-a")
+  set(ARCH "arm")
 elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "aarch64")
   set(ARCH "aarch64")
 else()
   message(FATAL_ERROR "Unknown processor:" ${CMAKE_SYSTEM_PROCESSOR})
 endif()
 
+if (ANDROID AND ${ARCH} STREQUAL "arm")
+  # The Android-NDK CMake files somehow fail to set the -march flag for
+  # assembly files. Without this flag, the compiler believes that it's
+  # building for ARMv5.
+  set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -march=armv7-a")
+endif()
+
 if (${ARCH} STREQUAL "x86" AND APPLE)
   # With CMake 2.8.x, ${CMAKE_SYSTEM_PROCESSOR} evalutes to i386 on OS X,
   # but clang defaults to 64-bit builds on OS X unless otherwise told.
@@ -94,7 +126,13 @@ if (${ARCH} STREQUAL "x86" AND APPLE)
   set(ARCH "x86_64")
 endif()
 
+if (OPENSSL_NO_ASM)
+  add_definitions(-DOPENSSL_NO_ASM)
+  set(ARCH "generic")
+endif()
+
 add_subdirectory(crypto)
 add_subdirectory(ssl)
 add_subdirectory(ssl/test)
 add_subdirectory(tool)
+add_subdirectory(decrepit)
diff --git a/src/STYLE b/src/STYLE
new file mode 100644
index 0000000..578da68
--- /dev/null
+++ b/src/STYLE
@@ -0,0 +1,198 @@
+BoringSSL Style Guide.
+
+BoringSSL usually follows the Google C++ style guide, found below. The
+rest of this document describes differences and clarifications on top
+of the base guide.
+
+https://google-styleguide.googlecode.com/svn/trunk/cppguide.html
+
+
+Legacy code.
+
+As a derivative of OpenSSL, BoringSSL contains a lot of legacy code
+that does not follow this style guide. Particularly where public API
+is concerned, balance consistency within a module with the benefits of
+a given rule. Module-wide deviations on naming should be respected
+while integer and return value conventions take precedence over
+consistency.
+
+Some modules have seen few changes, so they still retain the original
+indentation style for now. When editing these, try to retain the
+original style. For Emacs, doc/c-indentation.el from OpenSSL may be
+helpful in this.
+
+
+Language.
+
+The majority of the project is in C, so C++-specific rules in the
+Google style guide do not apply. Support for C99 features depends on
+our target platforms. Typically, Chromium's target MSVC is the most
+restrictive.
+
+Variable declarations in the middle of a function are allowed.
+
+Comments should be /* C-style */ for consistency.
+
+When declaration pointer types, * should be placed next to the variable
+name, not the type. So
+
+  uint8_t *ptr;
+
+not
+
+  uint8_t* ptr;
+
+Rather than malloc() and free(), use the wrappers OPENSSL_malloc() and
+OPENSSL_free(). Use the standard C assert() function freely.
+
+For new constants, prefer enums when the values are sequential and typed
+constants for flags. If adding values to an existing set of #defines, continue
+with #define.
+
+
+Formatting.
+
+Single-statement blocks are not allowed. All conditions and loops must
+use braces:
+
+  if (foo) {
+    do_something();
+  }
+
+not
+
+  if (foo)
+    do_something();
+
+
+Integers.
+
+Prefer using explicitly-sized integers where appropriate rather than
+generic C ones. For instance, to represent a byte, use uint8_t, not
+unsigned char. Likewise, represent a two-byte field as uint16_t, not
+unsigned short.
+
+Sizes are represented as size_t.
+
+Within a struct that is retained across the lifetime of an SSL
+connection, if bounds of a size are known and it's easy, use a smaller
+integer type like uint8_t. This is a "free" connection footprint
+optimization for servers. Don't make code significantly more complex
+for it, and do still check the bounds when passing in and out of the
+struct. This narrowing should not propagate to local variables and
+function parameters.
+
+When doing arithmetic, account for overflow conditions.
+
+Except with platform APIs, do not use ssize_t. MSVC lacks it, and
+prefer out-of-band error signaling for size_t (see Return values).
+
+
+Naming.
+
+Follow Google naming conventions in C++ files. In C files, use the
+following naming conventions for consistency with existing OpenSSL and C
+styles:
+
+Define structs with typedef named TYPE_NAME. The corresponding struct
+should be named struct type_name_st.
+
+Name public functions as MODULE_function_name, unless the module
+already uses a different naming scheme for legacy reasons. The module
+name should be a type name if the function is a method of a particular
+type.
+
+Some types are allocated within the library while others are
+initialized into a struct allocated by the caller, often on the
+stack. Name these functions TYPE_NAME_new/TYPE_NAME_free and
+TYPE_NAME_init/TYPE_NAME_cleanup, respectively. All TYPE_NAME_free
+functions must do nothing on NULL input.
+
+If a variable is the length of a pointer value, it has the suffix
+_len. An output parameter is named out or has an out_ prefix. For
+instance, For instance:
+
+  uint8_t *out,
+  size_t *out_len,
+  const uint8_t *in,
+  size_t in_len,
+
+Name public headers like include/openssl/evp.h with header guards like
+OPENSSL_HEADER_EVP_H. Name internal headers like crypto/ec/internal.h
+with header guards like OPENSSL_HEADER_EC_INTERNAL_H.
+
+Name enums like unix_hacker_t. For instance:
+
+enum should_free_handshake_buffer_t {
+  free_handshake_buffer,
+  dont_free_handshake_buffer,
+};
+
+
+Return values.
+
+As even malloc may fail in BoringSSL, the vast majority of functions
+will have a failure case. Functions should return int with one on
+success and zero on error. Do not overload the return value to both
+signal success/failure and output an integer. For example:
+
+  OPENSSL_EXPORT int CBS_get_u16(CBS *cbs, uint16_t *out);
+
+If a function needs more than a true/false result code, define an enum
+rather than arbitrarily assigning meaning to int values.
+
+If a function outputs a pointer to an object on success and there are no
+other outputs, return the pointer directly and NULL on error.
+
+
+Parameters.
+
+Where not constrained by legacy code, parameter order should be:
+
+1. context parameters
+2. output parameters
+3. input parameters
+
+For example,
+
+/* CBB_add_asn sets |*out_contents| to a |CBB| into which the contents of an
+ * ASN.1 object can be written. The |tag| argument will be used as the tag for
+ * the object. It returns one on success or zero on error. */
+OPENSSL_EXPORT int CBB_add_asn1(CBB *cbb, CBB *out_contents, uint8_t tag);
+
+
+Documentation.
+
+All public symbols must have a documentation comment in their header
+file. The style is based on that of Go. The first sentence begins with
+the symbol name, optionally prefixed with "A" or "An". Apart from the
+initial mention of symbol, references to other symbols or parameter
+names should be surrounded by |pipes|.
+
+Documentation should be concise but completely describe the exposed
+behavior of the function. Pay special note to success/failure behaviors
+and caller obligations on object lifetimes. If this sacrifices
+conciseness, consider simplifying the function's behavior.
+
+/* EVP_DigestVerifyUpdate appends |len| bytes from |data| to the data which
+ * will be verified by |EVP_DigestVerifyFinal|. It returns one on success and
+ * zero otherwise. */
+OPENSSL_EXPORT int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data,
+                                          size_t len);
+
+Explicitly mention any surprising edge cases or deviations from common
+return value patterns in legacy functions.
+
+/* RSA_private_encrypt encrypts |flen| bytes from |from| with the private key in
+ * |rsa| and writes the encrypted data to |to|. The |to| buffer must have at
+ * least |RSA_size| bytes of space. It returns the number of bytes written, or
+ * -1 on error. The |padding| argument must be one of the |RSA_*_PADDING|
+ * values. If in doubt, |RSA_PKCS1_PADDING| is the most common.
+ *
+ * WARNING: this function is dangerous because it breaks the usual return value
+ * convention. Use |RSA_sign_raw| instead. */
+OPENSSL_EXPORT int RSA_private_encrypt(int flen, const uint8_t *from,
+                                       uint8_t *to, RSA *rsa, int padding);
+
+Document private functions in their internal.h header or, if static,
+where defined.
diff --git a/src/crypto/CMakeLists.txt b/src/crypto/CMakeLists.txt
index cb8f63a..6433dc6 100644
--- a/src/crypto/CMakeLists.txt
+++ b/src/crypto/CMakeLists.txt
@@ -2,7 +2,7 @@ include_directories(. ../include)
 
 if(APPLE)
   if (${ARCH} STREQUAL "x86")
-    set(PERLASM_FLAGS "-fPIC")
+    set(PERLASM_FLAGS "-fPIC -DOPENSSL_IA32_SSE2")
   endif()
   set(PERLASM_STYLE macosx)
   set(ASM_EXT S)
@@ -12,8 +12,10 @@ elseif(UNIX)
     # The "armx" Perl scripts look for "64" in the style argument
     # in order to decide whether to generate 32- or 64-bit asm.
     set(PERLASM_STYLE linux64)
+  elseif (${ARCH} STREQUAL "arm")
+    set(PERLASM_STYLE linux32)
   elseif (${ARCH} STREQUAL "x86")
-    set(PERLASM_FLAGS "-fPIC")
+    set(PERLASM_FLAGS "-fPIC -DOPENSSL_IA32_SSE2")
     set(PERLASM_STYLE elf)
   else()
     set(PERLASM_STYLE elf)
@@ -27,6 +29,7 @@ else()
   else()
     message("Using win32n")
     set(PERLASM_STYLE win32n)
+    set(PERLASM_FLAGS "-DOPENSSL_IA32_SSE2")
   endif()
 
   # On Windows, we use the NASM output, specifically built with Yasm.
@@ -37,9 +40,10 @@ endif()
 function(perlasm dest src)
   add_custom_command(
     OUTPUT ${dest}
-    COMMAND perl ${CMAKE_CURRENT_SOURCE_DIR}/${src} ${PERLASM_STYLE} ${PERLASM_FLAGS} ${ARGN} > ${dest}
+    COMMAND ${PERL_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/${src} ${PERLASM_STYLE} ${PERLASM_FLAGS} ${ARGN} > ${dest}
     DEPENDS
     ${src}
+    ${PROJECT_SOURCE_DIR}/crypto/perlasm/arm-xlate.pl
     ${PROJECT_SOURCE_DIR}/crypto/perlasm/x86_64-xlate.pl
     ${PROJECT_SOURCE_DIR}/crypto/perlasm/x86asm.pl
     ${PROJECT_SOURCE_DIR}/crypto/perlasm/x86gas.pl
@@ -72,6 +76,7 @@ if (${ARCH} STREQUAL "arm")
     CRYPTO_ARCH_SOURCES
 
     cpu-arm.c
+    cpu-arm-asm.S
   )
 endif()
 
@@ -123,6 +128,7 @@ add_subdirectory(ecdsa)
 add_subdirectory(hmac)
 
 # Level 3
+add_subdirectory(cmac)
 add_subdirectory(evp)
 add_subdirectory(hkdf)
 add_subdirectory(pem)
@@ -132,15 +138,19 @@ add_subdirectory(x509v3)
 # Level 4
 add_subdirectory(pkcs8)
 
+# Test support code
+add_subdirectory(test)
+
 add_library(
   crypto
 
   crypto.c
-  crypto_error.c
   mem.c
   thread.c
+  thread_none.c
+  thread_pthread.c
+  thread_win.c
   ex_data.c
-  ex_data_impl.c
   time_support.c
   directory_posix.c
   directory_win.c
@@ -178,6 +188,7 @@ add_library(
   $<TARGET_OBJECTS:ecdh>
   $<TARGET_OBJECTS:ecdsa>
   $<TARGET_OBJECTS:hmac>
+  $<TARGET_OBJECTS:cmac>
   $<TARGET_OBJECTS:evp>
   $<TARGET_OBJECTS:hkdf>
   $<TARGET_OBJECTS:pem>
@@ -186,6 +197,10 @@ add_library(
   $<TARGET_OBJECTS:pkcs8>
 )
 
+if(NOT MSVC AND NOT ANDROID)
+  target_link_libraries(crypto pthread)
+endif()
+
 add_executable(
   constant_time_test
 
@@ -194,5 +209,13 @@ add_executable(
 
 target_link_libraries(constant_time_test crypto)
 
+add_executable(
+  thread_test
+
+  thread_test.c
+)
+
+target_link_libraries(thread_test crypto)
+
 perlasm(cpu-x86_64-asm.${ASM_EXT} cpu-x86_64-asm.pl)
 perlasm(cpu-x86-asm.${ASM_EXT} cpu-x86-asm.pl)
diff --git a/src/crypto/aes/aes.c b/src/crypto/aes/aes.c
index 97b4fbd..933aa07 100644
--- a/src/crypto/aes/aes.c
+++ b/src/crypto/aes/aes.c
@@ -1033,17 +1033,25 @@ void AES_decrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key) {
 #endif /* ?FULL_UNROLL */
   /* apply last round and
    * map cipher state to byte array block: */
-  s0 = (Td4[(t0 >> 24)] << 24) ^ (Td4[(t3 >> 16) & 0xff] << 16) ^
-       (Td4[(t2 >> 8) & 0xff] << 8) ^ (Td4[(t1) & 0xff]) ^ rk[0];
+  s0 = ((uint32_t)Td4[(t0 >> 24)] << 24) ^
+       ((uint32_t)Td4[(t3 >> 16) & 0xff] << 16) ^
+       ((uint32_t)Td4[(t2 >> 8) & 0xff] << 8) ^
+       ((uint32_t)Td4[(t1) & 0xff]) ^ rk[0];
   PUTU32(out, s0);
-  s1 = (Td4[(t1 >> 24)] << 24) ^ (Td4[(t0 >> 16) & 0xff] << 16) ^
-       (Td4[(t3 >> 8) & 0xff] << 8) ^ (Td4[(t2) & 0xff]) ^ rk[1];
+  s1 = ((uint32_t)Td4[(t1 >> 24)] << 24) ^
+       ((uint32_t)Td4[(t0 >> 16) & 0xff] << 16) ^
+       ((uint32_t)Td4[(t3 >> 8) & 0xff] << 8) ^
+       ((uint32_t)Td4[(t2) & 0xff]) ^ rk[1];
   PUTU32(out + 4, s1);
-  s2 = (Td4[(t2 >> 24)] << 24) ^ (Td4[(t1 >> 16) & 0xff] << 16) ^
-       (Td4[(t0 >> 8) & 0xff] << 8) ^ (Td4[(t3) & 0xff]) ^ rk[2];
+  s2 = ((uint32_t)Td4[(t2 >> 24)] << 24) ^
+       ((uint32_t)Td4[(t1 >> 16) & 0xff] << 16) ^
+       ((uint32_t)Td4[(t0 >> 8) & 0xff] << 8) ^
+       ((uint32_t)Td4[(t3) & 0xff]) ^ rk[2];
   PUTU32(out + 8, s2);
-  s3 = (Td4[(t3 >> 24)] << 24) ^ (Td4[(t2 >> 16) & 0xff] << 16) ^
-       (Td4[(t1 >> 8) & 0xff] << 8) ^ (Td4[(t0) & 0xff]) ^ rk[3];
+  s3 = ((uint32_t)Td4[(t3 >> 24)] << 24) ^
+       ((uint32_t)Td4[(t2 >> 16) & 0xff] << 16) ^
+       ((uint32_t)Td4[(t1 >> 8) & 0xff] << 8) ^
+       ((uint32_t)Td4[(t0) & 0xff]) ^ rk[3];
   PUTU32(out + 12, s3);
 }
 
diff --git a/src/crypto/aes/asm/aes-armv4.pl b/src/crypto/aes/asm/aes-armv4.pl
index 3bd9a6d..36cd3b6 100644
--- a/src/crypto/aes/asm/aes-armv4.pl
+++ b/src/crypto/aes/asm/aes-armv4.pl
@@ -32,8 +32,20 @@
 # Profiler-assisted and platform-specific optimization resulted in 16%
 # improvement on Cortex A8 core and ~21.5 cycles per byte.
 
-while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {}
-open STDOUT,">$output";
+$flavour = shift;
+if ($flavour=~/^\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; }
+else { while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} }
+
+if ($flavour && $flavour ne "void") {
+    $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+    ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
+    ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
+    die "can't locate arm-xlate.pl";
+
+    open STDOUT,"| \"$^X\" $xlate $flavour $output";
+} else {
+    open STDOUT,">$output";
+}
 
 $s0="r0";
 $s1="r1";
@@ -63,7 +75,7 @@ $code=<<___;
 .code	32
 #else
 .syntax	unified
-# ifdef __thumb2__
+# if defined(__thumb2__) && !defined(__APPLE__)
 .thumb
 # else
 .code	32
@@ -189,9 +201,13 @@ asm_AES_encrypt:
 	adr	r3,asm_AES_encrypt
 #endif
 	stmdb   sp!,{r1,r4-r12,lr}
+#ifdef	__APPLE__
+	adr	$tbl,AES_Te
+#else
+	sub	$tbl,r3,#asm_AES_encrypt-AES_Te	@ Te
+#endif
 	mov	$rounds,r0		@ inp
 	mov	$key,r2
-	sub	$tbl,r3,#asm_AES_encrypt-AES_Te	@ Te
 #if __ARM_ARCH__<7
 	ldrb	$s0,[$rounds,#3]	@ load input data in endian-neutral
 	ldrb	$t1,[$rounds,#2]	@ manner...
@@ -460,12 +476,16 @@ _armv4_AES_set_encrypt_key:
 	bne	.Labrt
 
 .Lok:	stmdb   sp!,{r4-r12,lr}
-	sub	$tbl,r3,#_armv4_AES_set_encrypt_key-AES_Te-1024	@ Te4
-
 	mov	$rounds,r0		@ inp
 	mov	lr,r1			@ bits
 	mov	$key,r2			@ key
 
+#ifdef	__APPLE__
+	adr	$tbl,AES_Te+1024				@ Te4
+#else
+	sub	$tbl,r3,#_armv4_AES_set_encrypt_key-AES_Te-1024	@ Te4
+#endif
+
 #if __ARM_ARCH__<7
 	ldrb	$s0,[$rounds,#3]	@ load input data in endian-neutral
 	ldrb	$t1,[$rounds,#2]	@ manner...
@@ -718,8 +738,8 @@ _armv4_AES_set_encrypt_key:
 .Ldone:	mov	r0,#0
 	ldmia   sp!,{r4-r12,lr}
 .Labrt:
-#if defined(__thumb2__) && __ARM_ARCH__>=7
-	.short	0x4770			@ bx lr in Thumb2 encoding
+#if __ARM_ARCH__>=5
+	ret				@ bx lr
 #else
 	tst	lr,#1
 	moveq	pc,lr			@ be binary compatible with V4, yet
@@ -961,9 +981,13 @@ asm_AES_decrypt:
 	adr	r3,asm_AES_decrypt
 #endif
 	stmdb   sp!,{r1,r4-r12,lr}
+#ifdef	__APPLE__
+	adr	$tbl,AES_Td
+#else
+	sub	$tbl,r3,#asm_AES_decrypt-AES_Td	@ Td
+#endif
 	mov	$rounds,r0		@ inp
 	mov	$key,r2
-	sub	$tbl,r3,#asm_AES_decrypt-AES_Td		@ Td
 #if __ARM_ARCH__<7
 	ldrb	$s0,[$rounds,#3]	@ load input data in endian-neutral
 	ldrb	$t1,[$rounds,#2]	@ manner...
@@ -1211,6 +1235,7 @@ _armv4_AES_decrypt:
 ___
 
 $code =~ s/\bbx\s+lr\b/.word\t0xe12fff1e/gm;	# make it possible to compile with -march=armv4
+$code =~ s/\bret\b/bx\tlr/gm;
 
 open SELF,$0;
 while(<SELF>) {
diff --git a/src/crypto/aes/asm/aesni-x86.pl b/src/crypto/aes/asm/aesni-x86.pl
index 3deb86a..f67df8c 100644
--- a/src/crypto/aes/asm/aesni-x86.pl
+++ b/src/crypto/aes/asm/aesni-x86.pl
@@ -51,7 +51,7 @@
 # Westmere	3.77/1.37	1.37	1.52	1.27
 # * Bridge	5.07/0.98	0.99	1.09	0.91
 # Haswell	4.44/0.80	0.97	1.03	0.72
-# Atom		5.77/3.56	3.67	4.03	3.46
+# Silvermont	5.77/3.56	3.67	4.03	3.46
 # Bulldozer	5.80/0.98	1.05	1.24	0.93
 
 $PREFIX="aesni";	# if $PREFIX is set to "AES", the script
@@ -65,6 +65,9 @@ require "x86asm.pl";
 
 &asm_init($ARGV[0],$0);
 
+&external_label("OPENSSL_ia32cap_P");
+&static_label("key_const");
+
 if ($PREFIX eq "aesni")	{ $movekey=\&movups; }
 else			{ $movekey=\&movups; }
 
@@ -181,7 +184,10 @@ sub aesni_generate1	# fully unrolled loop
 	{   &aesni_inline_generate1("enc");	}
 	else
 	{   &call	("_aesni_encrypt1");	}
+	&pxor	($rndkey0,$rndkey0);		# clear register bank
+	&pxor	($rndkey1,$rndkey1);
 	&movups	(&QWP(0,"eax"),$inout0);
+	&pxor	($inout0,$inout0);
 	&ret	();
 &function_end_B("${PREFIX}_encrypt");
 
@@ -197,7 +203,10 @@ sub aesni_generate1	# fully unrolled loop
 	{   &aesni_inline_generate1("dec");	}
 	else
 	{   &call	("_aesni_decrypt1");	}
+	&pxor	($rndkey0,$rndkey0);		# clear register bank
+	&pxor	($rndkey1,$rndkey1);
 	&movups	(&QWP(0,"eax"),$inout0);
+	&pxor	($inout0,$inout0);
 	&ret	();
 &function_end_B("${PREFIX}_decrypt");
 
@@ -349,17 +358,15 @@ sub aesni_generate6
 	&neg		($rounds);
 	eval"&aes${p}	($inout2,$rndkey1)";
 	&pxor		($inout5,$rndkey0);
+	&$movekey	($rndkey0,&QWP(0,$key,$rounds));
 	&add		($rounds,16);
-	eval"&aes${p}	($inout3,$rndkey1)";
-	eval"&aes${p}	($inout4,$rndkey1)";
-	eval"&aes${p}	($inout5,$rndkey1)";
-	&$movekey	($rndkey0,&QWP(-16,$key,$rounds));
-	&jmp		(&label("_aesni_${p}rypt6_enter"));
+	&jmp		(&label("_aesni_${p}rypt6_inner"));
 
     &set_label("${p}6_loop",16);
 	eval"&aes${p}	($inout0,$rndkey1)";
 	eval"&aes${p}	($inout1,$rndkey1)";
 	eval"&aes${p}	($inout2,$rndkey1)";
+    &set_label("_aesni_${p}rypt6_inner");
 	eval"&aes${p}	($inout3,$rndkey1)";
 	eval"&aes${p}	($inout4,$rndkey1)";
 	eval"&aes${p}	($inout5,$rndkey1)";
@@ -615,6 +622,14 @@ if ($PREFIX eq "aesni") {
 	&movups	(&QWP(0x30,$out),$inout3);
 
 &set_label("ecb_ret");
+	&pxor	("xmm0","xmm0");		# clear register bank
+	&pxor	("xmm1","xmm1");
+	&pxor	("xmm2","xmm2");
+	&pxor	("xmm3","xmm3");
+	&pxor	("xmm4","xmm4");
+	&pxor	("xmm5","xmm5");
+	&pxor	("xmm6","xmm6");
+	&pxor	("xmm7","xmm7");
 &function_end("aesni_ecb_encrypt");
 
 ######################################################################
@@ -704,6 +719,15 @@ if ($PREFIX eq "aesni") {
 	&mov	("esp",&DWP(48,"esp"));
 	&mov	($out,&wparam(5));
 	&movups	(&QWP(0,$out),$cmac);
+
+	&pxor	("xmm0","xmm0");		# clear register bank
+	&pxor	("xmm1","xmm1");
+	&pxor	("xmm2","xmm2");
+	&pxor	("xmm3","xmm3");
+	&pxor	("xmm4","xmm4");
+	&pxor	("xmm5","xmm5");
+	&pxor	("xmm6","xmm6");
+	&pxor	("xmm7","xmm7");
 &function_end("aesni_ccm64_encrypt_blocks");
 
 &function_begin("aesni_ccm64_decrypt_blocks");
@@ -804,6 +828,15 @@ if ($PREFIX eq "aesni") {
 	&mov	("esp",&DWP(48,"esp"));
 	&mov	($out,&wparam(5));
 	&movups	(&QWP(0,$out),$cmac);
+
+	&pxor	("xmm0","xmm0");		# clear register bank
+	&pxor	("xmm1","xmm1");
+	&pxor	("xmm2","xmm2");
+	&pxor	("xmm3","xmm3");
+	&pxor	("xmm4","xmm4");
+	&pxor	("xmm5","xmm5");
+	&pxor	("xmm6","xmm6");
+	&pxor	("xmm7","xmm7");
 &function_end("aesni_ccm64_decrypt_blocks");
 }
 
@@ -1053,6 +1086,17 @@ if ($PREFIX eq "aesni") {
 	&movups	(&QWP(0x30,$out),$inout3);
 
 &set_label("ctr32_ret");
+	&pxor	("xmm0","xmm0");		# clear register bank
+	&pxor	("xmm1","xmm1");
+	&pxor	("xmm2","xmm2");
+	&pxor	("xmm3","xmm3");
+	&pxor	("xmm4","xmm4");
+	&movdqa	(&QWP(32,"esp"),"xmm0");	# clear stack
+	&pxor	("xmm5","xmm5");
+	&movdqa	(&QWP(48,"esp"),"xmm0");
+	&pxor	("xmm6","xmm6");
+	&movdqa	(&QWP(64,"esp"),"xmm0");
+	&pxor	("xmm7","xmm7");
 	&mov	("esp",&DWP(80,"esp"));
 &function_end("aesni_ctr32_encrypt_blocks");
 
@@ -1394,6 +1438,20 @@ if ($PREFIX eq "aesni") {
 	&movups	(&QWP(-16,$out),$inout0);	# write output
 
 &set_label("xts_enc_ret");
+	&pxor	("xmm0","xmm0");		# clear register bank
+	&pxor	("xmm1","xmm1");
+	&pxor	("xmm2","xmm2");
+	&movdqa	(&QWP(16*0,"esp"),"xmm0");	# clear stack
+	&pxor	("xmm3","xmm3");
+	&movdqa	(&QWP(16*1,"esp"),"xmm0");
+	&pxor	("xmm4","xmm4");
+	&movdqa	(&QWP(16*2,"esp"),"xmm0");
+	&pxor	("xmm5","xmm5");
+	&movdqa	(&QWP(16*3,"esp"),"xmm0");
+	&pxor	("xmm6","xmm6");
+	&movdqa	(&QWP(16*4,"esp"),"xmm0");
+	&pxor	("xmm7","xmm7");
+	&movdqa	(&QWP(16*5,"esp"),"xmm0");
 	&mov	("esp",&DWP(16*7+4,"esp"));	# restore %esp
 &function_end("aesni_xts_encrypt");
 
@@ -1756,6 +1814,20 @@ if ($PREFIX eq "aesni") {
 	&movups	(&QWP(0,$out),$inout0);		# write output
 
 &set_label("xts_dec_ret");
+	&pxor	("xmm0","xmm0");		# clear register bank
+	&pxor	("xmm1","xmm1");
+	&pxor	("xmm2","xmm2");
+	&movdqa	(&QWP(16*0,"esp"),"xmm0");	# clear stack
+	&pxor	("xmm3","xmm3");
+	&movdqa	(&QWP(16*1,"esp"),"xmm0");
+	&pxor	("xmm4","xmm4");
+	&movdqa	(&QWP(16*2,"esp"),"xmm0");
+	&pxor	("xmm5","xmm5");
+	&movdqa	(&QWP(16*3,"esp"),"xmm0");
+	&pxor	("xmm6","xmm6");
+	&movdqa	(&QWP(16*4,"esp"),"xmm0");
+	&pxor	("xmm7","xmm7");
+	&movdqa	(&QWP(16*5,"esp"),"xmm0");
 	&mov	("esp",&DWP(16*7+4,"esp"));	# restore %esp
 &function_end("aesni_xts_decrypt");
 }
@@ -1808,6 +1880,7 @@ if ($PREFIX eq "aesni") {
 	&add	($len,16);
 	&jnz	(&label("cbc_enc_tail"));
 	&movaps	($ivec,$inout0);
+	&pxor	($inout0,$inout0);
 	&jmp	(&label("cbc_ret"));
 
 &set_label("cbc_enc_tail");
@@ -1871,7 +1944,7 @@ if ($PREFIX eq "aesni") {
 	&movaps	($inout0,$inout5);
 	&movaps	($ivec,$rndkey0);
 	&add	($len,0x50);
-	&jle	(&label("cbc_dec_tail_collected"));
+	&jle	(&label("cbc_dec_clear_tail_collected"));
 	&movups	(&QWP(0,$out),$inout0);
 	&lea	($out,&DWP(0x10,$out));
 &set_label("cbc_dec_tail");
@@ -1910,10 +1983,14 @@ if ($PREFIX eq "aesni") {
 	&xorps	($inout4,$rndkey0);
 	&movups	(&QWP(0,$out),$inout0);
 	&movups	(&QWP(0x10,$out),$inout1);
+	&pxor	($inout1,$inout1);
 	&movups	(&QWP(0x20,$out),$inout2);
+	&pxor	($inout2,$inout2);
 	&movups	(&QWP(0x30,$out),$inout3);
+	&pxor	($inout3,$inout3);
 	&lea	($out,&DWP(0x40,$out));
 	&movaps	($inout0,$inout4);
+	&pxor	($inout4,$inout4);
 	&sub	($len,0x50);
 	&jmp	(&label("cbc_dec_tail_collected"));
 
@@ -1933,6 +2010,7 @@ if ($PREFIX eq "aesni") {
 	&xorps	($inout1,$in0);
 	&movups	(&QWP(0,$out),$inout0);
 	&movaps	($inout0,$inout1);
+	&pxor	($inout1,$inout1);
 	&lea	($out,&DWP(0x10,$out));
 	&movaps	($ivec,$in1);
 	&sub	($len,0x20);
@@ -1945,7 +2023,9 @@ if ($PREFIX eq "aesni") {
 	&xorps	($inout2,$in1);
 	&movups	(&QWP(0,$out),$inout0);
 	&movaps	($inout0,$inout2);
+	&pxor	($inout2,$inout2);
 	&movups	(&QWP(0x10,$out),$inout1);
+	&pxor	($inout1,$inout1);
 	&lea	($out,&DWP(0x20,$out));
 	&movups	($ivec,&QWP(0x20,$inp));
 	&sub	($len,0x30);
@@ -1961,29 +2041,44 @@ if ($PREFIX eq "aesni") {
 	&movups	(&QWP(0,$out),$inout0);
 	&xorps	($inout2,$rndkey1);
 	&movups	(&QWP(0x10,$out),$inout1);
+	&pxor	($inout1,$inout1);
 	&xorps	($inout3,$rndkey0);
 	&movups	(&QWP(0x20,$out),$inout2);
+	&pxor	($inout2,$inout2);
 	&lea	($out,&DWP(0x30,$out));
 	&movaps	($inout0,$inout3);
+	&pxor	($inout3,$inout3);
 	&sub	($len,0x40);
+	&jmp	(&label("cbc_dec_tail_collected"));
 
+&set_label("cbc_dec_clear_tail_collected",16);
+	&pxor	($inout1,$inout1);
+	&pxor	($inout2,$inout2);
+	&pxor	($inout3,$inout3);
+	&pxor	($inout4,$inout4);
 &set_label("cbc_dec_tail_collected");
 	&and	($len,15);
 	&jnz	(&label("cbc_dec_tail_partial"));
 	&movups	(&QWP(0,$out),$inout0);
+	&pxor	($rndkey0,$rndkey0);
 	&jmp	(&label("cbc_ret"));
 
 &set_label("cbc_dec_tail_partial",16);
 	&movaps	(&QWP(0,"esp"),$inout0);
+	&pxor	($rndkey0,$rndkey0);
 	&mov	("ecx",16);
 	&mov	($inp,"esp");
 	&sub	("ecx",$len);
 	&data_word(0xA4F3F689);		# rep movsb
+	&movdqa	(&QWP(0,"esp"),$inout0);
 
 &set_label("cbc_ret");
 	&mov	("esp",&DWP(16,"esp"));	# pull original %esp
 	&mov	($key_,&wparam(4));
+	&pxor	($inout0,$inout0);
+	&pxor	($rndkey1,$rndkey1);
 	&movups	(&QWP(0,$key_),$ivec);	# output IV
+	&pxor	($ivec,$ivec);
 &set_label("cbc_abort");
 &function_end("${PREFIX}_cbc_encrypt");
 
@@ -2000,14 +2095,24 @@ if ($PREFIX eq "aesni") {
 #	$round	rounds
 
 &function_begin_B("_aesni_set_encrypt_key");
+	&push	("ebp");
+	&push	("ebx");
 	&test	("eax","eax");
 	&jz	(&label("bad_pointer"));
 	&test	($key,$key);
 	&jz	(&label("bad_pointer"));
 
+	&call	(&label("pic"));
+&set_label("pic");
+	&blindpop("ebx");
+	&lea	("ebx",&DWP(&label("key_const")."-".&label("pic"),"ebx"));
+
+	&picmeup("ebp","OPENSSL_ia32cap_P","ebx",&label("key_const"));
 	&movups	("xmm0",&QWP(0,"eax"));	# pull first 128 bits of *userKey
 	&xorps	("xmm4","xmm4");	# low dword of xmm4 is assumed 0
+	&mov	("ebp",&DWP(4,"ebp"));
 	&lea	($key,&DWP(16,$key));
+	&and	("ebp",1<<28|1<<11);	# AVX and XOP bits
 	&cmp	($rounds,256);
 	&je	(&label("14rounds"));
 	&cmp	($rounds,192);
@@ -2016,6 +2121,9 @@ if ($PREFIX eq "aesni") {
 	&jne	(&label("bad_keybits"));
 
 &set_label("10rounds",16);
+	&cmp		("ebp",1<<28);
+	&je		(&label("10rounds_alt"));
+
 	&mov		($rounds,9);
 	&$movekey	(&QWP(-16,$key),"xmm0");	# round 0
 	&aeskeygenassist("xmm1","xmm0",0x01);		# round 1
@@ -2040,8 +2148,8 @@ if ($PREFIX eq "aesni") {
 	&call		(&label("key_128"));
 	&$movekey	(&QWP(0,$key),"xmm0");
 	&mov		(&DWP(80,$key),$rounds);
-	&xor		("eax","eax");
-	&ret();
+
+	&jmp	(&label("good_key"));
 
 &set_label("key_128",16);
 	&$movekey	(&QWP(0,$key),"xmm0");
@@ -2055,8 +2163,76 @@ if ($PREFIX eq "aesni") {
 	&xorps		("xmm0","xmm1");
 	&ret();
 
+&set_label("10rounds_alt",16);
+	&movdqa		("xmm5",&QWP(0x00,"ebx"));
+	&mov		($rounds,8);
+	&movdqa		("xmm4",&QWP(0x20,"ebx"));
+	&movdqa		("xmm2","xmm0");
+	&movdqu		(&QWP(-16,$key),"xmm0");
+
+&set_label("loop_key128");
+	&pshufb		("xmm0","xmm5");
+	&aesenclast	("xmm0","xmm4");
+	&pslld		("xmm4",1);
+	&lea		($key,&DWP(16,$key));
+
+	&movdqa		("xmm3","xmm2");
+	&pslldq		("xmm2",4);
+	&pxor		("xmm3","xmm2");
+	&pslldq		("xmm2",4);
+	&pxor		("xmm3","xmm2");
+	&pslldq		("xmm2",4);
+	&pxor		("xmm2","xmm3");
+
+	&pxor		("xmm0","xmm2");
+	&movdqu		(&QWP(-16,$key),"xmm0");
+	&movdqa		("xmm2","xmm0");
+
+	&dec		($rounds);
+	&jnz		(&label("loop_key128"));
+
+	&movdqa		("xmm4",&QWP(0x30,"ebx"));
+
+	&pshufb		("xmm0","xmm5");
+	&aesenclast	("xmm0","xmm4");
+	&pslld		("xmm4",1);
+
+	&movdqa		("xmm3","xmm2");
+	&pslldq		("xmm2",4);
+	&pxor		("xmm3","xmm2");
+	&pslldq		("xmm2",4);
+	&pxor		("xmm3","xmm2");
+	&pslldq		("xmm2",4);
+	&pxor		("xmm2","xmm3");
+
+	&pxor		("xmm0","xmm2");
+	&movdqu		(&QWP(0,$key),"xmm0");
+
+	&movdqa		("xmm2","xmm0");
+	&pshufb		("xmm0","xmm5");
+	&aesenclast	("xmm0","xmm4");
+
+	&movdqa		("xmm3","xmm2");
+	&pslldq		("xmm2",4);
+	&pxor		("xmm3","xmm2");
+	&pslldq		("xmm2",4);
+	&pxor		("xmm3","xmm2");
+	&pslldq		("xmm2",4);
+	&pxor		("xmm2","xmm3");
+
+	&pxor		("xmm0","xmm2");
+	&movdqu		(&QWP(16,$key),"xmm0");
+
+	&mov		($rounds,9);
+	&mov		(&DWP(96,$key),$rounds);
+
+	&jmp	(&label("good_key"));
+
 &set_label("12rounds",16);
 	&movq		("xmm2",&QWP(16,"eax"));	# remaining 1/3 of *userKey
+	&cmp		("ebp",1<<28);
+	&je		(&label("12rounds_alt"));
+
 	&mov		($rounds,11);
 	&$movekey	(&QWP(-16,$key),"xmm0");	# round 0
 	&aeskeygenassist("xmm1","xmm2",0x01);		# round 1,2
@@ -2077,8 +2253,8 @@ if ($PREFIX eq "aesni") {
 	&call		(&label("key_192b"));
 	&$movekey	(&QWP(0,$key),"xmm0");
 	&mov		(&DWP(48,$key),$rounds);
-	&xor		("eax","eax");
-	&ret();
+
+	&jmp	(&label("good_key"));
 
 &set_label("key_192a",16);
 	&$movekey	(&QWP(0,$key),"xmm0");
@@ -2108,10 +2284,52 @@ if ($PREFIX eq "aesni") {
 	&lea		($key,&DWP(32,$key));
 	&jmp		(&label("key_192b_warm"));
 
+&set_label("12rounds_alt",16);
+	&movdqa		("xmm5",&QWP(0x10,"ebx"));
+	&movdqa		("xmm4",&QWP(0x20,"ebx"));
+	&mov		($rounds,8);
+	&movdqu		(&QWP(-16,$key),"xmm0");
+
+&set_label("loop_key192");
+	&movq		(&QWP(0,$key),"xmm2");
+	&movdqa		("xmm1","xmm2");
+	&pshufb		("xmm2","xmm5");
+	&aesenclast	("xmm2","xmm4");
+	&pslld		("xmm4",1);
+	&lea		($key,&DWP(24,$key));
+
+	&movdqa		("xmm3","xmm0");
+	&pslldq		("xmm0",4);
+	&pxor		("xmm3","xmm0");
+	&pslldq		("xmm0",4);
+	&pxor		("xmm3","xmm0");
+	&pslldq		("xmm0",4);
+	&pxor		("xmm0","xmm3");
+
+	&pshufd		("xmm3","xmm0",0xff);
+	&pxor		("xmm3","xmm1");
+	&pslldq		("xmm1",4);
+	&pxor		("xmm3","xmm1");
+
+	&pxor		("xmm0","xmm2");
+	&pxor		("xmm2","xmm3");
+	&movdqu		(&QWP(-16,$key),"xmm0");
+
+	&dec		($rounds);
+	&jnz		(&label("loop_key192"));
+
+	&mov	($rounds,11);
+	&mov	(&DWP(32,$key),$rounds);
+
+	&jmp	(&label("good_key"));
+
 &set_label("14rounds",16);
 	&movups		("xmm2",&QWP(16,"eax"));	# remaining half of *userKey
-	&mov		($rounds,13);
 	&lea		($key,&DWP(16,$key));
+	&cmp		("ebp",1<<28);
+	&je		(&label("14rounds_alt"));
+
+	&mov		($rounds,13);
 	&$movekey	(&QWP(-32,$key),"xmm0");	# round 0
 	&$movekey	(&QWP(-16,$key),"xmm2");	# round 1
 	&aeskeygenassist("xmm1","xmm2",0x01);		# round 2
@@ -2143,7 +2361,8 @@ if ($PREFIX eq "aesni") {
 	&$movekey	(&QWP(0,$key),"xmm0");
 	&mov		(&DWP(16,$key),$rounds);
 	&xor		("eax","eax");
-	&ret();
+
+	&jmp	(&label("good_key"));
 
 &set_label("key_256a",16);
 	&$movekey	(&QWP(0,$key),"xmm2");
@@ -2169,11 +2388,77 @@ if ($PREFIX eq "aesni") {
 	&xorps		("xmm2","xmm1");
 	&ret();
 
+&set_label("14rounds_alt",16);
+	&movdqa		("xmm5",&QWP(0x00,"ebx"));
+	&movdqa		("xmm4",&QWP(0x20,"ebx"));
+	&mov		($rounds,7);
+	&movdqu		(&QWP(-32,$key),"xmm0");
+	&movdqa		("xmm1","xmm2");
+	&movdqu		(&QWP(-16,$key),"xmm2");
+
+&set_label("loop_key256");
+	&pshufb		("xmm2","xmm5");
+	&aesenclast	("xmm2","xmm4");
+
+	&movdqa		("xmm3","xmm0");
+	&pslldq		("xmm0",4);
+	&pxor		("xmm3","xmm0");
+	&pslldq		("xmm0",4);
+	&pxor		("xmm3","xmm0");
+	&pslldq		("xmm0",4);
+	&pxor		("xmm0","xmm3");
+	&pslld		("xmm4",1);
+
+	&pxor		("xmm0","xmm2");
+	&movdqu		(&QWP(0,$key),"xmm0");
+
+	&dec		($rounds);
+	&jz		(&label("done_key256"));
+
+	&pshufd		("xmm2","xmm0",0xff);
+	&pxor		("xmm3","xmm3");
+	&aesenclast	("xmm2","xmm3");
+
+	&movdqa		("xmm3","xmm1")
+	&pslldq		("xmm1",4);
+	&pxor		("xmm3","xmm1");
+	&pslldq		("xmm1",4);
+	&pxor		("xmm3","xmm1");
+	&pslldq		("xmm1",4);
+	&pxor		("xmm1","xmm3");
+
+	&pxor		("xmm2","xmm1");
+	&movdqu		(&QWP(16,$key),"xmm2");
+	&lea		($key,&DWP(32,$key));
+	&movdqa		("xmm1","xmm2");
+	&jmp		(&label("loop_key256"));
+
+&set_label("done_key256");
+	&mov		($rounds,13);
+	&mov		(&DWP(16,$key),$rounds);
+
+&set_label("good_key");
+	&pxor	("xmm0","xmm0");
+	&pxor	("xmm1","xmm1");
+	&pxor	("xmm2","xmm2");
+	&pxor	("xmm3","xmm3");
+	&pxor	("xmm4","xmm4");
+	&pxor	("xmm5","xmm5");
+	&xor	("eax","eax");
+	&pop	("ebx");
+	&pop	("ebp");
+	&ret	();
+
 &set_label("bad_pointer",4);
 	&mov	("eax",-1);
+	&pop	("ebx");
+	&pop	("ebp");
 	&ret	();
 &set_label("bad_keybits",4);
+	&pxor	("xmm0","xmm0");
 	&mov	("eax",-2);
+	&pop	("ebx");
+	&pop	("ebp");
 	&ret	();
 &function_end_B("_aesni_set_encrypt_key");
 
@@ -2223,10 +2508,18 @@ if ($PREFIX eq "aesni") {
 	&aesimc		("xmm0","xmm0");
 	&$movekey	(&QWP(0,$key),"xmm0");
 
+	&pxor		("xmm0","xmm0");
+	&pxor		("xmm1","xmm1");
 	&xor		("eax","eax");		# return success
 &set_label("dec_key_ret");
 	&ret	();
 &function_end_B("${PREFIX}_set_decrypt_key");
+
+&set_label("key_const",64);
+&data_word(0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d);
+&data_word(0x04070605,0x04070605,0x04070605,0x04070605);
+&data_word(1,1,1,1);
+&data_word(0x1b,0x1b,0x1b,0x1b);
 &asciz("AES for Intel AES-NI, CRYPTOGAMS by <appro\@openssl.org>");
 
 &asm_finish();
diff --git a/src/crypto/aes/asm/aesni-x86_64.pl b/src/crypto/aes/asm/aesni-x86_64.pl
index 5f61746..25ca574 100644
--- a/src/crypto/aes/asm/aesni-x86_64.pl
+++ b/src/crypto/aes/asm/aesni-x86_64.pl
@@ -165,11 +165,11 @@
 # Westmere	3.77/1.25	1.25	1.25	1.26
 # * Bridge	5.07/0.74	0.75	0.90	0.85
 # Haswell	4.44/0.63	0.63	0.73	0.63
-# Atom		5.75/3.54	3.56	4.12	3.87(*)
+# Silvermont	5.75/3.54	3.56	4.12	3.87(*)
 # Bulldozer	5.77/0.70	0.72	0.90	0.70
 #
-# (*)	Atom ECB result is suboptimal because of penalties incurred
-#	by operations on %xmm8-15. As ECB is not considered
+# (*)	Atom Silvermont ECB result is suboptimal because of penalties
+#	incurred by operations on %xmm8-15. As ECB is not considered
 #	critical, nothing was done to mitigate the problem.
 
 $PREFIX="aesni";	# if $PREFIX is set to "AES", the script
@@ -263,7 +263,10 @@ ${PREFIX}_encrypt:
 ___
 	&aesni_generate1("enc",$key,$rounds);
 $code.=<<___;
+	 pxor	$rndkey0,$rndkey0	# clear register bank
+	 pxor	$rndkey1,$rndkey1
 	movups	$inout0,($out)		# output
+	 pxor	$inout0,$inout0
 	ret
 .size	${PREFIX}_encrypt,.-${PREFIX}_encrypt
 
@@ -276,7 +279,10 @@ ${PREFIX}_decrypt:
 ___
 	&aesni_generate1("dec",$key,$rounds);
 $code.=<<___;
+	 pxor	$rndkey0,$rndkey0	# clear register bank
+	 pxor	$rndkey1,$rndkey1
 	movups	$inout0,($out)		# output
+	 pxor	$inout0,$inout0
 	ret
 .size	${PREFIX}_decrypt, .-${PREFIX}_decrypt
 ___
@@ -445,21 +451,18 @@ _aesni_${dir}rypt6:
 	pxor		$rndkey0,$inout4
 	aes${dir}	$rndkey1,$inout2
 	pxor		$rndkey0,$inout5
+	$movkey		($key,%rax),$rndkey0
 	add		\$16,%rax
-	aes${dir}	$rndkey1,$inout3
-	aes${dir}	$rndkey1,$inout4
-	aes${dir}	$rndkey1,$inout5
-	$movkey		-16($key,%rax),$rndkey0
 	jmp		.L${dir}_loop6_enter
 .align	16
 .L${dir}_loop6:
 	aes${dir}	$rndkey1,$inout0
 	aes${dir}	$rndkey1,$inout1
 	aes${dir}	$rndkey1,$inout2
+.L${dir}_loop6_enter:
 	aes${dir}	$rndkey1,$inout3
 	aes${dir}	$rndkey1,$inout4
 	aes${dir}	$rndkey1,$inout5
-.L${dir}_loop6_enter:
 	$movkey		($key,%rax),$rndkey1
 	add		\$32,%rax
 	aes${dir}	$rndkey0,$inout0
@@ -506,23 +509,18 @@ _aesni_${dir}rypt8:
 	lea		32($key,$rounds),$key
 	neg		%rax			# $rounds
 	aes${dir}	$rndkey1,$inout0
-	add		\$16,%rax
 	pxor		$rndkey0,$inout5
-	aes${dir}	$rndkey1,$inout1
 	pxor		$rndkey0,$inout6
+	aes${dir}	$rndkey1,$inout1
 	pxor		$rndkey0,$inout7
-	aes${dir}	$rndkey1,$inout2
-	aes${dir}	$rndkey1,$inout3
-	aes${dir}	$rndkey1,$inout4
-	aes${dir}	$rndkey1,$inout5
-	aes${dir}	$rndkey1,$inout6
-	aes${dir}	$rndkey1,$inout7
-	$movkey		-16($key,%rax),$rndkey0
-	jmp		.L${dir}_loop8_enter
+	$movkey		($key,%rax),$rndkey0
+	add		\$16,%rax
+	jmp		.L${dir}_loop8_inner
 .align	16
 .L${dir}_loop8:
 	aes${dir}	$rndkey1,$inout0
 	aes${dir}	$rndkey1,$inout1
+.L${dir}_loop8_inner:
 	aes${dir}	$rndkey1,$inout2
 	aes${dir}	$rndkey1,$inout3
 	aes${dir}	$rndkey1,$inout4
@@ -587,15 +585,15 @@ aesni_ecb_encrypt:
 ___
 $code.=<<___ if ($win64);
 	lea	-0x58(%rsp),%rsp
-	movaps	%xmm6,(%rsp)
+	movaps	%xmm6,(%rsp)		# offload $inout4..7
 	movaps	%xmm7,0x10(%rsp)
 	movaps	%xmm8,0x20(%rsp)
 	movaps	%xmm9,0x30(%rsp)
 .Lecb_enc_body:
 ___
 $code.=<<___;
-	and	\$-16,$len
-	jz	.Lecb_ret
+	and	\$-16,$len		# if ($len<16)
+	jz	.Lecb_ret		# return
 
 	mov	240($key),$rounds	# key->rounds
 	$movkey	($key),$rndkey0
@@ -604,10 +602,10 @@ $code.=<<___;
 	test	%r8d,%r8d		# 5th argument
 	jz	.Lecb_decrypt
 #--------------------------- ECB ENCRYPT ------------------------------#
-	cmp	\$0x80,$len
-	jb	.Lecb_enc_tail
+	cmp	\$0x80,$len		# if ($len<8*16)
+	jb	.Lecb_enc_tail		# short input
 
-	movdqu	($inp),$inout0
+	movdqu	($inp),$inout0		# load 8 input blocks
 	movdqu	0x10($inp),$inout1
 	movdqu	0x20($inp),$inout2
 	movdqu	0x30($inp),$inout3
@@ -615,14 +613,14 @@ $code.=<<___;
 	movdqu	0x50($inp),$inout5
 	movdqu	0x60($inp),$inout6
 	movdqu	0x70($inp),$inout7
-	lea	0x80($inp),$inp
-	sub	\$0x80,$len
+	lea	0x80($inp),$inp		# $inp+=8*16
+	sub	\$0x80,$len		# $len-=8*16 (can be zero)
 	jmp	.Lecb_enc_loop8_enter
 .align 16
 .Lecb_enc_loop8:
-	movups	$inout0,($out)
+	movups	$inout0,($out)		# store 8 output blocks
 	mov	$key_,$key		# restore $key
-	movdqu	($inp),$inout0
+	movdqu	($inp),$inout0		# load 8 input blocks
 	mov	$rnds_,$rounds		# restore $rounds
 	movups	$inout1,0x10($out)
 	movdqu	0x10($inp),$inout1
@@ -637,17 +635,17 @@ $code.=<<___;
 	movups	$inout6,0x60($out)
 	movdqu	0x60($inp),$inout6
 	movups	$inout7,0x70($out)
-	lea	0x80($out),$out
+	lea	0x80($out),$out		# $out+=8*16
 	movdqu	0x70($inp),$inout7
-	lea	0x80($inp),$inp
+	lea	0x80($inp),$inp		# $inp+=8*16
 .Lecb_enc_loop8_enter:
 
 	call	_aesni_encrypt8
 
 	sub	\$0x80,$len
-	jnc	.Lecb_enc_loop8
+	jnc	.Lecb_enc_loop8		# loop if $len-=8*16 didn't borrow
 
-	movups	$inout0,($out)
+	movups	$inout0,($out)		# store 8 output blocks
 	mov	$key_,$key		# restore $key
 	movups	$inout1,0x10($out)
 	mov	$rnds_,$rounds		# restore $rounds
@@ -657,11 +655,11 @@ $code.=<<___;
 	movups	$inout5,0x50($out)
 	movups	$inout6,0x60($out)
 	movups	$inout7,0x70($out)
-	lea	0x80($out),$out
-	add	\$0x80,$len
-	jz	.Lecb_ret
+	lea	0x80($out),$out		# $out+=8*16
+	add	\$0x80,$len		# restore real remaining $len
+	jz	.Lecb_ret		# done if ($len==0)
 
-.Lecb_enc_tail:
+.Lecb_enc_tail:				# $len is less than 8*16
 	movups	($inp),$inout0
 	cmp	\$0x20,$len
 	jb	.Lecb_enc_one
@@ -678,8 +676,9 @@ $code.=<<___;
 	movups	0x50($inp),$inout5
 	je	.Lecb_enc_six
 	movdqu	0x60($inp),$inout6
+	xorps	$inout7,$inout7
 	call	_aesni_encrypt8
-	movups	$inout0,($out)
+	movups	$inout0,($out)		# store 7 output blocks
 	movups	$inout1,0x10($out)
 	movups	$inout2,0x20($out)
 	movups	$inout3,0x30($out)
@@ -692,25 +691,25 @@ $code.=<<___;
 ___
 	&aesni_generate1("enc",$key,$rounds);
 $code.=<<___;
-	movups	$inout0,($out)
+	movups	$inout0,($out)		# store one output block
 	jmp	.Lecb_ret
 .align	16
 .Lecb_enc_two:
 	call	_aesni_encrypt2
-	movups	$inout0,($out)
+	movups	$inout0,($out)		# store 2 output blocks
 	movups	$inout1,0x10($out)
 	jmp	.Lecb_ret
 .align	16
 .Lecb_enc_three:
 	call	_aesni_encrypt3
-	movups	$inout0,($out)
+	movups	$inout0,($out)		# store 3 output blocks
 	movups	$inout1,0x10($out)
 	movups	$inout2,0x20($out)
 	jmp	.Lecb_ret
 .align	16
 .Lecb_enc_four:
 	call	_aesni_encrypt4
-	movups	$inout0,($out)
+	movups	$inout0,($out)		# store 4 output blocks
 	movups	$inout1,0x10($out)
 	movups	$inout2,0x20($out)
 	movups	$inout3,0x30($out)
@@ -719,7 +718,7 @@ $code.=<<___;
 .Lecb_enc_five:
 	xorps	$inout5,$inout5
 	call	_aesni_encrypt6
-	movups	$inout0,($out)
+	movups	$inout0,($out)		# store 5 output blocks
 	movups	$inout1,0x10($out)
 	movups	$inout2,0x20($out)
 	movups	$inout3,0x30($out)
@@ -728,7 +727,7 @@ $code.=<<___;
 .align	16
 .Lecb_enc_six:
 	call	_aesni_encrypt6
-	movups	$inout0,($out)
+	movups	$inout0,($out)		# store 6 output blocks
 	movups	$inout1,0x10($out)
 	movups	$inout2,0x20($out)
 	movups	$inout3,0x30($out)
@@ -738,10 +737,10 @@ $code.=<<___;
 #--------------------------- ECB DECRYPT ------------------------------#
 .align	16
 .Lecb_decrypt:
-	cmp	\$0x80,$len
-	jb	.Lecb_dec_tail
+	cmp	\$0x80,$len		# if ($len<8*16)
+	jb	.Lecb_dec_tail		# short input
 
-	movdqu	($inp),$inout0
+	movdqu	($inp),$inout0		# load 8 input blocks
 	movdqu	0x10($inp),$inout1
 	movdqu	0x20($inp),$inout2
 	movdqu	0x30($inp),$inout3
@@ -749,14 +748,14 @@ $code.=<<___;
 	movdqu	0x50($inp),$inout5
 	movdqu	0x60($inp),$inout6
 	movdqu	0x70($inp),$inout7
-	lea	0x80($inp),$inp
-	sub	\$0x80,$len
+	lea	0x80($inp),$inp		# $inp+=8*16
+	sub	\$0x80,$len		# $len-=8*16 (can be zero)
 	jmp	.Lecb_dec_loop8_enter
 .align 16
 .Lecb_dec_loop8:
-	movups	$inout0,($out)
+	movups	$inout0,($out)		# store 8 output blocks
 	mov	$key_,$key		# restore $key
-	movdqu	($inp),$inout0
+	movdqu	($inp),$inout0		# load 8 input blocks
 	mov	$rnds_,$rounds		# restore $rounds
 	movups	$inout1,0x10($out)
 	movdqu	0x10($inp),$inout1
@@ -771,30 +770,38 @@ $code.=<<___;
 	movups	$inout6,0x60($out)
 	movdqu	0x60($inp),$inout6
 	movups	$inout7,0x70($out)
-	lea	0x80($out),$out
+	lea	0x80($out),$out		# $out+=8*16
 	movdqu	0x70($inp),$inout7
-	lea	0x80($inp),$inp
+	lea	0x80($inp),$inp		# $inp+=8*16
 .Lecb_dec_loop8_enter:
 
 	call	_aesni_decrypt8
 
 	$movkey	($key_),$rndkey0
 	sub	\$0x80,$len
-	jnc	.Lecb_dec_loop8
+	jnc	.Lecb_dec_loop8		# loop if $len-=8*16 didn't borrow
 
-	movups	$inout0,($out)
+	movups	$inout0,($out)		# store 8 output blocks
+	 pxor	$inout0,$inout0		# clear register bank
 	mov	$key_,$key		# restore $key
 	movups	$inout1,0x10($out)
+	 pxor	$inout1,$inout1
 	mov	$rnds_,$rounds		# restore $rounds
 	movups	$inout2,0x20($out)
+	 pxor	$inout2,$inout2
 	movups	$inout3,0x30($out)
+	 pxor	$inout3,$inout3
 	movups	$inout4,0x40($out)
+	 pxor	$inout4,$inout4
 	movups	$inout5,0x50($out)
+	 pxor	$inout5,$inout5
 	movups	$inout6,0x60($out)
+	 pxor	$inout6,$inout6
 	movups	$inout7,0x70($out)
-	lea	0x80($out),$out
-	add	\$0x80,$len
-	jz	.Lecb_ret
+	 pxor	$inout7,$inout7
+	lea	0x80($out),$out		# $out+=8*16
+	add	\$0x80,$len		# restore real remaining $len
+	jz	.Lecb_ret		# done if ($len==0)
 
 .Lecb_dec_tail:
 	movups	($inp),$inout0
@@ -814,70 +821,107 @@ $code.=<<___;
 	je	.Lecb_dec_six
 	movups	0x60($inp),$inout6
 	$movkey	($key),$rndkey0
+	xorps	$inout7,$inout7
 	call	_aesni_decrypt8
-	movups	$inout0,($out)
+	movups	$inout0,($out)		# store 7 output blocks
+	 pxor	$inout0,$inout0		# clear register bank
 	movups	$inout1,0x10($out)
+	 pxor	$inout1,$inout1
 	movups	$inout2,0x20($out)
+	 pxor	$inout2,$inout2
 	movups	$inout3,0x30($out)
+	 pxor	$inout3,$inout3
 	movups	$inout4,0x40($out)
+	 pxor	$inout4,$inout4
 	movups	$inout5,0x50($out)
+	 pxor	$inout5,$inout5
 	movups	$inout6,0x60($out)
+	 pxor	$inout6,$inout6
+	 pxor	$inout7,$inout7
 	jmp	.Lecb_ret
 .align	16
 .Lecb_dec_one:
 ___
 	&aesni_generate1("dec",$key,$rounds);
 $code.=<<___;
-	movups	$inout0,($out)
+	movups	$inout0,($out)		# store one output block
+	 pxor	$inout0,$inout0		# clear register bank
 	jmp	.Lecb_ret
 .align	16
 .Lecb_dec_two:
 	call	_aesni_decrypt2
-	movups	$inout0,($out)
+	movups	$inout0,($out)		# store 2 output blocks
+	 pxor	$inout0,$inout0		# clear register bank
 	movups	$inout1,0x10($out)
+	 pxor	$inout1,$inout1
 	jmp	.Lecb_ret
 .align	16
 .Lecb_dec_three:
 	call	_aesni_decrypt3
-	movups	$inout0,($out)
+	movups	$inout0,($out)		# store 3 output blocks
+	 pxor	$inout0,$inout0		# clear register bank
 	movups	$inout1,0x10($out)
+	 pxor	$inout1,$inout1
 	movups	$inout2,0x20($out)
+	 pxor	$inout2,$inout2
 	jmp	.Lecb_ret
 .align	16
 .Lecb_dec_four:
 	call	_aesni_decrypt4
-	movups	$inout0,($out)
+	movups	$inout0,($out)		# store 4 output blocks
+	 pxor	$inout0,$inout0		# clear register bank
 	movups	$inout1,0x10($out)
+	 pxor	$inout1,$inout1
 	movups	$inout2,0x20($out)
+	 pxor	$inout2,$inout2
 	movups	$inout3,0x30($out)
+	 pxor	$inout3,$inout3
 	jmp	.Lecb_ret
 .align	16
 .Lecb_dec_five:
 	xorps	$inout5,$inout5
 	call	_aesni_decrypt6
-	movups	$inout0,($out)
+	movups	$inout0,($out)		# store 5 output blocks
+	 pxor	$inout0,$inout0		# clear register bank
 	movups	$inout1,0x10($out)
+	 pxor	$inout1,$inout1
 	movups	$inout2,0x20($out)
+	 pxor	$inout2,$inout2
 	movups	$inout3,0x30($out)
+	 pxor	$inout3,$inout3
 	movups	$inout4,0x40($out)
+	 pxor	$inout4,$inout4
+	 pxor	$inout5,$inout5
 	jmp	.Lecb_ret
 .align	16
 .Lecb_dec_six:
 	call	_aesni_decrypt6
-	movups	$inout0,($out)
+	movups	$inout0,($out)		# store 6 output blocks
+	 pxor	$inout0,$inout0		# clear register bank
 	movups	$inout1,0x10($out)
+	 pxor	$inout1,$inout1
 	movups	$inout2,0x20($out)
+	 pxor	$inout2,$inout2
 	movups	$inout3,0x30($out)
+	 pxor	$inout3,$inout3
 	movups	$inout4,0x40($out)
+	 pxor	$inout4,$inout4
 	movups	$inout5,0x50($out)
+	 pxor	$inout5,$inout5
 
 .Lecb_ret:
+	xorps	$rndkey0,$rndkey0	# %xmm0
+	pxor	$rndkey1,$rndkey1
 ___
 $code.=<<___ if ($win64);
 	movaps	(%rsp),%xmm6
+	movaps	%xmm0,(%rsp)		# clear stack
 	movaps	0x10(%rsp),%xmm7
+	movaps	%xmm0,0x10(%rsp)
 	movaps	0x20(%rsp),%xmm8
+	movaps	%xmm0,0x20(%rsp)
 	movaps	0x30(%rsp),%xmm9
+	movaps	%xmm0,0x30(%rsp)
 	lea	0x58(%rsp),%rsp
 .Lecb_enc_ret:
 ___
@@ -911,10 +955,10 @@ aesni_ccm64_encrypt_blocks:
 ___
 $code.=<<___ if ($win64);
 	lea	-0x58(%rsp),%rsp
-	movaps	%xmm6,(%rsp)
-	movaps	%xmm7,0x10(%rsp)
-	movaps	%xmm8,0x20(%rsp)
-	movaps	%xmm9,0x30(%rsp)
+	movaps	%xmm6,(%rsp)		# $iv
+	movaps	%xmm7,0x10(%rsp)	# $bswap_mask
+	movaps	%xmm8,0x20(%rsp)	# $in0
+	movaps	%xmm9,0x30(%rsp)	# $increment
 .Lccm64_enc_body:
 ___
 $code.=<<___;
@@ -956,7 +1000,7 @@ $code.=<<___;
 	aesenc	$rndkey1,$inout0
 	aesenc	$rndkey1,$inout1
 	paddq	$increment,$iv
-	dec	$len
+	dec	$len				# $len-- ($len is in blocks)
 	aesenclast	$rndkey0,$inout0
 	aesenclast	$rndkey0,$inout1
 
@@ -965,16 +1009,26 @@ $code.=<<___;
 	movdqa	$iv,$inout0
 	movups	$in0,($out)			# save output
 	pshufb	$bswap_mask,$inout0
-	lea	16($out),$out
-	jnz	.Lccm64_enc_outer
+	lea	16($out),$out			# $out+=16
+	jnz	.Lccm64_enc_outer		# loop if ($len!=0)
 
-	movups	$inout1,($cmac)
+	 pxor	$rndkey0,$rndkey0		# clear register bank
+	 pxor	$rndkey1,$rndkey1
+	 pxor	$inout0,$inout0
+	movups	$inout1,($cmac)			# store resulting mac
+	 pxor	$inout1,$inout1
+	 pxor	$in0,$in0
+	 pxor	$iv,$iv
 ___
 $code.=<<___ if ($win64);
 	movaps	(%rsp),%xmm6
+	movaps	%xmm0,(%rsp)			# clear stack
 	movaps	0x10(%rsp),%xmm7
+	movaps	%xmm0,0x10(%rsp)
 	movaps	0x20(%rsp),%xmm8
+	movaps	%xmm0,0x20(%rsp)
 	movaps	0x30(%rsp),%xmm9
+	movaps	%xmm0,0x30(%rsp)
 	lea	0x58(%rsp),%rsp
 .Lccm64_enc_ret:
 ___
@@ -991,10 +1045,10 @@ aesni_ccm64_decrypt_blocks:
 ___
 $code.=<<___ if ($win64);
 	lea	-0x58(%rsp),%rsp
-	movaps	%xmm6,(%rsp)
-	movaps	%xmm7,0x10(%rsp)
-	movaps	%xmm8,0x20(%rsp)
-	movaps	%xmm9,0x30(%rsp)
+	movaps	%xmm6,(%rsp)		# $iv
+	movaps	%xmm7,0x10(%rsp)	# $bswap_mask
+	movaps	%xmm8,0x20(%rsp)	# $in8
+	movaps	%xmm9,0x30(%rsp)	# $increment
 .Lccm64_dec_body:
 ___
 $code.=<<___;
@@ -1015,7 +1069,7 @@ $code.=<<___;
 	mov	\$16,$rounds
 	movups	($inp),$in0			# load inp
 	paddq	$increment,$iv
-	lea	16($inp),$inp
+	lea	16($inp),$inp			# $inp+=16
 	sub	%r10,%rax			# twisted $rounds
 	lea	32($key_,$rnds_),$key		# end of key schedule
 	mov	%rax,%r10
@@ -1025,11 +1079,11 @@ $code.=<<___;
 	xorps	$inout0,$in0			# inp ^= E(iv)
 	movdqa	$iv,$inout0
 	movups	$in0,($out)			# save output
-	lea	16($out),$out
+	lea	16($out),$out			# $out+=16
 	pshufb	$bswap_mask,$inout0
 
-	sub	\$1,$len
-	jz	.Lccm64_dec_break
+	sub	\$1,$len			# $len-- ($len is in blocks)
+	jz	.Lccm64_dec_break		# if ($len==0) break
 
 	$movkey	($key_),$rndkey0
 	mov	%r10,%rax
@@ -1049,13 +1103,13 @@ $code.=<<___;
 	aesenc	$rndkey0,$inout1
 	$movkey	-16($key,%rax),$rndkey0
 	jnz	.Lccm64_dec2_loop
-	movups	($inp),$in0			# load inp
+	movups	($inp),$in0			# load input
 	paddq	$increment,$iv
 	aesenc	$rndkey1,$inout0
 	aesenc	$rndkey1,$inout1
 	aesenclast	$rndkey0,$inout0
 	aesenclast	$rndkey0,$inout1
-	lea	16($inp),$inp
+	lea	16($inp),$inp			# $inp+=16
 	jmp	.Lccm64_dec_outer
 
 .align	16
@@ -1065,13 +1119,23 @@ $code.=<<___;
 ___
 	&aesni_generate1("enc",$key_,$rounds,$inout1,$in0);
 $code.=<<___;
-	movups	$inout1,($cmac)
+	 pxor	$rndkey0,$rndkey0		# clear register bank
+	 pxor	$rndkey1,$rndkey1
+	 pxor	$inout0,$inout0
+	movups	$inout1,($cmac)			# store resulting mac
+	 pxor	$inout1,$inout1
+	 pxor	$in0,$in0
+	 pxor	$iv,$iv
 ___
 $code.=<<___ if ($win64);
 	movaps	(%rsp),%xmm6
+	movaps	%xmm0,(%rsp)			# clear stack
 	movaps	0x10(%rsp),%xmm7
+	movaps	%xmm0,0x10(%rsp)
 	movaps	0x20(%rsp),%xmm8
+	movaps	%xmm0,0x20(%rsp)
 	movaps	0x30(%rsp),%xmm9
+	movaps	%xmm0,0x30(%rsp)
 	lea	0x58(%rsp),%rsp
 .Lccm64_dec_ret:
 ___
@@ -1102,13 +1166,34 @@ $code.=<<___;
 .type	aesni_ctr32_encrypt_blocks,\@function,5
 .align	16
 aesni_ctr32_encrypt_blocks:
+	cmp	\$1,$len
+	jne	.Lctr32_bulk
+
+	# handle single block without allocating stack frame,
+	# useful when handling edges
+	movups	($ivp),$inout0
+	movups	($inp),$inout1
+	mov	240($key),%edx			# key->rounds
+___
+	&aesni_generate1("enc",$key,"%edx");
+$code.=<<___;
+	 pxor	$rndkey0,$rndkey0		# clear register bank
+	 pxor	$rndkey1,$rndkey1
+	xorps	$inout1,$inout0
+	 pxor	$inout1,$inout1
+	movups	$inout0,($out)
+	 xorps	$inout0,$inout0
+	jmp	.Lctr32_epilogue
+
+.align	16
+.Lctr32_bulk:
 	lea	(%rsp),%rax
 	push	%rbp
 	sub	\$$frame_size,%rsp
 	and	\$-16,%rsp	# Linux kernel stack can be incorrectly seeded
 ___
 $code.=<<___ if ($win64);
-	movaps	%xmm6,-0xa8(%rax)
+	movaps	%xmm6,-0xa8(%rax)		# offload everything
 	movaps	%xmm7,-0x98(%rax)
 	movaps	%xmm8,-0x88(%rax)
 	movaps	%xmm9,-0x78(%rax)
@@ -1123,8 +1208,8 @@ ___
 $code.=<<___;
 	lea	-8(%rax),%rbp
 
-	cmp	\$1,$len
-	je	.Lctr32_one_shortcut
+	# 8 16-byte words on top of stack are counter values
+	# xor-ed with zero-round key
 
 	movdqu	($ivp),$inout0
 	movdqu	($key),$rndkey0
@@ -1139,7 +1224,7 @@ $code.=<<___;
 	movdqa	$inout0,0x40(%rsp)
 	movdqa	$inout0,0x50(%rsp)
 	movdqa	$inout0,0x60(%rsp)
-	mov	%rdx,%r10			# borrow %rdx
+	mov	%rdx,%r10			# about to borrow %rdx
 	movdqa	$inout0,0x70(%rsp)
 
 	lea	1($ctr),%rax
@@ -1183,15 +1268,15 @@ $code.=<<___;
 	movdqa	0x40(%rsp),$inout4
 	movdqa	0x50(%rsp),$inout5
 
-	cmp	\$8,$len
-	jb	.Lctr32_tail
+	cmp	\$8,$len		# $len is in blocks
+	jb	.Lctr32_tail		# short input if ($len<8)
 
-	sub	\$6,$len
+	sub	\$6,$len		# $len is biased by -6
 	cmp	\$`1<<22`,%r10d		# check for MOVBE without XSAVE
-	je	.Lctr32_6x
+	je	.Lctr32_6x		# [which denotes Atom Silvermont]
 
 	lea	0x80($key),$key		# size optimization
-	sub	\$2,$len
+	sub	\$2,$len		# $len is biased by -8
 	jmp	.Lctr32_loop8
 
 .align	16
@@ -1205,13 +1290,13 @@ $code.=<<___;
 
 .align	16
 .Lctr32_loop6:
-	 add	\$6,$ctr
+	 add	\$6,$ctr		# next counter value
 	$movkey	-48($key,$rnds_),$rndkey0
 	aesenc	$rndkey1,$inout0
 	 mov	$ctr,%eax
 	 xor	$key0,%eax
 	aesenc	$rndkey1,$inout1
-	 movbe	%eax,`0x00+12`(%rsp)
+	 movbe	%eax,`0x00+12`(%rsp)	# store next counter value
 	 lea	1($ctr),%eax
 	aesenc	$rndkey1,$inout2
 	 xor	$key0,%eax
@@ -1244,16 +1329,16 @@ $code.=<<___;
 
 	call	.Lenc_loop6
 
-	movdqu	($inp),$inout6
+	movdqu	($inp),$inout6		# load 6 input blocks
 	movdqu	0x10($inp),$inout7
 	movdqu	0x20($inp),$in0
 	movdqu	0x30($inp),$in1
 	movdqu	0x40($inp),$in2
 	movdqu	0x50($inp),$in3
-	lea	0x60($inp),$inp
+	lea	0x60($inp),$inp		# $inp+=6*16
 	$movkey	-64($key,$rnds_),$rndkey1
-	pxor	$inout0,$inout6
-	movaps	0x00(%rsp),$inout0
+	pxor	$inout0,$inout6		# inp^=E(ctr)
+	movaps	0x00(%rsp),$inout0	# load next counter [xor-ed with 0 round]
 	pxor	$inout1,$inout7
 	movaps	0x10(%rsp),$inout1
 	pxor	$inout2,$in0
@@ -1264,19 +1349,19 @@ $code.=<<___;
 	movaps	0x40(%rsp),$inout4
 	pxor	$inout5,$in3
 	movaps	0x50(%rsp),$inout5
-	movdqu	$inout6,($out)
+	movdqu	$inout6,($out)		# store 6 output blocks
 	movdqu	$inout7,0x10($out)
 	movdqu	$in0,0x20($out)
 	movdqu	$in1,0x30($out)
 	movdqu	$in2,0x40($out)
 	movdqu	$in3,0x50($out)
-	lea	0x60($out),$out
-	
+	lea	0x60($out),$out		# $out+=6*16
+
 	sub	\$6,$len
-	jnc	.Lctr32_loop6
+	jnc	.Lctr32_loop6		# loop if $len-=6 didn't borrow
 
-	add	\$6,$len
-	jz	.Lctr32_done
+	add	\$6,$len		# restore real remaining $len
+	jz	.Lctr32_done		# done if ($len==0)
 
 	lea	-48($rnds_),$rounds
 	lea	-80($key,$rnds_),$key	# restore $key
@@ -1286,7 +1371,7 @@ $code.=<<___;
 
 .align	32
 .Lctr32_loop8:
-	 add		\$8,$ctr
+	 add		\$8,$ctr		# next counter value
 	movdqa		0x60(%rsp),$inout6
 	aesenc		$rndkey1,$inout0
 	 mov		$ctr,%r9d
@@ -1298,7 +1383,7 @@ $code.=<<___;
 	 xor		$key0,%r9d
 	 nop
 	aesenc		$rndkey1,$inout3
-	 mov		%r9d,0x00+12(%rsp)
+	 mov		%r9d,0x00+12(%rsp)	# store next counter value
 	 lea		1($ctr),%r9
 	aesenc		$rndkey1,$inout4
 	aesenc		$rndkey1,$inout5
@@ -1331,7 +1416,7 @@ $code.=<<___;
 	aesenc		$rndkey0,$inout1
 	aesenc		$rndkey0,$inout2
 	 xor		$key0,%r9d
-	 movdqu		0x00($inp),$in0
+	 movdqu		0x00($inp),$in0		# start loading input
 	aesenc		$rndkey0,$inout3
 	 mov		%r9d,0x70+12(%rsp)
 	 cmp		\$11,$rounds
@@ -1388,7 +1473,7 @@ $code.=<<___;
 .align	16
 .Lctr32_enc_done:
 	movdqu		0x10($inp),$in1
-	pxor		$rndkey0,$in0
+	pxor		$rndkey0,$in0		# input^=round[last]
 	movdqu		0x20($inp),$in2
 	pxor		$rndkey0,$in1
 	movdqu		0x30($inp),$in3
@@ -1406,11 +1491,11 @@ $code.=<<___;
 	aesenc		$rndkey1,$inout5
 	aesenc		$rndkey1,$inout6
 	aesenc		$rndkey1,$inout7
-	movdqu		0x60($inp),$rndkey1
-	lea		0x80($inp),$inp
+	movdqu		0x60($inp),$rndkey1	# borrow $rndkey1 for inp[6]
+	lea		0x80($inp),$inp		# $inp+=8*16
 
-	aesenclast	$in0,$inout0
-	pxor		$rndkey0,$rndkey1
+	aesenclast	$in0,$inout0		# $inN is inp[N]^round[last]
+	pxor		$rndkey0,$rndkey1	# borrowed $rndkey
 	movdqu		0x70-0x80($inp),$in0
 	aesenclast	$in1,$inout1
 	pxor		$rndkey0,$in0
@@ -1425,10 +1510,10 @@ $code.=<<___;
 	movdqa		0x40(%rsp),$in5
 	aesenclast	$rndkey1,$inout6
 	movdqa		0x50(%rsp),$rndkey0
-	$movkey		0x10-0x80($key),$rndkey1
+	$movkey		0x10-0x80($key),$rndkey1#real 1st-round key
 	aesenclast	$in0,$inout7
 
-	movups		$inout0,($out)		# store output
+	movups		$inout0,($out)		# store 8 output blocks
 	movdqa		$in1,$inout0
 	movups		$inout1,0x10($out)
 	movdqa		$in2,$inout1
@@ -1442,21 +1527,24 @@ $code.=<<___;
 	movdqa		$rndkey0,$inout5
 	movups		$inout6,0x60($out)
 	movups		$inout7,0x70($out)
-	lea		0x80($out),$out
-	
+	lea		0x80($out),$out		# $out+=8*16
+
 	sub	\$8,$len
-	jnc	.Lctr32_loop8
+	jnc	.Lctr32_loop8			# loop if $len-=8 didn't borrow
 
-	add	\$8,$len
-	jz	.Lctr32_done
+	add	\$8,$len			# restore real remainig $len
+	jz	.Lctr32_done			# done if ($len==0)
 	lea	-0x80($key),$key
 
 .Lctr32_tail:
+	# note that at this point $inout0..5 are populated with
+	# counter values xor-ed with 0-round key 
 	lea	16($key),$key
 	cmp	\$4,$len
 	jb	.Lctr32_loop3
 	je	.Lctr32_loop4
 
+	# if ($len>4) compute 7 E(counter)
 	shl		\$4,$rounds
 	movdqa		0x60(%rsp),$inout6
 	pxor		$inout7,$inout7
@@ -1464,14 +1552,14 @@ $code.=<<___;
 	$movkey		16($key),$rndkey0
 	aesenc		$rndkey1,$inout0
 	aesenc		$rndkey1,$inout1
-	lea		32-16($key,$rounds),$key
+	lea		32-16($key,$rounds),$key# prepare for .Lenc_loop8_enter
 	neg		%rax
 	aesenc		$rndkey1,$inout2
-	add		\$16,%rax
+	add		\$16,%rax		# prepare for .Lenc_loop8_enter
 	 movups		($inp),$in0
 	aesenc		$rndkey1,$inout3
 	aesenc		$rndkey1,$inout4
-	 movups		0x10($inp),$in1
+	 movups		0x10($inp),$in1		# pre-load input
 	 movups		0x20($inp),$in2
 	aesenc		$rndkey1,$inout5
 	aesenc		$rndkey1,$inout6
@@ -1482,7 +1570,7 @@ $code.=<<___;
 	pxor	$in0,$inout0
 	movdqu	0x40($inp),$in0
 	pxor	$in1,$inout1
-	movdqu	$inout0,($out)
+	movdqu	$inout0,($out)			# store output
 	pxor	$in2,$inout2
 	movdqu	$inout1,0x10($out)
 	pxor	$in3,$inout3
@@ -1491,17 +1579,17 @@ $code.=<<___;
 	movdqu	$inout3,0x30($out)
 	movdqu	$inout4,0x40($out)
 	cmp	\$6,$len
-	jb	.Lctr32_done
+	jb	.Lctr32_done			# $len was 5, stop store
 
 	movups	0x50($inp),$in1
 	xorps	$in1,$inout5
 	movups	$inout5,0x50($out)
-	je	.Lctr32_done
+	je	.Lctr32_done			# $len was 6, stop store
 
 	movups	0x60($inp),$in2
 	xorps	$in2,$inout6
 	movups	$inout6,0x60($out)
-	jmp	.Lctr32_done
+	jmp	.Lctr32_done			# $len was 7, stop store
 
 .align	32
 .Lctr32_loop4:
@@ -1515,7 +1603,7 @@ $code.=<<___;
 	jnz		.Lctr32_loop4
 	aesenclast	$rndkey1,$inout0
 	aesenclast	$rndkey1,$inout1
-	 movups		($inp),$in0
+	 movups		($inp),$in0		# load input
 	 movups		0x10($inp),$in1
 	aesenclast	$rndkey1,$inout2
 	aesenclast	$rndkey1,$inout3
@@ -1523,14 +1611,14 @@ $code.=<<___;
 	 movups		0x30($inp),$in3
 
 	xorps	$in0,$inout0
-	movups	$inout0,($out)
+	movups	$inout0,($out)			# store output
 	xorps	$in1,$inout1
 	movups	$inout1,0x10($out)
 	pxor	$in2,$inout2
 	movdqu	$inout2,0x20($out)
 	pxor	$in3,$inout3
 	movdqu	$inout3,0x30($out)
-	jmp	.Lctr32_done
+	jmp	.Lctr32_done			# $len was 4, stop store
 
 .align	32
 .Lctr32_loop3:
@@ -1545,48 +1633,79 @@ $code.=<<___;
 	aesenclast	$rndkey1,$inout1
 	aesenclast	$rndkey1,$inout2
 
-	movups	($inp),$in0
+	movups	($inp),$in0			# load input
 	xorps	$in0,$inout0
-	movups	$inout0,($out)
+	movups	$inout0,($out)			# store output
 	cmp	\$2,$len
-	jb	.Lctr32_done
+	jb	.Lctr32_done			# $len was 1, stop store
 
 	movups	0x10($inp),$in1
 	xorps	$in1,$inout1
 	movups	$inout1,0x10($out)
-	je	.Lctr32_done
+	je	.Lctr32_done			# $len was 2, stop store
 
 	movups	0x20($inp),$in2
 	xorps	$in2,$inout2
-	movups	$inout2,0x20($out)
-	jmp	.Lctr32_done
-
-.align	16
-.Lctr32_one_shortcut:
-	movups	($ivp),$inout0
-	movups	($inp),$in0
-	mov	240($key),$rounds		# key->rounds
-___
-	&aesni_generate1("enc",$key,$rounds);
-$code.=<<___;
-	xorps	$in0,$inout0
-	movups	$inout0,($out)
-	jmp	.Lctr32_done
+	movups	$inout2,0x20($out)		# $len was 3, stop store
 
-.align	16
 .Lctr32_done:
+	xorps	%xmm0,%xmm0			# clear regiser bank
+	xor	$key0,$key0
+	pxor	%xmm1,%xmm1
+	pxor	%xmm2,%xmm2
+	pxor	%xmm3,%xmm3
+	pxor	%xmm4,%xmm4
+	pxor	%xmm5,%xmm5
+___
+$code.=<<___ if (!$win64);
+	pxor	%xmm6,%xmm6
+	pxor	%xmm7,%xmm7
+	movaps	%xmm0,0x00(%rsp)		# clear stack
+	pxor	%xmm8,%xmm8
+	movaps	%xmm0,0x10(%rsp)
+	pxor	%xmm9,%xmm9
+	movaps	%xmm0,0x20(%rsp)
+	pxor	%xmm10,%xmm10
+	movaps	%xmm0,0x30(%rsp)
+	pxor	%xmm11,%xmm11
+	movaps	%xmm0,0x40(%rsp)
+	pxor	%xmm12,%xmm12
+	movaps	%xmm0,0x50(%rsp)
+	pxor	%xmm13,%xmm13
+	movaps	%xmm0,0x60(%rsp)
+	pxor	%xmm14,%xmm14
+	movaps	%xmm0,0x70(%rsp)
+	pxor	%xmm15,%xmm15
 ___
 $code.=<<___ if ($win64);
 	movaps	-0xa0(%rbp),%xmm6
+	movaps	%xmm0,-0xa0(%rbp)		# clear stack
 	movaps	-0x90(%rbp),%xmm7
+	movaps	%xmm0,-0x90(%rbp)
 	movaps	-0x80(%rbp),%xmm8
+	movaps	%xmm0,-0x80(%rbp)
 	movaps	-0x70(%rbp),%xmm9
+	movaps	%xmm0,-0x70(%rbp)
 	movaps	-0x60(%rbp),%xmm10
+	movaps	%xmm0,-0x60(%rbp)
 	movaps	-0x50(%rbp),%xmm11
+	movaps	%xmm0,-0x50(%rbp)
 	movaps	-0x40(%rbp),%xmm12
+	movaps	%xmm0,-0x40(%rbp)
 	movaps	-0x30(%rbp),%xmm13
+	movaps	%xmm0,-0x30(%rbp)
 	movaps	-0x20(%rbp),%xmm14
+	movaps	%xmm0,-0x20(%rbp)
 	movaps	-0x10(%rbp),%xmm15
+	movaps	%xmm0,-0x10(%rbp)
+	movaps	%xmm0,0x00(%rsp)
+	movaps	%xmm0,0x10(%rsp)
+	movaps	%xmm0,0x20(%rsp)
+	movaps	%xmm0,0x30(%rsp)
+	movaps	%xmm0,0x40(%rsp)
+	movaps	%xmm0,0x50(%rsp)
+	movaps	%xmm0,0x60(%rsp)
+	movaps	%xmm0,0x70(%rsp)
 ___
 $code.=<<___;
 	lea	(%rbp),%rsp
@@ -1619,7 +1738,7 @@ aesni_xts_encrypt:
 	and	\$-16,%rsp	# Linux kernel stack can be incorrectly seeded
 ___
 $code.=<<___ if ($win64);
-	movaps	%xmm6,-0xa8(%rax)
+	movaps	%xmm6,-0xa8(%rax)		# offload everything
 	movaps	%xmm7,-0x98(%rax)
 	movaps	%xmm8,-0x88(%rax)
 	movaps	%xmm9,-0x78(%rax)
@@ -1679,7 +1798,7 @@ $code.=<<___;
 	movaps	$rndkey1,0x60(%rsp)		# save round[0]^round[last]
 
 	sub	\$16*6,$len
-	jc	.Lxts_enc_short
+	jc	.Lxts_enc_short			# if $len-=6*16 borrowed
 
 	mov	\$16+96,$rounds
 	lea	32($key_,$rnds_),$key		# end of key schedule
@@ -1694,7 +1813,7 @@ $code.=<<___;
 	movdqu	`16*0`($inp),$inout0		# load input
 	movdqa	$rndkey0,$twmask
 	movdqu	`16*1`($inp),$inout1
-	pxor	@tweak[0],$inout0
+	pxor	@tweak[0],$inout0		# input^=tweak^round[0]
 	movdqu	`16*2`($inp),$inout2
 	pxor	@tweak[1],$inout1
 	 aesenc		$rndkey1,$inout0
@@ -1713,10 +1832,10 @@ $code.=<<___;
 	lea	`16*6`($inp),$inp
 	pxor	$twmask,$inout5
 
-	 pxor	$twres,@tweak[0]
+	 pxor	$twres,@tweak[0]		# calclulate tweaks^round[last]
 	aesenc		$rndkey1,$inout4
 	 pxor	$twres,@tweak[1]
-	 movdqa	@tweak[0],`16*0`(%rsp)		# put aside tweaks^last round key
+	 movdqa	@tweak[0],`16*0`(%rsp)		# put aside tweaks^round[last]
 	aesenc		$rndkey1,$inout5
 	$movkey		48($key_),$rndkey1
 	 pxor	$twres,@tweak[2]
@@ -1757,7 +1876,7 @@ $code.=<<___;
 	$movkey		-80($key,%rax),$rndkey0
 	jnz		.Lxts_enc_loop6
 
-	movdqa	(%r8),$twmask
+	movdqa	(%r8),$twmask			# start calculating next tweak
 	movdqa	$twres,$twtmp
 	paddd	$twres,$twres
 	 aesenc		$rndkey1,$inout0
@@ -1851,15 +1970,15 @@ $code.=<<___;
 	 aesenclast	`16*5`(%rsp),$inout5
 	pxor	$twres,@tweak[5]
 
-	lea	`16*6`($out),$out
-	movups	$inout0,`-16*6`($out)		# write output
+	lea	`16*6`($out),$out		# $out+=6*16
+	movups	$inout0,`-16*6`($out)		# store 6 output blocks
 	movups	$inout1,`-16*5`($out)
 	movups	$inout2,`-16*4`($out)
 	movups	$inout3,`-16*3`($out)
 	movups	$inout4,`-16*2`($out)
 	movups	$inout5,`-16*1`($out)
 	sub	\$16*6,$len
-	jnc	.Lxts_enc_grandloop
+	jnc	.Lxts_enc_grandloop		# loop if $len-=6*16 didn't borrow
 
 	mov	\$16+96,$rounds
 	sub	$rnds_,$rounds
@@ -1867,34 +1986,36 @@ $code.=<<___;
 	shr	\$4,$rounds			# restore original value
 
 .Lxts_enc_short:
+	# at the point @tweak[0..5] are populated with tweak values
 	mov	$rounds,$rnds_			# backup $rounds
 	pxor	$rndkey0,@tweak[0]
-	add	\$16*6,$len
-	jz	.Lxts_enc_done
+	add	\$16*6,$len			# restore real remaining $len
+	jz	.Lxts_enc_done			# done if ($len==0)
 
 	pxor	$rndkey0,@tweak[1]
 	cmp	\$0x20,$len
-	jb	.Lxts_enc_one
+	jb	.Lxts_enc_one			# $len is 1*16
 	pxor	$rndkey0,@tweak[2]
-	je	.Lxts_enc_two
+	je	.Lxts_enc_two			# $len is 2*16
 
 	pxor	$rndkey0,@tweak[3]
 	cmp	\$0x40,$len
-	jb	.Lxts_enc_three
+	jb	.Lxts_enc_three			# $len is 3*16
 	pxor	$rndkey0,@tweak[4]
-	je	.Lxts_enc_four
+	je	.Lxts_enc_four			# $len is 4*16
 
-	movdqu	($inp),$inout0
+	movdqu	($inp),$inout0			# $len is 5*16
 	movdqu	16*1($inp),$inout1
 	movdqu	16*2($inp),$inout2
 	pxor	@tweak[0],$inout0
 	movdqu	16*3($inp),$inout3
 	pxor	@tweak[1],$inout1
 	movdqu	16*4($inp),$inout4
-	lea	16*5($inp),$inp
+	lea	16*5($inp),$inp			# $inp+=5*16
 	pxor	@tweak[2],$inout2
 	pxor	@tweak[3],$inout3
 	pxor	@tweak[4],$inout4
+	pxor	$inout5,$inout5
 
 	call	_aesni_encrypt6
 
@@ -1902,35 +2023,35 @@ $code.=<<___;
 	movdqa	@tweak[5],@tweak[0]
 	xorps	@tweak[1],$inout1
 	xorps	@tweak[2],$inout2
-	movdqu	$inout0,($out)
+	movdqu	$inout0,($out)			# store 5 output blocks
 	xorps	@tweak[3],$inout3
 	movdqu	$inout1,16*1($out)
 	xorps	@tweak[4],$inout4
 	movdqu	$inout2,16*2($out)
 	movdqu	$inout3,16*3($out)
 	movdqu	$inout4,16*4($out)
-	lea	16*5($out),$out
+	lea	16*5($out),$out			# $out+=5*16
 	jmp	.Lxts_enc_done
 
 .align	16
 .Lxts_enc_one:
 	movups	($inp),$inout0
-	lea	16*1($inp),$inp
+	lea	16*1($inp),$inp			# inp+=1*16
 	xorps	@tweak[0],$inout0
 ___
 	&aesni_generate1("enc",$key,$rounds);
 $code.=<<___;
 	xorps	@tweak[0],$inout0
 	movdqa	@tweak[1],@tweak[0]
-	movups	$inout0,($out)
-	lea	16*1($out),$out
+	movups	$inout0,($out)			# store one output block
+	lea	16*1($out),$out			# $out+=1*16
 	jmp	.Lxts_enc_done
 
 .align	16
 .Lxts_enc_two:
 	movups	($inp),$inout0
 	movups	16($inp),$inout1
-	lea	32($inp),$inp
+	lea	32($inp),$inp			# $inp+=2*16
 	xorps	@tweak[0],$inout0
 	xorps	@tweak[1],$inout1
 
@@ -1939,9 +2060,9 @@ $code.=<<___;
 	xorps	@tweak[0],$inout0
 	movdqa	@tweak[2],@tweak[0]
 	xorps	@tweak[1],$inout1
-	movups	$inout0,($out)
+	movups	$inout0,($out)			# store 2 output blocks
 	movups	$inout1,16*1($out)
-	lea	16*2($out),$out
+	lea	16*2($out),$out			# $out+=2*16
 	jmp	.Lxts_enc_done
 
 .align	16
@@ -1949,7 +2070,7 @@ $code.=<<___;
 	movups	($inp),$inout0
 	movups	16*1($inp),$inout1
 	movups	16*2($inp),$inout2
-	lea	16*3($inp),$inp
+	lea	16*3($inp),$inp			# $inp+=3*16
 	xorps	@tweak[0],$inout0
 	xorps	@tweak[1],$inout1
 	xorps	@tweak[2],$inout2
@@ -1960,10 +2081,10 @@ $code.=<<___;
 	movdqa	@tweak[3],@tweak[0]
 	xorps	@tweak[1],$inout1
 	xorps	@tweak[2],$inout2
-	movups	$inout0,($out)
+	movups	$inout0,($out)			# store 3 output blocks
 	movups	$inout1,16*1($out)
 	movups	$inout2,16*2($out)
-	lea	16*3($out),$out
+	lea	16*3($out),$out			# $out+=3*16
 	jmp	.Lxts_enc_done
 
 .align	16
@@ -1973,7 +2094,7 @@ $code.=<<___;
 	movups	16*2($inp),$inout2
 	xorps	@tweak[0],$inout0
 	movups	16*3($inp),$inout3
-	lea	16*4($inp),$inp
+	lea	16*4($inp),$inp			# $inp+=4*16
 	xorps	@tweak[1],$inout1
 	xorps	@tweak[2],$inout2
 	xorps	@tweak[3],$inout3
@@ -1984,17 +2105,17 @@ $code.=<<___;
 	movdqa	@tweak[4],@tweak[0]
 	pxor	@tweak[1],$inout1
 	pxor	@tweak[2],$inout2
-	movdqu	$inout0,($out)
+	movdqu	$inout0,($out)			# store 4 output blocks
 	pxor	@tweak[3],$inout3
 	movdqu	$inout1,16*1($out)
 	movdqu	$inout2,16*2($out)
 	movdqu	$inout3,16*3($out)
-	lea	16*4($out),$out
+	lea	16*4($out),$out			# $out+=4*16
 	jmp	.Lxts_enc_done
 
 .align	16
 .Lxts_enc_done:
-	and	\$15,$len_
+	and	\$15,$len_			# see if $len%16 is 0
 	jz	.Lxts_enc_ret
 	mov	$len_,$len
 
@@ -2021,18 +2142,60 @@ $code.=<<___;
 	movups	$inout0,-16($out)
 
 .Lxts_enc_ret:
+	xorps	%xmm0,%xmm0			# clear register bank
+	pxor	%xmm1,%xmm1
+	pxor	%xmm2,%xmm2
+	pxor	%xmm3,%xmm3
+	pxor	%xmm4,%xmm4
+	pxor	%xmm5,%xmm5
+___
+$code.=<<___ if (!$win64);
+	pxor	%xmm6,%xmm6
+	pxor	%xmm7,%xmm7
+	movaps	%xmm0,0x00(%rsp)		# clear stack
+	pxor	%xmm8,%xmm8
+	movaps	%xmm0,0x10(%rsp)
+	pxor	%xmm9,%xmm9
+	movaps	%xmm0,0x20(%rsp)
+	pxor	%xmm10,%xmm10
+	movaps	%xmm0,0x30(%rsp)
+	pxor	%xmm11,%xmm11
+	movaps	%xmm0,0x40(%rsp)
+	pxor	%xmm12,%xmm12
+	movaps	%xmm0,0x50(%rsp)
+	pxor	%xmm13,%xmm13
+	movaps	%xmm0,0x60(%rsp)
+	pxor	%xmm14,%xmm14
+	pxor	%xmm15,%xmm15
 ___
 $code.=<<___ if ($win64);
 	movaps	-0xa0(%rbp),%xmm6
+	movaps	%xmm0,-0xa0(%rbp)		# clear stack
 	movaps	-0x90(%rbp),%xmm7
+	movaps	%xmm0,-0x90(%rbp)
 	movaps	-0x80(%rbp),%xmm8
+	movaps	%xmm0,-0x80(%rbp)
 	movaps	-0x70(%rbp),%xmm9
+	movaps	%xmm0,-0x70(%rbp)
 	movaps	-0x60(%rbp),%xmm10
+	movaps	%xmm0,-0x60(%rbp)
 	movaps	-0x50(%rbp),%xmm11
+	movaps	%xmm0,-0x50(%rbp)
 	movaps	-0x40(%rbp),%xmm12
+	movaps	%xmm0,-0x40(%rbp)
 	movaps	-0x30(%rbp),%xmm13
+	movaps	%xmm0,-0x30(%rbp)
 	movaps	-0x20(%rbp),%xmm14
+	movaps	%xmm0,-0x20(%rbp)
 	movaps	-0x10(%rbp),%xmm15
+	movaps	%xmm0,-0x10(%rbp)
+	movaps	%xmm0,0x00(%rsp)
+	movaps	%xmm0,0x10(%rsp)
+	movaps	%xmm0,0x20(%rsp)
+	movaps	%xmm0,0x30(%rsp)
+	movaps	%xmm0,0x40(%rsp)
+	movaps	%xmm0,0x50(%rsp)
+	movaps	%xmm0,0x60(%rsp)
 ___
 $code.=<<___;
 	lea	(%rbp),%rsp
@@ -2053,7 +2216,7 @@ aesni_xts_decrypt:
 	and	\$-16,%rsp	# Linux kernel stack can be incorrectly seeded
 ___
 $code.=<<___ if ($win64);
-	movaps	%xmm6,-0xa8(%rax)
+	movaps	%xmm6,-0xa8(%rax)		# offload everything
 	movaps	%xmm7,-0x98(%rax)
 	movaps	%xmm8,-0x88(%rax)
 	movaps	%xmm9,-0x78(%rax)
@@ -2116,7 +2279,7 @@ $code.=<<___;
 	movaps	$rndkey1,0x60(%rsp)		# save round[0]^round[last]
 
 	sub	\$16*6,$len
-	jc	.Lxts_dec_short
+	jc	.Lxts_dec_short			# if $len-=6*16 borrowed
 
 	mov	\$16+96,$rounds
 	lea	32($key_,$rnds_),$key		# end of key schedule
@@ -2131,7 +2294,7 @@ $code.=<<___;
 	movdqu	`16*0`($inp),$inout0		# load input
 	movdqa	$rndkey0,$twmask
 	movdqu	`16*1`($inp),$inout1
-	pxor	@tweak[0],$inout0
+	pxor	@tweak[0],$inout0		# intput^=tweak^round[0]
 	movdqu	`16*2`($inp),$inout2
 	pxor	@tweak[1],$inout1
 	 aesdec		$rndkey1,$inout0
@@ -2150,7 +2313,7 @@ $code.=<<___;
 	lea	`16*6`($inp),$inp
 	pxor	$twmask,$inout5
 
-	 pxor	$twres,@tweak[0]
+	 pxor	$twres,@tweak[0]		# calclulate tweaks^round[last]
 	aesdec		$rndkey1,$inout4
 	 pxor	$twres,@tweak[1]
 	 movdqa	@tweak[0],`16*0`(%rsp)		# put aside tweaks^last round key
@@ -2194,7 +2357,7 @@ $code.=<<___;
 	$movkey		-80($key,%rax),$rndkey0
 	jnz		.Lxts_dec_loop6
 
-	movdqa	(%r8),$twmask
+	movdqa	(%r8),$twmask			# start calculating next tweak
 	movdqa	$twres,$twtmp
 	paddd	$twres,$twres
 	 aesdec		$rndkey1,$inout0
@@ -2288,15 +2451,15 @@ $code.=<<___;
 	 aesdeclast	`16*5`(%rsp),$inout5
 	pxor	$twres,@tweak[5]
 
-	lea	`16*6`($out),$out
-	movups	$inout0,`-16*6`($out)		# write output
+	lea	`16*6`($out),$out		# $out+=6*16
+	movups	$inout0,`-16*6`($out)		# store 6 output blocks
 	movups	$inout1,`-16*5`($out)
 	movups	$inout2,`-16*4`($out)
 	movups	$inout3,`-16*3`($out)
 	movups	$inout4,`-16*2`($out)
 	movups	$inout5,`-16*1`($out)
 	sub	\$16*6,$len
-	jnc	.Lxts_dec_grandloop
+	jnc	.Lxts_dec_grandloop		# loop if $len-=6*16 didn't borrow
 
 	mov	\$16+96,$rounds
 	sub	$rnds_,$rounds
@@ -2304,31 +2467,32 @@ $code.=<<___;
 	shr	\$4,$rounds			# restore original value
 
 .Lxts_dec_short:
+	# at the point @tweak[0..5] are populated with tweak values
 	mov	$rounds,$rnds_			# backup $rounds
 	pxor	$rndkey0,@tweak[0]
 	pxor	$rndkey0,@tweak[1]
-	add	\$16*6,$len
-	jz	.Lxts_dec_done
+	add	\$16*6,$len			# restore real remaining $len
+	jz	.Lxts_dec_done			# done if ($len==0)
 
 	pxor	$rndkey0,@tweak[2]
 	cmp	\$0x20,$len
-	jb	.Lxts_dec_one
+	jb	.Lxts_dec_one			# $len is 1*16
 	pxor	$rndkey0,@tweak[3]
-	je	.Lxts_dec_two
+	je	.Lxts_dec_two			# $len is 2*16
 
 	pxor	$rndkey0,@tweak[4]
 	cmp	\$0x40,$len
-	jb	.Lxts_dec_three
-	je	.Lxts_dec_four
+	jb	.Lxts_dec_three			# $len is 3*16
+	je	.Lxts_dec_four			# $len is 4*16
 
-	movdqu	($inp),$inout0
+	movdqu	($inp),$inout0			# $len is 5*16
 	movdqu	16*1($inp),$inout1
 	movdqu	16*2($inp),$inout2
 	pxor	@tweak[0],$inout0
 	movdqu	16*3($inp),$inout3
 	pxor	@tweak[1],$inout1
 	movdqu	16*4($inp),$inout4
-	lea	16*5($inp),$inp
+	lea	16*5($inp),$inp			# $inp+=5*16
 	pxor	@tweak[2],$inout2
 	pxor	@tweak[3],$inout3
 	pxor	@tweak[4],$inout4
@@ -2338,7 +2502,7 @@ $code.=<<___;
 	xorps	@tweak[0],$inout0
 	xorps	@tweak[1],$inout1
 	xorps	@tweak[2],$inout2
-	movdqu	$inout0,($out)
+	movdqu	$inout0,($out)			# store 5 output blocks
 	xorps	@tweak[3],$inout3
 	movdqu	$inout1,16*1($out)
 	xorps	@tweak[4],$inout4
@@ -2347,7 +2511,7 @@ $code.=<<___;
 	movdqu	$inout3,16*3($out)
 	 pcmpgtd	@tweak[5],$twtmp
 	movdqu	$inout4,16*4($out)
-	lea	16*5($out),$out
+	lea	16*5($out),$out			# $out+=5*16
 	 pshufd		\$0x13,$twtmp,@tweak[1]	# $twres
 	and	\$15,$len_
 	jz	.Lxts_dec_ret
@@ -2361,23 +2525,23 @@ $code.=<<___;
 .align	16
 .Lxts_dec_one:
 	movups	($inp),$inout0
-	lea	16*1($inp),$inp
+	lea	16*1($inp),$inp			# $inp+=1*16
 	xorps	@tweak[0],$inout0
 ___
 	&aesni_generate1("dec",$key,$rounds);
 $code.=<<___;
 	xorps	@tweak[0],$inout0
 	movdqa	@tweak[1],@tweak[0]
-	movups	$inout0,($out)
+	movups	$inout0,($out)			# store one output block
 	movdqa	@tweak[2],@tweak[1]
-	lea	16*1($out),$out
+	lea	16*1($out),$out			# $out+=1*16
 	jmp	.Lxts_dec_done
 
 .align	16
 .Lxts_dec_two:
 	movups	($inp),$inout0
 	movups	16($inp),$inout1
-	lea	32($inp),$inp
+	lea	32($inp),$inp			# $inp+=2*16
 	xorps	@tweak[0],$inout0
 	xorps	@tweak[1],$inout1
 
@@ -2387,9 +2551,9 @@ $code.=<<___;
 	movdqa	@tweak[2],@tweak[0]
 	xorps	@tweak[1],$inout1
 	movdqa	@tweak[3],@tweak[1]
-	movups	$inout0,($out)
+	movups	$inout0,($out)			# store 2 output blocks
 	movups	$inout1,16*1($out)
-	lea	16*2($out),$out
+	lea	16*2($out),$out			# $out+=2*16
 	jmp	.Lxts_dec_done
 
 .align	16
@@ -2397,7 +2561,7 @@ $code.=<<___;
 	movups	($inp),$inout0
 	movups	16*1($inp),$inout1
 	movups	16*2($inp),$inout2
-	lea	16*3($inp),$inp
+	lea	16*3($inp),$inp			# $inp+=3*16
 	xorps	@tweak[0],$inout0
 	xorps	@tweak[1],$inout1
 	xorps	@tweak[2],$inout2
@@ -2409,10 +2573,10 @@ $code.=<<___;
 	xorps	@tweak[1],$inout1
 	movdqa	@tweak[4],@tweak[1]
 	xorps	@tweak[2],$inout2
-	movups	$inout0,($out)
+	movups	$inout0,($out)			# store 3 output blocks
 	movups	$inout1,16*1($out)
 	movups	$inout2,16*2($out)
-	lea	16*3($out),$out
+	lea	16*3($out),$out			# $out+=3*16
 	jmp	.Lxts_dec_done
 
 .align	16
@@ -2422,7 +2586,7 @@ $code.=<<___;
 	movups	16*2($inp),$inout2
 	xorps	@tweak[0],$inout0
 	movups	16*3($inp),$inout3
-	lea	16*4($inp),$inp
+	lea	16*4($inp),$inp			# $inp+=4*16
 	xorps	@tweak[1],$inout1
 	xorps	@tweak[2],$inout2
 	xorps	@tweak[3],$inout3
@@ -2434,17 +2598,17 @@ $code.=<<___;
 	pxor	@tweak[1],$inout1
 	movdqa	@tweak[5],@tweak[1]
 	pxor	@tweak[2],$inout2
-	movdqu	$inout0,($out)
+	movdqu	$inout0,($out)			# store 4 output blocks
 	pxor	@tweak[3],$inout3
 	movdqu	$inout1,16*1($out)
 	movdqu	$inout2,16*2($out)
 	movdqu	$inout3,16*3($out)
-	lea	16*4($out),$out
+	lea	16*4($out),$out			# $out+=4*16
 	jmp	.Lxts_dec_done
 
 .align	16
 .Lxts_dec_done:
-	and	\$15,$len_
+	and	\$15,$len_			# see if $len%16 is 0
 	jz	.Lxts_dec_ret
 .Lxts_dec_done2:
 	mov	$len_,$len
@@ -2482,18 +2646,60 @@ $code.=<<___;
 	movups	$inout0,($out)
 
 .Lxts_dec_ret:
+	xorps	%xmm0,%xmm0			# clear register bank
+	pxor	%xmm1,%xmm1
+	pxor	%xmm2,%xmm2
+	pxor	%xmm3,%xmm3
+	pxor	%xmm4,%xmm4
+	pxor	%xmm5,%xmm5
+___
+$code.=<<___ if (!$win64);
+	pxor	%xmm6,%xmm6
+	pxor	%xmm7,%xmm7
+	movaps	%xmm0,0x00(%rsp)		# clear stack
+	pxor	%xmm8,%xmm8
+	movaps	%xmm0,0x10(%rsp)
+	pxor	%xmm9,%xmm9
+	movaps	%xmm0,0x20(%rsp)
+	pxor	%xmm10,%xmm10
+	movaps	%xmm0,0x30(%rsp)
+	pxor	%xmm11,%xmm11
+	movaps	%xmm0,0x40(%rsp)
+	pxor	%xmm12,%xmm12
+	movaps	%xmm0,0x50(%rsp)
+	pxor	%xmm13,%xmm13
+	movaps	%xmm0,0x60(%rsp)
+	pxor	%xmm14,%xmm14
+	pxor	%xmm15,%xmm15
 ___
 $code.=<<___ if ($win64);
 	movaps	-0xa0(%rbp),%xmm6
+	movaps	%xmm0,-0xa0(%rbp)		# clear stack
 	movaps	-0x90(%rbp),%xmm7
+	movaps	%xmm0,-0x90(%rbp)
 	movaps	-0x80(%rbp),%xmm8
+	movaps	%xmm0,-0x80(%rbp)
 	movaps	-0x70(%rbp),%xmm9
+	movaps	%xmm0,-0x70(%rbp)
 	movaps	-0x60(%rbp),%xmm10
+	movaps	%xmm0,-0x60(%rbp)
 	movaps	-0x50(%rbp),%xmm11
+	movaps	%xmm0,-0x50(%rbp)
 	movaps	-0x40(%rbp),%xmm12
+	movaps	%xmm0,-0x40(%rbp)
 	movaps	-0x30(%rbp),%xmm13
+	movaps	%xmm0,-0x30(%rbp)
 	movaps	-0x20(%rbp),%xmm14
+	movaps	%xmm0,-0x20(%rbp)
 	movaps	-0x10(%rbp),%xmm15
+	movaps	%xmm0,-0x10(%rbp)
+	movaps	%xmm0,0x00(%rsp)
+	movaps	%xmm0,0x10(%rsp)
+	movaps	%xmm0,0x20(%rsp)
+	movaps	%xmm0,0x30(%rsp)
+	movaps	%xmm0,0x40(%rsp)
+	movaps	%xmm0,0x50(%rsp)
+	movaps	%xmm0,0x60(%rsp)
 ___
 $code.=<<___;
 	lea	(%rbp),%rsp
@@ -2548,7 +2754,11 @@ $code.=<<___;
 	jnc	.Lcbc_enc_loop
 	add	\$16,$len
 	jnz	.Lcbc_enc_tail
+	 pxor	$rndkey0,$rndkey0	# clear register bank
+	 pxor	$rndkey1,$rndkey1
 	movups	$inout0,($ivp)
+	 pxor	$inout0,$inout0
+	 pxor	$inout1,$inout1
 	jmp	.Lcbc_ret
 
 .Lcbc_enc_tail:
@@ -2568,6 +2778,27 @@ $code.=<<___;
 #--------------------------- CBC DECRYPT ------------------------------#
 .align	16
 .Lcbc_decrypt:
+	cmp	\$16,$len
+	jne	.Lcbc_decrypt_bulk
+
+	# handle single block without allocating stack frame,
+	# useful in ciphertext stealing mode
+	movdqu	($inp),$inout0		# load input
+	movdqu	($ivp),$inout1		# load iv
+	movdqa	$inout0,$inout2		# future iv
+___
+	&aesni_generate1("dec",$key,$rnds_);
+$code.=<<___;
+	 pxor	$rndkey0,$rndkey0	# clear register bank
+	 pxor	$rndkey1,$rndkey1
+	movdqu	$inout2,($ivp)		# store iv
+	xorps	$inout1,$inout0		# ^=iv
+	 pxor	$inout1,$inout1
+	movups	$inout0,($out)		# store output
+	 pxor	$inout0,$inout0
+	jmp	.Lcbc_ret
+.align	16
+.Lcbc_decrypt_bulk:
 	lea	(%rsp),%rax
 	push	%rbp
 	sub	\$$frame_size,%rsp
@@ -2609,11 +2840,11 @@ $code.=<<___;
 	cmp	\$0x70,$len
 	jbe	.Lcbc_dec_six_or_seven
 
-	and	\$`1<<26|1<<22`,%r9d	# isolate XSAVE+MOVBE	
-	sub	\$0x50,$len
+	and	\$`1<<26|1<<22`,%r9d	# isolate XSAVE+MOVBE
+	sub	\$0x50,$len		# $len is biased by -5*16
 	cmp	\$`1<<22`,%r9d		# check for MOVBE without XSAVE
-	je	.Lcbc_dec_loop6_enter
-	sub	\$0x20,$len
+	je	.Lcbc_dec_loop6_enter	# [which denotes Atom Silvermont]
+	sub	\$0x20,$len		# $len is biased by -7*16
 	lea	0x70($key),$key		# size optimization
 	jmp	.Lcbc_dec_loop8_enter
 .align	16
@@ -2740,7 +2971,7 @@ $code.=<<___;
 	movaps	$inout7,$inout0
 	lea	-0x70($key),$key
 	add	\$0x70,$len
-	jle	.Lcbc_dec_tail_collected
+	jle	.Lcbc_dec_clear_tail_collected
 	movups	$inout7,($out)
 	lea	0x10($out),$out
 	cmp	\$0x50,$len
@@ -2759,14 +2990,19 @@ $code.=<<___;
 	movdqu	$inout0,($out)
 	pxor	$in1,$inout2
 	movdqu	$inout1,0x10($out)
+	 pxor	$inout1,$inout1		# clear register bank
 	pxor	$in2,$inout3
 	movdqu	$inout2,0x20($out)
+	 pxor	$inout2,$inout2
 	pxor	$in3,$inout4
 	movdqu	$inout3,0x30($out)
+	 pxor	$inout3,$inout3
 	pxor	$in4,$inout5
 	movdqu	$inout4,0x40($out)
+	 pxor	$inout4,$inout4
 	lea	0x50($out),$out
 	movdqa	$inout5,$inout0
+	 pxor	$inout5,$inout5
 	jmp	.Lcbc_dec_tail_collected
 
 .align	16
@@ -2781,16 +3017,23 @@ $code.=<<___;
 	movdqu	$inout0,($out)
 	pxor	$in1,$inout2
 	movdqu	$inout1,0x10($out)
+	 pxor	$inout1,$inout1		# clear register bank
 	pxor	$in2,$inout3
 	movdqu	$inout2,0x20($out)
+	 pxor	$inout2,$inout2
 	pxor	$in3,$inout4
 	movdqu	$inout3,0x30($out)
+	 pxor	$inout3,$inout3
 	pxor	$in4,$inout5
 	movdqu	$inout4,0x40($out)
+	 pxor	$inout4,$inout4
 	pxor	$inout7,$inout6
 	movdqu	$inout5,0x50($out)
+	 pxor	$inout5,$inout5
 	lea	0x60($out),$out
 	movdqa	$inout6,$inout0
+	 pxor	$inout6,$inout6
+	 pxor	$inout7,$inout7
 	jmp	.Lcbc_dec_tail_collected
 
 .align	16
@@ -2834,31 +3077,31 @@ $code.=<<___;
 
 	movdqa	$inout5,$inout0
 	add	\$0x50,$len
-	jle	.Lcbc_dec_tail_collected
+	jle	.Lcbc_dec_clear_tail_collected
 	movups	$inout5,($out)
 	lea	0x10($out),$out
 
 .Lcbc_dec_tail:
 	movups	($inp),$inout0
 	sub	\$0x10,$len
-	jbe	.Lcbc_dec_one
+	jbe	.Lcbc_dec_one		# $len is 1*16 or less
 
 	movups	0x10($inp),$inout1
 	movaps	$inout0,$in0
 	sub	\$0x10,$len
-	jbe	.Lcbc_dec_two
+	jbe	.Lcbc_dec_two		# $len is 2*16 or less
 
 	movups	0x20($inp),$inout2
 	movaps	$inout1,$in1
 	sub	\$0x10,$len
-	jbe	.Lcbc_dec_three
+	jbe	.Lcbc_dec_three		# $len is 3*16 or less
 
 	movups	0x30($inp),$inout3
 	movaps	$inout2,$in2
 	sub	\$0x10,$len
-	jbe	.Lcbc_dec_four
+	jbe	.Lcbc_dec_four		# $len is 4*16 or less
 
-	movups	0x40($inp),$inout4
+	movups	0x40($inp),$inout4	# $len is 5*16 or less
 	movaps	$inout3,$in3
 	movaps	$inout4,$in4
 	xorps	$inout5,$inout5
@@ -2869,12 +3112,17 @@ $code.=<<___;
 	movdqu	$inout0,($out)
 	pxor	$in1,$inout2
 	movdqu	$inout1,0x10($out)
+	 pxor	$inout1,$inout1		# clear register bank
 	pxor	$in2,$inout3
 	movdqu	$inout2,0x20($out)
+	 pxor	$inout2,$inout2
 	pxor	$in3,$inout4
 	movdqu	$inout3,0x30($out)
+	 pxor	$inout3,$inout3
 	lea	0x40($out),$out
 	movdqa	$inout4,$inout0
+	 pxor	$inout4,$inout4
+	 pxor	$inout5,$inout5
 	sub	\$0x10,$len
 	jmp	.Lcbc_dec_tail_collected
 
@@ -2896,6 +3144,7 @@ $code.=<<___;
 	pxor	$in0,$inout1
 	movdqu	$inout0,($out)
 	movdqa	$inout1,$inout0
+	 pxor	$inout1,$inout1		# clear register bank
 	lea	0x10($out),$out
 	jmp	.Lcbc_dec_tail_collected
 .align	16
@@ -2908,7 +3157,9 @@ $code.=<<___;
 	movdqu	$inout0,($out)
 	pxor	$in1,$inout2
 	movdqu	$inout1,0x10($out)
+	 pxor	$inout1,$inout1		# clear register bank
 	movdqa	$inout2,$inout0
+	 pxor	$inout2,$inout2
 	lea	0x20($out),$out
 	jmp	.Lcbc_dec_tail_collected
 .align	16
@@ -2921,41 +3172,71 @@ $code.=<<___;
 	movdqu	$inout0,($out)
 	pxor	$in1,$inout2
 	movdqu	$inout1,0x10($out)
+	 pxor	$inout1,$inout1		# clear register bank
 	pxor	$in2,$inout3
 	movdqu	$inout2,0x20($out)
+	 pxor	$inout2,$inout2
 	movdqa	$inout3,$inout0
+	 pxor	$inout3,$inout3
 	lea	0x30($out),$out
 	jmp	.Lcbc_dec_tail_collected
 
 .align	16
+.Lcbc_dec_clear_tail_collected:
+	pxor	$inout1,$inout1		# clear register bank
+	pxor	$inout2,$inout2
+	pxor	$inout3,$inout3
+___
+$code.=<<___ if (!$win64);
+	pxor	$inout4,$inout4		# %xmm6..9
+	pxor	$inout5,$inout5
+	pxor	$inout6,$inout6
+	pxor	$inout7,$inout7
+___
+$code.=<<___;
 .Lcbc_dec_tail_collected:
 	movups	$iv,($ivp)
 	and	\$15,$len
 	jnz	.Lcbc_dec_tail_partial
 	movups	$inout0,($out)
+	pxor	$inout0,$inout0
 	jmp	.Lcbc_dec_ret
 .align	16
 .Lcbc_dec_tail_partial:
 	movaps	$inout0,(%rsp)
+	pxor	$inout0,$inout0
 	mov	\$16,%rcx
 	mov	$out,%rdi
 	sub	$len,%rcx
 	lea	(%rsp),%rsi
-	.long	0x9066A4F3	# rep movsb
+	.long	0x9066A4F3		# rep movsb
+	movdqa	$inout0,(%rsp)
 
 .Lcbc_dec_ret:
+	xorps	$rndkey0,$rndkey0	# %xmm0
+	pxor	$rndkey1,$rndkey1
 ___
 $code.=<<___ if ($win64);
 	movaps	0x10(%rsp),%xmm6
+	movaps	%xmm0,0x10(%rsp)	# clear stack
 	movaps	0x20(%rsp),%xmm7
+	movaps	%xmm0,0x20(%rsp)
 	movaps	0x30(%rsp),%xmm8
+	movaps	%xmm0,0x30(%rsp)
 	movaps	0x40(%rsp),%xmm9
+	movaps	%xmm0,0x40(%rsp)
 	movaps	0x50(%rsp),%xmm10
+	movaps	%xmm0,0x50(%rsp)
 	movaps	0x60(%rsp),%xmm11
+	movaps	%xmm0,0x60(%rsp)
 	movaps	0x70(%rsp),%xmm12
+	movaps	%xmm0,0x70(%rsp)
 	movaps	0x80(%rsp),%xmm13
+	movaps	%xmm0,0x80(%rsp)
 	movaps	0x90(%rsp),%xmm14
+	movaps	%xmm0,0x90(%rsp)
 	movaps	0xa0(%rsp),%xmm15
+	movaps	%xmm0,0xa0(%rsp)
 ___
 $code.=<<___;
 	lea	(%rbp),%rsp
@@ -2965,8 +3246,15 @@ $code.=<<___;
 .size	${PREFIX}_cbc_encrypt,.-${PREFIX}_cbc_encrypt
 ___
 } 
-# int $PREFIX_set_[en|de]crypt_key (const unsigned char *userKey,
+# int ${PREFIX}_set_decrypt_key(const unsigned char *inp,
 #				int bits, AES_KEY *key)
+#
+# input:	$inp	user-supplied key
+#		$bits	$inp length in bits
+#		$key	pointer to key schedule
+# output:	%eax	0 denoting success, -1 or -2 - failure (see C)
+#		*$key	key schedule
+#
 { my ($inp,$bits,$key) = @_4args;
   $bits =~ s/%r/%e/;
 
@@ -3003,7 +3291,9 @@ ${PREFIX}_set_decrypt_key:
 
 	$movkey	($key),%xmm0		# inverse middle
 	aesimc	%xmm0,%xmm0
+	pxor	%xmm1,%xmm1
 	$movkey	%xmm0,($inp)
+	pxor	%xmm0,%xmm0
 .Ldec_key_ret:
 	add	\$8,%rsp
 	ret
@@ -3020,6 +3310,22 @@ ___
 # Agressively optimized in respect to aeskeygenassist's critical path
 # and is contained in %xmm0-5 to meet Win64 ABI requirement.
 #
+# int ${PREFIX}_set_encrypt_key(const unsigned char *inp,
+#				int bits, AES_KEY * const key);
+#
+# input:	$inp	user-supplied key
+#		$bits	$inp length in bits
+#		$key	pointer to key schedule
+# output:	%eax	0 denoting success, -1 or -2 - failure (see C)
+#		$bits	rounds-1 (used in aesni_set_decrypt_key)
+#		*$key	key schedule
+#		$key	pointer to key schedule (used in
+#			aesni_set_decrypt_key)
+#
+# Subroutine is frame-less, which means that only volatile registers
+# are used. Note that it's declared "abi-omnipotent", which means that
+# amount of volatile registers is smaller on Windows.
+#
 $code.=<<___;
 .globl	${PREFIX}_set_encrypt_key
 .type	${PREFIX}_set_encrypt_key,\@abi-omnipotent
@@ -3033,9 +3339,11 @@ __aesni_set_encrypt_key:
 	test	$key,$key
 	jz	.Lenc_key_ret
 
+	mov	\$`1<<28|1<<11`,%r10d	# AVX and XOP bits
 	movups	($inp),%xmm0		# pull first 128 bits of *userKey
 	xorps	%xmm4,%xmm4		# low dword of xmm4 is assumed 0
-	lea	16($key),%rax
+	and	OPENSSL_ia32cap_P+4(%rip),%r10d
+	lea	16($key),%rax		# %rax is used as modifiable copy of $key
 	cmp	\$256,$bits
 	je	.L14rounds
 	cmp	\$192,$bits
@@ -3045,6 +3353,9 @@ __aesni_set_encrypt_key:
 
 .L10rounds:
 	mov	\$9,$bits			# 10 rounds for 128-bit key
+	cmp	\$`1<<28`,%r10d			# AVX, bit no XOP
+	je	.L10rounds_alt
+
 	$movkey	%xmm0,($key)			# round 0
 	aeskeygenassist	\$0x1,%xmm0,%xmm1	# round 1
 	call		.Lkey_expansion_128_cold
@@ -3072,9 +3383,79 @@ __aesni_set_encrypt_key:
 	jmp	.Lenc_key_ret
 
 .align	16
+.L10rounds_alt:
+	movdqa	.Lkey_rotate(%rip),%xmm5
+	mov	\$8,%r10d
+	movdqa	.Lkey_rcon1(%rip),%xmm4
+	movdqa	%xmm0,%xmm2
+	movdqu	%xmm0,($key)
+	jmp	.Loop_key128
+
+.align	16
+.Loop_key128:
+	pshufb		%xmm5,%xmm0
+	aesenclast	%xmm4,%xmm0
+	pslld		\$1,%xmm4
+	lea		16(%rax),%rax
+
+	movdqa		%xmm2,%xmm3
+	pslldq		\$4,%xmm2
+	pxor		%xmm2,%xmm3
+	pslldq		\$4,%xmm2
+	pxor		%xmm2,%xmm3
+	pslldq		\$4,%xmm2
+	pxor		%xmm3,%xmm2
+
+	pxor		%xmm2,%xmm0
+	movdqu		%xmm0,-16(%rax)
+	movdqa		%xmm0,%xmm2
+
+	dec	%r10d
+	jnz	.Loop_key128
+
+	movdqa		.Lkey_rcon1b(%rip),%xmm4
+
+	pshufb		%xmm5,%xmm0
+	aesenclast	%xmm4,%xmm0
+	pslld		\$1,%xmm4
+
+	movdqa		%xmm2,%xmm3
+	pslldq		\$4,%xmm2
+	pxor		%xmm2,%xmm3
+	pslldq		\$4,%xmm2
+	pxor		%xmm2,%xmm3
+	pslldq		\$4,%xmm2
+	pxor		%xmm3,%xmm2
+
+	pxor		%xmm2,%xmm0
+	movdqu		%xmm0,(%rax)
+
+	movdqa		%xmm0,%xmm2
+	pshufb		%xmm5,%xmm0
+	aesenclast	%xmm4,%xmm0
+
+	movdqa		%xmm2,%xmm3
+	pslldq		\$4,%xmm2
+	pxor		%xmm2,%xmm3
+	pslldq		\$4,%xmm2
+	pxor		%xmm2,%xmm3
+	pslldq		\$4,%xmm2
+	pxor		%xmm3,%xmm2
+
+	pxor		%xmm2,%xmm0
+	movdqu		%xmm0,16(%rax)
+
+	mov	$bits,96(%rax)	# 240($key)
+	xor	%eax,%eax
+	jmp	.Lenc_key_ret
+
+.align	16
 .L12rounds:
 	movq	16($inp),%xmm2			# remaining 1/3 of *userKey
 	mov	\$11,$bits			# 12 rounds for 192
+	cmp	\$`1<<28`,%r10d			# AVX, but no XOP
+	je	.L12rounds_alt
+
 	$movkey	%xmm0,($key)			# round 0
 	aeskeygenassist	\$0x1,%xmm2,%xmm1	# round 1,2
 	call		.Lkey_expansion_192a_cold
@@ -3098,10 +3479,54 @@ __aesni_set_encrypt_key:
 	jmp	.Lenc_key_ret
 
 .align	16
+.L12rounds_alt:
+	movdqa	.Lkey_rotate192(%rip),%xmm5
+	movdqa	.Lkey_rcon1(%rip),%xmm4
+	mov	\$8,%r10d
+	movdqu	%xmm0,($key)
+	jmp	.Loop_key192
+
+.align	16
+.Loop_key192:
+	movq		%xmm2,0(%rax)
+	movdqa		%xmm2,%xmm1
+	pshufb		%xmm5,%xmm2
+	aesenclast	%xmm4,%xmm2
+	pslld		\$1, %xmm4
+	lea		24(%rax),%rax
+
+	movdqa		%xmm0,%xmm3
+	pslldq		\$4,%xmm0
+	pxor		%xmm0,%xmm3
+	pslldq		\$4,%xmm0
+	pxor		%xmm0,%xmm3
+	pslldq		\$4,%xmm0
+	pxor		%xmm3,%xmm0
+
+	pshufd		\$0xff,%xmm0,%xmm3
+	pxor		%xmm1,%xmm3
+	pslldq		\$4,%xmm1
+	pxor		%xmm1,%xmm3
+
+	pxor		%xmm2,%xmm0
+	pxor		%xmm3,%xmm2
+	movdqu		%xmm0,-16(%rax)
+
+	dec	%r10d
+	jnz	.Loop_key192
+
+	mov	$bits,32(%rax)	# 240($key)
+	xor	%eax,%eax
+	jmp	.Lenc_key_ret
+
+.align	16
 .L14rounds:
 	movups	16($inp),%xmm2			# remaning half of *userKey
 	mov	\$13,$bits			# 14 rounds for 256
 	lea	16(%rax),%rax
+	cmp	\$`1<<28`,%r10d			# AVX, but no XOP
+	je	.L14rounds_alt
+
 	$movkey	%xmm0,($key)			# round 0
 	$movkey	%xmm2,16($key)			# round 1
 	aeskeygenassist	\$0x1,%xmm2,%xmm1	# round 2
@@ -3136,9 +3561,69 @@ __aesni_set_encrypt_key:
 	jmp	.Lenc_key_ret
 
 .align	16
+.L14rounds_alt:
+	movdqa	.Lkey_rotate(%rip),%xmm5
+	movdqa	.Lkey_rcon1(%rip),%xmm4
+	mov	\$7,%r10d
+	movdqu	%xmm0,0($key)
+	movdqa	%xmm2,%xmm1
+	movdqu	%xmm2,16($key)
+	jmp	.Loop_key256
+
+.align	16
+.Loop_key256:
+	pshufb		%xmm5,%xmm2
+	aesenclast	%xmm4,%xmm2
+
+	movdqa		%xmm0,%xmm3
+	pslldq		\$4,%xmm0
+	pxor		%xmm0,%xmm3
+	pslldq		\$4,%xmm0
+	pxor		%xmm0,%xmm3
+	pslldq		\$4,%xmm0
+	pxor		%xmm3,%xmm0
+	pslld		\$1,%xmm4
+
+	pxor		%xmm2,%xmm0
+	movdqu		%xmm0,(%rax)
+
+	dec	%r10d
+	jz	.Ldone_key256
+
+	pshufd		\$0xff,%xmm0,%xmm2
+	pxor		%xmm3,%xmm3
+	aesenclast	%xmm3,%xmm2
+
+	movdqa		%xmm1,%xmm3
+	pslldq		\$4,%xmm1
+	pxor		%xmm1,%xmm3
+	pslldq		\$4,%xmm1
+	pxor		%xmm1,%xmm3
+	pslldq		\$4,%xmm1
+	pxor		%xmm3,%xmm1
+
+	pxor		%xmm1,%xmm2
+	movdqu		%xmm2,16(%rax)
+	lea		32(%rax),%rax
+	movdqa		%xmm2,%xmm1
+
+	jmp	.Loop_key256
+
+.Ldone_key256:
+	mov	$bits,16(%rax)	# 240($key)
+	xor	%eax,%eax
+	jmp	.Lenc_key_ret
+
+.align	16
 .Lbad_keybits:
 	mov	\$-2,%rax
 .Lenc_key_ret:
+	pxor	%xmm0,%xmm0
+	pxor	%xmm1,%xmm1
+	pxor	%xmm2,%xmm2
+	pxor	%xmm3,%xmm3
+	pxor	%xmm4,%xmm4
+	pxor	%xmm5,%xmm5
 	add	\$8,%rsp
 	ret
 .LSEH_end_set_encrypt_key:
@@ -3228,6 +3713,14 @@ $code.=<<___;
 	.long	0x87,0,1,0
 .Lincrement1:
 	.byte	0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1
+.Lkey_rotate:
+	.long	0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d
+.Lkey_rotate192:
+	.long	0x04070605,0x04070605,0x04070605,0x04070605
+.Lkey_rcon1:
+	.long	1,1,1,1
+.Lkey_rcon1b:
+	.long	0x1b,0x1b,0x1b,0x1b
 
 .asciz  "AES for Intel AES-NI, CRYPTOGAMS by <appro\@openssl.org>"
 .align	64
@@ -3345,7 +3838,7 @@ cbc_se_handler:
 	mov	152($context),%rax	# pull context->Rsp
 	mov	248($context),%rbx	# pull context->Rip
 
-	lea	.Lcbc_decrypt(%rip),%r10
+	lea	.Lcbc_decrypt_bulk(%rip),%r10
 	cmp	%r10,%rbx		# context->Rip<"prologue" label
 	jb	.Lcommon_seh_tail
 
diff --git a/src/crypto/aes/asm/aesv8-armx.pl b/src/crypto/aes/asm/aesv8-armx.pl
index 703da04..b0916f6 100644
--- a/src/crypto/aes/asm/aesv8-armx.pl
+++ b/src/crypto/aes/asm/aesv8-armx.pl
@@ -24,11 +24,23 @@
 #
 #		CBC enc		CBC dec		CTR
 # Apple A7	2.39		1.20		1.20
-# Cortex-A53	2.45		1.87		1.94
-# Cortex-A57	3.64		1.34		1.32
+# Cortex-A53	1.32		1.29		1.46
+# Cortex-A57(*)	1.95		0.85		0.93
+# Denver	1.96		0.86		0.80
+#
+# (*)	original 3.64/1.34/1.32 results were for r0p0 revision
+#	and are still same even for updated module;
 
 $flavour = shift;
-open STDOUT,">".shift;
+$output  = shift;
+
+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
+( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
+die "can't locate arm-xlate.pl";
+
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
 
 $prefix="aes_v8";
 
@@ -38,10 +50,9 @@ $code=<<___;
 #if __ARM_MAX_ARCH__>=7
 .text
 ___
-
-$code.=<<___	if ($flavour =~ /64/);
+$code.=<<___ if ($flavour =~ /64/);
 #if !defined(__clang__)
-.arch	armv8-a+crypto
+.arch  armv8-a+crypto
 #endif
 ___
 $code.=".arch	armv7-a\n.fpu	neon\n.code	32\n"	if ($flavour !~ /64/);
@@ -61,7 +72,7 @@ my ($zero,$rcon,$mask,$in0,$in1,$tmp,$key)=
 
 $code.=<<___;
 .align	5
-rcon:
+.Lrcon:
 .long	0x01,0x01,0x01,0x01
 .long	0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d	// rotate-n-splat
 .long	0x1b,0x1b,0x1b,0x1b
@@ -90,7 +101,7 @@ $code.=<<___;
 	tst	$bits,#0x3f
 	b.ne	.Lenc_key_abort
 
-	adr	$ptr,rcon
+	adr	$ptr,.Lrcon
 	cmp	$bits,#192
 
 	veor	$zero,$zero,$zero
@@ -313,17 +324,17 @@ ${prefix}_${dir}crypt:
 
 .Loop_${dir}c:
 	aes$e	$inout,$rndkey0
-	vld1.32	{$rndkey0},[$key],#16
 	aes$mc	$inout,$inout
+	vld1.32	{$rndkey0},[$key],#16
 	subs	$rounds,$rounds,#2
 	aes$e	$inout,$rndkey1
-	vld1.32	{$rndkey1},[$key],#16
 	aes$mc	$inout,$inout
+	vld1.32	{$rndkey1},[$key],#16
 	b.gt	.Loop_${dir}c
 
 	aes$e	$inout,$rndkey0
-	vld1.32	{$rndkey0},[$key]
 	aes$mc	$inout,$inout
+	vld1.32	{$rndkey0},[$key]
 	aes$e	$inout,$rndkey1
 	veor	$inout,$inout,$rndkey0
 
@@ -341,6 +352,7 @@ my ($rounds,$cnt,$key_,$step,$step1)=($enc,"w6","x7","x8","x12");
 my ($dat0,$dat1,$in0,$in1,$tmp0,$tmp1,$ivec,$rndlast)=map("q$_",(0..7));
 
 my ($dat,$tmp,$rndzero_n_last)=($dat0,$tmp0,$tmp1);
+my ($key4,$key5,$key6,$key7)=("x6","x12","x14",$key);
 
 ### q8-q15	preloaded key schedule
 
@@ -390,25 +402,50 @@ $code.=<<___;
 	veor	$rndzero_n_last,q8,$rndlast
 	b.eq	.Lcbc_enc128
 
+	vld1.32	{$in0-$in1},[$key_]
+	add	$key_,$key,#16
+	add	$key4,$key,#16*4
+	add	$key5,$key,#16*5
+	aese	$dat,q8
+	aesmc	$dat,$dat
+	add	$key6,$key,#16*6
+	add	$key7,$key,#16*7
+	b	.Lenter_cbc_enc
+
+.align	4
 .Loop_cbc_enc:
 	aese	$dat,q8
-	vld1.32	{q8},[$key_],#16
 	aesmc	$dat,$dat
-	subs	$cnt,$cnt,#2
+	 vst1.8	{$ivec},[$out],#16
+.Lenter_cbc_enc:
 	aese	$dat,q9
-	vld1.32	{q9},[$key_],#16
 	aesmc	$dat,$dat
-	b.gt	.Loop_cbc_enc
+	aese	$dat,$in0
+	aesmc	$dat,$dat
+	vld1.32	{q8},[$key4]
+	cmp	$rounds,#4
+	aese	$dat,$in1
+	aesmc	$dat,$dat
+	vld1.32	{q9},[$key5]
+	b.eq	.Lcbc_enc192
 
 	aese	$dat,q8
 	aesmc	$dat,$dat
+	vld1.32	{q8},[$key6]
+	aese	$dat,q9
+	aesmc	$dat,$dat
+	vld1.32	{q9},[$key7]
+	nop
+
+.Lcbc_enc192:
+	aese	$dat,q8
+	aesmc	$dat,$dat
 	 subs	$len,$len,#16
 	aese	$dat,q9
 	aesmc	$dat,$dat
 	 cclr	$step,eq
 	aese	$dat,q10
 	aesmc	$dat,$dat
-	 add	$key_,$key,#16
 	aese	$dat,q11
 	aesmc	$dat,$dat
 	 vld1.8	{q8},[$inp],$step
@@ -417,16 +454,14 @@ $code.=<<___;
 	 veor	q8,q8,$rndzero_n_last
 	aese	$dat,q13
 	aesmc	$dat,$dat
-	 vld1.32 {q9},[$key_],#16	// re-pre-load rndkey[1]
+	 vld1.32 {q9},[$key_]		// re-pre-load rndkey[1]
 	aese	$dat,q14
 	aesmc	$dat,$dat
 	aese	$dat,q15
-
-	 mov	$cnt,$rounds
 	veor	$ivec,$dat,$rndlast
-	vst1.8	{$ivec},[$out],#16
 	b.hs	.Loop_cbc_enc
 
+	vst1.8	{$ivec},[$out],#16
 	b	.Lcbc_done
 
 .align	5
@@ -488,79 +523,78 @@ $code.=<<___;
 
 .Loop3x_cbc_dec:
 	aesd	$dat0,q8
-	aesd	$dat1,q8
-	aesd	$dat2,q8
-	vld1.32	{q8},[$key_],#16
 	aesimc	$dat0,$dat0
+	aesd	$dat1,q8
 	aesimc	$dat1,$dat1
+	aesd	$dat2,q8
 	aesimc	$dat2,$dat2
+	vld1.32	{q8},[$key_],#16
 	subs	$cnt,$cnt,#2
 	aesd	$dat0,q9
-	aesd	$dat1,q9
-	aesd	$dat2,q9
-	vld1.32	{q9},[$key_],#16
 	aesimc	$dat0,$dat0
+	aesd	$dat1,q9
 	aesimc	$dat1,$dat1
+	aesd	$dat2,q9
 	aesimc	$dat2,$dat2
+	vld1.32	{q9},[$key_],#16
 	b.gt	.Loop3x_cbc_dec
 
 	aesd	$dat0,q8
-	aesd	$dat1,q8
-	aesd	$dat2,q8
-	 veor	$tmp0,$ivec,$rndlast
 	aesimc	$dat0,$dat0
+	aesd	$dat1,q8
 	aesimc	$dat1,$dat1
+	aesd	$dat2,q8
 	aesimc	$dat2,$dat2
+	 veor	$tmp0,$ivec,$rndlast
+	 subs	$len,$len,#0x30
 	 veor	$tmp1,$in0,$rndlast
+	 mov.lo	x6,$len			// x6, $cnt, is zero at this point
 	aesd	$dat0,q9
-	aesd	$dat1,q9
-	aesd	$dat2,q9
-	 veor	$tmp2,$in1,$rndlast
-	 subs	$len,$len,#0x30
 	aesimc	$dat0,$dat0
+	aesd	$dat1,q9
 	aesimc	$dat1,$dat1
+	aesd	$dat2,q9
 	aesimc	$dat2,$dat2
-	 vorr	$ivec,$in2,$in2
-	 mov.lo	x6,$len			// x6, $cnt, is zero at this point
-	aesd	$dat0,q12
-	aesd	$dat1,q12
-	aesd	$dat2,q12
+	 veor	$tmp2,$in1,$rndlast
 	 add	$inp,$inp,x6		// $inp is adjusted in such way that
 					// at exit from the loop $dat1-$dat2
 					// are loaded with last "words"
+	 vorr	$ivec,$in2,$in2
+	 mov	$key_,$key
+	aesd	$dat0,q12
 	aesimc	$dat0,$dat0
+	aesd	$dat1,q12
 	aesimc	$dat1,$dat1
+	aesd	$dat2,q12
 	aesimc	$dat2,$dat2
-	 mov	$key_,$key
-	aesd	$dat0,q13
-	aesd	$dat1,q13
-	aesd	$dat2,q13
 	 vld1.8	{$in0},[$inp],#16
+	aesd	$dat0,q13
 	aesimc	$dat0,$dat0
+	aesd	$dat1,q13
 	aesimc	$dat1,$dat1
+	aesd	$dat2,q13
 	aesimc	$dat2,$dat2
 	 vld1.8	{$in1},[$inp],#16
 	aesd	$dat0,q14
-	aesd	$dat1,q14
-	aesd	$dat2,q14
-	 vld1.8	{$in2},[$inp],#16
 	aesimc	$dat0,$dat0
+	aesd	$dat1,q14
 	aesimc	$dat1,$dat1
+	aesd	$dat2,q14
 	aesimc	$dat2,$dat2
-	 vld1.32 {q8},[$key_],#16	// re-pre-load rndkey[0]
+	 vld1.8	{$in2},[$inp],#16
 	aesd	$dat0,q15
 	aesd	$dat1,q15
 	aesd	$dat2,q15
-
+	 vld1.32 {q8},[$key_],#16	// re-pre-load rndkey[0]
 	 add	$cnt,$rounds,#2
 	veor	$tmp0,$tmp0,$dat0
 	veor	$tmp1,$tmp1,$dat1
 	veor	$dat2,$dat2,$tmp2
 	 vld1.32 {q9},[$key_],#16	// re-pre-load rndkey[1]
-	 vorr	$dat0,$in0,$in0
 	vst1.8	{$tmp0},[$out],#16
-	 vorr	$dat1,$in1,$in1
+	 vorr	$dat0,$in0,$in0
 	vst1.8	{$tmp1},[$out],#16
+	 vorr	$dat1,$in1,$in1
 	vst1.8	{$dat2},[$out],#16
 	 vorr	$dat2,$in2,$in2
 	b.hs	.Loop3x_cbc_dec
@@ -571,39 +605,39 @@ $code.=<<___;
 
 .Lcbc_dec_tail:
 	aesd	$dat1,q8
-	aesd	$dat2,q8
-	vld1.32	{q8},[$key_],#16
 	aesimc	$dat1,$dat1
+	aesd	$dat2,q8
 	aesimc	$dat2,$dat2
+	vld1.32	{q8},[$key_],#16
 	subs	$cnt,$cnt,#2
 	aesd	$dat1,q9
-	aesd	$dat2,q9
-	vld1.32	{q9},[$key_],#16
 	aesimc	$dat1,$dat1
+	aesd	$dat2,q9
 	aesimc	$dat2,$dat2
+	vld1.32	{q9},[$key_],#16
 	b.gt	.Lcbc_dec_tail
 
 	aesd	$dat1,q8
-	aesd	$dat2,q8
 	aesimc	$dat1,$dat1
+	aesd	$dat2,q8
 	aesimc	$dat2,$dat2
 	aesd	$dat1,q9
-	aesd	$dat2,q9
 	aesimc	$dat1,$dat1
+	aesd	$dat2,q9
 	aesimc	$dat2,$dat2
 	aesd	$dat1,q12
-	aesd	$dat2,q12
 	aesimc	$dat1,$dat1
+	aesd	$dat2,q12
 	aesimc	$dat2,$dat2
 	 cmn	$len,#0x20
 	aesd	$dat1,q13
-	aesd	$dat2,q13
 	aesimc	$dat1,$dat1
+	aesd	$dat2,q13
 	aesimc	$dat2,$dat2
 	 veor	$tmp1,$ivec,$rndlast
 	aesd	$dat1,q14
-	aesd	$dat2,q14
 	aesimc	$dat1,$dat1
+	aesd	$dat2,q14
 	aesimc	$dat2,$dat2
 	 veor	$tmp2,$in1,$rndlast
 	aesd	$dat1,q15
@@ -704,70 +738,69 @@ $code.=<<___;
 .align	4
 .Loop3x_ctr32:
 	aese		$dat0,q8
-	aese		$dat1,q8
-	aese		$dat2,q8
-	vld1.32		{q8},[$key_],#16
 	aesmc		$dat0,$dat0
+	aese		$dat1,q8
 	aesmc		$dat1,$dat1
+	aese		$dat2,q8
 	aesmc		$dat2,$dat2
+	vld1.32		{q8},[$key_],#16
 	subs		$cnt,$cnt,#2
 	aese		$dat0,q9
-	aese		$dat1,q9
-	aese		$dat2,q9
-	vld1.32		{q9},[$key_],#16
 	aesmc		$dat0,$dat0
+	aese		$dat1,q9
 	aesmc		$dat1,$dat1
+	aese		$dat2,q9
 	aesmc		$dat2,$dat2
+	vld1.32		{q9},[$key_],#16
 	b.gt		.Loop3x_ctr32
 
 	aese		$dat0,q8
-	aese		$dat1,q8
-	aese		$dat2,q8
-	 mov		$key_,$key
 	aesmc		$tmp0,$dat0
-	 vld1.8		{$in0},[$inp],#16
+	aese		$dat1,q8
 	aesmc		$tmp1,$dat1
-	aesmc		$dat2,$dat2
+	 vld1.8		{$in0},[$inp],#16
 	 vorr		$dat0,$ivec,$ivec
-	aese		$tmp0,q9
+	aese		$dat2,q8
+	aesmc		$dat2,$dat2
 	 vld1.8		{$in1},[$inp],#16
-	aese		$tmp1,q9
-	aese		$dat2,q9
 	 vorr		$dat1,$ivec,$ivec
+	aese		$tmp0,q9
 	aesmc		$tmp0,$tmp0
-	 vld1.8		{$in2},[$inp],#16
+	aese		$tmp1,q9
 	aesmc		$tmp1,$tmp1
+	 vld1.8		{$in2},[$inp],#16
+	 mov		$key_,$key
+	aese		$dat2,q9
 	aesmc		$tmp2,$dat2
 	 vorr		$dat2,$ivec,$ivec
 	 add		$tctr0,$ctr,#1
 	aese		$tmp0,q12
+	aesmc		$tmp0,$tmp0
 	aese		$tmp1,q12
-	aese		$tmp2,q12
+	aesmc		$tmp1,$tmp1
 	 veor		$in0,$in0,$rndlast
 	 add		$tctr1,$ctr,#2
-	aesmc		$tmp0,$tmp0
-	aesmc		$tmp1,$tmp1
+	aese		$tmp2,q12
 	aesmc		$tmp2,$tmp2
 	 veor		$in1,$in1,$rndlast
 	 add		$ctr,$ctr,#3
 	aese		$tmp0,q13
+	aesmc		$tmp0,$tmp0
 	aese		$tmp1,q13
-	aese		$tmp2,q13
+	aesmc		$tmp1,$tmp1
 	 veor		$in2,$in2,$rndlast
 	 rev		$tctr0,$tctr0
-	aesmc		$tmp0,$tmp0
-	 vld1.32	 {q8},[$key_],#16	// re-pre-load rndkey[0]
-	aesmc		$tmp1,$tmp1
+	aese		$tmp2,q13
 	aesmc		$tmp2,$tmp2
 	 vmov.32	${dat0}[3], $tctr0
 	 rev		$tctr1,$tctr1
 	aese		$tmp0,q14
+	aesmc		$tmp0,$tmp0
 	aese		$tmp1,q14
-	aese		$tmp2,q14
+	aesmc		$tmp1,$tmp1
 	 vmov.32	${dat1}[3], $tctr1
 	 rev		$tctr2,$ctr
-	aesmc		$tmp0,$tmp0
-	aesmc		$tmp1,$tmp1
+	aese		$tmp2,q14
 	aesmc		$tmp2,$tmp2
 	 vmov.32	${dat2}[3], $tctr2
 	 subs		$len,$len,#3
@@ -775,13 +808,14 @@ $code.=<<___;
 	aese		$tmp1,q15
 	aese		$tmp2,q15
 
-	 mov		$cnt,$rounds
 	veor		$in0,$in0,$tmp0
+	 vld1.32	 {q8},[$key_],#16	// re-pre-load rndkey[0]
+	vst1.8		{$in0},[$out],#16
 	veor		$in1,$in1,$tmp1
+	 mov		$cnt,$rounds
+	vst1.8		{$in1},[$out],#16
 	veor		$in2,$in2,$tmp2
 	 vld1.32	 {q9},[$key_],#16	// re-pre-load rndkey[1]
-	vst1.8		{$in0},[$out],#16
-	vst1.8		{$in1},[$out],#16
 	vst1.8		{$in2},[$out],#16
 	b.hs		.Loop3x_ctr32
 
@@ -793,40 +827,40 @@ $code.=<<___;
 
 .Lctr32_tail:
 	aese		$dat0,q8
-	aese		$dat1,q8
-	vld1.32		{q8},[$key_],#16
 	aesmc		$dat0,$dat0
+	aese		$dat1,q8
 	aesmc		$dat1,$dat1
+	vld1.32		{q8},[$key_],#16
 	subs		$cnt,$cnt,#2
 	aese		$dat0,q9
-	aese		$dat1,q9
-	vld1.32		{q9},[$key_],#16
 	aesmc		$dat0,$dat0
+	aese		$dat1,q9
 	aesmc		$dat1,$dat1
+	vld1.32		{q9},[$key_],#16
 	b.gt		.Lctr32_tail
 
 	aese		$dat0,q8
-	aese		$dat1,q8
 	aesmc		$dat0,$dat0
+	aese		$dat1,q8
 	aesmc		$dat1,$dat1
 	aese		$dat0,q9
-	aese		$dat1,q9
 	aesmc		$dat0,$dat0
+	aese		$dat1,q9
 	aesmc		$dat1,$dat1
 	 vld1.8		{$in0},[$inp],$step
 	aese		$dat0,q12
-	aese		$dat1,q12
-	 vld1.8		{$in1},[$inp]
 	aesmc		$dat0,$dat0
+	aese		$dat1,q12
 	aesmc		$dat1,$dat1
+	 vld1.8		{$in1},[$inp]
 	aese		$dat0,q13
-	aese		$dat1,q13
 	aesmc		$dat0,$dat0
+	aese		$dat1,q13
 	aesmc		$dat1,$dat1
-	aese		$dat0,q14
-	aese		$dat1,q14
 	 veor		$in0,$in0,$rndlast
+	aese		$dat0,q14
 	aesmc		$dat0,$dat0
+	aese		$dat1,q14
 	aesmc		$dat1,$dat1
 	 veor		$in1,$in1,$rndlast
 	aese		$dat0,q15
diff --git a/src/crypto/aes/asm/bsaes-armv7.pl b/src/crypto/aes/asm/bsaes-armv7.pl
index d70f3ea..a5e4a98 100644
--- a/src/crypto/aes/asm/bsaes-armv7.pl
+++ b/src/crypto/aes/asm/bsaes-armv7.pl
@@ -47,8 +47,20 @@
 #
 #					<ard.biesheuvel@linaro.org>
 
-while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {}
-open STDOUT,">$output";
+$flavour = shift;
+if ($flavour=~/^\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; }
+else { while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} }
+
+if ($flavour && $flavour ne "void") {
+    $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+    ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
+    ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
+    die "can't locate arm-xlate.pl";
+
+    open STDOUT,"| \"$^X\" $xlate $flavour $output";
+} else {
+    open STDOUT,">$output";
+}
 
 my ($inp,$out,$len,$key)=("r0","r1","r2","r3");
 my @XMM=map("q$_",(0..15));
@@ -703,29 +715,35 @@ $code.=<<___;
 # define BSAES_ASM_EXTENDED_KEY
 # define XTS_CHAIN_TWEAK
 # define __ARM_ARCH__ __LINUX_ARM_ARCH__
+# define __ARM_MAX_ARCH__ 7
 #endif
 
 #ifdef __thumb__
 # define adrl adr
 #endif
 
-#if __ARM_ARCH__>=7
+#if __ARM_MAX_ARCH__>=7
+.arch	armv7-a
+.fpu	neon
+
 .text
 .syntax	unified 	@ ARMv7-capable assembler is expected to handle this
-#ifdef __thumb2__
+#if defined(__thumb2__) && !defined(__APPLE__)
 .thumb
 #else
 .code   32
 #endif
 
-.fpu	neon
-
 .type	_bsaes_decrypt8,%function
 .align	4
 _bsaes_decrypt8:
 	adr	$const,_bsaes_decrypt8
 	vldmia	$key!, {@XMM[9]}		@ round 0 key
+#ifdef	__APPLE__
+	adr	$const,.LM0ISR
+#else
 	add	$const,$const,#.LM0ISR-_bsaes_decrypt8
+#endif
 
 	vldmia	$const!, {@XMM[8]}		@ .LM0ISR
 	veor	@XMM[10], @XMM[0], @XMM[9]	@ xor with round0 key
@@ -820,7 +838,11 @@ _bsaes_const:
 _bsaes_encrypt8:
 	adr	$const,_bsaes_encrypt8
 	vldmia	$key!, {@XMM[9]}		@ round 0 key
+#ifdef	__APPLE__
+	adr	$const,.LM0SR
+#else
 	sub	$const,$const,#_bsaes_encrypt8-.LM0SR
+#endif
 
 	vldmia	$const!, {@XMM[8]}		@ .LM0SR
 _bsaes_encrypt8_alt:
@@ -924,7 +946,11 @@ $code.=<<___;
 _bsaes_key_convert:
 	adr	$const,_bsaes_key_convert
 	vld1.8	{@XMM[7]},  [$inp]!		@ load round 0 key
+#ifdef	__APPLE__
+	adr	$const,.LM0
+#else
 	sub	$const,$const,#_bsaes_key_convert-.LM0
+#endif
 	vld1.8	{@XMM[15]}, [$inp]!		@ load round 1 key
 
 	vmov.i8	@XMM[8],  #0x01			@ bit masks
@@ -1397,7 +1423,12 @@ bsaes_ctr32_encrypt_blocks:
 	vstmia	r12, {@XMM[7]}			@ save last round key
 
 	vld1.8	{@XMM[0]}, [$ctr]		@ load counter
+#ifdef	__APPLE__
+	mov	$ctr, #.LREVM0SR-.LM0
+	add	$ctr, $const, $ctr
+#else
 	add	$ctr, $const, #.LREVM0SR-.LM0	@ borrow $ctr
+#endif
 	vldmia	$keysched, {@XMM[4]}		@ load round0 key
 #else
 	ldr	r12, [$key, #244]
@@ -1454,7 +1485,12 @@ bsaes_ctr32_encrypt_blocks:
 	vldmia		$ctr, {@XMM[8]}			@ .LREVM0SR
 	mov		r5, $rounds			@ pass rounds
 	vstmia		$fp, {@XMM[10]}			@ save next counter
+#ifdef	__APPLE__
+	mov		$const, #.LREVM0SR-.LSR
+	sub		$const, $ctr, $const
+#else
 	sub		$const, $ctr, #.LREVM0SR-.LSR	@ pass constants
+#endif
 
 	bl		_bsaes_encrypt8_alt
 
@@ -1555,7 +1591,7 @@ bsaes_ctr32_encrypt_blocks:
 	rev	r8, r8
 #endif
 	sub	sp, sp, #0x10
-	vst1.8	{@XMM[1]}, [sp,:64]	@ copy counter value
+	vst1.8	{@XMM[1]}, [sp]		@ copy counter value
 	sub	sp, sp, #0x10
 
 .Lctr_enc_short_loop:
@@ -1566,7 +1602,7 @@ bsaes_ctr32_encrypt_blocks:
 	bl	AES_encrypt
 
 	vld1.8	{@XMM[0]}, [r4]!	@ load input
-	vld1.8	{@XMM[1]}, [sp,:64]	@ load encrypted counter
+	vld1.8	{@XMM[1]}, [sp]		@ load encrypted counter
 	add	r8, r8, #1
 #ifdef __ARMEL__
 	rev	r0, r8
@@ -2085,9 +2121,11 @@ bsaes_xts_decrypt:
 	vld1.8	{@XMM[8]}, [r0]			@ initial tweak
 	adr	$magic, .Lxts_magic
 
+#ifndef	XTS_CHAIN_TWEAK
 	tst	$len, #0xf			@ if not multiple of 16
 	it	ne				@ Thumb2 thing, sanity check in ARM
 	subne	$len, #0x10			@ subtract another 16 bytes
+#endif
 	subs	$len, #0x80
 
 	blo	.Lxts_dec_short
diff --git a/src/crypto/asn1/CMakeLists.txt b/src/crypto/asn1/CMakeLists.txt
index 35e1bec..283636e 100644
--- a/src/crypto/asn1/CMakeLists.txt
+++ b/src/crypto/asn1/CMakeLists.txt
@@ -23,7 +23,6 @@ add_library(
   a_type.c
   a_utctm.c
   a_utf8.c
-  asn1_error.c
   asn1_lib.c
   asn1_par.c
   asn_pack.c
diff --git a/src/crypto/asn1/a_d2i_fp.c b/src/crypto/asn1/a_d2i_fp.c
index c28532b..6022c74 100644
--- a/src/crypto/asn1/a_d2i_fp.c
+++ b/src/crypto/asn1/a_d2i_fp.c
@@ -194,7 +194,7 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
 			len-off);
 		if (c.inf & 0x80)
 			{
-			unsigned long e;
+			uint32_t e;
 
 			e=ERR_GET_REASON(ERR_peek_error());
 			if (e != ASN1_R_TOO_LONG)
diff --git a/src/crypto/asn1/a_gentm.c b/src/crypto/asn1/a_gentm.c
index 355feff..be093a4 100644
--- a/src/crypto/asn1/a_gentm.c
+++ b/src/crypto/asn1/a_gentm.c
@@ -57,6 +57,7 @@
 #include <openssl/asn1.h>
 
 #include <string.h>
+#include <time.h>
 
 #include <openssl/err.h>
 #include <openssl/mem.h>
diff --git a/src/crypto/asn1/a_time.c b/src/crypto/asn1/a_time.c
index f0badcc..e02e858 100644
--- a/src/crypto/asn1/a_time.c
+++ b/src/crypto/asn1/a_time.c
@@ -57,6 +57,7 @@
 #include <openssl/asn1.h>
 
 #include <string.h>
+#include <time.h>
 
 #include <openssl/asn1t.h>
 #include <openssl/buf.h>
diff --git a/src/crypto/asn1/a_type.c b/src/crypto/asn1/a_type.c
index 75a17d5..fd3d5b1 100644
--- a/src/crypto/asn1/a_type.c
+++ b/src/crypto/asn1/a_type.c
@@ -125,6 +125,9 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b)
 	case V_ASN1_NULL:
 		result = 0;	/* They do not have content. */
 		break;
+	case V_ASN1_BOOLEAN:
+		result = a->value.boolean - b->value.boolean;
+		break;
 	case V_ASN1_INTEGER:
 	case V_ASN1_NEG_INTEGER:
 	case V_ASN1_ENUMERATED:
diff --git a/src/crypto/asn1/a_utctm.c b/src/crypto/asn1/a_utctm.c
index 7a3f5f6..52b010f 100644
--- a/src/crypto/asn1/a_utctm.c
+++ b/src/crypto/asn1/a_utctm.c
@@ -57,6 +57,7 @@
 #include <openssl/asn1.h>
 
 #include <string.h>
+#include <time.h>
 
 #include <openssl/err.h>
 #include <openssl/mem.h>
@@ -287,7 +288,7 @@ int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t)
 	if (!OPENSSL_gmtime(&t, &ttm))
 		return -2;
 
-	if (!OPENSSL_gmtime_diff(&day, &sec, &stm, &ttm))
+	if (!OPENSSL_gmtime_diff(&day, &sec, &ttm, &stm))
 		return -2;
 
 	if (day > 0)
diff --git a/src/crypto/asn1/asn1_error.c b/src/crypto/asn1/asn1_error.c
deleted file mode 100644
index 5e9fcaa..0000000
--- a/src/crypto/asn1/asn1_error.c
+++ /dev/null
@@ -1,203 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/asn1.h>
-
-const ERR_STRING_DATA ASN1_error_string_data[] = {
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_BIT_STRING_set_bit, 0), "ASN1_BIT_STRING_set_bit"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_ENUMERATED_set, 0), "ASN1_ENUMERATED_set"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_ENUMERATED_to_BN, 0), "ASN1_ENUMERATED_to_BN"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_GENERALIZEDTIME_adj, 0), "ASN1_GENERALIZEDTIME_adj"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_INTEGER_set, 0), "ASN1_INTEGER_set"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_INTEGER_to_BN, 0), "ASN1_INTEGER_to_BN"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_OBJECT_new, 0), "ASN1_OBJECT_new"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_PCTX_new, 0), "ASN1_PCTX_new"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_STRING_TABLE_add, 0), "ASN1_STRING_TABLE_add"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_STRING_set, 0), "ASN1_STRING_set"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_STRING_type_new, 0), "ASN1_STRING_type_new"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_TIME_adj, 0), "ASN1_TIME_adj"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_UTCTIME_adj, 0), "ASN1_UTCTIME_adj"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_d2i_fp, 0), "ASN1_d2i_fp"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_dup, 0), "ASN1_dup"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_get_object, 0), "ASN1_get_object"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_i2d_bio, 0), "ASN1_i2d_bio"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_i2d_fp, 0), "ASN1_i2d_fp"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_item_d2i_fp, 0), "ASN1_item_d2i_fp"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_item_dup, 0), "ASN1_item_dup"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_item_ex_d2i, 0), "ASN1_item_ex_d2i"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_item_i2d_bio, 0), "ASN1_item_i2d_bio"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_item_i2d_fp, 0), "ASN1_item_i2d_fp"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_item_pack, 0), "ASN1_item_pack"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_item_unpack, 0), "ASN1_item_unpack"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_mbstring_ncopy, 0), "ASN1_mbstring_ncopy"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_pack_string, 0), "ASN1_pack_string"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_seq_pack, 0), "ASN1_seq_pack"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_seq_unpack, 0), "ASN1_seq_unpack"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_template_new, 0), "ASN1_template_new"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_unpack_string, 0), "ASN1_unpack_string"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_BIO_new_NDEF, 0), "BIO_new_NDEF"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_BN_to_ASN1_ENUMERATED, 0), "BN_to_ASN1_ENUMERATED"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_BN_to_ASN1_INTEGER, 0), "BN_to_ASN1_INTEGER"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_a2d_ASN1_OBJECT, 0), "a2d_ASN1_OBJECT"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_a2i_ASN1_ENUMERATED, 0), "a2i_ASN1_ENUMERATED"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_a2i_ASN1_INTEGER, 0), "a2i_ASN1_INTEGER"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_a2i_ASN1_STRING, 0), "a2i_ASN1_STRING"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_asn1_check_tlen, 0), "asn1_check_tlen"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_asn1_collate_primitive, 0), "asn1_collate_primitive"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_asn1_collect, 0), "asn1_collect"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_asn1_d2i_ex_primitive, 0), "asn1_d2i_ex_primitive"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_asn1_d2i_read_bio, 0), "asn1_d2i_read_bio"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_asn1_do_adb, 0), "asn1_do_adb"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_asn1_ex_c2i, 0), "asn1_ex_c2i"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_asn1_find_end, 0), "asn1_find_end"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_asn1_item_ex_combine_new, 0), "asn1_item_ex_combine_new"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_asn1_template_ex_d2i, 0), "asn1_template_ex_d2i"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_asn1_template_noexp_d2i, 0), "asn1_template_noexp_d2i"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_c2i_ASN1_BIT_STRING, 0), "c2i_ASN1_BIT_STRING"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_c2i_ASN1_INTEGER, 0), "c2i_ASN1_INTEGER"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_c2i_ASN1_OBJECT, 0), "c2i_ASN1_OBJECT"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_collect_data, 0), "collect_data"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_d2i_ASN1_BOOLEAN, 0), "d2i_ASN1_BOOLEAN"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_d2i_ASN1_OBJECT, 0), "d2i_ASN1_OBJECT"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_d2i_ASN1_UINTEGER, 0), "d2i_ASN1_UINTEGER"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_d2i_ASN1_UTCTIME, 0), "d2i_ASN1_UTCTIME"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_d2i_ASN1_bytes, 0), "d2i_ASN1_bytes"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_d2i_ASN1_type_bytes, 0), "d2i_ASN1_type_bytes"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_i2d_ASN1_TIME, 0), "i2d_ASN1_TIME"},
-  {ERR_PACK(ERR_LIB_ASN1, ASN1_F_long_c2i, 0), "long_c2i"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ADDING_OBJECT), "ADDING_OBJECT"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ASN1_LENGTH_MISMATCH), "ASN1_LENGTH_MISMATCH"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ASN1_PARSE_ERROR), "ASN1_PARSE_ERROR"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ASN1_SIG_PARSE_ERROR), "ASN1_SIG_PARSE_ERROR"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_AUX_ERROR), "AUX_ERROR"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BAD_CLASS), "BAD_CLASS"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BAD_GET_ASN1_OBJECT_CALL), "BAD_GET_ASN1_OBJECT_CALL"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BAD_OBJECT_HEADER), "BAD_OBJECT_HEADER"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BAD_PASSWORD_READ), "BAD_PASSWORD_READ"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BAD_TAG), "BAD_TAG"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BMPSTRING_IS_WRONG_LENGTH), "BMPSTRING_IS_WRONG_LENGTH"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BN_LIB), "BN_LIB"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BOOLEAN_IS_WRONG_LENGTH), "BOOLEAN_IS_WRONG_LENGTH"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BUFFER_TOO_SMALL), "BUFFER_TOO_SMALL"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER), "CIPHER_HAS_NO_OBJECT_IDENTIFIER"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_CONTEXT_NOT_INITIALISED), "CONTEXT_NOT_INITIALISED"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_DATA_IS_WRONG), "DATA_IS_WRONG"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_DECODE_ERROR), "DECODE_ERROR"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_DECODING_ERROR), "DECODING_ERROR"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_DEPTH_EXCEEDED), "DEPTH_EXCEEDED"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ENCODE_ERROR), "ENCODE_ERROR"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ERROR_GETTING_TIME), "ERROR_GETTING_TIME"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ERROR_LOADING_SECTION), "ERROR_LOADING_SECTION"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ERROR_PARSING_SET_ELEMENT), "ERROR_PARSING_SET_ELEMENT"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ERROR_SETTING_CIPHER_PARAMS), "ERROR_SETTING_CIPHER_PARAMS"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_EXPECTING_AN_ASN1_SEQUENCE), "EXPECTING_AN_ASN1_SEQUENCE"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_EXPECTING_AN_INTEGER), "EXPECTING_AN_INTEGER"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_EXPECTING_AN_OBJECT), "EXPECTING_AN_OBJECT"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_EXPECTING_A_BOOLEAN), "EXPECTING_A_BOOLEAN"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_EXPECTING_A_TIME), "EXPECTING_A_TIME"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_EXPLICIT_LENGTH_MISMATCH), "EXPLICIT_LENGTH_MISMATCH"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED), "EXPLICIT_TAG_NOT_CONSTRUCTED"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_FIELD_MISSING), "FIELD_MISSING"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_FIRST_NUM_TOO_LARGE), "FIRST_NUM_TOO_LARGE"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_HEADER_TOO_LONG), "HEADER_TOO_LONG"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ILLEGAL_BITSTRING_FORMAT), "ILLEGAL_BITSTRING_FORMAT"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ILLEGAL_BOOLEAN), "ILLEGAL_BOOLEAN"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ILLEGAL_CHARACTERS), "ILLEGAL_CHARACTERS"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ILLEGAL_FORMAT), "ILLEGAL_FORMAT"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ILLEGAL_HEX), "ILLEGAL_HEX"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ILLEGAL_IMPLICIT_TAG), "ILLEGAL_IMPLICIT_TAG"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ILLEGAL_INTEGER), "ILLEGAL_INTEGER"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ILLEGAL_NESTED_TAGGING), "ILLEGAL_NESTED_TAGGING"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ILLEGAL_NULL), "ILLEGAL_NULL"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ILLEGAL_NULL_VALUE), "ILLEGAL_NULL_VALUE"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ILLEGAL_OBJECT), "ILLEGAL_OBJECT"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ILLEGAL_OPTIONAL_ANY), "ILLEGAL_OPTIONAL_ANY"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE), "ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ILLEGAL_TAGGED_ANY), "ILLEGAL_TAGGED_ANY"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ILLEGAL_TIME_VALUE), "ILLEGAL_TIME_VALUE"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_INTEGER_NOT_ASCII_FORMAT), "INTEGER_NOT_ASCII_FORMAT"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG), "INTEGER_TOO_LARGE_FOR_LONG"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_INVALID_BIT_STRING_BITS_LEFT), "INVALID_BIT_STRING_BITS_LEFT"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_INVALID_BMPSTRING_LENGTH), "INVALID_BMPSTRING_LENGTH"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_INVALID_DIGIT), "INVALID_DIGIT"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_INVALID_MIME_TYPE), "INVALID_MIME_TYPE"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_INVALID_MODIFIER), "INVALID_MODIFIER"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_INVALID_NUMBER), "INVALID_NUMBER"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_INVALID_OBJECT_ENCODING), "INVALID_OBJECT_ENCODING"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_INVALID_SEPARATOR), "INVALID_SEPARATOR"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_INVALID_TIME_FORMAT), "INVALID_TIME_FORMAT"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_INVALID_UNIVERSALSTRING_LENGTH), "INVALID_UNIVERSALSTRING_LENGTH"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_INVALID_UTF8STRING), "INVALID_UTF8STRING"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_IV_TOO_LARGE), "IV_TOO_LARGE"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_LENGTH_ERROR), "LENGTH_ERROR"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_LIST_ERROR), "LIST_ERROR"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_MALLOC_FAILURE), "MALLOC_FAILURE"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_MIME_NO_CONTENT_TYPE), "MIME_NO_CONTENT_TYPE"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_MIME_PARSE_ERROR), "MIME_PARSE_ERROR"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_MIME_SIG_PARSE_ERROR), "MIME_SIG_PARSE_ERROR"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_MISSING_ASN1_EOS), "MISSING_ASN1_EOS"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_MISSING_EOC), "MISSING_EOC"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_MISSING_SECOND_NUMBER), "MISSING_SECOND_NUMBER"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_MISSING_VALUE), "MISSING_VALUE"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_MSTRING_NOT_UNIVERSAL), "MSTRING_NOT_UNIVERSAL"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_MSTRING_WRONG_TAG), "MSTRING_WRONG_TAG"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_NESTED_ASN1_ERROR), "NESTED_ASN1_ERROR"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_NESTED_ASN1_STRING), "NESTED_ASN1_STRING"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_NON_HEX_CHARACTERS), "NON_HEX_CHARACTERS"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_NOT_ASCII_FORMAT), "NOT_ASCII_FORMAT"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_NOT_ENOUGH_DATA), "NOT_ENOUGH_DATA"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_NO_CONTENT_TYPE), "NO_CONTENT_TYPE"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_NO_DEFAULT_DIGEST), "NO_DEFAULT_DIGEST"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_NO_MATCHING_CHOICE_TYPE), "NO_MATCHING_CHOICE_TYPE"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_NO_MULTIPART_BODY_FAILURE), "NO_MULTIPART_BODY_FAILURE"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_NO_MULTIPART_BOUNDARY), "NO_MULTIPART_BOUNDARY"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_NO_SIG_CONTENT_TYPE), "NO_SIG_CONTENT_TYPE"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_NULL_IS_WRONG_LENGTH), "NULL_IS_WRONG_LENGTH"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_OBJECT_NOT_ASCII_FORMAT), "OBJECT_NOT_ASCII_FORMAT"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ODD_NUMBER_OF_CHARS), "ODD_NUMBER_OF_CHARS"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_PRIVATE_KEY_HEADER_MISSING), "PRIVATE_KEY_HEADER_MISSING"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_SECOND_NUMBER_TOO_LARGE), "SECOND_NUMBER_TOO_LARGE"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_SEQUENCE_LENGTH_MISMATCH), "SEQUENCE_LENGTH_MISMATCH"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_SEQUENCE_NOT_CONSTRUCTED), "SEQUENCE_NOT_CONSTRUCTED"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG), "SEQUENCE_OR_SET_NEEDS_CONFIG"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_SHORT_LINE), "SHORT_LINE"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_SIG_INVALID_MIME_TYPE), "SIG_INVALID_MIME_TYPE"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_STREAMING_NOT_SUPPORTED), "STREAMING_NOT_SUPPORTED"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_STRING_TOO_LONG), "STRING_TOO_LONG"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_STRING_TOO_SHORT), "STRING_TOO_SHORT"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_TAG_VALUE_TOO_HIGH), "TAG_VALUE_TOO_HIGH"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD), "THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_TIME_NOT_ASCII_FORMAT), "TIME_NOT_ASCII_FORMAT"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_TOO_LONG), "TOO_LONG"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_TYPE_NOT_CONSTRUCTED), "TYPE_NOT_CONSTRUCTED"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_TYPE_NOT_PRIMITIVE), "TYPE_NOT_PRIMITIVE"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNABLE_TO_DECODE_RSA_KEY), "UNABLE_TO_DECODE_RSA_KEY"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY), "UNABLE_TO_DECODE_RSA_PRIVATE_KEY"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNEXPECTED_EOC), "UNEXPECTED_EOC"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH), "UNIVERSALSTRING_IS_WRONG_LENGTH"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNKNOWN_FORMAT), "UNKNOWN_FORMAT"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNKNOWN_OBJECT_TYPE), "UNKNOWN_OBJECT_TYPE"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE), "UNKNOWN_PUBLIC_KEY_TYPE"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNKNOWN_TAG), "UNKNOWN_TAG"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE), "UNSUPPORTED_ANY_DEFINED_BY_TYPE"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNSUPPORTED_CIPHER), "UNSUPPORTED_CIPHER"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM), "UNSUPPORTED_ENCRYPTION_ALGORITHM"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE), "UNSUPPORTED_PUBLIC_KEY_TYPE"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNSUPPORTED_TYPE), "UNSUPPORTED_TYPE"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_WRONG_TAG), "WRONG_TAG"},
-  {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_WRONG_TYPE), "WRONG_TYPE"},
-  {0, NULL},
-};
diff --git a/src/crypto/asn1/asn1_lib.c b/src/crypto/asn1/asn1_lib.c
index 1fc2c06..9aa2678 100644
--- a/src/crypto/asn1/asn1_lib.c
+++ b/src/crypto/asn1/asn1_lib.c
@@ -63,8 +63,46 @@
 #include <openssl/err.h>
 #include <openssl/mem.h>
 
+
+/* Used in asn1_mac.h.
+ * TODO(davidben): Remove this once asn1_mac.h is gone or trimmed. */
 OPENSSL_DECLARE_ERROR_REASON(ASN1, MALLOC_FAILURE);
 
+/* Cross-module errors from crypto/x509/i2d_pr.c */
+OPENSSL_DECLARE_ERROR_FUNCTION(ASN1, i2d_PrivateKey);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, UNSUPPORTED_PUBLIC_KEY_TYPE);
+
+/* Cross-module errors from crypto/x509/asn1_gen.c.
+ * TODO(davidben): Remove these once asn1_gen.c is gone. */
+OPENSSL_DECLARE_ERROR_FUNCTION(ASN1, ASN1_generate_v3);
+OPENSSL_DECLARE_ERROR_FUNCTION(ASN1, asn1_cb);
+OPENSSL_DECLARE_ERROR_FUNCTION(ASN1, parse_tagging);
+OPENSSL_DECLARE_ERROR_FUNCTION(ASN1, append_exp);
+OPENSSL_DECLARE_ERROR_FUNCTION(ASN1, asn1_str2type);
+OPENSSL_DECLARE_ERROR_FUNCTION(ASN1, bitstr_cb);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, DEPTH_EXCEEDED);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, ILLEGAL_BITSTRING_FORMAT);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, ILLEGAL_BOOLEAN);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, ILLEGAL_FORMAT);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, ILLEGAL_HEX);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, ILLEGAL_IMPLICIT_TAG);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, ILLEGAL_INTEGER);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, ILLEGAL_NESTED_TAGGING);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, ILLEGAL_NULL_VALUE);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, ILLEGAL_OBJECT);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, ILLEGAL_TIME_VALUE);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, INTEGER_NOT_ASCII_FORMAT);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, INVALID_MODIFIER);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, INVALID_NUMBER);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, LIST_ERROR);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, MISSING_VALUE);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, NOT_ASCII_FORMAT);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, OBJECT_NOT_ASCII_FORMAT);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, SEQUENCE_OR_SET_NEEDS_CONFIG);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, TIME_NOT_ASCII_FORMAT);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, UNKNOWN_FORMAT);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, UNKNOWN_TAG);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, UNSUPPORTED_TYPE);
 
 static int asn1_get_length(const unsigned char **pp,int *inf,long *rl,int max);
 static void asn1_put_length(unsigned char **pp, int length);
@@ -466,15 +504,6 @@ int ASN1_STRING_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
 		return(i);
 	}
 
-void asn1_add_error(const unsigned char *address, int offset)
-	{
-	char buf1[DECIMAL_SIZE(address)+1],buf2[DECIMAL_SIZE(offset)+1];
-
-	BIO_snprintf(buf1,sizeof buf1,"%lu",(unsigned long)address);
-	BIO_snprintf(buf2,sizeof buf2,"%d",offset);
-	ERR_add_error_data(4,"address=",buf1," offset=",buf2);
-	}
-
 int ASN1_STRING_length(const ASN1_STRING *x)
 { return M_ASN1_STRING_length(x); }
 
diff --git a/src/crypto/asn1/asn1_par.c b/src/crypto/asn1/asn1_par.c
index 53b11fe..aff3e2b 100644
--- a/src/crypto/asn1/asn1_par.c
+++ b/src/crypto/asn1/asn1_par.c
@@ -137,7 +137,7 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offse
 #endif
 		if (j & 0x80)
 			{
-			if (BIO_write(bp,"Error in encoding\n",18) <= 0)
+			if (BIO_puts(bp, "Error in encoding\n") <= 0)
 				goto end;
 			ret=0;
 			goto end;
@@ -165,7 +165,7 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offse
 		if (j & V_ASN1_CONSTRUCTED)
 			{
 			ep=p+len;
-			if (BIO_write(bp,"\n",1) <= 0) goto end;
+			if (BIO_puts(bp, "\n") <= 0) goto end;
 			if (len > length)
 				{
 				BIO_printf(bp,
@@ -196,7 +196,7 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offse
 		else if (xclass != 0)
 			{
 			p+=len;
-			if (BIO_write(bp,"\n",1) <= 0) goto end;
+			if (BIO_puts(bp, "\n") <= 0) goto end;
 			}
 		else
 			{
@@ -210,7 +210,7 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offse
 				(tag == V_ASN1_UTCTIME) ||
 				(tag == V_ASN1_GENERALIZEDTIME))
 				{
-				if (BIO_write(bp,":",1) <= 0) goto end;
+				if (BIO_puts(bp, ":") <= 0) goto end;
 				if ((len > 0) &&
 					BIO_write(bp,(const char *)p,(int)len)
 					!= (int)len)
@@ -221,12 +221,12 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offse
 				opp=op;
 				if (d2i_ASN1_OBJECT(&o,&opp,len+hl) != NULL)
 					{
-					if (BIO_write(bp,":",1) <= 0) goto end;
+					if (BIO_puts(bp, ":") <= 0) goto end;
 					i2a_ASN1_OBJECT(bp,o);
 					}
 				else
 					{
-					if (BIO_write(bp,":BAD OBJECT",11) <= 0)
+					if (BIO_puts(bp, ":BAD OBJECT") <= 0)
 						goto end;
 					}
 				}
@@ -238,7 +238,7 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offse
 				ii=d2i_ASN1_BOOLEAN(NULL,&opp,len+hl);
 				if (ii < 0)
 					{
-					if (BIO_write(bp,"Bad boolean\n",12) <= 0)
+					if (BIO_puts(bp, "Bad boolean\n") <= 0)
 						goto end;
 					}
 				BIO_printf(bp,":%d",ii);
@@ -273,7 +273,7 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offse
 					if (printable)
 					/* printable string */
 						{
-						if (BIO_write(bp,":",1) <= 0)
+						if (BIO_puts(bp, ":") <= 0)
 							goto end;
 						if (BIO_write(bp,(const char *)opp,
 							os->length) <= 0)
@@ -283,7 +283,7 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offse
 					/* not printable => print octet string
 					 * as hex dump */
 						{
-						if (BIO_write(bp,"[HEX DUMP]:",11) <= 0)
+						if (BIO_puts(bp, "[HEX DUMP]:") <= 0)
 							goto end;
 						for (i=0; i<os->length; i++)
 							{
@@ -297,7 +297,7 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offse
 						{
 						if (!nl) 
 							{
-							if (BIO_write(bp,"\n",1) <= 0)
+							if (BIO_puts(bp, "\n") <= 0)
 								goto end;
 							}
 						if (!BIO_hexdump(bp, opp,
@@ -323,9 +323,9 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offse
 				bs=d2i_ASN1_INTEGER(NULL,&opp,len+hl);
 				if (bs != NULL)
 					{
-					if (BIO_write(bp,":",1) <= 0) goto end;
+					if (BIO_puts(bp, ":") <= 0) goto end;
 					if (bs->type == V_ASN1_NEG_INTEGER)
-						if (BIO_write(bp,"-",1) <= 0)
+						if (BIO_puts(bp, "-") <= 0)
 							goto end;
 					for (i=0; i<bs->length; i++)
 						{
@@ -335,13 +335,13 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offse
 						}
 					if (bs->length == 0)
 						{
-						if (BIO_write(bp,"00",2) <= 0)
+						if (BIO_puts(bp, "00") <= 0)
 							goto end;
 						}
 					}
 				else
 					{
-					if (BIO_write(bp,"BAD INTEGER",11) <= 0)
+					if (BIO_puts(bp, "BAD INTEGER") <= 0)
 						goto end;
 					}
 				M_ASN1_INTEGER_free(bs);
@@ -355,9 +355,9 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offse
 				bs=d2i_ASN1_ENUMERATED(NULL,&opp,len+hl);
 				if (bs != NULL)
 					{
-					if (BIO_write(bp,":",1) <= 0) goto end;
+					if (BIO_puts(bp, ":") <= 0) goto end;
 					if (bs->type == V_ASN1_NEG_ENUMERATED)
-						if (BIO_write(bp,"-",1) <= 0)
+						if (BIO_puts(bp, "-") <= 0)
 							goto end;
 					for (i=0; i<bs->length; i++)
 						{
@@ -367,13 +367,13 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offse
 						}
 					if (bs->length == 0)
 						{
-						if (BIO_write(bp,"00",2) <= 0)
+						if (BIO_puts(bp, "00") <= 0)
 							goto end;
 						}
 					}
 				else
 					{
-					if (BIO_write(bp,"BAD ENUMERATED",11) <= 0)
+					if (BIO_puts(bp, "BAD ENUMERATED") <= 0)
 						goto end;
 					}
 				M_ASN1_ENUMERATED_free(bs);
@@ -382,7 +382,7 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offse
 				{
 				if (!nl) 
 					{
-					if (BIO_write(bp,"\n",1) <= 0)
+					if (BIO_puts(bp, "\n") <= 0)
 						goto end;
 					}
 				if (!BIO_hexdump(bp,p,
@@ -394,7 +394,7 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offse
 
 			if (!nl) 
 				{
-				if (BIO_write(bp,"\n",1) <= 0) goto end;
+				if (BIO_puts(bp, "\n") <= 0) goto end;
 				}
 			p+=len;
 			if ((tag == V_ASN1_EOC) && (xclass == 0))
diff --git a/src/crypto/asn1/bio_ndef.c b/src/crypto/asn1/bio_ndef.c
index c814814..2f7105d 100644
--- a/src/crypto/asn1/bio_ndef.c
+++ b/src/crypto/asn1/bio_ndef.c
@@ -170,6 +170,9 @@ static int ndef_prefix(BIO *b, unsigned char **pbuf, int *plen, void *parg)
 
 	derlen = ASN1_item_ndef_i2d(ndef_aux->val, NULL, ndef_aux->it);
 	p = OPENSSL_malloc(derlen);
+	if (p == NULL)
+		return 0;
+
 	ndef_aux->derbuf = p;
 	*pbuf = p;
 	derlen = ASN1_item_ndef_i2d(ndef_aux->val, &p, ndef_aux->it);
@@ -235,6 +238,9 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg)
 
 	derlen = ASN1_item_ndef_i2d(ndef_aux->val, NULL, ndef_aux->it);
 	p = OPENSSL_malloc(derlen);
+	if (p == NULL)
+		return 0;
+
 	ndef_aux->derbuf = p;
 	*pbuf = p;
 	derlen = ASN1_item_ndef_i2d(ndef_aux->val, &p, ndef_aux->it);
diff --git a/src/crypto/asn1/tasn_dec.c b/src/crypto/asn1/tasn_dec.c
index 4cece89..73d3bb3 100644
--- a/src/crypto/asn1/tasn_dec.c
+++ b/src/crypto/asn1/tasn_dec.c
@@ -63,6 +63,8 @@
 #include <openssl/err.h>
 #include <openssl/mem.h>
 
+#include "../internal.h"
+
 
 static int asn1_check_eoc(const unsigned char **in, long len);
 static int asn1_find_end(const unsigned char **in, long len, char inf);
@@ -304,8 +306,19 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
 		if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
 				goto auxerr;
 
-		/* Allocate structure */
-		if (!*pval && !ASN1_item_ex_new(pval, it))
+		if (*pval)
+			{
+			/* Free up and zero CHOICE value if initialised */
+			i = asn1_get_choice_selector(pval, it);
+			if ((i >= 0) && (i < it->tcount))
+				{
+				tt = it->templates + i;
+				pchptr = asn1_get_field_ptr(pval, tt);
+				ASN1_template_free(pchptr, tt);
+				asn1_set_choice_selector(pval, -1, it);
+				}
+			}
+		else if (!ASN1_item_ex_new(pval, it))
 			{
 			OPENSSL_PUT_ERROR(ASN1, ASN1_item_ex_d2i,  ASN1_R_NESTED_ASN1_ERROR);
 			goto err;
@@ -394,6 +407,19 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
 		if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
 				goto auxerr;
 
+		/* Free up and zero any ADB found */
+		for (i = 0, tt = it->templates; i < it->tcount; i++, tt++)
+			{
+			if (tt->flags & ASN1_TFLG_ADB_MASK)
+				{
+				const ASN1_TEMPLATE *seqtt;
+				ASN1_VALUE **pseqval;
+				seqtt = asn1_do_adb(pval, tt, 1);
+				pseqval = asn1_get_field_ptr(pval, seqtt);
+				ASN1_template_free(pseqval, seqtt);
+				}
+			}
+
 		/* Get each field entry */
 		for (i = 0, tt = it->templates; i < it->tcount; i++, tt++)
 			{
@@ -738,6 +764,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
 				const unsigned char **in, long inlen, 
 				const ASN1_ITEM *it,
 				int tag, int aclass, char opt, ASN1_TLC *ctx)
+        OPENSSL_SUPPRESS_POTENTIALLY_UNINITIALIZED_WARNINGS
 	{
 	int ret = 0, utype;
 	long plen;
@@ -1193,7 +1220,7 @@ static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen)
 		len = buf->length;
 		if (!BUF_MEM_grow_clean(buf, len + plen))
 			{
-			OPENSSL_PUT_ERROR(ASN1, asn1_collect,  ERR_R_MALLOC_FAILURE);
+			OPENSSL_PUT_ERROR(ASN1, collect_data,  ERR_R_MALLOC_FAILURE);
 			return 0;
 			}
 		memcpy(buf->data + len, *p, plen);
diff --git a/src/crypto/asn1/tasn_new.c b/src/crypto/asn1/tasn_new.c
index b68eed7..918aba7 100644
--- a/src/crypto/asn1/tasn_new.c
+++ b/src/crypto/asn1/tasn_new.c
@@ -100,8 +100,6 @@ static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
 	else
 		asn1_cb = 0;
 
-	if (!combine) *pval = NULL;
-
 #ifdef CRYPTO_MDEBUG
 	if (it->sname)
 		CRYPTO_push_info(it->sname);
@@ -212,6 +210,7 @@ static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
 
 	memerr:
 	OPENSSL_PUT_ERROR(ASN1, asn1_item_ex_combine_new,  ERR_R_MALLOC_FAILURE);
+	ASN1_item_ex_free(pval, it);
 #ifdef CRYPTO_MDEBUG
 	if (it->sname) CRYPTO_pop_info();
 #endif
@@ -328,14 +327,17 @@ int ASN1_primitive_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
 	ASN1_STRING *str;
 	int utype;
 
-	if (it && it->funcs)
+	if (!it)
+		return 0;
+
+	if (it->funcs)
 		{
 		const ASN1_PRIMITIVE_FUNCS *pf = it->funcs;
 		if (pf->prim_new)
 			return pf->prim_new(pval, it);
 		}
 
-	if (!it || (it->itype == ASN1_ITYPE_MSTRING))
+	if (it->itype == ASN1_ITYPE_MSTRING)
 		utype = -1;
 	else
 		utype = it->utype;
diff --git a/src/crypto/asn1/tasn_prn.c b/src/crypto/asn1/tasn_prn.c
index 4eb522d..df19ff0 100644
--- a/src/crypto/asn1/tasn_prn.c
+++ b/src/crypto/asn1/tasn_prn.c
@@ -229,6 +229,7 @@ static int asn1_item_print_ctx(BIO *out, ASN1_VALUE **fld, int indent,
 			if (!asn1_template_print_ctx(out, fld, indent,
 							it->templates, pctx))
 				return 0;
+			break;
 			}
 		/* fall thru */
 		case ASN1_ITYPE_MSTRING:
@@ -309,6 +310,8 @@ static int asn1_item_print_ctx(BIO *out, ASN1_VALUE **fld, int indent,
 			{
 			const ASN1_TEMPLATE *seqtt;
 			seqtt = asn1_do_adb(fld, tt, 1);
+			if (!seqtt)
+				return 0;
 			tmpfld = asn1_get_field_ptr(fld, seqtt);
 			if (!asn1_template_print_ctx(out, tmpfld,
 						indent + 2, seqtt, pctx))
diff --git a/src/crypto/asn1/tasn_typ.c b/src/crypto/asn1/tasn_typ.c
index f2bbbc8..f004b0d 100644
--- a/src/crypto/asn1/tasn_typ.c
+++ b/src/crypto/asn1/tasn_typ.c
@@ -61,53 +61,38 @@
 
 /* Declarations for string types */
 
-IMPLEMENT_ASN1_TYPE(ASN1_INTEGER);
-IMPLEMENT_ASN1_FUNCTIONS(ASN1_INTEGER);
-
-IMPLEMENT_ASN1_TYPE(ASN1_ENUMERATED);
-IMPLEMENT_ASN1_FUNCTIONS(ASN1_ENUMERATED);
-
-IMPLEMENT_ASN1_TYPE(ASN1_BIT_STRING);
-IMPLEMENT_ASN1_FUNCTIONS(ASN1_BIT_STRING);
-
-IMPLEMENT_ASN1_TYPE(ASN1_OCTET_STRING);
-IMPLEMENT_ASN1_FUNCTIONS(ASN1_OCTET_STRING);
+#define IMPLEMENT_ASN1_STRING_FUNCTIONS(sname) \
+	IMPLEMENT_ASN1_TYPE(sname) \
+	IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(sname, sname, sname) \
+	sname *sname##_new(void) \
+	{ \
+		return ASN1_STRING_type_new(V_##sname); \
+	} \
+	void sname##_free(sname *x) \
+	{ \
+		ASN1_STRING_free(x); \
+	}
+
+IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_OCTET_STRING)
+IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_INTEGER)
+IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_ENUMERATED)
+IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_BIT_STRING)
+IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_UTF8STRING)
+IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_PRINTABLESTRING)
+IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_T61STRING)
+IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_IA5STRING)
+IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_GENERALSTRING)
+IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_UTCTIME)
+IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_GENERALIZEDTIME)
+IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_VISIBLESTRING)
+IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_UNIVERSALSTRING)
+IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_BMPSTRING)
 
 IMPLEMENT_ASN1_TYPE(ASN1_NULL);
 IMPLEMENT_ASN1_FUNCTIONS(ASN1_NULL);
 
 IMPLEMENT_ASN1_TYPE(ASN1_OBJECT);
 
-IMPLEMENT_ASN1_TYPE(ASN1_UTF8STRING);
-IMPLEMENT_ASN1_FUNCTIONS(ASN1_UTF8STRING);
-
-IMPLEMENT_ASN1_TYPE(ASN1_PRINTABLESTRING);
-IMPLEMENT_ASN1_FUNCTIONS(ASN1_PRINTABLESTRING);
-
-IMPLEMENT_ASN1_TYPE(ASN1_T61STRING);
-IMPLEMENT_ASN1_FUNCTIONS(ASN1_T61STRING);
-
-IMPLEMENT_ASN1_TYPE(ASN1_IA5STRING);
-IMPLEMENT_ASN1_FUNCTIONS(ASN1_IA5STRING);
-
-IMPLEMENT_ASN1_TYPE(ASN1_GENERALSTRING);
-IMPLEMENT_ASN1_FUNCTIONS(ASN1_GENERALSTRING);
-
-IMPLEMENT_ASN1_TYPE(ASN1_UTCTIME);
-IMPLEMENT_ASN1_FUNCTIONS(ASN1_UTCTIME);
-
-IMPLEMENT_ASN1_TYPE(ASN1_GENERALIZEDTIME);
-IMPLEMENT_ASN1_FUNCTIONS(ASN1_GENERALIZEDTIME);
-
-IMPLEMENT_ASN1_TYPE(ASN1_VISIBLESTRING);
-IMPLEMENT_ASN1_FUNCTIONS(ASN1_VISIBLESTRING);
-
-IMPLEMENT_ASN1_TYPE(ASN1_UNIVERSALSTRING);
-IMPLEMENT_ASN1_FUNCTIONS(ASN1_UNIVERSALSTRING);
-
-IMPLEMENT_ASN1_TYPE(ASN1_BMPSTRING);
-IMPLEMENT_ASN1_FUNCTIONS(ASN1_BMPSTRING);
-
 IMPLEMENT_ASN1_TYPE(ASN1_ANY);
 
 /* Just swallow an ASN1_SEQUENCE in an ASN1_STRING */;
diff --git a/src/crypto/asn1/tasn_utl.c b/src/crypto/asn1/tasn_utl.c
index f6045e4..1b9de94 100644
--- a/src/crypto/asn1/tasn_utl.c
+++ b/src/crypto/asn1/tasn_utl.c
@@ -62,6 +62,7 @@
 #include <openssl/mem.h>
 #include <openssl/obj.h>
 #include <openssl/err.h>
+#include <openssl/thread.h>
 
 
 /* Utility functions for manipulating fields and offsets */
diff --git a/src/crypto/base64/CMakeLists.txt b/src/crypto/base64/CMakeLists.txt
index 2b4f081..8bc531a 100644
--- a/src/crypto/base64/CMakeLists.txt
+++ b/src/crypto/base64/CMakeLists.txt
@@ -11,7 +11,7 @@ add_library(
 add_executable(
   base64_test
 
-  base64_test.c
+  base64_test.cc
 )
 
 target_link_libraries(base64_test crypto)
diff --git a/src/crypto/base64/base64.c b/src/crypto/base64/base64.c
index 12a52cf..4822fb8 100644
--- a/src/crypto/base64/base64.c
+++ b/src/crypto/base64/base64.c
@@ -373,6 +373,10 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, uint8_t *out, int *out_len,
           rv = 0;
           goto end;
         }
+        if (eof > v) {
+          rv = -1;
+          goto end;
+        }
         ret += (v - eof);
       } else {
         eof = 1;
diff --git a/src/crypto/base64/base64_test.c b/src/crypto/base64/base64_test.cc
index 411323f..fde0b46 100644
--- a/src/crypto/base64/base64_test.c
+++ b/src/crypto/base64/base64_test.cc
@@ -20,13 +20,13 @@
 #include <openssl/err.h>
 
 
-typedef struct {
+struct TestVector {
   const char *decoded;
   const char *encoded;
-} TEST_VECTOR;
+};
 
-/* Test vectors from RFC 4648. */
-static const TEST_VECTOR test_vectors[] = {
+// Test vectors from RFC 4648.
+static const TestVector kTestVectors[] = {
   { "", "" },
   { "f" , "Zg==" },
   { "fo", "Zm8=" },
@@ -36,95 +36,90 @@ static const TEST_VECTOR test_vectors[] = {
   { "foobar", "Zm9vYmFy" },
 };
 
-static const size_t kNumTests = sizeof(test_vectors) / sizeof(test_vectors[0]);
-
-static int test_encode(void) {
-  uint8_t out[9];
-  size_t i, len;
+static const size_t kNumTests = sizeof(kTestVectors) / sizeof(kTestVectors[0]);
 
-  for (i = 0; i < kNumTests; i++) {
-    const TEST_VECTOR *t = &test_vectors[i];
-    len = EVP_EncodeBlock(out, (const uint8_t*)t->decoded, strlen(t->decoded));
+static bool TestEncode() {
+  for (size_t i = 0; i < kNumTests; i++) {
+    const TestVector *t = &kTestVectors[i];
+    uint8_t out[9];
+    size_t len = EVP_EncodeBlock(out, (const uint8_t*)t->decoded,
+                                 strlen(t->decoded));
     if (len != strlen(t->encoded) ||
         memcmp(out, t->encoded, len) != 0) {
       fprintf(stderr, "encode(\"%s\") = \"%.*s\", want \"%s\"\n",
               t->decoded, (int)len, (const char*)out, t->encoded);
-      return 0;
+      return false;
     }
   }
-  return 1;
+  return true;
 }
 
-static int test_decode(void) {
+static bool TestDecode() {
   uint8_t out[6];
-  size_t i, len;
-  int ret;
+  size_t len;
 
-  for (i = 0; i < kNumTests; i++) {
-    /* Test the normal API. */
-    const TEST_VECTOR *t = &test_vectors[i];
+  for (size_t i = 0; i < kNumTests; i++) {
+    // Test the normal API.
+    const TestVector *t = &kTestVectors[i];
     size_t expected_len = strlen(t->decoded);
     if (!EVP_DecodeBase64(out, &len, sizeof(out),
                           (const uint8_t*)t->encoded, strlen(t->encoded))) {
       fprintf(stderr, "decode(\"%s\") failed\n", t->encoded);
-      return 0;
+      return false;
     }
     if (len != strlen(t->decoded) ||
         memcmp(out, t->decoded, len) != 0) {
       fprintf(stderr, "decode(\"%s\") = \"%.*s\", want \"%s\"\n",
               t->encoded, (int)len, (const char*)out, t->decoded);
-      return 0;
+      return false;
     }
 
-    /* Test that the padding behavior of the deprecated API is
-     * preserved. */
-    ret = EVP_DecodeBlock(out, (const uint8_t*)t->encoded, strlen(t->encoded));
+    // Test that the padding behavior of the deprecated API is preserved.
+    int ret = EVP_DecodeBlock(out, (const uint8_t*)t->encoded,
+                              strlen(t->encoded));
     if (ret < 0) {
       fprintf(stderr, "decode(\"%s\") failed\n", t->encoded);
-      return 0;
+      return false;
     }
     if (ret % 3 != 0) {
       fprintf(stderr, "EVP_DecodeBlock did not ignore padding\n");
-      return 0;
+      return false;
     }
     if (expected_len % 3 != 0) {
       ret -= 3 - (expected_len % 3);
     }
-    if (ret != strlen(t->decoded) ||
+    if (static_cast<size_t>(ret) != strlen(t->decoded) ||
         memcmp(out, t->decoded, ret) != 0) {
       fprintf(stderr, "decode(\"%s\") = \"%.*s\", want \"%s\"\n",
               t->encoded, ret, (const char*)out, t->decoded);
-      return 0;
+      return false;
     }
   }
 
   if (EVP_DecodeBase64(out, &len, sizeof(out), (const uint8_t*)"a!bc", 4)) {
     fprintf(stderr, "Failed to reject invalid characters in the middle.\n");
-    return 0;
+    return false;
   }
 
   if (EVP_DecodeBase64(out, &len, sizeof(out), (const uint8_t*)"a=bc", 4)) {
     fprintf(stderr, "Failed to reject invalid characters in the middle.\n");
-    return 0;
+    return false;
   }
 
   if (EVP_DecodeBase64(out, &len, sizeof(out), (const uint8_t*)"abc", 4)) {
     fprintf(stderr, "Failed to reject invalid input length.\n");
-    return 0;
+    return false;
   }
 
-  return 1;
+  return true;
 }
 
 int main(void) {
   CRYPTO_library_init();
   ERR_load_crypto_strings();
 
-  if (!test_encode()) {
-    return 1;
-  }
-
-  if (!test_decode()) {
+  if (!TestEncode() ||
+      !TestDecode()) {
     return 1;
   }
 
diff --git a/src/crypto/bio/CMakeLists.txt b/src/crypto/bio/CMakeLists.txt
index 6211e85..f4122c4 100644
--- a/src/crypto/bio/CMakeLists.txt
+++ b/src/crypto/bio/CMakeLists.txt
@@ -6,7 +6,6 @@ add_library(
   OBJECT
 
   bio.c
-  bio_error.c
   bio_mem.c
   buffer.c
   connect.c
@@ -22,7 +21,7 @@ add_library(
 add_executable(
   bio_test
 
-  bio_test.c
+  bio_test.cc
 )
 
 target_link_libraries(bio_test crypto)
diff --git a/src/crypto/bio/bio.c b/src/crypto/bio/bio.c
index 4d947a6..48c1466 100644
--- a/src/crypto/bio/bio.c
+++ b/src/crypto/bio/bio.c
@@ -58,7 +58,6 @@
 
 #include <errno.h>
 #include <limits.h>
-#include <stddef.h>
 #include <string.h>
 
 #include <openssl/err.h>
@@ -78,17 +77,10 @@ static int bio_set(BIO *bio, const BIO_METHOD *method) {
   bio->shutdown = 1;
   bio->references = 1;
 
-  if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_BIO, bio, &bio->ex_data)) {
+  if (method->create != NULL && !method->create(bio)) {
     return 0;
   }
 
-  if (method->create != NULL) {
-    if (!method->create(bio)) {
-      CRYPTO_free_ex_data(CRYPTO_EX_INDEX_BIO, bio, &bio->ex_data);
-      return 0;
-    }
-  }
-
   return 1;
 }
 
@@ -125,8 +117,6 @@ int BIO_free(BIO *bio) {
 
     next_bio = BIO_pop(bio);
 
-    CRYPTO_free_ex_data(CRYPTO_EX_INDEX_BIO, bio, &bio->ex_data);
-
     if (bio->method != NULL && bio->method->destroy != NULL) {
       bio->method->destroy(bio);
     }
@@ -136,6 +126,11 @@ int BIO_free(BIO *bio) {
   return 1;
 }
 
+BIO *BIO_up_ref(BIO *bio) {
+  CRYPTO_add(&bio->references, 1, CRYPTO_LOCK_BIO);
+  return bio;
+}
+
 void BIO_vfree(BIO *bio) {
   BIO_free(bio);
 }
@@ -397,10 +392,6 @@ BIO *BIO_push(BIO *bio, BIO *appended_bio) {
   }
 
   last_bio->next_bio = appended_bio;
-  /* TODO(fork): this seems very suspect. If we got rid of BIO SSL, we could
-   * get rid of this. */
-  BIO_ctrl(bio, BIO_CTRL_PUSH, 0, bio);
-
   return bio;
 }
 
@@ -411,7 +402,6 @@ BIO *BIO_pop(BIO *bio) {
     return NULL;
   }
   ret = bio->next_bio;
-  BIO_ctrl(bio, BIO_CTRL_POP, 0, bio);
   bio->next_bio = NULL;
   return ret;
 }
@@ -462,12 +452,6 @@ int BIO_indent(BIO *bio, unsigned indent, unsigned max_indent) {
   return 1;
 }
 
-void BIO_print_errors_fp(FILE *out) {
-  BIO *bio = BIO_new_fp(out, BIO_NOCLOSE);
-  BIO_print_errors(bio);
-  BIO_free(bio);
-}
-
 static int print_bio(const char *str, size_t len, void *bio) {
   return BIO_write((BIO *)bio, str, len);
 }
diff --git a/src/crypto/bio/bio_error.c b/src/crypto/bio/bio_error.c
deleted file mode 100644
index 09585e4..0000000
--- a/src/crypto/bio/bio_error.c
+++ /dev/null
@@ -1,59 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/bio.h>
-
-const ERR_STRING_DATA BIO_error_string_data[] = {
-  {ERR_PACK(ERR_LIB_BIO, BIO_F_BIO_callback_ctrl, 0), "BIO_callback_ctrl"},
-  {ERR_PACK(ERR_LIB_BIO, BIO_F_BIO_ctrl, 0), "BIO_ctrl"},
-  {ERR_PACK(ERR_LIB_BIO, BIO_F_BIO_new, 0), "BIO_new"},
-  {ERR_PACK(ERR_LIB_BIO, BIO_F_BIO_new_file, 0), "BIO_new_file"},
-  {ERR_PACK(ERR_LIB_BIO, BIO_F_BIO_new_mem_buf, 0), "BIO_new_mem_buf"},
-  {ERR_PACK(ERR_LIB_BIO, BIO_F_BIO_zero_copy_get_read_buf, 0), "BIO_zero_copy_get_read_buf"},
-  {ERR_PACK(ERR_LIB_BIO, BIO_F_BIO_zero_copy_get_read_buf_done, 0), "BIO_zero_copy_get_read_buf_done"},
-  {ERR_PACK(ERR_LIB_BIO, BIO_F_BIO_zero_copy_get_write_buf, 0), "BIO_zero_copy_get_write_buf"},
-  {ERR_PACK(ERR_LIB_BIO, BIO_F_BIO_zero_copy_get_write_buf_done, 0), "BIO_zero_copy_get_write_buf_done"},
-  {ERR_PACK(ERR_LIB_BIO, BIO_F_bio_ctrl, 0), "bio_ctrl"},
-  {ERR_PACK(ERR_LIB_BIO, BIO_F_bio_io, 0), "bio_io"},
-  {ERR_PACK(ERR_LIB_BIO, BIO_F_bio_ip_and_port_to_socket_and_addr, 0), "bio_ip_and_port_to_socket_and_addr"},
-  {ERR_PACK(ERR_LIB_BIO, BIO_F_bio_make_pair, 0), "bio_make_pair"},
-  {ERR_PACK(ERR_LIB_BIO, BIO_F_bio_write, 0), "bio_write"},
-  {ERR_PACK(ERR_LIB_BIO, BIO_F_buffer_ctrl, 0), "buffer_ctrl"},
-  {ERR_PACK(ERR_LIB_BIO, BIO_F_conn_ctrl, 0), "conn_ctrl"},
-  {ERR_PACK(ERR_LIB_BIO, BIO_F_conn_state, 0), "conn_state"},
-  {ERR_PACK(ERR_LIB_BIO, BIO_F_file_ctrl, 0), "file_ctrl"},
-  {ERR_PACK(ERR_LIB_BIO, BIO_F_file_read, 0), "file_read"},
-  {ERR_PACK(ERR_LIB_BIO, BIO_F_mem_write, 0), "mem_write"},
-  {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_ASN1_OBJECT_TOO_LONG), "ASN1_OBJECT_TOO_LONG"},
-  {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_BAD_FOPEN_MODE), "BAD_FOPEN_MODE"},
-  {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_BROKEN_PIPE), "BROKEN_PIPE"},
-  {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_CONNECT_ERROR), "CONNECT_ERROR"},
-  {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_ERROR_SETTING_NBIO), "ERROR_SETTING_NBIO"},
-  {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_INVALID_ARGUMENT), "INVALID_ARGUMENT"},
-  {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_IN_USE), "IN_USE"},
-  {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_KEEPALIVE), "KEEPALIVE"},
-  {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_NBIO_CONNECT_ERROR), "NBIO_CONNECT_ERROR"},
-  {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_NO_HOSTNAME_SPECIFIED), "NO_HOSTNAME_SPECIFIED"},
-  {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_NO_PORT_SPECIFIED), "NO_PORT_SPECIFIED"},
-  {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_NO_SUCH_FILE), "NO_SUCH_FILE"},
-  {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_NULL_PARAMETER), "NULL_PARAMETER"},
-  {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_SYS_LIB), "SYS_LIB"},
-  {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_UNABLE_TO_CREATE_SOCKET), "UNABLE_TO_CREATE_SOCKET"},
-  {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_UNINITIALIZED), "UNINITIALIZED"},
-  {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_UNSUPPORTED_METHOD), "UNSUPPORTED_METHOD"},
-  {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_WRITE_TO_READ_ONLY_BIO), "WRITE_TO_READ_ONLY_BIO"},
-  {0, NULL},
-};
diff --git a/src/crypto/bio/bio_test.c b/src/crypto/bio/bio_test.cc
index ee11acc..4c88df5 100644
--- a/src/crypto/bio/bio_test.c
+++ b/src/crypto/bio/bio_test.cc
@@ -36,96 +36,109 @@
 #include <openssl/bio.h>
 #include <openssl/crypto.h>
 #include <openssl/err.h>
+#include <openssl/mem.h>
+
+#include <algorithm>
+
+#include "../test/scoped_types.h"
 
-#define MIN(a, b) ((a < b) ? a : b)
 
 #if !defined(OPENSSL_WINDOWS)
 static int closesocket(int sock) {
   return close(sock);
 }
 
-static void print_socket_error(const char *func) {
+static void PrintSocketError(const char *func) {
   perror(func);
 }
 #else
-static void print_socket_error(const char *func) {
+static void PrintSocketError(const char *func) {
   fprintf(stderr, "%s: %d\n", func, WSAGetLastError());
 }
 #endif
 
-static int test_socket_connect(void) {
-  int listening_sock = socket(AF_INET, SOCK_STREAM, 0);
-  int sock;
-  struct sockaddr_in sin;
-  socklen_t sockaddr_len = sizeof(sin);
+class ScopedSocket {
+ public:
+  ScopedSocket(int sock) : sock_(sock) {}
+  ~ScopedSocket() {
+    closesocket(sock_);
+  }
+
+ private:
+  const int sock_;
+};
+
+static bool TestSocketConnect() {
   static const char kTestMessage[] = "test";
-  char hostname[80], buf[5];
-  BIO *bio;
 
+  int listening_sock = socket(AF_INET, SOCK_STREAM, 0);
+  if (listening_sock == -1) {
+    PrintSocketError("socket");
+    return false;
+  }
+  ScopedSocket listening_sock_closer(listening_sock);
+
+  struct sockaddr_in sin;
   memset(&sin, 0, sizeof(sin));
   sin.sin_family = AF_INET;
   if (!inet_pton(AF_INET, "127.0.0.1", &sin.sin_addr)) {
-    print_socket_error("inet_pton");
-    return 0;
+    PrintSocketError("inet_pton");
+    return false;
   }
-
   if (bind(listening_sock, (struct sockaddr *)&sin, sizeof(sin)) != 0) {
-    print_socket_error("bind");
-    return 0;
+    PrintSocketError("bind");
+    return false;
   }
-
   if (listen(listening_sock, 1)) {
-    print_socket_error("listen");
-    return 0;
+    PrintSocketError("listen");
+    return false;
   }
-
+  socklen_t sockaddr_len = sizeof(sin);
   if (getsockname(listening_sock, (struct sockaddr *)&sin, &sockaddr_len) ||
       sockaddr_len != sizeof(sin)) {
-    print_socket_error("getsockname");
-    return 0;
+    PrintSocketError("getsockname");
+    return false;
   }
 
+  char hostname[80];
   BIO_snprintf(hostname, sizeof(hostname), "%s:%d", "127.0.0.1",
                ntohs(sin.sin_port));
-  bio = BIO_new_connect(hostname);
+  ScopedBIO bio(BIO_new_connect(hostname));
   if (!bio) {
     fprintf(stderr, "BIO_new_connect failed.\n");
-    return 0;
+    return false;
   }
 
-  if (BIO_write(bio, kTestMessage, sizeof(kTestMessage)) !=
+  if (BIO_write(bio.get(), kTestMessage, sizeof(kTestMessage)) !=
       sizeof(kTestMessage)) {
     fprintf(stderr, "BIO_write failed.\n");
-    BIO_print_errors_fp(stderr);
-    return 0;
+    ERR_print_errors_fp(stderr);
+    return false;
   }
 
-  sock = accept(listening_sock, (struct sockaddr *) &sin, &sockaddr_len);
-  if (sock < 0) {
-    print_socket_error("accept");
-    return 0;
+  int sock = accept(listening_sock, (struct sockaddr *) &sin, &sockaddr_len);
+  if (sock == -1) {
+    PrintSocketError("accept");
+    return false;
   }
+  ScopedSocket sock_closer(sock);
 
+  char buf[5];
   if (recv(sock, buf, sizeof(buf), 0) != sizeof(kTestMessage)) {
-    print_socket_error("read");
-    return 0;
+    PrintSocketError("read");
+    return false;
   }
-
   if (memcmp(buf, kTestMessage, sizeof(kTestMessage))) {
-    return 0;
+    return false;
   }
 
-  closesocket(sock);
-  closesocket(listening_sock);
-  BIO_free(bio);
-
-  return 1;
+  return true;
 }
 
 
-/* bio_read_zero_copy_wrapper is a wrapper around the zero-copy APIs to make
- * testing easier. */
-static size_t bio_read_zero_copy_wrapper(BIO *bio, uint8_t *data, size_t len) {
+// BioReadZeroCopyWrapper is a wrapper around the zero-copy APIs to make
+// testing easier.
+static size_t BioReadZeroCopyWrapper(BIO *bio, uint8_t *data, size_t len) {
   uint8_t *read_buf;
   size_t read_buf_offset;
   size_t available_bytes;
@@ -137,7 +150,7 @@ static size_t bio_read_zero_copy_wrapper(BIO *bio, uint8_t *data, size_t len) {
       return 0;
     }
 
-    available_bytes = MIN(available_bytes, len - len_read);
+    available_bytes = std::min(available_bytes, len - len_read);
     memmove(data + len_read, read_buf + read_buf_offset, available_bytes);
 
     BIO_zero_copy_get_read_buf_done(bio, available_bytes);
@@ -148,10 +161,10 @@ static size_t bio_read_zero_copy_wrapper(BIO *bio, uint8_t *data, size_t len) {
   return len_read;
 }
 
-/* bio_write_zero_copy_wrapper is a wrapper around the zero-copy APIs to make
- * testing easier. */
-static size_t bio_write_zero_copy_wrapper(BIO *bio, const uint8_t *data,
-                                          size_t len) {
+// BioWriteZeroCopyWrapper is a wrapper around the zero-copy APIs to make
+// testing easier.
+static size_t BioWriteZeroCopyWrapper(BIO *bio, const uint8_t *data,
+                                      size_t len) {
   uint8_t *write_buf;
   size_t write_buf_offset;
   size_t available_bytes;
@@ -163,7 +176,7 @@ static size_t bio_write_zero_copy_wrapper(BIO *bio, const uint8_t *data,
       return 0;
     }
 
-    available_bytes = MIN(available_bytes, len - len_written);
+    available_bytes = std::min(available_bytes, len - len_written);
     memmove(write_buf + write_buf_offset, data + len_written, available_bytes);
 
     BIO_zero_copy_get_write_buf_done(bio, available_bytes);
@@ -174,167 +187,157 @@ static size_t bio_write_zero_copy_wrapper(BIO *bio, const uint8_t *data,
   return len_written;
 }
 
-static int test_zero_copy_bio_pairs(void) {
-  /* Test read and write, especially triggering the ring buffer wrap-around.*/
-  BIO* bio1;
-  BIO* bio2;
-  size_t i, j;
+static bool TestZeroCopyBioPairs() {
+  // Test read and write, especially triggering the ring buffer wrap-around.
   uint8_t bio1_application_send_buffer[1024];
   uint8_t bio2_application_recv_buffer[1024];
-  size_t total_read = 0;
-  size_t total_write = 0;
-  uint8_t* write_buf;
-  size_t write_buf_offset;
-  size_t available_bytes;
-  size_t bytes_left;
 
   const size_t kLengths[] = {254, 255, 256, 257, 510, 511, 512, 513};
 
-  /* These trigger ring buffer wrap around. */
+  // These trigger ring buffer wrap around.
   const size_t kPartialLengths[] = {0, 1, 2, 3, 128, 255, 256, 257, 511, 512};
 
   static const size_t kBufferSize = 512;
 
   srand(1);
-  for (i = 0; i < sizeof(bio1_application_send_buffer); i++) {
+  for (size_t i = 0; i < sizeof(bio1_application_send_buffer); i++) {
     bio1_application_send_buffer[i] = rand() & 255;
   }
 
-  /* Transfer bytes from bio1_application_send_buffer to
-   * bio2_application_recv_buffer in various ways. */
-  for (i = 0; i < sizeof(kLengths) / sizeof(kLengths[0]); i++) {
-    for (j = 0; j < sizeof(kPartialLengths) / sizeof(kPartialLengths[0]); j++) {
-      total_write = 0;
-      total_read = 0;
-
-      BIO_new_bio_pair(&bio1, kBufferSize, &bio2, kBufferSize);
+  // Transfer bytes from bio1_application_send_buffer to
+  // bio2_application_recv_buffer in various ways.
+  for (size_t i = 0; i < sizeof(kLengths) / sizeof(kLengths[0]); i++) {
+    for (size_t j = 0; j < sizeof(kPartialLengths) / sizeof(kPartialLengths[0]);
+         j++) {
+      size_t total_write = 0;
+      size_t total_read = 0;
+
+      BIO *bio1, *bio2;
+      if (!BIO_new_bio_pair(&bio1, kBufferSize, &bio2, kBufferSize)) {
+        return false;
+      }
+      ScopedBIO bio1_scoper(bio1);
+      ScopedBIO bio2_scoper(bio2);
 
-      total_write += bio_write_zero_copy_wrapper(
+      total_write += BioWriteZeroCopyWrapper(
           bio1, bio1_application_send_buffer, kLengths[i]);
 
-      /* This tests interleaved read/write calls. Do a read between zero copy
-       * write calls. */
+      // This tests interleaved read/write calls. Do a read between zero copy
+      // write calls.
+      uint8_t *write_buf;
+      size_t write_buf_offset;
+      size_t available_bytes;
       if (!BIO_zero_copy_get_write_buf(bio1, &write_buf, &write_buf_offset,
                                        &available_bytes)) {
-        return 0;
+        return false;
       }
 
-      /* Free kPartialLengths[j] bytes in the beginning of bio1 write buffer.
-       * This enables ring buffer wrap around for the next write. */
+      // Free kPartialLengths[j] bytes in the beginning of bio1 write buffer.
+      // This enables ring buffer wrap around for the next write.
       total_read += BIO_read(bio2, bio2_application_recv_buffer + total_read,
                              kPartialLengths[j]);
 
-      size_t interleaved_write_len = MIN(kPartialLengths[j], available_bytes);
+      size_t interleaved_write_len = std::min(kPartialLengths[j],
+                                              available_bytes);
 
-      /* Write the data for the interleaved write call. If the buffer becomes
-       * empty after a read, the write offset is normally set to 0. Check that
-       * this does not happen for interleaved read/write and that
-       * |write_buf_offset| is still valid. */
+      // Write the data for the interleaved write call. If the buffer becomes
+      // empty after a read, the write offset is normally set to 0. Check that
+      // this does not happen for interleaved read/write and that
+      // |write_buf_offset| is still valid.
       memcpy(write_buf + write_buf_offset,
              bio1_application_send_buffer + total_write, interleaved_write_len);
       if (BIO_zero_copy_get_write_buf_done(bio1, interleaved_write_len)) {
         total_write += interleaved_write_len;
       }
 
-      /* Do another write in case |write_buf_offset| was wrapped */
-      total_write += bio_write_zero_copy_wrapper(
+      // Do another write in case |write_buf_offset| was wrapped.
+      total_write += BioWriteZeroCopyWrapper(
           bio1, bio1_application_send_buffer + total_write,
           kPartialLengths[j] - interleaved_write_len);
 
-      /* Drain the rest. */
-      bytes_left = BIO_pending(bio2);
-      total_read += bio_read_zero_copy_wrapper(
+      // Drain the rest.
+      size_t bytes_left = BIO_pending(bio2);
+      total_read += BioReadZeroCopyWrapper(
           bio2, bio2_application_recv_buffer + total_read, bytes_left);
 
-      BIO_free(bio1);
-      BIO_free(bio2);
-
       if (total_read != total_write) {
         fprintf(stderr, "Lengths not equal in round (%u, %u)\n", (unsigned)i,
                 (unsigned)j);
-        return 0;
+        return false;
       }
       if (total_read > kLengths[i] + kPartialLengths[j]) {
         fprintf(stderr, "Bad lengths in round (%u, %u)\n", (unsigned)i,
                 (unsigned)j);
-        return 0;
+        return false;
       }
       if (memcmp(bio1_application_send_buffer, bio2_application_recv_buffer,
                  total_read) != 0) {
         fprintf(stderr, "Buffers not equal in round (%u, %u)\n", (unsigned)i,
                 (unsigned)j);
-        return 0;
+        return false;
       }
     }
   }
 
-  return 1;
+  return true;
 }
 
-static int test_printf(void) {
-  /* Test a short output, a very long one, and various sizes around
-   * 256 (the size of the buffer) to ensure edge cases are correct. */
+static bool TestPrintf() {
+  // Test a short output, a very long one, and various sizes around
+  // 256 (the size of the buffer) to ensure edge cases are correct.
   static const size_t kLengths[] = { 5, 250, 251, 252, 253, 254, 1023 };
-  BIO *bio;
-  char string[1024];
-  int ret;
-  const uint8_t *contents;
-  size_t i, len;
 
-  bio = BIO_new(BIO_s_mem());
+  ScopedBIO bio(BIO_new(BIO_s_mem()));
   if (!bio) {
     fprintf(stderr, "BIO_new failed\n");
-    return 0;
+    return false;
   }
 
-  for (i = 0; i < sizeof(kLengths) / sizeof(kLengths[0]); i++) {
+  for (size_t i = 0; i < sizeof(kLengths) / sizeof(kLengths[0]); i++) {
+    char string[1024];
     if (kLengths[i] >= sizeof(string)) {
       fprintf(stderr, "Bad test string length\n");
-      return 0;
+      return false;
     }
     memset(string, 'a', sizeof(string));
     string[kLengths[i]] = '\0';
 
-    ret = BIO_printf(bio, "test %s", string);
-    if (ret != 5 + kLengths[i]) {
+    int ret = BIO_printf(bio.get(), "test %s", string);
+    if (ret < 0 || static_cast<size_t>(ret) != 5 + kLengths[i]) {
       fprintf(stderr, "BIO_printf failed: %d\n", ret);
-      return 0;
+      return false;
     }
-    if (!BIO_mem_contents(bio, &contents, &len)) {
+    const uint8_t *contents;
+    size_t len;
+    if (!BIO_mem_contents(bio.get(), &contents, &len)) {
       fprintf(stderr, "BIO_mem_contents failed\n");
-      return 0;
+      return false;
     }
     if (len != 5 + kLengths[i] ||
         strncmp((const char *)contents, "test ", 5) != 0 ||
         strncmp((const char *)contents + 5, string, kLengths[i]) != 0) {
       fprintf(stderr, "Contents did not match: %.*s\n", (int)len, contents);
-      return 0;
+      return false;
     }
 
-    if (!BIO_reset(bio)) {
+    if (!BIO_reset(bio.get())) {
       fprintf(stderr, "BIO_reset failed\n");
-      return 0;
+      return false;
     }
   }
 
-  BIO_free(bio);
-  return 1;
+  return true;
 }
 
 int main(void) {
-#if defined(OPENSSL_WINDOWS)
-  WSADATA wsa_data;
-  WORD wsa_version;
-  int wsa_err;
-#endif
-
   CRYPTO_library_init();
   ERR_load_crypto_strings();
 
 #if defined(OPENSSL_WINDOWS)
-  /* Initialize Winsock. */
-  wsa_version = MAKEWORD(2, 2);
-  wsa_err = WSAStartup(wsa_version, &wsa_data);
+  // Initialize Winsock.
+  WORD wsa_version = MAKEWORD(2, 2);
+  WSADATA wsa_data;
+  int wsa_err = WSAStartup(wsa_version, &wsa_data);
   if (wsa_err != 0) {
     fprintf(stderr, "WSAStartup failed: %d\n", wsa_err);
     return 1;
@@ -345,15 +348,9 @@ int main(void) {
   }
 #endif
 
-  if (!test_socket_connect()) {
-    return 1;
-  }
-
-  if (!test_printf()) {
-    return 1;
-  }
-
-  if (!test_zero_copy_bio_pairs()) {
+  if (!TestSocketConnect() ||
+      !TestPrintf() ||
+      !TestZeroCopyBioPairs()) {
     return 1;
   }
 
diff --git a/src/crypto/bio/buffer.c b/src/crypto/bio/buffer.c
index 5e423a1..3fc0685 100644
--- a/src/crypto/bio/buffer.c
+++ b/src/crypto/bio/buffer.c
@@ -122,17 +122,13 @@ err1:
 static int buffer_free(BIO *bio) {
   BIO_F_BUFFER_CTX *ctx;
 
-  if (bio == NULL) {
+  if (bio == NULL || bio->ptr == NULL) {
     return 0;
   }
 
   ctx = (BIO_F_BUFFER_CTX *)bio->ptr;
-  if (ctx->ibuf != NULL) {
-    OPENSSL_free(ctx->ibuf);
-  }
-  if (ctx->obuf != NULL) {
-    OPENSSL_free(ctx->obuf);
-  }
+  OPENSSL_free(ctx->ibuf);
+  OPENSSL_free(ctx->obuf);
   OPENSSL_free(bio->ptr);
 
   bio->ptr = NULL;
@@ -315,8 +311,9 @@ static long buffer_ctrl(BIO *b, int cmd, long num, void *ptr) {
     case BIO_CTRL_WPENDING:
       ret = (long)ctx->obuf_len;
       if (ret == 0) {
-        if (b->next_bio == NULL)
+        if (b->next_bio == NULL) {
           return 0;
+        }
         ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
       }
       break;
diff --git a/src/crypto/bio/connect.c b/src/crypto/bio/connect.c
index cbb1bb6..32361bf 100644
--- a/src/crypto/bio/connect.c
+++ b/src/crypto/bio/connect.c
@@ -161,9 +161,7 @@ static int conn_state(BIO *bio, BIO_CONNECT *c) {
                 break;
               }
             }
-            if (c->param_port != NULL) {
-              OPENSSL_free(c->param_port);
-            }
+            OPENSSL_free(c->param_port);
             c->param_port = BUF_strdup(p);
           }
         }
@@ -286,12 +284,8 @@ static void BIO_CONNECT_free(BIO_CONNECT *c) {
     return;
   }
 
-  if (c->param_hostname != NULL) {
-    OPENSSL_free(c->param_hostname);
-  }
-  if (c->param_port != NULL) {
-    OPENSSL_free(c->param_port);
-  }
+  OPENSSL_free(c->param_hostname);
+  OPENSSL_free(c->param_port);
   OPENSSL_free(c);
 }
 
@@ -397,10 +391,11 @@ static long conn_ctrl(BIO *bio, int cmd, long num, void *ptr) {
       break;
     case BIO_C_DO_STATE_MACHINE:
       /* use this one to start the connection */
-      if (data->state != BIO_CONN_S_OK)
+      if (data->state != BIO_CONN_S_OK) {
         ret = (long)conn_state(bio, data);
-      else
+      } else {
         ret = 1;
+      }
       break;
     case BIO_C_GET_CONNECT:
       /* TODO(fork): can this be removed? (Or maybe this whole file). */
@@ -425,15 +420,17 @@ static long conn_ctrl(BIO *bio, int cmd, long num, void *ptr) {
       if (ptr != NULL) {
         bio->init = 1;
         if (num == 0) {
-          if (data->param_hostname != NULL) {
-            OPENSSL_free(data->param_hostname);
-          }
+          OPENSSL_free(data->param_hostname);
           data->param_hostname = BUF_strdup(ptr);
-        } else if (num == 1) {
-          if (data->param_port != NULL) {
-            OPENSSL_free(data->param_port);
+          if (data->param_hostname == NULL) {
+            ret = 0;
           }
+        } else if (num == 1) {
+          OPENSSL_free(data->param_port);
           data->param_port = BUF_strdup(ptr);
+          if (data->param_port == NULL) {
+            ret = 0;
+          }
         } else {
           ret = 0;
         }
diff --git a/src/crypto/bio/pair.c b/src/crypto/bio/pair.c
index de2b4cb..cc55950 100644
--- a/src/crypto/bio/pair.c
+++ b/src/crypto/bio/pair.c
@@ -145,7 +145,7 @@ static int bio_free(BIO *bio) {
     bio_destroy_pair(bio);
   }
 
-  if (b->buf != NULL && !b->buf_externally_allocated) {
+  if (!b->buf_externally_allocated) {
     OPENSSL_free(b->buf);
   }
 
@@ -793,14 +793,10 @@ int BIO_new_bio_pair_external_buf(BIO** bio1_p, size_t writebuf1_len,
 
 err:
   if (ret == 0) {
-    if (bio1) {
-      BIO_free(bio1);
-      bio1 = NULL;
-    }
-    if (bio2) {
-      BIO_free(bio2);
-      bio2 = NULL;
-    }
+    BIO_free(bio1);
+    bio1 = NULL;
+    BIO_free(bio2);
+    bio2 = NULL;
   }
 
   *bio1_p = bio1;
diff --git a/src/crypto/bio/socket.c b/src/crypto/bio/socket.c
index e86befe..98f32a6 100644
--- a/src/crypto/bio/socket.c
+++ b/src/crypto/bio/socket.c
@@ -66,6 +66,8 @@
 #pragma warning(push, 3)
 #include <winsock2.h>
 #pragma warning(pop)
+
+#pragma comment(lib, "Ws2_32.lib")
 #endif
 
 #include "internal.h"
@@ -150,11 +152,13 @@ static long sock_ctrl(BIO *b, int cmd, long num, void *ptr) {
     case BIO_C_GET_FD:
       if (b->init) {
         ip = (int *)ptr;
-        if (ip != NULL)
+        if (ip != NULL) {
           *ip = b->num;
+        }
         ret = b->num;
-      } else
+      } else {
         ret = -1;
+      }
       break;
     case BIO_CTRL_GET_CLOSE:
       ret = b->shutdown;
diff --git a/src/crypto/bn/CMakeLists.txt b/src/crypto/bn/CMakeLists.txt
index 600be4d..25663af 100644
--- a/src/crypto/bn/CMakeLists.txt
+++ b/src/crypto/bn/CMakeLists.txt
@@ -37,7 +37,6 @@ add_library(
 
   OBJECT
 
-  bn_error.c
   add.c
   bn.c
   cmp.c
@@ -70,7 +69,7 @@ perlasm(armv4-mont.${ASM_EXT} asm/armv4-mont.pl)
 add_executable(
   bn_test
 
-  bn_test.c
+  bn_test.cc
 )
 
 target_link_libraries(bn_test crypto)
diff --git a/src/crypto/bn/asm/armv4-mont.pl b/src/crypto/bn/asm/armv4-mont.pl
index 5cc1328..0f1b6a9 100644
--- a/src/crypto/bn/asm/armv4-mont.pl
+++ b/src/crypto/bn/asm/armv4-mont.pl
@@ -38,8 +38,20 @@
 # for execution on all NEON-capable processors, because gain on
 # others outweighs the marginal loss on Cortex-A9.
 
-while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {}
-open STDOUT,">$output";
+$flavour = shift;
+if ($flavour=~/^\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; }
+else { while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} }
+
+if ($flavour && $flavour ne "void") {
+    $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+    ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
+    ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
+    die "can't locate arm-xlate.pl";
+
+    open STDOUT,"| \"$^X\" $xlate $flavour $output";
+} else {
+    open STDOUT,">$output";
+}
 
 $num="r0";	# starts as num argument, but holds &tp[num-1]
 $ap="r1";
@@ -72,10 +84,10 @@ $code=<<___;
 .text
 .code	32
 
-#if __ARM_ARCH__>=7
+#if __ARM_MAX_ARCH__>=7
 .align	5
 .LOPENSSL_armcap:
-.word	OPENSSL_armcap_P-bn_mul_mont
+.word	OPENSSL_armcap_P-.Lbn_mul_mont
 #endif
 
 .global	bn_mul_mont
@@ -84,14 +96,18 @@ $code=<<___;
 
 .align	5
 bn_mul_mont:
+.Lbn_mul_mont:
 	ldr	ip,[sp,#4]		@ load num
 	stmdb	sp!,{r0,r2}		@ sp points at argument block
-#if __ARM_ARCH__>=7
+#if __ARM_MAX_ARCH__>=7
 	tst	ip,#7
 	bne	.Lialu
 	adr	r0,bn_mul_mont
 	ldr	r2,.LOPENSSL_armcap
 	ldr	r0,[r0,r2]
+#ifdef	__APPLE__
+	ldr	r0,[r0]
+#endif
 	tst	r0,#1			@ NEON available?
 	ldmia	sp, {r0,r2}
 	beq	.Lialu
@@ -231,9 +247,14 @@ bn_mul_mont:
 	ldmia	sp!,{r4-r12,lr}		@ restore registers
 	add	sp,sp,#2*4		@ skip over {r0,r2}
 	mov	r0,#1
-.Labrt:	tst	lr,#1
+.Labrt:
+#if __ARM_ARCH__>=5
+	ret				@ bx lr
+#else
+	tst	lr,#1
 	moveq	pc,lr			@ be binary compatible with V4, yet
 	bx	lr			@ interoperable with Thumb ISA:-)
+#endif
 .size	bn_mul_mont,.-bn_mul_mont
 ___
 {
@@ -252,7 +273,8 @@ my ($rptr,$aptr,$bptr,$nptr,$n0,$num)=map("r$_",(0..5));
 my ($tinptr,$toutptr,$inner,$outer)=map("r$_",(6..9));
 
 $code.=<<___;
-#if __ARM_ARCH__>=7
+#if __ARM_MAX_ARCH__>=7
+.arch	armv7-a
 .fpu	neon
 
 .type	bn_mul8x_mont_neon,%function
@@ -651,7 +673,7 @@ bn_mul8x_mont_neon:
 	sub	sp,ip,#96
         vldmia  sp!,{d8-d15}
         ldmia   sp!,{r4-r11}
-	bx	lr
+	ret						@ bx lr
 .size	bn_mul8x_mont_neon,.-bn_mul8x_mont_neon
 #endif
 ___
@@ -659,12 +681,14 @@ ___
 $code.=<<___;
 .asciz	"Montgomery multiplication for ARMv4/NEON, CRYPTOGAMS by <appro\@openssl.org>"
 .align	2
-#if __ARM_ARCH__>=7
+#if __ARM_MAX_ARCH__>=7
 .comm	OPENSSL_armcap_P,4,4
+.hidden	OPENSSL_armcap_P
 #endif
 ___
 
 $code =~ s/\`([^\`]*)\`/eval $1/gem;
 $code =~ s/\bbx\s+lr\b/.word\t0xe12fff1e/gm;	# make it possible to compile with -march=armv4
+$code =~ s/\bret\b/bx	lr/gm;
 print $code;
 close STDOUT;
diff --git a/src/crypto/bn/asm/x86_64-gcc.c b/src/crypto/bn/asm/x86_64-gcc.c
index c05e433..ac63934 100644
--- a/src/crypto/bn/asm/x86_64-gcc.c
+++ b/src/crypto/bn/asm/x86_64-gcc.c
@@ -1,6 +1,6 @@
 #include <openssl/bn.h>
 
-#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && !defined(OPENSSL_WINDOWS)
+#if defined(OPENSSL_X86_64) && !defined(OPENSSL_WINDOWS)
 
 #include "../internal.h"
 
@@ -100,8 +100,9 @@ BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num,
                           BN_ULONG w) {
   BN_ULONG c1 = 0;
 
-  if (num <= 0)
+  if (num <= 0) {
     return (c1);
+  }
 
   while (num & ~3) {
     mul_add(rp[0], ap[0], w, c1);
@@ -114,23 +115,26 @@ BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num,
   }
   if (num) {
     mul_add(rp[0], ap[0], w, c1);
-    if (--num == 0)
+    if (--num == 0) {
       return c1;
+    }
     mul_add(rp[1], ap[1], w, c1);
-    if (--num == 0)
+    if (--num == 0) {
       return c1;
+    }
     mul_add(rp[2], ap[2], w, c1);
     return c1;
   }
 
-  return (c1);
+  return c1;
 }
 
 BN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w) {
   BN_ULONG c1 = 0;
 
-  if (num <= 0)
-    return (c1);
+  if (num <= 0) {
+    return c1;
+  }
 
   while (num & ~3) {
     mul(rp[0], ap[0], w, c1);
@@ -143,19 +147,22 @@ BN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w) {
   }
   if (num) {
     mul(rp[0], ap[0], w, c1);
-    if (--num == 0)
+    if (--num == 0) {
       return c1;
+    }
     mul(rp[1], ap[1], w, c1);
-    if (--num == 0)
+    if (--num == 0) {
       return c1;
+    }
     mul(rp[2], ap[2], w, c1);
   }
-  return (c1);
+  return c1;
 }
 
 void bn_sqr_words(BN_ULONG *r, const BN_ULONG *a, int n) {
-  if (n <= 0)
+  if (n <= 0) {
     return;
+  }
 
   while (n & ~3) {
     sqr(r[0], r[1], a[0]);
@@ -168,11 +175,13 @@ void bn_sqr_words(BN_ULONG *r, const BN_ULONG *a, int n) {
   }
   if (n) {
     sqr(r[0], r[1], a[0]);
-    if (--n == 0)
+    if (--n == 0) {
       return;
+    }
     sqr(r[2], r[3], a[1]);
-    if (--n == 0)
+    if (--n == 0) {
       return;
+    }
     sqr(r[4], r[5], a[2]);
   }
 }
@@ -190,8 +199,9 @@ BN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
   BN_ULONG ret;
   size_t i = 0;
 
-  if (n <= 0)
+  if (n <= 0) {
     return 0;
+  }
 
   asm volatile (
       "	subq	%0,%0		\n" /* clear carry */
@@ -216,8 +226,9 @@ BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
   BN_ULONG ret;
   size_t i = 0;
 
-  if (n <= 0)
+  if (n <= 0) {
     return 0;
+  }
 
   asm volatile (
       "	subq	%0,%0		\n" /* clear borrow */
@@ -242,47 +253,56 @@ BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n) {
   BN_ULONG t1, t2;
   int c = 0;
 
-  if (n <= 0)
-    return ((BN_ULONG)0);
+  if (n <= 0) {
+    return (BN_ULONG)0;
+  }
 
   for (;;) {
     t1 = a[0];
     t2 = b[0];
     r[0] = (t1 - t2 - c) & BN_MASK2;
-    if (t1 != t2)
+    if (t1 != t2) {
       c = (t1 < t2);
-    if (--n <= 0)
+    }
+    if (--n <= 0) {
       break;
+    }
 
     t1 = a[1];
     t2 = b[1];
     r[1] = (t1 - t2 - c) & BN_MASK2;
-    if (t1 != t2)
+    if (t1 != t2) {
       c = (t1 < t2);
-    if (--n <= 0)
+    }
+    if (--n <= 0) {
       break;
+    }
 
     t1 = a[2];
     t2 = b[2];
     r[2] = (t1 - t2 - c) & BN_MASK2;
-    if (t1 != t2)
+    if (t1 != t2) {
       c = (t1 < t2);
-    if (--n <= 0)
+    }
+    if (--n <= 0) {
       break;
+    }
 
     t1 = a[3];
     t2 = b[3];
     r[3] = (t1 - t2 - c) & BN_MASK2;
-    if (t1 != t2)
+    if (t1 != t2) {
       c = (t1 < t2);
-    if (--n <= 0)
+    }
+    if (--n <= 0) {
       break;
+    }
 
     a += 4;
     b += 4;
     r += 4;
   }
-  return (c);
+  return c;
 }
 #endif
 
@@ -576,4 +596,4 @@ void bn_sqr_comba4(BN_ULONG *r, const BN_ULONG *a) {
   r[7] = c2;
 }
 
-#endif  /* !NO_ASM && X86_64 && !WINDOWS */
+#endif  /* defined(OPENSSL_X86_64) && !defined(OPENSSL_WINDOWS) */
diff --git a/src/crypto/bn/bn.c b/src/crypto/bn/bn.c
index 368c4f1..f32d6b0 100644
--- a/src/crypto/bn/bn.c
+++ b/src/crypto/bn/bn.c
@@ -88,7 +88,7 @@ void BN_free(BIGNUM *bn) {
     return;
   }
 
-  if (bn->d != NULL && (bn->flags & BN_FLG_STATIC_DATA) == 0) {
+  if ((bn->flags & BN_FLG_STATIC_DATA) == 0) {
     OPENSSL_free(bn->d);
   }
 
@@ -200,13 +200,15 @@ unsigned BN_num_bits_word(BN_ULONG l) {
     if (l & 0xffff000000000000L) {
       if (l & 0xff00000000000000L) {
         return (bits[(int)(l >> 56)] + 56);
-      } else
+      } else {
         return (bits[(int)(l >> 48)] + 48);
+      }
     } else {
       if (l & 0x0000ff0000000000L) {
         return (bits[(int)(l >> 40)] + 40);
-      } else
+      } else {
         return (bits[(int)(l >> 32)] + 32);
+      }
     }
   } else
 #endif
@@ -302,9 +304,7 @@ BIGNUM *bn_wexpand(BIGNUM *bn, unsigned words) {
 
   memcpy(a, bn->d, sizeof(BN_ULONG) * bn->top);
 
-  if (bn->d) {
-    OPENSSL_free(bn->d);
-  }
+  OPENSSL_free(bn->d);
   bn->d = a;
   bn->dmax = words;
 
diff --git a/src/crypto/bn/bn_error.c b/src/crypto/bn/bn_error.c
deleted file mode 100644
index b522c2a..0000000
--- a/src/crypto/bn/bn_error.c
+++ /dev/null
@@ -1,63 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/bn.h>
-
-const ERR_STRING_DATA BN_error_string_data[] = {
-  {ERR_PACK(ERR_LIB_BN, BN_F_BN_CTX_get, 0), "BN_CTX_get"},
-  {ERR_PACK(ERR_LIB_BN, BN_F_BN_CTX_new, 0), "BN_CTX_new"},
-  {ERR_PACK(ERR_LIB_BN, BN_F_BN_CTX_start, 0), "BN_CTX_start"},
-  {ERR_PACK(ERR_LIB_BN, BN_F_BN_bn2dec, 0), "BN_bn2dec"},
-  {ERR_PACK(ERR_LIB_BN, BN_F_BN_bn2hex, 0), "BN_bn2hex"},
-  {ERR_PACK(ERR_LIB_BN, BN_F_BN_div, 0), "BN_div"},
-  {ERR_PACK(ERR_LIB_BN, BN_F_BN_div_recp, 0), "BN_div_recp"},
-  {ERR_PACK(ERR_LIB_BN, BN_F_BN_exp, 0), "BN_exp"},
-  {ERR_PACK(ERR_LIB_BN, BN_F_BN_generate_dsa_nonce, 0), "BN_generate_dsa_nonce"},
-  {ERR_PACK(ERR_LIB_BN, BN_F_BN_generate_prime_ex, 0), "BN_generate_prime_ex"},
-  {ERR_PACK(ERR_LIB_BN, BN_F_BN_mod_exp2_mont, 0), "BN_mod_exp2_mont"},
-  {ERR_PACK(ERR_LIB_BN, BN_F_BN_mod_exp_mont, 0), "BN_mod_exp_mont"},
-  {ERR_PACK(ERR_LIB_BN, BN_F_BN_mod_exp_mont_consttime, 0), "BN_mod_exp_mont_consttime"},
-  {ERR_PACK(ERR_LIB_BN, BN_F_BN_mod_exp_mont_word, 0), "BN_mod_exp_mont_word"},
-  {ERR_PACK(ERR_LIB_BN, BN_F_BN_mod_inverse, 0), "BN_mod_inverse"},
-  {ERR_PACK(ERR_LIB_BN, BN_F_BN_mod_inverse_no_branch, 0), "BN_mod_inverse_no_branch"},
-  {ERR_PACK(ERR_LIB_BN, BN_F_BN_mod_lshift_quick, 0), "BN_mod_lshift_quick"},
-  {ERR_PACK(ERR_LIB_BN, BN_F_BN_mod_sqrt, 0), "BN_mod_sqrt"},
-  {ERR_PACK(ERR_LIB_BN, BN_F_BN_new, 0), "BN_new"},
-  {ERR_PACK(ERR_LIB_BN, BN_F_BN_rand, 0), "BN_rand"},
-  {ERR_PACK(ERR_LIB_BN, BN_F_BN_rand_range, 0), "BN_rand_range"},
-  {ERR_PACK(ERR_LIB_BN, BN_F_BN_sqrt, 0), "BN_sqrt"},
-  {ERR_PACK(ERR_LIB_BN, BN_F_BN_usub, 0), "BN_usub"},
-  {ERR_PACK(ERR_LIB_BN, BN_F_bn_wexpand, 0), "bn_wexpand"},
-  {ERR_PACK(ERR_LIB_BN, BN_F_mod_exp_recp, 0), "mod_exp_recp"},
-  {ERR_PACK(ERR_LIB_BN, 0, BN_R_ARG2_LT_ARG3), "ARG2_LT_ARG3"},
-  {ERR_PACK(ERR_LIB_BN, 0, BN_R_BAD_RECIPROCAL), "BAD_RECIPROCAL"},
-  {ERR_PACK(ERR_LIB_BN, 0, BN_R_BIGNUM_TOO_LONG), "BIGNUM_TOO_LONG"},
-  {ERR_PACK(ERR_LIB_BN, 0, BN_R_BITS_TOO_SMALL), "BITS_TOO_SMALL"},
-  {ERR_PACK(ERR_LIB_BN, 0, BN_R_CALLED_WITH_EVEN_MODULUS), "CALLED_WITH_EVEN_MODULUS"},
-  {ERR_PACK(ERR_LIB_BN, 0, BN_R_DIV_BY_ZERO), "DIV_BY_ZERO"},
-  {ERR_PACK(ERR_LIB_BN, 0, BN_R_EXPAND_ON_STATIC_BIGNUM_DATA), "EXPAND_ON_STATIC_BIGNUM_DATA"},
-  {ERR_PACK(ERR_LIB_BN, 0, BN_R_INPUT_NOT_REDUCED), "INPUT_NOT_REDUCED"},
-  {ERR_PACK(ERR_LIB_BN, 0, BN_R_INVALID_RANGE), "INVALID_RANGE"},
-  {ERR_PACK(ERR_LIB_BN, 0, BN_R_NEGATIVE_NUMBER), "NEGATIVE_NUMBER"},
-  {ERR_PACK(ERR_LIB_BN, 0, BN_R_NOT_A_SQUARE), "NOT_A_SQUARE"},
-  {ERR_PACK(ERR_LIB_BN, 0, BN_R_NOT_INITIALIZED), "NOT_INITIALIZED"},
-  {ERR_PACK(ERR_LIB_BN, 0, BN_R_NO_INVERSE), "NO_INVERSE"},
-  {ERR_PACK(ERR_LIB_BN, 0, BN_R_PRIVATE_KEY_TOO_LARGE), "PRIVATE_KEY_TOO_LARGE"},
-  {ERR_PACK(ERR_LIB_BN, 0, BN_R_P_IS_NOT_PRIME), "P_IS_NOT_PRIME"},
-  {ERR_PACK(ERR_LIB_BN, 0, BN_R_TOO_MANY_ITERATIONS), "TOO_MANY_ITERATIONS"},
-  {ERR_PACK(ERR_LIB_BN, 0, BN_R_TOO_MANY_TEMPORARY_VARIABLES), "TOO_MANY_TEMPORARY_VARIABLES"},
-  {0, NULL},
-};
diff --git a/src/crypto/bn/bn_test.c b/src/crypto/bn/bn_test.c
deleted file mode 100644
index e342ed8..0000000
--- a/src/crypto/bn/bn_test.c
+++ /dev/null
@@ -1,1471 +0,0 @@
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
- *
- * Portions of the attached software ("Contribution") are developed by
- * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
- *
- * The Contribution is licensed pursuant to the Eric Young open source
- * license provided above.
- *
- * The binary polynomial arithmetic software is originally written by
- * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems
- * Laboratories. */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/bio.h>
-#include <openssl/bn.h>
-#include <openssl/crypto.h>
-#include <openssl/err.h>
-#include <openssl/mem.h>
-
-#include "internal.h"
-
-
-static const int num0 = 100; /* number of tests */
-static const int num1 = 50;  /* additional tests for some functions */
-static const int num2 = 5;   /* number of tests for slow functions */
-
-int test_add(BIO *bp);
-int test_sub(BIO *bp);
-int test_lshift1(BIO *bp);
-int test_lshift(BIO *bp, BN_CTX *ctx, BIGNUM *a_);
-int test_rshift1(BIO *bp);
-int test_rshift(BIO *bp, BN_CTX *ctx);
-int test_sqr(BIO *bp, BN_CTX *ctx);
-int test_mul(BIO *bp);
-int test_div(BIO *bp, BN_CTX *ctx);
-int rand_neg(void);
-
-int test_div_word(BIO *bp);
-int test_mont(BIO *bp, BN_CTX *ctx);
-int test_mod(BIO *bp, BN_CTX *ctx);
-int test_mod_mul(BIO *bp, BN_CTX *ctx);
-int test_mod_exp(BIO *bp, BN_CTX *ctx);
-int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx);
-int test_exp(BIO *bp, BN_CTX *ctx);
-int test_mod_sqrt(BIO *bp, BN_CTX *ctx);
-static int test_exp_mod_zero(void);
-int test_small_prime(BIO *bp,BN_CTX *ctx);
-int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx);
-int test_sqrt(BIO *bp, BN_CTX *ctx);
-int test_bn2bin_padded(BIO *bp, BN_CTX *ctx);
-#if 0
-int test_gf2m_add(BIO *bp);
-int test_gf2m_mod(BIO *bp);
-int test_gf2m_mod_mul(BIO *bp, BN_CTX *ctx);
-int test_gf2m_mod_sqr(BIO *bp, BN_CTX *ctx);
-int test_gf2m_mod_inv(BIO *bp, BN_CTX *ctx);
-int test_gf2m_mod_div(BIO *bp, BN_CTX *ctx);
-int test_gf2m_mod_exp(BIO *bp, BN_CTX *ctx);
-int test_gf2m_mod_sqrt(BIO *bp, BN_CTX *ctx);
-int test_gf2m_mod_solve_quad(BIO *bp, BN_CTX *ctx);
-#endif
-static int results = 0;
-
-static unsigned char lst[] =
-    "\xC6\x4F\x43\x04\x2A\xEA\xCA\x6E\x58\x36\x80\x5B\xE8\xC9"
-    "\x9B\x04\x5D\x48\x36\xC2\xFD\x16\xC9\x64\xF0";
-
-static void ERR_print_errors_fp(FILE *out) {
-}
-
-static void message(BIO *out, char *m) {
-  BIO_puts(out, "print \"test ");
-  BIO_puts(out, m);
-  BIO_puts(out, "\\n\"\n");
-}
-
-int main(int argc, char *argv[]) {
-  BN_CTX *ctx;
-  BIO *out = NULL;
-  char *outfile = NULL;
-
-  CRYPTO_library_init();
-
-  results = 0;
-
-  argc--;
-  argv++;
-  while (argc >= 1) {
-    if (strcmp(*argv, "-results") == 0)
-      results = 1;
-    else if (strcmp(*argv, "-out") == 0) {
-      if (--argc < 1)
-        break;
-      outfile = *(++argv);
-    }
-    argc--;
-    argv++;
-  }
-
-
-  ctx = BN_CTX_new();
-  if (ctx == NULL)
-    return 1;
-
-  out = BIO_new(BIO_s_file());
-  if (out == NULL) {
-    return 1;
-  }
-
-  if (outfile == NULL) {
-    BIO_set_fp(out, stdout, BIO_NOCLOSE);
-  } else {
-    if (!BIO_write_filename(out, outfile)) {
-      perror(outfile);
-      return 1;
-    }
-  }
-
-  if (!results)
-    BIO_puts(out, "obase=16\nibase=16\n");
-
-  message(out, "BN_add");
-  if (!test_add(out))
-    goto err;
-  (void)BIO_flush(out);
-
-  message(out, "BN_sub");
-  if (!test_sub(out))
-    goto err;
-  (void)BIO_flush(out);
-
-  message(out, "BN_lshift1");
-  if (!test_lshift1(out))
-    goto err;
-  (void)BIO_flush(out);
-
-  message(out, "BN_lshift (fixed)");
-  if (!test_lshift(out, ctx, BN_bin2bn(lst, sizeof(lst) - 1, NULL)))
-    goto err;
-  (void)BIO_flush(out);
-
-  message(out, "BN_lshift");
-  if (!test_lshift(out, ctx, NULL))
-    goto err;
-  (void)BIO_flush(out);
-
-  message(out, "BN_rshift1");
-  if (!test_rshift1(out))
-    goto err;
-  (void)BIO_flush(out);
-
-  message(out, "BN_rshift");
-  if (!test_rshift(out, ctx))
-    goto err;
-  (void)BIO_flush(out);
-
-  message(out, "BN_sqr");
-  if (!test_sqr(out, ctx))
-    goto err;
-  (void)BIO_flush(out);
-
-  message(out, "BN_mul");
-  if (!test_mul(out))
-    goto err;
-  (void)BIO_flush(out);
-
-  message(out, "BN_div");
-  if (!test_div(out, ctx))
-    goto err;
-  (void)BIO_flush(out);
-
-  message(out, "BN_div_word");
-  if (!test_div_word(out))
-    goto err;
-  (void)BIO_flush(out);
-
-  message(out, "BN_mod");
-  if (!test_mod(out, ctx))
-    goto err;
-  (void)BIO_flush(out);
-
-  message(out, "BN_mod_mul");
-  if (!test_mod_mul(out, ctx))
-    goto err;
-  (void)BIO_flush(out);
-
-  message(out, "BN_mont");
-  if (!test_mont(out, ctx))
-    goto err;
-  (void)BIO_flush(out);
-
-  message(out, "BN_mod_exp");
-  if (!test_mod_exp(out, ctx))
-    goto err;
-  (void)BIO_flush(out);
-
-  message(out, "BN_mod_exp_mont_consttime");
-  if (!test_mod_exp_mont_consttime(out, ctx) ||
-      !test_mod_exp_mont5(out, ctx)) {
-    goto err;
-  }
-  (void)BIO_flush(out);
-
-  message(out, "BN_exp");
-  if (!test_exp(out, ctx) ||
-      !test_exp_mod_zero()) {
-    goto err;
-  }
-  (void)BIO_flush(out);
-
-  message(out, "BN_mod_sqrt");
-  if (!test_mod_sqrt(out, ctx))
-    goto err;
-  (void)BIO_flush(out);
-
-  message(out, "Small prime generation");
-  if (!test_small_prime(out, ctx))
-    goto err;
-  (void)BIO_flush(out);
-
-  message(out, "BN_sqrt");
-  if (!test_sqrt(out, ctx))
-    goto err;
-  (void)BIO_flush(out);
-
-  message(out, "BN_bn2bin_padded");
-  if (!test_bn2bin_padded(out, ctx))
-    goto err;
-  (void)BIO_flush(out);
-
-  BN_CTX_free(ctx);
-  BIO_free(out);
-
-  printf("PASS\n");
-  return 0;
-
-err:
-  BIO_puts(out, "1\n"); /* make sure the Perl script fed by bc notices
-                         * the failure, see test_bn in test/Makefile.ssl*/
-  (void)BIO_flush(out);
-
-  return 1;
-}
-
-int test_add(BIO *bp) {
-  BIGNUM a, b, c;
-  int i;
-
-  BN_init(&a);
-  BN_init(&b);
-  BN_init(&c);
-
-  BN_rand(&a, 512, 0, 0);
-  for (i = 0; i < num0; i++) {
-    BN_rand(&b, 450 + i, 0, 0);
-    a.neg = rand_neg();
-    b.neg = rand_neg();
-    BN_add(&c, &a, &b);
-    if (bp != NULL) {
-      if (!results) {
-        BN_print(bp, &a);
-        BIO_puts(bp, " + ");
-        BN_print(bp, &b);
-        BIO_puts(bp, " - ");
-      }
-      BN_print(bp, &c);
-      BIO_puts(bp, "\n");
-    }
-    a.neg = !a.neg;
-    b.neg = !b.neg;
-    BN_add(&c, &c, &b);
-    BN_add(&c, &c, &a);
-    if (!BN_is_zero(&c)) {
-      fprintf(stderr, "Add test failed!\n");
-      return 0;
-    }
-  }
-  BN_free(&a);
-  BN_free(&b);
-  BN_free(&c);
-  return (1);
-}
-
-int test_sub(BIO *bp) {
-  BIGNUM a, b, c;
-  int i;
-
-  BN_init(&a);
-  BN_init(&b);
-  BN_init(&c);
-
-  for (i = 0; i < num0 + num1; i++) {
-    if (i < num1) {
-      BN_rand(&a, 512, 0, 0);
-      BN_copy(&b, &a);
-      if (BN_set_bit(&a, i) == 0)
-        return (0);
-      BN_add_word(&b, i);
-    } else {
-      BN_rand(&b, 400 + i - num1, 0, 0);
-      a.neg = rand_neg();
-      b.neg = rand_neg();
-    }
-    BN_sub(&c, &a, &b);
-    if (bp != NULL) {
-      if (!results) {
-        BN_print(bp, &a);
-        BIO_puts(bp, " - ");
-        BN_print(bp, &b);
-        BIO_puts(bp, " - ");
-      }
-      BN_print(bp, &c);
-      BIO_puts(bp, "\n");
-    }
-    BN_add(&c, &c, &b);
-    BN_sub(&c, &c, &a);
-    if (!BN_is_zero(&c)) {
-      fprintf(stderr, "Subtract test failed!\n");
-      return 0;
-    }
-  }
-  BN_free(&a);
-  BN_free(&b);
-  BN_free(&c);
-  return (1);
-}
-
-int test_div(BIO *bp, BN_CTX *ctx) {
-  BIGNUM a, b, c, d, e;
-  int i;
-
-  BN_init(&a);
-  BN_init(&b);
-  BN_init(&c);
-  BN_init(&d);
-  BN_init(&e);
-
-  for (i = 0; i < num0 + num1; i++) {
-    if (i < num1) {
-      BN_rand(&a, 400, 0, 0);
-      BN_copy(&b, &a);
-      BN_lshift(&a, &a, i);
-      BN_add_word(&a, i);
-    } else
-      BN_rand(&b, 50 + 3 * (i - num1), 0, 0);
-    a.neg = rand_neg();
-    b.neg = rand_neg();
-    BN_div(&d, &c, &a, &b, ctx);
-    if (bp != NULL) {
-      if (!results) {
-        BN_print(bp, &a);
-        BIO_puts(bp, " / ");
-        BN_print(bp, &b);
-        BIO_puts(bp, " - ");
-      }
-      BN_print(bp, &d);
-      BIO_puts(bp, "\n");
-
-      if (!results) {
-        BN_print(bp, &a);
-        BIO_puts(bp, " % ");
-        BN_print(bp, &b);
-        BIO_puts(bp, " - ");
-      }
-      BN_print(bp, &c);
-      BIO_puts(bp, "\n");
-    }
-    BN_mul(&e, &d, &b, ctx);
-    BN_add(&d, &e, &c);
-    BN_sub(&d, &d, &a);
-    if (!BN_is_zero(&d)) {
-      fprintf(stderr, "Division test failed!\n");
-      return 0;
-    }
-  }
-  BN_free(&a);
-  BN_free(&b);
-  BN_free(&c);
-  BN_free(&d);
-  BN_free(&e);
-  return (1);
-}
-
-int test_lshift1(BIO *bp) {
-  BIGNUM *a, *b, *c;
-  int i;
-
-  a = BN_new();
-  b = BN_new();
-  c = BN_new();
-
-  BN_rand(a, 200, 0, 0); /**/
-  a->neg = rand_neg();
-  for (i = 0; i < num0; i++) {
-    BN_lshift1(b, a);
-    if (bp != NULL) {
-      if (!results) {
-        BN_print(bp, a);
-        BIO_puts(bp, " * 2");
-        BIO_puts(bp, " - ");
-      }
-      BN_print(bp, b);
-      BIO_puts(bp, "\n");
-    }
-    BN_add(c, a, a);
-    BN_sub(a, b, c);
-    if (!BN_is_zero(a)) {
-      fprintf(stderr, "Left shift one test failed!\n");
-      return 0;
-    }
-
-    BN_copy(a, b);
-  }
-  BN_free(a);
-  BN_free(b);
-  BN_free(c);
-  return (1);
-}
-
-int test_rshift(BIO *bp, BN_CTX *ctx) {
-  BIGNUM *a, *b, *c, *d, *e;
-  int i;
-
-  a = BN_new();
-  b = BN_new();
-  c = BN_new();
-  d = BN_new();
-  e = BN_new();
-  BN_one(c);
-
-  BN_rand(a, 200, 0, 0); /**/
-  a->neg = rand_neg();
-  for (i = 0; i < num0; i++) {
-    BN_rshift(b, a, i + 1);
-    BN_add(c, c, c);
-    if (bp != NULL) {
-      if (!results) {
-        BN_print(bp, a);
-        BIO_puts(bp, " / ");
-        BN_print(bp, c);
-        BIO_puts(bp, " - ");
-      }
-      BN_print(bp, b);
-      BIO_puts(bp, "\n");
-    }
-    BN_div(d, e, a, c, ctx);
-    BN_sub(d, d, b);
-    if (!BN_is_zero(d)) {
-      fprintf(stderr, "Right shift test failed!\n");
-      return 0;
-    }
-  }
-  BN_free(a);
-  BN_free(b);
-  BN_free(c);
-  BN_free(d);
-  BN_free(e);
-  return (1);
-}
-
-int test_rshift1(BIO *bp) {
-  BIGNUM *a, *b, *c;
-  int i;
-
-  a = BN_new();
-  b = BN_new();
-  c = BN_new();
-
-  BN_rand(a, 200, 0, 0); /**/
-  a->neg = rand_neg();
-  for (i = 0; i < num0; i++) {
-    BN_rshift1(b, a);
-    if (bp != NULL) {
-      if (!results) {
-        BN_print(bp, a);
-        BIO_puts(bp, " / 2");
-        BIO_puts(bp, " - ");
-      }
-      BN_print(bp, b);
-      BIO_puts(bp, "\n");
-    }
-    BN_sub(c, a, b);
-    BN_sub(c, c, b);
-    if (!BN_is_zero(c) && !BN_abs_is_word(c, 1)) {
-      fprintf(stderr, "Right shift one test failed!\n");
-      return 0;
-    }
-    BN_copy(a, b);
-  }
-  BN_free(a);
-  BN_free(b);
-  BN_free(c);
-  return (1);
-}
-
-int test_lshift(BIO *bp, BN_CTX *ctx, BIGNUM *a_) {
-  BIGNUM *a, *b, *c, *d;
-  int i;
-
-  b = BN_new();
-  c = BN_new();
-  d = BN_new();
-  BN_one(c);
-
-  if (a_)
-    a = a_;
-  else {
-    a = BN_new();
-    BN_rand(a, 200, 0, 0); /**/
-    a->neg = rand_neg();
-  }
-  for (i = 0; i < num0; i++) {
-    BN_lshift(b, a, i + 1);
-    BN_add(c, c, c);
-    if (bp != NULL) {
-      if (!results) {
-        BN_print(bp, a);
-        BIO_puts(bp, " * ");
-        BN_print(bp, c);
-        BIO_puts(bp, " - ");
-      }
-      BN_print(bp, b);
-      BIO_puts(bp, "\n");
-    }
-    BN_mul(d, a, c, ctx);
-    BN_sub(d, d, b);
-    if (!BN_is_zero(d)) {
-      fprintf(stderr, "Left shift test failed!\n");
-      fprintf(stderr, "a=");
-      BN_print_fp(stderr, a);
-      fprintf(stderr, "\nb=");
-      BN_print_fp(stderr, b);
-      fprintf(stderr, "\nc=");
-      BN_print_fp(stderr, c);
-      fprintf(stderr, "\nd=");
-      BN_print_fp(stderr, d);
-      fprintf(stderr, "\n");
-      return 0;
-    }
-  }
-  BN_free(a);
-  BN_free(b);
-  BN_free(c);
-  BN_free(d);
-  return (1);
-}
-
-int test_mul(BIO *bp) {
-  BIGNUM a, b, c, d, e;
-  int i;
-  BN_CTX *ctx;
-
-  ctx = BN_CTX_new();
-  if (ctx == NULL)
-    abort();
-
-  BN_init(&a);
-  BN_init(&b);
-  BN_init(&c);
-  BN_init(&d);
-  BN_init(&e);
-
-  for (i = 0; i < num0 + num1; i++) {
-    if (i <= num1) {
-      BN_rand(&a, 100, 0, 0);
-      BN_rand(&b, 100, 0, 0);
-    } else
-      BN_rand(&b, i - num1, 0, 0);
-    a.neg = rand_neg();
-    b.neg = rand_neg();
-    BN_mul(&c, &a, &b, ctx);
-    if (bp != NULL) {
-      if (!results) {
-        BN_print(bp, &a);
-        BIO_puts(bp, " * ");
-        BN_print(bp, &b);
-        BIO_puts(bp, " - ");
-      }
-      BN_print(bp, &c);
-      BIO_puts(bp, "\n");
-    }
-    BN_div(&d, &e, &c, &a, ctx);
-    BN_sub(&d, &d, &b);
-    if (!BN_is_zero(&d) || !BN_is_zero(&e)) {
-      fprintf(stderr, "Multiplication test failed!\n");
-      return 0;
-    }
-  }
-  BN_free(&a);
-  BN_free(&b);
-  BN_free(&c);
-  BN_free(&d);
-  BN_free(&e);
-  BN_CTX_free(ctx);
-  return (1);
-}
-
-int test_sqr(BIO *bp, BN_CTX *ctx) {
-  BIGNUM *a, *c, *d, *e;
-  int i, ret = 0;
-
-  a = BN_new();
-  c = BN_new();
-  d = BN_new();
-  e = BN_new();
-  if (a == NULL || c == NULL || d == NULL || e == NULL) {
-    goto err;
-  }
-
-  for (i = 0; i < num0; i++) {
-    BN_rand(a, 40 + i * 10, 0, 0);
-    a->neg = rand_neg();
-    BN_sqr(c, a, ctx);
-    if (bp != NULL) {
-      if (!results) {
-        BN_print(bp, a);
-        BIO_puts(bp, " * ");
-        BN_print(bp, a);
-        BIO_puts(bp, " - ");
-      }
-      BN_print(bp, c);
-      BIO_puts(bp, "\n");
-    }
-    BN_div(d, e, c, a, ctx);
-    BN_sub(d, d, a);
-    if (!BN_is_zero(d) || !BN_is_zero(e)) {
-      fprintf(stderr, "Square test failed!\n");
-      goto err;
-    }
-  }
-
-  /* Regression test for a BN_sqr overflow bug. */
-  BN_hex2bn(&a,
-            "80000000000000008000000000000001FFFFFFFFFFFFFFFE0000000000000000");
-  BN_sqr(c, a, ctx);
-  if (bp != NULL) {
-    if (!results) {
-      BN_print(bp, a);
-      BIO_puts(bp, " * ");
-      BN_print(bp, a);
-      BIO_puts(bp, " - ");
-    }
-    BN_print(bp, c);
-    BIO_puts(bp, "\n");
-  }
-  BN_mul(d, a, a, ctx);
-  if (BN_cmp(c, d)) {
-    fprintf(stderr,
-            "Square test failed: BN_sqr and BN_mul produce "
-            "different results!\n");
-    goto err;
-  }
-
-  /* Regression test for a BN_sqr overflow bug. */
-  BN_hex2bn(&a,
-            "80000000000000000000000080000001FFFFFFFE000000000000000000000000");
-  BN_sqr(c, a, ctx);
-  if (bp != NULL) {
-    if (!results) {
-      BN_print(bp, a);
-      BIO_puts(bp, " * ");
-      BN_print(bp, a);
-      BIO_puts(bp, " - ");
-    }
-    BN_print(bp, c);
-    BIO_puts(bp, "\n");
-  }
-  BN_mul(d, a, a, ctx);
-  if (BN_cmp(c, d)) {
-    fprintf(stderr,
-            "Square test failed: BN_sqr and BN_mul produce "
-            "different results!\n");
-    goto err;
-  }
-  ret = 1;
-
-err:
-  if (a != NULL) {
-    BN_free(a);
-  }
-  if (c != NULL) {
-    BN_free(c);
-  }
-  if (d != NULL) {
-    BN_free(d);
-  }
-  if (e != NULL) {
-    BN_free(e);
-  }
-  return ret;
-}
-
-
-int rand_neg(void) {
-  static unsigned int neg = 0;
-  static int sign[8] = {0, 0, 0, 1, 1, 0, 1, 1};
-
-  return (sign[(neg++) % 8]);
-}
-
-static void print_word(BIO *bp, BN_ULONG w) {
-  BIO_printf(bp, BN_HEX_FMT1, w);
-}
-
-int test_div_word(BIO *bp) {
-  BIGNUM a, b;
-  BN_ULONG r, s;
-  int i;
-
-  BN_init(&a);
-  BN_init(&b);
-
-  for (i = 0; i < num0; i++) {
-    do {
-      BN_rand(&a, 512, -1, 0);
-      BN_rand(&b, BN_BITS2, -1, 0);
-      s = b.d[0];
-    } while (!s);
-
-    BN_copy(&b, &a);
-    r = BN_div_word(&b, s);
-
-    if (bp != NULL) {
-      if (!results) {
-        BN_print(bp, &a);
-        BIO_puts(bp, " / ");
-        print_word(bp, s);
-        BIO_puts(bp, " - ");
-      }
-      BN_print(bp, &b);
-      BIO_puts(bp, "\n");
-
-      if (!results) {
-        BN_print(bp, &a);
-        BIO_puts(bp, " % ");
-        print_word(bp, s);
-        BIO_puts(bp, " - ");
-      }
-      print_word(bp, r);
-      BIO_puts(bp, "\n");
-    }
-    BN_mul_word(&b, s);
-    BN_add_word(&b, r);
-    BN_sub(&b, &a, &b);
-    if (!BN_is_zero(&b)) {
-      fprintf(stderr, "Division (word) test failed!\n");
-      return 0;
-    }
-  }
-  BN_free(&a);
-  BN_free(&b);
-  return (1);
-}
-
-int test_mont(BIO *bp, BN_CTX *ctx) {
-  BIGNUM a, b, c, d, A, B;
-  BIGNUM n;
-  int i;
-  BN_MONT_CTX *mont;
-
-  BN_init(&a);
-  BN_init(&b);
-  BN_init(&c);
-  BN_init(&d);
-  BN_init(&A);
-  BN_init(&B);
-  BN_init(&n);
-
-  mont = BN_MONT_CTX_new();
-  if (mont == NULL)
-    return 0;
-
-  BN_rand(&a, 100, 0, 0); /**/
-  BN_rand(&b, 100, 0, 0); /**/
-  for (i = 0; i < num2; i++) {
-    int bits = (200 * (i + 1)) / num2;
-
-    if (bits == 0)
-      continue;
-    BN_rand(&n, bits, 0, 1);
-    BN_MONT_CTX_set(mont, &n, ctx);
-
-    BN_nnmod(&a, &a, &n, ctx);
-    BN_nnmod(&b, &b, &n, ctx);
-
-    BN_to_montgomery(&A, &a, mont, ctx);
-    BN_to_montgomery(&B, &b, mont, ctx);
-
-    BN_mod_mul_montgomery(&c, &A, &B, mont, ctx); /**/
-    BN_from_montgomery(&A, &c, mont, ctx);        /**/
-    if (bp != NULL) {
-      if (!results) {
-#ifdef undef
-        fprintf(stderr, "%d * %d %% %d\n", BN_num_bits(&a), BN_num_bits(&b),
-                BN_num_bits(mont->N));
-#endif
-        BN_print(bp, &a);
-        BIO_puts(bp, " * ");
-        BN_print(bp, &b);
-        BIO_puts(bp, " % ");
-        BN_print(bp, &(mont->N));
-        BIO_puts(bp, " - ");
-      }
-      BN_print(bp, &A);
-      BIO_puts(bp, "\n");
-    }
-    BN_mod_mul(&d, &a, &b, &n, ctx);
-    BN_sub(&d, &d, &A);
-    if (!BN_is_zero(&d)) {
-      fprintf(stderr, "Montgomery multiplication test failed!\n");
-      return 0;
-    }
-  }
-  BN_MONT_CTX_free(mont);
-  BN_free(&a);
-  BN_free(&b);
-  BN_free(&c);
-  BN_free(&d);
-  BN_free(&A);
-  BN_free(&B);
-  BN_free(&n);
-  return (1);
-}
-
-int test_mod(BIO *bp, BN_CTX *ctx) {
-  BIGNUM *a, *b, *c, *d, *e;
-  int i;
-
-  a = BN_new();
-  b = BN_new();
-  c = BN_new();
-  d = BN_new();
-  e = BN_new();
-
-  BN_rand(a, 1024, 0, 0); /**/
-  for (i = 0; i < num0; i++) {
-    BN_rand(b, 450 + i * 10, 0, 0); /**/
-    a->neg = rand_neg();
-    b->neg = rand_neg();
-    BN_mod(c, a, b, ctx); /**/
-    if (bp != NULL) {
-      if (!results) {
-        BN_print(bp, a);
-        BIO_puts(bp, " % ");
-        BN_print(bp, b);
-        BIO_puts(bp, " - ");
-      }
-      BN_print(bp, c);
-      BIO_puts(bp, "\n");
-    }
-    BN_div(d, e, a, b, ctx);
-    BN_sub(e, e, c);
-    if (!BN_is_zero(e)) {
-      fprintf(stderr, "Modulo test failed!\n");
-      return 0;
-    }
-  }
-  BN_free(a);
-  BN_free(b);
-  BN_free(c);
-  BN_free(d);
-  BN_free(e);
-  return (1);
-}
-
-int test_mod_mul(BIO *bp, BN_CTX *ctx) {
-  BIGNUM *a, *b, *c, *d, *e;
-  int i, j;
-
-  a = BN_new();
-  b = BN_new();
-  c = BN_new();
-  d = BN_new();
-  e = BN_new();
-
-  for (j = 0; j < 3; j++) {
-    BN_rand(c, 1024, 0, 0); /**/
-    for (i = 0; i < num0; i++) {
-      BN_rand(a, 475 + i * 10, 0, 0); /**/
-      BN_rand(b, 425 + i * 11, 0, 0); /**/
-      a->neg = rand_neg();
-      b->neg = rand_neg();
-      if (!BN_mod_mul(e, a, b, c, ctx)) {
-        unsigned long l;
-
-        while ((l = ERR_get_error()))
-          fprintf(stderr, "ERROR:%s\n", ERR_error_string(l, NULL));
-        abort();
-      }
-      if (bp != NULL) {
-        if (!results) {
-          BN_print(bp, a);
-          BIO_puts(bp, " * ");
-          BN_print(bp, b);
-          BIO_puts(bp, " % ");
-          BN_print(bp, c);
-          if ((a->neg ^ b->neg) && !BN_is_zero(e)) {
-            /* If  (a*b) % c  is negative,  c  must be added
-             * in order to obtain the normalized remainder
-             * (new with OpenSSL 0.9.7, previous versions of
-             * BN_mod_mul could generate negative results)
-             */
-            BIO_puts(bp, " + ");
-            BN_print(bp, c);
-          }
-          BIO_puts(bp, " - ");
-        }
-        BN_print(bp, e);
-        BIO_puts(bp, "\n");
-      }
-      BN_mul(d, a, b, ctx);
-      BN_sub(d, d, e);
-      BN_div(a, b, d, c, ctx);
-      if (!BN_is_zero(b)) {
-        fprintf(stderr, "Modulo multiply test failed!\n");
-        ERR_print_errors_fp(stderr);
-        return 0;
-      }
-    }
-  }
-  BN_free(a);
-  BN_free(b);
-  BN_free(c);
-  BN_free(d);
-  BN_free(e);
-  return (1);
-}
-
-int test_mod_exp(BIO *bp, BN_CTX *ctx) {
-  BIGNUM *a, *b, *c, *d, *e;
-  int i;
-
-  a = BN_new();
-  b = BN_new();
-  c = BN_new();
-  d = BN_new();
-  e = BN_new();
-
-  BN_rand(c, 30, 0, 1); /* must be odd for montgomery */
-  for (i = 0; i < num2; i++) {
-    BN_rand(a, 20 + i * 5, 0, 0); /**/
-    BN_rand(b, 2 + i, 0, 0);      /**/
-
-    if (!BN_mod_exp(d, a, b, c, ctx))
-      return (0);
-
-    if (bp != NULL) {
-      if (!results) {
-        BN_print(bp, a);
-        BIO_puts(bp, " ^ ");
-        BN_print(bp, b);
-        BIO_puts(bp, " % ");
-        BN_print(bp, c);
-        BIO_puts(bp, " - ");
-      }
-      BN_print(bp, d);
-      BIO_puts(bp, "\n");
-    }
-    BN_exp(e, a, b, ctx);
-    BN_sub(e, e, d);
-    BN_div(a, b, e, c, ctx);
-    if (!BN_is_zero(b)) {
-      fprintf(stderr, "Modulo exponentiation test failed!\n");
-      return 0;
-    }
-  }
-  BN_free(a);
-  BN_free(b);
-  BN_free(c);
-  BN_free(d);
-  BN_free(e);
-  return (1);
-}
-
-int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx) {
-  BIGNUM *a, *b, *c, *d, *e;
-  int i;
-
-  a = BN_new();
-  b = BN_new();
-  c = BN_new();
-  d = BN_new();
-  e = BN_new();
-
-  BN_rand(c, 30, 0, 1); /* must be odd for montgomery */
-  for (i = 0; i < num2; i++) {
-    BN_rand(a, 20 + i * 5, 0, 0); /**/
-    BN_rand(b, 2 + i, 0, 0);      /**/
-
-    if (!BN_mod_exp_mont_consttime(d, a, b, c, ctx, NULL))
-      return (00);
-
-    if (bp != NULL) {
-      if (!results) {
-        BN_print(bp, a);
-        BIO_puts(bp, " ^ ");
-        BN_print(bp, b);
-        BIO_puts(bp, " % ");
-        BN_print(bp, c);
-        BIO_puts(bp, " - ");
-      }
-      BN_print(bp, d);
-      BIO_puts(bp, "\n");
-    }
-    BN_exp(e, a, b, ctx);
-    BN_sub(e, e, d);
-    BN_div(a, b, e, c, ctx);
-    if (!BN_is_zero(b)) {
-      fprintf(stderr, "Modulo exponentiation test failed!\n");
-      return 0;
-    }
-  }
-  BN_free(a);
-  BN_free(b);
-  BN_free(c);
-  BN_free(d);
-  BN_free(e);
-  return (1);
-}
-
-/* Test constant-time modular exponentiation with 1024-bit inputs,
- * which on x86_64 cause a different code branch to be taken. */
-int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx) {
-  BIGNUM *a, *p, *m, *d, *e;
-
-  BN_MONT_CTX *mont;
-
-  a = BN_new();
-  p = BN_new();
-  m = BN_new();
-  d = BN_new();
-  e = BN_new();
-
-  mont = BN_MONT_CTX_new();
-
-  BN_rand(m, 1024, 0, 1); /* must be odd for montgomery */
-  /* Zero exponent */
-  BN_rand(a, 1024, 0, 0);
-  BN_zero(p);
-  if (!BN_mod_exp_mont_consttime(d, a, p, m, ctx, NULL))
-    return 0;
-  if (!BN_is_one(d)) {
-    fprintf(stderr, "Modular exponentiation test failed!\n");
-    return 0;
-  }
-  /* Zero input */
-  BN_rand(p, 1024, 0, 0);
-  BN_zero(a);
-  if (!BN_mod_exp_mont_consttime(d, a, p, m, ctx, NULL))
-    return 0;
-  if (!BN_is_zero(d)) {
-    fprintf(stderr, "Modular exponentiation test failed!\n");
-    return 0;
-  }
-  /* Craft an input whose Montgomery representation is 1,
-   * i.e., shorter than the modulus m, in order to test
-   * the const time precomputation scattering/gathering.
-   */
-  BN_one(a);
-  BN_MONT_CTX_set(mont, m, ctx);
-  if (!BN_from_montgomery(e, a, mont, ctx) ||
-      !BN_mod_exp_mont_consttime(d, e, p, m, ctx, NULL) ||
-      !BN_mod_exp(a, e, p, m, ctx)) {
-    return 0;
-  }
-  if (BN_cmp(a, d) != 0) {
-    fprintf(stderr, "Modular exponentiation test failed!\n");
-    return 0;
-  }
-  /* Finally, some regular test vectors. */
-  BN_rand(e, 1024, 0, 0);
-  if (!BN_mod_exp_mont_consttime(d, e, p, m, ctx, NULL))
-    return 0;
-  if (!BN_mod_exp(a, e, p, m, ctx))
-    return 0;
-  if (BN_cmp(a, d) != 0) {
-    fprintf(stderr, "Modular exponentiation test failed!\n");
-    return 0;
-  }
-
-  BN_MONT_CTX_free(mont);
-  BN_free(a);
-  BN_free(p);
-  BN_free(m);
-  BN_free(d);
-  BN_free(e);
-  return (1);
-}
-
-int test_exp(BIO *bp, BN_CTX *ctx) {
-  BIGNUM *a, *b, *d, *e, *one;
-  int i;
-
-  a = BN_new();
-  b = BN_new();
-  d = BN_new();
-  e = BN_new();
-  one = BN_new();
-  BN_one(one);
-
-  for (i = 0; i < num2; i++) {
-    BN_rand(a, 20 + i * 5, 0, 0); /**/
-    BN_rand(b, 2 + i, 0, 0);      /**/
-
-    if (BN_exp(d, a, b, ctx) <= 0)
-      return (0);
-
-    if (bp != NULL) {
-      if (!results) {
-        BN_print(bp, a);
-        BIO_puts(bp, " ^ ");
-        BN_print(bp, b);
-        BIO_puts(bp, " - ");
-      }
-      BN_print(bp, d);
-      BIO_puts(bp, "\n");
-    }
-    BN_one(e);
-    for (; !BN_is_zero(b); BN_sub(b, b, one))
-      BN_mul(e, e, a, ctx);
-    BN_sub(e, e, d);
-    if (!BN_is_zero(e)) {
-      fprintf(stderr, "Exponentiation test failed!\n");
-      return 0;
-    }
-  }
-  BN_free(a);
-  BN_free(b);
-  BN_free(d);
-  BN_free(e);
-  BN_free(one);
-  return (1);
-}
-
-/* test_exp_mod_zero tests that x**0 mod 1 == 0. */
-static int test_exp_mod_zero(void) {
-  BIGNUM a, p, m;
-  BIGNUM r;
-  BN_CTX *ctx = BN_CTX_new();
-  int ret = 0;
-
-  BN_init(&m);
-  BN_one(&m);
-
-  BN_init(&a);
-  BN_one(&a);
-
-  BN_init(&p);
-  BN_zero(&p);
-
-  BN_init(&r);
-  BN_mod_exp(&r, &a, &p, &m, ctx);
-  BN_CTX_free(ctx);
-
-  if (BN_is_zero(&r)) {
-    ret = 1;
-  } else {
-    printf("1**0 mod 1 = ");
-    BN_print_fp(stdout, &r);
-    printf(", should be 0\n");
-  }
-
-  BN_free(&r);
-  BN_free(&a);
-  BN_free(&p);
-  BN_free(&m);
-
-  return ret;
-}
-
-static int genprime_cb(int p, int n, BN_GENCB *arg) {
-  char c = '*';
-
-  if (p == 0)
-    c = '.';
-  if (p == 1)
-    c = '+';
-  if (p == 2)
-    c = '*';
-  if (p == 3)
-    c = '\n';
-  putc(c, stdout);
-  fflush(stdout);
-  return 1;
-}
-
-int test_mod_sqrt(BIO *bp, BN_CTX *ctx) {
-  BN_GENCB cb;
-  BIGNUM *a, *p, *r;
-  int i, j;
-  int ret = 0;
-
-  a = BN_new();
-  p = BN_new();
-  r = BN_new();
-  if (a == NULL || p == NULL || r == NULL)
-    goto err;
-
-  BN_GENCB_set(&cb, genprime_cb, NULL);
-
-  for (i = 0; i < 16; i++) {
-    if (i < 8) {
-      unsigned primes[8] = {2, 3, 5, 7, 11, 13, 17, 19};
-
-      if (!BN_set_word(p, primes[i]))
-        goto err;
-    } else {
-      if (!BN_set_word(a, 32))
-        goto err;
-      if (!BN_set_word(r, 2 * i + 1))
-        goto err;
-
-      if (!BN_generate_prime_ex(p, 256, 0, a, r, &cb))
-        goto err;
-      putc('\n', stdout);
-    }
-    p->neg = rand_neg();
-
-    for (j = 0; j < num2; j++) {
-      /* construct 'a' such that it is a square modulo p,
-       * but in general not a proper square and not reduced modulo p */
-      if (!BN_rand(r, 256, 0, 3))
-        goto err;
-      if (!BN_nnmod(r, r, p, ctx))
-        goto err;
-      if (!BN_mod_sqr(r, r, p, ctx))
-        goto err;
-      if (!BN_rand(a, 256, 0, 3))
-        goto err;
-      if (!BN_nnmod(a, a, p, ctx))
-        goto err;
-      if (!BN_mod_sqr(a, a, p, ctx))
-        goto err;
-      if (!BN_mul(a, a, r, ctx))
-        goto err;
-      if (rand_neg())
-        if (!BN_sub(a, a, p))
-          goto err;
-
-      if (!BN_mod_sqrt(r, a, p, ctx))
-        goto err;
-      if (!BN_mod_sqr(r, r, p, ctx))
-        goto err;
-
-      if (!BN_nnmod(a, a, p, ctx))
-        goto err;
-
-      if (BN_cmp(a, r) != 0) {
-        fprintf(stderr, "BN_mod_sqrt failed: a = ");
-        BN_print_fp(stderr, a);
-        fprintf(stderr, ", r = ");
-        BN_print_fp(stderr, r);
-        fprintf(stderr, ", p = ");
-        BN_print_fp(stderr, p);
-        fprintf(stderr, "\n");
-        goto err;
-      }
-
-      putc('.', stdout);
-      fflush(stdout);
-    }
-
-    putc('\n', stdout);
-    fflush(stderr);
-  }
-  ret = 1;
-err:
-  if (a != NULL)
-    BN_free(a);
-  if (p != NULL)
-    BN_free(p);
-  if (r != NULL)
-    BN_free(r);
-  return ret;
-}
-
-int test_small_prime(BIO *bp, BN_CTX *ctx) {
-  static const int bits = 10;
-  int ret = 0;
-  BIGNUM r;
-
-  BN_init(&r);
-  if (!BN_generate_prime_ex(&r, bits, 0, NULL, NULL, NULL)) {
-    goto err;
-  }
-  if (BN_num_bits(&r) != bits) {
-    BIO_printf(bp, "Expected %d bit prime, got %d bit number\n", bits,
-               BN_num_bits(&r));
-    goto err;
-  }
-
-  ret = 1;
-
-err:
-  BN_free(&r);
-  return ret;
-}
-
-int test_sqrt(BIO *bp, BN_CTX *ctx) {
-  BIGNUM *n = BN_new(), *nn = BN_new(), *sqrt = BN_new();
-  unsigned i;
-
-  /* Test some random squares. */
-  for (i = 0; i < 100; i++) {
-    if (!BN_rand(n, 1024 /* bit length */, -1 /* no modification of top bits */,
-                 0 /* don't modify bottom bit */) ||
-        !BN_mul(nn, n, n, ctx) ||
-        !BN_sqrt(sqrt, nn, ctx)) {
-      BIO_print_errors_fp(stderr);
-      return 0;
-    }
-    if (BN_cmp(n, sqrt) != 0) {
-      fprintf(stderr, "Bad result from BN_sqrt.\n");
-      return 0;
-    }
-  }
-
-  /* Test some non-squares */
-  for (i = 0; i < 100; i++) {
-    if (!BN_rand(n, 1024 /* bit length */, -1 /* no modification of top bits */,
-                 0 /* don't modify bottom bit */) ||
-        !BN_mul(nn, n, n, ctx) ||
-        !BN_add(nn, nn, BN_value_one())) {
-      BIO_print_errors_fp(stderr);
-      return 0;
-    }
-
-    if (BN_sqrt(sqrt, nn, ctx)) {
-      char *nn_str = BN_bn2dec(nn);
-      fprintf(stderr, "BIO_sqrt didn't fail on a non-square: %s\n", nn_str);
-      OPENSSL_free(nn_str);
-    }
-  }
-
-  BN_free(n);
-  BN_free(sqrt);
-  BN_free(nn);
-
-  return 1;
-}
-
-int test_bn2bin_padded(BIO *bp, BN_CTX *ctx) {
-  BIGNUM *n = BN_new();
-  uint8_t zeros[256], out[256], reference[128];
-  size_t bytes;
-
-  memset(zeros, 0, sizeof(zeros));
-
-  /* Test edge case at 0. */
-  if (!BN_bn2bin_padded(NULL, 0, n)) {
-    fprintf(stderr,
-            "BN_bn2bin_padded failed to encode 0 in an empty buffer.\n");
-    return 0;
-  }
-  memset(out, -1, sizeof(out));
-  if (!BN_bn2bin_padded(out, sizeof(out), n)) {
-    fprintf(stderr,
-            "BN_bn2bin_padded failed to encode 0 in a non-empty buffer.\n");
-    return 0;
-  }
-  if (memcmp(zeros, out, sizeof(out))) {
-    fprintf(stderr, "BN_bn2bin_padded did not zero buffer.\n");
-    return 0;
-  }
-
-  /* Test a random numbers at various byte lengths. */
-  for (bytes = 128 - 7; bytes <= 128; bytes++) {
-    if (!BN_rand(n, bytes * 8, 0 /* make sure top bit is 1 */,
-                 0 /* don't modify bottom bit */)) {
-      BIO_print_errors_fp(stderr);
-      return 0;
-    }
-    if (BN_num_bytes(n) != bytes || BN_bn2bin(n, reference) != bytes) {
-      fprintf(stderr, "Bad result from BN_rand; bytes.\n");
-      return 0;
-    }
-    /* Empty buffer should fail. */
-    if (BN_bn2bin_padded(NULL, 0, n)) {
-      fprintf(stderr,
-              "BN_bn2bin_padded incorrectly succeeded on empty buffer.\n");
-      return 0;
-    }
-    /* One byte short should fail. */
-    if (BN_bn2bin_padded(out, bytes - 1, n)) {
-      fprintf(stderr, "BN_bn2bin_padded incorrectly succeeded on short.\n");
-      return 0;
-    }
-    /* Exactly right size should encode. */
-    if (!BN_bn2bin_padded(out, bytes, n) ||
-        memcmp(out, reference, bytes) != 0) {
-      fprintf(stderr, "BN_bn2bin_padded gave a bad result.\n");
-      return 0;
-    }
-    /* Pad up one byte extra. */
-    if (!BN_bn2bin_padded(out, bytes + 1, n) ||
-        memcmp(out + 1, reference, bytes) || memcmp(out, zeros, 1)) {
-      fprintf(stderr, "BN_bn2bin_padded gave a bad result.\n");
-      return 0;
-    }
-    /* Pad up to 256. */
-    if (!BN_bn2bin_padded(out, sizeof(out), n) ||
-        memcmp(out + sizeof(out) - bytes, reference, bytes) ||
-        memcmp(out, zeros, sizeof(out) - bytes)) {
-      fprintf(stderr, "BN_bn2bin_padded gave a bad result.\n");
-      return 0;
-    }
-  }
-
-  BN_free(n);
-
-  return 1;
-}
diff --git a/src/crypto/bn/bn_test.cc b/src/crypto/bn/bn_test.cc
new file mode 100644
index 0000000..9aa2bf5
--- /dev/null
+++ b/src/crypto/bn/bn_test.cc
@@ -0,0 +1,1619 @@
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ *
+ * Portions of the attached software ("Contribution") are developed by
+ * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
+ *
+ * The Contribution is licensed pursuant to the Eric Young open source
+ * license provided above.
+ *
+ * The binary polynomial arithmetic software is originally written by
+ * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems
+ * Laboratories. */
+
+/* For BIGNUM format macros. */
+#if !defined(__STDC_FORMAT_MACROS)
+#define __STDC_FORMAT_MACROS
+#endif
+
+#include <stdio.h>
+#include <string.h>
+
+#include <openssl/bn.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/mem.h>
+
+#include "../crypto/test/scoped_types.h"
+
+
+static const int num0 = 100; // number of tests
+static const int num1 = 50;  // additional tests for some functions
+static const int num2 = 5;   // number of tests for slow functions
+
+static bool test_add(FILE *fp);
+static bool test_sub(FILE *fp);
+static bool test_lshift1(FILE *fp);
+static bool test_lshift(FILE *fp, BN_CTX *ctx, ScopedBIGNUM a);
+static bool test_rshift1(FILE *fp);
+static bool test_rshift(FILE *fp, BN_CTX *ctx);
+static bool test_sqr(FILE *fp, BN_CTX *ctx);
+static bool test_mul(FILE *fp);
+static bool test_div(FILE *fp, BN_CTX *ctx);
+static int rand_neg();
+
+static bool test_div_word(FILE *fp);
+static bool test_mont(FILE *fp, BN_CTX *ctx);
+static bool test_mod(FILE *fp, BN_CTX *ctx);
+static bool test_mod_mul(FILE *fp, BN_CTX *ctx);
+static bool test_mod_exp(FILE *fp, BN_CTX *ctx);
+static bool test_mod_exp_mont_consttime(FILE *fp, BN_CTX *ctx);
+static bool test_exp(FILE *fp, BN_CTX *ctx);
+static bool test_mod_sqrt(FILE *fp, BN_CTX *ctx);
+static bool test_exp_mod_zero(void);
+static bool test_small_prime(FILE *fp, BN_CTX *ctx);
+static bool test_mod_exp_mont5(FILE *fp, BN_CTX *ctx);
+static bool test_sqrt(FILE *fp, BN_CTX *ctx);
+static bool test_bn2bin_padded(FILE *fp, BN_CTX *ctx);
+static bool test_dec2bn(FILE *fp, BN_CTX *ctx);
+static bool test_hex2bn(FILE *fp, BN_CTX *ctx);
+static bool test_asc2bn(FILE *fp, BN_CTX *ctx);
+
+// g_results can be set to true to cause the result of each computation to be
+// printed.
+static bool g_results = false;
+
+static const uint8_t kSample[] =
+    "\xC6\x4F\x43\x04\x2A\xEA\xCA\x6E\x58\x36\x80\x5B\xE8\xC9"
+    "\x9B\x04\x5D\x48\x36\xC2\xFD\x16\xC9\x64\xF0";
+
+// A wrapper around puts that takes its arguments in the same order as our *_fp
+// functions.
+static void puts_fp(FILE *out, const char *m) {
+  fputs(m, out);
+}
+
+static void message(FILE *out, const char *m) {
+  puts_fp(out, "print \"test ");
+  puts_fp(out, m);
+  puts_fp(out, "\\n\"\n");
+}
+
+int main(int argc, char *argv[]) {
+  CRYPTO_library_init();
+
+  argc--;
+  argv++;
+  while (argc >= 1) {
+    if (strcmp(*argv, "-results") == 0) {
+      g_results = true;
+    }
+    argc--;
+    argv++;
+  }
+
+
+  ScopedBN_CTX ctx(BN_CTX_new());
+  if (!ctx) {
+    return 1;
+  }
+
+  if (!g_results) {
+    puts_fp(stdout, "obase=16\nibase=16\n");
+  }
+
+  message(stdout, "BN_add");
+  if (!test_add(stdout)) {
+    return 1;
+  }
+  fflush(stdout);
+
+  message(stdout, "BN_sub");
+  if (!test_sub(stdout)) {
+    return 1;
+  }
+  fflush(stdout);
+
+  message(stdout, "BN_lshift1");
+  if (!test_lshift1(stdout)) {
+    return 1;
+  }
+  fflush(stdout);
+
+  message(stdout, "BN_lshift (fixed)");
+  ScopedBIGNUM sample(BN_bin2bn(kSample, sizeof(kSample) - 1, NULL));
+  if (!sample) {
+    return 1;
+  }
+  if (!test_lshift(stdout, ctx.get(), bssl::move(sample))) {
+    return 1;
+  }
+  fflush(stdout);
+
+  message(stdout, "BN_lshift");
+  if (!test_lshift(stdout, ctx.get(), nullptr)) {
+    return 1;
+  }
+  fflush(stdout);
+
+  message(stdout, "BN_rshift1");
+  if (!test_rshift1(stdout)) {
+    return 1;
+  }
+  fflush(stdout);
+
+  message(stdout, "BN_rshift");
+  if (!test_rshift(stdout, ctx.get())) {
+    return 1;
+  }
+  fflush(stdout);
+
+  message(stdout, "BN_sqr");
+  if (!test_sqr(stdout, ctx.get())) {
+    return 1;
+  }
+  fflush(stdout);
+
+  message(stdout, "BN_mul");
+  if (!test_mul(stdout)) {
+    return 1;
+  }
+  fflush(stdout);
+
+  message(stdout, "BN_div");
+  if (!test_div(stdout, ctx.get())) {
+    return 1;
+  }
+  fflush(stdout);
+
+  message(stdout, "BN_div_word");
+  if (!test_div_word(stdout)) {
+    return 1;
+  }
+  fflush(stdout);
+
+  message(stdout, "BN_mod");
+  if (!test_mod(stdout, ctx.get())) {
+    return 1;
+  }
+  fflush(stdout);
+
+  message(stdout, "BN_mod_mul");
+  if (!test_mod_mul(stdout, ctx.get())) {
+    return 1;
+  }
+  fflush(stdout);
+
+  message(stdout, "BN_mont");
+  if (!test_mont(stdout, ctx.get())) {
+    return 1;
+  }
+  fflush(stdout);
+
+  message(stdout, "BN_mod_exp");
+  if (!test_mod_exp(stdout, ctx.get())) {
+    return 1;
+  }
+  fflush(stdout);
+
+  message(stdout, "BN_mod_exp_mont_consttime");
+  if (!test_mod_exp_mont_consttime(stdout, ctx.get()) ||
+      !test_mod_exp_mont5(stdout, ctx.get())) {
+    return 1;
+  }
+  fflush(stdout);
+
+  message(stdout, "BN_exp");
+  if (!test_exp(stdout, ctx.get()) ||
+      !test_exp_mod_zero()) {
+    return 1;
+  }
+  fflush(stdout);
+
+  message(stdout, "BN_mod_sqrt");
+  if (!test_mod_sqrt(stdout, ctx.get())) {
+    return 1;
+  }
+  fflush(stdout);
+
+  message(stdout, "Small prime generation");
+  if (!test_small_prime(stdout, ctx.get())) {
+    return 1;
+  }
+  fflush(stdout);
+
+  message(stdout, "BN_sqrt");
+  if (!test_sqrt(stdout, ctx.get())) {
+    return 1;
+  }
+  fflush(stdout);
+
+  message(stdout, "BN_bn2bin_padded");
+  if (!test_bn2bin_padded(stdout, ctx.get())) {
+    return 1;
+  }
+  fflush(stdout);
+
+  message(stdout, "BN_dec2bn");
+  if (!test_dec2bn(stdout, ctx.get())) {
+    return 1;
+  }
+  fflush(stdout);
+
+  message(stdout, "BN_hex2bn");
+  if (!test_hex2bn(stdout, ctx.get())) {
+    return 1;
+  }
+  fflush(stdout);
+
+  message(stdout, "BN_asc2bn");
+  if (!test_asc2bn(stdout, ctx.get())) {
+    return 1;
+  }
+  fflush(stdout);
+
+  printf("PASS\n");
+  return 0;
+}
+
+static bool test_add(FILE *fp) {
+  ScopedBIGNUM a(BN_new());
+  ScopedBIGNUM b(BN_new());
+  ScopedBIGNUM c(BN_new());
+  if (!a || !b || !c || !BN_rand(a.get(), 512, 0, 0)) {
+    return false;
+  }
+
+  for (int i = 0; i < num0; i++) {
+    if (!BN_rand(b.get(), 450 + i, 0, 0)) {
+      return false;
+    }
+    a->neg = rand_neg();
+    b->neg = rand_neg();
+    if (!BN_add(c.get(), a.get(), b.get())) {
+      return false;
+    }
+    if (fp != NULL) {
+      if (!g_results) {
+        BN_print_fp(fp, a.get());
+        puts_fp(fp, " + ");
+        BN_print_fp(fp, b.get());
+        puts_fp(fp, " - ");
+      }
+      BN_print_fp(fp, c.get());
+      puts_fp(fp, "\n");
+    }
+    a->neg = !a->neg;
+    b->neg = !b->neg;
+    if (!BN_add(c.get(), c.get(), b.get()) ||
+        !BN_add(c.get(), c.get(), a.get())) {
+      return false;
+    }
+    if (!BN_is_zero(c.get())) {
+      fprintf(stderr, "Add test failed!\n");
+      return false;
+    }
+  }
+  return true;
+}
+
+static bool test_sub(FILE *fp) {
+  ScopedBIGNUM a(BN_new());
+  ScopedBIGNUM b(BN_new());
+  ScopedBIGNUM c(BN_new());
+  if (!a || !b || !c) {
+    return false;
+  }
+
+  for (int i = 0; i < num0 + num1; i++) {
+    if (i < num1) {
+      if (!BN_rand(a.get(), 512, 0, 0) ||
+          !BN_copy(b.get(), a.get()) ||
+          !BN_set_bit(a.get(), i) ||
+          !BN_add_word(b.get(), i)) {
+        return false;
+      }
+    } else {
+      if (!BN_rand(b.get(), 400 + i - num1, 0, 0)) {
+        return false;
+      }
+      a->neg = rand_neg();
+      b->neg = rand_neg();
+    }
+    if (!BN_sub(c.get(), a.get(), b.get())) {
+      return false;
+    }
+    if (fp != NULL) {
+      if (!g_results) {
+        BN_print_fp(fp, a.get());
+        puts_fp(fp, " - ");
+        BN_print_fp(fp, b.get());
+        puts_fp(fp, " - ");
+      }
+      BN_print_fp(fp, c.get());
+      puts_fp(fp, "\n");
+    }
+    if (!BN_add(c.get(), c.get(), b.get()) ||
+        !BN_sub(c.get(), c.get(), a.get())) {
+      return false;
+    }
+    if (!BN_is_zero(c.get())) {
+      fprintf(stderr, "Subtract test failed!\n");
+      return false;
+    }
+  }
+  return true;
+}
+
+static bool test_div(FILE *fp, BN_CTX *ctx) {
+  ScopedBIGNUM a(BN_new());
+  ScopedBIGNUM b(BN_new());
+  ScopedBIGNUM c(BN_new());
+  ScopedBIGNUM d(BN_new());
+  ScopedBIGNUM e(BN_new());
+  if (!a || !b || !c || !d || !e) {
+    return false;
+  }
+
+  for (int i = 0; i < num0 + num1; i++) {
+    if (i < num1) {
+      if (!BN_rand(a.get(), 400, 0, 0) ||
+          !BN_copy(b.get(), a.get()) ||
+          !BN_lshift(a.get(), a.get(), i) ||
+          !BN_add_word(a.get(), i)) {
+        return false;
+      }
+    } else if (!BN_rand(b.get(), 50 + 3 * (i - num1), 0, 0)) {
+      return false;
+    }
+    a->neg = rand_neg();
+    b->neg = rand_neg();
+    if (!BN_div(d.get(), c.get(), a.get(), b.get(), ctx)) {
+      return false;
+    }
+    if (fp != NULL) {
+      if (!g_results) {
+        BN_print_fp(fp, a.get());
+        puts_fp(fp, " / ");
+        BN_print_fp(fp, b.get());
+        puts_fp(fp, " - ");
+      }
+      BN_print_fp(fp, d.get());
+      puts_fp(fp, "\n");
+
+      if (!g_results) {
+        BN_print_fp(fp, a.get());
+        puts_fp(fp, " % ");
+        BN_print_fp(fp, b.get());
+        puts_fp(fp, " - ");
+      }
+      BN_print_fp(fp, c.get());
+      puts_fp(fp, "\n");
+    }
+    if (!BN_mul(e.get(), d.get(), b.get(), ctx) ||
+        !BN_add(d.get(), e.get(), c.get()) ||
+        !BN_sub(d.get(), d.get(), a.get())) {
+      return false;
+    }
+    if (!BN_is_zero(d.get())) {
+      fprintf(stderr, "Division test failed!\n");
+      return false;
+    }
+  }
+
+  // Test that BN_div never gives negative zero in the quotient.
+  if (!BN_set_word(a.get(), 1) ||
+      !BN_set_word(b.get(), 2)) {
+    return false;
+  }
+  BN_set_negative(a.get(), 1);
+  if (!BN_div(d.get(), c.get(), a.get(), b.get(), ctx)) {
+    return false;
+  }
+  if (!BN_is_zero(d.get()) || BN_is_negative(d.get())) {
+    fprintf(stderr, "Division test failed!\n");
+    return false;
+  }
+
+  // Test that BN_div never gives negative zero in the remainder.
+  if (!BN_set_word(b.get(), 1)) {
+    return false;
+  }
+  if (!BN_div(d.get(), c.get(), a.get(), b.get(), ctx)) {
+    return false;
+  }
+  if (!BN_is_zero(c.get()) || BN_is_negative(c.get())) {
+    fprintf(stderr, "Division test failed!\n");
+    return false;
+  }
+
+  return true;
+}
+
+static bool test_lshift1(FILE *fp) {
+  ScopedBIGNUM a(BN_new());
+  ScopedBIGNUM b(BN_new());
+  ScopedBIGNUM c(BN_new());
+  if (!a || !b || !c || !BN_rand(a.get(), 200, 0, 0)) {
+    return false;
+  }
+  a->neg = rand_neg();
+  for (int i = 0; i < num0; i++) {
+    if (!BN_lshift1(b.get(), a.get())) {
+      return false;
+    }
+    if (fp != NULL) {
+      if (!g_results) {
+        BN_print_fp(fp, a.get());
+        puts_fp(fp, " * 2");
+        puts_fp(fp, " - ");
+      }
+      BN_print_fp(fp, b.get());
+      puts_fp(fp, "\n");
+    }
+    if (!BN_add(c.get(), a.get(), a.get()) ||
+        !BN_sub(a.get(), b.get(), c.get())) {
+      return false;
+    }
+    if (!BN_is_zero(a.get())) {
+      fprintf(stderr, "Left shift one test failed!\n");
+      return false;
+    }
+
+    if (!BN_copy(a.get(), b.get())) {
+      return false;
+    }
+  }
+  return true;
+}
+
+static bool test_rshift(FILE *fp, BN_CTX *ctx) {
+  ScopedBIGNUM a(BN_new());
+  ScopedBIGNUM b(BN_new());
+  ScopedBIGNUM c(BN_new());
+  ScopedBIGNUM d(BN_new());
+  ScopedBIGNUM e(BN_new());
+  if (!a || !b || !c || !d || !e || !BN_one(c.get()) ||
+      !BN_rand(a.get(), 200, 0, 0)) {
+    return false;
+  }
+  a->neg = rand_neg();
+  for (int i = 0; i < num0; i++) {
+    if (!BN_rshift(b.get(), a.get(), i + 1) ||
+        !BN_add(c.get(), c.get(), c.get())) {
+      return false;
+    }
+    if (fp != NULL) {
+      if (!g_results) {
+        BN_print_fp(fp, a.get());
+        puts_fp(fp, " / ");
+        BN_print_fp(fp, c.get());
+        puts_fp(fp, " - ");
+      }
+      BN_print_fp(fp, b.get());
+      puts_fp(fp, "\n");
+    }
+    if (!BN_div(d.get(), e.get(), a.get(), c.get(), ctx) ||
+        !BN_sub(d.get(), d.get(), b.get())) {
+      return false;
+    }
+    if (!BN_is_zero(d.get())) {
+      fprintf(stderr, "Right shift test failed!\n");
+      return false;
+    }
+  }
+  return true;
+}
+
+static bool test_rshift1(FILE *fp) {
+  ScopedBIGNUM a(BN_new());
+  ScopedBIGNUM b(BN_new());
+  ScopedBIGNUM c(BN_new());
+  if (!a || !b || !c || !BN_rand(a.get(), 200, 0, 0)) {
+    return false;
+  }
+  a->neg = rand_neg();
+
+  for (int i = 0; i < num0; i++) {
+    if (!BN_rshift1(b.get(), a.get())) {
+      return false;
+    }
+    if (fp != NULL) {
+      if (!g_results) {
+        BN_print_fp(fp, a.get());
+        puts_fp(fp, " / 2");
+        puts_fp(fp, " - ");
+      }
+      BN_print_fp(fp, b.get());
+      puts_fp(fp, "\n");
+    }
+    if (!BN_sub(c.get(), a.get(), b.get()) ||
+        !BN_sub(c.get(), c.get(), b.get())) {
+      return false;
+    }
+    if (!BN_is_zero(c.get()) && !BN_abs_is_word(c.get(), 1)) {
+      fprintf(stderr, "Right shift one test failed!\n");
+      return false;
+    }
+    if (!BN_copy(a.get(), b.get())) {
+      return false;
+    }
+  }
+  return true;
+}
+
+static bool test_lshift(FILE *fp, BN_CTX *ctx, ScopedBIGNUM a) {
+  if (!a) {
+    a.reset(BN_new());
+    if (!a || !BN_rand(a.get(), 200, 0, 0)) {
+      return false;
+    }
+    a->neg = rand_neg();
+  }
+
+  ScopedBIGNUM b(BN_new());
+  ScopedBIGNUM c(BN_new());
+  ScopedBIGNUM d(BN_new());
+  if (!b || !c || !d || !BN_one(c.get())) {
+    return false;
+  }
+
+  for (int i = 0; i < num0; i++) {
+    if (!BN_lshift(b.get(), a.get(), i + 1) ||
+        !BN_add(c.get(), c.get(), c.get())) {
+      return false;
+    }
+    if (fp != NULL) {
+      if (!g_results) {
+        BN_print_fp(fp, a.get());
+        puts_fp(fp, " * ");
+        BN_print_fp(fp, c.get());
+        puts_fp(fp, " - ");
+      }
+      BN_print_fp(fp, b.get());
+      puts_fp(fp, "\n");
+    }
+    if (!BN_mul(d.get(), a.get(), c.get(), ctx) ||
+        !BN_sub(d.get(), d.get(), b.get())) {
+      return false;
+    }
+    if (!BN_is_zero(d.get())) {
+      fprintf(stderr, "Left shift test failed!\n");
+      fprintf(stderr, "a=");
+      BN_print_fp(stderr, a.get());
+      fprintf(stderr, "\nb=");
+      BN_print_fp(stderr, b.get());
+      fprintf(stderr, "\nc=");
+      BN_print_fp(stderr, c.get());
+      fprintf(stderr, "\nd=");
+      BN_print_fp(stderr, d.get());
+      fprintf(stderr, "\n");
+      return false;
+    }
+  }
+  return true;
+}
+
+static bool test_mul(FILE *fp) {
+  ScopedBN_CTX ctx(BN_CTX_new());
+  ScopedBIGNUM a(BN_new());
+  ScopedBIGNUM b(BN_new());
+  ScopedBIGNUM c(BN_new());
+  ScopedBIGNUM d(BN_new());
+  ScopedBIGNUM e(BN_new());
+  if (!ctx || !a || !b || !c || !d || !e) {
+    return false;
+  }
+
+  for (int i = 0; i < num0 + num1; i++) {
+    if (i <= num1) {
+      if (!BN_rand(a.get(), 100, 0, 0) ||
+          !BN_rand(b.get(), 100, 0, 0)) {
+        return false;
+      }
+    } else if (!BN_rand(b.get(), i - num1, 0, 0)) {
+      return false;
+    }
+    a->neg = rand_neg();
+    b->neg = rand_neg();
+    if (!BN_mul(c.get(), a.get(), b.get(), ctx.get())) {
+      return false;
+    }
+    if (fp != NULL) {
+      if (!g_results) {
+        BN_print_fp(fp, a.get());
+        puts_fp(fp, " * ");
+        BN_print_fp(fp, b.get());
+        puts_fp(fp, " - ");
+      }
+      BN_print_fp(fp, c.get());
+      puts_fp(fp, "\n");
+    }
+    if (!BN_div(d.get(), e.get(), c.get(), a.get(), ctx.get()) ||
+        !BN_sub(d.get(), d.get(), b.get())) {
+      return false;
+    }
+    if (!BN_is_zero(d.get()) || !BN_is_zero(e.get())) {
+      fprintf(stderr, "Multiplication test failed!\n");
+      return false;
+    }
+  }
+
+  // Test that BN_mul never gives negative zero.
+  if (!BN_set_word(a.get(), 1)) {
+    return false;
+  }
+  BN_set_negative(a.get(), 1);
+  BN_zero(b.get());
+  if (!BN_mul(c.get(), a.get(), b.get(), ctx.get())) {
+    return false;
+  }
+  if (!BN_is_zero(c.get()) || BN_is_negative(c.get())) {
+    fprintf(stderr, "Multiplication test failed!\n");
+    return false;
+  }
+
+  return true;
+}
+
+static bool test_sqr(FILE *fp, BN_CTX *ctx) {
+  ScopedBIGNUM a(BN_new());
+  ScopedBIGNUM c(BN_new());
+  ScopedBIGNUM d(BN_new());
+  ScopedBIGNUM e(BN_new());
+  if (!a || !c || !d || !e) {
+    return false;
+  }
+
+  for (int i = 0; i < num0; i++) {
+    if (!BN_rand(a.get(), 40 + i * 10, 0, 0)) {
+      return false;
+    }
+    a->neg = rand_neg();
+    if (!BN_sqr(c.get(), a.get(), ctx)) {
+      return false;
+    }
+    if (fp != NULL) {
+      if (!g_results) {
+        BN_print_fp(fp, a.get());
+        puts_fp(fp, " * ");
+        BN_print_fp(fp, a.get());
+        puts_fp(fp, " - ");
+      }
+      BN_print_fp(fp, c.get());
+      puts_fp(fp, "\n");
+    }
+    if (!BN_div(d.get(), e.get(), c.get(), a.get(), ctx) ||
+        !BN_sub(d.get(), d.get(), a.get())) {
+      return false;
+    }
+    if (!BN_is_zero(d.get()) || !BN_is_zero(e.get())) {
+      fprintf(stderr, "Square test failed!\n");
+      return false;
+    }
+  }
+
+  // Regression test for a BN_sqr overflow bug.
+  BIGNUM *a_raw = a.get();
+  if (!BN_hex2bn(
+          &a_raw,
+          "80000000000000008000000000000001FFFFFFFFFFFFFFFE0000000000000000") ||
+      !BN_sqr(c.get(), a.get(), ctx)) {
+    return false;
+  }
+  if (fp != NULL) {
+    if (!g_results) {
+      BN_print_fp(fp, a.get());
+      puts_fp(fp, " * ");
+      BN_print_fp(fp, a.get());
+      puts_fp(fp, " - ");
+    }
+    BN_print_fp(fp, c.get());
+    puts_fp(fp, "\n");
+  }
+  if (!BN_mul(d.get(), a.get(), a.get(), ctx)) {
+    return false;
+  }
+  if (BN_cmp(c.get(), d.get())) {
+    fprintf(stderr,
+            "Square test failed: BN_sqr and BN_mul produce "
+            "different results!\n");
+    return false;
+  }
+
+  // Regression test for a BN_sqr overflow bug.
+  a_raw = a.get();
+  if (!BN_hex2bn(
+          &a_raw,
+          "80000000000000000000000080000001FFFFFFFE000000000000000000000000") ||
+      !BN_sqr(c.get(), a.get(), ctx)) {
+    return false;
+  }
+  if (fp != NULL) {
+    if (!g_results) {
+      BN_print_fp(fp, a.get());
+      puts_fp(fp, " * ");
+      BN_print_fp(fp, a.get());
+      puts_fp(fp, " - ");
+    }
+    BN_print_fp(fp, c.get());
+    puts_fp(fp, "\n");
+  }
+  if (!BN_mul(d.get(), a.get(), a.get(), ctx)) {
+    return false;
+  }
+  if (BN_cmp(c.get(), d.get())) {
+    fprintf(stderr,
+            "Square test failed: BN_sqr and BN_mul produce "
+            "different results!\n");
+    return false;
+  }
+
+  return true;
+}
+
+
+static int rand_neg() {
+  static unsigned int neg = 0;
+  static const int sign[8] = {0, 0, 0, 1, 1, 0, 1, 1};
+
+  return sign[(neg++) % 8];
+}
+
+static void print_word(FILE *fp, BN_ULONG w) {
+  fprintf(fp, BN_HEX_FMT1, w);
+}
+
+static bool test_div_word(FILE *fp) {
+  ScopedBIGNUM a(BN_new());
+  ScopedBIGNUM b(BN_new());
+  if (!a || !b) {
+    return false;
+  }
+
+  for (int i = 0; i < num0; i++) {
+    BN_ULONG s;
+    do {
+      if (!BN_rand(a.get(), 512, -1, 0) ||
+          !BN_rand(b.get(), BN_BITS2, -1, 0)) {
+        return false;
+      }
+      s = b->d[0];
+    } while (!s);
+
+    if (!BN_copy(b.get(), a.get())) {
+      return false;
+    }
+    BN_ULONG r = BN_div_word(b.get(), s);
+    if (r == (BN_ULONG)-1) {
+      return false;
+    }
+
+    if (fp != NULL) {
+      if (!g_results) {
+        BN_print_fp(fp, a.get());
+        puts_fp(fp, " / ");
+        print_word(fp, s);
+        puts_fp(fp, " - ");
+      }
+      BN_print_fp(fp, b.get());
+      puts_fp(fp, "\n");
+
+      if (!g_results) {
+        BN_print_fp(fp, a.get());
+        puts_fp(fp, " % ");
+        print_word(fp, s);
+        puts_fp(fp, " - ");
+      }
+      print_word(fp, r);
+      puts_fp(fp, "\n");
+    }
+    if (!BN_mul_word(b.get(), s) ||
+        !BN_add_word(b.get(), r) ||
+        !BN_sub(b.get(), a.get(), b.get())) {
+      return false;
+    }
+    if (!BN_is_zero(b.get())) {
+      fprintf(stderr, "Division (word) test failed!\n");
+      return false;
+    }
+  }
+  return true;
+}
+
+static bool test_mont(FILE *fp, BN_CTX *ctx) {
+  ScopedBIGNUM a(BN_new());
+  ScopedBIGNUM b(BN_new());
+  ScopedBIGNUM c(BN_new());
+  ScopedBIGNUM d(BN_new());
+  ScopedBIGNUM A(BN_new());
+  ScopedBIGNUM B(BN_new());
+  ScopedBIGNUM n(BN_new());
+  ScopedBN_MONT_CTX mont(BN_MONT_CTX_new());
+  if (!a || !b || !c || !d || !A || !B || !n || !mont ||
+      !BN_rand(a.get(), 100, 0, 0) ||
+      !BN_rand(b.get(), 100, 0, 0)) {
+    return false;
+  }
+
+  for (int i = 0; i < num2; i++) {
+    int bits = (200 * (i + 1)) / num2;
+
+    if (bits == 0) {
+      continue;
+    }
+    if (!BN_rand(n.get(), bits, 0, 1) ||
+        !BN_MONT_CTX_set(mont.get(), n.get(), ctx) ||
+        !BN_nnmod(a.get(), a.get(), n.get(), ctx) ||
+        !BN_nnmod(b.get(), b.get(), n.get(), ctx) ||
+        !BN_to_montgomery(A.get(), a.get(), mont.get(), ctx) ||
+        !BN_to_montgomery(B.get(), b.get(), mont.get(), ctx) ||
+        !BN_mod_mul_montgomery(c.get(), A.get(), B.get(), mont.get(), ctx) ||
+        !BN_from_montgomery(A.get(), c.get(), mont.get(), ctx)) {
+      return false;
+    }
+    if (fp != NULL) {
+      if (!g_results) {
+        BN_print_fp(fp, a.get());
+        puts_fp(fp, " * ");
+        BN_print_fp(fp, b.get());
+        puts_fp(fp, " % ");
+        BN_print_fp(fp, &mont->N);
+        puts_fp(fp, " - ");
+      }
+      BN_print_fp(fp, A.get());
+      puts_fp(fp, "\n");
+    }
+    if (!BN_mod_mul(d.get(), a.get(), b.get(), n.get(), ctx) ||
+        !BN_sub(d.get(), d.get(), A.get())) {
+      return false;
+    }
+    if (!BN_is_zero(d.get())) {
+      fprintf(stderr, "Montgomery multiplication test failed!\n");
+      return false;
+    }
+  }
+  return true;
+}
+
+static bool test_mod(FILE *fp, BN_CTX *ctx) {
+  ScopedBIGNUM a(BN_new());
+  ScopedBIGNUM b(BN_new());
+  ScopedBIGNUM c(BN_new());
+  ScopedBIGNUM d(BN_new());
+  ScopedBIGNUM e(BN_new());
+  if (!a || !b || !c || !d || !e ||
+      !BN_rand(a.get(), 1024, 0, 0)) {
+    return false;
+  }
+
+  for (int i = 0; i < num0; i++) {
+    if (!BN_rand(b.get(), 450 + i * 10, 0, 0)) {
+      return false;
+    }
+    a->neg = rand_neg();
+    b->neg = rand_neg();
+    if (!BN_mod(c.get(), a.get(), b.get(), ctx)) {
+      return false;
+    }
+    if (fp != NULL) {
+      if (!g_results) {
+        BN_print_fp(fp, a.get());
+        puts_fp(fp, " % ");
+        BN_print_fp(fp, b.get());
+        puts_fp(fp, " - ");
+      }
+      BN_print_fp(fp, c.get());
+      puts_fp(fp, "\n");
+    }
+    if (!BN_div(d.get(), e.get(), a.get(), b.get(), ctx) ||
+        !BN_sub(e.get(), e.get(), c.get())) {
+      return false;
+    }
+    if (!BN_is_zero(e.get())) {
+      fprintf(stderr, "Modulo test failed!\n");
+      return false;
+    }
+  }
+  return true;
+}
+
+static bool test_mod_mul(FILE *fp, BN_CTX *ctx) {
+  ScopedBIGNUM a(BN_new());
+  ScopedBIGNUM b(BN_new());
+  ScopedBIGNUM c(BN_new());
+  ScopedBIGNUM d(BN_new());
+  ScopedBIGNUM e(BN_new());
+  if (!a || !b || !c || !d || !e) {
+    return false;
+  }
+
+  for (int j = 0; j < 3; j++) {
+    if (!BN_rand(c.get(), 1024, 0, 0)) {
+      return false;
+    }
+    for (int i = 0; i < num0; i++) {
+      if (!BN_rand(a.get(), 475 + i * 10, 0, 0) ||
+          !BN_rand(b.get(), 425 + i * 11, 0, 0)) {
+        return false;
+      }
+      a->neg = rand_neg();
+      b->neg = rand_neg();
+      if (!BN_mod_mul(e.get(), a.get(), b.get(), c.get(), ctx)) {
+        ERR_print_errors_fp(stderr);
+        return false;
+      }
+      if (fp != NULL) {
+        if (!g_results) {
+          BN_print_fp(fp, a.get());
+          puts_fp(fp, " * ");
+          BN_print_fp(fp, b.get());
+          puts_fp(fp, " % ");
+          BN_print_fp(fp, c.get());
+          if (a->neg != b->neg && !BN_is_zero(e.get())) {
+            // If  (a*b) % c  is negative,  c  must be added
+            // in order to obtain the normalized remainder
+            // (new with OpenSSL 0.9.7, previous versions of
+            // BN_mod_mul could generate negative results)
+            puts_fp(fp, " + ");
+            BN_print_fp(fp, c.get());
+          }
+          puts_fp(fp, " - ");
+        }
+        BN_print_fp(fp, e.get());
+        puts_fp(fp, "\n");
+      }
+      if (!BN_mul(d.get(), a.get(), b.get(), ctx) ||
+          !BN_sub(d.get(), d.get(), e.get()) ||
+          !BN_div(a.get(), b.get(), d.get(), c.get(), ctx)) {
+        return false;
+      }
+      if (!BN_is_zero(b.get())) {
+        fprintf(stderr, "Modulo multiply test failed!\n");
+        ERR_print_errors_fp(stderr);
+        return false;
+      }
+    }
+  }
+  return true;
+}
+
+static bool test_mod_exp(FILE *fp, BN_CTX *ctx) {
+  ScopedBIGNUM a(BN_new());
+  ScopedBIGNUM b(BN_new());
+  ScopedBIGNUM c(BN_new());
+  ScopedBIGNUM d(BN_new());
+  ScopedBIGNUM e(BN_new());
+  if (!a || !b || !c || !d || !e ||
+      !BN_rand(c.get(), 30, 0, 1)) {  // must be odd for montgomery
+    return false;
+  }
+  for (int i = 0; i < num2; i++) {
+    if (!BN_rand(a.get(), 20 + i * 5, 0, 0) ||
+        !BN_rand(b.get(), 2 + i, 0, 0) ||
+        !BN_mod_exp(d.get(), a.get(), b.get(), c.get(), ctx)) {
+      return false;
+    }
+
+    if (fp != NULL) {
+      if (!g_results) {
+        BN_print_fp(fp, a.get());
+        puts_fp(fp, " ^ ");
+        BN_print_fp(fp, b.get());
+        puts_fp(fp, " % ");
+        BN_print_fp(fp, c.get());
+        puts_fp(fp, " - ");
+      }
+      BN_print_fp(fp, d.get());
+      puts_fp(fp, "\n");
+    }
+    if (!BN_exp(e.get(), a.get(), b.get(), ctx) ||
+        !BN_sub(e.get(), e.get(), d.get()) ||
+        !BN_div(a.get(), b.get(), e.get(), c.get(), ctx)) {
+      return false;
+    }
+    if (!BN_is_zero(b.get())) {
+      fprintf(stderr, "Modulo exponentiation test failed!\n");
+      return false;
+    }
+  }
+  return true;
+}
+
+static bool test_mod_exp_mont_consttime(FILE *fp, BN_CTX *ctx) {
+  ScopedBIGNUM a(BN_new());
+  ScopedBIGNUM b(BN_new());
+  ScopedBIGNUM c(BN_new());
+  ScopedBIGNUM d(BN_new());
+  ScopedBIGNUM e(BN_new());
+  if (!a || !b || !c || !d || !e ||
+      !BN_rand(c.get(), 30, 0, 1)) {  // must be odd for montgomery
+    return false;
+  }
+  for (int i = 0; i < num2; i++) {
+    if (!BN_rand(a.get(), 20 + i * 5, 0, 0) ||
+        !BN_rand(b.get(), 2 + i, 0, 0) ||
+        !BN_mod_exp_mont_consttime(d.get(), a.get(), b.get(), c.get(), ctx,
+                                   NULL)) {
+      return false;
+    }
+
+    if (fp != NULL) {
+      if (!g_results) {
+        BN_print_fp(fp, a.get());
+        puts_fp(fp, " ^ ");
+        BN_print_fp(fp, b.get());
+        puts_fp(fp, " % ");
+        BN_print_fp(fp, c.get());
+        puts_fp(fp, " - ");
+      }
+      BN_print_fp(fp, d.get());
+      puts_fp(fp, "\n");
+    }
+    if (!BN_exp(e.get(), a.get(), b.get(), ctx) ||
+        !BN_sub(e.get(), e.get(), d.get()) ||
+        !BN_div(a.get(), b.get(), e.get(), c.get(), ctx)) {
+      return false;
+    }
+    if (!BN_is_zero(b.get())) {
+      fprintf(stderr, "Modulo exponentiation test failed!\n");
+      return false;
+    }
+  }
+  return true;
+}
+
+// Test constant-time modular exponentiation with 1024-bit inputs,
+// which on x86_64 cause a different code branch to be taken.
+static bool test_mod_exp_mont5(FILE *fp, BN_CTX *ctx) {
+  ScopedBIGNUM a(BN_new());
+  ScopedBIGNUM p(BN_new());
+  ScopedBIGNUM m(BN_new());
+  ScopedBIGNUM d(BN_new());
+  ScopedBIGNUM e(BN_new());
+  if (!a || !p || !m || !d || !e ||
+      !BN_rand(m.get(), 1024, 0, 1) ||  // must be odd for montgomery
+      !BN_rand(a.get(), 1024, 0, 0)) {
+    return false;
+  }
+  // Zero exponent.
+  BN_zero(p.get());
+  if (!BN_mod_exp_mont_consttime(d.get(), a.get(), p.get(), m.get(), ctx,
+                                 NULL)) {
+    return false;
+  }
+  if (!BN_is_one(d.get())) {
+    fprintf(stderr, "Modular exponentiation test failed!\n");
+    return false;
+  }
+  if (!BN_rand(p.get(), 1024, 0, 0)) {
+    return false;
+  }
+  // Zero input.
+  BN_zero(a.get());
+  if (!BN_mod_exp_mont_consttime(d.get(), a.get(), p.get(), m.get(), ctx,
+                                 NULL)) {
+    return false;
+  }
+  if (!BN_is_zero(d.get())) {
+    fprintf(stderr, "Modular exponentiation test failed!\n");
+    return false;
+  }
+  // Craft an input whose Montgomery representation is 1, i.e., shorter than the
+  // modulus m, in order to test the const time precomputation
+  // scattering/gathering.
+  ScopedBN_MONT_CTX mont(BN_MONT_CTX_new());
+  if (!mont || !BN_one(a.get()) ||
+      !BN_MONT_CTX_set(mont.get(), m.get(), ctx) ||
+      !BN_from_montgomery(e.get(), a.get(), mont.get(), ctx) ||
+      !BN_mod_exp_mont_consttime(d.get(), e.get(), p.get(), m.get(), ctx,
+                                 NULL) ||
+      !BN_mod_exp(a.get(), e.get(), p.get(), m.get(), ctx)) {
+    return false;
+  }
+  if (BN_cmp(a.get(), d.get()) != 0) {
+    fprintf(stderr, "Modular exponentiation test failed!\n");
+    return false;
+  }
+  // Finally, some regular test vectors.
+  if (!BN_rand(e.get(), 1024, 0, 0) ||
+      !BN_mod_exp_mont_consttime(d.get(), e.get(), p.get(), m.get(), ctx,
+                                 NULL) ||
+      !BN_mod_exp(a.get(), e.get(), p.get(), m.get(), ctx)) {
+    return false;
+  }
+  if (BN_cmp(a.get(), d.get()) != 0) {
+    fprintf(stderr, "Modular exponentiation test failed!\n");
+    return false;
+  }
+
+  return true;
+}
+
+static bool test_exp(FILE *fp, BN_CTX *ctx) {
+  ScopedBIGNUM a(BN_new());
+  ScopedBIGNUM b(BN_new());
+  ScopedBIGNUM d(BN_new());
+  ScopedBIGNUM e(BN_new());
+  if (!a || !b || !d || !e) {
+    return false;
+  }
+
+  for (int i = 0; i < num2; i++) {
+    if (!BN_rand(a.get(), 20 + i * 5, 0, 0) ||
+        !BN_rand(b.get(), 2 + i, 0, 0) ||
+        !BN_exp(d.get(), a.get(), b.get(), ctx)) {
+      return false;
+    }
+
+    if (fp != NULL) {
+      if (!g_results) {
+        BN_print_fp(fp, a.get());
+        puts_fp(fp, " ^ ");
+        BN_print_fp(fp, b.get());
+        puts_fp(fp, " - ");
+      }
+      BN_print_fp(fp, d.get());
+      puts_fp(fp, "\n");
+    }
+    if (!BN_one(e.get())) {
+      return false;
+    }
+    for (; !BN_is_zero(b.get()); BN_sub(b.get(), b.get(), BN_value_one())) {
+      if (!BN_mul(e.get(), e.get(), a.get(), ctx)) {
+        return false;
+      }
+    }
+    if (!BN_sub(e.get(), e.get(), d.get())) {
+      return false;
+    }
+    if (!BN_is_zero(e.get())) {
+      fprintf(stderr, "Exponentiation test failed!\n");
+      return false;
+    }
+  }
+  return true;
+}
+
+// test_exp_mod_zero tests that 1**0 mod 1 == 0.
+static bool test_exp_mod_zero(void) {
+  ScopedBIGNUM zero(BN_new());
+  if (!zero) {
+    return false;
+  }
+  BN_zero(zero.get());
+
+  ScopedBN_CTX ctx(BN_CTX_new());
+  ScopedBIGNUM r(BN_new());
+  if (!ctx || !r ||
+      !BN_mod_exp(r.get(), BN_value_one(), zero.get(), BN_value_one(), ctx.get())) {
+    return false;
+  }
+
+  if (!BN_is_zero(r.get())) {
+    printf("1**0 mod 1 = ");
+    BN_print_fp(stdout, r.get());
+    printf(", should be 0\n");
+    return false;
+  }
+
+  return true;
+}
+
+static int genprime_cb(int p, int n, BN_GENCB *arg) {
+  char c = '*';
+
+  if (p == 0) {
+    c = '.';
+  } else if (p == 1) {
+    c = '+';
+  } else if (p == 2) {
+    c = '*';
+  } else if (p == 3) {
+    c = '\n';
+  }
+  putc(c, stdout);
+  fflush(stdout);
+  return 1;
+}
+
+static bool test_mod_sqrt(FILE *fp, BN_CTX *ctx) {
+  ScopedBIGNUM a(BN_new());
+  ScopedBIGNUM p(BN_new());
+  ScopedBIGNUM r(BN_new());
+  if (!a || !p || !r) {
+    return false;
+  }
+
+  BN_GENCB cb;
+  BN_GENCB_set(&cb, genprime_cb, NULL);
+
+  for (int i = 0; i < 16; i++) {
+    if (i < 8) {
+      const unsigned kPrimes[8] = {2, 3, 5, 7, 11, 13, 17, 19};
+      if (!BN_set_word(p.get(), kPrimes[i])) {
+        return false;
+      }
+    } else {
+      if (!BN_set_word(a.get(), 32) ||
+          !BN_set_word(r.get(), 2 * i + 1) ||
+          !BN_generate_prime_ex(p.get(), 256, 0, a.get(), r.get(), &cb)) {
+        return false;
+      }
+      putc('\n', stdout);
+    }
+    p->neg = rand_neg();
+
+    for (int j = 0; j < num2; j++) {
+      // construct 'a' such that it is a square modulo p, but in general not a
+      // proper square and not reduced modulo p
+      if (!BN_rand(r.get(), 256, 0, 3) ||
+          !BN_nnmod(r.get(), r.get(), p.get(), ctx) ||
+          !BN_mod_sqr(r.get(), r.get(), p.get(), ctx) ||
+          !BN_rand(a.get(), 256, 0, 3) ||
+          !BN_nnmod(a.get(), a.get(), p.get(), ctx) ||
+          !BN_mod_sqr(a.get(), a.get(), p.get(), ctx) ||
+          !BN_mul(a.get(), a.get(), r.get(), ctx)) {
+        return false;
+      }
+      if (rand_neg() && !BN_sub(a.get(), a.get(), p.get())) {
+        return false;
+      }
+
+      if (!BN_mod_sqrt(r.get(), a.get(), p.get(), ctx) ||
+          !BN_mod_sqr(r.get(), r.get(), p.get(), ctx) ||
+          !BN_nnmod(a.get(), a.get(), p.get(), ctx)) {
+        return false;
+      }
+
+      if (BN_cmp(a.get(), r.get()) != 0) {
+        fprintf(stderr, "BN_mod_sqrt failed: a = ");
+        BN_print_fp(stderr, a.get());
+        fprintf(stderr, ", r = ");
+        BN_print_fp(stderr, r.get());
+        fprintf(stderr, ", p = ");
+        BN_print_fp(stderr, p.get());
+        fprintf(stderr, "\n");
+        return false;
+      }
+
+      putc('.', stdout);
+      fflush(stdout);
+    }
+
+    putc('\n', stdout);
+    fflush(stderr);
+  }
+  return true;
+}
+
+static bool test_small_prime(FILE *fp, BN_CTX *ctx) {
+  static const int kBits = 10;
+
+  ScopedBIGNUM r(BN_new());
+  if (!r || !BN_generate_prime_ex(r.get(), kBits, 0, NULL, NULL, NULL)) {
+    return false;
+  }
+  if (BN_num_bits(r.get()) != kBits) {
+    fprintf(fp, "Expected %d bit prime, got %d bit number\n", kBits,
+            BN_num_bits(r.get()));
+    return false;
+  }
+
+  return true;
+}
+
+static bool test_sqrt(FILE *fp, BN_CTX *ctx) {
+  ScopedBIGNUM n(BN_new());
+  ScopedBIGNUM nn(BN_new());
+  ScopedBIGNUM sqrt(BN_new());
+  if (!n || !nn || !sqrt) {
+    return false;
+  }
+
+  // Test some random squares.
+  for (int i = 0; i < 100; i++) {
+    if (!BN_rand(n.get(), 1024 /* bit length */,
+                 -1 /* no modification of top bits */,
+                 0 /* don't modify bottom bit */) ||
+        !BN_mul(nn.get(), n.get(), n.get(), ctx) ||
+        !BN_sqrt(sqrt.get(), nn.get(), ctx)) {
+      ERR_print_errors_fp(stderr);
+      return false;
+    }
+    if (BN_cmp(n.get(), sqrt.get()) != 0) {
+      fprintf(stderr, "Bad result from BN_sqrt.\n");
+      return false;
+    }
+  }
+
+  // Test some non-squares.
+  for (int i = 0; i < 100; i++) {
+    if (!BN_rand(n.get(), 1024 /* bit length */,
+                 -1 /* no modification of top bits */,
+                 0 /* don't modify bottom bit */) ||
+        !BN_mul(nn.get(), n.get(), n.get(), ctx) ||
+        !BN_add(nn.get(), nn.get(), BN_value_one())) {
+      ERR_print_errors_fp(stderr);
+      return false;
+    }
+
+    if (BN_sqrt(sqrt.get(), nn.get(), ctx)) {
+      char *nn_str = BN_bn2dec(nn.get());
+      fprintf(stderr, "BIO_sqrt didn't fail on a non-square: %s\n", nn_str);
+      OPENSSL_free(nn_str);
+    }
+  }
+
+  return true;
+}
+
+static bool test_bn2bin_padded(FILE *fp, BN_CTX *ctx) {
+  uint8_t zeros[256], out[256], reference[128];
+
+  memset(zeros, 0, sizeof(zeros));
+
+  // Test edge case at 0.
+  ScopedBIGNUM n(BN_new());
+  if (!n || !BN_bn2bin_padded(NULL, 0, n.get())) {
+    fprintf(stderr,
+            "BN_bn2bin_padded failed to encode 0 in an empty buffer.\n");
+    return false;
+  }
+  memset(out, -1, sizeof(out));
+  if (!BN_bn2bin_padded(out, sizeof(out), n.get())) {
+    fprintf(stderr,
+            "BN_bn2bin_padded failed to encode 0 in a non-empty buffer.\n");
+    return false;
+  }
+  if (memcmp(zeros, out, sizeof(out))) {
+    fprintf(stderr, "BN_bn2bin_padded did not zero buffer.\n");
+    return false;
+  }
+
+  // Test a random numbers at various byte lengths.
+  for (size_t bytes = 128 - 7; bytes <= 128; bytes++) {
+    if (!BN_rand(n.get(), bytes * 8, 0 /* make sure top bit is 1 */,
+                 0 /* don't modify bottom bit */)) {
+      ERR_print_errors_fp(stderr);
+      return false;
+    }
+    if (BN_num_bytes(n.get()) != bytes ||
+        BN_bn2bin(n.get(), reference) != bytes) {
+      fprintf(stderr, "Bad result from BN_rand; bytes.\n");
+      return false;
+    }
+    // Empty buffer should fail.
+    if (BN_bn2bin_padded(NULL, 0, n.get())) {
+      fprintf(stderr,
+              "BN_bn2bin_padded incorrectly succeeded on empty buffer.\n");
+      return false;
+    }
+    // One byte short should fail.
+    if (BN_bn2bin_padded(out, bytes - 1, n.get())) {
+      fprintf(stderr, "BN_bn2bin_padded incorrectly succeeded on short.\n");
+      return false;
+    }
+    // Exactly right size should encode.
+    if (!BN_bn2bin_padded(out, bytes, n.get()) ||
+        memcmp(out, reference, bytes) != 0) {
+      fprintf(stderr, "BN_bn2bin_padded gave a bad result.\n");
+      return false;
+    }
+    // Pad up one byte extra.
+    if (!BN_bn2bin_padded(out, bytes + 1, n.get()) ||
+        memcmp(out + 1, reference, bytes) || memcmp(out, zeros, 1)) {
+      fprintf(stderr, "BN_bn2bin_padded gave a bad result.\n");
+      return false;
+    }
+    // Pad up to 256.
+    if (!BN_bn2bin_padded(out, sizeof(out), n.get()) ||
+        memcmp(out + sizeof(out) - bytes, reference, bytes) ||
+        memcmp(out, zeros, sizeof(out) - bytes)) {
+      fprintf(stderr, "BN_bn2bin_padded gave a bad result.\n");
+      return false;
+    }
+  }
+
+  return true;
+}
+
+static int DecimalToBIGNUM(ScopedBIGNUM *out, const char *in) {
+  BIGNUM *raw = NULL;
+  int ret = BN_dec2bn(&raw, in);
+  out->reset(raw);
+  return ret;
+}
+
+static bool test_dec2bn(FILE *fp, BN_CTX *ctx) {
+  ScopedBIGNUM bn;
+  int ret = DecimalToBIGNUM(&bn, "0");
+  if (ret != 1 || !BN_is_zero(bn.get()) || BN_is_negative(bn.get())) {
+    fprintf(stderr, "BN_dec2bn gave a bad result.\n");
+    return false;
+  }
+
+  ret = DecimalToBIGNUM(&bn, "256");
+  if (ret != 3 || !BN_is_word(bn.get(), 256) || BN_is_negative(bn.get())) {
+    fprintf(stderr, "BN_dec2bn gave a bad result.\n");
+    return false;
+  }
+
+  ret = DecimalToBIGNUM(&bn, "-42");
+  if (ret != 3 || !BN_abs_is_word(bn.get(), 42) || !BN_is_negative(bn.get())) {
+    fprintf(stderr, "BN_dec2bn gave a bad result.\n");
+    return false;
+  }
+
+  ret = DecimalToBIGNUM(&bn, "-0");
+  if (ret != 2 || !BN_is_zero(bn.get()) || BN_is_negative(bn.get())) {
+    fprintf(stderr, "BN_dec2bn gave a bad result.\n");
+    return false;
+  }
+
+  ret = DecimalToBIGNUM(&bn, "42trailing garbage is ignored");
+  if (ret != 2 || !BN_abs_is_word(bn.get(), 42) || BN_is_negative(bn.get())) {
+    fprintf(stderr, "BN_dec2bn gave a bad result.\n");
+    return false;
+  }
+
+  return true;
+}
+
+static int HexToBIGNUM(ScopedBIGNUM *out, const char *in) {
+  BIGNUM *raw = NULL;
+  int ret = BN_hex2bn(&raw, in);
+  out->reset(raw);
+  return ret;
+}
+
+static bool test_hex2bn(FILE *fp, BN_CTX *ctx) {
+  ScopedBIGNUM bn;
+  int ret = HexToBIGNUM(&bn, "0");
+  if (ret != 1 || !BN_is_zero(bn.get()) || BN_is_negative(bn.get())) {
+    fprintf(stderr, "BN_hex2bn gave a bad result.\n");
+    return false;
+  }
+
+  ret = HexToBIGNUM(&bn, "256");
+  if (ret != 3 || !BN_is_word(bn.get(), 0x256) || BN_is_negative(bn.get())) {
+    fprintf(stderr, "BN_hex2bn gave a bad result.\n");
+    return false;
+  }
+
+  ret = HexToBIGNUM(&bn, "-42");
+  if (ret != 3 || !BN_abs_is_word(bn.get(), 0x42) || !BN_is_negative(bn.get())) {
+    fprintf(stderr, "BN_hex2bn gave a bad result.\n");
+    return false;
+  }
+
+  ret = HexToBIGNUM(&bn, "-0");
+  if (ret != 2 || !BN_is_zero(bn.get()) || BN_is_negative(bn.get())) {
+    fprintf(stderr, "BN_hex2bn gave a bad result.\n");
+    return false;
+  }
+
+  ret = HexToBIGNUM(&bn, "abctrailing garbage is ignored");
+  if (ret != 3 || !BN_is_word(bn.get(), 0xabc) || BN_is_negative(bn.get())) {
+    fprintf(stderr, "BN_hex2bn gave a bad result.\n");
+    return false;
+  }
+
+  return true;
+}
+
+static ScopedBIGNUM ASCIIToBIGNUM(const char *in) {
+  BIGNUM *raw = NULL;
+  if (!BN_asc2bn(&raw, in)) {
+    return nullptr;
+  }
+  return ScopedBIGNUM(raw);
+}
+
+static bool test_asc2bn(FILE *fp, BN_CTX *ctx) {
+  ScopedBIGNUM bn = ASCIIToBIGNUM("0");
+  if (!bn || !BN_is_zero(bn.get()) || BN_is_negative(bn.get())) {
+    fprintf(stderr, "BN_asc2bn gave a bad result.\n");
+    return false;
+  }
+
+  bn = ASCIIToBIGNUM("256");
+  if (!bn || !BN_is_word(bn.get(), 256) || BN_is_negative(bn.get())) {
+    fprintf(stderr, "BN_asc2bn gave a bad result.\n");
+    return false;
+  }
+
+  bn = ASCIIToBIGNUM("-42");
+  if (!bn || !BN_abs_is_word(bn.get(), 42) || !BN_is_negative(bn.get())) {
+    fprintf(stderr, "BN_asc2bn gave a bad result.\n");
+    return false;
+  }
+
+  bn = ASCIIToBIGNUM("0x1234");
+  if (!bn || !BN_is_word(bn.get(), 0x1234) || BN_is_negative(bn.get())) {
+    fprintf(stderr, "BN_asc2bn gave a bad result.\n");
+    return false;
+  }
+
+  bn = ASCIIToBIGNUM("0X1234");
+  if (!bn || !BN_is_word(bn.get(), 0x1234) || BN_is_negative(bn.get())) {
+    fprintf(stderr, "BN_asc2bn gave a bad result.\n");
+    return false;
+  }
+
+  bn = ASCIIToBIGNUM("-0xabcd");
+  if (!bn || !BN_abs_is_word(bn.get(), 0xabcd) || !BN_is_negative(bn.get())) {
+    fprintf(stderr, "BN_asc2bn gave a bad result.\n");
+    return false;
+  }
+
+  bn = ASCIIToBIGNUM("-0");
+  if (!bn || !BN_is_zero(bn.get()) || BN_is_negative(bn.get())) {
+    fprintf(stderr, "BN_asc2bn gave a bad result.\n");
+    return false;
+  }
+
+  bn = ASCIIToBIGNUM("123trailing garbage is ignored");
+  if (!bn || !BN_is_word(bn.get(), 123) || BN_is_negative(bn.get())) {
+    fprintf(stderr, "BN_asc2bn gave a bad result.\n");
+    return false;
+  }
+
+  return true;
+}
diff --git a/src/crypto/bn/convert.c b/src/crypto/bn/convert.c
index 9c7b9be..531b661 100644
--- a/src/crypto/bn/convert.c
+++ b/src/crypto/bn/convert.c
@@ -407,13 +407,9 @@ char *BN_bn2dec(const BIGNUM *a) {
   ok = 1;
 
 err:
-  if (bn_data != NULL) {
-    OPENSSL_free(bn_data);
-  }
-  if (t != NULL) {
-    BN_free(t);
-  }
-  if (!ok && buf) {
+  OPENSSL_free(bn_data);
+  BN_free(t);
+  if (!ok) {
     OPENSSL_free(buf);
     buf = NULL;
   }
diff --git a/src/crypto/bn/ctx.c b/src/crypto/bn/ctx.c
index e54007b..0578376 100644
--- a/src/crypto/bn/ctx.c
+++ b/src/crypto/bn/ctx.c
@@ -205,14 +205,12 @@ static void BN_STACK_init(BN_STACK *st) {
 }
 
 static void BN_STACK_finish(BN_STACK *st) {
-  if (st->size)
-    OPENSSL_free(st->indexes);
+  OPENSSL_free(st->indexes);
 }
 
 static int BN_STACK_push(BN_STACK *st, unsigned int idx) {
-  if (st->depth == st->size)
-      /* Need to expand */
-  {
+  if (st->depth == st->size) {
+    /* Need to expand */
     unsigned int newsize =
         (st->size ? (st->size * 3 / 2) : BN_CTX_START_FRAMES);
     unsigned int *newitems = OPENSSL_malloc(newsize * sizeof(unsigned int));
@@ -222,9 +220,7 @@ static int BN_STACK_push(BN_STACK *st, unsigned int idx) {
     if (st->depth) {
       memcpy(newitems, st->indexes, st->depth * sizeof(unsigned int));
     }
-    if (st->size) {
-      OPENSSL_free(st->indexes);
-    }
+    OPENSSL_free(st->indexes);
     st->indexes = newitems;
     st->size = newsize;
   }
diff --git a/src/crypto/bn/div.c b/src/crypto/bn/div.c
index d65957a..3588ea1 100644
--- a/src/crypto/bn/div.c
+++ b/src/crypto/bn/div.c
@@ -278,12 +278,14 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
       t2 = (BN_ULLONG)d1 * q;
 
       for (;;) {
-        if (t2 <= ((((BN_ULLONG)rem) << BN_BITS2) | wnump[-2]))
+        if (t2 <= ((((BN_ULLONG)rem) << BN_BITS2) | wnump[-2])) {
           break;
+        }
         q--;
         rem += d0;
-        if (rem < d0)
+        if (rem < d0) {
           break; /* don't let rem overflow */
+        }
         t2 -= d1;
       }
 #else /* !BN_LLONG */
@@ -316,14 +318,17 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
 #endif
 
       for (;;) {
-        if ((t2h < rem) || ((t2h == rem) && (t2l <= wnump[-2])))
+        if ((t2h < rem) || ((t2h == rem) && (t2l <= wnump[-2]))) {
           break;
+        }
         q--;
         rem += d0;
-        if (rem < d0)
+        if (rem < d0) {
           break; /* don't let rem overflow */
-        if (t2l < d1)
+        }
+        if (t2l < d1) {
           t2h--;
+        }
         t2l -= d1;
       }
 #endif /* !BN_LLONG */
@@ -357,7 +362,9 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
      * BN_rshift() will overwrite it.
      */
     int neg = num->neg;
-    BN_rshift(rm, snum, norm_shift);
+    if (!BN_rshift(rm, snum, norm_shift)) {
+      goto err;
+    }
     if (!BN_is_zero(rm)) {
       rm->neg = neg;
     }
@@ -485,9 +492,7 @@ int BN_mod_lshift(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m,
 
   ret = BN_mod_lshift_quick(r, r, n, (abs_m ? abs_m : m));
 
-  if (abs_m) {
-    BN_free(abs_m);
-  }
+  BN_free(abs_m);
   return ret;
 }
 
diff --git a/src/crypto/bn/exponentiation.c b/src/crypto/bn/exponentiation.c
index 53f3e9c..d3063c9 100644
--- a/src/crypto/bn/exponentiation.c
+++ b/src/crypto/bn/exponentiation.c
@@ -172,12 +172,13 @@ int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) {
       }
     }
   }
-  ret = 1;
 
-err:
   if (r != rr) {
     BN_copy(r, rr);
   }
+  ret = 1;
+
+err:
   BN_CTX_end(ctx);
   return ret;
 }
@@ -685,12 +686,14 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
 
   j = m->top; /* borrow j */
   if (m->d[j - 1] & (((BN_ULONG)1) << (BN_BITS2 - 1))) {
-    if (bn_wexpand(r, j) == NULL)
+    if (bn_wexpand(r, j) == NULL) {
       goto err;
+    }
     /* 2^(top*BN_BITS2) - m */
     r->d[0] = (0 - m->d[0]) & BN_MASK2;
-    for (i = 1; i < j; i++)
+    for (i = 1; i < j; i++) {
       r->d[i] = (~m->d[i]) & BN_MASK2;
+    }
     r->top = j;
     /* Upper words will be zero if the corresponding words of 'm'
      * were 0xfff[...], so decrement r->top accordingly. */
@@ -704,9 +707,8 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
     int wend; /* The bottom bit of the window */
 
     if (BN_is_bit_set(p, wstart) == 0) {
-      if (!start) {
-        if (!BN_mod_mul_montgomery(r, r, r, mont, ctx))
-          goto err;
+      if (!start && !BN_mod_mul_montgomery(r, r, r, mont, ctx)) {
+        goto err;
       }
       if (wstart == 0) {
         break;
@@ -761,7 +763,7 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
   ret = 1;
 
 err:
-  if (in_mont == NULL && mont != NULL) {
+  if (in_mont == NULL) {
     BN_MONT_CTX_free(mont);
   }
   BN_CTX_end(ctx);
@@ -876,15 +878,14 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
   BN_CTX_start(ctx);
 
   /* Allocate a montgomery context if it was not supplied by the caller.
-   * If this is not done, things will break in the montgomery part.
-   */
-  if (in_mont != NULL)
+   * If this is not done, things will break in the montgomery part. */
+  if (in_mont != NULL) {
     mont = in_mont;
-  else {
-    if ((mont = BN_MONT_CTX_new()) == NULL)
-      goto err;
-    if (!BN_MONT_CTX_set(mont, m, ctx))
+  } else {
+    mont = BN_MONT_CTX_new();
+    if (mont == NULL || !BN_MONT_CTX_set(mont, m, ctx)) {
       goto err;
+    }
   }
 
 #ifdef RSAZ_ENABLED
@@ -893,8 +894,9 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
    * crypto/bn/rsaz_exp.c and accompanying assembly modules. */
   if ((16 == a->top) && (16 == p->top) && (BN_num_bits(m) == 1024) &&
       rsaz_avx2_eligible()) {
-    if (NULL == bn_wexpand(rr, 16))
+    if (NULL == bn_wexpand(rr, 16)) {
       goto err;
+    }
     RSAZ_1024_mod_exp_avx2(rr->d, a->d, p->d, m->d, mont->RR.d, mont->n0[0]);
     rr->top = 16;
     rr->neg = 0;
@@ -902,8 +904,9 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
     ret = 1;
     goto err;
   } else if ((8 == a->top) && (8 == p->top) && (BN_num_bits(m) == 512)) {
-    if (NULL == bn_wexpand(rr, 8))
+    if (NULL == bn_wexpand(rr, 8)) {
       goto err;
+    }
     RSAZ_512_mod_exp(rr->d, a->d, p->d, m->d, mont->n0[0], mont->RR.d);
     rr->top = 8;
     rr->neg = 0;
@@ -918,8 +921,9 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
 #if defined(OPENSSL_BN_ASM_MONT5)
   if (window >= 5) {
     window = 5; /* ~5% improvement for RSA2048 sign, and even for RSA4096 */
-    if ((top & 7) == 0)
+    if ((top & 7) == 0) {
       powerbufLen += 2 * top * sizeof(m->d[0]);
+    }
   }
 #endif
   (void)0;
@@ -932,20 +936,24 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
       sizeof(m->d[0]) *
       (top * numPowers + ((2 * top) > numPowers ? (2 * top) : numPowers));
 #ifdef alloca
-  if (powerbufLen < 3072)
+  if (powerbufLen < 3072) {
     powerbufFree = alloca(powerbufLen + MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH);
-  else
+  } else
 #endif
-      if ((powerbufFree = (unsigned char *)OPENSSL_malloc(
-               powerbufLen + MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH)) == NULL)
-    goto err;
+  {
+    if ((powerbufFree = (unsigned char *)OPENSSL_malloc(
+            powerbufLen + MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH)) == NULL) {
+      goto err;
+    }
+  }
 
   powerbuf = MOD_EXP_CTIME_ALIGN(powerbufFree);
   memset(powerbuf, 0, powerbufLen);
 
 #ifdef alloca
-  if (powerbufLen < 3072)
+  if (powerbufLen < 3072) {
     powerbufFree = NULL;
+  }
 #endif
 
   /* lay down tmp and am right after powers table */
@@ -961,20 +969,23 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
   if (m->d[top - 1] & (((BN_ULONG)1) << (BN_BITS2 - 1))) {
     /* 2^(top*BN_BITS2) - m */
     tmp.d[0] = (0 - m->d[0]) & BN_MASK2;
-    for (i = 1; i < top; i++)
+    for (i = 1; i < top; i++) {
       tmp.d[i] = (~m->d[i]) & BN_MASK2;
+    }
     tmp.top = top;
-  } else if (!BN_to_montgomery(&tmp, BN_value_one(), mont, ctx))
+  } else if (!BN_to_montgomery(&tmp, BN_value_one(), mont, ctx)) {
     goto err;
+  }
 
   /* prepare a^1 in Montgomery domain */
   if (a->neg || BN_ucmp(a, m) >= 0) {
-    if (!BN_mod(&am, a, m, ctx))
-      goto err;
-    if (!BN_to_montgomery(&am, &am, mont, ctx))
+    if (!BN_mod(&am, a, m, ctx) ||
+        !BN_to_montgomery(&am, &am, mont, ctx)) {
       goto err;
-  } else if (!BN_to_montgomery(&am, a, mont, ctx))
+    }
+  } else if (!BN_to_montgomery(&am, a, mont, ctx)) {
     goto err;
+  }
 
 #if defined(OPENSSL_BN_ASM_MONT5)
   /* This optimization uses ideas from http://eprint.iacr.org/2011/239,
@@ -1001,16 +1012,20 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
 
     /* BN_to_montgomery can contaminate words above .top
      * [in BN_DEBUG[_DEBUG] build]... */
-    for (i = am.top; i < top; i++)
+    for (i = am.top; i < top; i++) {
       am.d[i] = 0;
-    for (i = tmp.top; i < top; i++)
+    }
+    for (i = tmp.top; i < top; i++) {
       tmp.d[i] = 0;
+    }
 
-    if (top & 7)
+    if (top & 7) {
       np2 = np;
-    else
-      for (np2 = am.d + top, i = 0; i < top; i++)
+    } else {
+      for (np2 = am.d + top, i = 0; i < top; i++) {
         np2[2 * i] = np[i];
+      }
+    }
 
     bn_scatter5(tmp.d, top, powerbuf, 0);
     bn_scatter5(am.d, am.top, powerbuf, 1);
@@ -1043,8 +1058,9 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
     }
 
     bits--;
-    for (wvalue = 0, i = bits % 5; i >= 0; i--, bits--)
+    for (wvalue = 0, i = bits % 5; i >= 0; i--, bits--) {
       wvalue = (wvalue << 1) + BN_is_bit_set(p, bits);
+    }
     bn_gather5(tmp.d, top, powerbuf, wvalue);
 
     /* At this point |bits| is 4 mod 5 and at least -1. (|bits| is the first bit
@@ -1056,8 +1072,9 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
      */
     if (top & 7) {
       while (bits >= 0) {
-        for (wvalue = 0, i = 0; i < 5; i++, bits--)
+        for (wvalue = 0, i = 0; i < 5; i++, bits--) {
           wvalue = (wvalue << 1) + BN_is_bit_set(p, bits);
+        }
 
         bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top);
         bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top);
@@ -1101,17 +1118,18 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
     tmp.top = top;
     bn_correct_top(&tmp);
     if (ret) {
-      if (!BN_copy(rr, &tmp))
+      if (!BN_copy(rr, &tmp)) {
         ret = 0;
+      }
       goto err; /* non-zero ret means it's not error */
     }
   } else
 #endif
   {
-    if (!copy_to_prebuf(&tmp, top, powerbuf, 0, numPowers))
-      goto err;
-    if (!copy_to_prebuf(&am, top, powerbuf, 1, numPowers))
+    if (!copy_to_prebuf(&tmp, top, powerbuf, 0, numPowers) ||
+        !copy_to_prebuf(&am, top, powerbuf, 1, numPowers)) {
       goto err;
+    }
 
     /* If the window size is greater than 1, then calculate
      * val[i=2..2^winsize-1]. Powers are computed as a*a^(i-1)
@@ -1119,24 +1137,26 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
      * to use the slight performance advantage of sqr over mul).
      */
     if (window > 1) {
-      if (!BN_mod_mul_montgomery(&tmp, &am, &am, mont, ctx))
-        goto err;
-      if (!copy_to_prebuf(&tmp, top, powerbuf, 2, numPowers))
+      if (!BN_mod_mul_montgomery(&tmp, &am, &am, mont, ctx) ||
+          !copy_to_prebuf(&tmp, top, powerbuf, 2, numPowers)) {
         goto err;
+      }
       for (i = 3; i < numPowers; i++) {
         /* Calculate a^i = a^(i-1) * a */
-        if (!BN_mod_mul_montgomery(&tmp, &am, &tmp, mont, ctx))
-          goto err;
-        if (!copy_to_prebuf(&tmp, top, powerbuf, i, numPowers))
+        if (!BN_mod_mul_montgomery(&tmp, &am, &tmp, mont, ctx) ||
+            !copy_to_prebuf(&tmp, top, powerbuf, i, numPowers)) {
           goto err;
+        }
       }
     }
 
     bits--;
-    for (wvalue = 0, i = bits % window; i >= 0; i--, bits--)
+    for (wvalue = 0, i = bits % window; i >= 0; i--, bits--) {
       wvalue = (wvalue << 1) + BN_is_bit_set(p, bits);
-    if (!copy_from_prebuf(&tmp, top, powerbuf, wvalue, numPowers))
+    }
+    if (!copy_from_prebuf(&tmp, top, powerbuf, wvalue, numPowers)) {
       goto err;
+    }
 
     /* Scan the exponent one window at a time starting from the most
      * significant bits.
@@ -1146,32 +1166,36 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
 
       /* Scan the window, squaring the result as we go */
       for (i = 0; i < window; i++, bits--) {
-        if (!BN_mod_mul_montgomery(&tmp, &tmp, &tmp, mont, ctx))
+        if (!BN_mod_mul_montgomery(&tmp, &tmp, &tmp, mont, ctx)) {
           goto err;
+        }
         wvalue = (wvalue << 1) + BN_is_bit_set(p, bits);
       }
 
       /* Fetch the appropriate pre-computed value from the pre-buf */
-      if (!copy_from_prebuf(&am, top, powerbuf, wvalue, numPowers))
+      if (!copy_from_prebuf(&am, top, powerbuf, wvalue, numPowers)) {
         goto err;
+      }
 
       /* Multiply the result into the intermediate result */
-      if (!BN_mod_mul_montgomery(&tmp, &tmp, &am, mont, ctx))
+      if (!BN_mod_mul_montgomery(&tmp, &tmp, &am, mont, ctx)) {
         goto err;
+      }
     }
   }
 
   /* Convert the final result from montgomery to standard format */
-  if (!BN_from_montgomery(rr, &tmp, mont, ctx))
+  if (!BN_from_montgomery(rr, &tmp, mont, ctx)) {
     goto err;
+  }
   ret = 1;
 err:
-  if ((in_mont == NULL) && (mont != NULL))
+  if (in_mont == NULL) {
     BN_MONT_CTX_free(mont);
+  }
   if (powerbuf != NULL) {
     OPENSSL_cleanse(powerbuf, powerbufLen);
-    if (powerbufFree)
-      OPENSSL_free(powerbufFree);
+    OPENSSL_free(powerbufFree);
   }
   BN_CTX_end(ctx);
   return (ret);
@@ -1238,13 +1262,11 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
     goto err;
   }
 
-  if (in_mont != NULL)
+  if (in_mont != NULL) {
     mont = in_mont;
-  else {
-    if ((mont = BN_MONT_CTX_new()) == NULL) {
-      goto err;
-    }
-    if (!BN_MONT_CTX_set(mont, m, ctx)) {
+  } else {
+    mont = BN_MONT_CTX_new();
+    if (mont == NULL || !BN_MONT_CTX_set(mont, m, ctx)) {
       goto err;
     }
   }
@@ -1328,7 +1350,7 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
   ret = 1;
 
 err:
-  if (in_mont == NULL && mont != NULL) {
+  if (in_mont == NULL) {
     BN_MONT_CTX_free(mont);
   }
   BN_CTX_end(ctx);
@@ -1477,28 +1499,33 @@ int BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1,
     if (!wvalue1 && BN_is_bit_set(p1, b)) {
       /* consider bits b-window1+1 .. b for this window */
       i = b - window1 + 1;
-      while (!BN_is_bit_set(p1, i)) /* works for i<0 */
+      /* works for i<0 */
+      while (!BN_is_bit_set(p1, i)) {
         i++;
+      }
       wpos1 = i;
       wvalue1 = 1;
       for (i = b - 1; i >= wpos1; i--) {
         wvalue1 <<= 1;
-        if (BN_is_bit_set(p1, i))
+        if (BN_is_bit_set(p1, i)) {
           wvalue1++;
+        }
       }
     }
 
     if (!wvalue2 && BN_is_bit_set(p2, b)) {
       /* consider bits b-window2+1 .. b for this window */
       i = b - window2 + 1;
-      while (!BN_is_bit_set(p2, i))
+      while (!BN_is_bit_set(p2, i)) {
         i++;
+      }
       wpos2 = i;
       wvalue2 = 1;
       for (i = b - 1; i >= wpos2; i--) {
         wvalue2 <<= 1;
-        if (BN_is_bit_set(p2, i))
+        if (BN_is_bit_set(p2, i)) {
           wvalue2++;
+        }
       }
     }
 
@@ -1527,7 +1554,7 @@ int BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1,
   ret = 1;
 
 err:
-  if (in_mont == NULL && mont != NULL) {
+  if (in_mont == NULL) {
     BN_MONT_CTX_free(mont);
   }
   BN_CTX_end(ctx);
diff --git a/src/crypto/bn/gcd.c b/src/crypto/bn/gcd.c
index 2dce296..3132c29 100644
--- a/src/crypto/bn/gcd.c
+++ b/src/crypto/bn/gcd.c
@@ -258,12 +258,8 @@ BIGNUM *BN_mod_inverse(BIGNUM *out, const BIGNUM *a, const BIGNUM *n,
     goto err;
   }
 
-  BN_one(X);
   BN_zero(Y);
-  if (BN_copy(B, a) == NULL) {
-    goto err;
-  }
-  if (BN_copy(A, n) == NULL) {
+  if (!BN_one(X) || BN_copy(B, a) == NULL || BN_copy(A, n) == NULL) {
     goto err;
   }
   A->neg = 0;
@@ -570,12 +566,8 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *out, const BIGNUM *a,
     goto err;
   }
 
-  BN_one(X);
   BN_zero(Y);
-  if (BN_copy(B, a) == NULL) {
-    goto err;
-  }
-  if (BN_copy(A, n) == NULL) {
+  if (!BN_one(X) || BN_copy(B, a) == NULL || BN_copy(A, n) == NULL) {
     goto err;
   }
   A->neg = 0;
@@ -586,8 +578,9 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *out, const BIGNUM *a,
      */
     pB = &local_B;
     BN_with_flags(pB, B, BN_FLG_CONSTTIME);
-    if (!BN_nnmod(B, pB, A, ctx))
+    if (!BN_nnmod(B, pB, A, ctx)) {
       goto err;
+    }
   }
   sign = -1;
   /* From  B = a mod |n|,  A = |n|  it follows that
diff --git a/src/crypto/bn/generic.c b/src/crypto/bn/generic.c
index 224a47c..0e7d867 100644
--- a/src/crypto/bn/generic.c
+++ b/src/crypto/bn/generic.c
@@ -585,23 +585,27 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
     t1 = a[0];
     t2 = b[0];
     r[0] = (t1 - t2 - c) & BN_MASK2;
-    if (t1 != t2)
+    if (t1 != t2) {
       c = (t1 < t2);
+    }
     t1 = a[1];
     t2 = b[1];
     r[1] = (t1 - t2 - c) & BN_MASK2;
-    if (t1 != t2)
+    if (t1 != t2) {
       c = (t1 < t2);
+    }
     t1 = a[2];
     t2 = b[2];
     r[2] = (t1 - t2 - c) & BN_MASK2;
-    if (t1 != t2)
+    if (t1 != t2) {
       c = (t1 < t2);
+    }
     t1 = a[3];
     t2 = b[3];
     r[3] = (t1 - t2 - c) & BN_MASK2;
-    if (t1 != t2)
+    if (t1 != t2) {
       c = (t1 < t2);
+    }
     a += 4;
     b += 4;
     r += 4;
@@ -611,8 +615,9 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
     t1 = a[0];
     t2 = b[0];
     r[0] = (t1 - t2 - c) & BN_MASK2;
-    if (t1 != t2)
+    if (t1 != t2) {
       c = (t1 < t2);
+    }
     a++;
     b++;
     r++;
@@ -1050,11 +1055,13 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
 #ifdef mul64
   mh = HBITS(ml);
   ml = LBITS(ml);
-  for (j = 0; j < num; ++j)
+  for (j = 0; j < num; ++j) {
     mul(tp[j], ap[j], ml, mh, c0);
+  }
 #else
-  for (j = 0; j < num; ++j)
+  for (j = 0; j < num; ++j) {
     mul(tp[j], ap[j], ml, c0);
+  }
 #endif
 
   tp[num] = c0;
@@ -1067,11 +1074,13 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
 #ifdef mul64
     mh = HBITS(ml);
     ml = LBITS(ml);
-    for (j = 0; j < num; ++j)
+    for (j = 0; j < num; ++j) {
       mul_add(tp[j], ap[j], ml, mh, c0);
+    }
 #else
-    for (j = 0; j < num; ++j)
+    for (j = 0; j < num; ++j) {
       mul_add(tp[j], ap[j], ml, c0);
+    }
 #endif
     c1 = (tp[num] + c0) & BN_MASK2;
     tp[num] = c1;
@@ -1104,13 +1113,15 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
   if (tp[num] != 0 || tp[num - 1] >= np[num - 1]) {
     c0 = bn_sub_words(rp, tp, np, num);
     if (tp[num] != 0 || c0 == 0) {
-      for (i = 0; i < num + 2; i++)
+      for (i = 0; i < num + 2; i++) {
         vp[i] = 0;
+      }
       return 1;
     }
   }
-  for (i = 0; i < num; i++)
+  for (i = 0; i < num; i++) {
     rp[i] = tp[i], vp[i] = 0;
+  }
   vp[num] = 0;
   vp[num + 1] = 0;
   return 1;
diff --git a/src/crypto/bn/internal.h b/src/crypto/bn/internal.h
index d421cf3..2674b3c 100644
--- a/src/crypto/bn/internal.h
+++ b/src/crypto/bn/internal.h
@@ -125,10 +125,10 @@
 
 #include <openssl/base.h>
 
-#include <inttypes.h>
-
 #if defined(OPENSSL_X86_64) && defined(_MSC_VER) && _MSC_VER >= 1400
+#pragma warning(push, 3)
 #include <intrin.h>
+#pragma warning(pop)
 #pragma intrinsic(__umulh, _umul128)
 #endif
 
@@ -159,10 +159,7 @@ BIGNUM *bn_expand(BIGNUM *bn, unsigned bits);
 #define BN_MASK2h1	(0xffffffff80000000L)
 #define BN_TBIT		(0x8000000000000000L)
 #define BN_DEC_CONV	(10000000000000000000UL)
-#define BN_DEC_FMT1	"%" PRIu64
-#define BN_DEC_FMT2	"%019" PRIu64
 #define BN_DEC_NUM	19
-#define BN_HEX_FMT1	"%" PRIx64
 
 #elif defined(OPENSSL_32_BIT)
 
@@ -179,10 +176,7 @@ BIGNUM *bn_expand(BIGNUM *bn, unsigned bits);
 #define BN_MASK2h	(0xffff0000L)
 #define BN_TBIT		(0x80000000L)
 #define BN_DEC_CONV	(1000000000L)
-#define BN_DEC_FMT1	"%" PRIu32
-#define BN_DEC_FMT2	"%09" PRIu32
 #define BN_DEC_NUM	9
-#define BN_HEX_FMT1	"%" PRIx32
 
 #else
 #error "Must define either OPENSSL_32_BIT or OPENSSL_64_BIT"
diff --git a/src/crypto/bn/montgomery.c b/src/crypto/bn/montgomery.c
index 65e177c..152cf2d 100644
--- a/src/crypto/bn/montgomery.c
+++ b/src/crypto/bn/montgomery.c
@@ -114,6 +114,7 @@
 #include <openssl/thread.h>
 
 #include "internal.h"
+#include "../internal.h"
 
 
 #if !defined(OPENSSL_NO_ASM) && \
@@ -292,44 +293,36 @@ err:
   return ret;
 }
 
-BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock,
-                                    const BIGNUM *mod, BN_CTX *ctx) {
-  BN_MONT_CTX *ret;
-
-  CRYPTO_r_lock(lock);
-  ret = *pmont;
-  CRYPTO_r_unlock(lock);
-  if (ret) {
-    return ret;
-  }
-
-  /* We don't want to serialise globally while doing our lazy-init math in
-   * BN_MONT_CTX_set. That punishes threads that are doing independent
-   * things. Instead, punish the case where more than one thread tries to
-   * lazy-init the same 'pmont', by having each do the lazy-init math work
-   * independently and only use the one from the thread that wins the race
-   * (the losers throw away the work they've done). */
-  ret = BN_MONT_CTX_new();
-  if (!ret) {
-    return NULL;
-  }
-  if (!BN_MONT_CTX_set(ret, mod, ctx)) {
-    BN_MONT_CTX_free(ret);
-    return NULL;
+BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, CRYPTO_MUTEX *lock,
+                                    const BIGNUM *mod, BN_CTX *bn_ctx) {
+  CRYPTO_MUTEX_lock_read(lock);
+  BN_MONT_CTX *ctx = *pmont;
+  CRYPTO_MUTEX_unlock(lock);
+
+  if (ctx) {
+    return ctx;
   }
 
-  /* The locked compare-and-set, after the local work is done. */
-  CRYPTO_w_lock(lock);
-  if (*pmont) {
-    BN_MONT_CTX_free(ret);
-    ret = *pmont;
-  } else {
-    *pmont = ret;
+  CRYPTO_MUTEX_lock_write(lock);
+  ctx = *pmont;
+  if (ctx) {
+    goto out;
   }
 
-  CRYPTO_w_unlock(lock);
+  ctx = BN_MONT_CTX_new();
+  if (ctx == NULL) {
+    goto out;
+  }
+  if (!BN_MONT_CTX_set(ctx, mod, bn_ctx)) {
+    BN_MONT_CTX_free(ctx);
+    ctx = NULL;
+    goto out;
+  }
+  *pmont = ctx;
 
-  return ret;
+out:
+  CRYPTO_MUTEX_unlock(lock);
+  return ctx;
 }
 
 int BN_to_montgomery(BIGNUM *ret, const BIGNUM *a, const BN_MONT_CTX *mont,
@@ -514,8 +507,9 @@ int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, const BN_MONT_CTX *mont,
     return 0;
   }
 
-  if (BN_copy(t, a))
+  if (BN_copy(t, a)) {
     retn = BN_from_montgomery_word(ret, t, mont);
+  }
   BN_CTX_end(ctx);
 
   return retn;
diff --git a/src/crypto/bn/mul.c b/src/crypto/bn/mul.c
index 80c6288..a17d766 100644
--- a/src/crypto/bn/mul.c
+++ b/src/crypto/bn/mul.c
@@ -150,8 +150,9 @@ static BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a,
   assert(cl >= 0);
   c = bn_sub_words(r, a, b, cl);
 
-  if (dl == 0)
+  if (dl == 0) {
     return c;
+  }
 
   r += cl;
   a += cl;
@@ -330,8 +331,9 @@ static void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
   /* Else do normal multiply */
   if (n2 < BN_MUL_RECURSIVE_SIZE_NORMAL) {
     bn_mul_normal(r, a, n2 + dna, b, n2 + dnb);
-    if ((dna + dnb) < 0)
+    if ((dna + dnb) < 0) {
       memset(&r[2 * n2 + dna + dnb], 0, sizeof(BN_ULONG) * -(dna + dnb));
+    }
     return;
   }
 
diff --git a/src/crypto/bn/prime.c b/src/crypto/bn/prime.c
index fc9a3d5..cf3afcf 100644
--- a/src/crypto/bn/prime.c
+++ b/src/crypto/bn/prime.c
@@ -659,7 +659,13 @@ again:
   /* If bits is so small that it fits into a single word then we
    * additionally don't want to exceed that many bits. */
   if (is_single_word) {
-    BN_ULONG size_limit = (((BN_ULONG)1) << bits) - get_word(rnd) - 1;
+    BN_ULONG size_limit;
+    if (bits == BN_BITS2) {
+      /* Avoid undefined behavior. */
+      size_limit = ~((BN_ULONG)0) - get_word(rnd);
+    } else {
+      size_limit = (((BN_ULONG)1) << bits) - get_word(rnd) - 1;
+    }
     if (size_limit < maxdelta) {
       maxdelta = size_limit;
     }
@@ -682,8 +688,9 @@ loop:
     for (i = 1; i < NUMPRIMES && primes[i] < rnd_word; i++) {
       if ((mods[i] + delta) % primes[i] == 0) {
         delta += 2;
-        if (delta > maxdelta)
+        if (delta > maxdelta) {
           goto again;
+        }
         goto loop;
       }
     }
@@ -693,8 +700,9 @@ loop:
        * that gcd(rnd-1,primes) == 1 (except for 2) */
       if (((mods[i] + delta) % primes[i]) <= 1) {
         delta += 2;
-        if (delta > maxdelta)
+        if (delta > maxdelta) {
           goto again;
+        }
         goto loop;
       }
     }
diff --git a/src/crypto/bn/random.c b/src/crypto/bn/random.c
index 285bf26..3be7510 100644
--- a/src/crypto/bn/random.c
+++ b/src/crypto/bn/random.c
@@ -321,8 +321,6 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, const BIGNUM *priv,
   ret = 1;
 
 err:
-  if (k_bytes) {
-    OPENSSL_free(k_bytes);
-  }
+  OPENSSL_free(k_bytes);
   return ret;
 }
diff --git a/src/crypto/bn/sqrt.c b/src/crypto/bn/sqrt.c
index 07041f9..e71a818 100644
--- a/src/crypto/bn/sqrt.c
+++ b/src/crypto/bn/sqrt.c
@@ -420,7 +420,7 @@ vrfy:
 
 end:
   if (err) {
-    if (ret != NULL && ret != in) {
+    if (ret != in) {
       BN_clear_free(ret);
     }
     ret = NULL;
diff --git a/src/crypto/buf/CMakeLists.txt b/src/crypto/buf/CMakeLists.txt
index dabf8d1..19edf7d 100644
--- a/src/crypto/buf/CMakeLists.txt
+++ b/src/crypto/buf/CMakeLists.txt
@@ -6,5 +6,4 @@ add_library(
   OBJECT
 
   buf.c
-  buf_error.c
 )
diff --git a/src/crypto/bytestring/CMakeLists.txt b/src/crypto/bytestring/CMakeLists.txt
index 8d6be7b..d1f0441 100644
--- a/src/crypto/bytestring/CMakeLists.txt
+++ b/src/crypto/bytestring/CMakeLists.txt
@@ -13,7 +13,7 @@ add_library(
 add_executable(
   bytestring_test
 
-  bytestring_test.c
+  bytestring_test.cc
 )
 
 target_link_libraries(bytestring_test crypto)
diff --git a/src/crypto/bytestring/bytestring_test.c b/src/crypto/bytestring/bytestring_test.cc
index cd0155e..66e9c1e 100644
--- a/src/crypto/bytestring/bytestring_test.c
+++ b/src/crypto/bytestring/bytestring_test.cc
@@ -16,14 +16,17 @@
 #include <stdlib.h>
 #include <string.h>
 
+#include <vector>
+
 #include <openssl/crypto.h>
 #include <openssl/bytestring.h>
 
 #include "internal.h"
 #include "../internal.h"
+#include "../test/scoped_types.h"
 
 
-static int test_skip(void) {
+static bool TestSkip() {
   static const uint8_t kData[] = {1, 2, 3};
   CBS data;
 
@@ -36,7 +39,7 @@ static int test_skip(void) {
       !CBS_skip(&data, 1);
 }
 
-static int test_get_u(void) {
+static bool TestGetUint() {
   static const uint8_t kData[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
   uint8_t u8;
   uint16_t u16;
@@ -55,7 +58,7 @@ static int test_get_u(void) {
     !CBS_get_u8(&data, &u8);
 }
 
-static int test_get_prefixed(void) {
+static bool TestGetPrefixed() {
   static const uint8_t kData[] = {1, 2, 0, 2, 3, 4, 0, 0, 3, 3, 2, 1};
   uint8_t u8;
   uint16_t u16;
@@ -77,7 +80,7 @@ static int test_get_prefixed(void) {
     u32 == 0x30201;
 }
 
-static int test_get_prefixed_bad(void) {
+static bool TestGetPrefixedBad() {
   static const uint8_t kData1[] = {2, 1};
   static const uint8_t kData2[] = {0, 2, 1};
   static const uint8_t kData3[] = {0, 0, 2, 1};
@@ -85,23 +88,23 @@ static int test_get_prefixed_bad(void) {
 
   CBS_init(&data, kData1, sizeof(kData1));
   if (CBS_get_u8_length_prefixed(&data, &prefixed)) {
-    return 0;
+    return false;
   }
 
   CBS_init(&data, kData2, sizeof(kData2));
   if (CBS_get_u16_length_prefixed(&data, &prefixed)) {
-    return 0;
+    return false;
   }
 
   CBS_init(&data, kData3, sizeof(kData3));
   if (CBS_get_u24_length_prefixed(&data, &prefixed)) {
-    return 0;
+    return false;
   }
 
-  return 1;
+  return true;
 }
 
-static int test_get_asn1(void) {
+static bool TestGetASN1() {
   static const uint8_t kData1[] = {0x30, 2, 1, 2};
   static const uint8_t kData2[] = {0x30, 3, 1, 2};
   static const uint8_t kData3[] = {0x30, 0x80};
@@ -119,52 +122,52 @@ static int test_get_asn1(void) {
   CBS_init(&data, kData1, sizeof(kData1));
   if (CBS_peek_asn1_tag(&data, 0x1) ||
       !CBS_peek_asn1_tag(&data, 0x30)) {
-    return 0;
+    return false;
   }
   if (!CBS_get_asn1(&data, &contents, 0x30) ||
       CBS_len(&contents) != 2 ||
       memcmp(CBS_data(&contents), "\x01\x02", 2) != 0) {
-    return 0;
+    return false;
   }
 
   CBS_init(&data, kData2, sizeof(kData2));
-  /* data is truncated */
+  // data is truncated
   if (CBS_get_asn1(&data, &contents, 0x30)) {
-    return 0;
+    return false;
   }
 
   CBS_init(&data, kData3, sizeof(kData3));
-  /* zero byte length of length */
+  // zero byte length of length
   if (CBS_get_asn1(&data, &contents, 0x30)) {
-    return 0;
+    return false;
   }
 
   CBS_init(&data, kData4, sizeof(kData4));
-  /* long form mistakenly used. */
+  // long form mistakenly used.
   if (CBS_get_asn1(&data, &contents, 0x30)) {
-    return 0;
+    return false;
   }
 
   CBS_init(&data, kData5, sizeof(kData5));
-  /* length takes too many bytes. */
+  // length takes too many bytes.
   if (CBS_get_asn1(&data, &contents, 0x30)) {
-    return 0;
+    return false;
   }
 
   CBS_init(&data, kData1, sizeof(kData1));
-  /* wrong tag. */
+  // wrong tag.
   if (CBS_get_asn1(&data, &contents, 0x31)) {
-    return 0;
+    return false;
   }
 
   CBS_init(&data, NULL, 0);
-  /* peek at empty data. */
+  // peek at empty data.
   if (CBS_peek_asn1_tag(&data, 0x30)) {
-    return 0;
+    return false;
   }
 
   CBS_init(&data, NULL, 0);
-  /* optional elements at empty data. */
+  // optional elements at empty data.
   if (!CBS_get_optional_asn1(&data, &contents, &present, 0xa0) ||
       present ||
       !CBS_get_optional_asn1_octet_string(&data, &contents, &present, 0xa0) ||
@@ -174,22 +177,22 @@ static int test_get_asn1(void) {
       CBS_len(&contents) != 0 ||
       !CBS_get_optional_asn1_uint64(&data, &value, 0xa0, 42) ||
       value != 42) {
-    return 0;
+    return false;
   }
 
   CBS_init(&data, kData6, sizeof(kData6));
-  /* optional element. */
+  // optional element.
   if (!CBS_get_optional_asn1(&data, &contents, &present, 0xa0) ||
       present ||
       !CBS_get_optional_asn1(&data, &contents, &present, 0xa1) ||
       !present ||
       CBS_len(&contents) != 3 ||
       memcmp(CBS_data(&contents), "\x04\x01\x01", 3) != 0) {
-    return 0;
+    return false;
   }
 
   CBS_init(&data, kData6, sizeof(kData6));
-  /* optional octet string. */
+  // optional octet string.
   if (!CBS_get_optional_asn1_octet_string(&data, &contents, &present, 0xa0) ||
       present ||
       CBS_len(&contents) != 0 ||
@@ -197,97 +200,96 @@ static int test_get_asn1(void) {
       !present ||
       CBS_len(&contents) != 1 ||
       CBS_data(&contents)[0] != 1) {
-    return 0;
+    return false;
   }
 
   CBS_init(&data, kData7, sizeof(kData7));
-  /* invalid optional octet string. */
+  // invalid optional octet string.
   if (CBS_get_optional_asn1_octet_string(&data, &contents, &present, 0xa1)) {
-    return 0;
+    return false;
   }
 
   CBS_init(&data, kData8, sizeof(kData8));
-  /* optional octet string. */
+  // optional octet string.
   if (!CBS_get_optional_asn1_uint64(&data, &value, 0xa0, 42) ||
       value != 42 ||
       !CBS_get_optional_asn1_uint64(&data, &value, 0xa1, 42) ||
       value != 1) {
-    return 0;
+    return false;
   }
 
   CBS_init(&data, kData9, sizeof(kData9));
-  /* invalid optional integer. */
+  // invalid optional integer.
   if (CBS_get_optional_asn1_uint64(&data, &value, 0xa1, 42)) {
-    return 0;
+    return false;
   }
 
-  return 1;
+  return true;
 }
 
-static int test_get_optional_asn1_bool(void) {
-  CBS data;
-  int val;
-
+static bool TestGetOptionalASN1Bool() {
   static const uint8_t kTrue[] = {0x0a, 3, CBS_ASN1_BOOLEAN, 1, 0xff};
   static const uint8_t kFalse[] = {0x0a, 3, CBS_ASN1_BOOLEAN, 1, 0x00};
   static const uint8_t kInvalid[] = {0x0a, 3, CBS_ASN1_BOOLEAN, 1, 0x01};
 
+  CBS data;
   CBS_init(&data, NULL, 0);
-  val = 2;
+  int val = 2;
   if (!CBS_get_optional_asn1_bool(&data, &val, 0x0a, 0) ||
       val != 0) {
-    return 0;
+    return false;
   }
 
   CBS_init(&data, kTrue, sizeof(kTrue));
   val = 2;
   if (!CBS_get_optional_asn1_bool(&data, &val, 0x0a, 0) ||
       val != 1) {
-    return 0;
+    return false;
   }
 
   CBS_init(&data, kFalse, sizeof(kFalse));
   val = 2;
   if (!CBS_get_optional_asn1_bool(&data, &val, 0x0a, 1) ||
       val != 0) {
-    return 0;
+    return false;
   }
 
   CBS_init(&data, kInvalid, sizeof(kInvalid));
   if (CBS_get_optional_asn1_bool(&data, &val, 0x0a, 1)) {
-    return 0;
+    return false;
   }
 
-  return 1;
+  return true;
 }
 
-static int test_cbb_basic(void) {
+static bool TestCBBBasic() {
   static const uint8_t kExpected[] = {1, 2, 3, 4, 5, 6, 7, 8};
   uint8_t *buf;
   size_t buf_len;
-  int ok;
   CBB cbb;
 
   if (!CBB_init(&cbb, 100)) {
-    return 0;
+    return false;
   }
   CBB_cleanup(&cbb);
 
-  if (!CBB_init(&cbb, 0) ||
-      !CBB_add_u8(&cbb, 1) ||
+  if (!CBB_init(&cbb, 0)) {
+    return false;
+  }
+  if (!CBB_add_u8(&cbb, 1) ||
       !CBB_add_u16(&cbb, 0x203) ||
       !CBB_add_u24(&cbb, 0x40506) ||
       !CBB_add_bytes(&cbb, (const uint8_t*) "\x07\x08", 2) ||
       !CBB_finish(&cbb, &buf, &buf_len)) {
-    return 0;
+    CBB_cleanup(&cbb);
+    return false;
   }
 
-  ok = buf_len == sizeof(kExpected) && memcmp(buf, kExpected, buf_len) == 0;
-  free(buf);
-  return ok;
+  ScopedOpenSSLBytes scoper(buf);
+  return buf_len == sizeof(kExpected) && memcmp(buf, kExpected, buf_len) == 0;
 }
 
-static int test_cbb_fixed(void) {
+static bool TestCBBFixed() {
   CBB cbb;
   uint8_t buf[1];
   uint8_t *out_buf;
@@ -298,7 +300,7 @@ static int test_cbb_fixed(void) {
       !CBB_finish(&cbb, &out_buf, &out_size) ||
       out_buf != NULL ||
       out_size != 0) {
-    return 0;
+    return false;
   }
 
   if (!CBB_init_fixed(&cbb, buf, 1) ||
@@ -308,40 +310,41 @@ static int test_cbb_fixed(void) {
       out_buf != buf ||
       out_size != 1 ||
       buf[0] != 1) {
-    return 0;
+    return false;
   }
 
-  return 1;
+  return true;
 }
 
-static int test_cbb_finish_child(void) {
+static bool TestCBBFinishChild() {
   CBB cbb, child;
   uint8_t *out_buf;
   size_t out_size;
 
-  if (!CBB_init(&cbb, 16) ||
-      !CBB_add_u8_length_prefixed(&cbb, &child) ||
+  if (!CBB_init(&cbb, 16)) {
+    return false;
+  }
+  if (!CBB_add_u8_length_prefixed(&cbb, &child) ||
       CBB_finish(&child, &out_buf, &out_size) ||
-      !CBB_finish(&cbb, &out_buf, &out_size) ||
-      out_size != 1 ||
-      out_buf[0] != 0) {
-    return 0;
+      !CBB_finish(&cbb, &out_buf, &out_size)) {
+    CBB_cleanup(&cbb);
+    return false;
   }
-
-  free(out_buf);
-  return 1;
+  ScopedOpenSSLBytes scoper(out_buf);
+  return out_size == 1 && out_buf[0] == 0;
 }
 
-static int test_cbb_prefixed(void) {
+static bool TestCBBPrefixed() {
   static const uint8_t kExpected[] = {0, 1, 1, 0, 2, 2, 3, 0, 0, 3,
                                       4, 5, 6, 5, 4, 1, 0, 1, 2};
   uint8_t *buf;
   size_t buf_len;
   CBB cbb, contents, inner_contents, inner_inner_contents;
-  int ok;
 
-  if (!CBB_init(&cbb, 0) ||
-      !CBB_add_u8_length_prefixed(&cbb, &contents) ||
+  if (!CBB_init(&cbb, 0)) {
+    return false;
+  }
+  if (!CBB_add_u8_length_prefixed(&cbb, &contents) ||
       !CBB_add_u8_length_prefixed(&cbb, &contents) ||
       !CBB_add_u8(&contents, 1) ||
       !CBB_add_u16_length_prefixed(&cbb, &contents) ||
@@ -354,28 +357,31 @@ static int test_cbb_prefixed(void) {
       !CBB_add_u16_length_prefixed(&inner_contents, &inner_inner_contents) ||
       !CBB_add_u8(&inner_inner_contents, 2) ||
       !CBB_finish(&cbb, &buf, &buf_len)) {
-    return 0;
+    CBB_cleanup(&cbb);
+    return false;
   }
 
-  ok = buf_len == sizeof(kExpected) && memcmp(buf, kExpected, buf_len) == 0;
-  free(buf);
-  return ok;
+  ScopedOpenSSLBytes scoper(buf);
+  return buf_len == sizeof(kExpected) && memcmp(buf, kExpected, buf_len) == 0;
 }
 
-static int test_cbb_misuse(void) {
+static bool TestCBBMisuse() {
   CBB cbb, child, contents;
   uint8_t *buf;
   size_t buf_len;
 
-  if (!CBB_init(&cbb, 0) ||
-      !CBB_add_u8_length_prefixed(&cbb, &child) ||
+  if (!CBB_init(&cbb, 0)) {
+    return false;
+  }
+  if (!CBB_add_u8_length_prefixed(&cbb, &child) ||
       !CBB_add_u8(&child, 1) ||
       !CBB_add_u8(&cbb, 2)) {
-    return 0;
+    CBB_cleanup(&cbb);
+    return false;
   }
 
-  /* Since we wrote to |cbb|, |child| is now invalid and attempts to write to
-   * it should fail. */
+  // Since we wrote to |cbb|, |child| is now invalid and attempts to write to
+  // it should fail.
   if (CBB_add_u8(&child, 1) ||
       CBB_add_u16(&child, 1) ||
       CBB_add_u24(&child, 1) ||
@@ -384,91 +390,104 @@ static int test_cbb_misuse(void) {
       CBB_add_asn1(&child, &contents, 1) ||
       CBB_add_bytes(&child, (const uint8_t*) "a", 1)) {
     fprintf(stderr, "CBB operation on invalid CBB did not fail.\n");
-    return 0;
+    CBB_cleanup(&cbb);
+    return false;
   }
 
-  if (!CBB_finish(&cbb, &buf, &buf_len) ||
-      buf_len != 3 ||
-      memcmp(buf, "\x01\x01\x02", 3) != 0) {
-    return 0;
+  if (!CBB_finish(&cbb, &buf, &buf_len)) {
+    CBB_cleanup(&cbb);
+    return false;
   }
+  ScopedOpenSSLBytes scoper(buf);
 
-  free(buf);
-
-  return 1;
+  if (buf_len != 3 ||
+      memcmp(buf, "\x01\x01\x02", 3) != 0) {
+    return false;
+  }
+  return true;
 }
 
-static int test_cbb_asn1(void) {
+static bool TestCBBASN1() {
   static const uint8_t kExpected[] = {0x30, 3, 1, 2, 3};
-  uint8_t *buf, *test_data;
+  uint8_t *buf;
   size_t buf_len;
   CBB cbb, contents, inner_contents;
 
-  if (!CBB_init(&cbb, 0) ||
-      !CBB_add_asn1(&cbb, &contents, 0x30) ||
+  if (!CBB_init(&cbb, 0)) {
+    return false;
+  }
+  if (!CBB_add_asn1(&cbb, &contents, 0x30) ||
       !CBB_add_bytes(&contents, (const uint8_t*) "\x01\x02\x03", 3) ||
       !CBB_finish(&cbb, &buf, &buf_len)) {
-    return 0;
+    CBB_cleanup(&cbb);
+    return false;
   }
+  ScopedOpenSSLBytes scoper(buf);
 
   if (buf_len != sizeof(kExpected) || memcmp(buf, kExpected, buf_len) != 0) {
-    return 0;
+    return false;
   }
-  free(buf);
 
-  test_data = malloc(100000);
-  memset(test_data, 0x42, 100000);
+  std::vector<uint8_t> test_data(100000, 0x42);
 
-  if (!CBB_init(&cbb, 0) ||
-      !CBB_add_asn1(&cbb, &contents, 0x30) ||
-      !CBB_add_bytes(&contents, test_data, 130) ||
+  if (!CBB_init(&cbb, 0)) {
+    return false;
+  }
+  if (!CBB_add_asn1(&cbb, &contents, 0x30) ||
+      !CBB_add_bytes(&contents, bssl::vector_data(&test_data), 130) ||
       !CBB_finish(&cbb, &buf, &buf_len)) {
-    return 0;
+    CBB_cleanup(&cbb);
+    return false;
   }
+  scoper.reset(buf);
 
   if (buf_len != 3 + 130 ||
       memcmp(buf, "\x30\x81\x82", 3) != 0 ||
-      memcmp(buf + 3, test_data, 130) != 0) {
-    return 0;
+      memcmp(buf + 3, bssl::vector_data(&test_data), 130) != 0) {
+    return false;
   }
-  free(buf);
 
-  if (!CBB_init(&cbb, 0) ||
-      !CBB_add_asn1(&cbb, &contents, 0x30) ||
-      !CBB_add_bytes(&contents, test_data, 1000) ||
+  if (!CBB_init(&cbb, 0)) {
+    return false;
+  }
+  if (!CBB_add_asn1(&cbb, &contents, 0x30) ||
+      !CBB_add_bytes(&contents, bssl::vector_data(&test_data), 1000) ||
       !CBB_finish(&cbb, &buf, &buf_len)) {
-    return 0;
+    CBB_cleanup(&cbb);
+    return false;
   }
+  scoper.reset(buf);
 
   if (buf_len != 4 + 1000 ||
       memcmp(buf, "\x30\x82\x03\xe8", 4) != 0 ||
-      memcmp(buf + 4, test_data, 1000)) {
-    return 0;
+      memcmp(buf + 4, bssl::vector_data(&test_data), 1000)) {
+    return false;
   }
-  free(buf);
 
-  if (!CBB_init(&cbb, 0) ||
-      !CBB_add_asn1(&cbb, &contents, 0x30) ||
+  if (!CBB_init(&cbb, 0)) {
+    return false;
+  }
+  if (!CBB_add_asn1(&cbb, &contents, 0x30) ||
       !CBB_add_asn1(&contents, &inner_contents, 0x30) ||
-      !CBB_add_bytes(&inner_contents, test_data, 100000) ||
+      !CBB_add_bytes(&inner_contents, bssl::vector_data(&test_data), 100000) ||
       !CBB_finish(&cbb, &buf, &buf_len)) {
-    return 0;
+    CBB_cleanup(&cbb);
+    return false;
   }
+  scoper.reset(buf);
 
   if (buf_len != 5 + 5 + 100000 ||
       memcmp(buf, "\x30\x83\x01\x86\xa5\x30\x83\x01\x86\xa0", 10) != 0 ||
-      memcmp(buf + 10, test_data, 100000)) {
-    return 0;
+      memcmp(buf + 10, bssl::vector_data(&test_data), 100000)) {
+    return false;
   }
-  free(buf);
 
-  free(test_data);
-  return 1;
+  return true;
 }
 
-static int do_ber_convert(const char *name,
-                          const uint8_t *der_expected, size_t der_len,
-                          const uint8_t *ber, size_t ber_len) {
+static bool DoBerConvert(const char *name,
+                         const uint8_t *der_expected, size_t der_len,
+                         const uint8_t *ber, size_t ber_len) {
   CBS in;
   uint8_t *out;
   size_t out_len;
@@ -476,44 +495,44 @@ static int do_ber_convert(const char *name,
   CBS_init(&in, ber, ber_len);
   if (!CBS_asn1_ber_to_der(&in, &out, &out_len)) {
     fprintf(stderr, "%s: CBS_asn1_ber_to_der failed.\n", name);
-    return 0;
+    return false;
   }
+  ScopedOpenSSLBytes scoper(out);
 
   if (out == NULL) {
     if (ber_len != der_len ||
         memcmp(der_expected, ber, ber_len) != 0) {
       fprintf(stderr, "%s: incorrect unconverted result.\n", name);
-      return 0;
+      return false;
     }
 
-    return 1;
+    return true;
   }
 
   if (out_len != der_len ||
       memcmp(out, der_expected, der_len) != 0) {
     fprintf(stderr, "%s: incorrect converted result.\n", name);
-    return 0;
+    return false;
   }
 
-  free(out);
-  return 1;
+  return true;
 }
 
-static int test_ber_convert(void) {
+static bool TestBerConvert() {
   static const uint8_t kSimpleBER[] = {0x01, 0x01, 0x00};
 
-  /* kIndefBER contains a SEQUENCE with an indefinite length. */
+  // kIndefBER contains a SEQUENCE with an indefinite length.
   static const uint8_t kIndefBER[] = {0x30, 0x80, 0x01, 0x01, 0x02, 0x00, 0x00};
   static const uint8_t kIndefDER[] = {0x30, 0x03, 0x01, 0x01, 0x02};
 
-  /* kOctetStringBER contains an indefinite length OCTETSTRING with two parts.
-   * These parts need to be concatenated in DER form. */
+  // kOctetStringBER contains an indefinite length OCTETSTRING with two parts.
+  // These parts need to be concatenated in DER form.
   static const uint8_t kOctetStringBER[] = {0x24, 0x80, 0x04, 0x02, 0,    1,
                                             0x04, 0x02, 2,    3,    0x00, 0x00};
   static const uint8_t kOctetStringDER[] = {0x04, 0x04, 0, 1, 2, 3};
 
-  /* kNSSBER is part of a PKCS#12 message generated by NSS that uses indefinite
-   * length elements extensively. */
+  // kNSSBER is part of a PKCS#12 message generated by NSS that uses indefinite
+  // length elements extensively.
   static const uint8_t kNSSBER[] = {
       0x30, 0x80, 0x02, 0x01, 0x03, 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48,
       0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x80, 0x24, 0x80, 0x04, 0x04,
@@ -536,56 +555,57 @@ static int test_ber_convert(void) {
       0x6e, 0x10, 0x9b, 0xb8, 0x02, 0x02, 0x07, 0xd0,
   };
 
-  return do_ber_convert("kSimpleBER", kSimpleBER, sizeof(kSimpleBER),
-                        kSimpleBER, sizeof(kSimpleBER)) &&
-         do_ber_convert("kIndefBER", kIndefDER, sizeof(kIndefDER), kIndefBER,
-                        sizeof(kIndefBER)) &&
-         do_ber_convert("kOctetStringBER", kOctetStringDER,
-                        sizeof(kOctetStringDER), kOctetStringBER,
-                        sizeof(kOctetStringBER)) &&
-         do_ber_convert("kNSSBER", kNSSDER, sizeof(kNSSDER), kNSSBER,
-                        sizeof(kNSSBER));
+  return DoBerConvert("kSimpleBER", kSimpleBER, sizeof(kSimpleBER),
+                      kSimpleBER, sizeof(kSimpleBER)) &&
+         DoBerConvert("kIndefBER", kIndefDER, sizeof(kIndefDER), kIndefBER,
+                      sizeof(kIndefBER)) &&
+         DoBerConvert("kOctetStringBER", kOctetStringDER,
+                      sizeof(kOctetStringDER), kOctetStringBER,
+                      sizeof(kOctetStringBER)) &&
+         DoBerConvert("kNSSBER", kNSSDER, sizeof(kNSSDER), kNSSBER,
+                      sizeof(kNSSBER));
 }
 
-typedef struct {
+struct ASN1Uint64Test {
   uint64_t value;
   const char *encoding;
   size_t encoding_len;
-} ASN1_UINT64_TEST;
-
-static const ASN1_UINT64_TEST kAsn1Uint64Tests[] = {
-  {0, "\x02\x01\x00", 3},
-  {1, "\x02\x01\x01", 3},
-  {127, "\x02\x01\x7f", 3},
-  {128, "\x02\x02\x00\x80", 4},
-  {0xdeadbeef, "\x02\x05\x00\xde\xad\xbe\xef", 7},
-  {OPENSSL_U64(0x0102030405060708),
-   "\x02\x08\x01\x02\x03\x04\x05\x06\x07\x08", 10},
-  {OPENSSL_U64(0xffffffffffffffff),
-    "\x02\x09\x00\xff\xff\xff\xff\xff\xff\xff\xff", 11},
 };
 
-typedef struct {
+static const ASN1Uint64Test kASN1Uint64Tests[] = {
+    {0, "\x02\x01\x00", 3},
+    {1, "\x02\x01\x01", 3},
+    {127, "\x02\x01\x7f", 3},
+    {128, "\x02\x02\x00\x80", 4},
+    {0xdeadbeef, "\x02\x05\x00\xde\xad\xbe\xef", 7},
+    {OPENSSL_U64(0x0102030405060708),
+     "\x02\x08\x01\x02\x03\x04\x05\x06\x07\x08", 10},
+    {OPENSSL_U64(0xffffffffffffffff),
+      "\x02\x09\x00\xff\xff\xff\xff\xff\xff\xff\xff", 11},
+};
+
+struct ASN1InvalidUint64Test {
   const char *encoding;
   size_t encoding_len;
-} ASN1_INVALID_UINT64_TEST;
-
-static const ASN1_INVALID_UINT64_TEST kAsn1InvalidUint64Tests[] = {
-  /* Bad tag. */
-  {"\x03\x01\x00", 3},
-  /* Empty contents. */
-  {"\x02\x00", 2},
-  /* Negative number. */
-  {"\x02\x01\x80", 3},
-  /* Overflow */
-  {"\x02\x09\x01\x00\x00\x00\x00\x00\x00\x00\x00", 11},
 };
 
-static int test_asn1_uint64(void) {
-  size_t i;
+static const ASN1InvalidUint64Test kASN1InvalidUint64Tests[] = {
+    // Bad tag.
+    {"\x03\x01\x00", 3},
+    // Empty contents.
+    {"\x02\x00", 2},
+    // Negative number.
+    {"\x02\x01\x80", 3},
+    // Overflow.
+    {"\x02\x09\x01\x00\x00\x00\x00\x00\x00\x00\x00", 11},
+    // Leading zeros.
+    {"\x02\x02\x00\x01", 4},
+};
 
-  for (i = 0; i < sizeof(kAsn1Uint64Tests) / sizeof(kAsn1Uint64Tests[0]); i++) {
-    const ASN1_UINT64_TEST *test = &kAsn1Uint64Tests[i];
+static bool TestASN1Uint64() {
+  for (size_t i = 0; i < sizeof(kASN1Uint64Tests) / sizeof(kASN1Uint64Tests[0]);
+       i++) {
+    const ASN1Uint64Test *test = &kASN1Uint64Tests[i];
     CBS cbs;
     uint64_t value;
     CBB cbb;
@@ -596,57 +616,56 @@ static int test_asn1_uint64(void) {
     if (!CBS_get_asn1_uint64(&cbs, &value) ||
         CBS_len(&cbs) != 0 ||
         value != test->value) {
-      return 0;
+      return false;
     }
 
     if (!CBB_init(&cbb, 0)) {
-      return 0;
+      return false;
     }
     if (!CBB_add_asn1_uint64(&cbb, test->value) ||
         !CBB_finish(&cbb, &out, &len)) {
       CBB_cleanup(&cbb);
-      return 0;
+      return false;
     }
+    ScopedOpenSSLBytes scoper(out);
     if (len != test->encoding_len || memcmp(out, test->encoding, len) != 0) {
-      free(out);
-      return 0;
+      return false;
     }
-    free(out);
   }
 
-  for (i = 0;
-       i < sizeof(kAsn1InvalidUint64Tests) / sizeof(kAsn1InvalidUint64Tests[0]);
+  for (size_t i = 0;
+       i < sizeof(kASN1InvalidUint64Tests) / sizeof(kASN1InvalidUint64Tests[0]);
        i++) {
-    const ASN1_INVALID_UINT64_TEST *test = &kAsn1InvalidUint64Tests[i];
+    const ASN1InvalidUint64Test *test = &kASN1InvalidUint64Tests[i];
     CBS cbs;
     uint64_t value;
 
     CBS_init(&cbs, (const uint8_t *)test->encoding, test->encoding_len);
     if (CBS_get_asn1_uint64(&cbs, &value)) {
-      return 0;
+      return false;
     }
   }
 
-  return 1;
+  return true;
 }
 
 int main(void) {
   CRYPTO_library_init();
 
-  if (!test_skip() ||
-      !test_get_u() ||
-      !test_get_prefixed() ||
-      !test_get_prefixed_bad() ||
-      !test_get_asn1() ||
-      !test_cbb_basic() ||
-      !test_cbb_fixed() ||
-      !test_cbb_finish_child() ||
-      !test_cbb_misuse() ||
-      !test_cbb_prefixed() ||
-      !test_cbb_asn1() ||
-      !test_ber_convert() ||
-      !test_asn1_uint64() ||
-      !test_get_optional_asn1_bool()) {
+  if (!TestSkip() ||
+      !TestGetUint() ||
+      !TestGetPrefixed() ||
+      !TestGetPrefixedBad() ||
+      !TestGetASN1() ||
+      !TestCBBBasic() ||
+      !TestCBBFixed() ||
+      !TestCBBFinishChild() ||
+      !TestCBBMisuse() ||
+      !TestCBBPrefixed() ||
+      !TestCBBASN1() ||
+      !TestBerConvert() ||
+      !TestASN1Uint64() ||
+      !TestGetOptionalASN1Bool()) {
     return 1;
   }
 
diff --git a/src/crypto/bytestring/cbb.c b/src/crypto/bytestring/cbb.c
index 4428836..f1e09a2 100644
--- a/src/crypto/bytestring/cbb.c
+++ b/src/crypto/bytestring/cbb.c
@@ -25,7 +25,6 @@ static int cbb_init(CBB *cbb, uint8_t *buf, size_t cap) {
 
   base = OPENSSL_malloc(sizeof(struct cbb_buffer_st));
   if (base == NULL) {
-    OPENSSL_free(buf);
     return 0;
   }
 
@@ -48,7 +47,12 @@ int CBB_init(CBB *cbb, size_t initial_capacity) {
     return 0;
   }
 
-  return cbb_init(cbb, buf, initial_capacity);
+  if (!cbb_init(cbb, buf, initial_capacity)) {
+    OPENSSL_free(buf);
+    return 0;
+  }
+
+  return 1;
 }
 
 int CBB_init_fixed(CBB *cbb, uint8_t *buf, size_t len) {
@@ -62,7 +66,7 @@ int CBB_init_fixed(CBB *cbb, uint8_t *buf, size_t len) {
 
 void CBB_cleanup(CBB *cbb) {
   if (cbb->base) {
-    if (cbb->base->buf && cbb->base->can_resize) {
+    if (cbb->base->can_resize) {
       OPENSSL_free(cbb->base->buf);
     }
     OPENSSL_free(cbb->base);
@@ -276,6 +280,11 @@ int CBB_add_u24_length_prefixed(CBB *cbb, CBB *out_contents) {
 }
 
 int CBB_add_asn1(CBB *cbb, CBB *out_contents, uint8_t tag) {
+  if ((tag & 0x1f) == 0x1f) {
+    /* Long form identifier octets are not supported. */
+    return 0;
+  }
+
   if (!CBB_flush(cbb) ||
       !CBB_add_u8(cbb, tag)) {
     return 0;
diff --git a/src/crypto/bytestring/cbs.c b/src/crypto/bytestring/cbs.c
index b417716..10f1a99 100644
--- a/src/crypto/bytestring/cbs.c
+++ b/src/crypto/bytestring/cbs.c
@@ -52,10 +52,8 @@ size_t CBS_len(const CBS *cbs) {
 }
 
 int CBS_stow(const CBS *cbs, uint8_t **out_ptr, size_t *out_len) {
-  if (*out_ptr != NULL) {
-    OPENSSL_free(*out_ptr);
-    *out_ptr = NULL;
-  }
+  OPENSSL_free(*out_ptr);
+  *out_ptr = NULL;
   *out_len = 0;
 
   if (cbs->len == 0) {
@@ -82,8 +80,9 @@ int CBS_contains_zero_byte(const CBS *cbs) {
 }
 
 int CBS_mem_equal(const CBS *cbs, const uint8_t *data, size_t len) {
-  if (len != cbs->len)
+  if (len != cbs->len) {
     return 0;
+  }
   return CRYPTO_memcmp(cbs->data, data, len) == 0;
 }
 
@@ -290,7 +289,12 @@ int CBS_get_asn1_uint64(CBS *cbs, uint64_t *out) {
   }
 
   if ((data[0] & 0x80) != 0) {
-    /* negative number */
+    /* Negative number. */
+    return 0;
+  }
+
+  if (data[0] == 0 && len > 1 && (data[1] & 0x80) == 0) {
+    /* Extra leading zeros. */
     return 0;
   }
 
diff --git a/src/crypto/chacha/chacha_vec.c b/src/crypto/chacha/chacha_vec.c
index 88830bc..14b54a7 100644
--- a/src/crypto/chacha/chacha_vec.c
+++ b/src/crypto/chacha/chacha_vec.c
@@ -40,6 +40,7 @@ typedef unsigned vec __attribute__((vector_size(16)));
  * This implementation supports parallel processing of multiple blocks,
  * including potentially using general-purpose registers. */
 #if __ARM_NEON__
+#include <string.h>
 #include <arm_neon.h>
 #define GPR_TOO 1
 #define VBPI 2
@@ -158,33 +159,19 @@ void CRYPTO_chacha_20(
 	{
 	unsigned iters, i, *op=(unsigned *)out, *ip=(unsigned *)in, *kp;
 #if defined(__ARM_NEON__)
-	unsigned *np;
+	uint32_t np[2];
 	uint8_t alignment_buffer[16] __attribute__((aligned(16)));
 #endif
 	vec s0, s1, s2, s3;
-#if !defined(__ARM_NEON__) && !defined(__SSE2__)
-	__attribute__ ((aligned (16))) unsigned key[8], nonce[4];
-#endif
 	__attribute__ ((aligned (16))) unsigned chacha_const[] =
 		{0x61707865,0x3320646E,0x79622D32,0x6B206574};
-#if defined(__ARM_NEON__) || defined(__SSE2__)
-	kp = (unsigned *)key;
-#else
-	((vec *)key)[0] = REVV_BE(((vec *)key)[0]);
-	((vec *)key)[1] = REVV_BE(((vec *)key)[1]);
-	nonce[0] = REVW_BE(((unsigned *)nonce)[0]);
-	nonce[1] = REVW_BE(((unsigned *)nonce)[1]);
-	nonce[2] = REVW_BE(((unsigned *)nonce)[2]);
-	nonce[3] = REVW_BE(((unsigned *)nonce)[3]);
 	kp = (unsigned *)key;
-	np = (unsigned *)nonce;
-#endif
 #if defined(__ARM_NEON__)
-	np = (unsigned*) nonce;
+	memcpy(np, nonce, 8);
 #endif
 	s0 = LOAD_ALIGNED(chacha_const);
-	s1 = LOAD_ALIGNED(&((vec*)kp)[0]);
-	s2 = LOAD_ALIGNED(&((vec*)kp)[1]);
+	s1 = LOAD(&((vec*)kp)[0]);
+	s2 = LOAD(&((vec*)kp)[1]);
 	s3 = (vec){
 		counter & 0xffffffff,
 #if __ARM_NEON__ || defined(OPENSSL_X86)
diff --git a/src/crypto/chacha/chacha_vec_arm.S b/src/crypto/chacha/chacha_vec_arm.S
index 15d4556..ddc374e 100644
--- a/src/crypto/chacha/chacha_vec_arm.S
+++ b/src/crypto/chacha/chacha_vec_arm.S
@@ -59,131 +59,147 @@
 	.thumb_func
 	.type	CRYPTO_chacha_20_neon, %function
 CRYPTO_chacha_20_neon:
-	@ args = 8, pretend = 0, frame = 128
+	@ args = 8, pretend = 0, frame = 152
 	@ frame_needed = 1, uses_anonymous_args = 0
 	push	{r4, r5, r6, r7, r8, r9, r10, fp, lr}
-	mov	r4, r2
+	mov	r8, r3
 	vpush.64	{d8, d9, d10, d11, d12, d13, d14, d15}
-	movw	r8, #43691
-	movt	r8, 43690
-	mov	ip, r3
-	umull	r8, r9, r4, r8
-	sub	sp, sp, #132
-	add	r7, sp, #0
-	sub	sp, sp, #112
+	mov	r9, r2
+	ldr	r4, .L91+16
 	mov	fp, r0
 	mov	r10, r1
+	mov	lr, r8
+.LPIC16:
+	add	r4, pc
+	sub	sp, sp, #156
+	add	r7, sp, #0
+	sub	sp, sp, #112
+	add	r6, r7, #144
+	str	r0, [r7, #88]
+	str	r1, [r7, #12]
 	str	r2, [r7, #8]
+	ldmia	r4, {r0, r1, r2, r3}
 	add	r4, sp, #15
-	ldr	r2, .L92+16
 	bic	r4, r4, #15
-	ldr	r5, [r7, #232]
-	add	lr, r4, #64
-.LPIC16:
-	add	r2, pc
-	str	r0, [r7, #60]
-	str	r1, [r7, #12]
-	str	r3, [r7, #44]
-	ldmia	r2, {r0, r1, r2, r3}
-	ldr	r6, [r5]
-	str	r4, [r7, #72]
-	ldr	r5, [r5, #4]
-	ldr	r4, [r7, #236]
-	str	r6, [r7, #120]
-	str	r5, [r7, #124]
-	str	r4, [r7, #112]
-	stmia	lr, {r0, r1, r2, r3}
-	movs	r3, #0
-	ldr	r0, [r7, #72]
-	str	r3, [r7, #116]
-	lsrs	r3, r9, #7
-	vldr	d22, [r7, #112]
-	vldr	d23, [r7, #120]
-	vldr	d24, [r0, #64]
-	vldr	d25, [r0, #72]
-	vld1.64	{d26-d27}, [ip:64]
-	vldr	d28, [ip, #16]
-	vldr	d29, [ip, #24]
+	ldr	ip, [r7, #256]
+	str	r4, [r7, #84]
+	mov	r5, r4
+	adds	r4, r4, #64
+	adds	r5, r5, #80
+	str	r8, [r7, #68]
+	stmia	r4, {r0, r1, r2, r3}
+	movw	r4, #43691
+	ldr	r0, [ip]	@ unaligned
+	movt	r4, 43690
+	ldr	r1, [ip, #4]	@ unaligned
+	ldr	r3, [r7, #84]
+	ldr	r2, [r8, #8]	@ unaligned
+	mov	r8, #0
+	stmia	r6!, {r0, r1}
+	mov	r6, r5
+	ldr	r1, [lr, #4]	@ unaligned
+	ldr	r0, [lr]	@ unaligned
+	vldr	d24, [r3, #64]
+	vldr	d25, [r3, #72]
+	ldr	r3, [lr, #12]	@ unaligned
+	str	r5, [r7, #80]
+	stmia	r5!, {r0, r1, r2, r3}
+	ldr	r0, [lr, #16]!	@ unaligned
+	ldr	r2, [r7, #84]
+	umull	r4, r5, r9, r4
+	vldr	d26, [r2, #80]
+	vldr	d27, [r2, #88]
+	ldr	r1, [lr, #4]	@ unaligned
+	ldr	r2, [lr, #8]	@ unaligned
+	ldr	r3, [lr, #12]	@ unaligned
+	ldr	r4, [r7, #260]
+	stmia	r6!, {r0, r1, r2, r3}
+	ldr	r3, [ip]
+	ldr	r1, [r7, #84]
+	ldr	r2, [ip, #4]
+	str	r3, [r7, #64]
+	vldr	d28, [r1, #80]
+	vldr	d29, [r1, #88]
+	str	r3, [r7, #136]
+	lsrs	r3, r5, #7
+	str	r4, [r7, #128]
+	str	r2, [r7, #140]
+	str	r8, [r7, #132]
+	str	r2, [r7, #60]
+	vldr	d22, [r7, #128]
+	vldr	d23, [r7, #136]
 	beq	.L26
-	ldr	r1, [r0, #64]
 	lsls	r2, r3, #8
+	ldr	r5, [r1, #64]
 	sub	r3, r2, r3, lsl #6
+	ldr	r2, [r1, #68]
+	vldr	d0, .L91
+	vldr	d1, .L91+8
+	adds	r4, r4, #2
+	str	r5, [r7, #56]
+	str	r2, [r7, #52]
+	ldr	r5, [r1, #72]
+	ldr	r2, [r1, #76]
 	str	r3, [r7, #4]
-	ldr	r2, [r0, #72]
-	str	r1, [r7, #40]
-	mov	r1, r3
-	ldr	r3, [r0, #68]
-	vldr	d0, .L92
-	vldr	d1, .L92+8
-	str	r2, [r7, #32]
-	adds	r2, r4, #2
-	str	r3, [r7, #36]
-	ldr	r3, [r0, #76]
-	str	r2, [r7, #48]
-	mov	r2, r0
-	mov	r0, fp
-	str	r10, [r7, #64]
-	str	r3, [r7, #28]
-	adds	r3, r0, r1
-	mov	r1, r6
+	str	r5, [r7, #48]
+	str	r2, [r7, #44]
+	mov	r2, fp
+	str	r4, [r7, #72]
+	adds	r3, r2, r3
+	str	r10, [r7, #76]
 	str	r3, [r7, #16]
-	add	r3, r2, #80
-	mov	r2, r5
-	str	r3, [r7, #68]
 .L4:
-	ldr	r0, [r7, #44]
-	add	r8, r7, #28
-	str	r2, [r7, #108]
+	ldr	r5, [r7, #68]
+	add	r8, r7, #44
+	ldr	r4, [r7, #72]
 	vadd.i32	q3, q11, q0
 	ldmia	r8, {r8, r9, r10, fp}
 	vmov	q8, q14  @ v4si
-	ldr	r3, [r0]
+	ldr	r2, [r5, #4]
 	vmov	q1, q13  @ v4si
+	ldr	r3, [r5]
 	vmov	q9, q12  @ v4si
+	ldr	lr, [r5, #20]
 	vmov	q2, q11  @ v4si
-	str	r3, [r7, #52]
-	mov	r3, r0
-	ldr	r5, [r3, #8]
+	mov	r0, r2
+	ldr	r2, [r5, #8]
+	str	r3, [r7, #108]
+	mov	r3, r5
+	ldr	ip, [r5, #16]
 	vmov	q15, q14  @ v4si
-	ldr	lr, [r3, #20]
+	mov	r1, r2
+	ldr	r2, [r5, #12]
+	ldr	r5, [r5, #24]
 	vmov	q5, q13  @ v4si
-	ldr	r6, [r3, #12]
+	ldr	r6, [r3, #28]
 	vmov	q10, q12  @ v4si
-	str	r5, [r7, #92]
-	mov	r5, r3
-	ldr	r4, [r5, #28]
+	ldr	r3, [r7, #64]
+	str	r5, [r7, #116]
 	movs	r5, #10
-	ldr	ip, [r3, #16]
-	ldr	r3, [r3, #24]
-	str	r4, [r7, #104]
-	ldr	r4, [r7, #48]
-	str	r3, [r7, #100]
-	mov	r3, r1
-	str	r6, [r7, #56]
-	str	r4, [r7, #96]
-	str	r8, [r7, #80]
+	str	r6, [r7, #120]
+	str	r4, [r7, #112]
+	ldr	r6, [r7, #60]
+	str	r8, [r7, #96]
 	mov	r8, r10
-	ldr	r0, [r0, #4]
+	ldr	r4, [r7, #108]
 	mov	r10, r9
-	ldr	r1, [r7, #92]
-	ldr	r2, [r7, #56]
-	ldr	r9, [r7, #100]
-	ldr	r4, [r7, #52]
-	str	lr, [r7, #88]
+	ldr	r9, [r7, #116]
+	str	lr, [r7, #104]
 	mov	lr, r3
-	str	r5, [r7, #76]
+	str	r5, [r7, #92]
 	movs	r5, #0
-	str	r5, [r7, #84]
-	b	.L93
-.L94:
+	str	r6, [r7, #124]
+	str	r5, [r7, #100]
+	b	.L92
+.L93:
 	.align	3
-.L92:
+.L91:
 	.word	1
 	.word	0
 	.word	0
 	.word	0
 	.word	.LANCHOR0-(.LPIC16+4)
-.L93:
+.L92:
 .L3:
 	vadd.i32	q9, q9, q1
 	add	r3, r8, r0
@@ -192,8 +208,8 @@ CRYPTO_chacha_20_neon:
 	veor	q3, q3, q9
 	mov	r6, r3
 	veor	q2, q2, q10
-	ldr	r3, [r7, #80]
-	str	r5, [r7, #100]
+	ldr	r3, [r7, #96]
+	str	r5, [r7, #116]
 	add	r10, r10, r1
 	vrev32.16	q3, q3
 	eor	lr, lr, r10
@@ -201,13 +217,13 @@ CRYPTO_chacha_20_neon:
 	vrev32.16	q2, q2
 	vadd.i32	q15, q15, q2
 	mov	fp, r3
-	ldr	r3, [r7, #96]
+	ldr	r3, [r7, #112]
 	veor	q4, q8, q1
-	str	r6, [r7, #96]
+	str	r6, [r7, #112]
 	veor	q6, q15, q5
 	eors	r3, r3, r5
 	mov	r5, r6
-	ldr	r6, [r7, #84]
+	ldr	r6, [r7, #100]
 	vshl.i32	q1, q4, #12
 	vshl.i32	q5, q6, #12
 	add	fp, fp, r2
@@ -216,33 +232,33 @@ CRYPTO_chacha_20_neon:
 	vsri.32	q1, q4, #20
 	ror	lr, lr, #16
 	mov	r5, r6
-	ldr	r6, [r7, #108]
+	ldr	r6, [r7, #124]
 	vsri.32	q5, q6, #20
-	str	r3, [r7, #108]
+	str	r3, [r7, #124]
 	eor	r6, r6, fp
 	ror	r5, r5, #16
 	vadd.i32	q9, q9, q1
 	add	r9, r9, lr
 	ror	r3, r6, #16
-	ldr	r6, [r7, #108]
+	ldr	r6, [r7, #124]
 	vadd.i32	q10, q10, q5
-	str	r3, [r7, #92]
+	str	r3, [r7, #108]
 	veor	q4, q9, q3
 	add	ip, ip, r6
-	ldr	r6, [r7, #88]
+	ldr	r6, [r7, #104]
 	veor	q6, q10, q2
 	eor	r4, ip, r4
 	eor	r1, r9, r1
 	vshl.i32	q3, q4, #8
 	mov	r8, r6
-	ldr	r6, [r7, #104]
+	ldr	r6, [r7, #120]
 	vshl.i32	q2, q6, #8
 	ror	r4, r4, #20
 	add	r6, r6, r3
 	vsri.32	q3, q4, #24
-	str	r6, [r7, #88]
+	str	r6, [r7, #104]
 	eors	r2, r2, r6
-	ldr	r6, [r7, #100]
+	ldr	r6, [r7, #116]
 	vsri.32	q2, q6, #24
 	add	r8, r8, r5
 	ror	r2, r2, #20
@@ -251,42 +267,42 @@ CRYPTO_chacha_20_neon:
 	eor	r0, r8, r0
 	vadd.i32	q15, q15, q2
 	mov	r3, r6
-	ldr	r6, [r7, #96]
+	ldr	r6, [r7, #112]
 	veor	q6, q4, q1
 	ror	r0, r0, #20
-	str	r3, [r7, #96]
+	str	r3, [r7, #112]
 	veor	q5, q15, q5
 	adds	r6, r0, r6
-	str	r6, [r7, #104]
+	str	r6, [r7, #120]
 	mov	r6, r3
-	ldr	r3, [r7, #108]
+	ldr	r3, [r7, #124]
 	vshl.i32	q8, q6, #7
 	add	fp, fp, r2
 	eors	r3, r3, r6
-	ldr	r6, [r7, #104]
+	ldr	r6, [r7, #120]
 	vshl.i32	q1, q5, #7
 	ror	r1, r1, #20
 	eors	r5, r5, r6
 	vsri.32	q8, q6, #25
-	ldr	r6, [r7, #92]
+	ldr	r6, [r7, #108]
 	ror	r3, r3, #24
 	ror	r5, r5, #24
 	vsri.32	q1, q5, #25
-	str	r5, [r7, #100]
+	str	r5, [r7, #116]
 	eor	r6, fp, r6
-	ldr	r5, [r7, #100]
+	ldr	r5, [r7, #116]
 	add	r10, r10, r1
 	add	ip, r3, ip
 	vext.32	q8, q8, q8, #1
-	str	ip, [r7, #108]
+	str	ip, [r7, #124]
 	add	ip, r5, r8
-	ldr	r5, [r7, #88]
+	ldr	r5, [r7, #104]
 	eor	lr, r10, lr
 	ror	r6, r6, #24
 	vext.32	q1, q1, q1, #1
 	add	r8, r6, r5
 	vadd.i32	q9, q9, q8
-	ldr	r5, [r7, #108]
+	ldr	r5, [r7, #124]
 	vext.32	q3, q3, q3, #3
 	vadd.i32	q10, q10, q1
 	ror	lr, lr, #24
@@ -295,14 +311,14 @@ CRYPTO_chacha_20_neon:
 	add	r9, r9, lr
 	eors	r4, r4, r5
 	veor	q3, q9, q3
-	ldr	r5, [r7, #96]
+	ldr	r5, [r7, #112]
 	eor	r1, r9, r1
 	ror	r0, r0, #25
 	veor	q2, q10, q2
 	adds	r5, r0, r5
 	vext.32	q4, q4, q4, #2
-	str	r5, [r7, #96]
-	ldr	r5, [r7, #104]
+	str	r5, [r7, #112]
+	ldr	r5, [r7, #120]
 	ror	r1, r1, #25
 	vrev32.16	q3, q3
 	eor	r2, r8, r2
@@ -311,10 +327,10 @@ CRYPTO_chacha_20_neon:
 	vadd.i32	q4, q4, q3
 	ror	r4, r4, #25
 	vrev32.16	q2, q2
-	str	r5, [r7, #84]
+	str	r5, [r7, #100]
 	vadd.i32	q15, q15, q2
 	eors	r3, r3, r5
-	ldr	r5, [r7, #96]
+	ldr	r5, [r7, #112]
 	add	fp, fp, r4
 	veor	q8, q4, q8
 	ror	r2, r2, #25
@@ -322,174 +338,182 @@ CRYPTO_chacha_20_neon:
 	eor	lr, fp, lr
 	eors	r6, r6, r5
 	ror	r3, r3, #16
-	ldr	r5, [r7, #100]
+	ldr	r5, [r7, #116]
 	add	r10, r10, r2
-	str	r3, [r7, #104]
+	str	r3, [r7, #120]
 	ror	lr, lr, #16
-	ldr	r3, [r7, #104]
+	ldr	r3, [r7, #120]
 	eor	r5, r10, r5
 	vshl.i32	q5, q8, #12
 	add	ip, lr, ip
 	vshl.i32	q6, q1, #12
-	str	ip, [r7, #88]
+	str	ip, [r7, #104]
 	add	ip, r3, r8
-	str	ip, [r7, #100]
-	ldr	r3, [r7, #108]
+	str	ip, [r7, #116]
+	ldr	r3, [r7, #124]
 	ror	r5, r5, #16
 	vsri.32	q5, q8, #20
 	ror	r6, r6, #16
 	add	ip, r5, r3
-	ldr	r3, [r7, #88]
+	ldr	r3, [r7, #104]
 	vsri.32	q6, q1, #20
 	add	r9, r9, r6
 	eor	r2, ip, r2
 	eors	r4, r4, r3
-	ldr	r3, [r7, #100]
+	ldr	r3, [r7, #116]
 	eor	r0, r9, r0
 	vadd.i32	q9, q9, q5
 	ror	r4, r4, #20
 	eors	r1, r1, r3
 	vadd.i32	q10, q10, q6
 	ror	r3, r2, #20
-	str	r3, [r7, #92]
-	ldr	r3, [r7, #96]
+	str	r3, [r7, #108]
+	ldr	r3, [r7, #112]
 	veor	q3, q9, q3
 	ror	r0, r0, #20
 	add	r8, r4, fp
 	veor	q2, q10, q2
 	add	fp, r0, r3
-	ldr	r3, [r7, #84]
+	ldr	r3, [r7, #100]
 	ror	r1, r1, #20
 	mov	r2, r8
 	vshl.i32	q8, q3, #8
-	str	r8, [r7, #80]
+	str	r8, [r7, #96]
 	add	r8, r1, r3
-	ldr	r3, [r7, #92]
+	ldr	r3, [r7, #108]
 	vmov	q1, q6  @ v4si
 	vshl.i32	q6, q2, #8
 	eor	r6, fp, r6
 	add	r10, r10, r3
-	ldr	r3, [r7, #104]
+	ldr	r3, [r7, #120]
 	vsri.32	q8, q3, #24
 	eor	lr, r2, lr
 	eor	r3, r8, r3
 	ror	r2, r6, #24
 	vsri.32	q6, q2, #24
 	eor	r5, r10, r5
-	str	r2, [r7, #108]
+	str	r2, [r7, #124]
 	ror	r2, r3, #24
-	ldr	r3, [r7, #88]
+	ldr	r3, [r7, #104]
 	vmov	q3, q8  @ v4si
 	vadd.i32	q15, q15, q6
 	ror	lr, lr, #24
 	vadd.i32	q8, q4, q8
 	ror	r6, r5, #24
 	add	r5, lr, r3
-	ldr	r3, [r7, #108]
+	ldr	r3, [r7, #124]
 	veor	q4, q8, q5
 	add	ip, ip, r6
 	vmov	q2, q6  @ v4si
 	add	r9, r9, r3
 	veor	q6, q15, q1
-	ldr	r3, [r7, #100]
+	ldr	r3, [r7, #116]
 	vshl.i32	q1, q4, #7
-	str	r2, [r7, #96]
+	str	r2, [r7, #112]
 	add	r3, r3, r2
-	str	r3, [r7, #104]
+	str	r3, [r7, #120]
 	vshl.i32	q5, q6, #7
 	eors	r1, r1, r3
-	ldr	r3, [r7, #92]
+	ldr	r3, [r7, #108]
 	vsri.32	q1, q4, #25
 	eors	r4, r4, r5
 	eor	r0, r9, r0
 	eor	r2, ip, r3
 	vsri.32	q5, q6, #25
-	ldr	r3, [r7, #76]
+	ldr	r3, [r7, #92]
 	ror	r4, r4, #25
-	str	r6, [r7, #84]
+	str	r6, [r7, #100]
 	ror	r0, r0, #25
 	subs	r3, r3, #1
-	str	r5, [r7, #88]
+	str	r5, [r7, #104]
 	ror	r1, r1, #25
 	ror	r2, r2, #25
 	vext.32	q15, q15, q15, #2
-	str	r3, [r7, #76]
+	str	r3, [r7, #92]
 	vext.32	q2, q2, q2, #1
 	vext.32	q8, q8, q8, #2
 	vext.32	q3, q3, q3, #1
 	vext.32	q5, q5, q5, #3
 	vext.32	q1, q1, q1, #3
 	bne	.L3
-	ldr	r3, [r7, #68]
+	ldr	r3, [r7, #80]
 	vadd.i32	q4, q12, q10
-	str	r9, [r7, #100]
+	str	r9, [r7, #116]
 	mov	r9, r10
 	mov	r10, r8
-	ldr	r8, [r7, #80]
-	str	lr, [r7, #80]
+	ldr	r8, [r7, #96]
+	str	lr, [r7, #96]
 	mov	lr, r5
-	ldr	r5, [r7, #40]
+	ldr	r5, [r7, #56]
 	vadd.i32	q5, q13, q5
-	ldr	r6, [r7, #64]
+	ldr	r6, [r7, #76]
 	vadd.i32	q15, q14, q15
 	add	fp, fp, r5
-	ldr	r5, [r7, #36]
-	str	r4, [r7, #52]
+	ldr	r5, [r7, #52]
+	str	r4, [r7, #108]
 	vadd.i32	q7, q14, q8
-	ldr	r4, [r7, #96]
+	ldr	r4, [r7, #112]
 	add	r5, r10, r5
-	str	r3, [r7, #96]
+	str	r3, [r7, #112]
 	vadd.i32	q2, q11, q2
 	ldr	r3, [r6, #12]	@ unaligned
 	vadd.i32	q6, q12, q9
-	str	r0, [r7, #76]
+	str	r0, [r7, #92]
 	vadd.i32	q1, q13, q1
 	ldr	r0, [r6]	@ unaligned
 	vadd.i32	q11, q11, q0
-	str	r1, [r7, #92]
-	str	r2, [r7, #56]
+	str	r1, [r7, #40]
+	str	r2, [r7, #36]
 	vadd.i32	q3, q11, q3
 	ldr	r1, [r6, #4]	@ unaligned
 	vadd.i32	q11, q11, q0
 	ldr	r2, [r6, #8]	@ unaligned
-	str	r5, [r7, #88]
+	str	r5, [r7, #104]
 	vadd.i32	q11, q11, q0
-	ldr	r5, [r7, #96]
-	ldr	r10, [r7, #68]
+	ldr	r5, [r7, #112]
+	ldr	r10, [r7, #80]
 	stmia	r5!, {r0, r1, r2, r3}
 	mov	r5, r10
-	ldr	r2, [r7, #72]
-	ldr	r1, [r7, #32]
-	ldr	r3, [r7, #48]
-	vldr	d20, [r2, #80]
-	vldr	d21, [r2, #88]
-	add	r9, r9, r1
+	ldr	r0, [r7, #84]
+	ldr	r2, [r7, #48]
+	ldr	r3, [r7, #72]
+	vldr	d20, [r0, #80]
+	vldr	d21, [r0, #88]
+	add	r9, r9, r2
 	veor	q10, q10, q4
-	ldr	r1, [r7, #28]
-	add	r0, r8, r1
-	str	r0, [r7, #24]
-	vstr	d20, [r2, #80]
-	vstr	d21, [r2, #88]
-	adds	r0, r4, r3
-	str	r0, [r7, #20]
+	ldr	r2, [r7, #44]
+	adds	r1, r4, r3
+	str	r1, [r7, #28]
+	add	r2, r8, r2
+	str	r2, [r7, #32]
+	vstr	d20, [r0, #80]
+	vstr	d21, [r0, #88]
 	ldmia	r5!, {r0, r1, r2, r3}
-	mov	r5, r10
+	ldr	r4, [r7, #96]
+	ldr	r5, [r7, #64]
+	add	r4, r4, r5
+	ldr	r5, [r7, #124]
+	str	r4, [r7, #96]
 	ldr	r4, [r7, #60]
+	add	r5, r5, r4
+	ldr	r4, [r7, #88]
+	str	r5, [r7, #24]
+	mov	r5, r10
 	str	r0, [r4]	@ unaligned
-	mov	r4, r10
-	ldr	r0, [r7, #60]
-	str	r1, [r0, #4]	@ unaligned
+	mov	r0, r4
+	str	r1, [r4, #4]	@ unaligned
 	mov	r8, r0
 	str	r2, [r0, #8]	@ unaligned
+	mov	r4, r10
 	str	r3, [r0, #12]	@ unaligned
 	ldr	r0, [r6, #16]!	@ unaligned
 	ldr	r1, [r6, #4]	@ unaligned
 	ldr	r2, [r6, #8]	@ unaligned
 	ldr	r3, [r6, #12]	@ unaligned
-	ldr	r6, [r7, #64]
+	ldr	r6, [r7, #76]
 	stmia	r5!, {r0, r1, r2, r3}
 	mov	r5, r10
-	ldr	r3, [r7, #72]
+	ldr	r3, [r7, #84]
 	vldr	d20, [r3, #80]
 	vldr	d21, [r3, #88]
 	veor	q10, q10, q5
@@ -501,21 +525,22 @@ CRYPTO_chacha_20_neon:
 	str	r1, [r8, #20]	@ unaligned
 	str	r2, [r8, #24]	@ unaligned
 	str	r3, [r8, #28]	@ unaligned
+	mov	r8, r4
 	ldr	r0, [r6, #32]!	@ unaligned
+	str	r10, [r7, #124]
 	ldr	r1, [r6, #4]	@ unaligned
 	ldr	r2, [r6, #8]	@ unaligned
 	ldr	r3, [r6, #12]	@ unaligned
-	ldr	r6, [r7, #64]
+	ldr	r6, [r7, #76]
 	stmia	r5!, {r0, r1, r2, r3}
 	mov	r5, r10
-	ldr	r0, [r7, #72]
-	vldr	d16, [r0, #80]
-	vldr	d17, [r0, #88]
+	ldr	r2, [r7, #84]
+	vldr	d16, [r2, #80]
+	vldr	d17, [r2, #88]
 	veor	q15, q8, q15
-	vstr	d30, [r0, #80]
-	vstr	d31, [r0, #88]
+	vstr	d30, [r2, #80]
+	vstr	d31, [r2, #88]
 	ldmia	r10!, {r0, r1, r2, r3}
-	mov	r10, r5
 	str	r0, [r4, #32]	@ unaligned
 	str	r1, [r4, #36]	@ unaligned
 	str	r2, [r4, #40]	@ unaligned
@@ -524,17 +549,18 @@ CRYPTO_chacha_20_neon:
 	ldr	r1, [r6, #4]	@ unaligned
 	ldr	r2, [r6, #8]	@ unaligned
 	ldr	r3, [r6, #12]	@ unaligned
-	ldr	r6, [r7, #64]
+	ldr	r6, [r7, #76]
 	stmia	r5!, {r0, r1, r2, r3}
-	mov	r5, r10
-	ldr	r2, [r7, #72]
-	vldr	d18, [r2, #80]
-	vldr	d19, [r2, #88]
+	ldr	r1, [r7, #84]
+	vldr	d18, [r1, #80]
+	vldr	d19, [r1, #88]
 	veor	q9, q9, q2
-	vstr	d18, [r2, #80]
-	vstr	d19, [r2, #88]
+	vstr	d18, [r1, #80]
+	vstr	d19, [r1, #88]
+	ldr	r3, [r7, #112]
+	ldr	r5, [r7, #80]
+	mov	r10, r3
 	ldmia	r10!, {r0, r1, r2, r3}
-	mov	r10, r5
 	str	r0, [r4, #48]	@ unaligned
 	str	r1, [r4, #52]	@ unaligned
 	str	r2, [r4, #56]	@ unaligned
@@ -543,34 +569,38 @@ CRYPTO_chacha_20_neon:
 	ldr	r1, [r6, #4]	@ unaligned
 	ldr	r2, [r6, #8]	@ unaligned
 	ldr	r3, [r6, #12]	@ unaligned
-	ldr	r6, [r7, #64]
+	ldr	r6, [r7, #76]
 	stmia	r5!, {r0, r1, r2, r3}
-	mov	r5, r10
-	ldr	r2, [r7, #72]
-	vldr	d18, [r2, #80]
-	vldr	d19, [r2, #88]
+	ldr	r1, [r7, #84]
+	ldr	r3, [r7, #112]
+	ldr	r5, [r7, #80]
+	vldr	d18, [r1, #80]
+	vldr	d19, [r1, #88]
 	veor	q9, q9, q6
-	vstr	d18, [r2, #80]
-	vstr	d19, [r2, #88]
+	mov	r10, r3
+	str	r5, [r7, #20]
+	vstr	d18, [r1, #80]
+	vstr	d19, [r1, #88]
 	ldmia	r10!, {r0, r1, r2, r3}
-	mov	r10, r5
-	str	r0, [r4, #64]	@ unaligned
 	str	r1, [r4, #68]	@ unaligned
 	str	r2, [r4, #72]	@ unaligned
 	str	r3, [r4, #76]	@ unaligned
+	str	r0, [r4, #64]	@ unaligned
 	ldr	r0, [r6, #80]!	@ unaligned
 	ldr	r1, [r6, #4]	@ unaligned
 	ldr	r2, [r6, #8]	@ unaligned
 	ldr	r3, [r6, #12]	@ unaligned
-	ldr	r6, [r7, #64]
+	ldr	r6, [r7, #76]
 	stmia	r5!, {r0, r1, r2, r3}
-	mov	r5, r10
-	ldr	r2, [r7, #72]
-	vldr	d18, [r2, #80]
-	vldr	d19, [r2, #88]
+	ldr	r1, [r7, #84]
+	ldr	r3, [r7, #20]
+	ldr	r5, [r7, #80]
+	vldr	d18, [r1, #80]
+	vldr	d19, [r1, #88]
 	veor	q1, q9, q1
-	vstr	d2, [r2, #80]
-	vstr	d3, [r2, #88]
+	mov	r10, r3
+	vstr	d2, [r1, #80]
+	vstr	d3, [r1, #88]
 	ldmia	r10!, {r0, r1, r2, r3}
 	mov	r10, r5
 	str	r0, [r4, #80]	@ unaligned
@@ -581,17 +611,16 @@ CRYPTO_chacha_20_neon:
 	ldr	r1, [r6, #4]	@ unaligned
 	ldr	r2, [r6, #8]	@ unaligned
 	ldr	r3, [r6, #12]	@ unaligned
-	ldr	r6, [r7, #64]
+	ldr	r6, [r7, #76]
 	stmia	r5!, {r0, r1, r2, r3}
 	mov	r5, r10
-	ldr	r3, [r7, #72]
+	ldr	r3, [r7, #84]
 	vldr	d16, [r3, #80]
 	vldr	d17, [r3, #88]
 	veor	q8, q8, q7
 	vstr	d16, [r3, #80]
 	vstr	d17, [r3, #88]
 	ldmia	r10!, {r0, r1, r2, r3}
-	mov	r10, r5
 	str	r0, [r4, #96]	@ unaligned
 	str	r1, [r4, #100]	@ unaligned
 	str	r2, [r4, #104]	@ unaligned
@@ -600,140 +629,116 @@ CRYPTO_chacha_20_neon:
 	ldr	r1, [r6, #4]	@ unaligned
 	ldr	r2, [r6, #8]	@ unaligned
 	ldr	r3, [r6, #12]	@ unaligned
-	stmia	r5!, {r0, r1, r2, r3}
-	mov	r5, r10
-	ldr	r0, [r7, #72]
-	ldr	r6, [r7, #44]
-	vldr	d16, [r0, #80]
-	vldr	d17, [r0, #88]
+	mov	r6, r5
+	stmia	r6!, {r0, r1, r2, r3}
+	ldr	r3, [r7, #84]
+	vldr	d16, [r3, #80]
+	vldr	d17, [r3, #88]
 	veor	q8, q8, q3
-	vstr	d16, [r0, #80]
-	vstr	d17, [r0, #88]
+	vstr	d16, [r3, #80]
+	vstr	d17, [r3, #88]
 	ldmia	r5!, {r0, r1, r2, r3}
-	mov	r5, r4
-	mov	r8, r5
 	str	r1, [r4, #116]	@ unaligned
-	ldr	r1, [r7, #64]
+	ldr	r1, [r7, #76]
 	str	r0, [r4, #112]	@ unaligned
-	mov	r0, r5
 	str	r2, [r4, #120]	@ unaligned
 	str	r3, [r4, #124]	@ unaligned
 	ldr	r3, [r1, #128]
-	ldr	r2, [r7, #88]
+	ldr	r2, [r7, #104]
 	eor	r3, fp, r3
 	str	r3, [r4, #128]
 	ldr	r3, [r1, #132]
-	mov	r4, r1
-	mov	r1, r5
 	eors	r2, r2, r3
 	str	r2, [r8, #132]
-	ldr	r3, [r4, #136]
-	ldr	r2, [r7, #24]
+	ldr	r3, [r1, #136]
+	ldr	r5, [r7, #68]
+	ldr	r6, [r7, #32]
 	eor	r3, r9, r3
-	str	r3, [r5, #136]
-	ldr	r3, [r4, #140]
-	eors	r3, r3, r2
-	str	r3, [r5, #140]
-	mov	r5, r4
-	ldr	r3, [r6]
-	ldr	r2, [r4, #144]
-	ldr	r4, [r7, #52]
-	add	r4, r4, r3
-	eors	r2, r2, r4
-	mov	r4, r1
-	str	r2, [r1, #144]
-	ldr	r1, [r7, #76]
-	ldr	r2, [r6, #4]
-	ldr	r3, [r5, #148]
-	mov	r8, r1
-	add	r8, r8, r2
-	mov	r2, r8
-	eors	r3, r3, r2
-	str	r3, [r0, #148]
-	mov	r0, r4
-	ldr	r2, [r6, #8]
-	ldr	r1, [r7, #92]
-	ldr	r3, [r5, #152]
-	mov	r8, r1
-	add	r8, r8, r2
-	ldr	r1, [r7, #56]
-	mov	r2, r8
-	eors	r3, r3, r2
+	str	r3, [r4, #136]
+	ldr	r3, [r1, #140]
+	ldr	r0, [r7, #92]
+	eors	r3, r3, r6
+	ldr	r6, [r7, #108]
+	str	r3, [r4, #140]
+	ldr	r3, [r5]
+	ldr	r2, [r1, #144]
+	add	r6, r6, r3
+	eors	r2, r2, r6
+	str	r2, [r4, #144]
+	ldr	r2, [r5, #4]
+	ldr	r3, [r1, #148]
+	add	r0, r0, r2
+	ldr	r6, [r7, #36]
+	eors	r3, r3, r0
+	ldr	r0, [r7, #40]
+	str	r3, [r4, #148]
+	ldr	r2, [r5, #8]
+	ldr	r3, [r1, #152]
+	add	r0, r0, r2
+	eors	r3, r3, r0
 	str	r3, [r4, #152]
-	mov	r8, r6
-	ldr	r2, [r6, #12]
-	mov	r4, r5
-	ldr	r3, [r5, #156]
-	add	r1, r1, r2
-	eors	r3, r3, r1
-	str	r3, [r0, #156]
-	ldr	r2, [r6, #16]
+	ldr	r2, [r5, #12]
+	mov	r0, r4
+	ldr	r3, [r1, #156]
+	mov	r4, r1
+	add	r6, r6, r2
 	mov	r1, r0
-	ldr	r3, [r5, #160]
+	eors	r3, r3, r6
+	str	r3, [r0, #156]
+	ldr	r2, [r5, #16]
+	ldr	r3, [r4, #160]
 	add	ip, ip, r2
 	eor	r3, ip, r3
-	str	r3, [r0, #160]
-	ldr	r2, [r6, #20]
-	mov	ip, r0
-	ldr	r3, [r5, #164]
+	str	r3, [r1, #160]
+	ldr	r2, [r5, #20]
+	ldr	r3, [r4, #164]
 	add	lr, lr, r2
-	ldr	r2, [r7, #100]
+	ldr	r2, [r7, #116]
 	eor	r3, lr, r3
 	str	r3, [r1, #164]
-	ldr	r6, [r6, #24]
+	ldr	r6, [r5, #24]
+	mov	lr, r4
 	ldr	r3, [r4, #168]
 	add	r2, r2, r6
+	mov	r6, r4
 	eors	r3, r3, r2
-	ldr	r2, [r7, #104]
-	str	r3, [r0, #168]
-	ldr	r5, [r8, #28]
+	str	r3, [r1, #168]
+	ldr	r5, [r5, #28]
+	mov	r2, r1
 	ldr	r3, [r4, #172]
-	add	r2, r2, r5
-	mov	r5, r4
-	eors	r3, r3, r2
-	mov	r2, r0
-	str	r3, [r0, #172]
-	ldr	r3, [r7, #48]
+	ldr	r0, [r7, #120]
+	add	r0, r0, r5
+	ldr	r5, [r7, #24]
+	eors	r3, r3, r0
+	str	r3, [r1, #172]
+	ldr	r3, [r7, #72]
 	ldr	r4, [r4, #176]
-	ldr	r0, [r7, #20]
+	ldr	r1, [r7, #28]
+	eors	r4, r4, r1
 	adds	r1, r3, #3
-	ldr	r3, [r7, #84]
-	eors	r4, r4, r0
 	str	r4, [r2, #176]
-	ldr	r0, [r5, #180]
-	mov	r4, r2
-	str	r1, [r7, #48]
+	ldr	r3, [r7, #100]
+	ldr	r0, [lr, #180]
+	str	r1, [r7, #72]
 	eors	r3, r3, r0
 	mov	r0, r3
-	ldr	r3, [r7, #232]
+	mov	r3, r2
 	str	r0, [r2, #180]
-	ldr	r1, [r3]
-	ldr	r3, [r5, #184]
-	ldr	r2, [r7, #80]
-	add	r2, r2, r1
-	mov	r1, r5
-	eors	r3, r3, r2
-	str	r3, [ip, #184]
-	ldr	r3, [r7, #232]
+	adds	r3, r3, #192
+	ldr	r1, [lr, #184]
+	ldr	r2, [r7, #96]
+	eors	r1, r1, r2
+	str	r1, [r3, #-8]
+	ldr	r2, [lr, #188]
+	mov	r1, r6
 	adds	r1, r1, #192
-	str	r1, [r7, #64]
-	ldr	r1, [r7, #108]
-	ldr	r2, [r3, #4]
-	ldr	r3, [r5, #188]
-	add	r1, r1, r2
-	mov	r2, r1
-	eors	r2, r2, r3
-	str	r2, [ip, #188]
-	mov	r3, r4
+	str	r1, [r7, #76]
+	eors	r2, r2, r5
+	str	r2, [r3, #-4]
 	ldr	r2, [r7, #16]
-	adds	r3, r3, #192
-	str	r3, [r7, #60]
+	str	r3, [r7, #88]
 	cmp	r2, r3
-	beq	.L85
-	ldr	r3, [r7, #232]
-	ldmia	r3, {r1, r2}
-	b	.L4
-.L85:
+	bne	.L4
 	ldr	r3, [r7, #12]
 	ldr	r2, [r7, #4]
 	add	r3, r3, r2
@@ -749,16 +754,14 @@ CRYPTO_chacha_20_neon:
 	rsb	fp, fp, r1
 	lsrs	fp, fp, #6
 	beq	.L6
-	ldr	r6, [r7, #72]
 	ldr	r5, [r7, #12]
 	ldr	r4, [r7, #16]
-	mov	r3, r6
-	adds	r3, r3, #80
-	vldr	d30, .L95
-	vldr	d31, .L95+8
-	mov	lr, r3
-	str	fp, [r7, #104]
-	str	fp, [r7, #108]
+	ldr	r6, [r7, #84]
+	ldr	lr, [r7, #80]
+	vldr	d30, .L94
+	vldr	d31, .L94+8
+	str	fp, [r7, #120]
+	str	fp, [r7, #124]
 .L8:
 	vmov	q2, q11  @ v4si
 	movs	r3, #10
@@ -883,22 +886,22 @@ CRYPTO_chacha_20_neon:
 	str	r0, [r4, #-16]	@ unaligned
 	str	r1, [r4, #-12]	@ unaligned
 	str	r3, [r10, #12]	@ unaligned
-	ldr	r3, [r7, #108]
+	ldr	r3, [r7, #124]
 	str	r2, [r10, #8]	@ unaligned
 	cmp	r3, #1
-	beq	.L88
+	beq	.L87
 	movs	r3, #1
-	str	r3, [r7, #108]
+	str	r3, [r7, #124]
 	b	.L8
-.L96:
-	.align	3
 .L95:
+	.align	3
+.L94:
 	.word	1
 	.word	0
 	.word	0
 	.word	0
-.L88:
-	ldr	fp, [r7, #104]
+.L87:
+	ldr	fp, [r7, #120]
 	ldr	r3, [r7, #12]
 	lsl	fp, fp, #6
 	add	r3, r3, fp
@@ -958,9 +961,9 @@ CRYPTO_chacha_20_neon:
 	bne	.L10
 	cmp	r5, #15
 	mov	r9, r5
-	bhi	.L89
+	bhi	.L88
 	vadd.i32	q12, q12, q10
-	ldr	r3, [r7, #72]
+	ldr	r3, [r7, #84]
 	vst1.64	{d24-d25}, [r3:128]
 .L14:
 	ldr	r3, [r7, #8]
@@ -997,7 +1000,7 @@ CRYPTO_chacha_20_neon:
 	movcs	r1, ip
 	cmp	r1, #0
 	beq	.L17
-	ldr	r5, [r7, #72]
+	ldr	r5, [r7, #84]
 	cmp	r1, #1
 	ldrb	r0, [r0]	@ zero_extendqisi2
 	add	r3, r2, #1
@@ -1132,7 +1135,7 @@ CRYPTO_chacha_20_neon:
 	ldr	r5, [r7, #16]
 	cmp	r6, #1
 	add	r0, r1, r2
-	ldr	r1, [r7, #72]
+	ldr	r1, [r7, #84]
 	add	r1, r1, r2
 	vld1.64	{d18-d19}, [r0:64]
 	add	r2, r2, r5
@@ -1170,7 +1173,7 @@ CRYPTO_chacha_20_neon:
 	add	r3, r3, lr
 	beq	.L1
 .L19:
-	ldr	r4, [r7, #72]
+	ldr	r4, [r7, #84]
 	adds	r2, r3, #1
 	ldr	r1, [r7, #12]
 	cmp	r2, r9
@@ -1285,7 +1288,7 @@ CRYPTO_chacha_20_neon:
 	eor	r1, r1, r0
 	strb	r1, [r5, r2]
 	bls	.L1
-	ldr	r2, [r7, #72]
+	ldr	r2, [r7, #84]
 	ldrb	r1, [r2, r3]	@ zero_extendqisi2
 	ldr	r2, [r7, #12]
 	ldrb	r2, [r2, r3]	@ zero_extendqisi2
@@ -1293,26 +1296,23 @@ CRYPTO_chacha_20_neon:
 	ldr	r1, [r7, #16]
 	strb	r2, [r1, r3]
 .L1:
-	adds	r7, r7, #132
+	adds	r7, r7, #156
 	mov	sp, r7
 	@ sp needed
 	vldm	sp!, {d8-d15}
 	pop	{r4, r5, r6, r7, r8, r9, r10, fp, pc}
-.L89:
-	ldr	r4, [r7, #12]
+.L88:
+	ldr	r5, [r7, #12]
 	vadd.i32	q12, q12, q10
-	ldr	r5, [r7, #72]
+	ldr	r4, [r7, #80]
 	cmp	r9, #31
-	ldr	r0, [r4]	@ unaligned
-	add	r6, r5, #80
-	ldr	r1, [r4, #4]	@ unaligned
-	ldr	r2, [r4, #8]	@ unaligned
-	mov	r5, r6
-	ldr	r3, [r4, #12]	@ unaligned
-	mov	r4, r6
-	str	r6, [r7, #68]
+	ldr	r0, [r5]	@ unaligned
+	ldr	r1, [r5, #4]	@ unaligned
+	mov	r6, r4
+	ldr	r2, [r5, #8]	@ unaligned
+	ldr	r3, [r5, #12]	@ unaligned
 	stmia	r6!, {r0, r1, r2, r3}
-	ldr	r2, [r7, #72]
+	ldr	r2, [r7, #84]
 	ldr	r6, [r7, #16]
 	vldr	d18, [r2, #80]
 	vldr	d19, [r2, #88]
@@ -1325,9 +1325,9 @@ CRYPTO_chacha_20_neon:
 	str	r0, [r6]	@ unaligned
 	str	r2, [r6, #8]	@ unaligned
 	str	r3, [r6, #12]	@ unaligned
-	bhi	.L90
+	bhi	.L89
 	vadd.i32	q13, q13, q15
-	ldr	r3, [r7, #72]
+	ldr	r3, [r7, #84]
 	vstr	d26, [r3, #16]
 	vstr	d27, [r3, #24]
 	b	.L14
@@ -1336,7 +1336,7 @@ CRYPTO_chacha_20_neon:
 	ldr	r2, [r7, #12]
 	add	r2, r2, r9
 	mov	r5, r2
-	ldr	r2, [r7, #72]
+	ldr	r2, [r7, #84]
 	add	r2, r2, r3
 	mov	r3, r2
 .L24:
@@ -1346,7 +1346,7 @@ CRYPTO_chacha_20_neon:
 	eor	r2, r2, r1
 	strb	r2, [r4], #1
 	bne	.L24
-	adds	r7, r7, #132
+	adds	r7, r7, #156
 	mov	sp, r7
 	@ sp needed
 	vldm	sp!, {d8-d15}
@@ -1354,20 +1354,20 @@ CRYPTO_chacha_20_neon:
 .L26:
 	str	fp, [r7, #16]
 	b	.L2
-.L90:
-	ldr	r3, [r7, #12]
+.L89:
+	mov	r3, r5
+	ldr	r4, [r7, #80]
+	ldr	r0, [r3, #16]!	@ unaligned
 	add	lr, r1, #16
-	mov	r4, r5
-	mov	r6, r5
 	mov	r5, r1
 	vadd.i32	q13, q13, q15
-	ldr	r0, [r3, #16]!	@ unaligned
+	mov	r6, r4
 	cmp	r9, #47
 	ldr	r1, [r3, #4]	@ unaligned
 	ldr	r2, [r3, #8]	@ unaligned
 	ldr	r3, [r3, #12]	@ unaligned
 	stmia	r6!, {r0, r1, r2, r3}
-	ldr	r2, [r7, #72]
+	ldr	r2, [r7, #84]
 	vldr	d18, [r2, #80]
 	vldr	d19, [r2, #88]
 	veor	q13, q9, q13
@@ -1378,18 +1378,18 @@ CRYPTO_chacha_20_neon:
 	str	r1, [lr, #4]	@ unaligned
 	str	r2, [lr, #8]	@ unaligned
 	str	r3, [lr, #12]	@ unaligned
-	bhi	.L91
+	bhi	.L90
 	vadd.i32	q8, q14, q8
-	ldr	r3, [r7, #72]
+	ldr	r3, [r7, #84]
 	vstr	d16, [r3, #32]
 	vstr	d17, [r3, #40]
 	b	.L14
-.L91:
+.L90:
 	ldr	r3, [r7, #12]
 	add	lr, r5, #32
-	ldr	r4, [r7, #68]
+	ldr	r4, [r7, #80]
 	vadd.i32	q8, q14, q8
-	ldr	r5, [r7, #72]
+	ldr	r5, [r7, #84]
 	vadd.i32	q11, q11, q3
 	ldr	r0, [r3, #32]!	@ unaligned
 	mov	r6, r4
diff --git a/src/crypto/chacha/chacha_vec_arm_generate.go b/src/crypto/chacha/chacha_vec_arm_generate.go
new file mode 100644
index 0000000..d681e8a
--- /dev/null
+++ b/src/crypto/chacha/chacha_vec_arm_generate.go
@@ -0,0 +1,148 @@
+// Copyright (c) 2014, Google Inc.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+// This package generates chacha_vec_arm.S from chacha_vec.c.
+package main
+
+import (
+	"bufio"
+	"bytes"
+	"os"
+	"os/exec"
+	"strings"
+)
+
+const defaultCompiler = "/opt/gcc-linaro-4.9-2014.11-x86_64_arm-linux-gnueabihf/bin/arm-linux-gnueabihf-gcc"
+
+func main() {
+	compiler := defaultCompiler
+	if len(os.Args) > 1 {
+		compiler = os.Args[1]
+	}
+
+	args := []string{
+		"-O3",
+		"-mcpu=cortex-a8",
+		"-mfpu=neon",
+		"-fpic",
+		"-DASM_GEN",
+		"-I", "../../include",
+		"-S", "chacha_vec.c",
+		"-o", "-",
+	}
+
+	output, err := os.OpenFile("chacha_vec_arm.S", os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0644)
+	if err != nil {
+		panic(err)
+	}
+	defer output.Close()
+
+	output.WriteString(preamble)
+	output.WriteString(compiler)
+	output.WriteString(" ")
+	output.WriteString(strings.Join(args, " "))
+	output.WriteString("\n\n#if !defined(OPENSSL_NO_ASM)\n\n")
+
+	cmd := exec.Command(compiler, args...)
+	cmd.Stderr = os.Stderr
+	asm, err := cmd.StdoutPipe()
+	if err != nil {
+		panic(err)
+	}
+	if err := cmd.Start(); err != nil {
+		panic(err)
+	}
+
+	attr28 := []byte(".eabi_attribute 28,")
+	globalDirective := []byte(".global\t")
+	newLine := []byte("\n")
+	attr28Handled := false
+
+	scanner := bufio.NewScanner(asm)
+	for scanner.Scan() {
+		line := scanner.Bytes()
+
+		if bytes.Contains(line, attr28) {
+			output.WriteString(attr28Block)
+			attr28Handled = true
+			continue
+		}
+
+		output.Write(line)
+		output.Write(newLine)
+
+		if i := bytes.Index(line, globalDirective); i >= 0 {
+			output.Write(line[:i])
+			output.WriteString(".hidden\t")
+			output.Write(line[i+len(globalDirective):])
+			output.Write(newLine)
+		}
+	}
+
+	if err := scanner.Err(); err != nil {
+		panic(err)
+	}
+
+	if !attr28Handled {
+		panic("EABI attribute 28 not seen in processing")
+	}
+
+	if err := cmd.Wait(); err != nil {
+		panic(err)
+	}
+
+	output.WriteString(trailer)
+}
+
+const preamble = `# Copyright (c) 2014, Google Inc.
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+# SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+# OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+# CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+# This file contains a pre-compiled version of chacha_vec.c for ARM. This is
+# needed to support switching on NEON code at runtime. If the whole of OpenSSL
+# were to be compiled with the needed flags to build chacha_vec.c, then it
+# wouldn't be possible to run on non-NEON systems.
+#
+# This file was generated by chacha_vec_arm_generate.go using the following
+# compiler command:
+#
+#     `
+
+const attr28Block = `
+# EABI attribute 28 sets whether VFP register arguments were used to build this
+# file. If object files are inconsistent on this point, the linker will refuse
+# to link them. Thus we report whatever the compiler expects since we don't use
+# VFP arguments.
+
+#if defined(__ARM_PCS_VFP)
+	.eabi_attribute 28, 1
+#else
+	.eabi_attribute 28, 0
+#endif
+
+`
+
+const trailer = `
+#endif  /* !OPENSSL_NO_ASM */
+`
diff --git a/src/crypto/cipher/CMakeLists.txt b/src/crypto/cipher/CMakeLists.txt
index bb62b72..f428e25 100644
--- a/src/crypto/cipher/CMakeLists.txt
+++ b/src/crypto/cipher/CMakeLists.txt
@@ -6,7 +6,6 @@ add_library(
   OBJECT
 
   cipher.c
-  cipher_error.c
   derive_key.c
   aead.c
 
@@ -31,7 +30,8 @@ add_executable(
 add_executable(
   aead_test
 
-  aead_test.c
+  aead_test.cc
+  $<TARGET_OBJECTS:test_support>
 )
 
 target_link_libraries(cipher_test crypto)
diff --git a/src/crypto/cipher/aead.c b/src/crypto/cipher/aead.c
index 263e398..20d699d 100644
--- a/src/crypto/cipher/aead.c
+++ b/src/crypto/cipher/aead.c
@@ -33,12 +33,40 @@ size_t EVP_AEAD_max_tag_len(const EVP_AEAD *aead) { return aead->max_tag_len; }
 int EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,
                       const uint8_t *key, size_t key_len, size_t tag_len,
                       ENGINE *impl) {
-  ctx->aead = aead;
+  if (!aead->init) {
+    OPENSSL_PUT_ERROR(CIPHER, EVP_AEAD_CTX_init, CIPHER_R_NO_DIRECTION_SET);
+    ctx->aead = NULL;
+    return 0;
+  }
+  return EVP_AEAD_CTX_init_with_direction(ctx, aead, key, key_len, tag_len,
+                                          evp_aead_open);
+}
+
+int EVP_AEAD_CTX_init_with_direction(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,
+                                     const uint8_t *key, size_t key_len,
+                                     size_t tag_len,
+                                     enum evp_aead_direction_t dir) {
   if (key_len != aead->key_len) {
-    OPENSSL_PUT_ERROR(CIPHER, EVP_AEAD_CTX_init, CIPHER_R_UNSUPPORTED_KEY_SIZE);
+    OPENSSL_PUT_ERROR(CIPHER, EVP_AEAD_CTX_init_with_direction,
+                      CIPHER_R_UNSUPPORTED_KEY_SIZE);
+    ctx->aead = NULL;
     return 0;
   }
-  return aead->init(ctx, key, key_len, tag_len);
+
+  ctx->aead = aead;
+
+  int ok;
+  if (aead->init) {
+    ok = aead->init(ctx, key, key_len, tag_len);
+  } else {
+    ok = aead->init_with_direction(ctx, key, key_len, tag_len, dir);
+  }
+
+  if (!ok) {
+    ctx->aead = NULL;
+  }
+
+  return ok;
 }
 
 void EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx) {
@@ -117,3 +145,11 @@ error:
   *out_len = 0;
   return 0;
 }
+
+int EVP_AEAD_CTX_get_rc4_state(const EVP_AEAD_CTX *ctx, const RC4_KEY **out_key) {
+  if (ctx->aead->get_rc4_state == NULL) {
+    return 0;
+  }
+
+  return ctx->aead->get_rc4_state(ctx, out_key);
+}
diff --git a/src/crypto/cipher/aead_test.c b/src/crypto/cipher/aead_test.c
deleted file mode 100644
index 310c90c..0000000
--- a/src/crypto/cipher/aead_test.c
+++ /dev/null
@@ -1,387 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <stdint.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <openssl/aead.h>
-#include <openssl/bio.h>
-#include <openssl/crypto.h>
-#include <openssl/err.h>
-
-/* This program tests an AEAD against a series of test vectors from a file. The
- * test vector file consists of key-value lines where the key and value are
- * separated by a colon and optional whitespace. The keys are listed in
- * |NAMES|, below. The values are hex-encoded data.
- *
- * After a number of key-value lines, a blank line or EOF indicates the end of
- * the test case.
- *
- * For example, here's a valid test case:
- *
- *   KEY: 5a19f3173586b4c42f8412f4d5a786531b3231753e9e00998aec12fda8df10e4
- *   NONCE: 978105dfce667bf4
- *   IN: 6a4583908d
- *   AD: b654574932
- *   CT: 5294265a60
- *   TAG: 1d45758621762e061368e68868e2f929
- */
-
-#define BUF_MAX 512
-
-/* These are the different types of line that are found in the input file. */
-enum {
-  KEY = 0, /* hex encoded key. */
-  NONCE,   /* hex encoded nonce. */
-  IN,      /* hex encoded plaintext. */
-  AD,      /* hex encoded additional data. */
-  CT,      /* hex encoded ciphertext (not including the authenticator,
-              which is next). */
-  TAG,     /* hex encoded authenticator. */
-  NO_SEAL, /* non-zero length if seal(IN) is not expected to be CT+TAG,
-              however open(CT+TAG) should still be IN. */
-  FAILS,   /* non-zero length if open(CT+TAG) is expected to fail. */
-  NUM_TYPES,
-};
-
-static const char NAMES[8][NUM_TYPES] = {
-  "KEY", "NONCE", "IN", "AD", "CT", "TAG", "NO_SEAL", "FAILS",
-};
-
-static unsigned char hex_digit(char h) {
-  if (h >= '0' && h <= '9') {
-    return h - '0';
-  } else if (h >= 'a' && h <= 'f') {
-    return h - 'a' + 10;
-  } else if (h >= 'A' && h <= 'F') {
-    return h - 'A' + 10;
-  } else {
-    return 16;
-  }
-}
-
-static int run_test_case(const EVP_AEAD *aead,
-                         uint8_t bufs[NUM_TYPES][BUF_MAX],
-                         const unsigned int lengths[NUM_TYPES],
-                         unsigned int line_no) {
-  EVP_AEAD_CTX ctx;
-  size_t ciphertext_len, plaintext_len;
-  uint8_t out[BUF_MAX + EVP_AEAD_MAX_OVERHEAD + 1];
-  /* Note: When calling |EVP_AEAD_CTX_open|, the "stateful" AEADs require
-   * |max_out| be at least |in_len| despite the final output always being
-   * smaller by at least tag length. */
-  uint8_t out2[sizeof(out)];
-
-  if (!EVP_AEAD_CTX_init(&ctx, aead, bufs[KEY], lengths[KEY], lengths[TAG],
-                         NULL)) {
-    fprintf(stderr, "Failed to init AEAD on line %u\n", line_no);
-    return 0;
-  }
-
-  if (!lengths[NO_SEAL]) {
-    if (!EVP_AEAD_CTX_seal(&ctx, out, &ciphertext_len, sizeof(out), bufs[NONCE],
-                           lengths[NONCE], bufs[IN], lengths[IN], bufs[AD],
-                           lengths[AD])) {
-      fprintf(stderr, "Failed to run AEAD on line %u\n", line_no);
-      return 0;
-    }
-
-    if (ciphertext_len != lengths[CT] + lengths[TAG]) {
-      fprintf(stderr, "Bad output length on line %u: %u vs %u\n", line_no,
-              (unsigned)ciphertext_len, (unsigned)(lengths[CT] + lengths[TAG]));
-      return 0;
-    }
-
-    if (memcmp(out, bufs[CT], lengths[CT]) != 0) {
-      fprintf(stderr, "Bad output on line %u\n", line_no);
-      return 0;
-    }
-
-    if (memcmp(out + lengths[CT], bufs[TAG], lengths[TAG]) != 0) {
-      fprintf(stderr, "Bad tag on line %u\n", line_no);
-      return 0;
-    }
-  } else {
-    memcpy(out, bufs[CT], lengths[CT]);
-    memcpy(out + lengths[CT], bufs[TAG], lengths[TAG]);
-    ciphertext_len = lengths[CT] + lengths[TAG];
-  }
-
-  /* The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
-   * reset after each operation. */
-  EVP_AEAD_CTX_cleanup(&ctx);
-  if (!EVP_AEAD_CTX_init(&ctx, aead, bufs[KEY], lengths[KEY], lengths[TAG],
-                         NULL)) {
-    fprintf(stderr, "Failed to init AEAD on line %u\n", line_no);
-    return 0;
-  }
-
-  int ret = EVP_AEAD_CTX_open(&ctx, out2, &plaintext_len, sizeof(out2),
-                              bufs[NONCE], lengths[NONCE], out, ciphertext_len,
-                              bufs[AD], lengths[AD]);
-  if (lengths[FAILS]) {
-    if (ret) {
-      fprintf(stderr, "Decrypted bad data on line %u\n", line_no);
-      return 0;
-    }
-    ERR_clear_error();
-  } else {
-    if (!ret) {
-      fprintf(stderr, "Failed to decrypt on line %u\n", line_no);
-      return 0;
-    }
-
-    if (plaintext_len != lengths[IN]) {
-      fprintf(stderr, "Bad decrypt on line %u: %u\n", line_no,
-              (unsigned)ciphertext_len);
-      return 0;
-    }
-
-    /* The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
-     * reset after each operation. */
-    EVP_AEAD_CTX_cleanup(&ctx);
-    if (!EVP_AEAD_CTX_init(&ctx, aead, bufs[KEY], lengths[KEY], lengths[TAG],
-                           NULL)) {
-      fprintf(stderr, "Failed to init AEAD on line %u\n", line_no);
-      return 0;
-    }
-
-    /* Garbage at the end isn't ignored. */
-    out[ciphertext_len] = 0;
-    if (EVP_AEAD_CTX_open(&ctx, out2, &plaintext_len, sizeof(out2),
-                          bufs[NONCE], lengths[NONCE], out, ciphertext_len + 1,
-                          bufs[AD], lengths[AD])) {
-      fprintf(stderr, "Decrypted bad data on line %u\n", line_no);
-      return 0;
-    }
-    ERR_clear_error();
-
-    /* The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
-     * reset after each operation. */
-    EVP_AEAD_CTX_cleanup(&ctx);
-    if (!EVP_AEAD_CTX_init(&ctx, aead, bufs[KEY], lengths[KEY], lengths[TAG],
-                           NULL)) {
-      fprintf(stderr, "Failed to init AEAD on line %u\n", line_no);
-      return 0;
-    }
-
-    /* Verify integrity is checked. */
-    out[0] ^= 0x80;
-    if (EVP_AEAD_CTX_open(&ctx, out2, &plaintext_len, sizeof(out2), bufs[NONCE],
-                          lengths[NONCE], out, ciphertext_len, bufs[AD],
-                          lengths[AD])) {
-      fprintf(stderr, "Decrypted bad data on line %u\n", line_no);
-      return 0;
-    }
-    ERR_clear_error();
-  }
-
-  EVP_AEAD_CTX_cleanup(&ctx);
-  return 1;
-}
-
-int main(int argc, char **argv) {
-  FILE *f;
-  const EVP_AEAD *aead = NULL;
-  unsigned int line_no = 0, num_tests = 0, j;
-
-  unsigned char bufs[NUM_TYPES][BUF_MAX];
-  unsigned int lengths[NUM_TYPES];
-
-  CRYPTO_library_init();
-  ERR_load_crypto_strings();
-
-  if (argc != 3) {
-    fprintf(stderr, "%s <aead> <test file.txt>\n", argv[0]);
-    return 1;
-  }
-
-  if (strcmp(argv[1], "aes-128-gcm") == 0) {
-    aead = EVP_aead_aes_128_gcm();
-  } else if (strcmp(argv[1], "aes-256-gcm") == 0) {
-    aead = EVP_aead_aes_256_gcm();
-  } else if (strcmp(argv[1], "chacha20-poly1305") == 0) {
-    aead = EVP_aead_chacha20_poly1305();
-  } else if (strcmp(argv[1], "rc4-md5-tls") == 0) {
-    aead = EVP_aead_rc4_md5_tls();
-  } else if (strcmp(argv[1], "rc4-sha1-tls") == 0) {
-    aead = EVP_aead_rc4_sha1_tls();
-  } else if (strcmp(argv[1], "aes-128-cbc-sha1-tls") == 0) {
-    aead = EVP_aead_aes_128_cbc_sha1_tls();
-  } else if (strcmp(argv[1], "aes-128-cbc-sha1-tls-implicit-iv") == 0) {
-    aead = EVP_aead_aes_128_cbc_sha1_tls_implicit_iv();
-  } else if (strcmp(argv[1], "aes-128-cbc-sha256-tls") == 0) {
-    aead = EVP_aead_aes_128_cbc_sha256_tls();
-  } else if (strcmp(argv[1], "aes-256-cbc-sha1-tls") == 0) {
-    aead = EVP_aead_aes_256_cbc_sha1_tls();
-  } else if (strcmp(argv[1], "aes-256-cbc-sha1-tls-implicit-iv") == 0) {
-    aead = EVP_aead_aes_256_cbc_sha1_tls_implicit_iv();
-  } else if (strcmp(argv[1], "aes-256-cbc-sha256-tls") == 0) {
-    aead = EVP_aead_aes_256_cbc_sha256_tls();
-  } else if (strcmp(argv[1], "aes-256-cbc-sha384-tls") == 0) {
-    aead = EVP_aead_aes_256_cbc_sha384_tls();
-  } else if (strcmp(argv[1], "des-ede3-cbc-sha1-tls") == 0) {
-    aead = EVP_aead_des_ede3_cbc_sha1_tls();
-  } else if (strcmp(argv[1], "des-ede3-cbc-sha1-tls-implicit-iv") == 0) {
-    aead = EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv();
-  } else if (strcmp(argv[1], "rc4-md5-ssl3") == 0) {
-    aead = EVP_aead_rc4_md5_ssl3();
-  } else if (strcmp(argv[1], "rc4-sha1-ssl3") == 0) {
-    aead = EVP_aead_rc4_sha1_ssl3();
-  } else if (strcmp(argv[1], "aes-128-cbc-sha1-ssl3") == 0) {
-    aead = EVP_aead_aes_128_cbc_sha1_ssl3();
-  } else if (strcmp(argv[1], "aes-256-cbc-sha1-ssl3") == 0) {
-    aead = EVP_aead_aes_256_cbc_sha1_ssl3();
-  } else if (strcmp(argv[1], "des-ede3-cbc-sha1-ssl3") == 0) {
-    aead = EVP_aead_des_ede3_cbc_sha1_ssl3();
-  } else if (strcmp(argv[1], "aes-128-key-wrap") == 0) {
-    aead = EVP_aead_aes_128_key_wrap();
-  } else if (strcmp(argv[1], "aes-256-key-wrap") == 0) {
-    aead = EVP_aead_aes_256_key_wrap();
-  } else {
-    fprintf(stderr, "Unknown AEAD: %s\n", argv[1]);
-    return 2;
-  }
-
-  f = fopen(argv[2], "r");
-  if (f == NULL) {
-    perror("failed to open input");
-    return 1;
-  }
-
-  for (j = 0; j < NUM_TYPES; j++) {
-    lengths[j] = 0;
-  }
-
-  for (;;) {
-    char line[4096];
-    unsigned int i, type_len = 0;
-
-    unsigned char *buf = NULL;
-    unsigned int *buf_len = NULL;
-
-    if (!fgets(line, sizeof(line), f)) {
-      line[0] = 0;
-    }
-
-    line_no++;
-    if (line[0] == '#') {
-      continue;
-    }
-
-    if (line[0] == '\n' || line[0] == 0) {
-      /* Run a test, if possible. */
-      char any_values_set = 0;
-      for (j = 0; j < NUM_TYPES; j++) {
-        if (lengths[j] != 0) {
-          any_values_set = 1;
-          break;
-        }
-      }
-
-      if (any_values_set) {
-        if (!run_test_case(aead, bufs, lengths, line_no)) {
-          BIO_print_errors_fp(stderr);
-          return 4;
-        }
-
-        for (j = 0; j < NUM_TYPES; j++) {
-          lengths[j] = 0;
-        }
-
-        num_tests++;
-      }
-
-      if (line[0] == 0) {
-        break;
-      }
-      continue;
-    }
-
-    /* Each line looks like:
-     *   TYPE: 0123abc
-     * Where "TYPE" is the type of the data on the line,
-     * e.g. "KEY". */
-    for (i = 0; line[i] != 0 && line[i] != '\n'; i++) {
-      if (line[i] == ':') {
-        type_len = i;
-        break;
-      }
-    }
-    i++;
-
-    if (type_len == 0) {
-      fprintf(stderr, "Parse error on line %u\n", line_no);
-      return 3;
-    }
-
-    /* After the colon, there's optional whitespace. */
-    for (; line[i] != 0 && line[i] != '\n'; i++) {
-      if (line[i] != ' ' && line[i] != '\t') {
-        break;
-      }
-    }
-
-    line[type_len] = 0;
-    for (j = 0; j < NUM_TYPES; j++) {
-      if (strcmp(line, NAMES[j]) != 0) {
-        continue;
-      }
-      if (lengths[j] != 0) {
-        fprintf(stderr, "Duplicate value on line %u\n", line_no);
-        return 3;
-      }
-      buf = bufs[j];
-      buf_len = &lengths[j];
-    }
-
-    if (buf == NULL) {
-      fprintf(stderr, "Unknown line type on line %u\n", line_no);
-      return 3;
-    }
-
-    j = 0;
-    for (; line[i] != 0 && line[i] != '\n'; i++) {
-      unsigned char v, v2;
-      v = hex_digit(line[i++]);
-      if (line[i] == 0 || line[i] == '\n') {
-        fprintf(stderr, "Odd-length hex data on line %u\n", line_no);
-        return 3;
-      }
-      v2 = hex_digit(line[i]);
-      if (v > 15 || v2 > 15) {
-        fprintf(stderr, "Invalid hex char on line %u\n", line_no);
-        return 3;
-      }
-      v <<= 4;
-      v |= v2;
-
-      if (j == BUF_MAX) {
-        fprintf(stderr, "Too much hex data on line %u (max is %u bytes)\n",
-                line_no, (unsigned)BUF_MAX);
-        return 3;
-      }
-      buf[j++] = v;
-      *buf_len = *buf_len + 1;
-    }
-  }
-
-  printf("Completed %u test cases\n", num_tests);
-  printf("PASS\n");
-  fclose(f);
-
-  return 0;
-}
diff --git a/src/crypto/cipher/aead_test.cc b/src/crypto/cipher/aead_test.cc
new file mode 100644
index 0000000..e4b75d6
--- /dev/null
+++ b/src/crypto/cipher/aead_test.cc
@@ -0,0 +1,276 @@
+/* Copyright (c) 2014, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <stdint.h>
+#include <string.h>
+
+#include <vector>
+
+#include <openssl/aead.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+
+#include "../test/file_test.h"
+#include "../test/stl_compat.h"
+
+
+// This program tests an AEAD against a series of test vectors from a file,
+// using the FileTest format. As an example, here's a valid test case:
+//
+//   KEY: 5a19f3173586b4c42f8412f4d5a786531b3231753e9e00998aec12fda8df10e4
+//   NONCE: 978105dfce667bf4
+//   IN: 6a4583908d
+//   AD: b654574932
+//   CT: 5294265a60
+//   TAG: 1d45758621762e061368e68868e2f929
+
+// EVP_AEAD_CTX lacks a zero state, so it doesn't fit easily into
+// ScopedOpenSSLContext.
+class EVP_AEAD_CTXScoper {
+ public:
+  EVP_AEAD_CTXScoper(EVP_AEAD_CTX *ctx) : ctx_(ctx) {}
+  ~EVP_AEAD_CTXScoper() {
+    EVP_AEAD_CTX_cleanup(ctx_);
+  }
+ private:
+  EVP_AEAD_CTX *ctx_;
+};
+
+static bool TestAEAD(FileTest *t, void *arg) {
+  const EVP_AEAD *aead = reinterpret_cast<const EVP_AEAD*>(arg);
+
+  std::vector<uint8_t> key, nonce, in, ad, ct, tag;
+  if (!t->GetBytes(&key, "KEY") ||
+      !t->GetBytes(&nonce, "NONCE") ||
+      !t->GetBytes(&in, "IN") ||
+      !t->GetBytes(&ad, "AD") ||
+      !t->GetBytes(&ct, "CT") ||
+      !t->GetBytes(&tag, "TAG")) {
+    return false;
+  }
+
+  EVP_AEAD_CTX ctx;
+  if (!EVP_AEAD_CTX_init_with_direction(&ctx, aead, bssl::vector_data(&key),
+                                        key.size(), tag.size(),
+                                        evp_aead_seal)) {
+    t->PrintLine("Failed to init AEAD.");
+    return false;
+  }
+  EVP_AEAD_CTXScoper cleanup(&ctx);
+
+  std::vector<uint8_t> out(in.size() + EVP_AEAD_max_overhead(aead));
+  if (!t->HasAttribute("NO_SEAL")) {
+    size_t out_len;
+    if (!EVP_AEAD_CTX_seal(&ctx, bssl::vector_data(&out), &out_len, out.size(),
+                           bssl::vector_data(&nonce), nonce.size(),
+                           bssl::vector_data(&in), in.size(),
+                           bssl::vector_data(&ad), ad.size())) {
+      t->PrintLine("Failed to run AEAD.");
+      return false;
+    }
+    out.resize(out_len);
+
+    if (out.size() != ct.size() + tag.size()) {
+      t->PrintLine("Bad output length: %u vs %u.", (unsigned)out_len,
+                   (unsigned)(ct.size() + tag.size()));
+      return false;
+    }
+    if (!t->ExpectBytesEqual(bssl::vector_data(&ct), ct.size(),
+                             bssl::vector_data(&out), ct.size()) ||
+        !t->ExpectBytesEqual(bssl::vector_data(&tag), tag.size(),
+                             bssl::vector_data(&out) + ct.size(), tag.size())) {
+      return false;
+    }
+  } else {
+    out.resize(ct.size() + tag.size());
+    memcpy(bssl::vector_data(&out), bssl::vector_data(&ct), ct.size());
+    memcpy(bssl::vector_data(&out) + ct.size(), bssl::vector_data(&tag),
+           tag.size());
+  }
+
+  // The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
+  // reset after each operation.
+  EVP_AEAD_CTX_cleanup(&ctx);
+  if (!EVP_AEAD_CTX_init_with_direction(&ctx, aead, bssl::vector_data(&key),
+                                        key.size(), tag.size(),
+                                        evp_aead_open)) {
+    t->PrintLine("Failed to init AEAD.");
+    return false;
+  }
+
+  std::vector<uint8_t> out2(out.size());
+  size_t out2_len;
+  int ret = EVP_AEAD_CTX_open(&ctx,
+                              bssl::vector_data(&out2), &out2_len, out2.size(),
+                              bssl::vector_data(&nonce), nonce.size(),
+                              bssl::vector_data(&out), out.size(),
+                              bssl::vector_data(&ad), ad.size());
+  if (t->HasAttribute("FAILS")) {
+    if (ret) {
+      t->PrintLine("Decrypted bad data.");
+      return false;
+    }
+    ERR_clear_error();
+    return true;
+  }
+
+  if (!ret) {
+    t->PrintLine("Failed to decrypt.");
+    return false;
+  }
+  out2.resize(out2_len);
+  if (!t->ExpectBytesEqual(bssl::vector_data(&in), in.size(),
+                           bssl::vector_data(&out2), out2.size())) {
+    return false;
+  }
+
+  // The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
+  // reset after each operation.
+  EVP_AEAD_CTX_cleanup(&ctx);
+  if (!EVP_AEAD_CTX_init_with_direction(&ctx, aead, bssl::vector_data(&key),
+                                        key.size(), tag.size(),
+                                        evp_aead_open)) {
+    t->PrintLine("Failed to init AEAD.");
+    return false;
+  }
+
+  // Garbage at the end isn't ignored.
+  out.push_back(0);
+  out2.resize(out.size());
+  if (EVP_AEAD_CTX_open(&ctx, bssl::vector_data(&out2), &out2_len, out2.size(),
+                        bssl::vector_data(&nonce), nonce.size(),
+                        bssl::vector_data(&out), out.size(),
+                        bssl::vector_data(&ad), ad.size())) {
+    t->PrintLine("Decrypted bad data with trailing garbage.");
+    return false;
+  }
+  ERR_clear_error();
+
+  // The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
+  // reset after each operation.
+  EVP_AEAD_CTX_cleanup(&ctx);
+  if (!EVP_AEAD_CTX_init_with_direction(&ctx, aead, bssl::vector_data(&key),
+                                        key.size(), tag.size(),
+                                        evp_aead_open)) {
+    t->PrintLine("Failed to init AEAD.");
+    return false;
+  }
+
+  // Verify integrity is checked.
+  out[0] ^= 0x80;
+  out.resize(out.size() - 1);
+  out2.resize(out.size());
+  if (EVP_AEAD_CTX_open(&ctx, bssl::vector_data(&out2), &out2_len, out2.size(),
+                        bssl::vector_data(&nonce), nonce.size(),
+                        bssl::vector_data(&out), out.size(),
+                        bssl::vector_data(&ad), ad.size())) {
+    t->PrintLine("Decrypted bad data with corrupted byte.");
+    return false;
+  }
+  ERR_clear_error();
+
+  return true;
+}
+
+static int TestCleanupAfterInitFailure(const EVP_AEAD *aead) {
+  EVP_AEAD_CTX ctx;
+  uint8_t key[128];
+
+  memset(key, 0, sizeof(key));
+  const size_t key_len = EVP_AEAD_key_length(aead);
+  if (key_len > sizeof(key)) {
+    fprintf(stderr, "Key length of AEAD too long.\n");
+    return 0;
+  }
+
+  if (EVP_AEAD_CTX_init(&ctx, aead, key, key_len,
+                        9999 /* a silly tag length to trigger an error */,
+                        NULL /* ENGINE */) != 0) {
+    fprintf(stderr, "A silly tag length didn't trigger an error!\n");
+    return 0;
+  }
+
+  /* Running a second, failed _init should not cause a memory leak. */
+  if (EVP_AEAD_CTX_init(&ctx, aead, key, key_len,
+                        9999 /* a silly tag length to trigger an error */,
+                        NULL /* ENGINE */) != 0) {
+    fprintf(stderr, "A silly tag length didn't trigger an error!\n");
+    return 0;
+  }
+
+  /* Calling _cleanup on an |EVP_AEAD_CTX| after a failed _init should be a
+   * no-op. */
+  EVP_AEAD_CTX_cleanup(&ctx);
+  return 1;
+}
+
+struct AEADName {
+  const char name[40];
+  const EVP_AEAD *(*func)(void);
+};
+
+static const struct AEADName kAEADs[] = {
+  { "aes-128-gcm", EVP_aead_aes_128_gcm },
+  { "aes-256-gcm", EVP_aead_aes_256_gcm },
+  { "chacha20-poly1305", EVP_aead_chacha20_poly1305 },
+  { "rc4-md5-tls", EVP_aead_rc4_md5_tls },
+  { "rc4-sha1-tls", EVP_aead_rc4_sha1_tls },
+  { "aes-128-cbc-sha1-tls", EVP_aead_aes_128_cbc_sha1_tls },
+  { "aes-128-cbc-sha1-tls-implicit-iv", EVP_aead_aes_128_cbc_sha1_tls_implicit_iv },
+  { "aes-128-cbc-sha256-tls", EVP_aead_aes_128_cbc_sha256_tls },
+  { "aes-256-cbc-sha1-tls", EVP_aead_aes_256_cbc_sha1_tls },
+  { "aes-256-cbc-sha1-tls-implicit-iv", EVP_aead_aes_256_cbc_sha1_tls_implicit_iv },
+  { "aes-256-cbc-sha256-tls", EVP_aead_aes_256_cbc_sha256_tls },
+  { "aes-256-cbc-sha384-tls", EVP_aead_aes_256_cbc_sha384_tls },
+  { "des-ede3-cbc-sha1-tls", EVP_aead_des_ede3_cbc_sha1_tls },
+  { "des-ede3-cbc-sha1-tls-implicit-iv", EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv },
+  { "rc4-md5-ssl3", EVP_aead_rc4_md5_ssl3 },
+  { "rc4-sha1-ssl3", EVP_aead_rc4_sha1_ssl3 },
+  { "aes-128-cbc-sha1-ssl3", EVP_aead_aes_128_cbc_sha1_ssl3 },
+  { "aes-256-cbc-sha1-ssl3", EVP_aead_aes_256_cbc_sha1_ssl3 },
+  { "des-ede3-cbc-sha1-ssl3", EVP_aead_des_ede3_cbc_sha1_ssl3 },
+  { "aes-128-key-wrap", EVP_aead_aes_128_key_wrap },
+  { "aes-256-key-wrap", EVP_aead_aes_256_key_wrap },
+  { "aes-128-ctr-hmac-sha256", EVP_aead_aes_128_ctr_hmac_sha256 },
+  { "aes-256-ctr-hmac-sha256", EVP_aead_aes_256_ctr_hmac_sha256 },
+  { "", NULL },
+};
+
+int main(int argc, char **argv) {
+  CRYPTO_library_init();
+
+  if (argc != 3) {
+    fprintf(stderr, "%s <aead> <test file.txt>\n", argv[0]);
+    return 1;
+  }
+
+  const EVP_AEAD *aead;
+  for (unsigned i = 0;; i++) {
+    const struct AEADName &aead_name = kAEADs[i];
+    if (aead_name.func == NULL) {
+      fprintf(stderr, "Unknown AEAD: %s\n", argv[1]);
+      return 2;
+    }
+    if (strcmp(aead_name.name, argv[1]) == 0) {
+      aead = aead_name.func();
+      break;
+    }
+  }
+
+  if (!TestCleanupAfterInitFailure(aead)) {
+    return 1;
+  }
+
+  return FileTestMain(TestAEAD, const_cast<EVP_AEAD*>(aead), argv[2]);
+}
diff --git a/src/crypto/cipher/cipher.c b/src/crypto/cipher/cipher.c
index 4bb4196..1dcfd06 100644
--- a/src/crypto/cipher/cipher.c
+++ b/src/crypto/cipher/cipher.c
@@ -94,8 +94,8 @@ EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void) {
 }
 
 int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c) {
-  if (c->cipher != NULL && c->cipher->cleanup && !c->cipher->cleanup(c)) {
-    return 0;
+  if (c->cipher != NULL && c->cipher->cleanup) {
+    c->cipher->cleanup(c);
   }
 
   if (c->cipher_data) {
@@ -197,7 +197,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
         break;
 
       case EVP_CIPH_CFB_MODE:
-      case EVP_CIPH_OFB_MODE:
         ctx->num = 0;
         /* fall-through */
 
@@ -210,6 +209,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
         break;
 
       case EVP_CIPH_CTR_MODE:
+      case EVP_CIPH_OFB_MODE:
         ctx->num = 0;
         /* Don't reuse IV for CTR mode */
         if (iv) {
@@ -582,10 +582,6 @@ int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *c, unsigned key_len) {
 
 int EVP_CIPHER_nid(const EVP_CIPHER *cipher) { return cipher->nid; }
 
-const char *EVP_CIPHER_name(const EVP_CIPHER *cipher) {
-  return OBJ_nid2sn(cipher->nid);
-}
-
 unsigned EVP_CIPHER_block_size(const EVP_CIPHER *cipher) {
   return cipher->block_size;
 }
diff --git a/src/crypto/cipher/cipher_error.c b/src/crypto/cipher/cipher_error.c
deleted file mode 100644
index 95230f6..0000000
--- a/src/crypto/cipher/cipher_error.c
+++ /dev/null
@@ -1,78 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/cipher.h>
-
-const ERR_STRING_DATA CIPHER_error_string_data[] = {
-  {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_EVP_AEAD_CTX_init, 0), "EVP_AEAD_CTX_init"},
-  {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_EVP_AEAD_CTX_open, 0), "EVP_AEAD_CTX_open"},
-  {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_EVP_AEAD_CTX_seal, 0), "EVP_AEAD_CTX_seal"},
-  {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_EVP_CIPHER_CTX_copy, 0), "EVP_CIPHER_CTX_copy"},
-  {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_EVP_CIPHER_CTX_ctrl, 0), "EVP_CIPHER_CTX_ctrl"},
-  {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_EVP_CIPHER_CTX_set_key_length, 0), "EVP_CIPHER_CTX_set_key_length"},
-  {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_EVP_CipherInit_ex, 0), "EVP_CipherInit_ex"},
-  {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_EVP_DecryptFinal_ex, 0), "EVP_DecryptFinal_ex"},
-  {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_EVP_EncryptFinal_ex, 0), "EVP_EncryptFinal_ex"},
-  {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_aes_gcm_init, 0), "aead_aes_gcm_init"},
-  {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_aes_gcm_open, 0), "aead_aes_gcm_open"},
-  {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_aes_gcm_seal, 0), "aead_aes_gcm_seal"},
-  {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_aes_key_wrap_init, 0), "aead_aes_key_wrap_init"},
-  {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_aes_key_wrap_open, 0), "aead_aes_key_wrap_open"},
-  {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_aes_key_wrap_seal, 0), "aead_aes_key_wrap_seal"},
-  {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_chacha20_poly1305_init, 0), "aead_chacha20_poly1305_init"},
-  {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_chacha20_poly1305_open, 0), "aead_chacha20_poly1305_open"},
-  {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_chacha20_poly1305_seal, 0), "aead_chacha20_poly1305_seal"},
-  {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_rc4_md5_tls_init, 0), "aead_rc4_md5_tls_init"},
-  {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_rc4_md5_tls_open, 0), "aead_rc4_md5_tls_open"},
-  {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_rc4_md5_tls_seal, 0), "aead_rc4_md5_tls_seal"},
-  {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_ssl3_ensure_cipher_init, 0), "aead_ssl3_ensure_cipher_init"},
-  {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_ssl3_init, 0), "aead_ssl3_init"},
-  {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_ssl3_open, 0), "aead_ssl3_open"},
-  {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_ssl3_seal, 0), "aead_ssl3_seal"},
-  {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_tls_ensure_cipher_init, 0), "aead_tls_ensure_cipher_init"},
-  {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_tls_init, 0), "aead_tls_init"},
-  {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_tls_open, 0), "aead_tls_open"},
-  {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_tls_seal, 0), "aead_tls_seal"},
-  {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aes_init_key, 0), "aes_init_key"},
-  {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aesni_init_key, 0), "aesni_init_key"},
-  {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_AES_KEY_SETUP_FAILED), "AES_KEY_SETUP_FAILED"},
-  {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_BAD_DECRYPT), "BAD_DECRYPT"},
-  {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_BAD_KEY_LENGTH), "BAD_KEY_LENGTH"},
-  {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_BUFFER_TOO_SMALL), "BUFFER_TOO_SMALL"},
-  {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_CTRL_NOT_IMPLEMENTED), "CTRL_NOT_IMPLEMENTED"},
-  {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_CTRL_OPERATION_NOT_IMPLEMENTED), "CTRL_OPERATION_NOT_IMPLEMENTED"},
-  {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH), "DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH"},
-  {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_INITIALIZATION_ERROR), "INITIALIZATION_ERROR"},
-  {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_INPUT_NOT_INITIALIZED), "INPUT_NOT_INITIALIZED"},
-  {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_INVALID_AD), "INVALID_AD"},
-  {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_INVALID_AD_SIZE), "INVALID_AD_SIZE"},
-  {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_INVALID_KEY_LENGTH), "INVALID_KEY_LENGTH"},
-  {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_INVALID_NONCE_SIZE), "INVALID_NONCE_SIZE"},
-  {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_INVALID_OPERATION), "INVALID_OPERATION"},
-  {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_IV_TOO_LARGE), "IV_TOO_LARGE"},
-  {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_NO_CIPHER_SET), "NO_CIPHER_SET"},
-  {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_OUTPUT_ALIASES_INPUT), "OUTPUT_ALIASES_INPUT"},
-  {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_TAG_TOO_LARGE), "TAG_TOO_LARGE"},
-  {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_TOO_LARGE), "TOO_LARGE"},
-  {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_UNSUPPORTED_AD_SIZE), "UNSUPPORTED_AD_SIZE"},
-  {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_UNSUPPORTED_INPUT_SIZE), "UNSUPPORTED_INPUT_SIZE"},
-  {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_UNSUPPORTED_KEY_SIZE), "UNSUPPORTED_KEY_SIZE"},
-  {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_UNSUPPORTED_NONCE_SIZE), "UNSUPPORTED_NONCE_SIZE"},
-  {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_UNSUPPORTED_TAG_SIZE), "UNSUPPORTED_TAG_SIZE"},
-  {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_WRAP_MODE_NOT_ALLOWED), "WRAP_MODE_NOT_ALLOWED"},
-  {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_WRONG_FINAL_BLOCK_LENGTH), "WRONG_FINAL_BLOCK_LENGTH"},
-  {0, NULL},
-};
diff --git a/src/crypto/cipher/cipher_test.c b/src/crypto/cipher/cipher_test.c
index 2b04ad5..390262f 100644
--- a/src/crypto/cipher/cipher_test.c
+++ b/src/crypto/cipher/cipher_test.c
@@ -54,10 +54,9 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.] */
 
-#include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 
-#include <openssl/bio.h>
 #include <openssl/cipher.h>
 #include <openssl/crypto.h>
 #include <openssl/err.h>
@@ -68,8 +67,9 @@ static void hexdump(FILE *f, const char *title, const uint8_t *s, int l) {
 
   fprintf(f, "%s", title);
   for (; n < l; ++n) {
-    if ((n % 16) == 0)
+    if ((n % 16) == 0) {
       fprintf(f, "\n%04x", n);
+    }
     fprintf(f, " %02x", s[n]);
   }
   fprintf(f, "\n");
@@ -123,15 +123,16 @@ static uint8_t *ustrsep(char **p, const char *sep) {
   return (uint8_t *)sstrsep(p, sep);
 }
 
-static void test1(const EVP_CIPHER *c, const uint8_t *key, int kn,
-                  const uint8_t *iv, int in, const uint8_t *plaintext, int pn,
-                  const uint8_t *ciphertext, int cn, const uint8_t *aad, int an,
-                  const uint8_t *tag, int tn, int encdec) {
+static void test1(const char* cipher_name, const EVP_CIPHER *c,
+                  const uint8_t *key, int kn, const uint8_t *iv, int in,
+                  const uint8_t *plaintext, int pn, const uint8_t *ciphertext,
+                  int cn, const uint8_t *aad, int an, const uint8_t *tag,
+                  int tn, int encdec) {
   EVP_CIPHER_CTX ctx;
   uint8_t out[4096];
   int outl, outl2, mode;
 
-  printf("Testing cipher %s%s\n", EVP_CIPHER_name(c),
+  printf("Testing cipher %s%s\n", cipher_name,
          (encdec == 1 ? "(encrypt)"
                       : (encdec == 0 ? "(decrypt)" : "(encrypt/decrypt)")));
   hexdump(stdout, "Key", key, kn);
@@ -157,39 +158,39 @@ static void test1(const EVP_CIPHER *c, const uint8_t *key, int kn,
     if (mode == EVP_CIPH_GCM_MODE) {
       if (!EVP_EncryptInit_ex(&ctx, c, NULL, NULL, NULL)) {
         fprintf(stderr, "EncryptInit failed\n");
-        BIO_print_errors_fp(stderr);
+        ERR_print_errors_fp(stderr);
         exit(10);
       }
       if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, in, NULL)) {
         fprintf(stderr, "IV length set failed\n");
-        BIO_print_errors_fp(stderr);
+        ERR_print_errors_fp(stderr);
         exit(11);
       }
       if (!EVP_EncryptInit_ex(&ctx, NULL, NULL, key, iv)) {
         fprintf(stderr, "Key/IV set failed\n");
-        BIO_print_errors_fp(stderr);
+        ERR_print_errors_fp(stderr);
         exit(12);
       }
       if (an && !EVP_EncryptUpdate(&ctx, NULL, &outl, aad, an)) {
         fprintf(stderr, "AAD set failed\n");
-        BIO_print_errors_fp(stderr);
+        ERR_print_errors_fp(stderr);
         exit(13);
       }
     } else if (!EVP_EncryptInit_ex(&ctx, c, NULL, key, iv)) {
       fprintf(stderr, "EncryptInit failed\n");
-      BIO_print_errors_fp(stderr);
+      ERR_print_errors_fp(stderr);
       exit(10);
     }
     EVP_CIPHER_CTX_set_padding(&ctx, 0);
 
     if (!EVP_EncryptUpdate(&ctx, out, &outl, plaintext, pn)) {
       fprintf(stderr, "Encrypt failed\n");
-      BIO_print_errors_fp(stderr);
+      ERR_print_errors_fp(stderr);
       exit(6);
     }
     if (!EVP_EncryptFinal_ex(&ctx, out + outl, &outl2)) {
       fprintf(stderr, "EncryptFinal failed\n");
-      BIO_print_errors_fp(stderr);
+      ERR_print_errors_fp(stderr);
       exit(7);
     }
 
@@ -212,7 +213,7 @@ static void test1(const EVP_CIPHER *c, const uint8_t *key, int kn,
        */
       if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, tn, rtag)) {
         fprintf(stderr, "Get tag failed\n");
-        BIO_print_errors_fp(stderr);
+        ERR_print_errors_fp(stderr);
         exit(14);
       }
       if (memcmp(rtag, tag, tn)) {
@@ -228,45 +229,45 @@ static void test1(const EVP_CIPHER *c, const uint8_t *key, int kn,
     if (mode == EVP_CIPH_GCM_MODE) {
       if (!EVP_DecryptInit_ex(&ctx, c, NULL, NULL, NULL)) {
         fprintf(stderr, "EncryptInit failed\n");
-        BIO_print_errors_fp(stderr);
+        ERR_print_errors_fp(stderr);
         exit(10);
       }
       if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, in, NULL)) {
         fprintf(stderr, "IV length set failed\n");
-        BIO_print_errors_fp(stderr);
+        ERR_print_errors_fp(stderr);
         exit(11);
       }
       if (!EVP_DecryptInit_ex(&ctx, NULL, NULL, key, iv)) {
         fprintf(stderr, "Key/IV set failed\n");
-        BIO_print_errors_fp(stderr);
+        ERR_print_errors_fp(stderr);
         exit(12);
       }
       if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, tn, (void *)tag)) {
         fprintf(stderr, "Set tag failed\n");
-        BIO_print_errors_fp(stderr);
+        ERR_print_errors_fp(stderr);
         exit(14);
       }
       if (an && !EVP_DecryptUpdate(&ctx, NULL, &outl, aad, an)) {
         fprintf(stderr, "AAD set failed\n");
-        BIO_print_errors_fp(stderr);
+        ERR_print_errors_fp(stderr);
         exit(13);
       }
     } else if (!EVP_DecryptInit_ex(&ctx, c, NULL, key, iv)) {
       fprintf(stderr, "DecryptInit failed\n");
-      BIO_print_errors_fp(stderr);
+      ERR_print_errors_fp(stderr);
       exit(11);
     }
     EVP_CIPHER_CTX_set_padding(&ctx, 0);
 
     if (!EVP_DecryptUpdate(&ctx, out, &outl, ciphertext, cn)) {
       fprintf(stderr, "Decrypt failed\n");
-      BIO_print_errors_fp(stderr);
+      ERR_print_errors_fp(stderr);
       exit(6);
     }
     outl2 = 0;
     if (!EVP_DecryptFinal_ex(&ctx, out + outl, &outl2)) {
       fprintf(stderr, "DecryptFinal failed\n");
-      BIO_print_errors_fp(stderr);
+      ERR_print_errors_fp(stderr);
       exit(7);
     }
 
@@ -310,6 +311,12 @@ static int test_cipher(const char *cipher, const uint8_t *key, int kn,
     c = EVP_aes_128_cbc();
   } else if (strcmp(cipher, "AES-128-GCM") == 0) {
     c = EVP_aes_128_gcm();
+  } else if (strcmp(cipher, "AES-128-OFB") == 0) {
+    c = EVP_aes_128_ofb();
+  } else if (strcmp(cipher, "AES-192-CBC") == 0) {
+    c = EVP_aes_192_cbc();
+  } else if (strcmp(cipher, "AES-192-ECB") == 0) {
+    c = EVP_aes_192_ecb();
   } else if (strcmp(cipher, "AES-256-CBC") == 0) {
     c = EVP_aes_256_cbc();
   } else if (strcmp(cipher, "AES-128-CTR") == 0) {
@@ -318,13 +325,15 @@ static int test_cipher(const char *cipher, const uint8_t *key, int kn,
     c = EVP_aes_256_ctr();
   } else if (strcmp(cipher, "AES-256-GCM") == 0) {
     c = EVP_aes_256_gcm();
+  } else if (strcmp(cipher, "AES-256-OFB") == 0) {
+    c = EVP_aes_256_ofb();
   } else {
     fprintf(stderr, "Unknown cipher type %s\n", cipher);
     return 0;
   }
 
-  test1(c, key, kn, iv, in, plaintext, pn, ciphertext, cn, aad, an, tag, tn,
-        encdec);
+  test1(cipher, c, key, kn, iv, in, plaintext, pn, ciphertext, cn, aad, an,
+        tag, tn, encdec);
 
   return 1;
 }
@@ -388,8 +397,9 @@ int main(int argc, char **argv) {
       if (p[-1] == '\n') {
         encdec = -1;
         p[-1] = '\0';
-      } else
+      } else {
         encdec = atoi(sstrsep(&p, "\n"));
+      }
     }
 
     kn = convert(key);
diff --git a/src/crypto/cipher/e_aes.c b/src/crypto/cipher/e_aes.c
index a86e830..eacbd10 100644
--- a/src/crypto/cipher/e_aes.c
+++ b/src/crypto/cipher/e_aes.c
@@ -57,8 +57,10 @@
 #include <openssl/modes.h>
 #include <openssl/obj.h>
 #include <openssl/rand.h>
+#include <openssl/sha.h>
 
 #include "internal.h"
+#include "../internal.h"
 #include "../modes/internal.h"
 
 #if defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)
@@ -281,7 +283,8 @@ void aesni_ctr32_encrypt_blocks(const uint8_t *in, uint8_t *out, size_t blocks,
 #endif
 
 static int aes_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
-                        const uint8_t *iv, int enc) {
+                        const uint8_t *iv, int enc)
+                        OPENSSL_SUPPRESS_UNREACHABLE_CODE_WARNINGS {
   int ret, mode;
   EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
 
@@ -342,8 +345,8 @@ static int aes_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
   return 1;
 }
 
-static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-                          const unsigned char *in, size_t len) {
+static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
+                          size_t len) {
   EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
 
   if (dat->stream.cbc) {
@@ -357,8 +360,8 @@ static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
   return 1;
 }
 
-static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-                          const unsigned char *in, size_t len) {
+static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
+                          size_t len) {
   size_t bl = ctx->cipher->block_size;
   size_t i;
   EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
@@ -374,8 +377,8 @@ static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
   return 1;
 }
 
-static int aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-                          const unsigned char *in, size_t len) {
+static int aes_ctr_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
+                          size_t len) {
   unsigned int num = ctx->num;
   EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
 
@@ -390,28 +393,71 @@ static int aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
   return 1;
 }
 
-static ctr128_f aes_gcm_set_key(AES_KEY *aes_key, GCM128_CONTEXT *gcm_ctx,
-                                const uint8_t *key, size_t key_len) {
+static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
+                          size_t len) {
+  EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
+
+  CRYPTO_ofb128_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num, dat->block);
+  return 1;
+}
+
+static char aesni_capable(void);
+
+static ctr128_f aes_ctr_set_key(AES_KEY *aes_key, GCM128_CONTEXT *gcm_ctx,
+                                block128_f *out_block, const uint8_t *key,
+                                size_t key_len)
+                                OPENSSL_SUPPRESS_UNREACHABLE_CODE_WARNINGS {
+  if (aesni_capable()) {
+    aesni_set_encrypt_key(key, key_len * 8, aes_key);
+    if (gcm_ctx != NULL) {
+      CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)aesni_encrypt);
+    }
+    if (out_block) {
+      *out_block = (block128_f) aesni_encrypt;
+    }
+    return (ctr128_f)aesni_ctr32_encrypt_blocks;
+  }
+
   if (hwaes_capable()) {
     aes_v8_set_encrypt_key(key, key_len * 8, aes_key);
-    CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)aes_v8_encrypt);
+    if (gcm_ctx != NULL) {
+      CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)aes_v8_encrypt);
+    }
+    if (out_block) {
+      *out_block = (block128_f) aes_v8_encrypt;
+    }
     return (ctr128_f)aes_v8_ctr32_encrypt_blocks;
   }
 
   if (bsaes_capable()) {
     AES_set_encrypt_key(key, key_len * 8, aes_key);
-    CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt);
+    if (gcm_ctx != NULL) {
+      CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt);
+    }
+    if (out_block) {
+      *out_block = (block128_f) AES_encrypt;
+    }
     return (ctr128_f)bsaes_ctr32_encrypt_blocks;
   }
 
   if (vpaes_capable()) {
     vpaes_set_encrypt_key(key, key_len * 8, aes_key);
-    CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)vpaes_encrypt);
+    if (out_block) {
+      *out_block = (block128_f) vpaes_encrypt;
+    }
+    if (gcm_ctx != NULL) {
+      CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)vpaes_encrypt);
+    }
     return NULL;
   }
 
   AES_set_encrypt_key(key, key_len * 8, aes_key);
-  CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt);
+  if (gcm_ctx != NULL) {
+    CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt);
+  }
+  if (out_block) {
+    *out_block = (block128_f) AES_encrypt;
+  }
   return NULL;
 }
 
@@ -422,7 +468,8 @@ static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
     return 1;
   }
   if (key) {
-    gctx->ctr = aes_gcm_set_key(&gctx->ks.ks, &gctx->gcm, key, ctx->key_len);
+    gctx->ctr =
+        aes_ctr_set_key(&gctx->ks.ks, &gctx->gcm, NULL, key, ctx->key_len);
     /* If we have an iv can set it directly, otherwise use saved IV. */
     if (iv == NULL && gctx->iv_set) {
       iv = gctx->iv;
@@ -445,13 +492,12 @@ static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
   return 1;
 }
 
-static int aes_gcm_cleanup(EVP_CIPHER_CTX *c) {
+static void aes_gcm_cleanup(EVP_CIPHER_CTX *c) {
   EVP_AES_GCM_CTX *gctx = c->cipher_data;
   OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm));
   if (gctx->iv != c->iv) {
     OPENSSL_free(gctx->iv);
   }
-  return 1;
 }
 
 /* increment counter (64-bit int) by 1 */
@@ -697,6 +743,12 @@ static const EVP_CIPHER aes_128_ecb = {
     NULL /* app_data */, aes_init_key,        aes_ecb_cipher,
     NULL /* cleanup */,  NULL /* ctrl */};
 
+static const EVP_CIPHER aes_128_ofb = {
+    NID_aes_128_ofb128,  1 /* block_size */,  16 /* key_size */,
+    16 /* iv_len */,     sizeof(EVP_AES_KEY), EVP_CIPH_OFB_MODE,
+    NULL /* app_data */, aes_init_key,        aes_ofb_cipher,
+    NULL /* cleanup */,  NULL /* ctrl */};
+
 static const EVP_CIPHER aes_128_gcm = {
     NID_aes_128_gcm, 1 /* block_size */, 16 /* key_size */, 12 /* iv_len */,
     sizeof(EVP_AES_GCM_CTX),
@@ -736,25 +788,31 @@ static const EVP_CIPHER aes_192_gcm = {
 
 
 static const EVP_CIPHER aes_256_cbc = {
-    NID_aes_128_cbc,     16 /* block_size */, 32 /* key_size */,
+    NID_aes_256_cbc,     16 /* block_size */, 32 /* key_size */,
     16 /* iv_len */,     sizeof(EVP_AES_KEY), EVP_CIPH_CBC_MODE,
     NULL /* app_data */, aes_init_key,        aes_cbc_cipher,
     NULL /* cleanup */,  NULL /* ctrl */};
 
 static const EVP_CIPHER aes_256_ctr = {
-    NID_aes_128_ctr,     1 /* block_size */,  32 /* key_size */,
+    NID_aes_256_ctr,     1 /* block_size */,  32 /* key_size */,
     16 /* iv_len */,     sizeof(EVP_AES_KEY), EVP_CIPH_CTR_MODE,
     NULL /* app_data */, aes_init_key,        aes_ctr_cipher,
     NULL /* cleanup */,  NULL /* ctrl */};
 
 static const EVP_CIPHER aes_256_ecb = {
-    NID_aes_128_ecb,     16 /* block_size */, 32 /* key_size */,
+    NID_aes_256_ecb,     16 /* block_size */, 32 /* key_size */,
     0 /* iv_len */,      sizeof(EVP_AES_KEY), EVP_CIPH_ECB_MODE,
     NULL /* app_data */, aes_init_key,        aes_ecb_cipher,
     NULL /* cleanup */,  NULL /* ctrl */};
 
+static const EVP_CIPHER aes_256_ofb = {
+    NID_aes_256_ofb128,  1 /* block_size */,  32 /* key_size */,
+    16 /* iv_len */,     sizeof(EVP_AES_KEY), EVP_CIPH_OFB_MODE,
+    NULL /* app_data */, aes_init_key,        aes_ofb_cipher,
+    NULL /* cleanup */,  NULL /* ctrl */};
+
 static const EVP_CIPHER aes_256_gcm = {
-    NID_aes_128_gcm, 1 /* block_size */, 32 /* key_size */, 12 /* iv_len */,
+    NID_aes_256_gcm, 1 /* block_size */, 32 /* key_size */, 12 /* iv_len */,
     sizeof(EVP_AES_GCM_CTX),
     EVP_CIPH_GCM_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER |
         EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT |
@@ -873,6 +931,12 @@ static const EVP_CIPHER aesni_128_ecb = {
     NULL /* app_data */, aesni_init_key,      aesni_ecb_cipher,
     NULL /* cleanup */,  NULL /* ctrl */};
 
+static const EVP_CIPHER aesni_128_ofb = {
+    NID_aes_128_ofb128,  1 /* block_size */,  16 /* key_size */,
+    16 /* iv_len */,     sizeof(EVP_AES_KEY), EVP_CIPH_OFB_MODE,
+    NULL /* app_data */, aesni_init_key,      aes_ofb_cipher,
+    NULL /* cleanup */,  NULL /* ctrl */};
+
 static const EVP_CIPHER aesni_128_gcm = {
     NID_aes_128_gcm, 1 /* block_size */, 16 /* key_size */, 12 /* iv_len */,
     sizeof(EVP_AES_GCM_CTX),
@@ -912,23 +976,29 @@ static const EVP_CIPHER aesni_192_gcm = {
 
 
 static const EVP_CIPHER aesni_256_cbc = {
-    NID_aes_128_cbc,     16 /* block_size */, 32 /* key_size */,
+    NID_aes_256_cbc,     16 /* block_size */, 32 /* key_size */,
     16 /* iv_len */,     sizeof(EVP_AES_KEY), EVP_CIPH_CBC_MODE,
     NULL /* app_data */, aesni_init_key,      aesni_cbc_cipher,
     NULL /* cleanup */,  NULL /* ctrl */};
 
 static const EVP_CIPHER aesni_256_ctr = {
-    NID_aes_128_ctr,     1 /* block_size */,  32 /* key_size */,
+    NID_aes_256_ctr,     1 /* block_size */,  32 /* key_size */,
     16 /* iv_len */,     sizeof(EVP_AES_KEY), EVP_CIPH_CTR_MODE,
     NULL /* app_data */, aesni_init_key,      aes_ctr_cipher,
     NULL /* cleanup */,  NULL /* ctrl */};
 
 static const EVP_CIPHER aesni_256_ecb = {
-    NID_aes_128_ecb,     16 /* block_size */, 32 /* key_size */,
+    NID_aes_256_ecb,     16 /* block_size */, 32 /* key_size */,
     0 /* iv_len */,      sizeof(EVP_AES_KEY), EVP_CIPH_ECB_MODE,
     NULL /* app_data */, aesni_init_key,      aesni_ecb_cipher,
     NULL /* cleanup */,  NULL /* ctrl */};
 
+static const EVP_CIPHER aesni_256_ofb = {
+    NID_aes_256_ofb128,  1 /* block_size */,  32 /* key_size */,
+    16 /* iv_len */,     sizeof(EVP_AES_KEY), EVP_CIPH_OFB_MODE,
+    NULL /* app_data */, aesni_init_key,      aes_ofb_cipher,
+    NULL /* cleanup */,  NULL /* ctrl */};
+
 static const EVP_CIPHER aesni_256_gcm = {
     NID_aes_256_gcm, 1 /* block_size */, 32 /* key_size */, 12 /* iv_len */,
     sizeof(EVP_AES_GCM_CTX),
@@ -963,6 +1033,7 @@ static char aesni_capable(void) {
 EVP_CIPHER_FUNCTION(128, cbc)
 EVP_CIPHER_FUNCTION(128, ctr)
 EVP_CIPHER_FUNCTION(128, ecb)
+EVP_CIPHER_FUNCTION(128, ofb)
 EVP_CIPHER_FUNCTION(128, gcm)
 
 EVP_CIPHER_FUNCTION(192, cbc)
@@ -973,6 +1044,7 @@ EVP_CIPHER_FUNCTION(192, gcm)
 EVP_CIPHER_FUNCTION(256, cbc)
 EVP_CIPHER_FUNCTION(256, ctr)
 EVP_CIPHER_FUNCTION(256, ecb)
+EVP_CIPHER_FUNCTION(256, ofb)
 EVP_CIPHER_FUNCTION(256, gcm)
 
 
@@ -1012,15 +1084,8 @@ static int aead_aes_gcm_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
     return 0;
   }
 
-  if (aesni_capable()) {
-    aesni_set_encrypt_key(key, key_len * 8, &gcm_ctx->ks.ks);
-    CRYPTO_gcm128_init(&gcm_ctx->gcm, &gcm_ctx->ks.ks,
-                       (block128_f)aesni_encrypt);
-    gcm_ctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
-  } else {
-    gcm_ctx->ctr =
-        aes_gcm_set_key(&gcm_ctx->ks.ks, &gcm_ctx->gcm, key, key_len);
-  }
+  gcm_ctx->ctr =
+      aes_ctr_set_key(&gcm_ctx->ks.ks, &gcm_ctx->gcm, NULL, key, key_len);
   gcm_ctx->tag_len = tag_len;
   ctx->aead_state = gcm_ctx;
 
@@ -1133,8 +1198,12 @@ static const EVP_AEAD aead_aes_128_gcm = {
     12,                       /* nonce len */
     EVP_AEAD_AES_GCM_TAG_LEN, /* overhead */
     EVP_AEAD_AES_GCM_TAG_LEN, /* max tag length */
-    aead_aes_gcm_init,        aead_aes_gcm_cleanup,
-    aead_aes_gcm_seal,        aead_aes_gcm_open,
+    aead_aes_gcm_init,
+    NULL, /* init_with_direction */
+    aead_aes_gcm_cleanup,
+    aead_aes_gcm_seal,
+    aead_aes_gcm_open,
+    NULL,                     /* get_rc4_state */
 };
 
 static const EVP_AEAD aead_aes_256_gcm = {
@@ -1142,8 +1211,12 @@ static const EVP_AEAD aead_aes_256_gcm = {
     12,                       /* nonce len */
     EVP_AEAD_AES_GCM_TAG_LEN, /* overhead */
     EVP_AEAD_AES_GCM_TAG_LEN, /* max tag length */
-    aead_aes_gcm_init,        aead_aes_gcm_cleanup,
-    aead_aes_gcm_seal,        aead_aes_gcm_open,
+    aead_aes_gcm_init,
+    NULL, /* init_with_direction */
+    aead_aes_gcm_cleanup,
+    aead_aes_gcm_seal,
+    aead_aes_gcm_open,
+    NULL,                     /* get_rc4_state */
 };
 
 const EVP_AEAD *EVP_aead_aes_128_gcm(void) { return &aead_aes_128_gcm; }
@@ -1347,7 +1420,7 @@ static int aead_aes_key_wrap_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
   }
 
   if (in_len < 24) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_gcm_open, CIPHER_R_BAD_DECRYPT);
+    OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_open, CIPHER_R_BAD_DECRYPT);
     return 0;
   }
 
@@ -1384,7 +1457,7 @@ static int aead_aes_key_wrap_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
   }
 
   if (CRYPTO_memcmp(A, nonce, 8) != 0) {
-    OPENSSL_PUT_ERROR(CIPHER, aead_aes_gcm_open, CIPHER_R_BAD_DECRYPT);
+    OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_open, CIPHER_R_BAD_DECRYPT);
     return 0;
   }
 
@@ -1397,8 +1470,12 @@ static const EVP_AEAD aead_aes_128_key_wrap = {
     8,  /* nonce len */
     8,  /* overhead */
     8,  /* max tag length */
-    aead_aes_key_wrap_init, aead_aes_key_wrap_cleanup,
-    aead_aes_key_wrap_seal, aead_aes_key_wrap_open,
+    aead_aes_key_wrap_init,
+    NULL, /* init_with_direction */
+    aead_aes_key_wrap_cleanup,
+    aead_aes_key_wrap_seal,
+    aead_aes_key_wrap_open,
+    NULL,  /* get_rc4_state */
 };
 
 static const EVP_AEAD aead_aes_256_key_wrap = {
@@ -1406,14 +1483,297 @@ static const EVP_AEAD aead_aes_256_key_wrap = {
     8,  /* nonce len */
     8,  /* overhead */
     8,  /* max tag length */
-    aead_aes_key_wrap_init, aead_aes_key_wrap_cleanup,
-    aead_aes_key_wrap_seal, aead_aes_key_wrap_open,
+    aead_aes_key_wrap_init,
+    NULL, /* init_with_direction */
+    aead_aes_key_wrap_cleanup,
+    aead_aes_key_wrap_seal,
+    aead_aes_key_wrap_open,
+    NULL,  /* get_rc4_state */
 };
 
 const EVP_AEAD *EVP_aead_aes_128_key_wrap(void) { return &aead_aes_128_key_wrap; }
 
 const EVP_AEAD *EVP_aead_aes_256_key_wrap(void) { return &aead_aes_256_key_wrap; }
 
+
+#define EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN SHA256_DIGEST_LENGTH
+#define EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN 12
+
+struct aead_aes_ctr_hmac_sha256_ctx {
+  union {
+    double align;
+    AES_KEY ks;
+  } ks;
+  ctr128_f ctr;
+  block128_f block;
+  SHA256_CTX inner_init_state;
+  SHA256_CTX outer_init_state;
+  uint8_t tag_len;
+};
+
+static void hmac_init(SHA256_CTX *out_inner, SHA256_CTX *out_outer,
+                      const uint8_t hmac_key[32]) {
+  static const size_t hmac_key_len = 32;
+  uint8_t block[SHA256_CBLOCK];
+  memcpy(block, hmac_key, hmac_key_len);
+  memset(block + hmac_key_len, 0x36, sizeof(block) - hmac_key_len);
+
+  unsigned i;
+  for (i = 0; i < hmac_key_len; i++) {
+    block[i] ^= 0x36;
+  }
+
+  SHA256_Init(out_inner);
+  SHA256_Update(out_inner, block, sizeof(block));
+
+  memset(block + hmac_key_len, 0x5c, sizeof(block) - hmac_key_len);
+  for (i = 0; i < hmac_key_len; i++) {
+    block[i] ^= (0x36 ^ 0x5c);
+  }
+
+  SHA256_Init(out_outer);
+  SHA256_Update(out_outer, block, sizeof(block));
+}
+
+static int aead_aes_ctr_hmac_sha256_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
+                                         size_t key_len, size_t tag_len) {
+  struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx;
+  static const size_t hmac_key_len = 32;
+
+  if (key_len < hmac_key_len) {
+    OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_init,
+                      CIPHER_R_BAD_KEY_LENGTH);
+    return 0; /* EVP_AEAD_CTX_init should catch this. */
+  }
+
+  const size_t aes_key_len = key_len - hmac_key_len;
+  if (aes_key_len != 16 && aes_key_len != 32) {
+    OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_init,
+                      CIPHER_R_BAD_KEY_LENGTH);
+    return 0; /* EVP_AEAD_CTX_init should catch this. */
+  }
+
+  if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) {
+    tag_len = EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN;
+  }
+
+  if (tag_len > EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN) {
+    OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_init,
+                      CIPHER_R_TAG_TOO_LARGE);
+    return 0;
+  }
+
+  aes_ctx = OPENSSL_malloc(sizeof(struct aead_aes_ctr_hmac_sha256_ctx));
+  if (aes_ctx == NULL) {
+    OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_init,
+                      ERR_R_MALLOC_FAILURE);
+    return 0;
+  }
+
+  aes_ctx->ctr =
+      aes_ctr_set_key(&aes_ctx->ks.ks, NULL, &aes_ctx->block, key, aes_key_len);
+  aes_ctx->tag_len = tag_len;
+  hmac_init(&aes_ctx->inner_init_state, &aes_ctx->outer_init_state,
+            key + aes_key_len);
+
+  ctx->aead_state = aes_ctx;
+
+  return 1;
+}
+
+static void aead_aes_ctr_hmac_sha256_cleanup(EVP_AEAD_CTX *ctx) {
+  struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx = ctx->aead_state;
+  OPENSSL_cleanse(aes_ctx, sizeof(struct aead_aes_ctr_hmac_sha256_ctx));
+  OPENSSL_free(aes_ctx);
+}
+
+static void hmac_update_uint64(SHA256_CTX *sha256, uint64_t value) {
+  unsigned i;
+  uint8_t bytes[8];
+
+  for (i = 0; i < sizeof(bytes); i++) {
+    bytes[i] = value & 0xff;
+    value >>= 8;
+  }
+  SHA256_Update(sha256, bytes, sizeof(bytes));
+}
+
+static void hmac_calculate(uint8_t out[SHA256_DIGEST_LENGTH],
+                           const SHA256_CTX *inner_init_state,
+                           const SHA256_CTX *outer_init_state,
+                           const uint8_t *ad, size_t ad_len,
+                           const uint8_t *nonce, const uint8_t *ciphertext,
+                           size_t ciphertext_len) {
+  SHA256_CTX sha256;
+  memcpy(&sha256, inner_init_state, sizeof(sha256));
+  hmac_update_uint64(&sha256, ad_len);
+  hmac_update_uint64(&sha256, ciphertext_len);
+  SHA256_Update(&sha256, nonce, EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN);
+  SHA256_Update(&sha256, ad, ad_len);
+
+  /* Pad with zeros to the end of the SHA-256 block. */
+  const unsigned num_padding =
+      (SHA256_CBLOCK - ((sizeof(uint64_t)*2 +
+                         EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN + ad_len) %
+                        SHA256_CBLOCK)) %
+      SHA256_CBLOCK;
+  uint8_t padding[SHA256_CBLOCK];
+  memset(padding, 0, num_padding);
+  SHA256_Update(&sha256, padding, num_padding);
+
+  SHA256_Update(&sha256, ciphertext, ciphertext_len);
+
+  uint8_t inner_digest[SHA256_DIGEST_LENGTH];
+  SHA256_Final(inner_digest, &sha256);
+
+  memcpy(&sha256, outer_init_state, sizeof(sha256));
+  SHA256_Update(&sha256, inner_digest, sizeof(inner_digest));
+  SHA256_Final(out, &sha256);
+}
+
+static void aead_aes_ctr_hmac_sha256_crypt(
+    const struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx, uint8_t *out,
+    const uint8_t *in, size_t len, const uint8_t *nonce) {
+  /* Since the AEAD operation is one-shot, keeping a buffer of unused keystream
+   * bytes is pointless. However, |CRYPTO_ctr128_encrypt| requires it. */
+  uint8_t partial_block_buffer[AES_BLOCK_SIZE];
+  unsigned partial_block_offset = 0;
+  memset(partial_block_buffer, 0, sizeof(partial_block_buffer));
+
+  uint8_t counter[AES_BLOCK_SIZE];
+  memcpy(counter, nonce, EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN);
+  memset(counter + EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN, 0, 4);
+
+  if (aes_ctx->ctr) {
+    CRYPTO_ctr128_encrypt_ctr32(in, out, len, &aes_ctx->ks.ks, counter,
+                                partial_block_buffer, &partial_block_offset,
+                                aes_ctx->ctr);
+  } else {
+    CRYPTO_ctr128_encrypt(in, out, len, &aes_ctx->ks.ks, counter,
+                          partial_block_buffer, &partial_block_offset,
+                          aes_ctx->block);
+  }
+}
+
+static int aead_aes_ctr_hmac_sha256_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
+                                         size_t *out_len, size_t max_out_len,
+                                         const uint8_t *nonce, size_t nonce_len,
+                                         const uint8_t *in, size_t in_len,
+                                         const uint8_t *ad, size_t ad_len) {
+  const struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx = ctx->aead_state;
+  const uint64_t in_len_64 = in_len;
+
+  if (in_len + aes_ctx->tag_len < in_len ||
+      /* This input is so large it would overflow the 32-bit block counter. */
+      in_len_64 >= (OPENSSL_U64(1) << 32) * AES_BLOCK_SIZE) {
+    OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_seal,
+                      CIPHER_R_TOO_LARGE);
+    return 0;
+  }
+
+  if (max_out_len < in_len + aes_ctx->tag_len) {
+    OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_seal,
+                      CIPHER_R_BUFFER_TOO_SMALL);
+    return 0;
+  }
+
+  if (nonce_len != EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN) {
+    OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_seal,
+                      CIPHER_R_UNSUPPORTED_NONCE_SIZE);
+    return 0;
+  }
+
+  aead_aes_ctr_hmac_sha256_crypt(aes_ctx, out, in, in_len, nonce);
+
+  uint8_t hmac_result[SHA256_DIGEST_LENGTH];
+  hmac_calculate(hmac_result, &aes_ctx->inner_init_state,
+                 &aes_ctx->outer_init_state, ad, ad_len, nonce, out, in_len);
+  memcpy(out + in_len, hmac_result, aes_ctx->tag_len);
+  *out_len = in_len + aes_ctx->tag_len;
+
+  return 1;
+}
+
+static int aead_aes_ctr_hmac_sha256_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
+                                         size_t *out_len, size_t max_out_len,
+                                         const uint8_t *nonce, size_t nonce_len,
+                                         const uint8_t *in, size_t in_len,
+                                         const uint8_t *ad, size_t ad_len) {
+  const struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx = ctx->aead_state;
+  size_t plaintext_len;
+
+  if (in_len < aes_ctx->tag_len) {
+    OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_open,
+                      CIPHER_R_BAD_DECRYPT);
+    return 0;
+  }
+
+  plaintext_len = in_len - aes_ctx->tag_len;
+
+  if (max_out_len < plaintext_len) {
+    OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_open,
+                      CIPHER_R_BUFFER_TOO_SMALL);
+    return 0;
+  }
+
+  if (nonce_len != EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN) {
+    OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_open,
+                      CIPHER_R_UNSUPPORTED_NONCE_SIZE);
+    return 0;
+  }
+
+  uint8_t hmac_result[SHA256_DIGEST_LENGTH];
+  hmac_calculate(hmac_result, &aes_ctx->inner_init_state,
+                 &aes_ctx->outer_init_state, ad, ad_len, nonce, in,
+                 plaintext_len);
+  if (CRYPTO_memcmp(hmac_result, in + plaintext_len, aes_ctx->tag_len) != 0) {
+    OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_open,
+                      CIPHER_R_BAD_DECRYPT);
+    return 0;
+  }
+
+  aead_aes_ctr_hmac_sha256_crypt(aes_ctx, out, in, plaintext_len, nonce);
+
+  *out_len = plaintext_len;
+  return 1;
+}
+
+static const EVP_AEAD aead_aes_128_ctr_hmac_sha256 = {
+    16 /* AES key */ + 32 /* HMAC key */,
+    12,                                       /* nonce length */
+    EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN,     /* overhead */
+    EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN,     /* max tag length */
+
+    aead_aes_ctr_hmac_sha256_init,
+    NULL /* init_with_direction */,
+    aead_aes_ctr_hmac_sha256_cleanup,
+    aead_aes_ctr_hmac_sha256_seal,
+    aead_aes_ctr_hmac_sha256_open,
+    NULL /* get_rc4_state */,
+};
+
+static const EVP_AEAD aead_aes_256_ctr_hmac_sha256 = {
+    32 /* AES key */ + 32 /* HMAC key */,
+    12,                                       /* nonce length */
+    EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN,     /* overhead */
+    EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN,     /* max tag length */
+
+    aead_aes_ctr_hmac_sha256_init,
+    NULL /* init_with_direction */,
+    aead_aes_ctr_hmac_sha256_cleanup,
+    aead_aes_ctr_hmac_sha256_seal,
+    aead_aes_ctr_hmac_sha256_open,
+    NULL /* get_rc4_state */,
+};
+
+const EVP_AEAD *EVP_aead_aes_128_ctr_hmac_sha256(void) {
+  return &aead_aes_128_ctr_hmac_sha256;
+}
+
+const EVP_AEAD *EVP_aead_aes_256_ctr_hmac_sha256(void) {
+  return &aead_aes_256_ctr_hmac_sha256;
+}
+
 int EVP_has_aes_hardware(void) {
 #if defined(OPENSSL_X86) || defined(OPENSSL_X86_64)
   return aesni_capable() && crypto_gcm_clmul_enabled();
diff --git a/src/crypto/cipher/e_chacha20poly1305.c b/src/crypto/cipher/e_chacha20poly1305.c
index 1cdcbca..ebf0088 100644
--- a/src/crypto/cipher/e_chacha20poly1305.c
+++ b/src/crypto/cipher/e_chacha20poly1305.c
@@ -209,8 +209,12 @@ static const EVP_AEAD aead_chacha20_poly1305 = {
     CHACHA20_NONCE_LEN, /* nonce len */
     POLY1305_TAG_LEN,   /* overhead */
     POLY1305_TAG_LEN,   /* max tag length */
-    aead_chacha20_poly1305_init, aead_chacha20_poly1305_cleanup,
-    aead_chacha20_poly1305_seal, aead_chacha20_poly1305_open,
+    aead_chacha20_poly1305_init,
+    NULL, /* init_with_direction */
+    aead_chacha20_poly1305_cleanup,
+    aead_chacha20_poly1305_seal,
+    aead_chacha20_poly1305_open,
+    NULL,               /* get_rc4_state */
 };
 
 const EVP_AEAD *EVP_aead_chacha20_poly1305(void) {
diff --git a/src/crypto/cipher/e_des.c b/src/crypto/cipher/e_des.c
index d4b04f4..74e1fce 100644
--- a/src/crypto/cipher/e_des.c
+++ b/src/crypto/cipher/e_des.c
@@ -61,8 +61,6 @@
 #include "internal.h"
 
 
-#define EVP_MAXCHUNK (1<<30)
-
 typedef struct {
   union {
     double align;
@@ -83,18 +81,8 @@ static int des_cbc_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
                           size_t in_len) {
   EVP_DES_KEY *dat = (EVP_DES_KEY *)ctx->cipher_data;
 
-  while (in_len >= EVP_MAXCHUNK) {
-    DES_ncbc_encrypt(in, out, EVP_MAXCHUNK, &dat->ks.ks, (DES_cblock *)ctx->iv,
-                     ctx->encrypt);
-    in_len -= EVP_MAXCHUNK;
-    in += EVP_MAXCHUNK;
-    out += EVP_MAXCHUNK;
-  }
-
-  if (in_len) {
-    DES_ncbc_encrypt(in, out, (long)in_len, &dat->ks.ks,
-                     (DES_cblock *)ctx->iv, ctx->encrypt);
-  }
+  DES_ncbc_encrypt(in, out, in_len, &dat->ks.ks, (DES_cblock *)ctx->iv,
+                   ctx->encrypt);
 
   return 1;
 }
@@ -132,18 +120,8 @@ static int des_ede3_cbc_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out,
                               const uint8_t *in, size_t in_len) {
   DES_EDE_KEY *dat = (DES_EDE_KEY*) ctx->cipher_data;
 
-  while (in_len >= EVP_MAXCHUNK) {
-    DES_ede3_cbc_encrypt(in, out, EVP_MAXCHUNK, &dat->ks.ks[0], &dat->ks.ks[1],
-                         &dat->ks.ks[2], (DES_cblock *)ctx->iv, ctx->encrypt);
-    in_len -= EVP_MAXCHUNK;
-    in += EVP_MAXCHUNK;
-    out += EVP_MAXCHUNK;
-  }
-
-  if (in_len) {
-    DES_ede3_cbc_encrypt(in, out, in_len, &dat->ks.ks[0], &dat->ks.ks[1],
-                         &dat->ks.ks[2], (DES_cblock *)ctx->iv, ctx->encrypt);
-  }
+  DES_ede3_cbc_encrypt(in, out, in_len, &dat->ks.ks[0], &dat->ks.ks[1],
+                       &dat->ks.ks[2], (DES_cblock *)ctx->iv, ctx->encrypt);
 
   return 1;
 }
diff --git a/src/crypto/cipher/e_rc4.c b/src/crypto/cipher/e_rc4.c
index 04ddcb6..80dea36 100644
--- a/src/crypto/cipher/e_rc4.c
+++ b/src/crypto/cipher/e_rc4.c
@@ -299,7 +299,9 @@ static int aead_rc4_md5_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
     return 0;
   }
 
-  if (max_out_len < plaintext_len) {
+  if (max_out_len < in_len) {
+    /* This requires that the caller provide space for the MAC, even though it
+     * will always be removed on return. */
     OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_open, CIPHER_R_BUFFER_TOO_SMALL);
     return 0;
   }
@@ -372,13 +374,24 @@ static int aead_rc4_md5_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
   return 1;
 }
 
+static int aead_rc4_md5_tls_get_rc4_state(const EVP_AEAD_CTX *ctx,
+                                          const RC4_KEY **out_key) {
+  struct aead_rc4_md5_tls_ctx *rc4_ctx = ctx->aead_state;
+  *out_key = &rc4_ctx->rc4;
+  return 1;
+}
+
 static const EVP_AEAD aead_rc4_md5_tls = {
     16 + MD5_DIGEST_LENGTH, /* key len (RC4 + MD5) */
     0,                      /* nonce len */
     MD5_DIGEST_LENGTH,      /* overhead */
     MD5_DIGEST_LENGTH,      /* max tag length */
-    aead_rc4_md5_tls_init,  aead_rc4_md5_tls_cleanup,
-    aead_rc4_md5_tls_seal,  aead_rc4_md5_tls_open,
+    aead_rc4_md5_tls_init,
+    NULL, /* init_with_direction */
+    aead_rc4_md5_tls_cleanup,
+    aead_rc4_md5_tls_seal,
+    aead_rc4_md5_tls_open,
+    aead_rc4_md5_tls_get_rc4_state,
 };
 
 const EVP_AEAD *EVP_aead_rc4_md5_tls(void) { return &aead_rc4_md5_tls; }
diff --git a/src/crypto/cipher/e_ssl3.c b/src/crypto/cipher/e_ssl3.c
index d9dec68..1031d9b 100644
--- a/src/crypto/cipher/e_ssl3.c
+++ b/src/crypto/cipher/e_ssl3.c
@@ -30,17 +30,6 @@
 typedef struct {
   EVP_CIPHER_CTX cipher_ctx;
   EVP_MD_CTX md_ctx;
-  /* enc_key is the portion of the key used for the stream or block cipher. It
-   * is retained separately to allow the EVP_CIPHER_CTX to be initialized once
-   * the direction is known. */
-  uint8_t enc_key[EVP_MAX_KEY_LENGTH];
-  uint8_t enc_key_len;
-  /* iv is the portion of the key used for the fixed IV. It is retained
-   * separately to allow the EVP_CIPHER_CTX to be initialized once the direction
-   * is known. */
-  uint8_t iv[EVP_MAX_IV_LENGTH];
-  uint8_t iv_len;
-  char initialized;
 } AEAD_SSL3_CTX;
 
 static int ssl3_mac(AEAD_SSL3_CTX *ssl3_ctx, uint8_t *out, unsigned *out_len,
@@ -87,15 +76,13 @@ static void aead_ssl3_cleanup(EVP_AEAD_CTX *ctx) {
   AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;
   EVP_CIPHER_CTX_cleanup(&ssl3_ctx->cipher_ctx);
   EVP_MD_CTX_cleanup(&ssl3_ctx->md_ctx);
-  OPENSSL_cleanse(&ssl3_ctx->enc_key, sizeof(ssl3_ctx->enc_key));
-  OPENSSL_cleanse(&ssl3_ctx->iv, sizeof(ssl3_ctx->iv));
   OPENSSL_free(ssl3_ctx);
   ctx->aead_state = NULL;
 }
 
 static int aead_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,
-                          size_t tag_len, const EVP_CIPHER *cipher,
-                          const EVP_MD *md) {
+                          size_t tag_len, enum evp_aead_direction_t dir,
+                          const EVP_CIPHER *cipher, const EVP_MD *md) {
   if (tag_len != EVP_AEAD_DEFAULT_TAG_LENGTH &&
       tag_len != EVP_MD_size(md)) {
     OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_init, CIPHER_R_UNSUPPORTED_TAG_SIZE);
@@ -109,11 +96,7 @@ static int aead_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,
 
   size_t mac_key_len = EVP_MD_size(md);
   size_t enc_key_len = EVP_CIPHER_key_length(cipher);
-  size_t iv_len = EVP_CIPHER_iv_length(cipher);
-  assert(mac_key_len + enc_key_len + iv_len == key_len);
-  assert(mac_key_len < 256);
-  assert(enc_key_len < 256);
-  assert(iv_len < 256);
+  assert(mac_key_len + enc_key_len + EVP_CIPHER_iv_length(cipher) == key_len);
   /* Although EVP_rc4() is a variable-length cipher, the default key size is
    * correct for SSL3. */
 
@@ -124,17 +107,15 @@ static int aead_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,
   }
   EVP_CIPHER_CTX_init(&ssl3_ctx->cipher_ctx);
   EVP_MD_CTX_init(&ssl3_ctx->md_ctx);
-  memcpy(ssl3_ctx->enc_key, &key[mac_key_len], enc_key_len);
-  ssl3_ctx->enc_key_len = (uint8_t)enc_key_len;
-  memcpy(ssl3_ctx->iv, &key[mac_key_len + enc_key_len], iv_len);
-  ssl3_ctx->iv_len = (uint8_t)iv_len;
-  ssl3_ctx->initialized = 0;
 
   ctx->aead_state = ssl3_ctx;
-  if (!EVP_CipherInit_ex(&ssl3_ctx->cipher_ctx, cipher, NULL, NULL, NULL, 0) ||
+  if (!EVP_CipherInit_ex(&ssl3_ctx->cipher_ctx, cipher, NULL, &key[mac_key_len],
+                         &key[mac_key_len + enc_key_len],
+                         dir == evp_aead_seal) ||
       !EVP_DigestInit_ex(&ssl3_ctx->md_ctx, md, NULL) ||
       !EVP_DigestUpdate(&ssl3_ctx->md_ctx, key, mac_key_len)) {
     aead_ssl3_cleanup(ctx);
+    ctx->aead_state = NULL;
     return 0;
   }
   EVP_CIPHER_CTX_set_padding(&ssl3_ctx->cipher_ctx, 0);
@@ -142,31 +123,6 @@ static int aead_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,
   return 1;
 }
 
-/* aead_ssl3_ensure_cipher_init initializes |ssl3_ctx| for encryption (or
- * decryption, if |encrypt| is zero). If it has already been initialized, it
- * ensures the direction matches and fails otherwise. It returns one on success
- * and zero on failure.
- *
- * Note that, unlike normal AEADs, legacy SSL3 AEADs may not be used concurrently
- * due to this (and bulk-cipher-internal) statefulness. */
-static int aead_ssl3_ensure_cipher_init(AEAD_SSL3_CTX *ssl3_ctx, int encrypt) {
-  if (!ssl3_ctx->initialized) {
-    /* Finish initializing the EVP_CIPHER_CTX now that the direction is
-     * known. */
-    if (!EVP_CipherInit_ex(&ssl3_ctx->cipher_ctx, NULL, NULL, ssl3_ctx->enc_key,
-                           ssl3_ctx->iv, encrypt)) {
-      return 0;
-    }
-    ssl3_ctx->initialized = 1;
-  } else if (ssl3_ctx->cipher_ctx.encrypt != encrypt) {
-    /* Unlike a normal AEAD, using an SSL3 AEAD once freezes the direction. */
-    OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_ensure_cipher_init,
-                      CIPHER_R_INVALID_OPERATION);
-    return 0;
-  }
-  return 1;
-}
-
 static int aead_ssl3_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
                          size_t *out_len, size_t max_out_len,
                          const uint8_t *nonce, size_t nonce_len,
@@ -175,6 +131,12 @@ static int aead_ssl3_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
   AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;
   size_t total = 0;
 
+  if (!ssl3_ctx->cipher_ctx.encrypt) {
+    /* Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction. */
+    OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_seal, CIPHER_R_INVALID_OPERATION);
+    return 0;
+  }
+
   if (in_len + EVP_AEAD_max_overhead(ctx->aead) < in_len ||
       in_len > INT_MAX) {
     /* EVP_CIPHER takes int as input. */
@@ -197,10 +159,6 @@ static int aead_ssl3_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
     return 0;
   }
 
-  if (!aead_ssl3_ensure_cipher_init(ssl3_ctx, 1)) {
-    return 0;
-  }
-
   /* Compute the MAC. This must be first in case the operation is being done
    * in-place. */
   uint8_t mac[EVP_MAX_MD_SIZE];
@@ -257,6 +215,12 @@ static int aead_ssl3_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
                          const uint8_t *ad, size_t ad_len) {
   AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;
 
+  if (ssl3_ctx->cipher_ctx.encrypt) {
+    /* Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction. */
+    OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_INVALID_OPERATION);
+    return 0;
+  }
+
   size_t mac_len = EVP_MD_CTX_size(&ssl3_ctx->md_ctx);
   if (in_len < mac_len) {
     OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_BAD_DECRYPT);
@@ -286,10 +250,6 @@ static int aead_ssl3_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
     return 0;
   }
 
-  if (!aead_ssl3_ensure_cipher_init(ssl3_ctx, 0)) {
-    return 0;
-  }
-
   /* Decrypt to get the plaintext + MAC + padding. */
   size_t total = 0;
   int len;
@@ -337,31 +297,46 @@ static int aead_ssl3_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
   return 1;
 }
 
+static int aead_ssl3_get_rc4_state(const EVP_AEAD_CTX *ctx, const RC4_KEY **out_key) {
+  AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;
+  if (EVP_CIPHER_CTX_cipher(&ssl3_ctx->cipher_ctx) != EVP_rc4()) {
+    return 0;
+  }
+
+  *out_key = (RC4_KEY*) ssl3_ctx->cipher_ctx.cipher_data;
+  return 1;
+}
+
 static int aead_rc4_md5_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
-                                  size_t key_len, size_t tag_len) {
-  return aead_ssl3_init(ctx, key, key_len, tag_len, EVP_rc4(), EVP_md5());
+                                  size_t key_len, size_t tag_len,
+                                  enum evp_aead_direction_t dir) {
+  return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_rc4(), EVP_md5());
 }
 
 static int aead_rc4_sha1_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
-                                  size_t key_len, size_t tag_len) {
-  return aead_ssl3_init(ctx, key, key_len, tag_len, EVP_rc4(), EVP_sha1());
+                                   size_t key_len, size_t tag_len,
+                                   enum evp_aead_direction_t dir) {
+  return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_rc4(), EVP_sha1());
 }
 
 static int aead_aes_128_cbc_sha1_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
-                                          size_t key_len, size_t tag_len) {
-  return aead_ssl3_init(ctx, key, key_len, tag_len, EVP_aes_128_cbc(),
+                                           size_t key_len, size_t tag_len,
+                                           enum evp_aead_direction_t dir) {
+  return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(),
                         EVP_sha1());
 }
 
 static int aead_aes_256_cbc_sha1_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
-                                          size_t key_len, size_t tag_len) {
-  return aead_ssl3_init(ctx, key, key_len, tag_len, EVP_aes_256_cbc(),
+                                           size_t key_len, size_t tag_len,
+                                           enum evp_aead_direction_t dir) {
+  return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),
                         EVP_sha1());
 }
 static int aead_des_ede3_cbc_sha1_ssl3_init(EVP_AEAD_CTX *ctx,
-                                           const uint8_t *key, size_t key_len,
-                                           size_t tag_len) {
-  return aead_ssl3_init(ctx, key, key_len, tag_len, EVP_des_ede3_cbc(),
+                                            const uint8_t *key, size_t key_len,
+                                            size_t tag_len,
+                                            enum evp_aead_direction_t dir) {
+  return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_des_ede3_cbc(),
                         EVP_sha1());
 }
 
@@ -370,10 +345,12 @@ static const EVP_AEAD aead_rc4_md5_ssl3 = {
     0,                      /* nonce len */
     MD5_DIGEST_LENGTH,      /* overhead */
     MD5_DIGEST_LENGTH,      /* max tag length */
+    NULL, /* init */
     aead_rc4_md5_ssl3_init,
     aead_ssl3_cleanup,
     aead_ssl3_seal,
     aead_ssl3_open,
+    aead_ssl3_get_rc4_state,
 };
 
 static const EVP_AEAD aead_rc4_sha1_ssl3 = {
@@ -381,10 +358,12 @@ static const EVP_AEAD aead_rc4_sha1_ssl3 = {
     0,                      /* nonce len */
     SHA_DIGEST_LENGTH,      /* overhead */
     SHA_DIGEST_LENGTH,      /* max tag length */
+    NULL, /* init */
     aead_rc4_sha1_ssl3_init,
     aead_ssl3_cleanup,
     aead_ssl3_seal,
     aead_ssl3_open,
+    aead_ssl3_get_rc4_state,
 };
 
 static const EVP_AEAD aead_aes_128_cbc_sha1_ssl3 = {
@@ -392,10 +371,12 @@ static const EVP_AEAD aead_aes_128_cbc_sha1_ssl3 = {
     0,                           /* nonce len */
     16 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */
     SHA_DIGEST_LENGTH,           /* max tag length */
+    NULL, /* init */
     aead_aes_128_cbc_sha1_ssl3_init,
     aead_ssl3_cleanup,
     aead_ssl3_seal,
     aead_ssl3_open,
+    NULL,                        /* get_rc4_state */
 };
 
 static const EVP_AEAD aead_aes_256_cbc_sha1_ssl3 = {
@@ -403,10 +384,12 @@ static const EVP_AEAD aead_aes_256_cbc_sha1_ssl3 = {
     0,                           /* nonce len */
     16 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */
     SHA_DIGEST_LENGTH,           /* max tag length */
+    NULL, /* init */
     aead_aes_256_cbc_sha1_ssl3_init,
     aead_ssl3_cleanup,
     aead_ssl3_seal,
     aead_ssl3_open,
+    NULL,                        /* get_rc4_state */
 };
 
 static const EVP_AEAD aead_des_ede3_cbc_sha1_ssl3 = {
@@ -414,10 +397,12 @@ static const EVP_AEAD aead_des_ede3_cbc_sha1_ssl3 = {
     0,                          /* nonce len */
     8 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */
     SHA_DIGEST_LENGTH,          /* max tag length */
+    NULL, /* init */
     aead_des_ede3_cbc_sha1_ssl3_init,
     aead_ssl3_cleanup,
     aead_ssl3_seal,
     aead_ssl3_open,
+    NULL,                        /* get_rc4_state */
 };
 
 const EVP_AEAD *EVP_aead_rc4_md5_ssl3(void) { return &aead_rc4_md5_ssl3; }
diff --git a/src/crypto/cipher/e_tls.c b/src/crypto/cipher/e_tls.c
index 8ac1aae..bed02cb 100644
--- a/src/crypto/cipher/e_tls.c
+++ b/src/crypto/cipher/e_tls.c
@@ -22,6 +22,7 @@
 #include <openssl/hmac.h>
 #include <openssl/mem.h>
 #include <openssl/sha.h>
+#include <openssl/type_check.h>
 
 #include "../crypto/internal.h"
 #include "internal.h"
@@ -34,37 +35,26 @@ typedef struct {
    * separately for the constant-time CBC code. */
   uint8_t mac_key[EVP_MAX_MD_SIZE];
   uint8_t mac_key_len;
-  /* enc_key is the portion of the key used for the stream or block
-   * cipher. It is retained separately to allow the EVP_CIPHER_CTX to be
-   * initialized once the direction is known. */
-  uint8_t enc_key[EVP_MAX_KEY_LENGTH];
-  uint8_t enc_key_len;
-  /* iv is the portion of the key used for the fixed IV. It is retained
-   * separately to allow the EVP_CIPHER_CTX to be initialized once the direction
-   * is known. */
-  uint8_t iv[EVP_MAX_IV_LENGTH];
-  uint8_t iv_len;
   /* implicit_iv is one iff this is a pre-TLS-1.1 CBC cipher without an explicit
    * IV. */
   char implicit_iv;
-  char initialized;
 } AEAD_TLS_CTX;
 
+OPENSSL_COMPILE_ASSERT(EVP_MAX_MD_SIZE < 256, mac_key_len_fits_in_uint8_t);
 
 static void aead_tls_cleanup(EVP_AEAD_CTX *ctx) {
   AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)ctx->aead_state;
   EVP_CIPHER_CTX_cleanup(&tls_ctx->cipher_ctx);
   HMAC_CTX_cleanup(&tls_ctx->hmac_ctx);
   OPENSSL_cleanse(&tls_ctx->mac_key, sizeof(tls_ctx->mac_key));
-  OPENSSL_cleanse(&tls_ctx->enc_key, sizeof(tls_ctx->enc_key));
-  OPENSSL_cleanse(&tls_ctx->iv, sizeof(tls_ctx->iv));
   OPENSSL_free(tls_ctx);
   ctx->aead_state = NULL;
 }
 
 static int aead_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,
-                         size_t tag_len, const EVP_CIPHER *cipher,
-                         const EVP_MD *md, char implicit_iv) {
+                         size_t tag_len, enum evp_aead_direction_t dir,
+                         const EVP_CIPHER *cipher, const EVP_MD *md,
+                         char implicit_iv) {
   if (tag_len != EVP_AEAD_DEFAULT_TAG_LENGTH &&
       tag_len != EVP_MD_size(md)) {
     OPENSSL_PUT_ERROR(CIPHER, aead_tls_init, CIPHER_R_UNSUPPORTED_TAG_SIZE);
@@ -78,11 +68,8 @@ static int aead_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,
 
   size_t mac_key_len = EVP_MD_size(md);
   size_t enc_key_len = EVP_CIPHER_key_length(cipher);
-  size_t iv_len = implicit_iv ? EVP_CIPHER_iv_length(cipher) : 0;
-  assert(mac_key_len + enc_key_len + iv_len == key_len);
-  assert(mac_key_len < 256);
-  assert(enc_key_len < 256);
-  assert(iv_len < 256);
+  assert(mac_key_len + enc_key_len +
+         (implicit_iv ? EVP_CIPHER_iv_length(cipher) : 0) == key_len);
   /* Although EVP_rc4() is a variable-length cipher, the default key size is
    * correct for TLS. */
 
@@ -93,19 +80,18 @@ static int aead_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,
   }
   EVP_CIPHER_CTX_init(&tls_ctx->cipher_ctx);
   HMAC_CTX_init(&tls_ctx->hmac_ctx);
+  assert(mac_key_len <= EVP_MAX_MD_SIZE);
   memcpy(tls_ctx->mac_key, key, mac_key_len);
   tls_ctx->mac_key_len = (uint8_t)mac_key_len;
-  memcpy(tls_ctx->enc_key, &key[mac_key_len], enc_key_len);
-  tls_ctx->enc_key_len = (uint8_t)enc_key_len;
-  memcpy(tls_ctx->iv, &key[mac_key_len + enc_key_len], iv_len);
-  tls_ctx->iv_len = (uint8_t)iv_len;
   tls_ctx->implicit_iv = implicit_iv;
-  tls_ctx->initialized = 0;
 
   ctx->aead_state = tls_ctx;
-  if (!EVP_CipherInit_ex(&tls_ctx->cipher_ctx, cipher, NULL, NULL, NULL, 0) ||
+  if (!EVP_CipherInit_ex(&tls_ctx->cipher_ctx, cipher, NULL, &key[mac_key_len],
+                         implicit_iv ? &key[mac_key_len + enc_key_len] : NULL,
+                         dir == evp_aead_seal) ||
       !HMAC_Init_ex(&tls_ctx->hmac_ctx, key, mac_key_len, md, NULL)) {
     aead_tls_cleanup(ctx);
+    ctx->aead_state = NULL;
     return 0;
   }
   EVP_CIPHER_CTX_set_padding(&tls_ctx->cipher_ctx, 0);
@@ -113,32 +99,6 @@ static int aead_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,
   return 1;
 }
 
-/* aead_tls_ensure_cipher_init initializes |tls_ctx| for encryption (or
- * decryption, if |encrypt| is zero). If it has already been initialized, it
- * ensures the direction matches and fails otherwise. It returns one on success
- * and zero on failure.
- *
- * Note that, unlike normal AEADs, legacy TLS AEADs may not be used concurrently
- * due to this (and bulk-cipher-internal) statefulness. */
-static int aead_tls_ensure_cipher_init(AEAD_TLS_CTX *tls_ctx, int encrypt) {
-  if (!tls_ctx->initialized) {
-    /* Finish initializing the EVP_CIPHER_CTX now that the direction is
-     * known. */
-    if (!EVP_CipherInit_ex(&tls_ctx->cipher_ctx, NULL, NULL, tls_ctx->enc_key,
-                           tls_ctx->implicit_iv ? tls_ctx->iv : NULL,
-                           encrypt)) {
-      return 0;
-    }
-    tls_ctx->initialized = 1;
-  } else if (tls_ctx->cipher_ctx.encrypt != encrypt) {
-    /* Unlike a normal AEAD, using a TLS AEAD once freezes the direction. */
-    OPENSSL_PUT_ERROR(CIPHER, aead_tls_ensure_cipher_init,
-                      CIPHER_R_INVALID_OPERATION);
-    return 0;
-  }
-  return 1;
-}
-
 static int aead_tls_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
                          size_t *out_len, size_t max_out_len,
                          const uint8_t *nonce, size_t nonce_len,
@@ -147,6 +107,13 @@ static int aead_tls_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
   AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)ctx->aead_state;
   size_t total = 0;
 
+  if (!tls_ctx->cipher_ctx.encrypt) {
+    /* Unlike a normal AEAD, a TLS AEAD may only be used in one direction. */
+    OPENSSL_PUT_ERROR(CIPHER, aead_tls_seal, CIPHER_R_INVALID_OPERATION);
+    return 0;
+
+  }
+
   if (in_len + EVP_AEAD_max_overhead(ctx->aead) < in_len ||
       in_len > INT_MAX) {
     /* EVP_CIPHER takes int as input. */
@@ -169,10 +136,6 @@ static int aead_tls_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
     return 0;
   }
 
-  if (!aead_tls_ensure_cipher_init(tls_ctx, 1)) {
-    return 0;
-  }
-
   /* To allow for CBC mode which changes cipher length, |ad| doesn't include the
    * length for legacy ciphers. */
   uint8_t ad_extra[2];
@@ -249,6 +212,13 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
                          const uint8_t *ad, size_t ad_len) {
   AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)ctx->aead_state;
 
+  if (tls_ctx->cipher_ctx.encrypt) {
+    /* Unlike a normal AEAD, a TLS AEAD may only be used in one direction. */
+    OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_INVALID_OPERATION);
+    return 0;
+
+  }
+
   if (in_len < HMAC_size(&tls_ctx->hmac_ctx)) {
     OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_BAD_DECRYPT);
     return 0;
@@ -277,10 +247,6 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
     return 0;
   }
 
-  if (!aead_tls_ensure_cipher_init(tls_ctx, 0)) {
-    return 0;
-  }
-
   /* Configure the explicit IV. */
   if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE &&
       !tls_ctx->implicit_iv &&
@@ -394,83 +360,101 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
 }
 
 static int aead_rc4_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
-                                  size_t key_len, size_t tag_len) {
-  return aead_tls_init(ctx, key, key_len, tag_len, EVP_rc4(), EVP_sha1(), 0);
+                                  size_t key_len, size_t tag_len,
+                                  enum evp_aead_direction_t dir) {
+  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_rc4(), EVP_sha1(),
+                       0);
 }
 
 static int aead_aes_128_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
-                                          size_t key_len, size_t tag_len) {
-  return aead_tls_init(ctx, key, key_len, tag_len, EVP_aes_128_cbc(),
+                                          size_t key_len, size_t tag_len,
+                                          enum evp_aead_direction_t dir) {
+  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(),
                        EVP_sha1(), 0);
 }
 
-static int aead_aes_128_cbc_sha1_tls_implicit_iv_init(EVP_AEAD_CTX *ctx,
-                                                      const uint8_t *key,
-                                                      size_t key_len,
-                                                      size_t tag_len) {
-  return aead_tls_init(ctx, key, key_len, tag_len, EVP_aes_128_cbc(),
+static int aead_aes_128_cbc_sha1_tls_implicit_iv_init(
+    EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len,
+    enum evp_aead_direction_t dir) {
+  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(),
                        EVP_sha1(), 1);
 }
 
 static int aead_aes_128_cbc_sha256_tls_init(EVP_AEAD_CTX *ctx,
                                             const uint8_t *key, size_t key_len,
-                                            size_t tag_len) {
-  return aead_tls_init(ctx, key, key_len, tag_len, EVP_aes_128_cbc(),
+                                            size_t tag_len,
+                                            enum evp_aead_direction_t dir) {
+  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(),
                        EVP_sha256(), 0);
 }
 
 static int aead_aes_256_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
-                                          size_t key_len, size_t tag_len) {
-  return aead_tls_init(ctx, key, key_len, tag_len, EVP_aes_256_cbc(),
+                                          size_t key_len, size_t tag_len,
+                                          enum evp_aead_direction_t dir) {
+  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),
                        EVP_sha1(), 0);
 }
 
-static int aead_aes_256_cbc_sha1_tls_implicit_iv_init(EVP_AEAD_CTX *ctx,
-                                                      const uint8_t *key,
-                                                      size_t key_len,
-                                                      size_t tag_len) {
-  return aead_tls_init(ctx, key, key_len, tag_len, EVP_aes_256_cbc(),
+static int aead_aes_256_cbc_sha1_tls_implicit_iv_init(
+    EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len,
+    enum evp_aead_direction_t dir) {
+  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),
                        EVP_sha1(), 1);
 }
 
 static int aead_aes_256_cbc_sha256_tls_init(EVP_AEAD_CTX *ctx,
                                             const uint8_t *key, size_t key_len,
-                                            size_t tag_len) {
-  return aead_tls_init(ctx, key, key_len, tag_len, EVP_aes_256_cbc(),
+                                            size_t tag_len,
+                                            enum evp_aead_direction_t dir) {
+  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),
                        EVP_sha256(), 0);
 }
 
 static int aead_aes_256_cbc_sha384_tls_init(EVP_AEAD_CTX *ctx,
                                             const uint8_t *key, size_t key_len,
-                                            size_t tag_len) {
-  return aead_tls_init(ctx, key, key_len, tag_len, EVP_aes_256_cbc(),
+                                            size_t tag_len,
+                                            enum evp_aead_direction_t dir) {
+  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),
                        EVP_sha384(), 0);
 }
 
 static int aead_des_ede3_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx,
                                            const uint8_t *key, size_t key_len,
-                                           size_t tag_len) {
-  return aead_tls_init(ctx, key, key_len, tag_len, EVP_des_ede3_cbc(),
+                                           size_t tag_len,
+                                           enum evp_aead_direction_t dir) {
+  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_des_ede3_cbc(),
                        EVP_sha1(), 0);
 }
 
-static int aead_des_ede3_cbc_sha1_tls_implicit_iv_init(EVP_AEAD_CTX *ctx,
-                                                       const uint8_t *key,
-                                                       size_t key_len,
-                                                       size_t tag_len) {
-  return aead_tls_init(ctx, key, key_len, tag_len, EVP_des_ede3_cbc(),
+static int aead_des_ede3_cbc_sha1_tls_implicit_iv_init(
+    EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len,
+    enum evp_aead_direction_t dir) {
+  return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_des_ede3_cbc(),
                        EVP_sha1(), 1);
 }
 
+static int aead_rc4_sha1_tls_get_rc4_state(const EVP_AEAD_CTX *ctx,
+                                           const RC4_KEY **out_key) {
+  const AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX*) ctx->aead_state;
+  if (EVP_CIPHER_CTX_cipher(&tls_ctx->cipher_ctx) != EVP_rc4()) {
+    return 0;
+  }
+
+  *out_key = (const RC4_KEY*) tls_ctx->cipher_ctx.cipher_data;
+  return 1;
+}
+
 static const EVP_AEAD aead_rc4_sha1_tls = {
     SHA_DIGEST_LENGTH + 16, /* key len (SHA1 + RC4) */
     0,                      /* nonce len */
     SHA_DIGEST_LENGTH,      /* overhead */
     SHA_DIGEST_LENGTH,      /* max tag length */
+    NULL, /* init */
     aead_rc4_sha1_tls_init,
     aead_tls_cleanup,
     aead_tls_seal,
     aead_tls_open,
+    aead_rc4_sha1_tls_get_rc4_state, /* get_rc4_state */
 };
 
 static const EVP_AEAD aead_aes_128_cbc_sha1_tls = {
@@ -478,10 +462,12 @@ static const EVP_AEAD aead_aes_128_cbc_sha1_tls = {
     16,                     /* nonce len (IV) */
     16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
     SHA_DIGEST_LENGTH,      /* max tag length */
+    NULL, /* init */
     aead_aes_128_cbc_sha1_tls_init,
     aead_tls_cleanup,
     aead_tls_seal,
     aead_tls_open,
+    NULL,                   /* get_rc4_state */
 };
 
 static const EVP_AEAD aead_aes_128_cbc_sha1_tls_implicit_iv = {
@@ -489,10 +475,12 @@ static const EVP_AEAD aead_aes_128_cbc_sha1_tls_implicit_iv = {
     0,                           /* nonce len */
     16 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */
     SHA_DIGEST_LENGTH,           /* max tag length */
+    NULL, /* init */
     aead_aes_128_cbc_sha1_tls_implicit_iv_init,
     aead_tls_cleanup,
     aead_tls_seal,
     aead_tls_open,
+    NULL,                        /* get_rc4_state */
 };
 
 static const EVP_AEAD aead_aes_128_cbc_sha256_tls = {
@@ -500,10 +488,12 @@ static const EVP_AEAD aead_aes_128_cbc_sha256_tls = {
     16,                        /* nonce len (IV) */
     16 + SHA256_DIGEST_LENGTH, /* overhead (padding + SHA256) */
     SHA_DIGEST_LENGTH,         /* max tag length */
+    NULL, /* init */
     aead_aes_128_cbc_sha256_tls_init,
     aead_tls_cleanup,
     aead_tls_seal,
     aead_tls_open,
+    NULL,                      /* get_rc4_state */
 };
 
 static const EVP_AEAD aead_aes_256_cbc_sha1_tls = {
@@ -511,10 +501,12 @@ static const EVP_AEAD aead_aes_256_cbc_sha1_tls = {
     16,                     /* nonce len (IV) */
     16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
     SHA_DIGEST_LENGTH,      /* max tag length */
+    NULL, /* init */
     aead_aes_256_cbc_sha1_tls_init,
     aead_tls_cleanup,
     aead_tls_seal,
     aead_tls_open,
+    NULL,                   /* get_rc4_state */
 };
 
 static const EVP_AEAD aead_aes_256_cbc_sha1_tls_implicit_iv = {
@@ -522,10 +514,12 @@ static const EVP_AEAD aead_aes_256_cbc_sha1_tls_implicit_iv = {
     0,                           /* nonce len */
     16 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */
     SHA_DIGEST_LENGTH,           /* max tag length */
+    NULL, /* init */
     aead_aes_256_cbc_sha1_tls_implicit_iv_init,
     aead_tls_cleanup,
     aead_tls_seal,
     aead_tls_open,
+    NULL,                        /* get_rc4_state */
 };
 
 static const EVP_AEAD aead_aes_256_cbc_sha256_tls = {
@@ -533,10 +527,12 @@ static const EVP_AEAD aead_aes_256_cbc_sha256_tls = {
     16,                        /* nonce len (IV) */
     16 + SHA256_DIGEST_LENGTH, /* overhead (padding + SHA256) */
     SHA_DIGEST_LENGTH,         /* max tag length */
+    NULL, /* init */
     aead_aes_256_cbc_sha256_tls_init,
     aead_tls_cleanup,
     aead_tls_seal,
     aead_tls_open,
+    NULL,                      /* get_rc4_state */
 };
 
 static const EVP_AEAD aead_aes_256_cbc_sha384_tls = {
@@ -544,10 +540,12 @@ static const EVP_AEAD aead_aes_256_cbc_sha384_tls = {
     16,                        /* nonce len (IV) */
     16 + SHA384_DIGEST_LENGTH, /* overhead (padding + SHA384) */
     SHA_DIGEST_LENGTH,         /* max tag length */
+    NULL, /* init */
     aead_aes_256_cbc_sha384_tls_init,
     aead_tls_cleanup,
     aead_tls_seal,
     aead_tls_open,
+    NULL,                      /* get_rc4_state */
 };
 
 static const EVP_AEAD aead_des_ede3_cbc_sha1_tls = {
@@ -555,10 +553,12 @@ static const EVP_AEAD aead_des_ede3_cbc_sha1_tls = {
     8,                      /* nonce len (IV) */
     8 + SHA_DIGEST_LENGTH,  /* overhead (padding + SHA1) */
     SHA_DIGEST_LENGTH,      /* max tag length */
+    NULL, /* init */
     aead_des_ede3_cbc_sha1_tls_init,
     aead_tls_cleanup,
     aead_tls_seal,
     aead_tls_open,
+    NULL,                   /* get_rc4_state */
 };
 
 static const EVP_AEAD aead_des_ede3_cbc_sha1_tls_implicit_iv = {
@@ -566,10 +566,12 @@ static const EVP_AEAD aead_des_ede3_cbc_sha1_tls_implicit_iv = {
     0,                          /* nonce len */
     8 + SHA_DIGEST_LENGTH,      /* overhead (padding + SHA1) */
     SHA_DIGEST_LENGTH,          /* max tag length */
+    NULL, /* init */
     aead_des_ede3_cbc_sha1_tls_implicit_iv_init,
     aead_tls_cleanup,
     aead_tls_seal,
     aead_tls_open,
+    NULL,                       /* get_rc4_state */
 };
 
 const EVP_AEAD *EVP_aead_rc4_sha1_tls(void) { return &aead_rc4_sha1_tls; }
diff --git a/src/crypto/cipher/internal.h b/src/crypto/cipher/internal.h
index bc1e2de..605b8cb 100644
--- a/src/crypto/cipher/internal.h
+++ b/src/crypto/cipher/internal.h
@@ -59,7 +59,7 @@
 
 #include <openssl/base.h>
 
-#include <openssl/asn1t.h>
+#include <openssl/aead.h>
 
 #if defined(__cplusplus)
 extern "C" {
@@ -79,8 +79,13 @@ struct evp_aead_st {
   uint8_t overhead;
   uint8_t max_tag_len;
 
+  /* init initialises an |evp_aead_ctx_st|. If this call returns zero then
+   * |cleanup| will not be called for that context. */
   int (*init)(struct evp_aead_ctx_st *, const uint8_t *key,
               size_t key_len, size_t tag_len);
+  int (*init_with_direction)(struct evp_aead_ctx_st *, const uint8_t *key,
+                             size_t key_len, size_t tag_len,
+                             enum evp_aead_direction_t dir);
   void (*cleanup)(struct evp_aead_ctx_st *);
 
   int (*seal)(const struct evp_aead_ctx_st *ctx, uint8_t *out,
@@ -92,6 +97,9 @@ struct evp_aead_st {
               size_t *out_len, size_t max_out_len, const uint8_t *nonce,
               size_t nonce_len, const uint8_t *in, size_t in_len,
               const uint8_t *ad, size_t ad_len);
+
+  int (*get_rc4_state)(const struct evp_aead_ctx_st *ctx,
+                       const RC4_KEY **out_key);
 };
 
 
diff --git a/src/crypto/cipher/test/aes_128_ctr_hmac_sha256.txt b/src/crypto/cipher/test/aes_128_ctr_hmac_sha256.txt
new file mode 100644
index 0000000..d4803a0
--- /dev/null
+++ b/src/crypto/cipher/test/aes_128_ctr_hmac_sha256.txt
@@ -0,0 +1,336 @@
+KEY: 067b841a2540cb467b75f2188f5da4b5aeb7e0e44582a2b668b5b1ff39e21c4e65745470fb1be1aa909c62fabcf0e6ac
+NONCE: 10e0ecb00da5345127407150
+IN: 
+AD: 
+CT: 
+TAG: a82a891565e466957ad5a499d45b579d31acaf582f54d518f8f9c128936dac4c
+
+KEY: c9d9ef2c808c3f8b22f659c12147104b08cec2390a84f0c4b887ca4c247c8c9dd45e72f48b30b67a8545750387232344
+NONCE: 58bddf96158a3a588bf3ec05
+IN: 
+AD: 5d
+CT: 
+TAG: 3580c1601d1c9a5b1595d3dee35b0cd9e1b115d8b0abee557b2c207b8d0df5ee
+
+KEY: f755dc6786e21f39b595389a51d36673e1ffb94ffc066c03873eb31839be6fa319fd31c8bea29f03ff28831861e60b6e
+NONCE: bd6c80797f1f4c563b06fd3b
+IN: 
+AD: 78d88005136e312639572343a2d0daf7483d8235291ee3ac002469456b075243dc03380c387030d546c2b1
+CT: 
+TAG: dede80d810fc449a769c79a5ecd2c0d68e9e0fae567781e623ab2098c88d8a86
+
+KEY: 43a0a28fef8b89b8fb0f76de01d802935ad561e27ca9c9fa629347be676a6af758501b6a652f369045da5fef751b56bb
+NONCE: 0f6472f1e589c16ca5ad45b2
+IN: 
+AD: 78e4eafccfc87631f0314c442ba4c07bca36f996a5b3408f9e445d6009a87ded16b33a4af9537a4619cab70d
+CT: 
+TAG: 11fa62dd8374aabe728ebf7e9aa1c02cf8f2dbc29f9aaf1940313f0b7c3e0301
+
+KEY: acf8e5f1bd64e6289370650b5b3fd773320025c8b229fd335d9461768cd0a17b4bcc946919932efdc9fc84a7f50768bf
+NONCE: 1aecfc90d28bcdcc5a8e3578
+IN: 
+AD: 6daedbdc69133b56f6a8f098f9f70cdb7e129e51115df385a6d86204a53412cd999cf2e69f45e168efed4742b6
+CT: 
+TAG: fbe0511ba0ec5709def9966a9b05facf171cddd81ee2cd56e7afc867af465f31
+
+KEY: 2773c92e6cddc9a5e5dcaf3893080fd2153f009d807df0b175c76615645f2087539e299d8411b27badb749a9845c5e29
+NONCE: 6d04ed129299651aec0465f8
+IN: 
+AD: 44219577e361a7a4681172d120a2d653a53ec74bc487ccde4954835943bca413d55c65dc665310148654d8c1e2e6bc2f06ec344473120ad1f95739b993a57f9ec0b3299cc088f385894fff876fc2ce8ce6b77ca253f177ba615101e84e17ad0e60704cff195dcd50eb48c77de409797e0b1c8c4c5b9215a4a0399954a008267b
+CT: 
+TAG: 6ab61ac4493e58e48d071d994a000f1c1f498d22f83c8d2af56b03c155afc57e
+
+KEY: 23189bf23bc4b734410d1c7ae321c42e144a25347a8029bb925e3d8ac1b92f4eb97227c1dece86ae9dea7d127eb33f9b
+NONCE: 30681944cd5d78f46d36ed8a
+IN: 59
+AD: 
+CT: 92
+TAG: 986aa8438da3cf4a98f478f90d24908c6a4e848f299873e649b256f5499d89d9
+
+KEY: 463d1148325c5f57af670877068a78203571b8b19f40e9f0373156b7448ab315df86c77d7c85ba6e54b9bc329399f687
+NONCE: cc9d015a4b5a888b36b14d05
+IN: 28
+AD: 6a
+CT: 05
+TAG: f66e8dc794b142944fa46d5c04a3e3fe00291668374846d763f2beeffd4ca4a0
+
+KEY: 937eaab44e7c7d2cd5bbb053c12e6255e0aaa42cbe7d83025b7a2887eff8f098d019c80af849b0ed7da54a5ba5b39200
+NONCE: 2b160d24df579836e1572ea2
+IN: 9a
+AD: 35841a33ba3a6ed3d89a1f76d06c61613d09834847e5a41f8616748e30c14335e5baa43d49fceaf85aeb22
+CT: 80
+TAG: 5e5799c147be0329dbcabf7ecdba6ac595ebc2d06b9d757426fbb31e8b39f62a
+
+KEY: 68a746f382fcc11c02af7b352b9d710c137a9f59bc5886dc374ca88cdc01b86fe5678fde16cfa846846539f67a429276
+NONCE: b94346c033ac1a3d709c4f09
+IN: ad
+AD: ad61c9168debf9974e19759088944e888346aff99f3e2e4522549c8ae332a0f41922972fb7c1d5ff24e7ae4b
+CT: 46
+TAG: 62ae92ff64710a9f260da2562e246356e9d749c3584fb9f40d9572307ccbbd31
+
+KEY: 6622579d1d6350fd5dff432b69d172cc51f99bdaff50b0a1c0f4cda8d5904581ba8657ba61c6936407243d7fb64b00da
+NONCE: a880caa7157a13540d2b724f
+IN: 2a
+AD: 95a23eafcff892deecaf093109d30290d819851ad5c91061510e54baa2b039b114c815da20f0e3ba2ba4875bdd
+CT: ce
+TAG: 33f09666f9fd1d92f137d9f3f7092b47b2bd71a7e3139dcd19a803a6b17f2a3a
+
+KEY: 91ce9dd87c7d11d2c4da41863b6851c40fba786a612e0fbf0d1956a71286dfc61fa10bf7d148cecd72b6ceeb82b68d3f
+NONCE: a50dc3d8fd63d3076cc70ff6
+IN: da
+AD: 9ce8e1a777c159ec775abbd67d85e84f3550c3296e848dec18b61bbd713a98a033805bfe6e2f2a011dd7fd754708e524168142aeee579cae19c7eab78fa7c42fa335f0c725baf556160beef9e4afd1050a2c8813be6bd14cc6982116d0229d53e9b4de923abf6ba99bdffe1d5f21748ae74caddb077d9f7488b394436222beca
+CT: 2b
+TAG: 1541cd745bc0259dd72a212474f5c7b8c121dd0289d674e5ba8d56a220d1f1d0
+
+KEY: 1ad577d3b47e3fff8528e336a43a7ffef72f811e05b5c69ccfe777b10f29061e289178e394a1c87ba483c7f98ea5431d
+NONCE: 1fcaa4757a9e48ed2cb3be62
+IN: 46d30dac550103006c292a9ac05d31
+AD: 
+CT: 37616eba30c55595fa0ad5d50f91ca
+TAG: 5c3ac4010f75adf90f81e775b07ab939e7551a9b8e0486ba33766728ed498245
+
+KEY: 6df310dc1847b42c68e50b03d154b73d7f3823354b32759c5369bce1a1b4cd63ccdb911c2dc792acf84b8b8f3fdfb89d
+NONCE: 92e6759a31dd556ff9124d73
+IN: 6daba76658db642209e276ff7c8d46
+AD: 32
+CT: ce1814c03037078b6be3252460af48
+TAG: 46e61913f2a1ff6e77faade9a7cd37a82eff3ebec4276fbddff9266b9c9bd873
+
+KEY: f848c2300995f5c98dcd0db24574d7c61459ca64c084421c6ad156e80e398904417ee745245ddae91be20fb07e66bdb6
+NONCE: 3b177e11063445717f417d14
+IN: bbf225131c821a6a60817cc65bf699
+AD: 4c5ab4fdbe0018344629349feed5d8c3ae0c5b64f2b093576a2aaa1225e7a50eca01a9962c9b4f8fc5c12a
+CT: 1538957e78f3ab0fed77906153d715
+TAG: 2c7760d47407ad7b0d5b85fa4967eaa7b6c0bb6eb16619adde7a191abfdf3da3
+
+KEY: d406cac07630ce2c071732a0ec95f55123486d2677465768dc7db13f90902cf172f92e19f57f5cf7c68cd7bde7ee4b4b
+NONCE: 766aede0120b634a4be6fa12
+IN: 3804d40090a38d4c97a5fff631068c
+AD: 7707b7d0f266284e84c2ecdd5a18832650c3e27d66697616c9e9bb2f8a09a3295de0119582ca3614b9608548
+CT: 91e96462a5dfbe8b7af201158a36dc
+TAG: 56623e5813070a0e2f5184aed83b9863301ca02e3108f7afc478d48305e397f8
+
+KEY: 42bb22a317ed9f9df8119746e9a1257217e5b0144051ca56f39587021d969bc0acc02795f3bd201031e8c05af08ad079
+NONCE: 0a9f6bace71a1ab21f4917df
+IN: 013f7b8c75307158f4f300450e7a78
+AD: cd95a649ae215fe73442a6991e157232cbcabecff6042b87d41557e35b97606d606c3ded54f5d3db7aa2773f67
+CT: e588dbcecbdb7667dccf7fe34f8387
+TAG: b04461748109ed9068c7e9c0446528ef09b01613c3b3aa1ffeed6685ebb550f5
+
+KEY: e1cfcbaba3a04b5108ce2a87099a6aae936ee38acd92b7e6b7df0e3bcb9ad18fc579b5d470ef3e04c23459f509852458
+NONCE: 112dd267174bcd81e6fbd924
+IN: 288a1e44b406aebec7b418674f81e7
+AD: 7809d8011c5a963df14fb8981e874119c60b7a9d897d13a05651759db5835deffdd991fbf98b9aa71c79e48bd701b228ba248b6bed874b02da7fcf28a04c38b81c0ff628846015258af30dbf28ea4f3283f664f888fca545f5fc57dccc4ad1dd476c52fba341182ecf783706c5c458bf0ee5ec83454afba78eb8b5ca17af88ec
+CT: 80f4e1012d76f6180ca00fd32c8fec
+TAG: 6de00bf2fd3c88ab34ca9390f7e559875e43e0f938303816a3a75a35729bc453
+
+KEY: 84172547d8608bd9e788a7bb60df2982963716e45f8e63f0c5033327d85c920c5e3776e314246b1694b739c39abfa29f
+NONCE: a3f1643bb504b7ce9e5b43c2
+IN: 7e76323eb13e64da9b240a57c95c855b
+AD: 
+CT: 966487c18f025d67b42a04c30d3ff4c3
+TAG: 8bb03d893f0ce8ea4a6a47245bc7f20c72acf8caa466edd01365d0f74c929463
+
+KEY: 02dee8f2e63b37fe3cbae9101fed0946e05e5090510bef3324a82e3f27456a45ab1b6cdeddb1fe515ad07aefeee6ccbc
+NONCE: 64723d21365d62926d5c2262
+IN: 4f1f132c50a01ad48882ce88655b33f7
+AD: d8
+CT: b102082e14cd9ecc0895f7a6f08ab522
+TAG: 2c09651c1a51cb8a375746236fe258a36e725936ccedbc4dfafee6c3084a4716
+
+KEY: 5db57cf6301bab815d38879b35c9db72fd40ac576d259ad5074d0828364050554e9fc08335b5f2bf066b09e50fbe6ba4
+NONCE: 36e5340d844de213c312177a
+IN: 41a6e910b14388740ea351eb1df980c9
+AD: 8316a6b9b155b2de5e724f7593ecdcee442eaef7b9ad204eda4744a5e648c2dd84f48ee81397e485953465
+CT: ee21d4d47042415ca27d2ecb11b13d79
+TAG: 5015da5a3339389d39d0fcafb56ef4005b342e69ba47930e84408d33aadf5f2a
+
+KEY: a493dd6de6fd6584599096442dd9345f6f2d8fc2d426c78eee2b992b4071aba4ce463f3ca293c84b2faf3e8644b6ec25
+NONCE: 4f9be6f788ee960adc650d86
+IN: 4de6e244251091cf13762d20685e9085
+AD: d15da312b7522c18384acdbf6348b5e105557f1790a6a203a65acd73397524681666743f3145048775ad84e3
+CT: bb1296457daa39d889c8f986938d6a39
+TAG: b93548cea90c34d03d6f5683ae2cc78814531b803d42cfe57623fd4bdc8f084c
+
+KEY: 8cc59ebe2c7375a70915c48d2978a1f720bc0aa2775ce9189ae7b3d5dda9a81e56cde0e0a29939599409b71f0b65f346
+NONCE: b0ab041f37ea1e594f1eddb3
+IN: cd0aeaf6806cb99e6bc1c8c5d830de8c
+AD: 8f4b5a9609df757826dbe7e51bb6a2c6f45f601263cf668836193513cf008ab6b36a7d5447039f1268821ec37e
+CT: 5d5375b9d9cff6d0c1dbd14221509a0d
+TAG: d8850bbc838e068b817c24d018f8f1e1cb8aac0a68392a700f48099f81b6c37c
+
+KEY: f3e9c507478d3f99dbf3e2421e45929b096ab3f3d4aa4ef9c338c5a1a2425c9936b7df602502d33cbafcf781350da77e
+NONCE: d4872a30c9d1fa9001a25afe
+IN: 25e05ea69a956b12a9be4ef03ae9d30c
+AD: 8b346c20e7c64b805d9c8d325829201753069c60b3f221f31474f55cb20315373ccd7c2a8f215e9efc407ae91b05d8b6d693a3780fdd65d7715cdded86c3d6204055812f3fce897f829d1df9ffaaf48885291701ac1765090c383162dd13d6bac88baa0cb2d748363bbb79843a1594ec6d8778854a63b7c9ffeb6d1fb17e90f1
+CT: 61325c7e0d29e9ad50b9c0fec02d7ef4
+TAG: 4b2d0caece46ce2496445883c03234e900189c22b54390b399d78ee4ebfbb7d4
+
+KEY: 3d9b651e65e9239c9e33aafb091b348161ab797901fd0468aedd014e4d5683c8f3f54f20ea6bb07bb25dd258df7bcd5e
+NONCE: 32bcf856a14437114e7814cc
+IN: 08a667c2923f87a7db6502478d32280bdc
+AD: 
+CT: 5e8e02cc91c732356bb9f1fc599426a379
+TAG: 5449e878d558beff4bc7dfbb5f0195444705cfb259773b4faec524fbaca37ea0
+
+KEY: 2124cedb5f3f2558f8b9a2304a29c0df6102333cb4aa10625aa82cd76ab645c73f3b7cbf7c96cacdcb9e0b738e40c042
+NONCE: 7ae419446a3a105beb2fbcc5
+IN: a305dc4a2e50cc8e7a65a4b10b73849636
+AD: 70
+CT: fcaea620f7e9ed1337214c4b432d9869d2
+TAG: bfc739c8504a4d9033ab1915f46c1bf65c5382fe9ed1c134026ba32c63ca131e
+
+KEY: b027feb1aced8fb3af27a9fd7f531c30991ec1abd9f230a3e5d6ee9fc6a77747013f8e14dcdbd07b0083d0ce23dfa711
+NONCE: a30a6520f933ff5265e6e305
+IN: a705f842d542cb6957fbce21854755c6dc
+AD: 447bdaf34dfab9cc3dd7777ebaf80077f391093bac9817bf02ad98db9d3f271282ecaf0ff19652f92076d1
+CT: 3ddcb07c121b498f1abb73bedb527d4df4
+TAG: 55957a0e884dea22d6ace10e5936cdac891f5b54225349ede5c44715f1064b5e
+
+KEY: ffefb7770a7cf125395703985823f3e926f3722ca0764518fd2b8996577bec03648c8d542af1c6e36b51174b0ba88316
+NONCE: 4c31394b4b24f6251a839891
+IN: f026a1d352c37b204c6c1138abee9a9a75
+AD: 1e7c0f71a3aacd87ea785521ea31f93b1efd0bdf97952e0b84ecd50c706806deffc19caea312b5a9988454d2
+CT: 23c8bae37db93ed9f55f2903e04b7c6a8e
+TAG: 89d0a7e7d921dea5bb54c28e79b612688e42506aa69b141de830c8d63bdefcee
+
+KEY: 453cf5e4f48ce5a961c94af0e1639c156965970f561ac17fe08d5b75975abe3db87412640972e463290800666be80441
+NONCE: b3e3f9708a86c7cdf139e496
+IN: 53f1b11de497cc6ecb411a777dc3d60197
+AD: afe29e074dcce850ac6640230e6b9f66a64587c5fbe8679144e065d3b1700c721833ba8f918e926c9142f5f362
+CT: 15d5f597be46a19566a72c5e843b77f70c
+TAG: a561c3375c096a116a721e9404e555a2deaf3f677a8611694281663274708f58
+
+KEY: 3d497f81d0652d475bcd85cf53bda13f79ef0afeaec09dd679a6e5ea58f87ba6576269f836096d5ac034594b17073331
+NONCE: 3fb1664830821e2b524890c8
+IN: bd75c313f5c8f6007a2185bc39d0af01bb
+AD: 50744ed959e2b8ba5b5f4807e2997ea0b96ebfcdeaa1c6b33853219844592e82ad67abf6ccbb272cfdba6a3e45c07fec4d4a0ebe4235f11d916771a764d9a129d39f6b84f0b5fb4cdf789ca2f5ea306b25d047a9b1a1e2e90905b6fba472e70b2fa25c96602cfa0031f31c68954d7487507081b8e70f8aa1342cb8b4a98ce9c2
+CT: abe3869ac43fd8b429ee8b8539c970bc86
+TAG: 33fcd301c2bf624bccb92a986c2dd5f2ecafc32649ff550eb5312fc81cbce46e
+
+KEY: 353c3e9f87b40fc0281869c68d9d9bee5c95771dd79998c059bc5ceda71f139fe447cfdf340e9eac57f232b9d230e45d
+NONCE: cc7a4b46b02f4e7f96fd34e3
+IN: 44bcb61332930f606276268ddbf3287bcaedb5b25704489cbee63ec839d7a69533dbfb6e95fe5b4694eb485beb1437f0777774868ecf45c8a5b3edafa1d62a
+AD: 
+CT: d038d67b8b690519fafa7467c9fb94135f9bf0bcd8247cd2c30da62ddf37a6d9a3a9bdcf8ec081fb4469c0fc2798e2e30afede7cda384438fd01e5d672dcb8
+TAG: db2c685a59cdf304c1fb57b66966a5ca1cc3536fe21eb1113c25868428640c7d
+
+KEY: 3b3786e38e110ec0c8b05fbdb3d9b6d117d1ebcdc0e7d942249fea6baafa31fe5caac227979fc833b104641e8e9ed01e
+NONCE: 53bf31912a3ededc01c91f84
+IN: 6de5890028382aafb186042864c5cca1a77ff80ba4f7f0942dcffa1579711093fb652c8d475dfca81a976be8ca77eb9c7a6b49dca1425610c945bf404ba65b
+AD: a9
+CT: 886939354fa117139f5e077baa186825ee7e2955c3a74f88af3a86b260ee9f9959a90409e7d602e36cea31e606aeaa8b9229e28f7fa58ace6fd217e5cce1e7
+TAG: 91a769003ec900dbb40ea9c9b959882d822421b510ba85ca826bc4af3b5c42e0
+
+KEY: 5a75c97f3583983bbc5eee4a882b766a6708d798a46f71e63b7509af69afd7cf86f9b42df04b626940914007078a8b9b
+NONCE: 426e8bcbcffb6b425706dae0
+IN: c24fa29a66197cad518c5a1a76abd9446a8f24c2dd81e953bfc5c00544c119d67986781a1c754224af234b0ec5e44e78610a4420eb78c283e9a56637c35c24
+AD: 6376835513967e4ccaff9a0c56b4d27a2bd0d013cd54abf95fe9a162d036af285ebc9567a16ed5abfa69aa
+CT: bc4daeef3ccdf9abdaa75591781685eee3fd7825bfe63132817a7e0f93817f22bfca30ed775a773f5bb290aac3a381a01085e861cab7b9fe4c5143138e17a5
+TAG: 79c779bfcb974ad9a8ac88dce5027df5691a3a1163a5d5893b4cdb1663b17aa1
+
+KEY: d1b301c029fe3b81e4b97e08e84dbc03b138f422161c0e74ccbda3172c034b99610f09a9e611f0e9a3ca40af4fcb3c56
+NONCE: 4032c79eb3ee4b63e44fa932
+IN: 71bcf5a5198787b85a66221c22e7bdb9d038dd3e10000555ec9271e54bfefc460ef4e71729ff7ae52859015b49f45df89ddf183fe1e19de3acb032dbaa4d57
+AD: f1cd18ff1e5ad2b65de41e083b5175966625ebebb3031e1027761e407dae4e8e193ffe7dea52ff61147f1b4e
+CT: 7c521a703b7d1cbd086bdc316d4f2ff0852c462eeaa1d7a586c561354be9ed412d9d9bd1f78cc85468750f1af09b7b17dc1ee84c926760d63504cd3a1dfa3a
+TAG: 831f3552890d997f0a8f2d832b6e92e26f6e865424699f0364a82d86ab7734d0
+
+KEY: fdd24bf37b36666a4f641115581ab4bd6b896dd3017006031b3675beed33f21a314363e3a07bbbf4359d9ac02eec847f
+NONCE: 7767cff1a096a9f7d8a9b32c
+IN: e62b7695dd41baf49d1b356e64c6d5504784380b75724b86f5f3185d1a530664aea0e5f9aeef347e1ea4754acaa7f3c233638db234c0e93db02e0bf988e7ab
+AD: 2d650f3daed2564b0df86fa23ed0343634663adfae2c422f80f9d5674bbb63e824f01ad3994834f889133bbc0e
+CT: a51f50a6ce77a22ec472bc18c37d08fb28e77efe55065b600e3edbd9ac97f0fd0eec93cd312ec7ef886cb04e1849526f0a38b14d862bcd578b99bf9a007c2e
+TAG: 89d83264364c9c84ba705e5549abcd496abed3900f65e3daa012275fed18a7da
+
+KEY: 0f88e2d00d2c4bd682f1591ea5f4c1a1090180e1195809cb363b27c863360a85b27814e6a724effa44f298430d6c9628
+NONCE: 6e2e62ecb2aa47c7e5921d25
+IN: 91efc710a57adb57017725cfa26d17d3e2993c5ee66942ca42e770a83763e9df8a455bd408dc1e2661cf301f1dd669cd6d5b4d92a886be0f54527779bae8f9
+AD: d060cbe84271e85f25a3dcb6dbf299551f0dcd5783e3df80468636e491c0100f3ec8316f24240482a88bc430a398b0ecaee5c48a274ffb2d835e200bc39ec0aa86a1c90c9e2dcb4217595d48826a81de90eb949846a33fc26bf8886ca0554e1b8f12cbeee36e65e33cbbf610c2d24264619fa93c44c88e0e3d9d368fdece461b
+CT: 10d99b98ed67d85a44fa57e706a8b028c61ef17f35f6713613d158cad90e826f90ef036a2190ba123f9b68b352ca94fbebf8ea947e569ad45f00e6a36975f8
+TAG: e345bebcc4a8ac01528bc5f317e5c378236b292c2baab6ae8654245da35d90d6
+
+KEY: 1ccec52c77239bdf6ca50e5b702943b23015d08cb1d9bac592b3dec4c96be904110713e52e114a8bc294df26530a758a
+NONCE: 38554b7c40027afe9721e14a
+IN: dac91fcdb3768df8d5ae9ddba1fe5917c084a5d9e6b14eee9a609cab2da34ec9f95cf2d10fff77108477e694c76f362e29b9a9287d8b190a748ed0a929967ff8
+AD: 
+CT: e6bcb38b3bfd0b428a14bb3aca01a4a9e54b0853f10bd7750f5bb58d0e7dd18006f8929d7d862e5d6601ef63be8442334b4d51a99219cfedaa31f7ab19028459
+TAG: c4f05d9415840c2325dabbcd12dbeda31e47637437514c606dedfb8ce622edd0
+
+KEY: c82ad4c6f248bc51d3a51b958ecc2460a3c64d669f6c485c2309d26abb3fa84644a0d8c28da8091f90184b53cd556413
+NONCE: 35a29938fb7a31225b08d0e4
+IN: bb0045cec5587e50b148b140b6969612425243ed1412e812aa9f4b471ed34ced6dfa9e0acf3e31455893e4ee7e66b4661c6e1f80b7d6f1159c11387ce579b80f
+AD: 12
+CT: 5f1854fc2fb11fd721755445a1efa5a28607a725ad71cda9a3464860a6a0efe3f58727c0e0cd315f867611232abd72034dfc2b9deace8cf6cb507b1cd4032b59
+TAG: e40429ca19a88da73a7654d7ed8e0621ac2e504b0245615e262ac70bd05a3f47
+
+KEY: b01bec74fe97e5af7db2a0b1432f8b4c069447d2b56dc2668371387f753b03465412213999d2394a4b79873db06c590a
+NONCE: fec7de97d54dec8d36c9f253
+IN: 88ab078d03ffacd128edbceea7ace2e6465f4076097445a5db7f0e61ed817b6e24f22874489049bee0c58d0aa2b42b4db0bbef6ec88d032da9c82ebef57c424d
+AD: cf0ceb3e80a76d1a75f6e070f5d3fee1cd1e2699434f96e7cb3adce12d4a3148dd433b08c68b9d66962f24
+CT: 8aa3c7478b0cd86fa30870957fb5307345f89346a869d508da9d3a4fe36fb3d6a9b0c3c1bc2d44c8ea31ec028012098d6032085af0b54603dc2fa65ff091fdd6
+TAG: acb670172ec3754064b366566bdccf5056eae132e2041f1a285c5883e7eff4f3
+
+KEY: 699a94f6e6eb457b186af58c25118fcea81c8f0ad265e7c16bd6cdca15c9db64bb9a537580ca0474a4b4d54d47412d88
+NONCE: ac3fb6525f4357d831529407
+IN: a7300aa94f3d357cdb272f0a739979e08aad9551dd3bfcd0b5aca6a0972a71b502639e79e1b9e0d22db2f3220b982800d9cebbac3d10d9bf86ea25d3d417fc57
+AD: 19c3d34bb9d57d0f63f14bdd3da06a43a5afe6a8c505f038cb403515876a2765c2d61aa7e4c84e11c999b81d
+CT: 8b472f1069ace78172611369b03073f751e5206dcd2ce3b45c431095f303e70c59bfad3af8006e66e4a68f8fa2ffa534bd76bdef089d07dd38988cbf723393c6
+TAG: 8e7c3c2c41b1117928ca1cd0cd48c25c319c18e009804c007d1aab0967c0d0d4
+
+KEY: f3a7b8c2a39531d5fb3c97bc9224168aa835973f48243d6f046d00937ed428e5d672e22af26e734f0c24f989fe62621a
+NONCE: 65c61af60769672f0eeda005
+IN: 59667fceb2594e002c844a47d2b3935d2c99570b1639f0887fb082499e1d36f9699ff9ef53be3b4236136aa9e441abdc63dfe536e6fc9fa8f332baa1dad577ad
+AD: f79036742501f1ac19dbb2984e09cf5000bc4bc0424082376c307b8f1e5bf74dd29c802139d7ea93d55d336464
+CT: 9375a81f016c2dc59a8e99dc33fc0db7ef99ab2f9ade4b0ba000a614ff2bd13bfbee2d4a2338109c98c1147edca6023cea43570adc503da98379326ace89d796
+TAG: f563869420699dfa0aa84751526bd75af1473bd88311001e49230b09b8ef2797
+
+KEY: 27611a8f11cb57d08648ec816b5f3c45882dae394200cdfc803d1a52bb03f225206574ea63b63423da6972bf5a994332
+NONCE: a7f617fe7a52dd76ee443dff
+IN: d6ccb950515a4a2de7c3cf5a73b568f32fe30567bb22b3b46feb7ef07205d3215a3d689b96d4b9dbaac5a5bd6ecac6ba50314b19b37179fff2557c869950e162
+AD: 777282a98b2f262ed9456fed3610a2028bcc4433eb8f028597d3bfa220bdb0c04882de03a276d0191cd1a125270ce1630c1b94e2ec0021ce5c494d2e0bdb8745e6e94a387cbb31a0898965174bcff8bba105f94dbf080059b49dee71c3194fefe679ef6c00065154ea809293b088c0c3f2ed7824aac72319a4c4ad85ea990844
+CT: 41eacc31aa3c3a282ae7638d48fc7541d2f129e4cb3455df7e60259be9a814c8e1642ea826ac1ec7ed1fcc216a6624e79845521e7a8b16702566f27f7a7f3317
+TAG: b959992feb7005410f9ea6963525e3d9244f038731ffab8da8c4ebc72489f17a
+
+KEY: 0d9322713cd132c339c38ec7a75862860de304c70486b89b0f587095c66bfd1abe56f0b34f9ca0dac577fd4262616600
+NONCE: 3298d02dd4eb85a98cb935e3
+IN: 5dfedb1d168fe262d35f78d797560b2634f71d40f438c21cdcb8e73cf9884c11570554f55a6abd23d0e7775a9ab385ae6c9bbd67f08d1aec57347a8fad5a4b8c7b042b03c25facbffc76f0b1ce2e6c07d427eaebe71255d661ac8e8bfe8867e2d947d496ce2318a601d0beed02426311ca678d036deb3b4c65b1f89bd644a410
+AD: 
+CT: ff09fe27f12a87d5208bf246378ee0740e848262442b8b9c7670c8a73fe6732192cde43c1a1246743ed49e15ec63c87dc06eb3e0c92c1f286108b2c7e0754dcf1b9c3fc87efe3683289daabf2db71d8742061f93098788c3c6f26328b86e358507a03af296d2c29009562cad3763399e0e2b89ed440f756c16214c8ab7ddfb84
+TAG: 5076c80fc76c67d6e4f9b9d470cc184db62ea7da49cae44cb3ce9e46c2f2ca9e
+
+KEY: 2695671fe86f1658d8b01ec856fb4c9d09a0c51a1b994fc87a3f72bec12052537b7429f11f7eb4aef0b128302ec8f336
+NONCE: 9739e577595418c47b9c10b7
+IN: c723c39be334a0761db795076e81e3dd85e37a57258c7e0e10fe0f48dc31bd5e683430aa70531b7c8e3a904e49bec838e760d07afa9f86b2cf78ae90f612c4560632acb7ea2d89fb1fd5396d0337111c429cdba99c6a52e863e8603aac24a83302ebf86ae69a212cb938e12085cbf73a28f75e4422995a5ec8705b12d4aa8b6d
+AD: 31
+CT: 1569b20732ee6395e605217e1cb419ce57496ba6f6e889bdfa3c93575e969eb7a0410c7930b7ea146e88577376d84f0e824b62890eb84bfe768a1513a12c2958ad1835bc1eabe602cf40f7812c7dd7da955567242cd7512090fca685fdd7306bd98a908b09464961114abbdcd610c153637400a1f81825cfdf06505947fe54ee
+TAG: d07e14a62a32ef1933abc2127cc5bfc1e43bbca663e460409c6faa3a4ccf99f3
+
+KEY: 1785ef6e7016733dd1952b3268639f231e7afa973c0a3db8780b81084c67a1783200149a1ed849ca8b5c14c7b1798b4b
+NONCE: cdf48b73c3c8d8625e52fe11
+IN: 14002f17e056d7f5524537cee6c2061e2741c01a6f9a82e2cb1747887875860d51bebf8d9b63950a051f6b228ad7567227f8a45b9fa7c4ab47eab410125303defa7e3141bd9bc5bf4ed56550801ff3bfc2dfaaf499c192b1e18879b2f59e1230778132818df8f6ad8a3dce9a1d11c98075b8b4e560edd9b5ea180f0424ab3706
+AD: a35e86e22e9a3df65e4c08e5175b4216fa9895a1be6252de911cf98349841494617eefaa007759dad7f337
+CT: 99eae989435578cb57715a7457da31b807b8078a59c2332a0a866eee9da5188baed3f517b6808095f0067e9b4b91cc1424a464f0a09fc946adbe4135a17b0e8e545d2046f81cdfdb233aa3520797319c0884ccbade8235c32d195e7b802017f88ddd86fb630de19eb97f4bf91029c001fc8f1cd2189a8ee6c120e9f1682a8703
+TAG: 1848f0b163e7b0d270e2a0ced288ea6525697170aae15038f3dcbb4ea49ef843
+
+KEY: ba9aed2bfa90eaed9b27a697bb44c715c0209cae6b2c4ddffc684bcf07ab51b0e096dbcfa26c18fc24b63408317da567
+NONCE: 4b850d6bfa64520f1aa1e79e
+IN: 5bcc2ea4d729c84340c5ceb827f239578971c595e915f0bd9d49ed51d723f8d0e8362e69fd11466230bda0dad57ad724307edcc621ebde1e57fa91fee206d81d2bb6ead94b4a804f74b6cae979f66bdfa4ad93d107ccf114c59cd3d261aa6e2fc0dfbd0df5f7c18e80d0699cc1712abbefab5029e35549d2919d0f937d444051
+AD: f80c759062e9ed0ee597406aedbcda9a14261d66a9546f1c939d20cb1d0d0974fe7a9b33d8c93287a6a8d60a
+CT: dae4fc873d302c51e55910e67482bb80ac68e9bc6ef77cb3e57a31d85fe75f9071d0b64026ba16d0b68fa9c0b7e958cf7682bcd329c4174ea0e3f3f9d2e65d82aae1350a53ea7cdcf9ab848b85cd731751f0e2917628e5066f5b1ddebc7dbda5d2d37e46a7a7ee62bb49c4431af730f9cd3da4c1d0e5f8593d8c99803f781bee
+TAG: 58b42e9117fc8cc2ba5cff74b0d92e8b381a444fa837018b15e9514fc4319fb4
+
+KEY: 37235623acb0d650f905f106dc3bfe6fd83192e53056de8795ed8d20c6e58e5efd84584007ecb17de9e76b392e12fcd7
+NONCE: dc441f1c743a92c4b975c6b6
+IN: 960ceb8d80774bd88b7c5f17042ad2e4baac71b4021c548458cffcd9a049291cb0df93076c115b54f9af878745acebc6e8f04666d053b1ed980728043c4fe7f67b2bcb0341d8a4973ed126342f9add14279f8402cbbffcecfc847379dca8a68ba4f2f26141acfca7f3ef558dbaf04629f0f46e43246b19d875be452f14e7bf56
+AD: 32579218062560f15ff966932838460f99099782e79f1f8c41cd9f6eb59b4c2c3d2dae9cd199fe66d74c7a9940
+CT: 49ad8e24a31e90ab1f8dc37dc51dff0f93f1420e79eb108f90f800274a5aa573f64e274cd52f1dbfdee363e4f86e1457bfb8f87ce57aefd34c3a5a3a93db4ebde3f73a3b4c202c993903ab378ae71042ad238e94f400c7ac1891a9890b19d445eb1db60773a3ea165f7c4b2bb2071faaf588daebac7ce09ebfc88f4d9232d9ca
+TAG: 82f908b837a5768598982f860ecea16aee84427371c4de1f1314749b70ffc173
+
+KEY: e7fc36c9fe87a38f9bb4ca67723267e80e16bf39740eb1090234a473d68aed9c96fe2f96e539795eb042276aec5d7505
+NONCE: 83d768746d40dcd695e49ff4
+IN: e61f0e02a70249b62ec9a8fdbaf6622c9c6316599daff421f1b19815707b67587d196b7e1452c7d7609f108ea946675ac5d97ed215b92a451aa6a11717ab7819f84848151007f37e2cdc8aa99969c3d5652aeeb65fc21b621865f47f44eb2c528ee1142d11f513761a6bb2d169126503db5b263a410cadd2773ff931a032a885
+AD: 59114e9f21b380ae6068609ac36688e6aa7c2533cbfe07013ad1b6663bfa42e39f20e62b45c0faa256c1d33caa9f59b1e30d8502bb7148d051451b3d0265cb9fd0d82e4f4e0489ac606956762d8e7b70abd7eca413ddb708f119c342b3d0d5df673769d8df281656d909b68b6f6438edd60339fd84ff69918b6036ad12a0a588
+CT: 4f12807736c9ab32a2be2e00c9a0236394a8bcfcec6037e7582af462a73bf10aa73bd90e2bc24b97f7001ccf653574aea294bc7b30b77540f475e0e846ab78ffcfa1fef28058e540fea43d9017d4efa05c837611b2eacf0034f26cb7903eff7874973c6da7843892bfc676170a75f839e297dc7f04c74b40f4bda20a45b2a352
+TAG: 9b05aab44ba4d1451f14e087be626232ed11c4ed04081f0d4d47ab593fc619b1
+
diff --git a/src/crypto/cipher/test/aes_256_ctr_hmac_sha256.txt b/src/crypto/cipher/test/aes_256_ctr_hmac_sha256.txt
new file mode 100644
index 0000000..2a72e1c
--- /dev/null
+++ b/src/crypto/cipher/test/aes_256_ctr_hmac_sha256.txt
@@ -0,0 +1,336 @@
+KEY: a5060fecb0a738d8ff6dd50009a757c6e58db73228534d03f32c26baa1c209f402c3e03a6947c1d9421d63ce43f6df26d30ce783f5ed0d6b88edd389d9f92d8d
+NONCE: b52227e92203630a79ec7f5c
+IN: 
+AD: 
+CT: 
+TAG: e61a28f5df7061b4236834d2034d2b62cb63c660b7de696c26b345e66b34d222
+
+KEY: d676047046bd5be9263ae39caaa0f688abb1bc67c083658894da6aeeff80b6d58ffc7ca1a1c88f49e629bf5544b2cc7669367202b158fce83fc4a4826dd90a7c
+NONCE: eabef87a00fd99ebb6ed6d25
+IN: 
+AD: 83
+CT: 
+TAG: 473cf728899cd5fdd54f18d6f934c3901f7ca118fc5ab2cbb837feefa7852a67
+
+KEY: 5eaef3b8e068fbb652bd37df4dfad6490095642cd49761a35476dffc2b5b5f75236d0351d96a9028660788893323a777ea8a2ac88bb5e500b334af02b1c2a648
+NONCE: 34d049342b9db5ffa039eac0
+IN: 
+AD: 7578949699d44dec9188a7f7e14b0a23637cddb9107dbb1f8e2a968aad0443356d7eeceff4316ba7b2e8fe
+CT: 
+TAG: 4d2612c21357638bada9290d2a272f10fb5f070337bf87bae396a1e7253633ae
+
+KEY: eb7b3d7eeb5f26010915a36837dc83da2bad07eba714566584bf1ce62fa9b61210b0ead7182bc28c8f0427699bf04786583fa32f3c3a8a6582cdc254930043bc
+NONCE: 3bee5ebcdfc72f4ab0023211
+IN: 
+AD: efecb57e79a326c6b2ce0ae74d7656992a005fbb8da5a55b9595fc5348a5489ee2e69541ec0e8a727a560625
+CT: 
+TAG: f457db1e274adabe5fc898fb1eb7c4a5a8e9a2b66f964d0958aa058c1f9e15ba
+
+KEY: 1c1abffa8a2667a8c1ab347860528162d316d58e3966050dc140fd360e6ff7c557520a8982aae97c5db5495d8951eaa485e1cac4cd8f448a13d071d759885474
+NONCE: 4fdce4e59bfdf5d9b57c78e9
+IN: 
+AD: 55125cefc919379b3b4b2a24ee1794f44ac66fd99b8b68f98d4abd45ba50a5b76e5375d08abe3b8b8d3c576bc8
+CT: 
+TAG: c021d2c73737e54ac6e7f61f9bb44818e5bdbf8d81d43842fd25a535790fafba
+
+KEY: 366cf53bc185473acf62610b74231e53aace84e9c5d6fbf71fc24db4f42956065d3eec01ecc72a6c89266565ff530075f4532c860e3192e866b41aee98c5c42a
+NONCE: 9ff54bd7b10f4fdfd8db76c7
+IN: 
+AD: 853ef59ae873bf0bfe1465e9dd8c2cddfcf123d213ba4f599d984e4ea69d3c85a23508ec7941ca740a9157ca2a788e9b519291240b307d6c5a8c6860a96b4be698659d19e31ab0ac7ae6ba31dcd609c1db67ad580fe4422e42d368c3e93a56f2a087b0d587188462310c2ebe58ecfcf7178412223808eeb2eda76446168730fe
+CT: 
+TAG: 12d869dc4bd4ac4ce9ed643cccda9e11a1ade65c76f7c1535fa4ec2bcc5eb4c3
+
+KEY: 147b41369bed390f0a9561586fd975474e3b3bbf7f7ebb7a35e5cc43b516c044dce93e154ac790a109709ac5299bb17b709a913d33fd57ebfef2b48ed66393b3
+NONCE: 85b81732d2863b41d2551763
+IN: 73
+AD: 
+CT: bc
+TAG: 47fd81f6eed8d3c66afe06d788ffe40717847785f4b4c617d75a11171690a60c
+
+KEY: 9bf35c1194659c1da634eab6707c55b853c8f61d087187162e926adbae02f8bd4d15bae5b05865d0e2236d64715fc39f32e4e3679a0309396c37eab13d1c637b
+NONCE: 8da14a98ee741a5fce0de732
+IN: 10
+AD: 8e
+CT: 17
+TAG: b76af41002a946af4947f98f42a873b7da0871f482990a70bda8f005274ca179
+
+KEY: 0befac10caec674c9f23676d121f065dbcc8c91852dd5eb4e80c41076995a2138077592fec665954d21fd6787234d32d3d54bf9c220cf2bf018b374bde29926e
+NONCE: a96bfb49f3a136840a0e32ff
+IN: 59
+AD: 236adab55e1bb8a8db384c01bb2afd30ff35da71f955fb217b8305a45ee075e7f8d863d4c0e5dbe36e297c
+CT: ac
+TAG: 7bb634357e0835b02a0642352a834ff6598c2ded1af8e8ab60b9ef0641fe863d
+
+KEY: acc672aecf6f10119ee77070abbc2b4fade7e910efd1f93a5716161f88606469a49df05b40332b390d3ac289abfdf6bf7c37c033b1671082922d939139de0d42
+NONCE: af0f57b55f1a73794b3ce5cc
+IN: ee
+AD: f385a50ef027e532635878a4df0deb23369774be47c42f17cbd44925b668f628338ea5f8256c5ad8219c13cf
+CT: 71
+TAG: 13a5296075ef23216c2f2e83b940d24e8e1e6a01967af96599360f11499ac0a6
+
+KEY: 6195ef5ce3ee01188c48b04ce7a28b3ddd04b78711a6d1233121fc8ec3db3a7a0e496d1b6a416675b1e666b9a3df167efb8ade29e4f22fc77111f32ba8bd1ec2
+NONCE: 092070b2f8b65fcfe646f6bc
+IN: 26
+AD: 98526dba4437d88f657c0b7ce2a2be44ef4951711a40747a7d14b195e4c0eae97247256bba7dbd93d6a8f738c1
+CT: 83
+TAG: b6aad3f91a26a38245031d6a7eb97be0d386939d4536b2a27c90a2ddb891de73
+
+KEY: 40335487f9958dfc00b76ff06dfec162ae5c6be4e26918bd12e3f21760cb0bd364521a11f5bfae11dee989627525ab5295ee404bce476c280d13d238dea1bd40
+NONCE: ecf77c7c827a34efd8cdf79d
+IN: 34
+AD: f6e661254bf235c7d5b8ee330cb754087480dec5fe4c31dee65d1ab4479642101404bb563522937fb2e41d3aa8a4d269a222e6e0bcfd07ec4b29c1185f99fff7cb5bd2ca8c5b38742270e586c8db19138b446833f2ee07a11dae5b6a1a4c28657f3380e84bffe1bafeccad57d9cfea3da7f728119ec5bb18b79e002954f4379c
+CT: 5c
+TAG: f3420d4cecae2c1ad79d977abbe408045bd87525c0da2b93e0af3e6c53ba7d74
+
+KEY: bf32ef44c7ca9851f397e70df736d7e0e6243cfd875ebb81d76ad7612dbcfd084cab6b0d67c6a6e8b567c93fd0c3abb78ae121fdb3051a62ccfa045692d3453c
+NONCE: 46e0cc64d6e431c1efc2bd2d
+IN: 959348a8ad6912d7d6c8eae52f19b1
+AD: 
+CT: 55e8cb6fd958f18b3c19451c5c79a7
+TAG: af09194071cb0ed4488d27e79700f938ce77386e5d772f9853b17b719f2b1ebc
+
+KEY: a6b5b8b051edf5cea0353ead88ea887fab048ef32f8303275e93d8f926da0d4b0e34b9447cf44fa70c24c9ab964380065398336bbb20be167fc6cd5e591ef50e
+NONCE: 371363612c4675a2e59ebd39
+IN: 443d16621b0cf9a12552216f9558ca
+AD: 32
+CT: b7f432eeda8e4b8a25f0445f17ca7c
+TAG: 649934922826febab4d59dfb52a7558e6d30d56e273602b98f3c55fd8e24f4da
+
+KEY: 075b75434269a3fcc57922ee8cc55b5bbe1b90516a3b71838ade73d41ed1d1f33ae1e0e86f88f6ed7e091cae3ccb05144b3ef239831554d6e79ff97c4d8f150e
+NONCE: 754d5c4ccbfb291133859de3
+IN: 62a151add825077c59459fbf82b708
+AD: c8db27487de71124a95eb6359270a8363908159200333b46ee74e2709b308878779686bd43c24e9ecabfc3
+CT: 2ffb9a9f65c9fe3daad13768ab56bf
+TAG: 4430a90fed7d4b5b2adf5a60d6854956be4feef497781ac7d864a04259e99516
+
+KEY: e787fdeca1095f2f2760a1c5e0f302e07d6b08de39ce31fe6a0db2f76e4626eb0968768ae04d37082c114573c307699707630b8c7ceef60abe3b7831d2adcd6e
+NONCE: 9dc9bcfe8b4e2ea059e349bb
+IN: 3ad57105144e544f95b82d485f80bb
+AD: 96bce5dcaf4a90f6638a7e30cfd840a1e8dbc60cb70ab9592803f8799f909cafe71a83c2d884e1e289cc61e7
+CT: e504109cdbf57b0e8a87080379e00d
+TAG: 1798a64b5261761ecd88f36eaf7f86ed3db62100aed20dc6e337bc93c459487e
+
+KEY: b43ab650bdd201cf05e0436afe89ac54867383f04c5ed2faea5db8e6784c720d905234f1f5443c550ca14edd8d697fa2d9e288aa58c9a337b30e6d41cfa56545
+NONCE: 4e3dd3efe527902b9de45a5f
+IN: e386663e249b241fb8249cfec33ac2
+AD: 3cf7a396e1bd034ea77a54ffca789f206f94263d90d98bf3e69cb42205fc5c95cfbd0481b0ec490ea447299159
+CT: 94aacf00092723e778d25ba78e9d27
+TAG: bd5fcf90b9532e7abfa858aed90d5170f08edcdd28ff2c673e0ab45b8c0a0f39
+
+KEY: b22a7c5bb38715025cd59cc0feed9ad8e51101200000168052b294fb1ead545a517dee636a7acd22b8283afb33d30adbe02c1c8557715eea7147f3d98a97cbb9
+NONCE: 3b4244c9ad9fedd3f10fdf7a
+IN: da79e1ed131856cec3250fde7bda4b
+AD: 4b77472ade3f06500169405b86a793d63cfa58f57bde0dd706f369b391142c2fa8a3e6345ccf0a9c29b2182f578e22f55c576f155a05be5e81997fbe06410034ecddd871e5ed94b5eeffc6dbd90a8e66449da01f8ef47d28a4a4bd253ffc427f868867c73b5c709b01732bd8035b1a23ff0a903def1eb136fc90d8b3c8279769
+CT: 5d8ad7abc047bfdf9d9cd0b0aaa53e
+TAG: 41d050d518d0e51ce16bc2920aa6c76eb8eabd4ed76373c59618c6354885f47a
+
+KEY: 04b3fd8126d65f851f47b3dea22cd6e32506f21effaa3e29820ac7825e01b51c5a2816f0298154f2d8addefa2fdc34c0635d4d6b80ad23eb320c4d4f2aa1de1c
+NONCE: fae1b1da40471dbdcec64d4e
+IN: 509f116ef7435b0640cf141d5b958aaf
+AD: 
+CT: ecf553eba80e6dd1fae2eab24d772a89
+TAG: 11473566e80cff5d7421f65949c34301f34de378e91ad50928cf2caeadc466d4
+
+KEY: 413d154dadc7d8869e9e0f24b3320019a04b7a37620dd9e7aa40b5c08d70dea03c12ccf7faad7009e972680e81544b647650c6ff033f56e5bcdac9a35bd7f804
+NONCE: 6a4404adae3f4a7bd2bef95c
+IN: 3539fe02b75981fad4f8762772b3c11f
+AD: eb
+CT: 3f8a96905609a4ef1a95fdb87337503d
+TAG: 8ee076fd624d90e1f6336a92165e80408ca6f0e165b201547d351177c95e8d51
+
+KEY: ddc10df673e720c00f28fdfb69f1b8fba99696f23b6f29704a0114444cc0c8a6c8606e8d37fa95aabfd65b29c655678fcec50966c8758a3fb15332a1854a8eac
+NONCE: 06331613842b4af86c13f8a2
+IN: 55d74bcfc3d1cfc716c6e6b7153c6369
+AD: acc264344ae79959f9dd5130664273ba6f345c3fc7bc33c6c1ce33312bfbd5f181a3c7a24f15e7acf72ccf
+CT: 20650d9e846eb42854692d438b21d5e8
+TAG: 973857523e7ff600cf9bcfcc98403b34ab38d939a6d76716beac42678ca5f5bd
+
+KEY: be0c884db54cf761fc24ff3dd572362910dedacece5e1d93a916df277f923f78e7dcd908e60beb0043503c5b4877a9d962a7de37cacc7387a7553949b52894ec
+NONCE: 3f027a93e2716668c7634195
+IN: 1ba8f3a87ac6738167aac1491b602ddd
+AD: d06dd1b9360a68afa3de5d239b6d91d212c5c555567545a4f133bf5a3b0f26addb9379e1cc1cd690cd427c57
+CT: 3596cc50ae72db932dd83bbc8661641d
+TAG: 44a1834b1587d0f88e34137dcebbca059dfb8f65ddab18f338a8a30152167be0
+
+KEY: 2ee848726730c64332877a4f88ad7fb241a73b71fbee8eeb4d9d6485855ea32b487e03968e1a7b9e8ac8ab7fbd84257efbce0aa207aeefa67302d5847e0d9c05
+NONCE: 526b0a79b6359d133ad51011
+IN: a0c0477e8a9ebfd275b674ed33230d42
+AD: ded2f0f3f28aea28b17aa58d4b906c6a9b3078f97ffe95b7e161b0c3dbf66879bea7603a046da4945c802ac8b3
+CT: b1691c8275f12f7d9af85e71dde9dd5d
+TAG: 65a5742dcbc49295c4805387e0a15f986ae47e51add9389dfabb6468a6e83013
+
+KEY: f4a7c0e29ff510c034778e47bb30a468a92140a707936d381b1554d421af107c578e74c53ea08c7f7d93cf67612061359ae458408a9c79250f776ca4192016c0
+NONCE: 025bc10dc99346c4d0766a7d
+IN: d449a2e812429beb5c466d344f5b5eec
+AD: 304dbf9a59bfd33b777d8dec9dddce4c365e72aed851210eb964c1da18119bd13248266a67408e88ac2eadfc54def0fb57f23743d376b11293377565d253d2bffe0309f2946cb78d4e9536dde4691fe1eef9ce2dc916a773d06b42fe2b014e7974d4aeffce25a0902c9b44265e5d6d26809b5f24875e80cc13f1f8872b04a237
+CT: f366e7b66683f52586e1c363c15b7fb1
+TAG: e0e1bb733471f150ddce1b83f3fc2d88589d286ca052574b7f0735bb598362d2
+
+KEY: eb78ea626b219e12937057155884547cb7578718f569dc8f2b370c0fea80e7f0d0f5cb590f0b7341d20c775bcd6a3c818e23b6cea949cf99eb94a23a81cd2249
+NONCE: 75a10f16d429b809cf12b9ef
+IN: 6b0203316e8108ff01b12df91ba6644382
+AD: 
+CT: 7ee07054f76471115be159259340c24391
+TAG: ab970669d1603767d588a93cf215673ad307244f9179f46fca56e97f64a5fbac
+
+KEY: 3221167926be262b7bd0591f56be6bf030365d45ab84a93a94ea41a5e07735b17245ad43787e8791e7ceaa0472b562ed17e3b609c66c868c9b08304c8bb328b1
+NONCE: a94d8417d2bb0323bcfd354d
+IN: cec81bac7b85c441b6261163d67921eb49
+AD: dd
+CT: ddd8860fa9e2e8087db30c9da1ec9f9487
+TAG: 26a3b9bc4d4cd802cc22e7647a19fc2a5092293c9f5b1c84bdab7245a6d8f4ab
+
+KEY: 4b16e2d62294f76cd2a6c8e0928279d9de40f0b169ef9465738cbfa064c520128ee89cf657da27e4e532d8c4709d992970bfc9daab2f31b3a67e53200d3d6710
+NONCE: e746d498b9031007332447f7
+IN: 16841e3fc1f53990d33f7ba525dab121a0
+AD: a785917bc9f3aaadfd170abe83bb30c0c5d595fc8b491d983131aeab1a7b8d8771f1a963c251976152dd63
+CT: 6bcf5eac15ef74cb8a706856f62eb5e8c7
+TAG: 9dc84b06e8ec8921be4bc7762e8cebb61a95ac5660022520f9438e8f77b45796
+
+KEY: ff2f5944111226df1d9a300533d3e871694fe15a418b2090265cd8c0111b249dfb7ee86bd9228f7ea5d89d8afcf10bf69942ee4c29bfa8409b63c00c2213629e
+NONCE: 477060f0c61555873bbeb225
+IN: f091891c43e2374c2755a88a11b04beb4a
+AD: f1323fd1ac4de9719dc5966dae45dd7b8ddbee3f8da4f4f4d5f25d06bdb8ebf57328dde76d0bdb9bdc5f6b12
+CT: e0d96f6f3ed0493a289d4c3b79238b9ed6
+TAG: 71276c05b52bab0063108dbf4e8ff57cf3e15079055a309d725f14bb86671ce1
+
+KEY: 1ce841bcf2ad8accc458a2d94774c3aa53a99e7dbec587376212101303ca2b42272a23fe28514be190b82e503e7772a3713800f4360fdb767e85ea5e1f7b8eca
+NONCE: a2f8afc5ceb5382882907630
+IN: 620fece1e843d1d0b5c5a541a6f615a81d
+AD: ded910647464d0fbb0a5d93ffb9839de3360c675179c5991ad3470285d79071436025111153628c563ad1b595e
+CT: 34431c3422e009373c50f3ee6c5b3fcc2d
+TAG: 6e4e8a3967307f47e233a36ce05a4826a698fada2ac19543bab7c9ac4f79451b
+
+KEY: 6bafd28a32690851fda667eb2d3c5993f13df52b2e97630527f26c498fd5019f26177a78f27c0c41616d2a4a73757fcaf9cd92a7da8498f90315d41e7479d90a
+NONCE: 75166c506c8e1d10da4da8b9
+IN: 697bea4d6eed5e6ed243cf01cc79bfd3a5
+AD: c0fa663961c3f7e09a8c7bc73e252a232977dd6c9483f02067b34fe695f341d05338ea2002952439ce08295ee5c12f38dafffeb5716908d3f1d4bfbf9eb0e4077bf8e534f19568ed04fca3bbff95da9088cb939f7a20cc97cc0994f9308e184219bf12c8af0d66df436c296ad39832d661b88c98cbb168c751719ac1383c9124
+CT: 8f37885b9602725385fd9a244ab2a156ea
+TAG: 7fa5cedd330887900f4a44d098e04d5eca16cf94e21f897fa54b0fc116b711b6
+
+KEY: 815786c7744d15afe1d6ab452cb6696fead8b88269ba3eb35c458f6248bad77b404acc744ebb74612c4f97deaccb99a7bcc6ad41917d61057c05b30c581dc4a0
+NONCE: 12342e4704f02336ebfc91df
+IN: 7f15e696b49ae5104ced5bebbf58a9d8ddcfaf46ddce9df88fe0d58a2f8546feeb83b975c66e4dafddb7fd9d17e80127e70af06b3b8b13c3390f1f50a227e7
+AD: 
+CT: 22e7c5d54a7b622c47a9edb77cfe7c094e500b0ef9595bc346de736e0088e5934dc07160aea34f24d3ab21440878213d28059551cbfdaa418af40d344674f7
+TAG: 8c271ea5c15aa771c900388267efb2f435f001c2e83f4ec297e77c608de2d579
+
+KEY: 66d87d2b18e46257476456a1f87123424477decf196b88b09acfd3ca74bdebef4c98f1b93803098a141e0acc3ce8eede065417a0c1eda9b4614558d2383762b6
+NONCE: 1ec0ca1d3b09ef186ac4bb1a
+IN: cbb59e14098c2a8ab7e84ace913515c74e056e0fb272c7b88d0dddfb62e395afb695647d97d1071eb09cc1e1776b609fceaf4e30e92640379bb8f0e762ca9c
+AD: ec
+CT: 832804b8003b0ca1b4eff1dc4da6f6a9649e5a582854bb72cd74357476bf38d81ea3bc8ac0463f21fe37683bcbe07360d0ec2d7ab90b588adf669099303ac1
+TAG: 9fecafc768fca71ffe7d640dbb7a052d97d6c8e2fc86001d71feaf284ab609f0
+
+KEY: fbff97085351f4500e73190ac139dd3ac91e268042b5926b57e0394c750b10348b47641d195d5fb5b0846256ab229f102538b81e209db5d93b4d55f30c453d9c
+NONCE: d4868c918de2af7d3e3f57d3
+IN: 4f14aa5a680d66ae15ce0ce4739888f64d827def862572f9a6cd620badbe4ee9d75f4f9bc1f73d409f519a657f53a50d50e68e22f33a8ef5aa08b1212889e5
+AD: c41253e96696a948ce500030af27086842aacb79c04cc02a42b858a65c630065a5292bb9b2e69ea5fe5a7a
+CT: 08596ac0550574e352edc13d7e390d8fd0a57406dd61e1543066b4aa0ea06670f356e26ada0d6c61c1e41de1b4fd7a251c961fae44b23523ce227eec99a338
+TAG: 72f58de3e6697c8419ef518748fe0bb3cb930907c71b6d682c5e61068206d991
+
+KEY: c78c550aba82b571d39ce21d6ecf5e5f7c2a7bf921c6162c64ec1fdff4d0b8c41bfcea0e2486cc86b9ed9e9ceb73c4ec228a2ecbcfa0379174e76475cc21ae31
+NONCE: b5adf4de19980a71cb8ae8e6
+IN: 3d5e43ce95ff9d7f797f27b904c07291a35678fe76a9c57f0c0cba724f38acbb22c6c185db864a2a17b7ef2d67a04810ee5a45fd5a4e28a15a1ae16971451d
+AD: b5eeb9a18d436ada7bd5601944784f50fb0a989397b5c781a2cdf29337315dc7664f3c1cbf17f37fd0cc8b30
+CT: f91f1f20d06ad4480ff233480228994cfa052f9bf3038d06d997d31eb68bffa4960341b93eb5ed2260341e6816519c47bf231db2a41ad8a9719f4de6a33de5
+TAG: 6e5eabda421961e26dc17a7e1f750425235df4eaf9a97934c1e1b4439fc22791
+
+KEY: 17b90dec44546d9dbc489e55a01f2cc64452a9b0e50506a8ad7c81bc6fb21328285cafed901a7204048866ff3bd543003fdcbeb3e9e2f3d580f9062362879633
+NONCE: f0c0cb247d210031f9b233bc
+IN: 75b9b524cbfd1287259da116f536aff56112a406f069aa08f545b5372d45b66d7a5d05e02728c4bc2c779609dfe251386f78c5f48b9dad90b363d324826cd6
+AD: 8a604a9b06ad595ce0b9ad1644a596c7d3cde81490abc80840c764c40d6df08fc71d1e8196eae0802f8c8dfc24
+CT: 23ad62a668f942e613c3b5a7828142048f1f6a67f7f0e0cc8bf3fffb2d1dd967da472d080353dc9c23b900a566f20afb850e4a47688ee507faa6178fef2afd
+TAG: e9e82d3221f964d9e6c09d761afa3f05d1316d39c82618a82dafa23607bb40a3
+
+KEY: d5c09fe24201fcc3ad4c9a9c4b759345f643e930301c3714f62c8dd4974bb15a026b217ac637b4f0e8d6ef40f36be967c50aaea83b2e72df18eeb9576865f1d8
+NONCE: 9cfa0df1fe0910b33ee9849d
+IN: bfeb3d86ce3f4c5ccd0c3945e1da0e75dd057aa5b4e1f070593394f4a0227abedac0b77478e04d498506245b162e909cb711d8b875d33f9c4578e80a0e2113
+AD: b874a8523799554436a1174ab124677dc2ae2042a436c85065c50d5b5e7519623379ffed9a9c2b84b9626214b13c1806b65a432ba79066ff28ed94d17628f5ff84618593954389181e997ebd245d31f520539e250b31c86b99992983820f79e74aeaacb3a95e690e2841aba5a384d0333ebaa5d1fde06b4b8e3e1cabc6639459
+CT: afa649ea47db94936f89612ece681bb175664a97aa6faae5745f49ac9fcbfd4287b73cb58e8d8aa12eccf309182f075098f339db697fc60540481dad0cd82e
+TAG: 9909335130df0326650823de5a4f5b6f45e6941a6a72ceaf80ef32fe67363944
+
+KEY: a13c4654606f532a8df47c367dab1b214166e4f7188c20560831ac30ba5e58d316d29764e4c716ec0126657c926ba2e4541da062447228ae61340a951101b4a0
+NONCE: a2df3417ebb86bbb2f954939
+IN: f1954e59a319547d32e81f846e0c79db41c681166b43eb9c10458948606ced50a44df26fad5654a7c25d3fb52539cf25fcc1c11707c4b5aca7910a76e2374740
+AD: 
+CT: 374726a4691f178a4c0a6f96108ba30c4ca8a30242c14e84380969473879d4a5de580fab4cf6ef6e465560a15028ba78a1a88f9e62322cb698b15ccce6ba83a8
+TAG: 683e5a3e61d9d9c8b170f1d4eaa4f74dcbecb1a4cb1551dc364bbb336d4e4109
+
+KEY: 0c1751677a9b7373e0c2ceab2c8e4dab50af22e2230be3187c21ed46069168d173c28a7474d8f7c3cab39401663405aebdcc474ce136e1fff9cfc520bfe17ca6
+NONCE: 38bc2efcd97998de1528b064
+IN: 8a3c6212240bdcb86da98f0e3ab3e9e78f7f61f0627ea088ab283e739a0bed5c360eeed26cea43ec09b4f3556049a1d7f8ef86abfd1118f9c0e34cc6eea4544a
+AD: 20
+CT: a1a9f7f4750be3d89fc4f25917f8ffa7dd462ce712ddf61792a01b1840bc8e428000372252f1b41055416a961db3be8fbe774f0a0a71a82e79e74927522703a0
+TAG: ae24708df0d5893a902765f6c6c2eebae0c11312936cd415bf4a74bb8498a367
+
+KEY: 154c21eb43d8d556e5f782ddd64d577ac8066fa172c2936fc2b2e875aa437f941819d9ecfaefa2e388fdeea81a0ece8dcb7647f2c68da48884aeb1315b577c09
+NONCE: e14d1bd8681373d41702a762
+IN: a2c880fcda87d9d4681a735a6790d93a1c9c68e55b87d5f7b3146665a6b2051398eb9895e1f5d522841668b9915633aa8cb40048c619baf6d63ca2da486cdeb8
+AD: b0b725cf634349ce1d3ac49d48313a09697efd9996cc5afd06b1d0817181d0374db05825dc2f08207bfb3b
+CT: 1cc0db5980863df7a40c78e323a78be6c6d556d4e3b5f930d8d0f2c6a10c6477e31c000d3f0563b46e1a4aa566a4ef4b433e17e94c43338b51a7a3f862739b6e
+TAG: fe005424112de2a5ca6e68ada40984df1ae5ac666cf5fee19e9a0f203dd69f52
+
+KEY: c34482341724ee431b5272ee2964b245d7657778f7927cad4b5a1bc30a176b1eb88a83ac9faf58215a72855edf94f8e86fade58c5b5907994bb8381c9f21b753
+NONCE: 4934d9afc32fc7e2d8851594
+IN: aa3d32adc47b0b84d1b038ddcaeb007a7d5c96cc06a943eba5da6d0d367625330556e67da099c84086b3f46bb4b72986e076eb426913e415cd20bee34e434bd0
+AD: 076a7bc587b306f3da3ba88e66a55cb8125bbf8aa000dda266e950f381e35ac938ac86f8a15a83022a25f28b
+CT: cf017d87da8927e42c1f10fd3d73cf483bae43f4e110363159a9fbb7cba363930a0364cd42a5de2c70171edc4caf15bfc7238f7087bf1402b32c7bdb1f493393
+TAG: 3961efea656aab1b83082522b801fafdae346f7d4be70db1981283f323e5b5dd
+
+KEY: 363e10d8b3fe349014d6222761bba7af86545dcd1812fe2e5ada564c5008f8ea1850f374208e87362afa135f20f9e79dd0ad32f86448263416086d3afc5d37c0
+NONCE: cc545928edd3b21c0e8bc0f1
+IN: b68e3a54d17dab6eb41b03de2df14e792201d78a9c1cbf341da421da82b026ff471d4305ede5c6baae162a098c73da5cab93f30d6d540b4eaa0ee772448dade8
+AD: e21498edf4e25ada2dd6a382eceaf737623e501db34f5c5bd5c963f45818b146a6e45aa92db2a2069e55d46a4c
+CT: e4920c1fddb5dfed2268781fbb17e9ad2ea88bf2a0f116fbb7b309b25a5b9f989e1abc334999ab175b65f87e874d8ba80792044b458dc27d2b24c989d24385e1
+TAG: f0dcfa064cdf042e0b9a0443d634c38695dd09b99dadc647195fc2ad53dde547
+
+KEY: ae93f58aefa94e4e0622f2e962529fd2efdab840fd0bce62e163ca0fb004ec3b22e246073614203d9b63fe2842ef5903ed08b3e52abf7ea18acbe16fa8f66368
+NONCE: c9ac237c87270f2d88b91b64
+IN: a75f49778a6c03b0f8915f5d09efe99c5f4e9cd928713882e6b9b78bab3541812db41792b893c7e2259debc6c660ce708851912a5b9eaf91416d86b5de114ce1
+AD: a4b198a329e9c5bb6d9f31a6415811eb33c79422b0db130b78d788c38c0b9a5122688cbc50fea811afa20789465f9ee4362336cc3701ece701179af96eb7c86d5a00ed8582f24364393287d5dbc3e83a82b7a585cee5b152b5da40aa45ccd46dc841004778998c7efe9eb43c9762d1c8581eee64e18c5a961bda5aafdd5cfec8
+CT: 453fad9395106a703ccbfe811bf775f1827ea960c71d79242d2ea0e3e31b14baa76eb6d107dfc6e484f4e5146f8cad5b389e4c0fa18260c96a193edbc8091a36
+TAG: b67082c21557b31392a9821fbce4b93706f96856d2581c92e7fb65dd2166624f
+
+KEY: a145adafac46280e1cee8696903c5f3866540f27f17a519637373d95dca4ac5ac0bfd85ca6e1f8df8ae3fcfc9158421581669db52c20a3e19c5d251952f63218
+NONCE: 90bd43611f235ff225b23208
+IN: cbe5f3a5b7a94b8665cac1a4d173a225679e1a3926d8596b5adc0ef4fd00f7d93a432ff141cc04f877be60b6a17fff40ac845a91bcee3b483862f67d9a76ef498ce5e49c361bfc018e401aff47b397e96b2982d4fdcd043ca09905be9634e83dc22a667c955bc992ec96ca1b76f73631767f64fc7151284d5aa81c1aa42eb3aa
+AD: 
+CT: 604f718dbce17dfca1fc5e0f400151cb65bea9d7d8f26d56687a76a23f89201aab01ef928006d15493f5b1501bb99c517cf123acd956ab575e687298488a88d5739c266e67ca6a20a5dbe5f5f27ac778816f04e7b1764cb716477f3aa01482cb6b25fe034ab5d942013164aa124608cacf13d6cc9487446cfba54315fc6bfc42
+TAG: 8e3e1a01945bfd9e1aa4eff1cdd0a6da6d8fdd5446e6d732a673effe8e44d76a
+
+KEY: 63ac8e2561341587bc066c87cd23f7f33e6023bdc1521a91d6ce63d3ab213825d95d674928b56da1741aad8e85a8b703239ad74e0304ad555eeadebf4ae30aa6
+NONCE: 4f3073c3b780ebb146e136c7
+IN: 7f9a05b1aead29b4d5361c2606e5db8a48122858842679cd46f8386ef9359f998cd2c6c266791429624ff634a160d08faf1523b650c30b2fcd71517da5f377000251ef23cfd2510a0630215ad45fa6d2313f9add040a07df8259b82d3f29cf1ab8477cd114c9ee579d3e2ce60c5da2f3375b68b4d6e0913d39dac9399c00bd32
+AD: 22
+CT: d4ed811c8db932348e0c311e9278ef22f22cec8af88b3ac0cef77f13bbd9b8cca037c1ea87590a0ce3f3e7b3ffe1dcc4c7cd9e721baa5f126a3e0afb26dcfa02bf44428846c0f1e07ba0e026c23a39877de1e69e16a2766ff4fa3d4e8d3a97ba28f407f459ae3520dd840e8f9e149ea582048dc6e3d0227bd86a9c26ddd59895
+TAG: 0abc9111229bcb725953d139a2dcb1aa0cb9d3d6c01ef4733482dc5edcc88958
+
+KEY: 355454fbe12f125edbc13550a7494f37efbe12b843058d29f892e1524289c2868ef0050a75a232d3083c381289e4950e352d68d64bf05f0608d694763c36641c
+NONCE: 0a344bb3da1c4260f2daf256
+IN: 362e97f8ef09f30e5db2f21d40568d347d9bc42d4c94a563484b12eb109886ccfd2c61c40dfe93eb836bb6aa4f828e77c137485da2df494cbeb6a9a0192c3777b4d7a927fba11a8eaf604b85a81ac4719ce8b595a74656286fd0b80d1ad3f3393e6038b258af97af9a77f6760d486d9caf5a451ba26dee51bda0f76d75bfc26e
+AD: c7c2e8196f37185b44515480d5d9451d79d07df4c1256bff6382f942727ce9b3a4f81ae964d8af2cd9f638
+CT: 32a67922947fd6b1c1bfaf3e1d41397173b97095e55307cae1c574daca275778d4aa4313fb1fe5b3997ff18800903ce044c7d0976abbb03b6cc1f7498d8b56d00672bd74f7cb152b677c632ef7a6f6fc13e95e82b6e35d663eb47f27c229c81174fd7c62c94c414e47216af2580fe822643e54907af77ae18e903fe856a02173
+TAG: 72d0fe5baee8090c5f8e79890b77f6d72a4213a7d1a81e0d1f1c9e6731e44d54
+
+KEY: 664478c9d30d2cbc39351ec3b3494f3edb81e32e48bd4ef05969da07e770e4181a9ada3b2f83b46f40fc2d9ad35fd8ee6864ff3d70436d6cca3f8e0563cc3b06
+NONCE: 7313df9679181ffad2972a6b
+IN: 142f073f2ce443c68822f120b5009e39bea3453017dc04c1b091adfddcb2a7e361c2b79eab1bf0818bc86e9d7964834d3775698b56a11ee07a0c9c03cb7bb895bf1a1dde3975c3662d233052824f1539f58cd6ad5cadb58fecaf2b34935ff711c45a639d642fb8fc3a52929b1296683bb13e67f2cc8ed9090126cdf28a4395c6
+AD: d0d78b94505793af546912f3780699dd72e288c775bfc75da6e306defcd868f6d40c6d6ce34fab9c11574ef5
+CT: cb913e40ea5dfe76beae612e9732d23ce352789987134822b2324db585179bf90d0ee20bee102e93a49a55fc978d19e99ba316cf8d9a10d2f2bcb75da4b135d1fcb8057edc33a180586015d8829a128f8fdc87b72497016c280f54f4d974c2c7e9d32ae137eaa1bcb670be237269fa73c3a0f273da9e70d89600ae7c231fc9d4
+TAG: dcc158c254ff7e131ad854a2158d51c643c281dfd7df342d5481384ab236a685
+
+KEY: 409d1b4e1c187c8b1c053e999f2af648583e1045d56d553cce9270d08c5643ef365eb35e3bdeaedcd164b0122ad185e71c75146a9807104d9b65b56d9bc1dc55
+NONCE: 1cce3f08a5aa5824d063a6f2
+IN: a255239e4065f3effe6aa5e88814d516236d016c51cd8eb35af7cee86418966559802f8ff7ac39c6a45acc1f1b18cc28d7cc32ae66dff43289fe44c3a2a72fbadf3a7249d76c1ba9671dfc420ddf513539f2da5f31030f2b6775c57432c2c3486621d841e80dd4894229debc12ef47d74716838f2d807e208f0fdaf733bce76e
+AD: 8f34f8b676e71844841c6a7b63fef1ad3061f2449c1044e1a281595da2d9e9fd141aea7350bd8cf9774d375e67
+CT: 969fc2c64261db415e51eee8cc5e0cf5185b8e3325dea516a70e32115a5b72233a44458c40f2daff3594d71e42ca2e3fc1c444ce171d22ef40009d798456613fa4b76beaa6d469e235997a302ac468c8bcfb8ef5de5cda58d7e554a9eab6cb568945dc37f28b0dbd674c083dfbd2e42fda1b42d0c1966e9652a21b32af71e2d5
+TAG: fa0789a83c255412501944a67bdceaff3f01d9a23b0c749be38abc956e2acae6
+
+KEY: e6fd8144cdb305bf9e62a2c901764c62902f354409d8c5b9c8cbfc0ba8ac7d0859ff8994e573e46784395d89c355a91a313f601b56e86ed3fd10ba428a5481ce
+NONCE: bae080718d3e5c5998542f15
+IN: 2258ffcd6fcf91b1723f8db0047525d61cc8ffc440acf3290690685d16384292493807312b7dfc23ac9d9c3ee1405baab21a3770a05875cfe325268b65fc877463e3208c842ea4a32cf144cc46d57afd91f6b6b5d85fb2dedb0702f0c4e7f742cf4c9b4aec02f07267ec1f7b96a5a3ef25f6c1b4c27bd829e86583e239cd854b
+AD: 51ae57749b7757718aef9b9c47da5794659516e7f98bc80e6c18c89253f8617963331f54d4f009f087d1d2bd69a083f3a4b98f2a51ce24ffc6079774f7c7b01638b6131bfccebe21fea67bc839c259a50fcc0a16a69ada3c5adee4097d9e053a03266cb9b4b39ee2a465ec1aa058e61a0b9888b93bfcfd103f91ca3a7b274a10
+CT: 5b2fe8eea3313cc04d5ec75d75d05b3242b6e3b65c6fa1761716780c9529ff8ca523096dd037c5bda27984aa93c702ce9c01c63569a90657cc6373ad5d4473028b7eef69dd79c44c38d0063e8a8b7f1aa2bf6b646711ecd4eea3fa27408e089d9c4c4aceedff29a25baa6a9069eb7eac83a53212c0b387d700547c46cdc525e3
+TAG: 60319de093aec5c0bb8d5f17e950b0f4df0dfd20ad96490f6f12db461b2a4a84
+
diff --git a/src/crypto/cipher/test/cipher_test.txt b/src/crypto/cipher/test/cipher_test.txt
index b250df3..f3c6d35 100644
--- a/src/crypto/cipher/test/cipher_test.txt
+++ b/src/crypto/cipher/test/cipher_test.txt
@@ -76,6 +76,43 @@ AES-128-GCM:00000000000000000000000000000000:000000000000000000000000:0000000000
 AES-128-GCM:00000000000000000000000000000000:000000000000000000000000:0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:0388dace60b6a392f328c2b971b2fe78f795aaab494b5923f7fd89ff948bc1e0200211214e7394da2089b6acd093abe0c94da219118e297d7b7ebcbcc9c388f28ade7d85a8ee35616f7124a9d527029195b84d1b96c690ff2f2de30bf2ec89e00253786e126504f0dab90c48a30321de3345e6b0461e7c9e6c6b7afedde83f40::cac45f60e31efd3b5a43b98a22ce1aa1
 # 192 bytes plaintext, iv is chosen so that initial counter LSB is 0xFF
 AES-128-GCM:00000000000000000000000000000000:ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:56b3373ca9ef6e4a2b64fe1e9a17b61425f10d47a75a5fce13efc6bc784af24f4141bdd48cf7c770887afd573cca5418a9aeffcd7c5ceddfc6a78397b9a85b499da558257267caab2ad0b23ca476a53cb17fb41c4b8b475cb4f3f7165094c229c9e8c4dc0a2a5ff1903e501511221376a1cdb8364c5061a20cae74bc4acd76ceb0abc9fd3217ef9f8c90be402ddf6d8697f4f880dff15bfb7a6b28241ec8fe183c2d59e3f9dfff653c7126f0acb9e64211f42bae12af462b1070bef1ab5e3606::566f8ef683078bfdeeffa869d751a017
+# 288 bytes plaintext, iv is chosen so that initial counter LSB is 0xFF
+AES-128-GCM:00000000000000000000000000000000:ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:56b3373ca9ef6e4a2b64fe1e9a17b61425f10d47a75a5fce13efc6bc784af24f4141bdd48cf7c770887afd573cca5418a9aeffcd7c5ceddfc6a78397b9a85b499da558257267caab2ad0b23ca476a53cb17fb41c4b8b475cb4f3f7165094c229c9e8c4dc0a2a5ff1903e501511221376a1cdb8364c5061a20cae74bc4acd76ceb0abc9fd3217ef9f8c90be402ddf6d8697f4f880dff15bfb7a6b28241ec8fe183c2d59e3f9dfff653c7126f0acb9e64211f42bae12af462b1070bef1ab5e3606872ca10dee15b3249b1a1b958f23134c4bccb7d03200bce420a2f8eb66dcf3644d1423c1b5699003c13ecef4bf38a3b60eedc34033bac1902783dc6d89e2e774188a439c7ebcc0672dbda4ddcfb2794613b0be41315ef778708a70ee7d75165c::8b307f6b33286d0ab026a9ed3fe1e85f
 # 80 bytes plaintext, submitted by Intel
 AES-128-GCM:843ffcf5d2b72694d19ed01d01249412:dbcca32ebf9b804617c3aa9e:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f:6268c6fa2a80b2d137467f092f657ac04d89be2beaa623d61b5a868c8f03ff95d3dcee23ad2f1ab3a6c80eaf4b140eb05de3457f0fbc111a6b43d0763aa422a3013cf1dc37fe417d1fbfc449b75d4cc5:00000000000000000000000000000000101112131415161718191a1b1c1d1e1f:3b629ccfbc1119b7319e1dce2cd6fd6d
 
+# OFB tests from OpenSSL upstream.
+AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:3B3FD92EB72DAD20333449F8E83CFB4A:1
+AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:50FE67CC996D32B6DA0937E99BAFEC60:AE2D8A571E03AC9C9EB76FAC45AF8E51:7789508D16918F03F53C52DAC54ED825:1
+AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:D9A4DADA0892239F6B8B3D7680E15674:30C81C46A35CE411E5FBC1191A0A52EF:9740051E9C5FECF64344F7A82260EDCC:1
+AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:A78819583F0308E7A6BF36B1386ABF23:F69F2445DF4F9B17AD2B417BE66C3710:304C6528F659C77866A510D9C1D6AE5E:1
+# OFB-AES128.Decrypt
+AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:3B3FD92EB72DAD20333449F8E83CFB4A:0
+AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:50FE67CC996D32B6DA0937E99BAFEC60:AE2D8A571E03AC9C9EB76FAC45AF8E51:7789508D16918F03F53C52DAC54ED825:0
+AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:D9A4DADA0892239F6B8B3D7680E15674:30C81C46A35CE411E5FBC1191A0A52EF:9740051E9C5FECF64344F7A82260EDCC:0
+AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:A78819583F0308E7A6BF36B1386ABF23:F69F2445DF4F9B17AD2B417BE66C3710:304C6528F659C77866A510D9C1D6AE5E:0
+# OFB-AES256.Encrypt
+AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:DC7E84BFDA79164B7ECD8486985D3860:1
+AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:B7BF3A5DF43989DD97F0FA97EBCE2F4A:AE2D8A571E03AC9C9EB76FAC45AF8E51:4FEBDC6740D20B3AC88F6AD82A4FB08D:1
+AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:E1C656305ED1A7A6563805746FE03EDC:30C81C46A35CE411E5FBC1191A0A52EF:71AB47A086E86EEDF39D1C5BBA97C408:1
+AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:41635BE625B48AFC1666DD42A09D96E7:F69F2445DF4F9B17AD2B417BE66C3710:0126141D67F37BE8538F5A8BE740E484:1
+# OFB-AES256.Decrypt
+AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:DC7E84BFDA79164B7ECD8486985D3860:0
+AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:B7BF3A5DF43989DD97F0FA97EBCE2F4A:AE2D8A571E03AC9C9EB76FAC45AF8E51:4FEBDC6740D20B3AC88F6AD82A4FB08D:0
+AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:E1C656305ED1A7A6563805746FE03EDC:30C81C46A35CE411E5FBC1191A0A52EF:71AB47A086E86EEDF39D1C5BBA97C408:0
+AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:41635BE625B48AFC1666DD42A09D96E7:F69F2445DF4F9B17AD2B417BE66C3710:0126141D67F37BE8538F5A8BE740E484:0
+
+# AES-192 CBC-mode test from upstream OpenSSL.
+AES-192-CBC:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:4F021DB243BC633D7178183A9FA071E8
+AES-192-CBC:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:4F021DB243BC633D7178183A9FA071E8:AE2D8A571E03AC9C9EB76FAC45AF8E51:B4D9ADA9AD7DEDF4E5E738763F69145A
+AES-192-CBC:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:B4D9ADA9AD7DEDF4E5E738763F69145A:30C81C46A35CE411E5FBC1191A0A52EF:571B242012FB7AE07FA9BAAC3DF102E0
+AES-192-CBC:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:571B242012FB7AE07FA9BAAC3DF102E0:F69F2445DF4F9B17AD2B417BE66C3710:08B0E27988598881D920A9E64F5615CD
+
+# AES-192-ECB tests from FIPS-197
+AES-192-ECB:000102030405060708090A0B0C0D0E0F1011121314151617::00112233445566778899AABBCCDDEEFF:DDA97CA4864CDFE06EAF70A0EC0D7191:1
+
+# AES-192-ECB tests from NIST document SP800-38A
+AES-192-ECB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B::6BC1BEE22E409F96E93D7E117393172A:BD334F1D6E45F25FF712A214571FA5CC:1
+AES-192-ECB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B::AE2D8A571E03AC9C9EB76FAC45AF8E51:974104846D0AD3AD7734ECB3ECEE4EEF:1
+AES-192-ECB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B::30C81C46A35CE411E5FBC1191A0A52EF:EF7AFD2270E2E60ADCE0BA2FACE6444E:1
+AES-192-ECB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B::F69F2445DF4F9B17AD2B417BE66C3710:9A4B41BA738D6C72FB16691603C18E0E:1
diff --git a/src/crypto/cmac/CMakeLists.txt b/src/crypto/cmac/CMakeLists.txt
new file mode 100644
index 0000000..8ebd80c
--- /dev/null
+++ b/src/crypto/cmac/CMakeLists.txt
@@ -0,0 +1,17 @@
+include_directories(. .. ../../include)
+
+add_library(
+  cmac
+
+  OBJECT
+
+  cmac.c
+)
+
+add_executable(
+  cmac_test
+
+  cmac_test.cc
+)
+
+target_link_libraries(cmac_test crypto)
diff --git a/src/crypto/cmac/cmac.c b/src/crypto/cmac/cmac.c
new file mode 100644
index 0000000..fa4c3c4
--- /dev/null
+++ b/src/crypto/cmac/cmac.c
@@ -0,0 +1,239 @@
+/* ====================================================================
+ * Copyright (c) 2010 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ==================================================================== */
+
+#include <openssl/cmac.h>
+
+#include <assert.h>
+#include <string.h>
+
+#include <openssl/aes.h>
+#include <openssl/cipher.h>
+#include <openssl/mem.h>
+
+
+struct cmac_ctx_st {
+  EVP_CIPHER_CTX cipher_ctx;
+  /* k1 and k2 are the CMAC subkeys. See
+   * https://tools.ietf.org/html/rfc4493#section-2.3 */
+  uint8_t k1[AES_BLOCK_SIZE];
+  uint8_t k2[AES_BLOCK_SIZE];
+  /* Last (possibly partial) scratch */
+  uint8_t block[AES_BLOCK_SIZE];
+  /* block_used contains the number of valid bytes in |block|. */
+  unsigned block_used;
+};
+
+static void CMAC_CTX_init(CMAC_CTX *ctx) {
+  EVP_CIPHER_CTX_init(&ctx->cipher_ctx);
+}
+
+static void CMAC_CTX_cleanup(CMAC_CTX *ctx) {
+  EVP_CIPHER_CTX_cleanup(&ctx->cipher_ctx);
+  OPENSSL_cleanse(ctx->k1, sizeof(ctx->k1));
+  OPENSSL_cleanse(ctx->k2, sizeof(ctx->k2));
+  OPENSSL_cleanse(ctx->block, sizeof(ctx->block));
+}
+
+int AES_CMAC(uint8_t out[16], const uint8_t *key, size_t key_len,
+             const uint8_t *in, size_t in_len) {
+  const EVP_CIPHER *cipher;
+  switch (key_len) {
+    case 16:
+      cipher = EVP_aes_128_cbc();
+      break;
+    case 32:
+      cipher = EVP_aes_256_cbc();
+      break;
+    default:
+      return 0;
+  }
+
+  size_t scratch_out_len;
+  CMAC_CTX ctx;
+  CMAC_CTX_init(&ctx);
+
+  const int ok = CMAC_Init(&ctx, key, key_len, cipher, NULL /* engine */) &&
+                 CMAC_Update(&ctx, in, in_len) &&
+                 CMAC_Final(&ctx, out, &scratch_out_len);
+
+  CMAC_CTX_cleanup(&ctx);
+  return ok;
+}
+
+CMAC_CTX *CMAC_CTX_new(void) {
+  CMAC_CTX *ctx = OPENSSL_malloc(sizeof(*ctx));
+  if (ctx != NULL) {
+    CMAC_CTX_init(ctx);
+  }
+  return ctx;
+}
+
+void CMAC_CTX_free(CMAC_CTX *ctx) {
+  if (ctx == NULL) {
+    return;
+  }
+
+  CMAC_CTX_cleanup(ctx);
+  OPENSSL_free(ctx);
+}
+
+/* binary_field_mul_x treats the 128 bits at |in| as an element of GF(2¹²�)
+ * with a hard-coded reduction polynomial and sets |out| as x times the
+ * input.
+ *
+ * See https://tools.ietf.org/html/rfc4493#section-2.3 */
+static void binary_field_mul_x(uint8_t out[16], const uint8_t in[16]) {
+  unsigned i;
+
+  /* Shift |in| to left, including carry. */
+  for (i = 0; i < 15; i++) {
+    out[i] = (in[i] << 1) | (in[i+1] >> 7);
+  }
+
+  /* If MSB set fixup with R. */
+  const uint8_t carry = in[0] >> 7;
+  out[i] = (in[i] << 1) ^ ((0 - carry) & 0x87);
+}
+
+static const uint8_t kZeroIV[AES_BLOCK_SIZE] = {0};
+
+int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t key_len,
+              const EVP_CIPHER *cipher, ENGINE *engine) {
+  uint8_t scratch[AES_BLOCK_SIZE];
+
+  if (EVP_CIPHER_block_size(cipher) != AES_BLOCK_SIZE ||
+      EVP_CIPHER_key_length(cipher) != key_len ||
+      !EVP_EncryptInit_ex(&ctx->cipher_ctx, cipher, NULL, key, kZeroIV) ||
+      !EVP_Cipher(&ctx->cipher_ctx, scratch, kZeroIV, AES_BLOCK_SIZE) ||
+      /* Reset context again ready for first data. */
+      !EVP_EncryptInit_ex(&ctx->cipher_ctx, NULL, NULL, NULL, kZeroIV)) {
+    return 0;
+  }
+
+  binary_field_mul_x(ctx->k1, scratch);
+  binary_field_mul_x(ctx->k2, ctx->k1);
+  ctx->block_used = 0;
+
+  return 1;
+}
+
+int CMAC_Reset(CMAC_CTX *ctx) {
+  ctx->block_used = 0;
+  return EVP_EncryptInit_ex(&ctx->cipher_ctx, NULL, NULL, NULL, kZeroIV);
+}
+
+int CMAC_Update(CMAC_CTX *ctx, const uint8_t *in, size_t in_len) {
+  uint8_t scratch[AES_BLOCK_SIZE];
+
+  if (ctx->block_used > 0) {
+    size_t todo = AES_BLOCK_SIZE - ctx->block_used;
+    if (in_len < todo) {
+      todo = in_len;
+    }
+
+    memcpy(ctx->block + ctx->block_used, in, todo);
+    in += todo;
+    in_len -= todo;
+    ctx->block_used += todo;
+
+    /* If |in_len| is zero then either |ctx->block_used| is less than
+     * |AES_BLOCK_SIZE|, in which case we can stop here, or |ctx->block_used|
+     * is exactly |AES_BLOCK_SIZE| but there's no more data to process. In the
+     * latter case we don't want to process this block now because it might be
+     * the last block and that block is treated specially. */
+    if (in_len == 0) {
+      return 1;
+    }
+
+    assert(ctx->block_used == AES_BLOCK_SIZE);
+
+    if (!EVP_Cipher(&ctx->cipher_ctx, scratch, ctx->block, AES_BLOCK_SIZE)) {
+      return 0;
+    }
+  }
+
+  /* Encrypt all but one of the remaining blocks. */
+  while (in_len > AES_BLOCK_SIZE) {
+    if (!EVP_Cipher(&ctx->cipher_ctx, scratch, in, AES_BLOCK_SIZE)) {
+      return 0;
+    }
+    in += AES_BLOCK_SIZE;
+    in_len -= AES_BLOCK_SIZE;
+  }
+
+  memcpy(ctx->block, in, in_len);
+  ctx->block_used = in_len;
+
+  return 1;
+}
+
+int CMAC_Final(CMAC_CTX *ctx, uint8_t *out, size_t *out_len) {
+  *out_len = AES_BLOCK_SIZE;
+  if (out == NULL) {
+    return 1;
+  }
+
+  const uint8_t *mask = ctx->k1;
+
+  if (ctx->block_used != AES_BLOCK_SIZE) {
+    /* If the last block is incomplete, terminate it with a single 'one' bit
+     * followed by zeros. */
+    ctx->block[ctx->block_used] = 0x80;
+    memset(ctx->block + ctx->block_used + 1, 0,
+           AES_BLOCK_SIZE - (ctx->block_used + 1));
+
+    mask = ctx->k2;
+  }
+
+  unsigned i;
+  for (i = 0; i < AES_BLOCK_SIZE; i++) {
+    out[i] = ctx->block[i] ^ mask[i];
+  }
+
+  return EVP_Cipher(&ctx->cipher_ctx, out, out, AES_BLOCK_SIZE);
+}
diff --git a/src/crypto/cmac/cmac_test.cc b/src/crypto/cmac/cmac_test.cc
new file mode 100644
index 0000000..0f06860
--- /dev/null
+++ b/src/crypto/cmac/cmac_test.cc
@@ -0,0 +1,154 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <stdio.h>
+
+#include <algorithm>
+
+#include <openssl/cmac.h>
+
+#include "../test/scoped_types.h"
+
+
+static void dump(const uint8_t *got, const uint8_t *expected, size_t len) {
+  ScopedBIO bio(BIO_new_fp(stderr, 0 /* don't close */));
+
+  BIO_puts(bio.get(), "\nGot:\n");
+  BIO_hexdump(bio.get(), got, len, 2 /* indent */);
+  BIO_puts(bio.get(), "Expected:\n");
+  BIO_hexdump(bio.get(), expected, len, 2 /* indent */);
+  BIO_flush(bio.get());
+}
+
+static int test(const char *name, const uint8_t *key, size_t key_len,
+                const uint8_t *msg, size_t msg_len, const uint8_t *expected) {
+  uint8_t out[16];
+
+  if (!AES_CMAC(out, key, key_len, msg, msg_len)) {
+    fprintf(stderr, "%s: AES_CMAC failed\n", name);
+    return 0;
+  }
+
+  if (CRYPTO_memcmp(out, expected, sizeof(out)) != 0) {
+    fprintf(stderr, "%s: CMAC result differs:\n", name);
+    dump(out, expected, sizeof(out));
+    return 0;
+  }
+
+  ScopedCMAC_CTX ctx(CMAC_CTX_new());
+  if (!CMAC_Init(ctx.get(), key, key_len, EVP_aes_128_cbc(), NULL)) {
+    fprintf(stderr, "%s: CMAC_Init failed.\n", name);
+    return 0;
+  }
+
+  for (unsigned chunk_size = 1; chunk_size <= msg_len; chunk_size++) {
+    if (!CMAC_Reset(ctx.get())) {
+      fprintf(stderr, "%s/%u: CMAC_Reset failed.\n", name, chunk_size);
+      return 0;
+    }
+
+    size_t done = 0;
+    while (done < msg_len) {
+      size_t todo = std::min(msg_len - done, static_cast<size_t>(chunk_size));
+      if (!CMAC_Update(ctx.get(), msg + done, todo)) {
+        fprintf(stderr, "%s/%u: CMAC_Update failed.\n", name, chunk_size);
+        return 0;
+      }
+
+      done += todo;
+    }
+
+    size_t out_len;
+    if (!CMAC_Final(ctx.get(), out, &out_len)) {
+      fprintf(stderr, "%s/%u: CMAC_Final failed.\n", name, chunk_size);
+      return 0;
+    }
+
+    if (out_len != sizeof(out)) {
+      fprintf(stderr, "%s/%u: incorrect out_len: %u.\n", name, chunk_size,
+              static_cast<unsigned>(out_len));
+      return 0;
+    }
+
+    if (CRYPTO_memcmp(out, expected, sizeof(out)) != 0) {
+      fprintf(stderr, "%s/%u: CMAC result differs:\n", name, chunk_size);
+      dump(out, expected, sizeof(out));
+      return 0;
+    }
+  }
+
+  return 1;
+}
+
+static int rfc_4493_test_vectors(void) {
+  static const uint8_t kKey[16] = {
+      0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
+      0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c,
+  };
+  static const uint8_t kOut1[16] = {
+      0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28,
+      0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46,
+  };
+  static const uint8_t kMsg2[] = {
+      0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
+      0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
+  };
+  static const uint8_t kOut2[16] = {
+      0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44,
+      0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c,
+  };
+  static const uint8_t kMsg3[] = {
+      0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
+      0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
+      0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
+      0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
+      0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
+  };
+  static const uint8_t kOut3[16] = {
+      0xdf, 0xa6, 0x67, 0x47, 0xde, 0x9a, 0xe6, 0x30,
+      0x30, 0xca, 0x32, 0x61, 0x14, 0x97, 0xc8, 0x27,
+  };
+  static const uint8_t kMsg4[] = {
+      0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
+      0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
+      0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
+      0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
+      0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
+      0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
+      0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
+      0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10,
+  };
+  static const uint8_t kOut4[16] = {
+      0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
+      0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe,
+  };
+
+  if (!test("RFC 4493 #1", kKey, sizeof(kKey), NULL, 0, kOut1) ||
+      !test("RFC 4493 #2", kKey, sizeof(kKey), kMsg2, sizeof(kMsg2), kOut2) ||
+      !test("RFC 4493 #3", kKey, sizeof(kKey), kMsg3, sizeof(kMsg3), kOut3) ||
+      !test("RFC 4493 #4", kKey, sizeof(kKey), kMsg4, sizeof(kMsg4), kOut4)) {
+    return 0;
+  }
+
+  return 1;
+}
+
+int main(int argc, char **argv) {
+  if (!rfc_4493_test_vectors()) {
+    return 1;
+  }
+
+  printf("PASS\n");
+  return 0;
+}
diff --git a/src/crypto/conf/CMakeLists.txt b/src/crypto/conf/CMakeLists.txt
index f54d904..8046bb8 100644
--- a/src/crypto/conf/CMakeLists.txt
+++ b/src/crypto/conf/CMakeLists.txt
@@ -6,5 +6,4 @@ add_library(
   OBJECT
 
   conf.c
-  conf_error.c
 )
diff --git a/src/crypto/conf/conf.c b/src/crypto/conf/conf.c
index b8dab95..213efc5 100644
--- a/src/crypto/conf/conf.c
+++ b/src/crypto/conf/conf.c
@@ -90,9 +90,13 @@ static int conf_value_cmp(const CONF_VALUE *a, const CONF_VALUE *b) {
   }
 }
 
-CONF *NCONF_new(void) {
+CONF *NCONF_new(void *method) {
   CONF *conf;
 
+  if (method != NULL) {
+    return NULL;
+  }
+
   conf = OPENSSL_malloc(sizeof(CONF));
   if (conf == NULL) {
     return NULL;
@@ -530,20 +534,22 @@ static int def_load_bio(CONF *conf, BIO *in, long *out_error_line) {
     BIO_gets(in, p, CONFBUFSIZE - 1);
     p[CONFBUFSIZE - 1] = '\0';
     ii = i = strlen(p);
-    if (i == 0 && !again)
+    if (i == 0 && !again) {
       break;
+    }
     again = 0;
     while (i > 0) {
-      if ((p[i - 1] != '\r') && (p[i - 1] != '\n'))
+      if ((p[i - 1] != '\r') && (p[i - 1] != '\n')) {
         break;
-      else
+      } else {
         i--;
+      }
     }
     /* we removed some trailing stuff so there is a new
      * line on the end. */
-    if (ii && i == ii)
+    if (ii && i == ii) {
       again = 1; /* long line */
-    else {
+    } else {
       p[i] = '\0';
       eline++; /* another input line */
     }
@@ -564,15 +570,17 @@ static int def_load_bio(CONF *conf, BIO *in, long *out_error_line) {
         again = 1;
       }
     }
-    if (again)
+    if (again) {
       continue;
+    }
     bufnum = 0;
     buf = buff->data;
 
     clear_comments(conf, buf);
     s = eat_ws(conf, buf);
-    if (IS_EOF(conf, *s))
+    if (IS_EOF(conf, *s)) {
       continue; /* blank line */
+    }
     if (*s == '[') {
       char *ss;
 
@@ -591,10 +599,12 @@ static int def_load_bio(CONF *conf, BIO *in, long *out_error_line) {
         goto err;
       }
       *end = '\0';
-      if (!str_copy(conf, NULL, &section, start))
+      if (!str_copy(conf, NULL, &section, start)) {
         goto err;
-      if ((sv = get_section(conf, section)) == NULL)
+      }
+      if ((sv = get_section(conf, section)) == NULL) {
         sv = NCONF_new_section(conf, section);
+      }
       if (sv == NULL) {
         OPENSSL_PUT_ERROR(CONF, def_load_bio, CONF_R_UNABLE_TO_CREATE_NEW_SECTION);
         goto err;
@@ -619,11 +629,13 @@ static int def_load_bio(CONF *conf, BIO *in, long *out_error_line) {
       *end = '\0';
       p++;
       start = eat_ws(conf, p);
-      while (!IS_EOF(conf, *p))
+      while (!IS_EOF(conf, *p)) {
         p++;
+      }
       p--;
-      while ((p != start) && (IS_WS(conf, *p)))
+      while ((p != start) && (IS_WS(conf, *p))) {
         p--;
+      }
       p++;
       *p = '\0';
 
@@ -631,8 +643,9 @@ static int def_load_bio(CONF *conf, BIO *in, long *out_error_line) {
         OPENSSL_PUT_ERROR(CONF, def_load_bio, ERR_R_MALLOC_FAILURE);
         goto err;
       }
-      if (psection == NULL)
+      if (psection == NULL) {
         psection = section;
+      }
       v->name = (char *)OPENSSL_malloc(strlen(pname) + 1);
       v->value = NULL;
       if (v->name == NULL) {
@@ -640,18 +653,21 @@ static int def_load_bio(CONF *conf, BIO *in, long *out_error_line) {
         goto err;
       }
       BUF_strlcpy(v->name, pname, strlen(pname) + 1);
-      if (!str_copy(conf, psection, &(v->value), start))
+      if (!str_copy(conf, psection, &(v->value), start)) {
         goto err;
+      }
 
       if (strcmp(psection, section) != 0) {
-        if ((tv = get_section(conf, psection)) == NULL)
+        if ((tv = get_section(conf, psection)) == NULL) {
           tv = NCONF_new_section(conf, psection);
+        }
         if (tv == NULL) {
           OPENSSL_PUT_ERROR(CONF, def_load_bio, CONF_R_UNABLE_TO_CREATE_NEW_SECTION);
           goto err;
         }
-      } else
+      } else {
         tv = sv;
+      }
       if (add_string(conf, tv, v) == 0) {
         OPENSSL_PUT_ERROR(CONF, def_load_bio, ERR_R_MALLOC_FAILURE);
         goto err;
@@ -659,29 +675,37 @@ static int def_load_bio(CONF *conf, BIO *in, long *out_error_line) {
       v = NULL;
     }
   }
-  if (buff != NULL)
+  if (buff != NULL) {
     BUF_MEM_free(buff);
-  if (section != NULL)
+  }
+  if (section != NULL) {
     OPENSSL_free(section);
+  }
   return 1;
 
 err:
-  if (buff != NULL)
+  if (buff != NULL) {
     BUF_MEM_free(buff);
-  if (section != NULL)
+  }
+  if (section != NULL) {
     OPENSSL_free(section);
-  if (out_error_line != NULL)
+  }
+  if (out_error_line != NULL) {
     *out_error_line = eline;
+  }
   BIO_snprintf(btmp, sizeof btmp, "%ld", eline);
   ERR_add_error_data(2, "line ", btmp);
 
   if (v != NULL) {
-    if (v->name != NULL)
+    if (v->name != NULL) {
       OPENSSL_free(v->name);
-    if (v->value != NULL)
+    }
+    if (v->value != NULL) {
       OPENSSL_free(v->value);
-    if (v != NULL)
+    }
+    if (v != NULL) {
       OPENSSL_free(v);
+    }
   }
   return 0;
 }
@@ -701,6 +725,10 @@ int NCONF_load(CONF *conf, const char *filename, long *out_error_line) {
   return ret;
 }
 
+int NCONF_load_bio(CONF *conf, BIO *bio, long *out_error_line) {
+  return def_load_bio(conf, bio, out_error_line);
+}
+
 int CONF_parse_list(const char *list, char sep, int remove_whitespace,
                     int (*list_cb)(const char *elem, int len, void *usr),
                     void *arg) {
diff --git a/src/crypto/conf/conf_error.c b/src/crypto/conf/conf_error.c
deleted file mode 100644
index b5dd001..0000000
--- a/src/crypto/conf/conf_error.c
+++ /dev/null
@@ -1,31 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/conf.h>
-
-const ERR_STRING_DATA CONF_error_string_data[] = {
-  {ERR_PACK(ERR_LIB_CONF, CONF_F_CONF_parse_list, 0), "CONF_parse_list"},
-  {ERR_PACK(ERR_LIB_CONF, CONF_F_NCONF_load, 0), "NCONF_load"},
-  {ERR_PACK(ERR_LIB_CONF, CONF_F_def_load_bio, 0), "def_load_bio"},
-  {ERR_PACK(ERR_LIB_CONF, CONF_F_str_copy, 0), "str_copy"},
-  {ERR_PACK(ERR_LIB_CONF, 0, CONF_R_LIST_CANNOT_BE_NULL), "LIST_CANNOT_BE_NULL"},
-  {ERR_PACK(ERR_LIB_CONF, 0, CONF_R_MISSING_CLOSE_SQUARE_BRACKET), "MISSING_CLOSE_SQUARE_BRACKET"},
-  {ERR_PACK(ERR_LIB_CONF, 0, CONF_R_MISSING_EQUAL_SIGN), "MISSING_EQUAL_SIGN"},
-  {ERR_PACK(ERR_LIB_CONF, 0, CONF_R_NO_CLOSE_BRACE), "NO_CLOSE_BRACE"},
-  {ERR_PACK(ERR_LIB_CONF, 0, CONF_R_UNABLE_TO_CREATE_NEW_SECTION), "UNABLE_TO_CREATE_NEW_SECTION"},
-  {ERR_PACK(ERR_LIB_CONF, 0, CONF_R_VARIABLE_HAS_NO_VALUE), "VARIABLE_HAS_NO_VALUE"},
-  {0, NULL},
-};
diff --git a/src/crypto/cpu-arm-asm.S b/src/crypto/cpu-arm-asm.S
new file mode 100644
index 0000000..faf3ad8
--- /dev/null
+++ b/src/crypto/cpu-arm-asm.S
@@ -0,0 +1,32 @@
+# Copyright (c) 2014, Google Inc.
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+# SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+# OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+# CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+#if !defined(OPENSSL_NO_ASM) && defined(__arm__)
+
+.syntax unified
+.cpu cortex-a8
+.fpu neon
+.text
+.thumb
+.align 2
+.global CRYPTO_arm_neon_probe
+.hidden CRYPTO_arm_neon_probe
+.type CRYPTO_arm_neon_probe, %function
+.thumb_func
+CRYPTO_arm_neon_probe:
+  vorr q1, q1, q1
+  bx lr
+.section .note.GNU-stack,"",%progbits
+
+#endif  /* !OPENSSL_NO_ASM && __arm__ */
diff --git a/src/crypto/cpu-arm.c b/src/crypto/cpu-arm.c
index 96392d8..74e937b 100644
--- a/src/crypto/cpu-arm.c
+++ b/src/crypto/cpu-arm.c
@@ -17,7 +17,12 @@
 #if defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)
 
 #include <inttypes.h>
-#include <stdio.h>
+#include <string.h>
+
+#if !defined(OPENSSL_TRUSTY)
+#include <setjmp.h>
+#include <signal.h>
+#endif
 
 #include "arm_arch.h"
 
@@ -28,14 +33,15 @@
 
 unsigned long getauxval(unsigned long type) __attribute__((weak));
 
-static const unsigned long AT_HWCAP = 16;
-static const unsigned long AT_HWCAP2 = 26;
-
 char CRYPTO_is_NEON_capable(void) {
   return (OPENSSL_armcap_P & ARMV7_NEON) != 0;
 }
 
+static char g_set_neon_called = 0;
+
 void CRYPTO_set_NEON_capable(char neon_capable) {
+  g_set_neon_called = 1;
+
   if (neon_capable) {
     OPENSSL_armcap_P |= ARMV7_NEON;
   } else {
@@ -56,11 +62,81 @@ void CRYPTO_set_NEON_functional(char neon_functional) {
   }
 }
 
+#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && !defined(OPENSSL_TRUSTY)
+
+static sigjmp_buf sigill_jmp;
+
+static void sigill_handler(int signal) {
+  siglongjmp(sigill_jmp, signal);
+}
+
+void CRYPTO_arm_neon_probe();
+
+// probe_for_NEON returns 1 if a NEON instruction runs successfully. Because
+// getauxval doesn't exist on Android until Jelly Bean, supporting NEON on
+// older devices requires this.
+static int probe_for_NEON() {
+  int supported = 0;
+
+  sigset_t sigmask;
+  sigfillset(&sigmask);
+  sigdelset(&sigmask, SIGILL);
+  sigdelset(&sigmask, SIGTRAP);
+  sigdelset(&sigmask, SIGFPE);
+  sigdelset(&sigmask, SIGBUS);
+  sigdelset(&sigmask, SIGSEGV);
+
+  struct sigaction sigill_original_action, sigill_action;
+  memset(&sigill_action, 0, sizeof(sigill_action));
+  sigill_action.sa_handler = sigill_handler;
+  sigill_action.sa_mask = sigmask;
+
+  sigset_t original_sigmask;
+  sigprocmask(SIG_SETMASK, &sigmask, &original_sigmask);
+
+  if (sigsetjmp(sigill_jmp, 1 /* save signals */) == 0) {
+    sigaction(SIGILL, &sigill_action, &sigill_original_action);
+
+    // This function cannot be inline asm because GCC will refuse to compile
+    // inline NEON instructions unless building with -mfpu=neon, which would
+    // defeat the point of probing for support at runtime.
+    CRYPTO_arm_neon_probe();
+    supported = 1;
+  }
+  // Note that Android up to and including Lollipop doesn't restore the signal
+  // mask correctly after returning from a sigsetjmp. So that would need to be
+  // set again here if more probes were added.
+  // See https://android-review.googlesource.com/#/c/127624/
+
+  sigaction(SIGILL, &sigill_original_action, NULL);
+  sigprocmask(SIG_SETMASK, &original_sigmask, NULL);
+
+  return supported;
+}
+
+#else
+
+static int probe_for_NEON(void) {
+  return 0;
+}
+
+#endif  /* !OPENSSL_NO_ASM && OPENSSL_ARM && !OPENSSL_TRUSTY */
+
 void OPENSSL_cpuid_setup(void) {
   if (getauxval == NULL) {
+    // On ARM, but not AArch64, try a NEON instruction and see whether it works
+    // in order to probe for NEON support.
+    //
+    // Note that |CRYPTO_is_NEON_capable| can be true even if
+    // |CRYPTO_set_NEON_capable| has never been called if the code was compiled
+    // with NEON support enabled (e.g. -mfpu=neon).
+    if (!g_set_neon_called && !CRYPTO_is_NEON_capable() && probe_for_NEON()) {
+      OPENSSL_armcap_P |= ARMV7_NEON;
+    }
     return;
   }
 
+  static const unsigned long AT_HWCAP = 16;
   unsigned long hwcap = getauxval(AT_HWCAP);
 
 #if defined(OPENSSL_ARM)
@@ -71,6 +147,7 @@ void OPENSSL_cpuid_setup(void) {
 
   /* In 32-bit mode, the ARMv8 feature bits are in a different aux vector
    * value. */
+  static const unsigned long AT_HWCAP2 = 26;
   hwcap = getauxval(AT_HWCAP2);
 
   /* See /usr/include/asm/hwcap.h on an ARM installation for the source of
@@ -93,7 +170,7 @@ void OPENSSL_cpuid_setup(void) {
   }
 #endif
 
-  OPENSSL_armcap_P |= ARMV7_NEON | ARMV7_NEON_FUNCTIONAL;
+  OPENSSL_armcap_P |= ARMV7_NEON;
 
   if (hwcap & kAES) {
     OPENSSL_armcap_P |= ARMV8_AES;
diff --git a/src/crypto/cpu-intel.c b/src/crypto/cpu-intel.c
index 69f4570..df0e127 100644
--- a/src/crypto/cpu-intel.c
+++ b/src/crypto/cpu-intel.c
@@ -64,6 +64,7 @@
 #if !defined(OPENSSL_NO_ASM) && (defined(OPENSSL_X86) || defined(OPENSSL_X86_64))
 
 #include <inttypes.h>
+#include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
 
diff --git a/src/crypto/cpu-x86-asm.pl b/src/crypto/cpu-x86-asm.pl
index 1ac7d84..319c436 100644
--- a/src/crypto/cpu-x86-asm.pl
+++ b/src/crypto/cpu-x86-asm.pl
@@ -110,10 +110,6 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
 	&cmp	("ebp",0);
 	&jne	(&label("notintel"));
 	&or	("edx",1<<30);		# set reserved bit#30 on Intel CPUs
-	&and	(&HB("eax"),15);	# familiy ID
-	&cmp	(&HB("eax"),15);	# P4?
-	&jne	(&label("notintel"));
-	&or	("edx",1<<20);		# set reserved bit#20 to engage RC4_CHAR
 &set_label("notintel");
 	&bt	("edx",28);		# test hyper-threading bit
 	&jnc	(&label("generic"));
diff --git a/src/crypto/cpu-x86_64-asm.pl b/src/crypto/cpu-x86_64-asm.pl
index 59cfd18..89d7a6c 100644
--- a/src/crypto/cpu-x86_64-asm.pl
+++ b/src/crypto/cpu-x86_64-asm.pl
@@ -122,10 +122,6 @@ OPENSSL_ia32_cpuid:
 	cmp	\$0,%r9d
 	jne	.Lnotintel
 	or	\$0x40000000,%edx	# set reserved bit#30 on Intel CPUs
-	and	\$15,%ah
-	cmp	\$15,%ah		# examine Family ID
-	jne	.Lnotintel
-	or	\$0x00100000,%edx	# set reserved bit#20 to engage RC4_CHAR
 .Lnotintel:
 	bt	\$28,%edx		# test hyper-threading bit
 	jnc	.Lgeneric
diff --git a/src/crypto/crypto_error.c b/src/crypto/crypto_error.c
deleted file mode 100644
index 3e63dca..0000000
--- a/src/crypto/crypto_error.c
+++ /dev/null
@@ -1,25 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/crypto.h>
-
-const ERR_STRING_DATA CRYPTO_error_string_data[] = {
-  {ERR_PACK(ERR_LIB_CRYPTO, CRYPTO_F_CRYPTO_set_ex_data, 0), "CRYPTO_set_ex_data"},
-  {ERR_PACK(ERR_LIB_CRYPTO, CRYPTO_F_get_class, 0), "get_class"},
-  {ERR_PACK(ERR_LIB_CRYPTO, CRYPTO_F_get_func_pointers, 0), "get_func_pointers"},
-  {ERR_PACK(ERR_LIB_CRYPTO, CRYPTO_F_get_new_index, 0), "get_new_index"},
-  {0, NULL},
-};
diff --git a/src/crypto/crypto_error.h b/src/crypto/crypto_error.h
deleted file mode 100644
index c0cb2bd..0000000
--- a/src/crypto/crypto_error.h
+++ /dev/null
@@ -1,18 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#define CRYPTO_F_CRYPTO_set_ex_data 100
-#define CRYPTO_F_get_class 101
-#define CRYPTO_F_get_new_index 102
-#define CRYPTO_F_get_func_pointers 103
diff --git a/src/crypto/des/des.c b/src/crypto/des/des.c
index 6d00011..56a2996 100644
--- a/src/crypto/des/des.c
+++ b/src/crypto/des/des.c
@@ -56,6 +56,8 @@
 
 #include <openssl/des.h>
 
+#include <stdlib.h>
+
 #include "internal.h"
 
 
@@ -349,6 +351,35 @@ void DES_set_key(const DES_cblock *key, DES_key_schedule *schedule) {
   }
 }
 
+static const uint8_t kOddParity[256] = {
+    1,   1,   2,   2,   4,   4,   7,   7,   8,   8,   11,  11,  13,  13,  14,
+    14,  16,  16,  19,  19,  21,  21,  22,  22,  25,  25,  26,  26,  28,  28,
+    31,  31,  32,  32,  35,  35,  37,  37,  38,  38,  41,  41,  42,  42,  44,
+    44,  47,  47,  49,  49,  50,  50,  52,  52,  55,  55,  56,  56,  59,  59,
+    61,  61,  62,  62,  64,  64,  67,  67,  69,  69,  70,  70,  73,  73,  74,
+    74,  76,  76,  79,  79,  81,  81,  82,  82,  84,  84,  87,  87,  88,  88,
+    91,  91,  93,  93,  94,  94,  97,  97,  98,  98,  100, 100, 103, 103, 104,
+    104, 107, 107, 109, 109, 110, 110, 112, 112, 115, 115, 117, 117, 118, 118,
+    121, 121, 122, 122, 124, 124, 127, 127, 128, 128, 131, 131, 133, 133, 134,
+    134, 137, 137, 138, 138, 140, 140, 143, 143, 145, 145, 146, 146, 148, 148,
+    151, 151, 152, 152, 155, 155, 157, 157, 158, 158, 161, 161, 162, 162, 164,
+    164, 167, 167, 168, 168, 171, 171, 173, 173, 174, 174, 176, 176, 179, 179,
+    181, 181, 182, 182, 185, 185, 186, 186, 188, 188, 191, 191, 193, 193, 194,
+    194, 196, 196, 199, 199, 200, 200, 203, 203, 205, 205, 206, 206, 208, 208,
+    211, 211, 213, 213, 214, 214, 217, 217, 218, 218, 220, 220, 223, 223, 224,
+    224, 227, 227, 229, 229, 230, 230, 233, 233, 234, 234, 236, 236, 239, 239,
+    241, 241, 242, 242, 244, 244, 247, 247, 248, 248, 251, 251, 253, 253, 254,
+    254
+};
+
+void DES_set_odd_parity(DES_cblock *key) {
+  unsigned i;
+
+  for (i = 0; i < DES_KEY_SZ; i++) {
+    key->bytes[i] = kOddParity[key->bytes[i]];
+  }
+}
+
 static void DES_encrypt1(uint32_t *data, const DES_key_schedule *ks, int enc) {
   uint32_t l, r, t, u;
   const uint32_t *s;
@@ -609,6 +640,29 @@ void DES_ncbc_encrypt(const uint8_t *in, uint8_t *out, size_t len,
   tin[0] = tin[1] = 0;
 }
 
+void DES_ecb3_encrypt(const DES_cblock *input, DES_cblock *output,
+                      const DES_key_schedule *ks1, const DES_key_schedule *ks2,
+                      const DES_key_schedule *ks3, int enc) {
+  uint32_t l0, l1;
+  uint32_t ll[2];
+  const uint8_t *in = input->bytes;
+  uint8_t *out = output->bytes;
+
+  c2l(in, l0);
+  c2l(in, l1);
+  ll[0] = l0;
+  ll[1] = l1;
+  if (enc) {
+    DES_encrypt3(ll, ks1, ks2, ks3);
+  } else {
+    DES_decrypt3(ll, ks1, ks2, ks3);
+  }
+  l0 = ll[0];
+  l1 = ll[1];
+  l2c(l0, out);
+  l2c(l1, out);
+}
+
 void DES_ede3_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len,
                           const DES_key_schedule *ks1,
                           const DES_key_schedule *ks2,
diff --git a/src/crypto/dh/CMakeLists.txt b/src/crypto/dh/CMakeLists.txt
index 4e31206..9e487d5 100644
--- a/src/crypto/dh/CMakeLists.txt
+++ b/src/crypto/dh/CMakeLists.txt
@@ -10,13 +10,12 @@ add_library(
   params.c
   check.c
   dh_asn1.c
-  dh_error.c
 )
 
 add_executable(
   dh_test
 
-  dh_test.c
+  dh_test.cc
 )
 
 target_link_libraries(dh_test crypto)
diff --git a/src/crypto/dh/dh.c b/src/crypto/dh/dh.c
index 7a50da7..ab7ed8b 100644
--- a/src/crypto/dh/dh.c
+++ b/src/crypto/dh/dh.c
@@ -66,10 +66,13 @@
 #include <openssl/thread.h>
 
 #include "internal.h"
+#include "../internal.h"
 
 
 extern const DH_METHOD DH_default_method;
 
+static CRYPTO_EX_DATA_CLASS g_ex_data_class = CRYPTO_EX_DATA_CLASS_INIT;
+
 DH *DH_new(void) { return DH_new_method(NULL); }
 
 DH *DH_new_method(const ENGINE *engine) {
@@ -90,14 +93,16 @@ DH *DH_new_method(const ENGINE *engine) {
   }
   METHOD_ref(dh->meth);
 
+  CRYPTO_MUTEX_init(&dh->method_mont_p_lock);
+
   dh->references = 1;
-  if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DH, dh, &dh->ex_data)) {
+  if (!CRYPTO_new_ex_data(&g_ex_data_class, dh, &dh->ex_data)) {
     OPENSSL_free(dh);
     return NULL;
   }
 
   if (dh->meth->init && !dh->meth->init(dh)) {
-    CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DH, dh, &dh->ex_data);
+    CRYPTO_free_ex_data(&g_ex_data_class, dh, &dh->ex_data);
     METHOD_unref(dh->meth);
     OPENSSL_free(dh);
     return NULL;
@@ -120,7 +125,7 @@ void DH_free(DH *dh) {
   }
   METHOD_unref(dh->meth);
 
-  CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DH, dh, &dh->ex_data);
+  CRYPTO_free_ex_data(&g_ex_data_class, dh, &dh->ex_data);
 
   if (dh->method_mont_p) BN_MONT_CTX_free(dh->method_mont_p);
   if (dh->p != NULL) BN_clear_free(dh->p);
@@ -131,6 +136,7 @@ void DH_free(DH *dh) {
   if (dh->counter != NULL) BN_clear_free(dh->counter);
   if (dh->pub_key != NULL) BN_clear_free(dh->pub_key);
   if (dh->priv_key != NULL) BN_clear_free(dh->priv_key);
+  CRYPTO_MUTEX_cleanup(&dh->method_mont_p_lock);
 
   OPENSSL_free(dh);
 }
@@ -173,9 +179,7 @@ static int int_dh_bn_cpy(BIGNUM **dst, const BIGNUM *src) {
     }
   }
 
-  if (*dst) {
-    BN_free(*dst);
-  }
+  BN_free(*dst);
   *dst = a;
   return 1;
 }
@@ -198,11 +202,10 @@ static int int_dh_param_copy(DH *to, const DH *from, int is_x942) {
     return 0;
   }
 
-  if (to->seed) {
-    OPENSSL_free(to->seed);
-    to->seed = NULL;
-    to->seedlen = 0;
-  }
+  OPENSSL_free(to->seed);
+  to->seed = NULL;
+  to->seedlen = 0;
+
   if (from->seed) {
     to->seed = BUF_memdup(from->seed, from->seedlen);
     if (!to->seed) {
@@ -230,8 +233,12 @@ DH *DHparams_dup(const DH *dh) {
 
 int DH_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
                         CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) {
-  return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_DH, argl, argp, new_func,
-                                 dup_func, free_func);
+  int index;
+  if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp, new_func,
+                               dup_func, free_func)) {
+    return -1;
+  }
+  return index;
 }
 
 int DH_set_ex_data(DH *d, int idx, void *arg) {
diff --git a/src/crypto/dh/dh_error.c b/src/crypto/dh/dh_error.c
deleted file mode 100644
index 5ecc5d1..0000000
--- a/src/crypto/dh/dh_error.c
+++ /dev/null
@@ -1,29 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/dh.h>
-
-const ERR_STRING_DATA DH_error_string_data[] = {
-  {ERR_PACK(ERR_LIB_DH, DH_F_DH_new_method, 0), "DH_new_method"},
-  {ERR_PACK(ERR_LIB_DH, DH_F_compute_key, 0), "compute_key"},
-  {ERR_PACK(ERR_LIB_DH, DH_F_generate_key, 0), "generate_key"},
-  {ERR_PACK(ERR_LIB_DH, DH_F_generate_parameters, 0), "generate_parameters"},
-  {ERR_PACK(ERR_LIB_DH, 0, DH_R_BAD_GENERATOR), "BAD_GENERATOR"},
-  {ERR_PACK(ERR_LIB_DH, 0, DH_R_INVALID_PUBKEY), "INVALID_PUBKEY"},
-  {ERR_PACK(ERR_LIB_DH, 0, DH_R_MODULUS_TOO_LARGE), "MODULUS_TOO_LARGE"},
-  {ERR_PACK(ERR_LIB_DH, 0, DH_R_NO_PRIVATE_VALUE), "NO_PRIVATE_VALUE"},
-  {0, NULL},
-};
diff --git a/src/crypto/dh/dh_impl.c b/src/crypto/dh/dh_impl.c
index 9f416b7..f269412 100644
--- a/src/crypto/dh/dh_impl.c
+++ b/src/crypto/dh/dh_impl.c
@@ -58,9 +58,11 @@
 
 #include <openssl/bn.h>
 #include <openssl/err.h>
+#include <openssl/thread.h>
 
 #include "internal.h"
 
+
 #define OPENSSL_DH_MAX_MODULUS_BITS 10000
 
 static int generate_parameters(DH *ret, int prime_bits, int generator, BN_GENCB *cb) {
@@ -206,8 +208,8 @@ static int generate_key(DH *dh) {
     pub_key = dh->pub_key;
   }
 
-  mont =
-      BN_MONT_CTX_set_locked(&dh->method_mont_p, CRYPTO_LOCK_DH, dh->p, ctx);
+  mont = BN_MONT_CTX_set_locked(&dh->method_mont_p, &dh->method_mont_p_lock,
+                                dh->p, ctx);
   if (!mont) {
     goto err;
   }
@@ -243,10 +245,10 @@ err:
     OPENSSL_PUT_ERROR(DH, generate_key, ERR_R_BN_LIB);
   }
 
-  if (pub_key != NULL && dh->pub_key == NULL) {
+  if (dh->pub_key == NULL) {
     BN_free(pub_key);
   }
-  if (priv_key != NULL && dh->priv_key == NULL) {
+  if (dh->priv_key == NULL) {
     BN_free(priv_key);
   }
   BN_CTX_free(ctx);
@@ -281,8 +283,8 @@ static int compute_key(DH *dh, unsigned char *out, const BIGNUM *pub_key) {
     goto err;
   }
 
-  mont =
-      BN_MONT_CTX_set_locked(&dh->method_mont_p, CRYPTO_LOCK_DH, dh->p, ctx);
+  mont = BN_MONT_CTX_set_locked(&dh->method_mont_p, &dh->method_mont_p_lock,
+                                dh->p, ctx);
   if (!mont) {
     goto err;
   }
diff --git a/src/crypto/dh/dh_test.c b/src/crypto/dh/dh_test.cc
index 3575f34..16a5ae0 100644
--- a/src/crypto/dh/dh_test.c
+++ b/src/crypto/dh/dh_test.cc
@@ -59,151 +59,153 @@
 #include <stdio.h>
 #include <string.h>
 
-#include <openssl/bio.h>
+#include <vector>
+
 #include <openssl/bn.h>
 #include <openssl/crypto.h>
+#include <openssl/err.h>
 #include <openssl/mem.h>
 
 #include "internal.h"
+#include "../test/scoped_types.h"
+#include "../test/stl_compat.h"
+
+
+static bool RunBasicTests();
+static bool RunRFC5114Tests();
+
+int main(int argc, char *argv[]) {
+  CRYPTO_library_init();
 
+  if (!RunBasicTests() ||
+      !RunRFC5114Tests()) {
+    ERR_print_errors_fp(stderr);
+    return 1;
+  }
+
+  printf("PASS\n");
+  return 0;
+}
 
-static int cb(int p, int n, BN_GENCB *arg) {
+static int GenerateCallback(int p, int n, BN_GENCB *arg) {
   char c = '*';
 
-  if (p == 0)
+  if (p == 0) {
     c = '.';
-  if (p == 1)
+  } else if (p == 1) {
     c = '+';
-  if (p == 2)
+  } else if (p == 2) {
     c = '*';
-  if (p == 3)
+  } else if (p == 3) {
     c = '\n';
-  BIO_write(arg->arg, &c, 1);
-  (void)BIO_flush(arg->arg);
+  }
+  FILE *out = reinterpret_cast<FILE*>(arg->arg);
+  fputc(c, out);
+  fflush(out);
 
   return 1;
 }
 
-static int run_rfc5114_tests(void);
-
-int main(int argc, char *argv[]) {
-  BN_GENCB _cb;
-  DH *a;
-  DH *b = NULL;
-  char buf[12];
-  unsigned char *abuf = NULL, *bbuf = NULL;
-  int i, alen, blen, aout, bout, ret = 1;
-  BIO *out;
-
-  CRYPTO_library_init();
-
-  out = BIO_new(BIO_s_file());
-  if (out == NULL) {
-    return 1;
+static bool RunBasicTests() {
+  BN_GENCB cb;
+  BN_GENCB_set(&cb, &GenerateCallback, stdout);
+  ScopedDH a(DH_new());
+  if (!a || !DH_generate_parameters_ex(a.get(), 64, DH_GENERATOR_5, &cb)) {
+    return false;
   }
-  BIO_set_fp(out, stdout, BIO_NOCLOSE);
 
-  BN_GENCB_set(&_cb, &cb, out);
-  if (((a = DH_new()) == NULL) ||
-      !DH_generate_parameters_ex(a, 64, DH_GENERATOR_5, &_cb)) {
-    goto err;
+  int check_result;
+  if (!DH_check(a.get(), &check_result)) {
+    return false;
+  }
+  if (check_result & DH_CHECK_P_NOT_PRIME) {
+    printf("p value is not prime\n");
+  }
+  if (check_result & DH_CHECK_P_NOT_SAFE_PRIME) {
+    printf("p value is not a safe prime\n");
   }
+  if (check_result & DH_CHECK_UNABLE_TO_CHECK_GENERATOR) {
+    printf("unable to check the generator value\n");
+  }
+  if (check_result & DH_CHECK_NOT_SUITABLE_GENERATOR) {
+    printf("the g value is not a generator\n");
+  }
+
+  printf("\np    = ");
+  BN_print_fp(stdout, a->p);
+  printf("\ng    = ");
+  BN_print_fp(stdout, a->g);
+  printf("\n");
 
-  if (!DH_check(a, &i))
-    goto err;
-  if (i & DH_CHECK_P_NOT_PRIME)
-    BIO_puts(out, "p value is not prime\n");
-  if (i & DH_CHECK_P_NOT_SAFE_PRIME)
-    BIO_puts(out, "p value is not a safe prime\n");
-  if (i & DH_CHECK_UNABLE_TO_CHECK_GENERATOR)
-    BIO_puts(out, "unable to check the generator value\n");
-  if (i & DH_CHECK_NOT_SUITABLE_GENERATOR)
-    BIO_puts(out, "the g value is not a generator\n");
-
-  BIO_puts(out, "\np    =");
-  BN_print(out, a->p);
-  BIO_puts(out, "\ng    =");
-  BN_print(out, a->g);
-  BIO_puts(out, "\n");
-
-  b = DH_new();
-  if (b == NULL) {
-    goto err;
+  ScopedDH b(DH_new());
+  if (!b) {
+    return false;
   }
 
   b->p = BN_dup(a->p);
   b->g = BN_dup(a->g);
-  if (b->p == NULL || b->g == NULL) {
-    goto err;
+  if (b->p == nullptr || b->g == nullptr) {
+    return false;
   }
 
-  if (!DH_generate_key(a))
-    goto err;
-  BIO_puts(out, "pri 1=");
-  BN_print(out, a->priv_key);
-  BIO_puts(out, "\npub 1=");
-  BN_print(out, a->pub_key);
-  BIO_puts(out, "\n");
-
-  if (!DH_generate_key(b))
-    goto err;
-  BIO_puts(out, "pri 2=");
-  BN_print(out, b->priv_key);
-  BIO_puts(out, "\npub 2=");
-  BN_print(out, b->pub_key);
-  BIO_puts(out, "\n");
-
-  alen = DH_size(a);
-  abuf = (unsigned char *)OPENSSL_malloc(alen);
-  aout = DH_compute_key(abuf, b->pub_key, a);
-
-  BIO_puts(out, "key1 =");
-  for (i = 0; i < aout; i++) {
-    sprintf(buf, "%02X", abuf[i]);
-    BIO_puts(out, buf);
+  if (!DH_generate_key(a.get())) {
+    return false;
   }
-  BIO_puts(out, "\n");
+  printf("pri1 = ");
+  BN_print_fp(stdout, a->priv_key);
+  printf("\npub1 = ");
+  BN_print_fp(stdout, a->pub_key);
+  printf("\n");
+
+  if (!DH_generate_key(b.get())) {
+    return false;
+  }
+  printf("pri2 = ");
+  BN_print_fp(stdout, b->priv_key);
+  printf("\npub2 = ");
+  BN_print_fp(stdout, b->pub_key);
+  printf("\n");
+
+  std::vector<uint8_t> key1(DH_size(a.get()));
+  int ret = DH_compute_key(bssl::vector_data(&key1), b->pub_key, a.get());
+  if (ret < 0) {
+    return false;
+  }
+  key1.resize(ret);
+
+  printf("key1 = ");
+  for (size_t i = 0; i < key1.size(); i++) {
+    printf("%02x", key1[i]);
+  }
+  printf("\n");
 
-  blen = DH_size(b);
-  bbuf = (unsigned char *)OPENSSL_malloc(blen);
-  bout = DH_compute_key(bbuf, a->pub_key, b);
+  std::vector<uint8_t> key2(DH_size(b.get()));
+  ret = DH_compute_key(bssl::vector_data(&key2), a->pub_key, b.get());
+  if (ret < 0) {
+    return false;
+  }
+  key2.resize(ret);
 
-  BIO_puts(out, "key2 =");
-  for (i = 0; i < bout; i++) {
-    sprintf(buf, "%02X", bbuf[i]);
-    BIO_puts(out, buf);
+  printf("key2 = ");
+  for (size_t i = 0; i < key2.size(); i++) {
+    printf("%02x", key2[i]);
   }
-  BIO_puts(out, "\n");
-  if ((aout < 4) || (bout != aout) || (memcmp(abuf, bbuf, aout) != 0)) {
+  printf("\n");
+
+  if (key1.size() < 4 || key1 != key2) {
     fprintf(stderr, "Error in DH routines\n");
-    ret = 1;
-  } else
-    ret = 0;
-
-  if (!run_rfc5114_tests())
-    ret = 1;
-
-err:
-  BIO_print_errors_fp(stderr);
-
-  if (abuf != NULL)
-    OPENSSL_free(abuf);
-  if (bbuf != NULL)
-    OPENSSL_free(bbuf);
-  if (b != NULL)
-    DH_free(b);
-  if (a != NULL)
-    DH_free(a);
-  BIO_free(out);
-  return ret;
+    return false;
+  }
+
+  return true;
 }
 
 /* Test data from RFC 5114 */
 
-static const unsigned char dhtest_1024_160_xA[] = {
+static const uint8_t kDHTest1024_160_xA[] = {
     0xB9, 0xA3, 0xB3, 0xAE, 0x8F, 0xEF, 0xC1, 0xA2, 0x93, 0x04,
     0x96, 0x50, 0x70, 0x86, 0xF8, 0x45, 0x5D, 0x48, 0x94, 0x3E};
-static const unsigned char dhtest_1024_160_yA[] = {
+static const uint8_t kDHTest1024_160_yA[] = {
     0x2A, 0x85, 0x3B, 0x3D, 0x92, 0x19, 0x75, 0x01, 0xB9, 0x01, 0x5B, 0x2D,
     0xEB, 0x3E, 0xD8, 0x4F, 0x5E, 0x02, 0x1D, 0xCC, 0x3E, 0x52, 0xF1, 0x09,
     0xD3, 0x27, 0x3D, 0x2B, 0x75, 0x21, 0x28, 0x1C, 0xBA, 0xBE, 0x0E, 0x76,
@@ -215,10 +217,10 @@ static const unsigned char dhtest_1024_160_yA[] = {
     0x8F, 0x9D, 0x45, 0x96, 0x5F, 0x75, 0xA5, 0xF3, 0xD1, 0xDF, 0x37, 0x01,
     0x16, 0x5F, 0xC9, 0xE5, 0x0C, 0x42, 0x79, 0xCE, 0xB0, 0x7F, 0x98, 0x95,
     0x40, 0xAE, 0x96, 0xD5, 0xD8, 0x8E, 0xD7, 0x76};
-static const unsigned char dhtest_1024_160_xB[] = {
+static const uint8_t kDHTest1024_160_xB[] = {
     0x93, 0x92, 0xC9, 0xF9, 0xEB, 0x6A, 0x7A, 0x6A, 0x90, 0x22,
     0xF7, 0xD8, 0x3E, 0x72, 0x23, 0xC6, 0x83, 0x5B, 0xBD, 0xDA};
-static const unsigned char dhtest_1024_160_yB[] = {
+static const uint8_t kDHTest1024_160_yB[] = {
     0x71, 0x7A, 0x6C, 0xB0, 0x53, 0x37, 0x1F, 0xF4, 0xA3, 0xB9, 0x32, 0x94,
     0x1C, 0x1E, 0x56, 0x63, 0xF8, 0x61, 0xA1, 0xD6, 0xAD, 0x34, 0xAE, 0x66,
     0x57, 0x6D, 0xFB, 0x98, 0xF6, 0xC6, 0xCB, 0xF9, 0xDD, 0xD5, 0xA5, 0x6C,
@@ -230,7 +232,7 @@ static const unsigned char dhtest_1024_160_yB[] = {
     0x31, 0x1E, 0x53, 0xFD, 0x2C, 0x14, 0xB5, 0x74, 0xE6, 0xA3, 0x10, 0x9A,
     0x3D, 0xA1, 0xBE, 0x41, 0xBD, 0xCE, 0xAA, 0x18, 0x6F, 0x5C, 0xE0, 0x67,
     0x16, 0xA2, 0xB6, 0xA0, 0x7B, 0x3C, 0x33, 0xFE};
-static const unsigned char dhtest_1024_160_Z[] = {
+static const uint8_t kDHTest1024_160_Z[] = {
     0x5C, 0x80, 0x4F, 0x45, 0x4D, 0x30, 0xD9, 0xC4, 0xDF, 0x85, 0x27, 0x1F,
     0x93, 0x52, 0x8C, 0x91, 0xDF, 0x6B, 0x48, 0xAB, 0x5F, 0x80, 0xB3, 0xB5,
     0x9C, 0xAA, 0xC1, 0xB2, 0x8F, 0x8A, 0xCB, 0xA9, 0xCD, 0x3E, 0x39, 0xF3,
@@ -242,11 +244,11 @@ static const unsigned char dhtest_1024_160_Z[] = {
     0x5B, 0xD8, 0x3A, 0x19, 0xFB, 0x0B, 0x5E, 0x96, 0xBF, 0x8F, 0xA4, 0xD0,
     0x9E, 0x34, 0x55, 0x25, 0x16, 0x7E, 0xCD, 0x91, 0x55, 0x41, 0x6F, 0x46,
     0xF4, 0x08, 0xED, 0x31, 0xB6, 0x3C, 0x6E, 0x6D};
-static const unsigned char dhtest_2048_224_xA[] = {
+static const uint8_t kDHTest2048_224_xA[] = {
     0x22, 0xE6, 0x26, 0x01, 0xDB, 0xFF, 0xD0, 0x67, 0x08, 0xA6,
     0x80, 0xF7, 0x47, 0xF3, 0x61, 0xF7, 0x6D, 0x8F, 0x4F, 0x72,
     0x1A, 0x05, 0x48, 0xE4, 0x83, 0x29, 0x4B, 0x0C};
-static const unsigned char dhtest_2048_224_yA[] = {
+static const uint8_t kDHTest2048_224_yA[] = {
     0x1B, 0x3A, 0x63, 0x45, 0x1B, 0xD8, 0x86, 0xE6, 0x99, 0xE6, 0x7B, 0x49,
     0x4E, 0x28, 0x8B, 0xD7, 0xF8, 0xE0, 0xD3, 0x70, 0xBA, 0xDD, 0xA7, 0xA0,
     0xEF, 0xD2, 0xFD, 0xE7, 0xD8, 0xF6, 0x61, 0x45, 0xCC, 0x9F, 0x28, 0x04,
@@ -269,11 +271,11 @@ static const unsigned char dhtest_2048_224_yA[] = {
     0xB7, 0x0E, 0x71, 0x03, 0x92, 0x0A, 0xA1, 0x6D, 0x85, 0xE5, 0x2B, 0xCB,
     0xAB, 0x8D, 0x78, 0x6A, 0x68, 0x17, 0x8F, 0xA8, 0xFF, 0x7C, 0x2F, 0x5C,
     0x71, 0x64, 0x8D, 0x6F};
-static const unsigned char dhtest_2048_224_xB[] = {
+static const uint8_t kDHTest2048_224_xB[] = {
     0x4F, 0xF3, 0xBC, 0x96, 0xC7, 0xFC, 0x6A, 0x6D, 0x71, 0xD3,
     0xB3, 0x63, 0x80, 0x0A, 0x7C, 0xDF, 0xEF, 0x6F, 0xC4, 0x1B,
     0x44, 0x17, 0xEA, 0x15, 0x35, 0x3B, 0x75, 0x90};
-static const unsigned char dhtest_2048_224_yB[] = {
+static const uint8_t kDHTest2048_224_yB[] = {
     0x4D, 0xCE, 0xE9, 0x92, 0xA9, 0x76, 0x2A, 0x13, 0xF2, 0xF8, 0x38, 0x44,
     0xAD, 0x3D, 0x77, 0xEE, 0x0E, 0x31, 0xC9, 0x71, 0x8B, 0x3D, 0xB6, 0xC2,
     0x03, 0x5D, 0x39, 0x61, 0x18, 0x2C, 0x3E, 0x0B, 0xA2, 0x47, 0xEC, 0x41,
@@ -296,7 +298,7 @@ static const unsigned char dhtest_2048_224_yB[] = {
     0xB8, 0x56, 0xF9, 0x68, 0x27, 0x73, 0x4C, 0x18, 0x41, 0x38, 0xE9, 0x15,
     0xD9, 0xC3, 0x00, 0x2E, 0xBC, 0xE5, 0x31, 0x20, 0x54, 0x6A, 0x7E, 0x20,
     0x02, 0x14, 0x2B, 0x6C};
-static const unsigned char dhtest_2048_224_Z[] = {
+static const uint8_t kDHTest2048_224_Z[] = {
     0x34, 0xD9, 0xBD, 0xDC, 0x1B, 0x42, 0x17, 0x6C, 0x31, 0x3F, 0xEA, 0x03,
     0x4C, 0x21, 0x03, 0x4D, 0x07, 0x4A, 0x63, 0x13, 0xBB, 0x4E, 0xCD, 0xB3,
     0x70, 0x3F, 0xFF, 0x42, 0x45, 0x67, 0xA4, 0x6B, 0xDF, 0x75, 0x53, 0x0E,
@@ -319,11 +321,11 @@ static const unsigned char dhtest_2048_224_Z[] = {
     0x03, 0xE1, 0x3F, 0x95, 0x29, 0x95, 0xFB, 0x03, 0xC6, 0x9D, 0x3C, 0xC4,
     0x7F, 0xCB, 0x51, 0x0B, 0x69, 0x98, 0xFF, 0xD3, 0xAA, 0x6D, 0xE7, 0x3C,
     0xF9, 0xF6, 0x38, 0x69};
-static const unsigned char dhtest_2048_256_xA[] = {
+static const uint8_t kDHTest2048_256_xA[] = {
     0x08, 0x81, 0x38, 0x2C, 0xDB, 0x87, 0x66, 0x0C, 0x6D, 0xC1, 0x3E,
     0x61, 0x49, 0x38, 0xD5, 0xB9, 0xC8, 0xB2, 0xF2, 0x48, 0x58, 0x1C,
     0xC5, 0xE3, 0x1B, 0x35, 0x45, 0x43, 0x97, 0xFC, 0xE5, 0x0E};
-static const unsigned char dhtest_2048_256_yA[] = {
+static const uint8_t kDHTest2048_256_yA[] = {
     0x2E, 0x93, 0x80, 0xC8, 0x32, 0x3A, 0xF9, 0x75, 0x45, 0xBC, 0x49, 0x41,
     0xDE, 0xB0, 0xEC, 0x37, 0x42, 0xC6, 0x2F, 0xE0, 0xEC, 0xE8, 0x24, 0xA6,
     0xAB, 0xDB, 0xE6, 0x6C, 0x59, 0xBE, 0xE0, 0x24, 0x29, 0x11, 0xBF, 0xB9,
@@ -346,11 +348,11 @@ static const unsigned char dhtest_2048_256_yA[] = {
     0x4E, 0x90, 0x52, 0x69, 0x34, 0x1D, 0xC0, 0x71, 0x14, 0x26, 0x68, 0x5F,
     0x4E, 0xF3, 0x7E, 0x86, 0x8A, 0x81, 0x26, 0xFF, 0x3F, 0x22, 0x79, 0xB5,
     0x7C, 0xA6, 0x7E, 0x29};
-static const unsigned char dhtest_2048_256_xB[] = {
+static const uint8_t kDHTest2048_256_xB[] = {
     0x7D, 0x62, 0xA7, 0xE3, 0xEF, 0x36, 0xDE, 0x61, 0x7B, 0x13, 0xD1,
     0xAF, 0xB8, 0x2C, 0x78, 0x0D, 0x83, 0xA2, 0x3B, 0xD4, 0xEE, 0x67,
     0x05, 0x64, 0x51, 0x21, 0xF3, 0x71, 0xF5, 0x46, 0xA5, 0x3D};
-static const unsigned char dhtest_2048_256_yB[] = {
+static const uint8_t kDHTest2048_256_yB[] = {
     0x57, 0x5F, 0x03, 0x51, 0xBD, 0x2B, 0x1B, 0x81, 0x74, 0x48, 0xBD, 0xF8,
     0x7A, 0x6C, 0x36, 0x2C, 0x1E, 0x28, 0x9D, 0x39, 0x03, 0xA3, 0x0B, 0x98,
     0x32, 0xC5, 0x74, 0x1F, 0xA2, 0x50, 0x36, 0x3E, 0x7A, 0xCB, 0xC7, 0xF7,
@@ -373,7 +375,7 @@ static const unsigned char dhtest_2048_256_yB[] = {
     0x90, 0xB8, 0x9D, 0x24, 0xF7, 0x1B, 0x0A, 0xB6, 0x97, 0x82, 0x3D, 0x7D,
     0xEB, 0x1A, 0xFF, 0x5B, 0x0E, 0x8E, 0x4A, 0x45, 0xD4, 0x9F, 0x7F, 0x53,
     0x75, 0x7E, 0x19, 0x13};
-static const unsigned char dhtest_2048_256_Z[] = {
+static const uint8_t kDHTest2048_256_Z[] = {
     0x86, 0xC7, 0x0B, 0xF8, 0xD0, 0xBB, 0x81, 0xBB, 0x01, 0x07, 0x8A, 0x17,
     0x21, 0x9C, 0xB7, 0xD2, 0x72, 0x03, 0xDB, 0x2A, 0x19, 0xC8, 0x77, 0xF1,
     0xD1, 0xF1, 0x9F, 0xD7, 0xD7, 0x7E, 0xF2, 0x25, 0x46, 0xA6, 0x8F, 0x00,
@@ -397,106 +399,82 @@ static const unsigned char dhtest_2048_256_Z[] = {
     0xEA, 0x87, 0xFE, 0xBE, 0x63, 0xB6, 0xC8, 0xF8, 0x46, 0xEC, 0x6D, 0xB0,
     0xC2, 0x6C, 0x5D, 0x7C};
 
-typedef struct {
+struct RFC5114TestData {
   DH *(*get_param)(const ENGINE *engine);
-  const unsigned char *xA;
+  const uint8_t *xA;
   size_t xA_len;
-  const unsigned char *yA;
+  const uint8_t *yA;
   size_t yA_len;
-  const unsigned char *xB;
+  const uint8_t *xB;
   size_t xB_len;
-  const unsigned char *yB;
+  const uint8_t *yB;
   size_t yB_len;
-  const unsigned char *Z;
+  const uint8_t *Z;
   size_t Z_len;
-} rfc5114_td;
+};
 
-#define make_rfc5114_td(pre)                                                  \
+#define MAKE_RFC5114_TEST_DATA(pre)                                           \
   {                                                                           \
-    DH_get_##pre, dhtest_##pre##_xA, sizeof(dhtest_##pre##_xA),               \
-        dhtest_##pre##_yA, sizeof(dhtest_##pre##_yA), dhtest_##pre##_xB,      \
-        sizeof(dhtest_##pre##_xB), dhtest_##pre##_yB,                         \
-        sizeof(dhtest_##pre##_yB), dhtest_##pre##_Z, sizeof(dhtest_##pre##_Z) \
+    DH_get_##pre, kDHTest##pre##_xA, sizeof(kDHTest##pre##_xA),               \
+        kDHTest##pre##_yA, sizeof(kDHTest##pre##_yA), kDHTest##pre##_xB,      \
+        sizeof(kDHTest##pre##_xB), kDHTest##pre##_yB,                         \
+        sizeof(kDHTest##pre##_yB), kDHTest##pre##_Z, sizeof(kDHTest##pre##_Z) \
   }
 
-static const rfc5114_td rfctd[] = {make_rfc5114_td(1024_160),
-                                   make_rfc5114_td(2048_224),
-                                   make_rfc5114_td(2048_256)};
-
-static int run_rfc5114_tests(void) {
-  int i;
-  DH *dhA = NULL, *dhB = NULL;
-  unsigned char *Z1 = NULL, *Z2 = NULL;
+static const RFC5114TestData kRFCTestData[] = {
+    MAKE_RFC5114_TEST_DATA(1024_160),
+    MAKE_RFC5114_TEST_DATA(2048_224),
+    MAKE_RFC5114_TEST_DATA(2048_256),
+ };
 
-  for (i = 0; i < (int)(sizeof(rfctd) / sizeof(rfc5114_td)); i++) {
-    const rfc5114_td *td = rfctd + i;
+static bool RunRFC5114Tests() {
+  for (unsigned i = 0; i < sizeof(kRFCTestData) / sizeof(RFC5114TestData); i++) {
+    const RFC5114TestData *td = kRFCTestData + i;
     /* Set up DH structures setting key components */
-    dhA = td->get_param(NULL);
-    dhB = td->get_param(NULL);
-    if (!dhA || !dhB)
-      goto bad_err;
-
-    dhA->priv_key = BN_bin2bn(td->xA, td->xA_len, NULL);
-    dhA->pub_key = BN_bin2bn(td->yA, td->yA_len, NULL);
-
-    dhB->priv_key = BN_bin2bn(td->xB, td->xB_len, NULL);
-    dhB->pub_key = BN_bin2bn(td->yB, td->yB_len, NULL);
-
-    if (!dhA->priv_key || !dhA->pub_key || !dhB->priv_key || !dhB->pub_key)
-      goto bad_err;
-
-    if ((td->Z_len != (size_t)DH_size(dhA)) ||
-        (td->Z_len != (size_t)DH_size(dhB)))
-      goto err;
-
-    Z1 = OPENSSL_malloc(DH_size(dhA));
-    Z2 = OPENSSL_malloc(DH_size(dhB));
+    ScopedDH dhA(td->get_param(nullptr));
+    ScopedDH dhB(td->get_param(nullptr));
+    if (!dhA || !dhB) {
+      fprintf(stderr, "Initialisation error RFC5114 set %u\n", i + 1);
+      return false;
+    }
+
+    dhA->priv_key = BN_bin2bn(td->xA, td->xA_len, nullptr);
+    dhA->pub_key = BN_bin2bn(td->yA, td->yA_len, nullptr);
+
+    dhB->priv_key = BN_bin2bn(td->xB, td->xB_len, nullptr);
+    dhB->pub_key = BN_bin2bn(td->yB, td->yB_len, nullptr);
+
+    if (!dhA->priv_key || !dhA->pub_key || !dhB->priv_key || !dhB->pub_key) {
+      fprintf(stderr, "BN_bin2bn error RFC5114 set %u\n", i + 1);
+      return false;
+    }
+
+    if ((td->Z_len != (size_t)DH_size(dhA.get())) ||
+        (td->Z_len != (size_t)DH_size(dhB.get()))) {
+      return false;
+    }
+
+    std::vector<uint8_t> Z1(DH_size(dhA.get()));
+    std::vector<uint8_t> Z2(DH_size(dhB.get()));
     /* Work out shared secrets using both sides and compare
-     * with expected values.
-     */
-    if (!DH_compute_key(Z1, dhB->pub_key, dhA))
-      goto bad_err;
-    if (!DH_compute_key(Z2, dhA->pub_key, dhB))
-      goto bad_err;
-
-    if (memcmp(Z1, td->Z, td->Z_len))
-      goto err;
-    if (memcmp(Z2, td->Z, td->Z_len))
-      goto err;
-
-    printf("RFC5114 parameter test %d OK\n", i + 1);
-
-    DH_free(dhA);
-    dhA = NULL;
-    DH_free(dhB);
-    dhB = NULL;
-    OPENSSL_free(Z1);
-    Z1 = NULL;
-    OPENSSL_free(Z2);
-    Z2 = NULL;
+     * with expected values. */
+    int ret1 = DH_compute_key(bssl::vector_data(&Z1), dhB->pub_key, dhA.get());
+    int ret2 = DH_compute_key(bssl::vector_data(&Z2), dhA->pub_key, dhB.get());
+    if (ret1 < 0 || ret2 < 0) {
+      fprintf(stderr, "DH_compute_key error RFC5114 set %u\n", i + 1);
+      return false;
+    }
+
+    if (static_cast<size_t>(ret1) != td->Z_len ||
+        memcmp(bssl::vector_data(&Z1), td->Z, td->Z_len) != 0 ||
+        static_cast<size_t>(ret2) != td->Z_len ||
+        memcmp(bssl::vector_data(&Z2), td->Z, td->Z_len) != 0) {
+      fprintf(stderr, "Test failed RFC5114 set %u\n", i + 1);
+      return false;
+    }
+
+    printf("RFC5114 parameter test %u OK\n", i + 1);
   }
 
-  printf("PASS\n");
   return 1;
-
-bad_err:
-  fprintf(stderr, "Initalisation error RFC5114 set %d\n", i + 1);
-  BIO_print_errors_fp(stderr);
-
-err:
-  if (Z1 != NULL) {
-    OPENSSL_free(Z1);
-  }
-  if (Z2 != NULL) {
-    OPENSSL_free(Z2);
-  }
-  if (dhA != NULL) {
-    DH_free(dhA);
-  }
-  if (dhB != NULL) {
-    DH_free(dhB);
-  }
-
-  fprintf(stderr, "Test failed RFC5114 set %d\n", i + 1);
-  return 0;
 }
diff --git a/src/crypto/digest/CMakeLists.txt b/src/crypto/digest/CMakeLists.txt
index 6426399..8cab46a 100644
--- a/src/crypto/digest/CMakeLists.txt
+++ b/src/crypto/digest/CMakeLists.txt
@@ -7,13 +7,12 @@ add_library(
 
   digest.c
   digests.c
-  digest_error.c
 )
 
 add_executable(
   digest_test
 
-  digest_test.c
+  digest_test.cc
 )
 
 target_link_libraries(digest_test crypto)
diff --git a/src/crypto/digest/digest.c b/src/crypto/digest/digest.c
index 3897c60..e32eafd 100644
--- a/src/crypto/digest/digest.c
+++ b/src/crypto/digest/digest.c
@@ -68,8 +68,6 @@
 
 int EVP_MD_type(const EVP_MD *md) { return md->type; }
 
-const char *EVP_MD_name(const EVP_MD *md) { return OBJ_nid2sn(md->type); }
-
 uint32_t EVP_MD_flags(const EVP_MD *md) { return md->flags; }
 
 size_t EVP_MD_size(const EVP_MD *md) { return md->md_size; }
diff --git a/src/crypto/digest/digest_error.c b/src/crypto/digest/digest_error.c
deleted file mode 100644
index 0cc6702..0000000
--- a/src/crypto/digest/digest_error.c
+++ /dev/null
@@ -1,24 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/digest.h>
-
-const ERR_STRING_DATA DIGEST_error_string_data[] = {
-  {ERR_PACK(ERR_LIB_DIGEST, DIGEST_F_EVP_DigestInit_ex, 0), "EVP_DigestInit_ex"},
-  {ERR_PACK(ERR_LIB_DIGEST, DIGEST_F_EVP_MD_CTX_copy_ex, 0), "EVP_MD_CTX_copy_ex"},
-  {ERR_PACK(ERR_LIB_DIGEST, 0, DIGEST_R_INPUT_NOT_INITIALIZED), "INPUT_NOT_INITIALIZED"},
-  {0, NULL},
-};
diff --git a/src/crypto/digest/digest_test.c b/src/crypto/digest/digest_test.cc
index 6c73e95..dcb569c 100644
--- a/src/crypto/digest/digest_test.c
+++ b/src/crypto/digest/digest_test.cc
@@ -23,102 +23,118 @@
 #include <openssl/md5.h>
 #include <openssl/sha.h>
 
+#include "../test/scoped_types.h"
 
-typedef struct {
-  /* md_func is the digest to test. */
-  const EVP_MD *(*md_func)(void);
-  /* one_shot_func is the convenience one-shot version of the
-   * digest. */
+
+struct MD {
+  // name is the name of the digest.
+  const char* name;
+  // md_func is the digest to test.
+  const EVP_MD *(*func)(void);
+  // one_shot_func is the convenience one-shot version of the
+  // digest.
   uint8_t *(*one_shot_func)(const uint8_t *, size_t, uint8_t *);
-  /* input is a NUL-terminated string to hash. */
+};
+
+static const MD md4 = { "MD4", &EVP_md4, nullptr };
+static const MD md5 = { "MD5", &EVP_md5, &MD5 };
+static const MD sha1 = { "SHA1", &EVP_sha1, &SHA1 };
+static const MD sha224 = { "SHA224", &EVP_sha224, &SHA224 };
+static const MD sha256 = { "SHA256", &EVP_sha256, &SHA256 };
+static const MD sha384 = { "SHA384", &EVP_sha384, &SHA384 };
+static const MD sha512 = { "SHA512", &EVP_sha512, &SHA512 };
+static const MD md5_sha1 = { "MD5-SHA1", &EVP_md5_sha1, nullptr };
+
+struct TestVector {
+  // md is the digest to test.
+  const MD &md;
+  // input is a NUL-terminated string to hash.
   const char *input;
-  /* repeat is the number of times to repeat input. */
+  // repeat is the number of times to repeat input.
   size_t repeat;
-  /* expected_hex is the expected digest in hexadecimal. */
+  // expected_hex is the expected digest in hexadecimal.
   const char *expected_hex;
-} TEST_VECTOR;
-
-static const TEST_VECTOR kTestVectors[] = {
-    /* MD4 tests, from RFC 1320. (crypto/md4 does not provide a
-     * one-shot MD4 function.) */
-    { &EVP_md4, NULL, "", 1, "31d6cfe0d16ae931b73c59d7e0c089c0" },
-    { &EVP_md4, NULL, "a", 1, "bde52cb31de33e46245e05fbdbd6fb24" },
-    { &EVP_md4, NULL, "abc", 1, "a448017aaf21d8525fc10ae87aa6729d" },
-    { &EVP_md4, NULL, "message digest", 1,
-      "d9130a8164549fe818874806e1c7014b" },
-    { &EVP_md4, NULL, "abcdefghijklmnopqrstuvwxyz", 1,
+};
+
+static const TestVector kTestVectors[] = {
+    // MD4 tests, from RFC 1320. (crypto/md4 does not provide a
+    // one-shot MD4 function.)
+    { md4, "", 1, "31d6cfe0d16ae931b73c59d7e0c089c0" },
+    { md4, "a", 1, "bde52cb31de33e46245e05fbdbd6fb24" },
+    { md4, "abc", 1, "a448017aaf21d8525fc10ae87aa6729d" },
+    { md4, "message digest", 1, "d9130a8164549fe818874806e1c7014b" },
+    { md4, "abcdefghijklmnopqrstuvwxyz", 1,
       "d79e1c308aa5bbcdeea8ed63df412da9" },
-    { &EVP_md4, NULL,
+    { md4,
       "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", 1,
       "043f8582f241db351ce627e153e7f0e4" },
-    { &EVP_md4, NULL, "1234567890", 8, "e33b4ddc9c38f2199c3e7b164fcc0536" },
-
-    /* MD5 tests, from RFC 1321. */
-    { &EVP_md5, &MD5, "", 1, "d41d8cd98f00b204e9800998ecf8427e" },
-    { &EVP_md5, &MD5, "a", 1, "0cc175b9c0f1b6a831c399e269772661" },
-    { &EVP_md5, &MD5, "abc", 1, "900150983cd24fb0d6963f7d28e17f72" },
-    { &EVP_md5, &MD5, "message digest", 1, "f96b697d7cb7938d525a2f31aaf161d0" },
-    { &EVP_md5, &MD5, "abcdefghijklmnopqrstuvwxyz", 1,
+    { md4, "1234567890", 8, "e33b4ddc9c38f2199c3e7b164fcc0536" },
+
+    // MD5 tests, from RFC 1321.
+    { md5, "", 1, "d41d8cd98f00b204e9800998ecf8427e" },
+    { md5, "a", 1, "0cc175b9c0f1b6a831c399e269772661" },
+    { md5, "abc", 1, "900150983cd24fb0d6963f7d28e17f72" },
+    { md5, "message digest", 1, "f96b697d7cb7938d525a2f31aaf161d0" },
+    { md5, "abcdefghijklmnopqrstuvwxyz", 1,
       "c3fcd3d76192e4007dfb496cca67e13b" },
-    { &EVP_md5, &MD5,
+    { md5,
       "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", 1,
       "d174ab98d277d9f5a5611c2c9f419d9f" },
-    { &EVP_md5, &MD5, "1234567890", 8, "57edf4a22be3c955ac49da2e2107b67a" },
+    { md5, "1234567890", 8, "57edf4a22be3c955ac49da2e2107b67a" },
 
-    /* SHA-1 tests, from RFC 3174. */
-    { &EVP_sha1, &SHA1, "abc", 1, "a9993e364706816aba3e25717850c26c9cd0d89d" },
-    { &EVP_sha1, &SHA1,
+    // SHA-1 tests, from RFC 3174.
+    { sha1, "abc", 1, "a9993e364706816aba3e25717850c26c9cd0d89d" },
+    { sha1,
       "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 1,
       "84983e441c3bd26ebaae4aa1f95129e5e54670f1" },
-    { &EVP_sha1, &SHA1, "a", 1000000,
-      "34aa973cd4c4daa4f61eeb2bdbad27316534016f" },
-    { &EVP_sha1, &SHA1,
+    { sha1, "a", 1000000, "34aa973cd4c4daa4f61eeb2bdbad27316534016f" },
+    { sha1,
       "0123456701234567012345670123456701234567012345670123456701234567", 10,
       "dea356a2cddd90c7a7ecedc5ebb563934f460452" },
 
-    /* SHA-224 tests, from RFC 3874. */
-    { &EVP_sha224, &SHA224, "abc", 1,
+    // SHA-224 tests, from RFC 3874.
+    { sha224, "abc", 1,
       "23097d223405d8228642a477bda255b32aadbce4bda0b3f7e36c9da7" },
-    { &EVP_sha224, &SHA224,
+    { sha224,
       "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 1,
       "75388b16512776cc5dba5da1fd890150b0c6455cb4f58b1952522525" },
-    { &EVP_sha224, &SHA224,
+    { sha224,
       "a", 1000000,
       "20794655980c91d8bbb4c1ea97618a4bf03f42581948b2ee4ee7ad67" },
 
-    /* SHA-256 tests, from NIST. */
-    { &EVP_sha256, &SHA256, "abc", 1,
+    // SHA-256 tests, from NIST.
+    { sha256, "abc", 1,
       "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad" },
-    { &EVP_sha256, &SHA256,
+    { sha256,
       "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 1,
       "248d6a61d20638b8e5c026930c3e6039a33ce45964ff2167f6ecedd419db06c1" },
 
-    /* SHA-384 tests, from NIST. */
-    { &EVP_sha384, &SHA384, "abc", 1,
+    // SHA-384 tests, from NIST.
+    { sha384, "abc", 1,
       "cb00753f45a35e8bb5a03d699ac65007272c32ab0eded1631a8b605a43ff5bed"
       "8086072ba1e7cc2358baeca134c825a7" },
-    { &EVP_sha384, &SHA384,
+    { sha384,
       "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
       "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu", 1,
       "09330c33f71147e83d192fc782cd1b4753111b173b3b05d22fa08086e3b0f712"
       "fcc7c71a557e2db966c3e9fa91746039" },
 
-    /* SHA-512 tests, from NIST. */
-    { &EVP_sha512, &SHA512, "abc", 1,
+    // SHA-512 tests, from NIST.
+    { sha512, "abc", 1,
       "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
       "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f" },
-    { &EVP_sha512, &SHA512,
+    { sha512,
       "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
       "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu", 1,
       "8e959b75dae313da8cf4f72814fc143f8f7779c6eb9f7fa17299aeadb6889018"
       "501d289e4900f7e4331b99dec4b5433ac7d329eeb6dd26545e96e55b874be909" },
 
-    /* MD5-SHA1 tests. */
-    { &EVP_md5_sha1, NULL, "abc", 1,
+    // MD5-SHA1 tests.
+    { md5_sha1, "abc", 1,
       "900150983cd24fb0d6963f7d28e17f72a9993e364706816aba3e25717850c26c9cd0d89d" },
 };
 
-static int compare_digest(const TEST_VECTOR *test,
+static bool CompareDigest(const TestVector *test,
                           const uint8_t *digest,
                           size_t digest_len) {
   static const char kHexTable[] = "0123456789abcdef";
@@ -133,107 +149,96 @@ static int compare_digest(const TEST_VECTOR *test,
 
   if (strcmp(digest_hex, test->expected_hex) != 0) {
     fprintf(stderr, "%s(\"%s\" * %d) = %s; want %s\n",
-            EVP_MD_name(test->md_func()), test->input, (int)test->repeat,
+            test->md.name, test->input, (int)test->repeat,
             digest_hex, test->expected_hex);
-    return 0;
+    return false;
   }
 
-  return 1;
+  return true;
 }
 
-static int test_digest(const TEST_VECTOR *test) {
-  int ret = 0;
-  EVP_MD_CTX ctx;
-  size_t i;
-  uint8_t digest[EVP_MAX_MD_SIZE];
-  unsigned digest_len;
-
-  EVP_MD_CTX_init(&ctx);
+static int TestDigest(const TestVector *test) {
+  ScopedEVP_MD_CTX ctx;
 
-  /* Test the input provided. */
-  if (!EVP_DigestInit_ex(&ctx, test->md_func(), NULL)) {
+  // Test the input provided.
+  if (!EVP_DigestInit_ex(ctx.get(), test->md.func(), NULL)) {
     fprintf(stderr, "EVP_DigestInit_ex failed\n");
-    goto done;
+    return false;
   }
-  for (i = 0; i < test->repeat; i++) {
-    if (!EVP_DigestUpdate(&ctx, test->input, strlen(test->input))) {
+  for (size_t i = 0; i < test->repeat; i++) {
+    if (!EVP_DigestUpdate(ctx.get(), test->input, strlen(test->input))) {
       fprintf(stderr, "EVP_DigestUpdate failed\n");
-      goto done;
+      return false;
     }
   }
-  if (!EVP_DigestFinal_ex(&ctx, digest, &digest_len)) {
+  uint8_t digest[EVP_MAX_MD_SIZE];
+  unsigned digest_len;
+  if (!EVP_DigestFinal_ex(ctx.get(), digest, &digest_len)) {
     fprintf(stderr, "EVP_DigestFinal_ex failed\n");
-    goto done;
+    return false;
   }
-  if (!compare_digest(test, digest, digest_len)) {
-    goto done;
+  if (!CompareDigest(test, digest, digest_len)) {
+    return false;
   }
 
-  /* Test the input one character at a time. */
-  if (!EVP_DigestInit_ex(&ctx, test->md_func(), NULL)) {
+  // Test the input one character at a time.
+  if (!EVP_DigestInit_ex(ctx.get(), test->md.func(), NULL)) {
     fprintf(stderr, "EVP_DigestInit_ex failed\n");
-    goto done;
+    return false;
   }
-  if (!EVP_DigestUpdate(&ctx, NULL, 0)) {
+  if (!EVP_DigestUpdate(ctx.get(), NULL, 0)) {
     fprintf(stderr, "EVP_DigestUpdate failed\n");
-    goto done;
+    return false;
   }
-  for (i = 0; i < test->repeat; i++) {
-    const char *p;
-    for (p = test->input; *p; p++) {
-      if (!EVP_DigestUpdate(&ctx, p, 1)) {
+  for (size_t i = 0; i < test->repeat; i++) {
+    for (const char *p = test->input; *p; p++) {
+      if (!EVP_DigestUpdate(ctx.get(), p, 1)) {
         fprintf(stderr, "EVP_DigestUpdate failed\n");
-        goto done;
+        return false;
       }
     }
   }
-  if (!EVP_DigestFinal_ex(&ctx, digest, &digest_len)) {
+  if (!EVP_DigestFinal_ex(ctx.get(), digest, &digest_len)) {
     fprintf(stderr, "EVP_DigestFinal_ex failed\n");
-    goto done;
+    return false;
   }
-  if (digest_len != EVP_MD_size(test->md_func())) {
+  if (digest_len != EVP_MD_size(test->md.func())) {
     fprintf(stderr, "EVP_MD_size output incorrect\n");
-    goto done;
+    return false;
   }
-  if (!compare_digest(test, digest, digest_len)) {
-    goto done;
+  if (!CompareDigest(test, digest, digest_len)) {
+    return false;
   }
 
-  /* Test the one-shot function. */
-  if (test->one_shot_func && test->repeat == 1) {
-    uint8_t *out = test->one_shot_func((const uint8_t *)test->input,
-                                       strlen(test->input), digest);
+  // Test the one-shot function.
+  if (test->md.one_shot_func && test->repeat == 1) {
+    uint8_t *out = test->md.one_shot_func((const uint8_t *)test->input,
+                                          strlen(test->input), digest);
     if (out != digest) {
       fprintf(stderr, "one_shot_func gave incorrect return\n");
-      goto done;
+      return false;
     }
-    if (!compare_digest(test, digest, EVP_MD_size(test->md_func()))) {
-      goto done;
+    if (!CompareDigest(test, digest, EVP_MD_size(test->md.func()))) {
+      return false;
     }
 
-    /* Test the deprecated static buffer variant, until it's removed. */
-    out = test->one_shot_func((const uint8_t *)test->input, strlen(test->input),
-                              NULL);
-    if (!compare_digest(test, out, EVP_MD_size(test->md_func()))) {
-      goto done;
+    // Test the deprecated static buffer variant, until it's removed.
+    out = test->md.one_shot_func((const uint8_t *)test->input,
+                                 strlen(test->input), NULL);
+    if (!CompareDigest(test, out, EVP_MD_size(test->md.func()))) {
+      return false;
     }
   }
 
-  ret = 1;
-
-done:
-  EVP_MD_CTX_cleanup(&ctx);
-  return ret;
+  return true;
 }
 
 int main(void) {
-  size_t i;
-
   CRYPTO_library_init();
   ERR_load_crypto_strings();
 
-  for (i = 0; i < sizeof(kTestVectors) / sizeof(kTestVectors[0]); i++) {
-    if (!test_digest(&kTestVectors[i])) {
+  for (size_t i = 0; i < sizeof(kTestVectors) / sizeof(kTestVectors[0]); i++) {
+    if (!TestDigest(&kTestVectors[i])) {
       fprintf(stderr, "Test %d failed\n", (int)i);
       return 1;
     }
diff --git a/src/crypto/digest/md32_common.h b/src/crypto/digest/md32_common.h
index a4ce355..d7caba2 100644
--- a/src/crypto/digest/md32_common.h
+++ b/src/crypto/digest/md32_common.h
@@ -51,8 +51,6 @@
 
 #include <openssl/base.h>
 
-#include <string.h>
-
 
 #if defined(__cplusplus)
 extern "C" {
@@ -74,8 +72,7 @@ extern "C" {
  * HASH_CBLOCK
  *	size of a unit chunk HASH_BLOCK operates on.
  * HASH_LONG
- *	has to be at lest 32 bit wide, if it's wider, then
- *	HASH_LONG_LOG2 *has to* be defined along
+ *	has to be at least 32 bit wide.
  * HASH_CTX
  *	context structure that at least contains following
  *	members:
@@ -103,19 +100,6 @@ extern "C" {
  * HASH_MAKE_STRING
  *	macro convering context variables to an ASCII hash string.
  *
- * MD5 example:
- *
- *	#define DATA_ORDER_IS_LITTLE_ENDIAN
- *
- *	#define HASH_LONG		MD5_LONG
- *	#define HASH_LONG_LOG2		MD5_LONG_LOG2
- *	#define HASH_CTX		MD5_CTX
- *	#define HASH_CBLOCK		MD5_CBLOCK
- *	#define HASH_UPDATE		MD5_Update
- *	#define HASH_TRANSFORM		MD5_Transform
- *	#define HASH_FINAL		MD5_Final
- *	#define HASH_BLOCK_DATA_ORDER	md5_block_data_order
- *
  *					<appro@fy.chalmers.se>
  */
 
diff --git a/src/crypto/directory_posix.c b/src/crypto/directory_posix.c
index c16701d..b944b69 100644
--- a/src/crypto/directory_posix.c
+++ b/src/crypto/directory_posix.c
@@ -35,6 +35,7 @@
 
 #include <dirent.h>
 #include <errno.h>
+#include <stdlib.h>
 #include <string.h>
 
 #if defined(OPENSSL_PNACL)
diff --git a/src/crypto/directory_win.c b/src/crypto/directory_win.c
index 2e4600f..4ebacf2 100644
--- a/src/crypto/directory_win.c
+++ b/src/crypto/directory_win.c
@@ -41,6 +41,9 @@
 #define NAME_MAX 255
 #endif
 
+#include <openssl/mem.h>
+
+
 struct OPENSSL_dir_context_st {
   WIN32_FIND_DATA ctx;
   HANDLE handle;
diff --git a/src/crypto/dsa/CMakeLists.txt b/src/crypto/dsa/CMakeLists.txt
index fbc053e..dab2c4c 100644
--- a/src/crypto/dsa/CMakeLists.txt
+++ b/src/crypto/dsa/CMakeLists.txt
@@ -8,7 +8,6 @@ add_library(
   dsa.c
   dsa_impl.c
   dsa_asn1.c
-  dsa_error.c
 )
 
 add_executable(
diff --git a/src/crypto/dsa/dsa.c b/src/crypto/dsa/dsa.c
index 8816b63..e8e3d73 100644
--- a/src/crypto/dsa/dsa.c
+++ b/src/crypto/dsa/dsa.c
@@ -67,12 +67,16 @@
 #include <openssl/err.h>
 #include <openssl/ex_data.h>
 #include <openssl/mem.h>
+#include <openssl/thread.h>
 
 #include "internal.h"
+#include "../internal.h"
 
 
 extern const DSA_METHOD DSA_default_method;
 
+static CRYPTO_EX_DATA_CLASS g_ex_data_class = CRYPTO_EX_DATA_CLASS_INIT;
+
 DSA *DSA_new(void) { return DSA_new_method(NULL); }
 
 DSA *DSA_new_method(const ENGINE *engine) {
@@ -96,14 +100,16 @@ DSA *DSA_new_method(const ENGINE *engine) {
   dsa->write_params = 1;
   dsa->references = 1;
 
-  if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DSA, dsa, &dsa->ex_data)) {
+  CRYPTO_MUTEX_init(&dsa->method_mont_p_lock);
+
+  if (!CRYPTO_new_ex_data(&g_ex_data_class, dsa, &dsa->ex_data)) {
     METHOD_unref(dsa->meth);
     OPENSSL_free(dsa);
     return NULL;
   }
 
   if (dsa->meth->init && !dsa->meth->init(dsa)) {
-    CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DSA, dsa, &dsa->ex_data);
+    CRYPTO_free_ex_data(&g_ex_data_class, dsa, &dsa->ex_data);
     METHOD_unref(dsa->meth);
     OPENSSL_free(dsa);
     return NULL;
@@ -126,22 +132,16 @@ void DSA_free(DSA *dsa) {
   }
   METHOD_unref(dsa->meth);
 
-  CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DSA, dsa, &dsa->ex_data);
-
-  if (dsa->p != NULL)
-    BN_clear_free(dsa->p);
-  if (dsa->q != NULL)
-    BN_clear_free(dsa->q);
-  if (dsa->g != NULL)
-    BN_clear_free(dsa->g);
-  if (dsa->pub_key != NULL)
-    BN_clear_free(dsa->pub_key);
-  if (dsa->priv_key != NULL)
-    BN_clear_free(dsa->priv_key);
-  if (dsa->kinv != NULL)
-    BN_clear_free(dsa->kinv);
-  if (dsa->r != NULL)
-    BN_clear_free(dsa->r);
+  CRYPTO_free_ex_data(&g_ex_data_class, dsa, &dsa->ex_data);
+
+  BN_clear_free(dsa->p);
+  BN_clear_free(dsa->q);
+  BN_clear_free(dsa->g);
+  BN_clear_free(dsa->pub_key);
+  BN_clear_free(dsa->priv_key);
+  BN_clear_free(dsa->kinv);
+  BN_clear_free(dsa->r);
+  CRYPTO_MUTEX_cleanup(&dsa->method_mont_p_lock);
   OPENSSL_free(dsa);
 }
 
@@ -184,12 +184,8 @@ void DSA_SIG_free(DSA_SIG *sig) {
     return;
   }
 
-  if (sig->r) {
-    BN_free(sig->r);
-  }
-  if (sig->s) {
-    BN_free(sig->s);
-  }
+  BN_free(sig->r);
+  BN_free(sig->s);
   OPENSSL_free(sig);
 }
 
@@ -268,12 +264,8 @@ int DSA_check_signature(int *out_valid, const uint8_t *digest,
   ret = DSA_do_check_signature(out_valid, digest, digest_len, s, dsa);
 
 err:
-  if (der != NULL) {
-    OPENSSL_free(der);
-  }
-  if (s) {
-    DSA_SIG_free(s);
-  }
+  OPENSSL_free(der);
+  DSA_SIG_free(s);
   return ret;
 }
 
@@ -309,8 +301,12 @@ int DSA_sign_setup(const DSA *dsa, BN_CTX *ctx, BIGNUM **out_kinv,
 
 int DSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
                          CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) {
-  return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_DSA, argl, argp, new_func,
-                                 dup_func, free_func);
+  int index;
+  if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp, new_func,
+                               dup_func, free_func)) {
+    return -1;
+  }
+  return index;
 }
 
 int DSA_set_ex_data(DSA *d, int idx, void *arg) {
@@ -347,8 +343,6 @@ DH *DSA_dup_DH(const DSA *r) {
   return ret;
 
 err:
-  if (ret != NULL) {
-    DH_free(ret);
-  }
+  DH_free(ret);
   return NULL;
 }
diff --git a/src/crypto/dsa/dsa_error.c b/src/crypto/dsa/dsa_error.c
deleted file mode 100644
index 5a83908..0000000
--- a/src/crypto/dsa/dsa_error.c
+++ /dev/null
@@ -1,30 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/dsa.h>
-
-const ERR_STRING_DATA DSA_error_string_data[] = {
-  {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_new_method, 0), "DSA_new_method"},
-  {ERR_PACK(ERR_LIB_DSA, DSA_F_dsa_sig_cb, 0), "dsa_sig_cb"},
-  {ERR_PACK(ERR_LIB_DSA, DSA_F_sign, 0), "sign"},
-  {ERR_PACK(ERR_LIB_DSA, DSA_F_sign_setup, 0), "sign_setup"},
-  {ERR_PACK(ERR_LIB_DSA, DSA_F_verify, 0), "verify"},
-  {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_BAD_Q_VALUE), "BAD_Q_VALUE"},
-  {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MISSING_PARAMETERS), "MISSING_PARAMETERS"},
-  {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MODULUS_TOO_LARGE), "MODULUS_TOO_LARGE"},
-  {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NEED_NEW_SETUP_VALUES), "NEED_NEW_SETUP_VALUES"},
-  {0, NULL},
-};
diff --git a/src/crypto/dsa/dsa_impl.c b/src/crypto/dsa/dsa_impl.c
index 6719758..b7e1fd8 100644
--- a/src/crypto/dsa/dsa_impl.c
+++ b/src/crypto/dsa/dsa_impl.c
@@ -66,6 +66,7 @@
 #include <openssl/err.h>
 #include <openssl/rand.h>
 #include <openssl/sha.h>
+#include <openssl/thread.h>
 
 #include "internal.h"
 
@@ -122,14 +123,16 @@ static int sign_setup(const DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
 
   BN_set_flags(&k, BN_FLG_CONSTTIME);
 
-  if (!BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_p,
-                              CRYPTO_LOCK_DSA, dsa->p, ctx)) {
+  if (BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_p,
+                             (CRYPTO_MUTEX *)&dsa->method_mont_p_lock, dsa->p,
+                             ctx) == NULL) {
     goto err;
   }
 
   /* Compute r = (g^k mod p) mod q */
-  if (!BN_copy(&kq, &k))
+  if (!BN_copy(&kq, &k)) {
     goto err;
+  }
 
   /* We do not want timing information to leak the length of k,
    * so we compute g^k using an equivalent exponent of fixed length.
@@ -137,11 +140,11 @@ static int sign_setup(const DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
    * (This is a kludge that we need because the BN_mod_exp_mont()
    * does not let us specify the desired timing behaviour.) */
 
-  if (!BN_add(&kq, &kq, dsa->q))
+  if (!BN_add(&kq, &kq, dsa->q)) {
+    goto err;
+  }
+  if (BN_num_bits(&kq) <= BN_num_bits(dsa->q) && !BN_add(&kq, &kq, dsa->q)) {
     goto err;
-  if (BN_num_bits(&kq) <= BN_num_bits(dsa->q)) {
-    if (!BN_add(&kq, &kq, dsa->q))
-      goto err;
   }
 
   K = &kq;
@@ -159,14 +162,10 @@ static int sign_setup(const DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
     goto err;
   }
 
-  if (*kinvp != NULL) {
-    BN_clear_free(*kinvp);
-  }
+  BN_clear_free(*kinvp);
   *kinvp = kinv;
   kinv = NULL;
-  if (*rp != NULL) {
-    BN_clear_free(*rp);
-  }
+  BN_clear_free(*rp);
   *rp = r;
   ret = 1;
 
@@ -274,15 +273,10 @@ err:
     BN_free(r);
     BN_free(s);
   }
-  if (ctx != NULL) {
-    BN_CTX_free(ctx);
-  }
+  BN_CTX_free(ctx);
   BN_clear_free(&m);
   BN_clear_free(&xr);
-  if (kinv != NULL) {
-    /* dsa->kinv is NULL now if we used it */
-    BN_clear_free(kinv);
-  }
+  BN_clear_free(kinv);
 
   return ret;
 }
@@ -363,12 +357,14 @@ static int verify(int *out_valid, const uint8_t *dgst, size_t digest_len,
   }
 
   mont = BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_p,
-                                CRYPTO_LOCK_DSA, dsa->p, ctx);
+                                (CRYPTO_MUTEX *)&dsa->method_mont_p_lock,
+                                dsa->p, ctx);
   if (!mont) {
     goto err;
   }
 
-  if (!BN_mod_exp2_mont(&t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p, ctx, mont)) {
+  if (!BN_mod_exp2_mont(&t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p, ctx,
+                        mont)) {
     goto err;
   }
 
@@ -387,9 +383,7 @@ err:
   if (ret != 1) {
     OPENSSL_PUT_ERROR(DSA, verify, ERR_R_BN_LIB);
   }
-  if (ctx != NULL) {
-    BN_CTX_free(ctx);
-  }
+  BN_CTX_free(ctx);
   BN_free(&u1);
   BN_free(&u2);
   BN_free(&t1);
@@ -442,15 +436,13 @@ static int keygen(DSA *dsa) {
   ok = 1;
 
 err:
-  if (pub_key != NULL && dsa->pub_key == NULL) {
+  if (dsa->pub_key == NULL) {
     BN_free(pub_key);
   }
-  if (priv_key != NULL && dsa->priv_key == NULL) {
+  if (dsa->priv_key == NULL) {
     BN_free(priv_key);
   }
-  if (ctx != NULL) {
-    BN_CTX_free(ctx);
-  }
+  BN_CTX_free(ctx);
 
   return ok;
 }
@@ -701,15 +693,9 @@ end:
 
 err:
   if (ok) {
-    if (ret->p) {
-      BN_free(ret->p);
-    }
-    if (ret->q) {
-      BN_free(ret->q);
-    }
-    if (ret->g) {
-      BN_free(ret->g);
-    }
+    BN_free(ret->p);
+    BN_free(ret->q);
+    BN_free(ret->g);
     ret->p = BN_dup(p);
     ret->q = BN_dup(q);
     ret->g = BN_dup(g);
@@ -730,9 +716,7 @@ err:
     BN_CTX_free(ctx);
   }
 
-  if (mont != NULL) {
-    BN_MONT_CTX_free(mont);
-  }
+  BN_MONT_CTX_free(mont);
 
   return ok;
 }
diff --git a/src/crypto/dsa/dsa_test.c b/src/crypto/dsa/dsa_test.c
index 1273638..9b70dbe 100644
--- a/src/crypto/dsa/dsa_test.c
+++ b/src/crypto/dsa/dsa_test.c
@@ -61,7 +61,6 @@
 
 #include <string.h>
 
-#include <openssl/bio.h>
 #include <openssl/bn.h>
 #include <openssl/crypto.h>
 #include <openssl/err.h>
@@ -166,9 +165,6 @@ static const uint8_t fips_sig_bad_r[] = {
     0xdc, 0xd8, 0xc8,
 };
 
-static BIO *bio_err = NULL;
-static BIO *bio_out = NULL;
-
 static DSA *get_fips_dsa(void) {
   DSA *dsa = DSA_new();
   if (!dsa) {
@@ -187,7 +183,7 @@ static DSA *get_fips_dsa(void) {
   return dsa;
 }
 
-static int test_generate(void) {
+static int test_generate(FILE *out) {
   BN_GENCB cb;
   DSA *dsa = NULL;
   int counter, ok = 0, i, j;
@@ -196,49 +192,49 @@ static int test_generate(void) {
   uint8_t sig[256];
   unsigned int siglen;
 
-  BIO_printf(bio_out, "test generation of DSA parameters\n");
+  fprintf(out, "test generation of DSA parameters\n");
 
-  BN_GENCB_set(&cb, dsa_cb, bio_out);
+  BN_GENCB_set(&cb, dsa_cb, out);
   dsa = DSA_new();
   if (dsa == NULL ||
       !DSA_generate_parameters_ex(dsa, 512, seed, 20, &counter, &h, &cb)) {
     goto end;
   }
 
-  BIO_printf(bio_out, "seed\n");
+  fprintf(out, "seed\n");
   for (i = 0; i < 20; i += 4) {
-    BIO_printf(bio_out, "%02X%02X%02X%02X ", seed[i], seed[i + 1], seed[i + 2],
-               seed[i + 3]);
+    fprintf(out, "%02X%02X%02X%02X ", seed[i], seed[i + 1], seed[i + 2],
+            seed[i + 3]);
   }
-  BIO_printf(bio_out, "\ncounter=%d h=%ld\n", counter, h);
+  fprintf(out, "\ncounter=%d h=%ld\n", counter, h);
 
   if (counter != 105) {
-    BIO_printf(bio_err, "counter should be 105\n");
+    fprintf(stderr, "counter should be 105\n");
     goto end;
   }
   if (h != 2) {
-    BIO_printf(bio_err, "h should be 2\n");
+    fprintf(stderr, "h should be 2\n");
     goto end;
   }
 
   i = BN_bn2bin(dsa->q, buf);
   j = sizeof(fips_q);
   if (i != j || memcmp(buf, fips_q, i) != 0) {
-    BIO_printf(bio_err, "q value is wrong\n");
+    fprintf(stderr, "q value is wrong\n");
     goto end;
   }
 
   i = BN_bn2bin(dsa->p, buf);
   j = sizeof(fips_p);
   if (i != j || memcmp(buf, fips_p, i) != 0) {
-    BIO_printf(bio_err, "p value is wrong\n");
+    fprintf(stderr, "p value is wrong\n");
     goto end;
   }
 
   i = BN_bn2bin(dsa->g, buf);
   j = sizeof(fips_g);
   if (i != j || memcmp(buf, fips_g, i) != 0) {
-    BIO_printf(bio_err, "g value is wrong\n");
+    fprintf(stderr, "g value is wrong\n");
     goto end;
   }
 
@@ -247,13 +243,11 @@ static int test_generate(void) {
   if (DSA_verify(0, fips_digest, sizeof(fips_digest), sig, siglen, dsa) == 1) {
     ok = 1;
   } else {
-    BIO_printf(bio_err, "verification failure\n");
+    fprintf(stderr, "verification failure\n");
   }
 
 end:
-  if (dsa != NULL) {
-    DSA_free(dsa);
-  }
+  DSA_free(dsa);
 
   return ok;
 }
@@ -267,7 +261,7 @@ static int test_verify(const uint8_t *sig, size_t sig_len, int expect) {
 
   int ret = DSA_verify(0, fips_digest, sizeof(fips_digest), sig, sig_len, dsa);
   if (ret != expect) {
-    BIO_printf(bio_err, "DSA_verify returned %d, want %d\n", ret, expect);
+    fprintf(stderr, "DSA_verify returned %d, want %d\n", ret, expect);
     goto end;
   }
   ok = 1;
@@ -275,9 +269,7 @@ static int test_verify(const uint8_t *sig, size_t sig_len, int expect) {
   ERR_clear_error();
 
 end:
-  if (dsa != NULL) {
-    DSA_free(dsa);
-  }
+  DSA_free(dsa);
 
   return ok;
 }
@@ -285,23 +277,16 @@ end:
 int main(int argc, char **argv) {
   CRYPTO_library_init();
 
-  bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
-  bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);
-
-  if (!test_generate() ||
+  if (!test_generate(stdout) ||
       !test_verify(fips_sig, sizeof(fips_sig), 1) ||
       !test_verify(fips_sig_negative, sizeof(fips_sig_negative), -1) ||
       !test_verify(fips_sig_extra, sizeof(fips_sig_extra), -1) ||
       !test_verify(fips_sig_bad_length, sizeof(fips_sig_bad_length), -1) ||
       !test_verify(fips_sig_bad_r, sizeof(fips_sig_bad_r), 0)) {
-    BIO_print_errors(bio_err);
-    BIO_free(bio_err);
-    BIO_free(bio_out);
+    ERR_print_errors_fp(stderr);
     return 1;
   }
 
-  BIO_free(bio_err);
-  BIO_free(bio_out);
   printf("PASS\n");
   return 0;
 }
@@ -326,11 +311,11 @@ static int dsa_cb(int p, int n, BN_GENCB *arg) {
     c = '\n';
   }
 
-  BIO_write(arg->arg, &c, 1);
-  (void)BIO_flush(arg->arg);
+  fputc(c, arg->arg);
+  fflush(arg->arg);
 
   if (!ok && p == 0 && num > 1) {
-    BIO_printf((BIO *)arg, "error in dsatest\n");
+    fprintf(stderr, "error in dsatest\n");
     return 0;
   }
 
diff --git a/src/crypto/ec/CMakeLists.txt b/src/crypto/ec/CMakeLists.txt
index 11266c6..a218c0d 100644
--- a/src/crypto/ec/CMakeLists.txt
+++ b/src/crypto/ec/CMakeLists.txt
@@ -6,13 +6,14 @@ add_library(
   OBJECT
 
   ec.c
+  ec_asn1.c
+  ec_key.c
+  ec_montgomery.c
   oct.c
+  p256-64.c
+  util-64.c
   simple.c
-  ec_montgomery.c
   wnaf.c
-  ec_key.c
-  ec_asn1.c
-  ec_error.c
 )
 
 add_executable(
@@ -24,7 +25,7 @@ add_executable(
 add_executable(
   ec_test
 
-  ec_test.c
+  ec_test.cc
 )
 
 target_link_libraries(example_mul crypto)
diff --git a/src/crypto/ec/ec.c b/src/crypto/ec/ec.c
index 6e676c9..5426b8f 100644
--- a/src/crypto/ec/ec.c
+++ b/src/crypto/ec/ec.c
@@ -219,11 +219,18 @@ static const struct curve_data P521 = {
      0xB7, 0x1E, 0x91, 0x38, 0x64, 0x09}};
 
 const struct built_in_curve OPENSSL_built_in_curves[] = {
-  {NID_secp224r1, &P224, 0},
-  {NID_X9_62_prime256v1, &P256, 0},
-  {NID_secp384r1, &P384, 0},
-  {NID_secp521r1, &P521, 0},
-  {NID_undef, 0, 0},
+    {NID_secp224r1, &P224, 0},
+    {
+        NID_X9_62_prime256v1, &P256,
+#if defined(OPENSSL_64_BIT) && !defined(OPENSSL_WINDOWS)
+        EC_GFp_nistp256_method,
+#else
+        0,
+#endif
+    },
+    {NID_secp384r1, &P384, 0},
+    {NID_secp521r1, &P521, 0},
+    {NID_undef, 0, 0},
 };
 
 EC_GROUP *ec_group_new(const EC_METHOD *meth) {
@@ -357,22 +364,14 @@ err:
     EC_GROUP_free(group);
     group = NULL;
   }
-  if (P)
-    EC_POINT_free(P);
-  if (ctx)
-    BN_CTX_free(ctx);
-  if (p)
-    BN_free(p);
-  if (a)
-    BN_free(a);
-  if (b)
-    BN_free(b);
-  if (order)
-    BN_free(order);
-  if (x)
-    BN_free(x);
-  if (y)
-    BN_free(y);
+  EC_POINT_free(P);
+  BN_CTX_free(ctx);
+  BN_free(p);
+  BN_free(a);
+  BN_free(b);
+  BN_free(order);
+  BN_free(x);
+  BN_free(y);
   return group;
 }
 
@@ -409,16 +408,14 @@ void EC_GROUP_free(EC_GROUP *group) {
 
   ec_pre_comp_free(group->pre_comp);
 
-  if (group->generator != NULL) {
-    EC_POINT_free(group->generator);
-  }
+  EC_POINT_free(group->generator);
   BN_free(&group->order);
   BN_free(&group->cofactor);
 
   OPENSSL_free(group);
 }
 
-int EC_GROUP_copy(EC_GROUP *dest, const EC_GROUP *src) {
+int ec_group_copy(EC_GROUP *dest, const EC_GROUP *src) {
   if (dest->meth->group_copy == 0) {
     OPENSSL_PUT_ERROR(EC, EC_GROUP_copy, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
     return 0;
@@ -474,7 +471,7 @@ EC_GROUP *EC_GROUP_dup(const EC_GROUP *a) {
   if (t == NULL) {
     return NULL;
   }
-  if (!EC_GROUP_copy(t, a)) {
+  if (!ec_group_copy(t, a)) {
     goto err;
   }
 
@@ -482,9 +479,7 @@ EC_GROUP *EC_GROUP_dup(const EC_GROUP *a) {
 
 err:
   if (!ok) {
-    if (t) {
-      EC_GROUP_free(t);
-    }
+    EC_GROUP_free(t);
     return NULL;
   } else {
     return t;
diff --git a/src/crypto/ec/ec_asn1.c b/src/crypto/ec/ec_asn1.c
index ce9b3f4..ff3dca6 100644
--- a/src/crypto/ec/ec_asn1.c
+++ b/src/crypto/ec/ec_asn1.c
@@ -172,9 +172,7 @@ ECPKPARAMETERS *ec_asn1_group2pkparameters(const EC_GROUP *group,
       return NULL;
     }
   } else {
-    if (ret->value.named_curve) {
-      ASN1_OBJECT_free(ret->value.named_curve);
-    }
+    ASN1_OBJECT_free(ret->value.named_curve);
   }
 
   /* use the ASN.1 OID to describe the the elliptic curve parameters. */
@@ -257,10 +255,8 @@ static EC_GROUP *d2i_ECPKParameters(EC_GROUP **groupp, const uint8_t **inp,
     return NULL;
   }
 
-  if (groupp && *groupp) {
-    EC_GROUP_free(*groupp);
-  }
   if (groupp) {
+    EC_GROUP_free(*groupp);
     *groupp = group;
   }
 
@@ -290,16 +286,9 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const uint8_t **in, long len) {
   EC_KEY *ret = NULL;
   EC_PRIVATEKEY *priv_key = NULL;
 
-  priv_key = EC_PRIVATEKEY_new();
-  if (priv_key == NULL) {
-    OPENSSL_PUT_ERROR(EC, d2i_ECPrivateKey, ERR_R_MALLOC_FAILURE);
-    return NULL;
-  }
-
-  priv_key = d2i_EC_PRIVATEKEY(&priv_key, in, len);
+  priv_key = d2i_EC_PRIVATEKEY(NULL, in, len);
   if (priv_key == NULL) {
     OPENSSL_PUT_ERROR(EC, d2i_ECPrivateKey, ERR_R_EC_LIB);
-    EC_PRIVATEKEY_free(priv_key);
     return NULL;
   }
 
@@ -309,17 +298,12 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const uint8_t **in, long len) {
       OPENSSL_PUT_ERROR(EC, d2i_ECPrivateKey, ERR_R_MALLOC_FAILURE);
       goto err;
     }
-    if (a) {
-      *a = ret;
-    }
   } else {
     ret = *a;
   }
 
   if (priv_key->parameters) {
-    if (ret->group) {
-      EC_GROUP_free(ret->group);
-    }
+    EC_GROUP_free(ret->group);
     ret->group = ec_asn1_pkparameters2group(priv_key->parameters);
   }
 
@@ -343,9 +327,7 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const uint8_t **in, long len) {
     goto err;
   }
 
-  if (ret->pub_key) {
-    EC_POINT_free(ret->pub_key);
-  }
+  EC_POINT_free(ret->pub_key);
   ret->pub_key = EC_POINT_new(ret->group);
   if (ret->pub_key == NULL) {
     OPENSSL_PUT_ERROR(EC, d2i_ECPrivateKey, ERR_R_EC_LIB);
@@ -380,22 +362,20 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const uint8_t **in, long len) {
     ret->enc_flag |= EC_PKEY_NO_PUBKEY;
   }
 
+  if (a) {
+    *a = ret;
+  }
   ok = 1;
 
 err:
   if (!ok) {
-    if (ret) {
+    if (a == NULL || *a != ret) {
       EC_KEY_free(ret);
     }
     ret = NULL;
-    if (a) {
-      *a = ret;
-    }
   }
 
-  if (priv_key) {
-    EC_PRIVATEKEY_free(priv_key);
-  }
+  EC_PRIVATEKEY_free(priv_key);
 
   return ret;
 }
@@ -419,14 +399,14 @@ int i2d_ECPrivateKey(const EC_KEY *key, uint8_t **outp) {
 
   priv_key->version = key->version;
 
-  buf_len = BN_num_bytes(key->priv_key);
+  buf_len = BN_num_bytes(&key->group->order);
   buffer = OPENSSL_malloc(buf_len);
   if (buffer == NULL) {
     OPENSSL_PUT_ERROR(EC, i2d_ECPrivateKey, ERR_R_MALLOC_FAILURE);
     goto err;
   }
 
-  if (!BN_bn2bin(key->priv_key, buffer)) {
+  if (!BN_bn2bin_padded(buffer, buf_len, key->priv_key)) {
     OPENSSL_PUT_ERROR(EC, i2d_ECPrivateKey, ERR_R_BN_LIB);
     goto err;
   }
@@ -488,12 +468,8 @@ int i2d_ECPrivateKey(const EC_KEY *key, uint8_t **outp) {
   ok = 1;
 
 err:
-  if (buffer) {
-    OPENSSL_free(buffer);
-  }
-  if (priv_key) {
-    EC_PRIVATEKEY_free(priv_key);
-  }
+  OPENSSL_free(buffer);
+  EC_PRIVATEKEY_free(priv_key);
   return (ok ? ret : 0);
 }
 
@@ -519,18 +495,21 @@ EC_KEY *d2i_ECParameters(EC_KEY **key, const uint8_t **inp, long len) {
       OPENSSL_PUT_ERROR(EC, d2i_ECParameters, ERR_R_MALLOC_FAILURE);
       return NULL;
     }
-    if (key) {
-      *key = ret;
-    }
   } else {
     ret = *key;
   }
 
   if (!d2i_ECPKParameters(&ret->group, inp, len)) {
     OPENSSL_PUT_ERROR(EC, d2i_ECParameters, ERR_R_EC_LIB);
+    if (key == NULL || *key == NULL) {
+      EC_KEY_free(ret);
+    }
     return NULL;
   }
 
+  if (key) {
+    *key = ret;
+  }
   return ret;
 }
 
diff --git a/src/crypto/ec/ec_error.c b/src/crypto/ec/ec_error.c
deleted file mode 100644
index 73807c7..0000000
--- a/src/crypto/ec/ec_error.c
+++ /dev/null
@@ -1,107 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/ec.h>
-
-const ERR_STRING_DATA EC_error_string_data[] = {
-  {ERR_PACK(ERR_LIB_EC, EC_F_EC_GROUP_copy, 0), "EC_GROUP_copy"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_EC_GROUP_get_curve_GFp, 0), "EC_GROUP_get_curve_GFp"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_EC_GROUP_get_degree, 0), "EC_GROUP_get_degree"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_EC_GROUP_new_by_curve_name, 0), "EC_GROUP_new_by_curve_name"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_EC_KEY_check_key, 0), "EC_KEY_check_key"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_EC_KEY_copy, 0), "EC_KEY_copy"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_EC_KEY_generate_key, 0), "EC_KEY_generate_key"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_EC_KEY_new_method, 0), "EC_KEY_new_method"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_EC_KEY_set_public_key_affine_coordinates, 0), "EC_KEY_set_public_key_affine_coordinates"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_EC_POINT_add, 0), "EC_POINT_add"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_EC_POINT_cmp, 0), "EC_POINT_cmp"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_EC_POINT_copy, 0), "EC_POINT_copy"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_EC_POINT_dbl, 0), "EC_POINT_dbl"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_EC_POINT_dup, 0), "EC_POINT_dup"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_EC_POINT_get_affine_coordinates_GFp, 0), "EC_POINT_get_affine_coordinates_GFp"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_EC_POINT_invert, 0), "EC_POINT_invert"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_EC_POINT_is_at_infinity, 0), "EC_POINT_is_at_infinity"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_EC_POINT_is_on_curve, 0), "EC_POINT_is_on_curve"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_EC_POINT_make_affine, 0), "EC_POINT_make_affine"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_EC_POINT_new, 0), "EC_POINT_new"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_EC_POINT_oct2point, 0), "EC_POINT_oct2point"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_EC_POINT_point2oct, 0), "EC_POINT_point2oct"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_EC_POINT_set_affine_coordinates_GFp, 0), "EC_POINT_set_affine_coordinates_GFp"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_EC_POINT_set_compressed_coordinates_GFp, 0), "EC_POINT_set_compressed_coordinates_GFp"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_EC_POINT_set_to_infinity, 0), "EC_POINT_set_to_infinity"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_EC_POINTs_make_affine, 0), "EC_POINTs_make_affine"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_compute_wNAF, 0), "compute_wNAF"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_d2i_ECPKParameters, 0), "d2i_ECPKParameters"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_d2i_ECParameters, 0), "d2i_ECParameters"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_d2i_ECPrivateKey, 0), "d2i_ECPrivateKey"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_ec_GFp_mont_field_decode, 0), "ec_GFp_mont_field_decode"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_ec_GFp_mont_field_encode, 0), "ec_GFp_mont_field_encode"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_ec_GFp_mont_field_mul, 0), "ec_GFp_mont_field_mul"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_ec_GFp_mont_field_set_to_one, 0), "ec_GFp_mont_field_set_to_one"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_ec_GFp_mont_field_sqr, 0), "ec_GFp_mont_field_sqr"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_ec_GFp_mont_group_set_curve, 0), "ec_GFp_mont_group_set_curve"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_ec_GFp_simple_group_check_discriminant, 0), "ec_GFp_simple_group_check_discriminant"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_ec_GFp_simple_group_set_curve, 0), "ec_GFp_simple_group_set_curve"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_ec_GFp_simple_make_affine, 0), "ec_GFp_simple_make_affine"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_ec_GFp_simple_oct2point, 0), "ec_GFp_simple_oct2point"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_ec_GFp_simple_point2oct, 0), "ec_GFp_simple_point2oct"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_ec_GFp_simple_point_get_affine_coordinates, 0), "ec_GFp_simple_point_get_affine_coordinates"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_ec_GFp_simple_point_set_affine_coordinates, 0), "ec_GFp_simple_point_set_affine_coordinates"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_ec_GFp_simple_points_make_affine, 0), "ec_GFp_simple_points_make_affine"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_ec_GFp_simple_set_compressed_coordinates, 0), "ec_GFp_simple_set_compressed_coordinates"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_ec_asn1_group2pkparameters, 0), "ec_asn1_group2pkparameters"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_ec_asn1_pkparameters2group, 0), "ec_asn1_pkparameters2group"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_ec_group_new, 0), "ec_group_new"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_ec_group_new_curve_GFp, 0), "ec_group_new_curve_GFp"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_ec_group_new_from_data, 0), "ec_group_new_from_data"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_ec_point_set_Jprojective_coordinates_GFp, 0), "ec_point_set_Jprojective_coordinates_GFp"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_ec_pre_comp_new, 0), "ec_pre_comp_new"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_ec_wNAF_mul, 0), "ec_wNAF_mul"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_ec_wNAF_precompute_mult, 0), "ec_wNAF_precompute_mult"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_i2d_ECPKParameters, 0), "i2d_ECPKParameters"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_i2d_ECParameters, 0), "i2d_ECParameters"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_i2d_ECPrivateKey, 0), "i2d_ECPrivateKey"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_i2o_ECPublicKey, 0), "i2o_ECPublicKey"},
-  {ERR_PACK(ERR_LIB_EC, EC_F_o2i_ECPublicKey, 0), "o2i_ECPublicKey"},
-  {ERR_PACK(ERR_LIB_EC, 0, EC_R_BUFFER_TOO_SMALL), "BUFFER_TOO_SMALL"},
-  {ERR_PACK(ERR_LIB_EC, 0, EC_R_COORDINATES_OUT_OF_RANGE), "COORDINATES_OUT_OF_RANGE"},
-  {ERR_PACK(ERR_LIB_EC, 0, EC_R_D2I_ECPKPARAMETERS_FAILURE), "D2I_ECPKPARAMETERS_FAILURE"},
-  {ERR_PACK(ERR_LIB_EC, 0, EC_R_EC_GROUP_NEW_BY_NAME_FAILURE), "EC_GROUP_NEW_BY_NAME_FAILURE"},
-  {ERR_PACK(ERR_LIB_EC, 0, EC_R_GF2M_NOT_SUPPORTED), "GF2M_NOT_SUPPORTED"},
-  {ERR_PACK(ERR_LIB_EC, 0, EC_R_GROUP2PKPARAMETERS_FAILURE), "GROUP2PKPARAMETERS_FAILURE"},
-  {ERR_PACK(ERR_LIB_EC, 0, EC_R_I2D_ECPKPARAMETERS_FAILURE), "I2D_ECPKPARAMETERS_FAILURE"},
-  {ERR_PACK(ERR_LIB_EC, 0, EC_R_INCOMPATIBLE_OBJECTS), "INCOMPATIBLE_OBJECTS"},
-  {ERR_PACK(ERR_LIB_EC, 0, EC_R_INVALID_COMPRESSED_POINT), "INVALID_COMPRESSED_POINT"},
-  {ERR_PACK(ERR_LIB_EC, 0, EC_R_INVALID_COMPRESSION_BIT), "INVALID_COMPRESSION_BIT"},
-  {ERR_PACK(ERR_LIB_EC, 0, EC_R_INVALID_ENCODING), "INVALID_ENCODING"},
-  {ERR_PACK(ERR_LIB_EC, 0, EC_R_INVALID_FIELD), "INVALID_FIELD"},
-  {ERR_PACK(ERR_LIB_EC, 0, EC_R_INVALID_FORM), "INVALID_FORM"},
-  {ERR_PACK(ERR_LIB_EC, 0, EC_R_INVALID_GROUP_ORDER), "INVALID_GROUP_ORDER"},
-  {ERR_PACK(ERR_LIB_EC, 0, EC_R_INVALID_PRIVATE_KEY), "INVALID_PRIVATE_KEY"},
-  {ERR_PACK(ERR_LIB_EC, 0, EC_R_MISSING_PARAMETERS), "MISSING_PARAMETERS"},
-  {ERR_PACK(ERR_LIB_EC, 0, EC_R_MISSING_PRIVATE_KEY), "MISSING_PRIVATE_KEY"},
-  {ERR_PACK(ERR_LIB_EC, 0, EC_R_NON_NAMED_CURVE), "NON_NAMED_CURVE"},
-  {ERR_PACK(ERR_LIB_EC, 0, EC_R_NOT_INITIALIZED), "NOT_INITIALIZED"},
-  {ERR_PACK(ERR_LIB_EC, 0, EC_R_PKPARAMETERS2GROUP_FAILURE), "PKPARAMETERS2GROUP_FAILURE"},
-  {ERR_PACK(ERR_LIB_EC, 0, EC_R_POINT_AT_INFINITY), "POINT_AT_INFINITY"},
-  {ERR_PACK(ERR_LIB_EC, 0, EC_R_POINT_IS_NOT_ON_CURVE), "POINT_IS_NOT_ON_CURVE"},
-  {ERR_PACK(ERR_LIB_EC, 0, EC_R_SLOT_FULL), "SLOT_FULL"},
-  {ERR_PACK(ERR_LIB_EC, 0, EC_R_UNDEFINED_GENERATOR), "UNDEFINED_GENERATOR"},
-  {ERR_PACK(ERR_LIB_EC, 0, EC_R_UNKNOWN_GROUP), "UNKNOWN_GROUP"},
-  {ERR_PACK(ERR_LIB_EC, 0, EC_R_UNKNOWN_ORDER), "UNKNOWN_ORDER"},
-  {ERR_PACK(ERR_LIB_EC, 0, EC_R_WRONG_ORDER), "WRONG_ORDER"},
-  {0, NULL},
-};
diff --git a/src/crypto/ec/ec_key.c b/src/crypto/ec/ec_key.c
index 471ea9c..3652ba5 100644
--- a/src/crypto/ec/ec_key.c
+++ b/src/crypto/ec/ec_key.c
@@ -74,10 +74,14 @@
 #include <openssl/err.h>
 #include <openssl/ex_data.h>
 #include <openssl/mem.h>
+#include <openssl/thread.h>
 
 #include "internal.h"
+#include "../internal.h"
 
 
+static CRYPTO_EX_DATA_CLASS g_ex_data_class = CRYPTO_EX_DATA_CLASS_INIT;
+
 EC_KEY *EC_KEY_new(void) { return EC_KEY_new_method(NULL); }
 
 EC_KEY *EC_KEY_new_method(const ENGINE *engine) {
@@ -100,7 +104,7 @@ EC_KEY *EC_KEY_new_method(const ENGINE *engine) {
   ret->conv_form = POINT_CONVERSION_UNCOMPRESSED;
   ret->references = 1;
 
-  if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_EC_KEY, ret, &ret->ex_data)) {
+  if (!CRYPTO_new_ex_data(&g_ex_data_class, ret, &ret->ex_data)) {
     goto err1;
   }
 
@@ -111,7 +115,7 @@ EC_KEY *EC_KEY_new_method(const ENGINE *engine) {
   return ret;
 
 err2:
-  CRYPTO_free_ex_data(CRYPTO_EX_INDEX_EC_KEY, ret, &ret->ex_data);
+  CRYPTO_free_ex_data(&g_ex_data_class, ret, &ret->ex_data);
 err1:
   if (ret->ecdsa_meth) {
     METHOD_unref(ret->ecdsa_meth);
@@ -123,6 +127,7 @@ err1:
 EC_KEY *EC_KEY_new_by_curve_name(int nid) {
   EC_KEY *ret = EC_KEY_new();
   if (ret == NULL) {
+    OPENSSL_PUT_ERROR(EC, EC_KEY_new_by_curve_name, ERR_R_MALLOC_FAILURE);
     return NULL;
   }
   ret->group = EC_GROUP_new_by_curve_name(nid);
@@ -149,17 +154,11 @@ void EC_KEY_free(EC_KEY *r) {
     METHOD_unref(r->ecdsa_meth);
   }
 
-  if (r->group != NULL) {
-    EC_GROUP_free(r->group);
-  }
-  if (r->pub_key != NULL) {
-    EC_POINT_free(r->pub_key);
-  }
-  if (r->priv_key != NULL) {
-    BN_clear_free(r->priv_key);
-  }
+  EC_GROUP_free(r->group);
+  EC_POINT_free(r->pub_key);
+  BN_clear_free(r->priv_key);
 
-  CRYPTO_free_ex_data(CRYPTO_EX_INDEX_EC_KEY, r, &r->ex_data);
+  CRYPTO_free_ex_data(&g_ex_data_class, r, &r->ex_data);
 
   OPENSSL_cleanse((void *)r, sizeof(EC_KEY));
   OPENSSL_free(r);
@@ -170,35 +169,23 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src) {
     OPENSSL_PUT_ERROR(EC, EC_KEY_copy, ERR_R_PASSED_NULL_PARAMETER);
     return NULL;
   }
-  /* copy the parameters */
+  /* Copy the parameters. */
   if (src->group) {
     /* TODO(fork): duplicating the group seems wasteful. */
-    const EC_METHOD *meth = src->group->meth;
-    /* clear the old group */
-    if (dest->group) {
-      EC_GROUP_free(dest->group);
-    }
-    dest->group = ec_group_new(meth);
+    EC_GROUP_free(dest->group);
+    dest->group = EC_GROUP_dup(src->group);
     if (dest->group == NULL) {
       return NULL;
     }
-    if (!EC_GROUP_copy(dest->group, src->group)) {
-      return NULL;
-    }
   }
 
-  /*  copy the public key */
+  /* Copy the public key. */
   if (src->pub_key && src->group) {
-    if (dest->pub_key) {
-      EC_POINT_free(dest->pub_key);
-    }
-    dest->pub_key = EC_POINT_new(src->group);
+    EC_POINT_free(dest->pub_key);
+    dest->pub_key = EC_POINT_dup(src->pub_key, src->group);
     if (dest->pub_key == NULL) {
       return NULL;
     }
-    if (!EC_POINT_copy(dest->pub_key, src->pub_key)) {
-      return NULL;
-    }
   }
 
   /* copy the private key */
@@ -214,8 +201,8 @@ EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src) {
     }
   }
   /* copy method/extra data */
-  CRYPTO_free_ex_data(CRYPTO_EX_INDEX_EC_KEY, dest, &dest->ex_data);
-  if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_EC_KEY, &dest->ex_data,
+  CRYPTO_free_ex_data(&g_ex_data_class, dest, &dest->ex_data);
+  if (!CRYPTO_dup_ex_data(&g_ex_data_class, &dest->ex_data,
                           &src->ex_data)) {
     return NULL;
   }
@@ -252,9 +239,7 @@ int EC_KEY_is_opaque(const EC_KEY *key) {
 const EC_GROUP *EC_KEY_get0_group(const EC_KEY *key) { return key->group; }
 
 int EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group) {
-  if (key->group != NULL) {
-    EC_GROUP_free(key->group);
-  }
+  EC_GROUP_free(key->group);
   /* TODO(fork): duplicating the group seems wasteful but see
    * |EC_KEY_set_conv_form|. */
   key->group = EC_GROUP_dup(group);
@@ -266,9 +251,7 @@ const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *key) {
 }
 
 int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key) {
-  if (key->priv_key) {
-    BN_clear_free(key->priv_key);
-  }
+  BN_clear_free(key->priv_key);
   key->priv_key = BN_dup(priv_key);
   return (key->priv_key == NULL) ? 0 : 1;
 }
@@ -278,9 +261,7 @@ const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key) {
 }
 
 int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub_key) {
-  if (key->pub_key != NULL) {
-    EC_POINT_free(key->pub_key);
-  }
+  EC_POINT_free(key->pub_key);
   key->pub_key = EC_POINT_dup(pub_key, key->group);
   return (key->pub_key == NULL) ? 0 : 1;
 }
@@ -371,10 +352,8 @@ int EC_KEY_check_key(const EC_KEY *eckey) {
   ok = 1;
 
 err:
-  if (ctx != NULL)
-    BN_CTX_free(ctx);
-  if (point != NULL)
-    EC_POINT_free(point);
+  BN_CTX_free(ctx);
+  EC_POINT_free(point);
   return ok;
 }
 
@@ -425,10 +404,8 @@ int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x,
   ok = 1;
 
 err:
-  if (ctx)
-    BN_CTX_free(ctx);
-  if (point)
-    EC_POINT_free(point);
+  BN_CTX_free(ctx);
+  EC_POINT_free(point);
   return ok;
 }
 
@@ -489,22 +466,26 @@ int EC_KEY_generate_key(EC_KEY *eckey) {
   ok = 1;
 
 err:
-  if (order)
-    BN_free(order);
-  if (pub_key != NULL && eckey->pub_key == NULL)
+  BN_free(order);
+  if (eckey->pub_key == NULL) {
     EC_POINT_free(pub_key);
-  if (priv_key != NULL && eckey->priv_key == NULL)
+  }
+  if (eckey->priv_key == NULL) {
     BN_free(priv_key);
-  if (ctx != NULL)
-    BN_CTX_free(ctx);
+  }
+  BN_CTX_free(ctx);
   return ok;
 }
 
 int EC_KEY_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
                             CRYPTO_EX_dup *dup_func,
                             CRYPTO_EX_free *free_func) {
-  return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_EC_KEY, argl, argp, new_func,
-                                 dup_func, free_func);
+  int index;
+  if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp, new_func,
+                               dup_func, free_func)) {
+    return -1;
+  }
+  return index;
 }
 
 int EC_KEY_set_ex_data(EC_KEY *d, int idx, void *arg) {
diff --git a/src/crypto/ec/ec_montgomery.c b/src/crypto/ec/ec_montgomery.c
index ab04556..74dbc6c 100644
--- a/src/crypto/ec/ec_montgomery.c
+++ b/src/crypto/ec/ec_montgomery.c
@@ -121,68 +121,58 @@ int ec_GFp_mont_group_init(EC_GROUP *group) {
   int ok;
 
   ok = ec_GFp_simple_group_init(group);
-  group->field_data1 = NULL;
-  group->field_data2 = NULL;
+  group->mont = NULL;
+  group->one = NULL;
   return ok;
 }
 
 void ec_GFp_mont_group_finish(EC_GROUP *group) {
-  if (group->field_data1 != NULL) {
-    BN_MONT_CTX_free(group->field_data1);
-    group->field_data1 = NULL;
-  }
-  if (group->field_data2 != NULL) {
-    BN_free(group->field_data2);
-    group->field_data2 = NULL;
-  }
+  BN_MONT_CTX_free(group->mont);
+  group->mont = NULL;
+  BN_free(group->one);
+  group->one = NULL;
   ec_GFp_simple_group_finish(group);
 }
 
 void ec_GFp_mont_group_clear_finish(EC_GROUP *group) {
-  if (group->field_data1 != NULL) {
-    BN_MONT_CTX_free(group->field_data1);
-    group->field_data1 = NULL;
-  }
-  if (group->field_data2 != NULL) {
-    BN_clear_free(group->field_data2);
-    group->field_data2 = NULL;
-  }
+  BN_MONT_CTX_free(group->mont);
+  group->mont = NULL;
+  BN_clear_free(group->one);
+  group->one = NULL;
   ec_GFp_simple_group_clear_finish(group);
 }
 
 int ec_GFp_mont_group_copy(EC_GROUP *dest, const EC_GROUP *src) {
-  if (dest->field_data1 != NULL) {
-    BN_MONT_CTX_free(dest->field_data1);
-    dest->field_data1 = NULL;
-  }
-  if (dest->field_data2 != NULL) {
-    BN_clear_free(dest->field_data2);
-    dest->field_data2 = NULL;
-  }
+  BN_MONT_CTX_free(dest->mont);
+  dest->mont = NULL;
+  BN_clear_free(dest->one);
+  dest->one = NULL;
 
-  if (!ec_GFp_simple_group_copy(dest, src))
+  if (!ec_GFp_simple_group_copy(dest, src)) {
     return 0;
+  }
 
-  if (src->field_data1 != NULL) {
-    dest->field_data1 = BN_MONT_CTX_new();
-    if (dest->field_data1 == NULL)
+  if (src->mont != NULL) {
+    dest->mont = BN_MONT_CTX_new();
+    if (dest->mont == NULL) {
       return 0;
-    if (!BN_MONT_CTX_copy(dest->field_data1, src->field_data1))
+    }
+    if (!BN_MONT_CTX_copy(dest->mont, src->mont)) {
       goto err;
+    }
   }
-  if (src->field_data2 != NULL) {
-    dest->field_data2 = BN_dup(src->field_data2);
-    if (dest->field_data2 == NULL)
+  if (src->one != NULL) {
+    dest->one = BN_dup(src->one);
+    if (dest->one == NULL) {
       goto err;
+    }
   }
 
   return 1;
 
 err:
-  if (dest->field_data1 != NULL) {
-    BN_MONT_CTX_free(dest->field_data1);
-    dest->field_data1 = NULL;
-  }
+  BN_MONT_CTX_free(dest->mont);
+  dest->mont = NULL;
   return 0;
 }
 
@@ -193,104 +183,101 @@ int ec_GFp_mont_group_set_curve(EC_GROUP *group, const BIGNUM *p,
   BIGNUM *one = NULL;
   int ret = 0;
 
-  if (group->field_data1 != NULL) {
-    BN_MONT_CTX_free(group->field_data1);
-    group->field_data1 = NULL;
-  }
-  if (group->field_data2 != NULL) {
-    BN_free(group->field_data2);
-    group->field_data2 = NULL;
-  }
+  BN_MONT_CTX_free(group->mont);
+  group->mont = NULL;
+  BN_free(group->one);
+  group->one = NULL;
 
   if (ctx == NULL) {
     ctx = new_ctx = BN_CTX_new();
-    if (ctx == NULL)
+    if (ctx == NULL) {
       return 0;
+    }
   }
 
   mont = BN_MONT_CTX_new();
-  if (mont == NULL)
+  if (mont == NULL) {
     goto err;
+  }
   if (!BN_MONT_CTX_set(mont, p, ctx)) {
     OPENSSL_PUT_ERROR(EC, ec_GFp_mont_group_set_curve, ERR_R_BN_LIB);
     goto err;
   }
   one = BN_new();
-  if (one == NULL)
-    goto err;
-  if (!BN_to_montgomery(one, BN_value_one(), mont, ctx))
+  if (one == NULL || !BN_to_montgomery(one, BN_value_one(), mont, ctx)) {
     goto err;
+  }
 
-  group->field_data1 = mont;
+  group->mont = mont;
   mont = NULL;
-  group->field_data2 = one;
+  group->one = one;
   one = NULL;
 
   ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx);
 
   if (!ret) {
-    BN_MONT_CTX_free(group->field_data1);
-    group->field_data1 = NULL;
-    BN_free(group->field_data2);
-    group->field_data2 = NULL;
+    BN_MONT_CTX_free(group->mont);
+    group->mont = NULL;
+    BN_free(group->one);
+    group->one = NULL;
   }
 
 err:
-  if (new_ctx != NULL)
-    BN_CTX_free(new_ctx);
-  if (mont != NULL)
-    BN_MONT_CTX_free(mont);
+  BN_CTX_free(new_ctx);
+  BN_MONT_CTX_free(mont);
+  BN_free(one);
   return ret;
 }
 
 int ec_GFp_mont_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
                           const BIGNUM *b, BN_CTX *ctx) {
-  if (group->field_data1 == NULL) {
+  if (group->mont == NULL) {
     OPENSSL_PUT_ERROR(EC, ec_GFp_mont_field_mul, EC_R_NOT_INITIALIZED);
     return 0;
   }
 
-  return BN_mod_mul_montgomery(r, a, b, group->field_data1, ctx);
+  return BN_mod_mul_montgomery(r, a, b, group->mont, ctx);
 }
 
 int ec_GFp_mont_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
                           BN_CTX *ctx) {
-  if (group->field_data1 == NULL) {
+  if (group->mont == NULL) {
     OPENSSL_PUT_ERROR(EC, ec_GFp_mont_field_sqr, EC_R_NOT_INITIALIZED);
     return 0;
   }
 
-  return BN_mod_mul_montgomery(r, a, a, group->field_data1, ctx);
+  return BN_mod_mul_montgomery(r, a, a, group->mont, ctx);
 }
 
 int ec_GFp_mont_field_encode(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
                              BN_CTX *ctx) {
-  if (group->field_data1 == NULL) {
+  if (group->mont == NULL) {
     OPENSSL_PUT_ERROR(EC, ec_GFp_mont_field_encode, EC_R_NOT_INITIALIZED);
     return 0;
   }
 
-  return BN_to_montgomery(r, a, (BN_MONT_CTX *)group->field_data1, ctx);
+  return BN_to_montgomery(r, a, group->mont, ctx);
 }
 
 int ec_GFp_mont_field_decode(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
                              BN_CTX *ctx) {
-  if (group->field_data1 == NULL) {
+  if (group->mont == NULL) {
     OPENSSL_PUT_ERROR(EC, ec_GFp_mont_field_decode, EC_R_NOT_INITIALIZED);
     return 0;
   }
 
-  return BN_from_montgomery(r, a, group->field_data1, ctx);
+  return BN_from_montgomery(r, a, group->mont, ctx);
 }
 
 int ec_GFp_mont_field_set_to_one(const EC_GROUP *group, BIGNUM *r,
                                  BN_CTX *ctx) {
-  if (group->field_data2 == NULL) {
+  if (group->one == NULL) {
     OPENSSL_PUT_ERROR(EC, ec_GFp_mont_field_set_to_one, EC_R_NOT_INITIALIZED);
     return 0;
   }
 
-  if (!BN_copy(r, group->field_data2))
+  if (!BN_copy(r, group->one)) {
     return 0;
+  }
   return 1;
 }
diff --git a/src/crypto/ec/ec_test.c b/src/crypto/ec/ec_test.c
deleted file mode 100644
index 8d53f87..0000000
--- a/src/crypto/ec/ec_test.c
+++ /dev/null
@@ -1,124 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/bio.h>
-#include <openssl/crypto.h>
-#include <openssl/ec_key.h>
-#include <openssl/err.h>
-
-#include "internal.h"
-
-
-static const uint8_t kECKeyWithoutPublic[] = {
-  0x30, 0x31, 0x02, 0x01, 0x01, 0x04, 0x20, 0xc6, 0xc1, 0xaa, 0xda, 0x15, 0xb0,
-  0x76, 0x61, 0xf8, 0x14, 0x2c, 0x6c, 0xaf, 0x0f, 0xdb, 0x24, 0x1a, 0xff, 0x2e,
-  0xfe, 0x46, 0xc0, 0x93, 0x8b, 0x74, 0xf2, 0xbc, 0xc5, 0x30, 0x52, 0xb0, 0x77,
-  0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07,
-};
-
-int test_d2i_ECPrivateKey(void) {
-  int len, ret = 0;
-  uint8_t *out = NULL, *outp;
-  const uint8_t *inp;
-  EC_KEY *key = NULL;
-  BIGNUM *x = NULL, *y = NULL;
-  const EC_POINT *public;
-  char *x_hex = NULL, *y_hex = NULL;
-
-  inp = kECKeyWithoutPublic;
-  key = d2i_ECPrivateKey(NULL, &inp, sizeof(kECKeyWithoutPublic));
-
-  if (key == NULL || inp != kECKeyWithoutPublic + sizeof(kECKeyWithoutPublic)) {
-    fprintf(stderr, "Failed to parse private key.\n");
-    BIO_print_errors_fp(stderr);
-    goto out;
-  }
-
-  len = i2d_ECPrivateKey(key, NULL);
-  out = malloc(len);
-  outp = out;
-  if (len != i2d_ECPrivateKey(key, &outp)) {
-    fprintf(stderr, "Failed to serialize private key.\n");
-    BIO_print_errors_fp(stderr);
-    goto out;
-  }
-
-  if (0 != memcmp(out, kECKeyWithoutPublic, len)) {
-    fprintf(stderr, "Serialisation of key doesn't match original.\n");
-    goto out;
-  }
-
-  public = EC_KEY_get0_public_key(key);
-  if (public == NULL) {
-    fprintf(stderr, "Public key missing.\n");
-    goto out;
-  }
-
-  x = BN_new();
-  y = BN_new();
-  if (x == NULL || y == NULL) {
-    goto out;
-  }
-  if (!EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(key), public, x, y,
-                                           NULL)) {
-    fprintf(stderr, "Failed to get public key in affine coordinates.\n");
-    goto out;
-  }
-  x_hex = BN_bn2hex(x);
-  y_hex = BN_bn2hex(y);
-  if (0 != strcmp(x_hex, "c81561ecf2e54edefe6617db1c7a34a70744ddb261f269b83dacfcd2ade5a681") ||
-      0 != strcmp(y_hex, "e0e2afa3f9b6abe4c698ef6495f1be49a3196c5056acb3763fe4507eec596e88")) {
-    fprintf(stderr, "Incorrect public key: %s %s\n", x_hex, y_hex);
-    goto out;
-  }
-
-  ret = 1;
-
-out:
-  if (key != NULL) {
-    EC_KEY_free(key);
-  }
-  if (out != NULL) {
-    free(out);
-  }
-  if (x != NULL) {
-    BN_free(x);
-  }
-  if (y != NULL) {
-    BN_free(y);
-  }
-  if (x_hex != NULL) {
-    OPENSSL_free(x_hex);
-  }
-  if (y_hex != NULL) {
-    OPENSSL_free(y_hex);
-  }
-  return ret;
-}
-
-int main(void) {
-  CRYPTO_library_init();
-  ERR_load_crypto_strings();
-
-  if (!test_d2i_ECPrivateKey()) {
-    fprintf(stderr, "failed\n");
-    return 1;
-  }
-
-  printf("PASS\n");
-  return 0;
-}
diff --git a/src/crypto/ec/ec_test.cc b/src/crypto/ec/ec_test.cc
new file mode 100644
index 0000000..74685eb
--- /dev/null
+++ b/src/crypto/ec/ec_test.cc
@@ -0,0 +1,185 @@
+/* Copyright (c) 2014, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <stdio.h>
+#include <string.h>
+
+#include <vector>
+
+#include <openssl/crypto.h>
+#include <openssl/ec_key.h>
+#include <openssl/err.h>
+#include <openssl/mem.h>
+
+#include "../test/scoped_types.h"
+#include "../test/stl_compat.h"
+
+
+// kECKeyWithoutPublic is an ECPrivateKey with the optional publicKey field
+// omitted.
+static const uint8_t kECKeyWithoutPublic[] = {
+  0x30, 0x31, 0x02, 0x01, 0x01, 0x04, 0x20, 0xc6, 0xc1, 0xaa, 0xda, 0x15, 0xb0,
+  0x76, 0x61, 0xf8, 0x14, 0x2c, 0x6c, 0xaf, 0x0f, 0xdb, 0x24, 0x1a, 0xff, 0x2e,
+  0xfe, 0x46, 0xc0, 0x93, 0x8b, 0x74, 0xf2, 0xbc, 0xc5, 0x30, 0x52, 0xb0, 0x77,
+  0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07,
+};
+
+// kECKeyMissingZeros is an ECPrivateKey containing a degenerate P-256 key where
+// the private key is one. The private key is incorrectly encoded without zero
+// padding.
+static const uint8_t kECKeyMissingZeros[] = {
+  0x30, 0x58, 0x02, 0x01, 0x01, 0x04, 0x01, 0x01, 0xa0, 0x0a, 0x06, 0x08, 0x2a,
+  0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0xa1, 0x44, 0x03, 0x42, 0x00, 0x04,
+  0x6b, 0x17, 0xd1, 0xf2, 0xe1, 0x2c, 0x42, 0x47, 0xf8, 0xbc, 0xe6, 0xe5, 0x63,
+  0xa4, 0x40, 0xf2, 0x77, 0x03, 0x7d, 0x81, 0x2d, 0xeb, 0x33, 0xa0, 0xf4, 0xa1,
+  0x39, 0x45, 0xd8, 0x98, 0xc2, 0x96, 0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f,
+  0x9b, 0x8e, 0xe7, 0xeb, 0x4a, 0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57,
+  0x6b, 0x31, 0x5e, 0xce, 0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5,
+};
+
+// kECKeyMissingZeros is an ECPrivateKey containing a degenerate P-256 key where
+// the private key is one. The private key is encoded with the required zero
+// padding.
+static const uint8_t kECKeyWithZeros[] = {
+  0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
+  0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0xa1,
+  0x44, 0x03, 0x42, 0x00, 0x04, 0x6b, 0x17, 0xd1, 0xf2, 0xe1, 0x2c, 0x42, 0x47,
+  0xf8, 0xbc, 0xe6, 0xe5, 0x63, 0xa4, 0x40, 0xf2, 0x77, 0x03, 0x7d, 0x81, 0x2d,
+  0xeb, 0x33, 0xa0, 0xf4, 0xa1, 0x39, 0x45, 0xd8, 0x98, 0xc2, 0x96, 0x4f, 0xe3,
+  0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a, 0x7c, 0x0f, 0x9e,
+  0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce, 0xcb, 0xb6, 0x40, 0x68,
+  0x37, 0xbf, 0x51, 0xf5,
+};
+
+// DecodeECPrivateKey decodes |in| as an ECPrivateKey structure and returns the
+// result or nullptr on error.
+static ScopedEC_KEY DecodeECPrivateKey(const uint8_t *in, size_t in_len) {
+  const uint8_t *inp = in;
+  ScopedEC_KEY ret(d2i_ECPrivateKey(NULL, &inp, in_len));
+  if (!ret || inp != in + in_len) {
+    return nullptr;
+  }
+  return ret;
+}
+
+// EncodeECPrivateKey encodes |key| as an ECPrivateKey structure into |*out|. It
+// returns true on success or false on error.
+static bool EncodeECPrivateKey(std::vector<uint8_t> *out, EC_KEY *key) {
+  int len = i2d_ECPrivateKey(key, NULL);
+  out->resize(len);
+  uint8_t *outp = bssl::vector_data(out);
+  return i2d_ECPrivateKey(key, &outp) == len;
+}
+
+bool Testd2i_ECPrivateKey() {
+  ScopedEC_KEY key = DecodeECPrivateKey(kECKeyWithoutPublic,
+                                        sizeof(kECKeyWithoutPublic));
+  if (!key) {
+    fprintf(stderr, "Failed to parse private key.\n");
+    ERR_print_errors_fp(stderr);
+    return false;
+  }
+
+  std::vector<uint8_t> out;
+  if (!EncodeECPrivateKey(&out, key.get())) {
+    fprintf(stderr, "Failed to serialize private key.\n");
+    ERR_print_errors_fp(stderr);
+    return false;
+  }
+
+  if (std::vector<uint8_t>(kECKeyWithoutPublic,
+                           kECKeyWithoutPublic + sizeof(kECKeyWithoutPublic)) !=
+      out) {
+    fprintf(stderr, "Serialisation of key doesn't match original.\n");
+    return false;
+  }
+
+  const EC_POINT *pub_key = EC_KEY_get0_public_key(key.get());
+  if (pub_key == NULL) {
+    fprintf(stderr, "Public key missing.\n");
+    return false;
+  }
+
+  ScopedBIGNUM x(BN_new());
+  ScopedBIGNUM y(BN_new());
+  if (!x || !y) {
+    return false;
+  }
+  if (!EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(key.get()),
+                                           pub_key, x.get(), y.get(), NULL)) {
+    fprintf(stderr, "Failed to get public key in affine coordinates.\n");
+    return false;
+  }
+  ScopedOpenSSLString x_hex(BN_bn2hex(x.get()));
+  ScopedOpenSSLString y_hex(BN_bn2hex(y.get()));
+  if (0 != strcmp(
+          x_hex.get(),
+          "c81561ecf2e54edefe6617db1c7a34a70744ddb261f269b83dacfcd2ade5a681") ||
+      0 != strcmp(
+          y_hex.get(),
+          "e0e2afa3f9b6abe4c698ef6495f1be49a3196c5056acb3763fe4507eec596e88")) {
+    fprintf(stderr, "Incorrect public key: %s %s\n", x_hex.get(), y_hex.get());
+    return false;
+  }
+
+  return true;
+}
+
+static bool TestZeroPadding() {
+  // Check that the correct encoding round-trips.
+  ScopedEC_KEY key = DecodeECPrivateKey(kECKeyWithZeros,
+                                        sizeof(kECKeyWithZeros));
+  std::vector<uint8_t> out;
+  if (!key || !EncodeECPrivateKey(&out, key.get())) {
+    ERR_print_errors_fp(stderr);
+    return false;
+  }
+
+  if (std::vector<uint8_t>(kECKeyWithZeros,
+                           kECKeyWithZeros + sizeof(kECKeyWithZeros)) != out) {
+    fprintf(stderr, "Serialisation of key was incorrect.\n");
+    return false;
+  }
+
+  // Keys without leading zeros also parse, but they encode correctly.
+  key = DecodeECPrivateKey(kECKeyMissingZeros, sizeof(kECKeyMissingZeros));
+  if (!key || !EncodeECPrivateKey(&out, key.get())) {
+    ERR_print_errors_fp(stderr);
+    return false;
+  }
+
+  if (std::vector<uint8_t>(kECKeyWithZeros,
+                           kECKeyWithZeros + sizeof(kECKeyWithZeros)) != out) {
+    fprintf(stderr, "Serialisation of key was incorrect.\n");
+    return false;
+  }
+
+  return true;
+}
+
+int main(void) {
+  CRYPTO_library_init();
+  ERR_load_crypto_strings();
+
+  if (!Testd2i_ECPrivateKey() ||
+      !TestZeroPadding()) {
+    fprintf(stderr, "failed\n");
+    return 1;
+  }
+
+  printf("PASS\n");
+  return 0;
+}
diff --git a/src/crypto/ec/internal.h b/src/crypto/ec/internal.h
index da116c4..0a8bf24 100644
--- a/src/crypto/ec/internal.h
+++ b/src/crypto/ec/internal.h
@@ -81,8 +81,6 @@ extern "C" {
 /* Use default functions for poin2oct, oct2point and compressed coordinates */
 #define EC_FLAGS_DEFAULT_OCT 0x1
 
-typedef struct ec_method_st EC_METHOD;
-
 struct ec_method_st {
   /* Various method flags */
   int flags;
@@ -205,35 +203,14 @@ struct ec_group_st {
   /* The following members are handled by the method functions,
    * even if they appear generic */
 
-  BIGNUM field; /* Field specification.
-                 * For curves over GF(p), this is the modulus;
-                 * for curves over GF(2^m), this is the
-                 * irreducible polynomial defining the field. */
-
-  int poly[6]; /* Field specification for curves over GF(2^m).
-                * The irreducible f(t) is then of the form:
-                *     t^poly[0] + t^poly[1] + ... + t^poly[k]
-                * where m = poly[0] > poly[1] > ... > poly[k] = 0.
-                * The array is terminated with poly[k+1]=-1.
-                * All elliptic curve irreducibles have at most 5
-                * non-zero terms. */
-
-  BIGNUM a, b; /* Curve coefficients.
-                * (Here the assumption is that BIGNUMs can be used
-                * or abused for all kinds of fields, not just GF(p).)
-                * For characteristic  > 3,  the curve is defined
-                * by a Weierstrass equation of the form
-                *     y^2 = x^3 + a*x + b.
-                * For characteristic  2,  the curve is defined by
-                * an equation of the form
-                *     y^2 + x*y = x^3 + a*x^2 + b. */
+  BIGNUM field; /* For curves over GF(p), this is the modulus. */
+
+  BIGNUM a, b; /* Curve coefficients. */
 
   int a_is_minus3; /* enable optimized point arithmetics for special case */
 
-  void *field_data1; /* method-specific (e.g., Montgomery structure) */
-  void *field_data2; /* method-specific */
-  int (*field_mod_func)(BIGNUM *, const BIGNUM *, const BIGNUM *,
-                        BN_CTX *); /* method-specific */
+  BN_MONT_CTX *mont; /* Montgomery structure. */
+  BIGNUM *one; /* The value one */
 } /* EC_GROUP */;
 
 struct ec_point_st {
@@ -250,6 +227,7 @@ struct ec_point_st {
 } /* EC_POINT */;
 
 EC_GROUP *ec_group_new(const EC_METHOD *meth);
+int ec_group_copy(EC_GROUP *dest, const EC_GROUP *src);
 
 int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
                 size_t num, const EC_POINT *points[], const BIGNUM *scalars[],
@@ -329,6 +307,19 @@ int ec_point_set_Jprojective_coordinates_GFp(const EC_GROUP *group,
                                              const BIGNUM *y, const BIGNUM *z,
                                              BN_CTX *ctx);
 
+void ec_GFp_nistp_points_make_affine_internal(
+    size_t num, void *point_array, size_t felem_size, void *tmp_felems,
+    void (*felem_one)(void *out), int (*felem_is_zero)(const void *in),
+    void (*felem_assign)(void *out, const void *in),
+    void (*felem_square)(void *out, const void *in),
+    void (*felem_mul)(void *out, const void *in1, const void *in2),
+    void (*felem_inv)(void *out, const void *in),
+    void (*felem_contract)(void *out, const void *in));
+
+void ec_GFp_nistp_recode_scalar_bits(uint8_t *sign, uint8_t *digit, uint8_t in);
+
+const EC_METHOD *EC_GFp_nistp256_method(void);
+
 struct ec_key_st {
   int version;
 
diff --git a/src/crypto/ec/oct.c b/src/crypto/ec/oct.c
index c4729ef..816a42f 100644
--- a/src/crypto/ec/oct.c
+++ b/src/crypto/ec/oct.c
@@ -164,18 +164,14 @@ static size_t ec_GFp_simple_point2oct(const EC_GROUP *group,
   if (used_ctx) {
     BN_CTX_end(ctx);
   }
-  if (new_ctx != NULL) {
-    BN_CTX_free(new_ctx);
-  }
+  BN_CTX_free(new_ctx);
   return ret;
 
 err:
   if (used_ctx) {
     BN_CTX_end(ctx);
   }
-  if (new_ctx != NULL) {
-    BN_CTX_free(new_ctx);
-  }
+  BN_CTX_free(new_ctx);
   return 0;
 }
 
@@ -227,40 +223,46 @@ static int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
 
   if (ctx == NULL) {
     ctx = new_ctx = BN_CTX_new();
-    if (ctx == NULL)
+    if (ctx == NULL) {
       return 0;
+    }
   }
 
   BN_CTX_start(ctx);
   x = BN_CTX_get(ctx);
   y = BN_CTX_get(ctx);
-  if (y == NULL)
+  if (y == NULL) {
     goto err;
+  }
 
-  if (!BN_bin2bn(buf + 1, field_len, x))
+  if (!BN_bin2bn(buf + 1, field_len, x)) {
     goto err;
+  }
   if (BN_ucmp(x, &group->field) >= 0) {
     OPENSSL_PUT_ERROR(EC, ec_GFp_simple_oct2point, EC_R_INVALID_ENCODING);
     goto err;
   }
 
   if (form == POINT_CONVERSION_COMPRESSED) {
-    if (!EC_POINT_set_compressed_coordinates_GFp(group, point, x, y_bit, ctx))
+    if (!EC_POINT_set_compressed_coordinates_GFp(group, point, x, y_bit, ctx)) {
       goto err;
+    }
   } else {
-    if (!BN_bin2bn(buf + 1 + field_len, field_len, y))
+    if (!BN_bin2bn(buf + 1 + field_len, field_len, y)) {
       goto err;
+    }
     if (BN_ucmp(y, &group->field) >= 0) {
       OPENSSL_PUT_ERROR(EC, ec_GFp_simple_oct2point, EC_R_INVALID_ENCODING);
       goto err;
     }
 
-    if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx))
+    if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) {
       goto err;
+    }
   }
 
-  if (!EC_POINT_is_on_curve(group, point, ctx)) /* test required by X9.62 */
-  {
+  /* test required by X9.62 */
+  if (!EC_POINT_is_on_curve(group, point, ctx)) {
     OPENSSL_PUT_ERROR(EC, ec_GFp_simple_oct2point, EC_R_POINT_IS_NOT_ON_CURVE);
     goto err;
   }
@@ -269,8 +271,7 @@ static int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
 
 err:
   BN_CTX_end(ctx);
-  if (new_ctx != NULL)
-    BN_CTX_free(new_ctx);
+  BN_CTX_free(new_ctx);
   return ret;
 }
 
@@ -441,15 +442,15 @@ int ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *group,
     goto err;
   }
 
-  if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx))
+  if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) {
     goto err;
+  }
 
   ret = 1;
 
 err:
   BN_CTX_end(ctx);
-  if (new_ctx != NULL)
-    BN_CTX_free(new_ctx);
+  BN_CTX_free(new_ctx);
   return ret;
 }
 
diff --git a/src/crypto/ec/p256-64.c b/src/crypto/ec/p256-64.c
new file mode 100644
index 0000000..8f824de
--- /dev/null
+++ b/src/crypto/ec/p256-64.c
@@ -0,0 +1,1936 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+/* A 64-bit implementation of the NIST P-256 elliptic curve point
+ * multiplication
+ *
+ * OpenSSL integration was taken from Emilia Kasper's work in ecp_nistp224.c.
+ * Otherwise based on Emilia's P224 work, which was inspired by my curve25519
+ * work which got its smarts from Daniel J. Bernstein's work on the same. */
+
+#include <openssl/base.h>
+
+#if defined(OPENSSL_64_BIT) && !defined(OPENSSL_WINDOWS)
+
+#include <openssl/bn.h>
+#include <openssl/ec.h>
+#include <openssl/err.h>
+#include <openssl/mem.h>
+#include <openssl/obj.h>
+
+#include <string.h>
+
+#include "internal.h"
+
+
+typedef uint8_t u8;
+typedef uint64_t u64;
+typedef int64_t s64;
+typedef __uint128_t uint128_t;
+typedef __int128_t int128_t;
+
+/* The underlying field. P256 operates over GF(2^256-2^224+2^192+2^96-1). We
+ * can serialise an element of this field into 32 bytes. We call this an
+ * felem_bytearray. */
+typedef u8 felem_bytearray[32];
+
+/* These are the parameters of P256, taken from FIPS 186-3, page 86. These
+ * values are big-endian. */
+static const felem_bytearray nistp256_curve_params[5] = {
+    {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01, /* p */
+     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
+    {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01, /* a = -3 */
+     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+     0xfc}, /* b */
+    {0x5a, 0xc6, 0x35, 0xd8, 0xaa, 0x3a, 0x93, 0xe7, 0xb3, 0xeb, 0xbd, 0x55,
+     0x76, 0x98, 0x86, 0xbc, 0x65, 0x1d, 0x06, 0xb0, 0xcc, 0x53, 0xb0, 0xf6,
+     0x3b, 0xce, 0x3c, 0x3e, 0x27, 0xd2, 0x60, 0x4b},
+    {0x6b, 0x17, 0xd1, 0xf2, 0xe1, 0x2c, 0x42, 0x47, /* x */
+     0xf8, 0xbc, 0xe6, 0xe5, 0x63, 0xa4, 0x40, 0xf2, 0x77, 0x03, 0x7d, 0x81,
+     0x2d, 0xeb, 0x33, 0xa0, 0xf4, 0xa1, 0x39, 0x45, 0xd8, 0x98, 0xc2, 0x96},
+    {0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, /* y */
+     0x8e, 0xe7, 0xeb, 0x4a, 0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57,
+     0x6b, 0x31, 0x5e, 0xce, 0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5}};
+
+/* The representation of field elements.
+ * ------------------------------------
+ *
+ * We represent field elements with either four 128-bit values, eight 128-bit
+ * values, or four 64-bit values. The field element represented is:
+ *   v[0]*2^0 + v[1]*2^64 + v[2]*2^128 + v[3]*2^192  (mod p)
+ * or:
+ *   v[0]*2^0 + v[1]*2^64 + v[2]*2^128 + ... + v[8]*2^512  (mod p)
+ *
+ * 128-bit values are called 'limbs'. Since the limbs are spaced only 64 bits
+ * apart, but are 128-bits wide, the most significant bits of each limb overlap
+ * with the least significant bits of the next.
+ *
+ * A field element with four limbs is an 'felem'. One with eight limbs is a
+ * 'longfelem'
+ *
+ * A field element with four, 64-bit values is called a 'smallfelem'. Small
+ * values are used as intermediate values before multiplication. */
+
+#define NLIMBS 4
+
+typedef uint128_t limb;
+typedef limb felem[NLIMBS];
+typedef limb longfelem[NLIMBS * 2];
+typedef u64 smallfelem[NLIMBS];
+
+/* This is the value of the prime as four 64-bit words, little-endian. */
+static const u64 kPrime[4] = {0xfffffffffffffffful, 0xffffffff, 0,
+                              0xffffffff00000001ul};
+static const u64 bottom63bits = 0x7ffffffffffffffful;
+
+/* bin32_to_felem takes a little-endian byte array and converts it into felem
+ * form. This assumes that the CPU is little-endian. */
+static void bin32_to_felem(felem out, const u8 in[32]) {
+  out[0] = *((u64 *)&in[0]);
+  out[1] = *((u64 *)&in[8]);
+  out[2] = *((u64 *)&in[16]);
+  out[3] = *((u64 *)&in[24]);
+}
+
+/* smallfelem_to_bin32 takes a smallfelem and serialises into a little endian,
+ * 32 byte array. This assumes that the CPU is little-endian. */
+static void smallfelem_to_bin32(u8 out[32], const smallfelem in) {
+  *((u64 *)&out[0]) = in[0];
+  *((u64 *)&out[8]) = in[1];
+  *((u64 *)&out[16]) = in[2];
+  *((u64 *)&out[24]) = in[3];
+}
+
+/* To preserve endianness when using BN_bn2bin and BN_bin2bn. */
+static void flip_endian(u8 *out, const u8 *in, unsigned len) {
+  unsigned i;
+  for (i = 0; i < len; ++i) {
+    out[i] = in[len - 1 - i];
+  }
+}
+
+/* BN_to_felem converts an OpenSSL BIGNUM into an felem. */
+static int BN_to_felem(felem out, const BIGNUM *bn) {
+  if (BN_is_negative(bn)) {
+    OPENSSL_PUT_ERROR(EC, BN_to_felem, EC_R_BIGNUM_OUT_OF_RANGE);
+    return 0;
+  }
+
+  felem_bytearray b_out;
+  /* BN_bn2bin eats leading zeroes */
+  memset(b_out, 0, sizeof(b_out));
+  unsigned num_bytes = BN_num_bytes(bn);
+  if (num_bytes > sizeof(b_out)) {
+    OPENSSL_PUT_ERROR(EC, BN_to_felem, EC_R_BIGNUM_OUT_OF_RANGE);
+    return 0;
+  }
+
+  felem_bytearray b_in;
+  num_bytes = BN_bn2bin(bn, b_in);
+  flip_endian(b_out, b_in, num_bytes);
+  bin32_to_felem(out, b_out);
+  return 1;
+}
+
+/* felem_to_BN converts an felem into an OpenSSL BIGNUM. */
+static BIGNUM *smallfelem_to_BN(BIGNUM *out, const smallfelem in) {
+  felem_bytearray b_in, b_out;
+  smallfelem_to_bin32(b_in, in);
+  flip_endian(b_out, b_in, sizeof(b_out));
+  return BN_bin2bn(b_out, sizeof(b_out), out);
+}
+
+/* Field operations. */
+
+static void smallfelem_one(smallfelem out) {
+  out[0] = 1;
+  out[1] = 0;
+  out[2] = 0;
+  out[3] = 0;
+}
+
+static void smallfelem_assign(smallfelem out, const smallfelem in) {
+  out[0] = in[0];
+  out[1] = in[1];
+  out[2] = in[2];
+  out[3] = in[3];
+}
+
+static void felem_assign(felem out, const felem in) {
+  out[0] = in[0];
+  out[1] = in[1];
+  out[2] = in[2];
+  out[3] = in[3];
+}
+
+/* felem_sum sets out = out + in. */
+static void felem_sum(felem out, const felem in) {
+  out[0] += in[0];
+  out[1] += in[1];
+  out[2] += in[2];
+  out[3] += in[3];
+}
+
+/* felem_small_sum sets out = out + in. */
+static void felem_small_sum(felem out, const smallfelem in) {
+  out[0] += in[0];
+  out[1] += in[1];
+  out[2] += in[2];
+  out[3] += in[3];
+}
+
+/* felem_scalar sets out = out * scalar */
+static void felem_scalar(felem out, const u64 scalar) {
+  out[0] *= scalar;
+  out[1] *= scalar;
+  out[2] *= scalar;
+  out[3] *= scalar;
+}
+
+/* longfelem_scalar sets out = out * scalar */
+static void longfelem_scalar(longfelem out, const u64 scalar) {
+  out[0] *= scalar;
+  out[1] *= scalar;
+  out[2] *= scalar;
+  out[3] *= scalar;
+  out[4] *= scalar;
+  out[5] *= scalar;
+  out[6] *= scalar;
+  out[7] *= scalar;
+}
+
+#define two105m41m9 (((limb)1) << 105) - (((limb)1) << 41) - (((limb)1) << 9)
+#define two105 (((limb)1) << 105)
+#define two105m41p9 (((limb)1) << 105) - (((limb)1) << 41) + (((limb)1) << 9)
+
+/* zero105 is 0 mod p */
+static const felem zero105 = {two105m41m9, two105, two105m41p9, two105m41p9};
+
+/* smallfelem_neg sets |out| to |-small|
+ * On exit:
+ *   out[i] < out[i] + 2^105 */
+static void smallfelem_neg(felem out, const smallfelem small) {
+  /* In order to prevent underflow, we subtract from 0 mod p. */
+  out[0] = zero105[0] - small[0];
+  out[1] = zero105[1] - small[1];
+  out[2] = zero105[2] - small[2];
+  out[3] = zero105[3] - small[3];
+}
+
+/* felem_diff subtracts |in| from |out|
+ * On entry:
+ *   in[i] < 2^104
+ * On exit:
+ *   out[i] < out[i] + 2^105. */
+static void felem_diff(felem out, const felem in) {
+  /* In order to prevent underflow, we add 0 mod p before subtracting. */
+  out[0] += zero105[0];
+  out[1] += zero105[1];
+  out[2] += zero105[2];
+  out[3] += zero105[3];
+
+  out[0] -= in[0];
+  out[1] -= in[1];
+  out[2] -= in[2];
+  out[3] -= in[3];
+}
+
+#define two107m43m11 (((limb)1) << 107) - (((limb)1) << 43) - (((limb)1) << 11)
+#define two107 (((limb)1) << 107)
+#define two107m43p11 (((limb)1) << 107) - (((limb)1) << 43) + (((limb)1) << 11)
+
+/* zero107 is 0 mod p */
+static const felem zero107 = {two107m43m11, two107, two107m43p11, two107m43p11};
+
+/* An alternative felem_diff for larger inputs |in|
+ * felem_diff_zero107 subtracts |in| from |out|
+ * On entry:
+ *   in[i] < 2^106
+ * On exit:
+ *   out[i] < out[i] + 2^107. */
+static void felem_diff_zero107(felem out, const felem in) {
+  /* In order to prevent underflow, we add 0 mod p before subtracting. */
+  out[0] += zero107[0];
+  out[1] += zero107[1];
+  out[2] += zero107[2];
+  out[3] += zero107[3];
+
+  out[0] -= in[0];
+  out[1] -= in[1];
+  out[2] -= in[2];
+  out[3] -= in[3];
+}
+
+/* longfelem_diff subtracts |in| from |out|
+ * On entry:
+ *   in[i] < 7*2^67
+ * On exit:
+ *   out[i] < out[i] + 2^70 + 2^40. */
+static void longfelem_diff(longfelem out, const longfelem in) {
+  static const limb two70m8p6 =
+      (((limb)1) << 70) - (((limb)1) << 8) + (((limb)1) << 6);
+  static const limb two70p40 = (((limb)1) << 70) + (((limb)1) << 40);
+  static const limb two70 = (((limb)1) << 70);
+  static const limb two70m40m38p6 = (((limb)1) << 70) - (((limb)1) << 40) -
+                                    (((limb)1) << 38) + (((limb)1) << 6);
+  static const limb two70m6 = (((limb)1) << 70) - (((limb)1) << 6);
+
+  /* add 0 mod p to avoid underflow */
+  out[0] += two70m8p6;
+  out[1] += two70p40;
+  out[2] += two70;
+  out[3] += two70m40m38p6;
+  out[4] += two70m6;
+  out[5] += two70m6;
+  out[6] += two70m6;
+  out[7] += two70m6;
+
+  /* in[i] < 7*2^67 < 2^70 - 2^40 - 2^38 + 2^6 */
+  out[0] -= in[0];
+  out[1] -= in[1];
+  out[2] -= in[2];
+  out[3] -= in[3];
+  out[4] -= in[4];
+  out[5] -= in[5];
+  out[6] -= in[6];
+  out[7] -= in[7];
+}
+
+#define two64m0 (((limb)1) << 64) - 1
+#define two110p32m0 (((limb)1) << 110) + (((limb)1) << 32) - 1
+#define two64m46 (((limb)1) << 64) - (((limb)1) << 46)
+#define two64m32 (((limb)1) << 64) - (((limb)1) << 32)
+
+/* zero110 is 0 mod p. */
+static const felem zero110 = {two64m0, two110p32m0, two64m46, two64m32};
+
+/* felem_shrink converts an felem into a smallfelem. The result isn't quite
+ * minimal as the value may be greater than p.
+ *
+ * On entry:
+ *   in[i] < 2^109
+ * On exit:
+ *   out[i] < 2^64. */
+static void felem_shrink(smallfelem out, const felem in) {
+  felem tmp;
+  u64 a, b, mask;
+  s64 high, low;
+  static const u64 kPrime3Test = 0x7fffffff00000001ul; /* 2^63 - 2^32 + 1 */
+
+  /* Carry 2->3 */
+  tmp[3] = zero110[3] + in[3] + ((u64)(in[2] >> 64));
+  /* tmp[3] < 2^110 */
+
+  tmp[2] = zero110[2] + (u64)in[2];
+  tmp[0] = zero110[0] + in[0];
+  tmp[1] = zero110[1] + in[1];
+  /* tmp[0] < 2**110, tmp[1] < 2^111, tmp[2] < 2**65 */
+
+  /* We perform two partial reductions where we eliminate the high-word of
+   * tmp[3]. We don't update the other words till the end. */
+  a = tmp[3] >> 64; /* a < 2^46 */
+  tmp[3] = (u64)tmp[3];
+  tmp[3] -= a;
+  tmp[3] += ((limb)a) << 32;
+  /* tmp[3] < 2^79 */
+
+  b = a;
+  a = tmp[3] >> 64; /* a < 2^15 */
+  b += a;           /* b < 2^46 + 2^15 < 2^47 */
+  tmp[3] = (u64)tmp[3];
+  tmp[3] -= a;
+  tmp[3] += ((limb)a) << 32;
+  /* tmp[3] < 2^64 + 2^47 */
+
+  /* This adjusts the other two words to complete the two partial
+   * reductions. */
+  tmp[0] += b;
+  tmp[1] -= (((limb)b) << 32);
+
+  /* In order to make space in tmp[3] for the carry from 2 -> 3, we
+   * conditionally subtract kPrime if tmp[3] is large enough. */
+  high = tmp[3] >> 64;
+  /* As tmp[3] < 2^65, high is either 1 or 0 */
+  high <<= 63;
+  high >>= 63;
+  /* high is:
+   *   all ones   if the high word of tmp[3] is 1
+   *   all zeros  if the high word of tmp[3] if 0 */
+  low = tmp[3];
+  mask = low >> 63;
+  /* mask is:
+   *   all ones   if the MSB of low is 1
+   *   all zeros  if the MSB of low if 0 */
+  low &= bottom63bits;
+  low -= kPrime3Test;
+  /* if low was greater than kPrime3Test then the MSB is zero */
+  low = ~low;
+  low >>= 63;
+  /* low is:
+   *   all ones   if low was > kPrime3Test
+   *   all zeros  if low was <= kPrime3Test */
+  mask = (mask & low) | high;
+  tmp[0] -= mask & kPrime[0];
+  tmp[1] -= mask & kPrime[1];
+  /* kPrime[2] is zero, so omitted */
+  tmp[3] -= mask & kPrime[3];
+  /* tmp[3] < 2**64 - 2**32 + 1 */
+
+  tmp[1] += ((u64)(tmp[0] >> 64));
+  tmp[0] = (u64)tmp[0];
+  tmp[2] += ((u64)(tmp[1] >> 64));
+  tmp[1] = (u64)tmp[1];
+  tmp[3] += ((u64)(tmp[2] >> 64));
+  tmp[2] = (u64)tmp[2];
+  /* tmp[i] < 2^64 */
+
+  out[0] = tmp[0];
+  out[1] = tmp[1];
+  out[2] = tmp[2];
+  out[3] = tmp[3];
+}
+
+/* smallfelem_expand converts a smallfelem to an felem */
+static void smallfelem_expand(felem out, const smallfelem in) {
+  out[0] = in[0];
+  out[1] = in[1];
+  out[2] = in[2];
+  out[3] = in[3];
+}
+
+/* smallfelem_square sets |out| = |small|^2
+ * On entry:
+ *   small[i] < 2^64
+ * On exit:
+ *   out[i] < 7 * 2^64 < 2^67 */
+static void smallfelem_square(longfelem out, const smallfelem small) {
+  limb a;
+  u64 high, low;
+
+  a = ((uint128_t)small[0]) * small[0];
+  low = a;
+  high = a >> 64;
+  out[0] = low;
+  out[1] = high;
+
+  a = ((uint128_t)small[0]) * small[1];
+  low = a;
+  high = a >> 64;
+  out[1] += low;
+  out[1] += low;
+  out[2] = high;
+
+  a = ((uint128_t)small[0]) * small[2];
+  low = a;
+  high = a >> 64;
+  out[2] += low;
+  out[2] *= 2;
+  out[3] = high;
+
+  a = ((uint128_t)small[0]) * small[3];
+  low = a;
+  high = a >> 64;
+  out[3] += low;
+  out[4] = high;
+
+  a = ((uint128_t)small[1]) * small[2];
+  low = a;
+  high = a >> 64;
+  out[3] += low;
+  out[3] *= 2;
+  out[4] += high;
+
+  a = ((uint128_t)small[1]) * small[1];
+  low = a;
+  high = a >> 64;
+  out[2] += low;
+  out[3] += high;
+
+  a = ((uint128_t)small[1]) * small[3];
+  low = a;
+  high = a >> 64;
+  out[4] += low;
+  out[4] *= 2;
+  out[5] = high;
+
+  a = ((uint128_t)small[2]) * small[3];
+  low = a;
+  high = a >> 64;
+  out[5] += low;
+  out[5] *= 2;
+  out[6] = high;
+  out[6] += high;
+
+  a = ((uint128_t)small[2]) * small[2];
+  low = a;
+  high = a >> 64;
+  out[4] += low;
+  out[5] += high;
+
+  a = ((uint128_t)small[3]) * small[3];
+  low = a;
+  high = a >> 64;
+  out[6] += low;
+  out[7] = high;
+}
+
+/*felem_square sets |out| = |in|^2
+ * On entry:
+ *   in[i] < 2^109
+ * On exit:
+ *   out[i] < 7 * 2^64 < 2^67. */
+static void felem_square(longfelem out, const felem in) {
+  u64 small[4];
+  felem_shrink(small, in);
+  smallfelem_square(out, small);
+}
+
+/* smallfelem_mul sets |out| = |small1| * |small2|
+ * On entry:
+ *   small1[i] < 2^64
+ *   small2[i] < 2^64
+ * On exit:
+ *   out[i] < 7 * 2^64 < 2^67. */
+static void smallfelem_mul(longfelem out, const smallfelem small1,
+                           const smallfelem small2) {
+  limb a;
+  u64 high, low;
+
+  a = ((uint128_t)small1[0]) * small2[0];
+  low = a;
+  high = a >> 64;
+  out[0] = low;
+  out[1] = high;
+
+  a = ((uint128_t)small1[0]) * small2[1];
+  low = a;
+  high = a >> 64;
+  out[1] += low;
+  out[2] = high;
+
+  a = ((uint128_t)small1[1]) * small2[0];
+  low = a;
+  high = a >> 64;
+  out[1] += low;
+  out[2] += high;
+
+  a = ((uint128_t)small1[0]) * small2[2];
+  low = a;
+  high = a >> 64;
+  out[2] += low;
+  out[3] = high;
+
+  a = ((uint128_t)small1[1]) * small2[1];
+  low = a;
+  high = a >> 64;
+  out[2] += low;
+  out[3] += high;
+
+  a = ((uint128_t)small1[2]) * small2[0];
+  low = a;
+  high = a >> 64;
+  out[2] += low;
+  out[3] += high;
+
+  a = ((uint128_t)small1[0]) * small2[3];
+  low = a;
+  high = a >> 64;
+  out[3] += low;
+  out[4] = high;
+
+  a = ((uint128_t)small1[1]) * small2[2];
+  low = a;
+  high = a >> 64;
+  out[3] += low;
+  out[4] += high;
+
+  a = ((uint128_t)small1[2]) * small2[1];
+  low = a;
+  high = a >> 64;
+  out[3] += low;
+  out[4] += high;
+
+  a = ((uint128_t)small1[3]) * small2[0];
+  low = a;
+  high = a >> 64;
+  out[3] += low;
+  out[4] += high;
+
+  a = ((uint128_t)small1[1]) * small2[3];
+  low = a;
+  high = a >> 64;
+  out[4] += low;
+  out[5] = high;
+
+  a = ((uint128_t)small1[2]) * small2[2];
+  low = a;
+  high = a >> 64;
+  out[4] += low;
+  out[5] += high;
+
+  a = ((uint128_t)small1[3]) * small2[1];
+  low = a;
+  high = a >> 64;
+  out[4] += low;
+  out[5] += high;
+
+  a = ((uint128_t)small1[2]) * small2[3];
+  low = a;
+  high = a >> 64;
+  out[5] += low;
+  out[6] = high;
+
+  a = ((uint128_t)small1[3]) * small2[2];
+  low = a;
+  high = a >> 64;
+  out[5] += low;
+  out[6] += high;
+
+  a = ((uint128_t)small1[3]) * small2[3];
+  low = a;
+  high = a >> 64;
+  out[6] += low;
+  out[7] = high;
+}
+
+/* felem_mul sets |out| = |in1| * |in2|
+ * On entry:
+ *   in1[i] < 2^109
+ *   in2[i] < 2^109
+ * On exit:
+ *   out[i] < 7 * 2^64 < 2^67 */
+static void felem_mul(longfelem out, const felem in1, const felem in2) {
+  smallfelem small1, small2;
+  felem_shrink(small1, in1);
+  felem_shrink(small2, in2);
+  smallfelem_mul(out, small1, small2);
+}
+
+/* felem_small_mul sets |out| = |small1| * |in2|
+ * On entry:
+ *   small1[i] < 2^64
+ *   in2[i] < 2^109
+ * On exit:
+ *   out[i] < 7 * 2^64 < 2^67 */
+static void felem_small_mul(longfelem out, const smallfelem small1,
+                            const felem in2) {
+  smallfelem small2;
+  felem_shrink(small2, in2);
+  smallfelem_mul(out, small1, small2);
+}
+
+#define two100m36m4 (((limb)1) << 100) - (((limb)1) << 36) - (((limb)1) << 4)
+#define two100 (((limb)1) << 100)
+#define two100m36p4 (((limb)1) << 100) - (((limb)1) << 36) + (((limb)1) << 4)
+
+/* zero100 is 0 mod p */
+static const felem zero100 = {two100m36m4, two100, two100m36p4, two100m36p4};
+
+/* Internal function for the different flavours of felem_reduce.
+ * felem_reduce_ reduces the higher coefficients in[4]-in[7].
+ * On entry:
+ *   out[0] >= in[6] + 2^32*in[6] + in[7] + 2^32*in[7]
+ *   out[1] >= in[7] + 2^32*in[4]
+ *   out[2] >= in[5] + 2^32*in[5]
+ *   out[3] >= in[4] + 2^32*in[5] + 2^32*in[6]
+ * On exit:
+ *   out[0] <= out[0] + in[4] + 2^32*in[5]
+ *   out[1] <= out[1] + in[5] + 2^33*in[6]
+ *   out[2] <= out[2] + in[7] + 2*in[6] + 2^33*in[7]
+ *   out[3] <= out[3] + 2^32*in[4] + 3*in[7] */
+static void felem_reduce_(felem out, const longfelem in) {
+  int128_t c;
+  /* combine common terms from below */
+  c = in[4] + (in[5] << 32);
+  out[0] += c;
+  out[3] -= c;
+
+  c = in[5] - in[7];
+  out[1] += c;
+  out[2] -= c;
+
+  /* the remaining terms */
+  /* 256: [(0,1),(96,-1),(192,-1),(224,1)] */
+  out[1] -= (in[4] << 32);
+  out[3] += (in[4] << 32);
+
+  /* 320: [(32,1),(64,1),(128,-1),(160,-1),(224,-1)] */
+  out[2] -= (in[5] << 32);
+
+  /* 384: [(0,-1),(32,-1),(96,2),(128,2),(224,-1)] */
+  out[0] -= in[6];
+  out[0] -= (in[6] << 32);
+  out[1] += (in[6] << 33);
+  out[2] += (in[6] * 2);
+  out[3] -= (in[6] << 32);
+
+  /* 448: [(0,-1),(32,-1),(64,-1),(128,1),(160,2),(192,3)] */
+  out[0] -= in[7];
+  out[0] -= (in[7] << 32);
+  out[2] += (in[7] << 33);
+  out[3] += (in[7] * 3);
+}
+
+/* felem_reduce converts a longfelem into an felem.
+ * To be called directly after felem_square or felem_mul.
+ * On entry:
+ *   in[0] < 2^64, in[1] < 3*2^64, in[2] < 5*2^64, in[3] < 7*2^64
+ *   in[4] < 7*2^64, in[5] < 5*2^64, in[6] < 3*2^64, in[7] < 2*64
+ * On exit:
+ *   out[i] < 2^101 */
+static void felem_reduce(felem out, const longfelem in) {
+  out[0] = zero100[0] + in[0];
+  out[1] = zero100[1] + in[1];
+  out[2] = zero100[2] + in[2];
+  out[3] = zero100[3] + in[3];
+
+  felem_reduce_(out, in);
+
+  /* out[0] > 2^100 - 2^36 - 2^4 - 3*2^64 - 3*2^96 - 2^64 - 2^96 > 0
+   * out[1] > 2^100 - 2^64 - 7*2^96 > 0
+   * out[2] > 2^100 - 2^36 + 2^4 - 5*2^64 - 5*2^96 > 0
+   * out[3] > 2^100 - 2^36 + 2^4 - 7*2^64 - 5*2^96 - 3*2^96 > 0
+   *
+   * out[0] < 2^100 + 2^64 + 7*2^64 + 5*2^96 < 2^101
+   * out[1] < 2^100 + 3*2^64 + 5*2^64 + 3*2^97 < 2^101
+   * out[2] < 2^100 + 5*2^64 + 2^64 + 3*2^65 + 2^97 < 2^101
+   * out[3] < 2^100 + 7*2^64 + 7*2^96 + 3*2^64 < 2^101 */
+}
+
+/* felem_reduce_zero105 converts a larger longfelem into an felem.
+ * On entry:
+ *   in[0] < 2^71
+ * On exit:
+ *   out[i] < 2^106 */
+static void felem_reduce_zero105(felem out, const longfelem in) {
+    out[0] = zero105[0] + in[0];
+    out[1] = zero105[1] + in[1];
+    out[2] = zero105[2] + in[2];
+    out[3] = zero105[3] + in[3];
+
+    felem_reduce_(out, in);
+
+    /* out[0] > 2^105 - 2^41 - 2^9 - 2^71 - 2^103 - 2^71 - 2^103 > 0
+     * out[1] > 2^105 - 2^71 - 2^103 > 0
+     * out[2] > 2^105 - 2^41 + 2^9 - 2^71 - 2^103 > 0
+     * out[3] > 2^105 - 2^41 + 2^9 - 2^71 - 2^103 - 2^103 > 0
+     *
+     * out[0] < 2^105 + 2^71 + 2^71 + 2^103 < 2^106
+     * out[1] < 2^105 + 2^71 + 2^71 + 2^103 < 2^106
+     * out[2] < 2^105 + 2^71 + 2^71 + 2^71 + 2^103 < 2^106
+     * out[3] < 2^105 + 2^71 + 2^103 + 2^71 < 2^106 */
+}
+
+/* subtract_u64 sets *result = *result - v and *carry to one if the
+ * subtraction underflowed. */
+static void subtract_u64(u64 *result, u64 *carry, u64 v) {
+  uint128_t r = *result;
+  r -= v;
+  *carry = (r >> 64) & 1;
+  *result = (u64)r;
+}
+
+/* felem_contract converts |in| to its unique, minimal representation. On
+ * entry: in[i] < 2^109. */
+static void felem_contract(smallfelem out, const felem in) {
+  u64 all_equal_so_far = 0, result = 0;
+
+  felem_shrink(out, in);
+  /* small is minimal except that the value might be > p */
+
+  all_equal_so_far--;
+  /* We are doing a constant time test if out >= kPrime. We need to compare
+   * each u64, from most-significant to least significant. For each one, if
+   * all words so far have been equal (m is all ones) then a non-equal
+   * result is the answer. Otherwise we continue. */
+  unsigned i;
+  for (i = 3; i < 4; i--) {
+    u64 equal;
+    uint128_t a = ((uint128_t)kPrime[i]) - out[i];
+    /* if out[i] > kPrime[i] then a will underflow and the high 64-bits
+     * will all be set. */
+    result |= all_equal_so_far & ((u64)(a >> 64));
+
+    /* if kPrime[i] == out[i] then |equal| will be all zeros and the
+     * decrement will make it all ones. */
+    equal = kPrime[i] ^ out[i];
+    equal--;
+    equal &= equal << 32;
+    equal &= equal << 16;
+    equal &= equal << 8;
+    equal &= equal << 4;
+    equal &= equal << 2;
+    equal &= equal << 1;
+    equal = ((s64)equal) >> 63;
+
+    all_equal_so_far &= equal;
+  }
+
+  /* if all_equal_so_far is still all ones then the two values are equal
+   * and so out >= kPrime is true. */
+  result |= all_equal_so_far;
+
+  /* if out >= kPrime then we subtract kPrime. */
+  u64 carry;
+  subtract_u64(&out[0], &carry, result & kPrime[0]);
+  subtract_u64(&out[1], &carry, carry);
+  subtract_u64(&out[2], &carry, carry);
+  subtract_u64(&out[3], &carry, carry);
+
+  subtract_u64(&out[1], &carry, result & kPrime[1]);
+  subtract_u64(&out[2], &carry, carry);
+  subtract_u64(&out[3], &carry, carry);
+
+  subtract_u64(&out[2], &carry, result & kPrime[2]);
+  subtract_u64(&out[3], &carry, carry);
+
+  subtract_u64(&out[3], &carry, result & kPrime[3]);
+}
+
+static void smallfelem_square_contract(smallfelem out, const smallfelem in) {
+  longfelem longtmp;
+  felem tmp;
+
+  smallfelem_square(longtmp, in);
+  felem_reduce(tmp, longtmp);
+  felem_contract(out, tmp);
+}
+
+static void smallfelem_mul_contract(smallfelem out, const smallfelem in1,
+                                    const smallfelem in2) {
+  longfelem longtmp;
+  felem tmp;
+
+  smallfelem_mul(longtmp, in1, in2);
+  felem_reduce(tmp, longtmp);
+  felem_contract(out, tmp);
+}
+
+/* felem_is_zero returns a limb with all bits set if |in| == 0 (mod p) and 0
+ * otherwise.
+ * On entry:
+ *   small[i] < 2^64 */
+static limb smallfelem_is_zero(const smallfelem small) {
+  limb result;
+  u64 is_p;
+
+  u64 is_zero = small[0] | small[1] | small[2] | small[3];
+  is_zero--;
+  is_zero &= is_zero << 32;
+  is_zero &= is_zero << 16;
+  is_zero &= is_zero << 8;
+  is_zero &= is_zero << 4;
+  is_zero &= is_zero << 2;
+  is_zero &= is_zero << 1;
+  is_zero = ((s64)is_zero) >> 63;
+
+  is_p = (small[0] ^ kPrime[0]) | (small[1] ^ kPrime[1]) |
+         (small[2] ^ kPrime[2]) | (small[3] ^ kPrime[3]);
+  is_p--;
+  is_p &= is_p << 32;
+  is_p &= is_p << 16;
+  is_p &= is_p << 8;
+  is_p &= is_p << 4;
+  is_p &= is_p << 2;
+  is_p &= is_p << 1;
+  is_p = ((s64)is_p) >> 63;
+
+  is_zero |= is_p;
+
+  result = is_zero;
+  result |= ((limb)is_zero) << 64;
+  return result;
+}
+
+static int smallfelem_is_zero_int(const smallfelem small) {
+  return (int)(smallfelem_is_zero(small) & ((limb)1));
+}
+
+/* felem_inv calculates |out| = |in|^{-1}
+ *
+ * Based on Fermat's Little Theorem:
+ *   a^p = a (mod p)
+ *   a^{p-1} = 1 (mod p)
+ *   a^{p-2} = a^{-1} (mod p) */
+static void felem_inv(felem out, const felem in) {
+  felem ftmp, ftmp2;
+  /* each e_I will hold |in|^{2^I - 1} */
+  felem e2, e4, e8, e16, e32, e64;
+  longfelem tmp;
+  unsigned i;
+
+  felem_square(tmp, in);
+  felem_reduce(ftmp, tmp); /* 2^1 */
+  felem_mul(tmp, in, ftmp);
+  felem_reduce(ftmp, tmp); /* 2^2 - 2^0 */
+  felem_assign(e2, ftmp);
+  felem_square(tmp, ftmp);
+  felem_reduce(ftmp, tmp); /* 2^3 - 2^1 */
+  felem_square(tmp, ftmp);
+  felem_reduce(ftmp, tmp); /* 2^4 - 2^2 */
+  felem_mul(tmp, ftmp, e2);
+  felem_reduce(ftmp, tmp); /* 2^4 - 2^0 */
+  felem_assign(e4, ftmp);
+  felem_square(tmp, ftmp);
+  felem_reduce(ftmp, tmp); /* 2^5 - 2^1 */
+  felem_square(tmp, ftmp);
+  felem_reduce(ftmp, tmp); /* 2^6 - 2^2 */
+  felem_square(tmp, ftmp);
+  felem_reduce(ftmp, tmp); /* 2^7 - 2^3 */
+  felem_square(tmp, ftmp);
+  felem_reduce(ftmp, tmp); /* 2^8 - 2^4 */
+  felem_mul(tmp, ftmp, e4);
+  felem_reduce(ftmp, tmp); /* 2^8 - 2^0 */
+  felem_assign(e8, ftmp);
+  for (i = 0; i < 8; i++) {
+    felem_square(tmp, ftmp);
+    felem_reduce(ftmp, tmp);
+  } /* 2^16 - 2^8 */
+  felem_mul(tmp, ftmp, e8);
+  felem_reduce(ftmp, tmp); /* 2^16 - 2^0 */
+  felem_assign(e16, ftmp);
+  for (i = 0; i < 16; i++) {
+    felem_square(tmp, ftmp);
+    felem_reduce(ftmp, tmp);
+  } /* 2^32 - 2^16 */
+  felem_mul(tmp, ftmp, e16);
+  felem_reduce(ftmp, tmp); /* 2^32 - 2^0 */
+  felem_assign(e32, ftmp);
+  for (i = 0; i < 32; i++) {
+    felem_square(tmp, ftmp);
+    felem_reduce(ftmp, tmp);
+  } /* 2^64 - 2^32 */
+  felem_assign(e64, ftmp);
+  felem_mul(tmp, ftmp, in);
+  felem_reduce(ftmp, tmp); /* 2^64 - 2^32 + 2^0 */
+  for (i = 0; i < 192; i++) {
+    felem_square(tmp, ftmp);
+    felem_reduce(ftmp, tmp);
+  } /* 2^256 - 2^224 + 2^192 */
+
+  felem_mul(tmp, e64, e32);
+  felem_reduce(ftmp2, tmp); /* 2^64 - 2^0 */
+  for (i = 0; i < 16; i++) {
+    felem_square(tmp, ftmp2);
+    felem_reduce(ftmp2, tmp);
+  } /* 2^80 - 2^16 */
+  felem_mul(tmp, ftmp2, e16);
+  felem_reduce(ftmp2, tmp); /* 2^80 - 2^0 */
+  for (i = 0; i < 8; i++) {
+    felem_square(tmp, ftmp2);
+    felem_reduce(ftmp2, tmp);
+  } /* 2^88 - 2^8 */
+  felem_mul(tmp, ftmp2, e8);
+  felem_reduce(ftmp2, tmp); /* 2^88 - 2^0 */
+  for (i = 0; i < 4; i++) {
+    felem_square(tmp, ftmp2);
+    felem_reduce(ftmp2, tmp);
+  } /* 2^92 - 2^4 */
+  felem_mul(tmp, ftmp2, e4);
+  felem_reduce(ftmp2, tmp); /* 2^92 - 2^0 */
+  felem_square(tmp, ftmp2);
+  felem_reduce(ftmp2, tmp); /* 2^93 - 2^1 */
+  felem_square(tmp, ftmp2);
+  felem_reduce(ftmp2, tmp); /* 2^94 - 2^2 */
+  felem_mul(tmp, ftmp2, e2);
+  felem_reduce(ftmp2, tmp); /* 2^94 - 2^0 */
+  felem_square(tmp, ftmp2);
+  felem_reduce(ftmp2, tmp); /* 2^95 - 2^1 */
+  felem_square(tmp, ftmp2);
+  felem_reduce(ftmp2, tmp); /* 2^96 - 2^2 */
+  felem_mul(tmp, ftmp2, in);
+  felem_reduce(ftmp2, tmp); /* 2^96 - 3 */
+
+  felem_mul(tmp, ftmp2, ftmp);
+  felem_reduce(out, tmp); /* 2^256 - 2^224 + 2^192 + 2^96 - 3 */
+}
+
+static void smallfelem_inv_contract(smallfelem out, const smallfelem in) {
+  felem tmp;
+
+  smallfelem_expand(tmp, in);
+  felem_inv(tmp, tmp);
+  felem_contract(out, tmp);
+}
+
+/* Group operations
+ * ----------------
+ *
+ * Building on top of the field operations we have the operations on the
+ * elliptic curve group itself. Points on the curve are represented in Jacobian
+ * coordinates. */
+
+/* point_double calculates 2*(x_in, y_in, z_in)
+ *
+ * The method is taken from:
+ *   http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b
+ *
+ * Outputs can equal corresponding inputs, i.e., x_out == x_in is allowed.
+ * while x_out == y_in is not (maybe this works, but it's not tested). */
+static void point_double(felem x_out, felem y_out, felem z_out,
+                         const felem x_in, const felem y_in, const felem z_in) {
+  longfelem tmp, tmp2;
+  felem delta, gamma, beta, alpha, ftmp, ftmp2;
+  smallfelem small1, small2;
+
+  felem_assign(ftmp, x_in);
+  /* ftmp[i] < 2^106 */
+  felem_assign(ftmp2, x_in);
+  /* ftmp2[i] < 2^106 */
+
+  /* delta = z^2 */
+  felem_square(tmp, z_in);
+  felem_reduce(delta, tmp);
+  /* delta[i] < 2^101 */
+
+  /* gamma = y^2 */
+  felem_square(tmp, y_in);
+  felem_reduce(gamma, tmp);
+  /* gamma[i] < 2^101 */
+  felem_shrink(small1, gamma);
+
+  /* beta = x*gamma */
+  felem_small_mul(tmp, small1, x_in);
+  felem_reduce(beta, tmp);
+  /* beta[i] < 2^101 */
+
+  /* alpha = 3*(x-delta)*(x+delta) */
+  felem_diff(ftmp, delta);
+  /* ftmp[i] < 2^105 + 2^106 < 2^107 */
+  felem_sum(ftmp2, delta);
+  /* ftmp2[i] < 2^105 + 2^106 < 2^107 */
+  felem_scalar(ftmp2, 3);
+  /* ftmp2[i] < 3 * 2^107 < 2^109 */
+  felem_mul(tmp, ftmp, ftmp2);
+  felem_reduce(alpha, tmp);
+  /* alpha[i] < 2^101 */
+  felem_shrink(small2, alpha);
+
+  /* x' = alpha^2 - 8*beta */
+  smallfelem_square(tmp, small2);
+  felem_reduce(x_out, tmp);
+  felem_assign(ftmp, beta);
+  felem_scalar(ftmp, 8);
+  /* ftmp[i] < 8 * 2^101 = 2^104 */
+  felem_diff(x_out, ftmp);
+  /* x_out[i] < 2^105 + 2^101 < 2^106 */
+
+  /* z' = (y + z)^2 - gamma - delta */
+  felem_sum(delta, gamma);
+  /* delta[i] < 2^101 + 2^101 = 2^102 */
+  felem_assign(ftmp, y_in);
+  felem_sum(ftmp, z_in);
+  /* ftmp[i] < 2^106 + 2^106 = 2^107 */
+  felem_square(tmp, ftmp);
+  felem_reduce(z_out, tmp);
+  felem_diff(z_out, delta);
+  /* z_out[i] < 2^105 + 2^101 < 2^106 */
+
+  /* y' = alpha*(4*beta - x') - 8*gamma^2 */
+  felem_scalar(beta, 4);
+  /* beta[i] < 4 * 2^101 = 2^103 */
+  felem_diff_zero107(beta, x_out);
+  /* beta[i] < 2^107 + 2^103 < 2^108 */
+  felem_small_mul(tmp, small2, beta);
+  /* tmp[i] < 7 * 2^64 < 2^67 */
+  smallfelem_square(tmp2, small1);
+  /* tmp2[i] < 7 * 2^64 */
+  longfelem_scalar(tmp2, 8);
+  /* tmp2[i] < 8 * 7 * 2^64 = 7 * 2^67 */
+  longfelem_diff(tmp, tmp2);
+  /* tmp[i] < 2^67 + 2^70 + 2^40 < 2^71 */
+  felem_reduce_zero105(y_out, tmp);
+  /* y_out[i] < 2^106 */
+}
+
+/* point_double_small is the same as point_double, except that it operates on
+ * smallfelems. */
+static void point_double_small(smallfelem x_out, smallfelem y_out,
+                               smallfelem z_out, const smallfelem x_in,
+                               const smallfelem y_in, const smallfelem z_in) {
+  felem felem_x_out, felem_y_out, felem_z_out;
+  felem felem_x_in, felem_y_in, felem_z_in;
+
+  smallfelem_expand(felem_x_in, x_in);
+  smallfelem_expand(felem_y_in, y_in);
+  smallfelem_expand(felem_z_in, z_in);
+  point_double(felem_x_out, felem_y_out, felem_z_out, felem_x_in, felem_y_in,
+               felem_z_in);
+  felem_shrink(x_out, felem_x_out);
+  felem_shrink(y_out, felem_y_out);
+  felem_shrink(z_out, felem_z_out);
+}
+
+/* copy_conditional copies in to out iff mask is all ones. */
+static void copy_conditional(felem out, const felem in, limb mask) {
+  unsigned i;
+  for (i = 0; i < NLIMBS; ++i) {
+    const limb tmp = mask & (in[i] ^ out[i]);
+    out[i] ^= tmp;
+  }
+}
+
+/* copy_small_conditional copies in to out iff mask is all ones. */
+static void copy_small_conditional(felem out, const smallfelem in, limb mask) {
+  unsigned i;
+  const u64 mask64 = mask;
+  for (i = 0; i < NLIMBS; ++i) {
+    out[i] = ((limb)(in[i] & mask64)) | (out[i] & ~mask);
+  }
+}
+
+/* point_add calcuates (x1, y1, z1) + (x2, y2, z2)
+ *
+ * The method is taken from:
+ *   http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl,
+ * adapted for mixed addition (z2 = 1, or z2 = 0 for the point at infinity).
+ *
+ * This function includes a branch for checking whether the two input points
+ * are equal, (while not equal to the point at infinity). This case never
+ * happens during single point multiplication, so there is no timing leak for
+ * ECDH or ECDSA signing. */
+static void point_add(felem x3, felem y3, felem z3, const felem x1,
+                      const felem y1, const felem z1, const int mixed,
+                      const smallfelem x2, const smallfelem y2,
+                      const smallfelem z2) {
+  felem ftmp, ftmp2, ftmp3, ftmp4, ftmp5, ftmp6, x_out, y_out, z_out;
+  longfelem tmp, tmp2;
+  smallfelem small1, small2, small3, small4, small5;
+  limb x_equal, y_equal, z1_is_zero, z2_is_zero;
+
+  felem_shrink(small3, z1);
+
+  z1_is_zero = smallfelem_is_zero(small3);
+  z2_is_zero = smallfelem_is_zero(z2);
+
+  /* ftmp = z1z1 = z1**2 */
+  smallfelem_square(tmp, small3);
+  felem_reduce(ftmp, tmp);
+  /* ftmp[i] < 2^101 */
+  felem_shrink(small1, ftmp);
+
+  if (!mixed) {
+    /* ftmp2 = z2z2 = z2**2 */
+    smallfelem_square(tmp, z2);
+    felem_reduce(ftmp2, tmp);
+    /* ftmp2[i] < 2^101 */
+    felem_shrink(small2, ftmp2);
+
+    felem_shrink(small5, x1);
+
+    /* u1 = ftmp3 = x1*z2z2 */
+    smallfelem_mul(tmp, small5, small2);
+    felem_reduce(ftmp3, tmp);
+    /* ftmp3[i] < 2^101 */
+
+    /* ftmp5 = z1 + z2 */
+    felem_assign(ftmp5, z1);
+    felem_small_sum(ftmp5, z2);
+    /* ftmp5[i] < 2^107 */
+
+    /* ftmp5 = (z1 + z2)**2 - (z1z1 + z2z2) = 2z1z2 */
+    felem_square(tmp, ftmp5);
+    felem_reduce(ftmp5, tmp);
+    /* ftmp2 = z2z2 + z1z1 */
+    felem_sum(ftmp2, ftmp);
+    /* ftmp2[i] < 2^101 + 2^101 = 2^102 */
+    felem_diff(ftmp5, ftmp2);
+    /* ftmp5[i] < 2^105 + 2^101 < 2^106 */
+
+    /* ftmp2 = z2 * z2z2 */
+    smallfelem_mul(tmp, small2, z2);
+    felem_reduce(ftmp2, tmp);
+
+    /* s1 = ftmp2 = y1 * z2**3 */
+    felem_mul(tmp, y1, ftmp2);
+    felem_reduce(ftmp6, tmp);
+    /* ftmp6[i] < 2^101 */
+  } else {
+    /* We'll assume z2 = 1 (special case z2 = 0 is handled later). */
+
+    /* u1 = ftmp3 = x1*z2z2 */
+    felem_assign(ftmp3, x1);
+    /* ftmp3[i] < 2^106 */
+
+    /* ftmp5 = 2z1z2 */
+    felem_assign(ftmp5, z1);
+    felem_scalar(ftmp5, 2);
+    /* ftmp5[i] < 2*2^106 = 2^107 */
+
+    /* s1 = ftmp2 = y1 * z2**3 */
+    felem_assign(ftmp6, y1);
+    /* ftmp6[i] < 2^106 */
+  }
+
+  /* u2 = x2*z1z1 */
+  smallfelem_mul(tmp, x2, small1);
+  felem_reduce(ftmp4, tmp);
+
+  /* h = ftmp4 = u2 - u1 */
+  felem_diff_zero107(ftmp4, ftmp3);
+  /* ftmp4[i] < 2^107 + 2^101 < 2^108 */
+  felem_shrink(small4, ftmp4);
+
+  x_equal = smallfelem_is_zero(small4);
+
+  /* z_out = ftmp5 * h */
+  felem_small_mul(tmp, small4, ftmp5);
+  felem_reduce(z_out, tmp);
+  /* z_out[i] < 2^101 */
+
+  /* ftmp = z1 * z1z1 */
+  smallfelem_mul(tmp, small1, small3);
+  felem_reduce(ftmp, tmp);
+
+  /* s2 = tmp = y2 * z1**3 */
+  felem_small_mul(tmp, y2, ftmp);
+  felem_reduce(ftmp5, tmp);
+
+  /* r = ftmp5 = (s2 - s1)*2 */
+  felem_diff_zero107(ftmp5, ftmp6);
+  /* ftmp5[i] < 2^107 + 2^107 = 2^108 */
+  felem_scalar(ftmp5, 2);
+  /* ftmp5[i] < 2^109 */
+  felem_shrink(small1, ftmp5);
+  y_equal = smallfelem_is_zero(small1);
+
+  if (x_equal && y_equal && !z1_is_zero && !z2_is_zero) {
+    point_double(x3, y3, z3, x1, y1, z1);
+    return;
+  }
+
+  /* I = ftmp = (2h)**2 */
+  felem_assign(ftmp, ftmp4);
+  felem_scalar(ftmp, 2);
+  /* ftmp[i] < 2*2^108 = 2^109 */
+  felem_square(tmp, ftmp);
+  felem_reduce(ftmp, tmp);
+
+  /* J = ftmp2 = h * I */
+  felem_mul(tmp, ftmp4, ftmp);
+  felem_reduce(ftmp2, tmp);
+
+  /* V = ftmp4 = U1 * I */
+  felem_mul(tmp, ftmp3, ftmp);
+  felem_reduce(ftmp4, tmp);
+
+  /* x_out = r**2 - J - 2V */
+  smallfelem_square(tmp, small1);
+  felem_reduce(x_out, tmp);
+  felem_assign(ftmp3, ftmp4);
+  felem_scalar(ftmp4, 2);
+  felem_sum(ftmp4, ftmp2);
+  /* ftmp4[i] < 2*2^101 + 2^101 < 2^103 */
+  felem_diff(x_out, ftmp4);
+  /* x_out[i] < 2^105 + 2^101 */
+
+  /* y_out = r(V-x_out) - 2 * s1 * J */
+  felem_diff_zero107(ftmp3, x_out);
+  /* ftmp3[i] < 2^107 + 2^101 < 2^108 */
+  felem_small_mul(tmp, small1, ftmp3);
+  felem_mul(tmp2, ftmp6, ftmp2);
+  longfelem_scalar(tmp2, 2);
+  /* tmp2[i] < 2*2^67 = 2^68 */
+  longfelem_diff(tmp, tmp2);
+  /* tmp[i] < 2^67 + 2^70 + 2^40 < 2^71 */
+  felem_reduce_zero105(y_out, tmp);
+  /* y_out[i] < 2^106 */
+
+  copy_small_conditional(x_out, x2, z1_is_zero);
+  copy_conditional(x_out, x1, z2_is_zero);
+  copy_small_conditional(y_out, y2, z1_is_zero);
+  copy_conditional(y_out, y1, z2_is_zero);
+  copy_small_conditional(z_out, z2, z1_is_zero);
+  copy_conditional(z_out, z1, z2_is_zero);
+  felem_assign(x3, x_out);
+  felem_assign(y3, y_out);
+  felem_assign(z3, z_out);
+}
+
+/* point_add_small is the same as point_add, except that it operates on
+ * smallfelems. */
+static void point_add_small(smallfelem x3, smallfelem y3, smallfelem z3,
+                            smallfelem x1, smallfelem y1, smallfelem z1,
+                            smallfelem x2, smallfelem y2, smallfelem z2) {
+  felem felem_x3, felem_y3, felem_z3;
+  felem felem_x1, felem_y1, felem_z1;
+  smallfelem_expand(felem_x1, x1);
+  smallfelem_expand(felem_y1, y1);
+  smallfelem_expand(felem_z1, z1);
+  point_add(felem_x3, felem_y3, felem_z3, felem_x1, felem_y1, felem_z1, 0, x2,
+            y2, z2);
+  felem_shrink(x3, felem_x3);
+  felem_shrink(y3, felem_y3);
+  felem_shrink(z3, felem_z3);
+}
+
+/* Base point pre computation
+ * --------------------------
+ *
+ * Two different sorts of precomputed tables are used in the following code.
+ * Each contain various points on the curve, where each point is three field
+ * elements (x, y, z).
+ *
+ * For the base point table, z is usually 1 (0 for the point at infinity).
+ * This table has 2 * 16 elements, starting with the following:
+ * index | bits    | point
+ * ------+---------+------------------------------
+ *     0 | 0 0 0 0 | 0G
+ *     1 | 0 0 0 1 | 1G
+ *     2 | 0 0 1 0 | 2^64G
+ *     3 | 0 0 1 1 | (2^64 + 1)G
+ *     4 | 0 1 0 0 | 2^128G
+ *     5 | 0 1 0 1 | (2^128 + 1)G
+ *     6 | 0 1 1 0 | (2^128 + 2^64)G
+ *     7 | 0 1 1 1 | (2^128 + 2^64 + 1)G
+ *     8 | 1 0 0 0 | 2^192G
+ *     9 | 1 0 0 1 | (2^192 + 1)G
+ *    10 | 1 0 1 0 | (2^192 + 2^64)G
+ *    11 | 1 0 1 1 | (2^192 + 2^64 + 1)G
+ *    12 | 1 1 0 0 | (2^192 + 2^128)G
+ *    13 | 1 1 0 1 | (2^192 + 2^128 + 1)G
+ *    14 | 1 1 1 0 | (2^192 + 2^128 + 2^64)G
+ *    15 | 1 1 1 1 | (2^192 + 2^128 + 2^64 + 1)G
+ * followed by a copy of this with each element multiplied by 2^32.
+ *
+ * The reason for this is so that we can clock bits into four different
+ * locations when doing simple scalar multiplies against the base point,
+ * and then another four locations using the second 16 elements.
+ *
+ * Tables for other points have table[i] = iG for i in 0 .. 16. */
+
+/* gmul is the table of precomputed base points */
+static const smallfelem gmul[2][16][3] = {
+    {{{0, 0, 0, 0}, {0, 0, 0, 0}, {0, 0, 0, 0}},
+     {{0xf4a13945d898c296, 0x77037d812deb33a0, 0xf8bce6e563a440f2,
+       0x6b17d1f2e12c4247},
+      {0xcbb6406837bf51f5, 0x2bce33576b315ece, 0x8ee7eb4a7c0f9e16,
+       0x4fe342e2fe1a7f9b},
+      {1, 0, 0, 0}},
+     {{0x90e75cb48e14db63, 0x29493baaad651f7e, 0x8492592e326e25de,
+       0x0fa822bc2811aaa5},
+      {0xe41124545f462ee7, 0x34b1a65050fe82f5, 0x6f4ad4bcb3df188b,
+       0xbff44ae8f5dba80d},
+      {1, 0, 0, 0}},
+     {{0x93391ce2097992af, 0xe96c98fd0d35f1fa, 0xb257c0de95e02789,
+       0x300a4bbc89d6726f},
+      {0xaa54a291c08127a0, 0x5bb1eeada9d806a5, 0x7f1ddb25ff1e3c6f,
+       0x72aac7e0d09b4644},
+      {1, 0, 0, 0}},
+     {{0x57c84fc9d789bd85, 0xfc35ff7dc297eac3, 0xfb982fd588c6766e,
+       0x447d739beedb5e67},
+      {0x0c7e33c972e25b32, 0x3d349b95a7fae500, 0xe12e9d953a4aaff7,
+       0x2d4825ab834131ee},
+      {1, 0, 0, 0}},
+     {{0x13949c932a1d367f, 0xef7fbd2b1a0a11b7, 0xddc6068bb91dfc60,
+       0xef9519328a9c72ff},
+      {0x196035a77376d8a8, 0x23183b0895ca1740, 0xc1ee9807022c219c,
+       0x611e9fc37dbb2c9b},
+      {1, 0, 0, 0}},
+     {{0xcae2b1920b57f4bc, 0x2936df5ec6c9bc36, 0x7dea6482e11238bf,
+       0x550663797b51f5d8},
+      {0x44ffe216348a964c, 0x9fb3d576dbdefbe1, 0x0afa40018d9d50e5,
+       0x157164848aecb851},
+      {1, 0, 0, 0}},
+     {{0xe48ecafffc5cde01, 0x7ccd84e70d715f26, 0xa2e8f483f43e4391,
+       0xeb5d7745b21141ea},
+      {0xcac917e2731a3479, 0x85f22cfe2844b645, 0x0990e6a158006cee,
+       0xeafd72ebdbecc17b},
+      {1, 0, 0, 0}},
+     {{0x6cf20ffb313728be, 0x96439591a3c6b94a, 0x2736ff8344315fc5,
+       0xa6d39677a7849276},
+      {0xf2bab833c357f5f4, 0x824a920c2284059b, 0x66b8babd2d27ecdf,
+       0x674f84749b0b8816},
+      {1, 0, 0, 0}},
+     {{0x2df48c04677c8a3e, 0x74e02f080203a56b, 0x31855f7db8c7fedb,
+       0x4e769e7672c9ddad},
+      {0xa4c36165b824bbb0, 0xfb9ae16f3b9122a5, 0x1ec0057206947281,
+       0x42b99082de830663},
+      {1, 0, 0, 0}},
+     {{0x6ef95150dda868b9, 0xd1f89e799c0ce131, 0x7fdc1ca008a1c478,
+       0x78878ef61c6ce04d},
+      {0x9c62b9121fe0d976, 0x6ace570ebde08d4f, 0xde53142c12309def,
+       0xb6cb3f5d7b72c321},
+      {1, 0, 0, 0}},
+     {{0x7f991ed2c31a3573, 0x5b82dd5bd54fb496, 0x595c5220812ffcae,
+       0x0c88bc4d716b1287},
+      {0x3a57bf635f48aca8, 0x7c8181f4df2564f3, 0x18d1b5b39c04e6aa,
+       0xdd5ddea3f3901dc6},
+      {1, 0, 0, 0}},
+     {{0xe96a79fb3e72ad0c, 0x43a0a28c42ba792f, 0xefe0a423083e49f3,
+       0x68f344af6b317466},
+      {0xcdfe17db3fb24d4a, 0x668bfc2271f5c626, 0x604ed93c24d67ff3,
+       0x31b9c405f8540a20},
+      {1, 0, 0, 0}},
+     {{0xd36b4789a2582e7f, 0x0d1a10144ec39c28, 0x663c62c3edbad7a0,
+       0x4052bf4b6f461db9},
+      {0x235a27c3188d25eb, 0xe724f33999bfcc5b, 0x862be6bd71d70cc8,
+       0xfecf4d5190b0fc61},
+      {1, 0, 0, 0}},
+     {{0x74346c10a1d4cfac, 0xafdf5cc08526a7a4, 0x123202a8f62bff7a,
+       0x1eddbae2c802e41a},
+      {0x8fa0af2dd603f844, 0x36e06b7e4c701917, 0x0c45f45273db33a0,
+       0x43104d86560ebcfc},
+      {1, 0, 0, 0}},
+     {{0x9615b5110d1d78e5, 0x66b0de3225c4744b, 0x0a4a46fb6aaf363a,
+       0xb48e26b484f7a21c},
+      {0x06ebb0f621a01b2d, 0xc004e4048b7b0f98, 0x64131bcdfed6f668,
+       0xfac015404d4d3dab},
+      {1, 0, 0, 0}}},
+    {{{0, 0, 0, 0}, {0, 0, 0, 0}, {0, 0, 0, 0}},
+     {{0x3a5a9e22185a5943, 0x1ab919365c65dfb6, 0x21656b32262c71da,
+       0x7fe36b40af22af89},
+      {0xd50d152c699ca101, 0x74b3d5867b8af212, 0x9f09f40407dca6f1,
+       0xe697d45825b63624},
+      {1, 0, 0, 0}},
+     {{0xa84aa9397512218e, 0xe9a521b074ca0141, 0x57880b3a18a2e902,
+       0x4a5b506612a677a6},
+      {0x0beada7a4c4f3840, 0x626db15419e26d9d, 0xc42604fbe1627d40,
+       0xeb13461ceac089f1},
+      {1, 0, 0, 0}},
+     {{0xf9faed0927a43281, 0x5e52c4144103ecbc, 0xc342967aa815c857,
+       0x0781b8291c6a220a},
+      {0x5a8343ceeac55f80, 0x88f80eeee54a05e3, 0x97b2a14f12916434,
+       0x690cde8df0151593},
+      {1, 0, 0, 0}},
+     {{0xaee9c75df7f82f2a, 0x9e4c35874afdf43a, 0xf5622df437371326,
+       0x8a535f566ec73617},
+      {0xc5f9a0ac223094b7, 0xcde533864c8c7669, 0x37e02819085a92bf,
+       0x0455c08468b08bd7},
+      {1, 0, 0, 0}},
+     {{0x0c0a6e2c9477b5d9, 0xf9a4bf62876dc444, 0x5050a949b6cdc279,
+       0x06bada7ab77f8276},
+      {0xc8b4aed1ea48dac9, 0xdebd8a4b7ea1070f, 0x427d49101366eb70,
+       0x5b476dfd0e6cb18a},
+      {1, 0, 0, 0}},
+     {{0x7c5c3e44278c340a, 0x4d54606812d66f3b, 0x29a751b1ae23c5d8,
+       0x3e29864e8a2ec908},
+      {0x142d2a6626dbb850, 0xad1744c4765bd780, 0x1f150e68e322d1ed,
+       0x239b90ea3dc31e7e},
+      {1, 0, 0, 0}},
+     {{0x78c416527a53322a, 0x305dde6709776f8e, 0xdbcab759f8862ed4,
+       0x820f4dd949f72ff7},
+      {0x6cc544a62b5debd4, 0x75be5d937b4e8cc4, 0x1b481b1b215c14d3,
+       0x140406ec783a05ec},
+      {1, 0, 0, 0}},
+     {{0x6a703f10e895df07, 0xfd75f3fa01876bd8, 0xeb5b06e70ce08ffe,
+       0x68f6b8542783dfee},
+      {0x90c76f8a78712655, 0xcf5293d2f310bf7f, 0xfbc8044dfda45028,
+       0xcbe1feba92e40ce6},
+      {1, 0, 0, 0}},
+     {{0xe998ceea4396e4c1, 0xfc82ef0b6acea274, 0x230f729f2250e927,
+       0xd0b2f94d2f420109},
+      {0x4305adddb38d4966, 0x10b838f8624c3b45, 0x7db2636658954e7a,
+       0x971459828b0719e5},
+      {1, 0, 0, 0}},
+     {{0x4bd6b72623369fc9, 0x57f2929e53d0b876, 0xc2d5cba4f2340687,
+       0x961610004a866aba},
+      {0x49997bcd2e407a5e, 0x69ab197d92ddcb24, 0x2cf1f2438fe5131c,
+       0x7acb9fadcee75e44},
+      {1, 0, 0, 0}},
+     {{0x254e839423d2d4c0, 0xf57f0c917aea685b, 0xa60d880f6f75aaea,
+       0x24eb9acca333bf5b},
+      {0xe3de4ccb1cda5dea, 0xfeef9341c51a6b4f, 0x743125f88bac4c4d,
+       0x69f891c5acd079cc},
+      {1, 0, 0, 0}},
+     {{0xeee44b35702476b5, 0x7ed031a0e45c2258, 0xb422d1e7bd6f8514,
+       0xe51f547c5972a107},
+      {0xa25bcd6fc9cf343d, 0x8ca922ee097c184e, 0xa62f98b3a9fe9a06,
+       0x1c309a2b25bb1387},
+      {1, 0, 0, 0}},
+     {{0x9295dbeb1967c459, 0xb00148833472c98e, 0xc504977708011828,
+       0x20b87b8aa2c4e503},
+      {0x3063175de057c277, 0x1bd539338fe582dd, 0x0d11adef5f69a044,
+       0xf5c6fa49919776be},
+      {1, 0, 0, 0}},
+     {{0x8c944e760fd59e11, 0x3876cba1102fad5f, 0xa454c3fad83faa56,
+       0x1ed7d1b9332010b9},
+      {0xa1011a270024b889, 0x05e4d0dcac0cd344, 0x52b520f0eb6a2a24,
+       0x3a2b03f03217257a},
+      {1, 0, 0, 0}},
+     {{0xf20fc2afdf1d043d, 0xf330240db58d5a62, 0xfc7d229ca0058c3b,
+       0x15fee545c78dd9f6},
+      {0x501e82885bc98cda, 0x41ef80e5d046ac04, 0x557d9f49461210fb,
+       0x4ab5b6b2b8753f81},
+      {1, 0, 0, 0}}}};
+
+/* select_point selects the |idx|th point from a precomputation table and
+ * copies it to out. */
+static void select_point(const u64 idx, unsigned int size,
+                         const smallfelem pre_comp[16][3], smallfelem out[3]) {
+  unsigned i, j;
+  u64 *outlimbs = &out[0][0];
+  memset(outlimbs, 0, 3 * sizeof(smallfelem));
+
+  for (i = 0; i < size; i++) {
+    const u64 *inlimbs = (u64 *)&pre_comp[i][0][0];
+    u64 mask = i ^ idx;
+    mask |= mask >> 4;
+    mask |= mask >> 2;
+    mask |= mask >> 1;
+    mask &= 1;
+    mask--;
+    for (j = 0; j < NLIMBS * 3; j++) {
+      outlimbs[j] |= inlimbs[j] & mask;
+    }
+  }
+}
+
+/* get_bit returns the |i|th bit in |in| */
+static char get_bit(const felem_bytearray in, int i) {
+  if (i < 0 || i >= 256) {
+    return 0;
+  }
+  return (in[i >> 3] >> (i & 7)) & 1;
+}
+
+/* Interleaved point multiplication using precomputed point multiples: The
+ * small point multiples 0*P, 1*P, ..., 17*P are in pre_comp[], the scalars
+ * in scalars[]. If g_scalar is non-NULL, we also add this multiple of the
+ * generator, using certain (large) precomputed multiples in g_pre_comp.
+ * Output point (X, Y, Z) is stored in x_out, y_out, z_out. */
+static void batch_mul(felem x_out, felem y_out, felem z_out,
+                      const felem_bytearray scalars[],
+                      const unsigned num_points, const u8 *g_scalar,
+                      const int mixed, const smallfelem pre_comp[][17][3],
+                      const smallfelem g_pre_comp[2][16][3]) {
+  int i, skip;
+  unsigned num, gen_mul = (g_scalar != NULL);
+  felem nq[3], ftmp;
+  smallfelem tmp[3];
+  u64 bits;
+  u8 sign, digit;
+
+  /* set nq to the point at infinity */
+  memset(nq, 0, 3 * sizeof(felem));
+
+  /* Loop over all scalars msb-to-lsb, interleaving additions of multiples
+   * of the generator (two in each of the last 32 rounds) and additions of
+   * other points multiples (every 5th round). */
+
+  skip = 1; /* save two point operations in the first
+             * round */
+  for (i = (num_points ? 255 : 31); i >= 0; --i) {
+    /* double */
+    if (!skip) {
+      point_double(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2]);
+    }
+
+    /* add multiples of the generator */
+    if (gen_mul && i <= 31) {
+      /* first, look 32 bits upwards */
+      bits = get_bit(g_scalar, i + 224) << 3;
+      bits |= get_bit(g_scalar, i + 160) << 2;
+      bits |= get_bit(g_scalar, i + 96) << 1;
+      bits |= get_bit(g_scalar, i + 32);
+      /* select the point to add, in constant time */
+      select_point(bits, 16, g_pre_comp[1], tmp);
+
+      if (!skip) {
+        /* Arg 1 below is for "mixed" */
+        point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], 1, tmp[0], tmp[1],
+                  tmp[2]);
+      } else {
+        smallfelem_expand(nq[0], tmp[0]);
+        smallfelem_expand(nq[1], tmp[1]);
+        smallfelem_expand(nq[2], tmp[2]);
+        skip = 0;
+      }
+
+      /* second, look at the current position */
+      bits = get_bit(g_scalar, i + 192) << 3;
+      bits |= get_bit(g_scalar, i + 128) << 2;
+      bits |= get_bit(g_scalar, i + 64) << 1;
+      bits |= get_bit(g_scalar, i);
+      /* select the point to add, in constant time */
+      select_point(bits, 16, g_pre_comp[0], tmp);
+      /* Arg 1 below is for "mixed" */
+      point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], 1, tmp[0], tmp[1],
+                tmp[2]);
+    }
+
+    /* do other additions every 5 doublings */
+    if (num_points && (i % 5 == 0)) {
+      /* loop over all scalars */
+      for (num = 0; num < num_points; ++num) {
+        bits = get_bit(scalars[num], i + 4) << 5;
+        bits |= get_bit(scalars[num], i + 3) << 4;
+        bits |= get_bit(scalars[num], i + 2) << 3;
+        bits |= get_bit(scalars[num], i + 1) << 2;
+        bits |= get_bit(scalars[num], i) << 1;
+        bits |= get_bit(scalars[num], i - 1);
+        ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits);
+
+        /* select the point to add or subtract, in constant time. */
+        select_point(digit, 17, pre_comp[num], tmp);
+        smallfelem_neg(ftmp, tmp[1]); /* (X, -Y, Z) is the negative
+                                       * point */
+        copy_small_conditional(ftmp, tmp[1], (((limb)sign) - 1));
+        felem_contract(tmp[1], ftmp);
+
+        if (!skip) {
+          point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], mixed, tmp[0],
+                    tmp[1], tmp[2]);
+        } else {
+          smallfelem_expand(nq[0], tmp[0]);
+          smallfelem_expand(nq[1], tmp[1]);
+          smallfelem_expand(nq[2], tmp[2]);
+          skip = 0;
+        }
+      }
+    }
+  }
+  felem_assign(x_out, nq[0]);
+  felem_assign(y_out, nq[1]);
+  felem_assign(z_out, nq[2]);
+}
+
+/* Precomputation for the group generator. */
+typedef struct {
+  smallfelem g_pre_comp[2][16][3];
+  int references;
+} NISTP256_PRE_COMP;
+
+/******************************************************************************/
+/*
+ * OPENSSL EC_METHOD FUNCTIONS
+ */
+
+int ec_GFp_nistp256_group_init(EC_GROUP *group) {
+  int ret = ec_GFp_simple_group_init(group);
+  group->a_is_minus3 = 1;
+  return ret;
+}
+
+int ec_GFp_nistp256_group_set_curve(EC_GROUP *group, const BIGNUM *p,
+                                    const BIGNUM *a, const BIGNUM *b,
+                                    BN_CTX *ctx) {
+  int ret = 0;
+  BN_CTX *new_ctx = NULL;
+  BIGNUM *curve_p, *curve_a, *curve_b;
+
+  if (ctx == NULL) {
+    if ((ctx = new_ctx = BN_CTX_new()) == NULL) {
+      return 0;
+    }
+  }
+  BN_CTX_start(ctx);
+  if (((curve_p = BN_CTX_get(ctx)) == NULL) ||
+      ((curve_a = BN_CTX_get(ctx)) == NULL) ||
+      ((curve_b = BN_CTX_get(ctx)) == NULL)) {
+    goto err;
+  }
+  BN_bin2bn(nistp256_curve_params[0], sizeof(felem_bytearray), curve_p);
+  BN_bin2bn(nistp256_curve_params[1], sizeof(felem_bytearray), curve_a);
+  BN_bin2bn(nistp256_curve_params[2], sizeof(felem_bytearray), curve_b);
+  if (BN_cmp(curve_p, p) ||
+      BN_cmp(curve_a, a) ||
+      BN_cmp(curve_b, b)) {
+    OPENSSL_PUT_ERROR(EC, ec_GFp_nistp256_group_set_curve,
+                      EC_R_WRONG_CURVE_PARAMETERS);
+    goto err;
+  }
+  ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx);
+
+err:
+  BN_CTX_end(ctx);
+  BN_CTX_free(new_ctx);
+  return ret;
+}
+
+/* Takes the Jacobian coordinates (X, Y, Z) of a point and returns (X', Y') =
+ * (X/Z^2, Y/Z^3). */
+int ec_GFp_nistp256_point_get_affine_coordinates(const EC_GROUP *group,
+                                                 const EC_POINT *point,
+                                                 BIGNUM *x, BIGNUM *y,
+                                                 BN_CTX *ctx) {
+  felem z1, z2, x_in, y_in;
+  smallfelem x_out, y_out;
+  longfelem tmp;
+
+  if (EC_POINT_is_at_infinity(group, point)) {
+    OPENSSL_PUT_ERROR(EC, ec_GFp_nistp256_point_get_affine_coordinates,
+                      EC_R_POINT_AT_INFINITY);
+    return 0;
+  }
+  if (!BN_to_felem(x_in, &point->X) ||
+      !BN_to_felem(y_in, &point->Y) ||
+      !BN_to_felem(z1, &point->Z)) {
+    return 0;
+  }
+  felem_inv(z2, z1);
+  felem_square(tmp, z2);
+  felem_reduce(z1, tmp);
+  felem_mul(tmp, x_in, z1);
+  felem_reduce(x_in, tmp);
+  felem_contract(x_out, x_in);
+  if (x != NULL && !smallfelem_to_BN(x, x_out)) {
+    OPENSSL_PUT_ERROR(EC, ec_GFp_nistp256_point_get_affine_coordinates,
+                      ERR_R_BN_LIB);
+    return 0;
+  }
+  felem_mul(tmp, z1, z2);
+  felem_reduce(z1, tmp);
+  felem_mul(tmp, y_in, z1);
+  felem_reduce(y_in, tmp);
+  felem_contract(y_out, y_in);
+  if (y != NULL && !smallfelem_to_BN(y, y_out)) {
+    OPENSSL_PUT_ERROR(EC, ec_GFp_nistp256_point_get_affine_coordinates,
+                      ERR_R_BN_LIB);
+    return 0;
+  }
+  return 1;
+}
+
+/* points below is of size |num|, and tmp_smallfelems is of size |num+1| */
+static void make_points_affine(size_t num, smallfelem points[][3],
+                               smallfelem tmp_smallfelems[]) {
+  /* Runs in constant time, unless an input is the point at infinity (which
+   * normally shouldn't happen). */
+  ec_GFp_nistp_points_make_affine_internal(
+      num, points, sizeof(smallfelem), tmp_smallfelems,
+      (void (*)(void *))smallfelem_one,
+      (int (*)(const void *))smallfelem_is_zero_int,
+      (void (*)(void *, const void *))smallfelem_assign,
+      (void (*)(void *, const void *))smallfelem_square_contract,
+      (void (*)(void *, const void *, const void *))smallfelem_mul_contract,
+      (void (*)(void *, const void *))smallfelem_inv_contract,
+      /* nothing to contract */
+      (void (*)(void *, const void *))smallfelem_assign);
+}
+
+/* Computes scalar*generator + \sum scalars[i]*points[i], ignoring NULL
+ * values Result is stored in r (r can equal one of the inputs). */
+int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r,
+                               const BIGNUM *scalar, size_t num,
+                               const EC_POINT *points[],
+                               const BIGNUM *scalars[], BN_CTX *ctx) {
+  int ret = 0;
+  int j;
+  int mixed = 0;
+  BN_CTX *new_ctx = NULL;
+  BIGNUM *x, *y, *z, *tmp_scalar;
+  felem_bytearray g_secret;
+  felem_bytearray *secrets = NULL;
+  smallfelem(*pre_comp)[17][3] = NULL;
+  smallfelem *tmp_smallfelems = NULL;
+  felem_bytearray tmp;
+  unsigned i, num_bytes;
+  int have_pre_comp = 0;
+  size_t num_points = num;
+  smallfelem x_in, y_in, z_in;
+  felem x_out, y_out, z_out;
+  const smallfelem(*g_pre_comp)[16][3] = NULL;
+  EC_POINT *generator = NULL;
+  const EC_POINT *p = NULL;
+  const BIGNUM *p_scalar = NULL;
+
+  if (ctx == NULL) {
+    ctx = new_ctx = BN_CTX_new();
+    if (ctx == NULL) {
+      return 0;
+    }
+  }
+
+  BN_CTX_start(ctx);
+  if ((x = BN_CTX_get(ctx)) == NULL ||
+      (y = BN_CTX_get(ctx)) == NULL ||
+      (z = BN_CTX_get(ctx)) == NULL ||
+      (tmp_scalar = BN_CTX_get(ctx)) == NULL) {
+    goto err;
+  }
+
+  if (scalar != NULL) {
+    /* try to use the standard precomputation */
+    g_pre_comp = &gmul[0];
+    generator = EC_POINT_new(group);
+    if (generator == NULL) {
+      goto err;
+    }
+    /* get the generator from precomputation */
+    if (!smallfelem_to_BN(x, g_pre_comp[0][1][0]) ||
+        !smallfelem_to_BN(y, g_pre_comp[0][1][1]) ||
+        !smallfelem_to_BN(z, g_pre_comp[0][1][2])) {
+      OPENSSL_PUT_ERROR(EC, ec_GFp_nistp256_points_mul, ERR_R_BN_LIB);
+      goto err;
+    }
+    if (!ec_point_set_Jprojective_coordinates_GFp(group, generator, x, y, z,
+                                                  ctx)) {
+      goto err;
+    }
+    if (0 == EC_POINT_cmp(group, generator, group->generator, ctx)) {
+      /* precomputation matches generator */
+      have_pre_comp = 1;
+    } else {
+      /* we don't have valid precomputation: treat the generator as a
+       * random point. */
+      num_points++;
+    }
+  }
+
+  if (num_points > 0) {
+    if (num_points >= 3) {
+      /* unless we precompute multiples for just one or two points,
+       * converting those into affine form is time well spent */
+      mixed = 1;
+    }
+    secrets = OPENSSL_malloc(num_points * sizeof(felem_bytearray));
+    pre_comp = OPENSSL_malloc(num_points * 17 * 3 * sizeof(smallfelem));
+    if (mixed) {
+      tmp_smallfelems =
+          OPENSSL_malloc((num_points * 17 + 1) * sizeof(smallfelem));
+    }
+    if (secrets == NULL || pre_comp == NULL ||
+        (mixed && tmp_smallfelems == NULL)) {
+      OPENSSL_PUT_ERROR(EC, ec_GFp_nistp256_points_mul, ERR_R_MALLOC_FAILURE);
+      goto err;
+    }
+
+    /* we treat NULL scalars as 0, and NULL points as points at infinity,
+     * i.e., they contribute nothing to the linear combination. */
+    memset(secrets, 0, num_points * sizeof(felem_bytearray));
+    memset(pre_comp, 0, num_points * 17 * 3 * sizeof(smallfelem));
+    for (i = 0; i < num_points; ++i) {
+      if (i == num) {
+        /* we didn't have a valid precomputation, so we pick the generator. */
+        p = EC_GROUP_get0_generator(group);
+        p_scalar = scalar;
+      } else {
+        /* the i^th point */
+        p = points[i];
+        p_scalar = scalars[i];
+      }
+      if (p_scalar != NULL && p != NULL) {
+        /* reduce scalar to 0 <= scalar < 2^256 */
+        if (BN_num_bits(p_scalar) > 256 || BN_is_negative(p_scalar)) {
+          /* this is an unusual input, and we don't guarantee
+           * constant-timeness. */
+          if (!BN_nnmod(tmp_scalar, p_scalar, &group->order, ctx)) {
+            OPENSSL_PUT_ERROR(EC, ec_GFp_nistp256_points_mul, ERR_R_BN_LIB);
+            goto err;
+          }
+          num_bytes = BN_bn2bin(tmp_scalar, tmp);
+        } else {
+          num_bytes = BN_bn2bin(p_scalar, tmp);
+        }
+        flip_endian(secrets[i], tmp, num_bytes);
+        /* precompute multiples */
+        if (!BN_to_felem(x_out, &p->X) ||
+            !BN_to_felem(y_out, &p->Y) ||
+            !BN_to_felem(z_out, &p->Z)) {
+          goto err;
+        }
+        felem_shrink(pre_comp[i][1][0], x_out);
+        felem_shrink(pre_comp[i][1][1], y_out);
+        felem_shrink(pre_comp[i][1][2], z_out);
+        for (j = 2; j <= 16; ++j) {
+          if (j & 1) {
+            point_add_small(pre_comp[i][j][0], pre_comp[i][j][1],
+                            pre_comp[i][j][2], pre_comp[i][1][0],
+                            pre_comp[i][1][1], pre_comp[i][1][2],
+                            pre_comp[i][j - 1][0], pre_comp[i][j - 1][1],
+                            pre_comp[i][j - 1][2]);
+          } else {
+            point_double_small(pre_comp[i][j][0], pre_comp[i][j][1],
+                               pre_comp[i][j][2], pre_comp[i][j / 2][0],
+                               pre_comp[i][j / 2][1], pre_comp[i][j / 2][2]);
+          }
+        }
+      }
+    }
+    if (mixed) {
+      make_points_affine(num_points * 17, pre_comp[0], tmp_smallfelems);
+    }
+  }
+
+  /* the scalar for the generator */
+  if (scalar != NULL && have_pre_comp) {
+    memset(g_secret, 0, sizeof(g_secret));
+    /* reduce scalar to 0 <= scalar < 2^256 */
+    if (BN_num_bits(scalar) > 256 || BN_is_negative(scalar)) {
+      /* this is an unusual input, and we don't guarantee
+       * constant-timeness. */
+      if (!BN_nnmod(tmp_scalar, scalar, &group->order, ctx)) {
+        OPENSSL_PUT_ERROR(EC, ec_GFp_nistp256_points_mul, ERR_R_BN_LIB);
+        goto err;
+      }
+      num_bytes = BN_bn2bin(tmp_scalar, tmp);
+    } else {
+      num_bytes = BN_bn2bin(scalar, tmp);
+    }
+    flip_endian(g_secret, tmp, num_bytes);
+    /* do the multiplication with generator precomputation */
+    batch_mul(x_out, y_out, z_out, (const felem_bytearray(*))secrets,
+              num_points, g_secret, mixed, (const smallfelem(*)[17][3])pre_comp,
+              g_pre_comp);
+  } else {
+    /* do the multiplication without generator precomputation */
+    batch_mul(x_out, y_out, z_out, (const felem_bytearray(*))secrets,
+              num_points, NULL, mixed, (const smallfelem(*)[17][3])pre_comp,
+              NULL);
+  }
+
+  /* reduce the output to its unique minimal representation */
+  felem_contract(x_in, x_out);
+  felem_contract(y_in, y_out);
+  felem_contract(z_in, z_out);
+  if (!smallfelem_to_BN(x, x_in) ||
+      !smallfelem_to_BN(y, y_in) ||
+      !smallfelem_to_BN(z, z_in)) {
+    OPENSSL_PUT_ERROR(EC, ec_GFp_nistp256_points_mul, ERR_R_BN_LIB);
+    goto err;
+  }
+  ret = ec_point_set_Jprojective_coordinates_GFp(group, r, x, y, z, ctx);
+
+err:
+  BN_CTX_end(ctx);
+  EC_POINT_free(generator);
+  BN_CTX_free(new_ctx);
+  OPENSSL_free(secrets);
+  OPENSSL_free(pre_comp);
+  OPENSSL_free(tmp_smallfelems);
+  return ret;
+}
+
+const EC_METHOD *EC_GFp_nistp256_method(void) {
+  static const EC_METHOD ret = {
+      EC_FLAGS_DEFAULT_OCT,
+      ec_GFp_nistp256_group_init,
+      ec_GFp_simple_group_finish,
+      ec_GFp_simple_group_clear_finish,
+      ec_GFp_simple_group_copy, ec_GFp_nistp256_group_set_curve,
+      ec_GFp_simple_group_get_curve, ec_GFp_simple_group_get_degree,
+      ec_GFp_simple_group_check_discriminant, ec_GFp_simple_point_init,
+      ec_GFp_simple_point_finish, ec_GFp_simple_point_clear_finish,
+      ec_GFp_simple_point_copy, ec_GFp_simple_point_set_to_infinity,
+      ec_GFp_simple_set_Jprojective_coordinates_GFp,
+      ec_GFp_simple_get_Jprojective_coordinates_GFp,
+      ec_GFp_simple_point_set_affine_coordinates,
+      ec_GFp_nistp256_point_get_affine_coordinates,
+      0 /* point_set_compressed_coordinates */, 0 /* point2oct */,
+      0 /* oct2point */, ec_GFp_simple_add, ec_GFp_simple_dbl,
+      ec_GFp_simple_invert, ec_GFp_simple_is_at_infinity,
+      ec_GFp_simple_is_on_curve, ec_GFp_simple_cmp, ec_GFp_simple_make_affine,
+      ec_GFp_simple_points_make_affine, ec_GFp_nistp256_points_mul,
+      0 /* precompute_mult */, 0 /* have_precompute_mult */,
+      ec_GFp_simple_field_mul, ec_GFp_simple_field_sqr, 0 /* field_div */,
+      0 /* field_encode */, 0 /* field_decode */, 0 /* field_set_to_one */
+  };
+
+  return &ret;
+}
+
+#endif  /* 64_BIT && !WINDOWS */
diff --git a/src/crypto/ec/simple.c b/src/crypto/ec/simple.c
index b3f96fa..69fd2e4 100644
--- a/src/crypto/ec/simple.c
+++ b/src/crypto/ec/simple.c
@@ -178,47 +178,55 @@ int ec_GFp_simple_group_set_curve(EC_GROUP *group, const BIGNUM *p,
 
   if (ctx == NULL) {
     ctx = new_ctx = BN_CTX_new();
-    if (ctx == NULL)
+    if (ctx == NULL) {
       return 0;
+    }
   }
 
   BN_CTX_start(ctx);
   tmp_a = BN_CTX_get(ctx);
-  if (tmp_a == NULL)
+  if (tmp_a == NULL) {
     goto err;
+  }
 
   /* group->field */
-  if (!BN_copy(&group->field, p))
+  if (!BN_copy(&group->field, p)) {
     goto err;
+  }
   BN_set_negative(&group->field, 0);
 
   /* group->a */
-  if (!BN_nnmod(tmp_a, a, p, ctx))
+  if (!BN_nnmod(tmp_a, a, p, ctx)) {
     goto err;
+  }
   if (group->meth->field_encode) {
-    if (!group->meth->field_encode(group, &group->a, tmp_a, ctx))
+    if (!group->meth->field_encode(group, &group->a, tmp_a, ctx)) {
       goto err;
-  } else if (!BN_copy(&group->a, tmp_a))
+    }
+  } else if (!BN_copy(&group->a, tmp_a)) {
     goto err;
+  }
 
   /* group->b */
-  if (!BN_nnmod(&group->b, b, p, ctx))
+  if (!BN_nnmod(&group->b, b, p, ctx)) {
     goto err;
-  if (group->meth->field_encode)
-    if (!group->meth->field_encode(group, &group->b, &group->b, ctx))
-      goto err;
+  }
+  if (group->meth->field_encode &&
+      !group->meth->field_encode(group, &group->b, &group->b, ctx)) {
+    goto err;
+  }
 
   /* group->a_is_minus3 */
-  if (!BN_add_word(tmp_a, 3))
+  if (!BN_add_word(tmp_a, 3)) {
     goto err;
+  }
   group->a_is_minus3 = (0 == BN_cmp(tmp_a, &group->field));
 
   ret = 1;
 
 err:
   BN_CTX_end(ctx);
-  if (new_ctx != NULL)
-    BN_CTX_free(new_ctx);
+  BN_CTX_free(new_ctx);
   return ret;
 }
 
@@ -227,34 +235,30 @@ int ec_GFp_simple_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a,
   int ret = 0;
   BN_CTX *new_ctx = NULL;
 
-  if (p != NULL) {
-    if (!BN_copy(p, &group->field))
-      return 0;
+  if (p != NULL && !BN_copy(p, &group->field)) {
+    return 0;
   }
 
   if (a != NULL || b != NULL) {
     if (group->meth->field_decode) {
       if (ctx == NULL) {
         ctx = new_ctx = BN_CTX_new();
-        if (ctx == NULL)
+        if (ctx == NULL) {
           return 0;
+        }
       }
-      if (a != NULL) {
-        if (!group->meth->field_decode(group, a, &group->a, ctx))
-          goto err;
+      if (a != NULL && !group->meth->field_decode(group, a, &group->a, ctx)) {
+        goto err;
       }
-      if (b != NULL) {
-        if (!group->meth->field_decode(group, b, &group->b, ctx))
-          goto err;
+      if (b != NULL && !group->meth->field_decode(group, b, &group->b, ctx)) {
+        goto err;
       }
     } else {
-      if (a != NULL) {
-        if (!BN_copy(a, &group->a))
-          goto err;
+      if (a != NULL && !BN_copy(a, &group->a)) {
+        goto err;
       }
-      if (b != NULL) {
-        if (!BN_copy(b, &group->b))
-          goto err;
+      if (b != NULL && !BN_copy(b, &group->b)) {
+        goto err;
       }
     }
   }
@@ -262,8 +266,7 @@ int ec_GFp_simple_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a,
   ret = 1;
 
 err:
-  if (new_ctx)
-    BN_CTX_free(new_ctx);
+  BN_CTX_free(new_ctx);
   return ret;
 }
 
@@ -291,54 +294,54 @@ int ec_GFp_simple_group_check_discriminant(const EC_GROUP *group, BN_CTX *ctx) {
   tmp_1 = BN_CTX_get(ctx);
   tmp_2 = BN_CTX_get(ctx);
   order = BN_CTX_get(ctx);
-  if (order == NULL)
+  if (order == NULL) {
     goto err;
+  }
 
   if (group->meth->field_decode) {
-    if (!group->meth->field_decode(group, a, &group->a, ctx))
-      goto err;
-    if (!group->meth->field_decode(group, b, &group->b, ctx))
+    if (!group->meth->field_decode(group, a, &group->a, ctx) ||
+        !group->meth->field_decode(group, b, &group->b, ctx)) {
       goto err;
+    }
   } else {
-    if (!BN_copy(a, &group->a))
-      goto err;
-    if (!BN_copy(b, &group->b))
+    if (!BN_copy(a, &group->a) || !BN_copy(b, &group->b)) {
       goto err;
+    }
   }
 
   /* check the discriminant:
    * y^2 = x^3 + a*x + b is an elliptic curve <=> 4*a^3 + 27*b^2 != 0 (mod p)
    * 0 =< a, b < p */
   if (BN_is_zero(a)) {
-    if (BN_is_zero(b))
+    if (BN_is_zero(b)) {
       goto err;
+    }
   } else if (!BN_is_zero(b)) {
-    if (!BN_mod_sqr(tmp_1, a, p, ctx))
-      goto err;
-    if (!BN_mod_mul(tmp_2, tmp_1, a, p, ctx))
-      goto err;
-    if (!BN_lshift(tmp_1, tmp_2, 2))
+    if (!BN_mod_sqr(tmp_1, a, p, ctx) ||
+        !BN_mod_mul(tmp_2, tmp_1, a, p, ctx) ||
+        !BN_lshift(tmp_1, tmp_2, 2)) {
       goto err;
+    }
     /* tmp_1 = 4*a^3 */
 
-    if (!BN_mod_sqr(tmp_2, b, p, ctx))
-      goto err;
-    if (!BN_mul_word(tmp_2, 27))
+    if (!BN_mod_sqr(tmp_2, b, p, ctx) ||
+        !BN_mul_word(tmp_2, 27)) {
       goto err;
+    }
     /* tmp_2 = 27*b^2 */
 
-    if (!BN_mod_add(a, tmp_1, tmp_2, p, ctx))
-      goto err;
-    if (BN_is_zero(a))
+    if (!BN_mod_add(a, tmp_1, tmp_2, p, ctx) ||
+        BN_is_zero(a)) {
       goto err;
+    }
   }
   ret = 1;
 
 err:
-  if (ctx != NULL)
+  if (ctx != NULL) {
     BN_CTX_end(ctx);
-  if (new_ctx != NULL)
-    BN_CTX_free(new_ctx);
+  }
+  BN_CTX_free(new_ctx);
   return ret;
 }
 
@@ -365,12 +368,11 @@ void ec_GFp_simple_point_clear_finish(EC_POINT *point) {
 }
 
 int ec_GFp_simple_point_copy(EC_POINT *dest, const EC_POINT *src) {
-  if (!BN_copy(&dest->X, &src->X))
-    return 0;
-  if (!BN_copy(&dest->Y, &src->Y))
-    return 0;
-  if (!BN_copy(&dest->Z, &src->Z))
+  if (!BN_copy(&dest->X, &src->X) ||
+      !BN_copy(&dest->Y, &src->Y) ||
+      !BN_copy(&dest->Z, &src->Z)) {
     return 0;
+  }
   dest->Z_is_one = src->Z_is_one;
 
   return 1;
@@ -391,41 +393,45 @@ int ec_GFp_simple_set_Jprojective_coordinates_GFp(
 
   if (ctx == NULL) {
     ctx = new_ctx = BN_CTX_new();
-    if (ctx == NULL)
+    if (ctx == NULL) {
       return 0;
+    }
   }
 
   if (x != NULL) {
-    if (!BN_nnmod(&point->X, x, &group->field, ctx))
+    if (!BN_nnmod(&point->X, x, &group->field, ctx)) {
+      goto err;
+    }
+    if (group->meth->field_encode &&
+        !group->meth->field_encode(group, &point->X, &point->X, ctx)) {
       goto err;
-    if (group->meth->field_encode) {
-      if (!group->meth->field_encode(group, &point->X, &point->X, ctx))
-        goto err;
     }
   }
 
   if (y != NULL) {
-    if (!BN_nnmod(&point->Y, y, &group->field, ctx))
+    if (!BN_nnmod(&point->Y, y, &group->field, ctx)) {
+      goto err;
+    }
+    if (group->meth->field_encode &&
+        !group->meth->field_encode(group, &point->Y, &point->Y, ctx)) {
       goto err;
-    if (group->meth->field_encode) {
-      if (!group->meth->field_encode(group, &point->Y, &point->Y, ctx))
-        goto err;
     }
   }
 
   if (z != NULL) {
     int Z_is_one;
 
-    if (!BN_nnmod(&point->Z, z, &group->field, ctx))
+    if (!BN_nnmod(&point->Z, z, &group->field, ctx)) {
       goto err;
+    }
     Z_is_one = BN_is_one(&point->Z);
     if (group->meth->field_encode) {
       if (Z_is_one && (group->meth->field_set_to_one != 0)) {
-        if (!group->meth->field_set_to_one(group, &point->Z, ctx))
-          goto err;
-      } else {
-        if (!group->meth->field_encode(group, &point->Z, &point->Z, ctx))
+        if (!group->meth->field_set_to_one(group, &point->Z, ctx)) {
           goto err;
+        }
+      } else if (!group->meth->field_encode(group, &point->Z, &point->Z, ctx)) {
+        goto err;
       }
     }
     point->Z_is_one = Z_is_one;
@@ -434,8 +440,7 @@ int ec_GFp_simple_set_Jprojective_coordinates_GFp(
   ret = 1;
 
 err:
-  if (new_ctx != NULL)
-    BN_CTX_free(new_ctx);
+  BN_CTX_free(new_ctx);
   return ret;
 }
 
@@ -449,42 +454,36 @@ int ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *group,
   if (group->meth->field_decode != 0) {
     if (ctx == NULL) {
       ctx = new_ctx = BN_CTX_new();
-      if (ctx == NULL)
+      if (ctx == NULL) {
         return 0;
+      }
     }
 
-    if (x != NULL) {
-      if (!group->meth->field_decode(group, x, &point->X, ctx))
-        goto err;
+    if (x != NULL && !group->meth->field_decode(group, x, &point->X, ctx)) {
+      goto err;
     }
-    if (y != NULL) {
-      if (!group->meth->field_decode(group, y, &point->Y, ctx))
-        goto err;
+    if (y != NULL && !group->meth->field_decode(group, y, &point->Y, ctx)) {
+      goto err;
     }
-    if (z != NULL) {
-      if (!group->meth->field_decode(group, z, &point->Z, ctx))
-        goto err;
+    if (z != NULL && !group->meth->field_decode(group, z, &point->Z, ctx)) {
+      goto err;
     }
   } else {
-    if (x != NULL) {
-      if (!BN_copy(x, &point->X))
-        goto err;
+    if (x != NULL && !BN_copy(x, &point->X)) {
+      goto err;
     }
-    if (y != NULL) {
-      if (!BN_copy(y, &point->Y))
-        goto err;
+    if (y != NULL && !BN_copy(y, &point->Y)) {
+      goto err;
     }
-    if (z != NULL) {
-      if (!BN_copy(z, &point->Z))
-        goto err;
+    if (z != NULL && !BN_copy(z, &point->Z)) {
+      goto err;
     }
   }
 
   ret = 1;
 
 err:
-  if (new_ctx != NULL)
-    BN_CTX_free(new_ctx);
+  BN_CTX_free(new_ctx);
   return ret;
 }
 
@@ -518,8 +517,9 @@ int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *group,
 
   if (ctx == NULL) {
     ctx = new_ctx = BN_CTX_new();
-    if (ctx == NULL)
+    if (ctx == NULL) {
       return 0;
+    }
   }
 
   BN_CTX_start(ctx);
@@ -527,14 +527,16 @@ int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *group,
   Z_1 = BN_CTX_get(ctx);
   Z_2 = BN_CTX_get(ctx);
   Z_3 = BN_CTX_get(ctx);
-  if (Z_3 == NULL)
+  if (Z_3 == NULL) {
     goto err;
+  }
 
   /* transform  (X, Y, Z)  into  (x, y) := (X/Z^2, Y/Z^3) */
 
   if (group->meth->field_decode) {
-    if (!group->meth->field_decode(group, Z, &point->Z, ctx))
+    if (!group->meth->field_decode(group, Z, &point->Z, ctx)) {
       goto err;
+    }
     Z_ = Z;
   } else {
     Z_ = &point->Z;
@@ -542,22 +544,18 @@ int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *group,
 
   if (BN_is_one(Z_)) {
     if (group->meth->field_decode) {
-      if (x != NULL) {
-        if (!group->meth->field_decode(group, x, &point->X, ctx))
-          goto err;
+      if (x != NULL && !group->meth->field_decode(group, x, &point->X, ctx)) {
+        goto err;
       }
-      if (y != NULL) {
-        if (!group->meth->field_decode(group, y, &point->Y, ctx))
-          goto err;
+      if (y != NULL && !group->meth->field_decode(group, y, &point->Y, ctx)) {
+        goto err;
       }
     } else {
-      if (x != NULL) {
-        if (!BN_copy(x, &point->X))
-          goto err;
+      if (x != NULL && !BN_copy(x, &point->X)) {
+        goto err;
       }
-      if (y != NULL) {
-        if (!BN_copy(y, &point->Y))
-          goto err;
+      if (y != NULL && !BN_copy(y, &point->Y)) {
+        goto err;
       }
     }
   } else {
@@ -569,34 +567,34 @@ int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *group,
 
     if (group->meth->field_encode == 0) {
       /* field_sqr works on standard representation */
-      if (!group->meth->field_sqr(group, Z_2, Z_1, ctx))
-        goto err;
-    } else {
-      if (!BN_mod_sqr(Z_2, Z_1, &group->field, ctx))
+      if (!group->meth->field_sqr(group, Z_2, Z_1, ctx)) {
         goto err;
+      }
+    } else if (!BN_mod_sqr(Z_2, Z_1, &group->field, ctx)) {
+      goto err;
     }
 
-    if (x != NULL) {
-      /* in the Montgomery case, field_mul will cancel out Montgomery factor in
-       * X: */
-      if (!group->meth->field_mul(group, x, &point->X, Z_2, ctx))
-        goto err;
+    /* in the Montgomery case, field_mul will cancel out Montgomery factor in
+     * X: */
+    if (x != NULL && !group->meth->field_mul(group, x, &point->X, Z_2, ctx)) {
+      goto err;
     }
 
     if (y != NULL) {
       if (group->meth->field_encode == 0) {
         /* field_mul works on standard representation */
-        if (!group->meth->field_mul(group, Z_3, Z_2, Z_1, ctx))
-          goto err;
-      } else {
-        if (!BN_mod_mul(Z_3, Z_2, Z_1, &group->field, ctx))
+        if (!group->meth->field_mul(group, Z_3, Z_2, Z_1, ctx)) {
           goto err;
+        }
+      } else if (!BN_mod_mul(Z_3, Z_2, Z_1, &group->field, ctx)) {
+        goto err;
       }
 
       /* in the Montgomery case, field_mul will cancel out Montgomery factor in
        * Y: */
-      if (!group->meth->field_mul(group, y, &point->Y, Z_3, ctx))
+      if (!group->meth->field_mul(group, y, &point->Y, Z_3, ctx)) {
         goto err;
+      }
     }
   }
 
@@ -604,8 +602,7 @@ int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *group,
 
 err:
   BN_CTX_end(ctx);
-  if (new_ctx != NULL)
-    BN_CTX_free(new_ctx);
+  BN_CTX_free(new_ctx);
   return ret;
 }
 
@@ -619,12 +616,15 @@ int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
   BIGNUM *n0, *n1, *n2, *n3, *n4, *n5, *n6;
   int ret = 0;
 
-  if (a == b)
+  if (a == b) {
     return EC_POINT_dbl(group, r, a, ctx);
-  if (EC_POINT_is_at_infinity(group, a))
+  }
+  if (EC_POINT_is_at_infinity(group, a)) {
     return EC_POINT_copy(r, b);
-  if (EC_POINT_is_at_infinity(group, b))
+  }
+  if (EC_POINT_is_at_infinity(group, b)) {
     return EC_POINT_copy(r, a);
+  }
 
   field_mul = group->meth->field_mul;
   field_sqr = group->meth->field_sqr;
@@ -632,8 +632,9 @@ int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
 
   if (ctx == NULL) {
     ctx = new_ctx = BN_CTX_new();
-    if (ctx == NULL)
+    if (ctx == NULL) {
       return 0;
+    }
   }
 
   BN_CTX_start(ctx);
@@ -644,8 +645,9 @@ int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
   n4 = BN_CTX_get(ctx);
   n5 = BN_CTX_get(ctx);
   n6 = BN_CTX_get(ctx);
-  if (n6 == NULL)
+  if (n6 == NULL) {
     goto end;
+  }
 
   /* Note that in this function we must not read components of 'a' or 'b'
    * once we have written the corresponding components of 'r'.
@@ -654,53 +656,51 @@ int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
 
   /* n1, n2 */
   if (b->Z_is_one) {
-    if (!BN_copy(n1, &a->X))
-      goto end;
-    if (!BN_copy(n2, &a->Y))
+    if (!BN_copy(n1, &a->X) || !BN_copy(n2, &a->Y)) {
       goto end;
+    }
     /* n1 = X_a */
     /* n2 = Y_a */
   } else {
-    if (!field_sqr(group, n0, &b->Z, ctx))
-      goto end;
-    if (!field_mul(group, n1, &a->X, n0, ctx))
+    if (!field_sqr(group, n0, &b->Z, ctx) ||
+        !field_mul(group, n1, &a->X, n0, ctx)) {
       goto end;
+    }
     /* n1 = X_a * Z_b^2 */
 
-    if (!field_mul(group, n0, n0, &b->Z, ctx))
-      goto end;
-    if (!field_mul(group, n2, &a->Y, n0, ctx))
+    if (!field_mul(group, n0, n0, &b->Z, ctx) ||
+        !field_mul(group, n2, &a->Y, n0, ctx)) {
       goto end;
+    }
     /* n2 = Y_a * Z_b^3 */
   }
 
   /* n3, n4 */
   if (a->Z_is_one) {
-    if (!BN_copy(n3, &b->X))
-      goto end;
-    if (!BN_copy(n4, &b->Y))
+    if (!BN_copy(n3, &b->X) || !BN_copy(n4, &b->Y)) {
       goto end;
+    }
     /* n3 = X_b */
     /* n4 = Y_b */
   } else {
-    if (!field_sqr(group, n0, &a->Z, ctx))
-      goto end;
-    if (!field_mul(group, n3, &b->X, n0, ctx))
+    if (!field_sqr(group, n0, &a->Z, ctx) ||
+        !field_mul(group, n3, &b->X, n0, ctx)) {
       goto end;
+    }
     /* n3 = X_b * Z_a^2 */
 
-    if (!field_mul(group, n0, n0, &a->Z, ctx))
-      goto end;
-    if (!field_mul(group, n4, &b->Y, n0, ctx))
+    if (!field_mul(group, n0, n0, &a->Z, ctx) ||
+        !field_mul(group, n4, &b->Y, n0, ctx)) {
       goto end;
+    }
     /* n4 = Y_b * Z_a^3 */
   }
 
   /* n5, n6 */
-  if (!BN_mod_sub_quick(n5, n1, n3, p))
-    goto end;
-  if (!BN_mod_sub_quick(n6, n2, n4, p))
+  if (!BN_mod_sub_quick(n5, n1, n3, p) ||
+      !BN_mod_sub_quick(n6, n2, n4, p)) {
     goto end;
+  }
   /* n5 = n1 - n3 */
   /* n6 = n2 - n4 */
 
@@ -721,76 +721,79 @@ int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
   }
 
   /* 'n7', 'n8' */
-  if (!BN_mod_add_quick(n1, n1, n3, p))
-    goto end;
-  if (!BN_mod_add_quick(n2, n2, n4, p))
+  if (!BN_mod_add_quick(n1, n1, n3, p) ||
+      !BN_mod_add_quick(n2, n2, n4, p)) {
     goto end;
+  }
   /* 'n7' = n1 + n3 */
   /* 'n8' = n2 + n4 */
 
   /* Z_r */
   if (a->Z_is_one && b->Z_is_one) {
-    if (!BN_copy(&r->Z, n5))
+    if (!BN_copy(&r->Z, n5)) {
       goto end;
+    }
   } else {
     if (a->Z_is_one) {
-      if (!BN_copy(n0, &b->Z))
+      if (!BN_copy(n0, &b->Z)) {
         goto end;
+      }
     } else if (b->Z_is_one) {
-      if (!BN_copy(n0, &a->Z))
-        goto end;
-    } else {
-      if (!field_mul(group, n0, &a->Z, &b->Z, ctx))
+      if (!BN_copy(n0, &a->Z)) {
         goto end;
+      }
+    } else if (!field_mul(group, n0, &a->Z, &b->Z, ctx)) {
+      goto end;
     }
-    if (!field_mul(group, &r->Z, n0, n5, ctx))
+    if (!field_mul(group, &r->Z, n0, n5, ctx)) {
       goto end;
+    }
   }
   r->Z_is_one = 0;
   /* Z_r = Z_a * Z_b * n5 */
 
   /* X_r */
-  if (!field_sqr(group, n0, n6, ctx))
-    goto end;
-  if (!field_sqr(group, n4, n5, ctx))
-    goto end;
-  if (!field_mul(group, n3, n1, n4, ctx))
-    goto end;
-  if (!BN_mod_sub_quick(&r->X, n0, n3, p))
+  if (!field_sqr(group, n0, n6, ctx) ||
+      !field_sqr(group, n4, n5, ctx) ||
+      !field_mul(group, n3, n1, n4, ctx) ||
+      !BN_mod_sub_quick(&r->X, n0, n3, p)) {
     goto end;
+  }
   /* X_r = n6^2 - n5^2 * 'n7' */
 
   /* 'n9' */
-  if (!BN_mod_lshift1_quick(n0, &r->X, p))
-    goto end;
-  if (!BN_mod_sub_quick(n0, n3, n0, p))
+  if (!BN_mod_lshift1_quick(n0, &r->X, p) ||
+      !BN_mod_sub_quick(n0, n3, n0, p)) {
     goto end;
+  }
   /* n9 = n5^2 * 'n7' - 2 * X_r */
 
   /* Y_r */
-  if (!field_mul(group, n0, n0, n6, ctx))
-    goto end;
-  if (!field_mul(group, n5, n4, n5, ctx))
+  if (!field_mul(group, n0, n0, n6, ctx) ||
+      !field_mul(group, n5, n4, n5, ctx)) {
     goto end; /* now n5 is n5^3 */
-  if (!field_mul(group, n1, n2, n5, ctx))
+  }
+  if (!field_mul(group, n1, n2, n5, ctx) ||
+      !BN_mod_sub_quick(n0, n0, n1, p)) {
     goto end;
-  if (!BN_mod_sub_quick(n0, n0, n1, p))
+  }
+  if (BN_is_odd(n0) && !BN_add(n0, n0, p)) {
     goto end;
-  if (BN_is_odd(n0))
-    if (!BN_add(n0, n0, p))
-      goto end;
+  }
   /* now  0 <= n0 < 2*p,  and n0 is even */
-  if (!BN_rshift1(&r->Y, n0))
+  if (!BN_rshift1(&r->Y, n0)) {
     goto end;
+  }
   /* Y_r = (n6 * 'n9' - 'n8' * 'n5^3') / 2 */
 
   ret = 1;
 
 end:
-  if (ctx) /* otherwise we already called BN_CTX_end */
+  if (ctx) {
+    /* otherwise we already called BN_CTX_end */
     BN_CTX_end(ctx);
-  if (new_ctx != NULL)
-    BN_CTX_free(new_ctx);
+  }
+  BN_CTX_free(new_ctx);
   return ret;
 }
 
@@ -816,8 +819,9 @@ int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
 
   if (ctx == NULL) {
     ctx = new_ctx = BN_CTX_new();
-    if (ctx == NULL)
+    if (ctx == NULL) {
       return 0;
+    }
   }
 
   BN_CTX_start(ctx);
@@ -825,8 +829,9 @@ int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
   n1 = BN_CTX_get(ctx);
   n2 = BN_CTX_get(ctx);
   n3 = BN_CTX_get(ctx);
-  if (n3 == NULL)
+  if (n3 == NULL) {
     goto err;
+  }
 
   /* Note that in this function we must not read components of 'a'
    * once we have written the corresponding components of 'r'.
@@ -835,108 +840,95 @@ int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
 
   /* n1 */
   if (a->Z_is_one) {
-    if (!field_sqr(group, n0, &a->X, ctx))
-      goto err;
-    if (!BN_mod_lshift1_quick(n1, n0, p))
-      goto err;
-    if (!BN_mod_add_quick(n0, n0, n1, p))
-      goto err;
-    if (!BN_mod_add_quick(n1, n0, &group->a, p))
+    if (!field_sqr(group, n0, &a->X, ctx) ||
+        !BN_mod_lshift1_quick(n1, n0, p) ||
+        !BN_mod_add_quick(n0, n0, n1, p) ||
+        !BN_mod_add_quick(n1, n0, &group->a, p)) {
       goto err;
+    }
     /* n1 = 3 * X_a^2 + a_curve */
   } else if (group->a_is_minus3) {
-    if (!field_sqr(group, n1, &a->Z, ctx))
-      goto err;
-    if (!BN_mod_add_quick(n0, &a->X, n1, p))
-      goto err;
-    if (!BN_mod_sub_quick(n2, &a->X, n1, p))
-      goto err;
-    if (!field_mul(group, n1, n0, n2, ctx))
-      goto err;
-    if (!BN_mod_lshift1_quick(n0, n1, p))
-      goto err;
-    if (!BN_mod_add_quick(n1, n0, n1, p))
+    if (!field_sqr(group, n1, &a->Z, ctx) ||
+        !BN_mod_add_quick(n0, &a->X, n1, p) ||
+        !BN_mod_sub_quick(n2, &a->X, n1, p) ||
+        !field_mul(group, n1, n0, n2, ctx) ||
+        !BN_mod_lshift1_quick(n0, n1, p) ||
+        !BN_mod_add_quick(n1, n0, n1, p)) {
       goto err;
+    }
     /* n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2)
      *    = 3 * X_a^2 - 3 * Z_a^4 */
   } else {
-    if (!field_sqr(group, n0, &a->X, ctx))
-      goto err;
-    if (!BN_mod_lshift1_quick(n1, n0, p))
-      goto err;
-    if (!BN_mod_add_quick(n0, n0, n1, p))
-      goto err;
-    if (!field_sqr(group, n1, &a->Z, ctx))
-      goto err;
-    if (!field_sqr(group, n1, n1, ctx))
-      goto err;
-    if (!field_mul(group, n1, n1, &group->a, ctx))
-      goto err;
-    if (!BN_mod_add_quick(n1, n1, n0, p))
+    if (!field_sqr(group, n0, &a->X, ctx) ||
+        !BN_mod_lshift1_quick(n1, n0, p) ||
+        !BN_mod_add_quick(n0, n0, n1, p) ||
+        !field_sqr(group, n1, &a->Z, ctx) ||
+        !field_sqr(group, n1, n1, ctx) ||
+        !field_mul(group, n1, n1, &group->a, ctx) ||
+        !BN_mod_add_quick(n1, n1, n0, p)) {
       goto err;
+    }
     /* n1 = 3 * X_a^2 + a_curve * Z_a^4 */
   }
 
   /* Z_r */
   if (a->Z_is_one) {
-    if (!BN_copy(n0, &a->Y))
-      goto err;
-  } else {
-    if (!field_mul(group, n0, &a->Y, &a->Z, ctx))
+    if (!BN_copy(n0, &a->Y)) {
       goto err;
+    }
+  } else if (!field_mul(group, n0, &a->Y, &a->Z, ctx)) {
+    goto err;
   }
-  if (!BN_mod_lshift1_quick(&r->Z, n0, p))
+  if (!BN_mod_lshift1_quick(&r->Z, n0, p)) {
     goto err;
+  }
   r->Z_is_one = 0;
   /* Z_r = 2 * Y_a * Z_a */
 
   /* n2 */
-  if (!field_sqr(group, n3, &a->Y, ctx))
-    goto err;
-  if (!field_mul(group, n2, &a->X, n3, ctx))
-    goto err;
-  if (!BN_mod_lshift_quick(n2, n2, 2, p))
+  if (!field_sqr(group, n3, &a->Y, ctx) ||
+      !field_mul(group, n2, &a->X, n3, ctx) ||
+      !BN_mod_lshift_quick(n2, n2, 2, p)) {
     goto err;
+  }
   /* n2 = 4 * X_a * Y_a^2 */
 
   /* X_r */
-  if (!BN_mod_lshift1_quick(n0, n2, p))
-    goto err;
-  if (!field_sqr(group, &r->X, n1, ctx))
-    goto err;
-  if (!BN_mod_sub_quick(&r->X, &r->X, n0, p))
+  if (!BN_mod_lshift1_quick(n0, n2, p) ||
+      !field_sqr(group, &r->X, n1, ctx) ||
+      !BN_mod_sub_quick(&r->X, &r->X, n0, p)) {
     goto err;
+  }
   /* X_r = n1^2 - 2 * n2 */
 
   /* n3 */
-  if (!field_sqr(group, n0, n3, ctx))
-    goto err;
-  if (!BN_mod_lshift_quick(n3, n0, 3, p))
+  if (!field_sqr(group, n0, n3, ctx) ||
+      !BN_mod_lshift_quick(n3, n0, 3, p)) {
     goto err;
+  }
   /* n3 = 8 * Y_a^4 */
 
   /* Y_r */
-  if (!BN_mod_sub_quick(n0, n2, &r->X, p))
-    goto err;
-  if (!field_mul(group, n0, n1, n0, ctx))
-    goto err;
-  if (!BN_mod_sub_quick(&r->Y, n0, n3, p))
+  if (!BN_mod_sub_quick(n0, n2, &r->X, p) ||
+      !field_mul(group, n0, n1, n0, ctx) ||
+      !BN_mod_sub_quick(&r->Y, n0, n3, p)) {
     goto err;
+  }
   /* Y_r = n1 * (n2 - X_r) - n3 */
 
   ret = 1;
 
 err:
   BN_CTX_end(ctx);
-  if (new_ctx != NULL)
-    BN_CTX_free(new_ctx);
+  BN_CTX_free(new_ctx);
   return ret;
 }
 
 int ec_GFp_simple_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx) {
-  if (EC_POINT_is_at_infinity(group, point) || BN_is_zero(&point->Y))
+  if (EC_POINT_is_at_infinity(group, point) || BN_is_zero(&point->Y)) {
     /* point is its own inverse */
     return 1;
+  }
 
   return BN_usub(&point->Y, &group->field, &point->Y);
 }
@@ -955,8 +947,9 @@ int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point,
   BIGNUM *rh, *tmp, *Z4, *Z6;
   int ret = -1;
 
-  if (EC_POINT_is_at_infinity(group, point))
+  if (EC_POINT_is_at_infinity(group, point)) {
     return 1;
+  }
 
   field_mul = group->meth->field_mul;
   field_sqr = group->meth->field_sqr;
@@ -964,8 +957,9 @@ int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point,
 
   if (ctx == NULL) {
     ctx = new_ctx = BN_CTX_new();
-    if (ctx == NULL)
+    if (ctx == NULL) {
       return -1;
+    }
   }
 
   BN_CTX_start(ctx);
@@ -973,8 +967,9 @@ int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point,
   tmp = BN_CTX_get(ctx);
   Z4 = BN_CTX_get(ctx);
   Z6 = BN_CTX_get(ctx);
-  if (Z6 == NULL)
+  if (Z6 == NULL) {
     goto err;
+  }
 
   /* We have a curve defined by a Weierstrass equation
    *      y^2 = x^3 + a*x + b.
@@ -987,64 +982,62 @@ int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point,
    */
 
   /* rh := X^2 */
-  if (!field_sqr(group, rh, &point->X, ctx))
+  if (!field_sqr(group, rh, &point->X, ctx)) {
     goto err;
+  }
 
   if (!point->Z_is_one) {
-    if (!field_sqr(group, tmp, &point->Z, ctx))
-      goto err;
-    if (!field_sqr(group, Z4, tmp, ctx))
-      goto err;
-    if (!field_mul(group, Z6, Z4, tmp, ctx))
+    if (!field_sqr(group, tmp, &point->Z, ctx) ||
+        !field_sqr(group, Z4, tmp, ctx) ||
+        !field_mul(group, Z6, Z4, tmp, ctx)) {
       goto err;
+    }
 
     /* rh := (rh + a*Z^4)*X */
     if (group->a_is_minus3) {
-      if (!BN_mod_lshift1_quick(tmp, Z4, p))
-        goto err;
-      if (!BN_mod_add_quick(tmp, tmp, Z4, p))
-        goto err;
-      if (!BN_mod_sub_quick(rh, rh, tmp, p))
-        goto err;
-      if (!field_mul(group, rh, rh, &point->X, ctx))
+      if (!BN_mod_lshift1_quick(tmp, Z4, p) ||
+          !BN_mod_add_quick(tmp, tmp, Z4, p) ||
+          !BN_mod_sub_quick(rh, rh, tmp, p) ||
+          !field_mul(group, rh, rh, &point->X, ctx)) {
         goto err;
+      }
     } else {
-      if (!field_mul(group, tmp, Z4, &group->a, ctx))
-        goto err;
-      if (!BN_mod_add_quick(rh, rh, tmp, p))
-        goto err;
-      if (!field_mul(group, rh, rh, &point->X, ctx))
+      if (!field_mul(group, tmp, Z4, &group->a, ctx) ||
+          !BN_mod_add_quick(rh, rh, tmp, p) ||
+          !field_mul(group, rh, rh, &point->X, ctx)) {
         goto err;
+      }
     }
 
     /* rh := rh + b*Z^6 */
-    if (!field_mul(group, tmp, &group->b, Z6, ctx))
-      goto err;
-    if (!BN_mod_add_quick(rh, rh, tmp, p))
+    if (!field_mul(group, tmp, &group->b, Z6, ctx) ||
+        !BN_mod_add_quick(rh, rh, tmp, p)) {
       goto err;
+    }
   } else {
     /* point->Z_is_one */
 
     /* rh := (rh + a)*X */
-    if (!BN_mod_add_quick(rh, rh, &group->a, p))
-      goto err;
-    if (!field_mul(group, rh, rh, &point->X, ctx))
+    if (!BN_mod_add_quick(rh, rh, &group->a, p) ||
+        !field_mul(group, rh, rh, &point->X, ctx)) {
       goto err;
+    }
     /* rh := rh + b */
-    if (!BN_mod_add_quick(rh, rh, &group->b, p))
+    if (!BN_mod_add_quick(rh, rh, &group->b, p)) {
       goto err;
+    }
   }
 
   /* 'lh' := Y^2 */
-  if (!field_sqr(group, tmp, &point->Y, ctx))
+  if (!field_sqr(group, tmp, &point->Y, ctx)) {
     goto err;
+  }
 
   ret = (0 == BN_ucmp(tmp, rh));
 
 err:
   BN_CTX_end(ctx);
-  if (new_ctx != NULL)
-    BN_CTX_free(new_ctx);
+  BN_CTX_free(new_ctx);
   return ret;
 }
 
@@ -1068,8 +1061,9 @@ int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a,
     return EC_POINT_is_at_infinity(group, b) ? 0 : 1;
   }
 
-  if (EC_POINT_is_at_infinity(group, b))
+  if (EC_POINT_is_at_infinity(group, b)) {
     return 1;
+  }
 
   if (a->Z_is_one && b->Z_is_one) {
     return ((BN_cmp(&a->X, &b->X) == 0) && BN_cmp(&a->Y, &b->Y) == 0) ? 0 : 1;
@@ -1080,8 +1074,9 @@ int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a,
 
   if (ctx == NULL) {
     ctx = new_ctx = BN_CTX_new();
-    if (ctx == NULL)
+    if (ctx == NULL) {
       return -1;
+    }
   }
 
   BN_CTX_start(ctx);
@@ -1089,8 +1084,9 @@ int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a,
   tmp2 = BN_CTX_get(ctx);
   Za23 = BN_CTX_get(ctx);
   Zb23 = BN_CTX_get(ctx);
-  if (Zb23 == NULL)
+  if (Zb23 == NULL) {
     goto end;
+  }
 
   /* We have to decide whether
    *     (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3),
@@ -1099,21 +1095,23 @@ int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a,
    */
 
   if (!b->Z_is_one) {
-    if (!field_sqr(group, Zb23, &b->Z, ctx))
-      goto end;
-    if (!field_mul(group, tmp1, &a->X, Zb23, ctx))
+    if (!field_sqr(group, Zb23, &b->Z, ctx) ||
+        !field_mul(group, tmp1, &a->X, Zb23, ctx)) {
       goto end;
+    }
     tmp1_ = tmp1;
-  } else
+  } else {
     tmp1_ = &a->X;
+  }
   if (!a->Z_is_one) {
-    if (!field_sqr(group, Za23, &a->Z, ctx))
-      goto end;
-    if (!field_mul(group, tmp2, &b->X, Za23, ctx))
+    if (!field_sqr(group, Za23, &a->Z, ctx) ||
+        !field_mul(group, tmp2, &b->X, Za23, ctx)) {
       goto end;
+    }
     tmp2_ = tmp2;
-  } else
+  } else {
     tmp2_ = &b->X;
+  }
 
   /* compare  X_a*Z_b^2  with  X_b*Z_a^2 */
   if (BN_cmp(tmp1_, tmp2_) != 0) {
@@ -1123,21 +1121,23 @@ int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a,
 
 
   if (!b->Z_is_one) {
-    if (!field_mul(group, Zb23, Zb23, &b->Z, ctx))
-      goto end;
-    if (!field_mul(group, tmp1, &a->Y, Zb23, ctx))
+    if (!field_mul(group, Zb23, Zb23, &b->Z, ctx) ||
+        !field_mul(group, tmp1, &a->Y, Zb23, ctx)) {
       goto end;
+    }
     /* tmp1_ = tmp1 */
-  } else
+  } else {
     tmp1_ = &a->Y;
+  }
   if (!a->Z_is_one) {
-    if (!field_mul(group, Za23, Za23, &a->Z, ctx))
-      goto end;
-    if (!field_mul(group, tmp2, &b->Y, Za23, ctx))
+    if (!field_mul(group, Za23, Za23, &a->Z, ctx) ||
+        !field_mul(group, tmp2, &b->Y, Za23, ctx)) {
       goto end;
+    }
     /* tmp2_ = tmp2 */
-  } else
+  } else {
     tmp2_ = &b->Y;
+  }
 
   /* compare  Y_a*Z_b^3  with  Y_b*Z_a^3 */
   if (BN_cmp(tmp1_, tmp2_) != 0) {
@@ -1150,8 +1150,7 @@ int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a,
 
 end:
   BN_CTX_end(ctx);
-  if (new_ctx != NULL)
-    BN_CTX_free(new_ctx);
+  BN_CTX_free(new_ctx);
   return ret;
 }
 
@@ -1161,25 +1160,28 @@ int ec_GFp_simple_make_affine(const EC_GROUP *group, EC_POINT *point,
   BIGNUM *x, *y;
   int ret = 0;
 
-  if (point->Z_is_one || EC_POINT_is_at_infinity(group, point))
+  if (point->Z_is_one || EC_POINT_is_at_infinity(group, point)) {
     return 1;
+  }
 
   if (ctx == NULL) {
     ctx = new_ctx = BN_CTX_new();
-    if (ctx == NULL)
+    if (ctx == NULL) {
       return 0;
+    }
   }
 
   BN_CTX_start(ctx);
   x = BN_CTX_get(ctx);
   y = BN_CTX_get(ctx);
-  if (y == NULL)
+  if (y == NULL) {
     goto err;
+  }
 
-  if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx))
-    goto err;
-  if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx))
+  if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx) ||
+      !EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) {
     goto err;
+  }
   if (!point->Z_is_one) {
     OPENSSL_PUT_ERROR(EC, ec_GFp_simple_make_affine, ERR_R_INTERNAL_ERROR);
     goto err;
@@ -1189,8 +1191,7 @@ int ec_GFp_simple_make_affine(const EC_GROUP *group, EC_POINT *point,
 
 err:
   BN_CTX_end(ctx);
-  if (new_ctx != NULL)
-    BN_CTX_free(new_ctx);
+  BN_CTX_free(new_ctx);
   return ret;
 }
 
@@ -1335,9 +1336,7 @@ int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num,
 
 err:
   BN_CTX_end(ctx);
-  if (new_ctx != NULL) {
-    BN_CTX_free(new_ctx);
-  }
+  BN_CTX_free(new_ctx);
   if (prod_Z != NULL) {
     for (i = 0; i < num; i++) {
       if (prod_Z[i] == NULL) {
diff --git a/src/crypto/ec/util-64.c b/src/crypto/ec/util-64.c
new file mode 100644
index 0000000..171b063
--- /dev/null
+++ b/src/crypto/ec/util-64.c
@@ -0,0 +1,183 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/base.h>
+
+
+#if defined(OPENSSL_64_BIT) && !defined(OPENSSL_WINDOWS)
+
+#include <openssl/ec.h>
+
+#include "internal.h"
+
+/* Convert an array of points into affine coordinates. (If the point at
+ * infinity is found (Z = 0), it remains unchanged.) This function is
+ * essentially an equivalent to EC_POINTs_make_affine(), but works with the
+ * internal representation of points as used by ecp_nistp###.c rather than
+ * with (BIGNUM-based) EC_POINT data structures. point_array is the
+ * input/output buffer ('num' points in projective form, i.e. three
+ * coordinates each), based on an internal representation of field elements
+ * of size 'felem_size'. tmp_felems needs to point to a temporary array of
+ * 'num'+1 field elements for storage of intermediate values. */
+void ec_GFp_nistp_points_make_affine_internal(
+    size_t num, void *point_array, size_t felem_size, void *tmp_felems,
+    void (*felem_one)(void *out), int (*felem_is_zero)(const void *in),
+    void (*felem_assign)(void *out, const void *in),
+    void (*felem_square)(void *out, const void *in),
+    void (*felem_mul)(void *out, const void *in1, const void *in2),
+    void (*felem_inv)(void *out, const void *in),
+    void (*felem_contract)(void *out, const void *in)) {
+  int i = 0;
+
+#define tmp_felem(I) (&((char *)tmp_felems)[(I)*felem_size])
+#define X(I) (&((char *)point_array)[3 * (I)*felem_size])
+#define Y(I) (&((char *)point_array)[(3 * (I) + 1) * felem_size])
+#define Z(I) (&((char *)point_array)[(3 * (I) + 2) * felem_size])
+
+  if (!felem_is_zero(Z(0))) {
+    felem_assign(tmp_felem(0), Z(0));
+  } else {
+    felem_one(tmp_felem(0));
+  }
+
+  for (i = 1; i < (int)num; i++) {
+    if (!felem_is_zero(Z(i))) {
+      felem_mul(tmp_felem(i), tmp_felem(i - 1), Z(i));
+    } else {
+      felem_assign(tmp_felem(i), tmp_felem(i - 1));
+    }
+  }
+  /* Now each tmp_felem(i) is the product of Z(0) .. Z(i), skipping any
+   * zero-valued factors: if Z(i) = 0, we essentially pretend that Z(i) = 1. */
+
+  felem_inv(tmp_felem(num - 1), tmp_felem(num - 1));
+  for (i = num - 1; i >= 0; i--) {
+    if (i > 0) {
+      /* tmp_felem(i-1) is the product of Z(0) .. Z(i-1), tmp_felem(i)
+       * is the inverse of the product of Z(0) .. Z(i). */
+      /* 1/Z(i) */
+      felem_mul(tmp_felem(num), tmp_felem(i - 1), tmp_felem(i));
+    } else {
+      felem_assign(tmp_felem(num), tmp_felem(0)); /* 1/Z(0) */
+    }
+
+    if (!felem_is_zero(Z(i))) {
+      if (i > 0) {
+        /* For next iteration, replace tmp_felem(i-1) by its inverse. */
+        felem_mul(tmp_felem(i - 1), tmp_felem(i), Z(i));
+      }
+
+      /* Convert point (X, Y, Z) into affine form (X/(Z^2), Y/(Z^3), 1). */
+      felem_square(Z(i), tmp_felem(num));    /* 1/(Z^2) */
+      felem_mul(X(i), X(i), Z(i));           /* X/(Z^2) */
+      felem_mul(Z(i), Z(i), tmp_felem(num)); /* 1/(Z^3) */
+      felem_mul(Y(i), Y(i), Z(i));           /* Y/(Z^3) */
+      felem_contract(X(i), X(i));
+      felem_contract(Y(i), Y(i));
+      felem_one(Z(i));
+    } else {
+      if (i > 0) {
+        /* For next iteration, replace tmp_felem(i-1) by its inverse. */
+        felem_assign(tmp_felem(i - 1), tmp_felem(i));
+      }
+    }
+  }
+}
+
+/* This function looks at 5+1 scalar bits (5 current, 1 adjacent less
+ * significant bit), and recodes them into a signed digit for use in fast point
+ * multiplication: the use of signed rather than unsigned digits means that
+ * fewer points need to be precomputed, given that point inversion is easy (a
+ * precomputed point dP makes -dP available as well).
+ *
+ * BACKGROUND:
+ *
+ * Signed digits for multiplication were introduced by Booth ("A signed binary
+ * multiplication technique", Quart. Journ. Mech. and Applied Math., vol. IV,
+ * pt. 2 (1951), pp. 236-240), in that case for multiplication of integers.
+ * Booth's original encoding did not generally improve the density of nonzero
+ * digits over the binary representation, and was merely meant to simplify the
+ * handling of signed factors given in two's complement; but it has since been
+ * shown to be the basis of various signed-digit representations that do have
+ * further advantages, including the wNAF, using the following general
+ * approach:
+ *
+ * (1) Given a binary representation
+ *
+ *       b_k  ...  b_2  b_1  b_0,
+ *
+ *     of a nonnegative integer (b_k in {0, 1}), rewrite it in digits 0, 1, -1
+ *     by using bit-wise subtraction as follows:
+ *
+ *        b_k b_(k-1)  ...  b_2  b_1  b_0
+ *      -     b_k      ...  b_3  b_2  b_1  b_0
+ *       -------------------------------------
+ *        s_k b_(k-1)  ...  s_3  s_2  s_1  s_0
+ *
+ *     A left-shift followed by subtraction of the original value yields a new
+ *     representation of the same value, using signed bits s_i = b_(i+1) - b_i.
+ *     This representation from Booth's paper has since appeared in the
+ *     literature under a variety of different names including "reversed binary
+ *     form", "alternating greedy expansion", "mutual opposite form", and
+ *     "sign-alternating {+-1}-representation".
+ *
+ *     An interesting property is that among the nonzero bits, values 1 and -1
+ *     strictly alternate.
+ *
+ * (2) Various window schemes can be applied to the Booth representation of
+ *     integers: for example, right-to-left sliding windows yield the wNAF
+ *     (a signed-digit encoding independently discovered by various researchers
+ *     in the 1990s), and left-to-right sliding windows yield a left-to-right
+ *     equivalent of the wNAF (independently discovered by various researchers
+ *     around 2004).
+ *
+ * To prevent leaking information through side channels in point multiplication,
+ * we need to recode the given integer into a regular pattern: sliding windows
+ * as in wNAFs won't do, we need their fixed-window equivalent -- which is a few
+ * decades older: we'll be using the so-called "modified Booth encoding" due to
+ * MacSorley ("High-speed arithmetic in binary computers", Proc. IRE, vol. 49
+ * (1961), pp. 67-91), in a radix-2^5 setting.  That is, we always combine five
+ * signed bits into a signed digit:
+ *
+ *       s_(4j + 4) s_(4j + 3) s_(4j + 2) s_(4j + 1) s_(4j)
+ *
+ * The sign-alternating property implies that the resulting digit values are
+ * integers from -16 to 16.
+ *
+ * Of course, we don't actually need to compute the signed digits s_i as an
+ * intermediate step (that's just a nice way to see how this scheme relates
+ * to the wNAF): a direct computation obtains the recoded digit from the
+ * six bits b_(4j + 4) ... b_(4j - 1).
+ *
+ * This function takes those five bits as an integer (0 .. 63), writing the
+ * recoded digit to *sign (0 for positive, 1 for negative) and *digit (absolute
+ * value, in the range 0 .. 8).  Note that this integer essentially provides the
+ * input bits "shifted to the left" by one position: for example, the input to
+ * compute the least significant recoded digit, given that there's no bit b_-1,
+ * has to be b_4 b_3 b_2 b_1 b_0 0. */
+void ec_GFp_nistp_recode_scalar_bits(uint8_t *sign, uint8_t *digit,
+                                     uint8_t in) {
+  uint8_t s, d;
+
+  s = ~((in >> 5) - 1); /* sets all bits to MSB(in), 'in' seen as
+                          * 6-bit value */
+  d = (1 << 6) - in - 1;
+  d = (d & s) | (in & ~s);
+  d = (d >> 1) + (d & 1);
+
+  *sign = s & 1;
+  *digit = d;
+}
+
+#endif  /* 64_BIT && !WINDOWS */
diff --git a/src/crypto/ec/wnaf.c b/src/crypto/ec/wnaf.c
index 9016328..d87a7d9 100644
--- a/src/crypto/ec/wnaf.c
+++ b/src/crypto/ec/wnaf.c
@@ -72,6 +72,7 @@
 #include <openssl/bn.h>
 #include <openssl/err.h>
 #include <openssl/mem.h>
+#include <openssl/thread.h>
 
 #include "internal.h"
 
@@ -84,7 +85,6 @@
 
 /* structure for precomputed multiples of the generator */
 typedef struct ec_pre_comp_st {
-  const EC_GROUP *group; /* parent EC_GROUP object */
   size_t blocksize;      /* block size for wNAF splitting */
   size_t numblocks; /* max. number of blocks for which we have precomputation */
   size_t w;         /* window size */
@@ -94,18 +94,14 @@ typedef struct ec_pre_comp_st {
   int references;
 } EC_PRE_COMP;
 
-static EC_PRE_COMP *ec_pre_comp_new(const EC_GROUP *group) {
+static EC_PRE_COMP *ec_pre_comp_new(void) {
   EC_PRE_COMP *ret = NULL;
 
-  if (!group)
-    return NULL;
-
   ret = (EC_PRE_COMP *)OPENSSL_malloc(sizeof(EC_PRE_COMP));
   if (!ret) {
     OPENSSL_PUT_ERROR(EC, ec_pre_comp_new, ERR_R_MALLOC_FAILURE);
     return ret;
   }
-  ret->group = group;
   ret->blocksize = 8; /* default */
   ret->numblocks = 0;
   ret->w = 4; /* default */
@@ -125,14 +121,8 @@ void *ec_pre_comp_dup(EC_PRE_COMP *pre_comp) {
 }
 
 void ec_pre_comp_free(EC_PRE_COMP *pre_comp) {
-  int i;
-
-  if (!pre_comp) {
-    return;
-  }
-
-  i = CRYPTO_add(&pre_comp->references, -1, CRYPTO_LOCK_EC_PRE_COMP);
-  if (i > 0) {
+  if (pre_comp == NULL ||
+      CRYPTO_add(&pre_comp->references, -1, CRYPTO_LOCK_EC_PRE_COMP) > 0) {
     return;
   }
 
@@ -272,8 +262,9 @@ err:
     OPENSSL_free(r);
     r = NULL;
   }
-  if (ok)
+  if (ok) {
     *ret_len = len;
+  }
   return r;
 }
 
@@ -341,8 +332,9 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 
   if (ctx == NULL) {
     ctx = new_ctx = BN_CTX_new();
-    if (ctx == NULL)
+    if (ctx == NULL) {
       goto err;
+    }
   }
 
   if (scalar != NULL) {
@@ -365,8 +357,9 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
       numblocks = (BN_num_bits(scalar) / blocksize) + 1;
 
       /* we cannot use more blocks than we have precomputation for */
-      if (numblocks > pre_comp->numblocks)
+      if (numblocks > pre_comp->numblocks) {
         numblocks = pre_comp->numblocks;
+      }
 
       pre_points_per_block = (size_t)1 << (pre_comp->w - 1);
 
@@ -413,10 +406,12 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
     wNAF[i + 1] = NULL; /* make sure we always have a pivot */
     wNAF[i] =
         compute_wNAF((i < num ? scalars[i] : scalar), wsize[i], &wNAF_len[i]);
-    if (wNAF[i] == NULL)
+    if (wNAF[i] == NULL) {
       goto err;
-    if (wNAF_len[i] > max_len)
+    }
+    if (wNAF_len[i] > max_len) {
       max_len = wNAF_len[i];
+    }
   }
 
   if (numblocks) {
@@ -440,8 +435,9 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
       /* use the window size for which we have precomputation */
       wsize[num] = pre_comp->w;
       tmp_wNAF = compute_wNAF(scalar, wsize[num], &tmp_len);
-      if (!tmp_wNAF)
+      if (!tmp_wNAF) {
         goto err;
+      }
 
       if (tmp_len <= max_len) {
         /* One of the other wNAFs is at least as long
@@ -484,10 +480,11 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
               goto err;
             }
             tmp_len -= blocksize;
-          } else
+          } else {
             /* last block gets whatever is left
              * (this could be more or less than 'blocksize'!) */
             wNAF_len[i] = tmp_len;
+          }
 
           wNAF[i + 1] = NULL;
           wNAF[i] = OPENSSL_malloc(wNAF_len[i]);
@@ -497,8 +494,9 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
             goto err;
           }
           memcpy(wNAF[i], pp, wNAF_len[i]);
-          if (wNAF_len[i] > max_len)
+          if (wNAF_len[i] > max_len) {
             max_len = wNAF_len[i];
+          }
 
           if (*tmp_points == NULL) {
             OPENSSL_PUT_ERROR(EC, ec_wNAF_mul, ERR_R_INTERNAL_ERROR);
@@ -531,8 +529,9 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
     val_sub[i] = v;
     for (j = 0; j < ((size_t)1 << (wsize[i] - 1)); j++) {
       *v = EC_POINT_new(group);
-      if (*v == NULL)
+      if (*v == NULL) {
         goto err;
+      }
       v++;
     }
   }
@@ -541,8 +540,9 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
     goto err;
   }
 
-  if (!(tmp = EC_POINT_new(group)))
+  if (!(tmp = EC_POINT_new(group))) {
     goto err;
+  }
 
   /* prepare precomputed values:
    *    val_sub[i][0] :=     points[i]
@@ -552,34 +552,36 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
    */
   for (i = 0; i < num + num_scalar; i++) {
     if (i < num) {
-      if (!EC_POINT_copy(val_sub[i][0], points[i]))
-        goto err;
-    } else {
-      if (!EC_POINT_copy(val_sub[i][0], generator))
+      if (!EC_POINT_copy(val_sub[i][0], points[i])) {
         goto err;
+      }
+    } else if (!EC_POINT_copy(val_sub[i][0], generator)) {
+      goto err;
     }
 
     if (wsize[i] > 1) {
-      if (!EC_POINT_dbl(group, tmp, val_sub[i][0], ctx))
+      if (!EC_POINT_dbl(group, tmp, val_sub[i][0], ctx)) {
         goto err;
+      }
       for (j = 1; j < ((size_t)1 << (wsize[i] - 1)); j++) {
-        if (!EC_POINT_add(group, val_sub[i][j], val_sub[i][j - 1], tmp, ctx))
+        if (!EC_POINT_add(group, val_sub[i][j], val_sub[i][j - 1], tmp, ctx)) {
           goto err;
+        }
       }
     }
   }
 
 #if 1 /* optional; EC_window_bits_for_scalar_size assumes we do this step */
-  if (!EC_POINTs_make_affine(group, num_val, val, ctx))
+  if (!EC_POINTs_make_affine(group, num_val, val, ctx)) {
     goto err;
+  }
 #endif
 
   r_is_at_infinity = 1;
 
   for (k = max_len - 1; k >= 0; k--) {
-    if (!r_is_at_infinity) {
-      if (!EC_POINT_dbl(group, r, r, ctx))
-        goto err;
+    if (!r_is_at_infinity && !EC_POINT_dbl(group, r, r, ctx)) {
+      goto err;
     }
 
     for (i = 0; i < totalnum; i++) {
@@ -590,13 +592,13 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
         if (digit) {
           is_neg = digit < 0;
 
-          if (is_neg)
+          if (is_neg) {
             digit = -digit;
+          }
 
           if (is_neg != r_is_inverted) {
-            if (!r_is_at_infinity) {
-              if (!EC_POINT_invert(group, r, ctx))
-                goto err;
+            if (!r_is_at_infinity && !EC_POINT_invert(group, r, ctx)) {
+              goto err;
             }
             r_is_inverted = !r_is_inverted;
           }
@@ -604,12 +606,14 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
           /* digit > 0 */
 
           if (r_is_at_infinity) {
-            if (!EC_POINT_copy(r, val_sub[i][digit >> 1]))
+            if (!EC_POINT_copy(r, val_sub[i][digit >> 1])) {
               goto err;
+            }
             r_is_at_infinity = 0;
           } else {
-            if (!EC_POINT_add(group, r, r, val_sub[i][digit >> 1], ctx))
+            if (!EC_POINT_add(group, r, r, val_sub[i][digit >> 1], ctx)) {
               goto err;
+            }
           }
         }
       }
@@ -617,42 +621,37 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
   }
 
   if (r_is_at_infinity) {
-    if (!EC_POINT_set_to_infinity(group, r))
+    if (!EC_POINT_set_to_infinity(group, r)) {
       goto err;
-  } else {
-    if (r_is_inverted)
-      if (!EC_POINT_invert(group, r, ctx))
-        goto err;
+    }
+  } else if (r_is_inverted && !EC_POINT_invert(group, r, ctx)) {
+    goto err;
   }
 
   ret = 1;
 
 err:
-  if (new_ctx != NULL)
-    BN_CTX_free(new_ctx);
-  if (tmp != NULL)
-    EC_POINT_free(tmp);
-  if (wsize != NULL)
-    OPENSSL_free(wsize);
-  if (wNAF_len != NULL)
-    OPENSSL_free(wNAF_len);
+  BN_CTX_free(new_ctx);
+  EC_POINT_free(tmp);
+  OPENSSL_free(wsize);
+  OPENSSL_free(wNAF_len);
   if (wNAF != NULL) {
     signed char **w;
 
-    for (w = wNAF; *w != NULL; w++)
+    for (w = wNAF; *w != NULL; w++) {
       OPENSSL_free(*w);
+    }
 
     OPENSSL_free(wNAF);
   }
   if (val != NULL) {
-    for (v = val; *v != NULL; v++)
+    for (v = val; *v != NULL; v++) {
       EC_POINT_clear_free(*v);
+    }
 
     OPENSSL_free(val);
   }
-  if (val_sub != NULL) {
-    OPENSSL_free(val_sub);
-  }
+  OPENSSL_free(val_sub);
   return ret;
 }
 
@@ -690,33 +689,36 @@ int ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *ctx) {
   int ret = 0;
 
   /* if there is an old EC_PRE_COMP object, throw it away */
-  if (group->pre_comp) {
-    ec_pre_comp_free(group->pre_comp);
-    group->pre_comp = NULL;
-  }
-
-  if ((pre_comp = ec_pre_comp_new(group)) == NULL)
-    return 0;
+  ec_pre_comp_free(group->pre_comp);
+  group->pre_comp = NULL;
 
   generator = EC_GROUP_get0_generator(group);
   if (generator == NULL) {
     OPENSSL_PUT_ERROR(EC, ec_wNAF_precompute_mult, EC_R_UNDEFINED_GENERATOR);
-    goto err;
+    return 0;
+  }
+
+  pre_comp = ec_pre_comp_new();
+  if (pre_comp == NULL) {
+    return 0;
   }
 
   if (ctx == NULL) {
     ctx = new_ctx = BN_CTX_new();
-    if (ctx == NULL)
+    if (ctx == NULL) {
       goto err;
+    }
   }
 
   BN_CTX_start(ctx);
   order = BN_CTX_get(ctx);
-  if (order == NULL)
+  if (order == NULL) {
     goto err;
+  }
 
-  if (!EC_GROUP_get_order(group, order, ctx))
+  if (!EC_GROUP_get_order(group, order, ctx)) {
     goto err;
+  }
   if (BN_is_zero(order)) {
     OPENSSL_PUT_ERROR(EC, ec_wNAF_precompute_mult, EC_R_UNKNOWN_ORDER);
     goto err;
@@ -764,23 +766,27 @@ int ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *ctx) {
     goto err;
   }
 
-  if (!EC_POINT_copy(base, generator))
+  if (!EC_POINT_copy(base, generator)) {
     goto err;
+  }
 
   /* do the precomputation */
   for (i = 0; i < numblocks; i++) {
     size_t j;
 
-    if (!EC_POINT_dbl(group, tmp_point, base, ctx))
+    if (!EC_POINT_dbl(group, tmp_point, base, ctx)) {
       goto err;
+    }
 
-    if (!EC_POINT_copy(*var++, base))
+    if (!EC_POINT_copy(*var++, base)) {
       goto err;
+    }
 
     for (j = 1; j < pre_points_per_block; j++, var++) {
       /* calculate odd multiples of the current base point */
-      if (!EC_POINT_add(group, *var, tmp_point, *(var - 1), ctx))
+      if (!EC_POINT_add(group, *var, tmp_point, *(var - 1), ctx)) {
         goto err;
+      }
     }
 
     if (i < numblocks - 1) {
@@ -792,19 +798,21 @@ int ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *ctx) {
         goto err;
       }
 
-      if (!EC_POINT_dbl(group, base, tmp_point, ctx))
+      if (!EC_POINT_dbl(group, base, tmp_point, ctx)) {
         goto err;
+      }
       for (k = 2; k < blocksize; k++) {
-        if (!EC_POINT_dbl(group, base, base, ctx))
+        if (!EC_POINT_dbl(group, base, base, ctx)) {
           goto err;
+        }
       }
     }
   }
 
-  if (!EC_POINTs_make_affine(group, num, points, ctx))
+  if (!EC_POINTs_make_affine(group, num, points, ctx)) {
     goto err;
+  }
 
-  pre_comp->group = group;
   pre_comp->blocksize = blocksize;
   pre_comp->numblocks = numblocks;
   pre_comp->w = w;
@@ -818,23 +826,21 @@ int ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *ctx) {
   ret = 1;
 
 err:
-  if (ctx != NULL)
+  if (ctx != NULL) {
     BN_CTX_end(ctx);
-  if (new_ctx != NULL)
-    BN_CTX_free(new_ctx);
-  if (pre_comp)
-    ec_pre_comp_free(pre_comp);
+  }
+  BN_CTX_free(new_ctx);
+  ec_pre_comp_free(pre_comp);
   if (points) {
     EC_POINT **p;
 
-    for (p = points; *p != NULL; p++)
+    for (p = points; *p != NULL; p++) {
       EC_POINT_free(*p);
+    }
     OPENSSL_free(points);
   }
-  if (tmp_point)
-    EC_POINT_free(tmp_point);
-  if (base)
-    EC_POINT_free(base);
+  EC_POINT_free(tmp_point);
+  EC_POINT_free(base);
   return ret;
 }
 
diff --git a/src/crypto/ecdh/CMakeLists.txt b/src/crypto/ecdh/CMakeLists.txt
index b312148..346e72d 100644
--- a/src/crypto/ecdh/CMakeLists.txt
+++ b/src/crypto/ecdh/CMakeLists.txt
@@ -6,5 +6,4 @@ add_library(
   OBJECT
 
   ecdh.c
-  ecdh_error.c
 )
diff --git a/src/crypto/ecdh/ecdh.c b/src/crypto/ecdh/ecdh.c
index d4497f1..a011bab 100644
--- a/src/crypto/ecdh/ecdh.c
+++ b/src/crypto/ecdh/ecdh.c
@@ -145,13 +145,17 @@ int ECDH_compute_key(void *out, size_t outlen, const EC_POINT *pub_key,
   }
 
 err:
-  if (tmp)
+  if (tmp) {
     EC_POINT_free(tmp);
-  if (ctx)
+  }
+  if (ctx) {
     BN_CTX_end(ctx);
-  if (ctx)
+  }
+  if (ctx) {
     BN_CTX_free(ctx);
-  if (buf)
+  }
+  if (buf) {
     OPENSSL_free(buf);
+  }
   return ret;
 }
diff --git a/src/crypto/ecdh/ecdh_error.c b/src/crypto/ecdh/ecdh_error.c
deleted file mode 100644
index 8ba1854..0000000
--- a/src/crypto/ecdh/ecdh_error.c
+++ /dev/null
@@ -1,25 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/ecdh.h>
-
-const ERR_STRING_DATA ECDH_error_string_data[] = {
-  {ERR_PACK(ERR_LIB_ECDH, ECDH_F_ECDH_compute_key, 0), "ECDH_compute_key"},
-  {ERR_PACK(ERR_LIB_ECDH, 0, ECDH_R_KDF_FAILED), "KDF_FAILED"},
-  {ERR_PACK(ERR_LIB_ECDH, 0, ECDH_R_NO_PRIVATE_VALUE), "NO_PRIVATE_VALUE"},
-  {ERR_PACK(ERR_LIB_ECDH, 0, ECDH_R_POINT_ARITHMETIC_FAILURE), "POINT_ARITHMETIC_FAILURE"},
-  {0, NULL},
-};
diff --git a/src/crypto/ecdsa/CMakeLists.txt b/src/crypto/ecdsa/CMakeLists.txt
index 4bddd27..c8645d1 100644
--- a/src/crypto/ecdsa/CMakeLists.txt
+++ b/src/crypto/ecdsa/CMakeLists.txt
@@ -7,14 +7,13 @@ add_library(
 
   ecdsa.c
   ecdsa_asn1.c
-  ecdsa_error.c
 )
 
 
 add_executable(
   ecdsa_test
 
-  ecdsa_test.c
+  ecdsa_test.cc
 )
 
 target_link_libraries(ecdsa_test crypto)
diff --git a/src/crypto/ecdsa/ecdsa.c b/src/crypto/ecdsa/ecdsa.c
index d389799..b71799e 100644
--- a/src/crypto/ecdsa/ecdsa.c
+++ b/src/crypto/ecdsa/ecdsa.c
@@ -57,7 +57,6 @@
 #include <openssl/bn.h>
 #include <openssl/err.h>
 #include <openssl/mem.h>
-#include <openssl/thread.h>
 
 #include "../ec/internal.h"
 
@@ -98,12 +97,8 @@ int ECDSA_verify(int type, const uint8_t *digest, size_t digest_len,
   ret = ECDSA_do_verify(digest, digest_len, s, eckey);
 
 err:
-  if (der != NULL) {
-    OPENSSL_free(der);
-  }
-  if (s != NULL) {
-    ECDSA_SIG_free(s);
-  }
+  OPENSSL_free(der);
+  ECDSA_SIG_free(s);
   return ret;
 }
 
@@ -232,9 +227,7 @@ int ECDSA_do_verify(const uint8_t *digest, size_t digest_len,
 err:
   BN_CTX_end(ctx);
   BN_CTX_free(ctx);
-  if (point) {
-    EC_POINT_free(point);
-  }
+  EC_POINT_free(point);
   return ret;
 }
 
@@ -334,12 +327,8 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
     goto err;
   }
   /* clear old values if necessary */
-  if (*rp != NULL) {
-    BN_clear_free(*rp);
-  }
-  if (*kinvp != NULL) {
-    BN_clear_free(*kinvp);
-  }
+  BN_clear_free(*rp);
+  BN_clear_free(*kinvp);
 
   /* save the pre-computed values  */
   *rp = r;
@@ -348,21 +337,15 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
 
 err:
   if (!ret) {
-    if (k != NULL) {
-      BN_clear_free(k);
-    }
-    if (r != NULL) {
-      BN_clear_free(r);
-    }
+    BN_clear_free(k);
+    BN_clear_free(r);
   }
-  if (ctx_in == NULL)
+  if (ctx_in == NULL) {
     BN_CTX_free(ctx);
-  if (order != NULL)
-    BN_free(order);
-  if (tmp_point != NULL)
-    EC_POINT_free(tmp_point);
-  if (X)
-    BN_clear_free(X);
+  }
+  BN_free(order);
+  EC_POINT_free(tmp_point);
+  BN_clear_free(X);
   return ret;
 }
 
@@ -461,16 +444,11 @@ err:
     ECDSA_SIG_free(ret);
     ret = NULL;
   }
-  if (ctx)
-    BN_CTX_free(ctx);
-  if (m)
-    BN_clear_free(m);
-  if (tmp)
-    BN_clear_free(tmp);
-  if (order)
-    BN_free(order);
-  if (kinv)
-    BN_clear_free(kinv);
+  BN_CTX_free(ctx);
+  BN_clear_free(m);
+  BN_clear_free(tmp);
+  BN_free(order);
+  BN_clear_free(kinv);
   return ret;
 }
 
diff --git a/src/crypto/ecdsa/ecdsa_asn1.c b/src/crypto/ecdsa/ecdsa_asn1.c
index b3c6a87..f557ca7 100644
--- a/src/crypto/ecdsa/ecdsa_asn1.c
+++ b/src/crypto/ecdsa/ecdsa_asn1.c
@@ -55,6 +55,7 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/ec_key.h>
+#include <openssl/mem.h>
 
 #include "../ec/internal.h"
 
@@ -67,7 +68,7 @@ ASN1_SEQUENCE(ECDSA_SIG) = {
     ASN1_SIMPLE(ECDSA_SIG, s, CBIGNUM),
 } ASN1_SEQUENCE_END(ECDSA_SIG);
 
-IMPLEMENT_ASN1_FUNCTIONS_const(ECDSA_SIG);
+IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(ECDSA_SIG, ECDSA_SIG, ECDSA_SIG);
 
 size_t ECDSA_size(const EC_KEY *key) {
   size_t ret, i, group_order_size;
@@ -114,3 +115,27 @@ size_t ECDSA_size(const EC_KEY *key) {
   BN_clear_free(order);
   return ret;
 }
+
+ECDSA_SIG *ECDSA_SIG_new(void) {
+  ECDSA_SIG *sig = OPENSSL_malloc(sizeof(ECDSA_SIG));
+  if (sig == NULL) {
+    return NULL;
+  }
+  sig->r = BN_new();
+  sig->s = BN_new();
+  if (sig->r == NULL || sig->s == NULL) {
+    ECDSA_SIG_free(sig);
+    return NULL;
+  }
+  return sig;
+}
+
+void ECDSA_SIG_free(ECDSA_SIG *sig) {
+  if (sig == NULL) {
+    return;
+  }
+
+  BN_free(sig->r);
+  BN_free(sig->s);
+  OPENSSL_free(sig);
+}
diff --git a/src/crypto/ecdsa/ecdsa_error.c b/src/crypto/ecdsa/ecdsa_error.c
deleted file mode 100644
index cbd69ce..0000000
--- a/src/crypto/ecdsa/ecdsa_error.c
+++ /dev/null
@@ -1,32 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/ecdsa.h>
-
-const ERR_STRING_DATA ECDSA_error_string_data[] = {
-  {ERR_PACK(ERR_LIB_ECDSA, ECDSA_F_ECDSA_do_sign_ex, 0), "ECDSA_do_sign_ex"},
-  {ERR_PACK(ERR_LIB_ECDSA, ECDSA_F_ECDSA_do_verify, 0), "ECDSA_do_verify"},
-  {ERR_PACK(ERR_LIB_ECDSA, ECDSA_F_ECDSA_sign_ex, 0), "ECDSA_sign_ex"},
-  {ERR_PACK(ERR_LIB_ECDSA, ECDSA_F_ECDSA_sign_setup, 0), "ECDSA_sign_setup"},
-  {ERR_PACK(ERR_LIB_ECDSA, ECDSA_F_digest_to_bn, 0), "digest_to_bn"},
-  {ERR_PACK(ERR_LIB_ECDSA, ECDSA_F_ecdsa_sign_setup, 0), "ecdsa_sign_setup"},
-  {ERR_PACK(ERR_LIB_ECDSA, 0, ECDSA_R_BAD_SIGNATURE), "BAD_SIGNATURE"},
-  {ERR_PACK(ERR_LIB_ECDSA, 0, ECDSA_R_MISSING_PARAMETERS), "MISSING_PARAMETERS"},
-  {ERR_PACK(ERR_LIB_ECDSA, 0, ECDSA_R_NEED_NEW_SETUP_VALUES), "NEED_NEW_SETUP_VALUES"},
-  {ERR_PACK(ERR_LIB_ECDSA, 0, ECDSA_R_NOT_IMPLEMENTED), "NOT_IMPLEMENTED"},
-  {ERR_PACK(ERR_LIB_ECDSA, 0, ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED), "RANDOM_NUMBER_GENERATION_FAILED"},
-  {0, NULL},
-};
diff --git a/src/crypto/ecdsa/ecdsa_test.c b/src/crypto/ecdsa/ecdsa_test.c
deleted file mode 100644
index d48f9c3..0000000
--- a/src/crypto/ecdsa/ecdsa_test.c
+++ /dev/null
@@ -1,328 +0,0 @@
-/* ====================================================================
- * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com). */
-
-#include <openssl/ecdsa.h>
-
-#include <openssl/bio.h>
-#include <openssl/bn.h>
-#include <openssl/crypto.h>
-#include <openssl/ec.h>
-#include <openssl/err.h>
-#include <openssl/mem.h>
-#include <openssl/obj.h>
-#include <openssl/rand.h>
-
-
-int test_builtin(BIO *out) {
-  size_t n = 0;
-  EC_KEY *eckey = NULL, *wrong_eckey = NULL;
-  EC_GROUP *group;
-  BIGNUM *order = NULL;
-  ECDSA_SIG *ecdsa_sig = NULL;
-  unsigned char digest[20], wrong_digest[20];
-  unsigned char *signature = NULL;
-  const unsigned char *sig_ptr;
-  unsigned char *sig_ptr2;
-  unsigned char *raw_buf = NULL;
-  unsigned int sig_len, r_len, s_len, bn_len, buf_len;
-  int nid, ret = 0;
-
-  /* fill digest values with some random data */
-  if (!RAND_bytes(digest, 20) || !RAND_bytes(wrong_digest, 20)) {
-    BIO_printf(out, "ERROR: unable to get random data\n");
-    goto builtin_err;
-  }
-
-  order = BN_new();
-  if (order == NULL) {
-    goto builtin_err;
-  }
-
-  /* create and verify a ecdsa signature with every availble curve
-   * (with ) */
-  BIO_printf(out,
-             "\ntesting ECDSA_sign() and ECDSA_verify() "
-             "with some internal curves:\n");
-
-  static const int kCurveNIDs[] = {NID_secp224r1, NID_X9_62_prime256v1,
-                                   NID_secp384r1, NID_secp521r1, NID_undef};
-
-  /* now create and verify a signature for every curve */
-  for (n = 0; kCurveNIDs[n] != NID_undef; n++) {
-    unsigned char dirt, offset;
-
-    nid = kCurveNIDs[n];
-    /* create new ecdsa key (== EC_KEY) */
-    eckey = EC_KEY_new();
-    if (eckey == NULL) {
-      goto builtin_err;
-    }
-    group = EC_GROUP_new_by_curve_name(nid);
-    if (group == NULL) {
-      goto builtin_err;
-    }
-    if (!EC_KEY_set_group(eckey, group)) {
-      goto builtin_err;
-    }
-    EC_GROUP_free(group);
-    if (!EC_GROUP_get_order(EC_KEY_get0_group(eckey), order, NULL)) {
-      goto builtin_err;
-    }
-    if (BN_num_bits(order) < 160) {
-      /* Too small to test. */
-      EC_KEY_free(eckey);
-      eckey = NULL;
-      continue;
-    }
-
-    BIO_printf(out, "%s: ", OBJ_nid2sn(nid));
-    /* create key */
-    if (!EC_KEY_generate_key(eckey)) {
-      BIO_printf(out, " failed\n");
-      goto builtin_err;
-    }
-    /* create second key */
-    wrong_eckey = EC_KEY_new();
-    if (wrong_eckey == NULL) {
-      goto builtin_err;
-    }
-    group = EC_GROUP_new_by_curve_name(nid);
-    if (group == NULL) {
-      goto builtin_err;
-    }
-    if (EC_KEY_set_group(wrong_eckey, group) == 0) {
-      goto builtin_err;
-    }
-    EC_GROUP_free(group);
-    if (!EC_KEY_generate_key(wrong_eckey)) {
-      BIO_printf(out, " failed\n");
-      goto builtin_err;
-    }
-
-    BIO_printf(out, ".");
-    (void)BIO_flush(out);
-    /* check key */
-    if (!EC_KEY_check_key(eckey)) {
-      BIO_printf(out, " failed\n");
-      goto builtin_err;
-    }
-    BIO_printf(out, ".");
-    (void)BIO_flush(out);
-    /* create signature */
-    sig_len = ECDSA_size(eckey);
-    signature = OPENSSL_malloc(sig_len);
-    if (signature == NULL) {
-      goto builtin_err;
-    }
-    if (!ECDSA_sign(0, digest, 20, signature, &sig_len, eckey)) {
-      BIO_printf(out, " failed\n");
-      goto builtin_err;
-    }
-    BIO_printf(out, ".");
-    (void)BIO_flush(out);
-    /* verify signature */
-    if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) != 1) {
-      BIO_printf(out, " failed\n");
-      goto builtin_err;
-    }
-    BIO_printf(out, ".");
-    (void)BIO_flush(out);
-    /* verify signature with the wrong key */
-    if (ECDSA_verify(0, digest, 20, signature, sig_len, wrong_eckey) == 1) {
-      BIO_printf(out, " failed\n");
-      goto builtin_err;
-    }
-    BIO_printf(out, ".");
-    (void)BIO_flush(out);
-    /* wrong digest */
-    if (ECDSA_verify(0, wrong_digest, 20, signature, sig_len, eckey) == 1) {
-      BIO_printf(out, " failed\n");
-      goto builtin_err;
-    }
-    BIO_printf(out, ".");
-    (void)BIO_flush(out);
-    /* wrong length */
-    if (ECDSA_verify(0, digest, 20, signature, sig_len - 1, eckey) == 1) {
-      BIO_printf(out, " failed\n");
-      goto builtin_err;
-    }
-    BIO_printf(out, ".");
-    (void)BIO_flush(out);
-
-    /* Modify a single byte of the signature: to ensure we don't
-     * garble the ASN1 structure, we read the raw signature and
-     * modify a byte in one of the bignums directly. */
-    sig_ptr = signature;
-    ecdsa_sig = d2i_ECDSA_SIG(NULL, &sig_ptr, sig_len);
-    if (ecdsa_sig == NULL) {
-      BIO_printf(out, " failed\n");
-      goto builtin_err;
-    }
-
-    /* Store the two BIGNUMs in raw_buf. */
-    r_len = BN_num_bytes(ecdsa_sig->r);
-    s_len = BN_num_bytes(ecdsa_sig->s);
-    bn_len = BN_num_bytes(order);
-    if (r_len > bn_len || s_len > bn_len) {
-      BIO_printf(out, " failed\n");
-      goto builtin_err;
-    }
-    buf_len = 2 * bn_len;
-    raw_buf = OPENSSL_malloc(2 * bn_len);
-    if (raw_buf == NULL) {
-      goto builtin_err;
-    }
-    /* Pad the bignums with leading zeroes. */
-    if (!BN_bn2bin_padded(raw_buf, bn_len, ecdsa_sig->r) ||
-        !BN_bn2bin_padded(raw_buf + bn_len, bn_len, ecdsa_sig->s)) {
-      goto builtin_err;
-    }
-
-    /* Modify a single byte in the buffer. */
-    offset = raw_buf[10] % buf_len;
-    dirt = raw_buf[11] ? raw_buf[11] : 1;
-    raw_buf[offset] ^= dirt;
-    /* Now read the BIGNUMs back in from raw_buf. */
-    if (BN_bin2bn(raw_buf, bn_len, ecdsa_sig->r) == NULL ||
-        BN_bin2bn(raw_buf + bn_len, bn_len, ecdsa_sig->s) == NULL) {
-      goto builtin_err;
-    }
-
-    sig_ptr2 = signature;
-    sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr2);
-    if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) == 1) {
-      BIO_printf(out, " failed\n");
-      goto builtin_err;
-    }
-    /* Sanity check: undo the modification and verify signature. */
-    raw_buf[offset] ^= dirt;
-    if (BN_bin2bn(raw_buf, bn_len, ecdsa_sig->r) == NULL ||
-        BN_bin2bn(raw_buf + bn_len, bn_len, ecdsa_sig->s) == NULL) {
-      goto builtin_err;
-    }
-
-    sig_ptr2 = signature;
-    sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr2);
-    if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) != 1) {
-      BIO_printf(out, " failed\n");
-      goto builtin_err;
-    }
-    BIO_printf(out, ".");
-    (void)BIO_flush(out);
-
-    BIO_printf(out, " ok\n");
-    /* cleanup */
-    /* clean bogus errors */
-    ERR_clear_error();
-    OPENSSL_free(signature);
-    signature = NULL;
-    EC_KEY_free(eckey);
-    eckey = NULL;
-    EC_KEY_free(wrong_eckey);
-    wrong_eckey = NULL;
-    ECDSA_SIG_free(ecdsa_sig);
-    ecdsa_sig = NULL;
-    OPENSSL_free(raw_buf);
-    raw_buf = NULL;
-  }
-
-  ret = 1;
-builtin_err:
-  if (eckey) {
-    EC_KEY_free(eckey);
-  }
-  if (order) {
-    BN_free(order);
-  }
-  if (wrong_eckey) {
-    EC_KEY_free(wrong_eckey);
-  }
-  if (ecdsa_sig) {
-    ECDSA_SIG_free(ecdsa_sig);
-  }
-  if (signature) {
-    OPENSSL_free(signature);
-  }
-  if (raw_buf) {
-    OPENSSL_free(raw_buf);
-  }
-
-  return ret;
-}
-
-int main(void) {
-  int ret = 1;
-  BIO *out;
-
-  CRYPTO_library_init();
-  ERR_load_crypto_strings();
-
-  out = BIO_new_fp(stdout, BIO_NOCLOSE);
-
-  if (!test_builtin(out))
-    goto err;
-
-  ret = 0;
-
-err:
-  if (ret)
-    BIO_printf(out, "\nECDSA test failed\n");
-  else
-    BIO_printf(out, "\nPASS\n");
-  if (ret)
-    BIO_print_errors(out);
-
-  if (out != NULL)
-    BIO_free(out);
-
-  return ret;
-}
diff --git a/src/crypto/ecdsa/ecdsa_test.cc b/src/crypto/ecdsa/ecdsa_test.cc
new file mode 100644
index 0000000..a6bd7a1
--- /dev/null
+++ b/src/crypto/ecdsa/ecdsa_test.cc
@@ -0,0 +1,340 @@
+/* ====================================================================
+ * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com). */
+
+#include <openssl/ecdsa.h>
+
+#include <vector>
+
+#include <openssl/bn.h>
+#include <openssl/crypto.h>
+#include <openssl/ec.h>
+#include <openssl/err.h>
+#include <openssl/mem.h>
+#include <openssl/obj.h>
+#include <openssl/rand.h>
+
+#include "../test/scoped_types.h"
+#include "../test/stl_compat.h"
+
+enum Api {
+  kEncodedApi,
+  kRawApi,
+};
+
+// VerifyECDSASig returns true on success, false on failure.
+static bool VerifyECDSASig(Api api, const uint8_t *digest,
+                           size_t digest_len, const ECDSA_SIG *ecdsa_sig,
+                           EC_KEY *eckey, int expected_result) {
+  int actual_result;
+
+  switch (api) {
+    case kEncodedApi: {
+      int sig_len = i2d_ECDSA_SIG(ecdsa_sig, NULL);
+      if (sig_len <= 0) {
+        return false;
+      }
+      std::vector<uint8_t> signature(static_cast<size_t>(sig_len));
+      uint8_t *sig_ptr = bssl::vector_data(&signature);
+      sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr);
+      if (sig_len <= 0) {
+        return false;
+      }
+      actual_result = ECDSA_verify(0, digest, digest_len, bssl::vector_data(&signature),
+                                   signature.size(), eckey);
+      break;
+    }
+
+    case kRawApi:
+      actual_result = ECDSA_do_verify(digest, digest_len, ecdsa_sig, eckey);
+      break;
+
+    default:
+      return false;
+  }
+  return expected_result == actual_result;
+}
+
+// TestTamperedSig verifies that signature verification fails when a valid
+// signature is tampered with. |ecdsa_sig| must be a valid signature, which will
+// be modified. TestTamperedSig returns true on success, false on failure.
+static bool TestTamperedSig(FILE *out, Api api, const uint8_t *digest,
+                            size_t digest_len, ECDSA_SIG *ecdsa_sig,
+                            EC_KEY *eckey, const BIGNUM *order) {
+  // Modify a single byte of the signature: to ensure we don't
+  // garble the ASN1 structure, we read the raw signature and
+  // modify a byte in one of the bignums directly.
+
+  // Store the two BIGNUMs in raw_buf.
+  size_t r_len = BN_num_bytes(ecdsa_sig->r);
+  size_t s_len = BN_num_bytes(ecdsa_sig->s);
+  size_t bn_len = BN_num_bytes(order);
+  if (r_len > bn_len || s_len > bn_len) {
+    return false;
+  }
+  size_t buf_len = 2 * bn_len;
+  std::vector<uint8_t> raw_buf(buf_len);
+  // Pad the bignums with leading zeroes.
+  if (!BN_bn2bin_padded(bssl::vector_data(&raw_buf), bn_len, ecdsa_sig->r) ||
+      !BN_bn2bin_padded(bssl::vector_data(&raw_buf) + bn_len, bn_len,
+                        ecdsa_sig->s)) {
+    return false;
+  }
+
+  // Modify a single byte in the buffer.
+  size_t offset = raw_buf[10] % buf_len;
+  uint8_t dirt = raw_buf[11] ? raw_buf[11] : 1;
+  raw_buf[offset] ^= dirt;
+  // Now read the BIGNUMs back in from raw_buf.
+  if (BN_bin2bn(bssl::vector_data(&raw_buf), bn_len, ecdsa_sig->r) == NULL ||
+      BN_bin2bn(bssl::vector_data(&raw_buf) + bn_len, bn_len,
+                ecdsa_sig->s) == NULL ||
+      !VerifyECDSASig(api, digest, digest_len, ecdsa_sig, eckey, 0)) {
+    return false;
+  }
+
+  // Sanity check: Undo the modification and verify signature.
+  raw_buf[offset] ^= dirt;
+  if (BN_bin2bn(bssl::vector_data(&raw_buf), bn_len, ecdsa_sig->r) == NULL ||
+      BN_bin2bn(bssl::vector_data(&raw_buf) + bn_len, bn_len,
+                ecdsa_sig->s) == NULL ||
+      !VerifyECDSASig(api, digest, digest_len, ecdsa_sig, eckey, 1)) {
+    return false;
+  }
+
+  return true;
+}
+
+static bool TestBuiltin(FILE *out) {
+  // Fill digest values with some random data.
+  uint8_t digest[20], wrong_digest[20];
+  if (!RAND_bytes(digest, 20) || !RAND_bytes(wrong_digest, 20)) {
+    fprintf(out, "ERROR: unable to get random data\n");
+    return false;
+  }
+
+  static const struct {
+    int nid;
+    const char *name;
+  } kCurves[] = {
+      { NID_secp224r1, "secp224r1" },
+      { NID_X9_62_prime256v1, "secp256r1" },
+      { NID_secp384r1, "secp384r1" },
+      { NID_secp521r1, "secp521r1" },
+      { NID_undef, NULL }
+  };
+
+  // Create and verify ECDSA signatures with every available curve.
+  fputs("\ntesting ECDSA_sign(), ECDSA_verify(), ECDSA_do_sign(), and "
+        "ECDSA_do_verify() with some internal curves:\n", out);
+
+  for (size_t n = 0; kCurves[n].nid != NID_undef; n++) {
+    fprintf(out, "%s: ", kCurves[n].name);
+
+    int nid = kCurves[n].nid;
+    ScopedEC_GROUP group(EC_GROUP_new_by_curve_name(nid));
+    if (!group) {
+      fprintf(out, " failed\n");
+      return false;
+    }
+    ScopedBIGNUM order(BN_new());
+    if (!order || !EC_GROUP_get_order(group.get(), order.get(), NULL)) {
+      fprintf(out, " failed\n");
+      return false;
+    }
+    if (BN_num_bits(order.get()) < 160) {
+      // Too small to test.
+      fprintf(out, " skipped\n");
+      continue;
+    }
+
+    // Create a new ECDSA key.
+    ScopedEC_KEY eckey(EC_KEY_new());
+    if (!eckey || !EC_KEY_set_group(eckey.get(), group.get()) ||
+        !EC_KEY_generate_key(eckey.get())) {
+      fprintf(out, " failed\n");
+      return false;
+    }
+    // Create a second key.
+    ScopedEC_KEY wrong_eckey(EC_KEY_new());
+    if (!wrong_eckey || !EC_KEY_set_group(wrong_eckey.get(), group.get()) ||
+        !EC_KEY_generate_key(wrong_eckey.get())) {
+      fprintf(out, " failed\n");
+      return false;
+    }
+
+    fprintf(out, ".");
+    fflush(out);
+
+    // Check the key.
+    if (!EC_KEY_check_key(eckey.get())) {
+      fprintf(out, " failed\n");
+      return false;
+    }
+    fprintf(out, ".");
+    fflush(out);
+
+    // Test ASN.1-encoded signatures.
+    // Create a signature.
+    unsigned sig_len = ECDSA_size(eckey.get());
+    std::vector<uint8_t> signature(sig_len);
+    if (!ECDSA_sign(0, digest, 20, bssl::vector_data(&signature), &sig_len,
+                    eckey.get())) {
+      fprintf(out, " failed\n");
+      return false;
+    }
+    signature.resize(sig_len);
+    fprintf(out, ".");
+    fflush(out);
+    // Verify the signature.
+    if (!ECDSA_verify(0, digest, 20, bssl::vector_data(&signature),
+                      signature.size(), eckey.get())) {
+      fprintf(out, " failed\n");
+      return false;
+    }
+    fprintf(out, ".");
+    fflush(out);
+    // Verify the signature with the wrong key.
+    if (ECDSA_verify(0, digest, 20, bssl::vector_data(&signature),
+                     signature.size(), wrong_eckey.get())) {
+      fprintf(out, " failed\n");
+      return false;
+    }
+    fprintf(out, ".");
+    fflush(out);
+    // Verify the signature using the wrong digest.
+    if (ECDSA_verify(0, wrong_digest, 20, bssl::vector_data(&signature),
+                      signature.size(), eckey.get())) {
+      fprintf(out, " failed\n");
+      return false;
+    }
+    fprintf(out, ".");
+    fflush(out);
+    // Verify a truncated signature.
+    if (ECDSA_verify(0, digest, 20, bssl::vector_data(&signature),
+                      signature.size() - 1, eckey.get())) {
+      fprintf(out, " failed\n");
+      return false;
+    }
+    fprintf(out, ".");
+    fflush(out);
+    // Verify a tampered signature.
+    const uint8_t *sig_ptr = bssl::vector_data(&signature);
+    ScopedECDSA_SIG ecdsa_sig(d2i_ECDSA_SIG(NULL, &sig_ptr, signature.size()));
+    if (!ecdsa_sig ||
+        !TestTamperedSig(out, kEncodedApi, digest, 20, ecdsa_sig.get(),
+                         eckey.get(), order.get())) {
+      fprintf(out, " failed\n");
+      return false;
+    }
+    fprintf(out, ".");
+    fflush(out);
+
+    // Test ECDSA_SIG signing and verification.
+    // Create a signature.
+    ecdsa_sig.reset(ECDSA_do_sign(digest, 20, eckey.get()));
+    if (!ecdsa_sig) {
+      fprintf(out, " failed\n");
+      return false;
+    }
+    fprintf(out, ".");
+    fflush(out);
+    // Verify the signature using the correct key.
+    if (!ECDSA_do_verify(digest, 20, ecdsa_sig.get(), eckey.get())) {
+      fprintf(out, " failed\n");
+      return false;
+    }
+    fprintf(out, ".");
+    fflush(out);
+    // Verify the signature with the wrong key.
+    if (ECDSA_do_verify(digest, 20, ecdsa_sig.get(), wrong_eckey.get())) {
+      fprintf(out, " failed\n");
+      return false;
+    }
+    fprintf(out, ".");
+    fflush(out);
+    // Verify the signature using the wrong digest.
+    if (ECDSA_do_verify(wrong_digest, 20, ecdsa_sig.get(), eckey.get())) {
+      fprintf(out, " failed\n");
+      return false;
+    }
+    fprintf(out, ".");
+    fflush(out);
+    // Verify a tampered signature.
+    if (!TestTamperedSig(out, kRawApi, digest, 20, ecdsa_sig.get(), eckey.get(),
+                         order.get())) {
+      fprintf(out, " failed\n");
+      return false;
+    }
+    fprintf(out, ".");
+    fflush(out);
+
+    fprintf(out, " ok\n");
+    // Clear bogus errors.
+    ERR_clear_error();
+  }
+
+  return true;
+}
+
+int main(void) {
+  CRYPTO_library_init();
+  ERR_load_crypto_strings();
+
+  if (!TestBuiltin(stdout)) {
+    printf("\nECDSA test failed\n");
+    ERR_print_errors_fp(stdout);
+    return 1;
+  }
+
+  printf("\nPASS\n");
+  return 0;
+}
diff --git a/src/crypto/engine/CMakeLists.txt b/src/crypto/engine/CMakeLists.txt
index cea6566..e03650e 100644
--- a/src/crypto/engine/CMakeLists.txt
+++ b/src/crypto/engine/CMakeLists.txt
@@ -6,5 +6,4 @@ add_library(
   OBJECT
 
   engine.c
-  engine_error.c
 )
diff --git a/src/crypto/engine/engine.c b/src/crypto/engine/engine.c
index 5b8cf1c..6c3300d 100644
--- a/src/crypto/engine/engine.c
+++ b/src/crypto/engine/engine.c
@@ -15,6 +15,7 @@
 #include <openssl/engine.h>
 
 #include <string.h>
+#include <assert.h>
 
 #include <openssl/dh.h>
 #include <openssl/dsa.h>
@@ -43,33 +44,23 @@ ENGINE *ENGINE_new(void) {
 }
 
 void ENGINE_free(ENGINE *engine) {
-  if (engine->dh_method != NULL) {
-    METHOD_unref(engine->dh_method);
-  }
-
+  /* Methods are currently required to be static so are not unref'ed. */
   OPENSSL_free(engine);
 }
 
 /* set_method takes a pointer to a method and its given size and sets
- * |*out_member| to point to a copy of it. The copy is |compiled_size| bytes
- * long and has zero padding if needed. */
+ * |*out_member| to point to it. This function might want to be extended in the
+ * future to support making a copy of the method so that a stable ABI for
+ * ENGINEs can be supported. But, for the moment, all *_METHODS must be
+ * static. */
 static int set_method(void **out_member, const void *method, size_t method_size,
                       size_t compiled_size) {
-  void *copy = OPENSSL_malloc(compiled_size);
-  if (copy == NULL) {
+  const struct openssl_method_common_st *common = method;
+  if (method_size != compiled_size || !common->is_static) {
     return 0;
   }
 
-  memset(copy, 0, compiled_size);
-
-  if (method_size > compiled_size) {
-    method_size = compiled_size;
-  }
-  memcpy(copy, method, method_size);
-
-  METHOD_unref(*out_member);
-  *out_member = copy;
-
+  *out_member = (void*) method;
   return 1;
 }
 
@@ -114,25 +105,16 @@ ECDSA_METHOD *ENGINE_get_ECDSA_method(const ENGINE *engine) {
 }
 
 void METHOD_ref(void *method_in) {
-  struct openssl_method_common_st *method = method_in;
-
-  if (method->is_static) {
-    return;
-  }
-
-  CRYPTO_add(&method->references, 1, CRYPTO_LOCK_ENGINE);
+  assert(((struct openssl_method_common_st*) method_in)->is_static);
 }
 
 void METHOD_unref(void *method_in) {
   struct openssl_method_common_st *method = method_in;
 
-  if (method == NULL || method->is_static) {
+  if (method == NULL) {
     return;
   }
-
-  if (CRYPTO_add(&method->references, -1, CRYPTO_LOCK_ENGINE) == 0) {
-    OPENSSL_free(method);
-  }
+  assert(method->is_static);
 }
 
 OPENSSL_DECLARE_ERROR_REASON(ENGINE, OPERATION_NOT_SUPPORTED);
diff --git a/src/crypto/engine/engine_error.c b/src/crypto/engine/engine_error.c
deleted file mode 100644
index 9f65f70..0000000
--- a/src/crypto/engine/engine_error.c
+++ /dev/null
@@ -1,22 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/engine.h>
-
-const ERR_STRING_DATA ENGINE_error_string_data[] = {
-  {ERR_PACK(ERR_LIB_ENGINE, 0, ENGINE_R_OPERATION_NOT_SUPPORTED), "OPERATION_NOT_SUPPORTED"},
-  {0, NULL},
-};
diff --git a/src/crypto/err/CMakeLists.txt b/src/crypto/err/CMakeLists.txt
index 53dccea..89f96bd 100644
--- a/src/crypto/err/CMakeLists.txt
+++ b/src/crypto/err/CMakeLists.txt
@@ -1,18 +1,49 @@
 include_directories(. .. ../../include)
 
+add_custom_command(
+  OUTPUT err_data.c
+  COMMAND ${GO_EXECUTABLE} run err_data_generate.go > ${CMAKE_CURRENT_BINARY_DIR}/err_data.c
+  DEPENDS
+  err_data_generate.go
+  asn1.errordata
+  bio.errordata
+  bn.errordata
+  buf.errordata
+  cipher.errordata
+  conf.errordata
+  crypto.errordata
+  dh.errordata
+  digest.errordata
+  dsa.errordata
+  ecdh.errordata
+  ecdsa.errordata
+  ec.errordata
+  engine.errordata
+  evp.errordata
+  hkdf.errordata
+  obj.errordata
+  pem.errordata
+  pkcs8.errordata
+  rsa.errordata
+  ssl.errordata
+  x509.errordata
+  x509v3.errordata
+  WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}
+)
+
 add_library(
   err
 
   OBJECT
 
   err.c
-  err_impl.c
+  err_data.c
 )
 
 add_executable(
   err_test
 
-  err_test.c
+  err_test.cc
 )
 
 target_link_libraries(err_test crypto)
diff --git a/src/crypto/err/asn1.errordata b/src/crypto/err/asn1.errordata
new file mode 100644
index 0000000..44b9c73
--- /dev/null
+++ b/src/crypto/err/asn1.errordata
@@ -0,0 +1,152 @@
+ASN1,function,100,ASN1_BIT_STRING_set_bit
+ASN1,function,101,ASN1_ENUMERATED_set
+ASN1,function,102,ASN1_ENUMERATED_to_BN
+ASN1,function,103,ASN1_GENERALIZEDTIME_adj
+ASN1,function,104,ASN1_INTEGER_set
+ASN1,function,105,ASN1_INTEGER_to_BN
+ASN1,function,106,ASN1_OBJECT_new
+ASN1,function,107,ASN1_PCTX_new
+ASN1,function,108,ASN1_STRING_TABLE_add
+ASN1,function,109,ASN1_STRING_set
+ASN1,function,110,ASN1_STRING_type_new
+ASN1,function,111,ASN1_TIME_adj
+ASN1,function,112,ASN1_UTCTIME_adj
+ASN1,function,113,ASN1_d2i_fp
+ASN1,function,114,ASN1_dup
+ASN1,function,115,ASN1_generate_v3
+ASN1,function,116,ASN1_get_object
+ASN1,function,117,ASN1_i2d_bio
+ASN1,function,118,ASN1_i2d_fp
+ASN1,function,119,ASN1_item_d2i_fp
+ASN1,function,120,ASN1_item_dup
+ASN1,function,121,ASN1_item_ex_d2i
+ASN1,function,122,ASN1_item_i2d_bio
+ASN1,function,123,ASN1_item_i2d_fp
+ASN1,function,124,ASN1_item_pack
+ASN1,function,125,ASN1_item_unpack
+ASN1,function,126,ASN1_mbstring_ncopy
+ASN1,function,127,ASN1_template_new
+ASN1,function,128,BIO_new_NDEF
+ASN1,function,129,BN_to_ASN1_ENUMERATED
+ASN1,function,130,BN_to_ASN1_INTEGER
+ASN1,function,131,a2d_ASN1_OBJECT
+ASN1,function,132,a2i_ASN1_ENUMERATED
+ASN1,function,133,a2i_ASN1_INTEGER
+ASN1,function,134,a2i_ASN1_STRING
+ASN1,function,135,append_exp
+ASN1,function,136,asn1_cb
+ASN1,function,137,asn1_check_tlen
+ASN1,function,138,asn1_collate_primitive
+ASN1,function,139,asn1_collect
+ASN1,function,140,asn1_d2i_ex_primitive
+ASN1,function,141,asn1_d2i_read_bio
+ASN1,function,142,asn1_do_adb
+ASN1,function,143,asn1_ex_c2i
+ASN1,function,144,asn1_find_end
+ASN1,function,145,asn1_item_ex_combine_new
+ASN1,function,146,asn1_str2type
+ASN1,function,147,asn1_template_ex_d2i
+ASN1,function,148,asn1_template_noexp_d2i
+ASN1,function,149,bitstr_cb
+ASN1,function,150,c2i_ASN1_BIT_STRING
+ASN1,function,151,c2i_ASN1_INTEGER
+ASN1,function,152,c2i_ASN1_OBJECT
+ASN1,function,153,collect_data
+ASN1,function,154,d2i_ASN1_BOOLEAN
+ASN1,function,155,d2i_ASN1_OBJECT
+ASN1,function,156,d2i_ASN1_UINTEGER
+ASN1,function,157,d2i_ASN1_UTCTIME
+ASN1,function,158,d2i_ASN1_bytes
+ASN1,function,159,d2i_ASN1_type_bytes
+ASN1,function,160,i2d_ASN1_TIME
+ASN1,function,161,i2d_PrivateKey
+ASN1,function,162,long_c2i
+ASN1,function,163,parse_tagging
+ASN1,reason,100,ASN1_LENGTH_MISMATCH
+ASN1,reason,101,AUX_ERROR
+ASN1,reason,102,BAD_GET_ASN1_OBJECT_CALL
+ASN1,reason,103,BAD_OBJECT_HEADER
+ASN1,reason,104,BMPSTRING_IS_WRONG_LENGTH
+ASN1,reason,105,BN_LIB
+ASN1,reason,106,BOOLEAN_IS_WRONG_LENGTH
+ASN1,reason,107,BUFFER_TOO_SMALL
+ASN1,reason,108,DECODE_ERROR
+ASN1,reason,109,DEPTH_EXCEEDED
+ASN1,reason,110,ENCODE_ERROR
+ASN1,reason,111,ERROR_GETTING_TIME
+ASN1,reason,112,EXPECTING_AN_ASN1_SEQUENCE
+ASN1,reason,113,EXPECTING_AN_INTEGER
+ASN1,reason,114,EXPECTING_AN_OBJECT
+ASN1,reason,115,EXPECTING_A_BOOLEAN
+ASN1,reason,116,EXPECTING_A_TIME
+ASN1,reason,117,EXPLICIT_LENGTH_MISMATCH
+ASN1,reason,118,EXPLICIT_TAG_NOT_CONSTRUCTED
+ASN1,reason,119,FIELD_MISSING
+ASN1,reason,120,FIRST_NUM_TOO_LARGE
+ASN1,reason,121,HEADER_TOO_LONG
+ASN1,reason,122,ILLEGAL_BITSTRING_FORMAT
+ASN1,reason,123,ILLEGAL_BOOLEAN
+ASN1,reason,124,ILLEGAL_CHARACTERS
+ASN1,reason,125,ILLEGAL_FORMAT
+ASN1,reason,126,ILLEGAL_HEX
+ASN1,reason,127,ILLEGAL_IMPLICIT_TAG
+ASN1,reason,128,ILLEGAL_INTEGER
+ASN1,reason,129,ILLEGAL_NESTED_TAGGING
+ASN1,reason,130,ILLEGAL_NULL
+ASN1,reason,131,ILLEGAL_NULL_VALUE
+ASN1,reason,132,ILLEGAL_OBJECT
+ASN1,reason,133,ILLEGAL_OPTIONAL_ANY
+ASN1,reason,134,ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE
+ASN1,reason,135,ILLEGAL_TAGGED_ANY
+ASN1,reason,136,ILLEGAL_TIME_VALUE
+ASN1,reason,137,INTEGER_NOT_ASCII_FORMAT
+ASN1,reason,138,INTEGER_TOO_LARGE_FOR_LONG
+ASN1,reason,139,INVALID_BIT_STRING_BITS_LEFT
+ASN1,reason,140,INVALID_BMPSTRING_LENGTH
+ASN1,reason,141,INVALID_DIGIT
+ASN1,reason,142,INVALID_MODIFIER
+ASN1,reason,143,INVALID_NUMBER
+ASN1,reason,144,INVALID_OBJECT_ENCODING
+ASN1,reason,145,INVALID_SEPARATOR
+ASN1,reason,146,INVALID_TIME_FORMAT
+ASN1,reason,147,INVALID_UNIVERSALSTRING_LENGTH
+ASN1,reason,148,INVALID_UTF8STRING
+ASN1,reason,149,LIST_ERROR
+ASN1,reason,150,MALLOC_FAILURE
+ASN1,reason,151,MISSING_ASN1_EOS
+ASN1,reason,152,MISSING_EOC
+ASN1,reason,153,MISSING_SECOND_NUMBER
+ASN1,reason,154,MISSING_VALUE
+ASN1,reason,155,MSTRING_NOT_UNIVERSAL
+ASN1,reason,156,MSTRING_WRONG_TAG
+ASN1,reason,157,NESTED_ASN1_ERROR
+ASN1,reason,158,NESTED_ASN1_STRING
+ASN1,reason,159,NON_HEX_CHARACTERS
+ASN1,reason,160,NOT_ASCII_FORMAT
+ASN1,reason,161,NOT_ENOUGH_DATA
+ASN1,reason,162,NO_MATCHING_CHOICE_TYPE
+ASN1,reason,163,NULL_IS_WRONG_LENGTH
+ASN1,reason,164,OBJECT_NOT_ASCII_FORMAT
+ASN1,reason,165,ODD_NUMBER_OF_CHARS
+ASN1,reason,166,SECOND_NUMBER_TOO_LARGE
+ASN1,reason,167,SEQUENCE_LENGTH_MISMATCH
+ASN1,reason,168,SEQUENCE_NOT_CONSTRUCTED
+ASN1,reason,169,SEQUENCE_OR_SET_NEEDS_CONFIG
+ASN1,reason,170,SHORT_LINE
+ASN1,reason,171,STREAMING_NOT_SUPPORTED
+ASN1,reason,172,STRING_TOO_LONG
+ASN1,reason,173,STRING_TOO_SHORT
+ASN1,reason,174,TAG_VALUE_TOO_HIGH
+ASN1,reason,175,TIME_NOT_ASCII_FORMAT
+ASN1,reason,176,TOO_LONG
+ASN1,reason,177,TYPE_NOT_CONSTRUCTED
+ASN1,reason,178,TYPE_NOT_PRIMITIVE
+ASN1,reason,179,UNEXPECTED_EOC
+ASN1,reason,180,UNIVERSALSTRING_IS_WRONG_LENGTH
+ASN1,reason,181,UNKNOWN_FORMAT
+ASN1,reason,182,UNKNOWN_TAG
+ASN1,reason,183,UNSUPPORTED_ANY_DEFINED_BY_TYPE
+ASN1,reason,184,UNSUPPORTED_PUBLIC_KEY_TYPE
+ASN1,reason,185,UNSUPPORTED_TYPE
+ASN1,reason,186,WRONG_TAG
+ASN1,reason,187,WRONG_TYPE
diff --git a/src/crypto/err/bio.errordata b/src/crypto/err/bio.errordata
new file mode 100644
index 0000000..cd7286a
--- /dev/null
+++ b/src/crypto/err/bio.errordata
@@ -0,0 +1,35 @@
+BIO,function,100,BIO_callback_ctrl
+BIO,function,101,BIO_ctrl
+BIO,function,102,BIO_new
+BIO,function,103,BIO_new_file
+BIO,function,104,BIO_new_mem_buf
+BIO,function,105,BIO_zero_copy_get_read_buf
+BIO,function,106,BIO_zero_copy_get_read_buf_done
+BIO,function,107,BIO_zero_copy_get_write_buf
+BIO,function,108,BIO_zero_copy_get_write_buf_done
+BIO,function,109,bio_io
+BIO,function,110,bio_make_pair
+BIO,function,111,bio_write
+BIO,function,112,buffer_ctrl
+BIO,function,113,conn_ctrl
+BIO,function,114,conn_state
+BIO,function,115,file_ctrl
+BIO,function,116,file_read
+BIO,function,117,mem_write
+BIO,reason,100,BAD_FOPEN_MODE
+BIO,reason,101,BROKEN_PIPE
+BIO,reason,102,CONNECT_ERROR
+BIO,reason,103,ERROR_SETTING_NBIO
+BIO,reason,104,INVALID_ARGUMENT
+BIO,reason,105,IN_USE
+BIO,reason,106,KEEPALIVE
+BIO,reason,107,NBIO_CONNECT_ERROR
+BIO,reason,108,NO_HOSTNAME_SPECIFIED
+BIO,reason,109,NO_PORT_SPECIFIED
+BIO,reason,110,NO_SUCH_FILE
+BIO,reason,111,NULL_PARAMETER
+BIO,reason,112,SYS_LIB
+BIO,reason,113,UNABLE_TO_CREATE_SOCKET
+BIO,reason,114,UNINITIALIZED
+BIO,reason,115,UNSUPPORTED_METHOD
+BIO,reason,116,WRITE_TO_READ_ONLY_BIO
diff --git a/src/crypto/err/bn.errordata b/src/crypto/err/bn.errordata
new file mode 100644
index 0000000..ab74073
--- /dev/null
+++ b/src/crypto/err/bn.errordata
@@ -0,0 +1,42 @@
+BN,function,100,BN_CTX_get
+BN,function,101,BN_CTX_new
+BN,function,102,BN_CTX_start
+BN,function,103,BN_bn2dec
+BN,function,104,BN_bn2hex
+BN,function,105,BN_div
+BN,function,106,BN_div_recp
+BN,function,107,BN_exp
+BN,function,108,BN_generate_dsa_nonce
+BN,function,109,BN_generate_prime_ex
+BN,function,110,BN_mod_exp2_mont
+BN,function,111,BN_mod_exp_mont
+BN,function,112,BN_mod_exp_mont_consttime
+BN,function,113,BN_mod_exp_mont_word
+BN,function,114,BN_mod_inverse
+BN,function,115,BN_mod_inverse_no_branch
+BN,function,116,BN_mod_lshift_quick
+BN,function,117,BN_mod_sqrt
+BN,function,118,BN_new
+BN,function,119,BN_rand
+BN,function,120,BN_rand_range
+BN,function,121,BN_sqrt
+BN,function,122,BN_usub
+BN,function,123,bn_wexpand
+BN,function,124,mod_exp_recp
+BN,reason,100,ARG2_LT_ARG3
+BN,reason,101,BAD_RECIPROCAL
+BN,reason,102,BIGNUM_TOO_LONG
+BN,reason,103,BITS_TOO_SMALL
+BN,reason,104,CALLED_WITH_EVEN_MODULUS
+BN,reason,105,DIV_BY_ZERO
+BN,reason,106,EXPAND_ON_STATIC_BIGNUM_DATA
+BN,reason,107,INPUT_NOT_REDUCED
+BN,reason,108,INVALID_RANGE
+BN,reason,109,NEGATIVE_NUMBER
+BN,reason,110,NOT_A_SQUARE
+BN,reason,111,NOT_INITIALIZED
+BN,reason,112,NO_INVERSE
+BN,reason,113,PRIVATE_KEY_TOO_LARGE
+BN,reason,114,P_IS_NOT_PRIME
+BN,reason,115,TOO_MANY_ITERATIONS
+BN,reason,116,TOO_MANY_TEMPORARY_VARIABLES
diff --git a/src/crypto/err/buf.errordata b/src/crypto/err/buf.errordata
new file mode 100644
index 0000000..01b6c9a
--- /dev/null
+++ b/src/crypto/err/buf.errordata
@@ -0,0 +1,4 @@
+BUF,function,100,BUF_MEM_new
+BUF,function,101,BUF_memdup
+BUF,function,102,BUF_strndup
+BUF,function,103,buf_mem_grow
diff --git a/src/crypto/err/cipher.errordata b/src/crypto/err/cipher.errordata
new file mode 100644
index 0000000..ce8459b
--- /dev/null
+++ b/src/crypto/err/cipher.errordata
@@ -0,0 +1,60 @@
+CIPHER,function,100,EVP_AEAD_CTX_init
+CIPHER,function,131,EVP_AEAD_CTX_init_with_direction
+CIPHER,function,101,EVP_AEAD_CTX_open
+CIPHER,function,102,EVP_AEAD_CTX_seal
+CIPHER,function,103,EVP_CIPHER_CTX_copy
+CIPHER,function,104,EVP_CIPHER_CTX_ctrl
+CIPHER,function,105,EVP_CIPHER_CTX_set_key_length
+CIPHER,function,106,EVP_CipherInit_ex
+CIPHER,function,107,EVP_DecryptFinal_ex
+CIPHER,function,108,EVP_EncryptFinal_ex
+CIPHER,function,132,aead_aes_ctr_hmac_sha256_init
+CIPHER,function,133,aead_aes_ctr_hmac_sha256_open
+CIPHER,function,134,aead_aes_ctr_hmac_sha256_seal
+CIPHER,function,109,aead_aes_gcm_init
+CIPHER,function,110,aead_aes_gcm_open
+CIPHER,function,111,aead_aes_gcm_seal
+CIPHER,function,112,aead_aes_key_wrap_init
+CIPHER,function,113,aead_aes_key_wrap_open
+CIPHER,function,114,aead_aes_key_wrap_seal
+CIPHER,function,115,aead_chacha20_poly1305_init
+CIPHER,function,116,aead_chacha20_poly1305_open
+CIPHER,function,117,aead_chacha20_poly1305_seal
+CIPHER,function,118,aead_rc4_md5_tls_init
+CIPHER,function,119,aead_rc4_md5_tls_open
+CIPHER,function,120,aead_rc4_md5_tls_seal
+CIPHER,function,121,aead_ssl3_ensure_cipher_init
+CIPHER,function,122,aead_ssl3_init
+CIPHER,function,123,aead_ssl3_open
+CIPHER,function,124,aead_ssl3_seal
+CIPHER,function,125,aead_tls_ensure_cipher_init
+CIPHER,function,126,aead_tls_init
+CIPHER,function,127,aead_tls_open
+CIPHER,function,128,aead_tls_seal
+CIPHER,function,129,aes_init_key
+CIPHER,function,130,aesni_init_key
+CIPHER,reason,100,AES_KEY_SETUP_FAILED
+CIPHER,reason,101,BAD_DECRYPT
+CIPHER,reason,102,BAD_KEY_LENGTH
+CIPHER,reason,103,BUFFER_TOO_SMALL
+CIPHER,reason,104,CTRL_NOT_IMPLEMENTED
+CIPHER,reason,105,CTRL_OPERATION_NOT_IMPLEMENTED
+CIPHER,reason,106,DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH
+CIPHER,reason,107,INITIALIZATION_ERROR
+CIPHER,reason,108,INPUT_NOT_INITIALIZED
+CIPHER,reason,109,INVALID_AD_SIZE
+CIPHER,reason,110,INVALID_KEY_LENGTH
+CIPHER,reason,111,INVALID_NONCE_SIZE
+CIPHER,reason,112,INVALID_OPERATION
+CIPHER,reason,113,IV_TOO_LARGE
+CIPHER,reason,114,NO_CIPHER_SET
+CIPHER,reason,124,NO_DIRECTION_SET
+CIPHER,reason,115,OUTPUT_ALIASES_INPUT
+CIPHER,reason,116,TAG_TOO_LARGE
+CIPHER,reason,117,TOO_LARGE
+CIPHER,reason,118,UNSUPPORTED_AD_SIZE
+CIPHER,reason,119,UNSUPPORTED_INPUT_SIZE
+CIPHER,reason,120,UNSUPPORTED_KEY_SIZE
+CIPHER,reason,121,UNSUPPORTED_NONCE_SIZE
+CIPHER,reason,122,UNSUPPORTED_TAG_SIZE
+CIPHER,reason,123,WRONG_FINAL_BLOCK_LENGTH
diff --git a/src/crypto/err/conf.errordata b/src/crypto/err/conf.errordata
new file mode 100644
index 0000000..0b96a32
--- /dev/null
+++ b/src/crypto/err/conf.errordata
@@ -0,0 +1,10 @@
+CONF,function,100,CONF_parse_list
+CONF,function,101,NCONF_load
+CONF,function,102,def_load_bio
+CONF,function,103,str_copy
+CONF,reason,100,LIST_CANNOT_BE_NULL
+CONF,reason,101,MISSING_CLOSE_SQUARE_BRACKET
+CONF,reason,102,MISSING_EQUAL_SIGN
+CONF,reason,103,NO_CLOSE_BRACE
+CONF,reason,104,UNABLE_TO_CREATE_NEW_SECTION
+CONF,reason,105,VARIABLE_HAS_NO_VALUE
diff --git a/src/crypto/err/crypto.errordata b/src/crypto/err/crypto.errordata
new file mode 100644
index 0000000..1e0e9d5
--- /dev/null
+++ b/src/crypto/err/crypto.errordata
@@ -0,0 +1,4 @@
+CRYPTO,function,100,CRYPTO_get_ex_new_index
+CRYPTO,function,101,CRYPTO_set_ex_data
+CRYPTO,function,102,get_class
+CRYPTO,function,103,get_func_pointers
diff --git a/src/crypto/err/dh.errordata b/src/crypto/err/dh.errordata
new file mode 100644
index 0000000..1fd675b
--- /dev/null
+++ b/src/crypto/err/dh.errordata
@@ -0,0 +1,8 @@
+DH,function,100,DH_new_method
+DH,function,101,compute_key
+DH,function,102,generate_key
+DH,function,103,generate_parameters
+DH,reason,100,BAD_GENERATOR
+DH,reason,101,INVALID_PUBKEY
+DH,reason,102,MODULUS_TOO_LARGE
+DH,reason,103,NO_PRIVATE_VALUE
diff --git a/src/crypto/err/digest.errordata b/src/crypto/err/digest.errordata
new file mode 100644
index 0000000..95a3622
--- /dev/null
+++ b/src/crypto/err/digest.errordata
@@ -0,0 +1,3 @@
+DIGEST,function,100,EVP_DigestInit_ex
+DIGEST,function,101,EVP_MD_CTX_copy_ex
+DIGEST,reason,100,INPUT_NOT_INITIALIZED
diff --git a/src/crypto/err/dsa.errordata b/src/crypto/err/dsa.errordata
new file mode 100644
index 0000000..c2dff23
--- /dev/null
+++ b/src/crypto/err/dsa.errordata
@@ -0,0 +1,9 @@
+DSA,function,100,DSA_new_method
+DSA,function,101,dsa_sig_cb
+DSA,function,102,sign
+DSA,function,103,sign_setup
+DSA,function,104,verify
+DSA,reason,100,BAD_Q_VALUE
+DSA,reason,101,MISSING_PARAMETERS
+DSA,reason,102,MODULUS_TOO_LARGE
+DSA,reason,103,NEED_NEW_SETUP_VALUES
diff --git a/src/crypto/err/ec.errordata b/src/crypto/err/ec.errordata
new file mode 100644
index 0000000..3b815c8
--- /dev/null
+++ b/src/crypto/err/ec.errordata
@@ -0,0 +1,93 @@
+EC,function,159,BN_to_felem
+EC,function,100,EC_GROUP_copy
+EC,function,101,EC_GROUP_get_curve_GFp
+EC,function,102,EC_GROUP_get_degree
+EC,function,103,EC_GROUP_new_by_curve_name
+EC,function,104,EC_KEY_check_key
+EC,function,105,EC_KEY_copy
+EC,function,106,EC_KEY_generate_key
+EC,function,107,EC_KEY_new_method
+EC,function,108,EC_KEY_set_public_key_affine_coordinates
+EC,function,109,EC_POINT_add
+EC,function,110,EC_POINT_cmp
+EC,function,111,EC_POINT_copy
+EC,function,112,EC_POINT_dbl
+EC,function,113,EC_POINT_dup
+EC,function,114,EC_POINT_get_affine_coordinates_GFp
+EC,function,115,EC_POINT_invert
+EC,function,116,EC_POINT_is_at_infinity
+EC,function,117,EC_POINT_is_on_curve
+EC,function,118,EC_POINT_make_affine
+EC,function,119,EC_POINT_new
+EC,function,120,EC_POINT_oct2point
+EC,function,121,EC_POINT_point2oct
+EC,function,122,EC_POINT_set_affine_coordinates_GFp
+EC,function,123,EC_POINT_set_compressed_coordinates_GFp
+EC,function,124,EC_POINT_set_to_infinity
+EC,function,125,EC_POINTs_make_affine
+EC,function,126,compute_wNAF
+EC,function,127,d2i_ECPKParameters
+EC,function,128,d2i_ECParameters
+EC,function,129,d2i_ECPrivateKey
+EC,function,130,ec_GFp_mont_field_decode
+EC,function,131,ec_GFp_mont_field_encode
+EC,function,132,ec_GFp_mont_field_mul
+EC,function,133,ec_GFp_mont_field_set_to_one
+EC,function,134,ec_GFp_mont_field_sqr
+EC,function,135,ec_GFp_mont_group_set_curve
+EC,function,160,ec_GFp_nistp256_group_set_curve
+EC,function,161,ec_GFp_nistp256_point_get_affine_coordinates
+EC,function,162,ec_GFp_nistp256_points_mul
+EC,function,136,ec_GFp_simple_group_check_discriminant
+EC,function,137,ec_GFp_simple_group_set_curve
+EC,function,138,ec_GFp_simple_make_affine
+EC,function,139,ec_GFp_simple_oct2point
+EC,function,140,ec_GFp_simple_point2oct
+EC,function,141,ec_GFp_simple_point_get_affine_coordinates
+EC,function,142,ec_GFp_simple_point_set_affine_coordinates
+EC,function,143,ec_GFp_simple_points_make_affine
+EC,function,144,ec_GFp_simple_set_compressed_coordinates
+EC,function,145,ec_asn1_group2pkparameters
+EC,function,146,ec_asn1_pkparameters2group
+EC,function,163,ec_group_copy
+EC,function,147,ec_group_new
+EC,function,148,ec_group_new_curve_GFp
+EC,function,149,ec_group_new_from_data
+EC,function,150,ec_point_set_Jprojective_coordinates_GFp
+EC,function,151,ec_pre_comp_new
+EC,function,152,ec_wNAF_mul
+EC,function,153,ec_wNAF_precompute_mult
+EC,function,154,i2d_ECPKParameters
+EC,function,155,i2d_ECParameters
+EC,function,156,i2d_ECPrivateKey
+EC,function,157,i2o_ECPublicKey
+EC,function,164,nistp256_pre_comp_new
+EC,function,158,o2i_ECPublicKey
+EC,reason,126,BIGNUM_OUT_OF_RANGE
+EC,reason,100,BUFFER_TOO_SMALL
+EC,reason,101,COORDINATES_OUT_OF_RANGE
+EC,reason,102,D2I_ECPKPARAMETERS_FAILURE
+EC,reason,103,EC_GROUP_NEW_BY_NAME_FAILURE
+EC,reason,104,GROUP2PKPARAMETERS_FAILURE
+EC,reason,105,I2D_ECPKPARAMETERS_FAILURE
+EC,reason,106,INCOMPATIBLE_OBJECTS
+EC,reason,107,INVALID_COMPRESSED_POINT
+EC,reason,108,INVALID_COMPRESSION_BIT
+EC,reason,109,INVALID_ENCODING
+EC,reason,110,INVALID_FIELD
+EC,reason,111,INVALID_FORM
+EC,reason,112,INVALID_GROUP_ORDER
+EC,reason,113,INVALID_PRIVATE_KEY
+EC,reason,114,MISSING_PARAMETERS
+EC,reason,115,MISSING_PRIVATE_KEY
+EC,reason,116,NON_NAMED_CURVE
+EC,reason,117,NOT_INITIALIZED
+EC,reason,118,PKPARAMETERS2GROUP_FAILURE
+EC,reason,119,POINT_AT_INFINITY
+EC,reason,120,POINT_IS_NOT_ON_CURVE
+EC,reason,121,SLOT_FULL
+EC,reason,122,UNDEFINED_GENERATOR
+EC,reason,123,UNKNOWN_GROUP
+EC,reason,124,UNKNOWN_ORDER
+EC,reason,127,WRONG_CURVE_PARAMETERS
+EC,reason,125,WRONG_ORDER
diff --git a/src/crypto/err/ecdh.errordata b/src/crypto/err/ecdh.errordata
new file mode 100644
index 0000000..0f1215e
--- /dev/null
+++ b/src/crypto/err/ecdh.errordata
@@ -0,0 +1,4 @@
+ECDH,function,100,ECDH_compute_key
+ECDH,reason,100,KDF_FAILED
+ECDH,reason,101,NO_PRIVATE_VALUE
+ECDH,reason,102,POINT_ARITHMETIC_FAILURE
diff --git a/src/crypto/err/ecdsa.errordata b/src/crypto/err/ecdsa.errordata
new file mode 100644
index 0000000..97c213e
--- /dev/null
+++ b/src/crypto/err/ecdsa.errordata
@@ -0,0 +1,10 @@
+ECDSA,function,100,ECDSA_do_sign_ex
+ECDSA,function,101,ECDSA_do_verify
+ECDSA,function,102,ECDSA_sign_ex
+ECDSA,function,103,digest_to_bn
+ECDSA,function,104,ecdsa_sign_setup
+ECDSA,reason,100,BAD_SIGNATURE
+ECDSA,reason,101,MISSING_PARAMETERS
+ECDSA,reason,102,NEED_NEW_SETUP_VALUES
+ECDSA,reason,103,NOT_IMPLEMENTED
+ECDSA,reason,104,RANDOM_NUMBER_GENERATION_FAILED
diff --git a/src/crypto/err/engine.errordata b/src/crypto/err/engine.errordata
new file mode 100644
index 0000000..1185e88
--- /dev/null
+++ b/src/crypto/err/engine.errordata
@@ -0,0 +1 @@
+ENGINE,reason,100,OPERATION_NOT_SUPPORTED
diff --git a/src/crypto/err/err.c b/src/crypto/err/err.c
index 55b1363..b879a22 100644
--- a/src/crypto/err/err.c
+++ b/src/crypto/err/err.c
@@ -111,8 +111,6 @@
 #include <assert.h>
 #include <errno.h>
 #include <inttypes.h>
-#include <stdarg.h>
-#include <stdio.h>
 #include <string.h>
 
 #if defined(OPENSSL_WINDOWS)
@@ -121,37 +119,23 @@
 #pragma warning(pop)
 #endif
 
-#include <openssl/lhash.h>
 #include <openssl/mem.h>
 #include <openssl/thread.h>
 
+#include "../internal.h"
 
-/* err_fns contains a pointer to the current error implementation. */
-static const struct ERR_FNS_st *err_fns = NULL;
-extern const struct ERR_FNS_st openssl_err_default_impl;
 
-#define ERRFN(a) err_fns->a
+extern const uint32_t kOpenSSLFunctionValues[];
+extern const size_t kOpenSSLFunctionValuesLen;
+extern const char kOpenSSLFunctionStringData[];
 
-/* err_fns_check is an internal function that checks whether "err_fns" is set
- * and if not, sets it to the default. */
-static void err_fns_check(void) {
-  /* In practice, this is not a race problem because loading the error strings
-   * at init time will cause this pointer to be set before the process goes
-   * multithreaded. */
-  if (err_fns) {
-    return;
-  }
-
-  CRYPTO_w_lock(CRYPTO_LOCK_ERR);
-  if (!err_fns) {
-    err_fns = &openssl_err_default_impl;
-  }
-  CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
-}
+extern const uint32_t kOpenSSLReasonValues[];
+extern const size_t kOpenSSLReasonValuesLen;
+extern const char kOpenSSLReasonStringData[];
 
 /* err_clear_data frees the optional |data| member of the given error. */
 static void err_clear_data(struct err_error_st *error) {
-  if (error->data != NULL && (error->flags & ERR_FLAG_MALLOCED) != 0) {
+  if ((error->flags & ERR_FLAG_MALLOCED) != 0) {
     OPENSSL_free(error->data);
   }
   error->data = NULL;
@@ -164,10 +148,45 @@ static void err_clear(struct err_error_st *error) {
   memset(error, 0, sizeof(struct err_error_st));
 }
 
+/* global_next_library contains the next custom library value to return. */
+static int global_next_library = ERR_NUM_LIBS;
+
+/* global_next_library_mutex protects |global_next_library| from concurrent
+ * updates. */
+static struct CRYPTO_STATIC_MUTEX global_next_library_mutex =
+    CRYPTO_STATIC_MUTEX_INIT;
+
+static void err_state_free(void *statep) {
+  ERR_STATE *state = statep;
+
+  if (state == NULL) {
+    return;
+  }
+
+  unsigned i;
+  for (i = 0; i < ERR_NUM_ERRORS; i++) {
+    err_clear(&state->errors[i]);
+  }
+  OPENSSL_free(state->to_free);
+  OPENSSL_free(state);
+}
+
 /* err_get_state gets the ERR_STATE object for the current thread. */
 static ERR_STATE *err_get_state(void) {
-  err_fns_check();
-  return ERRFN(get_state)();
+  ERR_STATE *state = CRYPTO_get_thread_local(OPENSSL_THREAD_LOCAL_ERR);
+  if (state == NULL) {
+    state = OPENSSL_malloc(sizeof(ERR_STATE));
+    if (state == NULL) {
+      return NULL;
+    }
+    memset(state, 0, sizeof(ERR_STATE));
+    if (!CRYPTO_set_thread_local(OPENSSL_THREAD_LOCAL_ERR, state,
+                                 err_state_free)) {
+      return NULL;
+    }
+  }
+
+  return state;
 }
 
 static uint32_t get_error_values(int inc, int top, const char **file, int *line,
@@ -221,9 +240,7 @@ static uint32_t get_error_values(int inc, int top, const char **file, int *line,
        * error queue. */
       if (inc) {
         if (error->flags & ERR_FLAG_MALLOCED) {
-          if (state->to_free) {
-            OPENSSL_free(state->to_free);
-          }
+          OPENSSL_free(state->to_free);
           state->to_free = error->data;
         }
         error->data = NULL;
@@ -291,47 +308,29 @@ void ERR_clear_error(void) {
   for (i = 0; i < ERR_NUM_ERRORS; i++) {
     err_clear(&state->errors[i]);
   }
-  if (state->to_free) {
-    OPENSSL_free(state->to_free);
-    state->to_free = NULL;
-  }
+  OPENSSL_free(state->to_free);
+  state->to_free = NULL;
 
   state->top = state->bottom = 0;
 }
 
-static void err_state_free(ERR_STATE *state) {
-  unsigned i;
-
-  for (i = 0; i < ERR_NUM_ERRORS; i++) {
-    err_clear(&state->errors[i]);
-  }
-  if (state->to_free) {
-    OPENSSL_free(state->to_free);
-  }
-  OPENSSL_free(state);
-}
-
 void ERR_remove_thread_state(const CRYPTO_THREADID *tid) {
-  CRYPTO_THREADID current;
-  ERR_STATE *state;
-
-  if (tid == NULL) {
-    CRYPTO_THREADID_current(&current);
-    tid = &current;
-  }
-
-  err_fns_check();
-  state = ERRFN(release_state)(tid);
-  if (state == NULL) {
+  if (tid != NULL) {
+    assert(0);
     return;
   }
 
-  err_state_free(state);
+  ERR_clear_error();
 }
 
 int ERR_get_next_error_library(void) {
-  err_fns_check();
-  return ERRFN(get_next_library)();
+  int ret;
+
+  CRYPTO_STATIC_MUTEX_lock_write(&global_next_library_mutex);
+  ret = global_next_library++;
+  CRYPTO_STATIC_MUTEX_unlock(&global_next_library_mutex);
+
+  return ret;
 }
 
 void ERR_clear_system_error(void) {
@@ -423,53 +422,177 @@ void ERR_error_string_n(uint32_t packed_error, char *buf, size_t len) {
   }
 }
 
-/* err_component_error_string returns the error string associated with
- * |packed_error|, which must be of a special form matching the keys inserted
- * into the error hash table. */
-static const char *err_component_error_string(uint32_t packed_error) {
-  ERR_STRING_DATA *p;
+// err_string_cmp is a compare function for searching error values with
+// |bsearch| in |err_string_lookup|.
+static int err_string_cmp(const void *a, const void *b) {
+  const uint32_t a_key = *((const uint32_t*) a) >> 15;
+  const uint32_t b_key = *((const uint32_t*) b) >> 15;
 
-  err_fns_check();
-  p = ERRFN(get_item)(packed_error);
+  if (a_key < b_key) {
+    return -1;
+  } else if (a_key > b_key) {
+    return 1;
+  } else {
+    return 0;
+  }
+}
 
-  if (p == NULL) {
+/* err_string_lookup looks up the string associated with |lib| and |key| in
+ * |values| and |string_data|. It returns the string or NULL if not found. */
+static const char *err_string_lookup(uint32_t lib, uint32_t key,
+                                     const uint32_t *values,
+                                     size_t num_values,
+                                     const char *string_data) {
+  /* |values| points to data in err_data.h, which is generated by
+   * err_data_generate.go. It's an array of uint32_t values. Each value has the
+   * following structure:
+   *   | lib  |    key    |    offset     |
+   *   |6 bits|  11 bits  |    15 bits    |
+   *
+   * The |lib| value is a library identifier: one of the |ERR_LIB_*| values.
+   * The |key| is either a function or a reason code, depending on the context.
+   * The |offset| is the number of bytes from the start of |string_data| where
+   * the (NUL terminated) string for this value can be found.
+   *
+   * Values are sorted based on treating the |lib| and |key| part as an
+   * unsigned integer. */
+  if (lib >= (1 << 6) || key >= (1 << 11)) {
     return NULL;
   }
-  return p->string;
+  uint32_t search_key = lib << 26 | key << 15;
+  const uint32_t *result = bsearch(&search_key, values, num_values,
+                                   sizeof(uint32_t), err_string_cmp);
+  if (result == NULL) {
+    return NULL;
+  }
+
+  return &string_data[(*result) & 0x7fff];
 }
 
+static const char *const kLibraryNames[ERR_NUM_LIBS] = {
+    "invalid library (0)",
+    "unknown library",                            /* ERR_LIB_NONE */
+    "system library",                             /* ERR_LIB_SYS */
+    "bignum routines",                            /* ERR_LIB_BN */
+    "RSA routines",                               /* ERR_LIB_RSA */
+    "Diffie-Hellman routines",                    /* ERR_LIB_DH */
+    "public key routines",                        /* ERR_LIB_EVP */
+    "memory buffer routines",                     /* ERR_LIB_BUF */
+    "object identifier routines",                 /* ERR_LIB_OBJ */
+    "PEM routines",                               /* ERR_LIB_PEM */
+    "DSA routines",                               /* ERR_LIB_DSA */
+    "X.509 certificate routines",                 /* ERR_LIB_X509 */
+    "ASN.1 encoding routines",                    /* ERR_LIB_ASN1 */
+    "configuration file routines",                /* ERR_LIB_CONF */
+    "common libcrypto routines",                  /* ERR_LIB_CRYPTO */
+    "elliptic curve routines",                    /* ERR_LIB_EC */
+    "SSL routines",                               /* ERR_LIB_SSL */
+    "BIO routines",                               /* ERR_LIB_BIO */
+    "PKCS7 routines",                             /* ERR_LIB_PKCS7 */
+    "PKCS8 routines",                             /* ERR_LIB_PKCS8 */
+    "X509 V3 routines",                           /* ERR_LIB_X509V3 */
+    "random number generator",                    /* ERR_LIB_RAND */
+    "ENGINE routines",                            /* ERR_LIB_ENGINE */
+    "OCSP routines",                              /* ERR_LIB_OCSP */
+    "UI routines",                                /* ERR_LIB_UI */
+    "COMP routines",                              /* ERR_LIB_COMP */
+    "ECDSA routines",                             /* ERR_LIB_ECDSA */
+    "ECDH routines",                              /* ERR_LIB_ECDH */
+    "HMAC routines",                              /* ERR_LIB_HMAC */
+    "Digest functions",                           /* ERR_LIB_DIGEST */
+    "Cipher functions",                           /* ERR_LIB_CIPHER */
+    "User defined functions",                     /* ERR_LIB_USER */
+    "HKDF functions",                             /* ERR_LIB_HKDF */
+};
+
 const char *ERR_lib_error_string(uint32_t packed_error) {
-  return err_component_error_string(ERR_PACK(ERR_GET_LIB(packed_error), 0, 0));
+  const uint32_t lib = ERR_GET_LIB(packed_error);
+
+  if (lib >= ERR_NUM_LIBS) {
+    return NULL;
+  }
+  return kLibraryNames[lib];
 }
 
 const char *ERR_func_error_string(uint32_t packed_error) {
-  return err_component_error_string(
-      ERR_PACK(ERR_GET_LIB(packed_error), ERR_GET_FUNC(packed_error), 0));
+  const uint32_t lib = ERR_GET_LIB(packed_error);
+  const uint32_t func = ERR_GET_FUNC(packed_error);
+
+  if (lib == ERR_LIB_SYS) {
+    switch (func) {
+      case SYS_F_fopen:
+        return "fopen";
+      case SYS_F_fclose:
+        return "fclose";
+      case SYS_F_fread:
+        return "fread";
+      case SYS_F_fwrite:
+        return "fwrite";
+      case SYS_F_socket:
+        return "socket";
+      case SYS_F_setsockopt:
+        return "setsockopt";
+      case SYS_F_connect:
+        return "connect";
+      case SYS_F_getaddrinfo:
+        return "getaddrinfo";
+      default:
+        return NULL;
+    }
+  }
+
+  return err_string_lookup(ERR_GET_LIB(packed_error),
+                           ERR_GET_FUNC(packed_error), kOpenSSLFunctionValues,
+                           kOpenSSLFunctionValuesLen,
+                           kOpenSSLFunctionStringData);
 }
 
 const char *ERR_reason_error_string(uint32_t packed_error) {
-  const char *reason_str = err_component_error_string(
-      ERR_PACK(ERR_GET_LIB(packed_error), 0, ERR_GET_REASON(packed_error)));
+  const uint32_t lib = ERR_GET_LIB(packed_error);
+  const uint32_t reason = ERR_GET_REASON(packed_error);
 
-  if (reason_str != NULL) {
-    return reason_str;
+  if (lib == ERR_LIB_SYS) {
+    if (reason < 127) {
+      return strerror(reason);
+    }
+    return NULL;
   }
 
-  return err_component_error_string(
-      ERR_PACK(0, 0, ERR_GET_REASON(packed_error)));
+  if (reason < ERR_NUM_LIBS) {
+    return kLibraryNames[reason];
+  }
+
+  if (reason < 100) {
+    switch (reason) {
+      case ERR_R_MALLOC_FAILURE:
+        return "malloc failure";
+      case ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED:
+        return "function should not have been called";
+      case ERR_R_PASSED_NULL_PARAMETER:
+        return "passed a null parameter";
+      case ERR_R_INTERNAL_ERROR:
+        return "internal error";
+      case ERR_R_OVERFLOW:
+        return "overflow";
+      default:
+        return NULL;
+    }
+  }
+
+  return err_string_lookup(lib, reason, kOpenSSLReasonValues,
+                           kOpenSSLReasonValuesLen, kOpenSSLReasonStringData);
 }
 
 void ERR_print_errors_cb(ERR_print_errors_callback_t callback, void *ctx) {
-  CRYPTO_THREADID current_thread;
   char buf[ERR_ERROR_STRING_BUF_LEN];
   char buf2[1024];
-  unsigned long thread_hash;
   const char *file, *data;
   int line, flags;
   uint32_t packed_error;
 
-  CRYPTO_THREADID_current(&current_thread);
-  thread_hash = CRYPTO_THREADID_hash(&current_thread);
+  /* thread_hash is the least-significant bits of the |ERR_STATE| pointer value
+   * for this thread. */
+  const unsigned long thread_hash = (uintptr_t) err_get_state();
 
   for (;;) {
     packed_error = ERR_get_error_line_data(&file, &line, &data, &flags);
@@ -486,6 +609,17 @@ void ERR_print_errors_cb(ERR_print_errors_callback_t callback, void *ctx) {
   }
 }
 
+static int print_errors_to_file(const char* msg, size_t msg_len, void* ctx) {
+  assert(msg[msg_len] == '\0');
+  FILE* fp = ctx;
+  int res = fputs(msg, fp);
+  return res < 0 ? 0 : 1;
+}
+
+void ERR_print_errors_fp(FILE *file) {
+  ERR_print_errors_cb(print_errors_to_file, file);
+}
+
 /* err_set_error_data sets the data on the most recent error. The |flags|
  * argument is a combination of the |ERR_FLAG_*| values. */
 static void err_set_error_data(char *data, int flags) {
@@ -648,162 +782,10 @@ int ERR_pop_to_mark(void) {
   return 0;
 }
 
-static const char *const kLibraryNames[ERR_NUM_LIBS] = {
-    "invalid library (0)",
-    "unknown library",                            /* ERR_LIB_NONE */
-    "system library",                             /* ERR_LIB_SYS */
-    "bignum routines",                            /* ERR_LIB_BN */
-    "RSA routines",                               /* ERR_LIB_RSA */
-    "Diffie-Hellman routines",                    /* ERR_LIB_DH */
-    "public key routines",                        /* ERR_LIB_EVP */
-    "memory buffer routines",                     /* ERR_LIB_BUF */
-    "object identifier routines",                 /* ERR_LIB_OBJ */
-    "PEM routines",                               /* ERR_LIB_PEM */
-    "DSA routines",                               /* ERR_LIB_DSA */
-    "X.509 certificate routines",                 /* ERR_LIB_X509 */
-    "ASN.1 encoding routines",                    /* ERR_LIB_ASN1 */
-    "configuration file routines",                /* ERR_LIB_CONF */
-    "common libcrypto routines",                  /* ERR_LIB_CRYPTO */
-    "elliptic curve routines",                    /* ERR_LIB_EC */
-    "SSL routines",                               /* ERR_LIB_SSL */
-    "BIO routines",                               /* ERR_LIB_BIO */
-    "PKCS7 routines",                             /* ERR_LIB_PKCS7 */
-    "PKCS8 routines",                             /* ERR_LIB_PKCS8 */
-    "X509 V3 routines",                           /* ERR_LIB_X509V3 */
-    "random number generator",                    /* ERR_LIB_RAND */
-    "ENGINE routines",                            /* ERR_LIB_ENGINE */
-    "OCSP routines",                              /* ERR_LIB_OCSP */
-    "UI routines",                                /* ERR_LIB_UI */
-    "COMP routines",                              /* ERR_LIB_COMP */
-    "ECDSA routines",                             /* ERR_LIB_ECDSA */
-    "ECDH routines",                              /* ERR_LIB_ECDH */
-    "HMAC routines",                              /* ERR_LIB_HMAC */
-    "Digest functions",                           /* ERR_LIB_DIGEST */
-    "Cipher functions",                           /* ERR_LIB_CIPHER */
-    "User defined functions",                     /* ERR_LIB_USER */
-    "HKDF functions",                             /* ERR_LIB_HKDF */
-};
-
-#define NUM_SYS_ERRNOS 127
-
-/* kStaticErrors provides storage for ERR_STRING_DATA values that are created
- * at init time because we assume that ERR_STRING_DATA structures aren't
- * allocated on the heap. */
-static ERR_STRING_DATA kStaticErrors[ERR_NUM_LIBS * 2 + NUM_SYS_ERRNOS];
-
-static const ERR_STRING_DATA kGlobalErrors[] = {
-    {ERR_R_MALLOC_FAILURE, "malloc failure"},
-    {ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED, "function should not be called"},
-    {ERR_R_PASSED_NULL_PARAMETER, "passed a null parameter"},
-    {ERR_R_INTERNAL_ERROR, "internal error"},
-    {ERR_R_OVERFLOW, "overflow"},
-
-    {ERR_PACK(ERR_LIB_SYS, SYS_F_fopen, 0), "fopen"},
-    {ERR_PACK(ERR_LIB_SYS, SYS_F_fclose, 0), "fclose"},
-    {ERR_PACK(ERR_LIB_SYS, SYS_F_fread, 0), "fread"},
-    {ERR_PACK(ERR_LIB_SYS, SYS_F_fwrite, 0), "fwrite"},
-    {ERR_PACK(ERR_LIB_SYS, SYS_F_socket, 0), "socket"},
-    {ERR_PACK(ERR_LIB_SYS, SYS_F_setsockopt, 0), "setsockopt"},
-    {ERR_PACK(ERR_LIB_SYS, SYS_F_connect, 0), "connect"},
-    {ERR_PACK(ERR_LIB_SYS, SYS_F_getaddrinfo, 0), "getaddrinfo"},
-
-    {0, NULL},
-};
-
+void ERR_load_crypto_strings(void) {}
 
-extern const ERR_STRING_DATA ASN1_error_string_data[];
-extern const ERR_STRING_DATA BIO_error_string_data[];
-extern const ERR_STRING_DATA BN_error_string_data[];
-extern const ERR_STRING_DATA BUF_error_string_data[];
-extern const ERR_STRING_DATA CIPHER_error_string_data[];
-extern const ERR_STRING_DATA CONF_error_string_data[];
-extern const ERR_STRING_DATA CRYPTO_error_string_data[];
-extern const ERR_STRING_DATA DH_error_string_data[];
-extern const ERR_STRING_DATA DIGEST_error_string_data[];
-extern const ERR_STRING_DATA DSA_error_string_data[];
-extern const ERR_STRING_DATA ECDH_error_string_data[];
-extern const ERR_STRING_DATA ECDSA_error_string_data[];
-extern const ERR_STRING_DATA EC_error_string_data[];
-extern const ERR_STRING_DATA ENGINE_error_string_data[];
-extern const ERR_STRING_DATA EVP_error_string_data[];
-extern const ERR_STRING_DATA HKDF_error_string_data[];
-extern const ERR_STRING_DATA OBJ_error_string_data[];
-extern const ERR_STRING_DATA PEM_error_string_data[];
-extern const ERR_STRING_DATA PKCS8_error_string_data[];
-extern const ERR_STRING_DATA RSA_error_string_data[];
-extern const ERR_STRING_DATA X509V3_error_string_data[];
-extern const ERR_STRING_DATA X509_error_string_data[];
-
-static void err_load_strings(void) {
-  unsigned i, j = 0;
-
-  err_fns_check();
-
-  /* This loop loads strings for the libraries for the ERR_R_*_LIB
-   * reasons. */
-  for (i = ERR_LIB_NONE; i < ERR_NUM_LIBS; i++) {
-    ERR_STRING_DATA *data = &kStaticErrors[j++];
-    data->string = kLibraryNames[i];
-    data->error = ERR_PACK(i, 0, 0);
-    ERRFN(set_item)(data);
-
-    data = &kStaticErrors[j++];
-    data->string = kLibraryNames[i];
-    data->error = ERR_PACK(0, 0, i);
-    ERRFN(set_item)(data);
-  }
-
-  for (i = 1; i < 1 + NUM_SYS_ERRNOS; i++) {
-    /* The "SYS" library sets errno values as the reason for its errors.
-     * Thus we load the first |NUM_SYS_ERRNOS| errno strings as the
-     * reason strings for that library. */
-
-    ERR_STRING_DATA *data = &kStaticErrors[j++];
-    data->string = strerror(i);
-    data->error = ERR_PACK(ERR_LIB_SYS, 0, i);
-    ERRFN(set_item)(data);
-  }
-
-  ERR_load_strings(kGlobalErrors);
-
-  ERR_load_strings(ASN1_error_string_data);
-  ERR_load_strings(BIO_error_string_data);
-  ERR_load_strings(BN_error_string_data);
-  ERR_load_strings(BUF_error_string_data);
-  ERR_load_strings(CIPHER_error_string_data);
-  ERR_load_strings(CONF_error_string_data);
-  ERR_load_strings(CRYPTO_error_string_data);
-  ERR_load_strings(DH_error_string_data);
-  ERR_load_strings(DIGEST_error_string_data);
-  ERR_load_strings(DSA_error_string_data);
-  ERR_load_strings(ECDH_error_string_data);
-  ERR_load_strings(ECDSA_error_string_data);
-  ERR_load_strings(EC_error_string_data);
-  ERR_load_strings(ENGINE_error_string_data);
-  ERR_load_strings(EVP_error_string_data);
-  ERR_load_strings(HKDF_error_string_data);
-  ERR_load_strings(OBJ_error_string_data);
-  ERR_load_strings(PEM_error_string_data);
-  ERR_load_strings(PKCS8_error_string_data);
-  ERR_load_strings(RSA_error_string_data);
-  ERR_load_strings(X509V3_error_string_data);
-  ERR_load_strings(X509_error_string_data);
-}
-
-void ERR_load_strings(const ERR_STRING_DATA *str) {
-  err_fns_check();
-
-  while (str->error) {
-    ERRFN(set_item)(str);
-    str++;
-  }
-}
-
-void ERR_load_crypto_strings(void) { err_load_strings(); }
-
-void ERR_free_strings(void) {
-  err_fns_check();
-  ERRFN(shutdown)(err_state_free);
-}
+void ERR_free_strings(void) {}
 
 void ERR_load_BIO_strings(void) {}
+
+void ERR_load_ERR_strings(void) {}
diff --git a/src/crypto/err/err_data_generate.go b/src/crypto/err/err_data_generate.go
new file mode 100644
index 0000000..a5b4cb5
--- /dev/null
+++ b/src/crypto/err/err_data_generate.go
@@ -0,0 +1,287 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+package main
+
+import (
+	"bufio"
+	"bytes"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"sort"
+	"strconv"
+	"strings"
+)
+
+// libraryNames must be kept in sync with the enum in err.h. The generated code
+// will contain static assertions to enforce this.
+var libraryNames = []string{
+	"NONE",
+	"SYS",
+	"BN",
+	"RSA",
+	"DH",
+	"EVP",
+	"BUF",
+	"OBJ",
+	"PEM",
+	"DSA",
+	"X509",
+	"ASN1",
+	"CONF",
+	"CRYPTO",
+	"EC",
+	"SSL",
+	"BIO",
+	"PKCS7",
+	"PKCS8",
+	"X509V3",
+	"RAND",
+	"ENGINE",
+	"OCSP",
+	"UI",
+	"COMP",
+	"ECDSA",
+	"ECDH",
+	"HMAC",
+	"DIGEST",
+	"CIPHER",
+	"USER",
+	"HKDF",
+}
+
+// stringList is a map from uint32 -> string which can output data for a sorted
+// list as C literals.
+type stringList struct {
+	// entries is an array of keys and offsets into |stringData|. The
+	// offsets are in the bottom 15 bits of each uint32 and the key is the
+	// top 17 bits.
+	entries         []uint32
+	// internedStrings contains the same strings as are in |stringData|,
+	// but allows for easy deduplication. It maps a string to its offset in
+	// |stringData|.
+	internedStrings map[string]uint32
+	stringData      []byte
+}
+
+func newStringList() *stringList {
+	return &stringList{
+		internedStrings: make(map[string]uint32),
+	}
+}
+
+// offsetMask is the bottom 15 bits. It's a mask that selects the offset from a
+// uint32 in entries.
+const offsetMask = 0x7fff
+
+func (st *stringList) Add(key uint32, value string) error {
+	if key&offsetMask != 0 {
+		return errors.New("need bottom 15 bits of the key for the offset")
+	}
+	offset, ok := st.internedStrings[value]
+	if !ok {
+		offset = uint32(len(st.stringData))
+		if offset&offsetMask != offset {
+			return errors.New("stringList overflow")
+		}
+		st.stringData = append(st.stringData, []byte(value)...)
+		st.stringData = append(st.stringData, 0)
+		st.internedStrings[value] = offset
+	}
+
+	for _, existing := range st.entries {
+		if existing>>15 == key>>15 {
+			panic("duplicate entry")
+		}
+	}
+	st.entries = append(st.entries, key|offset)
+	return nil
+}
+
+// keySlice is a type that implements sorting of entries values.
+type keySlice []uint32
+
+func (ks keySlice) Len() int {
+	return len(ks)
+}
+
+func (ks keySlice) Less(i, j int) bool {
+	return (ks[i] >> 15) < (ks[j] >> 15)
+}
+
+func (ks keySlice) Swap(i, j int) {
+	ks[i], ks[j] = ks[j], ks[i]
+}
+
+func (st *stringList) buildList() []uint32 {
+	sort.Sort(keySlice(st.entries))
+	return st.entries
+}
+
+type stringWriter interface {
+	io.Writer
+	WriteString(string) (int, error)
+}
+
+func (st *stringList) WriteTo(out stringWriter, name string) {
+	list := st.buildList()
+	fmt.Fprintf(os.Stderr, "%s: %d bytes of list and %d bytes of string data.\n", name, 4*len(list), len(st.stringData))
+
+	values := "kOpenSSL" + name + "Values"
+	out.WriteString("const uint32_t " + values + "[] = {\n")
+	for _, v := range list {
+		fmt.Fprintf(out, "    0x%x,\n", v)
+	}
+	out.WriteString("};\n\n")
+	out.WriteString("const size_t " + values + "Len = sizeof(" + values + ") / sizeof(" + values + "[0]);\n\n");
+
+	stringData := "kOpenSSL" + name + "StringData"
+	out.WriteString("const char " + stringData + "[] =\n    \"")
+	for i, c := range st.stringData {
+		if c == 0 {
+			out.WriteString("\\0\"\n    \"")
+			continue
+		}
+		out.Write(st.stringData[i : i+1])
+	}
+	out.WriteString("\";\n\n")
+}
+
+type errorData struct {
+	functions, reasons *stringList
+	libraryMap         map[string]uint32
+}
+
+func (e *errorData) readErrorDataFile(filename string) error {
+	inFile, err := os.Open(filename)
+	if err != nil {
+		return err
+	}
+	defer inFile.Close()
+
+	scanner := bufio.NewScanner(inFile)
+	comma := []byte(",")
+
+	lineNo := 0
+	for scanner.Scan() {
+		lineNo++
+
+		line := scanner.Bytes()
+		if len(line) == 0 {
+			continue
+		}
+		parts := bytes.Split(line, comma)
+		if len(parts) != 4 {
+			return fmt.Errorf("bad line %d in %s: found %d values but want 4", lineNo, filename, len(parts))
+		}
+		libNum, ok := e.libraryMap[string(parts[0])]
+		if !ok {
+			return fmt.Errorf("bad line %d in %s: unknown library", lineNo, filename)
+		}
+		if libNum >= 64 {
+			return fmt.Errorf("bad line %d in %s: library value too large", lineNo, filename)
+		}
+		key, err := strconv.ParseUint(string(parts[2]), 10 /* base */, 32 /* bit size */)
+		if err != nil {
+			return fmt.Errorf("bad line %d in %s: %s", lineNo, filename, err)
+		}
+		if key >= 2048 {
+			return fmt.Errorf("bad line %d in %s: key too large", lineNo, filename)
+		}
+		value := string(parts[3])
+
+		listKey := libNum<<26 | uint32(key)<<15
+
+		switch string(parts[1]) {
+		case "function":
+			err = e.functions.Add(listKey, value)
+		case "reason":
+			err = e.reasons.Add(listKey, value)
+		default:
+			return fmt.Errorf("bad line %d in %s: bad value type", lineNo, filename)
+		}
+
+		if err != nil {
+			return err
+		}
+	}
+
+	return scanner.Err()
+}
+
+func main() {
+	e := &errorData{
+		functions:  newStringList(),
+		reasons:    newStringList(),
+		libraryMap: make(map[string]uint32),
+	}
+	for i, name := range libraryNames {
+		e.libraryMap[name] = uint32(i) + 1
+	}
+
+	cwd, err := os.Open(".")
+	if err != nil {
+		panic(err)
+	}
+	names, err := cwd.Readdirnames(-1)
+	if err != nil {
+		panic(err)
+	}
+
+	sort.Strings(names)
+	for _, name := range names {
+		if !strings.HasSuffix(name, ".errordata") {
+			continue
+		}
+		if err := e.readErrorDataFile(name); err != nil {
+			panic(err)
+		}
+	}
+
+	out := os.Stdout
+
+	out.WriteString(`/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+ /* This file was generated by err_data_generate.go. */
+
+#include <openssl/base.h>
+#include <openssl/err.h>
+#include <openssl/type_check.h>
+
+
+`)
+
+	for i, name := range libraryNames {
+		fmt.Fprintf(out, "OPENSSL_COMPILE_ASSERT(ERR_LIB_%s == %d, library_values_changed_%d);\n", name, i+1, i+1)
+	}
+	fmt.Fprintf(out, "OPENSSL_COMPILE_ASSERT(ERR_NUM_LIBS == %d, library_values_changed_num);\n", len(libraryNames) + 1)
+	out.WriteString("\n")
+
+	e.functions.WriteTo(out, "Function")
+	e.reasons.WriteTo(out, "Reason")
+}
diff --git a/src/crypto/err/err_impl.c b/src/crypto/err/err_impl.c
deleted file mode 100644
index 32cff35..0000000
--- a/src/crypto/err/err_impl.c
+++ /dev/null
@@ -1,323 +0,0 @@
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com). */
-
-#include <openssl/err.h>
-
-#include <assert.h>
-#include <string.h>
-
-#include <openssl/lhash.h>
-#include <openssl/mem.h>
-
-
-DEFINE_LHASH_OF(ERR_STATE);
-DEFINE_LHASH_OF(ERR_STRING_DATA);
-
-/* state_hash is a map from thread ID to ERR_STATE. It works like thread-local
- * storage. */
-static LHASH_OF(ERR_STATE) *state_hash = NULL;
-
-/* error_hash maps from a packed error to the string for that library /
- * function / reason. */
-static LHASH_OF(ERR_STRING_DATA) *error_hash = NULL;
-
-/* global_next_library contains the next custom library value to return. */
-static int global_next_library = ERR_NUM_LIBS;
-
-/* err_string_data_hash is an lhash hash function for ERR_STRING_DATA. */
-static uint32_t err_string_data_hash(const ERR_STRING_DATA *a) {
-  return OPENSSL_hash32(&a->error, sizeof(a->error));
-}
-
-/* err_string_data_cmp is an lhash compare function for ERR_STRING_DATA. */
-static int err_string_data_cmp(const ERR_STRING_DATA *a,
-                               const ERR_STRING_DATA *b) {
-  return ((int)a->error) - ((int)b->error);
-}
-
-/* error_hash_get_write_locked returns the hash that maps from packed error to
- * error string and creates it if need be. The caller must hold a write lock on
- * LOCK_ERR. */
-static LHASH_OF(ERR_STRING_DATA) * error_hash_get_write_locked(void) {
-  if (!error_hash) {
-    error_hash = lh_ERR_STRING_DATA_new(err_string_data_hash, err_string_data_cmp);
-  }
-
-  return error_hash;
-}
-
-/* err_get_item returns an ERR_STRING_DATA with an |error| member that
- * equals |packed_error|, or NULL if none can be found. */
-static ERR_STRING_DATA *err_get_item(uint32_t packed_error) {
-  ERR_STRING_DATA *ret = NULL, pattern;
-
-  pattern.error = packed_error;
-
-  CRYPTO_r_lock(CRYPTO_LOCK_ERR);
-  if (error_hash) {
-    ret = lh_ERR_STRING_DATA_retrieve(error_hash, &pattern);
-  }
-  CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
-
-  return ret;
-}
-
-/* err_set_item adds an ERR_STRING_DATA to the global hash of error strings and
- * returns the previous entry with the same |err->error| value, if any. */
-static ERR_STRING_DATA *err_set_item(const ERR_STRING_DATA *err) {
-  ERR_STRING_DATA *old_item = NULL;
-  LHASH_OF(ERR_STRING_DATA) *hash;
-
-  CRYPTO_w_lock(CRYPTO_LOCK_ERR);
-  hash = error_hash_get_write_locked();
-  if (hash) {
-    lh_ERR_STRING_DATA_insert(hash, &old_item, (ERR_STRING_DATA*) err);
-  }
-  CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
-
-  return old_item;
-}
-
-/* err_set_item removes an item from the global hash of error strings for
- * |packed_error| and returns the removed entry, if any. */
-static ERR_STRING_DATA *err_del_item(uint32_t packed_error) {
-  ERR_STRING_DATA *old_item = NULL, pattern;
-
-  pattern.error = packed_error;
-
-  CRYPTO_w_lock(CRYPTO_LOCK_ERR);
-  if (error_hash) {
-    old_item = lh_ERR_STRING_DATA_delete(error_hash, &pattern);
-  }
-  CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
-
-  return old_item;
-}
-
-
-/* err_state_hash is an lhash hash function for ERR_STATE. */
-static uint32_t err_state_hash(const ERR_STATE *a) {
-  return CRYPTO_THREADID_hash(&a->tid);
-}
-
-/* err_state_cmp is an lhash compare function for ERR_STATE. */
-static int err_state_cmp(const ERR_STATE *a, const ERR_STATE *b) {
-  return CRYPTO_THREADID_cmp(&a->tid, &b->tid);
-}
-
-
-static ERR_STATE *err_get_state(void) {
-  CRYPTO_THREADID tid;
-  ERR_STATE pattern, *state, *race_state;
-  int insert_result;
-  static ERR_STATE fallback;
-
-  CRYPTO_THREADID_current(&tid);
-  memset(&pattern, 0, sizeof(pattern));
-  CRYPTO_THREADID_cpy(&pattern.tid, &tid);
-
-  CRYPTO_r_lock(CRYPTO_LOCK_ERR);
-  if (state_hash == NULL) {
-    CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
-    CRYPTO_w_lock(CRYPTO_LOCK_ERR);
-    if (state_hash == NULL) {
-      state_hash = lh_ERR_STATE_new(err_state_hash, err_state_cmp);
-    }
-    CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
-    CRYPTO_r_lock(CRYPTO_LOCK_ERR);
-  }
-
-  if (state_hash == NULL) {
-    CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
-    return NULL;
-  }
-
-  state = lh_ERR_STATE_retrieve(state_hash, &pattern);
-  CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
-  if (state != NULL) {
-    return state;
-  }
-
-  state = OPENSSL_malloc(sizeof(ERR_STATE));
-  if (state == NULL) {
-    CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
-    /* The other error functions don't cope with a failure to get the error
-     * state, so we return a dummy value. */
-    return &fallback;
-  }
-
-  memset(state, 0, sizeof(ERR_STATE));
-  CRYPTO_THREADID_cpy(&state->tid, &tid);
-
-  CRYPTO_w_lock(CRYPTO_LOCK_ERR);
-  insert_result = lh_ERR_STATE_insert(state_hash, &race_state, state);
-  CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
-
-  if (!insert_result) {
-    /* Insertion failed because of malloc failure. */
-    OPENSSL_free(state);
-    return &fallback;
-  }
-
-  /* We cannot have raced with another thread to insert an ERR_STATE because no
-   * other thread should be inserting values for this thread. */
-  assert(race_state == NULL);
-
-  return state;
-}
-
-static ERR_STATE *err_release_state(const CRYPTO_THREADID *tid) {
-  ERR_STATE pattern, *state;
-
-  CRYPTO_THREADID_cpy(&pattern.tid, tid);
-
-  CRYPTO_r_lock(CRYPTO_LOCK_ERR);
-  if (state_hash == NULL) {
-    CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
-    return NULL;
-  }
-
-  state = lh_ERR_STATE_delete(state_hash, &pattern);
-  CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
-
-  return state;
-}
-
-static void err_shutdown(void (*err_state_free_cb)(ERR_STATE*)) {
-  CRYPTO_w_lock(CRYPTO_LOCK_ERR);
-  if (error_hash) {
-    lh_ERR_STRING_DATA_free(error_hash);
-    error_hash = NULL;
-  }
-  if (state_hash) {
-    lh_ERR_STATE_doall(state_hash, err_state_free_cb);
-    lh_ERR_STATE_free(state_hash);
-    state_hash = NULL;
-  }
-  CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
-}
-
-static int err_get_next_library(void) {
-  int ret;
-
-  CRYPTO_w_lock(CRYPTO_LOCK_ERR);
-  ret = global_next_library++;
-  CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
-
-  return ret;
-}
-
-const struct ERR_FNS_st openssl_err_default_impl = {
-  err_shutdown,
-  err_get_item,
-  err_set_item,
-  err_del_item,
-  err_get_state,
-  err_release_state,
-  err_get_next_library,
-};
diff --git a/src/crypto/err/err_test.c b/src/crypto/err/err_test.cc
index bf36201..98dfb85 100644
--- a/src/crypto/err/err_test.c
+++ b/src/crypto/err/err_test.cc
@@ -20,55 +20,52 @@
 #include <openssl/mem.h>
 
 
-static int test_overflow(void) {
-  unsigned i;
-
-  for (i = 0; i < ERR_NUM_ERRORS*2; i++) {
+static bool TestOverflow() {
+  for (unsigned i = 0; i < ERR_NUM_ERRORS*2; i++) {
     ERR_put_error(1, 2, i+1, "test", 1);
   }
 
-  for (i = 0; i < ERR_NUM_ERRORS - 1; i++) {
+  for (unsigned i = 0; i < ERR_NUM_ERRORS - 1; i++) {
     uint32_t err = ERR_get_error();
     /* Errors are returned in order they were pushed, with the least recent ones
      * removed, up to |ERR_NUM_ERRORS - 1| errors. So the errors returned are
      * |ERR_NUM_ERRORS + 2| through |ERR_NUM_ERRORS * 2|, inclusive. */
     if (err == 0 || ERR_GET_REASON(err) != i + ERR_NUM_ERRORS + 2) {
       fprintf(stderr, "ERR_get_error failed at %u\n", i);
-      return 0;
+      return false;
     }
   }
 
   if (ERR_get_error() != 0) {
     fprintf(stderr, "ERR_get_error more than the expected number of values.\n");
-    return 0;
+    return false;
   }
 
-  return 1;
+  return true;
 }
 
-static int test_put_error(void) {
-  uint32_t peeked_packed_error, packed_error;
-  int peeked_line, line, peeked_flags, flags;
-  const char *peeked_file, *file, *peeked_data, *data;
-
+static bool TestPutError() {
   if (ERR_get_error() != 0) {
     fprintf(stderr, "ERR_get_error returned value before an error was added.\n");
-    return 0;
+    return false;
   }
 
   ERR_put_error(1, 2, 3, "test", 4);
   ERR_add_error_data(1, "testing");
 
-  peeked_packed_error = ERR_peek_error_line_data(&peeked_file, &peeked_line,
-                                                 &peeked_data, &peeked_flags);
-  packed_error = ERR_get_error_line_data(&file, &line, &data, &flags);
+  int peeked_line, line, peeked_flags, flags;
+  const char *peeked_file, *file, *peeked_data, *data;
+  uint32_t peeked_packed_error =
+      ERR_peek_error_line_data(&peeked_file, &peeked_line, &peeked_data,
+                               &peeked_flags);
+  uint32_t packed_error = ERR_get_error_line_data(&file, &line, &data, &flags);
 
   if (peeked_packed_error != packed_error ||
       peeked_file != file ||
       peeked_data != data ||
       peeked_flags != flags) {
     fprintf(stderr, "Bad peeked error data returned.\n");
-    return 0;
+    return false;
   }
 
   if (strcmp(file, "test") != 0 ||
@@ -79,16 +76,16 @@ static int test_put_error(void) {
       ERR_GET_REASON(packed_error) != 3 ||
       strcmp(data, "testing") != 0) {
     fprintf(stderr, "Bad error data returned.\n");
-    return 0;
+    return false;
   }
 
-  return 1;
+  return true;
 }
 
-static int test_clear_error(void) {
+static bool TestClearError() {
   if (ERR_get_error() != 0) {
     fprintf(stderr, "ERR_get_error returned value before an error was added.\n");
-    return 0;
+    return false;
   }
 
   ERR_put_error(1, 2, 3, "test", 4);
@@ -96,42 +93,39 @@ static int test_clear_error(void) {
 
   if (ERR_get_error() != 0) {
     fprintf(stderr, "Error remained after clearing.\n");
-    return 0;
+    return false;
   }
 
-  return 1;
+  return true;
 }
 
-static int test_print(void) {
-  size_t i;
-  char buf[256];
-  uint32_t packed_error;
-
+static bool TestPrint() {
   ERR_put_error(1, 2, 3, "test", 4);
   ERR_add_error_data(1, "testing");
-  packed_error = ERR_get_error();
+  uint32_t packed_error = ERR_get_error();
 
-  for (i = 0; i <= sizeof(buf); i++) {
+  char buf[256];
+  for (size_t i = 0; i <= sizeof(buf); i++) {
     ERR_error_string_n(packed_error, buf, i);
   }
 
-  return 1;
+  return true;
 }
 
-static int test_release(void) {
+static bool TestRelease() {
   ERR_put_error(1, 2, 3, "test", 4);
   ERR_remove_thread_state(NULL);
-  return 1;
+  return true;
 }
 
-int main(void) {
+int main() {
   CRYPTO_library_init();
 
-  if (!test_overflow() ||
-      !test_put_error() ||
-      !test_clear_error() ||
-      !test_print() ||
-      !test_release()) {
+  if (!TestOverflow() ||
+      !TestPutError() ||
+      !TestClearError() ||
+      !TestPrint() ||
+      !TestRelease()) {
     return 1;
   }
 
diff --git a/src/crypto/err/evp.errordata b/src/crypto/err/evp.errordata
new file mode 100644
index 0000000..14dd27b
--- /dev/null
+++ b/src/crypto/err/evp.errordata
@@ -0,0 +1,114 @@
+EVP,function,160,EVP_DigestSignAlgorithm
+EVP,function,161,EVP_DigestVerifyInitFromAlgorithm
+EVP,function,162,EVP_PKEY_CTX_ctrl
+EVP,function,163,EVP_PKEY_CTX_dup
+EVP,function,159,EVP_PKEY_CTX_get0_rsa_oaep_label
+EVP,function,164,EVP_PKEY_copy_parameters
+EVP,function,165,EVP_PKEY_decrypt
+EVP,function,166,EVP_PKEY_decrypt_init
+EVP,function,167,EVP_PKEY_derive
+EVP,function,108,EVP_PKEY_derive_init
+EVP,function,168,EVP_PKEY_derive_set_peer
+EVP,function,110,EVP_PKEY_encrypt
+EVP,function,111,EVP_PKEY_encrypt_init
+EVP,function,112,EVP_PKEY_get1_DH
+EVP,function,169,EVP_PKEY_get1_DSA
+EVP,function,114,EVP_PKEY_get1_EC_KEY
+EVP,function,115,EVP_PKEY_get1_RSA
+EVP,function,116,EVP_PKEY_keygen
+EVP,function,170,EVP_PKEY_keygen_init
+EVP,function,171,EVP_PKEY_new
+EVP,function,172,EVP_PKEY_set_type
+EVP,function,120,EVP_PKEY_sign
+EVP,function,121,EVP_PKEY_sign_init
+EVP,function,122,EVP_PKEY_verify
+EVP,function,123,EVP_PKEY_verify_init
+EVP,function,173,check_padding_md
+EVP,function,125,d2i_AutoPrivateKey
+EVP,function,126,d2i_PrivateKey
+EVP,function,127,do_EC_KEY_print
+EVP,function,174,do_dsa_print
+EVP,function,175,do_rsa_print
+EVP,function,129,do_sigver_init
+EVP,function,176,dsa_param_decode
+EVP,function,177,dsa_priv_decode
+EVP,function,178,dsa_priv_encode
+EVP,function,179,dsa_pub_decode
+EVP,function,180,dsa_pub_encode
+EVP,function,181,dsa_sig_print
+EVP,function,130,eckey_param2type
+EVP,function,131,eckey_param_decode
+EVP,function,132,eckey_priv_decode
+EVP,function,133,eckey_priv_encode
+EVP,function,134,eckey_pub_decode
+EVP,function,135,eckey_pub_encode
+EVP,function,136,eckey_type2param
+EVP,function,137,evp_pkey_ctx_new
+EVP,function,138,hmac_signctx
+EVP,function,139,i2d_PublicKey
+EVP,function,182,old_dsa_priv_decode
+EVP,function,140,old_ec_priv_decode
+EVP,function,141,old_rsa_priv_decode
+EVP,function,142,pkey_ec_ctrl
+EVP,function,143,pkey_ec_derive
+EVP,function,144,pkey_ec_keygen
+EVP,function,145,pkey_ec_paramgen
+EVP,function,146,pkey_ec_sign
+EVP,function,158,pkey_hmac_ctrl
+EVP,function,147,pkey_rsa_ctrl
+EVP,function,148,pkey_rsa_decrypt
+EVP,function,149,pkey_rsa_encrypt
+EVP,function,150,pkey_rsa_sign
+EVP,function,151,rsa_algor_to_md
+EVP,function,152,rsa_digest_verify_init_from_algorithm
+EVP,function,153,rsa_mgf1_to_md
+EVP,function,154,rsa_priv_decode
+EVP,function,155,rsa_priv_encode
+EVP,function,156,rsa_pss_to_ctx
+EVP,function,157,rsa_pub_decode
+EVP,reason,151,BN_DECODE_ERROR
+EVP,reason,100,BUFFER_TOO_SMALL
+EVP,reason,101,COMMAND_NOT_SUPPORTED
+EVP,reason,146,CONTEXT_NOT_INITIALISED
+EVP,reason,143,DECODE_ERROR
+EVP,reason,104,DIFFERENT_KEY_TYPES
+EVP,reason,105,DIFFERENT_PARAMETERS
+EVP,reason,147,DIGEST_AND_KEY_TYPE_NOT_SUPPORTED
+EVP,reason,107,EXPECTING_AN_EC_KEY_KEY
+EVP,reason,141,EXPECTING_AN_RSA_KEY
+EVP,reason,109,EXPECTING_A_DH_KEY
+EVP,reason,110,EXPECTING_A_DSA_KEY
+EVP,reason,111,ILLEGAL_OR_UNSUPPORTED_PADDING_MODE
+EVP,reason,112,INVALID_CURVE
+EVP,reason,113,INVALID_DIGEST_LENGTH
+EVP,reason,114,INVALID_DIGEST_TYPE
+EVP,reason,115,INVALID_KEYBITS
+EVP,reason,116,INVALID_MGF1_MD
+EVP,reason,142,INVALID_OPERATION
+EVP,reason,118,INVALID_PADDING_MODE
+EVP,reason,119,INVALID_PSS_PARAMETERS
+EVP,reason,144,INVALID_PSS_SALTLEN
+EVP,reason,121,INVALID_SALT_LENGTH
+EVP,reason,122,INVALID_TRAILER
+EVP,reason,123,KEYS_NOT_SET
+EVP,reason,124,MISSING_PARAMETERS
+EVP,reason,125,NO_DEFAULT_DIGEST
+EVP,reason,126,NO_KEY_SET
+EVP,reason,127,NO_MDC2_SUPPORT
+EVP,reason,128,NO_NID_FOR_CURVE
+EVP,reason,129,NO_OPERATION_SET
+EVP,reason,130,NO_PARAMETERS_SET
+EVP,reason,131,OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE
+EVP,reason,132,OPERATON_NOT_INITIALIZED
+EVP,reason,152,PARAMETER_ENCODING_ERROR
+EVP,reason,133,UNKNOWN_DIGEST
+EVP,reason,134,UNKNOWN_MASK_DIGEST
+EVP,reason,150,UNKNOWN_MESSAGE_DIGEST_ALGORITHM
+EVP,reason,145,UNKNOWN_PUBLIC_KEY_TYPE
+EVP,reason,149,UNKNOWN_SIGNATURE_ALGORITHM
+EVP,reason,138,UNSUPPORTED_ALGORITHM
+EVP,reason,139,UNSUPPORTED_MASK_ALGORITHM
+EVP,reason,140,UNSUPPORTED_MASK_PARAMETER
+EVP,reason,153,UNSUPPORTED_PUBLIC_KEY_TYPE
+EVP,reason,154,UNSUPPORTED_SIGNATURE_TYPE
+EVP,reason,148,WRONG_PUBLIC_KEY_TYPE
diff --git a/src/crypto/err/hkdf.errordata b/src/crypto/err/hkdf.errordata
new file mode 100644
index 0000000..878a802
--- /dev/null
+++ b/src/crypto/err/hkdf.errordata
@@ -0,0 +1,2 @@
+HKDF,function,100,HKDF
+HKDF,reason,100,OUTPUT_TOO_LARGE
diff --git a/src/crypto/err/obj.errordata b/src/crypto/err/obj.errordata
new file mode 100644
index 0000000..74e4629
--- /dev/null
+++ b/src/crypto/err/obj.errordata
@@ -0,0 +1,5 @@
+OBJ,function,100,OBJ_create
+OBJ,function,101,OBJ_dup
+OBJ,function,102,OBJ_nid2obj
+OBJ,function,103,OBJ_txt2obj
+OBJ,reason,100,UNKNOWN_NID
diff --git a/src/crypto/err/pem.errordata b/src/crypto/err/pem.errordata
new file mode 100644
index 0000000..42216a7
--- /dev/null
+++ b/src/crypto/err/pem.errordata
@@ -0,0 +1,39 @@
+PEM,function,100,PEM_ASN1_read
+PEM,function,101,PEM_ASN1_read_bio
+PEM,function,102,PEM_ASN1_write
+PEM,function,103,PEM_ASN1_write_bio
+PEM,function,104,PEM_X509_INFO_read
+PEM,function,105,PEM_X509_INFO_read_bio
+PEM,function,106,PEM_X509_INFO_write_bio
+PEM,function,107,PEM_do_header
+PEM,function,108,PEM_get_EVP_CIPHER_INFO
+PEM,function,109,PEM_read
+PEM,function,110,PEM_read_DHparams
+PEM,function,111,PEM_read_PrivateKey
+PEM,function,112,PEM_read_bio
+PEM,function,113,PEM_read_bio_DHparams
+PEM,function,114,PEM_read_bio_Parameters
+PEM,function,115,PEM_read_bio_PrivateKey
+PEM,function,116,PEM_write
+PEM,function,117,PEM_write_PrivateKey
+PEM,function,118,PEM_write_bio
+PEM,function,119,d2i_PKCS8PrivateKey_bio
+PEM,function,120,d2i_PKCS8PrivateKey_fp
+PEM,function,121,do_pk8pkey
+PEM,function,122,do_pk8pkey_fp
+PEM,function,123,load_iv
+PEM,reason,100,BAD_BASE64_DECODE
+PEM,reason,101,BAD_DECRYPT
+PEM,reason,102,BAD_END_LINE
+PEM,reason,103,BAD_IV_CHARS
+PEM,reason,104,BAD_PASSWORD_READ
+PEM,reason,105,CIPHER_IS_NULL
+PEM,reason,106,ERROR_CONVERTING_PRIVATE_KEY
+PEM,reason,107,NOT_DEK_INFO
+PEM,reason,108,NOT_ENCRYPTED
+PEM,reason,109,NOT_PROC_TYPE
+PEM,reason,110,NO_START_LINE
+PEM,reason,111,READ_KEY
+PEM,reason,112,SHORT_HEADER
+PEM,reason,113,UNSUPPORTED_CIPHER
+PEM,reason,114,UNSUPPORTED_ENCRYPTION
diff --git a/src/crypto/err/pkcs8.errordata b/src/crypto/err/pkcs8.errordata
new file mode 100644
index 0000000..936f3c5
--- /dev/null
+++ b/src/crypto/err/pkcs8.errordata
@@ -0,0 +1,43 @@
+PKCS8,function,100,EVP_PKCS82PKEY
+PKCS8,function,101,EVP_PKEY2PKCS8
+PKCS8,function,102,PKCS12_get_key_and_certs
+PKCS8,function,103,PKCS12_handle_content_info
+PKCS8,function,104,PKCS12_handle_content_infos
+PKCS8,function,105,PKCS5_pbe2_set_iv
+PKCS8,function,106,PKCS5_pbe_set
+PKCS8,function,107,PKCS5_pbe_set0_algor
+PKCS8,function,108,PKCS5_pbkdf2_set
+PKCS8,function,109,PKCS8_decrypt
+PKCS8,function,110,PKCS8_encrypt
+PKCS8,function,111,PKCS8_encrypt_pbe
+PKCS8,function,112,pbe_cipher_init
+PKCS8,function,113,pbe_crypt
+PKCS8,function,114,pkcs12_item_decrypt_d2i
+PKCS8,function,115,pkcs12_item_i2d_encrypt
+PKCS8,function,116,pkcs12_key_gen_raw
+PKCS8,function,117,pkcs12_pbe_keyivgen
+PKCS8,reason,100,BAD_PKCS12_DATA
+PKCS8,reason,101,BAD_PKCS12_VERSION
+PKCS8,reason,102,CIPHER_HAS_NO_OBJECT_IDENTIFIER
+PKCS8,reason,103,CRYPT_ERROR
+PKCS8,reason,104,DECODE_ERROR
+PKCS8,reason,105,ENCODE_ERROR
+PKCS8,reason,106,ENCRYPT_ERROR
+PKCS8,reason,107,ERROR_SETTING_CIPHER_PARAMS
+PKCS8,reason,108,INCORRECT_PASSWORD
+PKCS8,reason,109,KEYGEN_FAILURE
+PKCS8,reason,110,KEY_GEN_ERROR
+PKCS8,reason,111,METHOD_NOT_SUPPORTED
+PKCS8,reason,112,MISSING_MAC
+PKCS8,reason,113,MULTIPLE_PRIVATE_KEYS_IN_PKCS12
+PKCS8,reason,114,PKCS12_PUBLIC_KEY_INTEGRITY_NOT_SUPPORTED
+PKCS8,reason,115,PKCS12_TOO_DEEPLY_NESTED
+PKCS8,reason,116,PRIVATE_KEY_DECODE_ERROR
+PKCS8,reason,117,PRIVATE_KEY_ENCODE_ERROR
+PKCS8,reason,118,TOO_LONG
+PKCS8,reason,119,UNKNOWN_ALGORITHM
+PKCS8,reason,120,UNKNOWN_CIPHER
+PKCS8,reason,121,UNKNOWN_CIPHER_ALGORITHM
+PKCS8,reason,122,UNKNOWN_DIGEST
+PKCS8,reason,123,UNKNOWN_HASH
+PKCS8,reason,124,UNSUPPORTED_PRIVATE_KEY_ALGORITHM
diff --git a/src/crypto/err/rsa.errordata b/src/crypto/err/rsa.errordata
new file mode 100644
index 0000000..64b390d
--- /dev/null
+++ b/src/crypto/err/rsa.errordata
@@ -0,0 +1,69 @@
+RSA,function,100,BN_BLINDING_convert_ex
+RSA,function,101,BN_BLINDING_create_param
+RSA,function,102,BN_BLINDING_invert_ex
+RSA,function,103,BN_BLINDING_new
+RSA,function,104,BN_BLINDING_update
+RSA,function,105,RSA_check_key
+RSA,function,106,RSA_new_method
+RSA,function,107,RSA_padding_add_PKCS1_OAEP_mgf1
+RSA,function,108,RSA_padding_add_PKCS1_PSS_mgf1
+RSA,function,109,RSA_padding_add_PKCS1_type_1
+RSA,function,110,RSA_padding_add_PKCS1_type_2
+RSA,function,111,RSA_padding_add_none
+RSA,function,112,RSA_padding_check_PKCS1_OAEP_mgf1
+RSA,function,113,RSA_padding_check_PKCS1_type_1
+RSA,function,114,RSA_padding_check_PKCS1_type_2
+RSA,function,115,RSA_padding_check_none
+RSA,function,116,RSA_recover_crt_params
+RSA,function,117,RSA_sign
+RSA,function,118,RSA_verify
+RSA,function,119,RSA_verify_PKCS1_PSS_mgf1
+RSA,function,120,decrypt
+RSA,function,121,encrypt
+RSA,function,122,keygen
+RSA,function,123,pkcs1_prefixed_msg
+RSA,function,124,private_transform
+RSA,function,125,rsa_setup_blinding
+RSA,function,126,sign_raw
+RSA,function,127,verify_raw
+RSA,reason,100,BAD_E_VALUE
+RSA,reason,101,BAD_FIXED_HEADER_DECRYPT
+RSA,reason,102,BAD_PAD_BYTE_COUNT
+RSA,reason,103,BAD_RSA_PARAMETERS
+RSA,reason,104,BAD_SIGNATURE
+RSA,reason,105,BLOCK_TYPE_IS_NOT_01
+RSA,reason,106,BN_NOT_INITIALIZED
+RSA,reason,107,CRT_PARAMS_ALREADY_GIVEN
+RSA,reason,108,CRT_VALUES_INCORRECT
+RSA,reason,109,DATA_LEN_NOT_EQUAL_TO_MOD_LEN
+RSA,reason,110,DATA_TOO_LARGE
+RSA,reason,111,DATA_TOO_LARGE_FOR_KEY_SIZE
+RSA,reason,112,DATA_TOO_LARGE_FOR_MODULUS
+RSA,reason,113,DATA_TOO_SMALL
+RSA,reason,114,DATA_TOO_SMALL_FOR_KEY_SIZE
+RSA,reason,115,DIGEST_TOO_BIG_FOR_RSA_KEY
+RSA,reason,116,D_E_NOT_CONGRUENT_TO_1
+RSA,reason,117,EMPTY_PUBLIC_KEY
+RSA,reason,118,FIRST_OCTET_INVALID
+RSA,reason,119,INCONSISTENT_SET_OF_CRT_VALUES
+RSA,reason,120,INTERNAL_ERROR
+RSA,reason,121,INVALID_MESSAGE_LENGTH
+RSA,reason,122,KEY_SIZE_TOO_SMALL
+RSA,reason,123,LAST_OCTET_INVALID
+RSA,reason,124,MODULUS_TOO_LARGE
+RSA,reason,125,NO_PUBLIC_EXPONENT
+RSA,reason,126,NULL_BEFORE_BLOCK_MISSING
+RSA,reason,127,N_NOT_EQUAL_P_Q
+RSA,reason,128,OAEP_DECODING_ERROR
+RSA,reason,129,ONLY_ONE_OF_P_Q_GIVEN
+RSA,reason,130,OUTPUT_BUFFER_TOO_SMALL
+RSA,reason,131,PADDING_CHECK_FAILED
+RSA,reason,132,PKCS_DECODING_ERROR
+RSA,reason,133,SLEN_CHECK_FAILED
+RSA,reason,134,SLEN_RECOVERY_FAILED
+RSA,reason,135,TOO_LONG
+RSA,reason,136,TOO_MANY_ITERATIONS
+RSA,reason,137,UNKNOWN_ALGORITHM_TYPE
+RSA,reason,138,UNKNOWN_PADDING_TYPE
+RSA,reason,139,VALUE_MISSING
+RSA,reason,140,WRONG_SIGNATURE_LENGTH
diff --git a/src/crypto/err/ssl.errordata b/src/crypto/err/ssl.errordata
new file mode 100644
index 0000000..afeaaeb
--- /dev/null
+++ b/src/crypto/err/ssl.errordata
@@ -0,0 +1,376 @@
+SSL,function,100,SSL_CTX_check_private_key
+SSL,function,101,SSL_CTX_new
+SSL,function,272,SSL_CTX_set1_tls_channel_id
+SSL,function,102,SSL_CTX_set_cipher_list
+SSL,function,103,SSL_CTX_set_cipher_list_tls11
+SSL,function,104,SSL_CTX_set_session_id_context
+SSL,function,268,SSL_CTX_set_tmp_dh
+SSL,function,269,SSL_CTX_set_tmp_ecdh
+SSL,function,105,SSL_CTX_use_PrivateKey
+SSL,function,106,SSL_CTX_use_PrivateKey_ASN1
+SSL,function,107,SSL_CTX_use_PrivateKey_file
+SSL,function,108,SSL_CTX_use_RSAPrivateKey
+SSL,function,109,SSL_CTX_use_RSAPrivateKey_ASN1
+SSL,function,110,SSL_CTX_use_RSAPrivateKey_file
+SSL,function,111,SSL_CTX_use_certificate
+SSL,function,112,SSL_CTX_use_certificate_ASN1
+SSL,function,113,SSL_CTX_use_certificate_chain_file
+SSL,function,114,SSL_CTX_use_certificate_file
+SSL,function,115,SSL_CTX_use_psk_identity_hint
+SSL,function,116,SSL_SESSION_new
+SSL,function,117,SSL_SESSION_print_fp
+SSL,function,118,SSL_SESSION_set1_id_context
+SSL,function,119,SSL_SESSION_to_bytes_full
+SSL,function,120,SSL_accept
+SSL,function,121,SSL_add_dir_cert_subjects_to_stack
+SSL,function,122,SSL_add_file_cert_subjects_to_stack
+SSL,function,123,SSL_check_private_key
+SSL,function,124,SSL_clear
+SSL,function,125,SSL_connect
+SSL,function,126,SSL_do_handshake
+SSL,function,127,SSL_load_client_CA_file
+SSL,function,128,SSL_new
+SSL,function,129,SSL_peek
+SSL,function,130,SSL_read
+SSL,function,131,SSL_renegotiate
+SSL,function,273,SSL_set1_tls_channel_id
+SSL,function,132,SSL_set_cipher_list
+SSL,function,133,SSL_set_fd
+SSL,function,134,SSL_set_rfd
+SSL,function,135,SSL_set_session_id_context
+SSL,function,274,SSL_set_tlsext_host_name
+SSL,function,270,SSL_set_tmp_dh
+SSL,function,271,SSL_set_tmp_ecdh
+SSL,function,136,SSL_set_wfd
+SSL,function,137,SSL_shutdown
+SSL,function,138,SSL_use_PrivateKey
+SSL,function,139,SSL_use_PrivateKey_ASN1
+SSL,function,140,SSL_use_PrivateKey_file
+SSL,function,141,SSL_use_RSAPrivateKey
+SSL,function,142,SSL_use_RSAPrivateKey_ASN1
+SSL,function,143,SSL_use_RSAPrivateKey_file
+SSL,function,144,SSL_use_certificate
+SSL,function,145,SSL_use_certificate_ASN1
+SSL,function,146,SSL_use_certificate_file
+SSL,function,147,SSL_use_psk_identity_hint
+SSL,function,148,SSL_write
+SSL,function,149,d2i_SSL_SESSION
+SSL,function,150,d2i_SSL_SESSION_get_octet_string
+SSL,function,151,d2i_SSL_SESSION_get_string
+SSL,function,152,do_ssl3_write
+SSL,function,153,dtls1_accept
+SSL,function,154,dtls1_buffer_record
+SSL,function,155,dtls1_check_timeout_num
+SSL,function,156,dtls1_connect
+SSL,function,157,dtls1_do_write
+SSL,function,263,dtls1_get_buffered_message
+SSL,function,158,dtls1_get_hello_verify
+SSL,function,159,dtls1_get_message
+SSL,function,160,dtls1_get_message_fragment
+SSL,function,265,dtls1_hm_fragment_new
+SSL,function,161,dtls1_preprocess_fragment
+SSL,function,264,dtls1_process_fragment
+SSL,function,162,dtls1_process_record
+SSL,function,163,dtls1_read_bytes
+SSL,function,164,dtls1_send_hello_verify_request
+SSL,function,165,dtls1_write_app_data_bytes
+SSL,function,166,i2d_SSL_SESSION
+SSL,function,167,ssl3_accept
+SSL,function,169,ssl3_cert_verify_hash
+SSL,function,170,ssl3_check_cert_and_algorithm
+SSL,function,171,ssl3_connect
+SSL,function,172,ssl3_ctrl
+SSL,function,173,ssl3_ctx_ctrl
+SSL,function,174,ssl3_digest_cached_records
+SSL,function,175,ssl3_do_change_cipher_spec
+SSL,function,176,ssl3_expect_change_cipher_spec
+SSL,function,177,ssl3_get_cert_status
+SSL,function,178,ssl3_get_cert_verify
+SSL,function,179,ssl3_get_certificate_request
+SSL,function,180,ssl3_get_channel_id
+SSL,function,181,ssl3_get_client_certificate
+SSL,function,182,ssl3_get_client_hello
+SSL,function,183,ssl3_get_client_key_exchange
+SSL,function,184,ssl3_get_finished
+SSL,function,185,ssl3_get_initial_bytes
+SSL,function,186,ssl3_get_message
+SSL,function,187,ssl3_get_new_session_ticket
+SSL,function,188,ssl3_get_next_proto
+SSL,function,189,ssl3_get_record
+SSL,function,190,ssl3_get_server_certificate
+SSL,function,191,ssl3_get_server_done
+SSL,function,192,ssl3_get_server_hello
+SSL,function,193,ssl3_get_server_key_exchange
+SSL,function,194,ssl3_get_v2_client_hello
+SSL,function,195,ssl3_handshake_mac
+SSL,function,275,ssl3_output_cert_chain
+SSL,function,196,ssl3_prf
+SSL,function,197,ssl3_read_bytes
+SSL,function,198,ssl3_read_n
+SSL,function,267,ssl3_record_sequence_update
+SSL,function,266,ssl3_seal_record
+SSL,function,199,ssl3_send_cert_verify
+SSL,function,200,ssl3_send_certificate_request
+SSL,function,201,ssl3_send_channel_id
+SSL,function,202,ssl3_send_client_certificate
+SSL,function,203,ssl3_send_client_hello
+SSL,function,204,ssl3_send_client_key_exchange
+SSL,function,205,ssl3_send_server_certificate
+SSL,function,206,ssl3_send_server_hello
+SSL,function,207,ssl3_send_server_key_exchange
+SSL,function,208,ssl3_setup_read_buffer
+SSL,function,209,ssl3_setup_write_buffer
+SSL,function,210,ssl3_write_bytes
+SSL,function,211,ssl3_write_pending
+SSL,function,212,ssl_add_cert_chain
+SSL,function,213,ssl_add_cert_to_buf
+SSL,function,214,ssl_add_clienthello_renegotiate_ext
+SSL,function,215,ssl_add_clienthello_tlsext
+SSL,function,216,ssl_add_clienthello_use_srtp_ext
+SSL,function,217,ssl_add_serverhello_renegotiate_ext
+SSL,function,218,ssl_add_serverhello_tlsext
+SSL,function,219,ssl_add_serverhello_use_srtp_ext
+SSL,function,220,ssl_build_cert_chain
+SSL,function,221,ssl_bytes_to_cipher_list
+SSL,function,222,ssl_cert_dup
+SSL,function,223,ssl_cert_inst
+SSL,function,224,ssl_cert_new
+SSL,function,225,ssl_check_serverhello_tlsext
+SSL,function,226,ssl_check_srvr_ecc_cert_and_alg
+SSL,function,227,ssl_cipher_process_rulestr
+SSL,function,228,ssl_cipher_strength_sort
+SSL,function,229,ssl_create_cipher_list
+SSL,function,230,ssl_ctx_log_master_secret
+SSL,function,231,ssl_ctx_log_rsa_client_key_exchange
+SSL,function,232,ssl_ctx_make_profiles
+SSL,function,233,ssl_get_new_session
+SSL,function,234,ssl_get_prev_session
+SSL,function,235,ssl_get_server_cert_index
+SSL,function,236,ssl_get_sign_pkey
+SSL,function,237,ssl_init_wbio_buffer
+SSL,function,238,ssl_parse_clienthello_renegotiate_ext
+SSL,function,239,ssl_parse_clienthello_tlsext
+SSL,function,240,ssl_parse_clienthello_use_srtp_ext
+SSL,function,241,ssl_parse_serverhello_renegotiate_ext
+SSL,function,242,ssl_parse_serverhello_tlsext
+SSL,function,243,ssl_parse_serverhello_use_srtp_ext
+SSL,function,244,ssl_scan_clienthello_tlsext
+SSL,function,245,ssl_scan_serverhello_tlsext
+SSL,function,246,ssl_sess_cert_new
+SSL,function,247,ssl_set_cert
+SSL,function,248,ssl_set_pkey
+SSL,function,252,ssl_verify_cert_chain
+SSL,function,253,tls12_check_peer_sigalg
+SSL,function,254,tls1_aead_ctx_init
+SSL,function,255,tls1_cert_verify_mac
+SSL,function,256,tls1_change_cipher_state
+SSL,function,257,tls1_change_cipher_state_aead
+SSL,function,258,tls1_check_duplicate_extensions
+SSL,function,259,tls1_enc
+SSL,function,260,tls1_export_keying_material
+SSL,function,261,tls1_prf
+SSL,function,262,tls1_setup_key_block
+SSL,reason,100,APP_DATA_IN_HANDSHAKE
+SSL,reason,101,ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT
+SSL,reason,102,BAD_ALERT
+SSL,reason,103,BAD_CHANGE_CIPHER_SPEC
+SSL,reason,104,BAD_DATA_RETURNED_BY_CALLBACK
+SSL,reason,105,BAD_DH_P_LENGTH
+SSL,reason,106,BAD_DIGEST_LENGTH
+SSL,reason,107,BAD_ECC_CERT
+SSL,reason,108,BAD_ECPOINT
+SSL,reason,109,BAD_HANDSHAKE_LENGTH
+SSL,reason,110,BAD_HANDSHAKE_RECORD
+SSL,reason,111,BAD_HELLO_REQUEST
+SSL,reason,112,BAD_LENGTH
+SSL,reason,113,BAD_PACKET_LENGTH
+SSL,reason,114,BAD_RSA_ENCRYPT
+SSL,reason,115,BAD_SIGNATURE
+SSL,reason,116,BAD_SRTP_MKI_VALUE
+SSL,reason,117,BAD_SRTP_PROTECTION_PROFILE_LIST
+SSL,reason,118,BAD_SSL_FILETYPE
+SSL,reason,119,BAD_WRITE_RETRY
+SSL,reason,120,BIO_NOT_SET
+SSL,reason,121,BN_LIB
+SSL,reason,272,BUFFER_TOO_SMALL
+SSL,reason,122,CANNOT_SERIALIZE_PUBLIC_KEY
+SSL,reason,123,CA_DN_LENGTH_MISMATCH
+SSL,reason,124,CA_DN_TOO_LONG
+SSL,reason,125,CCS_RECEIVED_EARLY
+SSL,reason,126,CERTIFICATE_VERIFY_FAILED
+SSL,reason,127,CERT_CB_ERROR
+SSL,reason,128,CERT_LENGTH_MISMATCH
+SSL,reason,129,CHANNEL_ID_NOT_P256
+SSL,reason,130,CHANNEL_ID_SIGNATURE_INVALID
+SSL,reason,131,CIPHER_CODE_WRONG_LENGTH
+SSL,reason,132,CIPHER_OR_HASH_UNAVAILABLE
+SSL,reason,133,CLIENTHELLO_PARSE_FAILED
+SSL,reason,134,CLIENTHELLO_TLSEXT
+SSL,reason,135,CONNECTION_REJECTED
+SSL,reason,136,CONNECTION_TYPE_NOT_SET
+SSL,reason,137,COOKIE_MISMATCH
+SSL,reason,138,D2I_ECDSA_SIG
+SSL,reason,139,DATA_BETWEEN_CCS_AND_FINISHED
+SSL,reason,140,DATA_LENGTH_TOO_LONG
+SSL,reason,141,DECODE_ERROR
+SSL,reason,142,DECRYPTION_FAILED
+SSL,reason,143,DECRYPTION_FAILED_OR_BAD_RECORD_MAC
+SSL,reason,144,DH_PUBLIC_VALUE_LENGTH_IS_WRONG
+SSL,reason,145,DIGEST_CHECK_FAILED
+SSL,reason,146,DTLS_MESSAGE_TOO_BIG
+SSL,reason,147,ECC_CERT_NOT_FOR_SIGNING
+SSL,reason,148,EMPTY_SRTP_PROTECTION_PROFILE_LIST
+SSL,reason,149,ENCRYPTED_LENGTH_TOO_LONG
+SSL,reason,150,ERROR_IN_RECEIVED_CIPHER_LIST
+SSL,reason,151,EVP_DIGESTSIGNFINAL_FAILED
+SSL,reason,152,EVP_DIGESTSIGNINIT_FAILED
+SSL,reason,153,EXCESSIVE_MESSAGE_SIZE
+SSL,reason,154,EXTRA_DATA_IN_MESSAGE
+SSL,reason,271,FRAGMENT_MISMATCH
+SSL,reason,155,GOT_A_FIN_BEFORE_A_CCS
+SSL,reason,156,GOT_CHANNEL_ID_BEFORE_A_CCS
+SSL,reason,157,GOT_NEXT_PROTO_BEFORE_A_CCS
+SSL,reason,158,GOT_NEXT_PROTO_WITHOUT_EXTENSION
+SSL,reason,159,HANDSHAKE_FAILURE_ON_CLIENT_HELLO
+SSL,reason,160,HANDSHAKE_RECORD_BEFORE_CCS
+SSL,reason,161,HTTPS_PROXY_REQUEST
+SSL,reason,162,HTTP_REQUEST
+SSL,reason,163,INAPPROPRIATE_FALLBACK
+SSL,reason,164,INVALID_COMMAND
+SSL,reason,165,INVALID_MESSAGE
+SSL,reason,166,INVALID_SSL_SESSION
+SSL,reason,167,INVALID_TICKET_KEYS_LENGTH
+SSL,reason,168,LENGTH_MISMATCH
+SSL,reason,169,LIBRARY_HAS_NO_CIPHERS
+SSL,reason,170,MISSING_DH_KEY
+SSL,reason,171,MISSING_ECDSA_SIGNING_CERT
+SSL,reason,172,MISSING_RSA_CERTIFICATE
+SSL,reason,173,MISSING_RSA_ENCRYPTING_CERT
+SSL,reason,174,MISSING_RSA_SIGNING_CERT
+SSL,reason,175,MISSING_TMP_DH_KEY
+SSL,reason,176,MISSING_TMP_ECDH_KEY
+SSL,reason,177,MIXED_SPECIAL_OPERATOR_WITH_GROUPS
+SSL,reason,178,MTU_TOO_SMALL
+SSL,reason,179,NESTED_GROUP
+SSL,reason,180,NO_CERTIFICATES_RETURNED
+SSL,reason,181,NO_CERTIFICATE_ASSIGNED
+SSL,reason,182,NO_CERTIFICATE_SET
+SSL,reason,183,NO_CIPHERS_AVAILABLE
+SSL,reason,184,NO_CIPHERS_PASSED
+SSL,reason,185,NO_CIPHERS_SPECIFIED
+SSL,reason,186,NO_CIPHER_MATCH
+SSL,reason,187,NO_COMPRESSION_SPECIFIED
+SSL,reason,188,NO_METHOD_SPECIFIED
+SSL,reason,189,NO_P256_SUPPORT
+SSL,reason,190,NO_PRIVATE_KEY_ASSIGNED
+SSL,reason,191,NO_RENEGOTIATION
+SSL,reason,192,NO_REQUIRED_DIGEST
+SSL,reason,193,NO_SHARED_CIPHER
+SSL,reason,194,NO_SHARED_SIGATURE_ALGORITHMS
+SSL,reason,195,NO_SRTP_PROFILES
+SSL,reason,196,NULL_SSL_CTX
+SSL,reason,197,NULL_SSL_METHOD_PASSED
+SSL,reason,198,OLD_SESSION_CIPHER_NOT_RETURNED
+SSL,reason,273,OLD_SESSION_VERSION_NOT_RETURNED
+SSL,reason,199,PACKET_LENGTH_TOO_LONG
+SSL,reason,200,PARSE_TLSEXT
+SSL,reason,201,PATH_TOO_LONG
+SSL,reason,202,PEER_DID_NOT_RETURN_A_CERTIFICATE
+SSL,reason,203,PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE
+SSL,reason,204,PROTOCOL_IS_SHUTDOWN
+SSL,reason,205,PSK_IDENTITY_NOT_FOUND
+SSL,reason,206,PSK_NO_CLIENT_CB
+SSL,reason,207,PSK_NO_SERVER_CB
+SSL,reason,208,READ_BIO_NOT_SET
+SSL,reason,209,READ_TIMEOUT_EXPIRED
+SSL,reason,210,RECORD_LENGTH_MISMATCH
+SSL,reason,211,RECORD_TOO_LARGE
+SSL,reason,212,RENEGOTIATE_EXT_TOO_LONG
+SSL,reason,213,RENEGOTIATION_ENCODING_ERR
+SSL,reason,214,RENEGOTIATION_MISMATCH
+SSL,reason,215,REQUIRED_CIPHER_MISSING
+SSL,reason,216,SCSV_RECEIVED_WHEN_RENEGOTIATING
+SSL,reason,217,SERVERHELLO_TLSEXT
+SSL,reason,218,SESSION_ID_CONTEXT_UNINITIALIZED
+SSL,reason,219,SESSION_MAY_NOT_BE_CREATED
+SSL,reason,220,SIGNATURE_ALGORITHMS_ERROR
+SSL,reason,221,SRTP_COULD_NOT_ALLOCATE_PROFILES
+SSL,reason,222,SRTP_PROTECTION_PROFILE_LIST_TOO_LONG
+SSL,reason,223,SRTP_UNKNOWN_PROTECTION_PROFILE
+SSL,reason,224,SSL3_EXT_INVALID_SERVERNAME
+SSL,reason,225,SSL3_EXT_INVALID_SERVERNAME_TYPE
+SSL,reason,1042,SSLV3_ALERT_BAD_CERTIFICATE
+SSL,reason,1020,SSLV3_ALERT_BAD_RECORD_MAC
+SSL,reason,1045,SSLV3_ALERT_CERTIFICATE_EXPIRED
+SSL,reason,1044,SSLV3_ALERT_CERTIFICATE_REVOKED
+SSL,reason,1046,SSLV3_ALERT_CERTIFICATE_UNKNOWN
+SSL,reason,1000,SSLV3_ALERT_CLOSE_NOTIFY
+SSL,reason,1030,SSLV3_ALERT_DECOMPRESSION_FAILURE
+SSL,reason,1040,SSLV3_ALERT_HANDSHAKE_FAILURE
+SSL,reason,1047,SSLV3_ALERT_ILLEGAL_PARAMETER
+SSL,reason,1041,SSLV3_ALERT_NO_CERTIFICATE
+SSL,reason,1010,SSLV3_ALERT_UNEXPECTED_MESSAGE
+SSL,reason,1043,SSLV3_ALERT_UNSUPPORTED_CERTIFICATE
+SSL,reason,226,SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION
+SSL,reason,227,SSL_HANDSHAKE_FAILURE
+SSL,reason,228,SSL_SESSION_ID_CALLBACK_FAILED
+SSL,reason,229,SSL_SESSION_ID_CONFLICT
+SSL,reason,230,SSL_SESSION_ID_CONTEXT_TOO_LONG
+SSL,reason,231,SSL_SESSION_ID_HAS_BAD_LENGTH
+SSL,reason,1049,TLSV1_ALERT_ACCESS_DENIED
+SSL,reason,1050,TLSV1_ALERT_DECODE_ERROR
+SSL,reason,1021,TLSV1_ALERT_DECRYPTION_FAILED
+SSL,reason,1051,TLSV1_ALERT_DECRYPT_ERROR
+SSL,reason,1060,TLSV1_ALERT_EXPORT_RESTRICTION
+SSL,reason,1086,TLSV1_ALERT_INAPPROPRIATE_FALLBACK
+SSL,reason,1071,TLSV1_ALERT_INSUFFICIENT_SECURITY
+SSL,reason,1080,TLSV1_ALERT_INTERNAL_ERROR
+SSL,reason,1100,TLSV1_ALERT_NO_RENEGOTIATION
+SSL,reason,1070,TLSV1_ALERT_PROTOCOL_VERSION
+SSL,reason,1022,TLSV1_ALERT_RECORD_OVERFLOW
+SSL,reason,1048,TLSV1_ALERT_UNKNOWN_CA
+SSL,reason,1090,TLSV1_ALERT_USER_CANCELLED
+SSL,reason,1114,TLSV1_BAD_CERTIFICATE_HASH_VALUE
+SSL,reason,1113,TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE
+SSL,reason,1111,TLSV1_CERTIFICATE_UNOBTAINABLE
+SSL,reason,1112,TLSV1_UNRECOGNIZED_NAME
+SSL,reason,1110,TLSV1_UNSUPPORTED_EXTENSION
+SSL,reason,232,TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER
+SSL,reason,233,TLS_ILLEGAL_EXPORTER_LABEL
+SSL,reason,234,TLS_INVALID_ECPOINTFORMAT_LIST
+SSL,reason,235,TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST
+SSL,reason,236,TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG
+SSL,reason,237,TOO_MANY_EMPTY_FRAGMENTS
+SSL,reason,238,UNABLE_TO_FIND_ECDH_PARAMETERS
+SSL,reason,239,UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS
+SSL,reason,240,UNEXPECTED_GROUP_CLOSE
+SSL,reason,241,UNEXPECTED_MESSAGE
+SSL,reason,242,UNEXPECTED_OPERATOR_IN_GROUP
+SSL,reason,243,UNEXPECTED_RECORD
+SSL,reason,244,UNINITIALIZED
+SSL,reason,245,UNKNOWN_ALERT_TYPE
+SSL,reason,246,UNKNOWN_CERTIFICATE_TYPE
+SSL,reason,247,UNKNOWN_CIPHER_RETURNED
+SSL,reason,248,UNKNOWN_CIPHER_TYPE
+SSL,reason,249,UNKNOWN_DIGEST
+SSL,reason,250,UNKNOWN_KEY_EXCHANGE_TYPE
+SSL,reason,251,UNKNOWN_PROTOCOL
+SSL,reason,252,UNKNOWN_SSL_VERSION
+SSL,reason,253,UNKNOWN_STATE
+SSL,reason,254,UNPROCESSED_HANDSHAKE_DATA
+SSL,reason,255,UNSAFE_LEGACY_RENEGOTIATION_DISABLED
+SSL,reason,256,UNSUPPORTED_CIPHER
+SSL,reason,257,UNSUPPORTED_COMPRESSION_ALGORITHM
+SSL,reason,258,UNSUPPORTED_ELLIPTIC_CURVE
+SSL,reason,259,UNSUPPORTED_PROTOCOL
+SSL,reason,260,UNSUPPORTED_SSL_VERSION
+SSL,reason,261,USE_SRTP_NOT_NEGOTIATED
+SSL,reason,262,WRONG_CERTIFICATE_TYPE
+SSL,reason,263,WRONG_CIPHER_RETURNED
+SSL,reason,264,WRONG_CURVE
+SSL,reason,265,WRONG_MESSAGE_TYPE
+SSL,reason,266,WRONG_SIGNATURE_TYPE
+SSL,reason,267,WRONG_SSL_VERSION
+SSL,reason,268,WRONG_VERSION_NUMBER
+SSL,reason,269,X509_LIB
+SSL,reason,270,X509_VERIFICATION_SETUP_PROBLEMS
diff --git a/src/crypto/err/x509.errordata b/src/crypto/err/x509.errordata
new file mode 100644
index 0000000..1b50e36
--- /dev/null
+++ b/src/crypto/err/x509.errordata
@@ -0,0 +1,96 @@
+X509,function,100,ASN1_digest
+X509,function,101,ASN1_item_sign_ctx
+X509,function,102,ASN1_item_verify
+X509,function,103,NETSCAPE_SPKI_b64_decode
+X509,function,104,NETSCAPE_SPKI_b64_encode
+X509,function,158,PKCS7_get_CRLs
+X509,function,105,PKCS7_get_certificates
+X509,function,106,X509_ATTRIBUTE_create_by_NID
+X509,function,107,X509_ATTRIBUTE_create_by_OBJ
+X509,function,108,X509_ATTRIBUTE_create_by_txt
+X509,function,109,X509_ATTRIBUTE_get0_data
+X509,function,110,X509_ATTRIBUTE_set1_data
+X509,function,111,X509_CRL_add0_revoked
+X509,function,112,X509_CRL_diff
+X509,function,113,X509_CRL_print_fp
+X509,function,114,X509_EXTENSION_create_by_NID
+X509,function,115,X509_EXTENSION_create_by_OBJ
+X509,function,116,X509_INFO_new
+X509,function,117,X509_NAME_ENTRY_create_by_NID
+X509,function,118,X509_NAME_ENTRY_create_by_txt
+X509,function,119,X509_NAME_ENTRY_set_object
+X509,function,120,X509_NAME_add_entry
+X509,function,121,X509_NAME_oneline
+X509,function,122,X509_NAME_print
+X509,function,123,X509_PKEY_new
+X509,function,124,X509_PUBKEY_get
+X509,function,125,X509_PUBKEY_set
+X509,function,126,X509_REQ_check_private_key
+X509,function,127,X509_REQ_to_X509
+X509,function,128,X509_STORE_CTX_get1_issuer
+X509,function,129,X509_STORE_CTX_init
+X509,function,130,X509_STORE_CTX_new
+X509,function,131,X509_STORE_CTX_purpose_inherit
+X509,function,132,X509_STORE_add_cert
+X509,function,133,X509_STORE_add_crl
+X509,function,134,X509_TRUST_add
+X509,function,135,X509_TRUST_set
+X509,function,136,X509_check_private_key
+X509,function,137,X509_get_pubkey_parameters
+X509,function,138,X509_load_cert_crl_file
+X509,function,139,X509_load_cert_file
+X509,function,140,X509_load_crl_file
+X509,function,141,X509_print_ex_fp
+X509,function,142,X509_to_X509_REQ
+X509,function,143,X509_verify_cert
+X509,function,144,X509at_add1_attr
+X509,function,145,X509v3_add_ext
+X509,function,146,add_cert_dir
+X509,function,147,by_file_ctrl
+X509,function,148,check_policy
+X509,function,149,dir_ctrl
+X509,function,150,get_cert_by_subject
+X509,function,151,i2d_DSA_PUBKEY
+X509,function,152,i2d_EC_PUBKEY
+X509,function,153,i2d_RSA_PUBKEY
+X509,function,157,pkcs7_parse_header
+X509,function,154,x509_name_encode
+X509,function,155,x509_name_ex_d2i
+X509,function,156,x509_name_ex_new
+X509,reason,100,AKID_MISMATCH
+X509,reason,101,BAD_PKCS7_VERSION
+X509,reason,102,BAD_X509_FILETYPE
+X509,reason,103,BASE64_DECODE_ERROR
+X509,reason,104,CANT_CHECK_DH_KEY
+X509,reason,105,CERT_ALREADY_IN_HASH_TABLE
+X509,reason,106,CRL_ALREADY_DELTA
+X509,reason,107,CRL_VERIFY_FAILURE
+X509,reason,108,IDP_MISMATCH
+X509,reason,109,INVALID_BIT_STRING_BITS_LEFT
+X509,reason,110,INVALID_DIRECTORY
+X509,reason,111,INVALID_FIELD_NAME
+X509,reason,112,INVALID_TRUST
+X509,reason,113,ISSUER_MISMATCH
+X509,reason,114,KEY_TYPE_MISMATCH
+X509,reason,115,KEY_VALUES_MISMATCH
+X509,reason,116,LOADING_CERT_DIR
+X509,reason,117,LOADING_DEFAULTS
+X509,reason,118,METHOD_NOT_SUPPORTED
+X509,reason,119,NEWER_CRL_NOT_NEWER
+X509,reason,120,NOT_PKCS7_SIGNED_DATA
+X509,reason,121,NO_CERTIFICATES_INCLUDED
+X509,reason,122,NO_CERT_SET_FOR_US_TO_VERIFY
+X509,reason,136,NO_CRLS_INCLUDED
+X509,reason,123,NO_CRL_NUMBER
+X509,reason,124,PUBLIC_KEY_DECODE_ERROR
+X509,reason,125,PUBLIC_KEY_ENCODE_ERROR
+X509,reason,126,SHOULD_RETRY
+X509,reason,127,UNABLE_TO_FIND_PARAMETERS_IN_CHAIN
+X509,reason,128,UNABLE_TO_GET_CERTS_PUBLIC_KEY
+X509,reason,129,UNKNOWN_KEY_TYPE
+X509,reason,130,UNKNOWN_NID
+X509,reason,131,UNKNOWN_PURPOSE_ID
+X509,reason,132,UNKNOWN_TRUST_ID
+X509,reason,133,UNSUPPORTED_ALGORITHM
+X509,reason,134,WRONG_LOOKUP_TYPE
+X509,reason,135,WRONG_TYPE
diff --git a/src/crypto/err/x509v3.errordata b/src/crypto/err/x509v3.errordata
new file mode 100644
index 0000000..059e677
--- /dev/null
+++ b/src/crypto/err/x509v3.errordata
@@ -0,0 +1,120 @@
+X509V3,function,100,SXNET_add_id_INTEGER
+X509V3,function,101,SXNET_add_id_asc
+X509V3,function,102,SXNET_add_id_ulong
+X509V3,function,103,SXNET_get_id_asc
+X509V3,function,104,SXNET_get_id_ulong
+X509V3,function,105,X509V3_EXT_add
+X509V3,function,106,X509V3_EXT_add_alias
+X509V3,function,107,X509V3_EXT_free
+X509V3,function,108,X509V3_EXT_i2d
+X509V3,function,109,X509V3_EXT_nconf
+X509V3,function,110,X509V3_add1_i2d
+X509V3,function,111,X509V3_add_value
+X509V3,function,112,X509V3_get_section
+X509V3,function,113,X509V3_get_string
+X509V3,function,114,X509V3_get_value_bool
+X509V3,function,115,X509V3_parse_list
+X509V3,function,116,X509_PURPOSE_add
+X509V3,function,117,X509_PURPOSE_set
+X509V3,function,118,a2i_GENERAL_NAME
+X509V3,function,119,copy_email
+X509V3,function,120,copy_issuer
+X509V3,function,121,do_dirname
+X509V3,function,122,do_ext_i2d
+X509V3,function,123,do_ext_nconf
+X509V3,function,124,gnames_from_sectname
+X509V3,function,125,hex_to_string
+X509V3,function,126,i2s_ASN1_ENUMERATED
+X509V3,function,127,i2s_ASN1_IA5STRING
+X509V3,function,128,i2s_ASN1_INTEGER
+X509V3,function,129,i2v_AUTHORITY_INFO_ACCESS
+X509V3,function,130,notice_section
+X509V3,function,131,nref_nos
+X509V3,function,132,policy_section
+X509V3,function,133,process_pci_value
+X509V3,function,134,r2i_certpol
+X509V3,function,135,r2i_pci
+X509V3,function,136,s2i_ASN1_IA5STRING
+X509V3,function,137,s2i_ASN1_INTEGER
+X509V3,function,138,s2i_ASN1_OCTET_STRING
+X509V3,function,139,s2i_skey_id
+X509V3,function,140,set_dist_point_name
+X509V3,function,141,string_to_hex
+X509V3,function,142,v2i_ASN1_BIT_STRING
+X509V3,function,143,v2i_AUTHORITY_INFO_ACCESS
+X509V3,function,144,v2i_AUTHORITY_KEYID
+X509V3,function,145,v2i_BASIC_CONSTRAINTS
+X509V3,function,146,v2i_EXTENDED_KEY_USAGE
+X509V3,function,147,v2i_GENERAL_NAMES
+X509V3,function,148,v2i_GENERAL_NAME_ex
+X509V3,function,149,v2i_NAME_CONSTRAINTS
+X509V3,function,150,v2i_POLICY_CONSTRAINTS
+X509V3,function,151,v2i_POLICY_MAPPINGS
+X509V3,function,152,v2i_crld
+X509V3,function,153,v2i_idp
+X509V3,function,154,v2i_issuer_alt
+X509V3,function,155,v2i_subject_alt
+X509V3,function,156,v3_generic_extension
+X509V3,reason,100,BAD_IP_ADDRESS
+X509V3,reason,101,BAD_OBJECT
+X509V3,reason,102,BN_DEC2BN_ERROR
+X509V3,reason,103,BN_TO_ASN1_INTEGER_ERROR
+X509V3,reason,104,CANNOT_FIND_FREE_FUNCTION
+X509V3,reason,105,DIRNAME_ERROR
+X509V3,reason,106,DISTPOINT_ALREADY_SET
+X509V3,reason,107,DUPLICATE_ZONE_ID
+X509V3,reason,108,ERROR_CONVERTING_ZONE
+X509V3,reason,109,ERROR_CREATING_EXTENSION
+X509V3,reason,110,ERROR_IN_EXTENSION
+X509V3,reason,111,EXPECTED_A_SECTION_NAME
+X509V3,reason,112,EXTENSION_EXISTS
+X509V3,reason,113,EXTENSION_NAME_ERROR
+X509V3,reason,114,EXTENSION_NOT_FOUND
+X509V3,reason,115,EXTENSION_SETTING_NOT_SUPPORTED
+X509V3,reason,116,EXTENSION_VALUE_ERROR
+X509V3,reason,117,ILLEGAL_EMPTY_EXTENSION
+X509V3,reason,118,ILLEGAL_HEX_DIGIT
+X509V3,reason,119,INCORRECT_POLICY_SYNTAX_TAG
+X509V3,reason,120,INVALID_BOOLEAN_STRING
+X509V3,reason,121,INVALID_EXTENSION_STRING
+X509V3,reason,122,INVALID_MULTIPLE_RDNS
+X509V3,reason,123,INVALID_NAME
+X509V3,reason,124,INVALID_NULL_ARGUMENT
+X509V3,reason,125,INVALID_NULL_NAME
+X509V3,reason,126,INVALID_NULL_VALUE
+X509V3,reason,127,INVALID_NUMBER
+X509V3,reason,128,INVALID_NUMBERS
+X509V3,reason,129,INVALID_OBJECT_IDENTIFIER
+X509V3,reason,130,INVALID_OPTION
+X509V3,reason,131,INVALID_POLICY_IDENTIFIER
+X509V3,reason,132,INVALID_PROXY_POLICY_SETTING
+X509V3,reason,133,INVALID_PURPOSE
+X509V3,reason,134,INVALID_SECTION
+X509V3,reason,135,INVALID_SYNTAX
+X509V3,reason,136,ISSUER_DECODE_ERROR
+X509V3,reason,137,MISSING_VALUE
+X509V3,reason,138,NEED_ORGANIZATION_AND_NUMBERS
+X509V3,reason,139,NO_CONFIG_DATABASE
+X509V3,reason,140,NO_ISSUER_CERTIFICATE
+X509V3,reason,141,NO_ISSUER_DETAILS
+X509V3,reason,142,NO_POLICY_IDENTIFIER
+X509V3,reason,143,NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED
+X509V3,reason,144,NO_PUBLIC_KEY
+X509V3,reason,145,NO_SUBJECT_DETAILS
+X509V3,reason,146,ODD_NUMBER_OF_DIGITS
+X509V3,reason,147,OPERATION_NOT_DEFINED
+X509V3,reason,148,OTHERNAME_ERROR
+X509V3,reason,149,POLICY_LANGUAGE_ALREADY_DEFINED
+X509V3,reason,150,POLICY_PATH_LENGTH
+X509V3,reason,151,POLICY_PATH_LENGTH_ALREADY_DEFINED
+X509V3,reason,152,POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY
+X509V3,reason,153,SECTION_NOT_FOUND
+X509V3,reason,154,UNABLE_TO_GET_ISSUER_DETAILS
+X509V3,reason,155,UNABLE_TO_GET_ISSUER_KEYID
+X509V3,reason,156,UNKNOWN_BIT_STRING_ARGUMENT
+X509V3,reason,157,UNKNOWN_EXTENSION
+X509V3,reason,158,UNKNOWN_EXTENSION_NAME
+X509V3,reason,159,UNKNOWN_OPTION
+X509V3,reason,160,UNSUPPORTED_OPTION
+X509V3,reason,161,UNSUPPORTED_TYPE
+X509V3,reason,162,USER_TOO_LONG
diff --git a/src/crypto/evp/CMakeLists.txt b/src/crypto/evp/CMakeLists.txt
index 9854a18..6db9752 100644
--- a/src/crypto/evp/CMakeLists.txt
+++ b/src/crypto/evp/CMakeLists.txt
@@ -10,7 +10,7 @@ add_library(
   digestsign.c
   evp.c
   evp_ctx.c
-  evp_error.c
+  p_dsa_asn1.c
   p_ec.c
   p_ec_asn1.c
   p_hmac.c
@@ -23,16 +23,24 @@ add_library(
 
 
 add_executable(
+  evp_extra_test
+
+  evp_extra_test.cc
+)
+
+add_executable(
   evp_test
 
-  evp_test.c
+  evp_test.cc
+  $<TARGET_OBJECTS:test_support>
 )
 
 add_executable(
   pbkdf_test
 
-  pbkdf_test.c
+  pbkdf_test.cc
 )
 
+target_link_libraries(evp_extra_test crypto)
 target_link_libraries(evp_test crypto)
 target_link_libraries(pbkdf_test crypto)
diff --git a/src/crypto/evp/asn1.c b/src/crypto/evp/asn1.c
index 27ae017..3df9f52 100644
--- a/src/crypto/evp/asn1.c
+++ b/src/crypto/evp/asn1.c
@@ -105,7 +105,7 @@ EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **out, const uint8_t **inp,
   return ret;
 
 err:
-  if (ret != NULL && (out == NULL || *out != ret)) {
+  if (out == NULL || *out != ret) {
     EVP_PKEY_free(ret);
   }
   return NULL;
diff --git a/src/crypto/evp/digestsign.c b/src/crypto/evp/digestsign.c
index c86b805..c163d40 100644
--- a/src/crypto/evp/digestsign.c
+++ b/src/crypto/evp/digestsign.c
@@ -65,9 +65,8 @@
 /* md_begin_digset is a callback from the |EVP_MD_CTX| code that is called when
  * a new digest is begun. */
 static int md_begin_digest(EVP_MD_CTX *ctx) {
-  int r = EVP_PKEY_CTX_ctrl(ctx->pctx, -1, EVP_PKEY_OP_TYPE_SIG,
-                            EVP_PKEY_CTRL_DIGESTINIT, 0, ctx);
-  return r > 0 || r == -2;
+  return EVP_PKEY_CTX_ctrl(ctx->pctx, -1, EVP_PKEY_OP_TYPE_SIG,
+                           EVP_PKEY_CTRL_DIGESTINIT, 0, ctx);
 }
 
 static const struct evp_md_pctx_ops md_pctx_ops = {
@@ -98,24 +97,24 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
 
   if (is_verify) {
     if (ctx->pctx->pmeth->verifyctx_init) {
-      if (ctx->pctx->pmeth->verifyctx_init(ctx->pctx, ctx) <= 0) {
+      if (!ctx->pctx->pmeth->verifyctx_init(ctx->pctx, ctx)) {
         return 0;
       }
       ctx->pctx->operation = EVP_PKEY_OP_VERIFYCTX;
-    } else if (EVP_PKEY_verify_init(ctx->pctx) <= 0) {
+    } else if (!EVP_PKEY_verify_init(ctx->pctx)) {
       return 0;
     }
   } else {
     if (ctx->pctx->pmeth->signctx_init) {
-      if (ctx->pctx->pmeth->signctx_init(ctx->pctx, ctx) <= 0) {
+      if (!ctx->pctx->pmeth->signctx_init(ctx->pctx, ctx)) {
         return 0;
       }
       ctx->pctx->operation = EVP_PKEY_OP_SIGNCTX;
-    } else if (EVP_PKEY_sign_init(ctx->pctx) <= 0) {
+    } else if (!EVP_PKEY_sign_init(ctx->pctx)) {
       return 0;
     }
   }
-  if (EVP_PKEY_CTX_set_signature_md(ctx->pctx, type) <= 0) {
+  if (!EVP_PKEY_CTX_set_signature_md(ctx->pctx, type)) {
     return 0;
   }
   if (pctx) {
@@ -163,12 +162,12 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, uint8_t *out_sig,
       r = tmp_ctx.pctx->pmeth->signctx(tmp_ctx.pctx, out_sig, out_sig_len, &tmp_ctx);
     } else {
       r = EVP_DigestFinal_ex(&tmp_ctx, md, &mdlen);
+      if (r) {
+        r = EVP_PKEY_sign(ctx->pctx, out_sig, out_sig_len, md, mdlen);
+      }
     }
     EVP_MD_CTX_cleanup(&tmp_ctx);
-    if (has_signctx || !r) {
-      return r;
-    }
-    return EVP_PKEY_sign(ctx->pctx, out_sig, out_sig_len, md, mdlen);
+    return r;
   } else {
     if (has_signctx) {
       return ctx->pctx->pmeth->signctx(ctx->pctx, out_sig, out_sig_len, ctx);
@@ -185,21 +184,21 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const uint8_t *sig,
   uint8_t md[EVP_MAX_MD_SIZE];
   int r;
   unsigned int mdlen;
-  const int has_verifyctx = ctx->pctx->pmeth->verifyctx != NULL;
 
   EVP_MD_CTX_init(&tmp_ctx);
   if (!EVP_MD_CTX_copy_ex(&tmp_ctx, ctx)) {
     return 0;
   }
-  if (has_verifyctx) {
+  if (ctx->pctx->pmeth->verifyctx) {
     r = tmp_ctx.pctx->pmeth->verifyctx(tmp_ctx.pctx, sig, sig_len, &tmp_ctx);
   } else {
     r = EVP_DigestFinal_ex(&tmp_ctx, md, &mdlen);
+    if (r) {
+      r = EVP_PKEY_verify(ctx->pctx, sig, sig_len, md, mdlen);
+    }
   }
 
   EVP_MD_CTX_cleanup(&tmp_ctx);
-  if (has_verifyctx || !r) {
-    return r;
-  }
-  return EVP_PKEY_verify(ctx->pctx, sig, sig_len, md, mdlen);
+
+  return r;
 }
diff --git a/src/crypto/evp/evp.c b/src/crypto/evp/evp.c
index 8a1d513..58fd9a9 100644
--- a/src/crypto/evp/evp.c
+++ b/src/crypto/evp/evp.c
@@ -67,10 +67,12 @@
 #include <openssl/mem.h>
 #include <openssl/obj.h>
 #include <openssl/rsa.h>
+#include <openssl/thread.h>
 
 #include "internal.h"
 
 
+extern const EVP_PKEY_ASN1_METHOD dsa_asn1_meth;
 extern const EVP_PKEY_ASN1_METHOD ec_asn1_meth;
 extern const EVP_PKEY_ASN1_METHOD hmac_asn1_meth;
 extern const EVP_PKEY_ASN1_METHOD rsa_asn1_meth;
@@ -109,15 +111,14 @@ void EVP_PKEY_free(EVP_PKEY *pkey) {
   }
 
   free_it(pkey);
-  if (pkey->attributes) {
-    /* TODO(fork): layering: X509_ATTRIBUTE_free is an X.509 function. In
-     * practice this path isn't called but should be removed in the future. */
-    /*sk_X509_ATTRIBUTE_pop_free(pkey->attributes, X509_ATTRIBUTE_free);*/
-    assert(0);
-  }
   OPENSSL_free(pkey);
 }
 
+EVP_PKEY *EVP_PKEY_up_ref(EVP_PKEY *pkey) {
+  CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
+  return pkey;
+}
+
 int EVP_PKEY_is_opaque(const EVP_PKEY *pkey) {
   if (pkey->ameth && pkey->ameth->pkey_opaque) {
     return pkey->ameth->pkey_opaque(pkey);
@@ -142,8 +143,9 @@ int EVP_PKEY_cmp(const EVP_PKEY *a, const EVP_PKEY *b) {
     /* Compare parameters if the algorithm has them */
     if (a->ameth->param_cmp) {
       ret = a->ameth->param_cmp(a, b);
-      if (ret <= 0)
+      if (ret <= 0) {
         return ret;
+      }
     }
 
     if (a->ameth->pub_cmp) {
@@ -154,11 +156,6 @@ int EVP_PKEY_cmp(const EVP_PKEY *a, const EVP_PKEY *b) {
   return -2;
 }
 
-EVP_PKEY *EVP_PKEY_dup(EVP_PKEY *pkey) {
-  CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
-  return pkey;
-}
-
 int EVP_PKEY_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from) {
   if (to->type != from->type) {
     OPENSSL_PUT_ERROR(EVP, EVP_PKEY_copy_parameters, EVP_R_DIFFERENT_KEY_TYPES);
@@ -213,6 +210,8 @@ const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_find(ENGINE **pengine, int nid) {
       return &hmac_asn1_meth;
     case EVP_PKEY_EC:
       return &ec_asn1_meth;
+    case EVP_PKEY_DSA:
+      return &dsa_asn1_meth;
     default:
       return NULL;
   }
@@ -236,18 +235,19 @@ EVP_PKEY *EVP_PKEY_new_mac_key(int type, ENGINE *e, const uint8_t *mac_key,
     return NULL;
   }
 
-  if (EVP_PKEY_keygen_init(mac_ctx) <= 0 ||
-      EVP_PKEY_CTX_ctrl(mac_ctx, -1, EVP_PKEY_OP_KEYGEN,
-                        EVP_PKEY_CTRL_SET_MAC_KEY, mac_key_len,
-                        (uint8_t *)mac_key) <= 0 ||
-      EVP_PKEY_keygen(mac_ctx, &ret) <= 0) {
+  if (!EVP_PKEY_keygen_init(mac_ctx) ||
+      !EVP_PKEY_CTX_ctrl(mac_ctx, -1, EVP_PKEY_OP_KEYGEN,
+                         EVP_PKEY_CTRL_SET_MAC_KEY, mac_key_len,
+                         (uint8_t *)mac_key) ||
+      !EVP_PKEY_keygen(mac_ctx, &ret)) {
     ret = NULL;
     goto merr;
   }
 
 merr:
-  if (mac_ctx)
+  if (mac_ctx) {
     EVP_PKEY_CTX_free(mac_ctx);
+  }
   return ret;
 }
 
@@ -323,7 +323,7 @@ int EVP_PKEY_set1_DH(EVP_PKEY *pkey, DH *key) {
 }
 
 int EVP_PKEY_assign_DH(EVP_PKEY *pkey, DH *key) {
-  return EVP_PKEY_assign(pkey, EVP_PKEY_EC, key);
+  return EVP_PKEY_assign(pkey, EVP_PKEY_DH, key);
 }
 
 DH *EVP_PKEY_get1_DH(EVP_PKEY *pkey) {
@@ -435,6 +435,10 @@ int EVP_PKEY_CTX_get_signature_md(EVP_PKEY_CTX *ctx, const EVP_MD **out_md) {
                            0, (void *)out_md);
 }
 
+EVP_PKEY *EVP_PKEY_dup(EVP_PKEY *pkey) {
+  return EVP_PKEY_up_ref(pkey);
+}
+
 void OpenSSL_add_all_algorithms(void) {}
 
 void EVP_cleanup(void) {}
diff --git a/src/crypto/evp/evp_ctx.c b/src/crypto/evp/evp_ctx.c
index a383725..9f42274 100644
--- a/src/crypto/evp/evp_ctx.c
+++ b/src/crypto/evp/evp_ctx.c
@@ -120,14 +120,12 @@ static EVP_PKEY_CTX *evp_pkey_ctx_new(EVP_PKEY *pkey, ENGINE *e, int id) {
   ret->operation = EVP_PKEY_OP_UNDEFINED;
 
   if (pkey) {
-    ret->pkey = EVP_PKEY_dup(pkey);
+    ret->pkey = EVP_PKEY_up_ref(pkey);
   }
 
   if (pmeth->init) {
     if (pmeth->init(ret) <= 0) {
-      if (pkey) {
-        EVP_PKEY_free(ret->pkey);
-      }
+      EVP_PKEY_free(ret->pkey);
       OPENSSL_free(ret);
       return NULL;
     }
@@ -151,12 +149,8 @@ void EVP_PKEY_CTX_free(EVP_PKEY_CTX *ctx) {
   if (ctx->pmeth && ctx->pmeth->cleanup) {
     ctx->pmeth->cleanup(ctx);
   }
-  if (ctx->pkey) {
-    EVP_PKEY_free(ctx->pkey);
-  }
-  if (ctx->peerkey) {
-    EVP_PKEY_free(ctx->peerkey);
-  }
+  EVP_PKEY_free(ctx->pkey);
+  EVP_PKEY_free(ctx->peerkey);
   OPENSSL_free(ctx);
 }
 
@@ -179,14 +173,14 @@ EVP_PKEY_CTX *EVP_PKEY_CTX_dup(EVP_PKEY_CTX *pctx) {
   rctx->operation = pctx->operation;
 
   if (pctx->pkey) {
-    rctx->pkey = EVP_PKEY_dup(pctx->pkey);
+    rctx->pkey = EVP_PKEY_up_ref(pctx->pkey);
     if (rctx->pkey == NULL) {
       goto err;
     }
   }
 
   if (pctx->peerkey) {
-    rctx->peerkey = EVP_PKEY_dup(pctx->peerkey);
+    rctx->peerkey = EVP_PKEY_up_ref(pctx->peerkey);
     if (rctx->peerkey == NULL) {
       goto err;
     }
@@ -212,32 +206,25 @@ void *EVP_PKEY_CTX_get_app_data(EVP_PKEY_CTX *ctx) { return ctx->app_data; }
 
 int EVP_PKEY_CTX_ctrl(EVP_PKEY_CTX *ctx, int keytype, int optype, int cmd,
                       int p1, void *p2) {
-  int ret;
   if (!ctx || !ctx->pmeth || !ctx->pmeth->ctrl) {
     OPENSSL_PUT_ERROR(EVP, EVP_PKEY_CTX_ctrl, EVP_R_COMMAND_NOT_SUPPORTED);
-    return -2;
+    return 0;
   }
   if (keytype != -1 && ctx->pmeth->pkey_id != keytype) {
-    return -1;
+    return 0;
   }
 
   if (ctx->operation == EVP_PKEY_OP_UNDEFINED) {
     OPENSSL_PUT_ERROR(EVP, EVP_PKEY_CTX_ctrl, EVP_R_NO_OPERATION_SET);
-    return -1;
+    return 0;
   }
 
   if (optype != -1 && !(ctx->operation & optype)) {
     OPENSSL_PUT_ERROR(EVP, EVP_PKEY_CTX_ctrl, EVP_R_INVALID_OPERATION);
-    return -1;
-  }
-
-  ret = ctx->pmeth->ctrl(ctx, cmd, p1, p2);
-
-  if (ret == -2) {
-    OPENSSL_PUT_ERROR(EVP, EVP_PKEY_CTX_ctrl, EVP_R_COMMAND_NOT_SUPPORTED);
+    return 0;
   }
 
-  return ret;
+  return ctx->pmeth->ctrl(ctx, cmd, p1, p2);
 }
 
 int EVP_PKEY_sign_init(EVP_PKEY_CTX *ctx) {
@@ -434,9 +421,7 @@ int EVP_PKEY_derive_set_peer(EVP_PKEY_CTX *ctx, EVP_PKEY *peer) {
     return 0;
   }
 
-  if (ctx->peerkey) {
-    EVP_PKEY_free(ctx->peerkey);
-  }
+  EVP_PKEY_free(ctx->peerkey);
   ctx->peerkey = peer;
 
   ret = ctx->pmeth->ctrl(ctx, EVP_PKEY_CTRL_PEER_KEY, 1, peer);
@@ -446,7 +431,7 @@ int EVP_PKEY_derive_set_peer(EVP_PKEY_CTX *ctx, EVP_PKEY *peer) {
     return 0;
   }
 
-  EVP_PKEY_dup(peer);
+  EVP_PKEY_up_ref(peer);
   return 1;
 }
 
diff --git a/src/crypto/evp/evp_error.c b/src/crypto/evp/evp_error.c
deleted file mode 100644
index b0d311e..0000000
--- a/src/crypto/evp/evp_error.c
+++ /dev/null
@@ -1,131 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/evp.h>
-
-const ERR_STRING_DATA EVP_error_string_data[] = {
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_DigestSignAlgorithm, 0), "EVP_DigestSignAlgorithm"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_DigestVerifyInitFromAlgorithm, 0), "EVP_DigestVerifyInitFromAlgorithm"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_CTX_ctrl, 0), "EVP_PKEY_CTX_ctrl"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_CTX_dup, 0), "EVP_PKEY_CTX_dup"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_copy_parameters, 0), "EVP_PKEY_copy_parameters"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_decrypt, 0), "EVP_PKEY_decrypt"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_decrypt_init, 0), "EVP_PKEY_decrypt_init"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_derive, 0), "EVP_PKEY_derive"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_derive_init, 0), "EVP_PKEY_derive_init"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_derive_set_peer, 0), "EVP_PKEY_derive_set_peer"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_encrypt, 0), "EVP_PKEY_encrypt"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_encrypt_init, 0), "EVP_PKEY_encrypt_init"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_get1_DH, 0), "EVP_PKEY_get1_DH"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_get1_DSA, 0), "EVP_PKEY_get1_DSA"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_get1_EC_KEY, 0), "EVP_PKEY_get1_EC_KEY"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_get1_RSA, 0), "EVP_PKEY_get1_RSA"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_keygen, 0), "EVP_PKEY_keygen"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_keygen_init, 0), "EVP_PKEY_keygen_init"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_new, 0), "EVP_PKEY_new"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_set_type, 0), "EVP_PKEY_set_type"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_sign, 0), "EVP_PKEY_sign"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_sign_init, 0), "EVP_PKEY_sign_init"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_verify, 0), "EVP_PKEY_verify"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_verify_init, 0), "EVP_PKEY_verify_init"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_check_padding_md, 0), "check_padding_md"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_d2i_AutoPrivateKey, 0), "d2i_AutoPrivateKey"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_d2i_PrivateKey, 0), "d2i_PrivateKey"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_do_EC_KEY_print, 0), "do_EC_KEY_print"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_do_rsa_print, 0), "do_rsa_print"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_do_sigver_init, 0), "do_sigver_init"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_eckey_param2type, 0), "eckey_param2type"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_eckey_param_decode, 0), "eckey_param_decode"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_eckey_priv_decode, 0), "eckey_priv_decode"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_eckey_priv_encode, 0), "eckey_priv_encode"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_eckey_pub_decode, 0), "eckey_pub_decode"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_eckey_pub_encode, 0), "eckey_pub_encode"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_eckey_type2param, 0), "eckey_type2param"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_evp_pkey_ctx_new, 0), "evp_pkey_ctx_new"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_hmac_signctx, 0), "hmac_signctx"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_i2d_PublicKey, 0), "i2d_PublicKey"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_old_ec_priv_decode, 0), "old_ec_priv_decode"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_old_rsa_priv_decode, 0), "old_rsa_priv_decode"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_pkey_ec_ctrl, 0), "pkey_ec_ctrl"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_pkey_ec_derive, 0), "pkey_ec_derive"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_pkey_ec_keygen, 0), "pkey_ec_keygen"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_pkey_ec_paramgen, 0), "pkey_ec_paramgen"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_pkey_ec_sign, 0), "pkey_ec_sign"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_pkey_rsa_ctrl, 0), "pkey_rsa_ctrl"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_pkey_rsa_decrypt, 0), "pkey_rsa_decrypt"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_pkey_rsa_encrypt, 0), "pkey_rsa_encrypt"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_pkey_rsa_sign, 0), "pkey_rsa_sign"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_rsa_algor_to_md, 0), "rsa_algor_to_md"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_rsa_digest_verify_init_from_algorithm, 0), "rsa_digest_verify_init_from_algorithm"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_rsa_item_verify, 0), "rsa_item_verify"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_rsa_mgf1_to_md, 0), "rsa_mgf1_to_md"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_rsa_priv_decode, 0), "rsa_priv_decode"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_rsa_priv_encode, 0), "rsa_priv_encode"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_rsa_pss_to_ctx, 0), "rsa_pss_to_ctx"},
-  {ERR_PACK(ERR_LIB_EVP, EVP_F_rsa_pub_decode, 0), "rsa_pub_decode"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_BUFFER_TOO_SMALL), "BUFFER_TOO_SMALL"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_COMMAND_NOT_SUPPORTED), "COMMAND_NOT_SUPPORTED"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_CONTEXT_NOT_INITIALISED), "CONTEXT_NOT_INITIALISED"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DECODE_ERROR), "DECODE_ERROR"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DIFFERENT_KEY_TYPES), "DIFFERENT_KEY_TYPES"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DIFFERENT_PARAMETERS), "DIFFERENT_PARAMETERS"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DIGEST_AND_KEY_TYPE_NOT_SUPPORTED), "DIGEST_AND_KEY_TYPE_NOT_SUPPORTED"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DIGEST_DOES_NOT_MATCH), "DIGEST_DOES_NOT_MATCH"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_EXPECTING_AN_DSA_KEY), "EXPECTING_AN_DSA_KEY"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_EXPECTING_AN_EC_KEY_KEY), "EXPECTING_AN_EC_KEY_KEY"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_EXPECTING_AN_RSA_KEY), "EXPECTING_AN_RSA_KEY"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_EXPECTING_A_DH_KEY), "EXPECTING_A_DH_KEY"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_EXPECTING_A_DSA_KEY), "EXPECTING_A_DSA_KEY"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_EXPLICIT_EC_PARAMETERS_NOT_SUPPORTED), "EXPLICIT_EC_PARAMETERS_NOT_SUPPORTED"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE), "ILLEGAL_OR_UNSUPPORTED_PADDING_MODE"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_CURVE), "INVALID_CURVE"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_DIGEST_LENGTH), "INVALID_DIGEST_LENGTH"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_DIGEST_TYPE), "INVALID_DIGEST_TYPE"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_KEYBITS), "INVALID_KEYBITS"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_MGF1_MD), "INVALID_MGF1_MD"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_OPERATION), "INVALID_OPERATION"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_PADDING_MODE), "INVALID_PADDING_MODE"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_PSS_PARAMETERS), "INVALID_PSS_PARAMETERS"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_PSS_SALTLEN), "INVALID_PSS_SALTLEN"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_SALT_LENGTH), "INVALID_SALT_LENGTH"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_TRAILER), "INVALID_TRAILER"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_KDF_PARAMETER_ERROR), "KDF_PARAMETER_ERROR"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_KEYS_NOT_SET), "KEYS_NOT_SET"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_MISSING_PARAMETERS), "MISSING_PARAMETERS"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_NO_DEFAULT_DIGEST), "NO_DEFAULT_DIGEST"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_NO_KEY_SET), "NO_KEY_SET"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_NO_MDC2_SUPPORT), "NO_MDC2_SUPPORT"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_NO_NID_FOR_CURVE), "NO_NID_FOR_CURVE"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_NO_OPERATION_SET), "NO_OPERATION_SET"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_NO_PARAMETERS_SET), "NO_PARAMETERS_SET"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE), "OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OPERATON_NOT_INITIALIZED), "OPERATON_NOT_INITIALIZED"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PEER_KEY_ERROR), "PEER_KEY_ERROR"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_SHARED_INFO_ERROR), "SHARED_INFO_ERROR"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_DIGEST), "UNKNOWN_DIGEST"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_MASK_DIGEST), "UNKNOWN_MASK_DIGEST"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM), "UNKNOWN_MESSAGE_DIGEST_ALGORITHM"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_PUBLIC_KEY_TYPE), "UNKNOWN_PUBLIC_KEY_TYPE"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_SIGNATURE_ALGORITHM), "UNKNOWN_SIGNATURE_ALGORITHM"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNSUPPORTED_ALGORITHM), "UNSUPPORTED_ALGORITHM"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNSUPPORTED_MASK_ALGORITHM), "UNSUPPORTED_MASK_ALGORITHM"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNSUPPORTED_MASK_PARAMETER), "UNSUPPORTED_MASK_PARAMETER"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNSUPPORTED_PUBLIC_KEY_TYPE), "UNSUPPORTED_PUBLIC_KEY_TYPE"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNSUPPORTED_SIGNATURE_TYPE), "UNSUPPORTED_SIGNATURE_TYPE"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_WRONG_PUBLIC_KEY_TYPE), "WRONG_PUBLIC_KEY_TYPE"},
-  {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_X931_UNSUPPORTED), "X931_UNSUPPORTED"},
-  {0, NULL},
-};
diff --git a/src/crypto/evp/evp_test.c b/src/crypto/evp/evp_extra_test.cc
index 3e74cd5..674547d 100644
--- a/src/crypto/evp/evp_test.c
+++ b/src/crypto/evp/evp_extra_test.cc
@@ -16,7 +16,8 @@
 #include <stdio.h>
 #include <stdlib.h>
 
-#include <openssl/bio.h>
+#include <vector>
+
 #include <openssl/bytestring.h>
 #include <openssl/crypto.h>
 #include <openssl/digest.h>
@@ -25,9 +26,11 @@
 #include <openssl/rsa.h>
 #include <openssl/x509.h>
 
+#include "../test/scoped_types.h"
+
 
-/* kExampleRSAKeyDER is an RSA private key in ASN.1, DER format. Of course, you
- * should never use this key anywhere but in an example. */
+// kExampleRSAKeyDER is an RSA private key in ASN.1, DER format. Of course, you
+// should never use this key anywhere but in an example.
 static const uint8_t kExampleRSAKeyDER[] = {
     0x30, 0x82, 0x02, 0x5c, 0x02, 0x01, 0x00, 0x02, 0x81, 0x81, 0x00, 0xf8,
     0xb8, 0x6c, 0x83, 0xb4, 0xbc, 0xd9, 0xa8, 0x57, 0xc0, 0xa5, 0xb4, 0x59,
@@ -82,6 +85,81 @@ static const uint8_t kExampleRSAKeyDER[] = {
     0x2d, 0x86, 0x9d, 0xa5, 0x20, 0x1b, 0xe5, 0xdf,
 };
 
+static const uint8_t kExampleDSAKeyDER[] = {
+    0x30, 0x82, 0x03, 0x56, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00,
+    0x9e, 0x12, 0xfa, 0xb3, 0xde, 0x12, 0x21, 0x35, 0x01, 0xdd, 0x82, 0xaa,
+    0x10, 0xca, 0x2d, 0x10, 0x1d, 0x2d, 0x4e, 0xbf, 0xef, 0x4d, 0x2a, 0x3f,
+    0x8d, 0xaa, 0x0f, 0xe0, 0xce, 0xda, 0xd8, 0xd6, 0xaf, 0x85, 0x61, 0x6a,
+    0xa2, 0xf3, 0x25, 0x2c, 0x0a, 0x2b, 0x5a, 0x6d, 0xb0, 0x9e, 0x6f, 0x14,
+    0x90, 0x0e, 0x0d, 0xdb, 0x83, 0x11, 0x87, 0x6d, 0xd8, 0xf9, 0x66, 0x95,
+    0x25, 0xf9, 0x9e, 0xd6, 0x59, 0x49, 0xe1, 0x84, 0xd5, 0x06, 0x47, 0x93,
+    0x27, 0x11, 0x69, 0xa2, 0x28, 0x68, 0x0b, 0x95, 0xec, 0x12, 0xf5, 0x9a,
+    0x8e, 0x20, 0xb2, 0x1f, 0x2b, 0x58, 0xeb, 0x2a, 0x20, 0x12, 0xd3, 0x5b,
+    0xde, 0x2e, 0xe3, 0x51, 0x82, 0x2f, 0xe8, 0xf3, 0x2d, 0x0a, 0x33, 0x05,
+    0x65, 0xdc, 0xce, 0x5c, 0x67, 0x2b, 0x72, 0x59, 0xc1, 0x4b, 0x24, 0x33,
+    0xd0, 0xb5, 0xb2, 0xca, 0x2b, 0x2d, 0xb0, 0xab, 0x62, 0x6e, 0x8f, 0x13,
+    0xf4, 0x7f, 0xe0, 0x34, 0x5d, 0x90, 0x4e, 0x72, 0x94, 0xbb, 0x03, 0x8e,
+    0x9c, 0xe2, 0x1a, 0x9e, 0x58, 0x0b, 0x83, 0x35, 0x62, 0x78, 0x70, 0x6c,
+    0xfe, 0x76, 0x84, 0x36, 0xc6, 0x9d, 0xe1, 0x49, 0xcc, 0xff, 0x98, 0xb4,
+    0xaa, 0xb8, 0xcb, 0x4f, 0x63, 0x85, 0xc9, 0xf1, 0x02, 0xce, 0x59, 0x34,
+    0x6e, 0xae, 0xef, 0x27, 0xe0, 0xad, 0x22, 0x2d, 0x53, 0xd6, 0xe8, 0x9c,
+    0xc8, 0xcd, 0xe5, 0x77, 0x6d, 0xd0, 0x00, 0x57, 0xb0, 0x3f, 0x2d, 0x88,
+    0xab, 0x3c, 0xed, 0xba, 0xfd, 0x7b, 0x58, 0x5f, 0x0b, 0x7f, 0x78, 0x35,
+    0xe1, 0x7a, 0x37, 0x28, 0xbb, 0xf2, 0x5e, 0xa6, 0x25, 0x72, 0xf2, 0x45,
+    0xdc, 0x11, 0x1f, 0x3c, 0xe3, 0x9c, 0xb6, 0xff, 0xac, 0xc3, 0x1b, 0x0a,
+    0x27, 0x90, 0xe7, 0xbd, 0xe9, 0x02, 0x24, 0xea, 0x9b, 0x09, 0x31, 0x53,
+    0x62, 0xaf, 0x3d, 0x2b, 0x02, 0x21, 0x00, 0xf3, 0x81, 0xdc, 0xf5, 0x3e,
+    0xbf, 0x72, 0x4f, 0x8b, 0x2e, 0x5c, 0xa8, 0x2c, 0x01, 0x0f, 0xb4, 0xb5,
+    0xed, 0xa9, 0x35, 0x8d, 0x0f, 0xd8, 0x8e, 0xd2, 0x78, 0x58, 0x94, 0x88,
+    0xb5, 0x4f, 0xc3, 0x02, 0x82, 0x01, 0x00, 0x0c, 0x40, 0x2a, 0x72, 0x5d,
+    0xcc, 0x3a, 0x62, 0xe0, 0x2b, 0xf4, 0xcf, 0x43, 0xcd, 0x17, 0xf4, 0xa4,
+    0x93, 0x59, 0x12, 0x20, 0x22, 0x36, 0x69, 0xcf, 0x41, 0x93, 0xed, 0xab,
+    0x42, 0x3a, 0xd0, 0x8d, 0xfb, 0x55, 0x2e, 0x30, 0x8a, 0x6a, 0x57, 0xa5,
+    0xff, 0xbc, 0x7c, 0xd0, 0xfb, 0x20, 0x87, 0xf8, 0x1f, 0x8d, 0xf0, 0xcb,
+    0x08, 0xab, 0x21, 0x33, 0x28, 0x7d, 0x2b, 0x69, 0x68, 0x71, 0x4a, 0x94,
+    0xf6, 0x33, 0xc9, 0x40, 0x84, 0x5a, 0x48, 0xa3, 0xe1, 0x67, 0x08, 0xdd,
+    0xe7, 0x61, 0xcc, 0x6a, 0x8e, 0xab, 0x2d, 0x84, 0xdb, 0x21, 0xb6, 0xea,
+    0x5b, 0x07, 0x68, 0x14, 0x93, 0xcc, 0x9c, 0x31, 0xfb, 0xc3, 0x68, 0xb2,
+    0x43, 0xf6, 0xdd, 0xf8, 0xc9, 0x32, 0xa8, 0xb4, 0x03, 0x8f, 0x44, 0xe7,
+    0xb1, 0x5c, 0xa8, 0x76, 0x34, 0x4a, 0x14, 0x78, 0x59, 0xf2, 0xb4, 0x3b,
+    0x39, 0x45, 0x86, 0x68, 0xad, 0x5e, 0x0a, 0x1a, 0x9a, 0x66, 0x95, 0x46,
+    0xdd, 0x28, 0x12, 0xe3, 0xb3, 0x61, 0x7a, 0x0a, 0xef, 0x99, 0xd5, 0x8e,
+    0x3b, 0xb4, 0xcc, 0x87, 0xfd, 0x94, 0x22, 0x5e, 0x01, 0xd2, 0xdc, 0xc4,
+    0x69, 0xa7, 0x72, 0x68, 0x14, 0x6c, 0x51, 0x91, 0x8f, 0x18, 0xe8, 0xb4,
+    0xd7, 0x0a, 0xa1, 0xf0, 0xc7, 0x62, 0x3b, 0xcc, 0x52, 0xcf, 0x37, 0x31,
+    0xd3, 0x86, 0x41, 0xb2, 0xd2, 0x83, 0x0b, 0x7e, 0xec, 0xb2, 0xf0, 0x95,
+    0x52, 0xff, 0x13, 0x7d, 0x04, 0x6e, 0x49, 0x4e, 0x7f, 0x33, 0xc3, 0x59,
+    0x00, 0x02, 0xb1, 0x6d, 0x1b, 0x97, 0xd9, 0x36, 0xfd, 0xa2, 0x8f, 0x90,
+    0xc3, 0xed, 0x3c, 0xa3, 0x53, 0x38, 0x16, 0x8a, 0xc1, 0x6f, 0x77, 0xc3,
+    0xc5, 0x7a, 0xdc, 0x2e, 0x8f, 0x7c, 0x6c, 0x22, 0x56, 0xe4, 0x1a, 0x5f,
+    0x65, 0x45, 0x05, 0x90, 0xdb, 0xb5, 0xbc, 0xf0, 0x6d, 0x66, 0x61, 0x02,
+    0x82, 0x01, 0x00, 0x31, 0x97, 0x31, 0xa1, 0x4e, 0x38, 0x56, 0x88, 0xdb,
+    0x94, 0x1d, 0xbf, 0x65, 0x5c, 0xda, 0x4b, 0xc2, 0x10, 0xde, 0x74, 0x20,
+    0x03, 0xce, 0x13, 0x60, 0xf2, 0x25, 0x1d, 0x55, 0x7c, 0x5d, 0x94, 0x82,
+    0x54, 0x08, 0x53, 0xdb, 0x85, 0x95, 0xbf, 0xdd, 0x5e, 0x50, 0xd5, 0x96,
+    0xe0, 0x79, 0x51, 0x1b, 0xbf, 0x4d, 0x4e, 0xb9, 0x3a, 0xc5, 0xee, 0xc4,
+    0x5e, 0x98, 0x75, 0x7b, 0xbe, 0xff, 0x30, 0xe6, 0xd0, 0x7b, 0xa6, 0xf1,
+    0xbc, 0x29, 0xea, 0xdf, 0xec, 0xf3, 0x8b, 0xfa, 0x83, 0x11, 0x9f, 0x3f,
+    0xf0, 0x5d, 0x06, 0x51, 0x32, 0xaa, 0x21, 0xfc, 0x26, 0x17, 0xe7, 0x50,
+    0xc2, 0x16, 0xba, 0xfa, 0x54, 0xb7, 0x7e, 0x1d, 0x2c, 0xa6, 0xa3, 0x41,
+    0x66, 0x33, 0x94, 0x83, 0xb9, 0xbf, 0xa0, 0x4f, 0xbd, 0xa6, 0xfd, 0x2c,
+    0x81, 0x58, 0x35, 0x33, 0x39, 0xc0, 0x6d, 0x33, 0x40, 0x56, 0x64, 0x12,
+    0x5a, 0xcd, 0x35, 0x53, 0x21, 0x78, 0x8f, 0x27, 0x24, 0x37, 0x66, 0x8a,
+    0xdf, 0x5e, 0x5f, 0x63, 0xfc, 0x8b, 0x2d, 0xef, 0x57, 0xdb, 0x40, 0x25,
+    0xd5, 0x17, 0x53, 0x0b, 0xe4, 0xa5, 0xae, 0x54, 0xbf, 0x46, 0x4f, 0xa6,
+    0x79, 0xc3, 0x74, 0xfa, 0x1f, 0x85, 0x34, 0x64, 0x6d, 0xc5, 0x03, 0xeb,
+    0x72, 0x98, 0x80, 0x7b, 0xc0, 0x8f, 0x35, 0x11, 0xa7, 0x09, 0xeb, 0x51,
+    0xe0, 0xb0, 0xac, 0x92, 0x14, 0xf2, 0xad, 0x37, 0x95, 0x5a, 0xba, 0x8c,
+    0xc4, 0xdb, 0xed, 0xc4, 0x4e, 0x8b, 0x8f, 0x84, 0x33, 0x64, 0xf8, 0x57,
+    0x12, 0xd7, 0x08, 0x7e, 0x90, 0x66, 0xdf, 0x91, 0x50, 0x23, 0xf2, 0x73,
+    0xc0, 0x6b, 0xb1, 0x15, 0xdd, 0x64, 0xd7, 0xc9, 0x75, 0x17, 0x73, 0x72,
+    0xda, 0x33, 0xc4, 0x6f, 0xa5, 0x47, 0xa1, 0xcc, 0xd1, 0xc6, 0x62, 0xe5,
+    0xca, 0xab, 0x5f, 0x2a, 0x8f, 0x6b, 0xcc, 0x02, 0x21, 0x00, 0xb0, 0xc7,
+    0x68, 0x70, 0x27, 0x43, 0xbc, 0x51, 0x24, 0x29, 0x93, 0xa9, 0x71, 0xa5,
+    0x28, 0x89, 0x79, 0x54, 0x44, 0xf7, 0xc6, 0x45, 0x22, 0x03, 0xd0, 0xce,
+    0x84, 0xfe, 0x61, 0x17, 0xd4, 0x6e,
+};
+
 static const uint8_t kMsg[] = {1, 2, 3, 4};
 
 static const uint8_t kSignature[] = {
@@ -98,8 +176,8 @@ static const uint8_t kSignature[] = {
     0x55, 0xa7, 0xab, 0x45, 0x02, 0x97, 0x60, 0x42,
 };
 
-/* kExamplePSSCert is an example self-signed certificate, signed with
- * kExampleRSAKeyDER using RSA-PSS with default hash functions. */
+// kExamplePSSCert is an example self-signed certificate, signed with
+// kExampleRSAKeyDER using RSA-PSS with default hash functions.
 static const uint8_t kExamplePSSCert[] = {
     0x30, 0x82, 0x02, 0x62, 0x30, 0x82, 0x01, 0xc6, 0xa0, 0x03, 0x02, 0x01,
     0x02, 0x02, 0x09, 0x00, 0x8d, 0xea, 0x53, 0x24, 0xfa, 0x48, 0x87, 0xf3,
@@ -155,8 +233,8 @@ static const uint8_t kExamplePSSCert[] = {
     0x8c, 0x16,
 };
 
-/* kExampleRSAKeyPKCS8 is kExampleRSAKeyDER encoded in a PKCS #8
- * PrivateKeyInfo. */
+// kExampleRSAKeyPKCS8 is kExampleRSAKeyDER encoded in a PKCS #8
+// PrivateKeyInfo.
 static const uint8_t kExampleRSAKeyPKCS8[] = {
     0x30, 0x82, 0x02, 0x76, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a,
     0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82,
@@ -213,8 +291,8 @@ static const uint8_t kExampleRSAKeyPKCS8[] = {
     0x08, 0xf1, 0x2d, 0x86, 0x9d, 0xa5, 0x20, 0x1b, 0xe5, 0xdf,
 };
 
-/* kExampleECKeyDER is a sample EC private key encoded as an ECPrivateKey
- * structure. */
+// kExampleECKeyDER is a sample EC private key encoded as an ECPrivateKey
+// structure.
 static const uint8_t kExampleECKeyDER[] = {
     0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0x07, 0x0f, 0x08, 0x72, 0x7a,
     0xd4, 0xa0, 0x4a, 0x9c, 0xdd, 0x59, 0xc9, 0x4d, 0x89, 0x68, 0x77, 0x08,
@@ -229,8 +307,8 @@ static const uint8_t kExampleECKeyDER[] = {
     0xc1,
 };
 
-/* kExampleBadECKeyDER is a sample EC private key encoded as an ECPrivateKey
- * structure. The private key is equal to the order and will fail to import */
+// kExampleBadECKeyDER is a sample EC private key encoded as an ECPrivateKey
+// structure. The private key is equal to the order and will fail to import.
 static const uint8_t kExampleBadECKeyDER[] = {
     0x30, 0x66, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48,
     0xCE, 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03,
@@ -243,237 +321,143 @@ static const uint8_t kExampleBadECKeyDER[] = {
     0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51
 };
 
-static EVP_PKEY *load_example_rsa_key(void) {
-  EVP_PKEY *ret = NULL;
+static ScopedEVP_PKEY LoadExampleRSAKey() {
   const uint8_t *derp = kExampleRSAKeyDER;
-  EVP_PKEY *pkey = NULL;
-  RSA *rsa = NULL;
-
-  if (!d2i_RSAPrivateKey(&rsa, &derp, sizeof(kExampleRSAKeyDER))) {
-    return NULL;
-  }
-
-  pkey = EVP_PKEY_new();
-  if (pkey == NULL || !EVP_PKEY_set1_RSA(pkey, rsa)) {
-    goto out;
-  }
-
-  ret = pkey;
-  pkey = NULL;
-
-out:
-  if (pkey) {
-    EVP_PKEY_free(pkey);
+  ScopedRSA rsa(d2i_RSAPrivateKey(nullptr, &derp, sizeof(kExampleRSAKeyDER)));
+  if (!rsa) {
+    return nullptr;
   }
-  if (rsa) {
-    RSA_free(rsa);
+  ScopedEVP_PKEY pkey(EVP_PKEY_new());
+  if (!pkey || !EVP_PKEY_set1_RSA(pkey.get(), rsa.get())) {
+    return nullptr;
   }
-
-  return ret;
+  return pkey;
 }
 
-static int test_EVP_DigestSignInit(void) {
-  int ret = 0;
-  EVP_PKEY *pkey = NULL;
-  uint8_t *sig = NULL;
-  size_t sig_len = 0;
-  EVP_MD_CTX md_ctx, md_ctx_verify;
-
-  EVP_MD_CTX_init(&md_ctx);
-  EVP_MD_CTX_init(&md_ctx_verify);
-
-  pkey = load_example_rsa_key();
-  if (pkey == NULL ||
-      !EVP_DigestSignInit(&md_ctx, NULL, EVP_sha256(), NULL, pkey) ||
-      !EVP_DigestSignUpdate(&md_ctx, kMsg, sizeof(kMsg))) {
-    goto out;
+static bool TestEVP_DigestSignInit(void) {
+  ScopedEVP_PKEY pkey = LoadExampleRSAKey();
+  ScopedEVP_MD_CTX md_ctx;
+  if (!pkey ||
+      !EVP_DigestSignInit(md_ctx.get(), NULL, EVP_sha256(), NULL, pkey.get()) ||
+      !EVP_DigestSignUpdate(md_ctx.get(), kMsg, sizeof(kMsg))) {
+    return false;
   }
-  /* Determine the size of the signature. */
-  if (!EVP_DigestSignFinal(&md_ctx, NULL, &sig_len)) {
-    goto out;
+  // Determine the size of the signature.
+  size_t sig_len = 0;
+  if (!EVP_DigestSignFinal(md_ctx.get(), NULL, &sig_len)) {
+    return false;
   }
-  /* Sanity check for testing. */
-  if (sig_len != EVP_PKEY_size(pkey)) {
+  // Sanity check for testing.
+  if (sig_len != (size_t)EVP_PKEY_size(pkey.get())) {
     fprintf(stderr, "sig_len mismatch\n");
-    goto out;
+    return false;
   }
 
-  sig = malloc(sig_len);
-  if (sig == NULL || !EVP_DigestSignFinal(&md_ctx, sig, &sig_len)) {
-    goto out;
+  std::vector<uint8_t> sig;
+  sig.resize(sig_len);
+  if (!EVP_DigestSignFinal(md_ctx.get(), bssl::vector_data(&sig), &sig_len)) {
+    return false;
   }
+  sig.resize(sig_len);
 
-  /* Ensure that the signature round-trips. */
-  if (!EVP_DigestVerifyInit(&md_ctx_verify, NULL, EVP_sha256(), NULL, pkey) ||
-      !EVP_DigestVerifyUpdate(&md_ctx_verify, kMsg, sizeof(kMsg)) ||
-      !EVP_DigestVerifyFinal(&md_ctx_verify, sig, sig_len)) {
-    goto out;
+  // Ensure that the signature round-trips.
+  md_ctx.Reset();
+  if (!EVP_DigestVerifyInit(md_ctx.get(), NULL, EVP_sha256(), NULL, pkey.get()) ||
+      !EVP_DigestVerifyUpdate(md_ctx.get(), kMsg, sizeof(kMsg)) ||
+      !EVP_DigestVerifyFinal(md_ctx.get(), bssl::vector_data(&sig), sig_len)) {
+    return false;
   }
 
-  ret = 1;
-
-out:
-  if (!ret) {
-    BIO_print_errors_fp(stderr);
-  }
-
-  EVP_MD_CTX_cleanup(&md_ctx);
-  EVP_MD_CTX_cleanup(&md_ctx_verify);
-  if (pkey) {
-    EVP_PKEY_free(pkey);
-  }
-  if (sig) {
-    free(sig);
-  }
-
-  return ret;
+  return true;
 }
 
-static int test_EVP_DigestVerifyInit(void) {
-  int ret = 0;
-  EVP_PKEY *pkey = NULL;
-  EVP_MD_CTX md_ctx;
-
-  EVP_MD_CTX_init(&md_ctx);
-
-  pkey = load_example_rsa_key();
-  if (pkey == NULL ||
-      !EVP_DigestVerifyInit(&md_ctx, NULL, EVP_sha256(), NULL, pkey) ||
-      !EVP_DigestVerifyUpdate(&md_ctx, kMsg, sizeof(kMsg)) ||
-      !EVP_DigestVerifyFinal(&md_ctx, kSignature, sizeof(kSignature))) {
-    goto out;
-  }
-  ret = 1;
-
-out:
-  if (!ret) {
-    BIO_print_errors_fp(stderr);
-  }
-
-  EVP_MD_CTX_cleanup(&md_ctx);
-  if (pkey) {
-    EVP_PKEY_free(pkey);
-  }
-
-  return ret;
+static bool TestEVP_DigestVerifyInit(void) {
+  ScopedEVP_PKEY pkey = LoadExampleRSAKey();
+  ScopedEVP_MD_CTX md_ctx;
+  if (!pkey ||
+      !EVP_DigestVerifyInit(md_ctx.get(), NULL, EVP_sha256(), NULL,
+                            pkey.get()) ||
+      !EVP_DigestVerifyUpdate(md_ctx.get(), kMsg, sizeof(kMsg)) ||
+      !EVP_DigestVerifyFinal(md_ctx.get(), kSignature, sizeof(kSignature))) {
+    return false;
+  }
+  return true;
 }
 
-/* test_algorithm_roundtrip signs a message using an already-initialized
- * |md_ctx|, sampling the AlgorithmIdentifier. It then uses |pkey| and the
- * AlgorithmIdentifier to verify the signature. */
-static int test_algorithm_roundtrip(EVP_MD_CTX *md_ctx, EVP_PKEY *pkey) {
-  int ret = 0;
-  uint8_t *sig = NULL;
-  size_t sig_len = 0;
-  EVP_MD_CTX md_ctx_verify;
-  X509_ALGOR *algor = NULL;
-
-  EVP_MD_CTX_init(&md_ctx_verify);
-
+// TestAlgorithmRoundtrip signs a message using an already-initialized
+// |md_ctx|, sampling the AlgorithmIdentifier. It then uses |pkey| and the
+// AlgorithmIdentifier to verify the signature.
+static bool TestAlgorithmRoundtrip(EVP_MD_CTX *md_ctx, EVP_PKEY *pkey) {
   if (!EVP_DigestSignUpdate(md_ctx, kMsg, sizeof(kMsg))) {
-    goto out;
+    return false;
   }
 
-  /* Save the algorithm. */
-  algor = X509_ALGOR_new();
-  if (algor == NULL || !EVP_DigestSignAlgorithm(md_ctx, algor)) {
-    goto out;
+  // Save the algorithm.
+  ScopedX509_ALGOR algor(X509_ALGOR_new());
+  if (!algor || !EVP_DigestSignAlgorithm(md_ctx, algor.get())) {
+    return false;
   }
 
-  /* Determine the size of the signature. */
+  // Determine the size of the signature.
+  size_t sig_len = 0;
   if (!EVP_DigestSignFinal(md_ctx, NULL, &sig_len)) {
-    goto out;
+    return false;
   }
-  /* Sanity check for testing. */
-  if (sig_len != EVP_PKEY_size(pkey)) {
+  // Sanity check for testing.
+  if (sig_len != (size_t)EVP_PKEY_size(pkey)) {
     fprintf(stderr, "sig_len mismatch\n");
-    goto out;
+    return false;
   }
 
-  sig = malloc(sig_len);
-  if (sig == NULL || !EVP_DigestSignFinal(md_ctx, sig, &sig_len)) {
-    goto out;
+  std::vector<uint8_t> sig;
+  sig.resize(sig_len);
+  if (!EVP_DigestSignFinal(md_ctx, bssl::vector_data(&sig), &sig_len)) {
+    return false;
   }
+  sig.resize(sig_len);
 
-  /* Ensure that the signature round-trips. */
-  if (!EVP_DigestVerifyInitFromAlgorithm(&md_ctx_verify, algor, pkey) ||
-      !EVP_DigestVerifyUpdate(&md_ctx_verify, kMsg, sizeof(kMsg)) ||
-      !EVP_DigestVerifyFinal(&md_ctx_verify, sig, sig_len)) {
-    goto out;
+  // Ensure that the signature round-trips.
+  ScopedEVP_MD_CTX md_ctx_verify;
+  if (!EVP_DigestVerifyInitFromAlgorithm(md_ctx_verify.get(), algor.get(),
+                                         pkey) ||
+      !EVP_DigestVerifyUpdate(md_ctx_verify.get(), kMsg, sizeof(kMsg)) ||
+      !EVP_DigestVerifyFinal(md_ctx_verify.get(), bssl::vector_data(&sig),
+                             sig_len)) {
+    return false;
   }
 
-  ret = 1;
-
-out:
-  EVP_MD_CTX_cleanup(&md_ctx_verify);
-  if (sig) {
-    free(sig);
-  }
-  if (algor) {
-    X509_ALGOR_free(algor);
-  }
-
-  return ret;
+  return true;
 }
 
-static int test_EVP_DigestSignAlgorithm(void) {
-  int ret = 0;
-  EVP_PKEY *pkey = NULL;
-  EVP_MD_CTX md_ctx;
-  EVP_PKEY_CTX *pkey_ctx;
-
-  EVP_MD_CTX_init(&md_ctx);
-
-  pkey = load_example_rsa_key();
-  if (pkey == NULL) {
-    goto out;
-  }
+static bool TestEVP_DigestSignAlgorithm(void) {
+  ScopedEVP_PKEY pkey = LoadExampleRSAKey();
 
-  /* Test a simple AlgorithmIdentifier. */
-  if (!EVP_DigestSignInit(&md_ctx, &pkey_ctx, EVP_sha256(), NULL, pkey) ||
-      !test_algorithm_roundtrip(&md_ctx, pkey)) {
+  // Test a simple AlgorithmIdentifier.
+  ScopedEVP_MD_CTX md_ctx;
+  if (!pkey ||
+      !EVP_DigestSignInit(md_ctx.get(), NULL, EVP_sha256(), NULL, pkey.get()) ||
+      !TestAlgorithmRoundtrip(md_ctx.get(), pkey.get())) {
     fprintf(stderr, "RSA with SHA-256 failed\n");
-    goto out;
+    return false;
   }
 
-  EVP_MD_CTX_cleanup(&md_ctx);
-  EVP_MD_CTX_init(&md_ctx);
-
-  /* Test RSA-PSS with custom parameters. */
-  if (!EVP_DigestSignInit(&md_ctx, &pkey_ctx, EVP_sha256(), NULL, pkey) ||
-      EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING) != 1 ||
-      EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, EVP_sha512()) != 1 ||
-      !test_algorithm_roundtrip(&md_ctx, pkey)) {
+  // Test RSA-PSS with custom parameters.
+  md_ctx.Reset();
+  EVP_PKEY_CTX *pkey_ctx;
+  if (!EVP_DigestSignInit(md_ctx.get(), &pkey_ctx, EVP_sha256(), NULL,
+                          pkey.get()) ||
+      !EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING) ||
+      !EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, EVP_sha512()) ||
+      !TestAlgorithmRoundtrip(md_ctx.get(), pkey.get())) {
     fprintf(stderr, "RSA-PSS failed\n");
-    goto out;
-  }
-
-  ret = 1;
-
-out:
-  if (!ret) {
-    BIO_print_errors_fp(stderr);
+    return false;
   }
 
-  EVP_MD_CTX_cleanup(&md_ctx);
-  if (pkey) {
-    EVP_PKEY_free(pkey);
-  }
-
-  return ret;
+  return true;
 }
 
-static int test_EVP_DigestVerifyInitFromAlgorithm(void) {
-  int ret = 0;
+static bool TestEVP_DigestVerifyInitFromAlgorithm(void) {
   CBS cert, cert_body, tbs_cert, algorithm, signature;
-  uint8_t padding;
-  X509_ALGOR *algor = NULL;
-  const uint8_t *derp;
-  EVP_PKEY *pkey = NULL;
-  EVP_MD_CTX md_ctx;
-
-  EVP_MD_CTX_init(&md_ctx);
-
   CBS_init(&cert, kExamplePSSCert, sizeof(kExamplePSSCert));
   if (!CBS_get_asn1(&cert, &cert_body, CBS_ASN1_SEQUENCE) ||
       CBS_len(&cert) != 0 ||
@@ -482,155 +466,133 @@ static int test_EVP_DigestVerifyInitFromAlgorithm(void) {
       !CBS_get_asn1(&cert_body, &signature, CBS_ASN1_BITSTRING) ||
       CBS_len(&cert_body) != 0) {
     fprintf(stderr, "Failed to parse certificate\n");
-    goto out;
+    return false;
   }
 
-  /* Signatures are BIT STRINGs, but they have are multiple of 8 bytes, so the
-     leading phase byte is just a zero. */
+  // Signatures are BIT STRINGs, but they have are multiple of 8 bytes, so the
+  // leading phase byte is just a zero.
+  uint8_t padding;
   if (!CBS_get_u8(&signature, &padding) || padding != 0) {
     fprintf(stderr, "Invalid signature padding\n");
-    goto out;
+    return false;
   }
 
-  derp = CBS_data(&algorithm);
-  if (!d2i_X509_ALGOR(&algor, &derp, CBS_len(&algorithm)) ||
-      derp != CBS_data(&algorithm) + CBS_len(&algorithm)) {
+  const uint8_t *derp = CBS_data(&algorithm);
+  ScopedX509_ALGOR algor(d2i_X509_ALGOR(NULL, &derp, CBS_len(&algorithm)));
+  if (!algor || derp != CBS_data(&algorithm) + CBS_len(&algorithm)) {
     fprintf(stderr, "Failed to parse algorithm\n");
+    return false;
   }
 
-  pkey = load_example_rsa_key();
-  if (pkey == NULL ||
-      !EVP_DigestVerifyInitFromAlgorithm(&md_ctx, algor, pkey) ||
-      !EVP_DigestVerifyUpdate(&md_ctx, CBS_data(&tbs_cert),
+  ScopedEVP_PKEY pkey = LoadExampleRSAKey();
+  ScopedEVP_MD_CTX md_ctx;
+  if (!pkey ||
+      !EVP_DigestVerifyInitFromAlgorithm(md_ctx.get(), algor.get(),
+                                         pkey.get()) ||
+      !EVP_DigestVerifyUpdate(md_ctx.get(), CBS_data(&tbs_cert),
                               CBS_len(&tbs_cert)) ||
-      !EVP_DigestVerifyFinal(&md_ctx, CBS_data(&signature),
+      !EVP_DigestVerifyFinal(md_ctx.get(), CBS_data(&signature),
                              CBS_len(&signature))) {
-    goto out;
-  }
-  ret = 1;
-
-out:
-  if (!ret) {
-    BIO_print_errors_fp(stderr);
+    return false;
   }
-
-  EVP_MD_CTX_cleanup(&md_ctx);
-  if (pkey) {
-    EVP_PKEY_free(pkey);
-  }
-
-  return ret;
+  return true;
 }
 
-static int test_d2i_AutoPrivateKey(const uint8_t *input, size_t input_len,
+static bool Testd2i_AutoPrivateKey(const uint8_t *input, size_t input_len,
                                    int expected_id) {
-  int ret = 0;
-  const uint8_t *p;
-  EVP_PKEY *pkey = NULL;
-
-  p = input;
-  pkey = d2i_AutoPrivateKey(NULL, &p, input_len);
-  if (pkey == NULL || p != input + input_len) {
+  const uint8_t *p = input;
+  ScopedEVP_PKEY pkey(d2i_AutoPrivateKey(NULL, &p, input_len));
+  if (!pkey || p != input + input_len) {
     fprintf(stderr, "d2i_AutoPrivateKey failed\n");
-    goto done;
+    return false;
   }
 
-  if (EVP_PKEY_id(pkey) != expected_id) {
+  if (EVP_PKEY_id(pkey.get()) != expected_id) {
     fprintf(stderr, "Did not decode expected type\n");
-    goto done;
+    return false;
   }
 
-  ret = 1;
-
-done:
-  if (!ret) {
-    BIO_print_errors_fp(stderr);
-  }
-
-  if (pkey != NULL) {
-    EVP_PKEY_free(pkey);
-  }
-  return ret;
+  return true;
 }
 
-/* Tests loading a bad key in PKCS8 format */
-static int test_EVP_PKCS82PKEY(void) {
-  int ret = 0;
+// TestEVP_PKCS82PKEY tests loading a bad key in PKCS8 format.
+static bool TestEVP_PKCS82PKEY(void) {
   const uint8_t *derp = kExampleBadECKeyDER;
-  PKCS8_PRIV_KEY_INFO *p8inf = NULL;
-  EVP_PKEY *pkey = NULL;
-
-  p8inf = d2i_PKCS8_PRIV_KEY_INFO(NULL, &derp, sizeof(kExampleBadECKeyDER));
-
+  ScopedPKCS8_PRIV_KEY_INFO p8inf(
+      d2i_PKCS8_PRIV_KEY_INFO(NULL, &derp, sizeof(kExampleBadECKeyDER)));
   if (!p8inf || derp != kExampleBadECKeyDER + sizeof(kExampleBadECKeyDER)) {
     fprintf(stderr, "Failed to parse key\n");
-    goto done;
+    return false;
   }
 
-  pkey = EVP_PKCS82PKEY(p8inf);
+  ScopedEVP_PKEY pkey(EVP_PKCS82PKEY(p8inf.get()));
   if (pkey) {
     fprintf(stderr, "Imported invalid EC key\n");
-    goto done;
+    return false;
   }
 
-  ret = 1;
-
-done:
-  if (p8inf != NULL) {
-    PKCS8_PRIV_KEY_INFO_free(p8inf);
-  }
-
-  if (pkey != NULL) {
-    EVP_PKEY_free(pkey);
-  }
-
-  return ret;
+  return true;
 }
 
 int main(void) {
   CRYPTO_library_init();
   ERR_load_crypto_strings();
 
-  if (!test_EVP_DigestSignInit()) {
+  if (!TestEVP_DigestSignInit()) {
     fprintf(stderr, "EVP_DigestSignInit failed\n");
+    ERR_print_errors_fp(stderr);
     return 1;
   }
 
-  if (!test_EVP_DigestVerifyInit()) {
+  if (!TestEVP_DigestVerifyInit()) {
     fprintf(stderr, "EVP_DigestVerifyInit failed\n");
+    ERR_print_errors_fp(stderr);
     return 1;
   }
 
-  if (!test_EVP_DigestSignAlgorithm()) {
+  if (!TestEVP_DigestSignAlgorithm()) {
     fprintf(stderr, "EVP_DigestSignInit failed\n");
+    ERR_print_errors_fp(stderr);
     return 1;
   }
 
-  if (!test_EVP_DigestVerifyInitFromAlgorithm()) {
+  if (!TestEVP_DigestVerifyInitFromAlgorithm()) {
     fprintf(stderr, "EVP_DigestVerifyInitFromAlgorithm failed\n");
+    ERR_print_errors_fp(stderr);
     return 1;
   }
 
-  if (!test_d2i_AutoPrivateKey(kExampleRSAKeyDER, sizeof(kExampleRSAKeyDER),
-                               EVP_PKEY_RSA)) {
+  if (!Testd2i_AutoPrivateKey(kExampleRSAKeyDER, sizeof(kExampleRSAKeyDER),
+                              EVP_PKEY_RSA)) {
     fprintf(stderr, "d2i_AutoPrivateKey(kExampleRSAKeyDER) failed\n");
+    ERR_print_errors_fp(stderr);
     return 1;
   }
 
-  if (!test_d2i_AutoPrivateKey(kExampleRSAKeyPKCS8, sizeof(kExampleRSAKeyPKCS8),
-                               EVP_PKEY_RSA)) {
+  if (!Testd2i_AutoPrivateKey(kExampleRSAKeyPKCS8, sizeof(kExampleRSAKeyPKCS8),
+                              EVP_PKEY_RSA)) {
     fprintf(stderr, "d2i_AutoPrivateKey(kExampleRSAKeyPKCS8) failed\n");
+    ERR_print_errors_fp(stderr);
     return 1;
   }
 
-  if (!test_d2i_AutoPrivateKey(kExampleECKeyDER, sizeof(kExampleECKeyDER),
-                               EVP_PKEY_EC)) {
+  if (!Testd2i_AutoPrivateKey(kExampleECKeyDER, sizeof(kExampleECKeyDER),
+                              EVP_PKEY_EC)) {
     fprintf(stderr, "d2i_AutoPrivateKey(kExampleECKeyDER) failed\n");
+    ERR_print_errors_fp(stderr);
+    return 1;
+  }
+
+  if (!Testd2i_AutoPrivateKey(kExampleDSAKeyDER, sizeof(kExampleDSAKeyDER),
+                              EVP_PKEY_DSA)) {
+    fprintf(stderr, "d2i_AutoPrivateKey(kExampleDSAKeyDER) failed\n");
+    ERR_print_errors_fp(stderr);
     return 1;
   }
 
-  if (!test_EVP_PKCS82PKEY()) {
-    fprintf(stderr, "test_EVP_PKCS82PKEY failed\n");
+  if (!TestEVP_PKCS82PKEY()) {
+    fprintf(stderr, "TestEVP_PKCS82PKEY failed\n");
+    ERR_print_errors_fp(stderr);
     return 1;
   }
 
diff --git a/src/crypto/evp/evp_test.cc b/src/crypto/evp/evp_test.cc
new file mode 100644
index 0000000..239f868
--- /dev/null
+++ b/src/crypto/evp/evp_test.cc
@@ -0,0 +1,262 @@
+/*
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <map>
+#include <string>
+#include <vector>
+
+#include <openssl/bio.h>
+#include <openssl/crypto.h>
+#include <openssl/digest.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/pem.h>
+
+#include "../test/file_test.h"
+#include "../test/scoped_types.h"
+#include "../test/stl_compat.h"
+
+
+// evp_test dispatches between multiple test types. HMAC tests test the legacy
+// EVP_PKEY_HMAC API. PrivateKey tests take a key name parameter and single
+// block, decode it as a PEM private key, and save it under that key name.
+// Decrypt, Sign, and Verify tests take a previously imported key name as
+// parameter and test their respective operations.
+
+static const EVP_MD *GetDigest(FileTest *t, const std::string &name) {
+  if (name == "MD5") {
+    return EVP_md5();
+  } else if (name == "SHA1") {
+    return EVP_sha1();
+  } else if (name == "SHA224") {
+    return EVP_sha224();
+  } else if (name == "SHA256") {
+    return EVP_sha256();
+  } else if (name == "SHA384") {
+    return EVP_sha384();
+  } else if (name == "SHA512") {
+    return EVP_sha512();
+  }
+  t->PrintLine("Unknown digest: '%s'", name.c_str());
+  return nullptr;
+}
+
+using KeyMap = std::map<std::string, EVP_PKEY*>;
+
+// ImportPrivateKey evaluates a PrivateKey test in |t| and writes the resulting
+// private key to |key_map|.
+static bool ImportPrivateKey(FileTest *t, KeyMap *key_map) {
+  const std::string &key_name = t->GetParameter();
+  if (key_map->count(key_name) > 0) {
+    t->PrintLine("Duplicate key '%s'.", key_name.c_str());
+    return false;
+  }
+  const std::string &block = t->GetBlock();
+  ScopedBIO bio(BIO_new_mem_buf(const_cast<char*>(block.data()), block.size()));
+  if (!bio) {
+    return false;
+  }
+  ScopedEVP_PKEY pkey(PEM_read_bio_PrivateKey(bio.get(), nullptr, 0, nullptr));
+  if (!pkey) {
+    t->PrintLine("Error reading private key.");
+    return false;
+  }
+  (*key_map)[key_name] = pkey.release();
+  return true;
+}
+
+static bool TestHMAC(FileTest *t) {
+  std::string digest_str;
+  if (!t->GetAttribute(&digest_str, "HMAC")) {
+    return false;
+  }
+  const EVP_MD *digest = GetDigest(t, digest_str);
+  if (digest == nullptr) {
+    return false;
+  }
+
+  std::vector<uint8_t> key, input, output;
+  if (!t->GetBytes(&key, "Key") ||
+      !t->GetBytes(&input, "Input") ||
+      !t->GetBytes(&output, "Output")) {
+    return false;
+  }
+
+  ScopedEVP_PKEY pkey(EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, nullptr,
+                                           bssl::vector_data(&key),
+                                           key.size()));
+  ScopedEVP_MD_CTX mctx;
+  if (!pkey ||
+      !EVP_DigestSignInit(mctx.get(), nullptr, digest, nullptr, pkey.get()) ||
+      !EVP_DigestSignUpdate(mctx.get(), bssl::vector_data(&input),
+                            input.size())) {
+    return false;
+  }
+
+  size_t len;
+  std::vector<uint8_t> actual;
+  if (!EVP_DigestSignFinal(mctx.get(), nullptr, &len)) {
+    return false;
+  }
+  actual.resize(len);
+  if (!EVP_DigestSignFinal(mctx.get(), bssl::vector_data(&actual), &len)) {
+    return false;
+  }
+  actual.resize(len);
+  return t->ExpectBytesEqual(bssl::vector_data(&output), output.size(),
+                             bssl::vector_data(&actual), actual.size());
+}
+
+static bool TestEVP(FileTest *t, void *arg) {
+  KeyMap *key_map = reinterpret_cast<KeyMap*>(arg);
+  if (t->GetType() == "PrivateKey") {
+    return ImportPrivateKey(t, key_map);
+  } else if (t->GetType() == "HMAC") {
+    return TestHMAC(t);
+  }
+
+  int (*key_op_init)(EVP_PKEY_CTX *ctx);
+  int (*key_op)(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *out_len,
+                const uint8_t *in, size_t in_len);
+  if (t->GetType() == "Decrypt") {
+    key_op_init = EVP_PKEY_decrypt_init;
+    key_op = EVP_PKEY_decrypt;
+  } else if (t->GetType() == "Sign") {
+    key_op_init = EVP_PKEY_sign_init;
+    key_op = EVP_PKEY_sign;
+  } else if (t->GetType() == "Verify") {
+    key_op_init = EVP_PKEY_verify_init;
+    key_op = nullptr;  // EVP_PKEY_verify is handled differently.
+  } else {
+    t->PrintLine("Unknown test '%s'", t->GetType().c_str());
+    return false;
+  }
+
+  // Load the key.
+  const std::string &key_name = t->GetParameter();
+  if (key_map->count(key_name) == 0) {
+    t->PrintLine("Could not find key '%s'.", key_name.c_str());
+    return false;
+  }
+  EVP_PKEY *key = (*key_map)[key_name];
+
+  std::vector<uint8_t> input, output;
+  if (!t->GetBytes(&input, "Input") ||
+      !t->GetBytes(&output, "Output")) {
+    return false;
+  }
+
+  // Set up the EVP_PKEY_CTX.
+  ScopedEVP_PKEY_CTX ctx(EVP_PKEY_CTX_new(key, nullptr));
+  if (!ctx || !key_op_init(ctx.get())) {
+    return false;
+  }
+  if (t->HasAttribute("Digest")) {
+    const EVP_MD *digest = GetDigest(t, t->GetAttributeOrDie("Digest"));
+    if (digest == nullptr ||
+        !EVP_PKEY_CTX_set_signature_md(ctx.get(), digest)) {
+      return false;
+    }
+  }
+
+  if (t->GetType() == "Verify") {
+    if (!EVP_PKEY_verify(ctx.get(), bssl::vector_data(&output), output.size(),
+                         bssl::vector_data(&input), input.size())) {
+      // ECDSA sometimes doesn't push an error code. Push one on the error queue
+      // so it's distinguishable from other errors.
+      ERR_put_error(ERR_LIB_USER, 0, ERR_R_EVP_LIB, __FILE__, __LINE__);
+      return false;
+    }
+    return true;
+  }
+
+  size_t len;
+  std::vector<uint8_t> actual;
+  if (!key_op(ctx.get(), nullptr, &len, bssl::vector_data(&input),
+              input.size())) {
+    return false;
+  }
+  actual.resize(len);
+  if (!key_op(ctx.get(), bssl::vector_data(&actual), &len,
+              bssl::vector_data(&input), input.size())) {
+    return false;
+  }
+  actual.resize(len);
+  if (!t->ExpectBytesEqual(bssl::vector_data(&output), output.size(),
+                           bssl::vector_data(&actual), len)) {
+    return false;
+  }
+  return true;
+}
+
+int main(int argc, char **argv) {
+  CRYPTO_library_init();
+  if (argc != 2) {
+    fprintf(stderr, "%s <test file.txt>\n", argv[0]);
+    return 1;
+  }
+
+  KeyMap map;
+  int ret = FileTestMain(TestEVP, &map, argv[1]);
+  // TODO(davidben): When we can rely on a move-aware std::map, make KeyMap a
+  // map of ScopedEVP_PKEY instead.
+  for (const auto &pair : map) {
+    EVP_PKEY_free(pair.second);
+  }
+  return ret;
+}
diff --git a/src/crypto/evp/evp_tests.txt b/src/crypto/evp/evp_tests.txt
new file mode 100644
index 0000000..cccfa4f
--- /dev/null
+++ b/src/crypto/evp/evp_tests.txt
@@ -0,0 +1,174 @@
+# Public key algorithm tests
+
+# Private keys used for PKEY operations.
+
+# RSA 2048 bit key.
+
+PrivateKey = RSA-2048
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDNAIHqeyrh6gbV
+n3xz2f+5SglhXC5Lp8Y2zvCN01M+wxhVJbAVx2m5mnfWclv5w1Mqm25fZifV+4UW
+B2jT3anL01l0URcX3D0wnS/EfuQfl+Mq23+d2GShxHZ6Zm7NcbwarPXnUX9LOFlP
+6psF5C1a2pkSAIAT5FMWpNm7jtCGuI0odYusr5ItRqhotIXSOcm66w4rZFknEPQr
+LR6gpLSALAvsqzKPimiwBzvbVG/uqYCdKEmRKzkMFTK8finHZY+BdfrkbzQzL/h7
+yrPkBkm5hXeGnaDqcYNT8HInVIhpE2SHYNEivmduD8SD3SD/wxvalqMZZsmqLnWt
+A95H4cRPAgMBAAECggEAYCl6x5kbFnoG1rJHWLjL4gi+ubLZ7Jc4vYD5Ci41AF3X
+ziktnim6iFvTFv7x8gkTvArJDWsICLJBTYIQREHYYkozzgIzyPeApIs3Wv8C12cS
+IopwJITbP56+zM+77hcJ26GCgA2Unp5CFuC/81WDiPi9kNo3Oh2CdD7D+90UJ/0W
+glplejFpEuhpU2URfKL4RckJQF/KxV+JX8FdIDhsJu54yemQdQKaF4psHkzwwgDo
+qc+yfp0Vb4bmwq3CKxqEoc1cpbJ5CHXXlAfISzUjlcuBzD/tW7BDtp7eDAcgRVAC
+XO6MX0QBcLYSC7SOD3R7zY9SIRCFDfBDxCjf0YcFMQKBgQD2+WG0fLwDXTrt68fe
+hQqVa2Xs25z2B2QGPxWqSFU8WNly/mZ1BW413f3De/O58vYi7icTNyVoScm+8hdv
+6PfD+LuRujdN1TuvPeyBTSvewQwf3IjN0Wh28mse36PwlBl+301C/x+ylxEDuJjK
+hZxCcocIaoQqtBC7ac8tNa9r4wKBgQDUfnJKf/QQSLJwwlJKQQGHi3MVm7c9PbwY
+eyIOY1s1NPluJDoYTZP4YLa/u2txwe2aHh9FhYMCPDAelqaSwaCLU9DsnKkQEA2A
+RR47fcagG6xK7O+N95iEa8I1oIy7os9MBoBMwRIZ6VYIxxTj8UMNSR+tu6MqV1Gg
+T5d0WDTJpQKBgCHyRSu5uV39AoyRS/eZ8cp36JqV1Q08FtOE+EVfi9evnrPfo9WR
+2YQt7yNfdjCo5IwIj/ZkLhAXlFNakz4el2+oUJ/HKLLaDEoaCNf883q6rh/zABrK
+HcG7sF2d/7qhoJ9/se7zgjfZ68zHIrkzhDbd5xGREnmMJoCcGo3sQyBhAoGAH3UQ
+qmLC2N5KPFMoJ4H0HgLQ6LQCrnhDLkScSBEBYaEUA/AtAYgKjcyTgVLXlyGkcRpg
+esRHHr+WSBD5W+R6ReYEmeKfTJdzyDdzQE9gZjdyjC0DUbsDwybIu3OnIef6VEDq
+IXK7oUZfzDDcsNn4mTDoFaoff5cpqFfgDgM43VkCgYBNHw11b+d+AQmaZS9QqIt7
+aF3FvwCYHV0jdv0Mb+Kc1bY4c0R5MFpzrTwVmdOerjuuA1+9b+0Hwo3nBZM4eaBu
+SOamA2hu2OJWCl9q8fLCT69KqWDjghhvFe7c6aJJGucwaA3Uz3eLcPqoaCarMiNH
+fMkTd7GabVourqIZdgvu1Q==
+-----END PRIVATE KEY-----
+
+# EC P-256 key
+
+PrivateKey = P-256
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgiocvtiiTxNH/xbnw
++RdYBp+DUuCPoFpJ+NuSbLVyhyWhRANCAAQsFQ9CnOcPIWwlLPXgYs4fY5zV0WXH
++JQkBywnGX14szuSDpXNtmTpkNzwz+oNlOKo5q+dDlgFbmUxBJJbn+bJ
+-----END PRIVATE KEY-----
+
+# RSA tests
+
+Sign = RSA-2048
+Digest = SHA1
+Input = "0123456789ABCDEF1234"
+Output = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
+
+Verify = RSA-2048
+Digest = SHA1
+Input = "0123456789ABCDEF1234"
+Output = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
+
+# Digest too long
+Sign = RSA-2048
+Digest = SHA1
+Input = "0123456789ABCDEF12345"
+Output =
+Error = INVALID_DIGEST_LENGTH
+
+# Digest too short
+Sign = RSA-2048
+Digest = SHA1
+Input = "0123456789ABCDEF12345"
+Output =
+Error = INVALID_DIGEST_LENGTH
+
+# Mismatched digest
+Verify = RSA-2048
+Digest = SHA1
+Input = "0123456789ABCDEF1233"
+Output = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
+Error = BAD_SIGNATURE
+
+# Corrupted signature
+Verify = RSA-2048
+Digest = SHA1
+Input = "0123456789ABCDEF1233"
+Output = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ae
+Error = BLOCK_TYPE_IS_NOT_01
+
+# parameter missing (NOTE: this differs from upstream)
+Verify = RSA-2048
+Digest = SHA1
+Input = "0123456789ABCDEF1234"
+Output = 3ec3fc29eb6e122bd7aa361cd09fe1bcbe85311096a7b9e4799cedfb2351ce0ab7fe4e75b4f6b37f67edd9c60c800f9ab941c0c157d7d880ca9de40c951d60fd293ae220d4bc510b1572d6e85a1bbbd8605b52e05f1c64fafdae59a1c2fbed214b7844d0134619de62851d5a0522e32e556e5950f3f97b8150e3f0dffee612c924201c27cd9bc8b423a71533380c276d3d59fcba35a2e80a1a192ec266a6c2255012cd86a349fe90a542b355fa3355b04da6cdf1df77f0e7bd44a90e880e1760266d233e465226f5db1c68857847d82072861ee266ddfc2e596845b77e1803274a579835ab5e4975d81d20b7df9cec7795489e4a2bdb8c1cf6a6b359945ac92c
+Error = BAD_SIGNATURE
+
+# embedded digest too long
+Verify = RSA-2048
+Digest = SHA1
+Input = "0123456789ABCDEF1234"
+Output = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
+Error = BAD_SIGNATURE
+
+# embedded digest too short
+Verify = RSA-2048
+Digest = SHA1
+Input = "0123456789ABCDEF1234"
+Output = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
+Error = BAD_SIGNATURE
+
+# Garbage after DigestInfo
+Verify = RSA-2048
+Digest = SHA1
+Input = "0123456789ABCDEF1234"
+Output = 9ee34872d4271a7d8808af0a4052a145a6d6a8437d00da3ed14428c7f087cd39f4d43334c41af63e7fa1ba363fee7bcef401d9d36a662abbab55ce89a696e1be0dfa19a5d09ca617dd488787b6048baaefeb29bc8688b2fe3882de2b77c905b5a8b56cf9616041e5ec934ba6de863efe93acc4eef783fe7f72a00fa65d6093ed32bf98ce527e62ccb1d56317f4be18b7e0f55d7c36617d2d0678a306e3350956b662ac15df45215dd8f6b314babb9788e6c272fa461e4c9b512a11a4b92bc77c3a4c95c903fccb238794eca5c750477bf56ea6ee6a167367d881b485ae3889e7c489af8fdf38e0c0f2aed780831182e34abedd43c39281b290774bf35cc25274
+Error = BAD_SIGNATURE
+
+# invalid tag for parameter
+Verify = RSA-2048
+Digest = SHA1
+Input = "0123456789ABCDEF1234"
+Output = 49525db4d44c755e560cba980b1d85ea604b0e077fcadd4ba44072a3487bbddb835016200a7d8739cce2dc3223d9c20cbdd25059ab02277f1f21318efd18e21038ec89aa9d40680987129e8b41ba33bceb86518bdf47268b921cce2037acabca6575d832499538d6f40cdba0d40bd7f4d8ea6ca6e2eec87f294efc971407857f5d7db09f6a7b31e301f571c6d82a5e3d08d2bb3a36e673d28b910f5bec57f0fcc4d968fd7c94d0b9226dec17f5192ad8b42bcab6f26e1bea1fdc3b958199acb00f14ebcb2a352f3afcedd4c09000128a603bbeb9696dea13040445253972d46237a25c7845e3b464e6984c2348ea1f1210a9ff0b00d2d72b50db00c009bb39f9
+Error = BAD_SIGNATURE
+
+# EC tests
+
+Verify = P-256
+Digest = SHA1
+Input = "0123456789ABCDEF1234"
+Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
+
+# Digest too long
+Verify = P-256
+Digest = SHA1
+Input = "0123456789ABCDEF12345"
+Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
+# This operation fails without an error code, so ERR_R_EVP_LIB is surfaced.
+Error = public key routines
+
+# Digest too short
+Verify = P-256
+Digest = SHA1
+Input = "0123456789ABCDEF123"
+Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
+# This operation fails without an error code, so ERR_R_EVP_LIB is surfaced.
+Error = public key routines
+
+# Digest invalid
+Verify = P-256
+Digest = SHA1
+Input = "0123456789ABCDEF1235"
+Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
+# This operation fails without an error code, so ERR_R_EVP_LIB is surfaced.
+Error = public key routines
+
+# Invalid signature
+Verify = P-256
+Digest = SHA1
+Input = "0123456789ABCDEF1234"
+Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec7
+# This operation fails without an error code, so ERR_R_EVP_LIB is surfaced.
+Error = public key routines
+
+# Garbage after signature
+Verify = P-256
+Digest = SHA1
+Input = "0123456789ABCDEF1234"
+Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec800
+# This operation fails without an error code, so ERR_R_EVP_LIB is surfaced.
+Error = public key routines
+
+# BER signature
+Verify = P-256
+Digest = SHA1
+Input = "0123456789ABCDEF1234"
+Output = 3080022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec80000
+# This operation fails without an error code, so ERR_R_EVP_LIB is surfaced.
+Error = public key routines
diff --git a/src/crypto/evp/internal.h b/src/crypto/evp/internal.h
index 2b0f608..08a7bfb 100644
--- a/src/crypto/evp/internal.h
+++ b/src/crypto/evp/internal.h
@@ -170,8 +170,49 @@ typedef int EVP_PKEY_gen_cb(EVP_PKEY_CTX *ctx);
 
 #define EVP_PKEY_OP_TYPE_GEN (EVP_PKEY_OP_PARAMGEN | EVP_PKEY_OP_KEYGEN)
 
+/* EVP_PKEY_CTX_ctrl performs |cmd| on |ctx|. The |keytype| and |optype|
+ * arguments can be -1 to specify that any type and operation are acceptable,
+ * otherwise |keytype| must match the type of |ctx| and the bits of |optype|
+ * must intersect the operation flags set on |ctx|.
+ *
+ * The |p1| and |p2| arguments depend on the value of |cmd|.
+ *
+ * It returns one on success and zero on error. */
+OPENSSL_EXPORT int EVP_PKEY_CTX_ctrl(EVP_PKEY_CTX *ctx, int keytype, int optype,
+                                     int cmd, int p1, void *p2);
+
+/* EVP_PKEY_CTRL_DIGESTINIT is an internal value. It's called by
+ * EVP_DigestInit_ex to signal the |EVP_PKEY| that a digest operation is
+ * starting.
+ *
+ * TODO(davidben): This is only needed to support the deprecated HMAC |EVP_PKEY|
+ * types. */
+#define EVP_PKEY_CTRL_DIGESTINIT 3
+
+/* EVP_PKEY_CTRL_PEER_KEY is called with different values of |p1|:
+ *   0: Is called from |EVP_PKEY_derive_set_peer| and |p2| contains a peer key.
+ *      If the return value is <= 0, the key is rejected.
+ *   1: Is called at the end of |EVP_PKEY_derive_set_peer| and |p2| contains a
+ *      peer key. If the return value is <= 0, the key is rejected.
+ *   2: Is called with |p2| == NULL to test whether the peer's key was used.
+ *      (EC)DH always return one in this case.
+ *   3: Is called with |p2| == NULL to set whether the peer's key was used.
+ *      (EC)DH always return one in this case. This was only used for GOST. */
+#define EVP_PKEY_CTRL_PEER_KEY 4
+
+/* EVP_PKEY_CTRL_SET_MAC_KEY sets a MAC key. For example, this can be done an
+ * |EVP_PKEY_CTX| prior to calling |EVP_PKEY_keygen| in order to generate an
+ * HMAC |EVP_PKEY| with the given key. It returns one on success and zero on
+ * error. */
+#define EVP_PKEY_CTRL_SET_MAC_KEY 5
+
+/* EVP_PKEY_ALG_CTRL is the base value from which key-type specific ctrl
+ * commands are numbered. */
+#define EVP_PKEY_ALG_CTRL 0x1000
+
 #define EVP_PKEY_CTRL_MD 1
 #define EVP_PKEY_CTRL_GET_MD 2
+
 #define EVP_PKEY_CTRL_RSA_PADDING (EVP_PKEY_ALG_CTRL + 1)
 #define EVP_PKEY_CTRL_GET_RSA_PADDING (EVP_PKEY_ALG_CTRL + 2)
 #define EVP_PKEY_CTRL_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 3)
@@ -185,6 +226,8 @@ typedef int EVP_PKEY_gen_cb(EVP_PKEY_CTX *ctx);
 #define EVP_PKEY_CTRL_RSA_OAEP_LABEL (EVP_PKEY_ALG_CTRL + 11)
 #define EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL (EVP_PKEY_ALG_CTRL + 12)
 
+#define EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID (EVP_PKEY_ALG_CTRL + 1)
+
 struct evp_pkey_ctx_st {
   /* Method associated with this operation */
   const EVP_PKEY_METHOD *pmeth;
diff --git a/src/crypto/evp/p_dsa_asn1.c b/src/crypto/evp/p_dsa_asn1.c
new file mode 100644
index 0000000..0ac7da7
--- /dev/null
+++ b/src/crypto/evp/p_dsa_asn1.c
@@ -0,0 +1,569 @@
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2006.
+ */
+/* ====================================================================
+ * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com). */
+
+#include <openssl/evp.h>
+
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/digest.h>
+#include <openssl/dsa.h>
+#include <openssl/err.h>
+#include <openssl/mem.h>
+#include <openssl/obj.h>
+#include <openssl/x509.h>
+
+#include "../dsa/internal.h"
+#include "internal.h"
+
+
+static int dsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) {
+  const uint8_t *p, *pm;
+  int pklen, pmlen;
+  int ptype;
+  void *pval;
+  ASN1_STRING *pstr;
+  X509_ALGOR *palg;
+  ASN1_INTEGER *public_key = NULL;
+
+  DSA *dsa = NULL;
+
+  if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &palg, pubkey)) {
+    return 0;
+  }
+  X509_ALGOR_get0(NULL, &ptype, &pval, palg);
+
+  if (ptype == V_ASN1_SEQUENCE) {
+    pstr = pval;
+    pm = pstr->data;
+    pmlen = pstr->length;
+
+    dsa = d2i_DSAparams(NULL, &pm, pmlen);
+    if (dsa == NULL) {
+      OPENSSL_PUT_ERROR(EVP, dsa_pub_decode, EVP_R_DECODE_ERROR);
+      goto err;
+    }
+  } else if (ptype == V_ASN1_NULL || ptype == V_ASN1_UNDEF) {
+    dsa = DSA_new();
+    if (dsa == NULL) {
+      OPENSSL_PUT_ERROR(EVP, dsa_pub_decode, ERR_R_MALLOC_FAILURE);
+      goto err;
+    }
+  } else {
+    OPENSSL_PUT_ERROR(EVP, dsa_pub_decode, EVP_R_PARAMETER_ENCODING_ERROR);
+    goto err;
+  }
+
+  public_key = d2i_ASN1_INTEGER(NULL, &p, pklen);
+  if (public_key == NULL) {
+    OPENSSL_PUT_ERROR(EVP, dsa_pub_decode, EVP_R_DECODE_ERROR);
+    goto err;
+  }
+
+  dsa->pub_key = ASN1_INTEGER_to_BN(public_key, NULL);
+  if (dsa->pub_key == NULL) {
+    OPENSSL_PUT_ERROR(EVP, dsa_pub_decode, EVP_R_BN_DECODE_ERROR);
+    goto err;
+  }
+
+  ASN1_INTEGER_free(public_key);
+  EVP_PKEY_assign_DSA(pkey, dsa);
+  return 1;
+
+err:
+  ASN1_INTEGER_free(public_key);
+  DSA_free(dsa);
+  return 0;
+}
+
+static int dsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) {
+  DSA *dsa;
+  void *pval = NULL;
+  uint8_t *penc = NULL;
+  int penclen;
+
+  dsa = pkey->pkey.dsa;
+  dsa->write_params = 0;
+
+  penclen = i2d_DSAPublicKey(dsa, &penc);
+
+  if (penclen <= 0) {
+    OPENSSL_PUT_ERROR(EVP, dsa_pub_encode, ERR_R_MALLOC_FAILURE);
+    goto err;
+  }
+
+  if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_DSA), V_ASN1_UNDEF, pval,
+                             penc, penclen)) {
+    return 1;
+  }
+
+err:
+  OPENSSL_free(penc);
+  ASN1_STRING_free(pval);
+
+  return 0;
+}
+
+static int dsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8) {
+  const uint8_t *p, *pm;
+  int pklen, pmlen;
+  int ptype;
+  void *pval;
+  ASN1_STRING *pstr;
+  X509_ALGOR *palg;
+  ASN1_INTEGER *privkey = NULL;
+  BN_CTX *ctx = NULL;
+
+  /* In PKCS#8 DSA: you just get a private key integer and parameters in the
+   * AlgorithmIdentifier the pubkey must be recalculated. */
+
+  STACK_OF(ASN1_TYPE) *ndsa = NULL;
+  DSA *dsa = NULL;
+
+  if (!PKCS8_pkey_get0(NULL, &p, &pklen, &palg, p8)) {
+    return 0;
+  }
+  X509_ALGOR_get0(NULL, &ptype, &pval, palg);
+
+  /* Check for broken DSA PKCS#8, UGH! */
+  if (*p == (V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED)) {
+    ASN1_TYPE *t1, *t2;
+    ndsa = d2i_ASN1_SEQUENCE_ANY(NULL, &p, pklen);
+    if (ndsa == NULL) {
+      goto decerr;
+    }
+    if (sk_ASN1_TYPE_num(ndsa) != 2) {
+      goto decerr;
+    }
+
+    /* Handle Two broken types:
+     * SEQUENCE {parameters, priv_key}
+     * SEQUENCE {pub_key, priv_key}. */
+
+    t1 = sk_ASN1_TYPE_value(ndsa, 0);
+    t2 = sk_ASN1_TYPE_value(ndsa, 1);
+    if (t1->type == V_ASN1_SEQUENCE) {
+      p8->broken = PKCS8_EMBEDDED_PARAM;
+      pval = t1->value.ptr;
+    } else if (ptype == V_ASN1_SEQUENCE) {
+      p8->broken = PKCS8_NS_DB;
+    } else {
+      goto decerr;
+    }
+
+    if (t2->type != V_ASN1_INTEGER) {
+      goto decerr;
+    }
+
+    privkey = t2->value.integer;
+  } else {
+    const uint8_t *q = p;
+    privkey = d2i_ASN1_INTEGER(NULL, &p, pklen);
+    if (privkey == NULL) {
+      goto decerr;
+    }
+    if (privkey->type == V_ASN1_NEG_INTEGER) {
+      p8->broken = PKCS8_NEG_PRIVKEY;
+      ASN1_INTEGER_free(privkey);
+      privkey = d2i_ASN1_UINTEGER(NULL, &q, pklen);
+      if (privkey == NULL) {
+        goto decerr;
+      }
+    }
+    if (ptype != V_ASN1_SEQUENCE) {
+      goto decerr;
+    }
+  }
+
+  pstr = pval;
+  pm = pstr->data;
+  pmlen = pstr->length;
+  dsa = d2i_DSAparams(NULL, &pm, pmlen);
+  if (dsa == NULL) {
+    goto decerr;
+  }
+  /* We have parameters. Now set private key */
+  dsa->priv_key = ASN1_INTEGER_to_BN(privkey, NULL);
+  if (dsa->priv_key == NULL) {
+    OPENSSL_PUT_ERROR(EVP, dsa_priv_decode, ERR_LIB_BN);
+    goto dsaerr;
+  }
+  /* Calculate public key. */
+  dsa->pub_key = BN_new();
+  if (dsa->pub_key == NULL) {
+    OPENSSL_PUT_ERROR(EVP, dsa_priv_decode, ERR_R_MALLOC_FAILURE);
+    goto dsaerr;
+  }
+  ctx = BN_CTX_new();
+  if (ctx == NULL) {
+    OPENSSL_PUT_ERROR(EVP, dsa_priv_decode, ERR_R_MALLOC_FAILURE);
+    goto dsaerr;
+  }
+
+  if (!BN_mod_exp(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p, ctx)) {
+    OPENSSL_PUT_ERROR(EVP, dsa_priv_decode, ERR_LIB_BN);
+    goto dsaerr;
+  }
+
+  EVP_PKEY_assign_DSA(pkey, dsa);
+  BN_CTX_free(ctx);
+  sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
+  ASN1_INTEGER_free(privkey);
+
+  return 1;
+
+decerr:
+  OPENSSL_PUT_ERROR(EVP, dsa_priv_decode, EVP_R_DECODE_ERROR);
+
+dsaerr:
+  BN_CTX_free(ctx);
+  ASN1_INTEGER_free(privkey);
+  sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
+  DSA_free(dsa);
+  return 0;
+}
+
+static int dsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey) {
+  ASN1_STRING *params = NULL;
+  ASN1_INTEGER *prkey = NULL;
+  uint8_t *dp = NULL;
+  int dplen;
+
+  if (!pkey->pkey.dsa || !pkey->pkey.dsa->priv_key) {
+    OPENSSL_PUT_ERROR(EVP, dsa_priv_encode, EVP_R_MISSING_PARAMETERS);
+    goto err;
+  }
+
+  params = ASN1_STRING_new();
+  if (!params) {
+    OPENSSL_PUT_ERROR(EVP, dsa_priv_encode, ERR_R_MALLOC_FAILURE);
+    goto err;
+  }
+
+  params->length = i2d_DSAparams(pkey->pkey.dsa, &params->data);
+  if (params->length <= 0) {
+    OPENSSL_PUT_ERROR(EVP, dsa_priv_encode, ERR_R_MALLOC_FAILURE);
+    goto err;
+  }
+  params->type = V_ASN1_SEQUENCE;
+
+  /* Get private key into integer. */
+  prkey = BN_to_ASN1_INTEGER(pkey->pkey.dsa->priv_key, NULL);
+
+  if (!prkey) {
+    OPENSSL_PUT_ERROR(EVP, dsa_priv_encode, ERR_LIB_BN);
+    goto err;
+  }
+
+  dplen = i2d_ASN1_INTEGER(prkey, &dp);
+
+  ASN1_INTEGER_free(prkey);
+
+  if (!PKCS8_pkey_set0(p8, (ASN1_OBJECT *)OBJ_nid2obj(NID_dsa), 0,
+                       V_ASN1_SEQUENCE, params, dp, dplen)) {
+    goto err;
+  }
+
+  return 1;
+
+err:
+  OPENSSL_free(dp);
+  ASN1_STRING_free(params);
+  ASN1_INTEGER_free(prkey);
+  return 0;
+}
+
+static int int_dsa_size(const EVP_PKEY *pkey) {
+  return DSA_size(pkey->pkey.dsa);
+}
+
+static int dsa_bits(const EVP_PKEY *pkey) {
+  return BN_num_bits(pkey->pkey.dsa->p);
+}
+
+static int dsa_missing_parameters(const EVP_PKEY *pkey) {
+  DSA *dsa;
+  dsa = pkey->pkey.dsa;
+  if (dsa->p == NULL || dsa->q == NULL || dsa->g == NULL) {
+    return 1;
+  }
+  return 0;
+}
+
+static int dup_bn_into(BIGNUM **out, BIGNUM *src) {
+  BIGNUM *a;
+
+  a = BN_dup(src);
+  if (a == NULL) {
+    return 0;
+  }
+  BN_free(*out);
+  *out = a;
+
+  return 1;
+}
+
+static int dsa_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from) {
+  if (!dup_bn_into(&to->pkey.dsa->p, from->pkey.dsa->p) ||
+      !dup_bn_into(&to->pkey.dsa->q, from->pkey.dsa->q) ||
+      !dup_bn_into(&to->pkey.dsa->g, from->pkey.dsa->g)) {
+    return 0;
+  }
+
+  return 1;
+}
+
+static int dsa_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b) {
+  return BN_cmp(a->pkey.dsa->p, b->pkey.dsa->p) == 0 &&
+         BN_cmp(a->pkey.dsa->q, b->pkey.dsa->q) == 0 &&
+         BN_cmp(a->pkey.dsa->g, b->pkey.dsa->g) == 0;
+}
+
+static int dsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) {
+  return BN_cmp(b->pkey.dsa->pub_key, a->pkey.dsa->pub_key) == 0;
+}
+
+static void int_dsa_free(EVP_PKEY *pkey) { DSA_free(pkey->pkey.dsa); }
+
+static void update_buflen(const BIGNUM *b, size_t *pbuflen) {
+  size_t i;
+
+  if (!b) {
+    return;
+  }
+  i = BN_num_bytes(b);
+  if (*pbuflen < i) {
+    *pbuflen = i;
+  }
+}
+
+static int do_dsa_print(BIO *bp, const DSA *x, int off, int ptype) {
+  uint8_t *m = NULL;
+  int ret = 0;
+  size_t buf_len = 0;
+  const char *ktype = NULL;
+
+  const BIGNUM *priv_key, *pub_key;
+
+  priv_key = NULL;
+  if (ptype == 2) {
+    priv_key = x->priv_key;
+  }
+
+  pub_key = NULL;
+  if (ptype > 0) {
+    pub_key = x->pub_key;
+  }
+
+  ktype = "DSA-Parameters";
+  if (ptype == 2) {
+    ktype = "Private-Key";
+  } else if (ptype == 1) {
+    ktype = "Public-Key";
+  }
+
+  update_buflen(x->p, &buf_len);
+  update_buflen(x->q, &buf_len);
+  update_buflen(x->g, &buf_len);
+  update_buflen(priv_key, &buf_len);
+  update_buflen(pub_key, &buf_len);
+
+  m = (uint8_t *)OPENSSL_malloc(buf_len + 10);
+  if (m == NULL) {
+    OPENSSL_PUT_ERROR(EVP, do_dsa_print, ERR_R_MALLOC_FAILURE);
+    goto err;
+  }
+
+  if (priv_key) {
+    if (!BIO_indent(bp, off, 128) ||
+        BIO_printf(bp, "%s: (%d bit)\n", ktype, BN_num_bits(x->p)) <= 0) {
+      goto err;
+    }
+  }
+
+  if (!ASN1_bn_print(bp, "priv:", priv_key, m, off) ||
+      !ASN1_bn_print(bp, "pub: ", pub_key, m, off) ||
+      !ASN1_bn_print(bp, "P:   ", x->p, m, off) ||
+      !ASN1_bn_print(bp, "Q:   ", x->q, m, off) ||
+      !ASN1_bn_print(bp, "G:   ", x->g, m, off)) {
+    goto err;
+  }
+  ret = 1;
+
+err:
+  OPENSSL_free(m);
+  return ret;
+}
+
+static int dsa_param_decode(EVP_PKEY *pkey, const uint8_t **pder, int derlen) {
+  DSA *dsa;
+  dsa = d2i_DSAparams(NULL, pder, derlen);
+  if (dsa == NULL) {
+    OPENSSL_PUT_ERROR(EVP, dsa_param_decode, ERR_R_DSA_LIB);
+    return 0;
+  }
+  EVP_PKEY_assign_DSA(pkey, dsa);
+  return 1;
+}
+
+static int dsa_param_encode(const EVP_PKEY *pkey, uint8_t **pder) {
+  return i2d_DSAparams(pkey->pkey.dsa, pder);
+}
+
+static int dsa_param_print(BIO *bp, const EVP_PKEY *pkey, int indent,
+                           ASN1_PCTX *ctx) {
+  return do_dsa_print(bp, pkey->pkey.dsa, indent, 0);
+}
+
+static int dsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent,
+                         ASN1_PCTX *ctx) {
+  return do_dsa_print(bp, pkey->pkey.dsa, indent, 1);
+}
+
+static int dsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent,
+                          ASN1_PCTX *ctx) {
+  return do_dsa_print(bp, pkey->pkey.dsa, indent, 2);
+}
+
+static int old_dsa_priv_decode(EVP_PKEY *pkey, const uint8_t **pder,
+                               int derlen) {
+  DSA *dsa;
+  dsa = d2i_DSAPrivateKey(NULL, pder, derlen);
+  if (dsa == NULL) {
+    OPENSSL_PUT_ERROR(EVP, old_dsa_priv_decode, ERR_R_DSA_LIB);
+    return 0;
+  }
+  EVP_PKEY_assign_DSA(pkey, dsa);
+  return 1;
+}
+
+static int old_dsa_priv_encode(const EVP_PKEY *pkey, uint8_t **pder) {
+  return i2d_DSAPrivateKey(pkey->pkey.dsa, pder);
+}
+
+static int dsa_sig_print(BIO *bp, const X509_ALGOR *sigalg,
+                         const ASN1_STRING *sig, int indent, ASN1_PCTX *pctx) {
+  DSA_SIG *dsa_sig;
+  const uint8_t *p;
+
+  if (!sig) {
+    return BIO_puts(bp, "\n") > 0;
+  }
+
+  p = sig->data;
+  dsa_sig = d2i_DSA_SIG(NULL, &p, sig->length);
+  if (dsa_sig == NULL) {
+    return X509_signature_dump(bp, sig, indent);
+  }
+
+  int rv = 0;
+  size_t buf_len = 0;
+  uint8_t *m = NULL;
+
+  update_buflen(dsa_sig->r, &buf_len);
+  update_buflen(dsa_sig->s, &buf_len);
+  m = OPENSSL_malloc(buf_len + 10);
+  if (m == NULL) {
+    OPENSSL_PUT_ERROR(EVP, dsa_sig_print, ERR_R_MALLOC_FAILURE);
+    goto err;
+  }
+
+  if (BIO_write(bp, "\n", 1) != 1 ||
+      !ASN1_bn_print(bp, "r:   ", dsa_sig->r, m, indent) ||
+      !ASN1_bn_print(bp, "s:   ", dsa_sig->s, m, indent)) {
+    goto err;
+  }
+  rv = 1;
+
+err:
+  OPENSSL_free(m);
+  DSA_SIG_free(dsa_sig);
+  return rv;
+}
+
+const EVP_PKEY_ASN1_METHOD dsa_asn1_meth = {
+  EVP_PKEY_DSA,
+  EVP_PKEY_DSA,
+  0,
+
+  "DSA",
+  "OpenSSL DSA method",
+
+  dsa_pub_decode,
+  dsa_pub_encode,
+  dsa_pub_cmp,
+  dsa_pub_print,
+
+  dsa_priv_decode,
+  dsa_priv_encode,
+  dsa_priv_print,
+
+  NULL /* pkey_opaque */,
+  NULL /* pkey_supports_digest */,
+
+  int_dsa_size,
+  dsa_bits,
+
+  dsa_param_decode,
+  dsa_param_encode,
+  dsa_missing_parameters,
+  dsa_copy_parameters,
+  dsa_cmp_parameters,
+  dsa_param_print,
+  dsa_sig_print,
+
+  int_dsa_free,
+  old_dsa_priv_decode,
+  old_dsa_priv_encode,
+};
diff --git a/src/crypto/evp/p_ec.c b/src/crypto/evp/p_ec.c
index c274131..73c00d8 100644
--- a/src/crypto/evp/p_ec.c
+++ b/src/crypto/evp/p_ec.c
@@ -119,9 +119,7 @@ static void pkey_ec_cleanup(EVP_PKEY_CTX *ctx) {
     return;
   }
 
-  if (dctx->gen_group) {
-    EC_GROUP_free(dctx->gen_group);
-  }
+  EC_GROUP_free(dctx->gen_group);
   OPENSSL_free(dctx);
 }
 
@@ -212,8 +210,7 @@ static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) {
         OPENSSL_PUT_ERROR(EVP, pkey_ec_ctrl, EVP_R_INVALID_CURVE);
         return 0;
       }
-      if (dctx->gen_group)
-        EC_GROUP_free(dctx->gen_group);
+      EC_GROUP_free(dctx->gen_group);
       dctx->gen_group = group;
       return 1;
 
@@ -240,7 +237,8 @@ static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) {
       return 1;
 
     default:
-      return -2;
+      OPENSSL_PUT_ERROR(EVP, pkey_ec_ctrl, EVP_R_COMMAND_NOT_SUPPORTED);
+      return 0;
   }
 }
 
diff --git a/src/crypto/evp/p_ec_asn1.c b/src/crypto/evp/p_ec_asn1.c
index 914cc2f..fbbf4e7 100644
--- a/src/crypto/evp/p_ec_asn1.c
+++ b/src/crypto/evp/p_ec_asn1.c
@@ -142,23 +142,13 @@ static EC_KEY *eckey_type2param(int ptype, void *pval) {
     }
   } else if (ptype == V_ASN1_OBJECT) {
     ASN1_OBJECT *poid = pval;
-    EC_GROUP *group;
 
     /* type == V_ASN1_OBJECT => the parameters are given
      * by an asn1 OID */
-    eckey = EC_KEY_new();
+    eckey = EC_KEY_new_by_curve_name(OBJ_obj2nid(poid));
     if (eckey == NULL) {
-      OPENSSL_PUT_ERROR(EVP, eckey_type2param, ERR_R_MALLOC_FAILURE);
       goto err;
     }
-    group = EC_GROUP_new_by_curve_name(OBJ_obj2nid(poid));
-    if (group == NULL) {
-      goto err;
-    }
-    if (EC_KEY_set_group(eckey, group) == 0) {
-      goto err;
-    }
-    EC_GROUP_free(group);
   } else {
     OPENSSL_PUT_ERROR(EVP, eckey_type2param, EVP_R_DECODE_ERROR);
     goto err;
@@ -201,8 +191,9 @@ static int eckey_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) {
   return 1;
 
 err:
-  if (eckey)
+  if (eckey) {
     EC_KEY_free(eckey);
+  }
   return 0;
 }
 
@@ -235,8 +226,9 @@ static int eckey_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8) {
 
   eckey = eckey_type2param(ptype, pval);
 
-  if (!eckey)
+  if (!eckey) {
     goto ecliberr;
+  }
 
   /* We have parameters now set private key */
   if (!d2i_ECPrivateKey(&eckey, &p, pklen)) {
@@ -282,8 +274,9 @@ static int eckey_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8) {
 ecliberr:
   OPENSSL_PUT_ERROR(EVP, eckey_priv_decode, ERR_R_EC_LIB);
 ecerr:
-  if (eckey)
+  if (eckey) {
     EC_KEY_free(eckey);
+  }
   return 0;
 }
 
@@ -439,10 +432,12 @@ static int do_EC_KEY_print(BIO *bp, const EC_KEY *x, int off, int ktype) {
 
   if (ktype == 2) {
     priv_key = EC_KEY_get0_private_key(x);
-    if (priv_key && (i = (size_t)BN_num_bytes(priv_key)) > buf_len)
+    if (priv_key && (i = (size_t)BN_num_bytes(priv_key)) > buf_len) {
       buf_len = i;
-  } else
+    }
+  } else {
     priv_key = NULL;
+  }
 
   if (ktype > 0) {
     buf_len += 10;
@@ -451,24 +446,27 @@ static int do_EC_KEY_print(BIO *bp, const EC_KEY *x, int off, int ktype) {
       goto err;
     }
   }
-  if (ktype == 2)
+  if (ktype == 2) {
     ecstr = "Private-Key";
-  else if (ktype == 1)
+  } else if (ktype == 1) {
     ecstr = "Public-Key";
-  else
+  } else {
     ecstr = "ECDSA-Parameters";
+  }
 
-  if (!BIO_indent(bp, off, 128))
-    goto err;
-  if ((order = BN_new()) == NULL)
-    goto err;
-  if (!EC_GROUP_get_order(group, order, NULL))
+  if (!BIO_indent(bp, off, 128)) {
     goto err;
-  if (BIO_printf(bp, "%s: (%d bit)\n", ecstr, BN_num_bits(order)) <= 0)
+  }
+  order = BN_new();
+  if (order == NULL || !EC_GROUP_get_order(group, order, NULL) ||
+      BIO_printf(bp, "%s: (%d bit)\n", ecstr, BN_num_bits(order)) <= 0) {
     goto err;
+  }
 
-  if ((priv_key != NULL) && !ASN1_bn_print(bp, "priv:", priv_key, buffer, off))
+  if ((priv_key != NULL) &&
+      !ASN1_bn_print(bp, "priv:", priv_key, buffer, off)) {
     goto err;
+  }
   if (pub_key_bytes != NULL) {
     BIO_hexdump(bp, pub_key_bytes, pub_key_bytes_len, off);
   }
@@ -479,16 +477,13 @@ static int do_EC_KEY_print(BIO *bp, const EC_KEY *x, int off, int ktype) {
   ret = 1;
 
 err:
-  if (!ret)
+  if (!ret) {
     OPENSSL_PUT_ERROR(EVP, do_EC_KEY_print, reason);
-  if (pub_key_bytes)
-    OPENSSL_free(pub_key_bytes);
-  if (order)
-    BN_free(order);
-  if (ctx)
-    BN_CTX_free(ctx);
-  if (buffer != NULL)
-    OPENSSL_free(buffer);
+  }
+  OPENSSL_free(pub_key_bytes);
+  BN_free(order);
+  BN_CTX_free(ctx);
+  OPENSSL_free(buffer);
   return ret;
 }
 
diff --git a/src/crypto/evp/p_hmac.c b/src/crypto/evp/p_hmac.c
index 6d9a909..21703ed 100644
--- a/src/crypto/evp/p_hmac.c
+++ b/src/crypto/evp/p_hmac.c
@@ -204,7 +204,8 @@ static int pkey_hmac_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) {
       break;
 
     default:
-      return -2;
+      OPENSSL_PUT_ERROR(EVP, pkey_hmac_ctrl, EVP_R_COMMAND_NOT_SUPPORTED);
+      return 0;
   }
   return 1;
 }
diff --git a/src/crypto/evp/p_rsa.c b/src/crypto/evp/p_rsa.c
index 31f5aaa..5abc075 100644
--- a/src/crypto/evp/p_rsa.c
+++ b/src/crypto/evp/p_rsa.c
@@ -55,10 +55,12 @@
 
 #include <openssl/evp.h>
 
+#include <limits.h>
 #include <string.h>
 
 #include <openssl/bn.h>
 #include <openssl/buf.h>
+#include <openssl/bytestring.h>
 #include <openssl/digest.h>
 #include <openssl/err.h>
 #include <openssl/mem.h>
@@ -125,9 +127,7 @@ static int pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) {
   dctx->md = sctx->md;
   dctx->mgf1md = sctx->mgf1md;
   if (sctx->oaep_label) {
-    if (dctx->oaep_label) {
-      OPENSSL_free(dctx->oaep_label);
-    }
+    OPENSSL_free(dctx->oaep_label);
     dctx->oaep_label = BUF_memdup(sctx->oaep_label, sctx->oaep_labellen);
     if (!dctx->oaep_label) {
       return 0;
@@ -145,15 +145,9 @@ static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx) {
     return;
   }
 
-  if (rctx->pub_exp) {
-    BN_free(rctx->pub_exp);
-  }
-  if (rctx->tbuf) {
-    OPENSSL_free(rctx->tbuf);
-  }
-  if (rctx->oaep_label) {
-    OPENSSL_free(rctx->oaep_label);
-  }
+  BN_free(rctx->pub_exp);
+  OPENSSL_free(rctx->tbuf);
+  OPENSSL_free(rctx->oaep_label);
   OPENSSL_free(rctx);
 }
 
@@ -369,7 +363,7 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) {
            0 == (ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))) {
         OPENSSL_PUT_ERROR(EVP, pkey_rsa_ctrl,
                           EVP_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
-        return -2;
+        return 0;
       }
       if ((p1 == RSA_PKCS1_PSS_PADDING || p1 == RSA_PKCS1_OAEP_PADDING) &&
           rctx->md == NULL) {
@@ -386,13 +380,13 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) {
     case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
       if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {
         OPENSSL_PUT_ERROR(EVP, pkey_rsa_ctrl, EVP_R_INVALID_PSS_SALTLEN);
-        return -2;
+        return 0;
       }
       if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) {
         *(int *)p2 = rctx->saltlen;
       } else {
         if (p1 < -2) {
-          return -2;
+          return 0;
         }
         rctx->saltlen = p1;
       }
@@ -401,14 +395,14 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) {
     case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
       if (p1 < 256) {
         OPENSSL_PUT_ERROR(EVP, pkey_rsa_ctrl, EVP_R_INVALID_KEYBITS);
-        return -2;
+        return 0;
       }
       rctx->nbits = p1;
       return 1;
 
     case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
       if (!p2) {
-        return -2;
+        return 0;
       }
       BN_free(rctx->pub_exp);
       rctx->pub_exp = p2;
@@ -418,7 +412,7 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) {
     case EVP_PKEY_CTRL_GET_RSA_OAEP_MD:
       if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
         OPENSSL_PUT_ERROR(EVP, pkey_rsa_ctrl, EVP_R_INVALID_PADDING_MODE);
-        return -2;
+        return 0;
       }
       if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD) {
         *(const EVP_MD **)p2 = rctx->md;
@@ -443,7 +437,7 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) {
       if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING &&
           rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
         OPENSSL_PUT_ERROR(EVP, pkey_rsa_ctrl, EVP_R_INVALID_MGF1_MD);
-        return -2;
+        return 0;
       }
       if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) {
         if (rctx->mgf1md) {
@@ -459,11 +453,9 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) {
     case EVP_PKEY_CTRL_RSA_OAEP_LABEL:
       if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
         OPENSSL_PUT_ERROR(EVP, pkey_rsa_ctrl, EVP_R_INVALID_PADDING_MODE);
-        return -2;
-      }
-      if (rctx->oaep_label) {
-        OPENSSL_free(rctx->oaep_label);
+        return 0;
       }
+      OPENSSL_free(rctx->oaep_label);
       if (p2 && p1 > 0) {
         /* TODO(fork): this seems wrong. Shouldn't it take a copy of the
          * buffer? */
@@ -478,16 +470,17 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) {
     case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL:
       if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
         OPENSSL_PUT_ERROR(EVP, pkey_rsa_ctrl, EVP_R_INVALID_PADDING_MODE);
-        return -2;
+        return 0;
       }
-      *(uint8_t **)p2 = rctx->oaep_label;
-      return rctx->oaep_labellen;
+      CBS_init((CBS *)p2, rctx->oaep_label, rctx->oaep_labellen);
+      return 1;
 
     case EVP_PKEY_CTRL_DIGESTINIT:
       return 1;
 
     default:
-      return -2;
+      OPENSSL_PUT_ERROR(EVP, pkey_rsa_ctrl, EVP_R_COMMAND_NOT_SUPPORTED);
+      return 0;
   }
 }
 
@@ -497,8 +490,9 @@ static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) {
 
   if (!rctx->pub_exp) {
     rctx->pub_exp = BN_new();
-    if (!rctx->pub_exp || !BN_set_word(rctx->pub_exp, RSA_F4))
+    if (!rctx->pub_exp || !BN_set_word(rctx->pub_exp, RSA_F4)) {
       return 0;
+    }
   }
   rsa = RSA_new();
   if (!rsa) {
@@ -583,7 +577,7 @@ int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, const uint8_t *label,
                                      size_t label_len) {
   int label_len_int = label_len;
   if (((size_t) label_len_int) != label_len) {
-    return -2;
+    return 0;
   }
 
   return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
@@ -593,6 +587,15 @@ int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, const uint8_t *label,
 
 int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx,
                                      const uint8_t **out_label) {
-  return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
-                           EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, 0, (void *) out_label);
+  CBS label;
+  if (!EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
+                         EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, 0, &label)) {
+    return -1;
+  }
+  if (CBS_len(&label) > INT_MAX) {
+    OPENSSL_PUT_ERROR(EVP, EVP_PKEY_CTX_get0_rsa_oaep_label, ERR_R_OVERFLOW);
+    return -1;
+  }
+  *out_label = CBS_data(&label);
+  return (int)CBS_len(&label);
 }
diff --git a/src/crypto/evp/p_rsa_asn1.c b/src/crypto/evp/p_rsa_asn1.c
index f478d50..1e2d3f6 100644
--- a/src/crypto/evp/p_rsa_asn1.c
+++ b/src/crypto/evp/p_rsa_asn1.c
@@ -245,9 +245,7 @@ static int do_rsa_print(BIO *out, const RSA *rsa, int off,
   ret = 1;
 
 err:
-  if (m != NULL) {
-    OPENSSL_free(m);
-  }
+  OPENSSL_free(m);
   return ret;
 }
 
@@ -394,12 +392,8 @@ static int rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg,
 
     pss = rsa_pss_decode(sigalg, &maskHash);
     rv = rsa_pss_param_print(bp, pss, maskHash, indent);
-    if (pss) {
-      RSA_PSS_PARAMS_free(pss);
-    }
-    if (maskHash) {
-      X509_ALGOR_free(maskHash);
-    }
+    RSA_PSS_PARAMS_free(pss);
+    X509_ALGOR_free(maskHash);
     if (!rv) {
       return 0;
     }
@@ -463,12 +457,11 @@ static int rsa_md_to_mgf1(X509_ALGOR **palg, const EVP_MD *mgf1md) {
   stmp = NULL;
 
 err:
-  if (stmp)
-    ASN1_STRING_free(stmp);
-  if (algtmp)
-    X509_ALGOR_free(algtmp);
-  if (*palg)
+  ASN1_STRING_free(stmp);
+  X509_ALGOR_free(algtmp);
+  if (*palg) {
     return 1;
+  }
 
   return 0;
 }
@@ -518,8 +511,8 @@ static ASN1_STRING *rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx) {
   EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx);
   int saltlen, rv = 0;
 
-  if (EVP_PKEY_CTX_get_signature_md(pkctx, &sigmd) <= 0 ||
-      EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0 ||
+  if (!EVP_PKEY_CTX_get_signature_md(pkctx, &sigmd) ||
+      !EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) ||
       !EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen)) {
     goto err;
   }
@@ -560,12 +553,15 @@ static ASN1_STRING *rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx) {
   rv = 1;
 
 err:
-  if (pss)
+  if (pss) {
     RSA_PSS_PARAMS_free(pss);
-  if (rv)
+  }
+  if (rv) {
     return os;
-  if (os)
+  }
+  if (os) {
     ASN1_STRING_free(os);
+  }
   return NULL;
 }
 
@@ -619,9 +615,9 @@ static int rsa_pss_to_ctx(EVP_MD_CTX *ctx, X509_ALGOR *sigalg, EVP_PKEY *pkey) {
   }
 
   if (!EVP_DigestVerifyInit(ctx, &pkctx, md, NULL, pkey) ||
-      EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0 ||
-      EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0 ||
-      EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0) {
+      !EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) ||
+      !EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) ||
+      !EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md)) {
     goto err;
   }
 
@@ -653,7 +649,7 @@ static evp_digest_sign_algorithm_result_t rsa_digest_sign_algorithm(
     EVP_MD_CTX *ctx, X509_ALGOR *sigalg) {
   int pad_mode;
   EVP_PKEY_CTX *pkctx = ctx->pctx;
-  if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0) {
+  if (!EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode)) {
     return EVP_DIGEST_SIGN_ALGORITHM_ERROR;
   }
   if (pad_mode == RSA_PKCS1_PSS_PADDING) {
diff --git a/src/crypto/evp/pbkdf_test.cc b/src/crypto/evp/pbkdf_test.cc
new file mode 100644
index 0000000..ae2f405
--- /dev/null
+++ b/src/crypto/evp/pbkdf_test.cc
@@ -0,0 +1,179 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <stdio.h>
+#include <string.h>
+
+#include <openssl/bio.h>
+#include <openssl/crypto.h>
+#include <openssl/digest.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+
+
+// Prints out the data buffer as a sequence of hex bytes.
+static void PrintDataHex(const void *data, size_t len) {
+  for (size_t i = 0; i < len; ++i) {
+    fprintf(stderr, "%02x", (int)((const uint8_t *)data)[i]);
+  }
+}
+
+// Helper for testing that PBKDF2 derives the expected key from the given
+// inputs. Returns 1 on success, 0 otherwise.
+static bool TestPBKDF2(const void *password, size_t password_len,
+                       const void *salt, size_t salt_len, unsigned iterations,
+                       const EVP_MD *digest, size_t key_len,
+                       const uint8_t *expected_key) {
+  uint8_t key[64];
+
+  if (key_len > sizeof(key)) {
+    fprintf(stderr, "Output buffer is not large enough.\n");
+    return false;
+  }
+
+  if (!PKCS5_PBKDF2_HMAC((const char *)password, password_len,
+                         (const uint8_t *)salt, salt_len, iterations, digest,
+                         key_len, key)) {
+    fprintf(stderr, "Call to PKCS5_PBKDF2_HMAC failed\n");
+    ERR_print_errors_fp(stderr);
+    return false;
+  }
+
+  if (memcmp(key, expected_key, key_len) != 0) {
+    fprintf(stderr, "Resulting key material does not match expectation\n");
+    fprintf(stderr, "Expected:\n    ");
+    PrintDataHex(expected_key, key_len);
+    fprintf(stderr, "\nActual:\n    ");
+    PrintDataHex(key, key_len);
+    fprintf(stderr, "\n");
+    return false;
+  }
+
+  return true;
+}
+
+// Tests deriving a key using an empty password (specified both as NULL and as
+// non-NULL). Note that NULL has special meaning to HMAC initialization.
+static bool TestEmptyPassword() {
+  const uint8_t kKey[] = {0xa3, 0x3d, 0xdd, 0xc3, 0x04, 0x78, 0x18,
+                          0x55, 0x15, 0x31, 0x1f, 0x87, 0x52, 0x89,
+                          0x5d, 0x36, 0xea, 0x43, 0x63, 0xa2};
+
+  if (!TestPBKDF2(NULL, 0, "salt", 4, 1, EVP_sha1(), sizeof(kKey), kKey) ||
+      !TestPBKDF2("", 0, "salt", 4, 1, EVP_sha1(), sizeof(kKey), kKey)) {
+    return false;
+  }
+
+  return true;
+}
+
+// Tests deriving a key using an empty salt. Note that the expectation was
+// generated using OpenSSL itself, and hence is not verified.
+static bool TestEmptySalt() {
+  const uint8_t kKey[] = {0x8b, 0xc2, 0xf9, 0x16, 0x7a, 0x81, 0xcd, 0xcf,
+                          0xad, 0x12, 0x35, 0xcd, 0x90, 0x47, 0xf1, 0x13,
+                          0x62, 0x71, 0xc1, 0xf9, 0x78, 0xfc, 0xfc, 0xb3,
+                          0x5e, 0x22, 0xdb, 0xea, 0xfa, 0x46, 0x34, 0xf6};
+
+  if (!TestPBKDF2("password", 8, NULL, 0, 2, EVP_sha256(), sizeof(kKey),
+                  kKey) ||
+      !TestPBKDF2("password", 8, "", 0, 2, EVP_sha256(), sizeof(kKey), kKey)) {
+    return false;
+  }
+
+  return true;
+}
+
+// Exercises test vectors taken from https://tools.ietf.org/html/rfc6070.
+// Note that each of these test vectors uses SHA-1 as the digest.
+static bool TestRFC6070Vectors() {
+  const uint8_t kKey1[] = {0x0c, 0x60, 0xc8, 0x0f, 0x96, 0x1f, 0x0e,
+                           0x71, 0xf3, 0xa9, 0xb5, 0x24, 0xaf, 0x60,
+                           0x12, 0x06, 0x2f, 0xe0, 0x37, 0xa6};
+  const uint8_t kKey2[] = {0xea, 0x6c, 0x01, 0x4d, 0xc7, 0x2d, 0x6f,
+                           0x8c, 0xcd, 0x1e, 0xd9, 0x2a, 0xce, 0x1d,
+                           0x41, 0xf0, 0xd8, 0xde, 0x89, 0x57};
+  const uint8_t kKey3[] = {0x56, 0xfa, 0x6a, 0xa7, 0x55, 0x48, 0x09, 0x9d,
+                           0xcc, 0x37, 0xd7, 0xf0, 0x34, 0x25, 0xe0, 0xc3};
+
+  if (!TestPBKDF2("password", 8, "salt", 4, 1, EVP_sha1(), sizeof(kKey1),
+                  kKey1) ||
+      !TestPBKDF2("password", 8, "salt", 4, 2, EVP_sha1(), sizeof(kKey2),
+                  kKey2) ||
+      !TestPBKDF2("pass\0word", 9, "sa\0lt", 5, 4096, EVP_sha1(),
+                  sizeof(kKey3), kKey3)) {
+    return false;
+  }
+
+  return true;
+}
+
+// Tests key derivation using SHA-2 digests.
+static bool TestSHA2() {
+  // This test was taken from:
+  // http://stackoverflow.com/questions/5130513/pbkdf2-hmac-sha2-test-vectors.
+  const uint8_t kKey1[] = {0xae, 0x4d, 0x0c, 0x95, 0xaf, 0x6b, 0x46, 0xd3,
+                           0x2d, 0x0a, 0xdf, 0xf9, 0x28, 0xf0, 0x6d, 0xd0,
+                           0x2a, 0x30, 0x3f, 0x8e, 0xf3, 0xc2, 0x51, 0xdf,
+                           0xd6, 0xe2, 0xd8, 0x5a, 0x95, 0x47, 0x4c, 0x43};
+
+  // This test was taken from:
+  // http://stackoverflow.com/questions/15593184/pbkdf2-hmac-sha-512-test-vectors.
+  const uint8_t kKey2[] = {
+      0x8c, 0x05, 0x11, 0xf4, 0xc6, 0xe5, 0x97, 0xc6, 0xac, 0x63, 0x15,
+      0xd8, 0xf0, 0x36, 0x2e, 0x22, 0x5f, 0x3c, 0x50, 0x14, 0x95, 0xba,
+      0x23, 0xb8, 0x68, 0xc0, 0x05, 0x17, 0x4d, 0xc4, 0xee, 0x71, 0x11,
+      0x5b, 0x59, 0xf9, 0xe6, 0x0c, 0xd9, 0x53, 0x2f, 0xa3, 0x3e, 0x0f,
+      0x75, 0xae, 0xfe, 0x30, 0x22, 0x5c, 0x58, 0x3a, 0x18, 0x6c, 0xd8,
+      0x2b, 0xd4, 0xda, 0xea, 0x97, 0x24, 0xa3, 0xd3, 0xb8};
+
+  if (!TestPBKDF2("password", 8, "salt", 4, 2, EVP_sha256(), sizeof(kKey1),
+                  kKey1) ||
+      !TestPBKDF2("passwordPASSWORDpassword", 24,
+                  "saltSALTsaltSALTsaltSALTsaltSALTsalt", 36, 4096,
+                  EVP_sha512(), sizeof(kKey2), kKey2)) {
+    return false;
+  }
+
+  return true;
+}
+
+int main(void) {
+  CRYPTO_library_init();
+  ERR_load_crypto_strings();
+
+  if (!TestEmptyPassword()) {
+    fprintf(stderr, "TestEmptyPassword failed\n");
+    return 1;
+  }
+
+  if (!TestEmptySalt()) {
+    fprintf(stderr, "TestEmptySalt failed\n");
+    return 1;
+  }
+
+  if (!TestRFC6070Vectors()) {
+    fprintf(stderr, "TestRFC6070Vectors failed\n");
+    return 1;
+  }
+
+  if (!TestSHA2()) {
+    fprintf(stderr, "TestSHA2 failed\n");
+    return 1;
+  }
+
+  printf("PASS\n");
+  ERR_free_strings();
+  return 0;
+}
diff --git a/src/crypto/evp/sign.c b/src/crypto/evp/sign.c
index 1faf7c6..ced86bd 100644
--- a/src/crypto/evp/sign.c
+++ b/src/crypto/evp/sign.c
@@ -92,9 +92,9 @@ int EVP_SignFinal(const EVP_MD_CTX *ctx, uint8_t *sig,
   EVP_MD_CTX_cleanup(&tmp_ctx);
 
   pkctx = EVP_PKEY_CTX_new(pkey, NULL);
-  if (!pkctx || EVP_PKEY_sign_init(pkctx) <= 0 ||
-      EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) <= 0 ||
-      EVP_PKEY_sign(pkctx, sig, &sig_len, m, m_len) <= 0) {
+  if (!pkctx || !EVP_PKEY_sign_init(pkctx) ||
+      !EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) ||
+      !EVP_PKEY_sign(pkctx, sig, &sig_len, m, m_len)) {
     goto out;
   }
   *out_sig_len = sig_len;
@@ -138,8 +138,8 @@ int EVP_VerifyFinal(EVP_MD_CTX *ctx, const uint8_t *sig, size_t sig_len,
 
   pkctx = EVP_PKEY_CTX_new(pkey, NULL);
   if (!pkctx ||
-      EVP_PKEY_verify_init(pkctx) <= 0 ||
-      EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) <= 0) {
+      !EVP_PKEY_verify_init(pkctx) ||
+      !EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest)) {
     goto out;
   }
   ret = EVP_PKEY_verify(pkctx, sig, sig_len, m, m_len);
diff --git a/src/crypto/ex_data.c b/src/crypto/ex_data.c
index 0c2503e..10fefc8 100644
--- a/src/crypto/ex_data.c
+++ b/src/crypto/ex_data.c
@@ -108,47 +108,65 @@
 
 #include <openssl/ex_data.h>
 
+#include <assert.h>
+#include <string.h>
+
+#include <openssl/crypto.h>
 #include <openssl/err.h>
+#include <openssl/lhash.h>
+#include <openssl/mem.h>
+#include <openssl/stack.h>
 #include <openssl/thread.h>
 
-#include "crypto_error.h"
 #include "internal.h"
 
 
-/* global_impl is the implementation that we use at runtime. */
-static const CRYPTO_EX_DATA_IMPL *global_impl = NULL;
+struct crypto_ex_data_func_st {
+  long argl;  /* Arbitary long */
+  void *argp; /* Arbitary void pointer */
+  CRYPTO_EX_new *new_func;
+  CRYPTO_EX_free *free_func;
+  CRYPTO_EX_dup *dup_func;
+};
+
+int CRYPTO_get_ex_new_index(CRYPTO_EX_DATA_CLASS *ex_data_class, int *out_index,
+                            long argl, void *argp, CRYPTO_EX_new *new_func,
+                            CRYPTO_EX_dup *dup_func,
+                            CRYPTO_EX_free *free_func) {
+  CRYPTO_EX_DATA_FUNCS *funcs;
+  int ret = 0;
 
-/* ex_data_default_impl is a the default implementation, defined in
- * ex_data_impl.c. */
-extern const CRYPTO_EX_DATA_IMPL ex_data_default_impl;
+  funcs = OPENSSL_malloc(sizeof(CRYPTO_EX_DATA_FUNCS));
+  if (funcs == NULL) {
+    OPENSSL_PUT_ERROR(CRYPTO, CRYPTO_get_ex_new_index, ERR_R_MALLOC_FAILURE);
+    return 0;
+  }
 
-/* get_impl returns the current ex_data implementatation. */
-static const CRYPTO_EX_DATA_IMPL *get_impl(void) {
-  const CRYPTO_EX_DATA_IMPL *impl;
+  funcs->argl = argl;
+  funcs->argp = argp;
+  funcs->new_func = new_func;
+  funcs->dup_func = dup_func;
+  funcs->free_func = free_func;
 
-  CRYPTO_r_lock(CRYPTO_LOCK_EX_DATA);
-  impl = global_impl;
-  CRYPTO_r_unlock(CRYPTO_LOCK_EX_DATA);
+  CRYPTO_STATIC_MUTEX_lock_write(&ex_data_class->lock);
 
-  if (impl != NULL) {
-    return impl;
+  if (ex_data_class->meth == NULL) {
+    ex_data_class->meth = sk_CRYPTO_EX_DATA_FUNCS_new_null();
   }
 
-  CRYPTO_w_lock(CRYPTO_LOCK_EX_DATA);
-  if (global_impl == NULL) {
-    global_impl = &ex_data_default_impl;
+  if (ex_data_class->meth == NULL ||
+      !sk_CRYPTO_EX_DATA_FUNCS_push(ex_data_class->meth, funcs)) {
+    OPENSSL_PUT_ERROR(CRYPTO, CRYPTO_get_ex_new_index, ERR_R_MALLOC_FAILURE);
+    OPENSSL_free(funcs);
+    goto err;
   }
-  impl = global_impl;
-  CRYPTO_w_unlock(CRYPTO_LOCK_EX_DATA);
-  return impl;
-}
 
-int CRYPTO_get_ex_new_index(int class_value, long argl, void *argp,
-                            CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func,
-                            CRYPTO_EX_free *free_func) {
-  const CRYPTO_EX_DATA_IMPL *const impl = get_impl();
-  return impl->get_new_index(class_value, argl, argp, new_func, dup_func,
-                             free_func);
+  *out_index = sk_CRYPTO_EX_DATA_FUNCS_num(ex_data_class->meth) - 1;
+  ret = 1;
+
+err:
+  CRYPTO_STATIC_MUTEX_unlock(&ex_data_class->lock);
+  return ret;
 }
 
 int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int index, void *val) {
@@ -183,45 +201,113 @@ void *CRYPTO_get_ex_data(const CRYPTO_EX_DATA *ad, int idx) {
   return sk_void_value(ad->sk, idx);
 }
 
-int CRYPTO_ex_data_new_class(void) {
-  const CRYPTO_EX_DATA_IMPL *const impl = get_impl();
-  return impl->new_class();
+/* get_func_pointers takes a copy of the CRYPTO_EX_DATA_FUNCS pointers, if any,
+ * for the given class. If there are some pointers, it sets |*out| to point to
+ * a fresh stack of them. Otherwise it sets |*out| to NULL. It returns one on
+ * success or zero on error. */
+static int get_func_pointers(STACK_OF(CRYPTO_EX_DATA_FUNCS) **out,
+                             CRYPTO_EX_DATA_CLASS *ex_data_class) {
+  size_t n;
+
+  *out = NULL;
+
+  /* CRYPTO_EX_DATA_FUNCS structures are static once set, so we can take a
+   * shallow copy of the list under lock and then use the structures without
+   * the lock held. */
+  CRYPTO_STATIC_MUTEX_lock_read(&ex_data_class->lock);
+  n = sk_CRYPTO_EX_DATA_FUNCS_num(ex_data_class->meth);
+  if (n > 0) {
+    *out = sk_CRYPTO_EX_DATA_FUNCS_dup(ex_data_class->meth);
+  }
+  CRYPTO_STATIC_MUTEX_unlock(&ex_data_class->lock);
+
+  if (n > 0 && *out == NULL) {
+    OPENSSL_PUT_ERROR(CRYPTO, get_func_pointers, ERR_R_MALLOC_FAILURE);
+    return 0;
+  }
+
+  return 1;
 }
 
-int CRYPTO_new_ex_data(int class_value, void *obj, CRYPTO_EX_DATA *ad) {
-  const CRYPTO_EX_DATA_IMPL *const impl = get_impl();
-  return impl->new_ex_data(class_value, obj, ad);
+int CRYPTO_new_ex_data(CRYPTO_EX_DATA_CLASS *ex_data_class, void *obj,
+                       CRYPTO_EX_DATA *ad) {
+  STACK_OF(CRYPTO_EX_DATA_FUNCS) *func_pointers;
+  size_t i;
+
+  ad->sk = NULL;
+
+  if (!get_func_pointers(&func_pointers, ex_data_class)) {
+    return 0;
+  }
+
+  for (i = 0; i < sk_CRYPTO_EX_DATA_FUNCS_num(func_pointers); i++) {
+    CRYPTO_EX_DATA_FUNCS *func_pointer =
+        sk_CRYPTO_EX_DATA_FUNCS_value(func_pointers, i);
+    if (func_pointer->new_func) {
+      func_pointer->new_func(obj, NULL, ad, i, func_pointer->argl,
+                             func_pointer->argp);
+    }
+  }
+
+  sk_CRYPTO_EX_DATA_FUNCS_free(func_pointers);
+
+  return 1;
 }
 
-int CRYPTO_dup_ex_data(int class_value, CRYPTO_EX_DATA *to,
+int CRYPTO_dup_ex_data(CRYPTO_EX_DATA_CLASS *ex_data_class, CRYPTO_EX_DATA *to,
                        const CRYPTO_EX_DATA *from) {
-  const CRYPTO_EX_DATA_IMPL *const impl = get_impl();
-  return impl->dup_ex_data(class_value, to, from);
-}
+  STACK_OF(CRYPTO_EX_DATA_FUNCS) *func_pointers;
+  size_t i;
 
-void CRYPTO_free_ex_data(int class_value, void *obj, CRYPTO_EX_DATA *ad) {
-  const CRYPTO_EX_DATA_IMPL *const impl = get_impl();
-  impl->free_ex_data(class_value, obj, ad);
-}
+  if (!from->sk) {
+    /* In this case, |from| is blank, which is also the initial state of |to|,
+     * so there's nothing to do. */
+    return 1;
+  }
+
+  if (!get_func_pointers(&func_pointers, ex_data_class)) {
+    return 0;
+  }
 
-const CRYPTO_EX_DATA_IMPL *CRYPTO_get_ex_data_implementation(void) {
-  return get_impl();
+  for (i = 0; i < sk_CRYPTO_EX_DATA_FUNCS_num(func_pointers); i++) {
+    CRYPTO_EX_DATA_FUNCS *func_pointer =
+        sk_CRYPTO_EX_DATA_FUNCS_value(func_pointers, i);
+    void *ptr = CRYPTO_get_ex_data(from, i);
+    if (func_pointer->dup_func) {
+      func_pointer->dup_func(to, from, &ptr, i, func_pointer->argl,
+                             func_pointer->argp);
+    }
+    CRYPTO_set_ex_data(to, i, ptr);
+  }
+
+  sk_CRYPTO_EX_DATA_FUNCS_free(func_pointers);
+
+  return 1;
 }
 
-int CRYPTO_set_ex_data_implementation(const CRYPTO_EX_DATA_IMPL *impl) {
-  int ret = 0;
+void CRYPTO_free_ex_data(CRYPTO_EX_DATA_CLASS *ex_data_class, void *obj,
+                         CRYPTO_EX_DATA *ad) {
+  STACK_OF(CRYPTO_EX_DATA_FUNCS) *func_pointers;
+  size_t i;
 
-  CRYPTO_w_lock(CRYPTO_LOCK_EX_DATA);
-  if (global_impl == NULL) {
-    ret = 1;
-    global_impl = impl;
+  if (!get_func_pointers(&func_pointers, ex_data_class)) {
+    return;
   }
-  CRYPTO_w_unlock(CRYPTO_LOCK_EX_DATA);
 
-  return ret;
-}
+  for (i = 0; i < sk_CRYPTO_EX_DATA_FUNCS_num(func_pointers); i++) {
+    CRYPTO_EX_DATA_FUNCS *func_pointer =
+        sk_CRYPTO_EX_DATA_FUNCS_value(func_pointers, i);
+    if (func_pointer->free_func) {
+      void *ptr = CRYPTO_get_ex_data(ad, i);
+      func_pointer->free_func(obj, ptr, ad, i, func_pointer->argl,
+                              func_pointer->argp);
+    }
+  }
 
-void CRYPTO_cleanup_all_ex_data(void) {
-  const CRYPTO_EX_DATA_IMPL *const impl = get_impl();
-  impl->cleanup();
+  sk_CRYPTO_EX_DATA_FUNCS_free(func_pointers);
+
+  sk_void_free(ad->sk);
+  ad->sk = NULL;
 }
+
+void CRYPTO_cleanup_all_ex_data(void) {}
diff --git a/src/crypto/ex_data_impl.c b/src/crypto/ex_data_impl.c
deleted file mode 100644
index f55b369..0000000
--- a/src/crypto/ex_data_impl.c
+++ /dev/null
@@ -1,401 +0,0 @@
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com). */
-
-#include <openssl/ex_data.h>
-
-#include <assert.h>
-
-#include <openssl/err.h>
-#include <openssl/lhash.h>
-#include <openssl/mem.h>
-#include <openssl/stack.h>
-#include <openssl/thread.h>
-
-#include "crypto_error.h"
-#include "internal.h"
-
-typedef struct crypto_ex_data_func_st {
-  long argl;  /* Arbitary long */
-  void *argp; /* Arbitary void pointer */
-  CRYPTO_EX_new *new_func;
-  CRYPTO_EX_free *free_func;
-  CRYPTO_EX_dup *dup_func;
-} CRYPTO_EX_DATA_FUNCS;
-
-typedef struct st_ex_class_item {
-  STACK_OF(CRYPTO_EX_DATA_FUNCS) *meth;
-  int class_value;
-} EX_CLASS_ITEM;
-
-static LHASH_OF(EX_CLASS_ITEM) *global_classes = NULL;
-
-static int global_next_class = 100;
-
-static int new_class(void) {
-  int ret;
-  CRYPTO_w_lock(CRYPTO_LOCK_EX_DATA);
-  ret = global_next_class++;
-  CRYPTO_w_unlock(CRYPTO_LOCK_EX_DATA);
-
-  return ret;
-}
-
-/* class_hash is a hash function used by an LHASH of |EX_CLASS_ITEM|
- * structures. */
-static uint32_t class_hash(const EX_CLASS_ITEM *a) {
-  return a->class_value;
-}
-
-/* class_cmp is a comparison function for an LHASH of |EX_CLASS_ITEM|
- * structures. */
-static int class_cmp(const EX_CLASS_ITEM *a, const EX_CLASS_ITEM *b) {
-  return a->class_value - b->class_value;
-}
-
-/* data_funcs_free is a callback function from |sk_pop_free| that frees a
- * |CRYPTO_EX_DATA_FUNCS|. */
-static void data_funcs_free(CRYPTO_EX_DATA_FUNCS *funcs) {
-  OPENSSL_free(funcs);
-}
-
-/* class_free is a callback function from lh_doall to free the EX_CLASS_ITEM
- * structures. */
-static void class_free(EX_CLASS_ITEM *item) {
-  sk_CRYPTO_EX_DATA_FUNCS_pop_free(item->meth, data_funcs_free);
-  OPENSSL_free(item);
-}
-
-static LHASH_OF(EX_CLASS_ITEM) *get_classes(void) {
-  LHASH_OF(EX_CLASS_ITEM) *ret;
-
-  CRYPTO_r_lock(CRYPTO_LOCK_EX_DATA);
-  ret = global_classes;
-  CRYPTO_r_unlock(CRYPTO_LOCK_EX_DATA);
-
-  if (ret != NULL) {
-    return ret;
-  }
-
-  CRYPTO_w_lock(CRYPTO_LOCK_EX_DATA);
-  if (global_classes == NULL) {
-    global_classes = lh_EX_CLASS_ITEM_new(class_hash, class_cmp);
-  }
-  ret = global_classes;
-  CRYPTO_w_unlock(CRYPTO_LOCK_EX_DATA);
-
-  return ret;
-}
-
-static void cleanup(void) {
-  LHASH_OF(EX_CLASS_ITEM) *classes = get_classes();
-
-  if (classes != NULL) {
-    lh_EX_CLASS_ITEM_doall(classes, class_free);
-    lh_EX_CLASS_ITEM_free(classes);
-  }
-
-  global_classes = NULL;
-}
-
-static EX_CLASS_ITEM *get_class(int class_value) {
-  LHASH_OF(EX_CLASS_ITEM) *const classes = get_classes();
-  EX_CLASS_ITEM template, *class_item;
-  int ok = 0;
-
-  if (classes == NULL) {
-    return NULL;
-  }
-
-  CRYPTO_w_lock(CRYPTO_LOCK_EX_DATA);
-  template.class_value = class_value;
-  class_item = lh_EX_CLASS_ITEM_retrieve(classes, &template);
-  if (class_item != NULL) {
-    ok = 1;
-  } else {
-    class_item = OPENSSL_malloc(sizeof(EX_CLASS_ITEM));
-    if (class_item) {
-      class_item->class_value = class_value;
-      class_item->meth = sk_CRYPTO_EX_DATA_FUNCS_new_null();
-      if (class_item->meth != NULL) {
-        EX_CLASS_ITEM *old_data;
-        ok = lh_EX_CLASS_ITEM_insert(classes, &old_data, class_item);
-        assert(old_data == NULL);
-      }
-    }
-  }
-  CRYPTO_w_unlock(CRYPTO_LOCK_EX_DATA);
-
-  if (!ok) {
-    if (class_item) {
-      if (class_item->meth) {
-        sk_CRYPTO_EX_DATA_FUNCS_free(class_item->meth);
-      }
-      OPENSSL_free(class_item);
-      class_item = NULL;
-    }
-
-    OPENSSL_PUT_ERROR(CRYPTO, get_class, ERR_R_MALLOC_FAILURE);
-  }
-
-  return class_item;
-}
-
-static int get_new_index(int class_value, long argl, void *argp,
-                         CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func,
-                         CRYPTO_EX_free *free_func) {
-  EX_CLASS_ITEM *const item = get_class(class_value);
-  CRYPTO_EX_DATA_FUNCS *funcs;
-  int ret = -1;
-
-  if (!item) {
-    return -1;
-  }
-
-  funcs = OPENSSL_malloc(sizeof(CRYPTO_EX_DATA_FUNCS));
-  if (funcs == NULL) {
-    OPENSSL_PUT_ERROR(CRYPTO, get_new_index, ERR_R_MALLOC_FAILURE);
-    return -1;
-  }
-
-  funcs->argl = argl;
-  funcs->argp = argp;
-  funcs->new_func = new_func;
-  funcs->dup_func = dup_func;
-  funcs->free_func = free_func;
-
-  CRYPTO_w_lock(CRYPTO_LOCK_EX_DATA);
-
-  if (!sk_CRYPTO_EX_DATA_FUNCS_push(item->meth, funcs)) {
-    OPENSSL_PUT_ERROR(CRYPTO, get_new_index, ERR_R_MALLOC_FAILURE);
-    OPENSSL_free(funcs);
-    goto err;
-  }
-
-  ret = sk_CRYPTO_EX_DATA_FUNCS_num(item->meth) - 1;
-
-err:
-  CRYPTO_w_unlock(CRYPTO_LOCK_EX_DATA);
-  return ret;
-}
-
-/* get_func_pointers takes a copy of the CRYPTO_EX_DATA_FUNCS pointers, if any,
- * for the given class. If there are some pointers, it sets |*out| to point to
- * a fresh stack of them. Otherwise it sets |*out| to NULL. It returns one on
- * success or zero on error. */
-static int get_func_pointers(STACK_OF(CRYPTO_EX_DATA_FUNCS) **out,
-                             int class_value) {
-  EX_CLASS_ITEM *const item = get_class(class_value);
-  size_t n;
-
-  if (!item) {
-    return 0;
-  }
-
-  *out = NULL;
-
-  /* CRYPTO_EX_DATA_FUNCS structures are static once set, so we can take a
-   * shallow copy of the list under lock and then use the structures without
-   * the lock held. */
-  CRYPTO_r_lock(CRYPTO_LOCK_EX_DATA);
-  n = sk_CRYPTO_EX_DATA_FUNCS_num(item->meth);
-  if (n > 0) {
-    *out = sk_CRYPTO_EX_DATA_FUNCS_dup(item->meth);
-  }
-  CRYPTO_r_unlock(CRYPTO_LOCK_EX_DATA);
-
-  if (n > 0 && *out == NULL) {
-    OPENSSL_PUT_ERROR(CRYPTO, get_func_pointers, ERR_R_MALLOC_FAILURE);
-    return 0;
-  }
-
-  return 1;
-}
-
-static int new_ex_data(int class_value, void *obj, CRYPTO_EX_DATA *ad) {
-  STACK_OF(CRYPTO_EX_DATA_FUNCS) *func_pointers;
-  size_t i;
-
-  ad->sk = NULL;
-
-  if (!get_func_pointers(&func_pointers, class_value)) {
-    return 0;
-  }
-
-  for (i = 0; i < sk_CRYPTO_EX_DATA_FUNCS_num(func_pointers); i++) {
-    CRYPTO_EX_DATA_FUNCS *func_pointer =
-        sk_CRYPTO_EX_DATA_FUNCS_value(func_pointers, i);
-    if (func_pointer->new_func) {
-      func_pointer->new_func(obj, NULL, ad, i, func_pointer->argl,
-                             func_pointer->argp);
-    }
-  }
-
-  sk_CRYPTO_EX_DATA_FUNCS_free(func_pointers);
-
-  return 1;
-}
-
-static int dup_ex_data(int class_value, CRYPTO_EX_DATA *to,
-                       const CRYPTO_EX_DATA *from) {
-  STACK_OF(CRYPTO_EX_DATA_FUNCS) *func_pointers;
-  size_t i;
-
-  if (!from->sk) {
-    /* In this case, |from| is blank, which is also the initial state of |to|,
-     * so there's nothing to do. */
-    return 1;
-  }
-
-  if (!get_func_pointers(&func_pointers, class_value)) {
-    return 0;
-  }
-
-  for (i = 0; i < sk_CRYPTO_EX_DATA_FUNCS_num(func_pointers); i++) {
-    CRYPTO_EX_DATA_FUNCS *func_pointer =
-        sk_CRYPTO_EX_DATA_FUNCS_value(func_pointers, i);
-    void *ptr = CRYPTO_get_ex_data(from, i);
-    if (func_pointer->dup_func) {
-      func_pointer->dup_func(to, from, &ptr, i, func_pointer->argl,
-                             func_pointer->argp);
-    }
-    CRYPTO_set_ex_data(to, i, ptr);
-  }
-
-  sk_CRYPTO_EX_DATA_FUNCS_free(func_pointers);
-
-  return 1;
-}
-
-static void free_ex_data(int class_value, void *obj, CRYPTO_EX_DATA *ad) {
-  STACK_OF(CRYPTO_EX_DATA_FUNCS) *func_pointers;
-  size_t i;
-
-  if (!get_func_pointers(&func_pointers, class_value)) {
-    return;
-  }
-
-  for (i = 0; i < sk_CRYPTO_EX_DATA_FUNCS_num(func_pointers); i++) {
-    CRYPTO_EX_DATA_FUNCS *func_pointer =
-        sk_CRYPTO_EX_DATA_FUNCS_value(func_pointers, i);
-    if (func_pointer->free_func) {
-      void *ptr = CRYPTO_get_ex_data(ad, i);
-      func_pointer->free_func(obj, ptr, ad, i, func_pointer->argl,
-                              func_pointer->argp);
-    }
-  }
-
-  sk_CRYPTO_EX_DATA_FUNCS_free(func_pointers);
-
-  if (ad->sk) {
-    sk_void_free(ad->sk);
-    ad->sk = NULL;
-  }
-}
-
-const CRYPTO_EX_DATA_IMPL ex_data_default_impl = {
-    new_class, cleanup, get_new_index, new_ex_data, dup_ex_data, free_ex_data};
diff --git a/src/crypto/hkdf/CMakeLists.txt b/src/crypto/hkdf/CMakeLists.txt
index 9666172..f8dd748 100644
--- a/src/crypto/hkdf/CMakeLists.txt
+++ b/src/crypto/hkdf/CMakeLists.txt
@@ -6,7 +6,6 @@ add_library(
   OBJECT
 
   hkdf.c
-  hkdf_error.c
 )
 
 add_executable(
diff --git a/src/crypto/hkdf/hkdf_error.c b/src/crypto/hkdf/hkdf_error.c
deleted file mode 100644
index e1928d6..0000000
--- a/src/crypto/hkdf/hkdf_error.c
+++ /dev/null
@@ -1,23 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/hkdf.h>
-
-const ERR_STRING_DATA HKDF_error_string_data[] = {
-  {ERR_PACK(ERR_LIB_HKDF, HKDF_F_HKDF, 0), "HKDF"},
-  {ERR_PACK(ERR_LIB_HKDF, 0, HKDF_R_OUTPUT_TOO_LARGE), "OUTPUT_TOO_LARGE"},
-  {0, NULL},
-};
diff --git a/src/crypto/hkdf/hkdf_test.c b/src/crypto/hkdf/hkdf_test.c
index 7467fe0..63070dc 100644
--- a/src/crypto/hkdf/hkdf_test.c
+++ b/src/crypto/hkdf/hkdf_test.c
@@ -15,7 +15,6 @@
 #include <stdio.h>
 #include <string.h>
 
-#include <openssl/bio.h>
 #include <openssl/crypto.h>
 #include <openssl/digest.h>
 #include <openssl/err.h>
@@ -224,7 +223,7 @@ int main(void) {
     if (!HKDF(buf, test->out_len, test->md_func(), test->ikm, test->ikm_len,
               test->salt, test->salt_len, test->info, test->info_len)) {
       fprintf(stderr, "Call to HKDF failed\n");
-      BIO_print_errors_fp(stderr);
+      ERR_print_errors_fp(stderr);
       return 1;
     }
     if (memcmp(buf, test->out, test->out_len) != 0) {
diff --git a/src/crypto/hmac/CMakeLists.txt b/src/crypto/hmac/CMakeLists.txt
index e15c956..1a08c55 100644
--- a/src/crypto/hmac/CMakeLists.txt
+++ b/src/crypto/hmac/CMakeLists.txt
@@ -12,7 +12,8 @@ add_library(
 add_executable(
   hmac_test
 
-  hmac_test.c
+  hmac_test.cc
+  $<TARGET_OBJECTS:test_support>
 )
 
 target_link_libraries(hmac_test crypto)
diff --git a/src/crypto/hmac/hmac.c b/src/crypto/hmac/hmac.c
index f179fed..b1b2623 100644
--- a/src/crypto/hmac/hmac.c
+++ b/src/crypto/hmac/hmac.c
@@ -76,7 +76,7 @@ uint8_t *HMAC(const EVP_MD *evp_md, const void *key, size_t key_len,
   }
 
   HMAC_CTX_init(&ctx);
-  if (!HMAC_Init(&ctx, key, key_len, evp_md) ||
+  if (!HMAC_Init_ex(&ctx, key, key_len, evp_md, NULL) ||
       !HMAC_Update(&ctx, data, data_len) ||
       !HMAC_Final(&ctx, out, out_len)) {
     out = NULL;
@@ -88,7 +88,6 @@ uint8_t *HMAC(const EVP_MD *evp_md, const void *key, size_t key_len,
 
 void HMAC_CTX_init(HMAC_CTX *ctx) {
   ctx->md = NULL;
-  ctx->key_length = 0;
   EVP_MD_CTX_init(&ctx->i_ctx);
   EVP_MD_CTX_init(&ctx->o_ctx);
   EVP_MD_CTX_init(&ctx->md_ctx);
@@ -103,71 +102,66 @@ void HMAC_CTX_cleanup(HMAC_CTX *ctx) {
 
 int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, size_t key_len,
                  const EVP_MD *md, ENGINE *impl) {
-  unsigned i, reset = 0;
-  uint8_t pad[HMAC_MAX_MD_CBLOCK];
-
-  if (md != NULL) {
-    if (ctx->md == NULL && key == NULL && ctx->key_length == 0) {
-      /* TODO(eroman): Change the API instead of this hack.
-       * If a key hasn't yet been assigned to the context, then default to using
-       * an all-zero key. This is to work around callers of
-       * HMAC_Init_ex(key=NULL, key_len=0) intending to set a zero-length key.
-       * Rather than resulting in uninitialized memory reads, it will
-       * predictably use a zero key. */
-      memset(ctx->key, 0, sizeof(ctx->key));
-    }
-    reset = 1;
-    ctx->md = md;
-  } else {
+  if (md == NULL) {
     md = ctx->md;
   }
 
-  if (key != NULL) {
+  /* If either |key| is non-NULL or |md| has changed, initialize with a new key
+   * rather than rewinding the previous one.
+   *
+   * TODO(davidben,eroman): Passing the previous |md| with a NULL |key| is
+   * ambiguous between using the empty key and reusing the previous key. There
+   * exist callers which intend the latter, but the former is an awkward edge
+   * case. Fix to API to avoid this. */
+  if (md != ctx->md || key != NULL) {
+    size_t i;
+    uint8_t pad[HMAC_MAX_MD_CBLOCK];
+    uint8_t key_block[HMAC_MAX_MD_CBLOCK];
+    unsigned key_block_len;
+
     size_t block_size = EVP_MD_block_size(md);
-    reset = 1;
-    assert(block_size <= sizeof(ctx->key));
+    assert(block_size <= sizeof(key_block));
     if (block_size < key_len) {
+      /* Long keys are hashed. */
       if (!EVP_DigestInit_ex(&ctx->md_ctx, md, impl) ||
           !EVP_DigestUpdate(&ctx->md_ctx, key, key_len) ||
-          !EVP_DigestFinal_ex(&(ctx->md_ctx), ctx->key, &ctx->key_length)) {
-        goto err;
+          !EVP_DigestFinal_ex(&ctx->md_ctx, key_block, &key_block_len)) {
+        return 0;
       }
     } else {
-      assert(key_len >= 0 && key_len <= sizeof(ctx->key));
-      memcpy(ctx->key, key, key_len);
-      ctx->key_length = key_len;
+      assert(key_len >= 0 && key_len <= sizeof(key_block));
+      memcpy(key_block, key, key_len);
+      key_block_len = (unsigned)key_len;
     }
-    if (ctx->key_length != HMAC_MAX_MD_CBLOCK) {
-      memset(&ctx->key[ctx->key_length], 0, sizeof(ctx->key) - ctx->key_length);
+    /* Keys are then padded with zeros. */
+    if (key_block_len != HMAC_MAX_MD_CBLOCK) {
+      memset(&key_block[key_block_len], 0, sizeof(key_block) - key_block_len);
     }
-  }
 
-  if (reset) {
     for (i = 0; i < HMAC_MAX_MD_CBLOCK; i++) {
-      pad[i] = 0x36 ^ ctx->key[i];
+      pad[i] = 0x36 ^ key_block[i];
     }
     if (!EVP_DigestInit_ex(&ctx->i_ctx, md, impl) ||
         !EVP_DigestUpdate(&ctx->i_ctx, pad, EVP_MD_block_size(md))) {
-      goto err;
+      return 0;
     }
 
     for (i = 0; i < HMAC_MAX_MD_CBLOCK; i++) {
-      pad[i] = 0x5c ^ ctx->key[i];
+      pad[i] = 0x5c ^ key_block[i];
     }
     if (!EVP_DigestInit_ex(&ctx->o_ctx, md, impl) ||
         !EVP_DigestUpdate(&ctx->o_ctx, pad, EVP_MD_block_size(md))) {
-      goto err;
+      return 0;
     }
+
+    ctx->md = md;
   }
 
   if (!EVP_MD_CTX_copy_ex(&ctx->md_ctx, &ctx->i_ctx)) {
-    goto err;
+    return 0;
   }
 
   return 1;
-
-err:
-  return 0;
 }
 
 int HMAC_Update(HMAC_CTX *ctx, const uint8_t *data, size_t data_len) {
@@ -200,8 +194,6 @@ int HMAC_CTX_copy_ex(HMAC_CTX *dest, const HMAC_CTX *src) {
     return 0;
   }
 
-  memcpy(dest->key, src->key, HMAC_MAX_MD_CBLOCK);
-  dest->key_length = src->key_length;
   dest->md = src->md;
   return 1;
 }
diff --git a/src/crypto/hmac/hmac_test.c b/src/crypto/hmac/hmac_test.c
deleted file mode 100644
index ecc418a..0000000
--- a/src/crypto/hmac/hmac_test.c
+++ /dev/null
@@ -1,223 +0,0 @@
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.] */
-
-#include <assert.h>
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/crypto.h>
-#include <openssl/digest.h>
-#include <openssl/hmac.h>
-
-
-struct test_st {
-  uint8_t key[16];
-  size_t key_len;
-  uint8_t data[64];
-  size_t data_len;
-  const char *hex_digest;
-};
-
-#define NUM_TESTS 4
-
-static const struct test_st kTests[NUM_TESTS] = {
-  {
-    "", 0, "More text test vectors to stuff up EBCDIC machines :-)", 54,
-    "e9139d1e6ee064ef8cf514fc7dc83e86",
-  },
-  {
-    {
-      0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
-      0x0b, 0x0b, 0x0b, 0x0b,
-    },
-    16,
-    "Hi There",
-    8,
-    "9294727a3638bb1c13f48ef8158bfc9d",
-  },
-  {
-    "Jefe", 4, "what do ya want for nothing?", 28,
-    "750c783e6ab0b503eaa86e310a5db738",
-  },
-  {
-    {
-      0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
-      0xaa, 0xaa, 0xaa, 0xaa,
-    },
-    16,
-    {
-      0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
-      0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
-      0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
-      0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
-      0xdd, 0xdd,
-    },
-    50,
-    "56be34521d144c88dbb8c733f0e8b3f6",
-  },
-};
-
-static char *to_hex(const uint8_t *md, size_t md_len) {
-  size_t i;
-  static char buf[80];
-
-  for (i = 0; i < md_len; i++) {
-    sprintf(&(buf[i * 2]), "%02x", md[i]);
-  }
-  return buf;
-}
-
-int main(int argc, char *argv[]) {
-  unsigned i;
-  char *p;
-  int err = 0;
-  uint8_t out[EVP_MAX_MD_SIZE];
-  unsigned out_len;
-
-  CRYPTO_library_init();
-
-  for (i = 0; i < NUM_TESTS; i++) {
-    const struct test_st *test = &kTests[i];
-
-    /* Test using the one-shot API. */
-    if (NULL == HMAC(EVP_md5(), test->key, test->key_len, test->data,
-                     test->data_len, out, &out_len)) {
-      fprintf(stderr, "%u: HMAC failed.\n", i);
-      err++;
-      continue;
-    }
-    p = to_hex(out, out_len);
-    if (strcmp(p, test->hex_digest) != 0) {
-      fprintf(stderr, "%u: got %s instead of %s\n", i, p, test->hex_digest);
-      err++;
-    }
-
-    /* Test using HMAC_CTX. */
-    HMAC_CTX ctx;
-    HMAC_CTX_init(&ctx);
-    if (!HMAC_Init_ex(&ctx, test->key, test->key_len, EVP_md5(), NULL) ||
-        !HMAC_Update(&ctx, test->data, test->data_len) ||
-        !HMAC_Final(&ctx, out, &out_len)) {
-      fprintf(stderr, "%u: HMAC failed.\n", i);
-      err++;
-      HMAC_CTX_cleanup(&ctx);
-      continue;
-    }
-    p = to_hex(out, out_len);
-    if (strcmp(p, test->hex_digest) != 0) {
-      fprintf(stderr, "%u: got %s instead of %s\n", i, p, test->hex_digest);
-      err++;
-    }
-
-    /* Test that an HMAC_CTX may be reset with the same key. */
-    if (!HMAC_Init_ex(&ctx, NULL, 0, EVP_md5(), NULL) ||
-        !HMAC_Update(&ctx, test->data, test->data_len) ||
-        !HMAC_Final(&ctx, out, &out_len)) {
-      fprintf(stderr, "%u: HMAC failed.\n", i);
-      err++;
-      HMAC_CTX_cleanup(&ctx);
-      continue;
-    }
-    p = to_hex(out, out_len);
-    if (strcmp(p, test->hex_digest) != 0) {
-      fprintf(stderr, "%u: got %s instead of %s\n", i, p, test->hex_digest);
-      err++;
-    }
-
-    HMAC_CTX_cleanup(&ctx);
-  }
-
-  /* Test that HMAC() uses the empty key when called with key = NULL. */
-  const struct test_st *test = &kTests[0];
-  assert(test->key_len == 0);
-  if (NULL == HMAC(EVP_md5(), NULL, 0, test->data, test->data_len, out,
-                   &out_len)) {
-    fprintf(stderr, "HMAC failed.\n");
-    err++;
-  } else {
-    p = to_hex(out, out_len);
-    if (strcmp(p, test->hex_digest) != 0) {
-      fprintf(stderr, "got %s instead of %s\n", p, test->hex_digest);
-      err++;
-    }
-  }
-
-  /* Test that HMAC_Init, etc., uses the empty key when called initially with
-   * key = NULL. */
-  assert(test->key_len == 0);
-  HMAC_CTX ctx;
-  HMAC_CTX_init(&ctx);
-  if (!HMAC_Init_ex(&ctx, NULL, 0, EVP_md5(), NULL) ||
-      !HMAC_Update(&ctx, test->data, test->data_len) ||
-      !HMAC_Final(&ctx, out, &out_len)) {
-    fprintf(stderr, "HMAC failed.\n");
-    err++;
-  } else {
-    p = to_hex(out, out_len);
-    if (strcmp(p, test->hex_digest) != 0) {
-      fprintf(stderr, "got %s instead of %s\n", p, test->hex_digest);
-      err++;
-    }
-  }
-  HMAC_CTX_cleanup(&ctx);
-
-  if (err) {
-    return 1;
-  }
-
-  printf("PASS\n");
-  return 0;
-}
diff --git a/src/crypto/hmac/hmac_test.cc b/src/crypto/hmac/hmac_test.cc
new file mode 100644
index 0000000..d438b70
--- /dev/null
+++ b/src/crypto/hmac/hmac_test.cc
@@ -0,0 +1,171 @@
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.] */
+
+#include <stdio.h>
+#include <string.h>
+
+#include <string>
+#include <vector>
+
+#include <openssl/crypto.h>
+#include <openssl/digest.h>
+#include <openssl/hmac.h>
+
+#include "../test/file_test.h"
+#include "../test/scoped_types.h"
+#include "../test/stl_compat.h"
+
+
+static const EVP_MD *GetDigest(const std::string &name) {
+  if (name == "MD5") {
+    return EVP_md5();
+  } else if (name == "SHA1") {
+    return EVP_sha1();
+  } else if (name == "SHA224") {
+    return EVP_sha224();
+  } else if (name == "SHA256") {
+    return EVP_sha256();
+  } else if (name == "SHA384") {
+    return EVP_sha384();
+  } else if (name == "SHA512") {
+    return EVP_sha512();
+  }
+  return nullptr;
+}
+
+static bool TestHMAC(FileTest *t, void *arg) {
+  std::string digest_str;
+  if (!t->GetAttribute(&digest_str, "HMAC")) {
+    return false;
+  }
+  const EVP_MD *digest = GetDigest(digest_str);
+  if (digest == nullptr) {
+    t->PrintLine("Unknown digest '%s'", digest_str.c_str());
+    return false;
+  }
+
+  std::vector<uint8_t> key, input, output;
+  if (!t->GetBytes(&key, "Key") ||
+      !t->GetBytes(&input, "Input") ||
+      !t->GetBytes(&output, "Output")) {
+    return false;
+  }
+
+  // Test using the one-shot API.
+  uint8_t mac[EVP_MAX_MD_SIZE];
+  unsigned mac_len;
+  if (nullptr == HMAC(digest, bssl::vector_data(&key), key.size(),
+                      bssl::vector_data(&input), input.size(), mac,
+                      &mac_len) ||
+      !t->ExpectBytesEqual(bssl::vector_data(&output), output.size(), mac,
+                           mac_len)) {
+    t->PrintLine("One-shot API failed.");
+    return false;
+  }
+
+  // Test using HMAC_CTX.
+  ScopedHMAC_CTX ctx;
+  if (!HMAC_Init_ex(ctx.get(), bssl::vector_data(&key), key.size(), digest,
+                    nullptr) ||
+      !HMAC_Update(ctx.get(), bssl::vector_data(&input), input.size()) ||
+      !HMAC_Final(ctx.get(), mac, &mac_len) ||
+      !t->ExpectBytesEqual(bssl::vector_data(&output), output.size(), mac,
+                           mac_len)) {
+    t->PrintLine("HMAC_CTX failed.");
+   return false;
+  }
+
+  // Test that an HMAC_CTX may be reset with the same key.
+  if (!HMAC_Init_ex(ctx.get(), nullptr, 0, digest, nullptr) ||
+      !HMAC_Update(ctx.get(), bssl::vector_data(&input), input.size()) ||
+      !HMAC_Final(ctx.get(), mac, &mac_len) ||
+      !t->ExpectBytesEqual(bssl::vector_data(&output), output.size(), mac,
+                           mac_len)) {
+    t->PrintLine("HMAC_CTX with reset failed.");
+   return false;
+  }
+
+  // Test feeding the input in byte by byte.
+  if (!HMAC_Init_ex(ctx.get(), nullptr, 0, nullptr, nullptr)) {
+   t->PrintLine("HMAC_CTX streaming failed.");
+   return false;
+  }
+  for (size_t i = 0; i < input.size(); i++) {
+    if (!HMAC_Update(ctx.get(), &input[i], 1)) {
+      t->PrintLine("HMAC_CTX streaming failed.");
+      return false;
+    }
+  }
+  if (!HMAC_Final(ctx.get(), mac, &mac_len) ||
+      !t->ExpectBytesEqual(bssl::vector_data(&output), output.size(), mac,
+                           mac_len)) {
+    t->PrintLine("HMAC_CTX streaming failed.");
+    return false;
+  }
+
+  return true;
+}
+
+int main(int argc, char *argv[]) {
+  CRYPTO_library_init();
+
+  if (argc != 2) {
+    fprintf(stderr, "%s <test file.txt>\n", argv[0]);
+    return 1;
+  }
+
+  return FileTestMain(TestHMAC, nullptr, argv[1]);
+}
diff --git a/src/crypto/hmac/hmac_tests.txt b/src/crypto/hmac/hmac_tests.txt
new file mode 100644
index 0000000..9caa3c9
--- /dev/null
+++ b/src/crypto/hmac/hmac_tests.txt
@@ -0,0 +1,102 @@
+# This test file is shared between evp_test and hmac_test, to test the legacy
+# EVP_PKEY_HMAC API.
+
+HMAC = MD5
+# Note: The empty key results in passing NULL to HMAC_Init_ex, so this tests
+# that HMAC_CTX and HMAC treat NULL as the empty key initially.
+Key =
+Input = "More text test vectors to stuff up EBCDIC machines :-)"
+Output = e9139d1e6ee064ef8cf514fc7dc83e86
+
+# HMAC tests from RFC2104
+HMAC = MD5
+Key = 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
+Input = "Hi There"
+Output = 9294727a3638bb1c13f48ef8158bfc9d
+
+HMAC = MD5
+Key = "Jefe"
+Input = "what do ya want for nothing?"
+Output = 750c783e6ab0b503eaa86e310a5db738
+
+HMAC = MD5
+Key = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+Input = DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
+Output = 56be34521d144c88dbb8c733f0e8b3f6
+
+# HMAC tests from NIST test data
+
+HMAC = SHA1
+Input = "Sample message for keylen=blocklen"
+Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F
+Output = 5FD596EE78D5553C8FF4E72D266DFD192366DA29
+
+HMAC = SHA1
+Input = "Sample message for keylen<blocklen"
+Key = 000102030405060708090A0B0C0D0E0F10111213
+Output = 4C99FF0CB1B31BD33F8431DBAF4D17FCD356A807
+
+HMAC = SHA1
+Input = "Sample message for keylen=blocklen"
+Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F60616263
+Output = 2D51B2F7750E410584662E38F133435F4C4FD42A
+
+HMAC = SHA224
+Input = "Sample message for keylen=blocklen"
+Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F
+Output = C7405E3AE058E8CD30B08B4140248581ED174CB34E1224BCC1EFC81B
+
+HMAC = SHA224
+Input = "Sample message for keylen<blocklen"
+Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B
+Output = E3D249A8CFB67EF8B7A169E9A0A599714A2CECBA65999A51BEB8FBBE
+
+HMAC = SHA224
+Input = "Sample message for keylen=blocklen"
+Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F60616263
+Output = 91C52509E5AF8531601AE6230099D90BEF88AAEFB961F4080ABC014D
+
+HMAC = SHA256
+Input = "Sample message for keylen=blocklen"
+Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F
+Output = 8BB9A1DB9806F20DF7F77B82138C7914D174D59E13DC4D0169C9057B133E1D62
+
+HMAC = SHA256
+Input = "Sample message for keylen<blocklen"
+Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
+Output = A28CF43130EE696A98F14A37678B56BCFCBDD9E5CF69717FECF5480F0EBDF790
+
+HMAC = SHA256
+Input = "Sample message for keylen=blocklen"
+Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F60616263
+Output = BDCCB6C72DDEADB500AE768386CB38CC41C63DBB0878DDB9C7A38A431B78378D
+
+HMAC = SHA384
+Input = "Sample message for keylen=blocklen"
+Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F
+Output = 63C5DAA5E651847CA897C95814AB830BEDEDC7D25E83EEF9195CD45857A37F448947858F5AF50CC2B1B730DDF29671A9
+
+HMAC = SHA384
+Input = "Sample message for keylen<blocklen"
+Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F
+Output = 6EB242BDBB582CA17BEBFA481B1E23211464D2B7F8C20B9FF2201637B93646AF5AE9AC316E98DB45D9CAE773675EEED0
+
+HMAC = SHA384
+Input = "Sample message for keylen=blocklen"
+Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+Output = 5B664436DF69B0CA22551231A3F0A3D5B4F97991713CFA84BFF4D0792EFF96C27DCCBBB6F79B65D548B40E8564CEF594
+
+HMAC = SHA512
+Input = "Sample message for keylen=blocklen"
+Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F
+Output = FC25E240658CA785B7A811A8D3F7B4CA48CFA26A8A366BF2CD1F836B05FCB024BD36853081811D6CEA4216EBAD79DA1CFCB95EA4586B8A0CE356596A55FB1347
+
+HMAC = SHA512
+Input = "Sample message for keylen<blocklen"
+Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F
+Output = FD44C18BDA0BB0A6CE0E82B031BF2818F6539BD56EC00BDC10A8A2D730B3634DE2545D639B0F2CF710D0692C72A1896F1F211C2B922D1A96C392E07E7EA9FEDC
+
+HMAC = SHA512
+Input = "Sample message for keylen=blocklen"
+Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+Output = D93EC8D2DE1AD2A9957CB9B83F14E76AD6B5E0CCE285079A127D3B14BCCB7AA7286D4AC0D4CE64215F2BC9E6870B33D97438BE4AAA20CDA5C5A912B48B8E27F3
diff --git a/src/crypto/internal.h b/src/crypto/internal.h
index 4336e65..42125db 100644
--- a/src/crypto/internal.h
+++ b/src/crypto/internal.h
@@ -110,26 +110,62 @@
 #define OPENSSL_HEADER_CRYPTO_INTERNAL_H
 
 #include <openssl/ex_data.h>
+#include <openssl/thread.h>
+
+#if defined(OPENSSL_NO_THREADS)
+#elif defined(OPENSSL_WINDOWS)
+#pragma warning(push, 3)
+#include <windows.h>
+#pragma warning(pop)
+#else
+#include <pthread.h>
+#endif
 
 #if defined(__cplusplus)
 extern "C" {
 #endif
 
 
-/* st_CRYPTO_EX_DATA_IMPL contains an ex_data implementation. See the comments
- * in ex_data.h for details of the behaviour of each of the functions. */
-struct st_CRYPTO_EX_DATA_IMPL {
-  int (*new_class)(void);
-  void (*cleanup)(void);
+/* MSVC's C4701 warning about the use of *potentially*--as opposed to
+ * *definitely*--uninitialized values sometimes has false positives. Usually
+ * the false positives can and should be worked around by simplifying the
+ * control flow. When that is not practical, annotate the function containing
+ * the code that triggers the warning with
+ * OPENSSL_SUPPRESS_POTENTIALLY_UNINITIALIZED_WARNINGS after its parameters:
+ *
+ *    void f() OPENSSL_SUPPRESS_POTENTIALLY_UNINITIALIZED_WARNINGS {
+ *       ...
+ *    }
+ *
+ * Note that MSVC's control flow analysis seems to operate on a whole-function
+ * basis, so the annotation must be placed on the entire function, not just a
+ * block within the function. */
+#if defined(_MSC_VER)
+#define OPENSSL_SUPPRESS_POTENTIALLY_UNINITIALIZED_WARNINGS \
+        __pragma(warning(suppress:4701))
+#else
+#define OPENSSL_SUPPRESS_POTENTIALLY_UNINITIALIZED_WARNINGS
+#endif
 
-  int (*get_new_index)(int class_value, long argl, void *argp,
-                       CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func,
-                       CRYPTO_EX_free *free_func);
-  int (*new_ex_data)(int class_value, void *obj, CRYPTO_EX_DATA *ad);
-  int (*dup_ex_data)(int class_value, CRYPTO_EX_DATA *to,
-                     const CRYPTO_EX_DATA *from);
-  void (*free_ex_data)(int class_value, void *obj, CRYPTO_EX_DATA *ad);
-};
+/* MSVC will sometimes correctly detect unreachable code and issue a warning,
+ * which breaks the build since we treat errors as warnings, in some rare cases
+ * where we want to allow the dead code to continue to exist. In these
+ * situations, annotate the function containing the unreachable code with
+ * OPENSSL_SUPPRESS_UNREACHABLE_CODE_WARNINGS after its parameters:
+ *
+ *    void f() OPENSSL_SUPPRESS_UNREACHABLE_CODE_WARNINGS {
+ *       ...
+ *    }
+ *
+ * Note that MSVC's reachability analysis seems to operate on a whole-function
+ * basis, so the annotation must be placed on the entire function, not just a
+ * block within the function. */
+#if defined(_MSC_VER)
+#define OPENSSL_SUPPRESS_UNREACHABLE_CODE_WARNINGS \
+        __pragma(warning(suppress:4702))
+#else
+#define OPENSSL_SUPPRESS_UNREACHABLE_CODE_WARNINGS
+#endif
 
 
 #if defined(_MSC_VER)
@@ -295,6 +331,185 @@ static inline int constant_time_select_int(unsigned int mask, int a, int b) {
 }
 
 
+/* Thread-safe initialisation. */
+
+#if defined(OPENSSL_NO_THREADS)
+typedef uint32_t CRYPTO_once_t;
+#define CRYPTO_ONCE_INIT 0
+#elif defined(OPENSSL_WINDOWS)
+typedef LONG CRYPTO_once_t;
+#define CRYPTO_ONCE_INIT 0
+#else
+typedef pthread_once_t CRYPTO_once_t;
+#define CRYPTO_ONCE_INIT PTHREAD_ONCE_INIT
+#endif
+
+/* CRYPTO_once calls |init| exactly once per process. This is thread-safe: if
+ * concurrent threads call |CRYPTO_once| with the same |CRYPTO_once_t| argument
+ * then they will block until |init| completes, but |init| will have only been
+ * called once.
+ *
+ * The |once| argument must be a |CRYPTO_once_t| that has been initialised with
+ * the value |CRYPTO_ONCE_INIT|. */
+OPENSSL_EXPORT void CRYPTO_once(CRYPTO_once_t *once, void (*init)(void));
+
+
+/* Locks.
+ *
+ * Two types of locks are defined: |CRYPTO_MUTEX|, which can be used in
+ * structures as normal, and |struct CRYPTO_STATIC_MUTEX|, which can be used as
+ * a global lock. A global lock must be initialised to the value
+ * |CRYPTO_STATIC_MUTEX_INIT|.
+ *
+ * |CRYPTO_MUTEX| can appear in public structures and so is defined in
+ * thread.h.
+ *
+ * The global lock is a different type because there's no static initialiser
+ * value on Windows for locks, so global locks have to be coupled with a
+ * |CRYPTO_once_t| to ensure that the lock is setup before use. This is done
+ * automatically by |CRYPTO_STATIC_MUTEX_lock_*|. */
+
+#if defined(OPENSSL_NO_THREADS)
+struct CRYPTO_STATIC_MUTEX {};
+#define CRYPTO_STATIC_MUTEX_INIT {}
+#elif defined(OPENSSL_WINDOWS)
+struct CRYPTO_STATIC_MUTEX {
+  CRYPTO_once_t once;
+  CRITICAL_SECTION lock;
+};
+#define CRYPTO_STATIC_MUTEX_INIT { CRYPTO_ONCE_INIT, { 0 } }
+#else
+struct CRYPTO_STATIC_MUTEX {
+  pthread_rwlock_t lock;
+};
+#define CRYPTO_STATIC_MUTEX_INIT { PTHREAD_RWLOCK_INITIALIZER }
+#endif
+
+/* CRYPTO_MUTEX_init initialises |lock|. If |lock| is a static variable, use a
+ * |CRYPTO_STATIC_MUTEX|. */
+void CRYPTO_MUTEX_init(CRYPTO_MUTEX *lock);
+
+/* CRYPTO_MUTEX_lock_read locks |lock| such that other threads may also have a
+ * read lock, but none may have a write lock. (On Windows, read locks are
+ * actually fully exclusive.) */
+void CRYPTO_MUTEX_lock_read(CRYPTO_MUTEX *lock);
+
+/* CRYPTO_MUTEX_lock_write locks |lock| such that no other thread has any type
+ * of lock on it. */
+void CRYPTO_MUTEX_lock_write(CRYPTO_MUTEX *lock);
+
+/* CRYPTO_MUTEX_unlock unlocks |lock|. */
+void CRYPTO_MUTEX_unlock(CRYPTO_MUTEX *lock);
+
+/* CRYPTO_MUTEX_cleanup releases all resources held by |lock|. */
+void CRYPTO_MUTEX_cleanup(CRYPTO_MUTEX *lock);
+
+/* CRYPTO_STATIC_MUTEX_lock_read locks |lock| such that other threads may also
+ * have a read lock, but none may have a write lock. The |lock| variable does
+ * not need to be initialised by any function, but must have been statically
+ * initialised with |CRYPTO_STATIC_MUTEX_INIT|. */
+void CRYPTO_STATIC_MUTEX_lock_read(struct CRYPTO_STATIC_MUTEX *lock);
+
+/* CRYPTO_STATIC_MUTEX_lock_write locks |lock| such that no other thread has
+ * any type of lock on it.  The |lock| variable does not need to be initialised
+ * by any function, but must have been statically initialised with
+ * |CRYPTO_STATIC_MUTEX_INIT|. */
+void CRYPTO_STATIC_MUTEX_lock_write(struct CRYPTO_STATIC_MUTEX *lock);
+
+/* CRYPTO_STATIC_MUTEX_unlock unlocks |lock|. */
+void CRYPTO_STATIC_MUTEX_unlock(struct CRYPTO_STATIC_MUTEX *lock);
+
+
+/* Thread local storage. */
+
+/* thread_local_data_t enumerates the types of thread-local data that can be
+ * stored. */
+typedef enum {
+  OPENSSL_THREAD_LOCAL_ERR = 0,
+  OPENSSL_THREAD_LOCAL_RAND,
+  OPENSSL_THREAD_LOCAL_TEST,
+  NUM_OPENSSL_THREAD_LOCALS,
+} thread_local_data_t;
+
+/* thread_local_destructor_t is the type of a destructor function that will be
+ * called when a thread exits and its thread-local storage needs to be freed. */
+typedef void (*thread_local_destructor_t)(void *);
+
+/* CRYPTO_get_thread_local gets the pointer value that is stored for the
+ * current thread for the given index, or NULL if none has been set. */
+OPENSSL_EXPORT void *CRYPTO_get_thread_local(thread_local_data_t value);
+
+/* CRYPTO_set_thread_local sets a pointer value for the current thread at the
+ * given index. This function should only be called once per thread for a given
+ * |index|: rather than update the pointer value itself, update the data that
+ * is pointed to.
+ *
+ * The destructor function will be called when a thread exits to free this
+ * thread-local data. All calls to |CRYPTO_set_thread_local| with the same
+ * |index| should have the same |destructor| argument. The destructor may be
+ * called with a NULL argument if a thread that never set a thread-local
+ * pointer for |index|, exits. The destructor may be called concurrently with
+ * different arguments.
+ *
+ * This function returns one on success or zero on error. If it returns zero
+ * then |destructor| has been called with |value| already. */
+OPENSSL_EXPORT int CRYPTO_set_thread_local(
+    thread_local_data_t index, void *value,
+    thread_local_destructor_t destructor);
+
+
+/* ex_data */
+
+typedef struct crypto_ex_data_func_st CRYPTO_EX_DATA_FUNCS;
+
+/* CRYPTO_EX_DATA_CLASS tracks the ex_indices registered for a type which
+ * supports ex_data. It should defined as a static global within the module
+ * which defines that type. */
+typedef struct {
+  struct CRYPTO_STATIC_MUTEX lock;
+  STACK_OF(CRYPTO_EX_DATA_FUNCS) *meth;
+} CRYPTO_EX_DATA_CLASS;
+
+#define CRYPTO_EX_DATA_CLASS_INIT {CRYPTO_STATIC_MUTEX_INIT, NULL}
+
+/* CRYPTO_get_ex_new_index allocates a new index for |ex_data_class| and writes
+ * it to |*out_index|. Each class of object should provide a wrapper function
+ * that uses the correct |CRYPTO_EX_DATA_CLASS|. It returns one on success and
+ * zero otherwise. */
+OPENSSL_EXPORT int CRYPTO_get_ex_new_index(CRYPTO_EX_DATA_CLASS *ex_data_class,
+                                           int *out_index, long argl,
+                                           void *argp, CRYPTO_EX_new *new_func,
+                                           CRYPTO_EX_dup *dup_func,
+                                           CRYPTO_EX_free *free_func);
+
+/* CRYPTO_set_ex_data sets an extra data pointer on a given object. Each class
+ * of object should provide a wrapper function. */
+OPENSSL_EXPORT int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int index, void *val);
+
+/* CRYPTO_get_ex_data returns an extra data pointer for a given object, or NULL
+ * if no such index exists. Each class of object should provide a wrapper
+ * function. */
+OPENSSL_EXPORT void *CRYPTO_get_ex_data(const CRYPTO_EX_DATA *ad, int index);
+
+/* CRYPTO_new_ex_data initialises a newly allocated |CRYPTO_EX_DATA| which is
+ * embedded inside of |obj| which is of class |ex_data_class|. Returns one on
+ * success and zero otherwise. */
+OPENSSL_EXPORT int CRYPTO_new_ex_data(CRYPTO_EX_DATA_CLASS *ex_data_class,
+                                      void *obj, CRYPTO_EX_DATA *ad);
+
+/* CRYPTO_dup_ex_data duplicates |from| into a freshly allocated
+ * |CRYPTO_EX_DATA|, |to|. Both of which are inside objects of the given
+ * class. It returns one on success and zero otherwise. */
+OPENSSL_EXPORT int CRYPTO_dup_ex_data(CRYPTO_EX_DATA_CLASS *ex_data_class,
+                                      CRYPTO_EX_DATA *to,
+                                      const CRYPTO_EX_DATA *from);
+
+/* CRYPTO_free_ex_data frees |ad|, which is embedded inside |obj|, which is an
+ * object of the given class. */
+OPENSSL_EXPORT void CRYPTO_free_ex_data(CRYPTO_EX_DATA_CLASS *ex_data_class,
+                                        void *obj, CRYPTO_EX_DATA *ad);
+
+
 #if defined(__cplusplus)
 }  /* extern C */
 #endif
diff --git a/src/crypto/lhash/make_macros.sh b/src/crypto/lhash/make_macros.sh
index 79d1e57..8a876af 100644
--- a/src/crypto/lhash/make_macros.sh
+++ b/src/crypto/lhash/make_macros.sh
@@ -1,6 +1,9 @@
 #!/bin/sh
 
-cat > lhash_macros.h << EOF
+include_dir=../../include/openssl
+out=${include_dir}/lhash_macros.h
+
+cat > $out << EOF
 /* Copyright (c) 2014, Google Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -24,7 +27,7 @@ EOF
 output_lhash () {
   type=$1
 
-  cat >> lhash_macros.h << EOF
+  cat >> $out << EOF
 /* ${type} */
 #define lh_${type}_new(hash, comp)\\
 ((LHASH_OF(${type})*) lh_new(CHECKED_CAST(lhash_hash_func, uint32_t (*) (const ${type} *), hash), CHECKED_CAST(lhash_cmp_func, int (*) (const ${type} *a, const ${type} *b), comp)))
@@ -54,11 +57,11 @@ output_lhash () {
 EOF
 }
 
-lhash_types=$(cat lhash.h | grep '^ \* LHASH_OF:' | sed -e 's/.*LHASH_OF://' -e 's/ .*//')
+lhash_types=$(cat ${include_dir}/lhash.h | grep '^ \* LHASH_OF:' | sed -e 's/.*LHASH_OF://' -e 's/ .*//')
 
 for type in $lhash_types; do
   echo Hash of ${type}
   output_lhash "${type}"
 done
 
-clang-format -i lhash_macros.h
+clang-format -i $out
diff --git a/src/crypto/md4/md4.c b/src/crypto/md4/md4.c
index 8fb357b..6150b96 100644
--- a/src/crypto/md4/md4.c
+++ b/src/crypto/md4/md4.c
@@ -56,6 +56,7 @@
 
 #include <openssl/md4.h>
 
+#include <stdlib.h>
 #include <string.h>
 
 
diff --git a/src/crypto/modes/asm/ghash-armv4.pl b/src/crypto/modes/asm/ghash-armv4.pl
index b324641..25a4e27 100644
--- a/src/crypto/modes/asm/ghash-armv4.pl
+++ b/src/crypto/modes/asm/ghash-armv4.pl
@@ -42,8 +42,8 @@
 # below and combine it with reduction algorithm from x86 module.
 # Performance improvement over previous version varies from 65% on
 # Snapdragon S4 to 110% on Cortex A9. In absolute terms Cortex A8
-# processes one byte in 8.45 cycles, A9 - in 10.2, Snapdragon S4 -
-# in 9.33.
+# processes one byte in 8.45 cycles, A9 - in 10.2, A15 - in 7.63,
+# Snapdragon S4 - in 9.33.
 #
 # Câmara, D.; Gouvêa, C. P. L.; López, J. & Dahab, R.: Fast Software
 # Polynomial Multiplication on ARM Processors using the NEON Engine.
@@ -71,8 +71,20 @@
 # *native* byte order on current platform. See gcm128.c for working
 # example...
 
-while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {}
-open STDOUT,">$output";
+$flavour = shift;
+if ($flavour=~/^\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; }
+else { while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} }
+
+if ($flavour && $flavour ne "void") {
+    $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+    ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
+    ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
+    die "can't locate arm-xlate.pl";
+
+    open STDOUT,"| \"$^X\" $xlate $flavour $output";
+} else {
+    open STDOUT,">$output";
+}
 
 $Xi="r0";	# argument block
 $Htbl="r1";
@@ -129,6 +141,11 @@ $code=<<___;
 .text
 .code	32
 
+#ifdef  __APPLE__
+#define ldrplb  ldrbpl
+#define ldrneb  ldrbne
+#endif
+
 .type	rem_4bit,%object
 .align	5
 rem_4bit:
@@ -370,7 +387,8 @@ ___
 }
 
 $code.=<<___;
-#if __ARM_ARCH__>=7
+#if __ARM_MAX_ARCH__>=7
+.arch	armv7-a
 .fpu	neon
 
 .global	gcm_init_neon
@@ -378,9 +396,9 @@ $code.=<<___;
 .type	gcm_init_neon,%function
 .align	4
 gcm_init_neon:
-	vld1.64		$IN#hi,[r1,:64]!	@ load H
+	vld1.64		$IN#hi,[r1]!		@ load H
 	vmov.i8		$t0,#0xe1
-	vld1.64		$IN#lo,[r1,:64]
+	vld1.64		$IN#lo,[r1]
 	vshl.i64	$t0#hi,#57
 	vshr.u64	$t0#lo,#63		@ t0=0xc2....01
 	vdup.8		$t1,$IN#hi[7]
@@ -392,7 +410,7 @@ gcm_init_neon:
 	veor		$IN,$IN,$t0		@ twisted H
 	vstmia		r0,{$IN}
 
-	bx	lr
+	ret					@ bx lr
 .size	gcm_init_neon,.-gcm_init_neon
 
 .global	gcm_gmult_neon
@@ -400,8 +418,8 @@ gcm_init_neon:
 .type	gcm_gmult_neon,%function
 .align	4
 gcm_gmult_neon:
-	vld1.64		$IN#hi,[$Xi,:64]!	@ load Xi
-	vld1.64		$IN#lo,[$Xi,:64]!
+	vld1.64		$IN#hi,[$Xi]!		@ load Xi
+	vld1.64		$IN#lo,[$Xi]!
 	vmov.i64	$k48,#0x0000ffffffffffff
 	vldmia		$Htbl,{$Hlo-$Hhi}	@ load twisted H
 	vmov.i64	$k32,#0x00000000ffffffff
@@ -419,8 +437,8 @@ gcm_gmult_neon:
 .type	gcm_ghash_neon,%function
 .align	4
 gcm_ghash_neon:
-	vld1.64		$Xl#hi,[$Xi,:64]!	@ load Xi
-	vld1.64		$Xl#lo,[$Xi,:64]!
+	vld1.64		$Xl#hi,[$Xi]!		@ load Xi
+	vld1.64		$Xl#lo,[$Xi]!
 	vmov.i64	$k48,#0x0000ffffffffffff
 	vldmia		$Htbl,{$Hlo-$Hhi}	@ load twisted H
 	vmov.i64	$k32,#0x00000000ffffffff
@@ -475,10 +493,10 @@ $code.=<<___;
 	vrev64.8	$Xl,$Xl
 #endif
 	sub		$Xi,#16	
-	vst1.64		$Xl#hi,[$Xi,:64]!	@ write out Xi
-	vst1.64		$Xl#lo,[$Xi,:64]
+	vst1.64		$Xl#hi,[$Xi]!		@ write out Xi
+	vst1.64		$Xl#lo,[$Xi]
 
-	bx	lr
+	ret					@ bx lr
 .size	gcm_ghash_neon,.-gcm_ghash_neon
 #endif
 ___
@@ -494,6 +512,7 @@ foreach (split("\n",$code)) {
 	s/\`([^\`]*)\`/eval $1/geo;
 
 	s/\bq([0-9]+)#(lo|hi)/sprintf "d%d",2*$1+($2 eq "hi")/geo	or
+	s/\bret\b/bx	lr/go		or
 	s/\bbx\s+lr\b/.word\t0xe12fff1e/go;    # make it possible to compile with -march=armv4
 
 	print $_,"\n";
diff --git a/src/crypto/modes/asm/ghash-x86.pl b/src/crypto/modes/asm/ghash-x86.pl
index eb6d55e..23a5527 100644
--- a/src/crypto/modes/asm/ghash-x86.pl
+++ b/src/crypto/modes/asm/ghash-x86.pl
@@ -131,8 +131,8 @@ require "x86asm.pl";
 
 &asm_init($ARGV[0],"ghash-x86.pl",$x86only = $ARGV[$#ARGV] eq "386");
 
-$sse2=1;
-#for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
+$sse2=0;
+for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
 
 ($Zhh,$Zhl,$Zlh,$Zll) = ("ebp","edx","ecx","ebx");
 $inp  = "edi";
diff --git a/src/crypto/modes/asm/ghashv8-armx.pl b/src/crypto/modes/asm/ghashv8-armx.pl
index 08c8775..686951f 100644
--- a/src/crypto/modes/asm/ghashv8-armx.pl
+++ b/src/crypto/modes/asm/ghashv8-armx.pl
@@ -16,17 +16,31 @@
 # other assembly modules. Just like aesv8-armx.pl this module
 # supports both AArch32 and AArch64 execution modes.
 #
+# July 2014
+#
+# Implement 2x aggregated reduction [see ghash-x86.pl for background
+# information].
+#
 # Current performance in cycles per processed byte:
 #
 #		PMULL[2]	32-bit NEON(*)
-# Apple A7	1.76		5.62
-# Cortex-A53	1.45		8.39
-# Cortex-A57	2.22		7.61
+# Apple A7	0.92		5.62
+# Cortex-A53	1.01		8.39
+# Cortex-A57	1.17		7.61
+# Denver	0.71		6.02
 #
 # (*)	presented for reference/comparison purposes;
 
 $flavour = shift;
-open STDOUT,">".shift;
+$output  = shift;
+
+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
+( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
+die "can't locate arm-xlate.pl";
+
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
 
 $Xi="x0";	# argument block
 $Htbl="x1";
@@ -37,128 +51,291 @@ $inc="x12";
 
 {
 my ($Xl,$Xm,$Xh,$IN)=map("q$_",(0..3));
-my ($t0,$t1,$t2,$t3,$H,$Hhl)=map("q$_",(8..14));
+my ($t0,$t1,$t2,$xC2,$H,$Hhl,$H2)=map("q$_",(8..14));
 
 $code=<<___;
 #include "arm_arch.h"
 
 .text
 ___
-$code.=<<___	if ($flavour =~ /64/);
+$code.=<<___ if ($flavour =~ /64/);
 #if !defined(__clang__)
-.arch	armv8-a+crypto
+.arch  armv8-a+crypto
 #endif
 ___
 $code.=".fpu	neon\n.code	32\n"	if ($flavour !~ /64/);
 
+################################################################################
+# void gcm_init_v8(u128 Htable[16],const u64 H[2]);
+#
+# input:	128-bit H - secret parameter E(K,0^128)
+# output:	precomputed table filled with degrees of twisted H;
+#		H is twisted to handle reverse bitness of GHASH;
+#		only few of 16 slots of Htable[16] are used;
+#		data is opaque to outside world (which allows to
+#		optimize the code independently);
+#
 $code.=<<___;
 .global	gcm_init_v8
 .type	gcm_init_v8,%function
 .align	4
 gcm_init_v8:
-	vld1.64		{$t1},[x1]		@ load H
-	vmov.i8		$t0,#0xe1
+	vld1.64		{$t1},[x1]		@ load input H
+	vmov.i8		$xC2,#0xe1
+	vshl.i64	$xC2,$xC2,#57		@ 0xc2.0
 	vext.8		$IN,$t1,$t1,#8
-	vshl.i64	$t0,$t0,#57
-	vshr.u64	$t2,$t0,#63
-	vext.8		$t0,$t2,$t0,#8		@ t0=0xc2....01
+	vshr.u64	$t2,$xC2,#63
 	vdup.32		$t1,${t1}[1]
-	vshr.u64	$t3,$IN,#63
+	vext.8		$t0,$t2,$xC2,#8		@ t0=0xc2....01
+	vshr.u64	$t2,$IN,#63
 	vshr.s32	$t1,$t1,#31		@ broadcast carry bit
-	vand		$t3,$t3,$t0
+	vand		$t2,$t2,$t0
 	vshl.i64	$IN,$IN,#1
-	vext.8		$t3,$t3,$t3,#8
+	vext.8		$t2,$t2,$t2,#8
 	vand		$t0,$t0,$t1
-	vorr		$IN,$IN,$t3		@ H<<<=1
-	veor		$IN,$IN,$t0		@ twisted H
-	vst1.64		{$IN},[x0]
+	vorr		$IN,$IN,$t2		@ H<<<=1
+	veor		$H,$IN,$t0		@ twisted H
+	vst1.64		{$H},[x0],#16		@ store Htable[0]
+
+	@ calculate H^2
+	vext.8		$t0,$H,$H,#8		@ Karatsuba pre-processing
+	vpmull.p64	$Xl,$H,$H
+	veor		$t0,$t0,$H
+	vpmull2.p64	$Xh,$H,$H
+	vpmull.p64	$Xm,$t0,$t0
+
+	vext.8		$t1,$Xl,$Xh,#8		@ Karatsuba post-processing
+	veor		$t2,$Xl,$Xh
+	veor		$Xm,$Xm,$t1
+	veor		$Xm,$Xm,$t2
+	vpmull.p64	$t2,$Xl,$xC2		@ 1st phase
+
+	vmov		$Xh#lo,$Xm#hi		@ Xh|Xm - 256-bit result
+	vmov		$Xm#hi,$Xl#lo		@ Xm is rotated Xl
+	veor		$Xl,$Xm,$t2
+
+	vext.8		$t2,$Xl,$Xl,#8		@ 2nd phase
+	vpmull.p64	$Xl,$Xl,$xC2
+	veor		$t2,$t2,$Xh
+	veor		$H2,$Xl,$t2
+
+	vext.8		$t1,$H2,$H2,#8		@ Karatsuba pre-processing
+	veor		$t1,$t1,$H2
+	vext.8		$Hhl,$t0,$t1,#8		@ pack Karatsuba pre-processed
+	vst1.64		{$Hhl-$H2},[x0]		@ store Htable[1..2]
 
 	ret
 .size	gcm_init_v8,.-gcm_init_v8
-
+___
+################################################################################
+# void gcm_gmult_v8(u64 Xi[2],const u128 Htable[16]);
+#
+# input:	Xi - current hash value;
+#		Htable - table precomputed in gcm_init_v8;
+# output:	Xi - next hash value Xi;
+#
+$code.=<<___;
 .global	gcm_gmult_v8
 .type	gcm_gmult_v8,%function
 .align	4
 gcm_gmult_v8:
 	vld1.64		{$t1},[$Xi]		@ load Xi
-	vmov.i8		$t3,#0xe1
-	vld1.64		{$H},[$Htbl]		@ load twisted H
-	vshl.u64	$t3,$t3,#57
+	vmov.i8		$xC2,#0xe1
+	vld1.64		{$H-$Hhl},[$Htbl]	@ load twisted H, ...
+	vshl.u64	$xC2,$xC2,#57
 #ifndef __ARMEB__
 	vrev64.8	$t1,$t1
 #endif
-	vext.8		$Hhl,$H,$H,#8
-	mov		$len,#0
 	vext.8		$IN,$t1,$t1,#8
-	mov		$inc,#0
-	veor		$Hhl,$Hhl,$H		@ Karatsuba pre-processing
-	mov		$inp,$Xi
-	b		.Lgmult_v8
-.size	gcm_gmult_v8,.-gcm_gmult_v8
 
+	vpmull.p64	$Xl,$H,$IN		@ H.lo·Xi.lo
+	veor		$t1,$t1,$IN		@ Karatsuba pre-processing
+	vpmull2.p64	$Xh,$H,$IN		@ H.hi·Xi.hi
+	vpmull.p64	$Xm,$Hhl,$t1		@ (H.lo+H.hi)·(Xi.lo+Xi.hi)
+
+	vext.8		$t1,$Xl,$Xh,#8		@ Karatsuba post-processing
+	veor		$t2,$Xl,$Xh
+	veor		$Xm,$Xm,$t1
+	veor		$Xm,$Xm,$t2
+	vpmull.p64	$t2,$Xl,$xC2		@ 1st phase of reduction
+
+	vmov		$Xh#lo,$Xm#hi		@ Xh|Xm - 256-bit result
+	vmov		$Xm#hi,$Xl#lo		@ Xm is rotated Xl
+	veor		$Xl,$Xm,$t2
+
+	vext.8		$t2,$Xl,$Xl,#8		@ 2nd phase of reduction
+	vpmull.p64	$Xl,$Xl,$xC2
+	veor		$t2,$t2,$Xh
+	veor		$Xl,$Xl,$t2
+
+#ifndef __ARMEB__
+	vrev64.8	$Xl,$Xl
+#endif
+	vext.8		$Xl,$Xl,$Xl,#8
+	vst1.64		{$Xl},[$Xi]		@ write out Xi
+
+	ret
+.size	gcm_gmult_v8,.-gcm_gmult_v8
+___
+################################################################################
+# void gcm_ghash_v8(u64 Xi[2],const u128 Htable[16],const u8 *inp,size_t len);
+#
+# input:	table precomputed in gcm_init_v8;
+#		current hash value Xi;
+#		pointer to input data;
+#		length of input data in bytes, but divisible by block size;
+# output:	next hash value Xi;
+#
+$code.=<<___;
 .global	gcm_ghash_v8
 .type	gcm_ghash_v8,%function
 .align	4
 gcm_ghash_v8:
+___
+$code.=<<___		if ($flavour !~ /64/);
+	vstmdb		sp!,{d8-d15}		@ 32-bit ABI says so
+___
+$code.=<<___;
 	vld1.64		{$Xl},[$Xi]		@ load [rotated] Xi
-	subs		$len,$len,#16
-	vmov.i8		$t3,#0xe1
-	mov		$inc,#16
-	vld1.64		{$H},[$Htbl]		@ load twisted H
-	cclr		$inc,eq
-	vext.8		$Xl,$Xl,$Xl,#8
-	vshl.u64	$t3,$t3,#57
-	vld1.64		{$t1},[$inp],$inc	@ load [rotated] inp
-	vext.8		$Hhl,$H,$H,#8
+						@ "[rotated]" means that
+						@ loaded value would have
+						@ to be rotated in order to
+						@ make it appear as in
+						@ alorithm specification
+	subs		$len,$len,#32		@ see if $len is 32 or larger
+	mov		$inc,#16		@ $inc is used as post-
+						@ increment for input pointer;
+						@ as loop is modulo-scheduled
+						@ $inc is zeroed just in time
+						@ to preclude oversteping
+						@ inp[len], which means that
+						@ last block[s] are actually
+						@ loaded twice, but last
+						@ copy is not processed
+	vld1.64		{$H-$Hhl},[$Htbl],#32	@ load twisted H, ..., H^2
+	vmov.i8		$xC2,#0xe1
+	vld1.64		{$H2},[$Htbl]
+	cclr		$inc,eq			@ is it time to zero $inc?
+	vext.8		$Xl,$Xl,$Xl,#8		@ rotate Xi
+	vld1.64		{$t0},[$inp],#16	@ load [rotated] I[0]
+	vshl.u64	$xC2,$xC2,#57		@ compose 0xc2.0 constant
 #ifndef __ARMEB__
+	vrev64.8	$t0,$t0
 	vrev64.8	$Xl,$Xl
+#endif
+	vext.8		$IN,$t0,$t0,#8		@ rotate I[0]
+	b.lo		.Lodd_tail_v8		@ $len was less than 32
+___
+{ my ($Xln,$Xmn,$Xhn,$In) = map("q$_",(4..7));
+	#######
+	# Xi+2 =[H*(Ii+1 + Xi+1)] mod P =
+	#	[(H*Ii+1) + (H*Xi+1)] mod P =
+	#	[(H*Ii+1) + H^2*(Ii+Xi)] mod P
+	#
+$code.=<<___;
+	vld1.64		{$t1},[$inp],$inc	@ load [rotated] I[1]
+#ifndef __ARMEB__
 	vrev64.8	$t1,$t1
 #endif
-	veor		$Hhl,$Hhl,$H		@ Karatsuba pre-processing
-	vext.8		$IN,$t1,$t1,#8
-	b		.Loop_v8
+	vext.8		$In,$t1,$t1,#8
+	veor		$IN,$IN,$Xl		@ I[i]^=Xi
+	vpmull.p64	$Xln,$H,$In		@ H·Ii+1
+	veor		$t1,$t1,$In		@ Karatsuba pre-processing
+	vpmull2.p64	$Xhn,$H,$In
+	b		.Loop_mod2x_v8
 
 .align	4
-.Loop_v8:
+.Loop_mod2x_v8:
+	vext.8		$t2,$IN,$IN,#8
+	subs		$len,$len,#32		@ is there more data?
+	vpmull.p64	$Xl,$H2,$IN		@ H^2.lo·Xi.lo
+	cclr		$inc,lo			@ is it time to zero $inc?
+
+	 vpmull.p64	$Xmn,$Hhl,$t1
+	veor		$t2,$t2,$IN		@ Karatsuba pre-processing
+	vpmull2.p64	$Xh,$H2,$IN		@ H^2.hi·Xi.hi
+	veor		$Xl,$Xl,$Xln		@ accumulate
+	vpmull2.p64	$Xm,$Hhl,$t2		@ (H^2.lo+H^2.hi)·(Xi.lo+Xi.hi)
+	 vld1.64	{$t0},[$inp],$inc	@ load [rotated] I[i+2]
+
+	veor		$Xh,$Xh,$Xhn
+	 cclr		$inc,eq			@ is it time to zero $inc?
+	veor		$Xm,$Xm,$Xmn
+
+	vext.8		$t1,$Xl,$Xh,#8		@ Karatsuba post-processing
+	veor		$t2,$Xl,$Xh
+	veor		$Xm,$Xm,$t1
+	 vld1.64	{$t1},[$inp],$inc	@ load [rotated] I[i+3]
+#ifndef __ARMEB__
+	 vrev64.8	$t0,$t0
+#endif
+	veor		$Xm,$Xm,$t2
+	vpmull.p64	$t2,$Xl,$xC2		@ 1st phase of reduction
+
+#ifndef __ARMEB__
+	 vrev64.8	$t1,$t1
+#endif
+	vmov		$Xh#lo,$Xm#hi		@ Xh|Xm - 256-bit result
+	vmov		$Xm#hi,$Xl#lo		@ Xm is rotated Xl
+	 vext.8		$In,$t1,$t1,#8
+	 vext.8		$IN,$t0,$t0,#8
+	veor		$Xl,$Xm,$t2
+	 vpmull.p64	$Xln,$H,$In		@ H·Ii+1
+	veor		$IN,$IN,$Xh		@ accumulate $IN early
+
+	vext.8		$t2,$Xl,$Xl,#8		@ 2nd phase of reduction
+	vpmull.p64	$Xl,$Xl,$xC2
+	veor		$IN,$IN,$t2
+	 veor		$t1,$t1,$In		@ Karatsuba pre-processing
+	veor		$IN,$IN,$Xl
+	 vpmull2.p64	$Xhn,$H,$In
+	b.hs		.Loop_mod2x_v8		@ there was at least 32 more bytes
+
+	veor		$Xh,$Xh,$t2
+	vext.8		$IN,$t0,$t0,#8		@ re-construct $IN
+	adds		$len,$len,#32		@ re-construct $len
+	veor		$Xl,$Xl,$Xh		@ re-construct $Xl
+	b.eq		.Ldone_v8		@ is $len zero?
+___
+}
+$code.=<<___;
+.Lodd_tail_v8:
 	vext.8		$t2,$Xl,$Xl,#8
 	veor		$IN,$IN,$Xl		@ inp^=Xi
-	veor		$t1,$t1,$t2		@ $t1 is rotated inp^Xi
+	veor		$t1,$t0,$t2		@ $t1 is rotated inp^Xi
 
-.Lgmult_v8:
 	vpmull.p64	$Xl,$H,$IN		@ H.lo·Xi.lo
 	veor		$t1,$t1,$IN		@ Karatsuba pre-processing
 	vpmull2.p64	$Xh,$H,$IN		@ H.hi·Xi.hi
-	subs		$len,$len,#16
 	vpmull.p64	$Xm,$Hhl,$t1		@ (H.lo+H.hi)·(Xi.lo+Xi.hi)
-	cclr		$inc,eq
 
 	vext.8		$t1,$Xl,$Xh,#8		@ Karatsuba post-processing
 	veor		$t2,$Xl,$Xh
 	veor		$Xm,$Xm,$t1
-	 vld1.64	{$t1},[$inp],$inc	@ load [rotated] inp
 	veor		$Xm,$Xm,$t2
-	vpmull.p64	$t2,$Xl,$t3		@ 1st phase
+	vpmull.p64	$t2,$Xl,$xC2		@ 1st phase of reduction
 
 	vmov		$Xh#lo,$Xm#hi		@ Xh|Xm - 256-bit result
 	vmov		$Xm#hi,$Xl#lo		@ Xm is rotated Xl
-#ifndef __ARMEB__
-	 vrev64.8	$t1,$t1
-#endif
 	veor		$Xl,$Xm,$t2
-	 vext.8		$IN,$t1,$t1,#8
 
-	vext.8		$t2,$Xl,$Xl,#8		@ 2nd phase
-	vpmull.p64	$Xl,$Xl,$t3
+	vext.8		$t2,$Xl,$Xl,#8		@ 2nd phase of reduction
+	vpmull.p64	$Xl,$Xl,$xC2
 	veor		$t2,$t2,$Xh
 	veor		$Xl,$Xl,$t2
-	b.hs		.Loop_v8
 
+.Ldone_v8:
 #ifndef __ARMEB__
 	vrev64.8	$Xl,$Xl
 #endif
 	vext.8		$Xl,$Xl,$Xl,#8
 	vst1.64		{$Xl},[$Xi]		@ write out Xi
 
+___
+$code.=<<___		if ($flavour !~ /64/);
+	vldmia		sp!,{d8-d15}		@ 32-bit ABI says so
+___
+$code.=<<___;
 	ret
 .size	gcm_ghash_v8,.-gcm_ghash_v8
 ___
@@ -226,7 +403,7 @@ if ($flavour =~ /64/) {			######## 64-bit code
     foreach(split("\n",$code)) {
 	s/\b[wx]([0-9]+)\b/r$1/go;		# new->old registers
 	s/\bv([0-9])\.[12468]+[bsd]\b/q$1/go;	# new->old registers
-        s/\/\/\s?/@ /o;				# new->old style commentary
+	s/\/\/\s?/@ /o;				# new->old style commentary
 
 	# fix up remainig new-style suffixes
 	s/\],#[0-9]+/]!/o;
@@ -238,7 +415,7 @@ if ($flavour =~ /64/) {			######## 64-bit code
 	s/^(\s+)b\./$1b/o						or
 	s/^(\s+)ret/$1bx\tlr/o;
 
-        print $_,"\n";
+	print $_,"\n";
     }
 }
 
diff --git a/src/crypto/modes/cbc.c b/src/crypto/modes/cbc.c
index a2ad26c..ba4805b 100644
--- a/src/crypto/modes/cbc.c
+++ b/src/crypto/modes/cbc.c
@@ -128,8 +128,9 @@ void CRYPTO_cbc128_decrypt(const uint8_t *in, uint8_t *out, size_t len,
         ((size_t)in | (size_t)out | (size_t)ivec) % sizeof(size_t) != 0) {
       while (len >= 16) {
         (*block)(in, out, key);
-        for (n = 0; n < 16; ++n)
+        for (n = 0; n < 16; ++n) {
           out[n] ^= iv[n];
+        }
         iv = in;
         len -= 16;
         in += 16;
@@ -140,8 +141,9 @@ void CRYPTO_cbc128_decrypt(const uint8_t *in, uint8_t *out, size_t len,
         size_t *out_t = (size_t *)out, *iv_t = (size_t *)iv;
 
         (*block)(in, out, key);
-        for (n = 0; n < 16 / sizeof(size_t); n++)
+        for (n = 0; n < 16 / sizeof(size_t); n++) {
           out_t[n] ^= iv_t[n];
+        }
         iv = in;
         len -= 16;
         in += 16;
diff --git a/src/crypto/modes/ctr.c b/src/crypto/modes/ctr.c
index 61832ba..306b6f7 100644
--- a/src/crypto/modes/ctr.c
+++ b/src/crypto/modes/ctr.c
@@ -121,8 +121,9 @@ void CRYPTO_ctr128_encrypt(const uint8_t *in, uint8_t *out, size_t len,
   while (len >= 16) {
     (*block)(ivec, ecount_buf, key);
     ctr128_inc(ivec);
-    for (; n < 16; n += sizeof(size_t))
+    for (; n < 16; n += sizeof(size_t)) {
       *(size_t *)(out + n) = *(size_t *)(in + n) ^ *(size_t *)(ecount_buf + n);
+    }
     len -= 16;
     out += 16;
     in += 16;
@@ -162,7 +163,8 @@ void CRYPTO_ctr128_encrypt_ctr32(const uint8_t *in, uint8_t *out,
                                  unsigned int *num, ctr128_f func) {
   unsigned int n, ctr32;
 
-  assert(in && out && key && ecount_buf && num);
+  assert(key && ecount_buf && num);
+  assert(len == 0 || (in && out));
   assert(*num < 16);
 
   n = *num;
@@ -179,8 +181,9 @@ void CRYPTO_ctr128_encrypt_ctr32(const uint8_t *in, uint8_t *out,
     /* 1<<28 is just a not-so-small yet not-so-large number...
      * Below condition is practically never met, but it has to
      * be checked for code correctness. */
-    if (sizeof(size_t) > sizeof(unsigned int) && blocks > (1U << 28))
+    if (sizeof(size_t) > sizeof(unsigned int) && blocks > (1U << 28)) {
       blocks = (1U << 28);
+    }
     /* As (*func) operates on 32-bit counter, caller
      * has to handle overflow. 'if' below detects the
      * overflow, which is then handled by limiting the
@@ -194,8 +197,9 @@ void CRYPTO_ctr128_encrypt_ctr32(const uint8_t *in, uint8_t *out,
     /* (*func) does not update ivec, caller does: */
     PUTU32(ivec + 12, ctr32);
     /* ... overflow was detected, propogate carry. */
-    if (ctr32 == 0)
+    if (ctr32 == 0) {
       ctr96_inc(ivec);
+    }
     blocks *= 16;
     len -= blocks;
     out += blocks;
diff --git a/src/crypto/modes/gcm.c b/src/crypto/modes/gcm.c
index eeaeeff..b1c10b3 100644
--- a/src/crypto/modes/gcm.c
+++ b/src/crypto/modes/gcm.c
@@ -620,8 +620,9 @@ int CRYPTO_gcm128_aad(GCM128_CONTEXT *ctx, const uint8_t *aad, size_t len) {
 #endif
   if (len) {
     n = (unsigned int)len;
-    for (i = 0; i < len; ++i)
+    for (i = 0; i < len; ++i) {
       ctx->Xi.c[i] ^= aad[i];
+    }
   }
 
   ctx->ares = n;
@@ -1123,10 +1124,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, const uint8_t *in,
     GHASH(ctx, in, GHASH_CHUNK);
     (*stream)(in, out, GHASH_CHUNK / 16, key, ctx->Yi.c);
     ctr += GHASH_CHUNK / 16;
-    if (is_endian.little)
+    if (is_endian.little) {
       PUTU32(ctx->Yi.c + 12, ctr);
-    else
+    } else {
       ctx->Yi.d[3] = ctr;
+    }
     out += GHASH_CHUNK;
     in += GHASH_CHUNK;
     len -= GHASH_CHUNK;
@@ -1140,8 +1142,9 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, const uint8_t *in,
 #else
     while (j--) {
       size_t k;
-      for (k = 0; k < 16; ++k)
+      for (k = 0; k < 16; ++k) {
         ctx->Xi.c[k] ^= in[k];
+      }
       GCM_MUL(ctx, Xi);
       in += 16;
     }
@@ -1150,10 +1153,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, const uint8_t *in,
 #endif
     (*stream)(in, out, j, key, ctx->Yi.c);
     ctr += (unsigned int)j;
-    if (is_endian.little)
+    if (is_endian.little) {
       PUTU32(ctx->Yi.c + 12, ctr);
-    else
+    } else {
       ctx->Yi.d[3] = ctr;
+    }
     out += i;
     in += i;
     len -= i;
@@ -1161,10 +1165,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, const uint8_t *in,
   if (len) {
     (*ctx->block)(ctx->Yi.c, ctx->EKi.c, key);
     ++ctr;
-    if (is_endian.little)
+    if (is_endian.little) {
       PUTU32(ctx->Yi.c + 12, ctr);
-    else
+    } else {
       ctx->Yi.d[3] = ctr;
+    }
     while (len--) {
       uint8_t c = in[n];
       ctx->Xi.c[n] ^= c;
diff --git a/src/crypto/modes/gcm_test.c b/src/crypto/modes/gcm_test.c
index 29f9d95..3548c81 100644
--- a/src/crypto/modes/gcm_test.c
+++ b/src/crypto/modes/gcm_test.c
@@ -294,9 +294,7 @@ static int decode_hex(uint8_t **out, size_t *out_len, const char *in,
   return 1;
 
 err:
-  if (buf) {
-    OPENSSL_free(buf);
-  }
+  OPENSSL_free(buf);
   return 0;
 }
 
@@ -391,27 +389,13 @@ static int run_test_case(unsigned test_num, const struct test_case *test) {
   ret = 1;
 
 out:
-  if (key) {
-    OPENSSL_free(key);
-  }
-  if (plaintext) {
-    OPENSSL_free(plaintext);
-  }
-  if (additional_data) {
-    OPENSSL_free(additional_data);
-  }
-  if (nonce) {
-    OPENSSL_free(nonce);
-  }
-  if (ciphertext) {
-    OPENSSL_free(ciphertext);
-  }
-  if (tag) {
-    OPENSSL_free(tag);
-  }
-  if (out) {
-    OPENSSL_free(out);
-  }
+  OPENSSL_free(key);
+  OPENSSL_free(plaintext);
+  OPENSSL_free(additional_data);
+  OPENSSL_free(nonce);
+  OPENSSL_free(ciphertext);
+  OPENSSL_free(tag);
+  OPENSSL_free(out);
   return ret;
 }
 
diff --git a/src/crypto/modes/internal.h b/src/crypto/modes/internal.h
index 9662e0d..d12405e 100644
--- a/src/crypto/modes/internal.h
+++ b/src/crypto/modes/internal.h
@@ -121,6 +121,9 @@ extern "C" {
 #endif
 #elif defined(_MSC_VER)
 #if _MSC_VER >= 1300
+#pragma warning(push, 3)
+#include <intrin.h>
+#pragma warning(pop)
 #pragma intrinsic(_byteswap_uint64, _byteswap_ulong)
 #define BSWAP8(x) _byteswap_uint64((uint64_t)(x))
 #define BSWAP4(x) _byteswap_ulong((uint32_t)(x))
diff --git a/src/crypto/obj/CMakeLists.txt b/src/crypto/obj/CMakeLists.txt
index ade603d..a27e504 100644
--- a/src/crypto/obj/CMakeLists.txt
+++ b/src/crypto/obj/CMakeLists.txt
@@ -7,5 +7,4 @@ add_library(
 
   obj.c
   obj_xref.c
-  obj_error.c
 )
diff --git a/src/crypto/obj/obj.c b/src/crypto/obj/obj.c
index b04321b..511aba3 100644
--- a/src/crypto/obj/obj.c
+++ b/src/crypto/obj/obj.c
@@ -68,21 +68,26 @@
 #include <openssl/thread.h>
 
 #include "obj_dat.h"
+#include "../internal.h"
 
-/* These globals are protected by CRYPTO_LOCK_OBJ. */
+
+static struct CRYPTO_STATIC_MUTEX global_added_lock = CRYPTO_STATIC_MUTEX_INIT;
+/* These globals are protected by |global_added_lock|. */
 static LHASH_OF(ASN1_OBJECT) *global_added_by_data = NULL;
 static LHASH_OF(ASN1_OBJECT) *global_added_by_nid = NULL;
 static LHASH_OF(ASN1_OBJECT) *global_added_by_short_name = NULL;
 static LHASH_OF(ASN1_OBJECT) *global_added_by_long_name = NULL;
 
+static struct CRYPTO_STATIC_MUTEX global_next_nid_lock =
+    CRYPTO_STATIC_MUTEX_INIT;
 static unsigned global_next_nid = NUM_NID;
 
 static int obj_next_nid(void) {
   int ret;
 
-  CRYPTO_w_lock(CRYPTO_LOCK_OBJ);
+  CRYPTO_STATIC_MUTEX_lock_write(&global_next_nid_lock);
   ret = global_next_nid++;
-  CRYPTO_w_unlock(CRYPTO_LOCK_OBJ);
+  CRYPTO_STATIC_MUTEX_unlock(&global_next_nid_lock);
 
   return ret;
 }
@@ -130,7 +135,7 @@ ASN1_OBJECT *OBJ_dup(const ASN1_OBJECT *o) {
 
   if (o->sn != NULL) {
     sn = OPENSSL_strdup(o->sn);
-    if (sn) {
+    if (sn == NULL) {
       goto err;
     }
   }
@@ -145,15 +150,9 @@ ASN1_OBJECT *OBJ_dup(const ASN1_OBJECT *o) {
 
 err:
   OPENSSL_PUT_ERROR(OBJ, OBJ_dup, ERR_R_MALLOC_FAILURE);
-  if (ln != NULL) {
-    OPENSSL_free(ln);
-  }
-  if (sn != NULL) {
-    OPENSSL_free(sn);
-  }
-  if (data != NULL) {
-    OPENSSL_free(data);
-  }
+  OPENSSL_free(ln);
+  OPENSSL_free(sn);
+  OPENSSL_free(data);
   OPENSSL_free(r);
   return NULL;
 }
@@ -195,17 +194,17 @@ int OBJ_obj2nid(const ASN1_OBJECT *obj) {
     return obj->nid;
   }
 
-  CRYPTO_r_lock(CRYPTO_LOCK_OBJ);
+  CRYPTO_STATIC_MUTEX_lock_read(&global_added_lock);
   if (global_added_by_data != NULL) {
     ASN1_OBJECT *match;
 
     match = lh_ASN1_OBJECT_retrieve(global_added_by_data, obj);
     if (match != NULL) {
-      CRYPTO_r_unlock(CRYPTO_LOCK_OBJ);
+      CRYPTO_STATIC_MUTEX_unlock(&global_added_lock);
       return match->nid;
     }
   }
-  CRYPTO_r_unlock(CRYPTO_LOCK_OBJ);
+  CRYPTO_STATIC_MUTEX_unlock(&global_added_lock);
 
   nid_ptr = bsearch(obj, kNIDsInOIDOrder, NUM_OBJ, sizeof(unsigned), obj_cmp);
   if (nid_ptr == NULL) {
@@ -237,18 +236,18 @@ static int short_name_cmp(const void *key, const void *element) {
 int OBJ_sn2nid(const char *short_name) {
   const unsigned int *nid_ptr;
 
-  CRYPTO_r_lock(CRYPTO_LOCK_OBJ);
+  CRYPTO_STATIC_MUTEX_lock_read(&global_added_lock);
   if (global_added_by_short_name != NULL) {
     ASN1_OBJECT *match, template;
 
     template.sn = short_name;
     match = lh_ASN1_OBJECT_retrieve(global_added_by_short_name, &template);
     if (match != NULL) {
-      CRYPTO_r_unlock(CRYPTO_LOCK_OBJ);
+      CRYPTO_STATIC_MUTEX_unlock(&global_added_lock);
       return match->nid;
     }
   }
-  CRYPTO_r_unlock(CRYPTO_LOCK_OBJ);
+  CRYPTO_STATIC_MUTEX_unlock(&global_added_lock);
 
   nid_ptr = bsearch(short_name, kNIDsInShortNameOrder, NUM_SN, sizeof(unsigned), short_name_cmp);
   if (nid_ptr == NULL) {
@@ -271,18 +270,18 @@ static int long_name_cmp(const void *key, const void *element) {
 int OBJ_ln2nid(const char *long_name) {
   const unsigned int *nid_ptr;
 
-  CRYPTO_r_lock(CRYPTO_LOCK_OBJ);
+  CRYPTO_STATIC_MUTEX_lock_read(&global_added_lock);
   if (global_added_by_long_name != NULL) {
     ASN1_OBJECT *match, template;
 
     template.ln = long_name;
     match = lh_ASN1_OBJECT_retrieve(global_added_by_long_name, &template);
     if (match != NULL) {
-      CRYPTO_r_unlock(CRYPTO_LOCK_OBJ);
+      CRYPTO_STATIC_MUTEX_unlock(&global_added_lock);
       return match->nid;
     }
   }
-  CRYPTO_r_unlock(CRYPTO_LOCK_OBJ);
+  CRYPTO_STATIC_MUTEX_unlock(&global_added_lock);
 
   nid_ptr = bsearch(long_name, kNIDsInLongNameOrder, NUM_LN, sizeof(unsigned), long_name_cmp);
   if (nid_ptr == NULL) {
@@ -324,18 +323,18 @@ const ASN1_OBJECT *OBJ_nid2obj(int nid) {
     return &kObjects[nid];
   }
 
-  CRYPTO_r_lock(CRYPTO_LOCK_OBJ);
+  CRYPTO_STATIC_MUTEX_lock_read(&global_added_lock);
   if (global_added_by_nid != NULL) {
     ASN1_OBJECT *match, template;
 
     template.nid = nid;
     match = lh_ASN1_OBJECT_retrieve(global_added_by_nid, &template);
     if (match != NULL) {
-      CRYPTO_r_unlock(CRYPTO_LOCK_OBJ);
+      CRYPTO_STATIC_MUTEX_unlock(&global_added_lock);
       return match;
     }
   }
-  CRYPTO_r_unlock(CRYPTO_LOCK_OBJ);
+  CRYPTO_STATIC_MUTEX_unlock(&global_added_lock);
 
 err:
   OPENSSL_PUT_ERROR(OBJ, OBJ_nid2obj, OBJ_R_UNKNOWN_NID);
@@ -543,15 +542,11 @@ int OBJ_obj2txt(char *out, int out_len, const ASN1_OBJECT *obj, int dont_return_
     }
   }
 
-  if (bl) {
-    BN_free(bl);
-  }
+  BN_free(bl);
   return n;
 
 err:
-  if (bl) {
-    BN_free(bl);
-  }
+  BN_free(bl);
   return -1;
 }
 
@@ -600,7 +595,7 @@ static int obj_add_object(ASN1_OBJECT *obj) {
   obj->flags &= ~(ASN1_OBJECT_FLAG_DYNAMIC | ASN1_OBJECT_FLAG_DYNAMIC_STRINGS |
                   ASN1_OBJECT_FLAG_DYNAMIC_DATA);
 
-  CRYPTO_w_lock(CRYPTO_LOCK_OBJ);
+  CRYPTO_STATIC_MUTEX_lock_write(&global_added_lock);
   if (global_added_by_nid == NULL) {
     global_added_by_nid = lh_ASN1_OBJECT_new(hash_nid, cmp_nid);
     global_added_by_data = lh_ASN1_OBJECT_new(hash_data, cmp_data);
@@ -623,7 +618,7 @@ static int obj_add_object(ASN1_OBJECT *obj) {
   if (obj->ln != NULL) {
     ok &= lh_ASN1_OBJECT_insert(global_added_by_long_name, &old_object, obj);
   }
-  CRYPTO_w_unlock(CRYPTO_LOCK_OBJ);
+  CRYPTO_STATIC_MUTEX_unlock(&global_added_lock);
 
   return ok;
 }
@@ -662,12 +657,8 @@ int OBJ_create(const char *oid, const char *short_name, const char *long_name) {
   op = NULL;
 
 err:
-  if (op != NULL) {
-    ASN1_OBJECT_free(op);
-  }
-  if (buf != NULL) {
-    OPENSSL_free(buf);
-  }
+  ASN1_OBJECT_free(op);
+  OPENSSL_free(buf);
 
   return ret;
 }
diff --git a/src/crypto/obj/obj_error.c b/src/crypto/obj/obj_error.c
deleted file mode 100644
index 1ec9771..0000000
--- a/src/crypto/obj/obj_error.c
+++ /dev/null
@@ -1,26 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/obj.h>
-
-const ERR_STRING_DATA OBJ_error_string_data[] = {
-  {ERR_PACK(ERR_LIB_OBJ, OBJ_F_OBJ_create, 0), "OBJ_create"},
-  {ERR_PACK(ERR_LIB_OBJ, OBJ_F_OBJ_dup, 0), "OBJ_dup"},
-  {ERR_PACK(ERR_LIB_OBJ, OBJ_F_OBJ_nid2obj, 0), "OBJ_nid2obj"},
-  {ERR_PACK(ERR_LIB_OBJ, OBJ_F_OBJ_txt2obj, 0), "OBJ_txt2obj"},
-  {ERR_PACK(ERR_LIB_OBJ, 0, OBJ_R_UNKNOWN_NID), "UNKNOWN_NID"},
-  {0, NULL},
-};
diff --git a/src/crypto/pem/CMakeLists.txt b/src/crypto/pem/CMakeLists.txt
index 3275b15..720ba2f 100644
--- a/src/crypto/pem/CMakeLists.txt
+++ b/src/crypto/pem/CMakeLists.txt
@@ -6,7 +6,6 @@ add_library(
   OBJECT
 
   pem_all.c
-  pem_error.c
   pem_info.c
   pem_lib.c
   pem_oth.c
diff --git a/src/crypto/pem/pem_error.c b/src/crypto/pem/pem_error.c
deleted file mode 100644
index 2745f4c..0000000
--- a/src/crypto/pem/pem_error.c
+++ /dev/null
@@ -1,73 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/pem.h>
-
-const ERR_STRING_DATA PEM_error_string_data[] = {
-  {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_ASN1_read, 0), "PEM_ASN1_read"},
-  {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_ASN1_read_bio, 0), "PEM_ASN1_read_bio"},
-  {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_ASN1_write, 0), "PEM_ASN1_write"},
-  {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_ASN1_write_bio, 0), "PEM_ASN1_write_bio"},
-  {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_X509_INFO_read, 0), "PEM_X509_INFO_read"},
-  {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_X509_INFO_read_bio, 0), "PEM_X509_INFO_read_bio"},
-  {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_X509_INFO_write_bio, 0), "PEM_X509_INFO_write_bio"},
-  {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_do_header, 0), "PEM_do_header"},
-  {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_get_EVP_CIPHER_INFO, 0), "PEM_get_EVP_CIPHER_INFO"},
-  {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_read, 0), "PEM_read"},
-  {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_read_DHparams, 0), "PEM_read_DHparams"},
-  {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_read_PrivateKey, 0), "PEM_read_PrivateKey"},
-  {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_read_bio, 0), "PEM_read_bio"},
-  {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_read_bio_DHparams, 0), "PEM_read_bio_DHparams"},
-  {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_read_bio_Parameters, 0), "PEM_read_bio_Parameters"},
-  {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_read_bio_PrivateKey, 0), "PEM_read_bio_PrivateKey"},
-  {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_write, 0), "PEM_write"},
-  {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_write_PrivateKey, 0), "PEM_write_PrivateKey"},
-  {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_write_bio, 0), "PEM_write_bio"},
-  {ERR_PACK(ERR_LIB_PEM, PEM_F_d2i_PKCS8PrivateKey_bio, 0), "d2i_PKCS8PrivateKey_bio"},
-  {ERR_PACK(ERR_LIB_PEM, PEM_F_d2i_PKCS8PrivateKey_fp, 0), "d2i_PKCS8PrivateKey_fp"},
-  {ERR_PACK(ERR_LIB_PEM, PEM_F_do_pk8pkey, 0), "do_pk8pkey"},
-  {ERR_PACK(ERR_LIB_PEM, PEM_F_do_pk8pkey_fp, 0), "do_pk8pkey_fp"},
-  {ERR_PACK(ERR_LIB_PEM, PEM_F_load_iv, 0), "load_iv"},
-  {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_BAD_BASE64_DECODE), "BAD_BASE64_DECODE"},
-  {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_BAD_DECRYPT), "BAD_DECRYPT"},
-  {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_BAD_END_LINE), "BAD_END_LINE"},
-  {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_BAD_IV_CHARS), "BAD_IV_CHARS"},
-  {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_BAD_MAGIC_NUMBER), "BAD_MAGIC_NUMBER"},
-  {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_BAD_PASSWORD_READ), "BAD_PASSWORD_READ"},
-  {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_BAD_VERSION_NUMBER), "BAD_VERSION_NUMBER"},
-  {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_BIO_WRITE_FAILURE), "BIO_WRITE_FAILURE"},
-  {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_CIPHER_IS_NULL), "CIPHER_IS_NULL"},
-  {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_ERROR_CONVERTING_PRIVATE_KEY), "ERROR_CONVERTING_PRIVATE_KEY"},
-  {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_EXPECTING_PRIVATE_KEY_BLOB), "EXPECTING_PRIVATE_KEY_BLOB"},
-  {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_EXPECTING_PUBLIC_KEY_BLOB), "EXPECTING_PUBLIC_KEY_BLOB"},
-  {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_INCONSISTENT_HEADER), "INCONSISTENT_HEADER"},
-  {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_KEYBLOB_HEADER_PARSE_ERROR), "KEYBLOB_HEADER_PARSE_ERROR"},
-  {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_KEYBLOB_TOO_SHORT), "KEYBLOB_TOO_SHORT"},
-  {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_NOT_DEK_INFO), "NOT_DEK_INFO"},
-  {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_NOT_ENCRYPTED), "NOT_ENCRYPTED"},
-  {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_NOT_PROC_TYPE), "NOT_PROC_TYPE"},
-  {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_NO_START_LINE), "NO_START_LINE"},
-  {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_PROBLEMS_GETTING_PASSWORD), "PROBLEMS_GETTING_PASSWORD"},
-  {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_PUBLIC_KEY_NO_RSA), "PUBLIC_KEY_NO_RSA"},
-  {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_PVK_DATA_TOO_SHORT), "PVK_DATA_TOO_SHORT"},
-  {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_PVK_TOO_SHORT), "PVK_TOO_SHORT"},
-  {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_READ_KEY), "READ_KEY"},
-  {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_SHORT_HEADER), "SHORT_HEADER"},
-  {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_UNSUPPORTED_CIPHER), "UNSUPPORTED_CIPHER"},
-  {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_UNSUPPORTED_ENCRYPTION), "UNSUPPORTED_ENCRYPTION"},
-  {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_UNSUPPORTED_KEY_COMPONENTS), "UNSUPPORTED_KEY_COMPONENTS"},
-  {0, NULL},
-};
diff --git a/src/crypto/pem/pem_lib.c b/src/crypto/pem/pem_lib.c
index ff72c44..48e3297 100644
--- a/src/crypto/pem/pem_lib.c
+++ b/src/crypto/pem/pem_lib.c
@@ -363,10 +363,11 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp,
 			|| !EVP_EncryptUpdate(&ctx,data,&j,data,i)
 			|| !EVP_EncryptFinal_ex(&ctx,&(data[j]),&i))
 			ret = 0;
+		else
+			i += j;
 		EVP_CIPHER_CTX_cleanup(&ctx);
 		if (ret == 0)
 			goto err;
-		i+=j;
 		}
 	else
 		{
diff --git a/src/crypto/pem/pem_pk8.c b/src/crypto/pem/pem_pk8.c
index 18cfb92..383a524 100644
--- a/src/crypto/pem/pem_pk8.c
+++ b/src/crypto/pem/pem_pk8.c
@@ -59,6 +59,7 @@
 #include <openssl/buf.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
+#include <openssl/mem.h>
 #include <openssl/obj.h>
 #include <openssl/pkcs8.h>
 #include <openssl/rand.h>
diff --git a/src/crypto/perlasm/arm-xlate.pl b/src/crypto/perlasm/arm-xlate.pl
new file mode 100755
index 0000000..81ceb31
--- /dev/null
+++ b/src/crypto/perlasm/arm-xlate.pl
@@ -0,0 +1,165 @@
+#!/usr/bin/env perl
+
+# ARM assembler distiller by <appro>.
+
+my $flavour = shift;
+my $output = shift;
+open STDOUT,">$output" || die "can't open $output: $!";
+
+$flavour = "linux32" if (!$flavour or $flavour eq "void");
+
+my %GLOBALS;
+my $dotinlocallabels=($flavour=~/linux/)?1:0;
+
+################################################################
+# directives which need special treatment on different platforms
+################################################################
+my $arch = sub {
+    if ($flavour =~ /linux/)	{ ".arch\t".join(',',@_); }
+    else			{ ""; }
+};
+my $fpu = sub {
+    if ($flavour =~ /linux/)	{ ".fpu\t".join(',',@_); }
+    else			{ ""; }
+};
+my $hidden = sub {
+    if ($flavour =~ /ios/)	{ ".private_extern\t".join(',',@_); }
+    else			{ ".hidden\t".join(',',@_); }
+};
+my $comm = sub {
+    my @args = split(/,\s*/,shift);
+    my $name = @args[0];
+    my $global = \$GLOBALS{$name};
+    my $ret;
+
+    if ($flavour =~ /ios32/)	{
+	$ret = ".comm\t_$name,@args[1]\n";
+	$ret .= ".non_lazy_symbol_pointer\n";
+	$ret .= "$name:\n";
+	$ret .= ".indirect_symbol\t_$name\n";
+	$ret .= ".long\t0";
+	$name = "_$name";
+    } else			{ $ret = ".comm\t".join(',',@args); }
+
+    $$global = $name;
+    $ret;
+};
+my $globl = sub {
+    my $name = shift;
+    my $global = \$GLOBALS{$name};
+    my $ret;
+
+    SWITCH: for ($flavour) {
+	/ios/		&& do { $name = "_$name";
+				last;
+			      };
+    }
+
+    $ret = ".globl	$name" if (!$ret);
+    $$global = $name;
+    $ret;
+};
+my $global = $globl;
+my $extern = sub {
+    &$globl(@_);
+    return;	# return nothing
+};
+my $type = sub {
+    if ($flavour =~ /linux/)	{ ".type\t".join(',',@_); }
+    else			{ ""; }
+};
+my $size = sub {
+    if ($flavour =~ /linux/)	{ ".size\t".join(',',@_); }
+    else			{ ""; }
+};
+my $inst = sub {
+    if ($flavour =~ /linux/)    { ".inst\t".join(',',@_); }
+    else                        { ".long\t".join(',',@_); }
+};
+my $asciz = sub {
+    my $line = join(",",@_);
+    if ($line =~ /^"(.*)"$/)
+    {	".byte	" . join(",",unpack("C*",$1),0) . "\n.align	2";	}
+    else
+    {	"";	}
+};
+
+sub range {
+  my ($r,$sfx,$start,$end) = @_;
+
+    join(",",map("$r$_$sfx",($start..$end)));
+}
+
+sub expand_line {
+  my $line = shift;
+  my @ret = ();
+
+    pos($line)=0;
+
+    while ($line =~ m/\G[^@\/\{\"]*/g) {
+	if ($line =~ m/\G(@|\/\/|$)/gc) {
+	    last;
+	}
+	elsif ($line =~ m/\G\{/gc) {
+	    my $saved_pos = pos($line);
+	    $line =~ s/\G([rdqv])([0-9]+)([^\-]*)\-\1([0-9]+)\3/range($1,$3,$2,$4)/e;
+	    pos($line) = $saved_pos;
+	    $line =~ m/\G[^\}]*\}/g;
+	}
+	elsif ($line =~ m/\G\"/gc) {
+	    $line =~ m/\G[^\"]*\"/g;
+	}
+    }
+
+    $line =~ s/\b(\w+)/$GLOBALS{$1} or $1/ge;
+
+    return $line;
+}
+
+while($line=<>) {
+
+    if ($line =~ m/^\s*(#|@|\/\/)/)	{ print $line; next; }
+
+    $line =~ s|/\*.*\*/||;	# get rid of C-style comments...
+    $line =~ s|^\s+||;		# ... and skip white spaces in beginning...
+    $line =~ s|\s+$||;		# ... and at the end
+
+    {
+	$line =~ s|[\b\.]L(\w{2,})|L$1|g;	# common denominator for Locallabel
+	$line =~ s|\bL(\w{2,})|\.L$1|g	if ($dotinlocallabels);
+    }
+
+    {
+	$line =~ s|(^[\.\w]+)\:\s*||;
+	my $label = $1;
+	if ($label) {
+	    printf "%s:",($GLOBALS{$label} or $label);
+	}
+    }
+
+    if ($line !~ m/^[#@]/) {
+	$line =~ s|^\s*(\.?)(\S+)\s*||;
+	my $c = $1; $c = "\t" if ($c eq "");
+	my $mnemonic = $2;
+	my $opcode;
+	if ($mnemonic =~ m/([^\.]+)\.([^\.]+)/) {
+	    $opcode = eval("\$$1_$2");
+	} else {
+	    $opcode = eval("\$$mnemonic");
+	}
+
+	my $arg=expand_line($line);
+
+	if (ref($opcode) eq 'CODE') {
+		$line = &$opcode($arg);
+	} elsif ($mnemonic)         {
+		$line = $c.$mnemonic;
+		$line.= "\t$arg" if ($arg ne "");
+	}
+    }
+
+    print $line if ($line);
+    print "\n";
+}
+
+close STDOUT;
diff --git a/src/crypto/perlasm/ppc-xlate.pl b/src/crypto/perlasm/ppc-xlate.pl
deleted file mode 100755
index 3c1caac..0000000
--- a/src/crypto/perlasm/ppc-xlate.pl
+++ /dev/null
@@ -1,167 +0,0 @@
-#!/usr/bin/env perl
-
-# PowerPC assembler distiller by <appro>.
-
-my $flavour = shift;
-my $output = shift;
-open STDOUT,">$output" || die "can't open $output: $!";
-
-my %GLOBALS;
-my $dotinlocallabels=($flavour=~/linux/)?1:0;
-
-################################################################
-# directives which need special treatment on different platforms
-################################################################
-my $globl = sub {
-    my $junk = shift;
-    my $name = shift;
-    my $global = \$GLOBALS{$name};
-    my $ret;
-
-    $name =~ s|^[\.\_]||;
- 
-    SWITCH: for ($flavour) {
-	/aix/		&& do { $name = ".$name";
-				last;
-			      };
-	/osx/		&& do { $name = "_$name";
-				last;
-			      };
-	/linux.*(32|64le)/
-			&& do {	$ret .= ".globl	$name\n";
-				$ret .= ".type	$name,\@function";
-				last;
-			      };
-	/linux.*64/	&& do {	$ret .= ".globl	$name\n";
-				$ret .= ".type	$name,\@function\n";
-				$ret .= ".section	\".opd\",\"aw\"\n";
-				$ret .= ".align	3\n";
-				$ret .= "$name:\n";
-				$ret .= ".quad	.$name,.TOC.\@tocbase,0\n";
-				$ret .= ".previous\n";
-
-				$name = ".$name";
-				last;
-			      };
-    }
-
-    $ret = ".globl	$name" if (!$ret);
-    $$global = $name;
-    $ret;
-};
-my $text = sub {
-    my $ret = ($flavour =~ /aix/) ? ".csect" : ".text";
-    $ret = ".abiversion	2\n".$ret	if ($flavour =~ /linux.*64le/);
-    $ret;
-};
-my $machine = sub {
-    my $junk = shift;
-    my $arch = shift;
-    if ($flavour =~ /osx/)
-    {	$arch =~ s/\"//g;
-	$arch = ($flavour=~/64/) ? "ppc970-64" : "ppc970" if ($arch eq "any");
-    }
-    ".machine	$arch";
-};
-my $size = sub {
-    if ($flavour =~ /linux/)
-    {	shift;
-	my $name = shift; $name =~ s|^[\.\_]||;
-	my $ret  = ".size	$name,.-".($flavour=~/64$/?".":"").$name;
-	$ret .= "\n.size	.$name,.-.$name" if ($flavour=~/64$/);
-	$ret;
-    }
-    else
-    {	"";	}
-};
-my $asciz = sub {
-    shift;
-    my $line = join(",",@_);
-    if ($line =~ /^"(.*)"$/)
-    {	".byte	" . join(",",unpack("C*",$1),0) . "\n.align	2";	}
-    else
-    {	"";	}
-};
-
-################################################################
-# simplified mnemonics not handled by at least one assembler
-################################################################
-my $cmplw = sub {
-    my $f = shift;
-    my $cr = 0; $cr = shift if ($#_>1);
-    # Some out-of-date 32-bit GNU assembler just can't handle cmplw...
-    ($flavour =~ /linux.*32/) ?
-	"	.long	".sprintf "0x%x",31<<26|$cr<<23|$_[0]<<16|$_[1]<<11|64 :
-	"	cmplw	".join(',',$cr,@_);
-};
-my $bdnz = sub {
-    my $f = shift;
-    my $bo = $f=~/[\+\-]/ ? 16+9 : 16;	# optional "to be taken" hint
-    "	bc	$bo,0,".shift;
-} if ($flavour!~/linux/);
-my $bltlr = sub {
-    my $f = shift;
-    my $bo = $f=~/\-/ ? 12+2 : 12;	# optional "not to be taken" hint
-    ($flavour =~ /linux/) ?		# GNU as doesn't allow most recent hints
-	"	.long	".sprintf "0x%x",19<<26|$bo<<21|16<<1 :
-	"	bclr	$bo,0";
-};
-my $bnelr = sub {
-    my $f = shift;
-    my $bo = $f=~/\-/ ? 4+2 : 4;	# optional "not to be taken" hint
-    ($flavour =~ /linux/) ?		# GNU as doesn't allow most recent hints
-	"	.long	".sprintf "0x%x",19<<26|$bo<<21|2<<16|16<<1 :
-	"	bclr	$bo,2";
-};
-my $beqlr = sub {
-    my $f = shift;
-    my $bo = $f=~/-/ ? 12+2 : 12;	# optional "not to be taken" hint
-    ($flavour =~ /linux/) ?		# GNU as doesn't allow most recent hints
-	"	.long	".sprintf "0x%X",19<<26|$bo<<21|2<<16|16<<1 :
-	"	bclr	$bo,2";
-};
-# GNU assembler can't handle extrdi rA,rS,16,48, or when sum of last two
-# arguments is 64, with "operand out of range" error.
-my $extrdi = sub {
-    my ($f,$ra,$rs,$n,$b) = @_;
-    $b = ($b+$n)&63; $n = 64-$n;
-    "	rldicl	$ra,$rs,$b,$n";
-};
-
-while($line=<>) {
-
-    $line =~ s|[#!;].*$||;	# get rid of asm-style comments...
-    $line =~ s|/\*.*\*/||;	# ... and C-style comments...
-    $line =~ s|^\s+||;		# ... and skip white spaces in beginning...
-    $line =~ s|\s+$||;		# ... and at the end
-
-    {
-	$line =~ s|\b\.L(\w+)|L$1|g;	# common denominator for Locallabel
-	$line =~ s|\bL(\w+)|\.L$1|g	if ($dotinlocallabels);
-    }
-
-    {
-	$line =~ s|(^[\.\w]+)\:\s*||;
-	my $label = $1;
-	if ($label) {
-	    printf "%s:",($GLOBALS{$label} or $label);
-	    printf "\n.localentry\t$GLOBALS{$label},0"	if ($GLOBALS{$label} && $flavour =~ /linux.*64le/);
-	}
-    }
-
-    {
-	$line =~ s|^\s*(\.?)(\w+)([\.\+\-]?)\s*||;
-	my $c = $1; $c = "\t" if ($c eq "");
-	my $mnemonic = $2;
-	my $f = $3;
-	my $opcode = eval("\$$mnemonic");
-	$line =~ s|\bc?[rf]([0-9]+)\b|$1|g if ($c ne "." and $flavour !~ /osx/);
-	if (ref($opcode) eq 'CODE') { $line = &$opcode($f,split(',',$line)); }
-	elsif ($mnemonic)           { $line = $c.$mnemonic.$f."\t".$line; }
-    }
-
-    print $line if ($line);
-    print "\n";
-}
-
-close STDOUT;
diff --git a/src/crypto/perlasm/sparcv9_modes.pl b/src/crypto/perlasm/sparcv9_modes.pl
deleted file mode 100644
index 6b47bb1..0000000
--- a/src/crypto/perlasm/sparcv9_modes.pl
+++ /dev/null
@@ -1,1680 +0,0 @@
-#!/usr/bin/env perl
-
-# Specific modes implementations for SPARC Architecture 2011. There
-# is T4 dependency though, an ASI value that is not specified in the
-# Architecture Manual. But as SPARC universe is rather monocultural,
-# we imply that processor capable of executing crypto instructions
-# can handle the ASI in question as well. This means that we ought to
-# keep eyes open when new processors emerge...
-#
-# As for above mentioned ASI. It's so called "block initializing
-# store" which cancels "read" in "read-update-write" on cache lines.
-# This is "cooperative" optimization, as it reduces overall pressure
-# on memory interface. Benefits can't be observed/quantified with
-# usual benchmarks, on the contrary you can notice that single-thread
-# performance for parallelizable modes is ~1.5% worse for largest
-# block sizes [though few percent better for not so long ones]. All
-# this based on suggestions from David Miller.
-
-sub asm_init {		# to be called with @ARGV as argument
-    for (@_)		{ $::abibits=64 if (/\-m64/ || /\-xarch\=v9/); }
-    if ($::abibits==64)	{ $::bias=2047; $::frame=192; $::size_t_cc="%xcc"; }
-    else		{ $::bias=0;    $::frame=112; $::size_t_cc="%icc"; }
-}
-
-# unified interface
-my ($inp,$out,$len,$key,$ivec)=map("%i$_",(0..5));
-# local variables
-my ($ileft,$iright,$ooff,$omask,$ivoff,$blk_init)=map("%l$_",(0..7));
-
-sub alg_cbc_encrypt_implement {
-my ($alg,$bits) = @_;
-
-$::code.=<<___;
-.globl	${alg}${bits}_t4_cbc_encrypt
-.align	32
-${alg}${bits}_t4_cbc_encrypt:
-	save		%sp, -$::frame, %sp
-	sub		$inp, $out, $blk_init	! $inp!=$out
-___
-$::code.=<<___ if (!$::evp);
-	andcc		$ivec, 7, $ivoff
-	alignaddr	$ivec, %g0, $ivec
-
-	ldd		[$ivec + 0], %f0	! load ivec
-	bz,pt		%icc, 1f
-	ldd		[$ivec + 8], %f2
-	ldd		[$ivec + 16], %f4
-	faligndata	%f0, %f2, %f0
-	faligndata	%f2, %f4, %f2
-1:
-___
-$::code.=<<___ if ($::evp);
-	ld		[$ivec + 0], %f0
-	ld		[$ivec + 4], %f1
-	ld		[$ivec + 8], %f2
-	ld		[$ivec + 12], %f3
-___
-$::code.=<<___;
-	prefetch	[$inp], 20
-	prefetch	[$inp + 63], 20
-	call		_${alg}${bits}_load_enckey
-	and		$inp, 7, $ileft
-	andn		$inp, 7, $inp
-	sll		$ileft, 3, $ileft
-	mov		64, $iright
-	mov		0xff, $omask
-	sub		$iright, $ileft, $iright
-	and		$out, 7, $ooff
-	cmp		$len, 127
-	movrnz		$ooff, 0, $blk_init		! if (	$out&7 ||
-	movleu		$::size_t_cc, 0, $blk_init	!	$len<128 ||
-	brnz,pn		$blk_init, .L${bits}cbc_enc_blk	!	$inp==$out)
-	srl		$omask, $ooff, $omask
-
-	alignaddrl	$out, %g0, $out
-	srlx		$len, 4, $len
-	prefetch	[$out], 22
-
-.L${bits}_cbc_enc_loop:
-	ldx		[$inp + 0], %o0
-	brz,pt		$ileft, 4f
-	ldx		[$inp + 8], %o1
-
-	ldx		[$inp + 16], %o2
-	sllx		%o0, $ileft, %o0
-	srlx		%o1, $iright, %g1
-	sllx		%o1, $ileft, %o1
-	or		%g1, %o0, %o0
-	srlx		%o2, $iright, %o2
-	or		%o2, %o1, %o1
-4:
-	xor		%g4, %o0, %o0		! ^= rk[0]
-	xor		%g5, %o1, %o1
-	movxtod		%o0, %f12
-	movxtod		%o1, %f14
-
-	fxor		%f12, %f0, %f0		! ^= ivec
-	fxor		%f14, %f2, %f2
-	prefetch	[$out + 63], 22
-	prefetch	[$inp + 16+63], 20
-	call		_${alg}${bits}_encrypt_1x
-	add		$inp, 16, $inp
-
-	brnz,pn		$ooff, 2f
-	sub		$len, 1, $len
-		
-	std		%f0, [$out + 0]
-	std		%f2, [$out + 8]
-	brnz,pt		$len, .L${bits}_cbc_enc_loop
-	add		$out, 16, $out
-___
-$::code.=<<___ if ($::evp);
-	st		%f0, [$ivec + 0]
-	st		%f1, [$ivec + 4]
-	st		%f2, [$ivec + 8]
-	st		%f3, [$ivec + 12]
-___
-$::code.=<<___ if (!$::evp);
-	brnz,pn		$ivoff, 3f
-	nop
-
-	std		%f0, [$ivec + 0]	! write out ivec
-	std		%f2, [$ivec + 8]
-___
-$::code.=<<___;
-	ret
-	restore
-
-.align	16
-2:	ldxa		[$inp]0x82, %o0		! avoid read-after-write hazard
-						! and ~3x deterioration
-						! in inp==out case
-	faligndata	%f0, %f0, %f4		! handle unaligned output
-	faligndata	%f0, %f2, %f6
-	faligndata	%f2, %f2, %f8
-
-	stda		%f4, [$out + $omask]0xc0	! partial store
-	std		%f6, [$out + 8]
-	add		$out, 16, $out
-	orn		%g0, $omask, $omask
-	stda		%f8, [$out + $omask]0xc0	! partial store
-
-	brnz,pt		$len, .L${bits}_cbc_enc_loop+4
-	orn		%g0, $omask, $omask
-___
-$::code.=<<___ if ($::evp);
-	st		%f0, [$ivec + 0]
-	st		%f1, [$ivec + 4]
-	st		%f2, [$ivec + 8]
-	st		%f3, [$ivec + 12]
-___
-$::code.=<<___ if (!$::evp);
-	brnz,pn		$ivoff, 3f
-	nop
-
-	std		%f0, [$ivec + 0]	! write out ivec
-	std		%f2, [$ivec + 8]
-	ret
-	restore
-
-.align	16
-3:	alignaddrl	$ivec, $ivoff, %g0	! handle unaligned ivec
-	mov		0xff, $omask
-	srl		$omask, $ivoff, $omask
-	faligndata	%f0, %f0, %f4
-	faligndata	%f0, %f2, %f6
-	faligndata	%f2, %f2, %f8
-	stda		%f4, [$ivec + $omask]0xc0
-	std		%f6, [$ivec + 8]
-	add		$ivec, 16, $ivec
-	orn		%g0, $omask, $omask
-	stda		%f8, [$ivec + $omask]0xc0
-___
-$::code.=<<___;
-	ret
-	restore
-
-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-.align	32
-.L${bits}cbc_enc_blk:
-	add	$out, $len, $blk_init
-	and	$blk_init, 63, $blk_init	! tail
-	sub	$len, $blk_init, $len
-	add	$blk_init, 15, $blk_init	! round up to 16n
-	srlx	$len, 4, $len
-	srl	$blk_init, 4, $blk_init
-
-.L${bits}_cbc_enc_blk_loop:
-	ldx		[$inp + 0], %o0
-	brz,pt		$ileft, 5f
-	ldx		[$inp + 8], %o1
-
-	ldx		[$inp + 16], %o2
-	sllx		%o0, $ileft, %o0
-	srlx		%o1, $iright, %g1
-	sllx		%o1, $ileft, %o1
-	or		%g1, %o0, %o0
-	srlx		%o2, $iright, %o2
-	or		%o2, %o1, %o1
-5:
-	xor		%g4, %o0, %o0		! ^= rk[0]
-	xor		%g5, %o1, %o1
-	movxtod		%o0, %f12
-	movxtod		%o1, %f14
-
-	fxor		%f12, %f0, %f0		! ^= ivec
-	fxor		%f14, %f2, %f2
-	prefetch	[$inp + 16+63], 20
-	call		_${alg}${bits}_encrypt_1x
-	add		$inp, 16, $inp
-	sub		$len, 1, $len
-		
-	stda		%f0, [$out]0xe2		! ASI_BLK_INIT, T4-specific
-	add		$out, 8, $out
-	stda		%f2, [$out]0xe2		! ASI_BLK_INIT, T4-specific
-	brnz,pt		$len, .L${bits}_cbc_enc_blk_loop
-	add		$out, 8, $out
-
-	membar		#StoreLoad|#StoreStore
-	brnz,pt		$blk_init, .L${bits}_cbc_enc_loop
-	mov		$blk_init, $len
-___
-$::code.=<<___ if ($::evp);
-	st		%f0, [$ivec + 0]
-	st		%f1, [$ivec + 4]
-	st		%f2, [$ivec + 8]
-	st		%f3, [$ivec + 12]
-___
-$::code.=<<___ if (!$::evp);
-	brnz,pn		$ivoff, 3b
-	nop
-
-	std		%f0, [$ivec + 0]	! write out ivec
-	std		%f2, [$ivec + 8]
-___
-$::code.=<<___;
-	ret
-	restore
-.type	${alg}${bits}_t4_cbc_encrypt,#function
-.size	${alg}${bits}_t4_cbc_encrypt,.-${alg}${bits}_t4_cbc_encrypt
-___
-}
-
-sub alg_cbc_decrypt_implement {
-my ($alg,$bits) = @_;
-
-$::code.=<<___;
-.globl	${alg}${bits}_t4_cbc_decrypt
-.align	32
-${alg}${bits}_t4_cbc_decrypt:
-	save		%sp, -$::frame, %sp
-	sub		$inp, $out, $blk_init	! $inp!=$out
-___
-$::code.=<<___ if (!$::evp);
-	andcc		$ivec, 7, $ivoff
-	alignaddr	$ivec, %g0, $ivec
-
-	ldd		[$ivec + 0], %f12	! load ivec
-	bz,pt		%icc, 1f
-	ldd		[$ivec + 8], %f14
-	ldd		[$ivec + 16], %f0
-	faligndata	%f12, %f14, %f12
-	faligndata	%f14, %f0, %f14
-1:
-___
-$::code.=<<___ if ($::evp);
-	ld		[$ivec + 0], %f12	! load ivec
-	ld		[$ivec + 4], %f13
-	ld		[$ivec + 8], %f14
-	ld		[$ivec + 12], %f15
-___
-$::code.=<<___;
-	prefetch	[$inp], 20
-	prefetch	[$inp + 63], 20
-	call		_${alg}${bits}_load_deckey
-	and		$inp, 7, $ileft
-	andn		$inp, 7, $inp
-	sll		$ileft, 3, $ileft
-	mov		64, $iright
-	mov		0xff, $omask
-	sub		$iright, $ileft, $iright
-	and		$out, 7, $ooff
-	cmp		$len, 255
-	movrnz		$ooff, 0, $blk_init		! if (	$out&7 ||
-	movleu		$::size_t_cc, 0, $blk_init	!	$len<256 ||
-	brnz,pn		$blk_init, .L${bits}cbc_dec_blk	!	$inp==$out)
-	srl		$omask, $ooff, $omask
-
-	andcc		$len, 16, %g0		! is number of blocks even?
-	srlx		$len, 4, $len
-	alignaddrl	$out, %g0, $out
-	bz		%icc, .L${bits}_cbc_dec_loop2x
-	prefetch	[$out], 22
-.L${bits}_cbc_dec_loop:
-	ldx		[$inp + 0], %o0
-	brz,pt		$ileft, 4f
-	ldx		[$inp + 8], %o1
-
-	ldx		[$inp + 16], %o2
-	sllx		%o0, $ileft, %o0
-	srlx		%o1, $iright, %g1
-	sllx		%o1, $ileft, %o1
-	or		%g1, %o0, %o0
-	srlx		%o2, $iright, %o2
-	or		%o2, %o1, %o1
-4:
-	xor		%g4, %o0, %o2		! ^= rk[0]
-	xor		%g5, %o1, %o3
-	movxtod		%o2, %f0
-	movxtod		%o3, %f2
-
-	prefetch	[$out + 63], 22
-	prefetch	[$inp + 16+63], 20
-	call		_${alg}${bits}_decrypt_1x
-	add		$inp, 16, $inp
-
-	fxor		%f12, %f0, %f0		! ^= ivec
-	fxor		%f14, %f2, %f2
-	movxtod		%o0, %f12
-	movxtod		%o1, %f14
-
-	brnz,pn		$ooff, 2f
-	sub		$len, 1, $len
-		
-	std		%f0, [$out + 0]
-	std		%f2, [$out + 8]
-	brnz,pt		$len, .L${bits}_cbc_dec_loop2x
-	add		$out, 16, $out
-___
-$::code.=<<___ if ($::evp);
-	st		%f12, [$ivec + 0]
-	st		%f13, [$ivec + 4]
-	st		%f14, [$ivec + 8]
-	st		%f15, [$ivec + 12]
-___
-$::code.=<<___ if (!$::evp);
-	brnz,pn		$ivoff, .L${bits}_cbc_dec_unaligned_ivec
-	nop
-
-	std		%f12, [$ivec + 0]	! write out ivec
-	std		%f14, [$ivec + 8]
-___
-$::code.=<<___;
-	ret
-	restore
-
-.align	16
-2:	ldxa		[$inp]0x82, %o0		! avoid read-after-write hazard
-						! and ~3x deterioration
-						! in inp==out case
-	faligndata	%f0, %f0, %f4		! handle unaligned output
-	faligndata	%f0, %f2, %f6
-	faligndata	%f2, %f2, %f8
-
-	stda		%f4, [$out + $omask]0xc0	! partial store
-	std		%f6, [$out + 8]
-	add		$out, 16, $out
-	orn		%g0, $omask, $omask
-	stda		%f8, [$out + $omask]0xc0	! partial store
-
-	brnz,pt		$len, .L${bits}_cbc_dec_loop2x+4
-	orn		%g0, $omask, $omask
-___
-$::code.=<<___ if ($::evp);
-	st		%f12, [$ivec + 0]
-	st		%f13, [$ivec + 4]
-	st		%f14, [$ivec + 8]
-	st		%f15, [$ivec + 12]
-___
-$::code.=<<___ if (!$::evp);
-	brnz,pn		$ivoff, .L${bits}_cbc_dec_unaligned_ivec
-	nop
-
-	std		%f12, [$ivec + 0]	! write out ivec
-	std		%f14, [$ivec + 8]
-___
-$::code.=<<___;
-	ret
-	restore
-
-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-.align	32
-.L${bits}_cbc_dec_loop2x:
-	ldx		[$inp + 0], %o0
-	ldx		[$inp + 8], %o1
-	ldx		[$inp + 16], %o2
-	brz,pt		$ileft, 4f
-	ldx		[$inp + 24], %o3
-
-	ldx		[$inp + 32], %o4
-	sllx		%o0, $ileft, %o0
-	srlx		%o1, $iright, %g1
-	or		%g1, %o0, %o0
-	sllx		%o1, $ileft, %o1
-	srlx		%o2, $iright, %g1
-	or		%g1, %o1, %o1
-	sllx		%o2, $ileft, %o2
-	srlx		%o3, $iright, %g1
-	or		%g1, %o2, %o2
-	sllx		%o3, $ileft, %o3
-	srlx		%o4, $iright, %o4
-	or		%o4, %o3, %o3
-4:
-	xor		%g4, %o0, %o4		! ^= rk[0]
-	xor		%g5, %o1, %o5
-	movxtod		%o4, %f0
-	movxtod		%o5, %f2
-	xor		%g4, %o2, %o4
-	xor		%g5, %o3, %o5
-	movxtod		%o4, %f4
-	movxtod		%o5, %f6
-
-	prefetch	[$out + 63], 22
-	prefetch	[$inp + 32+63], 20
-	call		_${alg}${bits}_decrypt_2x
-	add		$inp, 32, $inp
-
-	movxtod		%o0, %f8
-	movxtod		%o1, %f10
-	fxor		%f12, %f0, %f0		! ^= ivec
-	fxor		%f14, %f2, %f2
-	movxtod		%o2, %f12
-	movxtod		%o3, %f14
-	fxor		%f8, %f4, %f4
-	fxor		%f10, %f6, %f6
-
-	brnz,pn		$ooff, 2f
-	sub		$len, 2, $len
-		
-	std		%f0, [$out + 0]
-	std		%f2, [$out + 8]
-	std		%f4, [$out + 16]
-	std		%f6, [$out + 24]
-	brnz,pt		$len, .L${bits}_cbc_dec_loop2x
-	add		$out, 32, $out
-___
-$::code.=<<___ if ($::evp);
-	st		%f12, [$ivec + 0]
-	st		%f13, [$ivec + 4]
-	st		%f14, [$ivec + 8]
-	st		%f15, [$ivec + 12]
-___
-$::code.=<<___ if (!$::evp);
-	brnz,pn		$ivoff, .L${bits}_cbc_dec_unaligned_ivec
-	nop
-
-	std		%f12, [$ivec + 0]	! write out ivec
-	std		%f14, [$ivec + 8]
-___
-$::code.=<<___;
-	ret
-	restore
-
-.align	16
-2:	ldxa		[$inp]0x82, %o0		! avoid read-after-write hazard
-						! and ~3x deterioration
-						! in inp==out case
-	faligndata	%f0, %f0, %f8		! handle unaligned output
-	faligndata	%f0, %f2, %f0
-	faligndata	%f2, %f4, %f2
-	faligndata	%f4, %f6, %f4
-	faligndata	%f6, %f6, %f6
-	stda		%f8, [$out + $omask]0xc0	! partial store
-	std		%f0, [$out + 8]
-	std		%f2, [$out + 16]
-	std		%f4, [$out + 24]
-	add		$out, 32, $out
-	orn		%g0, $omask, $omask
-	stda		%f6, [$out + $omask]0xc0	! partial store
-
-	brnz,pt		$len, .L${bits}_cbc_dec_loop2x+4
-	orn		%g0, $omask, $omask
-___
-$::code.=<<___ if ($::evp);
-	st		%f12, [$ivec + 0]
-	st		%f13, [$ivec + 4]
-	st		%f14, [$ivec + 8]
-	st		%f15, [$ivec + 12]
-___
-$::code.=<<___ if (!$::evp);
-	brnz,pn		$ivoff, .L${bits}_cbc_dec_unaligned_ivec
-	nop
-
-	std		%f12, [$ivec + 0]	! write out ivec
-	std		%f14, [$ivec + 8]
-	ret
-	restore
-
-.align	16
-.L${bits}_cbc_dec_unaligned_ivec:
-	alignaddrl	$ivec, $ivoff, %g0	! handle unaligned ivec
-	mov		0xff, $omask
-	srl		$omask, $ivoff, $omask
-	faligndata	%f12, %f12, %f0
-	faligndata	%f12, %f14, %f2
-	faligndata	%f14, %f14, %f4
-	stda		%f0, [$ivec + $omask]0xc0
-	std		%f2, [$ivec + 8]
-	add		$ivec, 16, $ivec
-	orn		%g0, $omask, $omask
-	stda		%f4, [$ivec + $omask]0xc0
-___
-$::code.=<<___;
-	ret
-	restore
-
-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-.align	32
-.L${bits}cbc_dec_blk:
-	add	$out, $len, $blk_init
-	and	$blk_init, 63, $blk_init	! tail
-	sub	$len, $blk_init, $len
-	add	$blk_init, 15, $blk_init	! round up to 16n
-	srlx	$len, 4, $len
-	srl	$blk_init, 4, $blk_init
-	sub	$len, 1, $len
-	add	$blk_init, 1, $blk_init
-
-.L${bits}_cbc_dec_blk_loop2x:
-	ldx		[$inp + 0], %o0
-	ldx		[$inp + 8], %o1
-	ldx		[$inp + 16], %o2
-	brz,pt		$ileft, 5f
-	ldx		[$inp + 24], %o3
-
-	ldx		[$inp + 32], %o4
-	sllx		%o0, $ileft, %o0
-	srlx		%o1, $iright, %g1
-	or		%g1, %o0, %o0
-	sllx		%o1, $ileft, %o1
-	srlx		%o2, $iright, %g1
-	or		%g1, %o1, %o1
-	sllx		%o2, $ileft, %o2
-	srlx		%o3, $iright, %g1
-	or		%g1, %o2, %o2
-	sllx		%o3, $ileft, %o3
-	srlx		%o4, $iright, %o4
-	or		%o4, %o3, %o3
-5:
-	xor		%g4, %o0, %o4		! ^= rk[0]
-	xor		%g5, %o1, %o5
-	movxtod		%o4, %f0
-	movxtod		%o5, %f2
-	xor		%g4, %o2, %o4
-	xor		%g5, %o3, %o5
-	movxtod		%o4, %f4
-	movxtod		%o5, %f6
-
-	prefetch	[$inp + 32+63], 20
-	call		_${alg}${bits}_decrypt_2x
-	add		$inp, 32, $inp
-	subcc		$len, 2, $len
-
-	movxtod		%o0, %f8
-	movxtod		%o1, %f10
-	fxor		%f12, %f0, %f0		! ^= ivec
-	fxor		%f14, %f2, %f2
-	movxtod		%o2, %f12
-	movxtod		%o3, %f14
-	fxor		%f8, %f4, %f4
-	fxor		%f10, %f6, %f6
-
-	stda		%f0, [$out]0xe2		! ASI_BLK_INIT, T4-specific
-	add		$out, 8, $out
-	stda		%f2, [$out]0xe2		! ASI_BLK_INIT, T4-specific
-	add		$out, 8, $out
-	stda		%f4, [$out]0xe2		! ASI_BLK_INIT, T4-specific
-	add		$out, 8, $out
-	stda		%f6, [$out]0xe2		! ASI_BLK_INIT, T4-specific
-	bgu,pt		$::size_t_cc, .L${bits}_cbc_dec_blk_loop2x
-	add		$out, 8, $out
-
-	add		$blk_init, $len, $len
-	andcc		$len, 1, %g0		! is number of blocks even?
-	membar		#StoreLoad|#StoreStore
-	bnz,pt		%icc, .L${bits}_cbc_dec_loop
-	srl		$len, 0, $len
-	brnz,pn		$len, .L${bits}_cbc_dec_loop2x
-	nop
-___
-$::code.=<<___ if ($::evp);
-	st		%f12, [$ivec + 0]	! write out ivec
-	st		%f13, [$ivec + 4]
-	st		%f14, [$ivec + 8]
-	st		%f15, [$ivec + 12]
-___
-$::code.=<<___ if (!$::evp);
-	brnz,pn		$ivoff, 3b
-	nop
-
-	std		%f12, [$ivec + 0]	! write out ivec
-	std		%f14, [$ivec + 8]
-___
-$::code.=<<___;
-	ret
-	restore
-.type	${alg}${bits}_t4_cbc_decrypt,#function
-.size	${alg}${bits}_t4_cbc_decrypt,.-${alg}${bits}_t4_cbc_decrypt
-___
-}
-
-sub alg_ctr32_implement {
-my ($alg,$bits) = @_;
-
-$::code.=<<___;
-.globl	${alg}${bits}_t4_ctr32_encrypt
-.align	32
-${alg}${bits}_t4_ctr32_encrypt:
-	save		%sp, -$::frame, %sp
-
-	prefetch	[$inp], 20
-	prefetch	[$inp + 63], 20
-	call		_${alg}${bits}_load_enckey
-	sllx		$len, 4, $len
-
-	ld		[$ivec + 0], %l4	! counter
-	ld		[$ivec + 4], %l5
-	ld		[$ivec + 8], %l6
-	ld		[$ivec + 12], %l7
-
-	sllx		%l4, 32, %o5
-	or		%l5, %o5, %o5
-	sllx		%l6, 32, %g1
-	xor		%o5, %g4, %g4		! ^= rk[0]
-	xor		%g1, %g5, %g5
-	movxtod		%g4, %f14		! most significant 64 bits
-
-	sub		$inp, $out, $blk_init	! $inp!=$out
-	and		$inp, 7, $ileft
-	andn		$inp, 7, $inp
-	sll		$ileft, 3, $ileft
-	mov		64, $iright
-	mov		0xff, $omask
-	sub		$iright, $ileft, $iright
-	and		$out, 7, $ooff
-	cmp		$len, 255
-	movrnz		$ooff, 0, $blk_init		! if (	$out&7 ||
-	movleu		$::size_t_cc, 0, $blk_init	!	$len<256 ||
-	brnz,pn		$blk_init, .L${bits}_ctr32_blk	!	$inp==$out)
-	srl		$omask, $ooff, $omask
-
-	andcc		$len, 16, %g0		! is number of blocks even?
-	alignaddrl	$out, %g0, $out
-	bz		%icc, .L${bits}_ctr32_loop2x
-	srlx		$len, 4, $len
-.L${bits}_ctr32_loop:
-	ldx		[$inp + 0], %o0
-	brz,pt		$ileft, 4f
-	ldx		[$inp + 8], %o1
-
-	ldx		[$inp + 16], %o2
-	sllx		%o0, $ileft, %o0
-	srlx		%o1, $iright, %g1
-	sllx		%o1, $ileft, %o1
-	or		%g1, %o0, %o0
-	srlx		%o2, $iright, %o2
-	or		%o2, %o1, %o1
-4:
-	xor		%g5, %l7, %g1		! ^= rk[0]
-	add		%l7, 1, %l7
-	movxtod		%g1, %f2
-	srl		%l7, 0, %l7		! clruw
-	prefetch	[$out + 63], 22
-	prefetch	[$inp + 16+63], 20
-___
-$::code.=<<___ if ($alg eq "aes");
-	aes_eround01	%f16, %f14, %f2, %f4
-	aes_eround23	%f18, %f14, %f2, %f2
-___
-$::code.=<<___ if ($alg eq "cmll");
-	camellia_f	%f16, %f2, %f14, %f2
-	camellia_f	%f18, %f14, %f2, %f0
-___
-$::code.=<<___;
-	call		_${alg}${bits}_encrypt_1x+8
-	add		$inp, 16, $inp
-
-	movxtod		%o0, %f10
-	movxtod		%o1, %f12
-	fxor		%f10, %f0, %f0		! ^= inp
-	fxor		%f12, %f2, %f2
-
-	brnz,pn		$ooff, 2f
-	sub		$len, 1, $len
-		
-	std		%f0, [$out + 0]
-	std		%f2, [$out + 8]
-	brnz,pt		$len, .L${bits}_ctr32_loop2x
-	add		$out, 16, $out
-
-	ret
-	restore
-
-.align	16
-2:	ldxa		[$inp]0x82, %o0		! avoid read-after-write hazard
-						! and ~3x deterioration
-						! in inp==out case
-	faligndata	%f0, %f0, %f4		! handle unaligned output
-	faligndata	%f0, %f2, %f6
-	faligndata	%f2, %f2, %f8
-	stda		%f4, [$out + $omask]0xc0	! partial store
-	std		%f6, [$out + 8]
-	add		$out, 16, $out
-	orn		%g0, $omask, $omask
-	stda		%f8, [$out + $omask]0xc0	! partial store
-
-	brnz,pt		$len, .L${bits}_ctr32_loop2x+4
-	orn		%g0, $omask, $omask
-
-	ret
-	restore
-
-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-.align	32
-.L${bits}_ctr32_loop2x:
-	ldx		[$inp + 0], %o0
-	ldx		[$inp + 8], %o1
-	ldx		[$inp + 16], %o2
-	brz,pt		$ileft, 4f
-	ldx		[$inp + 24], %o3
-
-	ldx		[$inp + 32], %o4
-	sllx		%o0, $ileft, %o0
-	srlx		%o1, $iright, %g1
-	or		%g1, %o0, %o0
-	sllx		%o1, $ileft, %o1
-	srlx		%o2, $iright, %g1
-	or		%g1, %o1, %o1
-	sllx		%o2, $ileft, %o2
-	srlx		%o3, $iright, %g1
-	or		%g1, %o2, %o2
-	sllx		%o3, $ileft, %o3
-	srlx		%o4, $iright, %o4
-	or		%o4, %o3, %o3
-4:
-	xor		%g5, %l7, %g1		! ^= rk[0]
-	add		%l7, 1, %l7
-	movxtod		%g1, %f2
-	srl		%l7, 0, %l7		! clruw
-	xor		%g5, %l7, %g1
-	add		%l7, 1, %l7
-	movxtod		%g1, %f6
-	srl		%l7, 0, %l7		! clruw
-	prefetch	[$out + 63], 22
-	prefetch	[$inp + 32+63], 20
-___
-$::code.=<<___ if ($alg eq "aes");
-	aes_eround01	%f16, %f14, %f2, %f8
-	aes_eround23	%f18, %f14, %f2, %f2
-	aes_eround01	%f16, %f14, %f6, %f10
-	aes_eround23	%f18, %f14, %f6, %f6
-___
-$::code.=<<___ if ($alg eq "cmll");
-	camellia_f	%f16, %f2, %f14, %f2
-	camellia_f	%f16, %f6, %f14, %f6
-	camellia_f	%f18, %f14, %f2, %f0
-	camellia_f	%f18, %f14, %f6, %f4
-___
-$::code.=<<___;
-	call		_${alg}${bits}_encrypt_2x+16
-	add		$inp, 32, $inp
-
-	movxtod		%o0, %f8
-	movxtod		%o1, %f10
-	movxtod		%o2, %f12
-	fxor		%f8, %f0, %f0		! ^= inp
-	movxtod		%o3, %f8
-	fxor		%f10, %f2, %f2
-	fxor		%f12, %f4, %f4
-	fxor		%f8, %f6, %f6
-
-	brnz,pn		$ooff, 2f
-	sub		$len, 2, $len
-		
-	std		%f0, [$out + 0]
-	std		%f2, [$out + 8]
-	std		%f4, [$out + 16]
-	std		%f6, [$out + 24]
-	brnz,pt		$len, .L${bits}_ctr32_loop2x
-	add		$out, 32, $out
-
-	ret
-	restore
-
-.align	16
-2:	ldxa		[$inp]0x82, %o0		! avoid read-after-write hazard
-						! and ~3x deterioration
-						! in inp==out case
-	faligndata	%f0, %f0, %f8		! handle unaligned output
-	faligndata	%f0, %f2, %f0
-	faligndata	%f2, %f4, %f2
-	faligndata	%f4, %f6, %f4
-	faligndata	%f6, %f6, %f6
-
-	stda		%f8, [$out + $omask]0xc0	! partial store
-	std		%f0, [$out + 8]
-	std		%f2, [$out + 16]
-	std		%f4, [$out + 24]
-	add		$out, 32, $out
-	orn		%g0, $omask, $omask
-	stda		%f6, [$out + $omask]0xc0	! partial store
-
-	brnz,pt		$len, .L${bits}_ctr32_loop2x+4
-	orn		%g0, $omask, $omask
-
-	ret
-	restore
-
-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-.align	32
-.L${bits}_ctr32_blk:
-	add	$out, $len, $blk_init
-	and	$blk_init, 63, $blk_init	! tail
-	sub	$len, $blk_init, $len
-	add	$blk_init, 15, $blk_init	! round up to 16n
-	srlx	$len, 4, $len
-	srl	$blk_init, 4, $blk_init
-	sub	$len, 1, $len
-	add	$blk_init, 1, $blk_init
-
-.L${bits}_ctr32_blk_loop2x:
-	ldx		[$inp + 0], %o0
-	ldx		[$inp + 8], %o1
-	ldx		[$inp + 16], %o2
-	brz,pt		$ileft, 5f
-	ldx		[$inp + 24], %o3
-
-	ldx		[$inp + 32], %o4
-	sllx		%o0, $ileft, %o0
-	srlx		%o1, $iright, %g1
-	or		%g1, %o0, %o0
-	sllx		%o1, $ileft, %o1
-	srlx		%o2, $iright, %g1
-	or		%g1, %o1, %o1
-	sllx		%o2, $ileft, %o2
-	srlx		%o3, $iright, %g1
-	or		%g1, %o2, %o2
-	sllx		%o3, $ileft, %o3
-	srlx		%o4, $iright, %o4
-	or		%o4, %o3, %o3
-5:
-	xor		%g5, %l7, %g1		! ^= rk[0]
-	add		%l7, 1, %l7
-	movxtod		%g1, %f2
-	srl		%l7, 0, %l7		! clruw
-	xor		%g5, %l7, %g1
-	add		%l7, 1, %l7
-	movxtod		%g1, %f6
-	srl		%l7, 0, %l7		! clruw
-	prefetch	[$inp + 32+63], 20
-___
-$::code.=<<___ if ($alg eq "aes");
-	aes_eround01	%f16, %f14, %f2, %f8
-	aes_eround23	%f18, %f14, %f2, %f2
-	aes_eround01	%f16, %f14, %f6, %f10
-	aes_eround23	%f18, %f14, %f6, %f6
-___
-$::code.=<<___ if ($alg eq "cmll");
-	camellia_f	%f16, %f2, %f14, %f2
-	camellia_f	%f16, %f6, %f14, %f6
-	camellia_f	%f18, %f14, %f2, %f0
-	camellia_f	%f18, %f14, %f6, %f4
-___
-$::code.=<<___;
-	call		_${alg}${bits}_encrypt_2x+16
-	add		$inp, 32, $inp
-	subcc		$len, 2, $len
-
-	movxtod		%o0, %f8
-	movxtod		%o1, %f10
-	movxtod		%o2, %f12
-	fxor		%f8, %f0, %f0		! ^= inp
-	movxtod		%o3, %f8
-	fxor		%f10, %f2, %f2
-	fxor		%f12, %f4, %f4
-	fxor		%f8, %f6, %f6
-
-	stda		%f0, [$out]0xe2		! ASI_BLK_INIT, T4-specific
-	add		$out, 8, $out
-	stda		%f2, [$out]0xe2		! ASI_BLK_INIT, T4-specific
-	add		$out, 8, $out
-	stda		%f4, [$out]0xe2		! ASI_BLK_INIT, T4-specific
-	add		$out, 8, $out
-	stda		%f6, [$out]0xe2		! ASI_BLK_INIT, T4-specific
-	bgu,pt		$::size_t_cc, .L${bits}_ctr32_blk_loop2x
-	add		$out, 8, $out
-
-	add		$blk_init, $len, $len
-	andcc		$len, 1, %g0		! is number of blocks even?
-	membar		#StoreLoad|#StoreStore
-	bnz,pt		%icc, .L${bits}_ctr32_loop
-	srl		$len, 0, $len
-	brnz,pn		$len, .L${bits}_ctr32_loop2x
-	nop
-
-	ret
-	restore
-.type	${alg}${bits}_t4_ctr32_encrypt,#function
-.size	${alg}${bits}_t4_ctr32_encrypt,.-${alg}${bits}_t4_ctr32_encrypt
-___
-}
-
-sub alg_xts_implement {
-my ($alg,$bits,$dir) = @_;
-my ($inp,$out,$len,$key1,$key2,$ivec)=map("%i$_",(0..5));
-my $rem=$ivec;
-
-$::code.=<<___;
-.globl	${alg}${bits}_t4_xts_${dir}crypt
-.align	32
-${alg}${bits}_t4_xts_${dir}crypt:
-	save		%sp, -$::frame-16, %sp
-
-	mov		$ivec, %o0
-	add		%fp, $::bias-16, %o1
-	call		${alg}_t4_encrypt
-	mov		$key2, %o2
-
-	add		%fp, $::bias-16, %l7
-	ldxa		[%l7]0x88, %g2
-	add		%fp, $::bias-8, %l7
-	ldxa		[%l7]0x88, %g3		! %g3:%g2 is tweak
-
-	sethi		%hi(0x76543210), %l7
-	or		%l7, %lo(0x76543210), %l7
-	bmask		%l7, %g0, %g0		! byte swap mask
-
-	prefetch	[$inp], 20
-	prefetch	[$inp + 63], 20
-	call		_${alg}${bits}_load_${dir}ckey
-	and		$len, 15,  $rem
-	and		$len, -16, $len
-___
-$code.=<<___ if ($dir eq "de");
-	mov		0, %l7
-	movrnz		$rem, 16,  %l7
-	sub		$len, %l7, $len
-___
-$code.=<<___;
-
-	sub		$inp, $out, $blk_init	! $inp!=$out
-	and		$inp, 7, $ileft
-	andn		$inp, 7, $inp
-	sll		$ileft, 3, $ileft
-	mov		64, $iright
-	mov		0xff, $omask
-	sub		$iright, $ileft, $iright
-	and		$out, 7, $ooff
-	cmp		$len, 255
-	movrnz		$ooff, 0, $blk_init		! if (	$out&7 ||
-	movleu		$::size_t_cc, 0, $blk_init	!	$len<256 ||
-	brnz,pn		$blk_init, .L${bits}_xts_${dir}blk !	$inp==$out)
-	srl		$omask, $ooff, $omask
-
-	andcc		$len, 16, %g0		! is number of blocks even?
-___
-$code.=<<___ if ($dir eq "de");
-	brz,pn		$len, .L${bits}_xts_${dir}steal
-___
-$code.=<<___;
-	alignaddrl	$out, %g0, $out
-	bz		%icc, .L${bits}_xts_${dir}loop2x
-	srlx		$len, 4, $len
-.L${bits}_xts_${dir}loop:
-	ldx		[$inp + 0], %o0
-	brz,pt		$ileft, 4f
-	ldx		[$inp + 8], %o1
-
-	ldx		[$inp + 16], %o2
-	sllx		%o0, $ileft, %o0
-	srlx		%o1, $iright, %g1
-	sllx		%o1, $ileft, %o1
-	or		%g1, %o0, %o0
-	srlx		%o2, $iright, %o2
-	or		%o2, %o1, %o1
-4:
-	movxtod		%g2, %f12
-	movxtod		%g3, %f14
-	bshuffle	%f12, %f12, %f12
-	bshuffle	%f14, %f14, %f14
-
-	xor		%g4, %o0, %o0		! ^= rk[0]
-	xor		%g5, %o1, %o1
-	movxtod		%o0, %f0
-	movxtod		%o1, %f2
-
-	fxor		%f12, %f0, %f0		! ^= tweak[0]
-	fxor		%f14, %f2, %f2
-
-	prefetch	[$out + 63], 22
-	prefetch	[$inp + 16+63], 20
-	call		_${alg}${bits}_${dir}crypt_1x
-	add		$inp, 16, $inp
-
-	fxor		%f12, %f0, %f0		! ^= tweak[0]
-	fxor		%f14, %f2, %f2
-
-	srax		%g3, 63, %l7		! next tweak value
-	addcc		%g2, %g2, %g2
-	and		%l7, 0x87, %l7
-	addxc		%g3, %g3, %g3
-	xor		%l7, %g2, %g2
-
-	brnz,pn		$ooff, 2f
-	sub		$len, 1, $len
-		
-	std		%f0, [$out + 0]
-	std		%f2, [$out + 8]
-	brnz,pt		$len, .L${bits}_xts_${dir}loop2x
-	add		$out, 16, $out
-
-	brnz,pn		$rem, .L${bits}_xts_${dir}steal
-	nop
-
-	ret
-	restore
-
-.align	16
-2:	ldxa		[$inp]0x82, %o0		! avoid read-after-write hazard
-						! and ~3x deterioration
-						! in inp==out case
-	faligndata	%f0, %f0, %f4		! handle unaligned output
-	faligndata	%f0, %f2, %f6
-	faligndata	%f2, %f2, %f8
-	stda		%f4, [$out + $omask]0xc0	! partial store
-	std		%f6, [$out + 8]
-	add		$out, 16, $out
-	orn		%g0, $omask, $omask
-	stda		%f8, [$out + $omask]0xc0	! partial store
-
-	brnz,pt		$len, .L${bits}_xts_${dir}loop2x+4
-	orn		%g0, $omask, $omask
-
-	brnz,pn		$rem, .L${bits}_xts_${dir}steal
-	nop
-
-	ret
-	restore
-
-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-.align	32
-.L${bits}_xts_${dir}loop2x:
-	ldx		[$inp + 0], %o0
-	ldx		[$inp + 8], %o1
-	ldx		[$inp + 16], %o2
-	brz,pt		$ileft, 4f
-	ldx		[$inp + 24], %o3
-
-	ldx		[$inp + 32], %o4
-	sllx		%o0, $ileft, %o0
-	srlx		%o1, $iright, %g1
-	or		%g1, %o0, %o0
-	sllx		%o1, $ileft, %o1
-	srlx		%o2, $iright, %g1
-	or		%g1, %o1, %o1
-	sllx		%o2, $ileft, %o2
-	srlx		%o3, $iright, %g1
-	or		%g1, %o2, %o2
-	sllx		%o3, $ileft, %o3
-	srlx		%o4, $iright, %o4
-	or		%o4, %o3, %o3
-4:
-	movxtod		%g2, %f12
-	movxtod		%g3, %f14
-	bshuffle	%f12, %f12, %f12
-	bshuffle	%f14, %f14, %f14
-
-	srax		%g3, 63, %l7		! next tweak value
-	addcc		%g2, %g2, %g2
-	and		%l7, 0x87, %l7
-	addxc		%g3, %g3, %g3
-	xor		%l7, %g2, %g2
-
-	movxtod		%g2, %f8
-	movxtod		%g3, %f10
-	bshuffle	%f8,  %f8,  %f8
-	bshuffle	%f10, %f10, %f10
-
-	xor		%g4, %o0, %o0		! ^= rk[0]
-	xor		%g5, %o1, %o1
-	xor		%g4, %o2, %o2		! ^= rk[0]
-	xor		%g5, %o3, %o3
-	movxtod		%o0, %f0
-	movxtod		%o1, %f2
-	movxtod		%o2, %f4
-	movxtod		%o3, %f6
-
-	fxor		%f12, %f0, %f0		! ^= tweak[0]
-	fxor		%f14, %f2, %f2
-	fxor		%f8,  %f4, %f4		! ^= tweak[0]
-	fxor		%f10, %f6, %f6
-
-	prefetch	[$out + 63], 22
-	prefetch	[$inp + 32+63], 20
-	call		_${alg}${bits}_${dir}crypt_2x
-	add		$inp, 32, $inp
-
-	movxtod		%g2, %f8
-	movxtod		%g3, %f10
-
-	srax		%g3, 63, %l7		! next tweak value
-	addcc		%g2, %g2, %g2
-	and		%l7, 0x87, %l7
-	addxc		%g3, %g3, %g3
-	xor		%l7, %g2, %g2
-
-	bshuffle	%f8,  %f8,  %f8
-	bshuffle	%f10, %f10, %f10
-
-	fxor		%f12, %f0, %f0		! ^= tweak[0]
-	fxor		%f14, %f2, %f2
-	fxor		%f8,  %f4, %f4
-	fxor		%f10, %f6, %f6
-
-	brnz,pn		$ooff, 2f
-	sub		$len, 2, $len
-		
-	std		%f0, [$out + 0]
-	std		%f2, [$out + 8]
-	std		%f4, [$out + 16]
-	std		%f6, [$out + 24]
-	brnz,pt		$len, .L${bits}_xts_${dir}loop2x
-	add		$out, 32, $out
-
-	fsrc2		%f4, %f0
-	fsrc2		%f6, %f2
-	brnz,pn		$rem, .L${bits}_xts_${dir}steal
-	nop
-
-	ret
-	restore
-
-.align	16
-2:	ldxa		[$inp]0x82, %o0		! avoid read-after-write hazard
-						! and ~3x deterioration
-						! in inp==out case
-	faligndata	%f0, %f0, %f8		! handle unaligned output
-	faligndata	%f0, %f2, %f10
-	faligndata	%f2, %f4, %f12
-	faligndata	%f4, %f6, %f14
-	faligndata	%f6, %f6, %f0
-
-	stda		%f8, [$out + $omask]0xc0	! partial store
-	std		%f10, [$out + 8]
-	std		%f12, [$out + 16]
-	std		%f14, [$out + 24]
-	add		$out, 32, $out
-	orn		%g0, $omask, $omask
-	stda		%f0, [$out + $omask]0xc0	! partial store
-
-	brnz,pt		$len, .L${bits}_xts_${dir}loop2x+4
-	orn		%g0, $omask, $omask
-
-	fsrc2		%f4, %f0
-	fsrc2		%f6, %f2
-	brnz,pn		$rem, .L${bits}_xts_${dir}steal
-	nop
-
-	ret
-	restore
-
-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-.align	32
-.L${bits}_xts_${dir}blk:
-	add	$out, $len, $blk_init
-	and	$blk_init, 63, $blk_init	! tail
-	sub	$len, $blk_init, $len
-	add	$blk_init, 15, $blk_init	! round up to 16n
-	srlx	$len, 4, $len
-	srl	$blk_init, 4, $blk_init
-	sub	$len, 1, $len
-	add	$blk_init, 1, $blk_init
-
-.L${bits}_xts_${dir}blk2x:
-	ldx		[$inp + 0], %o0
-	ldx		[$inp + 8], %o1
-	ldx		[$inp + 16], %o2
-	brz,pt		$ileft, 5f
-	ldx		[$inp + 24], %o3
-
-	ldx		[$inp + 32], %o4
-	sllx		%o0, $ileft, %o0
-	srlx		%o1, $iright, %g1
-	or		%g1, %o0, %o0
-	sllx		%o1, $ileft, %o1
-	srlx		%o2, $iright, %g1
-	or		%g1, %o1, %o1
-	sllx		%o2, $ileft, %o2
-	srlx		%o3, $iright, %g1
-	or		%g1, %o2, %o2
-	sllx		%o3, $ileft, %o3
-	srlx		%o4, $iright, %o4
-	or		%o4, %o3, %o3
-5:
-	movxtod		%g2, %f12
-	movxtod		%g3, %f14
-	bshuffle	%f12, %f12, %f12
-	bshuffle	%f14, %f14, %f14
-
-	srax		%g3, 63, %l7		! next tweak value
-	addcc		%g2, %g2, %g2
-	and		%l7, 0x87, %l7
-	addxc		%g3, %g3, %g3
-	xor		%l7, %g2, %g2
-
-	movxtod		%g2, %f8
-	movxtod		%g3, %f10
-	bshuffle	%f8,  %f8,  %f8
-	bshuffle	%f10, %f10, %f10
-
-	xor		%g4, %o0, %o0		! ^= rk[0]
-	xor		%g5, %o1, %o1
-	xor		%g4, %o2, %o2		! ^= rk[0]
-	xor		%g5, %o3, %o3
-	movxtod		%o0, %f0
-	movxtod		%o1, %f2
-	movxtod		%o2, %f4
-	movxtod		%o3, %f6
-
-	fxor		%f12, %f0, %f0		! ^= tweak[0]
-	fxor		%f14, %f2, %f2
-	fxor		%f8,  %f4, %f4		! ^= tweak[0]
-	fxor		%f10, %f6, %f6
-
-	prefetch	[$inp + 32+63], 20
-	call		_${alg}${bits}_${dir}crypt_2x
-	add		$inp, 32, $inp
-
-	movxtod		%g2, %f8
-	movxtod		%g3, %f10
-
-	srax		%g3, 63, %l7		! next tweak value
-	addcc		%g2, %g2, %g2
-	and		%l7, 0x87, %l7
-	addxc		%g3, %g3, %g3
-	xor		%l7, %g2, %g2
-
-	bshuffle	%f8,  %f8,  %f8
-	bshuffle	%f10, %f10, %f10
-
-	fxor		%f12, %f0, %f0		! ^= tweak[0]
-	fxor		%f14, %f2, %f2
-	fxor		%f8,  %f4, %f4
-	fxor		%f10, %f6, %f6
-
-	stda		%f0, [$out]0xe2		! ASI_BLK_INIT, T4-specific
-	add		$out, 8, $out
-	stda		%f2, [$out]0xe2		! ASI_BLK_INIT, T4-specific
-	add		$out, 8, $out
-	stda		%f4, [$out]0xe2		! ASI_BLK_INIT, T4-specific
-	add		$out, 8, $out
-	stda		%f6, [$out]0xe2		! ASI_BLK_INIT, T4-specific
-	bgu,pt		$::size_t_cc, .L${bits}_xts_${dir}blk2x
-	add		$out, 8, $out
-
-	add		$blk_init, $len, $len
-	andcc		$len, 1, %g0		! is number of blocks even?
-	membar		#StoreLoad|#StoreStore
-	bnz,pt		%icc, .L${bits}_xts_${dir}loop
-	srl		$len, 0, $len
-	brnz,pn		$len, .L${bits}_xts_${dir}loop2x
-	nop
-
-	fsrc2		%f4, %f0
-	fsrc2		%f6, %f2
-	brnz,pn		$rem, .L${bits}_xts_${dir}steal
-	nop
-
-	ret
-	restore
-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-___
-$code.=<<___ if ($dir eq "en");
-.align	32
-.L${bits}_xts_${dir}steal:
-	std		%f0, [%fp + $::bias-16]	! copy of output
-	std		%f2, [%fp + $::bias-8]
-
-	srl		$ileft, 3, $ileft
-	add		%fp, $::bias-16, %l7
-	add		$inp, $ileft, $inp	! original $inp+$len&-15
-	add		$out, $ooff, $out	! original $out+$len&-15
-	mov		0, $ileft
-	nop					! align
-
-.L${bits}_xts_${dir}stealing:
-	ldub		[$inp + $ileft], %o0
-	ldub		[%l7  + $ileft], %o1
-	dec		$rem
-	stb		%o0, [%l7  + $ileft]
-	stb		%o1, [$out + $ileft]
-	brnz		$rem, .L${bits}_xts_${dir}stealing
-	inc		$ileft
-
-	mov		%l7, $inp
-	sub		$out, 16, $out
-	mov		0, $ileft
-	sub		$out, $ooff, $out
-	ba		.L${bits}_xts_${dir}loop	! one more time
-	mov		1, $len				! $rem is 0
-___
-$code.=<<___ if ($dir eq "de");
-.align	32
-.L${bits}_xts_${dir}steal:
-	ldx		[$inp + 0], %o0
-	brz,pt		$ileft, 8f
-	ldx		[$inp + 8], %o1
-
-	ldx		[$inp + 16], %o2
-	sllx		%o0, $ileft, %o0
-	srlx		%o1, $iright, %g1
-	sllx		%o1, $ileft, %o1
-	or		%g1, %o0, %o0
-	srlx		%o2, $iright, %o2
-	or		%o2, %o1, %o1
-8:
-	srax		%g3, 63, %l7		! next tweak value
-	addcc		%g2, %g2, %o2
-	and		%l7, 0x87, %l7
-	addxc		%g3, %g3, %o3
-	xor		%l7, %o2, %o2
-
-	movxtod		%o2, %f12
-	movxtod		%o3, %f14
-	bshuffle	%f12, %f12, %f12
-	bshuffle	%f14, %f14, %f14
-
-	xor		%g4, %o0, %o0		! ^= rk[0]
-	xor		%g5, %o1, %o1
-	movxtod		%o0, %f0
-	movxtod		%o1, %f2
-
-	fxor		%f12, %f0, %f0		! ^= tweak[0]
-	fxor		%f14, %f2, %f2
-
-	call		_${alg}${bits}_${dir}crypt_1x
-	add		$inp, 16, $inp
-
-	fxor		%f12, %f0, %f0		! ^= tweak[0]
-	fxor		%f14, %f2, %f2
-
-	std		%f0, [%fp + $::bias-16]
-	std		%f2, [%fp + $::bias-8]
-
-	srl		$ileft, 3, $ileft
-	add		%fp, $::bias-16, %l7
-	add		$inp, $ileft, $inp	! original $inp+$len&-15
-	add		$out, $ooff, $out	! original $out+$len&-15
-	mov		0, $ileft
-	add		$out, 16, $out
-	nop					! align
-
-.L${bits}_xts_${dir}stealing:
-	ldub		[$inp + $ileft], %o0
-	ldub		[%l7  + $ileft], %o1
-	dec		$rem
-	stb		%o0, [%l7  + $ileft]
-	stb		%o1, [$out + $ileft]
-	brnz		$rem, .L${bits}_xts_${dir}stealing
-	inc		$ileft
-
-	mov		%l7, $inp
-	sub		$out, 16, $out
-	mov		0, $ileft
-	sub		$out, $ooff, $out
-	ba		.L${bits}_xts_${dir}loop	! one more time
-	mov		1, $len				! $rem is 0
-___
-$code.=<<___;
-	ret
-	restore
-.type	${alg}${bits}_t4_xts_${dir}crypt,#function
-.size	${alg}${bits}_t4_xts_${dir}crypt,.-${alg}${bits}_t4_xts_${dir}crypt
-___
-}
-
-# Purpose of these subroutines is to explicitly encode VIS instructions,
-# so that one can compile the module without having to specify VIS
-# extentions on compiler command line, e.g. -xarch=v9 vs. -xarch=v9a.
-# Idea is to reserve for option to produce "universal" binary and let
-# programmer detect if current CPU is VIS capable at run-time.
-sub unvis {
-my ($mnemonic,$rs1,$rs2,$rd)=@_;
-my ($ref,$opf);
-my %visopf = (	"faligndata"	=> 0x048,
-		"bshuffle"	=> 0x04c,
-		"fnot2"		=> 0x066,
-		"fxor"		=> 0x06c,
-		"fsrc2"		=> 0x078	);
-
-    $ref = "$mnemonic\t$rs1,$rs2,$rd";
-
-    if ($opf=$visopf{$mnemonic}) {
-	foreach ($rs1,$rs2,$rd) {
-	    return $ref if (!/%f([0-9]{1,2})/);
-	    $_=$1;
-	    if ($1>=32) {
-		return $ref if ($1&1);
-		# re-encode for upper double register addressing
-		$_=($1|$1>>5)&31;
-	    }
-	}
-
-	return	sprintf ".word\t0x%08x !%s",
-			0x81b00000|$rd<<25|$rs1<<14|$opf<<5|$rs2,
-			$ref;
-    } else {
-	return $ref;
-    }
-}
-
-sub unvis3 {
-my ($mnemonic,$rs1,$rs2,$rd)=@_;
-my %bias = ( "g" => 0, "o" => 8, "l" => 16, "i" => 24 );
-my ($ref,$opf);
-my %visopf = (	"addxc"		=> 0x011,
-		"addxccc"	=> 0x013,
-		"umulxhi"	=> 0x016,
-		"alignaddr"	=> 0x018,
-		"bmask"		=> 0x019,
-		"alignaddrl"	=> 0x01a	);
-
-    $ref = "$mnemonic\t$rs1,$rs2,$rd";
-
-    if ($opf=$visopf{$mnemonic}) {
-	foreach ($rs1,$rs2,$rd) {
-	    return $ref if (!/%([goli])([0-9])/);
-	    $_=$bias{$1}+$2;
-	}
-
-	return	sprintf ".word\t0x%08x !%s",
-			0x81b00000|$rd<<25|$rs1<<14|$opf<<5|$rs2,
-			$ref;
-    } else {
-	return $ref;
-    }
-}
-
-sub unaes_round {	# 4-argument instructions
-my ($mnemonic,$rs1,$rs2,$rs3,$rd)=@_;
-my ($ref,$opf);
-my %aesopf = (	"aes_eround01"	=> 0,
-		"aes_eround23"	=> 1,
-		"aes_dround01"	=> 2,
-		"aes_dround23"	=> 3,
-		"aes_eround01_l"=> 4,
-		"aes_eround23_l"=> 5,
-		"aes_dround01_l"=> 6,
-		"aes_dround23_l"=> 7,
-		"aes_kexpand1"	=> 8	);
-
-    $ref = "$mnemonic\t$rs1,$rs2,$rs3,$rd";
-
-    if (defined($opf=$aesopf{$mnemonic})) {
-	$rs3 = ($rs3 =~ /%f([0-6]*[02468])/) ? (($1|$1>>5)&31) : $rs3;
-	foreach ($rs1,$rs2,$rd) {
-	    return $ref if (!/%f([0-9]{1,2})/);
-	    $_=$1;
-	    if ($1>=32) {
-		return $ref if ($1&1);
-		# re-encode for upper double register addressing
-		$_=($1|$1>>5)&31;
-	    }
-	}
-
-	return	sprintf ".word\t0x%08x !%s",
-			2<<30|$rd<<25|0x19<<19|$rs1<<14|$rs3<<9|$opf<<5|$rs2,
-			$ref;
-    } else {
-	return $ref;
-    }
-}
-
-sub unaes_kexpand {	# 3-argument instructions
-my ($mnemonic,$rs1,$rs2,$rd)=@_;
-my ($ref,$opf);
-my %aesopf = (	"aes_kexpand0"	=> 0x130,
-		"aes_kexpand2"	=> 0x131	);
-
-    $ref = "$mnemonic\t$rs1,$rs2,$rd";
-
-    if (defined($opf=$aesopf{$mnemonic})) {
-	foreach ($rs1,$rs2,$rd) {
-	    return $ref if (!/%f([0-9]{1,2})/);
-	    $_=$1;
-	    if ($1>=32) {
-		return $ref if ($1&1);
-		# re-encode for upper double register addressing
-		$_=($1|$1>>5)&31;
-	    }
-	}
-
-	return	sprintf ".word\t0x%08x !%s",
-			2<<30|$rd<<25|0x36<<19|$rs1<<14|$opf<<5|$rs2,
-			$ref;
-    } else {
-	return $ref;
-    }
-}
-
-sub uncamellia_f {	# 4-argument instructions
-my ($mnemonic,$rs1,$rs2,$rs3,$rd)=@_;
-my ($ref,$opf);
-
-    $ref = "$mnemonic\t$rs1,$rs2,$rs3,$rd";
-
-    if (1) {
-	$rs3 = ($rs3 =~ /%f([0-6]*[02468])/) ? (($1|$1>>5)&31) : $rs3;
-	foreach ($rs1,$rs2,$rd) {
-	    return $ref if (!/%f([0-9]{1,2})/);
-	    $_=$1;
-	    if ($1>=32) {
-		return $ref if ($1&1);
-		# re-encode for upper double register addressing
-		$_=($1|$1>>5)&31;
-	    }
-	}
-
-	return	sprintf ".word\t0x%08x !%s",
-			2<<30|$rd<<25|0x19<<19|$rs1<<14|$rs3<<9|0xc<<5|$rs2,
-			$ref;
-    } else {
-	return $ref;
-    }
-}
-
-sub uncamellia3 {	# 3-argument instructions
-my ($mnemonic,$rs1,$rs2,$rd)=@_;
-my ($ref,$opf);
-my %cmllopf = (	"camellia_fl"	=> 0x13c,
-		"camellia_fli"	=> 0x13d	);
-
-    $ref = "$mnemonic\t$rs1,$rs2,$rd";
-
-    if (defined($opf=$cmllopf{$mnemonic})) {
-	foreach ($rs1,$rs2,$rd) {
-	    return $ref if (!/%f([0-9]{1,2})/);
-	    $_=$1;
-	    if ($1>=32) {
-		return $ref if ($1&1);
-		# re-encode for upper double register addressing
-		$_=($1|$1>>5)&31;
-	    }
-	}
-
-	return	sprintf ".word\t0x%08x !%s",
-			2<<30|$rd<<25|0x36<<19|$rs1<<14|$opf<<5|$rs2,
-			$ref;
-    } else {
-	return $ref;
-    }
-}
-
-sub unmovxtox {		# 2-argument instructions
-my ($mnemonic,$rs,$rd)=@_;
-my %bias = ( "g" => 0, "o" => 8, "l" => 16, "i" => 24, "f" => 0 );
-my ($ref,$opf);
-my %movxopf = (	"movdtox"	=> 0x110,
-		"movstouw"	=> 0x111,
-		"movstosw"	=> 0x113,
-		"movxtod"	=> 0x118,
-		"movwtos"	=> 0x119	);
-
-    $ref = "$mnemonic\t$rs,$rd";
-
-    if (defined($opf=$movxopf{$mnemonic})) {
-	foreach ($rs,$rd) {
-	    return $ref if (!/%([fgoli])([0-9]{1,2})/);
-	    $_=$bias{$1}+$2;
-	    if ($2>=32) {
-		return $ref if ($2&1);
-		# re-encode for upper double register addressing
-		$_=($2|$2>>5)&31;
-	    }
-	}
-
-	return	sprintf ".word\t0x%08x !%s",
-			2<<30|$rd<<25|0x36<<19|$opf<<5|$rs,
-			$ref;
-    } else {
-	return $ref;
-    }
-}
-
-sub undes {
-my ($mnemonic)=shift;
-my @args=@_;
-my ($ref,$opf);
-my %desopf = (	"des_round"	=> 0b1001,
-		"des_ip"	=> 0b100110100,
-		"des_iip"	=> 0b100110101,
-		"des_kexpand"	=> 0b100110110	);
-
-    $ref = "$mnemonic\t".join(",",@_);
-
-    if (defined($opf=$desopf{$mnemonic})) {	# 4-arg
-	if ($mnemonic eq "des_round") {
-	    foreach (@args[0..3]) {
-		return $ref if (!/%f([0-9]{1,2})/);
-		$_=$1;
-		if ($1>=32) {
-		    return $ref if ($1&1);
-		    # re-encode for upper double register addressing
-		    $_=($1|$1>>5)&31;
-		}
-	    }
-	    return  sprintf ".word\t0x%08x !%s",
-			    2<<30|0b011001<<19|$opf<<5|$args[0]<<14|$args[1]|$args[2]<<9|$args[3]<<25,
-			    $ref;
-	} elsif ($mnemonic eq "des_kexpand") {	# 3-arg
-	    foreach (@args[0..2]) {
-		return $ref if (!/(%f)?([0-9]{1,2})/);
-		$_=$2;
-		if ($2>=32) {
-		    return $ref if ($2&1);
-		    # re-encode for upper double register addressing
-		    $_=($2|$2>>5)&31;
-		}
-	    }
-	    return  sprintf ".word\t0x%08x !%s",
-			    2<<30|0b110110<<19|$opf<<5|$args[0]<<14|$args[1]|$args[2]<<25,
-			    $ref;
-	} else {				# 2-arg
-	    foreach (@args[0..1]) {
-		return $ref if (!/%f([0-9]{1,2})/);
-		$_=$1;
-		if ($1>=32) {
-		    return $ref if ($2&1);
-		    # re-encode for upper double register addressing
-		    $_=($1|$1>>5)&31;
-		}
-	    }
-	    return  sprintf ".word\t0x%08x !%s",
-			    2<<30|0b110110<<19|$opf<<5|$args[0]<<14|$args[1]<<25,
-			    $ref;
-	}
-    } else {
-	return $ref;
-    }
-}
-
-sub emit_assembler {
-    foreach (split("\n",$::code)) {
-	s/\`([^\`]*)\`/eval $1/ge;
-
-	s/\b(f[a-z]+2[sd]*)\s+(%f[0-9]{1,2}),\s*(%f[0-9]{1,2})\s*$/$1\t%f0,$2,$3/go;
-
-	s/\b(aes_[edk][^\s]*)\s+(%f[0-9]{1,2}),\s*(%f[0-9]{1,2}),\s*([%fx0-9]+),\s*(%f[0-9]{1,2})/
-		&unaes_round($1,$2,$3,$4,$5)
-	 /geo or
-	s/\b(aes_kexpand[02])\s+(%f[0-9]{1,2}),\s*(%f[0-9]{1,2}),\s*(%f[0-9]{1,2})/
-		&unaes_kexpand($1,$2,$3,$4)
-	 /geo or
-	s/\b(camellia_f)\s+(%f[0-9]{1,2}),\s*(%f[0-9]{1,2}),\s*([%fx0-9]+),\s*(%f[0-9]{1,2})/
-		&uncamellia_f($1,$2,$3,$4,$5)
-	 /geo or
-	s/\b(camellia_[^s]+)\s+(%f[0-9]{1,2}),\s*(%f[0-9]{1,2}),\s*(%f[0-9]{1,2})/
-		&uncamellia3($1,$2,$3,$4)
-	 /geo or
-	s/\b(des_\w+)\s+(%f[0-9]{1,2}),\s*([%fx0-9]+)(?:,\s*(%f[0-9]{1,2})(?:,\s*(%f[0-9]{1,2}))?)?/
-		&undes($1,$2,$3,$4,$5)
-	 /geo or
-	s/\b(mov[ds]to\w+)\s+(%f[0-9]{1,2}),\s*(%[goli][0-7])/
-		&unmovxtox($1,$2,$3)
-	 /geo or
-	s/\b(mov[xw]to[ds])\s+(%[goli][0-7]),\s*(%f[0-9]{1,2})/
-		&unmovxtox($1,$2,$3)
-	 /geo or
-	s/\b([fb][^\s]*)\s+(%f[0-9]{1,2}),\s*(%f[0-9]{1,2}),\s*(%f[0-9]{1,2})/
-		&unvis($1,$2,$3,$4)
-	 /geo or
-	s/\b(umulxhi|bmask|addxc[c]{0,2}|alignaddr[l]*)\s+(%[goli][0-7]),\s*(%[goli][0-7]),\s*(%[goli][0-7])/
-		&unvis3($1,$2,$3,$4)
-	 /geo;
-
-	print $_,"\n";
-    }
-}
-
-1;
diff --git a/src/crypto/perlasm/x86masm.pl b/src/crypto/perlasm/x86masm.pl
index a491529..b7f49d1 100644
--- a/src/crypto/perlasm/x86masm.pl
+++ b/src/crypto/perlasm/x86masm.pl
@@ -18,10 +18,10 @@ sub ::generic
 
     if ($opcode =~ /lea/ && @arg[1] =~ s/.*PTR\s+(\(.*\))$/OFFSET $1/)	# no []
     {	$opcode="mov";	}
-    elsif ($opcode !~ /movq/)
+    elsif ($opcode !~ /mov[dq]$/)
     {	# fix xmm references
-	$arg[0] =~ s/\b[A-Z]+WORD\s+PTR/XMMWORD PTR/i if ($arg[1]=~/\bxmm[0-7]\b/i);
-	$arg[1] =~ s/\b[A-Z]+WORD\s+PTR/XMMWORD PTR/i if ($arg[0]=~/\bxmm[0-7]\b/i);
+	$arg[0] =~ s/\b[A-Z]+WORD\s+PTR/XMMWORD PTR/i if ($arg[-1]=~/\bxmm[0-7]\b/i);
+	$arg[-1] =~ s/\b[A-Z]+WORD\s+PTR/XMMWORD PTR/i if ($arg[0]=~/\bxmm[0-7]\b/i);
     }
 
     &::emit($opcode,@arg);
@@ -160,16 +160,13 @@ sub ::public_label
 {   push(@out,"PUBLIC\t".&::LABEL($_[0],$nmdecor.$_[0])."\n");   }
 
 sub ::data_byte
-{   push(@out,("DB\t").join(',',@_)."\n");	}
+{   push(@out,("DB\t").join(',',splice(@_,0,16))."\n") while(@_);	}
 
 sub ::data_short
-{   push(@out,("DW\t").join(',',@_)."\n");	}
+{   push(@out,("DW\t").join(',',splice(@_,0,8))."\n") while(@_);	}
 
 sub ::data_word
-{   # MASM can't handle long lines, so emit one word at a time.
-    foreach(@_)
-    {	push(@out,"DD\t$_\n");	}
-}
+{   push(@out,("DD\t").join(',',splice(@_,0,4))."\n") while(@_);	}
 
 sub ::align
 {   push(@out,"ALIGN\t$_[0]\n");	}
diff --git a/src/crypto/pkcs8/CMakeLists.txt b/src/crypto/pkcs8/CMakeLists.txt
index 1886fce..c0f2746 100644
--- a/src/crypto/pkcs8/CMakeLists.txt
+++ b/src/crypto/pkcs8/CMakeLists.txt
@@ -9,13 +9,12 @@ add_library(
   p8_pkey.c
   p5_pbe.c
   p5_pbev2.c
-  pkcs8_error.c
 )
 
 add_executable(
   pkcs12_test
 
-  pkcs12_test.c
+  pkcs12_test.cc
 )
 
 target_link_libraries(pkcs12_test crypto)
diff --git a/src/crypto/pkcs8/pkcs12_test.c b/src/crypto/pkcs8/pkcs12_test.cc
index 2292b77..8b265cd 100644
--- a/src/crypto/pkcs8/pkcs12_test.c
+++ b/src/crypto/pkcs8/pkcs12_test.cc
@@ -13,7 +13,6 @@
  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
 
 #include <stdio.h>
-#include <stdlib.h>
 
 #include <openssl/bio.h>
 #include <openssl/bytestring.h>
@@ -24,6 +23,8 @@
 #include <openssl/stack.h>
 #include <openssl/x509.h>
 
+#include "../test/scoped_types.h"
+
 
 /* kPKCS12DER contains sample PKCS#12 data generated by OpenSSL with:
  * openssl pkcs12 -export -inkey key.pem -in cacert.pem */
@@ -680,81 +681,76 @@ static const uint8_t kWindows[] = {
     0xfe, 0x3a, 0x66, 0x47, 0x40, 0x49, 0x02, 0x02, 0x07, 0xd0,
 };
 
-static int test(const char *name, const uint8_t *der, size_t der_len) {
-  CBS pkcs12;
-  EVP_PKEY *key;
-  STACK_OF(X509) *certs;
-
-  certs = sk_X509_new_null();
+static bool Test(const char *name, const uint8_t *der, size_t der_len) {
+  ScopedX509Stack certs(sk_X509_new_null());
+  if (!certs) {
+    return false;
+  }
 
+  CBS pkcs12;
+  EVP_PKEY *key = nullptr;
   CBS_init(&pkcs12, der, der_len);
-  if (!PKCS12_get_key_and_certs(&key, certs, &pkcs12, "foo")) {
+  if (!PKCS12_get_key_and_certs(&key, certs.get(), &pkcs12, "foo")) {
     fprintf(stderr, "PKCS12 failed on %s data.\n", name);
-    BIO_print_errors_fp(stderr);
-    return 0;
+    ERR_print_errors_fp(stderr);
+    return false;
   }
+  ScopedEVP_PKEY delete_key(key);
 
-  if (sk_X509_num(certs) != 1 || key == NULL) {
+  if (sk_X509_num(certs.get()) != 1 || key == nullptr) {
     fprintf(stderr, "Bad result from %s data.\n", name);
-    return 0;
+    return false;
   }
 
-  sk_X509_pop_free(certs, X509_free);
-  EVP_PKEY_free(key);
-
-  return 1;
+  return true;
 }
 
-static int test_compat(const uint8_t *der, size_t der_len) {
-  PKCS12 *p12;
-  X509 *cert = NULL;
-  STACK_OF(X509) *ca_certs = NULL;
-  EVP_PKEY *key;
-  BIO *bio;
-
-  bio = BIO_new_mem_buf((void*) der, der_len);
+static bool TestCompat(const uint8_t *der, size_t der_len) {
+  ScopedBIO bio(BIO_new_mem_buf((void*) der, der_len));
+  if (!bio) {
+    return false;
+  }
 
-  p12 = d2i_PKCS12_bio(bio, NULL);
-  if (p12 == NULL) {
+  ScopedPKCS12 p12(d2i_PKCS12_bio(bio.get(), nullptr));
+  if (!p12) {
     fprintf(stderr, "PKCS12_parse failed.\n");
-    BIO_print_errors_fp(stderr);
-    return 0;
+    ERR_print_errors_fp(stderr);
+    return false;
   }
-  BIO_free(bio);
 
-  if (!PKCS12_parse(p12, "foo", &key, &cert, &ca_certs)) {
+  EVP_PKEY *key = nullptr;
+  X509 *cert = nullptr;
+  STACK_OF(X509) *ca_certs = nullptr;
+  if (!PKCS12_parse(p12.get(), "foo", &key, &cert, &ca_certs)) {
     fprintf(stderr, "PKCS12_parse failed.\n");
-    BIO_print_errors_fp(stderr);
-    return 0;
+    ERR_print_errors_fp(stderr);
+    return false;
   }
+  ScopedEVP_PKEY delete_key(key);
+  ScopedX509 delete_cert(cert);
+  ScopedX509Stack delete_ca_certs(ca_certs);
 
-  if (key == NULL || cert == NULL) {
+  if (key == nullptr || cert == nullptr) {
     fprintf(stderr, "Bad result from PKCS12_parse.\n");
-    return 0;
+    return false;
   }
 
-  EVP_PKEY_free(key);
-  X509_free(cert);
-
   if (sk_X509_num(ca_certs) != 0) {
     fprintf(stderr, "Bad result from PKCS12_parse.\n");
-    return 0;
+    return false;
   }
-  sk_X509_free(ca_certs);
-
-  PKCS12_free(p12);
 
-  return 1;
+  return true;
 }
 
 int main(int argc, char **argv) {
   CRYPTO_library_init();
   ERR_load_crypto_strings();
 
-  if (!test("OpenSSL", kOpenSSL, sizeof(kOpenSSL)) ||
-      !test("NSS", kNSS, sizeof(kNSS)) ||
-      !test("Windows", kWindows, sizeof(kWindows)) ||
-      !test_compat(kWindows, sizeof(kWindows))) {
+  if (!Test("OpenSSL", kOpenSSL, sizeof(kOpenSSL)) ||
+      !Test("NSS", kNSS, sizeof(kNSS)) ||
+      !Test("Windows", kWindows, sizeof(kWindows)) ||
+      !TestCompat(kWindows, sizeof(kWindows))) {
     return 1;
   }
 
diff --git a/src/crypto/pkcs8/pkcs8.c b/src/crypto/pkcs8/pkcs8.c
index 0b1dfba..843c74d 100644
--- a/src/crypto/pkcs8/pkcs8.c
+++ b/src/crypto/pkcs8/pkcs8.c
@@ -123,23 +123,28 @@ static int pkcs12_key_gen_raw(const uint8_t *pass_raw, size_t pass_raw_len,
   Ai = OPENSSL_malloc(u);
   B = OPENSSL_malloc(v + 1);
   Slen = v * ((salt_len + v - 1) / v);
-  if (pass_raw_len)
+  if (pass_raw_len) {
     Plen = v * ((pass_raw_len + v - 1) / v);
-  else
+  } else {
     Plen = 0;
+  }
   Ilen = Slen + Plen;
   I = OPENSSL_malloc(Ilen);
   Ij = BN_new();
   Bpl1 = BN_new();
-  if (!D || !Ai || !B || !I || !Ij || !Bpl1)
+  if (!D || !Ai || !B || !I || !Ij || !Bpl1) {
     goto err;
-  for (i = 0; i < v; i++)
+  }
+  for (i = 0; i < v; i++) {
     D[i] = id;
+  }
   p = I;
-  for (i = 0; i < Slen; i++)
+  for (i = 0; i < Slen; i++) {
     *p++ = salt[i % salt_len];
-  for (i = 0; i < Plen; i++)
+  }
+  for (i = 0; i < Plen; i++) {
     *p++ = pass_raw[i % pass_raw_len];
+  }
   for (;;) {
     if (!EVP_DigestInit_ex(&ctx, md_type, NULL) ||
         !EVP_DigestUpdate(&ctx, D, v) ||
@@ -161,31 +166,33 @@ static int pkcs12_key_gen_raw(const uint8_t *pass_raw, size_t pass_raw_len,
     }
     out_len -= u;
     out += u;
-    for (j = 0; j < v; j++)
+    for (j = 0; j < v; j++) {
       B[j] = Ai[j % u];
+    }
     /* Work out B + 1 first then can use B as tmp space */
-    if (!BN_bin2bn(B, v, Bpl1))
-      goto err;
-    if (!BN_add_word(Bpl1, 1))
+    if (!BN_bin2bn(B, v, Bpl1) ||
+        !BN_add_word(Bpl1, 1)) {
       goto err;
+    }
     for (j = 0; j < Ilen; j += v) {
-      if (!BN_bin2bn(I + j, v, Ij))
-        goto err;
-      if (!BN_add(Ij, Ij, Bpl1))
-        goto err;
-      if (!BN_bn2bin(Ij, B))
+      if (!BN_bin2bn(I + j, v, Ij) ||
+          !BN_add(Ij, Ij, Bpl1) ||
+          !BN_bn2bin(Ij, B)) {
         goto err;
+      }
       Ijlen = BN_num_bytes(Ij);
       /* If more than 2^(v*8) - 1 cut off MSB */
       if (Ijlen > v) {
-        if (!BN_bn2bin(Ij, B))
+        if (!BN_bn2bin(Ij, B)) {
           goto err;
+        }
         memcpy(I + j, B + 1, v);
         /* If less than v bytes pad with zeroes */
       } else if (Ijlen < v) {
         memset(I + j, 0, v - Ijlen);
-        if (!BN_bn2bin(Ij, I + j + v - Ijlen))
+        if (!BN_bn2bin(Ij, I + j + v - Ijlen)) {
           goto err;
+        }
       } else if (!BN_bn2bin(Ij, I + j)) {
         goto err;
       }
@@ -427,7 +434,7 @@ PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(X509_SIG *pkcs8, const char *pass,
       pass_len = strlen(pass);
     }
     if (!ascii_to_ucs2(pass, pass_len, &pass_raw, &pass_raw_len)) {
-      OPENSSL_PUT_ERROR(PKCS8, pkcs12_key_gen_asc, PKCS8_R_DECODE_ERROR);
+      OPENSSL_PUT_ERROR(PKCS8, PKCS8_decrypt, PKCS8_R_DECODE_ERROR);
       return NULL;
     }
   }
@@ -491,7 +498,7 @@ X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher, const char *pass,
       pass_len = strlen(pass);
     }
     if (!ascii_to_ucs2(pass, pass_len, &pass_raw, &pass_raw_len)) {
-      OPENSSL_PUT_ERROR(PKCS8, pkcs12_key_gen_asc, PKCS8_R_DECODE_ERROR);
+      OPENSSL_PUT_ERROR(PKCS8, PKCS8_encrypt, PKCS8_R_DECODE_ERROR);
       return NULL;
     }
   }
@@ -547,8 +554,9 @@ EVP_PKEY *EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8) {
   ASN1_OBJECT *algoid;
   char obj_tmp[80];
 
-  if (!PKCS8_pkey_get0(&algoid, NULL, NULL, NULL, p8))
+  if (!PKCS8_pkey_get0(&algoid, NULL, NULL, NULL, p8)) {
     return NULL;
+  }
 
   pkey = EVP_PKEY_new();
   if (pkey == NULL) {
@@ -683,9 +691,7 @@ static int PKCS12_handle_content_infos(CBS *content_infos,
   ret = 1;
 
 err:
-  if (der_bytes != NULL) {
-    OPENSSL_free(der_bytes);
-  }
+  OPENSSL_free(der_bytes);
   return ret;
 }
 
@@ -699,7 +705,8 @@ static int PKCS12_handle_content_info(CBS *content_info, unsigned depth,
   if (!CBS_get_asn1(content_info, &content_type, CBS_ASN1_OBJECT) ||
       !CBS_get_asn1(content_info, &wrapped_contents,
                         CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {
-    OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_BAD_PKCS12_DATA);
+    OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_info,
+                      PKCS8_R_BAD_PKCS12_DATA);
     goto err;
   }
 
@@ -884,27 +891,28 @@ int PKCS12_get_key_and_certs(EVP_PKEY **out_key, STACK_OF(X509) *out_certs,
   if (!CBS_get_asn1(&in, &pfx, CBS_ASN1_SEQUENCE) ||
       CBS_len(&in) != 0 ||
       !CBS_get_asn1_uint64(&pfx, &version)) {
-    OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_BAD_PKCS12_DATA);
+    OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, PKCS8_R_BAD_PKCS12_DATA);
     goto err;
   }
 
   if (version < 3) {
-    OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_BAD_PKCS12_VERSION);
+    OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs,
+                      PKCS8_R_BAD_PKCS12_VERSION);
     goto err;
   }
 
   if (!CBS_get_asn1(&pfx, &authsafe, CBS_ASN1_SEQUENCE)) {
-    OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_BAD_PKCS12_DATA);
+    OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, PKCS8_R_BAD_PKCS12_DATA);
     goto err;
   }
 
   if (CBS_len(&pfx) == 0) {
-    OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_MISSING_MAC);
+    OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, PKCS8_R_MISSING_MAC);
     goto err;
   }
 
   if (!CBS_get_asn1(&pfx, &mac_data, CBS_ASN1_SEQUENCE)) {
-    OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_BAD_PKCS12_DATA);
+    OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, PKCS8_R_BAD_PKCS12_DATA);
     goto err;
   }
 
@@ -913,7 +921,7 @@ int PKCS12_get_key_and_certs(EVP_PKEY **out_key, STACK_OF(X509) *out_certs,
   if (!CBS_get_asn1(&authsafe, &content_type, CBS_ASN1_OBJECT) ||
       !CBS_get_asn1(&authsafe, &wrapped_authsafes,
                         CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {
-    OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_BAD_PKCS12_DATA);
+    OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, PKCS8_R_BAD_PKCS12_DATA);
     goto err;
   }
 
@@ -921,13 +929,13 @@ int PKCS12_get_key_and_certs(EVP_PKEY **out_key, STACK_OF(X509) *out_certs,
    * latter indicates that it's signed by a public key, which isn't
    * supported. */
   if (OBJ_cbs2nid(&content_type) != NID_pkcs7_data) {
-    OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse,
+    OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs,
                       PKCS8_R_PKCS12_PUBLIC_KEY_INTEGRITY_NOT_SUPPORTED);
     goto err;
   }
 
   if (!CBS_get_asn1(&wrapped_authsafes, &authsafes, CBS_ASN1_OCTETSTRING)) {
-    OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_BAD_PKCS12_DATA);
+    OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, PKCS8_R_BAD_PKCS12_DATA);
     goto err;
   }
 
@@ -935,7 +943,7 @@ int PKCS12_get_key_and_certs(EVP_PKEY **out_key, STACK_OF(X509) *out_certs,
   ctx.out_certs = out_certs;
   if (!ascii_to_ucs2(password, strlen(password), &ctx.password,
                      &ctx.password_len)) {
-    OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_DECODE_ERROR);
+    OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, PKCS8_R_DECODE_ERROR);
     goto err;
   }
 
@@ -954,7 +962,7 @@ int PKCS12_get_key_and_certs(EVP_PKEY **out_key, STACK_OF(X509) *out_certs,
         !CBS_get_asn1(&hash_type_seq, &hash_oid, CBS_ASN1_OBJECT) ||
         !CBS_get_asn1(&mac, &expected_mac, CBS_ASN1_OCTETSTRING) ||
         !CBS_get_asn1(&mac_data, &salt, CBS_ASN1_OCTETSTRING)) {
-      OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_BAD_PKCS12_DATA);
+      OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, PKCS8_R_BAD_PKCS12_DATA);
       goto err;
     }
 
@@ -963,7 +971,8 @@ int PKCS12_get_key_and_certs(EVP_PKEY **out_key, STACK_OF(X509) *out_certs,
     if (CBS_len(&mac_data) > 0) {
       if (!CBS_get_asn1_uint64(&mac_data, &iterations) ||
           iterations > INT_MAX) {
-        OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_BAD_PKCS12_DATA);
+        OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs,
+                          PKCS8_R_BAD_PKCS12_DATA);
         goto err;
       }
     }
@@ -971,7 +980,7 @@ int PKCS12_get_key_and_certs(EVP_PKEY **out_key, STACK_OF(X509) *out_certs,
     hash_nid = OBJ_cbs2nid(&hash_oid);
     if (hash_nid == NID_undef ||
         (md = EVP_get_digestbynid(hash_nid)) == NULL) {
-      OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_UNKNOWN_HASH);
+      OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, PKCS8_R_UNKNOWN_HASH);
       goto err;
     }
 
@@ -987,7 +996,8 @@ int PKCS12_get_key_and_certs(EVP_PKEY **out_key, STACK_OF(X509) *out_certs,
     }
 
     if (!CBS_mem_equal(&expected_mac, hmac, hmac_len)) {
-      OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_INCORRECT_PASSWORD);
+      OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs,
+                        PKCS8_R_INCORRECT_PASSWORD);
       goto err;
     }
   }
@@ -1000,17 +1010,11 @@ int PKCS12_get_key_and_certs(EVP_PKEY **out_key, STACK_OF(X509) *out_certs,
   ret = 1;
 
 err:
-  if (ctx.password) {
-    OPENSSL_free(ctx.password);
-  }
-  if (der_bytes) {
-    OPENSSL_free(der_bytes);
-  }
+  OPENSSL_free(ctx.password);
+  OPENSSL_free(der_bytes);
   if (!ret) {
-    if (*out_key) {
-      EVP_PKEY_free(*out_key);
-      *out_key = NULL;
-    }
+    EVP_PKEY_free(*out_key);
+    *out_key = NULL;
     while (sk_X509_num(out_certs) > original_out_certs_len) {
       X509 *x509 = sk_X509_pop(out_certs);
       X509_free(x509);
diff --git a/src/crypto/pkcs8/pkcs8_error.c b/src/crypto/pkcs8/pkcs8_error.c
deleted file mode 100644
index 3041658..0000000
--- a/src/crypto/pkcs8/pkcs8_error.c
+++ /dev/null
@@ -1,68 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/pkcs8.h>
-
-const ERR_STRING_DATA PKCS8_error_string_data[] = {
-  {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_EVP_PKCS82PKEY, 0), "EVP_PKCS82PKEY"},
-  {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_EVP_PKEY2PKCS8, 0), "EVP_PKEY2PKCS8"},
-  {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_PKCS12_get_key_and_certs, 0), "PKCS12_get_key_and_certs"},
-  {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_PKCS12_handle_content_info, 0), "PKCS12_handle_content_info"},
-  {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_PKCS12_handle_content_infos, 0), "PKCS12_handle_content_infos"},
-  {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_PKCS12_parse, 0), "PKCS12_parse"},
-  {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_PKCS5_pbe2_set_iv, 0), "PKCS5_pbe2_set_iv"},
-  {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_PKCS5_pbe_set, 0), "PKCS5_pbe_set"},
-  {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_PKCS5_pbe_set0_algor, 0), "PKCS5_pbe_set0_algor"},
-  {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_PKCS5_pbkdf2_set, 0), "PKCS5_pbkdf2_set"},
-  {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_PKCS8_decrypt, 0), "PKCS8_decrypt"},
-  {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_PKCS8_encrypt, 0), "PKCS8_encrypt"},
-  {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_PKCS8_encrypt_pbe, 0), "PKCS8_encrypt_pbe"},
-  {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_pbe_cipher_init, 0), "pbe_cipher_init"},
-  {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_pbe_crypt, 0), "pbe_crypt"},
-  {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_pkcs12_item_decrypt_d2i, 0), "pkcs12_item_decrypt_d2i"},
-  {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_pkcs12_item_i2d_encrypt, 0), "pkcs12_item_i2d_encrypt"},
-  {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_pkcs12_key_gen_asc, 0), "pkcs12_key_gen_asc"},
-  {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_pkcs12_key_gen_raw, 0), "pkcs12_key_gen_raw"},
-  {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_pkcs12_key_gen_uni, 0), "pkcs12_key_gen_uni"},
-  {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_pkcs12_pbe_keyivgen, 0), "pkcs12_pbe_keyivgen"},
-  {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_BAD_MAC), "BAD_MAC"},
-  {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_BAD_PKCS12_DATA), "BAD_PKCS12_DATA"},
-  {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_BAD_PKCS12_VERSION), "BAD_PKCS12_VERSION"},
-  {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER), "CIPHER_HAS_NO_OBJECT_IDENTIFIER"},
-  {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_CRYPT_ERROR), "CRYPT_ERROR"},
-  {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_DECODE_ERROR), "DECODE_ERROR"},
-  {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_ENCODE_ERROR), "ENCODE_ERROR"},
-  {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_ENCRYPT_ERROR), "ENCRYPT_ERROR"},
-  {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_ERROR_SETTING_CIPHER_PARAMS), "ERROR_SETTING_CIPHER_PARAMS"},
-  {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_INCORRECT_PASSWORD), "INCORRECT_PASSWORD"},
-  {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_KEYGEN_FAILURE), "KEYGEN_FAILURE"},
-  {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_KEY_GEN_ERROR), "KEY_GEN_ERROR"},
-  {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_METHOD_NOT_SUPPORTED), "METHOD_NOT_SUPPORTED"},
-  {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_MISSING_MAC), "MISSING_MAC"},
-  {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_MULTIPLE_PRIVATE_KEYS_IN_PKCS12), "MULTIPLE_PRIVATE_KEYS_IN_PKCS12"},
-  {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_PKCS12_PUBLIC_KEY_INTEGRITY_NOT_SUPPORTED), "PKCS12_PUBLIC_KEY_INTEGRITY_NOT_SUPPORTED"},
-  {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_PKCS12_TOO_DEEPLY_NESTED), "PKCS12_TOO_DEEPLY_NESTED"},
-  {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_PRIVATE_KEY_DECODE_ERROR), "PRIVATE_KEY_DECODE_ERROR"},
-  {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_PRIVATE_KEY_ENCODE_ERROR), "PRIVATE_KEY_ENCODE_ERROR"},
-  {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_TOO_LONG), "TOO_LONG"},
-  {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_UNKNOWN_ALGORITHM), "UNKNOWN_ALGORITHM"},
-  {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_UNKNOWN_CIPHER), "UNKNOWN_CIPHER"},
-  {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_UNKNOWN_CIPHER_ALGORITHM), "UNKNOWN_CIPHER_ALGORITHM"},
-  {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_UNKNOWN_DIGEST), "UNKNOWN_DIGEST"},
-  {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_UNKNOWN_HASH), "UNKNOWN_HASH"},
-  {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM), "UNSUPPORTED_PRIVATE_KEY_ALGORITHM"},
-  {0, NULL},
-};
diff --git a/src/crypto/poly1305/poly1305.c b/src/crypto/poly1305/poly1305.c
index bf5cd5e..5a49e2d 100644
--- a/src/crypto/poly1305/poly1305.c
+++ b/src/crypto/poly1305/poly1305.c
@@ -132,19 +132,23 @@ poly1305_donna_mul:
   b = (uint32_t)(t[4] >> 26);
   state->h0 += b * 5;
 
-  if (len >= 16)
+  if (len >= 16) {
     goto poly1305_donna_16bytes;
+  }
 
 /* final bytes */
 poly1305_donna_atmost15bytes:
-  if (!len)
+  if (!len) {
     return;
+  }
 
-  for (j = 0; j < len; j++)
+  for (j = 0; j < len; j++) {
     mp[j] = in[j];
+  }
   mp[j++] = 1;
-  for (; j < 16; j++)
+  for (; j < 16; j++) {
     mp[j] = 0;
+  }
   len = 0;
 
   t0 = U8TO32_LE(mp + 0);
@@ -221,10 +225,12 @@ void CRYPTO_poly1305_update(poly1305_state *statep, const uint8_t *in,
 
   if (state->buf_used) {
     unsigned int todo = 16 - state->buf_used;
-    if (todo > in_len)
+    if (todo > in_len) {
       todo = in_len;
-    for (i = 0; i < todo; i++)
+    }
+    for (i = 0; i < todo; i++) {
       state->buf[state->buf_used + i] = in[i];
+    }
     state->buf_used += todo;
     in_len -= todo;
     in += todo;
@@ -243,8 +249,9 @@ void CRYPTO_poly1305_update(poly1305_state *statep, const uint8_t *in,
   }
 
   if (in_len) {
-    for (i = 0; i < in_len; i++)
+    for (i = 0; i < in_len; i++) {
       state->buf[i] = in[i];
+    }
     state->buf_used = in_len;
   }
 }
@@ -262,8 +269,9 @@ void CRYPTO_poly1305_finish(poly1305_state *statep, uint8_t mac[16]) {
   }
 #endif
 
-  if (state->buf_used)
+  if (state->buf_used) {
     poly1305_update(state, state->buf, state->buf_used);
+  }
 
   b = state->h0 >> 26;
   state->h0 = state->h0 & 0x3ffffff;
diff --git a/src/crypto/poly1305/poly1305_arm.c b/src/crypto/poly1305/poly1305_arm.c
index 61ebec5..c06eded 100644
--- a/src/crypto/poly1305/poly1305_arm.c
+++ b/src/crypto/poly1305/poly1305_arm.c
@@ -135,13 +135,15 @@ static void fe1305x2_frombytearray(fe1305x2 *r, const uint8_t *x,
   int i;
   uint8_t t[17];
 
-  for (i = 0; (i < 16) && (i < xlen); i++)
+  for (i = 0; (i < 16) && (i < xlen); i++) {
     t[i] = x[i];
+  }
   xlen -= i;
   x += i;
   t[i++] = 1;
-  for (; i < 17; i++)
+  for (; i < 17; i++) {
     t[i] = 0;
+  }
 
   r->v[0] = 0x3ffffff & load32(t);
   r->v[2] = 0x3ffffff & (load32(t + 3) >> 2);
@@ -150,19 +152,22 @@ static void fe1305x2_frombytearray(fe1305x2 *r, const uint8_t *x,
   r->v[8] = load32(t + 13);
 
   if (xlen) {
-    for (i = 0; (i < 16) && (i < xlen); i++)
+    for (i = 0; (i < 16) && (i < xlen); i++) {
       t[i] = x[i];
+    }
     t[i++] = 1;
-    for (; i < 17; i++)
+    for (; i < 17; i++) {
       t[i] = 0;
+    }
 
     r->v[1] = 0x3ffffff & load32(t);
     r->v[3] = 0x3ffffff & (load32(t + 3) >> 2);
     r->v[5] = 0x3ffffff & (load32(t + 6) >> 4);
     r->v[7] = 0x3ffffff & (load32(t + 9) >> 6);
     r->v[9] = load32(t + 13);
-  } else
+  } else {
     r->v[1] = r->v[3] = r->v[5] = r->v[7] = r->v[9] = 0;
+  }
 }
 
 static const fe1305x2 zero __attribute__((aligned(16)));
@@ -188,8 +193,9 @@ void CRYPTO_poly1305_init_neon(poly1305_state *state, const uint8_t key[32]) {
   r->v[7] = r->v[6] = 0x3f03fff & ((*(uint32_t *)(key + 9)) >> 6);
   r->v[9] = r->v[8] = 0x00fffff & ((*(uint32_t *)(key + 12)) >> 8);
 
-  for (j = 0; j < 10; j++)
+  for (j = 0; j < 10; j++) {
     h->v[j] = 0; /* XXX: should fast-forward a bit */
+  }
 
   addmulmod(precomp, r, r, &zero);                 /* precompute r^2 */
   addmulmod(precomp + 1, precomp, precomp, &zero); /* precompute r^4 */
@@ -209,10 +215,12 @@ void CRYPTO_poly1305_update_neon(poly1305_state *state, const uint8_t *in,
 
   if (st->buf_used) {
     unsigned int todo = 32 - st->buf_used;
-    if (todo > in_len)
+    if (todo > in_len) {
       todo = in_len;
-    for (i = 0; i < todo; i++)
+    }
+    for (i = 0; i < todo; i++) {
       st->buf[st->buf_used + i] = in[i];
+    }
     st->buf_used += todo;
     in_len -= todo;
     in += todo;
@@ -220,24 +228,27 @@ void CRYPTO_poly1305_update_neon(poly1305_state *state, const uint8_t *in,
     if (st->buf_used == sizeof(st->buf) && in_len) {
       addmulmod(h, h, precomp, &zero);
       fe1305x2_frombytearray(c, st->buf, sizeof(st->buf));
-      for (i = 0; i < 10; i++)
+      for (i = 0; i < 10; i++) {
         h->v[i] += c->v[i];
+      }
       st->buf_used = 0;
     }
   }
 
   while (in_len > 32) {
     unsigned int tlen = 1048576;
-    if (in_len < tlen)
+    if (in_len < tlen) {
       tlen = in_len;
+    }
     tlen -= blocks(h, precomp, in, tlen);
     in_len -= tlen;
     in += tlen;
   }
 
   if (in_len) {
-    for (i = 0; i < in_len; i++)
+    for (i = 0; i < in_len; i++) {
       st->buf[i] = in[i];
+    }
     st->buf_used = in_len;
   }
 }
diff --git a/src/crypto/poly1305/poly1305_vec.c b/src/crypto/poly1305/poly1305_vec.c
index 89fcacb..07578d0 100644
--- a/src/crypto/poly1305/poly1305_vec.c
+++ b/src/crypto/poly1305/poly1305_vec.c
@@ -727,8 +727,9 @@ void CRYPTO_poly1305_update(poly1305_state *state, const uint8_t *m,
       bytes -= want;
       m += want;
       st->leftover += want;
-      if ((st->leftover < 32) || (bytes == 0))
+      if ((st->leftover < 32) || (bytes == 0)) {
         return;
+      }
       poly1305_first_block(st, st->buffer);
       st->leftover = 0;
     }
@@ -742,8 +743,9 @@ void CRYPTO_poly1305_update(poly1305_state *state, const uint8_t *m,
     bytes -= want;
     m += want;
     st->leftover += want;
-    if (st->leftover < 64)
+    if (st->leftover < 64) {
       return;
+    }
     poly1305_blocks(st, st->buffer, 64);
     st->leftover = 0;
   }
@@ -791,8 +793,9 @@ void CRYPTO_poly1305_finish(poly1305_state *state, uint8_t mac[16]) {
   s1 = r1 * (5 << 2);
   s2 = r2 * (5 << 2);
 
-  if (leftover < 16)
+  if (leftover < 16) {
     goto poly1305_donna_atmost15bytes;
+  }
 
 poly1305_donna_atleast16bytes:
   t0 = U8TO64_LE(m + 0);
@@ -821,13 +824,15 @@ poly1305_donna_mul:
 
   m += 16;
   leftover -= 16;
-  if (leftover >= 16)
+  if (leftover >= 16) {
     goto poly1305_donna_atleast16bytes;
+  }
 
 /* final bytes */
 poly1305_donna_atmost15bytes:
-  if (!leftover)
+  if (!leftover) {
     goto poly1305_donna_finish;
+  }
 
   m[leftover++] = 1;
   poly1305_block_zero(m + leftover, 16 - leftover);
diff --git a/src/crypto/rand/CMakeLists.txt b/src/crypto/rand/CMakeLists.txt
index 23c1b24..374d8f1 100644
--- a/src/crypto/rand/CMakeLists.txt
+++ b/src/crypto/rand/CMakeLists.txt
@@ -1,5 +1,13 @@
 include_directories(. .. ../../include)
 
+if (${ARCH} STREQUAL "x86_64")
+  set(
+    RAND_ARCH_SOURCES
+
+    rdrand-x86_64.${ASM_EXT}
+  )
+endif()
+
 add_library(
   rand
 
@@ -8,4 +16,9 @@ add_library(
   rand.c
   urandom.c
   windows.c
+  hwrand.c
+
+  ${RAND_ARCH_SOURCES}
 )
+
+perlasm(rdrand-x86_64.${ASM_EXT} asm/rdrand-x86_64.pl)
diff --git a/src/crypto/rand/asm/rdrand-x86_64.pl b/src/crypto/rand/asm/rdrand-x86_64.pl
new file mode 100644
index 0000000..a917611
--- /dev/null
+++ b/src/crypto/rand/asm/rdrand-x86_64.pl
@@ -0,0 +1,25 @@
+#!/usr/bin/env perl
+
+$flavour = shift;
+$output  = shift;
+if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
+
+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
+die "can't locate x86_64-xlate.pl";
+
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
+
+print<<___;
+.text
+
+.globl	CRYPTO_rdrand
+.type	CRYPTO_rdrand,\@function,1
+.align	16
+CRYPTO_rdrand:
+	.byte 0x48, 0x0f, 0xc7, 0xf0
+	retq
+___
+
+close STDOUT;	# flush
diff --git a/src/crypto/rand/hwrand.c b/src/crypto/rand/hwrand.c
new file mode 100644
index 0000000..73d3de7
--- /dev/null
+++ b/src/crypto/rand/hwrand.c
@@ -0,0 +1,56 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/rand.h>
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/cpu.h>
+
+
+#if defined(OPENSSL_X86_64) && !defined(OPENSSL_NO_ASM)
+
+int CRYPTO_have_hwrand(void) {
+  return (OPENSSL_ia32cap_P[1] & (1u << 30)) != 0;
+}
+
+/* CRYPTO_rdrand is defined in asm/rdrand-x86_64.pl */
+extern uint64_t CRYPTO_rdrand(void);
+
+void CRYPTO_hwrand(uint8_t *buf, size_t len) {
+  while (len >= 8) {
+    uint64_t rand = CRYPTO_rdrand();
+    memcpy(buf, &rand, sizeof(rand));
+    len -= sizeof(rand);
+    buf += sizeof(rand);
+  }
+
+  if (len > 0) {
+    uint64_t rand = CRYPTO_rdrand();
+    memcpy(buf, &rand, len);
+  }
+}
+
+#else
+
+int CRYPTO_have_hwrand(void) {
+  return 0;
+}
+
+void CRYPTO_hwrand(uint8_t *buf, size_t len) {
+  abort();
+}
+
+#endif
diff --git a/src/crypto/rand/internal.h b/src/crypto/rand/internal.h
new file mode 100644
index 0000000..1cca7f3
--- /dev/null
+++ b/src/crypto/rand/internal.h
@@ -0,0 +1,40 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CRYPTO_RAND_INTERNAL_H
+#define OPENSSL_HEADER_CRYPTO_RAND_INTERNAL_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+/* CRYPTO_sysrand fills |len| bytes at |buf| with entropy from the operating
+ * system. */
+void CRYPTO_sysrand(uint8_t *buf, size_t len);
+
+/* CRYPTO_have_hwrand returns one iff |CRYPTO_hwrand| can be called to generate
+ * hardware entropy. */
+int CRYPTO_have_hwrand(void);
+
+/* CRYPTO_hwrand fills |len| bytes at |buf| with entropy from the hardware.
+ * This function can only be called if |CRYPTO_have_hwrand| returns one. */
+void CRYPTO_hwrand(uint8_t *buf, size_t len);
+
+
+#if defined(__cplusplus)
+}  /* extern C */
+#endif
+
+#endif  /* OPENSSL_HEADER_CRYPTO_RAND_INTERNAL_H */
diff --git a/src/crypto/rand/rand.c b/src/crypto/rand/rand.c
index efd6c0a..ae30edb 100644
--- a/src/crypto/rand/rand.c
+++ b/src/crypto/rand/rand.c
@@ -14,6 +14,134 @@
 
 #include <openssl/rand.h>
 
+#include <string.h>
+
+#include <openssl/mem.h>
+
+#include "internal.h"
+#include "../internal.h"
+
+
+/* It's assumed that the operating system always has an unfailing source of
+ * entropy which is accessed via |CRYPTO_sysrand|. (If the operating system
+ * entropy source fails, it's up to |CRYPTO_sysrand| to abort the process—we
+ * don't try to handle it.)
+ *
+ * In addition, the hardware may provide a low-latency RNG. Intel's rdrand
+ * instruction is the canonical example of this. When a hardware RNG is
+ * available we don't need to worry about an RNG failure arising from fork()ing
+ * the process or moving a VM, so we can keep thread-local RNG state and XOR
+ * the hardware entropy in.
+ *
+ * (We assume that the OS entropy is safe from fork()ing and VM duplication.
+ * This might be a bit of a leap of faith, esp on Windows, but there's nothing
+ * that we can do about it.) */
+
+/* rand_thread_state contains the per-thread state for the RNG. This is only
+ * used if the system has support for a hardware RNG. */
+struct rand_thread_state {
+  uint8_t key[32];
+  uint64_t calls_used;
+  size_t bytes_used;
+  uint8_t partial_block[64];
+  unsigned partial_block_used;
+};
+
+/* kMaxCallsPerRefresh is the maximum number of |RAND_bytes| calls that we'll
+ * serve before reading a new key from the operating system. This only applies
+ * if we have a hardware RNG. */
+static const unsigned kMaxCallsPerRefresh = 1024;
+
+/* kMaxBytesPerRefresh is the maximum number of bytes that we'll return from
+ * |RAND_bytes| before reading a new key from the operating system. This only
+ * applies if we have a hardware RNG. */
+static const uint64_t kMaxBytesPerRefresh = 1024 * 1024;
+
+/* rand_thread_state_free frees a |rand_thread_state|. This is called when a
+ * thread exits. */
+static void rand_thread_state_free(void *state) {
+  if (state == NULL) {
+    return;
+  }
+
+  OPENSSL_cleanse(state, sizeof(struct rand_thread_state));
+  OPENSSL_free(state);
+}
+
+extern void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in, size_t in_len,
+                             const uint8_t key[32], const uint8_t nonce[8],
+                             size_t counter);
+
+int RAND_bytes(uint8_t *buf, size_t len) {
+  if (len == 0) {
+    return 1;
+  }
+
+  if (!CRYPTO_have_hwrand()) {
+    /* Without a hardware RNG to save us from address-space duplication, the OS
+     * entropy is used directly. */
+    CRYPTO_sysrand(buf, len);
+    return 1;
+  }
+
+  struct rand_thread_state *state =
+      CRYPTO_get_thread_local(OPENSSL_THREAD_LOCAL_RAND);
+  if (state == NULL) {
+    state = OPENSSL_malloc(sizeof(struct rand_thread_state));
+    if (state == NULL ||
+        !CRYPTO_set_thread_local(OPENSSL_THREAD_LOCAL_RAND, state,
+                                 rand_thread_state_free)) {
+      CRYPTO_sysrand(buf, len);
+      return 1;
+    }
+
+    state->calls_used = kMaxCallsPerRefresh;
+  }
+
+  if (state->calls_used >= kMaxCallsPerRefresh ||
+      state->bytes_used >= kMaxBytesPerRefresh) {
+    CRYPTO_sysrand(state->key, sizeof(state->key));
+    state->calls_used = 0;
+    state->bytes_used = 0;
+    state->partial_block_used = sizeof(state->partial_block);
+  }
+
+  CRYPTO_hwrand(buf, len);
+
+  if (len >= sizeof(state->partial_block)) {
+    size_t remaining = len;
+    while (remaining > 0) {
+      // kMaxBytesPerCall is only 2GB, while ChaCha can handle 256GB. But this
+      // is sufficient and easier on 32-bit.
+      static const size_t kMaxBytesPerCall = 0x80000000;
+      size_t todo = remaining;
+      if (todo > kMaxBytesPerCall) {
+        todo = kMaxBytesPerCall;
+      }
+      CRYPTO_chacha_20(buf, buf, todo, state->key,
+                       (uint8_t *)&state->calls_used, 0);
+      buf += todo;
+      remaining -= todo;
+      state->calls_used++;
+    }
+  } else {
+    if (sizeof(state->partial_block) - state->partial_block_used < len) {
+      CRYPTO_chacha_20(state->partial_block, state->partial_block,
+                       sizeof(state->partial_block), state->key,
+                       (uint8_t *)&state->calls_used, 0);
+      state->partial_block_used = 0;
+    }
+
+    unsigned i;
+    for (i = 0; i < len; i++) {
+      buf[i] ^= state->partial_block[state->partial_block_used++];
+    }
+    state->calls_used++;
+  }
+  state->bytes_used += len;
+
+  return 1;
+}
 
 int RAND_pseudo_bytes(uint8_t *buf, size_t len) {
   return RAND_bytes(buf, len);
diff --git a/src/crypto/rand/urandom.c b/src/crypto/rand/urandom.c
index 2ad4af0..788a979 100644
--- a/src/crypto/rand/urandom.c
+++ b/src/crypto/rand/urandom.c
@@ -19,13 +19,15 @@
 #include <assert.h>
 #include <errno.h>
 #include <fcntl.h>
-#include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 
 #include <openssl/thread.h>
 #include <openssl/mem.h>
 
+#include "internal.h"
+#include "../internal.h"
+
 
 /* This file implements a PRNG by reading from /dev/urandom, optionally with a
  * fork-safe buffer.
@@ -73,23 +75,26 @@ struct rand_buffer {
 /* rand_bytes_per_buf is the number of actual entropy bytes in a buffer. */
 static const size_t rand_bytes_per_buf = BUF_SIZE - sizeof(struct rand_buffer);
 
+static struct CRYPTO_STATIC_MUTEX global_lock = CRYPTO_STATIC_MUTEX_INIT;
+
 /* list_head is the start of a global, linked-list of rand_buffer objects. It's
- * protected by CRYPTO_LOCK_RAND. */
+ * protected by |global_lock|. */
 static struct rand_buffer *list_head;
 
 /* urandom_fd is a file descriptor to /dev/urandom. It's protected by
- * CRYPTO_LOCK_RAND. */
+ * |global_lock|. */
 static int urandom_fd = -2;
 
 /* urandom_buffering controls whether buffering is enabled (1) or not (0). This
- * is protected by CRYPTO_LOCK_RAND. */
+ * is protected by |global_lock|. */
 static int urandom_buffering = 0;
 
 /* urandom_get_fd_locked returns a file descriptor to /dev/urandom. The caller
- * of this function must hold CRYPTO_LOCK_RAND. */
+ * of this function must hold |global_lock|. */
 static int urandom_get_fd_locked(void) {
-  if (urandom_fd != -2)
+  if (urandom_fd != -2) {
     return urandom_fd;
+  }
 
   urandom_fd = open("/dev/urandom", O_RDONLY);
   return urandom_fd;
@@ -100,7 +105,7 @@ static int urandom_get_fd_locked(void) {
 void RAND_cleanup(void) {
   struct rand_buffer *cur;
 
-  CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+  CRYPTO_STATIC_MUTEX_lock_write(&global_lock);
   while ((cur = list_head)) {
     list_head = cur->next;
     OPENSSL_free(cur);
@@ -110,7 +115,7 @@ void RAND_cleanup(void) {
   }
   urandom_fd = -2;
   list_head = NULL;
-  CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+  CRYPTO_STATIC_MUTEX_unlock(&global_lock);
 }
 
 /* read_full reads exactly |len| bytes from |fd| into |out| and returns 1. In
@@ -133,36 +138,34 @@ static char read_full(int fd, uint8_t *out, size_t len) {
   return 1;
 }
 
-/* urandom_rand_pseudo_bytes puts |num| random bytes into |out|. It returns
- * one on success and zero otherwise. */
-int RAND_bytes(uint8_t *out, size_t requested) {
+/* CRYPTO_sysrand puts |num| random bytes into |out|. */
+void CRYPTO_sysrand(uint8_t *out, size_t requested) {
   int fd;
   struct rand_buffer *buf;
   size_t todo;
   pid_t pid, ppid;
 
   if (requested == 0) {
-    return 1;
+    return;
   }
 
-  CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+  CRYPTO_STATIC_MUTEX_lock_write(&global_lock);
   fd = urandom_get_fd_locked();
 
   if (fd < 0) {
-    CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+    CRYPTO_STATIC_MUTEX_unlock(&global_lock);
     abort();
-    return 0;
+    return;
   }
 
   /* If buffering is not enabled, or if the request is large, then the
    * result comes directly from urandom. */
   if (!urandom_buffering || requested > BUF_SIZE / 2) {
-    CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+    CRYPTO_STATIC_MUTEX_unlock(&global_lock);
     if (!read_full(fd, out, requested)) {
       abort();
-      return 0;
     }
-    return 1;
+    return;
   }
 
   pid = getpid();
@@ -174,8 +177,8 @@ int RAND_bytes(uint8_t *out, size_t requested) {
         rand_bytes_per_buf - buf->used >= requested) {
       memcpy(out, &buf->rand[buf->used], requested);
       buf->used += requested;
-      CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-      return 1;
+      CRYPTO_STATIC_MUTEX_unlock(&global_lock);
+      return;
     }
 
     /* If we don't immediately have enough entropy with the correct
@@ -184,10 +187,14 @@ int RAND_bytes(uint8_t *out, size_t requested) {
     if (buf) {
       list_head = buf->next;
     }
-    CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+    CRYPTO_STATIC_MUTEX_unlock(&global_lock);
 
     if (!buf) {
       buf = (struct rand_buffer *)OPENSSL_malloc(BUF_SIZE);
+      if (!buf) {
+        abort();
+        return;
+      }
       /* The buffer doesn't contain any random bytes yet
        * so we mark it as fully used so that it will be
        * filled below. */
@@ -204,7 +211,7 @@ int RAND_bytes(uint8_t *out, size_t requested) {
     /* We have forked and so cannot use these bytes as they
      * may have been used in another process. */
     OPENSSL_free(buf);
-    CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+    CRYPTO_STATIC_MUTEX_lock_write(&global_lock);
   }
 
   while (requested > 0) {
@@ -224,18 +231,17 @@ int RAND_bytes(uint8_t *out, size_t requested) {
     if (!read_full(fd, buf->rand, rand_bytes_per_buf)) {
       OPENSSL_free(buf);
       abort();
-      return 0;
+      return;
     }
 
     buf->used = 0;
   }
 
-  CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+  CRYPTO_STATIC_MUTEX_lock_write(&global_lock);
   assert(list_head != buf);
   buf->next = list_head;
   list_head = buf;
-  CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-  return 1;
+  CRYPTO_STATIC_MUTEX_unlock(&global_lock);
 }
 
 #endif  /* !OPENSSL_WINDOWS */
diff --git a/src/crypto/rand/windows.c b/src/crypto/rand/windows.c
index e8b2d78..7bfcb1d 100644
--- a/src/crypto/rand/windows.c
+++ b/src/crypto/rand/windows.c
@@ -27,16 +27,18 @@
  * "Community Additions" comment on MSDN here:
  * http://msdn.microsoft.com/en-us/library/windows/desktop/aa387694.aspx */
 #define SystemFunction036 NTAPI SystemFunction036
-#include <ntsecapi.h>
+#include <NTSecAPI.h>
 #undef SystemFunction036
 
 #pragma warning(pop)
 
+#include "internal.h"
+
 
 void RAND_cleanup(void) {
 }
 
-int RAND_bytes(uint8_t *out, size_t requested) {
+void CRYPTO_sysrand(uint8_t *out, size_t requested) {
   while (requested > 0) {
     ULONG output_bytes_this_pass = ULONG_MAX;
     if (requested < output_bytes_this_pass) {
@@ -48,7 +50,7 @@ int RAND_bytes(uint8_t *out, size_t requested) {
     requested -= output_bytes_this_pass;
     out += output_bytes_this_pass;
   }
-  return 1;
+  return;
 }
 
 #endif  /* OPENSSL_WINDOWS */
diff --git a/src/crypto/rc4/asm/rc4-x86_64.pl b/src/crypto/rc4/asm/rc4-x86_64.pl
index 2c52ac0..db46242 100644
--- a/src/crypto/rc4/asm/rc4-x86_64.pl
+++ b/src/crypto/rc4/asm/rc4-x86_64.pl
@@ -502,32 +502,6 @@ asm_RC4_set_key:
 	mov	%eax,-4($dat)
 	ret
 .size	asm_RC4_set_key,.-asm_RC4_set_key
-
-.globl	RC4_options
-.type	RC4_options,\@abi-omnipotent
-.align	16
-RC4_options:
-	lea	.Lopts(%rip),%rax
-	mov	OPENSSL_ia32cap_P(%rip),%rdx
-	mov	(%rdx),%edx
-	bt	\$20,%edx
-	jc	.L8xchar
-	bt	\$30,%edx
-	jnc	.Ldone
-	add	\$25,%rax
-	ret
-.L8xchar:
-	add	\$12,%rax
-.Ldone:
-	ret
-.align	64
-.Lopts:
-.asciz	"rc4(8x,int)"
-.asciz	"rc4(8x,char)"
-.asciz	"rc4(16x,int)"
-.asciz	"RC4 for x86_64, CRYPTOGAMS by <appro\@openssl.org>"
-.align	64
-.size	RC4_options,.-RC4_options
 ___
 
 # EXCEPTION_DISPOSITION handler (EXCEPTION_RECORD *rec,ULONG64 frame,
diff --git a/src/crypto/rc4/rc4.c b/src/crypto/rc4/rc4.c
index 00b59c8..2a98fd0 100644
--- a/src/crypto/rc4/rc4.c
+++ b/src/crypto/rc4/rc4.c
@@ -67,8 +67,6 @@
 #error "Unknown word size"
 #endif
 
-#define RC4_INT uint32_t
-
 
 /* RC4 as implemented from a posting from
  * Newsgroups: sci.crypt
@@ -78,44 +76,14 @@
  * Date: Wed, 14 Sep 1994 06:35:31 GMT */
 
 void RC4(RC4_KEY *key, size_t len, const uint8_t *in, uint8_t *out) {
-  register RC4_INT *d;
-  register RC4_INT x, y, tx, ty;
+  uint32_t *d;
+  uint32_t x, y, tx, ty;
   size_t i;
 
   x = key->x;
   y = key->y;
   d = key->data;
 
-#if defined(RC4_CHUNK)
-/* The original reason for implementing this(*) was the fact that
- * pre-21164a Alpha CPUs don't have byte load/store instructions
- * and e.g. a byte store has to be done with 64-bit load, shift,
- * and, or and finally 64-bit store. Peaking data and operating
- * at natural word size made it possible to reduce amount of
- * instructions as well as to perform early read-ahead without
- * suffering from RAW (read-after-write) hazard. This resulted
- * in ~40%(**) performance improvement on 21064 box with gcc.
- * But it's not only Alpha users who win here:-) Thanks to the
- * early-n-wide read-ahead this implementation also exhibits
- * >40% speed-up on SPARC and 20-30% on 64-bit MIPS (depending
- * on sizeof(RC4_INT)).
- *
- * (*)	"this" means code which recognizes the case when input
- *	and output pointers appear to be aligned at natural CPU
- *	word boundary
- * (**)	i.e. according to 'apps/openssl speed rc4' benchmark,
- *	crypto/rc4/rc4speed.c exhibits almost 70% speed-up...
- *
- * Cavets.
- *
- * - RC4_CHUNK="unsigned long long" should be a #1 choice for
- *   UltraSPARC. Unfortunately gcc generates very slow code
- *   (2.5-3 times slower than one generated by Sun's WorkShop
- *   C) and therefore gcc (at least 2.95 and earlier) should
- *   always be told that RC4_CHUNK="unsigned long".
- *
- *					<appro@fy.chalmers.se> */
-
 #define RC4_STEP                                                             \
   (x = (x + 1) & 0xff, tx = d[x], y = (tx + y) & 0xff, ty = d[y], d[y] = tx, \
    d[x] = ty, (RC4_CHUNK)d[(tx + ty) & 0xff])
@@ -255,7 +223,6 @@ void RC4(RC4_KEY *key, size_t len, const uint8_t *in, uint8_t *out) {
       return;
     }
   }
-#endif
 #define LOOP(in, out)   \
   x = ((x + 1) & 0xff); \
   tx = d[x];            \
@@ -285,34 +252,42 @@ void RC4(RC4_KEY *key, size_t len, const uint8_t *in, uint8_t *out) {
       in += 8;
       out += 8;
 #endif
-      if (--i == 0)
+      if (--i == 0) {
         break;
+      }
     }
   }
   i = len & 0x07;
   if (i) {
     for (;;) {
       RC4_LOOP(in, out, 0);
-      if (--i == 0)
+      if (--i == 0) {
         break;
+      }
       RC4_LOOP(in, out, 1);
-      if (--i == 0)
+      if (--i == 0) {
         break;
+      }
       RC4_LOOP(in, out, 2);
-      if (--i == 0)
+      if (--i == 0) {
         break;
+      }
       RC4_LOOP(in, out, 3);
-      if (--i == 0)
+      if (--i == 0) {
         break;
+      }
       RC4_LOOP(in, out, 4);
-      if (--i == 0)
+      if (--i == 0) {
         break;
+      }
       RC4_LOOP(in, out, 5);
-      if (--i == 0)
+      if (--i == 0) {
         break;
+      }
       RC4_LOOP(in, out, 6);
-      if (--i == 0)
+      if (--i == 0) {
         break;
+      }
     }
   }
   key->x = x;
@@ -320,9 +295,9 @@ void RC4(RC4_KEY *key, size_t len, const uint8_t *in, uint8_t *out) {
 }
 
 void RC4_set_key(RC4_KEY *rc4key, unsigned len, const uint8_t *key) {
-  register RC4_INT tmp;
-  register int id1, id2;
-  register RC4_INT *d;
+  uint32_t tmp;
+  int id1, id2;
+  uint32_t *d;
   unsigned int i;
 
   d = &rc4key->data[0];
diff --git a/src/crypto/rsa/CMakeLists.txt b/src/crypto/rsa/CMakeLists.txt
index b3d8fa4..c438e1d 100644
--- a/src/crypto/rsa/CMakeLists.txt
+++ b/src/crypto/rsa/CMakeLists.txt
@@ -10,7 +10,6 @@ add_library(
   blinding.c
   padding.c
   rsa_asn1.c
-  rsa_error.c
 )
 
 add_executable(
diff --git a/src/crypto/rsa/blinding.c b/src/crypto/rsa/blinding.c
index 06f87a7..245142b 100644
--- a/src/crypto/rsa/blinding.c
+++ b/src/crypto/rsa/blinding.c
@@ -113,6 +113,7 @@
 #include <openssl/bn.h>
 #include <openssl/mem.h>
 #include <openssl/err.h>
+#include <openssl/thread.h>
 
 #include "internal.h"
 
@@ -124,7 +125,6 @@ struct bn_blinding_st {
   BIGNUM *Ai;
   BIGNUM *e;
   BIGNUM *mod; /* just a reference */
-  CRYPTO_THREADID tid;
   int counter;
   unsigned long flags;
   BN_MONT_CTX *m_ctx;
@@ -167,13 +167,10 @@ BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod) {
    * to indicate that this is never-used fresh blinding
    * that does not need updating before first use. */
   ret->counter = -1;
-  CRYPTO_THREADID_current(&ret->tid);
   return ret;
 
 err:
-  if (ret != NULL) {
-    BN_BLINDING_free(ret);
-  }
+  BN_BLINDING_free(ret);
   return NULL;
 }
 
@@ -182,14 +179,10 @@ void BN_BLINDING_free(BN_BLINDING *r) {
     return;
   }
 
-  if (r->A != NULL)
-    BN_free(r->A);
-  if (r->Ai != NULL)
-    BN_free(r->Ai);
-  if (r->e != NULL)
-    BN_free(r->e);
-  if (r->mod != NULL)
-    BN_free(r->mod);
+  BN_free(r->A);
+  BN_free(r->Ai);
+  BN_free(r->e);
+  BN_free(r->mod);
   OPENSSL_free(r);
 }
 
@@ -282,8 +275,6 @@ int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b,
   return ret;
 }
 
-CRYPTO_THREADID *BN_BLINDING_thread_id(BN_BLINDING *b) { return &b->tid; }
-
 unsigned long BN_BLINDING_get_flags(const BN_BLINDING *b) { return b->flags; }
 
 void BN_BLINDING_set_flags(BN_BLINDING *b, unsigned long flags) {
@@ -316,9 +307,7 @@ BN_BLINDING *BN_BLINDING_create_param(
   }
 
   if (e != NULL) {
-    if (ret->e != NULL) {
-      BN_free(ret->e);
-    }
+    BN_free(ret->e);
     ret->e = BN_dup(e);
   }
   if (ret->e == NULL) {
@@ -367,7 +356,7 @@ BN_BLINDING *BN_BLINDING_create_param(
   return ret;
 
 err:
-  if (b == NULL && ret != NULL) {
+  if (b == NULL) {
     BN_BLINDING_free(ret);
     ret = NULL;
   }
@@ -413,6 +402,7 @@ BN_BLINDING *rsa_setup_blinding(RSA *rsa, BN_CTX *in_ctx) {
   BIGNUM *e, *n;
   BN_CTX *ctx;
   BN_BLINDING *ret = NULL;
+  BN_MONT_CTX *mont_ctx = NULL;
 
   if (in_ctx == NULL) {
     ctx = BN_CTX_new();
@@ -444,19 +434,19 @@ BN_BLINDING *rsa_setup_blinding(RSA *rsa, BN_CTX *in_ctx) {
   BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
 
   if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {
-    if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n,
-                                ctx)) {
+    mont_ctx =
+        BN_MONT_CTX_set_locked(&rsa->_method_mod_n, &rsa->lock, rsa->n, ctx);
+    if (mont_ctx == NULL) {
       goto err;
     }
   }
 
   ret = BN_BLINDING_create_param(NULL, e, n, ctx, rsa->meth->bn_mod_exp,
-                                 rsa->_method_mod_n);
+                                 mont_ctx);
   if (ret == NULL) {
     OPENSSL_PUT_ERROR(RSA, rsa_setup_blinding, ERR_R_BN_LIB);
     goto err;
   }
-  CRYPTO_THREADID_current(BN_BLINDING_thread_id(ret));
 
 err:
   BN_CTX_end(ctx);
diff --git a/src/crypto/rsa/internal.h b/src/crypto/rsa/internal.h
index 3dd4f04..d15f2a5 100644
--- a/src/crypto/rsa/internal.h
+++ b/src/crypto/rsa/internal.h
@@ -60,7 +60,7 @@
 #include <openssl/base.h>
 
 #include <openssl/asn1.h>
-#include <openssl/thread.h>
+
 
 #if defined(__cplusplus)
 extern "C" {
@@ -81,7 +81,6 @@ int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
 int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
 int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *);
 int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *);
-CRYPTO_THREADID *BN_BLINDING_thread_id(BN_BLINDING *);
 unsigned long BN_BLINDING_get_flags(const BN_BLINDING *);
 void BN_BLINDING_set_flags(BN_BLINDING *, unsigned long);
 BN_BLINDING *BN_BLINDING_create_param(
diff --git a/src/crypto/rsa/padding.c b/src/crypto/rsa/padding.c
index 66fdf13..0a725f1 100644
--- a/src/crypto/rsa/padding.c
+++ b/src/crypto/rsa/padding.c
@@ -443,9 +443,7 @@ int RSA_padding_add_PKCS1_OAEP_mgf1(uint8_t *to, unsigned tlen,
   ret = 1;
 
 out:
-  if (dbmask != NULL) {
-    OPENSSL_free(dbmask);
-  }
+  OPENSSL_free(dbmask);
   return ret;
 }
 
@@ -544,9 +542,7 @@ decoding_err:
   OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_OAEP_mgf1,
                     RSA_R_OAEP_DECODING_ERROR);
  err:
-  if (db != NULL) {
-    OPENSSL_free(db);
-  }
+  OPENSSL_free(db);
   return -1;
 }
 
@@ -620,8 +616,9 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const uint8_t *mHash,
   if (MSBits) {
     DB[0] &= 0xFF >> (8 - MSBits);
   }
-  for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++)
+  for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) {
     ;
+  }
   if (DB[i++] != 0x1) {
     OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1,
                       RSA_R_SLEN_RECOVERY_FAILED);
@@ -652,9 +649,7 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const uint8_t *mHash,
   }
 
 err:
-  if (DB) {
-    OPENSSL_free(DB);
-  }
+  OPENSSL_free(DB);
   EVP_MD_CTX_cleanup(&ctx);
 
   return ret;
@@ -771,9 +766,7 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
   ret = 1;
 
 err:
-  if (salt) {
-    OPENSSL_free(salt);
-  }
+  OPENSSL_free(salt);
 
   return ret;
 }
diff --git a/src/crypto/rsa/rsa.c b/src/crypto/rsa/rsa.c
index 66002cc..5cc48ed 100644
--- a/src/crypto/rsa/rsa.c
+++ b/src/crypto/rsa/rsa.c
@@ -64,12 +64,16 @@
 #include <openssl/ex_data.h>
 #include <openssl/mem.h>
 #include <openssl/obj.h>
+#include <openssl/thread.h>
 
 #include "internal.h"
+#include "../internal.h"
 
 
 extern const RSA_METHOD RSA_default_method;
 
+static CRYPTO_EX_DATA_CLASS g_ex_data_class = CRYPTO_EX_DATA_CLASS_INIT;
+
 RSA *RSA_new(void) { return RSA_new_method(NULL); }
 
 RSA *RSA_new_method(const ENGINE *engine) {
@@ -92,15 +96,16 @@ RSA *RSA_new_method(const ENGINE *engine) {
 
   rsa->references = 1;
   rsa->flags = rsa->meth->flags;
+  CRYPTO_MUTEX_init(&rsa->lock);
 
-  if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, rsa, &rsa->ex_data)) {
+  if (!CRYPTO_new_ex_data(&g_ex_data_class, rsa, &rsa->ex_data)) {
     METHOD_unref(rsa->meth);
     OPENSSL_free(rsa);
     return NULL;
   }
 
   if (rsa->meth->init && !rsa->meth->init(rsa)) {
-    CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, rsa, &rsa->ex_data);
+    CRYPTO_free_ex_data(&g_ex_data_class, rsa, &rsa->ex_data);
     METHOD_unref(rsa->meth);
     OPENSSL_free(rsa);
     return NULL;
@@ -125,31 +130,22 @@ void RSA_free(RSA *rsa) {
   }
   METHOD_unref(rsa->meth);
 
-  CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DSA, rsa, &rsa->ex_data);
-
-  if (rsa->n != NULL)
-    BN_clear_free(rsa->n);
-  if (rsa->e != NULL)
-    BN_clear_free(rsa->e);
-  if (rsa->d != NULL)
-    BN_clear_free(rsa->d);
-  if (rsa->p != NULL)
-    BN_clear_free(rsa->p);
-  if (rsa->q != NULL)
-    BN_clear_free(rsa->q);
-  if (rsa->dmp1 != NULL)
-    BN_clear_free(rsa->dmp1);
-  if (rsa->dmq1 != NULL)
-    BN_clear_free(rsa->dmq1);
-  if (rsa->iqmp != NULL)
-    BN_clear_free(rsa->iqmp);
+  CRYPTO_free_ex_data(&g_ex_data_class, rsa, &rsa->ex_data);
+
+  BN_clear_free(rsa->n);
+  BN_clear_free(rsa->e);
+  BN_clear_free(rsa->d);
+  BN_clear_free(rsa->p);
+  BN_clear_free(rsa->q);
+  BN_clear_free(rsa->dmp1);
+  BN_clear_free(rsa->dmq1);
+  BN_clear_free(rsa->iqmp);
   for (u = 0; u < rsa->num_blindings; u++) {
     BN_BLINDING_free(rsa->blindings[u]);
   }
-  if (rsa->blindings != NULL)
-    OPENSSL_free(rsa->blindings);
-  if (rsa->blindings_inuse != NULL)
-    OPENSSL_free(rsa->blindings_inuse);
+  OPENSSL_free(rsa->blindings);
+  OPENSSL_free(rsa->blindings_inuse);
+  CRYPTO_MUTEX_cleanup(&rsa->lock);
   OPENSSL_free(rsa);
 }
 
@@ -271,8 +267,12 @@ int RSA_supports_digest(const RSA *rsa, const EVP_MD *md) {
 
 int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
                          CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) {
-  return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_RSA, argl, argp, new_func,
-                                 dup_func, free_func);
+  int index;
+  if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp, new_func,
+                               dup_func, free_func)) {
+    return -1;
+  }
+  return index;
 }
 
 int RSA_set_ex_data(RSA *d, int idx, void *arg) {
@@ -338,12 +338,6 @@ static const struct pkcs1_sig_prefix kPKCS1SigPrefixes[] = {
       0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40},
     },
     {
-     NID_ripemd160,
-     14,
-     {0x30, 0x20, 0x30, 0x08, 0x06, 0x06, 0x28, 0xcf, 0x06, 0x03, 0x00, 0x31,
-      0x04, 0x14},
-    },
-    {
      NID_undef, 0, {0},
     },
 };
@@ -357,15 +351,11 @@ static int pkcs1_prefixed_msg(uint8_t **out_msg, size_t *out_msg_len,
                               int *is_alloced, int hash_nid, const uint8_t *msg,
                               size_t msg_len) {
   unsigned i;
-  const uint8_t* prefix = NULL;
-  unsigned prefix_len;
-  uint8_t *signed_msg;
-  unsigned signed_msg_len;
 
   if (hash_nid == NID_md5_sha1) {
     /* Special case: SSL signature, just check the length. */
     if (msg_len != SSL_SIG_LENGTH) {
-      OPENSSL_PUT_ERROR(RSA, RSA_sign, RSA_R_INVALID_MESSAGE_LENGTH);
+      OPENSSL_PUT_ERROR(RSA, pkcs1_prefixed_msg, RSA_R_INVALID_MESSAGE_LENGTH);
       return 0;
     }
 
@@ -377,38 +367,39 @@ static int pkcs1_prefixed_msg(uint8_t **out_msg, size_t *out_msg_len,
 
   for (i = 0; kPKCS1SigPrefixes[i].nid != NID_undef; i++) {
     const struct pkcs1_sig_prefix *sig_prefix = &kPKCS1SigPrefixes[i];
-    if (sig_prefix->nid == hash_nid) {
-      prefix = sig_prefix->bytes;
-      prefix_len = sig_prefix->len;
-      break;
+    if (sig_prefix->nid != hash_nid) {
+      continue;
     }
-  }
 
-  if (prefix == NULL) {
-    OPENSSL_PUT_ERROR(RSA, RSA_sign, RSA_R_UNKNOWN_ALGORITHM_TYPE);
-    return 0;
-  }
+    const uint8_t* prefix = sig_prefix->bytes;
+    unsigned prefix_len = sig_prefix->len;
+    unsigned signed_msg_len;
+    uint8_t *signed_msg;
 
-  signed_msg_len = prefix_len + msg_len;
-  if (signed_msg_len < prefix_len) {
-    OPENSSL_PUT_ERROR(RSA, RSA_sign, RSA_R_TOO_LONG);
-    return 0;
-  }
+    signed_msg_len = prefix_len + msg_len;
+    if (signed_msg_len < prefix_len) {
+      OPENSSL_PUT_ERROR(RSA, pkcs1_prefixed_msg, RSA_R_TOO_LONG);
+      return 0;
+    }
 
-  signed_msg = OPENSSL_malloc(signed_msg_len);
-  if (!signed_msg) {
-    OPENSSL_PUT_ERROR(RSA, RSA_sign, ERR_R_MALLOC_FAILURE);
-    return 0;
-  }
+    signed_msg = OPENSSL_malloc(signed_msg_len);
+    if (!signed_msg) {
+      OPENSSL_PUT_ERROR(RSA, pkcs1_prefixed_msg, ERR_R_MALLOC_FAILURE);
+      return 0;
+    }
 
-  memcpy(signed_msg, prefix, prefix_len);
-  memcpy(signed_msg + prefix_len, msg, msg_len);
+    memcpy(signed_msg, prefix, prefix_len);
+    memcpy(signed_msg + prefix_len, msg, msg_len);
 
-  *out_msg = signed_msg;
-  *out_msg_len = signed_msg_len;
-  *is_alloced = 1;
+    *out_msg = signed_msg;
+    *out_msg_len = signed_msg_len;
+    *is_alloced = 1;
 
-  return 1;
+    return 1;
+  }
+
+  OPENSSL_PUT_ERROR(RSA, pkcs1_prefixed_msg, RSA_R_UNKNOWN_ALGORITHM_TYPE);
+  return 0;
 }
 
 int RSA_sign(int hash_nid, const uint8_t *in, unsigned in_len, uint8_t *out,
@@ -495,9 +486,7 @@ int RSA_verify(int hash_nid, const uint8_t *msg, size_t msg_len,
   ret = 1;
 
 out:
-  if (buf != NULL) {
-    OPENSSL_free(buf);
-  }
+  OPENSSL_free(buf);
   if (signed_msg_is_alloced) {
     OPENSSL_free(signed_msg);
   }
@@ -505,10 +494,6 @@ out:
 }
 
 static void bn_free_and_null(BIGNUM **bn) {
-  if (*bn == NULL) {
-    return;
-  }
-
   BN_free(*bn);
   *bn = NULL;
 }
diff --git a/src/crypto/rsa/rsa_error.c b/src/crypto/rsa/rsa_error.c
deleted file mode 100644
index 3c8ebe4..0000000
--- a/src/crypto/rsa/rsa_error.c
+++ /dev/null
@@ -1,95 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/rsa.h>
-
-const ERR_STRING_DATA RSA_error_string_data[] = {
-  {ERR_PACK(ERR_LIB_RSA, RSA_F_BN_BLINDING_convert_ex, 0), "BN_BLINDING_convert_ex"},
-  {ERR_PACK(ERR_LIB_RSA, RSA_F_BN_BLINDING_create_param, 0), "BN_BLINDING_create_param"},
-  {ERR_PACK(ERR_LIB_RSA, RSA_F_BN_BLINDING_invert_ex, 0), "BN_BLINDING_invert_ex"},
-  {ERR_PACK(ERR_LIB_RSA, RSA_F_BN_BLINDING_new, 0), "BN_BLINDING_new"},
-  {ERR_PACK(ERR_LIB_RSA, RSA_F_BN_BLINDING_update, 0), "BN_BLINDING_update"},
-  {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_check_key, 0), "RSA_check_key"},
-  {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_new_method, 0), "RSA_new_method"},
-  {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_padding_add_PKCS1_OAEP_mgf1, 0), "RSA_padding_add_PKCS1_OAEP_mgf1"},
-  {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_padding_add_PKCS1_PSS_mgf1, 0), "RSA_padding_add_PKCS1_PSS_mgf1"},
-  {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_padding_add_PKCS1_type_1, 0), "RSA_padding_add_PKCS1_type_1"},
-  {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_padding_add_PKCS1_type_2, 0), "RSA_padding_add_PKCS1_type_2"},
-  {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_padding_add_SSLv23, 0), "RSA_padding_add_SSLv23"},
-  {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_padding_add_none, 0), "RSA_padding_add_none"},
-  {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_padding_check_PKCS1_OAEP_mgf1, 0), "RSA_padding_check_PKCS1_OAEP_mgf1"},
-  {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_padding_check_PKCS1_type_1, 0), "RSA_padding_check_PKCS1_type_1"},
-  {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_padding_check_PKCS1_type_2, 0), "RSA_padding_check_PKCS1_type_2"},
-  {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_padding_check_SSLv23, 0), "RSA_padding_check_SSLv23"},
-  {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_padding_check_none, 0), "RSA_padding_check_none"},
-  {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_recover_crt_params, 0), "RSA_recover_crt_params"},
-  {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_sign, 0), "RSA_sign"},
-  {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_verify, 0), "RSA_verify"},
-  {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_verify_PKCS1_PSS_mgf1, 0), "RSA_verify_PKCS1_PSS_mgf1"},
-  {ERR_PACK(ERR_LIB_RSA, RSA_F_decrypt, 0), "decrypt"},
-  {ERR_PACK(ERR_LIB_RSA, RSA_F_encrypt, 0), "encrypt"},
-  {ERR_PACK(ERR_LIB_RSA, RSA_F_keygen, 0), "keygen"},
-  {ERR_PACK(ERR_LIB_RSA, RSA_F_pkcs1_prefixed_msg, 0), "pkcs1_prefixed_msg"},
-  {ERR_PACK(ERR_LIB_RSA, RSA_F_private_transform, 0), "private_transform"},
-  {ERR_PACK(ERR_LIB_RSA, RSA_F_rsa_setup_blinding, 0), "rsa_setup_blinding"},
-  {ERR_PACK(ERR_LIB_RSA, RSA_F_sign_raw, 0), "sign_raw"},
-  {ERR_PACK(ERR_LIB_RSA, RSA_F_verify_raw, 0), "verify_raw"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_BAD_E_VALUE), "BAD_E_VALUE"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_BAD_FIXED_HEADER_DECRYPT), "BAD_FIXED_HEADER_DECRYPT"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_BAD_PAD_BYTE_COUNT), "BAD_PAD_BYTE_COUNT"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_BAD_RSA_PARAMETERS), "BAD_RSA_PARAMETERS"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_BAD_SIGNATURE), "BAD_SIGNATURE"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_BLOCK_TYPE_IS_NOT_01), "BLOCK_TYPE_IS_NOT_01"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_BLOCK_TYPE_IS_NOT_02), "BLOCK_TYPE_IS_NOT_02"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_BN_NOT_INITIALIZED), "BN_NOT_INITIALIZED"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_CRT_PARAMS_ALREADY_GIVEN), "CRT_PARAMS_ALREADY_GIVEN"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_CRT_VALUES_INCORRECT), "CRT_VALUES_INCORRECT"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN), "DATA_LEN_NOT_EQUAL_TO_MOD_LEN"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_DATA_TOO_LARGE), "DATA_TOO_LARGE"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE), "DATA_TOO_LARGE_FOR_KEY_SIZE"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_DATA_TOO_LARGE_FOR_MODULUS), "DATA_TOO_LARGE_FOR_MODULUS"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_DATA_TOO_SMALL), "DATA_TOO_SMALL"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE), "DATA_TOO_SMALL_FOR_KEY_SIZE"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY), "DIGEST_TOO_BIG_FOR_RSA_KEY"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_D_E_NOT_CONGRUENT_TO_1), "D_E_NOT_CONGRUENT_TO_1"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_EMPTY_PUBLIC_KEY), "EMPTY_PUBLIC_KEY"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_FIRST_OCTET_INVALID), "FIRST_OCTET_INVALID"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_INCONSISTENT_SET_OF_CRT_VALUES), "INCONSISTENT_SET_OF_CRT_VALUES"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_INTERNAL_ERROR), "INTERNAL_ERROR"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_INVALID_MESSAGE_LENGTH), "INVALID_MESSAGE_LENGTH"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_KEY_SIZE_TOO_SMALL), "KEY_SIZE_TOO_SMALL"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_LAST_OCTET_INVALID), "LAST_OCTET_INVALID"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MODULUS_TOO_LARGE), "MODULUS_TOO_LARGE"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NO_PUBLIC_EXPONENT), "NO_PUBLIC_EXPONENT"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NULL_BEFORE_BLOCK_MISSING), "NULL_BEFORE_BLOCK_MISSING"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_N_NOT_EQUAL_P_Q), "N_NOT_EQUAL_P_Q"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OAEP_DECODING_ERROR), "OAEP_DECODING_ERROR"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_ONLY_ONE_OF_P_Q_GIVEN), "ONLY_ONE_OF_P_Q_GIVEN"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OUTPUT_BUFFER_TOO_SMALL), "OUTPUT_BUFFER_TOO_SMALL"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_PADDING_CHECK_FAILED), "PADDING_CHECK_FAILED"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_PKCS_DECODING_ERROR), "PKCS_DECODING_ERROR"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_SLEN_CHECK_FAILED), "SLEN_CHECK_FAILED"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_SLEN_RECOVERY_FAILED), "SLEN_RECOVERY_FAILED"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_SSLV3_ROLLBACK_ATTACK), "SSLV3_ROLLBACK_ATTACK"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD), "THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_TOO_LONG), "TOO_LONG"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_TOO_MANY_ITERATIONS), "TOO_MANY_ITERATIONS"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNKNOWN_ALGORITHM_TYPE), "UNKNOWN_ALGORITHM_TYPE"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNKNOWN_PADDING_TYPE), "UNKNOWN_PADDING_TYPE"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_VALUE_MISSING), "VALUE_MISSING"},
-  {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_WRONG_SIGNATURE_LENGTH), "WRONG_SIGNATURE_LENGTH"},
-  {0, NULL},
-};
diff --git a/src/crypto/rsa/rsa_impl.c b/src/crypto/rsa/rsa_impl.c
index d950d50..e14f0f5 100644
--- a/src/crypto/rsa/rsa_impl.c
+++ b/src/crypto/rsa/rsa_impl.c
@@ -61,8 +61,10 @@
 #include <openssl/bn.h>
 #include <openssl/err.h>
 #include <openssl/mem.h>
+#include <openssl/thread.h>
 
 #include "internal.h"
+#include "../internal.h"
 
 
 #define OPENSSL_RSA_MAX_MODULUS_BITS 16384
@@ -72,15 +74,9 @@
 
 
 static int finish(RSA *rsa) {
-  if (rsa->_method_mod_n != NULL) {
-    BN_MONT_CTX_free(rsa->_method_mod_n);
-  }
-  if (rsa->_method_mod_p != NULL) {
-    BN_MONT_CTX_free(rsa->_method_mod_p);
-  }
-  if (rsa->_method_mod_q != NULL) {
-    BN_MONT_CTX_free(rsa->_method_mod_q);
-  }
+  BN_MONT_CTX_free(rsa->_method_mod_n);
+  BN_MONT_CTX_free(rsa->_method_mod_p);
+  BN_MONT_CTX_free(rsa->_method_mod_q);
 
   return 1;
 }
@@ -165,13 +161,14 @@ static int encrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
   }
 
   if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {
-    if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n,
-                                ctx)) {
+    if (BN_MONT_CTX_set_locked(&rsa->_method_mod_n, &rsa->lock, rsa->n, ctx) ==
+        NULL) {
       goto err;
     }
   }
 
-  if (!rsa->meth->bn_mod_exp(result, f, rsa->e, rsa->n, ctx, rsa->_method_mod_n)) {
+  if (!rsa->meth->bn_mod_exp(result, f, rsa->e, rsa->n, ctx,
+                             rsa->_method_mod_n)) {
     goto err;
   }
 
@@ -217,37 +214,20 @@ static BN_BLINDING *rsa_blinding_get(RSA *rsa, unsigned *index_used,
   uint8_t *new_blindings_inuse;
   char overflow = 0;
 
-  CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
-  if (rsa->num_blindings > 0) {
-    unsigned i, starting_index;
-    CRYPTO_THREADID threadid;
-
-    /* We start searching the array at a value based on the
-     * threadid in order to try avoid bouncing the BN_BLINDING
-     * values around different threads. It's harmless if
-     * threadid.val is always set to zero. */
-    CRYPTO_THREADID_current(&threadid);
-    starting_index = threadid.val % rsa->num_blindings;
-
-    for (i = starting_index;;) {
-      if (rsa->blindings_inuse[i] == 0) {
-        rsa->blindings_inuse[i] = 1;
-        ret = rsa->blindings[i];
-        *index_used = i;
-        break;
-      }
-      i++;
-      if (i == rsa->num_blindings) {
-        i = 0;
-      }
-      if (i == starting_index) {
-        break;
-      }
+  CRYPTO_MUTEX_lock_write(&rsa->lock);
+
+  unsigned i;
+  for (i = 0; i < rsa->num_blindings; i++) {
+    if (rsa->blindings_inuse[i] == 0) {
+      rsa->blindings_inuse[i] = 1;
+      ret = rsa->blindings[i];
+      *index_used = i;
+      break;
     }
   }
 
   if (ret != NULL) {
-    CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
+    CRYPTO_MUTEX_unlock(&rsa->lock);
     return ret;
   }
 
@@ -256,7 +236,7 @@ static BN_BLINDING *rsa_blinding_get(RSA *rsa, unsigned *index_used,
   /* We didn't find a free BN_BLINDING to use so increase the length of
    * the arrays by one and use the newly created element. */
 
-  CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
+  CRYPTO_MUTEX_unlock(&rsa->lock);
   ret = rsa_setup_blinding(rsa, ctx);
   if (ret == NULL) {
     return NULL;
@@ -269,7 +249,7 @@ static BN_BLINDING *rsa_blinding_get(RSA *rsa, unsigned *index_used,
     return ret;
   }
 
-  CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
+  CRYPTO_MUTEX_lock_write(&rsa->lock);
 
   new_blindings =
       OPENSSL_malloc(sizeof(BN_BLINDING *) * (rsa->num_blindings + 1));
@@ -288,24 +268,20 @@ static BN_BLINDING *rsa_blinding_get(RSA *rsa, unsigned *index_used,
   new_blindings_inuse[rsa->num_blindings] = 1;
   *index_used = rsa->num_blindings;
 
-  if (rsa->blindings != NULL) {
-    OPENSSL_free(rsa->blindings);
-  }
+  OPENSSL_free(rsa->blindings);
   rsa->blindings = new_blindings;
-  if (rsa->blindings_inuse != NULL) {
-    OPENSSL_free(rsa->blindings_inuse);
-  }
+  OPENSSL_free(rsa->blindings_inuse);
   rsa->blindings_inuse = new_blindings_inuse;
   rsa->num_blindings++;
 
-  CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
+  CRYPTO_MUTEX_unlock(&rsa->lock);
   return ret;
 
 err2:
   OPENSSL_free(new_blindings);
 
 err1:
-  CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
+  CRYPTO_MUTEX_unlock(&rsa->lock);
   BN_BLINDING_free(ret);
   return NULL;
 }
@@ -320,9 +296,9 @@ static void rsa_blinding_release(RSA *rsa, BN_BLINDING *blinding,
     return;
   }
 
-  CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
+  CRYPTO_MUTEX_lock_write(&rsa->lock);
   rsa->blindings_inuse[blinding_index] = 0;
-  CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
+  CRYPTO_MUTEX_unlock(&rsa->lock);
 }
 
 /* signing */
@@ -360,8 +336,7 @@ static int sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
   }
 
   if (!RSA_private_transform(rsa, out, buf, rsa_size)) {
-      OPENSSL_PUT_ERROR(RSA, sign_raw, ERR_R_INTERNAL_ERROR);
-      goto err;
+    goto err;
   }
 
   *out_len = rsa_size;
@@ -400,7 +375,6 @@ static int decrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
   }
 
   if (!RSA_private_transform(rsa, buf, in, rsa_size)) {
-    OPENSSL_PUT_ERROR(RSA, decrypt, ERR_R_INTERNAL_ERROR);
     goto err;
   }
 
@@ -497,8 +471,8 @@ static int verify_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
   }
 
   if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {
-    if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n,
-                                ctx)) {
+    if (BN_MONT_CTX_set_locked(&rsa->_method_mod_n, &rsa->lock, rsa->n, ctx) ==
+        NULL) {
       goto err;
     }
   }
@@ -601,8 +575,8 @@ static int private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,
     BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
 
     if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {
-      if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n,
-                                  ctx)) {
+      if (BN_MONT_CTX_set_locked(&rsa->_method_mod_n, &rsa->lock, rsa->n,
+                                 ctx) == NULL) {
         goto err;
       }
     }
@@ -663,18 +637,20 @@ static int mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) {
     BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
 
     if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
-      if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx)) {
+      if (BN_MONT_CTX_set_locked(&rsa->_method_mod_p, &rsa->lock, p, ctx) ==
+          NULL) {
         goto err;
       }
-      if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx)) {
+      if (BN_MONT_CTX_set_locked(&rsa->_method_mod_q, &rsa->lock, q, ctx) ==
+          NULL) {
         goto err;
       }
     }
   }
 
   if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {
-    if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n,
-                                ctx)) {
+    if (BN_MONT_CTX_set_locked(&rsa->_method_mod_n, &rsa->lock, rsa->n, ctx) ==
+        NULL) {
       goto err;
     }
   }
@@ -814,65 +790,79 @@ static int keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) {
   bitsq = bits - bitsp;
 
   /* We need the RSA components non-NULL */
-  if (!rsa->n && ((rsa->n = BN_new()) == NULL))
+  if (!rsa->n && ((rsa->n = BN_new()) == NULL)) {
     goto err;
-  if (!rsa->d && ((rsa->d = BN_new()) == NULL))
+  }
+  if (!rsa->d && ((rsa->d = BN_new()) == NULL)) {
     goto err;
-  if (!rsa->e && ((rsa->e = BN_new()) == NULL))
+  }
+  if (!rsa->e && ((rsa->e = BN_new()) == NULL)) {
     goto err;
-  if (!rsa->p && ((rsa->p = BN_new()) == NULL))
+  }
+  if (!rsa->p && ((rsa->p = BN_new()) == NULL)) {
     goto err;
-  if (!rsa->q && ((rsa->q = BN_new()) == NULL))
+  }
+  if (!rsa->q && ((rsa->q = BN_new()) == NULL)) {
     goto err;
-  if (!rsa->dmp1 && ((rsa->dmp1 = BN_new()) == NULL))
+  }
+  if (!rsa->dmp1 && ((rsa->dmp1 = BN_new()) == NULL)) {
     goto err;
-  if (!rsa->dmq1 && ((rsa->dmq1 = BN_new()) == NULL))
+  }
+  if (!rsa->dmq1 && ((rsa->dmq1 = BN_new()) == NULL)) {
     goto err;
-  if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL))
+  }
+  if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL)) {
     goto err;
+  }
 
   BN_copy(rsa->e, e_value);
 
   /* generate p and q */
   for (;;) {
-    if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
-      goto err;
-    if (!BN_sub(r2, rsa->p, BN_value_one()))
-      goto err;
-    if (!BN_gcd(r1, r2, rsa->e, ctx))
+    if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb) ||
+        !BN_sub(r2, rsa->p, BN_value_one()) ||
+        !BN_gcd(r1, r2, rsa->e, ctx)) {
       goto err;
-    if (BN_is_one(r1))
+    }
+    if (BN_is_one(r1)) {
       break;
-    if (!BN_GENCB_call(cb, 2, n++))
+    }
+    if (!BN_GENCB_call(cb, 2, n++)) {
       goto err;
+    }
   }
-  if (!BN_GENCB_call(cb, 3, 0))
+  if (!BN_GENCB_call(cb, 3, 0)) {
     goto err;
+  }
   for (;;) {
     /* When generating ridiculously small keys, we can get stuck
      * continually regenerating the same prime values. Check for
      * this and bail if it happens 3 times. */
     unsigned int degenerate = 0;
     do {
-      if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
+      if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb)) {
         goto err;
+      }
     } while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));
     if (degenerate == 3) {
       ok = 0; /* we set our own err */
       OPENSSL_PUT_ERROR(RSA, keygen, RSA_R_KEY_SIZE_TOO_SMALL);
       goto err;
     }
-    if (!BN_sub(r2, rsa->q, BN_value_one()))
-      goto err;
-    if (!BN_gcd(r1, r2, rsa->e, ctx))
+    if (!BN_sub(r2, rsa->q, BN_value_one()) ||
+        !BN_gcd(r1, r2, rsa->e, ctx)) {
       goto err;
-    if (BN_is_one(r1))
+    }
+    if (BN_is_one(r1)) {
       break;
-    if (!BN_GENCB_call(cb, 2, n++))
+    }
+    if (!BN_GENCB_call(cb, 2, n++)) {
       goto err;
+    }
   }
-  if (!BN_GENCB_call(cb, 3, 1))
+  if (!BN_GENCB_call(cb, 3, 1)) {
     goto err;
+  }
   if (BN_cmp(rsa->p, rsa->q) < 0) {
     tmp = rsa->p;
     rsa->p = rsa->q;
@@ -880,39 +870,47 @@ static int keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) {
   }
 
   /* calculate n */
-  if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx))
+  if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx)) {
     goto err;
+  }
 
   /* calculate d */
-  if (!BN_sub(r1, rsa->p, BN_value_one()))
+  if (!BN_sub(r1, rsa->p, BN_value_one())) {
     goto err; /* p-1 */
-  if (!BN_sub(r2, rsa->q, BN_value_one()))
+  }
+  if (!BN_sub(r2, rsa->q, BN_value_one())) {
     goto err; /* q-1 */
-  if (!BN_mul(r0, r1, r2, ctx))
+  }
+  if (!BN_mul(r0, r1, r2, ctx)) {
     goto err; /* (p-1)(q-1) */
+  }
   pr0 = &local_r0;
   BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
-  if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx))
+  if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) {
     goto err; /* d */
+  }
 
   /* set up d for correct BN_FLG_CONSTTIME flag */
   d = &local_d;
   BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
 
   /* calculate d mod (p-1) */
-  if (!BN_mod(rsa->dmp1, d, r1, ctx))
+  if (!BN_mod(rsa->dmp1, d, r1, ctx)) {
     goto err;
+  }
 
   /* calculate d mod (q-1) */
-  if (!BN_mod(rsa->dmq1, d, r2, ctx))
+  if (!BN_mod(rsa->dmq1, d, r2, ctx)) {
     goto err;
+  }
 
   /* calculate inverse of q mod p */
   p = &local_p;
   BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
 
-  if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx))
+  if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) {
     goto err;
+  }
 
   ok = 1;
 
diff --git a/src/crypto/rsa/rsa_test.c b/src/crypto/rsa/rsa_test.c
index 75489e0..318cf3f 100644
--- a/src/crypto/rsa/rsa_test.c
+++ b/src/crypto/rsa/rsa_test.c
@@ -56,9 +56,9 @@
 
 #include <openssl/rsa.h>
 
+#include <stdlib.h>
 #include <string.h>
 
-#include <openssl/bio.h>
 #include <openssl/bn.h>
 #include <openssl/crypto.h>
 #include <openssl/err.h>
@@ -249,13 +249,13 @@ static int test_bad_key(void) {
 
   if (!RSA_generate_key_ex(key, 512, &e, NULL)) {
     fprintf(stderr, "RSA_generate_key_ex failed.\n");
-    BIO_print_errors_fp(stderr);
+    ERR_print_errors_fp(stderr);
     return 0;
   }
 
   if (!BN_add(key->p, key->p, BN_value_one())) {
     fprintf(stderr, "BN error.\n");
-    BIO_print_errors_fp(stderr);
+    ERR_print_errors_fp(stderr);
     return 0;
   }
 
@@ -292,19 +292,21 @@ static int test_only_d_given(void) {
 
   if (!RSA_check_key(key)) {
     fprintf(stderr, "RSA_check_key failed with only d given.\n");
-    BIO_print_errors_fp(stderr);
+    ERR_print_errors_fp(stderr);
     goto err;
   }
 
-  if (!RSA_sign(NID_md5, kDummyHash, sizeof(kDummyHash), buf, &buf_len, key)) {
+  if (!RSA_sign(NID_sha256, kDummyHash, sizeof(kDummyHash), buf, &buf_len,
+                key)) {
     fprintf(stderr, "RSA_sign failed with only d given.\n");
-    BIO_print_errors_fp(stderr);
+    ERR_print_errors_fp(stderr);
     goto err;
   }
 
-  if (!RSA_verify(NID_md5, kDummyHash, sizeof(kDummyHash), buf, buf_len, key)) {
+  if (!RSA_verify(NID_sha256, kDummyHash, sizeof(kDummyHash), buf, buf_len,
+                  key)) {
     fprintf(stderr, "RSA_verify failed with only d given.\n");
-    BIO_print_errors_fp(stderr);
+    ERR_print_errors_fp(stderr);
     goto err;
   }
 
@@ -331,13 +333,13 @@ static int test_recover_crt_params(void) {
     key1 = RSA_new();
     if (!RSA_generate_key_ex(key1, 512, e, NULL)) {
       fprintf(stderr, "RSA_generate_key_ex failed.\n");
-      BIO_print_errors_fp(stderr);
+      ERR_print_errors_fp(stderr);
       return 0;
     }
 
     if (!RSA_check_key(key1)) {
       fprintf(stderr, "RSA_check_key failed with original key.\n");
-      BIO_print_errors_fp(stderr);
+      ERR_print_errors_fp(stderr);
       return 0;
     }
 
@@ -349,7 +351,7 @@ static int test_recover_crt_params(void) {
 
     if (!RSA_recover_crt_params(key2)) {
       fprintf(stderr, "RSA_recover_crt_params failed.\n");
-      BIO_print_errors_fp(stderr);
+      ERR_print_errors_fp(stderr);
       return 0;
     }
 
@@ -359,21 +361,21 @@ static int test_recover_crt_params(void) {
 
     if (!RSA_check_key(key2)) {
       fprintf(stderr, "RSA_check_key failed with recovered key.\n");
-      BIO_print_errors_fp(stderr);
+      ERR_print_errors_fp(stderr);
       return 0;
     }
 
-    if (!RSA_sign(NID_md5, kDummyHash, sizeof(kDummyHash), buf, &buf_len,
+    if (!RSA_sign(NID_sha256, kDummyHash, sizeof(kDummyHash), buf, &buf_len,
                   key2)) {
       fprintf(stderr, "RSA_sign failed with recovered key.\n");
-      BIO_print_errors_fp(stderr);
+      ERR_print_errors_fp(stderr);
       return 0;
     }
 
-    if (!RSA_verify(NID_md5, kDummyHash, sizeof(kDummyHash), buf, buf_len,
+    if (!RSA_verify(NID_sha256, kDummyHash, sizeof(kDummyHash), buf, buf_len,
                     key2)) {
       fprintf(stderr, "RSA_verify failed with recovered key.\n");
-      BIO_print_errors_fp(stderr);
+      ERR_print_errors_fp(stderr);
       return 0;
     }
 
@@ -478,8 +480,9 @@ int main(int argc, char *argv[]) {
       int b;
       unsigned char saved = ctext[n];
       for (b = 0; b < 256; ++b) {
-        if (b == saved)
+        if (b == saved) {
           continue;
+        }
         ctext[n] = b;
         num =
             RSA_private_decrypt(num, ctext, ptext, key, RSA_PKCS1_OAEP_PADDING);
diff --git a/src/crypto/sha/asm/sha1-586.pl b/src/crypto/sha/asm/sha1-586.pl
index 8377299..4895eb3 100644
--- a/src/crypto/sha/asm/sha1-586.pl
+++ b/src/crypto/sha/asm/sha1-586.pl
@@ -450,7 +450,7 @@ sub sha1msg2	{ sha1op38(0xca,@_); }
 	&sub	("esp",32);
 
 	&movdqu	($ABCD,&QWP(0,$ctx));
-	&movd	($E,&QWP(16,$ctx));
+	&movd	($E,&DWP(16,$ctx));
 	&and	("esp",-32);
 	&movdqa	($BSWAP,&QWP(0x50,$tmp1));	# byte-n-word swap
 
diff --git a/src/crypto/sha/asm/sha1-armv4-large.pl b/src/crypto/sha/asm/sha1-armv4-large.pl
index 1ffa041..a20d336 100644
--- a/src/crypto/sha/asm/sha1-armv4-large.pl
+++ b/src/crypto/sha/asm/sha1-armv4-large.pl
@@ -60,14 +60,28 @@
 # is ~2.5x larger and there are some redundant instructions executed
 # when processing last block, improvement is not as big for smallest
 # blocks, only ~30%. Snapdragon S4 is a tad faster, 6.4 cycles per
-# byte, which is also >80% faster than integer-only code.
+# byte, which is also >80% faster than integer-only code. Cortex-A15
+# is even faster spending 5.6 cycles per byte outperforming integer-
+# only code by factor of 2.
 
 # May 2014.
 #
 # Add ARMv8 code path performing at 2.35 cpb on Apple A7.
 
-while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {}
-open STDOUT,">$output";
+$flavour = shift;
+if ($flavour=~/^\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; }
+else { while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} }
+
+if ($flavour && $flavour ne "void") {
+    $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+    ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
+    ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
+    die "can't locate arm-xlate.pl";
+
+    open STDOUT,"| \"$^X\" $xlate $flavour $output";
+} else {
+    open STDOUT,">$output";
+}
 
 $ctx="r0";
 $inp="r1";
@@ -178,6 +192,9 @@ sha1_block_data_order:
 	sub	r3,pc,#8		@ sha1_block_data_order
 	ldr	r12,.LOPENSSL_armcap
 	ldr	r12,[r3,r12]		@ OPENSSL_armcap_P
+#ifdef	__APPLE__
+	ldr	r12,[r12]
+#endif
 	tst	r12,#ARMV8_SHA1
 	bne	.LARMv8
 	tst	r12,#ARMV7_NEON
diff --git a/src/crypto/sha/asm/sha1-armv8.pl b/src/crypto/sha/asm/sha1-armv8.pl
index deb1238..a8c08c2 100644
--- a/src/crypto/sha/asm/sha1-armv8.pl
+++ b/src/crypto/sha/asm/sha1-armv8.pl
@@ -14,13 +14,25 @@
 #
 #		hardware-assisted	software(*)
 # Apple A7	2.31			4.13 (+14%)
-# Cortex-A53	2.19			8.73 (+108%)
+# Cortex-A53	2.24			8.03 (+97%)
 # Cortex-A57	2.35			7.88 (+74%)
+# Denver	2.13			3.97 (+0%)(**)
+# X-Gene				8.80 (+200%)
 #
 # (*)	Software results are presented mostly for reference purposes.
+# (**)	Keep in mind that Denver relies on binary translation, which
+#	optimizes compiler output at run-time.
 
 $flavour = shift;
-open STDOUT,">".shift;
+$output  = shift;
+
+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
+( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
+die "can't locate arm-xlate.pl";
+
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
 
 ($ctx,$inp,$num)=("x0","x1","x2");
 @Xw=map("w$_",(3..17,19));
@@ -154,6 +166,7 @@ $code.=<<___;
 
 .text
 
+.extern	OPENSSL_armcap_P
 .globl	sha1_block_data_order
 .type	sha1_block_data_order,%function
 .align	6
diff --git a/src/crypto/sha/asm/sha256-armv4.pl b/src/crypto/sha/asm/sha256-armv4.pl
index 398376e..778c3d9 100644
--- a/src/crypto/sha/asm/sha256-armv4.pl
+++ b/src/crypto/sha/asm/sha256-armv4.pl
@@ -5,6 +5,8 @@
 # project. The module is, however, dual licensed under OpenSSL and
 # CRYPTOGAMS licenses depending on where you obtain it. For further
 # details see http://www.openssl.org/~appro/cryptogams/.
+#
+# Permission to use under GPL terms is granted.
 # ====================================================================
 
 # SHA256 block procedure for ARMv4. May 2007.
@@ -35,8 +37,20 @@
 #
 # Add ARMv8 code path performing at 2.0 cpb on Apple A7.
 
-while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {}
-open STDOUT,">$output";
+$flavour = shift;
+if ($flavour=~/^\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; }
+else { while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} }
+
+if ($flavour && $flavour ne "void") {
+    $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+    ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
+    ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
+    die "can't locate arm-xlate.pl";
+
+    open STDOUT,"| \"$^X\" $xlate $flavour $output";
+} else {
+    open STDOUT,">$output";
+}
 
 $ctx="r0";	$t0="r0";
 $inp="r1";	$t4="r1";
@@ -71,7 +85,9 @@ $code.=<<___ if ($i<16);
 	eor	$t0,$e,$e,ror#`$Sigma1[1]-$Sigma1[0]`
 	add	$a,$a,$t2			@ h+=Maj(a,b,c) from the past
 	eor	$t0,$t0,$e,ror#`$Sigma1[2]-$Sigma1[0]`	@ Sigma1(e)
+# ifndef __ARMEB__
 	rev	$t1,$t1
+# endif
 #else
 	@ ldrb	$t1,[$inp,#3]			@ $i
 	add	$a,$a,$t2			@ h+=Maj(a,b,c) from the past
@@ -151,10 +167,25 @@ ___
 }
 
 $code=<<___;
-#include "arm_arch.h"
+#ifndef __KERNEL__
+# include "arm_arch.h"
+#else
+# define __ARM_ARCH__ __LINUX_ARM_ARCH__
+# define __ARM_MAX_ARCH__ 7
+#endif
 
 .text
+#if __ARM_ARCH__<7
 .code	32
+#else
+.syntax unified
+# if defined(__thumb2__) && !defined(__APPLE__)
+#  define adrl adr
+.thumb
+# else
+.code   32
+# endif
+#endif
 
 .type	K256,%object
 .align	5
@@ -177,25 +208,33 @@ K256:
 .word	0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2
 .size	K256,.-K256
 .word	0				@ terminator
-#if __ARM_MAX_ARCH__>=7
+#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
 .LOPENSSL_armcap:
-.word	OPENSSL_armcap_P-sha256_block_data_order
+.word	OPENSSL_armcap_P-.Lsha256_block_data_order
 #endif
 .align	5
 
 .global	sha256_block_data_order
 .type	sha256_block_data_order,%function
 sha256_block_data_order:
+.Lsha256_block_data_order:
+#if __ARM_ARCH__<7
 	sub	r3,pc,#8		@ sha256_block_data_order
-	add	$len,$inp,$len,lsl#6	@ len to point at the end of inp
-#if __ARM_MAX_ARCH__>=7
+#else
+	adr	r3,sha256_block_data_order
+#endif
+#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
 	ldr	r12,.LOPENSSL_armcap
 	ldr	r12,[r3,r12]		@ OPENSSL_armcap_P
+#ifdef	__APPLE__
+	ldr	r12,[r12]
+#endif
 	tst	r12,#ARMV8_SHA256
 	bne	.LARMv8
 	tst	r12,#ARMV7_NEON
 	bne	.LNEON
 #endif
+	add	$len,$inp,$len,lsl#6	@ len to point at the end of inp
 	stmdb	sp!,{$ctx,$inp,$len,r4-r11,lr}
 	ldmia	$ctx,{$A,$B,$C,$D,$E,$F,$G,$H}
 	sub	$Ktbl,r3,#256+32	@ K256
@@ -213,6 +252,9 @@ for($i=0;$i<16;$i++)	{ &BODY_00_15($i,@V); unshift(@V,pop(@V)); }
 $code.=".Lrounds_16_xx:\n";
 for (;$i<32;$i++)	{ &BODY_16_XX($i,@V); unshift(@V,pop(@V)); }
 $code.=<<___;
+#if __ARM_ARCH__>=7
+	ite	eq			@ Thumb2 thing, sanity check in ARM
+#endif
 	ldreq	$t3,[sp,#16*4]		@ pull ctx
 	bne	.Lrounds_16_xx
 
@@ -429,16 +471,19 @@ $code.=<<___;
 .arch	armv7-a
 .fpu	neon
 
+.global	sha256_block_data_order_neon
 .type	sha256_block_data_order_neon,%function
 .align	4
 sha256_block_data_order_neon:
 .LNEON:
 	stmdb	sp!,{r4-r12,lr}
 
+	sub	$H,sp,#16*4+16
+	adr	$Ktbl,K256
+	bic	$H,$H,#15		@ align for 128-bit stores
 	mov	$t2,sp
-	sub	sp,sp,#16*4+16		@ alloca
-	sub	$Ktbl,r3,#256+32	@ K256
-	bic	sp,sp,#15		@ align for 128-bit stores
+	mov	sp,$H			@ alloca
+	add	$len,$inp,$len,lsl#6	@ len to point at the end of inp
 
 	vld1.8		{@X[0]},[$inp]!
 	vld1.8		{@X[1]},[$inp]!
@@ -490,11 +535,13 @@ $code.=<<___;
 	ldr		$t0,[sp,#72]
 	sub		$Ktbl,$Ktbl,#256	@ rewind $Ktbl
 	teq		$inp,$t0
+	it		eq
 	subeq		$inp,$inp,#64		@ avoid SEGV
 	vld1.8		{@X[0]},[$inp]!		@ load next input block
 	vld1.8		{@X[1]},[$inp]!
 	vld1.8		{@X[2]},[$inp]!
 	vld1.8		{@X[3]},[$inp]!
+	it		ne
 	strne		$inp,[sp,#68]
 	mov		$Xfer,sp
 ___
@@ -526,10 +573,12 @@ $code.=<<___;
 	str	$D,[$t1],#4
 	stmia	$t1,{$E-$H}
 
+	ittte	ne
 	movne	$Xfer,sp
 	ldrne	$t1,[sp,#0]
 	eorne	$t2,$t2,$t2
 	ldreq	sp,[sp,#76]			@ restore original sp
+	itt	ne
 	eorne	$t3,$B,$C
 	bne	.L_00_48
 
@@ -548,13 +597,28 @@ my ($W0,$W1,$ABCD_SAVE,$EFGH_SAVE)=map("q$_",(12..15));
 my $Ktbl="r3";
 
 $code.=<<___;
-#if __ARM_MAX_ARCH__>=7
+#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
+
+# if defined(__thumb2__) && !defined(__APPLE__)
+#  define INST(a,b,c,d)	.byte	c,d|0xc,a,b
+# else
+#  define INST(a,b,c,d)	.byte	a,b,c,d
+# endif
+
 .type	sha256_block_data_order_armv8,%function
 .align	5
 sha256_block_data_order_armv8:
 .LARMv8:
 	vld1.32	{$ABCD,$EFGH},[$ctx]
-	sub	$Ktbl,r3,#sha256_block_data_order-K256
+# ifdef	__APPLE__
+	sub	$Ktbl,$Ktbl,#256+32
+# elif	defined(__thumb2__)
+	adr	$Ktbl,.LARMv8
+	sub	$Ktbl,$Ktbl,#.LARMv8-K256
+# else
+	adrl	$Ktbl,K256
+# endif
+	add	$len,$inp,$len,lsl#6	@ len to point at the end of inp
 
 .Loop_v8:
 	vld1.8		{@MSG[0]-@MSG[1]},[$inp]!
@@ -607,6 +671,7 @@ $code.=<<___;
 
 	vadd.i32	$ABCD,$ABCD,$ABCD_SAVE
 	vadd.i32	$EFGH,$EFGH,$EFGH_SAVE
+	it		ne
 	bne		.Loop_v8
 
 	vst1.32		{$ABCD,$EFGH},[$ctx]
@@ -619,12 +684,20 @@ ___
 $code.=<<___;
 .asciz  "SHA256 block transform for ARMv4/NEON/ARMv8, CRYPTOGAMS by <appro\@openssl.org>"
 .align	2
-#if __ARM_MAX_ARCH__>=7
+#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
 .comm   OPENSSL_armcap_P,4,4
 .hidden OPENSSL_armcap_P
 #endif
 ___
 
+open SELF,$0;
+while(<SELF>) {
+	next if (/^#!/);
+	last if (!s/^#/@/ and !/^$/);
+	print;
+}
+close SELF;
+
 {   my  %opcode = (
 	"sha256h"	=> 0xf3000c40,	"sha256h2"	=> 0xf3100c40,
 	"sha256su0"	=> 0xf3ba03c0,	"sha256su1"	=> 0xf3200c40	);
@@ -639,7 +712,7 @@ ___
 	    # since ARMv7 instructions are always encoded little-endian.
 	    # correct solution is to use .inst directive, but older
 	    # assemblers don't implement it:-(
-	    sprintf ".byte\t0x%02x,0x%02x,0x%02x,0x%02x\t@ %s %s",
+	    sprintf "INST(0x%02x,0x%02x,0x%02x,0x%02x)\t@ %s %s",
 			$word&0xff,($word>>8)&0xff,
 			($word>>16)&0xff,($word>>24)&0xff,
 			$mnemonic,$arg;
diff --git a/src/crypto/sha/asm/sha512-armv4.pl b/src/crypto/sha/asm/sha512-armv4.pl
index bfe28c4..2964a39 100644
--- a/src/crypto/sha/asm/sha512-armv4.pl
+++ b/src/crypto/sha/asm/sha512-armv4.pl
@@ -5,6 +5,8 @@
 # project. The module is, however, dual licensed under OpenSSL and
 # CRYPTOGAMS licenses depending on where you obtain it. For further
 # details see http://www.openssl.org/~appro/cryptogams/.
+#
+# Permission to use under GPL terms is granted.
 # ====================================================================
 
 # SHA512 block procedure for ARMv4. September 2007.
@@ -34,16 +36,9 @@
 # terms it's 22.6 cycles per byte, which is disappointing result.
 # Technical writers asserted that 3-way S4 pipeline can sustain
 # multiple NEON instructions per cycle, but dual NEON issue could
-# not be observed, and for NEON-only sequences IPC(*) was found to
-# be limited by 1:-( 0.33 and 0.66 were measured for sequences with
-# ILPs(*) of 1 and 2 respectively. This in turn means that you can
-# even find yourself striving, as I did here, for achieving IPC
-# adequate to one delivered by Cortex A8 [for reference, it's
-# 0.5 for ILP of 1, and 1 for higher ILPs].
-#
-# (*) ILP, instruction-level parallelism, how many instructions
-#     *can* execute at the same time. IPC, instructions per cycle,
-#     indicates how many instructions actually execute.
+# not be observed, see http://www.openssl.org/~appro/Snapdragon-S4.html
+# for further details. On side note Cortex-A15 processes one byte in
+# 16 cycles.
 
 # Byte order [in]dependence. =========================================
 #
@@ -55,8 +50,20 @@ $hi="HI";
 $lo="LO";
 # ====================================================================
 
-while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {}
-open STDOUT,">$output";
+$flavour = shift;
+if ($flavour=~/^\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; }
+else { while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} }
+
+if ($flavour && $flavour ne "void") {
+    $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+    ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
+    ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
+    die "can't locate arm-xlate.pl";
+
+    open STDOUT,"| \"$^X\" $xlate $flavour $output";
+} else {
+    open STDOUT,">$output";
+}
 
 $ctx="r0";	# parameter block
 $inp="r1";
@@ -143,6 +150,9 @@ $code.=<<___;
 	teq	$t0,#$magic
 
 	ldr	$t3,[sp,#$Coff+0]	@ c.lo
+#if __ARM_ARCH__>=7
+	it	eq			@ Thumb2 thing, sanity check in ARM
+#endif
 	orreq	$Ktbl,$Ktbl,#1
 	@ Sigma0(x)	(ROTR((x),28) ^ ROTR((x),34) ^ ROTR((x),39))
 	@ LO		lo>>28^hi<<4  ^ hi>>2^lo<<30 ^ hi>>7^lo<<25
@@ -180,7 +190,17 @@ $code.=<<___;
 ___
 }
 $code=<<___;
-#include "arm_arch.h"
+#ifndef __KERNEL__
+# include "arm_arch.h"
+# define VFP_ABI_PUSH	vstmdb	sp!,{d8-d15}
+# define VFP_ABI_POP	vldmia	sp!,{d8-d15}
+#else
+# define __ARM_ARCH__ __LINUX_ARM_ARCH__
+# define __ARM_MAX_ARCH__ 7
+# define VFP_ABI_PUSH
+# define VFP_ABI_POP
+#endif
+
 #ifdef __ARMEL__
 # define LO 0
 # define HI 4
@@ -192,7 +212,18 @@ $code=<<___;
 #endif
 
 .text
+#if __ARM_ARCH__<7 || defined(__APPLE__)
 .code	32
+#else
+.syntax unified
+# ifdef __thumb2__
+#  define adrl adr
+.thumb
+# else
+.code   32
+# endif
+#endif
+
 .type	K512,%object
 .align	5
 K512:
@@ -237,9 +268,9 @@ WORD64(0x3c9ebe0a,0x15c9bebc, 0x431d67c4,0x9c100d4c)
 WORD64(0x4cc5d4be,0xcb3e42b6, 0x597f299c,0xfc657e2a)
 WORD64(0x5fcb6fab,0x3ad6faec, 0x6c44198c,0x4a475817)
 .size	K512,.-K512
-#if __ARM_MAX_ARCH__>=7
+#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
 .LOPENSSL_armcap:
-.word	OPENSSL_armcap_P-sha512_block_data_order
+.word	OPENSSL_armcap_P-.Lsha512_block_data_order
 .skip	32-4
 #else
 .skip	32
@@ -248,14 +279,22 @@ WORD64(0x5fcb6fab,0x3ad6faec, 0x6c44198c,0x4a475817)
 .global	sha512_block_data_order
 .type	sha512_block_data_order,%function
 sha512_block_data_order:
+.Lsha512_block_data_order:
+#if __ARM_ARCH__<7
 	sub	r3,pc,#8		@ sha512_block_data_order
-	add	$len,$inp,$len,lsl#7	@ len to point at the end of inp
-#if __ARM_MAX_ARCH__>=7
+#else
+	adr	r3,sha512_block_data_order
+#endif
+#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
 	ldr	r12,.LOPENSSL_armcap
 	ldr	r12,[r3,r12]		@ OPENSSL_armcap_P
+#ifdef	__APPLE__
+	ldr	r12,[r12]
+#endif
 	tst	r12,#1
 	bne	.LNEON
 #endif
+	add	$len,$inp,$len,lsl#7	@ len to point at the end of inp
 	stmdb	sp!,{r4-r12,lr}
 	sub	$Ktbl,r3,#672		@ K512
 	sub	sp,sp,#9*8
@@ -369,6 +408,9 @@ $code.=<<___;
 ___
 	&BODY_00_15(0x17);
 $code.=<<___;
+#if __ARM_ARCH__>=7
+	ittt	eq			@ Thumb2 thing, sanity check in ARM
+#endif
 	ldreq	$t0,[sp,#`$Xoff+8*(16-1)`+0]
 	ldreq	$t1,[sp,#`$Xoff+8*(16-1)`+4]
 	beq	.L16_79
@@ -453,6 +495,7 @@ $code.=<<___;
 	moveq	pc,lr			@ be binary compatible with V4, yet
 	bx	lr			@ interoperable with Thumb ISA:-)
 #endif
+.size	sha512_block_data_order,.-sha512_block_data_order
 ___
 
 {
@@ -559,11 +602,15 @@ $code.=<<___;
 .arch	armv7-a
 .fpu	neon
 
+.global	sha512_block_data_order_neon
+.type	sha512_block_data_order_neon,%function
 .align	4
+sha512_block_data_order_neon:
 .LNEON:
 	dmb				@ errata #451034 on early Cortex A8
-	vstmdb	sp!,{d8-d15}		@ ABI specification says so
-	sub	$Ktbl,r3,#672		@ K512
+	add	$len,$inp,$len,lsl#7	@ len to point at the end of inp
+	adr	$Ktbl,K512
+	VFP_ABI_PUSH
 	vldmia	$ctx,{$A-$H}		@ load context
 .Loop_neon:
 ___
@@ -588,16 +635,16 @@ $code.=<<___;
 	sub		$Ktbl,#640	@ rewind K512
 	bne		.Loop_neon
 
-	vldmia	sp!,{d8-d15}		@ epilogue
+	VFP_ABI_POP
 	ret				@ bx lr
+.size	sha512_block_data_order_neon,.-sha512_block_data_order_neon
 #endif
 ___
 }
 $code.=<<___;
-.size	sha512_block_data_order,.-sha512_block_data_order
 .asciz	"SHA512 block transform for ARMv4/NEON, CRYPTOGAMS by <appro\@openssl.org>"
 .align	2
-#if __ARM_MAX_ARCH__>=7
+#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
 .comm	OPENSSL_armcap_P,4,4
 .hidden	OPENSSL_armcap_P
 #endif
@@ -606,5 +653,14 @@ ___
 $code =~ s/\`([^\`]*)\`/eval $1/gem;
 $code =~ s/\bbx\s+lr\b/.word\t0xe12fff1e/gm;	# make it possible to compile with -march=armv4
 $code =~ s/\bret\b/bx	lr/gm;
+
+open SELF,$0;
+while(<SELF>) {
+	next if (/^#!/);
+	last if (!s/^#/@/ and !/^$/);
+	print;
+}
+close SELF;
+
 print $code;
 close STDOUT; # enforce flush
diff --git a/src/crypto/sha/asm/sha512-armv8.pl b/src/crypto/sha/asm/sha512-armv8.pl
index 5a9c812..43e7293 100644
--- a/src/crypto/sha/asm/sha512-armv8.pl
+++ b/src/crypto/sha/asm/sha512-armv8.pl
@@ -14,8 +14,10 @@
 #
 #		SHA256-hw	SHA256(*)	SHA512
 # Apple A7	1.97		10.5 (+33%)	6.73 (-1%(**))
-# Cortex-A53	2.38		15.6 (+110%)	10.1 (+190%(***))
+# Cortex-A53	2.38		15.5 (+115%)	10.0 (+150%(***))
 # Cortex-A57	2.31		11.6 (+86%)	7.51 (+260%(***))
+# Denver	2.01		10.5 (+26%)	6.70 (+8%)
+# X-Gene			20.0 (+100%)	12.8 (+300%(***))
 # 
 # (*)	Software SHA256 results are of lesser relevance, presented
 #	mostly for informational purposes.
@@ -25,12 +27,24 @@
 # (***)	Super-impressive coefficients over gcc-generated code are
 #	indication of some compiler "pathology", most notably code
 #	generated with -mgeneral-regs-only is significanty faster
-#	and lags behind assembly only by 50-90%.
+#	and the gap is only 40-90%.
 
 $flavour=shift;
+# Unlike most perlasm files, sha512-armv8.pl takes an additional argument to
+# determine which hash function to emit. This differs from upstream OpenSSL so
+# that the script may continue to output to stdout.
+$variant=shift;
 $output=shift;
 
-if ($output =~ /512/) {
+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
+( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
+die "can't locate arm-xlate.pl";
+
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
+
+if ($variant eq "sha512") {
 	$BITS=512;
 	$SZ=8;
 	@Sigma0=(28,34,39);
@@ -39,7 +53,7 @@ if ($output =~ /512/) {
 	@sigma1=(19,61, 6);
 	$rounds=80;
 	$reg_t="x";
-} else {
+} elsif ($variant eq "sha256") {
 	$BITS=256;
 	$SZ=4;
 	@Sigma0=( 2,13,22);
@@ -48,6 +62,8 @@ if ($output =~ /512/) {
 	@sigma1=(17,19,10);
 	$rounds=64;
 	$reg_t="w";
+} else {
+  die "Unknown variant: $variant";
 }
 
 $func="sha${BITS}_block_data_order";
@@ -152,6 +168,7 @@ $code.=<<___;
 
 .text
 
+.extern	OPENSSL_armcap_P
 .globl	$func
 .type	$func,%function
 .align	6
@@ -181,7 +198,7 @@ $code.=<<___;
 	ldp	$E,$F,[$ctx,#4*$SZ]
 	add	$num,$inp,$num,lsl#`log(16*$SZ)/log(2)`	// end of input
 	ldp	$G,$H,[$ctx,#6*$SZ]
-	adr	$Ktbl,K$BITS
+	adr	$Ktbl,.LK$BITS
 	stp	$ctx,$num,[x29,#96]
 
 .Loop:
@@ -231,8 +248,8 @@ $code.=<<___;
 .size	$func,.-$func
 
 .align	6
-.type	K$BITS,%object
-K$BITS:
+.type	.LK$BITS,%object
+.LK$BITS:
 ___
 $code.=<<___ if ($SZ==8);
 	.quad	0x428a2f98d728ae22,0x7137449123ef65cd
@@ -297,7 +314,7 @@ $code.=<<___ if ($SZ==4);
 	.long	0	//terminator
 ___
 $code.=<<___;
-.size	K$BITS,.-K$BITS
+.size	.LK$BITS,.-.LK$BITS
 .align	3
 .LOPENSSL_armcap_P:
 	.quad	OPENSSL_armcap_P-.
@@ -322,7 +339,7 @@ sha256_block_armv8:
 	add		x29,sp,#0
 
 	ld1.32		{$ABCD,$EFGH},[$ctx]
-	adr		$Ktbl,K256
+	adr		$Ktbl,.LK256
 
 .Loop_hw:
 	ld1		{@MSG[0]-@MSG[3]},[$inp],#64
diff --git a/src/crypto/sha/sha1.c b/src/crypto/sha/sha1.c
index 7595bc8..60d09f6 100644
--- a/src/crypto/sha/sha1.c
+++ b/src/crypto/sha/sha1.c
@@ -367,8 +367,9 @@ static void HASH_BLOCK_DATA_ORDER(SHA_CTX *c, const void *p, size_t num) {
     c->h3 = (c->h3 + B) & 0xffffffffL;
     c->h4 = (c->h4 + C) & 0xffffffffL;
 
-    if (--num == 0)
+    if (--num == 0) {
       break;
+    }
 
     A = c->h0;
     B = c->h1;
diff --git a/src/crypto/sha/sha512.c b/src/crypto/sha/sha512.c
index 59be8c1..2acefb1 100644
--- a/src/crypto/sha/sha512.c
+++ b/src/crypto/sha/sha512.c
@@ -189,8 +189,9 @@ int SHA512_Update(SHA512_CTX *c, const void *in_data, size_t len) {
   uint8_t *p = c->u.p;
   const uint8_t *data = (const uint8_t *)in_data;
 
-  if (len == 0)
+  if (len == 0) {
     return 1;
+  }
 
   l = (c->Nl + (((uint64_t)len) << 3)) & OPENSSL_U64(0xffffffffffffffff);
   if (l < c->Nl) {
@@ -218,14 +219,21 @@ int SHA512_Update(SHA512_CTX *c, const void *in_data, size_t len) {
 
   if (len >= sizeof(c->u)) {
 #ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
-    if ((size_t)data % sizeof(c->u.d[0]) != 0)
-      while (len >= sizeof(c->u))
-        memcpy(p, data, sizeof(c->u)), sha512_block_data_order(c, p, 1),
-            len -= sizeof(c->u), data += sizeof(c->u);
-    else
+    if ((size_t)data % sizeof(c->u.d[0]) != 0) {
+      while (len >= sizeof(c->u)) {
+        memcpy(p, data, sizeof(c->u));
+        sha512_block_data_order(c, p, 1);
+        len -= sizeof(c->u);
+        data += sizeof(c->u);
+      }
+    } else
 #endif
-      sha512_block_data_order(c, data, len / sizeof(c->u)), data += len,
-          len %= sizeof(c->u), data -= len;
+    {
+      sha512_block_data_order(c, data, len / sizeof(c->u));
+      data += len;
+      len %= sizeof(c->u);
+      data -= len;
+    }
   }
 
   if (len != 0) {
diff --git a/src/crypto/stack/make_macros.sh b/src/crypto/stack/make_macros.sh
index f72aa33..4837e44 100644
--- a/src/crypto/stack/make_macros.sh
+++ b/src/crypto/stack/make_macros.sh
@@ -86,6 +86,9 @@ output_stack () {
 #define sk_${type}_set_cmp_func(sk, comp)\\
   ((int (*) (const ${type} **a, const ${type} **b)) sk_set_cmp_func(CHECKED_CAST(_STACK*, STACK_OF(${type})*, sk), CHECKED_CAST(stack_cmp_func, int (*) (const ${type} **a, const ${type} **b), comp)))
 
+#define sk_${type}_deep_copy(sk, copy_func, free_func)\\
+((STACK_OF(${type})*) sk_deep_copy(CHECKED_CAST(const _STACK*, const STACK_OF(${type})*, sk), CHECKED_CAST(void* (*) (void*), ${ptrtype} (*) (${ptrtype}), copy_func), CHECKED_CAST(void (*) (void*), void (*) (${ptrtype}), free_func)))
+
 
 EOF
 }
diff --git a/src/crypto/stack/stack.c b/src/crypto/stack/stack.c
index 0b336ba..c584515 100644
--- a/src/crypto/stack/stack.c
+++ b/src/crypto/stack/stack.c
@@ -86,9 +86,7 @@ _STACK *sk_new(stack_cmp_func comp) {
   return ret;
 
 err:
-  if (ret) {
-    OPENSSL_free(ret);
-  }
+  OPENSSL_free(ret);
   return NULL;
 }
 
@@ -232,7 +230,7 @@ int sk_find(_STACK *sk, size_t *out_index, void *p) {
   int (*comp_func)(const void *,const void *);
 
   if (sk == NULL) {
-    return -1;
+    return 0;
   }
 
   if (sk->comp == NULL) {
@@ -324,9 +322,7 @@ _STACK *sk_dup(const _STACK *sk) {
   return ret;
 
 err:
-  if (ret) {
-    sk_free(ret);
-  }
+  sk_free(ret);
   return NULL;
 }
 
@@ -360,3 +356,31 @@ stack_cmp_func sk_set_cmp_func(_STACK *sk, stack_cmp_func comp) {
 
   return old;
 }
+
+_STACK *sk_deep_copy(const _STACK *sk, void *(*copy_func)(void *),
+                     void (*free_func)(void *)) {
+  _STACK *ret = sk_dup(sk);
+  if (ret == NULL) {
+    return NULL;
+  }
+
+  size_t i;
+  for (i = 0; i < ret->num; i++) {
+    if (ret->data[i] == NULL) {
+      continue;
+    }
+    ret->data[i] = copy_func(ret->data[i]);
+    if (ret->data[i] == NULL) {
+      size_t j;
+      for (j = 0; j < i; j++) {
+        if (ret->data[j] != NULL) {
+          free_func(ret->data[j]);
+        }
+      }
+      sk_free(ret);
+      return NULL;
+    }
+  }
+
+  return ret;
+}
diff --git a/src/crypto/test/CMakeLists.txt b/src/crypto/test/CMakeLists.txt
new file mode 100644
index 0000000..0d5ca81
--- /dev/null
+++ b/src/crypto/test/CMakeLists.txt
@@ -0,0 +1,7 @@
+add_library(
+  test_support
+
+  OBJECT
+
+  file_test.cc
+)
diff --git a/src/crypto/test/file_test.cc b/src/crypto/test/file_test.cc
new file mode 100644
index 0000000..12405f2
--- /dev/null
+++ b/src/crypto/test/file_test.cc
@@ -0,0 +1,326 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include "file_test.h"
+
+#include <ctype.h>
+#include <errno.h>
+#include <stdarg.h>
+#include <string.h>
+
+#include <openssl/err.h>
+
+#include "stl_compat.h"
+
+
+FileTest::FileTest(const char *path) {
+  file_ = fopen(path, "r");
+  if (file_ == nullptr) {
+    fprintf(stderr, "Could not open file %s: %s.\n", path, strerror(errno));
+  }
+}
+
+FileTest::~FileTest() {
+  if (file_ != nullptr) {
+    fclose(file_);
+  }
+}
+
+// FindDelimiter returns a pointer to the first '=' or ':' in |str| or nullptr
+// if there is none.
+static const char *FindDelimiter(const char *str) {
+  while (*str) {
+    if (*str == ':' || *str == '=') {
+      return str;
+    }
+    str++;
+  }
+  return nullptr;
+}
+
+// StripSpace returns a string containing up to |len| characters from |str| with
+// leading and trailing whitespace removed.
+static std::string StripSpace(const char *str, size_t len) {
+  // Remove leading space.
+  while (len > 0 && isspace(*str)) {
+    str++;
+    len--;
+  }
+  while (len > 0 && isspace(str[len-1])) {
+    len--;
+  }
+  return std::string(str, len);
+}
+
+FileTest::ReadResult FileTest::ReadNext() {
+  // If the previous test had unused attributes or block, it is an error.
+  if (!unused_attributes_.empty()) {
+    for (const std::string &key : unused_attributes_) {
+      PrintLine("Unused attribute: %s", key.c_str());
+    }
+    return kReadError;
+  }
+  if (!block_.empty() && !used_block_) {
+    PrintLine("Unused block");
+    return kReadError;
+  }
+
+  ClearTest();
+
+  bool in_block = false;
+  while (true) {
+    // Read the next line.
+    char buf[4096];
+    if (fgets(buf, sizeof(buf), file_) == nullptr) {
+      if (feof(file_)) {
+        if (in_block) {
+          fprintf(stderr, "Unterminated block.\n");
+          return kReadError;
+        }
+        // EOF is a valid terminator for a test.
+        return start_line_ > 0 ? kReadSuccess : kReadEOF;
+      }
+      fprintf(stderr, "Error reading from input.\n");
+      return kReadError;
+    }
+
+    line_++;
+    size_t len = strlen(buf);
+    // Check for truncation.
+    if (len > 0 && buf[len - 1] != '\n' && !feof(file_)) {
+      fprintf(stderr, "Line %u too long.\n", line_);
+      return kReadError;
+    }
+
+    bool is_delimiter = strncmp(buf, "---", 3) == 0;
+    if (in_block) {
+      block_ += buf;
+      if (is_delimiter) {
+        // Ending the block completes the test.
+        return kReadSuccess;
+      }
+    } else if (is_delimiter) {
+      if (start_line_ == 0) {
+        fprintf(stderr, "Line %u: Unexpected block.\n", line_);
+        return kReadError;
+      }
+      in_block = true;
+      block_ += buf;
+    } else if (buf[0] == '\n' || buf[0] == '\0') {
+      // Empty lines delimit tests.
+      if (start_line_ > 0) {
+        return kReadSuccess;
+      }
+    } else if (buf[0] != '#') {  // Comment lines are ignored.
+      // Parse the line as an attribute.
+      const char *delimiter = FindDelimiter(buf);
+      if (delimiter == nullptr) {
+        fprintf(stderr, "Line %u: Could not parse attribute.\n", line_);
+      }
+      std::string key = StripSpace(buf, delimiter - buf);
+      std::string value = StripSpace(delimiter + 1,
+                                     buf + len - delimiter - 1);
+
+      unused_attributes_.insert(key);
+      attributes_[key] = value;
+      if (start_line_ == 0) {
+        // This is the start of a test.
+        type_ = key;
+        parameter_ = value;
+        start_line_ = line_;
+      }
+    }
+  }
+}
+
+void FileTest::PrintLine(const char *format, ...) {
+  va_list args;
+  va_start(args, format);
+
+  fprintf(stderr, "Line %u: ", start_line_);
+  vfprintf(stderr, format, args);
+  fprintf(stderr, "\n");
+
+  va_end(args);
+}
+
+const std::string &FileTest::GetType() {
+  OnKeyUsed(type_);
+  return type_;
+}
+
+const std::string &FileTest::GetParameter() {
+  OnKeyUsed(type_);
+  return parameter_;
+}
+
+const std::string &FileTest::GetBlock() {
+  used_block_ = true;
+  return block_;
+}
+
+bool FileTest::HasAttribute(const std::string &key) {
+  OnKeyUsed(key);
+  return attributes_.count(key) > 0;
+}
+
+bool FileTest::GetAttribute(std::string *out_value, const std::string &key) {
+  OnKeyUsed(key);
+  auto iter = attributes_.find(key);
+  if (iter == attributes_.end()) {
+    PrintLine("Missing attribute '%s'.", key.c_str());
+    return false;
+  }
+  *out_value = iter->second;
+  return true;
+}
+
+const std::string &FileTest::GetAttributeOrDie(const std::string &key) {
+  if (!HasAttribute(key)) {
+    abort();
+  }
+  return attributes_[key];
+}
+
+static bool FromHexDigit(uint8_t *out, char c) {
+  if ('0' <= c && c <= '9') {
+    *out = c - '0';
+    return true;
+  }
+  if ('a' <= c && c <= 'f') {
+    *out = c - 'a' + 10;
+    return true;
+  }
+  if ('A' <= c && c <= 'F') {
+    *out = c - 'A' + 10;
+    return true;
+  }
+  return false;
+}
+
+bool FileTest::GetBytes(std::vector<uint8_t> *out, const std::string &key) {
+  std::string value;
+  if (!GetAttribute(&value, key)) {
+    return false;
+  }
+
+  if (value.size() >= 2 && value[0] == '"' && value[value.size() - 1] == '"') {
+    out->assign(value.begin() + 1, value.end() - 1);
+    return true;
+  }
+
+  if (value.size() % 2 != 0) {
+    PrintLine("Error decoding value: %s", value.c_str());
+    return false;
+  }
+  out->reserve(value.size() / 2);
+  for (size_t i = 0; i < value.size(); i += 2) {
+    uint8_t hi, lo;
+    if (!FromHexDigit(&hi, value[i]) || !FromHexDigit(&lo, value[i+1])) {
+      PrintLine("Error decoding value: %s", value.c_str());
+      return false;
+    }
+    out->push_back((hi << 4) | lo);
+  }
+  return true;
+}
+
+static std::string EncodeHex(const uint8_t *in, size_t in_len) {
+  static const char kHexDigits[] = "0123456789abcdef";
+  std::string ret;
+  ret.reserve(in_len * 2);
+  for (size_t i = 0; i < in_len; i++) {
+    ret += kHexDigits[in[i] >> 4];
+    ret += kHexDigits[in[i] & 0xf];
+  }
+  return ret;
+}
+
+bool FileTest::ExpectBytesEqual(const uint8_t *expected, size_t expected_len,
+                                const uint8_t *actual, size_t actual_len) {
+  if (expected_len == actual_len &&
+      memcmp(expected, actual, expected_len) == 0) {
+    return true;
+  }
+
+  std::string expected_hex = EncodeHex(expected, expected_len);
+  std::string actual_hex = EncodeHex(actual, actual_len);
+  PrintLine("Expected: %s", expected_hex.c_str());
+  PrintLine("Actual:   %s", actual_hex.c_str());
+  return false;
+}
+
+void FileTest::ClearTest() {
+  start_line_ = 0;
+  type_.clear();
+  parameter_.clear();
+  attributes_.clear();
+  block_.clear();
+  unused_attributes_.clear();
+  used_block_ = false;
+}
+
+void FileTest::OnKeyUsed(const std::string &key) {
+  unused_attributes_.erase(key);
+}
+
+int FileTestMain(bool (*run_test)(FileTest *t, void *arg), void *arg,
+                 const char *path) {
+  FileTest t(path);
+  if (!t.is_open()) {
+    return 1;
+  }
+
+  bool failed = false;
+  while (true) {
+    FileTest::ReadResult ret = t.ReadNext();
+    if (ret == FileTest::kReadError) {
+      return 1;
+    } else if (ret == FileTest::kReadEOF) {
+      break;
+    }
+
+    bool result = run_test(&t, arg);
+    if (t.HasAttribute("Error")) {
+      if (result) {
+        t.PrintLine("Operation unexpectedly succeeded.");
+        failed = true;
+        continue;
+      }
+      uint32_t err = ERR_peek_error();
+      if (ERR_reason_error_string(err) != t.GetAttributeOrDie("Error")) {
+        t.PrintLine("Unexpected error; wanted '%s', got '%s'.",
+                     t.GetAttributeOrDie("Error").c_str(),
+                     ERR_reason_error_string(err));
+        failed = true;
+        continue;
+      }
+      ERR_clear_error();
+    } else if (!result) {
+      // In case the test itself doesn't print output, print something so the
+      // line number is reported.
+      t.PrintLine("Test failed");
+      ERR_print_errors_fp(stderr);
+      failed = true;
+      continue;
+    }
+  }
+
+  if (failed) {
+    return 1;
+  }
+
+  printf("PASS\n");
+  return 0;
+}
diff --git a/src/crypto/test/file_test.h b/src/crypto/test/file_test.h
new file mode 100644
index 0000000..7303d8a
--- /dev/null
+++ b/src/crypto/test/file_test.h
@@ -0,0 +1,166 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CRYPTO_TEST_FILE_TEST_H
+#define OPENSSL_HEADER_CRYPTO_TEST_FILE_TEST_H
+
+#include <stdint.h>
+#include <stdio.h>
+
+#include <string>
+#include <map>
+#include <set>
+#include <vector>
+
+
+// File-based test framework.
+//
+// This module provides a file-based test framework. The file format is based on
+// that of OpenSSL upstream's evp_test and BoringSSL's aead_test. Each input
+// file is a sequence of attributes, blocks, and blank lines.
+//
+// Each attribute has the form:
+//
+//   Name = Value
+//
+// Either '=' or ':' may be used to delimit the name from the value. Both the
+// name and value have leading and trailing spaces stripped.
+//
+// Blocks are delimited by lines beginning with three hyphens, "---". One such
+// line begins a block and another ends it. Blocks are intended as a convenient
+// way to embed PEM data and include their delimiters.
+//
+// Outside a block, lines beginning with # are ignored.
+//
+// A test is a sequence of one or more attributes followed by a block or blank
+// line. Blank lines are otherwise ignored. For tests that process multiple
+// kinds of test cases, the first attribute is parsed out as the test's type and
+// parameter. Otherwise, attributes are unordered. The first attribute is also
+// included in the set of attributes, so tests which do not dispatch may ignore
+// this mechanism.
+//
+// Functions in this module freely output to |stderr| on failure. Tests should
+// also do so, and it is recommended they include the corresponding test's line
+// number in any output. |PrintLine| does this automatically.
+//
+// Each attribute in a test must be consumed. When a test completes, if any
+// attributes haven't been processed, the framework reports an error.
+
+
+class FileTest {
+ public:
+  explicit FileTest(const char *path);
+  ~FileTest();
+
+  // is_open returns true if the file was successfully opened.
+  bool is_open() const { return file_ != nullptr; }
+
+  enum ReadResult {
+    kReadSuccess,
+    kReadEOF,
+    kReadError,
+  };
+
+  // ReadNext reads the next test from the file. It returns |kReadSuccess| if
+  // successfully reading a test and |kReadEOF| at the end of the file. On
+  // error or if the previous test had unconsumed attributes, it returns
+  // |kReadError|.
+  ReadResult ReadNext();
+
+  // PrintLine is a variant of printf which prepends the line number and appends
+  // a trailing newline.
+  void PrintLine(const char *format, ...)
+#ifdef __GNUC__
+      __attribute__((__format__(__printf__, 2, 3)))
+#endif
+  ;
+
+  unsigned start_line() const { return start_line_; }
+
+  // GetType returns the name of the first attribute of the current test.
+  const std::string &GetType();
+  // GetParameter returns the value of the first attribute of the current test.
+  const std::string &GetParameter();
+  // GetBlock returns the optional block of the current test, or the empty
+  // if there was no block.
+  const std::string &GetBlock();
+
+  // HasAttribute returns true if the current test has an attribute named |key|.
+  bool HasAttribute(const std::string &key);
+
+  // GetAttribute looks up the attribute with key |key|. It sets |*out_value| to
+  // the value and returns true if it exists and returns false with an error to
+  // |stderr| otherwise.
+  bool GetAttribute(std::string *out_value, const std::string &key);
+
+  // GetAttributeOrDie looks up the attribute with key |key| and aborts if it is
+  // missing. It only be used after a |HasAttribute| call.
+  const std::string &GetAttributeOrDie(const std::string &key);
+
+  // GetBytes looks up the attribute with key |key| and decodes it as a byte
+  // string. On success, it writes the result to |*out| and returns
+  // true. Otherwise it returns false with an error to |stderr|. The value may
+  // be either a hexadecimal string or a quoted ASCII string. It returns true on
+  // success and returns false with an error to |stderr| on failure.
+  bool GetBytes(std::vector<uint8_t> *out, const std::string &key);
+
+  // ExpectBytesEqual returns true if |expected| and |actual| are equal.
+  // Otherwise, it returns false and prints a message to |stderr|.
+  bool ExpectBytesEqual(const uint8_t *expected, size_t expected_len,
+                        const uint8_t *actual, size_t actual_len);
+
+ private:
+  void ClearTest();
+  void OnKeyUsed(const std::string &key);
+
+  FILE *file_ = nullptr;
+  // line_ is the number of lines read.
+  unsigned line_ = 0;
+
+  // start_line_ is the line number of the first attribute of the test.
+  unsigned start_line_ = 0;
+  // type_ is the name of the first attribute of the test.
+  std::string type_;
+  // parameter_ is the value of the first attribute.
+  std::string parameter_;
+  // attributes_ contains all attributes in the test, including the first.
+  std::map<std::string, std::string> attributes_;
+  // block_, if non-empty, is the test's optional trailing block.
+  std::string block_;
+
+  // unused_attributes_ is the set of attributes that have been queried.
+  std::set<std::string> unused_attributes_;
+  // used_block_ is true if the block has been queried.
+  bool used_block_ = false;
+
+  FileTest(const FileTest&) = delete;
+  FileTest &operator=(const FileTest&) = delete;
+};
+
+// FileTestMain runs a file-based test out of |path| and returns an exit code
+// suitable to return out of |main|. |run_test| should return true on pass and
+// false on failure. FileTestMain also implements common handling of the 'Error'
+// attribute. A test with that attribute is expected to fail. The value of the
+// attribute is the reason string of the expected OpenSSL error code.
+//
+// Tests are guaranteed to run serially and may affect global state if need be.
+// It is legal to use "tests" which, for example, import a private key into a
+// list of keys. This may be used to initialize a shared set of keys for many
+// tests. However, if one test fails, the framework will continue to run
+// subsequent tests.
+int FileTestMain(bool (*run_test)(FileTest *t, void *arg), void *arg,
+                 const char *path);
+
+
+#endif /* OPENSSL_HEADER_CRYPTO_TEST_FILE_TEST_H */
diff --git a/src/crypto/test/scoped_types.h b/src/crypto/test/scoped_types.h
new file mode 100644
index 0000000..eb04c18
--- /dev/null
+++ b/src/crypto/test/scoped_types.h
@@ -0,0 +1,120 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CRYPTO_TEST_SCOPED_TYPES_H
+#define OPENSSL_HEADER_CRYPTO_TEST_SCOPED_TYPES_H
+
+#include <stdint.h>
+
+#include <openssl/bio.h>
+#include <openssl/bn.h>
+#include <openssl/cmac.h>
+#include <openssl/dh.h>
+#include <openssl/ec.h>
+#include <openssl/ec_key.h>
+#include <openssl/ecdsa.h>
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#include <openssl/mem.h>
+#include <openssl/pkcs8.h>
+#include <openssl/rsa.h>
+#include <openssl/stack.h>
+#include <openssl/x509.h>
+
+#include "stl_compat.h"
+
+
+template<typename T, void (*func)(T*)>
+struct OpenSSLDeleter {
+  void operator()(T *obj) {
+    func(obj);
+  }
+};
+
+template<typename StackType, typename T, void (*func)(T*)>
+struct OpenSSLStackDeleter {
+  void operator()(StackType *obj) {
+    sk_pop_free(reinterpret_cast<_STACK*>(obj),
+                reinterpret_cast<void (*)(void *)>(func));
+  }
+};
+
+template<typename T>
+struct OpenSSLFree {
+  void operator()(T *buf) {
+    OPENSSL_free(buf);
+  }
+};
+
+template<typename T, void (*func)(T*)>
+using ScopedOpenSSLType = bssl::unique_ptr<T, OpenSSLDeleter<T, func>>;
+
+template<typename StackType, typename T, void (*func)(T*)>
+using ScopedOpenSSLStack =
+    bssl::unique_ptr<StackType, OpenSSLStackDeleter<StackType, T, func>>;
+
+template<typename T, typename CleanupRet, void (*init_func)(T*),
+         CleanupRet (*cleanup_func)(T*)>
+class ScopedOpenSSLContext {
+ public:
+  ScopedOpenSSLContext() {
+    init_func(&ctx_);
+  }
+  ~ScopedOpenSSLContext() {
+    cleanup_func(&ctx_);
+  }
+
+  T *get() { return &ctx_; }
+  const T *get() const { return &ctx_; }
+
+  void Reset() {
+    cleanup_func(&ctx_);
+    init_func(&ctx_);
+  }
+
+ private:
+  T ctx_;
+};
+
+using ScopedBIO = ScopedOpenSSLType<BIO, BIO_vfree>;
+using ScopedBIGNUM = ScopedOpenSSLType<BIGNUM, BN_free>;
+using ScopedBN_CTX = ScopedOpenSSLType<BN_CTX, BN_CTX_free>;
+using ScopedBN_MONT_CTX = ScopedOpenSSLType<BN_MONT_CTX, BN_MONT_CTX_free>;
+using ScopedCMAC_CTX = ScopedOpenSSLType<CMAC_CTX, CMAC_CTX_free>;
+using ScopedDH = ScopedOpenSSLType<DH, DH_free>;
+using ScopedECDSA_SIG = ScopedOpenSSLType<ECDSA_SIG, ECDSA_SIG_free>;
+using ScopedEC_GROUP = ScopedOpenSSLType<EC_GROUP, EC_GROUP_free>;
+using ScopedEC_KEY = ScopedOpenSSLType<EC_KEY, EC_KEY_free>;
+using ScopedEC_POINT = ScopedOpenSSLType<EC_POINT, EC_POINT_free>;
+using ScopedEVP_PKEY = ScopedOpenSSLType<EVP_PKEY, EVP_PKEY_free>;
+using ScopedEVP_PKEY_CTX = ScopedOpenSSLType<EVP_PKEY_CTX, EVP_PKEY_CTX_free>;
+using ScopedPKCS8_PRIV_KEY_INFO = ScopedOpenSSLType<PKCS8_PRIV_KEY_INFO,
+                                                    PKCS8_PRIV_KEY_INFO_free>;
+using ScopedPKCS12 = ScopedOpenSSLType<PKCS12, PKCS12_free>;
+using ScopedRSA = ScopedOpenSSLType<RSA, RSA_free>;
+using ScopedX509 = ScopedOpenSSLType<X509, X509_free>;
+using ScopedX509_ALGOR = ScopedOpenSSLType<X509_ALGOR, X509_ALGOR_free>;
+
+using ScopedX509Stack = ScopedOpenSSLStack<STACK_OF(X509), X509, X509_free>;
+
+using ScopedEVP_MD_CTX = ScopedOpenSSLContext<EVP_MD_CTX, int, EVP_MD_CTX_init,
+                                              EVP_MD_CTX_cleanup>;
+using ScopedHMAC_CTX = ScopedOpenSSLContext<HMAC_CTX, void, HMAC_CTX_init,
+                                            HMAC_CTX_cleanup>;
+
+using ScopedOpenSSLBytes = bssl::unique_ptr<uint8_t, OpenSSLFree<uint8_t>>;
+using ScopedOpenSSLString = bssl::unique_ptr<char, OpenSSLFree<char>>;
+
+
+#endif  // OPENSSL_HEADER_CRYPTO_TEST_SCOPED_TYPES_H
diff --git a/src/crypto/test/stl_compat.h b/src/crypto/test/stl_compat.h
new file mode 100644
index 0000000..1997a45
--- /dev/null
+++ b/src/crypto/test/stl_compat.h
@@ -0,0 +1,144 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CRYPTO_TEST_STL_COMPAT_H
+#define OPENSSL_HEADER_CRYPTO_TEST_STL_COMPAT_H
+
+#include <assert.h>
+
+#include <vector>
+
+
+// This header contains re-implementations of library functions from C++11. They
+// will be replaced with their standard counterparts once Chromium has C++11
+// library support in its toolchain.
+
+namespace bssl {
+
+// vector_data is a reimplementation of |std::vector::data| from C++11.
+template <class T>
+static T *vector_data(std::vector<T> *out) {
+  return out->empty() ? nullptr : &(*out)[0];
+}
+
+template <class T>
+static const T *vector_data(const std::vector<T> *out) {
+  return out->empty() ? nullptr : &(*out)[0];
+}
+
+// remove_reference is a reimplementation of |std::remove_reference| from C++11.
+template <class T>
+struct remove_reference {
+  using type = T;
+};
+
+template <class T>
+struct remove_reference<T&> {
+  using type = T;
+};
+
+template <class T>
+struct remove_reference<T&&> {
+  using type = T;
+};
+
+// move is a reimplementation of |std::move| from C++11.
+template <class T>
+typename remove_reference<T>::type &&move(T &&t) {
+  return static_cast<typename remove_reference<T>::type&&>(t);
+}
+
+// default_delete is a partial reimplementation of |std::default_delete| from
+// C++11.
+template <class T>
+struct default_delete {
+  void operator()(T *t) const {
+    enum { type_must_be_complete = sizeof(T) };
+    delete t;
+  }
+};
+
+// nullptr_t is |std::nullptr_t| from C++11.
+using nullptr_t = decltype(nullptr);
+
+// unique_ptr is a partial reimplementation of |std::unique_ptr| from C++11. It
+// intentionally does not support stateful deleters to avoid having to bother
+// with the empty member optimization.
+template <class T, class Deleter = default_delete<T>>
+class unique_ptr {
+ public:
+  unique_ptr() : ptr_(nullptr) {}
+  unique_ptr(nullptr_t) : ptr_(nullptr) {}
+  unique_ptr(T *ptr) : ptr_(ptr) {}
+  unique_ptr(const unique_ptr &u) = delete;
+
+  unique_ptr(unique_ptr &&u) : ptr_(nullptr) {
+    reset(u.release());
+  }
+
+  ~unique_ptr() {
+    reset();
+  }
+
+  unique_ptr &operator=(nullptr_t) {
+    reset();
+    return *this;
+  }
+
+  unique_ptr &operator=(unique_ptr &&u) {
+    reset(u.release());
+    return *this;
+  }
+
+  unique_ptr& operator=(const unique_ptr &u) = delete;
+
+  explicit operator bool() const {
+    return ptr_ != nullptr;
+  }
+
+  T &operator*() const {
+    assert(ptr_ != nullptr);
+    return *ptr_;
+  }
+
+  T *operator->() const {
+    assert(ptr_ != nullptr);
+    return ptr_;
+  }
+
+  T *get() const {
+    return ptr_;
+  }
+
+  T *release() {
+    T *ptr = ptr_;
+    ptr_ = nullptr;
+    return ptr;
+  }
+
+  void reset(T *ptr = nullptr) {
+    if (ptr_ != nullptr) {
+      Deleter()(ptr_);
+    }
+    ptr_ = ptr;
+  }
+
+ private:
+  T *ptr_;
+};
+
+}  // namespace bssl
+
+
+#endif  // OPENSSL_HEADER_CRYPTO_TEST_STL_COMPAT_H
diff --git a/src/crypto/thread.c b/src/crypto/thread.c
index 024993e..abc8b6f 100644
--- a/src/crypto/thread.c
+++ b/src/crypto/thread.c
@@ -56,44 +56,34 @@
 
 #include <openssl/thread.h>
 
-#include <errno.h>
 #include <string.h>
 
-#if defined(OPENSSL_WINDOWS)
+#if !defined(OPENSSL_WINDOWS)
+#include <errno.h>
+#else
 #pragma warning(push, 3)
 #include <windows.h>
 #pragma warning(pop)
 #endif
 
 #include <openssl/mem.h>
-#include <openssl/type_check.h>
 
 
+#define CRYPTO_LOCK_ITEM(x) #x
+
 /* lock_names contains the names of all the locks defined in thread.h. */
 static const char *const lock_names[] = {
-    "<<ERROR>>",    "err",          "ex_data",       "x509",
-    "x509_info",    "x509_pkey",    "x509_crl",      "x509_req",
-    "dsa",          "rsa",          "evp_pkey",      "x509_store",
-    "ssl_ctx",      "ssl_cert",     "ssl_session",   "ssl_sess_cert",
-    "ssl",          "ssl_method",   "rand",          "rand2",
-    "debug_malloc", "BIO",          "gethostbyname", "getservbyname",
-    "readdir",      "RSA_blinding", "dh",            "debug_malloc2",
-    "dso",          "dynlock",      "engine",        "ui",
-    "ecdsa",        "ec",           "ecdh",          "bn",
-    "ec_pre_comp",  "store",        "comp",          "fips",
-    "fips2",        "obj",
+  CRYPTO_LOCK_LIST
 };
 
-OPENSSL_COMPILE_ASSERT(CRYPTO_NUM_LOCKS ==
-                           sizeof(lock_names) / sizeof(lock_names[0]),
-                       CRYPTO_NUM_LOCKS_inconsistent);
+#undef CRYPTO_LOCK_ITEM
+
+#define CRYPTO_NUM_LOCKS (sizeof(lock_names) / sizeof(lock_names[0]))
 
 static void (*locking_callback)(int mode, int lock_num, const char *file,
                                 int line) = 0;
 static int (*add_lock_callback)(int *pointer, int amount, int lock_num,
                                 const char *file, int line) = 0;
-static void (*threadid_callback)(CRYPTO_THREADID *) = 0;
-
 
 int CRYPTO_num_locks(void) { return CRYPTO_NUM_LOCKS; }
 
@@ -115,23 +105,13 @@ const char *CRYPTO_get_lock_name(int lock_num) {
   }
 }
 
-int CRYPTO_THREADID_set_callback(void (*func)(CRYPTO_THREADID *)) {
-  if (threadid_callback) {
-    return 0;
-  }
-  threadid_callback = func;
-  return 1;
-}
+int CRYPTO_THREADID_set_callback(void (*func)(CRYPTO_THREADID *)) { return 1; }
 
-void CRYPTO_THREADID_set_numeric(CRYPTO_THREADID *id, unsigned long val) {
-  memset(id, 0, sizeof(*id));
-  id->val = val;
-}
+void CRYPTO_THREADID_set_numeric(CRYPTO_THREADID *id, unsigned long val) {}
 
-void CRYPTO_THREADID_set_pointer(CRYPTO_THREADID *id, void *ptr) {
-  memset(id, 0, sizeof(*id));
-  id->ptr = ptr;
-}
+void CRYPTO_THREADID_set_pointer(CRYPTO_THREADID *id, void *ptr) {}
+
+void CRYPTO_THREADID_current(CRYPTO_THREADID *id) {}
 
 void (*CRYPTO_get_locking_callback(void))(int mode, int lock_num,
                                           const char *file, int line) {
@@ -165,32 +145,6 @@ int CRYPTO_add_lock(int *pointer, int amount, int lock_num, const char *file,
   return ret;
 }
 
-void CRYPTO_THREADID_current(CRYPTO_THREADID *id) {
-  if (threadid_callback) {
-    threadid_callback(id);
-    return;
-  }
-
-#if defined(OPENSSL_WINDOWS)
-  CRYPTO_THREADID_set_numeric(id, (unsigned long)GetCurrentThreadId());
-#else
-  /* For everything else, default to using the address of 'errno' */
-  CRYPTO_THREADID_set_pointer(id, (void *)&errno);
-#endif
-}
-
-int CRYPTO_THREADID_cmp(const CRYPTO_THREADID *a, const CRYPTO_THREADID *b) {
-  return memcmp(a, b, sizeof(*a));
-}
-
-void CRYPTO_THREADID_cpy(CRYPTO_THREADID *dest, const CRYPTO_THREADID *src) {
-  memcpy(dest, src, sizeof(*src));
-}
-
-uint32_t CRYPTO_THREADID_hash(const CRYPTO_THREADID *id) {
-  return OPENSSL_hash32(id, sizeof(CRYPTO_THREADID));
-}
-
 void CRYPTO_set_id_callback(unsigned long (*func)(void)) {}
 
 void CRYPTO_set_dynlock_create_callback(struct CRYPTO_dynlock_value *(
diff --git a/src/crypto/thread_none.c b/src/crypto/thread_none.c
new file mode 100644
index 0000000..cf4e85a
--- /dev/null
+++ b/src/crypto/thread_none.c
@@ -0,0 +1,55 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include "internal.h"
+
+#if defined(OPENSSL_NO_THREADS)
+
+void CRYPTO_MUTEX_init(CRYPTO_MUTEX *lock) {}
+
+void CRYPTO_MUTEX_lock_read(CRYPTO_MUTEX *lock) {}
+
+void CRYPTO_MUTEX_lock_write(CRYPTO_MUTEX *lock) {}
+
+void CRYPTO_MUTEX_unlock(CRYPTO_MUTEX *lock) {}
+
+void CRYPTO_MUTEX_cleanup(CRYPTO_MUTEX *lock) {}
+
+void CRYPTO_STATIC_MUTEX_lock_read(struct CRYPTO_STATIC_MUTEX *lock) {}
+
+void CRYPTO_STATIC_MUTEX_lock_write(struct CRYPTO_STATIC_MUTEX *lock) {}
+
+void CRYPTO_STATIC_MUTEX_unlock(struct CRYPTO_STATIC_MUTEX *lock) {}
+
+void CRYPTO_once(CRYPTO_once_t *once, void (*init)(void)) {
+  if (*once) {
+    return;
+  }
+  *once = 1;
+  init();
+}
+
+static void *g_thread_locals[NUM_OPENSSL_THREAD_LOCALS];
+
+void *CRYPTO_get_thread_local(thread_local_data_t index) {
+  return g_thread_locals[index];
+}
+
+int CRYPTO_set_thread_local(thread_local_data_t index, void *value,
+                            thread_local_destructor_t destructor) {
+  g_thread_locals[index] = value;
+  return 1;
+}
+
+#endif  /* OPENSSL_NO_THREADS */
diff --git a/src/crypto/thread_pthread.c b/src/crypto/thread_pthread.c
new file mode 100644
index 0000000..59c4b8d
--- /dev/null
+++ b/src/crypto/thread_pthread.c
@@ -0,0 +1,162 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include "internal.h"
+
+#if !defined(OPENSSL_WINDOWS) && !defined(OPENSSL_NO_THREADS)
+
+#include <pthread.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/mem.h>
+#include <openssl/type_check.h>
+
+
+OPENSSL_COMPILE_ASSERT(sizeof(CRYPTO_MUTEX) >= sizeof(pthread_rwlock_t),
+                       CRYPTO_MUTEX_too_small);
+
+void CRYPTO_MUTEX_init(CRYPTO_MUTEX *lock) {
+  if (pthread_rwlock_init((pthread_rwlock_t *) lock, NULL) != 0) {
+    abort();
+  }
+}
+
+void CRYPTO_MUTEX_lock_read(CRYPTO_MUTEX *lock) {
+  if (pthread_rwlock_rdlock((pthread_rwlock_t *) lock) != 0) {
+    abort();
+  }
+}
+
+void CRYPTO_MUTEX_lock_write(CRYPTO_MUTEX *lock) {
+  if (pthread_rwlock_wrlock((pthread_rwlock_t *) lock) != 0) {
+    abort();
+  }
+}
+
+void CRYPTO_MUTEX_unlock(CRYPTO_MUTEX *lock) {
+  if (pthread_rwlock_unlock((pthread_rwlock_t *) lock) != 0) {
+    abort();
+  }
+}
+
+void CRYPTO_MUTEX_cleanup(CRYPTO_MUTEX *lock) {
+  pthread_rwlock_destroy((pthread_rwlock_t *) lock);
+}
+
+void CRYPTO_STATIC_MUTEX_lock_read(struct CRYPTO_STATIC_MUTEX *lock) {
+  if (pthread_rwlock_rdlock(&lock->lock) != 0) {
+    abort();
+  }
+}
+
+void CRYPTO_STATIC_MUTEX_lock_write(struct CRYPTO_STATIC_MUTEX *lock) {
+  if (pthread_rwlock_wrlock(&lock->lock) != 0) {
+    abort();
+  }
+}
+
+void CRYPTO_STATIC_MUTEX_unlock(struct CRYPTO_STATIC_MUTEX *lock) {
+  if (pthread_rwlock_unlock(&lock->lock) != 0) {
+    abort();
+  }
+}
+
+void CRYPTO_once(CRYPTO_once_t *once, void (*init)(void)) {
+  pthread_once(once, init);
+}
+
+static pthread_mutex_t g_destructors_lock = PTHREAD_MUTEX_INITIALIZER;
+static thread_local_destructor_t g_destructors[NUM_OPENSSL_THREAD_LOCALS];
+
+static void thread_local_destructor(void *arg) {
+  if (arg == NULL) {
+    return;
+  }
+
+  thread_local_destructor_t destructors[NUM_OPENSSL_THREAD_LOCALS];
+  if (pthread_mutex_lock(&g_destructors_lock) != 0) {
+    return;
+  }
+  memcpy(destructors, g_destructors, sizeof(destructors));
+  pthread_mutex_unlock(&g_destructors_lock);
+
+  unsigned i;
+  void **pointers = arg;
+  for (i = 0; i < NUM_OPENSSL_THREAD_LOCALS; i++) {
+    if (destructors[i] != NULL) {
+      destructors[i](pointers[i]);
+    }
+  }
+
+  OPENSSL_free(pointers);
+}
+
+static pthread_once_t g_thread_local_init_once = PTHREAD_ONCE_INIT;
+static pthread_key_t g_thread_local_key;
+static int g_thread_local_failed = 0;
+
+static void thread_local_init(void) {
+  g_thread_local_failed =
+      pthread_key_create(&g_thread_local_key, thread_local_destructor) != 0;
+}
+
+void *CRYPTO_get_thread_local(thread_local_data_t index) {
+  CRYPTO_once(&g_thread_local_init_once, thread_local_init);
+  if (g_thread_local_failed) {
+    return NULL;
+  }
+
+  void **pointers = pthread_getspecific(g_thread_local_key);
+  if (pointers == NULL) {
+    return NULL;
+  }
+  return pointers[index];
+}
+
+int CRYPTO_set_thread_local(thread_local_data_t index, void *value,
+                            thread_local_destructor_t destructor) {
+  CRYPTO_once(&g_thread_local_init_once, thread_local_init);
+  if (g_thread_local_failed) {
+    destructor(value);
+    return 0;
+  }
+
+  void **pointers = pthread_getspecific(g_thread_local_key);
+  if (pointers == NULL) {
+    pointers = OPENSSL_malloc(sizeof(void *) * NUM_OPENSSL_THREAD_LOCALS);
+    if (pointers == NULL) {
+      destructor(value);
+      return 0;
+    }
+    memset(pointers, 0, sizeof(void *) * NUM_OPENSSL_THREAD_LOCALS);
+    if (pthread_setspecific(g_thread_local_key, pointers) != 0) {
+      OPENSSL_free(pointers);
+      destructor(value);
+      return 0;
+    }
+  }
+
+  if (pthread_mutex_lock(&g_destructors_lock) != 0) {
+    destructor(value);
+    return 0;
+  }
+  g_destructors[index] = destructor;
+  pthread_mutex_unlock(&g_destructors_lock);
+
+  pointers[index] = value;
+  return 1;
+}
+
+#endif  /* !OPENSSL_WINDOWS && !OPENSSL_NO_THREADS */
diff --git a/src/crypto/thread_test.c b/src/crypto/thread_test.c
new file mode 100644
index 0000000..cecda88
--- /dev/null
+++ b/src/crypto/thread_test.c
@@ -0,0 +1,202 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include "internal.h"
+
+#include <stdio.h>
+
+
+#if !defined(OPENSSL_NO_THREADS)
+
+#if defined(OPENSSL_WINDOWS)
+
+#pragma warning(push, 3)
+#include <Windows.h>
+#pragma warning(pop)
+
+typedef HANDLE thread_t;
+
+static DWORD WINAPI thread_run(LPVOID arg) {
+  void (*thread_func)(void);
+  /* VC really doesn't like casting between data and function pointers. */
+  memcpy(&thread_func, &arg, sizeof(thread_func));
+  thread_func();
+  return 0;
+}
+
+static int run_thread(thread_t *out_thread, void (*thread_func)(void)) {
+  void *arg;
+  /* VC really doesn't like casting between data and function pointers. */
+  memcpy(&arg, &thread_func, sizeof(arg));
+
+  *out_thread = CreateThread(NULL /* security attributes */,
+                             0 /* default stack size */, thread_run, arg,
+                             0 /* run immediately */, NULL /* ignore id */);
+  return *out_thread != NULL;
+}
+
+static int wait_for_thread(thread_t thread) {
+  return WaitForSingleObject(thread, INFINITE) == 0;
+}
+
+#else
+
+#include <pthread.h>
+
+typedef pthread_t thread_t;
+
+static void *thread_run(void *arg) {
+  void (*thread_func)(void) = arg;
+  thread_func();
+  return NULL;
+}
+
+static int run_thread(thread_t *out_thread, void (*thread_func)(void)) {
+  return pthread_create(out_thread, NULL /* default attributes */, thread_run,
+                        thread_func) == 0;
+}
+
+static int wait_for_thread(thread_t thread) {
+  return pthread_join(thread, NULL) == 0;
+}
+
+#endif  /* OPENSSL_WINDOWS */
+
+static unsigned g_once_init_called = 0;
+
+static void once_init(void) {
+  g_once_init_called++;
+}
+
+static CRYPTO_once_t g_test_once = CRYPTO_ONCE_INIT;
+
+static void call_once_thread(void) {
+  CRYPTO_once(&g_test_once, once_init);
+}
+
+static int test_once(void) {
+  if (g_once_init_called != 0) {
+    fprintf(stderr, "g_once_init_called was non-zero at start.\n");
+    return 0;
+  }
+
+  thread_t thread;
+  if (!run_thread(&thread, call_once_thread) ||
+      !wait_for_thread(thread)) {
+    fprintf(stderr, "thread failed.\n");
+    return 0;
+  }
+
+  CRYPTO_once(&g_test_once, once_init);
+
+  if (g_once_init_called != 1) {
+    fprintf(stderr, "Expected init function to be called once, but found %u.\n",
+            g_once_init_called);
+    return 0;
+  }
+
+  return 1;
+}
+
+
+static int g_test_thread_ok = 0;
+static unsigned g_destructor_called_count = 0;
+
+static void thread_local_destructor(void *arg) {
+  if (arg == NULL) {
+    return;
+  }
+
+  unsigned *count = arg;
+  (*count)++;
+}
+
+static void thread_local_test_thread(void) {
+  void *ptr = CRYPTO_get_thread_local(OPENSSL_THREAD_LOCAL_TEST);
+  if (ptr != NULL) {
+    return;
+  }
+
+  if (!CRYPTO_set_thread_local(OPENSSL_THREAD_LOCAL_TEST,
+                               &g_destructor_called_count,
+                               thread_local_destructor)) {
+    return;
+  }
+
+  if (CRYPTO_get_thread_local(OPENSSL_THREAD_LOCAL_TEST) !=
+      &g_destructor_called_count) {
+    return;
+  }
+
+  g_test_thread_ok = 1;
+}
+
+static void thread_local_test2_thread(void) {}
+
+static int test_thread_local(void) {
+  void *ptr = CRYPTO_get_thread_local(OPENSSL_THREAD_LOCAL_TEST);
+  if (ptr != NULL) {
+    fprintf(stderr, "Thread-local data was non-NULL at start.\n");
+  }
+
+  thread_t thread;
+  if (!run_thread(&thread, thread_local_test_thread) ||
+      !wait_for_thread(thread)) {
+    fprintf(stderr, "thread failed.\n");
+    return 0;
+  }
+
+  if (!g_test_thread_ok) {
+    fprintf(stderr, "Thread-local data didn't work in thread.\n");
+    return 0;
+  }
+
+  if (g_destructor_called_count != 1) {
+    fprintf(stderr,
+            "Destructor should have been called once, but actually called %u "
+            "times.\n",
+            g_destructor_called_count);
+    return 0;
+  }
+
+  /* thread_local_test2_thread doesn't do anything, but it tests that the
+   * thread destructor function works even if thread-local storage wasn't used
+   * for a thread. */
+  if (!run_thread(&thread, thread_local_test2_thread) ||
+      !wait_for_thread(thread)) {
+    fprintf(stderr, "thread failed.\n");
+    return 0;
+  }
+
+  return 1;
+}
+
+int main(int argc, char **argv) {
+  if (!test_once() ||
+      !test_thread_local()) {
+    return 1;
+  }
+
+  printf("PASS\n");
+  return 0;
+}
+
+#else  /* OPENSSL_NO_THREADS */
+
+int main(int argc, char **argv) {
+  printf("PASS\n");
+  return 0;
+}
+
+#endif
diff --git a/src/crypto/thread_win.c b/src/crypto/thread_win.c
new file mode 100644
index 0000000..5efd8be
--- /dev/null
+++ b/src/crypto/thread_win.c
@@ -0,0 +1,282 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include "internal.h"
+
+#if defined(OPENSSL_WINDOWS) && !defined(OPENSSL_NO_THREADS)
+
+#pragma warning(push, 3)
+#include <windows.h>
+#pragma warning(pop)
+
+#include <assert.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/mem.h>
+#include <openssl/type_check.h>
+
+
+OPENSSL_COMPILE_ASSERT(sizeof(CRYPTO_MUTEX) >= sizeof(CRITICAL_SECTION),
+                       CRYPTO_MUTEX_too_small);
+
+static void run_once(CRYPTO_once_t *in_once, void (*init)(void *), void *arg) {
+  volatile LONG *once = in_once;
+
+  /* Values must be aligned. */
+  assert((((uintptr_t) once) & 3) == 0);
+
+  /* This assumes that reading *once has acquire semantics. This should be true
+   * on x86 and x86-64, where we expect Windows to run. */
+#if !defined(OPENSSL_X86) && !defined(OPENSSL_X86_64)
+#error "Windows once code may not work on other platforms." \
+       "You can use InitOnceBeginInitialize on >=Vista"
+#endif
+  if (*once == 1) {
+    return;
+  }
+
+  for (;;) {
+    switch (InterlockedCompareExchange(once, 2, 0)) {
+      case 0:
+        /* The value was zero so we are the first thread to call |CRYPTO_once|
+         * on it. */
+        init(arg);
+        /* Write one to indicate that initialisation is complete. */
+        InterlockedExchange(once, 1);
+        return;
+
+      case 1:
+        /* Another thread completed initialisation between our fast-path check
+         * and |InterlockedCompareExchange|. */
+        return;
+
+      case 2:
+        /* Another thread is running the initialisation. Switch to it then try
+         * again. */
+        SwitchToThread();
+        break;
+
+      default:
+        abort();
+    }
+  }
+}
+
+static void call_once_init(void *arg) {
+  void (*init_func)(void);
+  /* MSVC does not like casting between data and function pointers. */
+  memcpy(&init_func, &arg, sizeof(void *));
+  init_func();
+}
+
+void CRYPTO_once(CRYPTO_once_t *in_once, void (*init)(void)) {
+  void *arg;
+  /* MSVC does not like casting between data and function pointers. */
+  memcpy(&arg, &init, sizeof(void *));
+  run_once(in_once, call_once_init, arg);
+}
+
+void CRYPTO_MUTEX_init(CRYPTO_MUTEX *lock) {
+  if (!InitializeCriticalSectionAndSpinCount((CRITICAL_SECTION *) lock, 0x400)) {
+    abort();
+  }
+}
+
+void CRYPTO_MUTEX_lock_read(CRYPTO_MUTEX *lock) {
+  /* Since we have to support Windows XP, read locks are actually exclusive. */
+  EnterCriticalSection((CRITICAL_SECTION *) lock);
+}
+
+void CRYPTO_MUTEX_lock_write(CRYPTO_MUTEX *lock) {
+  EnterCriticalSection((CRITICAL_SECTION *) lock);
+}
+
+void CRYPTO_MUTEX_unlock(CRYPTO_MUTEX *lock) {
+  LeaveCriticalSection((CRITICAL_SECTION *) lock);
+}
+
+void CRYPTO_MUTEX_cleanup(CRYPTO_MUTEX *lock) {
+  DeleteCriticalSection((CRITICAL_SECTION *) lock);
+}
+
+static void static_lock_init(void *arg) {
+  struct CRYPTO_STATIC_MUTEX *lock = arg;
+  if (!InitializeCriticalSectionAndSpinCount(&lock->lock, 0x400)) {
+    abort();
+  }
+}
+
+void CRYPTO_STATIC_MUTEX_lock_read(struct CRYPTO_STATIC_MUTEX *lock) {
+  /* Since we have to support Windows XP, read locks are actually exclusive. */
+  run_once(&lock->once, static_lock_init, lock);
+  EnterCriticalSection(&lock->lock);
+}
+
+void CRYPTO_STATIC_MUTEX_lock_write(struct CRYPTO_STATIC_MUTEX *lock) {
+  CRYPTO_STATIC_MUTEX_lock_read(lock);
+}
+
+void CRYPTO_STATIC_MUTEX_unlock(struct CRYPTO_STATIC_MUTEX *lock) {
+  LeaveCriticalSection(&lock->lock);
+}
+
+static CRITICAL_SECTION g_destructors_lock;
+static thread_local_destructor_t g_destructors[NUM_OPENSSL_THREAD_LOCALS];
+
+static CRYPTO_once_t g_thread_local_init_once = CRYPTO_ONCE_INIT;
+static DWORD g_thread_local_key;
+static int g_thread_local_failed;
+
+static void thread_local_init(void) {
+  if (!InitializeCriticalSectionAndSpinCount(&g_destructors_lock, 0x400)) {
+    g_thread_local_failed = 1;
+    return;
+  }
+  g_thread_local_key = TlsAlloc();
+  g_thread_local_failed = (g_thread_local_key == TLS_OUT_OF_INDEXES);
+}
+
+static void NTAPI thread_local_destructor(PVOID module,
+                                          DWORD reason, PVOID reserved) {
+  if (DLL_THREAD_DETACH != reason && DLL_PROCESS_DETACH != reason) {
+    return;
+  }
+
+  CRYPTO_once(&g_thread_local_init_once, thread_local_init);
+  if (g_thread_local_failed) {
+    return;
+  }
+
+  void **pointers = (void**) TlsGetValue(g_thread_local_key);
+  if (pointers == NULL) {
+    return;
+  }
+
+  thread_local_destructor_t destructors[NUM_OPENSSL_THREAD_LOCALS];
+
+  EnterCriticalSection(&g_destructors_lock);
+  memcpy(destructors, g_destructors, sizeof(destructors));
+  LeaveCriticalSection(&g_destructors_lock);
+
+  unsigned i;
+  for (i = 0; i < NUM_OPENSSL_THREAD_LOCALS; i++) {
+    if (destructors[i] != NULL) {
+      destructors[i](pointers[i]);
+    }
+  }
+
+  OPENSSL_free(pointers);
+}
+
+/* Thread Termination Callbacks.
+ *
+ * Windows doesn't support a per-thread destructor with its TLS primitives.
+ * So, we build it manually by inserting a function to be called on each
+ * thread's exit. This magic is from http://www.codeproject.com/threads/tls.asp
+ * and it works for VC++ 7.0 and later.
+ *
+ * Force a reference to _tls_used to make the linker create the TLS directory
+ * if it's not already there. (E.g. if __declspec(thread) is not used). Force
+ * a reference to p_thread_callback_boringssl to prevent whole program
+ * optimization from discarding the variable. */
+#ifdef _WIN64
+#pragma comment(linker, "/INCLUDE:_tls_used")
+#pragma comment(linker, "/INCLUDE:p_thread_callback_boringssl")
+#else
+#pragma comment(linker, "/INCLUDE:__tls_used")
+#pragma comment(linker, "/INCLUDE:_p_thread_callback_boringssl")
+#endif
+
+/* .CRT$XLA to .CRT$XLZ is an array of PIMAGE_TLS_CALLBACK pointers that are
+ * called automatically by the OS loader code (not the CRT) when the module is
+ * loaded and on thread creation. They are NOT called if the module has been
+ * loaded by a LoadLibrary() call. It must have implicitly been loaded at
+ * process startup.
+ *
+ * By implicitly loaded, I mean that it is directly referenced by the main EXE
+ * or by one of its dependent DLLs. Delay-loaded DLL doesn't count as being
+ * implicitly loaded.
+ *
+ * See VC\crt\src\tlssup.c for reference. */
+
+/* The linker must not discard p_thread_callback_boringssl. (We force a reference
+ * to this variable with a linker /INCLUDE:symbol pragma to ensure that.) If
+ * this variable is discarded, the OnThreadExit function will never be
+ * called. */
+#ifdef _WIN64
+
+/* .CRT section is merged with .rdata on x64 so it must be constant data. */
+#pragma const_seg(".CRT$XLC")
+/* When defining a const variable, it must have external linkage to be sure the
+ * linker doesn't discard it. */
+extern const PIMAGE_TLS_CALLBACK p_thread_callback_boringssl;
+const PIMAGE_TLS_CALLBACK p_thread_callback_boringssl = thread_local_destructor;
+/* Reset the default section. */
+#pragma const_seg()
+
+#else
+
+#pragma data_seg(".CRT$XLC")
+PIMAGE_TLS_CALLBACK p_thread_callback_boringssl = thread_local_destructor;
+/* Reset the default section. */
+#pragma data_seg()
+
+#endif  /* _WIN64 */
+
+void *CRYPTO_get_thread_local(thread_local_data_t index) {
+  CRYPTO_once(&g_thread_local_init_once, thread_local_init);
+  if (g_thread_local_failed) {
+    return NULL;
+  }
+
+  void **pointers = TlsGetValue(g_thread_local_key);
+  if (pointers == NULL) {
+    return NULL;
+  }
+  return pointers[index];
+}
+
+int CRYPTO_set_thread_local(thread_local_data_t index, void *value,
+                            thread_local_destructor_t destructor) {
+  CRYPTO_once(&g_thread_local_init_once, thread_local_init);
+  if (g_thread_local_failed) {
+    destructor(value);
+    return 0;
+  }
+
+  void **pointers = TlsGetValue(g_thread_local_key);
+  if (pointers == NULL) {
+    pointers = OPENSSL_malloc(sizeof(void *) * NUM_OPENSSL_THREAD_LOCALS);
+    if (pointers == NULL) {
+      destructor(value);
+      return 0;
+    }
+    memset(pointers, 0, sizeof(void *) * NUM_OPENSSL_THREAD_LOCALS);
+    if (TlsSetValue(g_thread_local_key, pointers) == 0) {
+      OPENSSL_free(pointers);
+      destructor(value);
+      return 0;
+    }
+  }
+
+  EnterCriticalSection(&g_destructors_lock);
+  g_destructors[index] = destructor;
+  LeaveCriticalSection(&g_destructors_lock);
+
+  pointers[index] = value;
+  return 1;
+}
+
+#endif  /* OPENSSL_WINDOWS && !OPENSSL_NO_THREADS */
diff --git a/src/crypto/time_support.c b/src/crypto/time_support.c
index 9302ebf..bf9daed 100644
--- a/src/crypto/time_support.c
+++ b/src/crypto/time_support.c
@@ -67,6 +67,9 @@
 
 #include <openssl/time_support.h>
 
+#include <time.h>
+
+
 #define SECS_PER_DAY (24 * 60 * 60)
 
 struct tm *OPENSSL_gmtime(const time_t *time, struct tm *result) {
@@ -135,8 +138,9 @@ static int julian_adj(const struct tm *tm, int off_day, long offset_sec,
   /* Work out Julian day of new date */
   time_jd += offset_day;
 
-  if (time_jd < 0)
+  if (time_jd < 0) {
     return 0;
+  }
 
   *pday = time_jd;
   *psec = offset_hms;
@@ -148,15 +152,17 @@ int OPENSSL_gmtime_adj(struct tm *tm, int off_day, long offset_sec) {
   long time_jd;
 
   /* Convert time and offset into julian day and seconds */
-  if (!julian_adj(tm, off_day, offset_sec, &time_jd, &time_sec))
+  if (!julian_adj(tm, off_day, offset_sec, &time_jd, &time_sec)) {
     return 0;
+  }
 
   /* Convert Julian day back to date */
 
   julian_to_date(time_jd, &time_year, &time_month, &time_day);
 
-  if (time_year < 1900 || time_year > 9999)
+  if (time_year < 1900 || time_year > 9999) {
     return 0;
+  }
 
   /* Update tm structure */
 
diff --git a/src/crypto/x509/CMakeLists.txt b/src/crypto/x509/CMakeLists.txt
index f00e28a..96cf35c 100644
--- a/src/crypto/x509/CMakeLists.txt
+++ b/src/crypto/x509/CMakeLists.txt
@@ -22,7 +22,6 @@ add_library(
   x509_cmp.c
   x509_d2.c
   x509_def.c
-  x509_error.c
   x509_ext.c
   x509_lu.c
   x509_obj.c
diff --git a/src/crypto/x509/asn1_gen.c b/src/crypto/x509/asn1_gen.c
index 750701e..d4d1ee6 100644
--- a/src/crypto/x509/asn1_gen.c
+++ b/src/crypto/x509/asn1_gen.c
@@ -64,6 +64,11 @@
 #include <openssl/obj.h>
 #include <openssl/x509v3.h>
 
+#include "../internal.h"
+
+
+/* Although this file is in crypto/x509 for layering purposes, it emits errors
+ * from the ASN.1 module for OpenSSL compatibility. */
 
 #define ASN1_GEN_FLAG		0x10000
 #define ASN1_GEN_FLAG_IMP	(ASN1_GEN_FLAG|1)
@@ -138,6 +143,7 @@ ASN1_TYPE *ASN1_generate_nconf(char *str, CONF *nconf)
 	}
 
 ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf)
+                            OPENSSL_SUPPRESS_POTENTIALLY_UNINITIALIZED_WARNINGS
 	{
 	ASN1_TYPE *ret;
 	tag_exp_arg asn1_tags;
@@ -165,7 +171,7 @@ ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf)
 		{
 		if (!cnf)
 			{
-			OPENSSL_PUT_ERROR(X509, ASN1_generate_v3, ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG);
+			OPENSSL_PUT_ERROR(ASN1, ASN1_generate_v3, ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG);
 			return NULL;
 			}
 		ret = asn1_multi(asn1_tags.utype, asn1_tags.str, cnf);
@@ -308,7 +314,7 @@ static int asn1_cb(const char *elem, int len, void *bitstr)
 
 	if (utype == -1)
 		{
-		OPENSSL_PUT_ERROR(X509, asn1_cb, ASN1_R_UNKNOWN_TAG);
+		OPENSSL_PUT_ERROR(ASN1, asn1_cb, ASN1_R_UNKNOWN_TAG);
 		ERR_add_error_data(2, "tag=", elem);
 		return -1;
 		}
@@ -321,7 +327,7 @@ static int asn1_cb(const char *elem, int len, void *bitstr)
 		/* If no value and not end of string, error */
 		if (!vstart && elem[len])
 			{
-			OPENSSL_PUT_ERROR(X509, asn1_cb, ASN1_R_MISSING_VALUE);
+			OPENSSL_PUT_ERROR(ASN1, asn1_cb, ASN1_R_MISSING_VALUE);
 			return -1;
 			}
 		return 0;
@@ -334,7 +340,7 @@ static int asn1_cb(const char *elem, int len, void *bitstr)
 		/* Check for illegal multiple IMPLICIT tagging */
 		if (arg->imp_tag != -1)
 			{
-			OPENSSL_PUT_ERROR(X509, asn1_cb, ASN1_R_ILLEGAL_NESTED_TAGGING);
+			OPENSSL_PUT_ERROR(ASN1, asn1_cb, ASN1_R_ILLEGAL_NESTED_TAGGING);
 			return -1;
 			}
 		if (!parse_tagging(vstart, vlen, &arg->imp_tag, &arg->imp_class))
@@ -370,17 +376,22 @@ static int asn1_cb(const char *elem, int len, void *bitstr)
 		break;
 
 		case ASN1_GEN_FLAG_FORMAT:
+		if (!vstart)
+			{
+			OPENSSL_PUT_ERROR(ASN1, asn1_cb, ASN1_R_UNKNOWN_FORMAT);
+			return -1;
+			}
 		if (!strncmp(vstart, "ASCII", 5))
 			arg->format = ASN1_GEN_FORMAT_ASCII;
 		else if (!strncmp(vstart, "UTF8", 4))
 			arg->format = ASN1_GEN_FORMAT_UTF8;
 		else if (!strncmp(vstart, "HEX", 3))
 			arg->format = ASN1_GEN_FORMAT_HEX;
-		else if (!strncmp(vstart, "BITLIST", 3))
+		else if (!strncmp(vstart, "BITLIST", 7))
 			arg->format = ASN1_GEN_FORMAT_BITLIST;
 		else
 			{
-			OPENSSL_PUT_ERROR(X509, asn1_cb, ASN1_R_UNKNOWN_FORMAT);
+			OPENSSL_PUT_ERROR(ASN1, asn1_cb, ASN1_R_UNKNOWN_FORMAT);
 			return -1;
 			}
 		break;
@@ -404,7 +415,7 @@ static int parse_tagging(const char *vstart, int vlen, int *ptag, int *pclass)
 		return 0;
 	if (tag_num < 0)
 		{
-		OPENSSL_PUT_ERROR(X509, parse_tagging, ASN1_R_INVALID_NUMBER);
+		OPENSSL_PUT_ERROR(ASN1, parse_tagging, ASN1_R_INVALID_NUMBER);
 		return 0;
 		}
 	*ptag = tag_num;
@@ -437,7 +448,7 @@ static int parse_tagging(const char *vstart, int vlen, int *ptag, int *pclass)
 			default:
 			erch[0] = *eptr;
 			erch[1] = 0;
-			OPENSSL_PUT_ERROR(X509, parse_tagging, ASN1_R_INVALID_MODIFIER);
+			OPENSSL_PUT_ERROR(ASN1, parse_tagging, ASN1_R_INVALID_MODIFIER);
 			ERR_add_error_data(2, "Char=", erch);
 			return 0;
 			break;
@@ -523,13 +534,13 @@ static int append_exp(tag_exp_arg *arg, int exp_tag, int exp_class, int exp_cons
 	/* Can only have IMPLICIT if permitted */
 	if ((arg->imp_tag != -1) && !imp_ok)
 		{
-		OPENSSL_PUT_ERROR(X509, append_exp, ASN1_R_ILLEGAL_IMPLICIT_TAG);
+		OPENSSL_PUT_ERROR(ASN1, append_exp, ASN1_R_ILLEGAL_IMPLICIT_TAG);
 		return 0;
 		}
 
 	if (arg->exp_count == ASN1_FLAG_EXP_MAX)
 		{
-		OPENSSL_PUT_ERROR(X509, append_exp, ASN1_R_DEPTH_EXCEEDED);
+		OPENSSL_PUT_ERROR(ASN1, append_exp, ASN1_R_DEPTH_EXCEEDED);
 		return 0;
 		}
 
@@ -647,7 +658,7 @@ static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype)
 
 	if (!(atmp = ASN1_TYPE_new()))
 		{
-		OPENSSL_PUT_ERROR(X509, asn1_str2type, ERR_R_MALLOC_FAILURE);
+		OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ERR_R_MALLOC_FAILURE);
 		return NULL;
 		}
 
@@ -660,7 +671,7 @@ static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype)
 		case V_ASN1_NULL:
 		if (str && *str)
 			{
-			OPENSSL_PUT_ERROR(X509, asn1_str2type, ASN1_R_ILLEGAL_NULL_VALUE);
+			OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ASN1_R_ILLEGAL_NULL_VALUE);
 			goto bad_form;
 			}
 		break;
@@ -668,7 +679,7 @@ static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype)
 		case V_ASN1_BOOLEAN:
 		if (format != ASN1_GEN_FORMAT_ASCII)
 			{
-			OPENSSL_PUT_ERROR(X509, asn1_str2type, ASN1_R_NOT_ASCII_FORMAT);
+			OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ASN1_R_NOT_ASCII_FORMAT);
 			goto bad_form;
 			}
 		vtmp.name = NULL;
@@ -676,7 +687,7 @@ static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype)
 		vtmp.value = (char *)str;
 		if (!X509V3_get_value_bool(&vtmp, &atmp->value.boolean))
 			{
-			OPENSSL_PUT_ERROR(X509, asn1_str2type, ASN1_R_ILLEGAL_BOOLEAN);
+			OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ASN1_R_ILLEGAL_BOOLEAN);
 			goto bad_str;
 			}
 		break;
@@ -685,12 +696,12 @@ static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype)
 		case V_ASN1_ENUMERATED:
 		if (format != ASN1_GEN_FORMAT_ASCII)
 			{
-			OPENSSL_PUT_ERROR(X509, asn1_str2type, ASN1_R_INTEGER_NOT_ASCII_FORMAT);
+			OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ASN1_R_INTEGER_NOT_ASCII_FORMAT);
 			goto bad_form;
 			}
 		if (!(atmp->value.integer = s2i_ASN1_INTEGER(NULL, (char *)str)))
 			{
-			OPENSSL_PUT_ERROR(X509, asn1_str2type, ASN1_R_ILLEGAL_INTEGER);
+			OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ASN1_R_ILLEGAL_INTEGER);
 			goto bad_str;
 			}
 		break;
@@ -698,12 +709,12 @@ static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype)
 		case V_ASN1_OBJECT:
 		if (format != ASN1_GEN_FORMAT_ASCII)
 			{
-			OPENSSL_PUT_ERROR(X509, asn1_str2type, ASN1_R_OBJECT_NOT_ASCII_FORMAT);
+			OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ASN1_R_OBJECT_NOT_ASCII_FORMAT);
 			goto bad_form;
 			}
 		if (!(atmp->value.object = OBJ_txt2obj(str, 0)))
 			{
-			OPENSSL_PUT_ERROR(X509, asn1_str2type, ASN1_R_ILLEGAL_OBJECT);
+			OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ASN1_R_ILLEGAL_OBJECT);
 			goto bad_str;
 			}
 		break;
@@ -712,23 +723,23 @@ static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype)
 		case V_ASN1_GENERALIZEDTIME:
 		if (format != ASN1_GEN_FORMAT_ASCII)
 			{
-			OPENSSL_PUT_ERROR(X509, asn1_str2type, ASN1_R_TIME_NOT_ASCII_FORMAT);
+			OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ASN1_R_TIME_NOT_ASCII_FORMAT);
 			goto bad_form;
 			}
 		if (!(atmp->value.asn1_string = ASN1_STRING_new()))
 			{
-			OPENSSL_PUT_ERROR(X509, asn1_str2type, ERR_R_MALLOC_FAILURE);
+			OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ERR_R_MALLOC_FAILURE);
 			goto bad_str;
 			}
 		if (!ASN1_STRING_set(atmp->value.asn1_string, str, -1))
 			{
-			OPENSSL_PUT_ERROR(X509, asn1_str2type, ERR_R_MALLOC_FAILURE);
+			OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ERR_R_MALLOC_FAILURE);
 			goto bad_str;
 			}
 		atmp->value.asn1_string->type = utype;
 		if (!ASN1_TIME_check(atmp->value.asn1_string))
 			{
-			OPENSSL_PUT_ERROR(X509, asn1_str2type, ASN1_R_ILLEGAL_TIME_VALUE);
+			OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ASN1_R_ILLEGAL_TIME_VALUE);
 			goto bad_str;
 			}
 
@@ -750,7 +761,7 @@ static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype)
 			format = MBSTRING_UTF8;
 		else
 			{
-			OPENSSL_PUT_ERROR(X509, asn1_str2type, ASN1_R_ILLEGAL_FORMAT);
+			OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ASN1_R_ILLEGAL_FORMAT);
 			goto bad_form;
 			}
 
@@ -758,7 +769,7 @@ static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype)
 		if (ASN1_mbstring_copy(&atmp->value.asn1_string, (unsigned char *)str,
 						-1, format, ASN1_tag2bit(utype)) <= 0)
 			{
-			OPENSSL_PUT_ERROR(X509, asn1_str2type, ERR_R_MALLOC_FAILURE);
+			OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ERR_R_MALLOC_FAILURE);
 			goto bad_str;
 			}
 		
@@ -771,7 +782,7 @@ static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype)
 
 		if (!(atmp->value.asn1_string = ASN1_STRING_new()))
 			{
-			OPENSSL_PUT_ERROR(X509, asn1_str2type, ERR_R_MALLOC_FAILURE);
+			OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ERR_R_MALLOC_FAILURE);
 			goto bad_form;
 			}
 
@@ -780,7 +791,7 @@ static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype)
 
 			if (!(rdata = string_to_hex((char *)str, &rdlen)))
 				{
-				OPENSSL_PUT_ERROR(X509, asn1_str2type, ASN1_R_ILLEGAL_HEX);
+				OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ASN1_R_ILLEGAL_HEX);
 				goto bad_str;
 				}
 
@@ -795,7 +806,7 @@ static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype)
 			{
 			if (!CONF_parse_list(str, ',', 1, bitstr_cb, atmp->value.bit_string))
 				{
-				OPENSSL_PUT_ERROR(X509, asn1_str2type, ASN1_R_LIST_ERROR);
+				OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ASN1_R_LIST_ERROR);
 				goto bad_str;
 				}
 			no_unused = 0;
@@ -803,7 +814,7 @@ static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype)
 			}
 		else 
 			{
-			OPENSSL_PUT_ERROR(X509, asn1_str2type, ASN1_R_ILLEGAL_BITSTRING_FORMAT);
+			OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ASN1_R_ILLEGAL_BITSTRING_FORMAT);
 			goto bad_form;
 			}
 
@@ -819,7 +830,7 @@ static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype)
 		break;
 
 		default:
-		OPENSSL_PUT_ERROR(X509, asn1_str2type, ASN1_R_UNSUPPORTED_TYPE);
+		OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ASN1_R_UNSUPPORTED_TYPE);
 		goto bad_str;
 		break;
 		}
@@ -849,12 +860,12 @@ static int bitstr_cb(const char *elem, int len, void *bitstr)
 		return 0;
 	if (bitnum < 0)
 		{
-		OPENSSL_PUT_ERROR(X509, bitstr_cb, ASN1_R_INVALID_NUMBER);
+		OPENSSL_PUT_ERROR(ASN1, bitstr_cb, ASN1_R_INVALID_NUMBER);
 		return 0;
 		}
 	if (!ASN1_BIT_STRING_set_bit(bitstr, bitnum, 1))
 		{
-		OPENSSL_PUT_ERROR(X509, bitstr_cb, ERR_R_MALLOC_FAILURE);
+		OPENSSL_PUT_ERROR(ASN1, bitstr_cb, ERR_R_MALLOC_FAILURE);
 		return 0;
 		}
 	return 1;
diff --git a/src/crypto/x509/by_dir.c b/src/crypto/x509/by_dir.c
index 5a77b81..098c1bd 100644
--- a/src/crypto/x509/by_dir.c
+++ b/src/crypto/x509/by_dir.c
@@ -63,6 +63,7 @@
 #include <openssl/err.h>
 #include <openssl/lhash.h>
 #include <openssl/mem.h>
+#include <openssl/thread.h>
 #include <openssl/x509.h>
 
 
@@ -442,6 +443,12 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
 				if (!hent)
 					{
 					hent = OPENSSL_malloc(sizeof(BY_DIR_HASH));
+					if (hent == NULL)
+						{
+						CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+						ok = 0;
+						goto finish;
+						}
 					hent->hash = h;
 					hent->suffix = k;
 					if (!sk_BY_DIR_HASH_push(ent->hashes, hent))
diff --git a/src/crypto/x509/by_file.c b/src/crypto/x509/by_file.c
index 2649631..2fdbce4 100644
--- a/src/crypto/x509/by_file.c
+++ b/src/crypto/x509/by_file.c
@@ -55,11 +55,14 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.] */
 
+#include <stdlib.h>
+
 #include <openssl/buf.h>
 #include <openssl/err.h>
 #include <openssl/lhash.h>
 #include <openssl/pem.h>
-#include <openssl/x509.h>
+#include <openssl/thread.h>
+
 
 #ifndef OPENSSL_NO_STDIO
 
diff --git a/src/crypto/x509/i2d_pr.c b/src/crypto/x509/i2d_pr.c
index 8896565..443ca53 100644
--- a/src/crypto/x509/i2d_pr.c
+++ b/src/crypto/x509/i2d_pr.c
@@ -57,8 +57,7 @@
 
 #include <openssl/x509.h>
 
-#include <stdio.h>
-
+#include <openssl/asn1.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
 
@@ -77,7 +76,9 @@ int i2d_PrivateKey(const EVP_PKEY *a, unsigned char **pp)
 		PKCS8_PRIV_KEY_INFO_free(p8);
 		return ret;
 	}
-	OPENSSL_PUT_ERROR(X509, i2d_PrivateKey, ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE);
+	/* Although this file is in crypto/x509 for layering reasons, it emits
+	 * an error code from ASN1 for OpenSSL compatibility. */
+	OPENSSL_PUT_ERROR(ASN1, i2d_PrivateKey, ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE);
 	return -1;
 	}
 
diff --git a/src/crypto/x509/pkcs7.c b/src/crypto/x509/pkcs7.c
index bb86077..99ee3da 100644
--- a/src/crypto/x509/pkcs7.c
+++ b/src/crypto/x509/pkcs7.c
@@ -18,6 +18,7 @@
 
 #include <openssl/bytestring.h>
 #include <openssl/err.h>
+#include <openssl/mem.h>
 #include <openssl/obj.h>
 #include <openssl/pem.h>
 #include <openssl/stack.h>
diff --git a/src/crypto/x509/pkcs7_test.c b/src/crypto/x509/pkcs7_test.c
index bac9fb2..38beb3e 100644
--- a/src/crypto/x509/pkcs7_test.c
+++ b/src/crypto/x509/pkcs7_test.c
@@ -18,6 +18,7 @@
 
 #include <openssl/bytestring.h>
 #include <openssl/crypto.h>
+#include <openssl/mem.h>
 #include <openssl/stack.h>
 #include <openssl/x509.h>
 
diff --git a/src/crypto/x509/vpm_int.h b/src/crypto/x509/vpm_int.h
index d18a4d4..9edbd5a 100644
--- a/src/crypto/x509/vpm_int.h
+++ b/src/crypto/x509/vpm_int.h
@@ -60,10 +60,10 @@
 
 struct X509_VERIFY_PARAM_ID_st
 	{
-	unsigned char *host;	/* If not NULL hostname to match */
-	size_t hostlen;
+	STACK_OF(OPENSSL_STRING) *hosts;	/* Set of acceptable names */
 	unsigned int hostflags;	/* Flags to control matching features */
-	unsigned char *email;	/* If not NULL email address to match */
+	char *peername;		/* Matching hostname in peer certificate */
+	char *email;		/* If not NULL email address to match */
 	size_t emaillen;
 	unsigned char *ip;	/* If not NULL IP address to match */
 	size_t iplen;		/* Length of IP address */
diff --git a/src/crypto/x509/x509_att.c b/src/crypto/x509/x509_att.c
index 3613c35..90e7810 100644
--- a/src/crypto/x509/x509_att.c
+++ b/src/crypto/x509/x509_att.c
@@ -273,7 +273,7 @@ int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj)
 		return(0);
 	ASN1_OBJECT_free(attr->object);
 	attr->object=OBJ_dup(obj);
-	return(1);
+	return attr->object != NULL;
 }
 
 int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *data, int len)
diff --git a/src/crypto/x509/x509_error.c b/src/crypto/x509/x509_error.c
deleted file mode 100644
index 6669a7a..0000000
--- a/src/crypto/x509/x509_error.c
+++ /dev/null
@@ -1,128 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/x509.h>
-
-const ERR_STRING_DATA X509_error_string_data[] = {
-  {ERR_PACK(ERR_LIB_X509, X509_F_ASN1_digest, 0), "ASN1_digest"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_ASN1_generate_v3, 0), "ASN1_generate_v3"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_ASN1_item_sign_ctx, 0), "ASN1_item_sign_ctx"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_ASN1_item_verify, 0), "ASN1_item_verify"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_ASN1_sign, 0), "ASN1_sign"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_NETSCAPE_SPKI_b64_decode, 0), "NETSCAPE_SPKI_b64_decode"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_NETSCAPE_SPKI_b64_encode, 0), "NETSCAPE_SPKI_b64_encode"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_PKCS7_get_CRLs, 0), "PKCS7_get_CRLs"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_PKCS7_get_certificates, 0), "PKCS7_get_certificates"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_ATTRIBUTE_create_by_NID, 0), "X509_ATTRIBUTE_create_by_NID"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_ATTRIBUTE_create_by_OBJ, 0), "X509_ATTRIBUTE_create_by_OBJ"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_ATTRIBUTE_create_by_txt, 0), "X509_ATTRIBUTE_create_by_txt"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_ATTRIBUTE_get0_data, 0), "X509_ATTRIBUTE_get0_data"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_ATTRIBUTE_set1_data, 0), "X509_ATTRIBUTE_set1_data"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_CRL_add0_revoked, 0), "X509_CRL_add0_revoked"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_CRL_diff, 0), "X509_CRL_diff"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_CRL_print_fp, 0), "X509_CRL_print_fp"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_EXTENSION_create_by_NID, 0), "X509_EXTENSION_create_by_NID"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_EXTENSION_create_by_OBJ, 0), "X509_EXTENSION_create_by_OBJ"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_INFO_new, 0), "X509_INFO_new"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_NAME_ENTRY_create_by_NID, 0), "X509_NAME_ENTRY_create_by_NID"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_NAME_ENTRY_create_by_txt, 0), "X509_NAME_ENTRY_create_by_txt"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_NAME_ENTRY_set_object, 0), "X509_NAME_ENTRY_set_object"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_NAME_add_entry, 0), "X509_NAME_add_entry"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_NAME_oneline, 0), "X509_NAME_oneline"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_NAME_print, 0), "X509_NAME_print"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_PKEY_new, 0), "X509_PKEY_new"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_PUBKEY_get, 0), "X509_PUBKEY_get"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_PUBKEY_set, 0), "X509_PUBKEY_set"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_REQ_check_private_key, 0), "X509_REQ_check_private_key"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_REQ_to_X509, 0), "X509_REQ_to_X509"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_STORE_CTX_get1_issuer, 0), "X509_STORE_CTX_get1_issuer"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_STORE_CTX_init, 0), "X509_STORE_CTX_init"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_STORE_CTX_new, 0), "X509_STORE_CTX_new"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_STORE_CTX_purpose_inherit, 0), "X509_STORE_CTX_purpose_inherit"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_STORE_add_cert, 0), "X509_STORE_add_cert"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_STORE_add_crl, 0), "X509_STORE_add_crl"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_TRUST_add, 0), "X509_TRUST_add"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_TRUST_set, 0), "X509_TRUST_set"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_check_private_key, 0), "X509_check_private_key"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_get_pubkey_parameters, 0), "X509_get_pubkey_parameters"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_load_cert_crl_file, 0), "X509_load_cert_crl_file"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_load_cert_file, 0), "X509_load_cert_file"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_load_crl_file, 0), "X509_load_crl_file"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_print_ex_fp, 0), "X509_print_ex_fp"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_to_X509_REQ, 0), "X509_to_X509_REQ"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509_verify_cert, 0), "X509_verify_cert"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509at_add1_attr, 0), "X509at_add1_attr"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_X509v3_add_ext, 0), "X509v3_add_ext"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_add_cert_dir, 0), "add_cert_dir"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_append_exp, 0), "append_exp"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_asn1_cb, 0), "asn1_cb"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_asn1_str2type, 0), "asn1_str2type"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_bitstr_cb, 0), "bitstr_cb"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_by_file_ctrl, 0), "by_file_ctrl"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_check_policy, 0), "check_policy"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_d2i_X509_PKEY, 0), "d2i_X509_PKEY"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_dir_ctrl, 0), "dir_ctrl"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_get_cert_by_subject, 0), "get_cert_by_subject"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_i2d_DSA_PUBKEY, 0), "i2d_DSA_PUBKEY"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_i2d_EC_PUBKEY, 0), "i2d_EC_PUBKEY"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_i2d_PrivateKey, 0), "i2d_PrivateKey"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_i2d_RSA_PUBKEY, 0), "i2d_RSA_PUBKEY"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_parse_tagging, 0), "parse_tagging"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_pkcs7_parse_header, 0), "pkcs7_parse_header"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_x509_name_encode, 0), "x509_name_encode"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_x509_name_ex_d2i, 0), "x509_name_ex_d2i"},
-  {ERR_PACK(ERR_LIB_X509, X509_F_x509_name_ex_new, 0), "x509_name_ex_new"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_AKID_MISMATCH), "AKID_MISMATCH"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_BAD_PKCS7_VERSION), "BAD_PKCS7_VERSION"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_BAD_X509_FILETYPE), "BAD_X509_FILETYPE"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_BASE64_DECODE_ERROR), "BASE64_DECODE_ERROR"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_CANT_CHECK_DH_KEY), "CANT_CHECK_DH_KEY"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_CERT_ALREADY_IN_HASH_TABLE), "CERT_ALREADY_IN_HASH_TABLE"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_CONTEXT_NOT_INITIALISED), "CONTEXT_NOT_INITIALISED"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_CRL_ALREADY_DELTA), "CRL_ALREADY_DELTA"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_CRL_VERIFY_FAILURE), "CRL_VERIFY_FAILURE"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_ERR_ASN1_LIB), "ERR_ASN1_LIB"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_IDP_MISMATCH), "IDP_MISMATCH"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_INVALID_BIT_STRING_BITS_LEFT), "INVALID_BIT_STRING_BITS_LEFT"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_INVALID_DIRECTORY), "INVALID_DIRECTORY"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_INVALID_FIELD_NAME), "INVALID_FIELD_NAME"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_INVALID_TRUST), "INVALID_TRUST"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_ISSUER_MISMATCH), "ISSUER_MISMATCH"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_KEY_TYPE_MISMATCH), "KEY_TYPE_MISMATCH"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_KEY_VALUES_MISMATCH), "KEY_VALUES_MISMATCH"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_LOADING_CERT_DIR), "LOADING_CERT_DIR"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_LOADING_DEFAULTS), "LOADING_DEFAULTS"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_METHOD_NOT_SUPPORTED), "METHOD_NOT_SUPPORTED"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_NEWER_CRL_NOT_NEWER), "NEWER_CRL_NOT_NEWER"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_NOT_PKCS7_SIGNED_DATA), "NOT_PKCS7_SIGNED_DATA"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_NO_CERTIFICATES_INCLUDED), "NO_CERTIFICATES_INCLUDED"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY), "NO_CERT_SET_FOR_US_TO_VERIFY"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_NO_CRLS_INCLUDED), "NO_CRLS_INCLUDED"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_NO_CRL_NUMBER), "NO_CRL_NUMBER"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_PUBLIC_KEY_DECODE_ERROR), "PUBLIC_KEY_DECODE_ERROR"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_PUBLIC_KEY_ENCODE_ERROR), "PUBLIC_KEY_ENCODE_ERROR"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_SHOULD_RETRY), "SHOULD_RETRY"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN), "UNABLE_TO_FIND_PARAMETERS_IN_CHAIN"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY), "UNABLE_TO_GET_CERTS_PUBLIC_KEY"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_UNKNOWN_KEY_TYPE), "UNKNOWN_KEY_TYPE"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_UNKNOWN_NID), "UNKNOWN_NID"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_UNKNOWN_PURPOSE_ID), "UNKNOWN_PURPOSE_ID"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_UNKNOWN_TRUST_ID), "UNKNOWN_TRUST_ID"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_UNSUPPORTED_ALGORITHM), "UNSUPPORTED_ALGORITHM"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_WRONG_LOOKUP_TYPE), "WRONG_LOOKUP_TYPE"},
-  {ERR_PACK(ERR_LIB_X509, 0, X509_R_WRONG_TYPE), "WRONG_TYPE"},
-  {0, NULL},
-};
diff --git a/src/crypto/x509/x509_lu.c b/src/crypto/x509/x509_lu.c
index 090d341..34ef26e 100644
--- a/src/crypto/x509/x509_lu.c
+++ b/src/crypto/x509/x509_lu.c
@@ -60,6 +60,7 @@
 #include <openssl/err.h>
 #include <openssl/lhash.h>
 #include <openssl/mem.h>
+#include <openssl/thread.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
@@ -191,9 +192,6 @@ X509_STORE *X509_STORE_new(void)
 	if ((ret->param = X509_VERIFY_PARAM_new()) == NULL)
 		goto err;
 
-	if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data))
-		goto err;
-
 	ret->references = 1;
 	return ret;
 err:
@@ -261,7 +259,6 @@ void X509_STORE_free(X509_STORE *vfy)
 	sk_X509_LOOKUP_free(sk);
 	sk_X509_OBJECT_pop_free(vfy->objs, cleanup);
 
-	CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE, vfy, &vfy->ex_data);
 	if (vfy->param)
 		X509_VERIFY_PARAM_free(vfy->param);
 	OPENSSL_free(vfy);
diff --git a/src/crypto/x509/x509_req.c b/src/crypto/x509/x509_req.c
index daaedb6..2732d6e 100644
--- a/src/crypto/x509/x509_req.c
+++ b/src/crypto/x509/x509_req.c
@@ -92,6 +92,8 @@ X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
 		goto err;
 
 	pktmp = X509_get_pubkey(x);
+	if (pktmp == NULL)
+		goto err;
 	i=X509_REQ_set_pubkey(ret,pktmp);
 	EVP_PKEY_free(pktmp);
 	if (!i) goto err;
diff --git a/src/crypto/x509/x509_v3.c b/src/crypto/x509/x509_v3.c
index 95fe729..0fc9a9a 100644
--- a/src/crypto/x509/x509_v3.c
+++ b/src/crypto/x509/x509_v3.c
@@ -231,7 +231,7 @@ int X509_EXTENSION_set_object(X509_EXTENSION *ex, const ASN1_OBJECT *obj)
 		return(0);
 	ASN1_OBJECT_free(ex->object);
 	ex->object=OBJ_dup(obj);
-	return(1);
+	return ex->object != NULL;
 	}
 
 int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit)
diff --git a/src/crypto/x509/x509_vfy.c b/src/crypto/x509/x509_vfy.c
index 285bcaf..a0cd9fc 100644
--- a/src/crypto/x509/x509_vfy.c
+++ b/src/crypto/x509/x509_vfy.c
@@ -64,10 +64,15 @@
 #include <openssl/lhash.h>
 #include <openssl/mem.h>
 #include <openssl/obj.h>
+#include <openssl/thread.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
 #include "vpm_int.h"
+#include "../internal.h"
+
+
+static CRYPTO_EX_DATA_CLASS g_ex_data_class = CRYPTO_EX_DATA_CLASS_INIT;
 
 /* CRL score values */
 
@@ -410,9 +415,6 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 
 	if (!ok) goto end;
 
-	/* We may as well copy down any DSA parameters that are required */
-	X509_get_pubkey_parameters(NULL,ctx->chain);
-
 	/* Check revocation status: we do this after copying parameters
 	 * because they may be needed for CRL signature verification.
 	 */
@@ -441,12 +443,8 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
 	/* If we get this far evaluate policies */
 	if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
 		ok = ctx->check_policy(ctx);
-	if(!ok) goto end;
-	if (0)
-		{
+
 end:
-		X509_get_pubkey_parameters(NULL,ctx->chain);
-		}
 	if (sktmp != NULL) sk_X509_free(sktmp);
 	if (chain_ss != NULL) X509_free(chain_ss);
 	return ok;
@@ -704,23 +702,38 @@ static int check_id_error(X509_STORE_CTX *ctx, int errcode)
 	return ctx->verify_cb(0, ctx);
 	}
 
+static int check_hosts(X509 *x, X509_VERIFY_PARAM_ID *id)
+	{
+	size_t i;
+	size_t n = sk_OPENSSL_STRING_num(id->hosts);
+	char *name;
+
+	for (i = 0; i < n; ++i)
+		{
+		name = sk_OPENSSL_STRING_value(id->hosts, i);
+		if (X509_check_host(x, name, strlen(name), id->hostflags,
+				    &id->peername) > 0)
+			return 1;
+		}
+	return n == 0;
+	}
+
 static int check_id(X509_STORE_CTX *ctx)
 	{
 	X509_VERIFY_PARAM *vpm = ctx->param;
 	X509_VERIFY_PARAM_ID *id = vpm->id;
 	X509 *x = ctx->cert;
-	if (id->host && !X509_check_host(x, id->host, id->hostlen,
-					 id->hostflags))
+	if (id->hosts && check_hosts(x, id) <= 0)
 		{
 		if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH))
 			return 0;
 		}
-	if (id->email && !X509_check_email(x, id->email, id->emaillen, 0))
+	if (id->email && X509_check_email(x, id->email, id->emaillen, 0) <= 0)
 		{
 		if (!check_id_error(ctx, X509_V_ERR_EMAIL_MISMATCH))
 			return 0;
 		}
-	if (id->ip && !X509_check_ip(x, id->ip, id->iplen, 0))
+	if (id->ip && X509_check_ip(x, id->ip, id->iplen, 0) <= 0)
 		{
 		if (!check_id_error(ctx, X509_V_ERR_IP_ADDRESS_MISMATCH))
 			return 0;
@@ -805,6 +818,7 @@ static int check_revocation(X509_STORE_CTX *ctx)
 	}
 
 static int check_cert(X509_STORE_CTX *ctx)
+                      OPENSSL_SUPPRESS_POTENTIALLY_UNINITIALIZED_WARNINGS
 	{
 	X509_CRL *crl = NULL, *dcrl = NULL;
 	X509 *x;
@@ -1917,48 +1931,6 @@ ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s,
 	return ASN1_TIME_adj(s, t, offset_day, offset_sec);
 	}
 
-int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
-	{
-	EVP_PKEY *ktmp=NULL,*ktmp2;
-	size_t i,j;
-
-	if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1;
-
-	for (i=0; i<sk_X509_num(chain); i++)
-		{
-		ktmp=X509_get_pubkey(sk_X509_value(chain,i));
-		if (ktmp == NULL)
-			{
-			OPENSSL_PUT_ERROR(X509, X509_get_pubkey_parameters, X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
-			return 0;
-			}
-		if (!EVP_PKEY_missing_parameters(ktmp))
-			break;
-		else
-			{
-			EVP_PKEY_free(ktmp);
-			ktmp=NULL;
-			}
-		}
-	if (ktmp == NULL)
-		{
-		OPENSSL_PUT_ERROR(X509, X509_get_pubkey_parameters, X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
-		return 0;
-		}
-
-	/* first, populate the other certs */
-	for (j=i-1; j < i; j--)
-		{
-		ktmp2=X509_get_pubkey(sk_X509_value(chain,j));
-		EVP_PKEY_copy_parameters(ktmp2,ktmp);
-		EVP_PKEY_free(ktmp2);
-		}
-	
-	if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp);
-	EVP_PKEY_free(ktmp);
-	return 1;
-	}
-
 /* Make a delta CRL as the diff between two full CRLs */
 
 X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
@@ -2084,8 +2056,13 @@ int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_fu
 	{
 	/* This function is (usually) called only once, by
 	 * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */
-	return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp,
-			new_func, dup_func, free_func);
+	int index;
+	if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp,
+			new_func, dup_func, free_func))
+		{
+		return -1;
+		}
+	return index;
 	}
 
 int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
@@ -2255,7 +2232,7 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
 	ctx->cert=x509;
 	ctx->untrusted=chain;
 
-	if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx,
+	if(!CRYPTO_new_ex_data(&g_ex_data_class, ctx,
 			       &ctx->ex_data))
 		{
 		goto err;
@@ -2346,7 +2323,7 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
 err:
 	if (ex_data_allocated)
 		{
-		CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &ctx->ex_data);
+		CRYPTO_free_ex_data(&g_ex_data_class, ctx, &ctx->ex_data);
 		}
 	if (ctx->param != NULL)
 		{
@@ -2387,7 +2364,7 @@ void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
 		sk_X509_pop_free(ctx->chain,X509_free);
 		ctx->chain=NULL;
 		}
-	CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data));
+	CRYPTO_free_ex_data(&g_ex_data_class, ctx, &(ctx->ex_data));
 	memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA));
 	}
 
diff --git a/src/crypto/x509/x509_vpm.c b/src/crypto/x509/x509_vpm.c
index 3daaf61..8c8f98e 100644
--- a/src/crypto/x509/x509_vpm.c
+++ b/src/crypto/x509/x509_vpm.c
@@ -58,6 +58,7 @@
 #include <openssl/lhash.h>
 #include <openssl/mem.h>
 #include <openssl/obj.h>
+#include <openssl/stack.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
@@ -66,6 +67,59 @@
 
 /* X509_VERIFY_PARAM functions */
 
+#define SET_HOST 0
+#define ADD_HOST 1
+
+static char *str_copy(char *s) { return OPENSSL_strdup(s); }
+static void str_free(char *s) { OPENSSL_free(s); }
+
+#define string_stack_free(sk) sk_OPENSSL_STRING_pop_free(sk, str_free)
+
+static int int_x509_param_set_hosts(X509_VERIFY_PARAM_ID *id, int mode,
+				    const char *name, size_t namelen)
+	{
+	char *copy;
+
+	/*
+	 * Refuse names with embedded NUL bytes.
+	 * XXX: Do we need to push an error onto the error stack?
+	 */
+	if (name && memchr(name, '\0', namelen))
+		 return 0;
+
+	if (mode == SET_HOST && id->hosts)
+		{
+		string_stack_free(id->hosts);
+		id->hosts = NULL;
+		}
+	if (name == NULL || namelen == 0)
+		return 1;
+
+	copy = BUF_strndup(name, namelen);
+	if (copy == NULL)
+		return 0;
+
+	if (id->hosts == NULL &&
+	    (id->hosts = sk_OPENSSL_STRING_new_null()) == NULL)
+		{
+		OPENSSL_free(copy);
+		return 0;
+		}
+
+	if (!sk_OPENSSL_STRING_push(id->hosts, copy))
+		{
+		OPENSSL_free(copy);
+		if (sk_OPENSSL_STRING_num(id->hosts) == 0)
+			{
+			sk_OPENSSL_STRING_free(id->hosts);
+			id->hosts = NULL;
+			}
+		return 0;
+		}
+
+	return 1;
+	}
+
 static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
 	{
 	X509_VERIFY_PARAM_ID *paramid;
@@ -84,11 +138,15 @@ static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
 		param->policies = NULL;
 		}
 	paramid = param->id;
-	if (paramid->host)
+	if (paramid->hosts)
 		{
-		OPENSSL_free(paramid->host);
-		paramid->host = NULL;
-		paramid->hostlen = 0;
+		string_stack_free(paramid->hosts);
+		paramid->hosts = NULL;
+		}
+	if (paramid->peername)
+		{
+		OPENSSL_free(paramid->peername);
+		paramid->peername = NULL;
 		}
 	if (paramid->email)
 		{
@@ -127,6 +185,8 @@ X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
 
 void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
 	{
+	if (param == NULL)
+		return;
 	x509_verify_param_zero(param);
 	OPENSSL_free(param->id);
 	OPENSSL_free(param);
@@ -232,11 +292,23 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
 			return 0;
 		}
 
-	if (test_x509_verify_param_copy_id(host, NULL))
+	/* Copy the host flags if and only if we're copying the host list */
+	if (test_x509_verify_param_copy_id(hosts, NULL))
 		{
-		if (!X509_VERIFY_PARAM_set1_host(dest, id->host, id->hostlen))
-			return 0;
-		dest->id->hostflags = id->hostflags;
+		if (dest->id->hosts)
+			{
+			string_stack_free(dest->id->hosts);
+			dest->id->hosts = NULL;
+			}
+		if (id->hosts)
+			{
+			dest->id->hosts =
+			    sk_OPENSSL_STRING_deep_copy(id->hosts,
+							str_copy, str_free);
+			if (dest->id->hosts == NULL)
+				return 0;
+			dest->id->hostflags = id->hostflags;
+			}
 		}
 
 	if (test_x509_verify_param_copy_id(email, NULL))
@@ -265,16 +337,16 @@ int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
 	return ret;
 	}
 
-static int int_x509_param_set1(unsigned char **pdest, size_t *pdestlen,
-				const unsigned char *src, size_t srclen)
+static int int_x509_param_set1(char **pdest, size_t *pdestlen,
+				const char *src, size_t srclen)
 	{
 	void *tmp;
 	if (src)
 		{
 		if (srclen == 0)
 			{
-			tmp = BUF_strdup((char *)src);
-			srclen = strlen((char *)src);
+			tmp = BUF_strdup(src);
+			srclen = strlen(src);
 			}
 		else
 			tmp = BUF_memdup(src, srclen);
@@ -394,10 +466,15 @@ int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
 	}
 
 int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
-				const unsigned char *name, size_t namelen)
+				const char *name, size_t namelen)
+	{
+	return int_x509_param_set_hosts(param->id, SET_HOST, name, namelen);
+	}
+
+int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,
+				const char *name, size_t namelen)
 	{
-	return int_x509_param_set1(&param->id->host, &param->id->hostlen,
-					name, namelen);
+	return int_x509_param_set_hosts(param->id, ADD_HOST, name, namelen);
 	}
 
 void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
@@ -406,8 +483,13 @@ void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
 	param->id->hostflags = flags;
 	}
 
+char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param)
+	{
+	return param->id->peername;
+	}
+
 int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
-				const unsigned char *email, size_t emaillen)
+				const char *email, size_t emaillen)
 	{
 	return int_x509_param_set1(&param->id->email, &param->id->emaillen,
 					email, emaillen);
@@ -418,17 +500,19 @@ int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param,
 	{
 	if (iplen != 0 && iplen != 4 && iplen != 16)
 		return 0;
-	return int_x509_param_set1(&param->id->ip, &param->id->iplen, ip, iplen);
+	return int_x509_param_set1((char **)&param->id->ip, &param->id->iplen,
+				   (char *)ip, iplen);
 	}
 
 int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc)
 	{
 	unsigned char ipout[16];
-	int iplen;
-	iplen = a2i_ipadd(ipout, ipasc);
+	size_t iplen;
+
+	iplen = (size_t) a2i_ipadd(ipout, ipasc);
 	if (iplen == 0)
 		return 0;
-	return X509_VERIFY_PARAM_set1_ip(param, ipout, (size_t)iplen);
+	return X509_VERIFY_PARAM_set1_ip(param, ipout, iplen);
 	}
 
 int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param)
@@ -441,7 +525,7 @@ const char *X509_VERIFY_PARAM_get0_name(const X509_VERIFY_PARAM *param)
 	return param->name;
 	}
 
-static const X509_VERIFY_PARAM_ID _empty_id = {NULL, 0, 0U, NULL, 0, NULL, 0};
+static const X509_VERIFY_PARAM_ID _empty_id = {NULL, 0U, NULL, NULL, 0, NULL, 0};
 
 #define vpm_empty_id (X509_VERIFY_PARAM_ID *)&_empty_id
 
diff --git a/src/crypto/x509/x_crl.c b/src/crypto/x509/x_crl.c
index bb23b57..aa92fa9 100644
--- a/src/crypto/x509/x_crl.c
+++ b/src/crypto/x509/x_crl.c
@@ -61,6 +61,7 @@
 #include <openssl/mem.h>
 #include <openssl/obj.h>
 #include <openssl/stack.h>
+#include <openssl/thread.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
diff --git a/src/crypto/x509/x_info.c b/src/crypto/x509/x_info.c
index 8047c71..6807b24 100644
--- a/src/crypto/x509/x_info.c
+++ b/src/crypto/x509/x_info.c
@@ -59,6 +59,7 @@
 #include <openssl/asn1.h>
 #include <openssl/err.h>
 #include <openssl/mem.h>
+#include <openssl/thread.h>
 
 
 X509_INFO *X509_INFO_new(void)
diff --git a/src/crypto/x509/x_name.c b/src/crypto/x509/x_name.c
index 211f68f..5cfb3ae 100644
--- a/src/crypto/x509/x_name.c
+++ b/src/crypto/x509/x_name.c
@@ -175,6 +175,16 @@ static void x509_name_ex_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
 	*pval = NULL;
 }
 
+static void local_sk_X509_NAME_ENTRY_free(STACK_OF(X509_NAME_ENTRY) *ne)
+{
+	sk_X509_NAME_ENTRY_free(ne);
+}
+
+static void local_sk_X509_NAME_ENTRY_pop_free(STACK_OF(X509_NAME_ENTRY) *ne)
+{
+	sk_X509_NAME_ENTRY_pop_free(ne, X509_NAME_ENTRY_free);
+}
+
 static int x509_name_ex_d2i(ASN1_VALUE **val,
 			const unsigned char **in, long len, const ASN1_ITEM *it,
 				int tag, int aclass, char opt, ASN1_TLC *ctx)
@@ -197,9 +207,14 @@ static int x509_name_ex_d2i(ASN1_VALUE **val,
 	if(ret <= 0) return ret;
 
 	if(*val) x509_name_ex_free(val, NULL);
-	if(!x509_name_ex_new(&nm.a, NULL)) goto err;
 	/* We've decoded it: now cache encoding */
-	if(!BUF_MEM_grow(nm.x->bytes, p - q)) goto err;
+	if (!x509_name_ex_new(&nm.a, NULL) ||
+		!BUF_MEM_grow(nm.x->bytes, p - q))
+		{
+		sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname.s,
+			local_sk_X509_NAME_ENTRY_pop_free);
+		goto err;
+		}
 	memcpy(nm.x->bytes->data, q, p - q);
 
 	/* Convert internal representation to X509_NAME structure */
@@ -248,16 +263,6 @@ static int x509_name_ex_i2d(ASN1_VALUE **val, unsigned char **out, const ASN1_IT
 	return ret;
 }
 
-static void local_sk_X509_NAME_ENTRY_free(STACK_OF(X509_NAME_ENTRY) *ne)
-	{
-	sk_X509_NAME_ENTRY_free(ne);
-	}
-
-static void local_sk_X509_NAME_ENTRY_pop_free(STACK_OF(X509_NAME_ENTRY) *ne)
-	{
-	sk_X509_NAME_ENTRY_pop_free(ne, X509_NAME_ENTRY_free);
-	}
-
 static int x509_name_encode(X509_NAME *a)
 {
 	union { STACK_OF(STACK_OF_X509_NAME_ENTRY) *s;
diff --git a/src/crypto/x509/x_pkey.c b/src/crypto/x509/x_pkey.c
index 550078b..5acbe5b 100644
--- a/src/crypto/x509/x_pkey.c
+++ b/src/crypto/x509/x_pkey.c
@@ -59,8 +59,9 @@
 #include <string.h>
 
 #include <openssl/asn1.h>
-#include <openssl/mem.h>
 #include <openssl/err.h>
+#include <openssl/mem.h>
+#include <openssl/thread.h>
 
 
 X509_PKEY *X509_PKEY_new(void)
diff --git a/src/crypto/x509/x_pubkey.c b/src/crypto/x509/x_pubkey.c
index c285aa6..d6512ae 100644
--- a/src/crypto/x509/x_pubkey.c
+++ b/src/crypto/x509/x_pubkey.c
@@ -60,6 +60,7 @@
 #include <openssl/evp.h>
 #include <openssl/mem.h>
 #include <openssl/obj.h>
+#include <openssl/thread.h>
 #include <openssl/x509.h>
 
 #include "../evp/internal.h"
@@ -133,7 +134,7 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
 
 	if (key->pkey != NULL)
 		{
-		return EVP_PKEY_dup(key->pkey);
+		return EVP_PKEY_up_ref(key->pkey);
 		}
 
 	if (key->public_key == NULL) goto error;
@@ -178,7 +179,7 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
 		CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
 		}
 
-	return EVP_PKEY_dup(ret);
+	return EVP_PKEY_up_ref(ret);
 
 	error:
 	if (ret != NULL)
diff --git a/src/crypto/x509/x_x509.c b/src/crypto/x509/x_x509.c
index 5cda3c7..234494d 100644
--- a/src/crypto/x509/x_x509.c
+++ b/src/crypto/x509/x_x509.c
@@ -65,6 +65,10 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+#include "../internal.h"
+
+
+static CRYPTO_EX_DATA_CLASS g_ex_data_class = CRYPTO_EX_DATA_CLASS_INIT;
 
 ASN1_SEQUENCE_enc(X509_CINF, enc, 0) = {
 	ASN1_EXP_OPT(X509_CINF, version, ASN1_INTEGER, 0),
@@ -100,7 +104,7 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
 		ret->akid = NULL;
 		ret->aux = NULL;
 		ret->crldp = NULL;
-		CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data);
+		CRYPTO_new_ex_data(&g_ex_data_class, ret, &ret->ex_data);
 		break;
 
 		case ASN1_OP_D2I_POST:
@@ -109,7 +113,7 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
 		break;
 
 		case ASN1_OP_FREE_POST:
-		CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data);
+		CRYPTO_free_ex_data(&g_ex_data_class, ret, &ret->ex_data);
 		X509_CERT_AUX_free(ret->aux);
 		ASN1_OCTET_STRING_free(ret->skid);
 		AUTHORITY_KEYID_free(ret->akid);
@@ -145,8 +149,13 @@ X509 *X509_up_ref(X509 *x)
 int X509_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
 	     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
         {
-	return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509, argl, argp,
-				new_func, dup_func, free_func);
+	int index;
+	if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp,
+			new_func, dup_func, free_func))
+		{
+		return -1;
+		}
+	return index;
         }
 
 int X509_set_ex_data(X509 *r, int idx, void *arg)
@@ -171,8 +180,13 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length)
 {
 	const unsigned char *q;
 	X509 *ret;
+	int freeret = 0;
+
 	/* Save start position */
 	q = *pp;
+
+	if (!a || *a == NULL)
+		freeret = 1;
 	ret = d2i_X509(a, pp, length);
 	/* If certificate unreadable then forget it */
 	if(!ret) return NULL;
@@ -182,7 +196,12 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length)
 	if(!d2i_X509_CERT_AUX(&ret->aux, pp, length)) goto err;
 	return ret;
 	err:
-	X509_free(ret);
+	if (freeret)
+		{
+		X509_free(ret);
+		if (a)
+			*a = NULL;
+		}
 	return NULL;
 }
 
diff --git a/src/crypto/x509v3/CMakeLists.txt b/src/crypto/x509v3/CMakeLists.txt
index 26de0ed..ffa5a4a 100644
--- a/src/crypto/x509v3/CMakeLists.txt
+++ b/src/crypto/x509v3/CMakeLists.txt
@@ -41,7 +41,6 @@ add_library(
   v3_skey.c
   v3_sxnet.c
   v3_utl.c
-  x509v3_error.c
 )
 
 add_executable(
@@ -50,11 +49,12 @@ add_executable(
   v3nametest.c
 )
 
+target_link_libraries(v3name_test crypto)
+
 add_executable(
   tab_test
 
   tabtest.c
 )
 
-target_link_libraries(v3name_test crypto)
 target_link_libraries(tab_test crypto)
diff --git a/src/crypto/x509v3/tabtest.c b/src/crypto/x509v3/tabtest.c
index 26ecc6c..6b97e91 100644
--- a/src/crypto/x509v3/tabtest.c
+++ b/src/crypto/x509v3/tabtest.c
@@ -62,13 +62,17 @@
 
 #include <stdio.h>
 
+#include <openssl/base.h>
 #include <openssl/crypto.h>
 #include <openssl/x509v3.h>
 
+#if !defined(BORINGSSL_SHARED_LIBRARY)
 #include "ext_dat.h"
+#endif
 
 int main(void)
 {
+#if !defined(BORINGSSL_SHARED_LIBRARY)
 	int i, prev = -1, bad = 0;
 	const X509V3_EXT_METHOD *const *tmp;
         CRYPTO_library_init();
@@ -91,4 +95,9 @@ int main(void)
 		printf("PASS\n");
 		return 0;
 	}
+#else
+	/* TODO(davidben): Fix this test in the shared library build. */
+	printf("PASS\n");
+	return 0;
+#endif
 }
diff --git a/src/crypto/x509v3/v3_alt.c b/src/crypto/x509v3/v3_alt.c
index 113cf45..f547316 100644
--- a/src/crypto/x509v3/v3_alt.c
+++ b/src/crypto/x509v3/v3_alt.c
@@ -583,6 +583,8 @@ static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx)
 		return 0;
 	objlen = p - value;
 	objtmp = OPENSSL_malloc(objlen + 1);
+	if (objtmp == NULL)
+		return 0;
 	strncpy(objtmp, value, objlen);
 	objtmp[objlen] = 0;
 	gen->d.otherName->type_id = OBJ_txt2obj(objtmp, 0);
diff --git a/src/crypto/x509v3/v3_conf.c b/src/crypto/x509v3/v3_conf.c
index 7606ac1..cb6569f 100644
--- a/src/crypto/x509v3/v3_conf.c
+++ b/src/crypto/x509v3/v3_conf.c
@@ -67,6 +67,8 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+#include "../internal.h"
+
 
 static int v3_check_critical(char **value);
 static int v3_check_generic(char **value);
@@ -260,6 +262,7 @@ static int v3_check_generic(char **value)
 static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
 					    int crit, int gen_type,
 					    X509V3_CTX *ctx)
+        OPENSSL_SUPPRESS_POTENTIALLY_UNINITIALIZED_WARNINGS
 	{
 	unsigned char *ext_der=NULL;
 	long ext_len;
@@ -454,76 +457,3 @@ void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subj, X509_REQ *req,
 	ctx->flags = flags;
 	}
 
-/* TODO(fork): remove */
-#if 0
-/* Old conf compatibility functions */
-
-X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
-				char *name, char *value)
-	{
-	CONF ctmp;
-	CONF_set_nconf(&ctmp, conf);
-	return X509V3_EXT_nconf(&ctmp, ctx, name, value);
-	}
-
-/* LHASH *conf:  Config file    */
-/* char *value:  Value    */
-X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
-				    int ext_nid, char *value)
-	{
-	CONF ctmp;
-	CONF_set_nconf(&ctmp, conf);
-	return X509V3_EXT_nconf_nid(&ctmp, ctx, ext_nid, value);
-	}
-
-static char *conf_lhash_get_string(void *db, char *section, char *value)
-	{
-	return CONF_get_string(db, section, value);
-	}
-
-static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section)
-	{
-	return CONF_get_section(db, section);
-	}
-
-static const X509V3_CONF_METHOD conf_lhash_method = {
-conf_lhash_get_string,
-conf_lhash_get_section,
-NULL,
-NULL
-};
-
-void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash)
-	{
-	ctx->db_meth = &conf_lhash_method;
-	ctx->db = lhash;
-	}
-
-int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
-			char *section, X509 *cert)
-	{
-	CONF ctmp;
-	CONF_set_nconf(&ctmp, conf);
-	return X509V3_EXT_add_nconf(&ctmp, ctx, section, cert);
-	}
-
-/* Same as above but for a CRL */
-
-int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
-			    char *section, X509_CRL *crl)
-	{
-	CONF ctmp;
-	CONF_set_nconf(&ctmp, conf);
-	return X509V3_EXT_CRL_add_nconf(&ctmp, ctx, section, crl);
-	}
-
-/* Add extensions to certificate request */
-
-int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
-			    char *section, X509_REQ *req)
-	{
-	CONF ctmp;
-	CONF_set_nconf(&ctmp, conf);
-	return X509V3_EXT_REQ_add_nconf(&ctmp, ctx, section, req);
-	}
-#endif
diff --git a/src/crypto/x509v3/v3_cpols.c b/src/crypto/x509v3/v3_cpols.c
index d5a8c3c..cbe596b 100644
--- a/src/crypto/x509v3/v3_cpols.c
+++ b/src/crypto/x509v3/v3_cpols.c
@@ -228,7 +228,14 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx,
 								 goto merr;
                         /* TODO(fork): const correctness */
 			qual->pqualid = (ASN1_OBJECT*) OBJ_nid2obj(NID_id_qt_cps);
+			if (qual->pqualid == NULL) {
+				OPENSSL_PUT_ERROR(X509V3, policy_section, ERR_R_INTERNAL_ERROR);
+				goto err;
+			}
 			qual->d.cpsuri = M_ASN1_IA5STRING_new();
+			if (qual->d.cpsuri == NULL) {
+				goto err;
+			}
 			if(!ASN1_STRING_set(qual->d.cpsuri, cnf->value,
 						 strlen(cnf->value))) goto merr;
 		} else if(!name_cmp(cnf->name, "userNotice")) {
@@ -287,12 +294,19 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
 	if(!(qual = POLICYQUALINFO_new())) goto merr;
         /* TODO(fork): const correctness */
 	qual->pqualid = (ASN1_OBJECT *) OBJ_nid2obj(NID_id_qt_unotice);
+	if (qual->pqualid == NULL)
+		{
+		OPENSSL_PUT_ERROR(X509V3, notice_section, ERR_R_INTERNAL_ERROR);
+		goto err;
+		}
 	if(!(not = USERNOTICE_new())) goto merr;
 	qual->d.usernotice = not;
 	for(i = 0; i < sk_CONF_VALUE_num(unot); i++) {
 		cnf = sk_CONF_VALUE_value(unot, i);
 		if(!strcmp(cnf->name, "explicitText")) {
 			not->exptext = M_ASN1_VISIBLESTRING_new();
+			if (not->exptext == NULL)
+				goto merr;
 			if(!ASN1_STRING_set(not->exptext, cnf->value,
 						 strlen(cnf->value))) goto merr;
 		} else if(!strcmp(cnf->name, "organization")) {
diff --git a/src/crypto/x509v3/v3_purp.c b/src/crypto/x509v3/v3_purp.c
index 6daf632..3f175c9 100644
--- a/src/crypto/x509v3/v3_purp.c
+++ b/src/crypto/x509v3/v3_purp.c
@@ -63,6 +63,7 @@
 #include <openssl/digest.h>
 #include <openssl/mem.h>
 #include <openssl/obj.h>
+#include <openssl/thread.h>
 #include <openssl/x509_vfy.h>
 #include <openssl/x509v3.h>
 
@@ -200,7 +201,7 @@ int X509_PURPOSE_add(int id, int trust, int flags,
 	name_dup = BUF_strdup(name);
 	sname_dup = BUF_strdup(sname);
 	if (name_dup == NULL || sname_dup == NULL) {
-		OPENSSL_PUT_ERROR(X509, X509_TRUST_add, ERR_R_MALLOC_FAILURE);
+		OPENSSL_PUT_ERROR(X509V3, X509_PURPOSE_add, ERR_R_MALLOC_FAILURE);
 		if (name_dup != NULL)
 			OPENSSL_free(name_dup);
 		if (sname_dup != NULL)
diff --git a/src/crypto/x509v3/v3_utl.c b/src/crypto/x509v3/v3_utl.c
index d081c1c..27a91ff 100644
--- a/src/crypto/x509v3/v3_utl.c
+++ b/src/crypto/x509v3/v3_utl.c
@@ -262,6 +262,8 @@ STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line)
 	int state;
 	/* We are going to modify the line so copy it first */
 	linebuf = BUF_strdup(line);
+	if (linebuf == NULL)
+		goto err;
 	state = HDR_NAME;
 	ntmp = NULL;
 	/* Go through all characters */
@@ -850,9 +852,11 @@ static int equal_wildcard(const unsigned char *pattern, size_t pattern_len,
  */
 
 static int do_check_string(ASN1_STRING *a, int cmp_type, equal_fn equal,
-				unsigned int flags,
-				const unsigned char *b, size_t blen)
+				unsigned int flags, const char *b, size_t blen,
+				char **peername)
 	{
+	int rv = 0;
+
 	if (!a->data || !a->length)
 		return 0;
 	if (cmp_type > 0)
@@ -860,27 +864,31 @@ static int do_check_string(ASN1_STRING *a, int cmp_type, equal_fn equal,
 		if (cmp_type != a->type)
 			return 0;
 		if (cmp_type == V_ASN1_IA5STRING)
-			return equal(a->data, a->length, b, blen, flags);
-		if (a->length == (int)blen && !memcmp(a->data, b, blen))
-			return 1;
-		else
-			return 0;
+			rv = equal(a->data, a->length,
+				   (unsigned char *)b, blen, flags);
+		else if (a->length == (int)blen && !memcmp(a->data, b, blen))
+			rv = 1;
+		if (rv > 0 && peername)
+			*peername = BUF_strndup((char *)a->data, a->length);
 		}
 	else
 		{
-		int astrlen, rv;
+		int astrlen;
 		unsigned char *astr;
 		astrlen = ASN1_STRING_to_UTF8(&astr, a);
 		if (astrlen < 0)
 			return -1;
-		rv = equal(astr, astrlen, b, blen, flags);
+		rv = equal(astr, astrlen, (unsigned char *)b, blen, flags);
 		OPENSSL_free(astr);
-		return rv;
+		if (rv > 0 && peername)
+			*peername = BUF_strndup((char *)astr, astrlen);
 		}
+	return rv;
 	}
 
-static int do_x509_check(X509 *x, const unsigned char *chk, size_t chklen,
-					unsigned int flags, int check_type)
+static int do_x509_check(X509 *x, const char *chk, size_t chklen,
+					unsigned int flags, int check_type,
+					char **peername)
 	{
 	GENERAL_NAMES *gens = NULL;
 	X509_NAME *name = NULL;
@@ -889,6 +897,7 @@ static int do_x509_check(X509 *x, const unsigned char *chk, size_t chklen,
 	int cnid;
 	int alt_type;
 	int san_present = 0;
+	int rv = 0;
 	equal_fn equal;
 
 	/* See below, this flag is internal-only */
@@ -918,13 +927,9 @@ static int do_x509_check(X509 *x, const unsigned char *chk, size_t chklen,
 		equal = equal_case;
 		}
 
-	if (chklen == 0)
-		chklen = strlen((const char *)chk);
-
 	gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
 	if (gens)
 		{
-		int rv = 0;
 		for (i = 0; i < sk_GENERAL_NAME_num(gens); i++)
 			{
 			GENERAL_NAME *gen;
@@ -939,16 +944,14 @@ static int do_x509_check(X509 *x, const unsigned char *chk, size_t chklen,
 				cstr = gen->d.dNSName;
 			else
 				cstr = gen->d.iPAddress;
-			if (do_check_string(cstr, alt_type, equal, flags,
-					    chk, chklen))
-				{
-				rv = 1;
+			/* Positive on success, negative on error! */
+			if ((rv = do_check_string(cstr, alt_type, equal, flags,
+						  chk, chklen, peername)) != 0)
 				break;
-				}
 			}
 		GENERAL_NAMES_free(gens);
-		if (rv)
-			return 1;
+		if (rv != 0)
+			return rv;
 		if (!cnid
 		    || (san_present
 		        && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT)))
@@ -962,38 +965,53 @@ static int do_x509_check(X509 *x, const unsigned char *chk, size_t chklen,
 		ASN1_STRING *str;
 		ne = X509_NAME_get_entry(name, j);
 		str = X509_NAME_ENTRY_get_data(ne);
-		if (do_check_string(str, -1, equal, flags, chk, chklen))
-			return 1;
+		/* Positive on success, negative on error! */
+		if ((rv = do_check_string(str, -1, equal, flags,
+					  chk, chklen, peername)) != 0)
+			return rv;
 		}
 	return 0;
 	}
 
-int X509_check_host(X509 *x, const unsigned char *chk, size_t chklen,
-					unsigned int flags)
+int X509_check_host(X509 *x, const char *chk, size_t chklen,
+			unsigned int flags, char **peername)
 	{
-	return do_x509_check(x, chk, chklen, flags, GEN_DNS);
+	if (chk == NULL)
+		return -2;
+	if (memchr(chk, '\0', chklen))
+		return -2;
+	return do_x509_check(x, chk, chklen, flags, GEN_DNS, peername);
 	}
 
-int X509_check_email(X509 *x, const unsigned char *chk, size_t chklen,
-					unsigned int flags)
+int X509_check_email(X509 *x, const char *chk, size_t chklen,
+			unsigned int flags)
 	{
-	return do_x509_check(x, chk, chklen, flags, GEN_EMAIL);
+	if (chk == NULL)
+		return -2;
+	if (memchr(chk, '\0', chklen))
+		return -2;
+	return do_x509_check(x, chk, chklen, flags, GEN_EMAIL, NULL);
 	}
 
 int X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen,
 					unsigned int flags)
 	{
-	return do_x509_check(x, chk, chklen, flags, GEN_IPADD);
+	if (chk == NULL)
+		return -2;
+	return do_x509_check(x, (char *)chk, chklen, flags, GEN_IPADD, NULL);
 	}
 
 int X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags)
 	{
 	unsigned char ipout[16];
-	int iplen;
-	iplen = a2i_ipadd(ipout, ipasc);
+	size_t iplen;
+
+	if (ipasc == NULL)
+		return -2;
+	iplen = (size_t) a2i_ipadd(ipout, ipasc);
 	if (iplen == 0)
 		return -2;
-	return do_x509_check(x, ipout, (size_t)iplen, flags, GEN_IPADD);
+	return do_x509_check(x, (char *)ipout, iplen, flags, GEN_IPADD, NULL);
 	}
 
 /* Convert IP addresses both IPv4 and IPv6 into an 
diff --git a/src/crypto/x509v3/v3nametest.c b/src/crypto/x509v3/v3nametest.c
index b2e9c09..a3197e6 100644
--- a/src/crypto/x509v3/v3nametest.c
+++ b/src/crypto/x509v3/v3nametest.c
@@ -52,6 +52,7 @@
  * (eay@cryptsoft.com).  This product includes software written by Tim
  * Hudson (tjh@cryptsoft.com). */
 
+#include <stdarg.h>
 #include <string.h>
 
 #include <openssl/crypto.h>
@@ -332,8 +333,7 @@ static void run_cert(X509 *crt, const char *nameincert,
 		int match, ret;
 		memcpy(name, *pname, namelen);
 
-		ret = X509_check_host(crt, (const unsigned char *)name,
-				      namelen, 0);
+		ret = X509_check_host(crt, name, namelen, 0, NULL);
 		match = -1;
 		if (ret < 0)
 			{
@@ -351,8 +351,8 @@ static void run_cert(X509 *crt, const char *nameincert,
 			match = 1;
 		check_message(fn, "host", nameincert, match, *pname);
 
-		ret = X509_check_host(crt, (const unsigned char *)name,
-				      namelen, X509_CHECK_FLAG_NO_WILDCARDS);
+		ret = X509_check_host(crt, name, namelen,
+				      X509_CHECK_FLAG_NO_WILDCARDS, NULL);
 		match = -1;
 		if (ret < 0)
 			{
@@ -371,8 +371,7 @@ static void run_cert(X509 *crt, const char *nameincert,
 		check_message(fn, "host-no-wildcards",
 			      nameincert, match, *pname);
 
-		ret = X509_check_email(crt, (const unsigned char *)name,
-				       namelen, 0);
+		ret = X509_check_email(crt, name, namelen, 0);
 		match = -1;
 		if (fn->email)
 			{
diff --git a/src/crypto/x509v3/x509v3_error.c b/src/crypto/x509v3/x509v3_error.c
deleted file mode 100644
index 9fbca5f..0000000
--- a/src/crypto/x509v3/x509v3_error.c
+++ /dev/null
@@ -1,147 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/x509v3.h>
-
-const ERR_STRING_DATA X509V3_error_string_data[] = {
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_SXNET_add_id_INTEGER, 0), "SXNET_add_id_INTEGER"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_SXNET_add_id_asc, 0), "SXNET_add_id_asc"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_SXNET_add_id_ulong, 0), "SXNET_add_id_ulong"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_SXNET_get_id_asc, 0), "SXNET_get_id_asc"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_SXNET_get_id_ulong, 0), "SXNET_get_id_ulong"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_EXT_add, 0), "X509V3_EXT_add"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_EXT_add_alias, 0), "X509V3_EXT_add_alias"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_EXT_free, 0), "X509V3_EXT_free"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_EXT_i2d, 0), "X509V3_EXT_i2d"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_EXT_nconf, 0), "X509V3_EXT_nconf"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_add1_i2d, 0), "X509V3_add1_i2d"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_add_value, 0), "X509V3_add_value"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_get_section, 0), "X509V3_get_section"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_get_string, 0), "X509V3_get_string"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_get_value_bool, 0), "X509V3_get_value_bool"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_parse_list, 0), "X509V3_parse_list"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509_PURPOSE_add, 0), "X509_PURPOSE_add"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509_PURPOSE_set, 0), "X509_PURPOSE_set"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_a2i_GENERAL_NAME, 0), "a2i_GENERAL_NAME"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_copy_email, 0), "copy_email"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_copy_issuer, 0), "copy_issuer"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_do_dirname, 0), "do_dirname"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_do_ext_i2d, 0), "do_ext_i2d"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_do_ext_nconf, 0), "do_ext_nconf"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_gnames_from_sectname, 0), "gnames_from_sectname"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_hex_to_string, 0), "hex_to_string"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_i2s_ASN1_ENUMERATED, 0), "i2s_ASN1_ENUMERATED"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_i2s_ASN1_IA5STRING, 0), "i2s_ASN1_IA5STRING"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_i2s_ASN1_INTEGER, 0), "i2s_ASN1_INTEGER"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_i2v_AUTHORITY_INFO_ACCESS, 0), "i2v_AUTHORITY_INFO_ACCESS"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_notice_section, 0), "notice_section"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_nref_nos, 0), "nref_nos"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_policy_section, 0), "policy_section"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_process_pci_value, 0), "process_pci_value"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_r2i_certpol, 0), "r2i_certpol"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_r2i_pci, 0), "r2i_pci"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_s2i_ASN1_IA5STRING, 0), "s2i_ASN1_IA5STRING"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_s2i_ASN1_INTEGER, 0), "s2i_ASN1_INTEGER"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_s2i_ASN1_OCTET_STRING, 0), "s2i_ASN1_OCTET_STRING"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_s2i_skey_id, 0), "s2i_skey_id"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_set_dist_point_name, 0), "set_dist_point_name"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_string_to_hex, 0), "string_to_hex"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_v2i_ASN1_BIT_STRING, 0), "v2i_ASN1_BIT_STRING"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_v2i_AUTHORITY_INFO_ACCESS, 0), "v2i_AUTHORITY_INFO_ACCESS"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_v2i_AUTHORITY_KEYID, 0), "v2i_AUTHORITY_KEYID"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_v2i_BASIC_CONSTRAINTS, 0), "v2i_BASIC_CONSTRAINTS"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_v2i_EXTENDED_KEY_USAGE, 0), "v2i_EXTENDED_KEY_USAGE"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_v2i_GENERAL_NAMES, 0), "v2i_GENERAL_NAMES"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_v2i_GENERAL_NAME_ex, 0), "v2i_GENERAL_NAME_ex"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_v2i_NAME_CONSTRAINTS, 0), "v2i_NAME_CONSTRAINTS"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_v2i_POLICY_CONSTRAINTS, 0), "v2i_POLICY_CONSTRAINTS"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_v2i_POLICY_MAPPINGS, 0), "v2i_POLICY_MAPPINGS"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_v2i_crld, 0), "v2i_crld"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_v2i_idp, 0), "v2i_idp"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_v2i_issuer_alt, 0), "v2i_issuer_alt"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_v2i_subject_alt, 0), "v2i_subject_alt"},
-  {ERR_PACK(ERR_LIB_X509V3, X509V3_F_v3_generic_extension, 0), "v3_generic_extension"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BAD_IP_ADDRESS), "BAD_IP_ADDRESS"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BAD_OBJECT), "BAD_OBJECT"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BN_DEC2BN_ERROR), "BN_DEC2BN_ERROR"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BN_TO_ASN1_INTEGER_ERROR), "BN_TO_ASN1_INTEGER_ERROR"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_CANNOT_FIND_FREE_FUNCTION), "CANNOT_FIND_FREE_FUNCTION"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_DIRNAME_ERROR), "DIRNAME_ERROR"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_DISTPOINT_ALREADY_SET), "DISTPOINT_ALREADY_SET"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_DUPLICATE_ZONE_ID), "DUPLICATE_ZONE_ID"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_ERROR_CONVERTING_ZONE), "ERROR_CONVERTING_ZONE"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_ERROR_CREATING_EXTENSION), "ERROR_CREATING_EXTENSION"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_ERROR_IN_EXTENSION), "ERROR_IN_EXTENSION"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_EXPECTED_A_SECTION_NAME), "EXPECTED_A_SECTION_NAME"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_EXTENSION_EXISTS), "EXTENSION_EXISTS"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_EXTENSION_NAME_ERROR), "EXTENSION_NAME_ERROR"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_EXTENSION_NOT_FOUND), "EXTENSION_NOT_FOUND"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED), "EXTENSION_SETTING_NOT_SUPPORTED"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_EXTENSION_VALUE_ERROR), "EXTENSION_VALUE_ERROR"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_ILLEGAL_EMPTY_EXTENSION), "ILLEGAL_EMPTY_EXTENSION"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_ILLEGAL_HEX_DIGIT), "ILLEGAL_HEX_DIGIT"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INCORRECT_POLICY_SYNTAX_TAG), "INCORRECT_POLICY_SYNTAX_TAG"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_ASNUMBER), "INVALID_ASNUMBER"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_ASRANGE), "INVALID_ASRANGE"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_BOOLEAN_STRING), "INVALID_BOOLEAN_STRING"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_EXTENSION_STRING), "INVALID_EXTENSION_STRING"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_INHERITANCE), "INVALID_INHERITANCE"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_IPADDRESS), "INVALID_IPADDRESS"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_MULTIPLE_RDNS), "INVALID_MULTIPLE_RDNS"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_NAME), "INVALID_NAME"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_NULL_ARGUMENT), "INVALID_NULL_ARGUMENT"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_NULL_NAME), "INVALID_NULL_NAME"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_NULL_VALUE), "INVALID_NULL_VALUE"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_NUMBER), "INVALID_NUMBER"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_NUMBERS), "INVALID_NUMBERS"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_OBJECT_IDENTIFIER), "INVALID_OBJECT_IDENTIFIER"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_OPTION), "INVALID_OPTION"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_POLICY_IDENTIFIER), "INVALID_POLICY_IDENTIFIER"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_PROXY_POLICY_SETTING), "INVALID_PROXY_POLICY_SETTING"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_PURPOSE), "INVALID_PURPOSE"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_SAFI), "INVALID_SAFI"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_SECTION), "INVALID_SECTION"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_SYNTAX), "INVALID_SYNTAX"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_ISSUER_DECODE_ERROR), "ISSUER_DECODE_ERROR"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_MISSING_VALUE), "MISSING_VALUE"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_NEED_ORGANIZATION_AND_NUMBERS), "NEED_ORGANIZATION_AND_NUMBERS"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_NO_CONFIG_DATABASE), "NO_CONFIG_DATABASE"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_NO_ISSUER_CERTIFICATE), "NO_ISSUER_CERTIFICATE"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_NO_ISSUER_DETAILS), "NO_ISSUER_DETAILS"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_NO_POLICY_IDENTIFIER), "NO_POLICY_IDENTIFIER"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED), "NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_NO_PUBLIC_KEY), "NO_PUBLIC_KEY"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_NO_SUBJECT_DETAILS), "NO_SUBJECT_DETAILS"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_ODD_NUMBER_OF_DIGITS), "ODD_NUMBER_OF_DIGITS"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_OPERATION_NOT_DEFINED), "OPERATION_NOT_DEFINED"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_OTHERNAME_ERROR), "OTHERNAME_ERROR"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED), "POLICY_LANGUAGE_ALREADY_DEFINED"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_POLICY_PATH_LENGTH), "POLICY_PATH_LENGTH"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED), "POLICY_PATH_LENGTH_ALREADY_DEFINED"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED), "POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY), "POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_SECTION_NOT_FOUND), "SECTION_NOT_FOUND"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS), "UNABLE_TO_GET_ISSUER_DETAILS"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNABLE_TO_GET_ISSUER_KEYID), "UNABLE_TO_GET_ISSUER_KEYID"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT), "UNKNOWN_BIT_STRING_ARGUMENT"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNKNOWN_EXTENSION), "UNKNOWN_EXTENSION"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNKNOWN_EXTENSION_NAME), "UNKNOWN_EXTENSION_NAME"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNKNOWN_OPTION), "UNKNOWN_OPTION"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNSUPPORTED_OPTION), "UNSUPPORTED_OPTION"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNSUPPORTED_TYPE), "UNSUPPORTED_TYPE"},
-  {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_USER_TOO_LONG), "USER_TOO_LONG"},
-  {0, NULL},
-};
diff --git a/src/decrepit/CMakeLists.txt b/src/decrepit/CMakeLists.txt
new file mode 100644
index 0000000..b43fea7
--- /dev/null
+++ b/src/decrepit/CMakeLists.txt
@@ -0,0 +1,9 @@
+add_subdirectory(cast)
+add_subdirectory(blowfish)
+
+add_library(
+  decrepit
+
+  $<TARGET_OBJECTS:cast>
+  $<TARGET_OBJECTS:blowfish>
+)
diff --git a/src/decrepit/blowfish/CMakeLists.txt b/src/decrepit/blowfish/CMakeLists.txt
new file mode 100644
index 0000000..afaf641
--- /dev/null
+++ b/src/decrepit/blowfish/CMakeLists.txt
@@ -0,0 +1,9 @@
+include_directories(. ../../include)
+
+add_library(
+  blowfish
+
+  OBJECT
+
+  blowfish.c
+)
diff --git a/src/decrepit/blowfish/blowfish.c b/src/decrepit/blowfish/blowfish.c
new file mode 100644
index 0000000..e277f34
--- /dev/null
+++ b/src/decrepit/blowfish/blowfish.c
@@ -0,0 +1,493 @@
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.] */
+
+#include <openssl/blowfish.h>
+
+#include <string.h>
+
+#include "../macros.h"
+
+
+#define BF_ENC(LL, R, S, P)                                               \
+  (LL ^= P,                                                               \
+   LL ^=                                                                  \
+   (((S[((int)(R >> 24) & 0xff)] + S[0x0100 + ((int)(R >> 16) & 0xff)]) ^ \
+     S[0x0200 + ((int)(R >> 8) & 0xff)]) +                                \
+    S[0x0300 + ((int)(R)&0xff)]) &                                        \
+   0xffffffffL)
+
+void BF_encrypt(uint32_t *data, const BF_KEY *key) {
+  uint32_t l, r;
+  const uint32_t *p, *s;
+
+  p = key->P;
+  s = &(key->S[0]);
+  l = data[0];
+  r = data[1];
+
+  l ^= p[0];
+  BF_ENC(r, l, s, p[1]);
+  BF_ENC(l, r, s, p[2]);
+  BF_ENC(r, l, s, p[3]);
+  BF_ENC(l, r, s, p[4]);
+  BF_ENC(r, l, s, p[5]);
+  BF_ENC(l, r, s, p[6]);
+  BF_ENC(r, l, s, p[7]);
+  BF_ENC(l, r, s, p[8]);
+  BF_ENC(r, l, s, p[9]);
+  BF_ENC(l, r, s, p[10]);
+  BF_ENC(r, l, s, p[11]);
+  BF_ENC(l, r, s, p[12]);
+  BF_ENC(r, l, s, p[13]);
+  BF_ENC(l, r, s, p[14]);
+  BF_ENC(r, l, s, p[15]);
+  BF_ENC(l, r, s, p[16]);
+  r ^= p[BF_ROUNDS + 1];
+
+  data[1] = l & 0xffffffffL;
+  data[0] = r & 0xffffffffL;
+}
+
+void BF_decrypt(uint32_t *data, const BF_KEY *key) {
+  uint32_t l, r;
+  const uint32_t *p, *s;
+
+  p = key->P;
+  s = &(key->S[0]);
+  l = data[0];
+  r = data[1];
+
+  l ^= p[BF_ROUNDS + 1];
+  BF_ENC(r, l, s, p[16]);
+  BF_ENC(l, r, s, p[15]);
+  BF_ENC(r, l, s, p[14]);
+  BF_ENC(l, r, s, p[13]);
+  BF_ENC(r, l, s, p[12]);
+  BF_ENC(l, r, s, p[11]);
+  BF_ENC(r, l, s, p[10]);
+  BF_ENC(l, r, s, p[9]);
+  BF_ENC(r, l, s, p[8]);
+  BF_ENC(l, r, s, p[7]);
+  BF_ENC(r, l, s, p[6]);
+  BF_ENC(l, r, s, p[5]);
+  BF_ENC(r, l, s, p[4]);
+  BF_ENC(l, r, s, p[3]);
+  BF_ENC(r, l, s, p[2]);
+  BF_ENC(l, r, s, p[1]);
+  r ^= p[0];
+
+  data[1] = l & 0xffffffffL;
+  data[0] = r & 0xffffffffL;
+}
+
+void BF_ecb_encrypt(const uint8_t *in, uint8_t *out,
+                    const BF_KEY *key, int encrypt) {
+  uint32_t d[2];
+
+  n2l(in, d[0]);
+  n2l(in, d[1]);
+  if (encrypt) {
+    BF_encrypt(d, key);
+  } else {
+    BF_decrypt(d, key);
+  }
+  l2n(d[0], out);
+  l2n(d[1], out);
+}
+
+void BF_cbc_encrypt(const uint8_t *in, uint8_t *out, long length,
+                    const BF_KEY *schedule, uint8_t *ivec, int encrypt) {
+  uint32_t tin0, tin1;
+  uint32_t tout0, tout1, xor0, xor1;
+  long l = length;
+  uint32_t tin[2];
+
+  if (encrypt) {
+    n2l(ivec, tout0);
+    n2l(ivec, tout1);
+    ivec -= 8;
+    for (l -= 8; l >= 0; l -= 8) {
+      n2l(in, tin0);
+      n2l(in, tin1);
+      tin0 ^= tout0;
+      tin1 ^= tout1;
+      tin[0] = tin0;
+      tin[1] = tin1;
+      BF_encrypt(tin, schedule);
+      tout0 = tin[0];
+      tout1 = tin[1];
+      l2n(tout0, out);
+      l2n(tout1, out);
+    }
+    if (l != -8) {
+      n2ln(in, tin0, tin1, l + 8);
+      tin0 ^= tout0;
+      tin1 ^= tout1;
+      tin[0] = tin0;
+      tin[1] = tin1;
+      BF_encrypt(tin, schedule);
+      tout0 = tin[0];
+      tout1 = tin[1];
+      l2n(tout0, out);
+      l2n(tout1, out);
+    }
+    l2n(tout0, ivec);
+    l2n(tout1, ivec);
+  } else {
+    n2l(ivec, xor0);
+    n2l(ivec, xor1);
+    ivec -= 8;
+    for (l -= 8; l >= 0; l -= 8) {
+      n2l(in, tin0);
+      n2l(in, tin1);
+      tin[0] = tin0;
+      tin[1] = tin1;
+      BF_decrypt(tin, schedule);
+      tout0 = tin[0] ^ xor0;
+      tout1 = tin[1] ^ xor1;
+      l2n(tout0, out);
+      l2n(tout1, out);
+      xor0 = tin0;
+      xor1 = tin1;
+    }
+    if (l != -8) {
+      n2l(in, tin0);
+      n2l(in, tin1);
+      tin[0] = tin0;
+      tin[1] = tin1;
+      BF_decrypt(tin, schedule);
+      tout0 = tin[0] ^ xor0;
+      tout1 = tin[1] ^ xor1;
+      l2nn(tout0, tout1, out, l + 8);
+      xor0 = tin0;
+      xor1 = tin1;
+    }
+    l2n(xor0, ivec);
+    l2n(xor1, ivec);
+  }
+  tin0 = tin1 = tout0 = tout1 = xor0 = xor1 = 0;
+  tin[0] = tin[1] = 0;
+}
+
+static const BF_KEY bf_init = {
+    {0x243f6a88L, 0x85a308d3L, 0x13198a2eL, 0x03707344L, 0xa4093822L,
+     0x299f31d0L, 0x082efa98L, 0xec4e6c89L, 0x452821e6L, 0x38d01377L,
+     0xbe5466cfL, 0x34e90c6cL, 0xc0ac29b7L, 0xc97c50ddL, 0x3f84d5b5L,
+     0xb5470917L, 0x9216d5d9L, 0x8979fb1b},
+    {
+     0xd1310ba6L, 0x98dfb5acL, 0x2ffd72dbL, 0xd01adfb7L, 0xb8e1afedL,
+     0x6a267e96L, 0xba7c9045L, 0xf12c7f99L, 0x24a19947L, 0xb3916cf7L,
+     0x0801f2e2L, 0x858efc16L, 0x636920d8L, 0x71574e69L, 0xa458fea3L,
+     0xf4933d7eL, 0x0d95748fL, 0x728eb658L, 0x718bcd58L, 0x82154aeeL,
+     0x7b54a41dL, 0xc25a59b5L, 0x9c30d539L, 0x2af26013L, 0xc5d1b023L,
+     0x286085f0L, 0xca417918L, 0xb8db38efL, 0x8e79dcb0L, 0x603a180eL,
+     0x6c9e0e8bL, 0xb01e8a3eL, 0xd71577c1L, 0xbd314b27L, 0x78af2fdaL,
+     0x55605c60L, 0xe65525f3L, 0xaa55ab94L, 0x57489862L, 0x63e81440L,
+     0x55ca396aL, 0x2aab10b6L, 0xb4cc5c34L, 0x1141e8ceL, 0xa15486afL,
+     0x7c72e993L, 0xb3ee1411L, 0x636fbc2aL, 0x2ba9c55dL, 0x741831f6L,
+     0xce5c3e16L, 0x9b87931eL, 0xafd6ba33L, 0x6c24cf5cL, 0x7a325381L,
+     0x28958677L, 0x3b8f4898L, 0x6b4bb9afL, 0xc4bfe81bL, 0x66282193L,
+     0x61d809ccL, 0xfb21a991L, 0x487cac60L, 0x5dec8032L, 0xef845d5dL,
+     0xe98575b1L, 0xdc262302L, 0xeb651b88L, 0x23893e81L, 0xd396acc5L,
+     0x0f6d6ff3L, 0x83f44239L, 0x2e0b4482L, 0xa4842004L, 0x69c8f04aL,
+     0x9e1f9b5eL, 0x21c66842L, 0xf6e96c9aL, 0x670c9c61L, 0xabd388f0L,
+     0x6a51a0d2L, 0xd8542f68L, 0x960fa728L, 0xab5133a3L, 0x6eef0b6cL,
+     0x137a3be4L, 0xba3bf050L, 0x7efb2a98L, 0xa1f1651dL, 0x39af0176L,
+     0x66ca593eL, 0x82430e88L, 0x8cee8619L, 0x456f9fb4L, 0x7d84a5c3L,
+     0x3b8b5ebeL, 0xe06f75d8L, 0x85c12073L, 0x401a449fL, 0x56c16aa6L,
+     0x4ed3aa62L, 0x363f7706L, 0x1bfedf72L, 0x429b023dL, 0x37d0d724L,
+     0xd00a1248L, 0xdb0fead3L, 0x49f1c09bL, 0x075372c9L, 0x80991b7bL,
+     0x25d479d8L, 0xf6e8def7L, 0xe3fe501aL, 0xb6794c3bL, 0x976ce0bdL,
+     0x04c006baL, 0xc1a94fb6L, 0x409f60c4L, 0x5e5c9ec2L, 0x196a2463L,
+     0x68fb6fafL, 0x3e6c53b5L, 0x1339b2ebL, 0x3b52ec6fL, 0x6dfc511fL,
+     0x9b30952cL, 0xcc814544L, 0xaf5ebd09L, 0xbee3d004L, 0xde334afdL,
+     0x660f2807L, 0x192e4bb3L, 0xc0cba857L, 0x45c8740fL, 0xd20b5f39L,
+     0xb9d3fbdbL, 0x5579c0bdL, 0x1a60320aL, 0xd6a100c6L, 0x402c7279L,
+     0x679f25feL, 0xfb1fa3ccL, 0x8ea5e9f8L, 0xdb3222f8L, 0x3c7516dfL,
+     0xfd616b15L, 0x2f501ec8L, 0xad0552abL, 0x323db5faL, 0xfd238760L,
+     0x53317b48L, 0x3e00df82L, 0x9e5c57bbL, 0xca6f8ca0L, 0x1a87562eL,
+     0xdf1769dbL, 0xd542a8f6L, 0x287effc3L, 0xac6732c6L, 0x8c4f5573L,
+     0x695b27b0L, 0xbbca58c8L, 0xe1ffa35dL, 0xb8f011a0L, 0x10fa3d98L,
+     0xfd2183b8L, 0x4afcb56cL, 0x2dd1d35bL, 0x9a53e479L, 0xb6f84565L,
+     0xd28e49bcL, 0x4bfb9790L, 0xe1ddf2daL, 0xa4cb7e33L, 0x62fb1341L,
+     0xcee4c6e8L, 0xef20cadaL, 0x36774c01L, 0xd07e9efeL, 0x2bf11fb4L,
+     0x95dbda4dL, 0xae909198L, 0xeaad8e71L, 0x6b93d5a0L, 0xd08ed1d0L,
+     0xafc725e0L, 0x8e3c5b2fL, 0x8e7594b7L, 0x8ff6e2fbL, 0xf2122b64L,
+     0x8888b812L, 0x900df01cL, 0x4fad5ea0L, 0x688fc31cL, 0xd1cff191L,
+     0xb3a8c1adL, 0x2f2f2218L, 0xbe0e1777L, 0xea752dfeL, 0x8b021fa1L,
+     0xe5a0cc0fL, 0xb56f74e8L, 0x18acf3d6L, 0xce89e299L, 0xb4a84fe0L,
+     0xfd13e0b7L, 0x7cc43b81L, 0xd2ada8d9L, 0x165fa266L, 0x80957705L,
+     0x93cc7314L, 0x211a1477L, 0xe6ad2065L, 0x77b5fa86L, 0xc75442f5L,
+     0xfb9d35cfL, 0xebcdaf0cL, 0x7b3e89a0L, 0xd6411bd3L, 0xae1e7e49L,
+     0x00250e2dL, 0x2071b35eL, 0x226800bbL, 0x57b8e0afL, 0x2464369bL,
+     0xf009b91eL, 0x5563911dL, 0x59dfa6aaL, 0x78c14389L, 0xd95a537fL,
+     0x207d5ba2L, 0x02e5b9c5L, 0x83260376L, 0x6295cfa9L, 0x11c81968L,
+     0x4e734a41L, 0xb3472dcaL, 0x7b14a94aL, 0x1b510052L, 0x9a532915L,
+     0xd60f573fL, 0xbc9bc6e4L, 0x2b60a476L, 0x81e67400L, 0x08ba6fb5L,
+     0x571be91fL, 0xf296ec6bL, 0x2a0dd915L, 0xb6636521L, 0xe7b9f9b6L,
+     0xff34052eL, 0xc5855664L, 0x53b02d5dL, 0xa99f8fa1L, 0x08ba4799L,
+     0x6e85076aL, 0x4b7a70e9L, 0xb5b32944L, 0xdb75092eL, 0xc4192623L,
+     0xad6ea6b0L, 0x49a7df7dL, 0x9cee60b8L, 0x8fedb266L, 0xecaa8c71L,
+     0x699a17ffL, 0x5664526cL, 0xc2b19ee1L, 0x193602a5L, 0x75094c29L,
+     0xa0591340L, 0xe4183a3eL, 0x3f54989aL, 0x5b429d65L, 0x6b8fe4d6L,
+     0x99f73fd6L, 0xa1d29c07L, 0xefe830f5L, 0x4d2d38e6L, 0xf0255dc1L,
+     0x4cdd2086L, 0x8470eb26L, 0x6382e9c6L, 0x021ecc5eL, 0x09686b3fL,
+     0x3ebaefc9L, 0x3c971814L, 0x6b6a70a1L, 0x687f3584L, 0x52a0e286L,
+     0xb79c5305L, 0xaa500737L, 0x3e07841cL, 0x7fdeae5cL, 0x8e7d44ecL,
+     0x5716f2b8L, 0xb03ada37L, 0xf0500c0dL, 0xf01c1f04L, 0x0200b3ffL,
+     0xae0cf51aL, 0x3cb574b2L, 0x25837a58L, 0xdc0921bdL, 0xd19113f9L,
+     0x7ca92ff6L, 0x94324773L, 0x22f54701L, 0x3ae5e581L, 0x37c2dadcL,
+     0xc8b57634L, 0x9af3dda7L, 0xa9446146L, 0x0fd0030eL, 0xecc8c73eL,
+     0xa4751e41L, 0xe238cd99L, 0x3bea0e2fL, 0x3280bba1L, 0x183eb331L,
+     0x4e548b38L, 0x4f6db908L, 0x6f420d03L, 0xf60a04bfL, 0x2cb81290L,
+     0x24977c79L, 0x5679b072L, 0xbcaf89afL, 0xde9a771fL, 0xd9930810L,
+     0xb38bae12L, 0xdccf3f2eL, 0x5512721fL, 0x2e6b7124L, 0x501adde6L,
+     0x9f84cd87L, 0x7a584718L, 0x7408da17L, 0xbc9f9abcL, 0xe94b7d8cL,
+     0xec7aec3aL, 0xdb851dfaL, 0x63094366L, 0xc464c3d2L, 0xef1c1847L,
+     0x3215d908L, 0xdd433b37L, 0x24c2ba16L, 0x12a14d43L, 0x2a65c451L,
+     0x50940002L, 0x133ae4ddL, 0x71dff89eL, 0x10314e55L, 0x81ac77d6L,
+     0x5f11199bL, 0x043556f1L, 0xd7a3c76bL, 0x3c11183bL, 0x5924a509L,
+     0xf28fe6edL, 0x97f1fbfaL, 0x9ebabf2cL, 0x1e153c6eL, 0x86e34570L,
+     0xeae96fb1L, 0x860e5e0aL, 0x5a3e2ab3L, 0x771fe71cL, 0x4e3d06faL,
+     0x2965dcb9L, 0x99e71d0fL, 0x803e89d6L, 0x5266c825L, 0x2e4cc978L,
+     0x9c10b36aL, 0xc6150ebaL, 0x94e2ea78L, 0xa5fc3c53L, 0x1e0a2df4L,
+     0xf2f74ea7L, 0x361d2b3dL, 0x1939260fL, 0x19c27960L, 0x5223a708L,
+     0xf71312b6L, 0xebadfe6eL, 0xeac31f66L, 0xe3bc4595L, 0xa67bc883L,
+     0xb17f37d1L, 0x018cff28L, 0xc332ddefL, 0xbe6c5aa5L, 0x65582185L,
+     0x68ab9802L, 0xeecea50fL, 0xdb2f953bL, 0x2aef7dadL, 0x5b6e2f84L,
+     0x1521b628L, 0x29076170L, 0xecdd4775L, 0x619f1510L, 0x13cca830L,
+     0xeb61bd96L, 0x0334fe1eL, 0xaa0363cfL, 0xb5735c90L, 0x4c70a239L,
+     0xd59e9e0bL, 0xcbaade14L, 0xeecc86bcL, 0x60622ca7L, 0x9cab5cabL,
+     0xb2f3846eL, 0x648b1eafL, 0x19bdf0caL, 0xa02369b9L, 0x655abb50L,
+     0x40685a32L, 0x3c2ab4b3L, 0x319ee9d5L, 0xc021b8f7L, 0x9b540b19L,
+     0x875fa099L, 0x95f7997eL, 0x623d7da8L, 0xf837889aL, 0x97e32d77L,
+     0x11ed935fL, 0x16681281L, 0x0e358829L, 0xc7e61fd6L, 0x96dedfa1L,
+     0x7858ba99L, 0x57f584a5L, 0x1b227263L, 0x9b83c3ffL, 0x1ac24696L,
+     0xcdb30aebL, 0x532e3054L, 0x8fd948e4L, 0x6dbc3128L, 0x58ebf2efL,
+     0x34c6ffeaL, 0xfe28ed61L, 0xee7c3c73L, 0x5d4a14d9L, 0xe864b7e3L,
+     0x42105d14L, 0x203e13e0L, 0x45eee2b6L, 0xa3aaabeaL, 0xdb6c4f15L,
+     0xfacb4fd0L, 0xc742f442L, 0xef6abbb5L, 0x654f3b1dL, 0x41cd2105L,
+     0xd81e799eL, 0x86854dc7L, 0xe44b476aL, 0x3d816250L, 0xcf62a1f2L,
+     0x5b8d2646L, 0xfc8883a0L, 0xc1c7b6a3L, 0x7f1524c3L, 0x69cb7492L,
+     0x47848a0bL, 0x5692b285L, 0x095bbf00L, 0xad19489dL, 0x1462b174L,
+     0x23820e00L, 0x58428d2aL, 0x0c55f5eaL, 0x1dadf43eL, 0x233f7061L,
+     0x3372f092L, 0x8d937e41L, 0xd65fecf1L, 0x6c223bdbL, 0x7cde3759L,
+     0xcbee7460L, 0x4085f2a7L, 0xce77326eL, 0xa6078084L, 0x19f8509eL,
+     0xe8efd855L, 0x61d99735L, 0xa969a7aaL, 0xc50c06c2L, 0x5a04abfcL,
+     0x800bcadcL, 0x9e447a2eL, 0xc3453484L, 0xfdd56705L, 0x0e1e9ec9L,
+     0xdb73dbd3L, 0x105588cdL, 0x675fda79L, 0xe3674340L, 0xc5c43465L,
+     0x713e38d8L, 0x3d28f89eL, 0xf16dff20L, 0x153e21e7L, 0x8fb03d4aL,
+     0xe6e39f2bL, 0xdb83adf7L, 0xe93d5a68L, 0x948140f7L, 0xf64c261cL,
+     0x94692934L, 0x411520f7L, 0x7602d4f7L, 0xbcf46b2eL, 0xd4a20068L,
+     0xd4082471L, 0x3320f46aL, 0x43b7d4b7L, 0x500061afL, 0x1e39f62eL,
+     0x97244546L, 0x14214f74L, 0xbf8b8840L, 0x4d95fc1dL, 0x96b591afL,
+     0x70f4ddd3L, 0x66a02f45L, 0xbfbc09ecL, 0x03bd9785L, 0x7fac6dd0L,
+     0x31cb8504L, 0x96eb27b3L, 0x55fd3941L, 0xda2547e6L, 0xabca0a9aL,
+     0x28507825L, 0x530429f4L, 0x0a2c86daL, 0xe9b66dfbL, 0x68dc1462L,
+     0xd7486900L, 0x680ec0a4L, 0x27a18deeL, 0x4f3ffea2L, 0xe887ad8cL,
+     0xb58ce006L, 0x7af4d6b6L, 0xaace1e7cL, 0xd3375fecL, 0xce78a399L,
+     0x406b2a42L, 0x20fe9e35L, 0xd9f385b9L, 0xee39d7abL, 0x3b124e8bL,
+     0x1dc9faf7L, 0x4b6d1856L, 0x26a36631L, 0xeae397b2L, 0x3a6efa74L,
+     0xdd5b4332L, 0x6841e7f7L, 0xca7820fbL, 0xfb0af54eL, 0xd8feb397L,
+     0x454056acL, 0xba489527L, 0x55533a3aL, 0x20838d87L, 0xfe6ba9b7L,
+     0xd096954bL, 0x55a867bcL, 0xa1159a58L, 0xcca92963L, 0x99e1db33L,
+     0xa62a4a56L, 0x3f3125f9L, 0x5ef47e1cL, 0x9029317cL, 0xfdf8e802L,
+     0x04272f70L, 0x80bb155cL, 0x05282ce3L, 0x95c11548L, 0xe4c66d22L,
+     0x48c1133fL, 0xc70f86dcL, 0x07f9c9eeL, 0x41041f0fL, 0x404779a4L,
+     0x5d886e17L, 0x325f51ebL, 0xd59bc0d1L, 0xf2bcc18fL, 0x41113564L,
+     0x257b7834L, 0x602a9c60L, 0xdff8e8a3L, 0x1f636c1bL, 0x0e12b4c2L,
+     0x02e1329eL, 0xaf664fd1L, 0xcad18115L, 0x6b2395e0L, 0x333e92e1L,
+     0x3b240b62L, 0xeebeb922L, 0x85b2a20eL, 0xe6ba0d99L, 0xde720c8cL,
+     0x2da2f728L, 0xd0127845L, 0x95b794fdL, 0x647d0862L, 0xe7ccf5f0L,
+     0x5449a36fL, 0x877d48faL, 0xc39dfd27L, 0xf33e8d1eL, 0x0a476341L,
+     0x992eff74L, 0x3a6f6eabL, 0xf4f8fd37L, 0xa812dc60L, 0xa1ebddf8L,
+     0x991be14cL, 0xdb6e6b0dL, 0xc67b5510L, 0x6d672c37L, 0x2765d43bL,
+     0xdcd0e804L, 0xf1290dc7L, 0xcc00ffa3L, 0xb5390f92L, 0x690fed0bL,
+     0x667b9ffbL, 0xcedb7d9cL, 0xa091cf0bL, 0xd9155ea3L, 0xbb132f88L,
+     0x515bad24L, 0x7b9479bfL, 0x763bd6ebL, 0x37392eb3L, 0xcc115979L,
+     0x8026e297L, 0xf42e312dL, 0x6842ada7L, 0xc66a2b3bL, 0x12754cccL,
+     0x782ef11cL, 0x6a124237L, 0xb79251e7L, 0x06a1bbe6L, 0x4bfb6350L,
+     0x1a6b1018L, 0x11caedfaL, 0x3d25bdd8L, 0xe2e1c3c9L, 0x44421659L,
+     0x0a121386L, 0xd90cec6eL, 0xd5abea2aL, 0x64af674eL, 0xda86a85fL,
+     0xbebfe988L, 0x64e4c3feL, 0x9dbc8057L, 0xf0f7c086L, 0x60787bf8L,
+     0x6003604dL, 0xd1fd8346L, 0xf6381fb0L, 0x7745ae04L, 0xd736fcccL,
+     0x83426b33L, 0xf01eab71L, 0xb0804187L, 0x3c005e5fL, 0x77a057beL,
+     0xbde8ae24L, 0x55464299L, 0xbf582e61L, 0x4e58f48fL, 0xf2ddfda2L,
+     0xf474ef38L, 0x8789bdc2L, 0x5366f9c3L, 0xc8b38e74L, 0xb475f255L,
+     0x46fcd9b9L, 0x7aeb2661L, 0x8b1ddf84L, 0x846a0e79L, 0x915f95e2L,
+     0x466e598eL, 0x20b45770L, 0x8cd55591L, 0xc902de4cL, 0xb90bace1L,
+     0xbb8205d0L, 0x11a86248L, 0x7574a99eL, 0xb77f19b6L, 0xe0a9dc09L,
+     0x662d09a1L, 0xc4324633L, 0xe85a1f02L, 0x09f0be8cL, 0x4a99a025L,
+     0x1d6efe10L, 0x1ab93d1dL, 0x0ba5a4dfL, 0xa186f20fL, 0x2868f169L,
+     0xdcb7da83L, 0x573906feL, 0xa1e2ce9bL, 0x4fcd7f52L, 0x50115e01L,
+     0xa70683faL, 0xa002b5c4L, 0x0de6d027L, 0x9af88c27L, 0x773f8641L,
+     0xc3604c06L, 0x61a806b5L, 0xf0177a28L, 0xc0f586e0L, 0x006058aaL,
+     0x30dc7d62L, 0x11e69ed7L, 0x2338ea63L, 0x53c2dd94L, 0xc2c21634L,
+     0xbbcbee56L, 0x90bcb6deL, 0xebfc7da1L, 0xce591d76L, 0x6f05e409L,
+     0x4b7c0188L, 0x39720a3dL, 0x7c927c24L, 0x86e3725fL, 0x724d9db9L,
+     0x1ac15bb4L, 0xd39eb8fcL, 0xed545578L, 0x08fca5b5L, 0xd83d7cd3L,
+     0x4dad0fc4L, 0x1e50ef5eL, 0xb161e6f8L, 0xa28514d9L, 0x6c51133cL,
+     0x6fd5c7e7L, 0x56e14ec4L, 0x362abfceL, 0xddc6c837L, 0xd79a3234L,
+     0x92638212L, 0x670efa8eL, 0x406000e0L, 0x3a39ce37L, 0xd3faf5cfL,
+     0xabc27737L, 0x5ac52d1bL, 0x5cb0679eL, 0x4fa33742L, 0xd3822740L,
+     0x99bc9bbeL, 0xd5118e9dL, 0xbf0f7315L, 0xd62d1c7eL, 0xc700c47bL,
+     0xb78c1b6bL, 0x21a19045L, 0xb26eb1beL, 0x6a366eb4L, 0x5748ab2fL,
+     0xbc946e79L, 0xc6a376d2L, 0x6549c2c8L, 0x530ff8eeL, 0x468dde7dL,
+     0xd5730a1dL, 0x4cd04dc6L, 0x2939bbdbL, 0xa9ba4650L, 0xac9526e8L,
+     0xbe5ee304L, 0xa1fad5f0L, 0x6a2d519aL, 0x63ef8ce2L, 0x9a86ee22L,
+     0xc089c2b8L, 0x43242ef6L, 0xa51e03aaL, 0x9cf2d0a4L, 0x83c061baL,
+     0x9be96a4dL, 0x8fe51550L, 0xba645bd6L, 0x2826a2f9L, 0xa73a3ae1L,
+     0x4ba99586L, 0xef5562e9L, 0xc72fefd3L, 0xf752f7daL, 0x3f046f69L,
+     0x77fa0a59L, 0x80e4a915L, 0x87b08601L, 0x9b09e6adL, 0x3b3ee593L,
+     0xe990fd5aL, 0x9e34d797L, 0x2cf0b7d9L, 0x022b8b51L, 0x96d5ac3aL,
+     0x017da67dL, 0xd1cf3ed6L, 0x7c7d2d28L, 0x1f9f25cfL, 0xadf2b89bL,
+     0x5ad6b472L, 0x5a88f54cL, 0xe029ac71L, 0xe019a5e6L, 0x47b0acfdL,
+     0xed93fa9bL, 0xe8d3c48dL, 0x283b57ccL, 0xf8d56629L, 0x79132e28L,
+     0x785f0191L, 0xed756055L, 0xf7960e44L, 0xe3d35e8cL, 0x15056dd4L,
+     0x88f46dbaL, 0x03a16125L, 0x0564f0bdL, 0xc3eb9e15L, 0x3c9057a2L,
+     0x97271aecL, 0xa93a072aL, 0x1b3f6d9bL, 0x1e6321f5L, 0xf59c66fbL,
+     0x26dcf319L, 0x7533d928L, 0xb155fdf5L, 0x03563482L, 0x8aba3cbbL,
+     0x28517711L, 0xc20ad9f8L, 0xabcc5167L, 0xccad925fL, 0x4de81751L,
+     0x3830dc8eL, 0x379d5862L, 0x9320f991L, 0xea7a90c2L, 0xfb3e7bceL,
+     0x5121ce64L, 0x774fbe32L, 0xa8b6e37eL, 0xc3293d46L, 0x48de5369L,
+     0x6413e680L, 0xa2ae0810L, 0xdd6db224L, 0x69852dfdL, 0x09072166L,
+     0xb39a460aL, 0x6445c0ddL, 0x586cdecfL, 0x1c20c8aeL, 0x5bbef7ddL,
+     0x1b588d40L, 0xccd2017fL, 0x6bb4e3bbL, 0xdda26a7eL, 0x3a59ff45L,
+     0x3e350a44L, 0xbcb4cdd5L, 0x72eacea8L, 0xfa6484bbL, 0x8d6612aeL,
+     0xbf3c6f47L, 0xd29be463L, 0x542f5d9eL, 0xaec2771bL, 0xf64e6370L,
+     0x740e0d8dL, 0xe75b1357L, 0xf8721671L, 0xaf537d5dL, 0x4040cb08L,
+     0x4eb4e2ccL, 0x34d2466aL, 0x0115af84L, 0xe1b00428L, 0x95983a1dL,
+     0x06b89fb4L, 0xce6ea048L, 0x6f3f3b82L, 0x3520ab82L, 0x011a1d4bL,
+     0x277227f8L, 0x611560b1L, 0xe7933fdcL, 0xbb3a792bL, 0x344525bdL,
+     0xa08839e1L, 0x51ce794bL, 0x2f32c9b7L, 0xa01fbac9L, 0xe01cc87eL,
+     0xbcc7d1f6L, 0xcf0111c3L, 0xa1e8aac7L, 0x1a908749L, 0xd44fbd9aL,
+     0xd0dadecbL, 0xd50ada38L, 0x0339c32aL, 0xc6913667L, 0x8df9317cL,
+     0xe0b12b4fL, 0xf79e59b7L, 0x43f5bb3aL, 0xf2d519ffL, 0x27d9459cL,
+     0xbf97222cL, 0x15e6fc2aL, 0x0f91fc71L, 0x9b941525L, 0xfae59361L,
+     0xceb69cebL, 0xc2a86459L, 0x12baa8d1L, 0xb6c1075eL, 0xe3056a0cL,
+     0x10d25065L, 0xcb03a442L, 0xe0ec6e0eL, 0x1698db3bL, 0x4c98a0beL,
+     0x3278e964L, 0x9f1f9532L, 0xe0d392dfL, 0xd3a0342bL, 0x8971f21eL,
+     0x1b0a7441L, 0x4ba3348cL, 0xc5be7120L, 0xc37632d8L, 0xdf359f8dL,
+     0x9b992f2eL, 0xe60b6f47L, 0x0fe3f11dL, 0xe54cda54L, 0x1edad891L,
+     0xce6279cfL, 0xcd3e7e6fL, 0x1618b166L, 0xfd2c1d05L, 0x848fd2c5L,
+     0xf6fb2299L, 0xf523f357L, 0xa6327623L, 0x93a83531L, 0x56cccd02L,
+     0xacf08162L, 0x5a75ebb5L, 0x6e163697L, 0x88d273ccL, 0xde966292L,
+     0x81b949d0L, 0x4c50901bL, 0x71c65614L, 0xe6c6c7bdL, 0x327a140aL,
+     0x45e1d006L, 0xc3f27b9aL, 0xc9aa53fdL, 0x62a80f00L, 0xbb25bfe2L,
+     0x35bdd2f6L, 0x71126905L, 0xb2040222L, 0xb6cbcf7cL, 0xcd769c2bL,
+     0x53113ec0L, 0x1640e3d3L, 0x38abbd60L, 0x2547adf0L, 0xba38209cL,
+     0xf746ce76L, 0x77afa1c5L, 0x20756060L, 0x85cbfe4eL, 0x8ae88dd8L,
+     0x7aaaf9b0L, 0x4cf9aa7eL, 0x1948c25cL, 0x02fb8a8cL, 0x01c36ae4L,
+     0xd6ebe1f9L, 0x90d4f869L, 0xa65cdea0L, 0x3f09252dL, 0xc208e69fL,
+     0xb74e6132L, 0xce77e25bL, 0x578fdfe3L, 0x3ac372e6L,
+    },
+};
+
+void BF_set_key(BF_KEY *key, size_t len, const uint8_t *data) {
+  int i;
+  uint32_t *p, ri, in[2];
+  const uint8_t *d, *end;
+
+  memcpy(key, &bf_init, sizeof(BF_KEY));
+  p = key->P;
+
+  if (len > ((BF_ROUNDS + 2) * 4))
+    len = (BF_ROUNDS + 2) * 4;
+
+  d = data;
+  end = &data[len];
+  for (i = 0; i < BF_ROUNDS + 2; i++) {
+    ri = *(d++);
+    if (d >= end) {
+      d = data;
+    }
+
+    ri <<= 8;
+    ri |= *(d++);
+    if (d >= end) {
+      d = data;
+    }
+
+    ri <<= 8;
+    ri |= *(d++);
+    if (d >= end) {
+      d = data;
+    }
+
+    ri <<= 8;
+    ri |= *(d++);
+    if (d >= end) {
+      d = data;
+    }
+
+    p[i] ^= ri;
+  }
+
+  in[0] = 0L;
+  in[1] = 0L;
+  for (i = 0; i < BF_ROUNDS + 2; i += 2) {
+    BF_encrypt(in, key);
+    p[i] = in[0];
+    p[i + 1] = in[1];
+  }
+
+  p = key->S;
+  for (i = 0; i < 4 * 256; i += 2) {
+    BF_encrypt(in, key);
+    p[i] = in[0];
+    p[i + 1] = in[1];
+  }
+}
diff --git a/src/decrepit/cast/CMakeLists.txt b/src/decrepit/cast/CMakeLists.txt
new file mode 100644
index 0000000..ada99e4
--- /dev/null
+++ b/src/decrepit/cast/CMakeLists.txt
@@ -0,0 +1,10 @@
+include_directories(. ../../include)
+
+add_library(
+  cast
+
+  OBJECT
+
+  cast.c
+  cast_tables.c
+)
diff --git a/src/decrepit/cast/cast.c b/src/decrepit/cast/cast.c
new file mode 100644
index 0000000..68bcbe3
--- /dev/null
+++ b/src/decrepit/cast/cast.c
@@ -0,0 +1,416 @@
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]. */
+
+#include <openssl/cast.h>
+
+#if defined(OPENSSL_WINDOWS)
+#pragma warning(push, 3)
+#include <intrin.h>
+#pragma warning(pop)
+#endif
+
+#include "../macros.h"
+
+
+void CAST_ecb_encrypt(const uint8_t *in, uint8_t *out, const CAST_KEY *ks,
+                      int enc) {
+  uint32_t d[2];
+
+  n2l(in, d[0]);
+  n2l(in, d[1]);
+  if (enc) {
+    CAST_encrypt(d, ks);
+  } else {
+    CAST_decrypt(d, ks);
+  }
+  l2n(d[0], out);
+  l2n(d[1], out);
+}
+
+extern const uint32_t CAST_S_table0[256];
+extern const uint32_t CAST_S_table1[256];
+extern const uint32_t CAST_S_table2[256];
+extern const uint32_t CAST_S_table3[256];
+extern const uint32_t CAST_S_table4[256];
+extern const uint32_t CAST_S_table5[256];
+extern const uint32_t CAST_S_table6[256];
+extern const uint32_t CAST_S_table7[256];
+
+#if defined(OPENSSL_WINDOWS) && defined(_MSC_VER)
+#define ROTL(a, n) (_lrotl(a, n))
+#else
+#define ROTL(a, n) ((((a) << (n)) | ((a) >> ((-(n))&31))) & 0xffffffffL)
+#endif
+
+#define E_CAST(n, key, L, R, OP1, OP2, OP3)                                   \
+  {                                                                           \
+    uint32_t a, b, c, d;                                                      \
+    t = (key[n * 2] OP1 R) & 0xffffffff;                                      \
+    t = ROTL(t, (key[n * 2 + 1]));                                            \
+    a = CAST_S_table0[(t >> 8) & 0xff];                                       \
+    b = CAST_S_table1[(t)&0xff];                                              \
+    c = CAST_S_table2[(t >> 24) & 0xff];                                      \
+    d = CAST_S_table3[(t >> 16) & 0xff];                                      \
+    L ^= (((((a OP2 b)&0xffffffffL)OP3 c) & 0xffffffffL)OP1 d) & 0xffffffffL; \
+  }
+
+void CAST_encrypt(uint32_t *data, const CAST_KEY *key) {
+  uint32_t l, r, t;
+  const uint32_t *k;
+
+  k = &key->data[0];
+  l = data[0];
+  r = data[1];
+
+  E_CAST(0, k, l, r, +, ^, -);
+  E_CAST(1, k, r, l, ^, -, +);
+  E_CAST(2, k, l, r, -, +, ^);
+  E_CAST(3, k, r, l, +, ^, -);
+  E_CAST(4, k, l, r, ^, -, +);
+  E_CAST(5, k, r, l, -, +, ^);
+  E_CAST(6, k, l, r, +, ^, -);
+  E_CAST(7, k, r, l, ^, -, +);
+  E_CAST(8, k, l, r, -, +, ^);
+  E_CAST(9, k, r, l, +, ^, -);
+  E_CAST(10, k, l, r, ^, -, +);
+  E_CAST(11, k, r, l, -, +, ^);
+
+  if (!key->short_key) {
+    E_CAST(12, k, l, r, +, ^, -);
+    E_CAST(13, k, r, l, ^, -, +);
+    E_CAST(14, k, l, r, -, +, ^);
+    E_CAST(15, k, r, l, +, ^, -);
+  }
+
+  data[1] = l & 0xffffffffL;
+  data[0] = r & 0xffffffffL;
+}
+
+void CAST_decrypt(uint32_t *data, const CAST_KEY *key) {
+  uint32_t l, r, t;
+  const uint32_t *k;
+
+  k = &key->data[0];
+  l = data[0];
+  r = data[1];
+
+  if (!key->short_key) {
+    E_CAST(15, k, l, r, +, ^, -);
+    E_CAST(14, k, r, l, -, +, ^);
+    E_CAST(13, k, l, r, ^, -, +);
+    E_CAST(12, k, r, l, +, ^, -);
+  }
+
+  E_CAST(11, k, l, r, -, +, ^);
+  E_CAST(10, k, r, l, ^, -, +);
+  E_CAST(9, k, l, r, +, ^, -);
+  E_CAST(8, k, r, l, -, +, ^);
+  E_CAST(7, k, l, r, ^, -, +);
+  E_CAST(6, k, r, l, +, ^, -);
+  E_CAST(5, k, l, r, -, +, ^);
+  E_CAST(4, k, r, l, ^, -, +);
+  E_CAST(3, k, l, r, +, ^, -);
+  E_CAST(2, k, r, l, -, +, ^);
+  E_CAST(1, k, l, r, ^, -, +);
+  E_CAST(0, k, r, l, +, ^, -);
+
+  data[1] = l & 0xffffffffL;
+  data[0] = r & 0xffffffffL;
+}
+
+void CAST_cbc_encrypt(const uint8_t *in, uint8_t *out, long length,
+                      const CAST_KEY *ks, uint8_t *iv, int enc) {
+  uint32_t tin0, tin1;
+  uint32_t tout0, tout1, xor0, xor1;
+  long l = length;
+  uint32_t tin[2];
+
+  if (enc) {
+    n2l(iv, tout0);
+    n2l(iv, tout1);
+    iv -= 8;
+    for (l -= 8; l >= 0; l -= 8) {
+      n2l(in, tin0);
+      n2l(in, tin1);
+      tin0 ^= tout0;
+      tin1 ^= tout1;
+      tin[0] = tin0;
+      tin[1] = tin1;
+      CAST_encrypt(tin, ks);
+      tout0 = tin[0];
+      tout1 = tin[1];
+      l2n(tout0, out);
+      l2n(tout1, out);
+    }
+    if (l != -8) {
+      n2ln(in, tin0, tin1, l + 8);
+      tin0 ^= tout0;
+      tin1 ^= tout1;
+      tin[0] = tin0;
+      tin[1] = tin1;
+      CAST_encrypt(tin, ks);
+      tout0 = tin[0];
+      tout1 = tin[1];
+      l2n(tout0, out);
+      l2n(tout1, out);
+    }
+    l2n(tout0, iv);
+    l2n(tout1, iv);
+  } else {
+    n2l(iv, xor0);
+    n2l(iv, xor1);
+    iv -= 8;
+    for (l -= 8; l >= 0; l -= 8) {
+      n2l(in, tin0);
+      n2l(in, tin1);
+      tin[0] = tin0;
+      tin[1] = tin1;
+      CAST_decrypt(tin, ks);
+      tout0 = tin[0] ^ xor0;
+      tout1 = tin[1] ^ xor1;
+      l2n(tout0, out);
+      l2n(tout1, out);
+      xor0 = tin0;
+      xor1 = tin1;
+    }
+    if (l != -8) {
+      n2l(in, tin0);
+      n2l(in, tin1);
+      tin[0] = tin0;
+      tin[1] = tin1;
+      CAST_decrypt(tin, ks);
+      tout0 = tin[0] ^ xor0;
+      tout1 = tin[1] ^ xor1;
+      l2nn(tout0, tout1, out, l + 8);
+      xor0 = tin0;
+      xor1 = tin1;
+    }
+    l2n(xor0, iv);
+    l2n(xor1, iv);
+  }
+  tin0 = tin1 = tout0 = tout1 = xor0 = xor1 = 0;
+  tin[0] = tin[1] = 0;
+}
+
+#define CAST_exp(l, A, a, n)   \
+  A[n / 4] = l;                \
+  a[n + 3] = (l)&0xff;         \
+  a[n + 2] = (l >> 8) & 0xff;  \
+  a[n + 1] = (l >> 16) & 0xff; \
+  a[n + 0] = (l >> 24) & 0xff;
+#define S4 CAST_S_table4
+#define S5 CAST_S_table5
+#define S6 CAST_S_table6
+#define S7 CAST_S_table7
+
+void CAST_set_key(CAST_KEY *key, size_t len, const uint8_t *data) {
+  uint32_t x[16];
+  uint32_t z[16];
+  uint32_t k[32];
+  uint32_t X[4], Z[4];
+  uint32_t l, *K;
+  size_t i;
+
+  for (i = 0; i < 16; i++) {
+    x[i] = 0;
+  }
+
+  if (len > 16) {
+    len = 16;
+  }
+
+  for (i = 0; i < len; i++) {
+    x[i] = data[i];
+  }
+
+  if (len <= 10) {
+    key->short_key = 1;
+  } else {
+    key->short_key = 0;
+  }
+
+  K = &k[0];
+  X[0] = ((x[0] << 24) | (x[1] << 16) | (x[2] << 8) | x[3]) & 0xffffffffL;
+  X[1] = ((x[4] << 24) | (x[5] << 16) | (x[6] << 8) | x[7]) & 0xffffffffL;
+  X[2] = ((x[8] << 24) | (x[9] << 16) | (x[10] << 8) | x[11]) & 0xffffffffL;
+  X[3] = ((x[12] << 24) | (x[13] << 16) | (x[14] << 8) | x[15]) & 0xffffffffL;
+
+  for (;;) {
+    l = X[0] ^ S4[x[13]] ^ S5[x[15]] ^ S6[x[12]] ^ S7[x[14]] ^ S6[x[8]];
+    CAST_exp(l, Z, z, 0);
+    l = X[2] ^ S4[z[0]] ^ S5[z[2]] ^ S6[z[1]] ^ S7[z[3]] ^ S7[x[10]];
+    CAST_exp(l, Z, z, 4);
+    l = X[3] ^ S4[z[7]] ^ S5[z[6]] ^ S6[z[5]] ^ S7[z[4]] ^ S4[x[9]];
+    CAST_exp(l, Z, z, 8);
+    l = X[1] ^ S4[z[10]] ^ S5[z[9]] ^ S6[z[11]] ^ S7[z[8]] ^ S5[x[11]];
+    CAST_exp(l, Z, z, 12);
+
+    K[0] = S4[z[8]] ^ S5[z[9]] ^ S6[z[7]] ^ S7[z[6]] ^ S4[z[2]];
+    K[1] = S4[z[10]] ^ S5[z[11]] ^ S6[z[5]] ^ S7[z[4]] ^ S5[z[6]];
+    K[2] = S4[z[12]] ^ S5[z[13]] ^ S6[z[3]] ^ S7[z[2]] ^ S6[z[9]];
+    K[3] = S4[z[14]] ^ S5[z[15]] ^ S6[z[1]] ^ S7[z[0]] ^ S7[z[12]];
+
+    l = Z[2] ^ S4[z[5]] ^ S5[z[7]] ^ S6[z[4]] ^ S7[z[6]] ^ S6[z[0]];
+    CAST_exp(l, X, x, 0);
+    l = Z[0] ^ S4[x[0]] ^ S5[x[2]] ^ S6[x[1]] ^ S7[x[3]] ^ S7[z[2]];
+    CAST_exp(l, X, x, 4);
+    l = Z[1] ^ S4[x[7]] ^ S5[x[6]] ^ S6[x[5]] ^ S7[x[4]] ^ S4[z[1]];
+    CAST_exp(l, X, x, 8);
+    l = Z[3] ^ S4[x[10]] ^ S5[x[9]] ^ S6[x[11]] ^ S7[x[8]] ^ S5[z[3]];
+    CAST_exp(l, X, x, 12);
+
+    K[4] = S4[x[3]] ^ S5[x[2]] ^ S6[x[12]] ^ S7[x[13]] ^ S4[x[8]];
+    K[5] = S4[x[1]] ^ S5[x[0]] ^ S6[x[14]] ^ S7[x[15]] ^ S5[x[13]];
+    K[6] = S4[x[7]] ^ S5[x[6]] ^ S6[x[8]] ^ S7[x[9]] ^ S6[x[3]];
+    K[7] = S4[x[5]] ^ S5[x[4]] ^ S6[x[10]] ^ S7[x[11]] ^ S7[x[7]];
+
+    l = X[0] ^ S4[x[13]] ^ S5[x[15]] ^ S6[x[12]] ^ S7[x[14]] ^ S6[x[8]];
+    CAST_exp(l, Z, z, 0);
+    l = X[2] ^ S4[z[0]] ^ S5[z[2]] ^ S6[z[1]] ^ S7[z[3]] ^ S7[x[10]];
+    CAST_exp(l, Z, z, 4);
+    l = X[3] ^ S4[z[7]] ^ S5[z[6]] ^ S6[z[5]] ^ S7[z[4]] ^ S4[x[9]];
+    CAST_exp(l, Z, z, 8);
+    l = X[1] ^ S4[z[10]] ^ S5[z[9]] ^ S6[z[11]] ^ S7[z[8]] ^ S5[x[11]];
+    CAST_exp(l, Z, z, 12);
+
+    K[8] = S4[z[3]] ^ S5[z[2]] ^ S6[z[12]] ^ S7[z[13]] ^ S4[z[9]];
+    K[9] = S4[z[1]] ^ S5[z[0]] ^ S6[z[14]] ^ S7[z[15]] ^ S5[z[12]];
+    K[10] = S4[z[7]] ^ S5[z[6]] ^ S6[z[8]] ^ S7[z[9]] ^ S6[z[2]];
+    K[11] = S4[z[5]] ^ S5[z[4]] ^ S6[z[10]] ^ S7[z[11]] ^ S7[z[6]];
+
+    l = Z[2] ^ S4[z[5]] ^ S5[z[7]] ^ S6[z[4]] ^ S7[z[6]] ^ S6[z[0]];
+    CAST_exp(l, X, x, 0);
+    l = Z[0] ^ S4[x[0]] ^ S5[x[2]] ^ S6[x[1]] ^ S7[x[3]] ^ S7[z[2]];
+    CAST_exp(l, X, x, 4);
+    l = Z[1] ^ S4[x[7]] ^ S5[x[6]] ^ S6[x[5]] ^ S7[x[4]] ^ S4[z[1]];
+    CAST_exp(l, X, x, 8);
+    l = Z[3] ^ S4[x[10]] ^ S5[x[9]] ^ S6[x[11]] ^ S7[x[8]] ^ S5[z[3]];
+    CAST_exp(l, X, x, 12);
+
+    K[12] = S4[x[8]] ^ S5[x[9]] ^ S6[x[7]] ^ S7[x[6]] ^ S4[x[3]];
+    K[13] = S4[x[10]] ^ S5[x[11]] ^ S6[x[5]] ^ S7[x[4]] ^ S5[x[7]];
+    K[14] = S4[x[12]] ^ S5[x[13]] ^ S6[x[3]] ^ S7[x[2]] ^ S6[x[8]];
+    K[15] = S4[x[14]] ^ S5[x[15]] ^ S6[x[1]] ^ S7[x[0]] ^ S7[x[13]];
+    if (K != k) {
+      break;
+    }
+    K += 16;
+  }
+
+  for (i = 0; i < 16; i++) {
+    key->data[i * 2] = k[i];
+    key->data[i * 2 + 1] = ((k[i + 16]) + 16) & 0x1f;
+  }
+}
+
+/* The input and output encrypted as though 64bit cfb mode is being used. The
+ * extra state information to record how much of the 64bit block we have used
+ * is contained in *num. */
+void CAST_cfb64_encrypt(const uint8_t *in, uint8_t *out, long length,
+                        const CAST_KEY *schedule, uint8_t *ivec, int *num,
+                        int enc) {
+  uint32_t v0, v1, t;
+  int n = *num;
+  long l = length;
+  uint32_t ti[2];
+  uint8_t *iv, c, cc;
+
+  iv = ivec;
+  if (enc) {
+    while (l--) {
+      if (n == 0) {
+        n2l(iv, v0);
+        ti[0] = v0;
+        n2l(iv, v1);
+        ti[1] = v1;
+        CAST_encrypt((uint32_t *)ti, schedule);
+        iv = ivec;
+        t = ti[0];
+        l2n(t, iv);
+        t = ti[1];
+        l2n(t, iv);
+        iv = ivec;
+      }
+      c = *(in++) ^ iv[n];
+      *(out++) = c;
+      iv[n] = c;
+      n = (n + 1) & 0x07;
+    }
+  } else {
+    while (l--) {
+      if (n == 0) {
+        n2l(iv, v0);
+        ti[0] = v0;
+        n2l(iv, v1);
+        ti[1] = v1;
+        CAST_encrypt((uint32_t *)ti, schedule);
+        iv = ivec;
+        t = ti[0];
+        l2n(t, iv);
+        t = ti[1];
+        l2n(t, iv);
+        iv = ivec;
+      }
+      cc = *(in++);
+      c = iv[n];
+      iv[n] = cc;
+      *(out++) = c ^ cc;
+      n = (n + 1) & 0x07;
+    }
+  }
+  v0 = v1 = ti[0] = ti[1] = t = c = cc = 0;
+  *num = n;
+}
diff --git a/src/decrepit/cast/cast_tables.c b/src/decrepit/cast/cast_tables.c
new file mode 100644
index 0000000..a00acd8
--- /dev/null
+++ b/src/decrepit/cast/cast_tables.c
@@ -0,0 +1,425 @@
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.] */
+
+#include <openssl/base.h>
+
+const uint32_t CAST_S_table0[256] = {
+    0x30fb40d4, 0x9fa0ff0b, 0x6beccd2f, 0x3f258c7a, 0x1e213f2f, 0x9c004dd3,
+    0x6003e540, 0xcf9fc949, 0xbfd4af27, 0x88bbbdb5, 0xe2034090, 0x98d09675,
+    0x6e63a0e0, 0x15c361d2, 0xc2e7661d, 0x22d4ff8e, 0x28683b6f, 0xc07fd059,
+    0xff2379c8, 0x775f50e2, 0x43c340d3, 0xdf2f8656, 0x887ca41a, 0xa2d2bd2d,
+    0xa1c9e0d6, 0x346c4819, 0x61b76d87, 0x22540f2f, 0x2abe32e1, 0xaa54166b,
+    0x22568e3a, 0xa2d341d0, 0x66db40c8, 0xa784392f, 0x004dff2f, 0x2db9d2de,
+    0x97943fac, 0x4a97c1d8, 0x527644b7, 0xb5f437a7, 0xb82cbaef, 0xd751d159,
+    0x6ff7f0ed, 0x5a097a1f, 0x827b68d0, 0x90ecf52e, 0x22b0c054, 0xbc8e5935,
+    0x4b6d2f7f, 0x50bb64a2, 0xd2664910, 0xbee5812d, 0xb7332290, 0xe93b159f,
+    0xb48ee411, 0x4bff345d, 0xfd45c240, 0xad31973f, 0xc4f6d02e, 0x55fc8165,
+    0xd5b1caad, 0xa1ac2dae, 0xa2d4b76d, 0xc19b0c50, 0x882240f2, 0x0c6e4f38,
+    0xa4e4bfd7, 0x4f5ba272, 0x564c1d2f, 0xc59c5319, 0xb949e354, 0xb04669fe,
+    0xb1b6ab8a, 0xc71358dd, 0x6385c545, 0x110f935d, 0x57538ad5, 0x6a390493,
+    0xe63d37e0, 0x2a54f6b3, 0x3a787d5f, 0x6276a0b5, 0x19a6fcdf, 0x7a42206a,
+    0x29f9d4d5, 0xf61b1891, 0xbb72275e, 0xaa508167, 0x38901091, 0xc6b505eb,
+    0x84c7cb8c, 0x2ad75a0f, 0x874a1427, 0xa2d1936b, 0x2ad286af, 0xaa56d291,
+    0xd7894360, 0x425c750d, 0x93b39e26, 0x187184c9, 0x6c00b32d, 0x73e2bb14,
+    0xa0bebc3c, 0x54623779, 0x64459eab, 0x3f328b82, 0x7718cf82, 0x59a2cea6,
+    0x04ee002e, 0x89fe78e6, 0x3fab0950, 0x325ff6c2, 0x81383f05, 0x6963c5c8,
+    0x76cb5ad6, 0xd49974c9, 0xca180dcf, 0x380782d5, 0xc7fa5cf6, 0x8ac31511,
+    0x35e79e13, 0x47da91d0, 0xf40f9086, 0xa7e2419e, 0x31366241, 0x051ef495,
+    0xaa573b04, 0x4a805d8d, 0x548300d0, 0x00322a3c, 0xbf64cddf, 0xba57a68e,
+    0x75c6372b, 0x50afd341, 0xa7c13275, 0x915a0bf5, 0x6b54bfab, 0x2b0b1426,
+    0xab4cc9d7, 0x449ccd82, 0xf7fbf265, 0xab85c5f3, 0x1b55db94, 0xaad4e324,
+    0xcfa4bd3f, 0x2deaa3e2, 0x9e204d02, 0xc8bd25ac, 0xeadf55b3, 0xd5bd9e98,
+    0xe31231b2, 0x2ad5ad6c, 0x954329de, 0xadbe4528, 0xd8710f69, 0xaa51c90f,
+    0xaa786bf6, 0x22513f1e, 0xaa51a79b, 0x2ad344cc, 0x7b5a41f0, 0xd37cfbad,
+    0x1b069505, 0x41ece491, 0xb4c332e6, 0x032268d4, 0xc9600acc, 0xce387e6d,
+    0xbf6bb16c, 0x6a70fb78, 0x0d03d9c9, 0xd4df39de, 0xe01063da, 0x4736f464,
+    0x5ad328d8, 0xb347cc96, 0x75bb0fc3, 0x98511bfb, 0x4ffbcc35, 0xb58bcf6a,
+    0xe11f0abc, 0xbfc5fe4a, 0xa70aec10, 0xac39570a, 0x3f04442f, 0x6188b153,
+    0xe0397a2e, 0x5727cb79, 0x9ceb418f, 0x1cacd68d, 0x2ad37c96, 0x0175cb9d,
+    0xc69dff09, 0xc75b65f0, 0xd9db40d8, 0xec0e7779, 0x4744ead4, 0xb11c3274,
+    0xdd24cb9e, 0x7e1c54bd, 0xf01144f9, 0xd2240eb1, 0x9675b3fd, 0xa3ac3755,
+    0xd47c27af, 0x51c85f4d, 0x56907596, 0xa5bb15e6, 0x580304f0, 0xca042cf1,
+    0x011a37ea, 0x8dbfaadb, 0x35ba3e4a, 0x3526ffa0, 0xc37b4d09, 0xbc306ed9,
+    0x98a52666, 0x5648f725, 0xff5e569d, 0x0ced63d0, 0x7c63b2cf, 0x700b45e1,
+    0xd5ea50f1, 0x85a92872, 0xaf1fbda7, 0xd4234870, 0xa7870bf3, 0x2d3b4d79,
+    0x42e04198, 0x0cd0ede7, 0x26470db8, 0xf881814c, 0x474d6ad7, 0x7c0c5e5c,
+    0xd1231959, 0x381b7298, 0xf5d2f4db, 0xab838653, 0x6e2f1e23, 0x83719c9e,
+    0xbd91e046, 0x9a56456e, 0xdc39200c, 0x20c8c571, 0x962bda1c, 0xe1e696ff,
+    0xb141ab08, 0x7cca89b9, 0x1a69e783, 0x02cc4843, 0xa2f7c579, 0x429ef47d,
+    0x427b169c, 0x5ac9f049, 0xdd8f0f00, 0x5c8165bf,
+};
+
+const uint32_t CAST_S_table1[256] = {
+    0x1f201094, 0xef0ba75b, 0x69e3cf7e, 0x393f4380, 0xfe61cf7a, 0xeec5207a,
+    0x55889c94, 0x72fc0651, 0xada7ef79, 0x4e1d7235, 0xd55a63ce, 0xde0436ba,
+    0x99c430ef, 0x5f0c0794, 0x18dcdb7d, 0xa1d6eff3, 0xa0b52f7b, 0x59e83605,
+    0xee15b094, 0xe9ffd909, 0xdc440086, 0xef944459, 0xba83ccb3, 0xe0c3cdfb,
+    0xd1da4181, 0x3b092ab1, 0xf997f1c1, 0xa5e6cf7b, 0x01420ddb, 0xe4e7ef5b,
+    0x25a1ff41, 0xe180f806, 0x1fc41080, 0x179bee7a, 0xd37ac6a9, 0xfe5830a4,
+    0x98de8b7f, 0x77e83f4e, 0x79929269, 0x24fa9f7b, 0xe113c85b, 0xacc40083,
+    0xd7503525, 0xf7ea615f, 0x62143154, 0x0d554b63, 0x5d681121, 0xc866c359,
+    0x3d63cf73, 0xcee234c0, 0xd4d87e87, 0x5c672b21, 0x071f6181, 0x39f7627f,
+    0x361e3084, 0xe4eb573b, 0x602f64a4, 0xd63acd9c, 0x1bbc4635, 0x9e81032d,
+    0x2701f50c, 0x99847ab4, 0xa0e3df79, 0xba6cf38c, 0x10843094, 0x2537a95e,
+    0xf46f6ffe, 0xa1ff3b1f, 0x208cfb6a, 0x8f458c74, 0xd9e0a227, 0x4ec73a34,
+    0xfc884f69, 0x3e4de8df, 0xef0e0088, 0x3559648d, 0x8a45388c, 0x1d804366,
+    0x721d9bfd, 0xa58684bb, 0xe8256333, 0x844e8212, 0x128d8098, 0xfed33fb4,
+    0xce280ae1, 0x27e19ba5, 0xd5a6c252, 0xe49754bd, 0xc5d655dd, 0xeb667064,
+    0x77840b4d, 0xa1b6a801, 0x84db26a9, 0xe0b56714, 0x21f043b7, 0xe5d05860,
+    0x54f03084, 0x066ff472, 0xa31aa153, 0xdadc4755, 0xb5625dbf, 0x68561be6,
+    0x83ca6b94, 0x2d6ed23b, 0xeccf01db, 0xa6d3d0ba, 0xb6803d5c, 0xaf77a709,
+    0x33b4a34c, 0x397bc8d6, 0x5ee22b95, 0x5f0e5304, 0x81ed6f61, 0x20e74364,
+    0xb45e1378, 0xde18639b, 0x881ca122, 0xb96726d1, 0x8049a7e8, 0x22b7da7b,
+    0x5e552d25, 0x5272d237, 0x79d2951c, 0xc60d894c, 0x488cb402, 0x1ba4fe5b,
+    0xa4b09f6b, 0x1ca815cf, 0xa20c3005, 0x8871df63, 0xb9de2fcb, 0x0cc6c9e9,
+    0x0beeff53, 0xe3214517, 0xb4542835, 0x9f63293c, 0xee41e729, 0x6e1d2d7c,
+    0x50045286, 0x1e6685f3, 0xf33401c6, 0x30a22c95, 0x31a70850, 0x60930f13,
+    0x73f98417, 0xa1269859, 0xec645c44, 0x52c877a9, 0xcdff33a6, 0xa02b1741,
+    0x7cbad9a2, 0x2180036f, 0x50d99c08, 0xcb3f4861, 0xc26bd765, 0x64a3f6ab,
+    0x80342676, 0x25a75e7b, 0xe4e6d1fc, 0x20c710e6, 0xcdf0b680, 0x17844d3b,
+    0x31eef84d, 0x7e0824e4, 0x2ccb49eb, 0x846a3bae, 0x8ff77888, 0xee5d60f6,
+    0x7af75673, 0x2fdd5cdb, 0xa11631c1, 0x30f66f43, 0xb3faec54, 0x157fd7fa,
+    0xef8579cc, 0xd152de58, 0xdb2ffd5e, 0x8f32ce19, 0x306af97a, 0x02f03ef8,
+    0x99319ad5, 0xc242fa0f, 0xa7e3ebb0, 0xc68e4906, 0xb8da230c, 0x80823028,
+    0xdcdef3c8, 0xd35fb171, 0x088a1bc8, 0xbec0c560, 0x61a3c9e8, 0xbca8f54d,
+    0xc72feffa, 0x22822e99, 0x82c570b4, 0xd8d94e89, 0x8b1c34bc, 0x301e16e6,
+    0x273be979, 0xb0ffeaa6, 0x61d9b8c6, 0x00b24869, 0xb7ffce3f, 0x08dc283b,
+    0x43daf65a, 0xf7e19798, 0x7619b72f, 0x8f1c9ba4, 0xdc8637a0, 0x16a7d3b1,
+    0x9fc393b7, 0xa7136eeb, 0xc6bcc63e, 0x1a513742, 0xef6828bc, 0x520365d6,
+    0x2d6a77ab, 0x3527ed4b, 0x821fd216, 0x095c6e2e, 0xdb92f2fb, 0x5eea29cb,
+    0x145892f5, 0x91584f7f, 0x5483697b, 0x2667a8cc, 0x85196048, 0x8c4bacea,
+    0x833860d4, 0x0d23e0f9, 0x6c387e8a, 0x0ae6d249, 0xb284600c, 0xd835731d,
+    0xdcb1c647, 0xac4c56ea, 0x3ebd81b3, 0x230eabb0, 0x6438bc87, 0xf0b5b1fa,
+    0x8f5ea2b3, 0xfc184642, 0x0a036b7a, 0x4fb089bd, 0x649da589, 0xa345415e,
+    0x5c038323, 0x3e5d3bb9, 0x43d79572, 0x7e6dd07c, 0x06dfdf1e, 0x6c6cc4ef,
+    0x7160a539, 0x73bfbe70, 0x83877605, 0x4523ecf1,
+};
+
+const uint32_t CAST_S_table2[256] = {
+    0x8defc240, 0x25fa5d9f, 0xeb903dbf, 0xe810c907, 0x47607fff, 0x369fe44b,
+    0x8c1fc644, 0xaececa90, 0xbeb1f9bf, 0xeefbcaea, 0xe8cf1950, 0x51df07ae,
+    0x920e8806, 0xf0ad0548, 0xe13c8d83, 0x927010d5, 0x11107d9f, 0x07647db9,
+    0xb2e3e4d4, 0x3d4f285e, 0xb9afa820, 0xfade82e0, 0xa067268b, 0x8272792e,
+    0x553fb2c0, 0x489ae22b, 0xd4ef9794, 0x125e3fbc, 0x21fffcee, 0x825b1bfd,
+    0x9255c5ed, 0x1257a240, 0x4e1a8302, 0xbae07fff, 0x528246e7, 0x8e57140e,
+    0x3373f7bf, 0x8c9f8188, 0xa6fc4ee8, 0xc982b5a5, 0xa8c01db7, 0x579fc264,
+    0x67094f31, 0xf2bd3f5f, 0x40fff7c1, 0x1fb78dfc, 0x8e6bd2c1, 0x437be59b,
+    0x99b03dbf, 0xb5dbc64b, 0x638dc0e6, 0x55819d99, 0xa197c81c, 0x4a012d6e,
+    0xc5884a28, 0xccc36f71, 0xb843c213, 0x6c0743f1, 0x8309893c, 0x0feddd5f,
+    0x2f7fe850, 0xd7c07f7e, 0x02507fbf, 0x5afb9a04, 0xa747d2d0, 0x1651192e,
+    0xaf70bf3e, 0x58c31380, 0x5f98302e, 0x727cc3c4, 0x0a0fb402, 0x0f7fef82,
+    0x8c96fdad, 0x5d2c2aae, 0x8ee99a49, 0x50da88b8, 0x8427f4a0, 0x1eac5790,
+    0x796fb449, 0x8252dc15, 0xefbd7d9b, 0xa672597d, 0xada840d8, 0x45f54504,
+    0xfa5d7403, 0xe83ec305, 0x4f91751a, 0x925669c2, 0x23efe941, 0xa903f12e,
+    0x60270df2, 0x0276e4b6, 0x94fd6574, 0x927985b2, 0x8276dbcb, 0x02778176,
+    0xf8af918d, 0x4e48f79e, 0x8f616ddf, 0xe29d840e, 0x842f7d83, 0x340ce5c8,
+    0x96bbb682, 0x93b4b148, 0xef303cab, 0x984faf28, 0x779faf9b, 0x92dc560d,
+    0x224d1e20, 0x8437aa88, 0x7d29dc96, 0x2756d3dc, 0x8b907cee, 0xb51fd240,
+    0xe7c07ce3, 0xe566b4a1, 0xc3e9615e, 0x3cf8209d, 0x6094d1e3, 0xcd9ca341,
+    0x5c76460e, 0x00ea983b, 0xd4d67881, 0xfd47572c, 0xf76cedd9, 0xbda8229c,
+    0x127dadaa, 0x438a074e, 0x1f97c090, 0x081bdb8a, 0x93a07ebe, 0xb938ca15,
+    0x97b03cff, 0x3dc2c0f8, 0x8d1ab2ec, 0x64380e51, 0x68cc7bfb, 0xd90f2788,
+    0x12490181, 0x5de5ffd4, 0xdd7ef86a, 0x76a2e214, 0xb9a40368, 0x925d958f,
+    0x4b39fffa, 0xba39aee9, 0xa4ffd30b, 0xfaf7933b, 0x6d498623, 0x193cbcfa,
+    0x27627545, 0x825cf47a, 0x61bd8ba0, 0xd11e42d1, 0xcead04f4, 0x127ea392,
+    0x10428db7, 0x8272a972, 0x9270c4a8, 0x127de50b, 0x285ba1c8, 0x3c62f44f,
+    0x35c0eaa5, 0xe805d231, 0x428929fb, 0xb4fcdf82, 0x4fb66a53, 0x0e7dc15b,
+    0x1f081fab, 0x108618ae, 0xfcfd086d, 0xf9ff2889, 0x694bcc11, 0x236a5cae,
+    0x12deca4d, 0x2c3f8cc5, 0xd2d02dfe, 0xf8ef5896, 0xe4cf52da, 0x95155b67,
+    0x494a488c, 0xb9b6a80c, 0x5c8f82bc, 0x89d36b45, 0x3a609437, 0xec00c9a9,
+    0x44715253, 0x0a874b49, 0xd773bc40, 0x7c34671c, 0x02717ef6, 0x4feb5536,
+    0xa2d02fff, 0xd2bf60c4, 0xd43f03c0, 0x50b4ef6d, 0x07478cd1, 0x006e1888,
+    0xa2e53f55, 0xb9e6d4bc, 0xa2048016, 0x97573833, 0xd7207d67, 0xde0f8f3d,
+    0x72f87b33, 0xabcc4f33, 0x7688c55d, 0x7b00a6b0, 0x947b0001, 0x570075d2,
+    0xf9bb88f8, 0x8942019e, 0x4264a5ff, 0x856302e0, 0x72dbd92b, 0xee971b69,
+    0x6ea22fde, 0x5f08ae2b, 0xaf7a616d, 0xe5c98767, 0xcf1febd2, 0x61efc8c2,
+    0xf1ac2571, 0xcc8239c2, 0x67214cb8, 0xb1e583d1, 0xb7dc3e62, 0x7f10bdce,
+    0xf90a5c38, 0x0ff0443d, 0x606e6dc6, 0x60543a49, 0x5727c148, 0x2be98a1d,
+    0x8ab41738, 0x20e1be24, 0xaf96da0f, 0x68458425, 0x99833be5, 0x600d457d,
+    0x282f9350, 0x8334b362, 0xd91d1120, 0x2b6d8da0, 0x642b1e31, 0x9c305a00,
+    0x52bce688, 0x1b03588a, 0xf7baefd5, 0x4142ed9c, 0xa4315c11, 0x83323ec5,
+    0xdfef4636, 0xa133c501, 0xe9d3531c, 0xee353783,
+};
+
+const uint32_t CAST_S_table3[256] = {
+    0x9db30420, 0x1fb6e9de, 0xa7be7bef, 0xd273a298, 0x4a4f7bdb, 0x64ad8c57,
+    0x85510443, 0xfa020ed1, 0x7e287aff, 0xe60fb663, 0x095f35a1, 0x79ebf120,
+    0xfd059d43, 0x6497b7b1, 0xf3641f63, 0x241e4adf, 0x28147f5f, 0x4fa2b8cd,
+    0xc9430040, 0x0cc32220, 0xfdd30b30, 0xc0a5374f, 0x1d2d00d9, 0x24147b15,
+    0xee4d111a, 0x0fca5167, 0x71ff904c, 0x2d195ffe, 0x1a05645f, 0x0c13fefe,
+    0x081b08ca, 0x05170121, 0x80530100, 0xe83e5efe, 0xac9af4f8, 0x7fe72701,
+    0xd2b8ee5f, 0x06df4261, 0xbb9e9b8a, 0x7293ea25, 0xce84ffdf, 0xf5718801,
+    0x3dd64b04, 0xa26f263b, 0x7ed48400, 0x547eebe6, 0x446d4ca0, 0x6cf3d6f5,
+    0x2649abdf, 0xaea0c7f5, 0x36338cc1, 0x503f7e93, 0xd3772061, 0x11b638e1,
+    0x72500e03, 0xf80eb2bb, 0xabe0502e, 0xec8d77de, 0x57971e81, 0xe14f6746,
+    0xc9335400, 0x6920318f, 0x081dbb99, 0xffc304a5, 0x4d351805, 0x7f3d5ce3,
+    0xa6c866c6, 0x5d5bcca9, 0xdaec6fea, 0x9f926f91, 0x9f46222f, 0x3991467d,
+    0xa5bf6d8e, 0x1143c44f, 0x43958302, 0xd0214eeb, 0x022083b8, 0x3fb6180c,
+    0x18f8931e, 0x281658e6, 0x26486e3e, 0x8bd78a70, 0x7477e4c1, 0xb506e07c,
+    0xf32d0a25, 0x79098b02, 0xe4eabb81, 0x28123b23, 0x69dead38, 0x1574ca16,
+    0xdf871b62, 0x211c40b7, 0xa51a9ef9, 0x0014377b, 0x041e8ac8, 0x09114003,
+    0xbd59e4d2, 0xe3d156d5, 0x4fe876d5, 0x2f91a340, 0x557be8de, 0x00eae4a7,
+    0x0ce5c2ec, 0x4db4bba6, 0xe756bdff, 0xdd3369ac, 0xec17b035, 0x06572327,
+    0x99afc8b0, 0x56c8c391, 0x6b65811c, 0x5e146119, 0x6e85cb75, 0xbe07c002,
+    0xc2325577, 0x893ff4ec, 0x5bbfc92d, 0xd0ec3b25, 0xb7801ab7, 0x8d6d3b24,
+    0x20c763ef, 0xc366a5fc, 0x9c382880, 0x0ace3205, 0xaac9548a, 0xeca1d7c7,
+    0x041afa32, 0x1d16625a, 0x6701902c, 0x9b757a54, 0x31d477f7, 0x9126b031,
+    0x36cc6fdb, 0xc70b8b46, 0xd9e66a48, 0x56e55a79, 0x026a4ceb, 0x52437eff,
+    0x2f8f76b4, 0x0df980a5, 0x8674cde3, 0xedda04eb, 0x17a9be04, 0x2c18f4df,
+    0xb7747f9d, 0xab2af7b4, 0xefc34d20, 0x2e096b7c, 0x1741a254, 0xe5b6a035,
+    0x213d42f6, 0x2c1c7c26, 0x61c2f50f, 0x6552daf9, 0xd2c231f8, 0x25130f69,
+    0xd8167fa2, 0x0418f2c8, 0x001a96a6, 0x0d1526ab, 0x63315c21, 0x5e0a72ec,
+    0x49bafefd, 0x187908d9, 0x8d0dbd86, 0x311170a7, 0x3e9b640c, 0xcc3e10d7,
+    0xd5cad3b6, 0x0caec388, 0xf73001e1, 0x6c728aff, 0x71eae2a1, 0x1f9af36e,
+    0xcfcbd12f, 0xc1de8417, 0xac07be6b, 0xcb44a1d8, 0x8b9b0f56, 0x013988c3,
+    0xb1c52fca, 0xb4be31cd, 0xd8782806, 0x12a3a4e2, 0x6f7de532, 0x58fd7eb6,
+    0xd01ee900, 0x24adffc2, 0xf4990fc5, 0x9711aac5, 0x001d7b95, 0x82e5e7d2,
+    0x109873f6, 0x00613096, 0xc32d9521, 0xada121ff, 0x29908415, 0x7fbb977f,
+    0xaf9eb3db, 0x29c9ed2a, 0x5ce2a465, 0xa730f32c, 0xd0aa3fe8, 0x8a5cc091,
+    0xd49e2ce7, 0x0ce454a9, 0xd60acd86, 0x015f1919, 0x77079103, 0xdea03af6,
+    0x78a8565e, 0xdee356df, 0x21f05cbe, 0x8b75e387, 0xb3c50651, 0xb8a5c3ef,
+    0xd8eeb6d2, 0xe523be77, 0xc2154529, 0x2f69efdf, 0xafe67afb, 0xf470c4b2,
+    0xf3e0eb5b, 0xd6cc9876, 0x39e4460c, 0x1fda8538, 0x1987832f, 0xca007367,
+    0xa99144f8, 0x296b299e, 0x492fc295, 0x9266beab, 0xb5676e69, 0x9bd3ddda,
+    0xdf7e052f, 0xdb25701c, 0x1b5e51ee, 0xf65324e6, 0x6afce36c, 0x0316cc04,
+    0x8644213e, 0xb7dc59d0, 0x7965291f, 0xccd6fd43, 0x41823979, 0x932bcdf6,
+    0xb657c34d, 0x4edfd282, 0x7ae5290c, 0x3cb9536b, 0x851e20fe, 0x9833557e,
+    0x13ecf0b0, 0xd3ffb372, 0x3f85c5c1, 0x0aef7ed2,
+};
+
+const uint32_t CAST_S_table4[256] = {
+    0x7ec90c04, 0x2c6e74b9, 0x9b0e66df, 0xa6337911, 0xb86a7fff, 0x1dd358f5,
+    0x44dd9d44, 0x1731167f, 0x08fbf1fa, 0xe7f511cc, 0xd2051b00, 0x735aba00,
+    0x2ab722d8, 0x386381cb, 0xacf6243a, 0x69befd7a, 0xe6a2e77f, 0xf0c720cd,
+    0xc4494816, 0xccf5c180, 0x38851640, 0x15b0a848, 0xe68b18cb, 0x4caadeff,
+    0x5f480a01, 0x0412b2aa, 0x259814fc, 0x41d0efe2, 0x4e40b48d, 0x248eb6fb,
+    0x8dba1cfe, 0x41a99b02, 0x1a550a04, 0xba8f65cb, 0x7251f4e7, 0x95a51725,
+    0xc106ecd7, 0x97a5980a, 0xc539b9aa, 0x4d79fe6a, 0xf2f3f763, 0x68af8040,
+    0xed0c9e56, 0x11b4958b, 0xe1eb5a88, 0x8709e6b0, 0xd7e07156, 0x4e29fea7,
+    0x6366e52d, 0x02d1c000, 0xc4ac8e05, 0x9377f571, 0x0c05372a, 0x578535f2,
+    0x2261be02, 0xd642a0c9, 0xdf13a280, 0x74b55bd2, 0x682199c0, 0xd421e5ec,
+    0x53fb3ce8, 0xc8adedb3, 0x28a87fc9, 0x3d959981, 0x5c1ff900, 0xfe38d399,
+    0x0c4eff0b, 0x062407ea, 0xaa2f4fb1, 0x4fb96976, 0x90c79505, 0xb0a8a774,
+    0xef55a1ff, 0xe59ca2c2, 0xa6b62d27, 0xe66a4263, 0xdf65001f, 0x0ec50966,
+    0xdfdd55bc, 0x29de0655, 0x911e739a, 0x17af8975, 0x32c7911c, 0x89f89468,
+    0x0d01e980, 0x524755f4, 0x03b63cc9, 0x0cc844b2, 0xbcf3f0aa, 0x87ac36e9,
+    0xe53a7426, 0x01b3d82b, 0x1a9e7449, 0x64ee2d7e, 0xcddbb1da, 0x01c94910,
+    0xb868bf80, 0x0d26f3fd, 0x9342ede7, 0x04a5c284, 0x636737b6, 0x50f5b616,
+    0xf24766e3, 0x8eca36c1, 0x136e05db, 0xfef18391, 0xfb887a37, 0xd6e7f7d4,
+    0xc7fb7dc9, 0x3063fcdf, 0xb6f589de, 0xec2941da, 0x26e46695, 0xb7566419,
+    0xf654efc5, 0xd08d58b7, 0x48925401, 0xc1bacb7f, 0xe5ff550f, 0xb6083049,
+    0x5bb5d0e8, 0x87d72e5a, 0xab6a6ee1, 0x223a66ce, 0xc62bf3cd, 0x9e0885f9,
+    0x68cb3e47, 0x086c010f, 0xa21de820, 0xd18b69de, 0xf3f65777, 0xfa02c3f6,
+    0x407edac3, 0xcbb3d550, 0x1793084d, 0xb0d70eba, 0x0ab378d5, 0xd951fb0c,
+    0xded7da56, 0x4124bbe4, 0x94ca0b56, 0x0f5755d1, 0xe0e1e56e, 0x6184b5be,
+    0x580a249f, 0x94f74bc0, 0xe327888e, 0x9f7b5561, 0xc3dc0280, 0x05687715,
+    0x646c6bd7, 0x44904db3, 0x66b4f0a3, 0xc0f1648a, 0x697ed5af, 0x49e92ff6,
+    0x309e374f, 0x2cb6356a, 0x85808573, 0x4991f840, 0x76f0ae02, 0x083be84d,
+    0x28421c9a, 0x44489406, 0x736e4cb8, 0xc1092910, 0x8bc95fc6, 0x7d869cf4,
+    0x134f616f, 0x2e77118d, 0xb31b2be1, 0xaa90b472, 0x3ca5d717, 0x7d161bba,
+    0x9cad9010, 0xaf462ba2, 0x9fe459d2, 0x45d34559, 0xd9f2da13, 0xdbc65487,
+    0xf3e4f94e, 0x176d486f, 0x097c13ea, 0x631da5c7, 0x445f7382, 0x175683f4,
+    0xcdc66a97, 0x70be0288, 0xb3cdcf72, 0x6e5dd2f3, 0x20936079, 0x459b80a5,
+    0xbe60e2db, 0xa9c23101, 0xeba5315c, 0x224e42f2, 0x1c5c1572, 0xf6721b2c,
+    0x1ad2fff3, 0x8c25404e, 0x324ed72f, 0x4067b7fd, 0x0523138e, 0x5ca3bc78,
+    0xdc0fd66e, 0x75922283, 0x784d6b17, 0x58ebb16e, 0x44094f85, 0x3f481d87,
+    0xfcfeae7b, 0x77b5ff76, 0x8c2302bf, 0xaaf47556, 0x5f46b02a, 0x2b092801,
+    0x3d38f5f7, 0x0ca81f36, 0x52af4a8a, 0x66d5e7c0, 0xdf3b0874, 0x95055110,
+    0x1b5ad7a8, 0xf61ed5ad, 0x6cf6e479, 0x20758184, 0xd0cefa65, 0x88f7be58,
+    0x4a046826, 0x0ff6f8f3, 0xa09c7f70, 0x5346aba0, 0x5ce96c28, 0xe176eda3,
+    0x6bac307f, 0x376829d2, 0x85360fa9, 0x17e3fe2a, 0x24b79767, 0xf5a96b20,
+    0xd6cd2595, 0x68ff1ebf, 0x7555442c, 0xf19f06be, 0xf9e0659a, 0xeeb9491d,
+    0x34010718, 0xbb30cab8, 0xe822fe15, 0x88570983, 0x750e6249, 0xda627e55,
+    0x5e76ffa8, 0xb1534546, 0x6d47de08, 0xefe9e7d4,
+};
+
+const uint32_t CAST_S_table5[256] = {
+    0xf6fa8f9d, 0x2cac6ce1, 0x4ca34867, 0xe2337f7c, 0x95db08e7, 0x016843b4,
+    0xeced5cbc, 0x325553ac, 0xbf9f0960, 0xdfa1e2ed, 0x83f0579d, 0x63ed86b9,
+    0x1ab6a6b8, 0xde5ebe39, 0xf38ff732, 0x8989b138, 0x33f14961, 0xc01937bd,
+    0xf506c6da, 0xe4625e7e, 0xa308ea99, 0x4e23e33c, 0x79cbd7cc, 0x48a14367,
+    0xa3149619, 0xfec94bd5, 0xa114174a, 0xeaa01866, 0xa084db2d, 0x09a8486f,
+    0xa888614a, 0x2900af98, 0x01665991, 0xe1992863, 0xc8f30c60, 0x2e78ef3c,
+    0xd0d51932, 0xcf0fec14, 0xf7ca07d2, 0xd0a82072, 0xfd41197e, 0x9305a6b0,
+    0xe86be3da, 0x74bed3cd, 0x372da53c, 0x4c7f4448, 0xdab5d440, 0x6dba0ec3,
+    0x083919a7, 0x9fbaeed9, 0x49dbcfb0, 0x4e670c53, 0x5c3d9c01, 0x64bdb941,
+    0x2c0e636a, 0xba7dd9cd, 0xea6f7388, 0xe70bc762, 0x35f29adb, 0x5c4cdd8d,
+    0xf0d48d8c, 0xb88153e2, 0x08a19866, 0x1ae2eac8, 0x284caf89, 0xaa928223,
+    0x9334be53, 0x3b3a21bf, 0x16434be3, 0x9aea3906, 0xefe8c36e, 0xf890cdd9,
+    0x80226dae, 0xc340a4a3, 0xdf7e9c09, 0xa694a807, 0x5b7c5ecc, 0x221db3a6,
+    0x9a69a02f, 0x68818a54, 0xceb2296f, 0x53c0843a, 0xfe893655, 0x25bfe68a,
+    0xb4628abc, 0xcf222ebf, 0x25ac6f48, 0xa9a99387, 0x53bddb65, 0xe76ffbe7,
+    0xe967fd78, 0x0ba93563, 0x8e342bc1, 0xe8a11be9, 0x4980740d, 0xc8087dfc,
+    0x8de4bf99, 0xa11101a0, 0x7fd37975, 0xda5a26c0, 0xe81f994f, 0x9528cd89,
+    0xfd339fed, 0xb87834bf, 0x5f04456d, 0x22258698, 0xc9c4c83b, 0x2dc156be,
+    0x4f628daa, 0x57f55ec5, 0xe2220abe, 0xd2916ebf, 0x4ec75b95, 0x24f2c3c0,
+    0x42d15d99, 0xcd0d7fa0, 0x7b6e27ff, 0xa8dc8af0, 0x7345c106, 0xf41e232f,
+    0x35162386, 0xe6ea8926, 0x3333b094, 0x157ec6f2, 0x372b74af, 0x692573e4,
+    0xe9a9d848, 0xf3160289, 0x3a62ef1d, 0xa787e238, 0xf3a5f676, 0x74364853,
+    0x20951063, 0x4576698d, 0xb6fad407, 0x592af950, 0x36f73523, 0x4cfb6e87,
+    0x7da4cec0, 0x6c152daa, 0xcb0396a8, 0xc50dfe5d, 0xfcd707ab, 0x0921c42f,
+    0x89dff0bb, 0x5fe2be78, 0x448f4f33, 0x754613c9, 0x2b05d08d, 0x48b9d585,
+    0xdc049441, 0xc8098f9b, 0x7dede786, 0xc39a3373, 0x42410005, 0x6a091751,
+    0x0ef3c8a6, 0x890072d6, 0x28207682, 0xa9a9f7be, 0xbf32679d, 0xd45b5b75,
+    0xb353fd00, 0xcbb0e358, 0x830f220a, 0x1f8fb214, 0xd372cf08, 0xcc3c4a13,
+    0x8cf63166, 0x061c87be, 0x88c98f88, 0x6062e397, 0x47cf8e7a, 0xb6c85283,
+    0x3cc2acfb, 0x3fc06976, 0x4e8f0252, 0x64d8314d, 0xda3870e3, 0x1e665459,
+    0xc10908f0, 0x513021a5, 0x6c5b68b7, 0x822f8aa0, 0x3007cd3e, 0x74719eef,
+    0xdc872681, 0x073340d4, 0x7e432fd9, 0x0c5ec241, 0x8809286c, 0xf592d891,
+    0x08a930f6, 0x957ef305, 0xb7fbffbd, 0xc266e96f, 0x6fe4ac98, 0xb173ecc0,
+    0xbc60b42a, 0x953498da, 0xfba1ae12, 0x2d4bd736, 0x0f25faab, 0xa4f3fceb,
+    0xe2969123, 0x257f0c3d, 0x9348af49, 0x361400bc, 0xe8816f4a, 0x3814f200,
+    0xa3f94043, 0x9c7a54c2, 0xbc704f57, 0xda41e7f9, 0xc25ad33a, 0x54f4a084,
+    0xb17f5505, 0x59357cbe, 0xedbd15c8, 0x7f97c5ab, 0xba5ac7b5, 0xb6f6deaf,
+    0x3a479c3a, 0x5302da25, 0x653d7e6a, 0x54268d49, 0x51a477ea, 0x5017d55b,
+    0xd7d25d88, 0x44136c76, 0x0404a8c8, 0xb8e5a121, 0xb81a928a, 0x60ed5869,
+    0x97c55b96, 0xeaec991b, 0x29935913, 0x01fdb7f1, 0x088e8dfa, 0x9ab6f6f5,
+    0x3b4cbf9f, 0x4a5de3ab, 0xe6051d35, 0xa0e1d855, 0xd36b4cf1, 0xf544edeb,
+    0xb0e93524, 0xbebb8fbd, 0xa2d762cf, 0x49c92f54, 0x38b5f331, 0x7128a454,
+    0x48392905, 0xa65b1db8, 0x851c97bd, 0xd675cf2f,
+};
+
+const uint32_t CAST_S_table6[256] = {
+    0x85e04019, 0x332bf567, 0x662dbfff, 0xcfc65693, 0x2a8d7f6f, 0xab9bc912,
+    0xde6008a1, 0x2028da1f, 0x0227bce7, 0x4d642916, 0x18fac300, 0x50f18b82,
+    0x2cb2cb11, 0xb232e75c, 0x4b3695f2, 0xb28707de, 0xa05fbcf6, 0xcd4181e9,
+    0xe150210c, 0xe24ef1bd, 0xb168c381, 0xfde4e789, 0x5c79b0d8, 0x1e8bfd43,
+    0x4d495001, 0x38be4341, 0x913cee1d, 0x92a79c3f, 0x089766be, 0xbaeeadf4,
+    0x1286becf, 0xb6eacb19, 0x2660c200, 0x7565bde4, 0x64241f7a, 0x8248dca9,
+    0xc3b3ad66, 0x28136086, 0x0bd8dfa8, 0x356d1cf2, 0x107789be, 0xb3b2e9ce,
+    0x0502aa8f, 0x0bc0351e, 0x166bf52a, 0xeb12ff82, 0xe3486911, 0xd34d7516,
+    0x4e7b3aff, 0x5f43671b, 0x9cf6e037, 0x4981ac83, 0x334266ce, 0x8c9341b7,
+    0xd0d854c0, 0xcb3a6c88, 0x47bc2829, 0x4725ba37, 0xa66ad22b, 0x7ad61f1e,
+    0x0c5cbafa, 0x4437f107, 0xb6e79962, 0x42d2d816, 0x0a961288, 0xe1a5c06e,
+    0x13749e67, 0x72fc081a, 0xb1d139f7, 0xf9583745, 0xcf19df58, 0xbec3f756,
+    0xc06eba30, 0x07211b24, 0x45c28829, 0xc95e317f, 0xbc8ec511, 0x38bc46e9,
+    0xc6e6fa14, 0xbae8584a, 0xad4ebc46, 0x468f508b, 0x7829435f, 0xf124183b,
+    0x821dba9f, 0xaff60ff4, 0xea2c4e6d, 0x16e39264, 0x92544a8b, 0x009b4fc3,
+    0xaba68ced, 0x9ac96f78, 0x06a5b79a, 0xb2856e6e, 0x1aec3ca9, 0xbe838688,
+    0x0e0804e9, 0x55f1be56, 0xe7e5363b, 0xb3a1f25d, 0xf7debb85, 0x61fe033c,
+    0x16746233, 0x3c034c28, 0xda6d0c74, 0x79aac56c, 0x3ce4e1ad, 0x51f0c802,
+    0x98f8f35a, 0x1626a49f, 0xeed82b29, 0x1d382fe3, 0x0c4fb99a, 0xbb325778,
+    0x3ec6d97b, 0x6e77a6a9, 0xcb658b5c, 0xd45230c7, 0x2bd1408b, 0x60c03eb7,
+    0xb9068d78, 0xa33754f4, 0xf430c87d, 0xc8a71302, 0xb96d8c32, 0xebd4e7be,
+    0xbe8b9d2d, 0x7979fb06, 0xe7225308, 0x8b75cf77, 0x11ef8da4, 0xe083c858,
+    0x8d6b786f, 0x5a6317a6, 0xfa5cf7a0, 0x5dda0033, 0xf28ebfb0, 0xf5b9c310,
+    0xa0eac280, 0x08b9767a, 0xa3d9d2b0, 0x79d34217, 0x021a718d, 0x9ac6336a,
+    0x2711fd60, 0x438050e3, 0x069908a8, 0x3d7fedc4, 0x826d2bef, 0x4eeb8476,
+    0x488dcf25, 0x36c9d566, 0x28e74e41, 0xc2610aca, 0x3d49a9cf, 0xbae3b9df,
+    0xb65f8de6, 0x92aeaf64, 0x3ac7d5e6, 0x9ea80509, 0xf22b017d, 0xa4173f70,
+    0xdd1e16c3, 0x15e0d7f9, 0x50b1b887, 0x2b9f4fd5, 0x625aba82, 0x6a017962,
+    0x2ec01b9c, 0x15488aa9, 0xd716e740, 0x40055a2c, 0x93d29a22, 0xe32dbf9a,
+    0x058745b9, 0x3453dc1e, 0xd699296e, 0x496cff6f, 0x1c9f4986, 0xdfe2ed07,
+    0xb87242d1, 0x19de7eae, 0x053e561a, 0x15ad6f8c, 0x66626c1c, 0x7154c24c,
+    0xea082b2a, 0x93eb2939, 0x17dcb0f0, 0x58d4f2ae, 0x9ea294fb, 0x52cf564c,
+    0x9883fe66, 0x2ec40581, 0x763953c3, 0x01d6692e, 0xd3a0c108, 0xa1e7160e,
+    0xe4f2dfa6, 0x693ed285, 0x74904698, 0x4c2b0edd, 0x4f757656, 0x5d393378,
+    0xa132234f, 0x3d321c5d, 0xc3f5e194, 0x4b269301, 0xc79f022f, 0x3c997e7e,
+    0x5e4f9504, 0x3ffafbbd, 0x76f7ad0e, 0x296693f4, 0x3d1fce6f, 0xc61e45be,
+    0xd3b5ab34, 0xf72bf9b7, 0x1b0434c0, 0x4e72b567, 0x5592a33d, 0xb5229301,
+    0xcfd2a87f, 0x60aeb767, 0x1814386b, 0x30bcc33d, 0x38a0c07d, 0xfd1606f2,
+    0xc363519b, 0x589dd390, 0x5479f8e6, 0x1cb8d647, 0x97fd61a9, 0xea7759f4,
+    0x2d57539d, 0x569a58cf, 0xe84e63ad, 0x462e1b78, 0x6580f87e, 0xf3817914,
+    0x91da55f4, 0x40a230f3, 0xd1988f35, 0xb6e318d2, 0x3ffa50bc, 0x3d40f021,
+    0xc3c0bdae, 0x4958c24c, 0x518f36b2, 0x84b1d370, 0x0fedce83, 0x878ddada,
+    0xf2a279c7, 0x94e01be8, 0x90716f4b, 0x954b8aa3,
+};
+
+const uint32_t CAST_S_table7[256] = {
+    0xe216300d, 0xbbddfffc, 0xa7ebdabd, 0x35648095, 0x7789f8b7, 0xe6c1121b,
+    0x0e241600, 0x052ce8b5, 0x11a9cfb0, 0xe5952f11, 0xece7990a, 0x9386d174,
+    0x2a42931c, 0x76e38111, 0xb12def3a, 0x37ddddfc, 0xde9adeb1, 0x0a0cc32c,
+    0xbe197029, 0x84a00940, 0xbb243a0f, 0xb4d137cf, 0xb44e79f0, 0x049eedfd,
+    0x0b15a15d, 0x480d3168, 0x8bbbde5a, 0x669ded42, 0xc7ece831, 0x3f8f95e7,
+    0x72df191b, 0x7580330d, 0x94074251, 0x5c7dcdfa, 0xabbe6d63, 0xaa402164,
+    0xb301d40a, 0x02e7d1ca, 0x53571dae, 0x7a3182a2, 0x12a8ddec, 0xfdaa335d,
+    0x176f43e8, 0x71fb46d4, 0x38129022, 0xce949ad4, 0xb84769ad, 0x965bd862,
+    0x82f3d055, 0x66fb9767, 0x15b80b4e, 0x1d5b47a0, 0x4cfde06f, 0xc28ec4b8,
+    0x57e8726e, 0x647a78fc, 0x99865d44, 0x608bd593, 0x6c200e03, 0x39dc5ff6,
+    0x5d0b00a3, 0xae63aff2, 0x7e8bd632, 0x70108c0c, 0xbbd35049, 0x2998df04,
+    0x980cf42a, 0x9b6df491, 0x9e7edd53, 0x06918548, 0x58cb7e07, 0x3b74ef2e,
+    0x522fffb1, 0xd24708cc, 0x1c7e27cd, 0xa4eb215b, 0x3cf1d2e2, 0x19b47a38,
+    0x424f7618, 0x35856039, 0x9d17dee7, 0x27eb35e6, 0xc9aff67b, 0x36baf5b8,
+    0x09c467cd, 0xc18910b1, 0xe11dbf7b, 0x06cd1af8, 0x7170c608, 0x2d5e3354,
+    0xd4de495a, 0x64c6d006, 0xbcc0c62c, 0x3dd00db3, 0x708f8f34, 0x77d51b42,
+    0x264f620f, 0x24b8d2bf, 0x15c1b79e, 0x46a52564, 0xf8d7e54e, 0x3e378160,
+    0x7895cda5, 0x859c15a5, 0xe6459788, 0xc37bc75f, 0xdb07ba0c, 0x0676a3ab,
+    0x7f229b1e, 0x31842e7b, 0x24259fd7, 0xf8bef472, 0x835ffcb8, 0x6df4c1f2,
+    0x96f5b195, 0xfd0af0fc, 0xb0fe134c, 0xe2506d3d, 0x4f9b12ea, 0xf215f225,
+    0xa223736f, 0x9fb4c428, 0x25d04979, 0x34c713f8, 0xc4618187, 0xea7a6e98,
+    0x7cd16efc, 0x1436876c, 0xf1544107, 0xbedeee14, 0x56e9af27, 0xa04aa441,
+    0x3cf7c899, 0x92ecbae6, 0xdd67016d, 0x151682eb, 0xa842eedf, 0xfdba60b4,
+    0xf1907b75, 0x20e3030f, 0x24d8c29e, 0xe139673b, 0xefa63fb8, 0x71873054,
+    0xb6f2cf3b, 0x9f326442, 0xcb15a4cc, 0xb01a4504, 0xf1e47d8d, 0x844a1be5,
+    0xbae7dfdc, 0x42cbda70, 0xcd7dae0a, 0x57e85b7a, 0xd53f5af6, 0x20cf4d8c,
+    0xcea4d428, 0x79d130a4, 0x3486ebfb, 0x33d3cddc, 0x77853b53, 0x37effcb5,
+    0xc5068778, 0xe580b3e6, 0x4e68b8f4, 0xc5c8b37e, 0x0d809ea2, 0x398feb7c,
+    0x132a4f94, 0x43b7950e, 0x2fee7d1c, 0x223613bd, 0xdd06caa2, 0x37df932b,
+    0xc4248289, 0xacf3ebc3, 0x5715f6b7, 0xef3478dd, 0xf267616f, 0xc148cbe4,
+    0x9052815e, 0x5e410fab, 0xb48a2465, 0x2eda7fa4, 0xe87b40e4, 0xe98ea084,
+    0x5889e9e1, 0xefd390fc, 0xdd07d35b, 0xdb485694, 0x38d7e5b2, 0x57720101,
+    0x730edebc, 0x5b643113, 0x94917e4f, 0x503c2fba, 0x646f1282, 0x7523d24a,
+    0xe0779695, 0xf9c17a8f, 0x7a5b2121, 0xd187b896, 0x29263a4d, 0xba510cdf,
+    0x81f47c9f, 0xad1163ed, 0xea7b5965, 0x1a00726e, 0x11403092, 0x00da6d77,
+    0x4a0cdd61, 0xad1f4603, 0x605bdfb0, 0x9eedc364, 0x22ebe6a8, 0xcee7d28a,
+    0xa0e736a0, 0x5564a6b9, 0x10853209, 0xc7eb8f37, 0x2de705ca, 0x8951570f,
+    0xdf09822b, 0xbd691a6c, 0xaa12e4f2, 0x87451c0f, 0xe0f6a27a, 0x3ada4819,
+    0x4cf1764f, 0x0d771c2b, 0x67cdb156, 0x350d8384, 0x5938fa0f, 0x42399ef3,
+    0x36997b07, 0x0e84093d, 0x4aa93e61, 0x8360d87b, 0x1fa98b0c, 0x1149382c,
+    0xe97625a5, 0x0614d1b7, 0x0e25244b, 0x0c768347, 0x589e8d82, 0x0d2059d1,
+    0xa466bb1e, 0xf8da0a82, 0x04f19130, 0xba6e4ec0, 0x99265164, 0x1ee7230d,
+    0x50b2ad80, 0xeaee6801, 0x8db2a283, 0xea8bf59e,
+};
diff --git a/src/decrepit/macros.h b/src/decrepit/macros.h
new file mode 100644
index 0000000..228183a
--- /dev/null
+++ b/src/decrepit/macros.h
@@ -0,0 +1,123 @@
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.] */
+
+#ifndef OPENSSL_HEADER_DECREPIT_MACROS_H
+#define OPENSSL_HEADER_DECREPIT_MACROS_H
+
+
+/* NOTE - c is not incremented as per n2l */
+#define n2ln(c, l1, l2, n)                       \
+  {                                              \
+    c += n;                                      \
+    l1 = l2 = 0;                                 \
+    switch (n) {                                 \
+      case 8:                                    \
+        l2 = ((unsigned long)(*(--(c))));        \
+      case 7:                                    \
+        l2 |= ((unsigned long)(*(--(c)))) << 8;  \
+      case 6:                                    \
+        l2 |= ((unsigned long)(*(--(c)))) << 16; \
+      case 5:                                    \
+        l2 |= ((unsigned long)(*(--(c)))) << 24; \
+      case 4:                                    \
+        l1 = ((unsigned long)(*(--(c))));        \
+      case 3:                                    \
+        l1 |= ((unsigned long)(*(--(c)))) << 8;  \
+      case 2:                                    \
+        l1 |= ((unsigned long)(*(--(c)))) << 16; \
+      case 1:                                    \
+        l1 |= ((unsigned long)(*(--(c)))) << 24; \
+    }                                            \
+  }
+
+/* NOTE - c is not incremented as per l2n */
+#define l2nn(l1, l2, c, n)                               \
+  {                                                      \
+    c += n;                                              \
+    switch (n) {                                         \
+      case 8:                                            \
+        *(--(c)) = (unsigned char)(((l2)) & 0xff);       \
+      case 7:                                            \
+        *(--(c)) = (unsigned char)(((l2) >> 8) & 0xff);  \
+      case 6:                                            \
+        *(--(c)) = (unsigned char)(((l2) >> 16) & 0xff); \
+      case 5:                                            \
+        *(--(c)) = (unsigned char)(((l2) >> 24) & 0xff); \
+      case 4:                                            \
+        *(--(c)) = (unsigned char)(((l1)) & 0xff);       \
+      case 3:                                            \
+        *(--(c)) = (unsigned char)(((l1) >> 8) & 0xff);  \
+      case 2:                                            \
+        *(--(c)) = (unsigned char)(((l1) >> 16) & 0xff); \
+      case 1:                                            \
+        *(--(c)) = (unsigned char)(((l1) >> 24) & 0xff); \
+    }                                                    \
+  }
+
+#define l2n(l, c)                                   \
+  (*((c)++) = (unsigned char)(((l) >> 24L) & 0xff), \
+   *((c)++) = (unsigned char)(((l) >> 16L) & 0xff), \
+   *((c)++) = (unsigned char)(((l) >> 8L) & 0xff),  \
+   *((c)++) = (unsigned char)(((l)) & 0xff))
+
+#define n2l(c, l)                           \
+  (l = ((unsigned long)(*((c)++))) << 24L,  \
+   l |= ((unsigned long)(*((c)++))) << 16L, \
+   l |= ((unsigned long)(*((c)++))) << 8L,  \
+   l |= ((unsigned long)(*((c)++))))
+
+
+#endif  /* OPENSSL_HEADER_DECREPIT_MACROS_H */
diff --git a/src/include/openssl/aead.h b/src/include/openssl/aead.h
index 61cf3cd..dc453e3 100644
--- a/src/include/openssl/aead.h
+++ b/src/include/openssl/aead.h
@@ -115,18 +115,28 @@ OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_key_wrap(void);
  * See |EVP_aead_aes_128_key_wrap| for details. */
 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_key_wrap(void);
 
+/* EVP_aead_aes_128_ctr_hmac_sha256 is AES-128 in CTR mode with HMAC-SHA256 for
+ * authentication. The nonce is 12 bytes; the bottom 32-bits are used as the
+ * block counter, thus the maximum plaintext size is 64GB. */
+OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_ctr_hmac_sha256(void);
+
+/* EVP_aead_aes_128_ctr_hmac_sha256 is AES-256 in CTR mode with HMAC-SHA256 for
+ * authentication. See |EVP_aead_aes_128_ctr_hmac_sha256| for details. */
+OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_ctr_hmac_sha256(void);
+
 /* EVP_has_aes_hardware returns one if we enable hardware support for fast and
  * constant-time AES-GCM. */
 OPENSSL_EXPORT int EVP_has_aes_hardware(void);
 
 
-/* TLS specific AEAD algorithms.
+/* TLS-specific AEAD algorithms.
  *
  * These AEAD primitives do not meet the definition of generic AEADs. They are
- * all specific to TLS in some fashion and should not be used outside of that
- * context. They require an additional data of length 11 (the standard TLS one
- * with the length omitted). They are also stateful, so a given |EVP_AEAD_CTX|
- * may only be used for one of seal or open, but not both. */
+ * all specific to TLS and should not be used outside of that context. They must
+ * be initialized with |EVP_AEAD_CTX_init_with_direction|, are stateful, and may
+ * not be used concurrently. Any nonces are used as IVs, so they must be
+ * unpredictable. They only accept an |ad| parameter of length 11 (the standard
+ * TLS one with length omitted). */
 
 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_rc4_md5_tls(void);
 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_rc4_sha1_tls(void);
@@ -144,11 +154,13 @@ OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls(void);
 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(void);
 
 
-/* SSLv3 specific AEAD algorithms.
+/* SSLv3-specific AEAD algorithms.
  *
  * These AEAD primitives do not meet the definition of generic AEADs. They are
- * all specific to SSLv3 in some fashion and should not be used outside of that
- * context. */
+ * all specific to SSLv3 and should not be used outside of that context. They
+ * must be initialized with |EVP_AEAD_CTX_init_with_direction|, are stateful,
+ * and may not be used concurrently. They only accept an |ad| parameter of
+ * length 9 (the standard TLS one with length and version omitted). */
 
 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_rc4_md5_ssl3(void);
 OPENSSL_EXPORT const EVP_AEAD *EVP_aead_rc4_sha1_ssl3(void);
@@ -205,17 +217,35 @@ typedef struct evp_aead_ctx_st {
  * be used. */
 #define EVP_AEAD_DEFAULT_TAG_LENGTH 0
 
-/* EVP_AEAD_init initializes |ctx| for the given AEAD algorithm from |impl|.
+/* evp_aead_direction_t denotes the direction of an AEAD operation. */
+enum evp_aead_direction_t {
+  evp_aead_open,
+  evp_aead_seal,
+};
+
+/* EVP_AEAD_CTX_init initializes |ctx| for the given AEAD algorithm from |impl|.
  * The |impl| argument may be NULL to choose the default implementation.
  * Authentication tags may be truncated by passing a size as |tag_len|. A
  * |tag_len| of zero indicates the default tag length and this is defined as
  * EVP_AEAD_DEFAULT_TAG_LENGTH for readability.
- * Returns 1 on success. Otherwise returns 0 and pushes to the error stack. */
+ *
+ * Returns 1 on success. Otherwise returns 0 and pushes to the error stack. In
+ * the error case, you do not need to call |EVP_AEAD_CTX_cleanup|, but it's
+ * harmless to do so. */
 OPENSSL_EXPORT int EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,
                                      const uint8_t *key, size_t key_len,
                                      size_t tag_len, ENGINE *impl);
 
-/* EVP_AEAD_CTX_cleanup frees any data allocated by |ctx|. */
+/* EVP_AEAD_CTX_init_with_direction calls |EVP_AEAD_CTX_init| for normal
+ * AEADs. For TLS-specific and SSL3-specific AEADs, it initializes |ctx| for a
+ * given direction. */
+OPENSSL_EXPORT int EVP_AEAD_CTX_init_with_direction(
+    EVP_AEAD_CTX *ctx, const EVP_AEAD *aead, const uint8_t *key, size_t key_len,
+    size_t tag_len, enum evp_aead_direction_t dir);
+
+/* EVP_AEAD_CTX_cleanup frees any data allocated by |ctx|. It is a no-op to
+ * call |EVP_AEAD_CTX_cleanup| on a |EVP_AEAD_CTX| that has been |memset| to
+ * all zeros. */
 OPENSSL_EXPORT void EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx);
 
 /* EVP_AEAD_CTX_seal encrypts and authenticates |in_len| bytes from |in| and
@@ -270,6 +300,14 @@ OPENSSL_EXPORT int EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
                                      const uint8_t *ad, size_t ad_len);
 
 
+/* Obscure functions. */
+
+/* EVP_AEAD_CTX_get_rc4_state sets |*out_key| to point to an RC4 key structure.
+ * It returns one on success or zero if |ctx| doesn't have an RC4 key. */
+OPENSSL_EXPORT int EVP_AEAD_CTX_get_rc4_state(const EVP_AEAD_CTX *ctx,
+                                              const RC4_KEY **out_key);
+
+
 #if defined(__cplusplus)
 }  /* extern C */
 #endif
diff --git a/src/include/openssl/asn1.h b/src/include/openssl/asn1.h
index 941b156..4baf81c 100644
--- a/src/include/openssl/asn1.h
+++ b/src/include/openssl/asn1.h
@@ -517,7 +517,7 @@ struct X509_algor_st
        } /* X509_ALGOR */;
 DEFINE_STACK_OF(X509_ALGOR);
 
-DECLARE_ASN1_FUNCTIONS(X509_ALGOR);
+DECLARE_ASN1_FUNCTIONS(X509_ALGOR)
 
 typedef struct NETSCAPE_X509_st
 	{
@@ -1078,187 +1078,157 @@ OPENSSL_EXPORT int BIO_asn1_get_suffix(BIO *b, asn1_ps_func **psuffix, asn1_ps_f
 }
 #endif
 
-#define ASN1_F_asn1_template_ex_d2i 100
-#define ASN1_F_ASN1_dup 101
-#define ASN1_F_a2i_ASN1_STRING 102
-#define ASN1_F_ASN1_d2i_fp 103
-#define ASN1_F_d2i_ASN1_OBJECT 104
-#define ASN1_F_asn1_item_ex_combine_new 105
-#define ASN1_F_ASN1_template_new 106
-#define ASN1_F_asn1_do_adb 107
-#define ASN1_F_asn1_d2i_read_bio 108
-#define ASN1_F_asn1_ex_c2i 109
-#define ASN1_F_c2i_ASN1_INTEGER 110
-#define ASN1_F_ASN1_PCTX_new 111
-#define ASN1_F_ASN1_item_unpack 112
-#define ASN1_F_d2i_ASN1_type_bytes 113
-#define ASN1_F_a2i_ASN1_INTEGER 114
-#define ASN1_F_asn1_collect 115
-#define ASN1_F_ASN1_item_dup 116
-#define ASN1_F_ASN1_ENUMERATED_set 117
-#define ASN1_F_c2i_ASN1_OBJECT 118
-#define ASN1_F_ASN1_unpack_string 119
-#define ASN1_F_d2i_ASN1_UINTEGER 120
-#define ASN1_F_long_c2i 121
-#define ASN1_F_ASN1_seq_pack 122
-#define ASN1_F_a2d_ASN1_OBJECT 123
-#define ASN1_F_ASN1_STRING_type_new 124
-#define ASN1_F_ASN1_INTEGER_set 125
-#define ASN1_F_BN_to_ASN1_INTEGER 126
-#define ASN1_F_BIO_new_NDEF 127
-#define ASN1_F_ASN1_ENUMERATED_to_BN 128
-#define ASN1_F_ASN1_item_ex_d2i 129
-#define ASN1_F_ASN1_INTEGER_to_BN 130
-#define ASN1_F_i2d_ASN1_TIME 131
-#define ASN1_F_ASN1_TIME_adj 132
-#define ASN1_F_ASN1_BIT_STRING_set_bit 133
-#define ASN1_F_ASN1_seq_unpack 134
-#define ASN1_F_ASN1_item_pack 135
-#define ASN1_F_ASN1_STRING_set 136
-#define ASN1_F_ASN1_UTCTIME_adj 137
-#define ASN1_F_ASN1_mbstring_ncopy 138
-#define ASN1_F_d2i_ASN1_BOOLEAN 139
-#define ASN1_F_ASN1_OBJECT_new 140
-#define ASN1_F_asn1_template_noexp_d2i 141
-#define ASN1_F_c2i_ASN1_BIT_STRING 142
-#define ASN1_F_BN_to_ASN1_ENUMERATED 143
-#define ASN1_F_asn1_d2i_ex_primitive 144
-#define ASN1_F_ASN1_i2d_bio 145
-#define ASN1_F_ASN1_item_i2d_bio 146
-#define ASN1_F_d2i_ASN1_UTCTIME 147
-#define ASN1_F_ASN1_STRING_TABLE_add 148
-#define ASN1_F_asn1_find_end 149
-#define ASN1_F_ASN1_item_d2i_fp 150
-#define ASN1_F_collect_data 151
-#define ASN1_F_asn1_check_tlen 152
-#define ASN1_F_ASN1_i2d_fp 153
-#define ASN1_F_ASN1_item_i2d_fp 154
-#define ASN1_F_ASN1_GENERALIZEDTIME_adj 155
-#define ASN1_F_asn1_collate_primitive 156
-#define ASN1_F_ASN1_pack_string 157
-#define ASN1_F_ASN1_get_object 158
-#define ASN1_F_d2i_ASN1_bytes 159
-#define ASN1_F_a2i_ASN1_ENUMERATED 160
-#define ASN1_R_ASN1_SIG_PARSE_ERROR 100
-#define ASN1_R_ADDING_OBJECT 101
-#define ASN1_R_MIME_NO_CONTENT_TYPE 102
-#define ASN1_R_UNKNOWN_OBJECT_TYPE 103
-#define ASN1_R_ILLEGAL_FORMAT 104
-#define ASN1_R_HEADER_TOO_LONG 105
-#define ASN1_R_INVALID_UTF8STRING 106
-#define ASN1_R_EXPLICIT_LENGTH_MISMATCH 107
-#define ASN1_R_ILLEGAL_TAGGED_ANY 108
-#define ASN1_R_DATA_IS_WRONG 109
-#define ASN1_R_NOT_ASCII_FORMAT 110
-#define ASN1_R_NOT_ENOUGH_DATA 111
-#define ASN1_R_MSTRING_NOT_UNIVERSAL 112
-#define ASN1_R_UNKNOWN_FORMAT 113
-#define ASN1_R_BAD_PASSWORD_READ 115
-#define ASN1_R_BAD_OBJECT_HEADER 116
-#define ASN1_R_ILLEGAL_CHARACTERS 117
-#define ASN1_R_CONTEXT_NOT_INITIALISED 118
-#define ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG 119
-#define ASN1_R_BN_LIB 120
-#define ASN1_R_NO_MATCHING_CHOICE_TYPE 121
-#define ASN1_R_SEQUENCE_NOT_CONSTRUCTED 122
-#define ASN1_R_ASN1_PARSE_ERROR 123
-#define ASN1_R_NO_MULTIPART_BOUNDARY 124
-#define ASN1_R_INVALID_SEPARATOR 125
-#define ASN1_R_MALLOC_FAILURE 126
-#define ASN1_R_ILLEGAL_NULL 127
-#define ASN1_R_INVALID_MIME_TYPE 128
-#define ASN1_R_INVALID_NUMBER 129
-#define ASN1_R_STRING_TOO_LONG 130
-#define ASN1_R_BAD_GET_ASN1_OBJECT_CALL 131
-#define ASN1_R_UNABLE_TO_DECODE_RSA_KEY 132
-#define ASN1_R_EXPECTING_A_TIME 133
-#define ASN1_R_TAG_VALUE_TOO_HIGH 134
-#define ASN1_R_NESTED_ASN1_STRING 135
-#define ASN1_R_ILLEGAL_BITSTRING_FORMAT 136
-#define ASN1_R_MISSING_SECOND_NUMBER 137
-#define ASN1_R_TIME_NOT_ASCII_FORMAT 138
-#define ASN1_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 139
-#define ASN1_R_WRONG_TYPE 140
-#define ASN1_R_EXPECTING_AN_INTEGER 141
-#define ASN1_R_DEPTH_EXCEEDED 142
-#define ASN1_R_ILLEGAL_OBJECT 143
-#define ASN1_R_UNKNOWN_TAG 144
-#define ASN1_R_ILLEGAL_IMPLICIT_TAG 145
-#define ASN1_R_AUX_ERROR 146
-#define ASN1_R_SEQUENCE_LENGTH_MISMATCH 147
-#define ASN1_R_FIELD_MISSING 148
-#define ASN1_R_TYPE_NOT_CONSTRUCTED 149
-#define ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH 150
-#define ASN1_R_FIRST_NUM_TOO_LARGE 151
-#define ASN1_R_INVALID_DIGIT 152
-#define ASN1_R_MSTRING_WRONG_TAG 153
-#define ASN1_R_OBJECT_NOT_ASCII_FORMAT 154
-#define ASN1_R_UNSUPPORTED_TYPE 155
-#define ASN1_R_ERROR_LOADING_SECTION 156
-#define ASN1_R_ODD_NUMBER_OF_CHARS 157
-#define ASN1_R_ASN1_LENGTH_MISMATCH 158
-#define ASN1_R_MISSING_EOC 159
-#define ASN1_R_ILLEGAL_INTEGER 160
-#define ASN1_R_ILLEGAL_HEX 161
-#define ASN1_R_NESTED_ASN1_ERROR 162
-#define ASN1_R_TOO_LONG 163
-#define ASN1_R_LENGTH_ERROR 164
-#define ASN1_R_DECODING_ERROR 165
-#define ASN1_R_MIME_SIG_PARSE_ERROR 166
-#define ASN1_R_ILLEGAL_NULL_VALUE 167
-#define ASN1_R_EXPECTING_A_BOOLEAN 168
-#define ASN1_R_STREAMING_NOT_SUPPORTED 169
-#define ASN1_R_INVALID_BMPSTRING_LENGTH 170
-#define ASN1_R_INTEGER_NOT_ASCII_FORMAT 171
-#define ASN1_R_INVALID_MODIFIER 172
-#define ASN1_R_UNEXPECTED_EOC 173
-#define ASN1_R_ILLEGAL_NESTED_TAGGING 174
-#define ASN1_R_IV_TOO_LARGE 175
-#define ASN1_R_INTEGER_TOO_LARGE_FOR_LONG 176
-#define ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE 177
-#define ASN1_R_BUFFER_TOO_SMALL 178
-#define ASN1_R_INVALID_UNIVERSALSTRING_LENGTH 179
-#define ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM 181
-#define ASN1_R_MIME_PARSE_ERROR 182
-#define ASN1_R_INVALID_OBJECT_ENCODING 183
-#define ASN1_R_PRIVATE_KEY_HEADER_MISSING 184
-#define ASN1_R_UNSUPPORTED_CIPHER 185
-#define ASN1_R_NO_MULTIPART_BODY_FAILURE 186
-#define ASN1_R_NO_CONTENT_TYPE 187
-#define ASN1_R_SECOND_NUMBER_TOO_LARGE 188
-#define ASN1_R_INVALID_TIME_FORMAT 189
-#define ASN1_R_NO_DEFAULT_DIGEST 190
-#define ASN1_R_ERROR_SETTING_CIPHER_PARAMS 191
-#define ASN1_R_EXPECTING_AN_OBJECT 192
-#define ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE 193
-#define ASN1_R_ERROR_GETTING_TIME 194
-#define ASN1_R_MISSING_VALUE 195
-#define ASN1_R_LIST_ERROR 196
-#define ASN1_R_DECODE_ERROR 197
-#define ASN1_R_NON_HEX_CHARACTERS 198
-#define ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE 199
-#define ASN1_R_EXPECTING_AN_ASN1_SEQUENCE 201
-#define ASN1_R_STRING_TOO_SHORT 203
-#define ASN1_R_ILLEGAL_OPTIONAL_ANY 204
-#define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 205
-#define ASN1_R_NO_SIG_CONTENT_TYPE 206
-#define ASN1_R_ENCODE_ERROR 207
-#define ASN1_R_SHORT_LINE 208
-#define ASN1_R_ILLEGAL_TIME_VALUE 209
-#define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY 210
-#define ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER 211
-#define ASN1_R_BAD_CLASS 212
-#define ASN1_R_BAD_TAG 213
-#define ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE 214
-#define ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED 215
-#define ASN1_R_ILLEGAL_BOOLEAN 216
-#define ASN1_R_SIG_INVALID_MIME_TYPE 217
-#define ASN1_R_NULL_IS_WRONG_LENGTH 218
-#define ASN1_R_MISSING_ASN1_EOS 219
-#define ASN1_R_ERROR_PARSING_SET_ELEMENT 220
-#define ASN1_R_WRONG_TAG 221
-#define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 222
-#define ASN1_R_TYPE_NOT_PRIMITIVE 223
-#define ASN1_R_INVALID_BIT_STRING_BITS_LEFT 224
+#define ASN1_F_ASN1_BIT_STRING_set_bit 100
+#define ASN1_F_ASN1_ENUMERATED_set 101
+#define ASN1_F_ASN1_ENUMERATED_to_BN 102
+#define ASN1_F_ASN1_GENERALIZEDTIME_adj 103
+#define ASN1_F_ASN1_INTEGER_set 104
+#define ASN1_F_ASN1_INTEGER_to_BN 105
+#define ASN1_F_ASN1_OBJECT_new 106
+#define ASN1_F_ASN1_PCTX_new 107
+#define ASN1_F_ASN1_STRING_TABLE_add 108
+#define ASN1_F_ASN1_STRING_set 109
+#define ASN1_F_ASN1_STRING_type_new 110
+#define ASN1_F_ASN1_TIME_adj 111
+#define ASN1_F_ASN1_UTCTIME_adj 112
+#define ASN1_F_ASN1_d2i_fp 113
+#define ASN1_F_ASN1_dup 114
+#define ASN1_F_ASN1_generate_v3 115
+#define ASN1_F_ASN1_get_object 116
+#define ASN1_F_ASN1_i2d_bio 117
+#define ASN1_F_ASN1_i2d_fp 118
+#define ASN1_F_ASN1_item_d2i_fp 119
+#define ASN1_F_ASN1_item_dup 120
+#define ASN1_F_ASN1_item_ex_d2i 121
+#define ASN1_F_ASN1_item_i2d_bio 122
+#define ASN1_F_ASN1_item_i2d_fp 123
+#define ASN1_F_ASN1_item_pack 124
+#define ASN1_F_ASN1_item_unpack 125
+#define ASN1_F_ASN1_mbstring_ncopy 126
+#define ASN1_F_ASN1_template_new 127
+#define ASN1_F_BIO_new_NDEF 128
+#define ASN1_F_BN_to_ASN1_ENUMERATED 129
+#define ASN1_F_BN_to_ASN1_INTEGER 130
+#define ASN1_F_a2d_ASN1_OBJECT 131
+#define ASN1_F_a2i_ASN1_ENUMERATED 132
+#define ASN1_F_a2i_ASN1_INTEGER 133
+#define ASN1_F_a2i_ASN1_STRING 134
+#define ASN1_F_append_exp 135
+#define ASN1_F_asn1_cb 136
+#define ASN1_F_asn1_check_tlen 137
+#define ASN1_F_asn1_collate_primitive 138
+#define ASN1_F_asn1_collect 139
+#define ASN1_F_asn1_d2i_ex_primitive 140
+#define ASN1_F_asn1_d2i_read_bio 141
+#define ASN1_F_asn1_do_adb 142
+#define ASN1_F_asn1_ex_c2i 143
+#define ASN1_F_asn1_find_end 144
+#define ASN1_F_asn1_item_ex_combine_new 145
+#define ASN1_F_asn1_str2type 146
+#define ASN1_F_asn1_template_ex_d2i 147
+#define ASN1_F_asn1_template_noexp_d2i 148
+#define ASN1_F_bitstr_cb 149
+#define ASN1_F_c2i_ASN1_BIT_STRING 150
+#define ASN1_F_c2i_ASN1_INTEGER 151
+#define ASN1_F_c2i_ASN1_OBJECT 152
+#define ASN1_F_collect_data 153
+#define ASN1_F_d2i_ASN1_BOOLEAN 154
+#define ASN1_F_d2i_ASN1_OBJECT 155
+#define ASN1_F_d2i_ASN1_UINTEGER 156
+#define ASN1_F_d2i_ASN1_UTCTIME 157
+#define ASN1_F_d2i_ASN1_bytes 158
+#define ASN1_F_d2i_ASN1_type_bytes 159
+#define ASN1_F_i2d_ASN1_TIME 160
+#define ASN1_F_i2d_PrivateKey 161
+#define ASN1_F_long_c2i 162
+#define ASN1_F_parse_tagging 163
+#define ASN1_R_ASN1_LENGTH_MISMATCH 100
+#define ASN1_R_AUX_ERROR 101
+#define ASN1_R_BAD_GET_ASN1_OBJECT_CALL 102
+#define ASN1_R_BAD_OBJECT_HEADER 103
+#define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 104
+#define ASN1_R_BN_LIB 105
+#define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106
+#define ASN1_R_BUFFER_TOO_SMALL 107
+#define ASN1_R_DECODE_ERROR 108
+#define ASN1_R_DEPTH_EXCEEDED 109
+#define ASN1_R_ENCODE_ERROR 110
+#define ASN1_R_ERROR_GETTING_TIME 111
+#define ASN1_R_EXPECTING_AN_ASN1_SEQUENCE 112
+#define ASN1_R_EXPECTING_AN_INTEGER 113
+#define ASN1_R_EXPECTING_AN_OBJECT 114
+#define ASN1_R_EXPECTING_A_BOOLEAN 115
+#define ASN1_R_EXPECTING_A_TIME 116
+#define ASN1_R_EXPLICIT_LENGTH_MISMATCH 117
+#define ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED 118
+#define ASN1_R_FIELD_MISSING 119
+#define ASN1_R_FIRST_NUM_TOO_LARGE 120
+#define ASN1_R_HEADER_TOO_LONG 121
+#define ASN1_R_ILLEGAL_BITSTRING_FORMAT 122
+#define ASN1_R_ILLEGAL_BOOLEAN 123
+#define ASN1_R_ILLEGAL_CHARACTERS 124
+#define ASN1_R_ILLEGAL_FORMAT 125
+#define ASN1_R_ILLEGAL_HEX 126
+#define ASN1_R_ILLEGAL_IMPLICIT_TAG 127
+#define ASN1_R_ILLEGAL_INTEGER 128
+#define ASN1_R_ILLEGAL_NESTED_TAGGING 129
+#define ASN1_R_ILLEGAL_NULL 130
+#define ASN1_R_ILLEGAL_NULL_VALUE 131
+#define ASN1_R_ILLEGAL_OBJECT 132
+#define ASN1_R_ILLEGAL_OPTIONAL_ANY 133
+#define ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE 134
+#define ASN1_R_ILLEGAL_TAGGED_ANY 135
+#define ASN1_R_ILLEGAL_TIME_VALUE 136
+#define ASN1_R_INTEGER_NOT_ASCII_FORMAT 137
+#define ASN1_R_INTEGER_TOO_LARGE_FOR_LONG 138
+#define ASN1_R_INVALID_BIT_STRING_BITS_LEFT 139
+#define ASN1_R_INVALID_BMPSTRING_LENGTH 140
+#define ASN1_R_INVALID_DIGIT 141
+#define ASN1_R_INVALID_MODIFIER 142
+#define ASN1_R_INVALID_NUMBER 143
+#define ASN1_R_INVALID_OBJECT_ENCODING 144
+#define ASN1_R_INVALID_SEPARATOR 145
+#define ASN1_R_INVALID_TIME_FORMAT 146
+#define ASN1_R_INVALID_UNIVERSALSTRING_LENGTH 147
+#define ASN1_R_INVALID_UTF8STRING 148
+#define ASN1_R_LIST_ERROR 149
+#define ASN1_R_MALLOC_FAILURE 150
+#define ASN1_R_MISSING_ASN1_EOS 151
+#define ASN1_R_MISSING_EOC 152
+#define ASN1_R_MISSING_SECOND_NUMBER 153
+#define ASN1_R_MISSING_VALUE 154
+#define ASN1_R_MSTRING_NOT_UNIVERSAL 155
+#define ASN1_R_MSTRING_WRONG_TAG 156
+#define ASN1_R_NESTED_ASN1_ERROR 157
+#define ASN1_R_NESTED_ASN1_STRING 158
+#define ASN1_R_NON_HEX_CHARACTERS 159
+#define ASN1_R_NOT_ASCII_FORMAT 160
+#define ASN1_R_NOT_ENOUGH_DATA 161
+#define ASN1_R_NO_MATCHING_CHOICE_TYPE 162
+#define ASN1_R_NULL_IS_WRONG_LENGTH 163
+#define ASN1_R_OBJECT_NOT_ASCII_FORMAT 164
+#define ASN1_R_ODD_NUMBER_OF_CHARS 165
+#define ASN1_R_SECOND_NUMBER_TOO_LARGE 166
+#define ASN1_R_SEQUENCE_LENGTH_MISMATCH 167
+#define ASN1_R_SEQUENCE_NOT_CONSTRUCTED 168
+#define ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG 169
+#define ASN1_R_SHORT_LINE 170
+#define ASN1_R_STREAMING_NOT_SUPPORTED 171
+#define ASN1_R_STRING_TOO_LONG 172
+#define ASN1_R_STRING_TOO_SHORT 173
+#define ASN1_R_TAG_VALUE_TOO_HIGH 174
+#define ASN1_R_TIME_NOT_ASCII_FORMAT 175
+#define ASN1_R_TOO_LONG 176
+#define ASN1_R_TYPE_NOT_CONSTRUCTED 177
+#define ASN1_R_TYPE_NOT_PRIMITIVE 178
+#define ASN1_R_UNEXPECTED_EOC 179
+#define ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH 180
+#define ASN1_R_UNKNOWN_FORMAT 181
+#define ASN1_R_UNKNOWN_TAG 182
+#define ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE 183
+#define ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE 184
+#define ASN1_R_UNSUPPORTED_TYPE 185
+#define ASN1_R_WRONG_TAG 186
+#define ASN1_R_WRONG_TYPE 187
 
 #endif
diff --git a/src/include/openssl/asn1_mac.h b/src/include/openssl/asn1_mac.h
index 3e8eebb..49b2a28 100644
--- a/src/include/openssl/asn1_mac.h
+++ b/src/include/openssl/asn1_mac.h
@@ -65,512 +65,10 @@
 extern "C" {
 #endif
 
-#ifndef ASN1_MAC_ERR_LIB
-#define ASN1_MAC_ERR_LIB	ERR_LIB_ASN1
-#endif
-
-#define ASN1_MAC_H_err(f,r,line) \
-	ERR_put_error(ASN1_MAC_ERR_LIB,(f),(r),__FILE__,(line))
-
-#define M_ASN1_D2I_vars(a,type,func) \
-	ASN1_const_CTX c; \
-	type ret=NULL; \
-	\
-	c.pp=(const unsigned char **)pp; \
-	c.q= *(const unsigned char **)pp; \
-	c.error=ASN1_R_NESTED_ASN1_ERROR; \
-	if ((a == NULL) || ((*a) == NULL)) \
-		{ if ((ret=(type)func()) == NULL) \
-			{ c.line=__LINE__; goto err; } } \
-	else	ret=(*a);
-
-#define M_ASN1_D2I_Init() \
-	c.p= *(const unsigned char **)pp; \
-	c.max=(length == 0)?0:(c.p+length);
-
-#define M_ASN1_D2I_Finish_2(a) \
-	if (!asn1_const_Finish(&c)) \
-		{ c.line=__LINE__; goto err; } \
-	*(const unsigned char **)pp=c.p; \
-	if (a != NULL) (*a)=ret; \
-	return(ret);
-
-#define M_ASN1_D2I_Finish(a,func,e) \
-	M_ASN1_D2I_Finish_2(a); \
-err:\
-	ASN1_MAC_H_err((e),c.error,c.line); \
-	asn1_add_error(*(const unsigned char **)pp,(int)(c.q- *pp)); \
-	if ((ret != NULL) && ((a == NULL) || (*a != ret))) func(ret); \
-	return(NULL)
-
-#define M_ASN1_D2I_start_sequence() \
-	if (!asn1_GetSequence(&c,&length)) \
-		{ c.line=__LINE__; goto err; }
-/* Begin reading ASN1 without a surrounding sequence */
-#define M_ASN1_D2I_begin() \
-	c.slen = length;
-
-/* End reading ASN1 with no check on length */
-#define M_ASN1_D2I_Finish_nolen(a, func, e) \
-	*pp=c.p; \
-	if (a != NULL) (*a)=ret; \
-	return(ret); \
-err:\
-	ASN1_MAC_H_err((e),c.error,c.line); \
-	asn1_add_error(*pp,(int)(c.q- *pp)); \
-	if ((ret != NULL) && ((a == NULL) || (*a != ret))) func(ret); \
-	return(NULL)
-
-#define M_ASN1_D2I_end_sequence() \
-	(((c.inf&1) == 0)?(c.slen <= 0): \
-		(c.eos=ASN1_const_check_infinite_end(&c.p,c.slen)))
-
-/* Don't use this with d2i_ASN1_BOOLEAN() */
-#define M_ASN1_D2I_get(b, func) \
-	c.q=c.p; \
-	if (func(&(b),&c.p,c.slen) == NULL) \
-		{c.line=__LINE__; goto err; } \
-	c.slen-=(c.p-c.q);
-
-/* Don't use this with d2i_ASN1_BOOLEAN() */
-#define M_ASN1_D2I_get_x(type,b,func) \
-	c.q=c.p; \
-	if (((D2I_OF(type))func)(&(b),&c.p,c.slen) == NULL) \
-		{c.line=__LINE__; goto err; } \
-	c.slen-=(c.p-c.q);
-
-/* use this instead () */
-#define M_ASN1_D2I_get_int(b,func) \
-	c.q=c.p; \
-	if (func(&(b),&c.p,c.slen) < 0) \
-		{c.line=__LINE__; goto err; } \
-	c.slen-=(c.p-c.q);
-
-#define M_ASN1_D2I_get_opt(b,func,type) \
-	if ((c.slen != 0) && ((M_ASN1_next & (~V_ASN1_CONSTRUCTED)) \
-		== (V_ASN1_UNIVERSAL|(type)))) \
-		{ \
-		M_ASN1_D2I_get(b,func); \
-		}
-
-#define M_ASN1_D2I_get_int_opt(b,func,type) \
-	if ((c.slen != 0) && ((M_ASN1_next & (~V_ASN1_CONSTRUCTED)) \
-		== (V_ASN1_UNIVERSAL|(type)))) \
-		{ \
-		M_ASN1_D2I_get_int(b,func); \
-		}
-
-#define M_ASN1_D2I_get_imp(b,func, type) \
-	M_ASN1_next=(_tmp& V_ASN1_CONSTRUCTED)|type; \
-	c.q=c.p; \
-	if (func(&(b),&c.p,c.slen) == NULL) \
-		{c.line=__LINE__; M_ASN1_next_prev = _tmp; goto err; } \
-	c.slen-=(c.p-c.q);\
-	M_ASN1_next_prev=_tmp;
-
-#define M_ASN1_D2I_get_IMP_opt(b,func,tag,type) \
-	if ((c.slen != 0) && ((M_ASN1_next & (~V_ASN1_CONSTRUCTED)) == \
-		(V_ASN1_CONTEXT_SPECIFIC|(tag)))) \
-		{ \
-		unsigned char _tmp = M_ASN1_next; \
-		M_ASN1_D2I_get_imp(b,func, type);\
-		}
-
-#define M_ASN1_D2I_get_set(r,func,free_func) \
-		M_ASN1_D2I_get_imp_set(r,func,free_func, \
-			V_ASN1_SET,V_ASN1_UNIVERSAL);
-
-#define M_ASN1_D2I_get_set_type(type,r,func,free_func) \
-		M_ASN1_D2I_get_imp_set_type(type,r,func,free_func, \
-			V_ASN1_SET,V_ASN1_UNIVERSAL);
-
-#define M_ASN1_D2I_get_set_opt(r,func,free_func) \
-	if ((c.slen != 0) && (M_ASN1_next == (V_ASN1_UNIVERSAL| \
-		V_ASN1_CONSTRUCTED|V_ASN1_SET)))\
-		{ M_ASN1_D2I_get_set(r,func,free_func); }
-
-#define M_ASN1_D2I_get_set_opt_type(type,r,func,free_func) \
-	if ((c.slen != 0) && (M_ASN1_next == (V_ASN1_UNIVERSAL| \
-		V_ASN1_CONSTRUCTED|V_ASN1_SET)))\
-		{ M_ASN1_D2I_get_set_type(type,r,func,free_func); }
-
-#define M_ASN1_I2D_len_SET_opt(a,f) \
-	if ((a != NULL) && (sk_num(a) != 0)) \
-		M_ASN1_I2D_len_SET(a,f);
-
-#define M_ASN1_I2D_put_SET_opt(a,f) \
-	if ((a != NULL) && (sk_num(a) != 0)) \
-		M_ASN1_I2D_put_SET(a,f);
-
-#define M_ASN1_I2D_put_SEQUENCE_opt(a,f) \
-	if ((a != NULL) && (sk_num(a) != 0)) \
-		M_ASN1_I2D_put_SEQUENCE(a,f);
-
-#define M_ASN1_I2D_put_SEQUENCE_opt_type(type,a,f) \
-	if ((a != NULL) && (sk_##type##_num(a) != 0)) \
-		M_ASN1_I2D_put_SEQUENCE_type(type,a,f);
-
-#define M_ASN1_D2I_get_IMP_set_opt(b,func,free_func,tag) \
-	if ((c.slen != 0) && \
-		(M_ASN1_next == \
-		(V_ASN1_CONTEXT_SPECIFIC|V_ASN1_CONSTRUCTED|(tag))))\
-		{ \
-		M_ASN1_D2I_get_imp_set(b,func,free_func,\
-			tag,V_ASN1_CONTEXT_SPECIFIC); \
-		}
-
-#define M_ASN1_D2I_get_IMP_set_opt_type(type,b,func,free_func,tag) \
-	if ((c.slen != 0) && \
-		(M_ASN1_next == \
-		(V_ASN1_CONTEXT_SPECIFIC|V_ASN1_CONSTRUCTED|(tag))))\
-		{ \
-		M_ASN1_D2I_get_imp_set_type(type,b,func,free_func,\
-			tag,V_ASN1_CONTEXT_SPECIFIC); \
-		}
-
-#define M_ASN1_D2I_get_seq(r,func,free_func) \
-		M_ASN1_D2I_get_imp_set(r,func,free_func,\
-			V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL);
-
-#define M_ASN1_D2I_get_seq_type(type,r,func,free_func) \
-		M_ASN1_D2I_get_imp_set_type(type,r,func,free_func,\
-					    V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL)
-
-#define M_ASN1_D2I_get_seq_opt(r,func,free_func) \
-	if ((c.slen != 0) && (M_ASN1_next == (V_ASN1_UNIVERSAL| \
-		V_ASN1_CONSTRUCTED|V_ASN1_SEQUENCE)))\
-		{ M_ASN1_D2I_get_seq(r,func,free_func); }
-
-#define M_ASN1_D2I_get_seq_opt_type(type,r,func,free_func) \
-	if ((c.slen != 0) && (M_ASN1_next == (V_ASN1_UNIVERSAL| \
-		V_ASN1_CONSTRUCTED|V_ASN1_SEQUENCE)))\
-		{ M_ASN1_D2I_get_seq_type(type,r,func,free_func); }
-
-#define M_ASN1_D2I_get_IMP_set(r,func,free_func,x) \
-		M_ASN1_D2I_get_imp_set(r,func,free_func,\
-			x,V_ASN1_CONTEXT_SPECIFIC);
-
-#define M_ASN1_D2I_get_IMP_set_type(type,r,func,free_func,x) \
-		M_ASN1_D2I_get_imp_set_type(type,r,func,free_func,\
-			x,V_ASN1_CONTEXT_SPECIFIC);
-
-#define M_ASN1_D2I_get_imp_set(r,func,free_func,a,b) \
-	c.q=c.p; \
-	if (d2i_ASN1_SET(&(r),&c.p,c.slen,(char *(*)())func,\
-		(void (*)())free_func,a,b) == NULL) \
-		{ c.line=__LINE__; goto err; } \
-	c.slen-=(c.p-c.q);
-
-#define M_ASN1_D2I_get_imp_set_type(type,r,func,free_func,a,b) \
-	c.q=c.p; \
-	if (d2i_ASN1_SET_OF_##type(&(r),&c.p,c.slen,func,\
-				   free_func,a,b) == NULL) \
-		{ c.line=__LINE__; goto err; } \
-	c.slen-=(c.p-c.q);
-
-#define M_ASN1_D2I_get_set_strings(r,func,a,b) \
-	c.q=c.p; \
-	if (d2i_ASN1_STRING_SET(&(r),&c.p,c.slen,a,b) == NULL) \
-		{ c.line=__LINE__; goto err; } \
-	c.slen-=(c.p-c.q);
-
-#define M_ASN1_D2I_get_EXP_opt(r,func,tag) \
-	if ((c.slen != 0L) && (M_ASN1_next == \
-		(V_ASN1_CONSTRUCTED|V_ASN1_CONTEXT_SPECIFIC|tag))) \
-		{ \
-		int Tinf,Ttag,Tclass; \
-		long Tlen; \
-		\
-		c.q=c.p; \
-		Tinf=ASN1_get_object(&c.p,&Tlen,&Ttag,&Tclass,c.slen); \
-		if (Tinf & 0x80) \
-			{ c.error=ASN1_R_BAD_OBJECT_HEADER; \
-			c.line=__LINE__; goto err; } \
-		if (Tinf == (V_ASN1_CONSTRUCTED+1)) \
-					Tlen = c.slen - (c.p - c.q) - 2; \
-		if (func(&(r),&c.p,Tlen) == NULL) \
-			{ c.line=__LINE__; goto err; } \
-		if (Tinf == (V_ASN1_CONSTRUCTED+1)) { \
-			Tlen = c.slen - (c.p - c.q); \
-			if(!ASN1_const_check_infinite_end(&c.p, Tlen)) \
-				{ c.error=ASN1_R_MISSING_ASN1_EOS; \
-				c.line=__LINE__; goto err; } \
-		}\
-		c.slen-=(c.p-c.q); \
-		}
-
-#define M_ASN1_D2I_get_EXP_set_opt(r,func,free_func,tag,b) \
-	if ((c.slen != 0) && (M_ASN1_next == \
-		(V_ASN1_CONSTRUCTED|V_ASN1_CONTEXT_SPECIFIC|tag))) \
-		{ \
-		int Tinf,Ttag,Tclass; \
-		long Tlen; \
-		\
-		c.q=c.p; \
-		Tinf=ASN1_get_object(&c.p,&Tlen,&Ttag,&Tclass,c.slen); \
-		if (Tinf & 0x80) \
-			{ c.error=ASN1_R_BAD_OBJECT_HEADER; \
-			c.line=__LINE__; goto err; } \
-		if (Tinf == (V_ASN1_CONSTRUCTED+1)) \
-					Tlen = c.slen - (c.p - c.q) - 2; \
-		if (d2i_ASN1_SET(&(r),&c.p,Tlen,(char *(*)())func, \
-			(void (*)())free_func, \
-			b,V_ASN1_UNIVERSAL) == NULL) \
-			{ c.line=__LINE__; goto err; } \
-		if (Tinf == (V_ASN1_CONSTRUCTED+1)) { \
-			Tlen = c.slen - (c.p - c.q); \
-			if(!ASN1_check_infinite_end(&c.p, Tlen)) \
-				{ c.error=ASN1_R_MISSING_ASN1_EOS; \
-				c.line=__LINE__; goto err; } \
-		}\
-		c.slen-=(c.p-c.q); \
-		}
-
-#define M_ASN1_D2I_get_EXP_set_opt_type(type,r,func,free_func,tag,b) \
-	if ((c.slen != 0) && (M_ASN1_next == \
-		(V_ASN1_CONSTRUCTED|V_ASN1_CONTEXT_SPECIFIC|tag))) \
-		{ \
-		int Tinf,Ttag,Tclass; \
-		long Tlen; \
-		\
-		c.q=c.p; \
-		Tinf=ASN1_get_object(&c.p,&Tlen,&Ttag,&Tclass,c.slen); \
-		if (Tinf & 0x80) \
-			{ c.error=ASN1_R_BAD_OBJECT_HEADER; \
-			c.line=__LINE__; goto err; } \
-		if (Tinf == (V_ASN1_CONSTRUCTED+1)) \
-					Tlen = c.slen - (c.p - c.q) - 2; \
-		if (d2i_ASN1_SET_OF_##type(&(r),&c.p,Tlen,func, \
-			free_func,b,V_ASN1_UNIVERSAL) == NULL) \
-			{ c.line=__LINE__; goto err; } \
-		if (Tinf == (V_ASN1_CONSTRUCTED+1)) { \
-			Tlen = c.slen - (c.p - c.q); \
-			if(!ASN1_check_infinite_end(&c.p, Tlen)) \
-				{ c.error=ASN1_R_MISSING_ASN1_EOS; \
-				c.line=__LINE__; goto err; } \
-		}\
-		c.slen-=(c.p-c.q); \
-		}
-
-/* New macros */
-#define M_ASN1_New_Malloc(ret,type) \
-	if ((ret=(type *)OPENSSL_malloc(sizeof(type))) == NULL) \
-		{ c.line=__LINE__; goto err2; }
-
-#define M_ASN1_New(arg,func) \
-	if (((arg)=func()) == NULL) return(NULL)
-
-#define M_ASN1_New_Error(a) \
-/*	err:	ASN1_MAC_H_err((a),ASN1_R_NESTED_ASN1_ERROR,c.line); \
-		return(NULL);*/ \
-	err2:	ASN1_MAC_H_err((a),ASN1_R_MALLOC_FAILURE,c.line); \
-		return(NULL)
 
+OPENSSL_EXPORT int asn1_GetSequence(ASN1_const_CTX *c, long *length);
 
-/* BIG UGLY WARNING!  This is so damn ugly I wanna puke.  Unfortunately,
-   some macros that use ASN1_const_CTX still insist on writing in the input
-   stream.  ARGH!  ARGH!  ARGH!  Let's get rid of this macro package.
-   Please?						-- Richard Levitte */
-#define M_ASN1_next		(*((unsigned char *)(c.p)))
-#define M_ASN1_next_prev	(*((unsigned char *)(c.q)))
-
-/*************************************************/
-
-#define M_ASN1_I2D_vars(a)	int r=0,ret=0; \
-				unsigned char *p; \
-				if (a == NULL) return(0)
-
-/* Length Macros */
-#define M_ASN1_I2D_len(a,f)	ret+=f(a,NULL)
-#define M_ASN1_I2D_len_IMP_opt(a,f)	if (a != NULL) M_ASN1_I2D_len(a,f)
-
-#define M_ASN1_I2D_len_SET(a,f) \
-		ret+=i2d_ASN1_SET(a,NULL,f,V_ASN1_SET,V_ASN1_UNIVERSAL,IS_SET);
-
-#define M_ASN1_I2D_len_SET_type(type,a,f) \
-		ret+=i2d_ASN1_SET_OF_##type(a,NULL,f,V_ASN1_SET, \
-					    V_ASN1_UNIVERSAL,IS_SET);
-
-#define M_ASN1_I2D_len_SEQUENCE(a,f) \
-		ret+=i2d_ASN1_SET(a,NULL,f,V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL, \
-				  IS_SEQUENCE);
-
-#define M_ASN1_I2D_len_SEQUENCE_type(type,a,f) \
-		ret+=i2d_ASN1_SET_OF_##type(a,NULL,f,V_ASN1_SEQUENCE, \
-					    V_ASN1_UNIVERSAL,IS_SEQUENCE)
-
-#define M_ASN1_I2D_len_SEQUENCE_opt(a,f) \
-		if ((a != NULL) && (sk_num(a) != 0)) \
-			M_ASN1_I2D_len_SEQUENCE(a,f);
-
-#define M_ASN1_I2D_len_SEQUENCE_opt_type(type,a,f) \
-		if ((a != NULL) && (sk_##type##_num(a) != 0)) \
-			M_ASN1_I2D_len_SEQUENCE_type(type,a,f);
-
-#define M_ASN1_I2D_len_IMP_SET(a,f,x) \
-		ret+=i2d_ASN1_SET(a,NULL,f,x,V_ASN1_CONTEXT_SPECIFIC,IS_SET);
-
-#define M_ASN1_I2D_len_IMP_SET_type(type,a,f,x) \
-		ret+=i2d_ASN1_SET_OF_##type(a,NULL,f,x, \
-					    V_ASN1_CONTEXT_SPECIFIC,IS_SET);
-
-#define M_ASN1_I2D_len_IMP_SET_opt(a,f,x) \
-		if ((a != NULL) && (sk_num(a) != 0)) \
-			ret+=i2d_ASN1_SET(a,NULL,f,x,V_ASN1_CONTEXT_SPECIFIC, \
-					  IS_SET);
-
-#define M_ASN1_I2D_len_IMP_SET_opt_type(type,a,f,x) \
-		if ((a != NULL) && (sk_##type##_num(a) != 0)) \
-			ret+=i2d_ASN1_SET_OF_##type(a,NULL,f,x, \
-					       V_ASN1_CONTEXT_SPECIFIC,IS_SET);
-
-#define M_ASN1_I2D_len_IMP_SEQUENCE(a,f,x) \
-		ret+=i2d_ASN1_SET(a,NULL,f,x,V_ASN1_CONTEXT_SPECIFIC, \
-				  IS_SEQUENCE);
-
-#define M_ASN1_I2D_len_IMP_SEQUENCE_opt(a,f,x) \
-		if ((a != NULL) && (sk_num(a) != 0)) \
-			ret+=i2d_ASN1_SET(a,NULL,f,x,V_ASN1_CONTEXT_SPECIFIC, \
-					  IS_SEQUENCE);
-
-#define M_ASN1_I2D_len_IMP_SEQUENCE_opt_type(type,a,f,x) \
-		if ((a != NULL) && (sk_##type##_num(a) != 0)) \
-			ret+=i2d_ASN1_SET_OF_##type(a,NULL,f,x, \
-						    V_ASN1_CONTEXT_SPECIFIC, \
-						    IS_SEQUENCE);
-
-#define M_ASN1_I2D_len_EXP_opt(a,f,mtag,v) \
-		if (a != NULL)\
-			{ \
-			v=f(a,NULL); \
-			ret+=ASN1_object_size(1,v,mtag); \
-			}
-
-#define M_ASN1_I2D_len_EXP_SET_opt(a,f,mtag,tag,v) \
-		if ((a != NULL) && (sk_num(a) != 0))\
-			{ \
-			v=i2d_ASN1_SET(a,NULL,f,tag,V_ASN1_UNIVERSAL,IS_SET); \
-			ret+=ASN1_object_size(1,v,mtag); \
-			}
-
-#define M_ASN1_I2D_len_EXP_SEQUENCE_opt(a,f,mtag,tag,v) \
-		if ((a != NULL) && (sk_num(a) != 0))\
-			{ \
-			v=i2d_ASN1_SET(a,NULL,f,tag,V_ASN1_UNIVERSAL, \
-				       IS_SEQUENCE); \
-			ret+=ASN1_object_size(1,v,mtag); \
-			}
-
-#define M_ASN1_I2D_len_EXP_SEQUENCE_opt_type(type,a,f,mtag,tag,v) \
-		if ((a != NULL) && (sk_##type##_num(a) != 0))\
-			{ \
-			v=i2d_ASN1_SET_OF_##type(a,NULL,f,tag, \
-						 V_ASN1_UNIVERSAL, \
-						 IS_SEQUENCE); \
-			ret+=ASN1_object_size(1,v,mtag); \
-			}
-
-/* Put Macros */
-#define M_ASN1_I2D_put(a,f)	f(a,&p)
-
-#define M_ASN1_I2D_put_IMP_opt(a,f,t)	\
-		if (a != NULL) \
-			{ \
-			unsigned char *q=p; \
-			f(a,&p); \
-			*q=(V_ASN1_CONTEXT_SPECIFIC|t|(*q&V_ASN1_CONSTRUCTED));\
-			}
-
-#define M_ASN1_I2D_put_SET(a,f) i2d_ASN1_SET(a,&p,f,V_ASN1_SET,\
-			V_ASN1_UNIVERSAL,IS_SET)
-#define M_ASN1_I2D_put_SET_type(type,a,f) \
-     i2d_ASN1_SET_OF_##type(a,&p,f,V_ASN1_SET,V_ASN1_UNIVERSAL,IS_SET)
-#define M_ASN1_I2D_put_IMP_SET(a,f,x) i2d_ASN1_SET(a,&p,f,x,\
-			V_ASN1_CONTEXT_SPECIFIC,IS_SET)
-#define M_ASN1_I2D_put_IMP_SET_type(type,a,f,x) \
-     i2d_ASN1_SET_OF_##type(a,&p,f,x,V_ASN1_CONTEXT_SPECIFIC,IS_SET)
-#define M_ASN1_I2D_put_IMP_SEQUENCE(a,f,x) i2d_ASN1_SET(a,&p,f,x,\
-			V_ASN1_CONTEXT_SPECIFIC,IS_SEQUENCE)
-
-#define M_ASN1_I2D_put_SEQUENCE(a,f) i2d_ASN1_SET(a,&p,f,V_ASN1_SEQUENCE,\
-					     V_ASN1_UNIVERSAL,IS_SEQUENCE)
-
-#define M_ASN1_I2D_put_SEQUENCE_type(type,a,f) \
-     i2d_ASN1_SET_OF_##type(a,&p,f,V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL, \
-			    IS_SEQUENCE)
-
-#define M_ASN1_I2D_put_SEQUENCE_opt(a,f) \
-		if ((a != NULL) && (sk_num(a) != 0)) \
-			M_ASN1_I2D_put_SEQUENCE(a,f);
-
-#define M_ASN1_I2D_put_IMP_SET_opt(a,f,x) \
-		if ((a != NULL) && (sk_num(a) != 0)) \
-			{ i2d_ASN1_SET(a,&p,f,x,V_ASN1_CONTEXT_SPECIFIC, \
-				       IS_SET); }
-
-#define M_ASN1_I2D_put_IMP_SET_opt_type(type,a,f,x) \
-		if ((a != NULL) && (sk_##type##_num(a) != 0)) \
-			{ i2d_ASN1_SET_OF_##type(a,&p,f,x, \
-						 V_ASN1_CONTEXT_SPECIFIC, \
-						 IS_SET); }
-
-#define M_ASN1_I2D_put_IMP_SEQUENCE_opt(a,f,x) \
-		if ((a != NULL) && (sk_num(a) != 0)) \
-			{ i2d_ASN1_SET(a,&p,f,x,V_ASN1_CONTEXT_SPECIFIC, \
-				       IS_SEQUENCE); }
-
-#define M_ASN1_I2D_put_IMP_SEQUENCE_opt_type(type,a,f,x) \
-		if ((a != NULL) && (sk_##type##_num(a) != 0)) \
-			{ i2d_ASN1_SET_OF_##type(a,&p,f,x, \
-						 V_ASN1_CONTEXT_SPECIFIC, \
-						 IS_SEQUENCE); }
-
-#define M_ASN1_I2D_put_EXP_opt(a,f,tag,v) \
-		if (a != NULL) \
-			{ \
-			ASN1_put_object(&p,1,v,tag,V_ASN1_CONTEXT_SPECIFIC); \
-			f(a,&p); \
-			}
-
-#define M_ASN1_I2D_put_EXP_SET_opt(a,f,mtag,tag,v) \
-		if ((a != NULL) && (sk_num(a) != 0)) \
-			{ \
-			ASN1_put_object(&p,1,v,mtag,V_ASN1_CONTEXT_SPECIFIC); \
-			i2d_ASN1_SET(a,&p,f,tag,V_ASN1_UNIVERSAL,IS_SET); \
-			}
-
-#define M_ASN1_I2D_put_EXP_SEQUENCE_opt(a,f,mtag,tag,v) \
-		if ((a != NULL) && (sk_num(a) != 0)) \
-			{ \
-			ASN1_put_object(&p,1,v,mtag,V_ASN1_CONTEXT_SPECIFIC); \
-			i2d_ASN1_SET(a,&p,f,tag,V_ASN1_UNIVERSAL,IS_SEQUENCE); \
-			}
-
-#define M_ASN1_I2D_put_EXP_SEQUENCE_opt_type(type,a,f,mtag,tag,v) \
-		if ((a != NULL) && (sk_##type##_num(a) != 0)) \
-			{ \
-			ASN1_put_object(&p,1,v,mtag,V_ASN1_CONTEXT_SPECIFIC); \
-			i2d_ASN1_SET_OF_##type(a,&p,f,tag,V_ASN1_UNIVERSAL, \
-					       IS_SEQUENCE); \
-			}
-
-#define M_ASN1_I2D_seq_total() \
-		r=ASN1_object_size(1,ret,V_ASN1_SEQUENCE); \
-		if (pp == NULL) return(r); \
-		p= *pp; \
-		ASN1_put_object(&p,1,ret,V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL)
-
-#define M_ASN1_I2D_INF_seq_start(tag,ctx) \
-		*(p++)=(V_ASN1_CONSTRUCTED|(tag)|(ctx)); \
-		*(p++)=0x80
-
-#define M_ASN1_I2D_INF_seq_end() *(p++)=0x00; *(p++)=0x00
-
-#define M_ASN1_I2D_finish()	*pp=p; \
-				return(r);
 
-OPENSSL_EXPORT int asn1_GetSequence(ASN1_const_CTX *c, long *length);
-OPENSSL_EXPORT void asn1_add_error(const unsigned char *address, int offset);
 #ifdef  __cplusplus
 }
 #endif
diff --git a/src/include/openssl/asn1t.h b/src/include/openssl/asn1t.h
index 72eb2cb..6c91134 100644
--- a/src/include/openssl/asn1t.h
+++ b/src/include/openssl/asn1t.h
@@ -58,7 +58,7 @@
 #ifndef HEADER_ASN1T_H
 #define HEADER_ASN1T_H
 
-#include <stddef.h>
+#include <openssl/base.h>
 #include <openssl/asn1.h>
 
 #ifdef OPENSSL_BUILD_SHLIBCRYPTO
diff --git a/src/include/openssl/base.h b/src/include/openssl/base.h
index d73f269..b769ad5 100644
--- a/src/include/openssl/base.h
+++ b/src/include/openssl/base.h
@@ -56,8 +56,8 @@
 
 /* This file should be the first included by all BoringSSL headers. */
 
+#include <stddef.h>
 #include <stdint.h>
-#include <stdlib.h>
 #include <sys/types.h>
 
 #include <openssl/opensslfeatures.h>
@@ -103,6 +103,11 @@ extern "C" {
 #define OPENSSL_WINDOWS
 #endif
 
+#if defined(TRUSTY)
+#define OPENSSL_TRUSTY
+#define OPENSSL_NO_THREADS
+#endif
+
 #define OPENSSL_IS_BORINGSSL
 #define OPENSSL_VERSION_NUMBER 0x10002000
 
@@ -132,6 +137,9 @@ extern "C" {
 
 #endif  /* defined(BORINGSSL_SHARED_LIBRARY) */
 
+/* CRYPTO_THREADID is a dummy value. */
+typedef int CRYPTO_THREADID;
+
 typedef int ASN1_BOOLEAN;
 typedef int ASN1_NULL;
 typedef struct ASN1_ITEM_st ASN1_ITEM;
@@ -174,7 +182,9 @@ typedef struct bn_mont_ctx_st BN_MONT_CTX;
 typedef struct buf_mem_st BUF_MEM;
 typedef struct cbb_st CBB;
 typedef struct cbs_st CBS;
+typedef struct cmac_ctx_st CMAC_CTX;
 typedef struct conf_st CONF;
+typedef struct conf_value_st CONF_VALUE;
 typedef struct dh_method DH_METHOD;
 typedef struct dh_st DH;
 typedef struct dsa_method DSA_METHOD;
@@ -198,6 +208,7 @@ typedef struct md5_state_st MD5_CTX;
 typedef struct pkcs8_priv_key_info_st PKCS8_PRIV_KEY_INFO;
 typedef struct pkcs12_st PKCS12;
 typedef struct rand_meth_st RAND_METHOD;
+typedef struct rc4_key_st RC4_KEY;
 typedef struct rsa_meth_st RSA_METHOD;
 typedef struct rsa_st RSA;
 typedef struct sha256_state_st SHA256_CTX;
diff --git a/src/include/openssl/bio.h b/src/include/openssl/bio.h
index 4d89d11..b70b42f 100644
--- a/src/include/openssl/bio.h
+++ b/src/include/openssl/bio.h
@@ -59,9 +59,9 @@
 
 #include <openssl/base.h>
 
-#include <stdarg.h>
 #include <stdio.h>  /* For FILE */
 
+#include <openssl/err.h> /* for ERR_print_errors_fp */
 #include <openssl/ex_data.h>
 #include <openssl/stack.h>
 
@@ -96,6 +96,9 @@ OPENSSL_EXPORT int BIO_free(BIO *bio);
  * TODO(fork): remove. */
 OPENSSL_EXPORT void BIO_vfree(BIO *bio);
 
+/* BIO_up_ref increments the reference count of |bio| and returns it. */
+OPENSSL_EXPORT BIO *BIO_up_ref(BIO *bio);
+
 
 /* Basic I/O. */
 
@@ -331,10 +334,6 @@ OPENSSL_EXPORT int BIO_indent(BIO *bio, unsigned indent, unsigned max_indent);
 OPENSSL_EXPORT int BIO_hexdump(BIO *bio, const uint8_t *data, size_t len,
                                unsigned indent);
 
-/* BIO_print_errors_fp prints the current contents of the error stack to |out|
- * using human readable strings where possible. */
-OPENSSL_EXPORT void BIO_print_errors_fp(FILE *out);
-
 /* BIO_print_errors prints the current contents of the error stack to |bio|
  * using human readable strings where possible. */
 OPENSSL_EXPORT void BIO_print_errors(BIO *bio);
@@ -652,7 +651,7 @@ OPENSSL_EXPORT int BIO_zero_copy_get_read_buf_done(BIO* bio, size_t bytes_read);
  * stack.
  *
  * The zero copy write operation is completed by calling
- * |BIO_zero_copy_write_buf_don|e. Neither |BIO_zero_copy_get_write_buf_done|
+ * |BIO_zero_copy_write_buf_done|. Neither |BIO_zero_copy_get_write_buf|
  * nor any other I/O write operation may be called while a zero copy write
  * operation is active. */
 OPENSSL_EXPORT int BIO_zero_copy_get_write_buf(BIO* bio,
@@ -693,8 +692,6 @@ OPENSSL_EXPORT int BIO_zero_copy_get_write_buf_done(BIO* bio,
 #define BIO_CTRL_INFO		3  /* opt - extra tit-bits */
 #define BIO_CTRL_SET		4  /* man - set the 'IO' type */
 #define BIO_CTRL_GET		5  /* man - get the 'IO' type */
-#define BIO_CTRL_PUSH		6  /* opt - internal, used to signify change */
-#define BIO_CTRL_POP		7  /* opt - internal, used to signify change */
 #define BIO_CTRL_GET_CLOSE	8  /* man - set the 'close' on free */
 #define BIO_CTRL_SET_CLOSE	9  /* man - set the 'close' on free */
 #define BIO_CTRL_PENDING	10  /* opt - is their more data buffered */
@@ -706,6 +703,14 @@ OPENSSL_EXPORT int BIO_zero_copy_get_write_buf_done(BIO* bio,
 #define BIO_CTRL_SET_FILENAME	30	/* BIO_s_file special */
 
 
+/* Android compatibility section.
+ *
+ * A previous version of BoringSSL used in Android renamed ERR_print_errors_fp
+ * to BIO_print_errors_fp. It has subsequently been renamed back to
+ * ERR_print_errors_fp. */
+#define BIO_print_errors_fp ERR_print_errors_fp
+
+
 /* Private functions */
 
 #define BIO_FLAGS_READ 0x01
@@ -779,17 +784,12 @@ struct bio_st {
   /* num is a BIO-specific value. For example, in fd BIOs it's used to store a
    * file descriptor. */
   int num;
-  /* TODO(fork): reference counting is only used by the SSL BIO code. If we can
-   * dump that then we can remove this. We could also drop
-   * BIO_CTRL_PUSH/BIO_CTRL_POP. */
   int references;
   void *ptr;
   /* next_bio points to the next |BIO| in a chain. This |BIO| owns a reference
    * to |next_bio|. */
   struct bio_st *next_bio; /* used by filter BIOs */
   size_t num_read, num_write;
-
-  CRYPTO_EX_DATA ex_data;
 };
 
 #define BIO_C_SET_CONNECT			100
@@ -854,43 +854,40 @@ struct bio_st {
 }  /* extern C */
 #endif
 
-#define BIO_F_bio_make_pair 100
-#define BIO_F_bio_ctrl 101
-#define BIO_F_buffer_ctrl 102
+#define BIO_F_BIO_callback_ctrl 100
+#define BIO_F_BIO_ctrl 101
+#define BIO_F_BIO_new 102
 #define BIO_F_BIO_new_file 103
-#define BIO_F_file_read 104
-#define BIO_F_BIO_new 105
-#define BIO_F_bio_io 106
-#define BIO_F_BIO_new_mem_buf 107
-#define BIO_F_mem_write 108
-#define BIO_F_conn_state 109
-#define BIO_F_conn_ctrl 110
-#define BIO_F_file_ctrl 111
-#define BIO_F_BIO_callback_ctrl 112
-#define BIO_F_bio_ip_and_port_to_socket_and_addr 113
-#define BIO_F_bio_write 114
-#define BIO_F_BIO_ctrl 115
-#define BIO_F_BIO_zero_copy_get_write_buf 116
-#define BIO_F_BIO_zero_copy_get_write_buf_done 117
-#define BIO_F_BIO_zero_copy_get_read_buf 118
-#define BIO_F_BIO_zero_copy_get_read_buf_done 119
-#define BIO_R_UNSUPPORTED_METHOD 100
-#define BIO_R_NO_PORT_SPECIFIED 101
-#define BIO_R_NO_HOSTNAME_SPECIFIED 102
-#define BIO_R_IN_USE 103
-#define BIO_R_UNINITIALIZED 104
-#define BIO_R_CONNECT_ERROR 105
+#define BIO_F_BIO_new_mem_buf 104
+#define BIO_F_BIO_zero_copy_get_read_buf 105
+#define BIO_F_BIO_zero_copy_get_read_buf_done 106
+#define BIO_F_BIO_zero_copy_get_write_buf 107
+#define BIO_F_BIO_zero_copy_get_write_buf_done 108
+#define BIO_F_bio_io 109
+#define BIO_F_bio_make_pair 110
+#define BIO_F_bio_write 111
+#define BIO_F_buffer_ctrl 112
+#define BIO_F_conn_ctrl 113
+#define BIO_F_conn_state 114
+#define BIO_F_file_ctrl 115
+#define BIO_F_file_read 116
+#define BIO_F_mem_write 117
+#define BIO_R_BAD_FOPEN_MODE 100
+#define BIO_R_BROKEN_PIPE 101
+#define BIO_R_CONNECT_ERROR 102
+#define BIO_R_ERROR_SETTING_NBIO 103
+#define BIO_R_INVALID_ARGUMENT 104
+#define BIO_R_IN_USE 105
 #define BIO_R_KEEPALIVE 106
-#define BIO_R_BROKEN_PIPE 107
-#define BIO_R_NBIO_CONNECT_ERROR 108
-#define BIO_R_BAD_FOPEN_MODE 109
-#define BIO_R_ASN1_OBJECT_TOO_LONG 110
-#define BIO_R_INVALID_ARGUMENT 111
-#define BIO_R_WRITE_TO_READ_ONLY_BIO 112
-#define BIO_R_ERROR_SETTING_NBIO 113
-#define BIO_R_SYS_LIB 114
-#define BIO_R_NO_SUCH_FILE 115
-#define BIO_R_NULL_PARAMETER 116
-#define BIO_R_UNABLE_TO_CREATE_SOCKET 117
+#define BIO_R_NBIO_CONNECT_ERROR 107
+#define BIO_R_NO_HOSTNAME_SPECIFIED 108
+#define BIO_R_NO_PORT_SPECIFIED 109
+#define BIO_R_NO_SUCH_FILE 110
+#define BIO_R_NULL_PARAMETER 111
+#define BIO_R_SYS_LIB 112
+#define BIO_R_UNABLE_TO_CREATE_SOCKET 113
+#define BIO_R_UNINITIALIZED 114
+#define BIO_R_UNSUPPORTED_METHOD 115
+#define BIO_R_WRITE_TO_READ_ONLY_BIO 116
 
 #endif  /* OPENSSL_HEADER_BIO_H */
diff --git a/src/include/openssl/blowfish.h b/src/include/openssl/blowfish.h
new file mode 100644
index 0000000..fa60d53
--- /dev/null
+++ b/src/include/openssl/blowfish.h
@@ -0,0 +1,93 @@
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.] */
+
+#ifndef OPENSSL_HEADER_BLOWFISH_H
+#define OPENSSL_HEADER_BLOWFISH_H
+
+#include <openssl/base.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+
+#define BF_ENCRYPT 1
+#define BF_DECRYPT 0
+
+#define BF_ROUNDS 16
+#define BF_BLOCK 8
+
+typedef struct bf_key_st {
+  uint32_t P[BF_ROUNDS + 2];
+  uint32_t S[4 * 256];
+} BF_KEY;
+
+OPENSSL_EXPORT void BF_set_key(BF_KEY *key, size_t len, const uint8_t *data);
+OPENSSL_EXPORT void BF_encrypt(uint32_t *data, const BF_KEY *key);
+OPENSSL_EXPORT void BF_decrypt(uint32_t *data, const BF_KEY *key);
+
+OPENSSL_EXPORT void BF_ecb_encrypt(const uint8_t *in, uint8_t *out,
+                                   const BF_KEY *key, int enc);
+OPENSSL_EXPORT void BF_cbc_encrypt(const uint8_t *in, uint8_t *out, long length,
+                                   const BF_KEY *schedule, uint8_t *ivec,
+                                   int enc);
+
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif  /* OPENSSL_HEADER_BLOWFISH_H */
diff --git a/src/include/openssl/bn.h b/src/include/openssl/bn.h
index 0631b8c..2cd0224 100644
--- a/src/include/openssl/bn.h
+++ b/src/include/openssl/bn.h
@@ -124,7 +124,9 @@
 #define OPENSSL_HEADER_BN_H
 
 #include <openssl/base.h>
+#include <openssl/thread.h>
 
+#include <inttypes.h>  /* for PRIu64 and friends */
 #include <stdio.h>  /* for FILE* */
 
 #if defined(__cplusplus)
@@ -137,13 +139,24 @@ extern "C" {
  * will allow you to work with numbers until you run out of memory. */
 
 
-/* BN_ULONG is the native word size when working with big integers. */
+/* BN_ULONG is the native word size when working with big integers.
+ *
+ * Note: on some platforms, inttypes.h does not define print format macros in
+ * C++ unless |__STDC_FORMAT_MACROS| defined. As this is a public header, bn.h
+ * does not define |__STDC_FORMAT_MACROS| itself. C++ source files which use the
+ * FMT macros must define it externally. */
 #if defined(OPENSSL_64_BIT)
 #define BN_ULONG uint64_t
 #define BN_BITS2 64
+#define BN_DEC_FMT1	"%" PRIu64
+#define BN_DEC_FMT2	"%019" PRIu64
+#define BN_HEX_FMT1	"%" PRIx64
 #elif defined(OPENSSL_32_BIT)
 #define BN_ULONG uint32_t
 #define BN_BITS2 32
+#define BN_DEC_FMT1	"%" PRIu32
+#define BN_DEC_FMT2	"%09" PRIu32
+#define BN_HEX_FMT1	"%" PRIx32
 #else
 #error "Must define either OPENSSL_32_BIT or OPENSSL_64_BIT"
 #endif
@@ -473,7 +486,8 @@ OPENSSL_EXPORT BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w);
   BN_div(NULL, (rem), (numerator), (divisor), (ctx))
 
 /* BN_nnmod is a non-negative modulo function. It acts like |BN_mod|, but 0 <=
- * |rem| < |divisor| is always true. */
+ * |rem| < |divisor| is always true. It returns one on success and zero on
+ * error. */
 OPENSSL_EXPORT int BN_nnmod(BIGNUM *rem, const BIGNUM *numerator,
                             const BIGNUM *divisor, BN_CTX *ctx);
 
@@ -710,15 +724,13 @@ OPENSSL_EXPORT BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to,
 OPENSSL_EXPORT int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod,
                                    BN_CTX *ctx);
 
-/* BN_MONT_CTX_set_locked takes the lock indicated by |lock| and checks whether
- * |*pmont| is NULL. If so, it creates a new |BN_MONT_CTX| and sets the modulus
- * for it to |mod|. It then stores it as |*pmont| and returns it, or NULL on
- * error.
+/* BN_MONT_CTX_set_locked takes |lock| and checks whether |*pmont| is NULL. If
+ * so, it creates a new |BN_MONT_CTX| and sets the modulus for it to |mod|. It
+ * then stores it as |*pmont| and returns it, or NULL on error.
  *
  * If |*pmont| is already non-NULL then the existing value is returned. */
-OPENSSL_EXPORT BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont,
-                                                   int lock, const BIGNUM *mod,
-                                                   BN_CTX *ctx);
+BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, CRYPTO_MUTEX *lock,
+                                    const BIGNUM *mod, BN_CTX *bn_ctx);
 
 /* BN_to_montgomery sets |ret| equal to |a| in the Montgomery domain. It
  * returns one on success and zero on error. */
@@ -815,47 +827,47 @@ OPENSSL_EXPORT BIGNUM *get_rfc3526_prime_1536(BIGNUM *bn);
 }  /* extern C */
 #endif
 
-#define BN_F_BN_bn2hex 100
-#define BN_F_BN_new 101
-#define BN_F_BN_exp 102
-#define BN_F_mod_exp_recp 103
-#define BN_F_BN_mod_sqrt 104
-#define BN_F_BN_rand 105
-#define BN_F_BN_rand_range 106
-#define BN_F_bn_wexpand 107
-#define BN_F_BN_mod_exp_mont 108
-#define BN_F_BN_mod_exp2_mont 109
-#define BN_F_BN_CTX_get 110
-#define BN_F_BN_mod_inverse 111
-#define BN_F_BN_bn2dec 112
-#define BN_F_BN_div 113
-#define BN_F_BN_div_recp 114
-#define BN_F_BN_mod_exp_mont_consttime 115
-#define BN_F_BN_mod_exp_mont_word 116
-#define BN_F_BN_CTX_start 117
-#define BN_F_BN_usub 118
-#define BN_F_BN_mod_lshift_quick 119
-#define BN_F_BN_CTX_new 120
-#define BN_F_BN_mod_inverse_no_branch 121
-#define BN_F_BN_generate_dsa_nonce 122
-#define BN_F_BN_generate_prime_ex 123
-#define BN_F_BN_sqrt 124
-#define BN_R_NOT_A_SQUARE 100
-#define BN_R_TOO_MANY_ITERATIONS 101
-#define BN_R_INPUT_NOT_REDUCED 102
-#define BN_R_TOO_MANY_TEMPORARY_VARIABLES 103
-#define BN_R_NO_INVERSE 104
-#define BN_R_NOT_INITIALIZED 105
-#define BN_R_DIV_BY_ZERO 106
-#define BN_R_CALLED_WITH_EVEN_MODULUS 107
-#define BN_R_EXPAND_ON_STATIC_BIGNUM_DATA 108
-#define BN_R_BAD_RECIPROCAL 109
-#define BN_R_P_IS_NOT_PRIME 110
-#define BN_R_INVALID_RANGE 111
-#define BN_R_ARG2_LT_ARG3 112
-#define BN_R_BIGNUM_TOO_LONG 113
-#define BN_R_PRIVATE_KEY_TOO_LARGE 114
-#define BN_R_BITS_TOO_SMALL 115
-#define BN_R_NEGATIVE_NUMBER 116
+#define BN_F_BN_CTX_get 100
+#define BN_F_BN_CTX_new 101
+#define BN_F_BN_CTX_start 102
+#define BN_F_BN_bn2dec 103
+#define BN_F_BN_bn2hex 104
+#define BN_F_BN_div 105
+#define BN_F_BN_div_recp 106
+#define BN_F_BN_exp 107
+#define BN_F_BN_generate_dsa_nonce 108
+#define BN_F_BN_generate_prime_ex 109
+#define BN_F_BN_mod_exp2_mont 110
+#define BN_F_BN_mod_exp_mont 111
+#define BN_F_BN_mod_exp_mont_consttime 112
+#define BN_F_BN_mod_exp_mont_word 113
+#define BN_F_BN_mod_inverse 114
+#define BN_F_BN_mod_inverse_no_branch 115
+#define BN_F_BN_mod_lshift_quick 116
+#define BN_F_BN_mod_sqrt 117
+#define BN_F_BN_new 118
+#define BN_F_BN_rand 119
+#define BN_F_BN_rand_range 120
+#define BN_F_BN_sqrt 121
+#define BN_F_BN_usub 122
+#define BN_F_bn_wexpand 123
+#define BN_F_mod_exp_recp 124
+#define BN_R_ARG2_LT_ARG3 100
+#define BN_R_BAD_RECIPROCAL 101
+#define BN_R_BIGNUM_TOO_LONG 102
+#define BN_R_BITS_TOO_SMALL 103
+#define BN_R_CALLED_WITH_EVEN_MODULUS 104
+#define BN_R_DIV_BY_ZERO 105
+#define BN_R_EXPAND_ON_STATIC_BIGNUM_DATA 106
+#define BN_R_INPUT_NOT_REDUCED 107
+#define BN_R_INVALID_RANGE 108
+#define BN_R_NEGATIVE_NUMBER 109
+#define BN_R_NOT_A_SQUARE 110
+#define BN_R_NOT_INITIALIZED 111
+#define BN_R_NO_INVERSE 112
+#define BN_R_PRIVATE_KEY_TOO_LARGE 113
+#define BN_R_P_IS_NOT_PRIME 114
+#define BN_R_TOO_MANY_ITERATIONS 115
+#define BN_R_TOO_MANY_TEMPORARY_VARIABLES 116
 
 #endif  /* OPENSSL_HEADER_BN_H */
diff --git a/src/include/openssl/buf.h b/src/include/openssl/buf.h
index 0a0a9b8..2b36ce4 100644
--- a/src/include/openssl/buf.h
+++ b/src/include/openssl/buf.h
@@ -116,8 +116,8 @@ OPENSSL_EXPORT size_t BUF_strlcat(char *dst, const char *src, size_t size);
 #endif
 
 #define BUF_F_BUF_MEM_new 100
-#define BUF_F_buf_mem_grow 101
+#define BUF_F_BUF_memdup 101
 #define BUF_F_BUF_strndup 102
-#define BUF_F_BUF_memdup 103
+#define BUF_F_buf_mem_grow 103
 
 #endif  /* OPENSSL_HEADER_BUFFER_H */
diff --git a/src/include/openssl/bytestring.h b/src/include/openssl/bytestring.h
index 2bff3f5..e10621a 100644
--- a/src/include/openssl/bytestring.h
+++ b/src/include/openssl/bytestring.h
@@ -47,7 +47,7 @@ OPENSSL_EXPORT void CBS_init(CBS *cbs, const uint8_t *data, size_t len);
  * otherwise. */
 OPENSSL_EXPORT int CBS_skip(CBS *cbs, size_t len);
 
-/* CBS_data returns a pointer to the contains of |cbs|. */
+/* CBS_data returns a pointer to the contents of |cbs|. */
 OPENSSL_EXPORT const uint8_t *CBS_data(const CBS *cbs);
 
 /* CBS_len returns the number of bytes remaining in |cbs|. */
@@ -134,7 +134,7 @@ OPENSSL_EXPORT int CBS_get_u24_length_prefixed(CBS *cbs, CBS *out);
  * element must match |tag_value|. It returns one on success and zero
  * on error.
  *
- * Tag numbers greater than 31 are not supported. */
+ * Tag numbers greater than 30 are not supported (i.e. short form only). */
 OPENSSL_EXPORT int CBS_get_asn1(CBS *cbs, CBS *out, unsigned tag_value);
 
 /* CBS_get_asn1_element acts like |CBS_get_asn1| but |out| will include the
@@ -155,7 +155,7 @@ OPENSSL_EXPORT int CBS_peek_asn1_tag(const CBS *cbs, unsigned tag_value);
  * header. Each of |out|, |out_tag|, and |out_header_len| may be NULL to ignore
  * the value.
  *
- * Tag numbers greater than 31 are not supported. */
+ * Tag numbers greater than 30 are not supported (i.e. short form only). */
 OPENSSL_EXPORT int CBS_get_any_asn1_element(CBS *cbs, CBS *out,
                                             unsigned *out_tag,
                                             size_t *out_header_len);
@@ -287,7 +287,9 @@ OPENSSL_EXPORT int CBB_add_u24_length_prefixed(CBB *cbb, CBB *out_contents);
 
 /* CBB_add_asn sets |*out_contents| to a |CBB| into which the contents of an
  * ASN.1 object can be written. The |tag| argument will be used as the tag for
- * the object. It returns one on success or zero on error. */
+ * the object. Passing in |tag| number 31 will return in an error since only
+ * single octet identifiers are supported. It returns one on success or zero
+ * on error. */
 OPENSSL_EXPORT int CBB_add_asn1(CBB *cbb, CBB *out_contents, uint8_t tag);
 
 /* CBB_add_bytes appends |len| bytes from |data| to |cbb|. It returns one on
diff --git a/src/include/openssl/cast.h b/src/include/openssl/cast.h
new file mode 100644
index 0000000..8021723
--- /dev/null
+++ b/src/include/openssl/cast.h
@@ -0,0 +1,96 @@
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.] */
+
+#ifndef OPENSSL_HEADER_CAST_H
+#define OPENSSL_HEADER_CAST_H
+
+#include <openssl/base.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+
+#define CAST_ENCRYPT 1
+#define CAST_DECRYPT 0
+
+#define CAST_BLOCK 8
+#define CAST_KEY_LENGTH 16
+
+typedef struct cast_key_st {
+  uint32_t data[32];
+  int short_key; /* Use reduced rounds for short key */
+} CAST_KEY;
+
+OPENSSL_EXPORT void CAST_set_key(CAST_KEY *key, size_t len,
+                                 const uint8_t *data);
+OPENSSL_EXPORT void CAST_ecb_encrypt(const uint8_t *in, uint8_t *out,
+                                     const CAST_KEY *key, int enc);
+OPENSSL_EXPORT void CAST_encrypt(uint32_t *data, const CAST_KEY *key);
+OPENSSL_EXPORT void CAST_decrypt(uint32_t *data, const CAST_KEY *key);
+OPENSSL_EXPORT void CAST_cbc_encrypt(const uint8_t *in, uint8_t *out,
+                                     long length, const CAST_KEY *ks,
+                                     uint8_t *iv, int enc);
+
+OPENSSL_EXPORT void CAST_cfb64_encrypt(const uint8_t *in, uint8_t *out,
+                                       long length, const CAST_KEY *schedule,
+                                       uint8_t *ivec, int *num, int enc);
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif  /* OPENSSL_HEADER_CAST_H */
diff --git a/src/include/openssl/cipher.h b/src/include/openssl/cipher.h
index adca5a9..f1469a0 100644
--- a/src/include/openssl/cipher.h
+++ b/src/include/openssl/cipher.h
@@ -80,10 +80,12 @@ OPENSSL_EXPORT const EVP_CIPHER *EVP_des_ede3_cbc(void);
 OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_128_ecb(void);
 OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_128_cbc(void);
 OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_128_ctr(void);
+OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_128_ofb(void);
 
 OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_256_ecb(void);
 OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_256_cbc(void);
 OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_256_ctr(void);
+OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_256_ofb(void);
 
 /* Deprecated AES-GCM implementations that set |EVP_CIPH_FLAG_CUSTOM_CIPHER|.
  * Use |EVP_aead_aes_128_gcm| and |EVP_aead_aes_256_gcm| instead. */
@@ -91,9 +93,9 @@ OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_128_gcm(void);
 OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_256_gcm(void);
 
 /* Deprecated 192-bit version of AES. */
+OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_192_ecb(void);
 OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_192_cbc(void);
 OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_192_ctr(void);
-OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_192_ecb(void);
 OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_192_gcm(void);
 
 /* EVP_enc_null returns a 'cipher' that passes plaintext through as
@@ -123,8 +125,8 @@ OPENSSL_EXPORT void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx);
  * |EVP_CIPHER_CTX_init| and returns it, or NULL on allocation failure. */
 OPENSSL_EXPORT EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void);
 
-/* EVP_CIPHER_CTX_cleanup frees any memory referenced by |ctx|. It returns one
- * on success and zero otherwise. */
+/* EVP_CIPHER_CTX_cleanup frees any memory referenced by |ctx|. It returns
+ * one. */
 OPENSSL_EXPORT int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *ctx);
 
 /* EVP_CIPHER_CTX_free calls |EVP_CIPHER_CTX_cleanup| on |ctx| and then frees
@@ -236,7 +238,8 @@ OPENSSL_EXPORT const EVP_CIPHER *EVP_CIPHER_CTX_cipher(
     const EVP_CIPHER_CTX *ctx);
 
 /* EVP_CIPHER_CTX_nid returns a NID identifying the |EVP_CIPHER| underlying
- * |ctx| (e.g. |NID_rc4|). It will crash if no cipher has been configured. */
+ * |ctx| (e.g. |NID_aes_128_gcm|). It will crash if no cipher has been
+ * configured. */
 OPENSSL_EXPORT int EVP_CIPHER_CTX_nid(const EVP_CIPHER_CTX *ctx);
 
 /* EVP_CIPHER_CTX_block_size returns the block size, in bytes, of the cipher
@@ -289,13 +292,9 @@ OPENSSL_EXPORT int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *ctx, unsigned k
 /* Cipher accessors. */
 
 /* EVP_CIPHER_nid returns a NID identifing |cipher|. (For example,
- * |NID_rc4|.) */
+ * |NID_aes_128_gcm|.) */
 OPENSSL_EXPORT int EVP_CIPHER_nid(const EVP_CIPHER *cipher);
 
-/* EVP_CIPHER_name returns the short name for |cipher| or NULL if no name is
- * known. */
-OPENSSL_EXPORT const char *EVP_CIPHER_name(const EVP_CIPHER *cipher);
-
 /* EVP_CIPHER_block_size returns the block size, in bytes, for |cipher|, or one
  * if |cipher| is a stream cipher. */
 OPENSSL_EXPORT unsigned EVP_CIPHER_block_size(const EVP_CIPHER *cipher);
@@ -491,7 +490,7 @@ typedef struct evp_cipher_info_st {
 } EVP_CIPHER_INFO;
 
 struct evp_cipher_st {
-  /* type contains a NID identifing the cipher. (For example, NID_rc4.) */
+  /* type contains a NID identifing the cipher. (e.g. NID_aes_128_gcm.) */
   int nid;
 
   /* block_size contains the block size, in bytes, of the cipher, or 1 for a
@@ -521,7 +520,7 @@ struct evp_cipher_st {
   int (*cipher)(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
                 size_t inl);
 
-  int (*cleanup)(EVP_CIPHER_CTX *);
+  void (*cleanup)(EVP_CIPHER_CTX *);
 
   int (*ctrl)(EVP_CIPHER_CTX *, int type, int arg, void *ptr);
 };
@@ -531,62 +530,65 @@ struct evp_cipher_st {
 }  /* extern C */
 #endif
 
-#define CIPHER_F_EVP_CipherInit_ex 100
-#define CIPHER_F_EVP_EncryptFinal_ex 101
-#define CIPHER_F_EVP_DecryptFinal_ex 102
-#define CIPHER_F_EVP_CIPHER_CTX_ctrl 103
-#define CIPHER_F_aes_init_key 104
-#define CIPHER_F_aesni_init_key 105
-#define CIPHER_F_EVP_CIPHER_CTX_copy 106
-#define CIPHER_F_EVP_AEAD_CTX_open 107
-#define CIPHER_F_EVP_AEAD_CTX_init 108
-#define CIPHER_F_EVP_AEAD_CTX_seal 109
-#define CIPHER_F_aead_aes_gcm_seal 110
-#define CIPHER_F_aead_aes_gcm_open 111
-#define CIPHER_F_aead_aes_gcm_init 112
-#define CIPHER_F_aead_chacha20_poly1305_init 113
-#define CIPHER_F_aead_chacha20_poly1305_open 114
-#define CIPHER_F_aead_chacha20_poly1305_seal 115
-#define CIPHER_F_aead_rc4_md5_tls_init 116
-#define CIPHER_F_aead_rc4_md5_tls_seal 117
-#define CIPHER_F_aead_rc4_md5_tls_open 118
-#define CIPHER_F_aead_aes_key_wrap_seal 119
-#define CIPHER_F_aead_aes_key_wrap_init 120
-#define CIPHER_F_aead_aes_key_wrap_open 121
-#define CIPHER_F_EVP_CIPHER_CTX_set_key_length 122
-#define CIPHER_F_aead_tls_init 123
-#define CIPHER_F_aead_tls_open 124
-#define CIPHER_F_aead_tls_seal 125
-#define CIPHER_F_aead_tls_ensure_cipher_init 126
-#define CIPHER_F_aead_ssl3_open 127
-#define CIPHER_F_aead_ssl3_seal 128
-#define CIPHER_F_aead_ssl3_init 129
-#define CIPHER_F_aead_ssl3_ensure_cipher_init 130
-#define CIPHER_R_WRAP_MODE_NOT_ALLOWED 100
-#define CIPHER_R_AES_KEY_SETUP_FAILED 101
-#define CIPHER_R_INPUT_NOT_INITIALIZED 102
-#define CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH 103
-#define CIPHER_R_INITIALIZATION_ERROR 104
-#define CIPHER_R_CTRL_NOT_IMPLEMENTED 105
-#define CIPHER_R_NO_CIPHER_SET 106
-#define CIPHER_R_BAD_DECRYPT 107
-#define CIPHER_R_WRONG_FINAL_BLOCK_LENGTH 108
-#define CIPHER_R_CTRL_OPERATION_NOT_IMPLEMENTED 109
-#define CIPHER_R_TAG_TOO_LARGE 110
-#define CIPHER_R_BAD_KEY_LENGTH 111
-#define CIPHER_R_BUFFER_TOO_SMALL 112
-#define CIPHER_R_OUTPUT_ALIASES_INPUT 113
-#define CIPHER_R_UNSUPPORTED_KEY_SIZE 114
-#define CIPHER_R_TOO_LARGE 115
-#define CIPHER_R_IV_TOO_LARGE 116
-#define CIPHER_R_INVALID_AD_SIZE 117
-#define CIPHER_R_INVALID_AD 118
-#define CIPHER_R_UNSUPPORTED_TAG_SIZE 119
-#define CIPHER_R_UNSUPPORTED_INPUT_SIZE 120
-#define CIPHER_R_UNSUPPORTED_AD_SIZE 121
-#define CIPHER_R_UNSUPPORTED_NONCE_SIZE 122
-#define CIPHER_R_INVALID_KEY_LENGTH 123
-#define CIPHER_R_INVALID_OPERATION 124
-#define CIPHER_R_INVALID_NONCE_SIZE 125
+#define CIPHER_F_EVP_AEAD_CTX_init 100
+#define CIPHER_F_EVP_AEAD_CTX_open 101
+#define CIPHER_F_EVP_AEAD_CTX_seal 102
+#define CIPHER_F_EVP_CIPHER_CTX_copy 103
+#define CIPHER_F_EVP_CIPHER_CTX_ctrl 104
+#define CIPHER_F_EVP_CIPHER_CTX_set_key_length 105
+#define CIPHER_F_EVP_CipherInit_ex 106
+#define CIPHER_F_EVP_DecryptFinal_ex 107
+#define CIPHER_F_EVP_EncryptFinal_ex 108
+#define CIPHER_F_aead_aes_gcm_init 109
+#define CIPHER_F_aead_aes_gcm_open 110
+#define CIPHER_F_aead_aes_gcm_seal 111
+#define CIPHER_F_aead_aes_key_wrap_init 112
+#define CIPHER_F_aead_aes_key_wrap_open 113
+#define CIPHER_F_aead_aes_key_wrap_seal 114
+#define CIPHER_F_aead_chacha20_poly1305_init 115
+#define CIPHER_F_aead_chacha20_poly1305_open 116
+#define CIPHER_F_aead_chacha20_poly1305_seal 117
+#define CIPHER_F_aead_rc4_md5_tls_init 118
+#define CIPHER_F_aead_rc4_md5_tls_open 119
+#define CIPHER_F_aead_rc4_md5_tls_seal 120
+#define CIPHER_F_aead_ssl3_ensure_cipher_init 121
+#define CIPHER_F_aead_ssl3_init 122
+#define CIPHER_F_aead_ssl3_open 123
+#define CIPHER_F_aead_ssl3_seal 124
+#define CIPHER_F_aead_tls_ensure_cipher_init 125
+#define CIPHER_F_aead_tls_init 126
+#define CIPHER_F_aead_tls_open 127
+#define CIPHER_F_aead_tls_seal 128
+#define CIPHER_F_aes_init_key 129
+#define CIPHER_F_aesni_init_key 130
+#define CIPHER_F_EVP_AEAD_CTX_init_with_direction 131
+#define CIPHER_F_aead_aes_ctr_hmac_sha256_init 132
+#define CIPHER_F_aead_aes_ctr_hmac_sha256_open 133
+#define CIPHER_F_aead_aes_ctr_hmac_sha256_seal 134
+#define CIPHER_R_AES_KEY_SETUP_FAILED 100
+#define CIPHER_R_BAD_DECRYPT 101
+#define CIPHER_R_BAD_KEY_LENGTH 102
+#define CIPHER_R_BUFFER_TOO_SMALL 103
+#define CIPHER_R_CTRL_NOT_IMPLEMENTED 104
+#define CIPHER_R_CTRL_OPERATION_NOT_IMPLEMENTED 105
+#define CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH 106
+#define CIPHER_R_INITIALIZATION_ERROR 107
+#define CIPHER_R_INPUT_NOT_INITIALIZED 108
+#define CIPHER_R_INVALID_AD_SIZE 109
+#define CIPHER_R_INVALID_KEY_LENGTH 110
+#define CIPHER_R_INVALID_NONCE_SIZE 111
+#define CIPHER_R_INVALID_OPERATION 112
+#define CIPHER_R_IV_TOO_LARGE 113
+#define CIPHER_R_NO_CIPHER_SET 114
+#define CIPHER_R_OUTPUT_ALIASES_INPUT 115
+#define CIPHER_R_TAG_TOO_LARGE 116
+#define CIPHER_R_TOO_LARGE 117
+#define CIPHER_R_UNSUPPORTED_AD_SIZE 118
+#define CIPHER_R_UNSUPPORTED_INPUT_SIZE 119
+#define CIPHER_R_UNSUPPORTED_KEY_SIZE 120
+#define CIPHER_R_UNSUPPORTED_NONCE_SIZE 121
+#define CIPHER_R_UNSUPPORTED_TAG_SIZE 122
+#define CIPHER_R_WRONG_FINAL_BLOCK_LENGTH 123
+#define CIPHER_R_NO_DIRECTION_SET 124
 
 #endif  /* OPENSSL_HEADER_CIPHER_H */
diff --git a/src/include/openssl/cmac.h b/src/include/openssl/cmac.h
new file mode 100644
index 0000000..183f41b
--- /dev/null
+++ b/src/include/openssl/cmac.h
@@ -0,0 +1,76 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CMAC_H
+#define OPENSSL_HEADER_CMAC_H
+
+#include <openssl/base.h>
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+/* CMAC.
+ *
+ * CMAC is a MAC based on AES-CBC and defined in
+ * https://tools.ietf.org/html/rfc4493#section-2.3. */
+
+
+/* One-shot functions. */
+
+/* AES_CMAC calculates the 16-byte, CMAC authenticator of |in_len| bytes of
+ * |in| and writes it to |out|. The |key_len| may be 16 or 32 bytes to select
+ * between AES-128 and AES-256. It returns one on success or zero on error. */
+OPENSSL_EXPORT int AES_CMAC(uint8_t out[16], const uint8_t *key, size_t key_len,
+                            const uint8_t *in, size_t in_len);
+
+
+/* Incremental interface. */
+
+/* CMAC_CTX_new allocates a fresh |CMAC_CTX| and returns it, or NULL on
+ * error. */
+OPENSSL_EXPORT CMAC_CTX *CMAC_CTX_new(void);
+
+/* CMAC_CTX_free frees a |CMAC_CTX|. */
+OPENSSL_EXPORT void CMAC_CTX_free(CMAC_CTX *ctx);
+
+/* CMAC_Init configures |ctx| to use the given |key| and |cipher|. The CMAC RFC
+ * only specifies the use of AES-128 thus |key_len| should be 16 and |cipher|
+ * should be |EVP_aes_128_cbc()|. However, this implementation also supports
+ * AES-256 by setting |key_len| to 32 and |cipher| to |EVP_aes_256_cbc()|. The
+ * |engine| argument is ignored.
+ *
+ * It returns one on success or zero on error. */
+OPENSSL_EXPORT int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t key_len,
+                             const EVP_CIPHER *cipher, ENGINE *engine);
+
+
+/* CMAC_Reset resets |ctx| so that a fresh message can be authenticated. */
+OPENSSL_EXPORT int CMAC_Reset(CMAC_CTX *ctx);
+
+/* CMAC_Update processes |in_len| bytes of message from |in|. It returns one on
+ * success or zero on error. */
+OPENSSL_EXPORT int CMAC_Update(CMAC_CTX *ctx, const uint8_t *in, size_t in_len);
+
+/* CMAC_Final sets |*out_len| to 16 and, if |out| is not NULL, writes 16 bytes
+ * of authenticator to it. It returns one on success or zero on error. */
+OPENSSL_EXPORT int CMAC_Final(CMAC_CTX *ctx, uint8_t *out, size_t *out_len);
+
+
+#if defined(__cplusplus)
+}  /* extern C */
+#endif
+
+#endif  /* OPENSSL_HEADER_CBC_H */
diff --git a/src/include/openssl/conf.h b/src/include/openssl/conf.h
index 0918c0c..84fc94f 100644
--- a/src/include/openssl/conf.h
+++ b/src/include/openssl/conf.h
@@ -79,19 +79,20 @@ extern "C" {
  *
  * Config files are representated by a |CONF|. */
 
-typedef struct {
+struct conf_value_st {
   char *section;
   char *name;
   char *value;
-} CONF_VALUE;
+};
 
 struct conf_st {
   LHASH_OF(CONF_VALUE) *data;
 };
 
 
-/* NCONF_new returns a fresh, empty |CONF|, or NULL on error. */
-CONF *NCONF_new(void);
+/* NCONF_new returns a fresh, empty |CONF|, or NULL on error. The |method|
+ * argument must be NULL. */
+CONF *NCONF_new(void *method);
 
 /* NCONF_free frees all the data owned by |conf| and then |conf| itself. */
 void NCONF_free(CONF *conf);
@@ -102,6 +103,10 @@ void NCONF_free(CONF *conf);
  * number of the line that contained the error. */
 int NCONF_load(CONF *conf, const char *filename, long *out_error_line);
 
+/* NCONF_load_bio acts like |NCONF_load| but reads from |bio| rather than from
+ * a named file. */
+int NCONF_load_bio(CONF *conf, BIO *bio, long *out_error_line);
+
 /* NCONF_get_section returns a stack of values for a given section in |conf|.
  * If |section| is NULL, the default section is returned. It returns NULL on
  * error. */
@@ -131,14 +136,14 @@ int CONF_parse_list(const char *list, char sep, int remove_whitespace,
 #endif
 
 #define CONF_F_CONF_parse_list 100
-#define CONF_F_str_copy 101
+#define CONF_F_NCONF_load 101
 #define CONF_F_def_load_bio 102
-#define CONF_F_NCONF_load 103
-#define CONF_R_MISSING_EQUAL_SIGN 100
-#define CONF_R_LIST_CANNOT_BE_NULL 101
-#define CONF_R_NO_CLOSE_BRACE 102
-#define CONF_R_VARIABLE_HAS_NO_VALUE 103
+#define CONF_F_str_copy 103
+#define CONF_R_LIST_CANNOT_BE_NULL 100
+#define CONF_R_MISSING_CLOSE_SQUARE_BRACKET 101
+#define CONF_R_MISSING_EQUAL_SIGN 102
+#define CONF_R_NO_CLOSE_BRACE 103
 #define CONF_R_UNABLE_TO_CREATE_NEW_SECTION 104
-#define CONF_R_MISSING_CLOSE_SQUARE_BRACKET 105
+#define CONF_R_VARIABLE_HAS_NO_VALUE 105
 
 #endif  /* OPENSSL_HEADER_THREAD_H */
diff --git a/src/include/openssl/cpu.h b/src/include/openssl/cpu.h
index 79441ae..83ec473 100644
--- a/src/include/openssl/cpu.h
+++ b/src/include/openssl/cpu.h
@@ -78,7 +78,6 @@ extern "C" {
  *   Index 0:
  *     EDX for CPUID where EAX = 1
  *     Bit 30 is used to indicate an Intel CPU
- *     Bit 20 is used to indicate RC4_CHAR
  *   Index 1:
  *     ECX for CPUID where EAX = 1
  *   Index 2:
diff --git a/src/include/openssl/crypto.h b/src/include/openssl/crypto.h
index e58d5f0..5c974f8 100644
--- a/src/include/openssl/crypto.h
+++ b/src/include/openssl/crypto.h
@@ -17,8 +17,11 @@
 
 #include <openssl/base.h>
 
+/* Upstream OpenSSL defines |OPENSSL_malloc|, etc., in crypto.h rather than
+ * mem.h. */
 #include <openssl/mem.h>
 
+
 #if defined(__cplusplus)
 extern "C" {
 #endif
@@ -32,6 +35,9 @@ extern "C" {
  * nothing and a static initializer is used instead. */
 OPENSSL_EXPORT void CRYPTO_library_init(void);
 
+
+/* Deprecated functions. */
+
 #define OPENSSL_VERSION_TEXT "BoringSSL"
 
 #define SSLEAY_VERSION 0
@@ -48,9 +54,9 @@ OPENSSL_EXPORT const char *SSLeay(void);
 }  /* extern C */
 #endif
 
-#define CRYPTO_F_CRYPTO_set_ex_data 100
-#define CRYPTO_F_get_class 101
-#define CRYPTO_F_get_new_index 102
+#define CRYPTO_F_CRYPTO_get_ex_new_index 100
+#define CRYPTO_F_CRYPTO_set_ex_data 101
+#define CRYPTO_F_get_class 102
 #define CRYPTO_F_get_func_pointers 103
 
 #endif  /* OPENSSL_HEADER_CRYPTO_H */
diff --git a/src/include/openssl/des.h b/src/include/openssl/des.h
index 1f0dbad..f3804c3 100644
--- a/src/include/openssl/des.h
+++ b/src/include/openssl/des.h
@@ -94,6 +94,10 @@ typedef struct DES_ks {
 OPENSSL_EXPORT void DES_set_key(const DES_cblock *key,
                                 DES_key_schedule *schedule);
 
+/* DES_set_odd_parity sets the parity bits (the least-significant bits in each
+ * byte) of |key| given the other bits in each byte. */
+OPENSSL_EXPORT void DES_set_odd_parity(DES_cblock *key);
+
 /* DES_ecb_encrypt encrypts (or decrypts, if |is_encrypt| is |DES_DECRYPT|) a
  * single DES block (8 bytes) from in to out, using the key configured in
  * |schedule|. */
@@ -108,6 +112,15 @@ OPENSSL_EXPORT void DES_ncbc_encrypt(const uint8_t *in, uint8_t *out,
                                      const DES_key_schedule *schedule,
                                      DES_cblock *ivec, int enc);
 
+/* DES_ecb3_encrypt encrypts (or decrypts, if |enc| is |DES_DECRYPT|) a single
+ * block (8 bytes) of data from |input| to |output| using 3DES. */
+OPENSSL_EXPORT void DES_ecb3_encrypt(const DES_cblock *input,
+                                     DES_cblock *output,
+                                     const DES_key_schedule *ks1,
+                                     const DES_key_schedule *ks2,
+                                     const DES_key_schedule *ks3,
+                                     int enc);
+
 /* DES_ede3_cbc_encrypt encrypts (or decrypts, if |enc| is |DES_DECRYPT|) |len|
  * bytes from |in| to |out| with 3DES in CBC mode. 3DES uses three keys, thus
  * the function takes three different |DES_key_schedule|s. */
diff --git a/src/include/openssl/dh.h b/src/include/openssl/dh.h
index 9d8bda2..60a030d 100644
--- a/src/include/openssl/dh.h
+++ b/src/include/openssl/dh.h
@@ -61,6 +61,7 @@
 
 #include <openssl/engine.h>
 #include <openssl/ex_data.h>
+#include <openssl/thread.h>
 
 #if defined(__cplusplus)
 extern "C" {
@@ -144,6 +145,10 @@ OPENSSL_EXPORT int DH_size(const DH *dh);
 #define DH_CHECK_INVALID_Q_VALUE 0x20
 #define DH_CHECK_INVALID_J_VALUE 0x40
 
+/* These are compatibility defines. */
+#define DH_NOT_SUITABLE_GENERATOR DH_CHECK_NOT_SUITABLE_GENERATOR
+#define DH_UNABLE_TO_CHECK_GENERATOR DH_CHECK_UNABLE_TO_CHECK_GENERATOR
+
 /* DH_check checks the suitability of |dh| as a Diffie-Hellman group. and sets
  * |DH_CHECK_*| flags in |*out_flags| if it finds any errors. It returns one if
  * |*out_flags| was successfully set and zero on error.
@@ -185,7 +190,7 @@ OPENSSL_EXPORT int i2d_DHparams(const DH *in, unsigned char **outp);
 
 /* ex_data functions.
  *
- * These functions are wrappers. See |ex_data.h| for details. */
+ * See |ex_data.h| for details. */
 
 OPENSSL_EXPORT int DH_get_ex_new_index(long argl, void *argp,
                                        CRYPTO_EX_new *new_func,
@@ -232,6 +237,8 @@ struct dh_st {
   /* priv_length contains the length, in bits, of the private value. If zero,
    * the private value will be the same length as |p|. */
   unsigned priv_length;
+
+  CRYPTO_MUTEX method_mont_p_lock;
   BN_MONT_CTX *method_mont_p;
 
   /* Place holders if we want to do X9.42 DH */
@@ -251,12 +258,12 @@ struct dh_st {
 }  /* extern C */
 #endif
 
-#define DH_F_generate_parameters 100
-#define DH_F_generate_key 101
-#define DH_F_compute_key 102
-#define DH_F_DH_new_method 103
-#define DH_R_INVALID_PUBKEY 100
-#define DH_R_BAD_GENERATOR 101
+#define DH_F_DH_new_method 100
+#define DH_F_compute_key 101
+#define DH_F_generate_key 102
+#define DH_F_generate_parameters 103
+#define DH_R_BAD_GENERATOR 100
+#define DH_R_INVALID_PUBKEY 101
 #define DH_R_MODULUS_TOO_LARGE 102
 #define DH_R_NO_PRIVATE_VALUE 103
 
diff --git a/src/include/openssl/digest.h b/src/include/openssl/digest.h
index 95a35e7..8285dce 100644
--- a/src/include/openssl/digest.h
+++ b/src/include/openssl/digest.h
@@ -171,12 +171,9 @@ OPENSSL_EXPORT int EVP_Digest(const void *data, size_t len, uint8_t *md_out,
  * These functions allow code to learn details about an abstract hash
  * function. */
 
-/* EVP_MD_type returns a NID identifing |md|. (For example, |NID_md5|.) */
+/* EVP_MD_type returns a NID identifing |md|. (For example, |NID_sha256|.) */
 OPENSSL_EXPORT int EVP_MD_type(const EVP_MD *md);
 
-/* EVP_MD_name returns the short name for |md| or NULL if no name is known. */
-OPENSSL_EXPORT const char *EVP_MD_name(const EVP_MD *md);
-
 /* EVP_MD_flags returns the flags for |md|, which is a set of |EVP_MD_FLAG_*|
  * values, ORed together. */
 OPENSSL_EXPORT uint32_t EVP_MD_flags(const EVP_MD *md);
@@ -224,7 +221,7 @@ OPENSSL_EXPORT unsigned EVP_MD_CTX_size(const EVP_MD_CTX *ctx);
 OPENSSL_EXPORT unsigned EVP_MD_CTX_block_size(const EVP_MD_CTX *ctx);
 
 /* EVP_MD_CTX_type returns a NID describing the digest function used by |ctx|.
- * (For example, |NID_md5|.) It will crash if a digest hasn't been set on
+ * (For example, |NID_sha256|.) It will crash if a digest hasn't been set on
  * |ctx|. */
 OPENSSL_EXPORT int EVP_MD_CTX_type(const EVP_MD_CTX *ctx);
 
diff --git a/src/include/openssl/dsa.h b/src/include/openssl/dsa.h
index 8a182c2..2271915 100644
--- a/src/include/openssl/dsa.h
+++ b/src/include/openssl/dsa.h
@@ -64,6 +64,7 @@
 
 #include <openssl/engine.h>
 #include <openssl/ex_data.h>
+#include <openssl/thread.h>
 
 #if defined(__cplusplus)
 extern "C" {
@@ -301,7 +302,7 @@ OPENSSL_EXPORT DH *DSA_dup_DH(const DSA *dsa);
 
 /* ex_data functions.
  *
- * These functions are wrappers. See |ex_data.h| for details. */
+ * See |ex_data.h| for details. */
 
 OPENSSL_EXPORT int DSA_get_ex_new_index(long argl, void *argp,
                                         CRYPTO_EX_new *new_func,
@@ -351,6 +352,7 @@ struct dsa_st {
 
   int flags;
   /* Normally used to cache montgomery values */
+  CRYPTO_MUTEX method_mont_p_lock;
   BN_MONT_CTX *method_mont_p;
   int references;
   CRYPTO_EX_DATA ex_data;
@@ -364,14 +366,14 @@ struct dsa_st {
 }  /* extern C */
 #endif
 
-#define DSA_F_sign 100
-#define DSA_F_verify 101
-#define DSA_F_dsa_sig_cb 102
-#define DSA_F_DSA_new_method 103
-#define DSA_F_sign_setup 104
-#define DSA_R_NEED_NEW_SETUP_VALUES 100
-#define DSA_R_BAD_Q_VALUE 101
+#define DSA_F_DSA_new_method 100
+#define DSA_F_dsa_sig_cb 101
+#define DSA_F_sign 102
+#define DSA_F_sign_setup 103
+#define DSA_F_verify 104
+#define DSA_R_BAD_Q_VALUE 100
+#define DSA_R_MISSING_PARAMETERS 101
 #define DSA_R_MODULUS_TOO_LARGE 102
-#define DSA_R_MISSING_PARAMETERS 103
+#define DSA_R_NEED_NEW_SETUP_VALUES 103
 
 #endif  /* OPENSSL_HEADER_DSA_H */
diff --git a/src/include/openssl/dtls1.h b/src/include/openssl/dtls1.h
index 0fc3ae6..38ca801 100644
--- a/src/include/openssl/dtls1.h
+++ b/src/include/openssl/dtls1.h
@@ -1,255 +1,16 @@
-/* ssl/dtls1.h */
-/* 
- * DTLS implementation written by Nagendra Modadugu
- * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
- */
-/* ====================================================================
- * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com). */
-
-#ifndef HEADER_DTLS1_H
-#define HEADER_DTLS1_H
-
-#include <openssl/base.h>
-#include <openssl/buf.h>
-#include <openssl/pqueue.h>
-
-#ifdef  __cplusplus
-extern "C" {
-#endif
-
-
-#define DTLS1_VERSION			0xFEFF
-#define DTLS1_2_VERSION			0xFEFD
-
-/* lengths of messages */
-#define DTLS1_COOKIE_LENGTH                     256
-
-#define DTLS1_RT_HEADER_LENGTH                  13
-
-#define DTLS1_HM_HEADER_LENGTH                  12
-
-#define DTLS1_HM_BAD_FRAGMENT                   -2
-#define DTLS1_HM_FRAGMENT_RETRY                 -3
-
-#define DTLS1_CCS_HEADER_LENGTH                  1
-
-#define DTLS1_AL_HEADER_LENGTH                   2
-
-#ifndef OPENSSL_NO_SSL_INTERN
-
-
-#if defined(OPENSSL_WINDOWS)
-/* Because of Windows header issues, we can't get the normal declaration of
- * timeval. */
-typedef struct OPENSSL_timeval_st {
-	long tv_sec;
-	long tv_usec;
-} OPENSSL_timeval;
-#else
-#include <sys/time.h>
-typedef struct timeval OPENSSL_timeval;
-#endif
-
-typedef struct dtls1_bitmap_st
-	{
-	/* map is a bit mask of the last 64 sequence numbers. Bit
-	 * |1<<i| corresponds to |max_seq_num - i|. */
-	uint64_t map;
-	/* max_seq_num is the largest sequence number seen so far. It
-	 * is a 64-bit value in big-endian encoding. */
-	uint8_t max_seq_num[8];
-	} DTLS1_BITMAP;
-
-struct dtls1_retransmit_state
-	{
-	SSL_AEAD_CTX *aead_write_ctx;
-	SSL_SESSION *session;
-	unsigned short epoch;
-	};
-
-struct hm_header_st
-	{
-	unsigned char type;
-	unsigned long msg_len;
-	unsigned short seq;
-	unsigned long frag_off;
-	unsigned long frag_len;
-	unsigned int is_ccs;
-	struct dtls1_retransmit_state saved_retransmit_state;
-	};
-
-struct ccs_header_st
-	{
-	unsigned char type;
-	unsigned short seq;
-	};
-
-struct dtls1_timeout_st
-	{
-	/* Number of read timeouts so far */
-	unsigned int read_timeouts;
-	
-	/* Number of write timeouts so far */
-	unsigned int write_timeouts;
-	
-	/* Number of alerts received so far */
-	unsigned int num_alerts;
-	};
-
-typedef struct record_pqueue_st
-	{
-	unsigned short epoch;
-	pqueue q;
-	} record_pqueue;
-
-typedef struct hm_fragment_st
-	{
-	struct hm_header_st msg_header;
-	unsigned char *fragment;
-	unsigned char *reassembly;
-	} hm_fragment;
-
-typedef struct dtls1_state_st
-	{
-	/* send_cookie is true if we are resending the ClientHello
-	 * with a cookie from a HelloVerifyRequest. */
-	unsigned int send_cookie;
-
-	uint8_t cookie[DTLS1_COOKIE_LENGTH];
-	size_t cookie_len;
-
-	/* 
-	 * The current data and handshake epoch.  This is initially
-	 * undefined, and starts at zero once the initial handshake is
-	 * completed 
-	 */
-	unsigned short r_epoch;
-	unsigned short w_epoch;
-
-	/* records being received in the current epoch */
-	DTLS1_BITMAP bitmap;
-
-	/* renegotiation starts a new set of sequence numbers */
-	DTLS1_BITMAP next_bitmap;
-
-	/* handshake message numbers */
-	unsigned short handshake_write_seq;
-	unsigned short next_handshake_write_seq;
-
-	unsigned short handshake_read_seq;
-
-	/* save last sequence number for retransmissions */
-	unsigned char last_write_sequence[8];
-
-	/* Received handshake records (processed and unprocessed) */
-	record_pqueue unprocessed_rcds;
-	record_pqueue processed_rcds;
-
-	/* Buffered handshake messages */
-	pqueue buffered_messages;
-
-	/* Buffered (sent) handshake records */
-	pqueue sent_messages;
-
-	/* Buffered application records.
-	 * Only for records between CCS and Finished
-	 * to prevent either protocol violation or
-	 * unnecessary message loss.
-	 */
-	record_pqueue buffered_app_data;
-
-	unsigned int mtu; /* max DTLS packet size */
-
-	struct hm_header_st w_msg_hdr;
-	struct hm_header_st r_msg_hdr;
-
-	struct dtls1_timeout_st timeout;
-
-	/* Indicates when the last handshake msg or heartbeat sent will
-	 * timeout. Because of header issues on Windows, this cannot actually
-	 * be a struct timeval. */
-	OPENSSL_timeval next_timeout;
-
-	/* Timeout duration */
-	unsigned short timeout_duration;
-
-	/* storage for Alert/Handshake protocol data received but not
-	 * yet processed by ssl3_read_bytes: */
-	unsigned char alert_fragment[DTLS1_AL_HEADER_LENGTH];
-	unsigned int alert_fragment_len;
-	unsigned char handshake_fragment[DTLS1_HM_HEADER_LENGTH];
-	unsigned int handshake_fragment_len;
-
-	unsigned int change_cipher_spec_ok;
-	} DTLS1_STATE;
-
-typedef struct dtls1_record_data_st
-	{
-	unsigned char *packet;
-	unsigned int   packet_length;
-	SSL3_BUFFER    rbuf;
-	SSL3_RECORD    rrec;
-	} DTLS1_RECORD_DATA;
-
-#endif
-
-/* Timeout multipliers (timeout slice is defined in apps/timeouts.h */
-#define DTLS1_TMO_READ_COUNT                      2
-#define DTLS1_TMO_WRITE_COUNT                     2
-
-#define DTLS1_TMO_ALERT_COUNT                     12
-
-#ifdef  __cplusplus
-}
-#endif
-#endif
-
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+/* This header is provided in order to make compiling against code that expects
+   OpenSSL easier. */
diff --git a/src/include/openssl/ec.h b/src/include/openssl/ec.h
index 2662c01..633b11b 100644
--- a/src/include/openssl/ec.h
+++ b/src/include/openssl/ec.h
@@ -107,10 +107,6 @@ OPENSSL_EXPORT EC_GROUP *EC_GROUP_new_by_curve_name(int nid);
 /* EC_GROUP_free frees |group| and the data that it points to. */
 OPENSSL_EXPORT void EC_GROUP_free(EC_GROUP *group);
 
-/* EC_GROUP_copy sets |*dest| equal to |*src|. It returns one on success and
- * zero otherwise. */
-OPENSSL_EXPORT int EC_GROUP_copy(EC_GROUP *dest, const EC_GROUP *src);
-
 /* EC_GROUP_dup returns a fresh |EC_GROUP| which is equal to |a| or NULL on
  * error. */
 OPENSSL_EXPORT EC_GROUP *EC_GROUP_dup(const EC_GROUP *a);
@@ -319,91 +315,99 @@ OPENSSL_EXPORT void EC_GROUP_set_point_conversion_form(
 }  /* extern C */
 #endif
 
-#define EC_F_ec_pre_comp_new 100
-#define EC_F_ec_GFp_mont_field_decode 101
-#define EC_F_ec_group_new_from_data 102
-#define EC_F_ec_GFp_simple_point_get_affine_coordinates 103
-#define EC_F_ec_GFp_simple_make_affine 104
-#define EC_F_EC_KEY_new_method 105
-#define EC_F_ec_GFp_mont_field_encode 106
-#define EC_F_EC_GROUP_new_by_curve_name 107
-#define EC_F_ec_group_new 108
-#define EC_F_ec_asn1_group2pkparameters 109
-#define EC_F_EC_POINT_set_compressed_coordinates_GFp 110
-#define EC_F_ec_GFp_mont_field_sqr 111
-#define EC_F_EC_POINT_make_affine 112
-#define EC_F_i2d_ECParameters 113
-#define EC_F_ec_wNAF_mul 114
-#define EC_F_EC_GROUP_copy 115
-#define EC_F_EC_POINT_cmp 116
-#define EC_F_ec_GFp_mont_field_mul 117
-#define EC_F_EC_POINT_dup 118
-#define EC_F_EC_POINT_invert 119
-#define EC_F_ec_GFp_simple_point_set_affine_coordinates 120
-#define EC_F_ec_GFp_simple_points_make_affine 121
-#define EC_F_i2o_ECPublicKey 122
-#define EC_F_EC_KEY_check_key 123
-#define EC_F_ec_wNAF_precompute_mult 124
-#define EC_F_EC_POINT_oct2point 125
-#define EC_F_EC_POINT_is_at_infinity 126
-#define EC_F_EC_POINT_get_affine_coordinates_GFp 127
-#define EC_F_ec_point_set_Jprojective_coordinates_GFp 128
-#define EC_F_o2i_ECPublicKey 129
-#define EC_F_ec_GFp_mont_field_set_to_one 130
-#define EC_F_ec_group_new_curve_GFp 131
-#define EC_F_EC_POINT_dbl 132
-#define EC_F_ec_asn1_pkparameters2group 133
-#define EC_F_i2d_ECPKParameters 134
-#define EC_F_EC_KEY_copy 135
-#define EC_F_EC_POINT_new 136
-#define EC_F_EC_POINT_point2oct 137
-#define EC_F_EC_POINT_copy 138
-#define EC_F_EC_POINT_is_on_curve 139
-#define EC_F_ec_GFp_simple_group_set_curve 140
-#define EC_F_i2d_ECPrivateKey 141
-#define EC_F_d2i_ECParameters 142
-#define EC_F_ec_GFp_mont_group_set_curve 143
-#define EC_F_EC_POINT_set_to_infinity 144
-#define EC_F_EC_POINTs_make_affine 145
-#define EC_F_compute_wNAF 146
-#define EC_F_ec_GFp_simple_point2oct 147
-#define EC_F_EC_GROUP_get_degree 148
-#define EC_F_ec_GFp_simple_group_check_discriminant 149
-#define EC_F_d2i_ECPKParameters 150
-#define EC_F_d2i_ECPrivateKey 151
-#define EC_F_ec_GFp_simple_oct2point 152
-#define EC_F_EC_POINT_set_affine_coordinates_GFp 153
-#define EC_F_EC_KEY_set_public_key_affine_coordinates 154
-#define EC_F_EC_KEY_generate_key 155
-#define EC_F_ec_GFp_simple_set_compressed_coordinates 156
-#define EC_F_EC_POINT_add 157
-#define EC_F_EC_GROUP_get_curve_GFp 158
-#define EC_R_PKPARAMETERS2GROUP_FAILURE 100
-#define EC_R_NON_NAMED_CURVE 101
-#define EC_R_COORDINATES_OUT_OF_RANGE 102
-#define EC_R_POINT_AT_INFINITY 103
-#define EC_R_NOT_INITIALIZED 104
-#define EC_R_MISSING_PRIVATE_KEY 105
-#define EC_R_GROUP2PKPARAMETERS_FAILURE 106
-#define EC_R_INVALID_ENCODING 107
-#define EC_R_BUFFER_TOO_SMALL 108
-#define EC_R_D2I_ECPKPARAMETERS_FAILURE 109
-#define EC_R_INVALID_FORM 110
-#define EC_R_INVALID_PRIVATE_KEY 111
-#define EC_R_INVALID_COMPRESSED_POINT 112
-#define EC_R_MISSING_PARAMETERS 113
-#define EC_R_INVALID_FIELD 114
-#define EC_R_INVALID_COMPRESSION_BIT 115
-#define EC_R_GF2M_NOT_SUPPORTED 116
-#define EC_R_POINT_IS_NOT_ON_CURVE 117
-#define EC_R_UNKNOWN_ORDER 118
-#define EC_R_UNKNOWN_GROUP 119
-#define EC_R_WRONG_ORDER 120
-#define EC_R_UNDEFINED_GENERATOR 121
-#define EC_R_INCOMPATIBLE_OBJECTS 122
-#define EC_R_I2D_ECPKPARAMETERS_FAILURE 123
-#define EC_R_EC_GROUP_NEW_BY_NAME_FAILURE 124
-#define EC_R_INVALID_GROUP_ORDER 125
-#define EC_R_SLOT_FULL 126
+#define EC_F_EC_GROUP_copy 100
+#define EC_F_EC_GROUP_get_curve_GFp 101
+#define EC_F_EC_GROUP_get_degree 102
+#define EC_F_EC_GROUP_new_by_curve_name 103
+#define EC_F_EC_KEY_check_key 104
+#define EC_F_EC_KEY_copy 105
+#define EC_F_EC_KEY_generate_key 106
+#define EC_F_EC_KEY_new_method 107
+#define EC_F_EC_KEY_set_public_key_affine_coordinates 108
+#define EC_F_EC_POINT_add 109
+#define EC_F_EC_POINT_cmp 110
+#define EC_F_EC_POINT_copy 111
+#define EC_F_EC_POINT_dbl 112
+#define EC_F_EC_POINT_dup 113
+#define EC_F_EC_POINT_get_affine_coordinates_GFp 114
+#define EC_F_EC_POINT_invert 115
+#define EC_F_EC_POINT_is_at_infinity 116
+#define EC_F_EC_POINT_is_on_curve 117
+#define EC_F_EC_POINT_make_affine 118
+#define EC_F_EC_POINT_new 119
+#define EC_F_EC_POINT_oct2point 120
+#define EC_F_EC_POINT_point2oct 121
+#define EC_F_EC_POINT_set_affine_coordinates_GFp 122
+#define EC_F_EC_POINT_set_compressed_coordinates_GFp 123
+#define EC_F_EC_POINT_set_to_infinity 124
+#define EC_F_EC_POINTs_make_affine 125
+#define EC_F_compute_wNAF 126
+#define EC_F_d2i_ECPKParameters 127
+#define EC_F_d2i_ECParameters 128
+#define EC_F_d2i_ECPrivateKey 129
+#define EC_F_ec_GFp_mont_field_decode 130
+#define EC_F_ec_GFp_mont_field_encode 131
+#define EC_F_ec_GFp_mont_field_mul 132
+#define EC_F_ec_GFp_mont_field_set_to_one 133
+#define EC_F_ec_GFp_mont_field_sqr 134
+#define EC_F_ec_GFp_mont_group_set_curve 135
+#define EC_F_ec_GFp_simple_group_check_discriminant 136
+#define EC_F_ec_GFp_simple_group_set_curve 137
+#define EC_F_ec_GFp_simple_make_affine 138
+#define EC_F_ec_GFp_simple_oct2point 139
+#define EC_F_ec_GFp_simple_point2oct 140
+#define EC_F_ec_GFp_simple_point_get_affine_coordinates 141
+#define EC_F_ec_GFp_simple_point_set_affine_coordinates 142
+#define EC_F_ec_GFp_simple_points_make_affine 143
+#define EC_F_ec_GFp_simple_set_compressed_coordinates 144
+#define EC_F_ec_asn1_group2pkparameters 145
+#define EC_F_ec_asn1_pkparameters2group 146
+#define EC_F_ec_group_new 147
+#define EC_F_ec_group_new_curve_GFp 148
+#define EC_F_ec_group_new_from_data 149
+#define EC_F_ec_point_set_Jprojective_coordinates_GFp 150
+#define EC_F_ec_pre_comp_new 151
+#define EC_F_ec_wNAF_mul 152
+#define EC_F_ec_wNAF_precompute_mult 153
+#define EC_F_i2d_ECPKParameters 154
+#define EC_F_i2d_ECParameters 155
+#define EC_F_i2d_ECPrivateKey 156
+#define EC_F_i2o_ECPublicKey 157
+#define EC_F_o2i_ECPublicKey 158
+#define EC_F_BN_to_felem 159
+#define EC_F_ec_GFp_nistp256_group_set_curve 160
+#define EC_F_ec_GFp_nistp256_point_get_affine_coordinates 161
+#define EC_F_ec_GFp_nistp256_points_mul 162
+#define EC_F_ec_group_copy 163
+#define EC_F_nistp256_pre_comp_new 164
+#define EC_F_EC_KEY_new_by_curve_name 165
+#define EC_R_BUFFER_TOO_SMALL 100
+#define EC_R_COORDINATES_OUT_OF_RANGE 101
+#define EC_R_D2I_ECPKPARAMETERS_FAILURE 102
+#define EC_R_EC_GROUP_NEW_BY_NAME_FAILURE 103
+#define EC_R_GROUP2PKPARAMETERS_FAILURE 104
+#define EC_R_I2D_ECPKPARAMETERS_FAILURE 105
+#define EC_R_INCOMPATIBLE_OBJECTS 106
+#define EC_R_INVALID_COMPRESSED_POINT 107
+#define EC_R_INVALID_COMPRESSION_BIT 108
+#define EC_R_INVALID_ENCODING 109
+#define EC_R_INVALID_FIELD 110
+#define EC_R_INVALID_FORM 111
+#define EC_R_INVALID_GROUP_ORDER 112
+#define EC_R_INVALID_PRIVATE_KEY 113
+#define EC_R_MISSING_PARAMETERS 114
+#define EC_R_MISSING_PRIVATE_KEY 115
+#define EC_R_NON_NAMED_CURVE 116
+#define EC_R_NOT_INITIALIZED 117
+#define EC_R_PKPARAMETERS2GROUP_FAILURE 118
+#define EC_R_POINT_AT_INFINITY 119
+#define EC_R_POINT_IS_NOT_ON_CURVE 120
+#define EC_R_SLOT_FULL 121
+#define EC_R_UNDEFINED_GENERATOR 122
+#define EC_R_UNKNOWN_GROUP 123
+#define EC_R_UNKNOWN_ORDER 124
+#define EC_R_WRONG_ORDER 125
+#define EC_R_BIGNUM_OUT_OF_RANGE 126
+#define EC_R_WRONG_CURVE_PARAMETERS 127
 
 #endif  /* OPENSSL_HEADER_EC_H */
diff --git a/src/include/openssl/ec_key.h b/src/include/openssl/ec_key.h
index 115c0cd..ee64030 100644
--- a/src/include/openssl/ec_key.h
+++ b/src/include/openssl/ec_key.h
@@ -79,7 +79,7 @@ extern "C" {
 #endif
 
 
-/* ec_key.h conatins functions that handle elliptic-curve points that are
+/* ec_key.h contains functions that handle elliptic-curve points that are
  * public/private keys. */
 
 
diff --git a/src/include/openssl/ecdh.h b/src/include/openssl/ecdh.h
index 46cf839..27a8578 100644
--- a/src/include/openssl/ecdh.h
+++ b/src/include/openssl/ecdh.h
@@ -96,8 +96,8 @@ OPENSSL_EXPORT int ECDH_compute_key(void *out, size_t outlen,
 #endif
 
 #define ECDH_F_ECDH_compute_key 100
-#define ECDH_R_POINT_ARITHMETIC_FAILURE 100
-#define ECDH_R_KDF_FAILED 101
-#define ECDH_R_NO_PRIVATE_VALUE 102
+#define ECDH_R_KDF_FAILED 100
+#define ECDH_R_NO_PRIVATE_VALUE 101
+#define ECDH_R_POINT_ARITHMETIC_FAILURE 102
 
 #endif  /* OPENSSL_HEADER_ECDH_H */
diff --git a/src/include/openssl/ecdsa.h b/src/include/openssl/ecdsa.h
index f3ff49f..e045463 100644
--- a/src/include/openssl/ecdsa.h
+++ b/src/include/openssl/ecdsa.h
@@ -107,17 +107,13 @@ OPENSSL_EXPORT ECDSA_SIG *ECDSA_SIG_new(void);
 OPENSSL_EXPORT void ECDSA_SIG_free(ECDSA_SIG *sig);
 
 /* ECDSA_sign signs |digest_len| bytes from |digest| with |key| and returns the
- * resulting signature structure, or NULL on error.
- *
- * TODO(fork): remove this function. */
+ * resulting signature structure, or NULL on error. */
 OPENSSL_EXPORT ECDSA_SIG *ECDSA_do_sign(const uint8_t *digest,
                                         size_t digest_len, EC_KEY *key);
 
 /* ECDSA_verify verifies that |sig| constitutes a valid signature by |key| of
  * |digest|. It returns one on success or zero if the signature is invalid or
- * on error.
- *
- * TODO(fork): remove this function. */
+ * on error. */
 OPENSSL_EXPORT int ECDSA_do_verify(const uint8_t *digest, size_t digest_len,
                                    const ECDSA_SIG *sig, EC_KEY *key);
 
@@ -172,16 +168,15 @@ OPENSSL_EXPORT int i2d_ECDSA_SIG(const ECDSA_SIG *sig, uint8_t **outp);
 }  /* extern C */
 #endif
 
-#define ECDSA_F_digest_to_bn 100
+#define ECDSA_F_ECDSA_do_sign_ex 100
 #define ECDSA_F_ECDSA_do_verify 101
-#define ECDSA_F_ECDSA_sign_setup 102
-#define ECDSA_F_ECDSA_do_sign_ex 103
-#define ECDSA_F_ECDSA_sign_ex 104
-#define ECDSA_F_ecdsa_sign_setup 105
-#define ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED 100
-#define ECDSA_R_NEED_NEW_SETUP_VALUES 101
-#define ECDSA_R_MISSING_PARAMETERS 102
-#define ECDSA_R_BAD_SIGNATURE 103
-#define ECDSA_R_NOT_IMPLEMENTED 104
+#define ECDSA_F_ECDSA_sign_ex 102
+#define ECDSA_F_digest_to_bn 103
+#define ECDSA_F_ecdsa_sign_setup 104
+#define ECDSA_R_BAD_SIGNATURE 100
+#define ECDSA_R_MISSING_PARAMETERS 101
+#define ECDSA_R_NEED_NEW_SETUP_VALUES 102
+#define ECDSA_R_NOT_IMPLEMENTED 103
+#define ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED 104
 
 #endif  /* OPENSSL_HEADER_ECDSA_H */
diff --git a/src/include/openssl/engine.h b/src/include/openssl/engine.h
index 4a4f37d..da242f6 100644
--- a/src/include/openssl/engine.h
+++ b/src/include/openssl/engine.h
@@ -78,12 +78,14 @@ OPENSSL_EXPORT ECDSA_METHOD *ENGINE_get_ECDSA_method(const ENGINE *engine);
  * These functions take a void* type but actually operate on all method
  * structures. */
 
-/* METHOD_ref increments the reference count of |method|. */
-OPENSSL_EXPORT void METHOD_ref(void *method);
+/* METHOD_ref increments the reference count of |method|. This is a no-op for
+ * now because all methods are currently static. */
+void METHOD_ref(void *method);
 
 /* METHOD_unref decrements the reference count of |method| and frees it if the
- * reference count drops to zero. */
-OPENSSL_EXPORT void METHOD_unref(void *method);
+ * reference count drops to zero. This is a no-op for now because all methods
+ * are currently static. */
+void METHOD_unref(void *method);
 
 
 /* Private functions. */
diff --git a/src/include/openssl/err.h b/src/include/openssl/err.h
index c749659..e591534 100644
--- a/src/include/openssl/err.h
+++ b/src/include/openssl/err.h
@@ -109,9 +109,9 @@
 #ifndef OPENSSL_HEADER_ERR_H
 #define OPENSSL_HEADER_ERR_H
 
+#include <stdio.h>
+
 #include <openssl/base.h>
-#include <openssl/thread.h>
-#include <openssl/lhash.h>
 
 #if defined(__cplusplus)
 extern "C" {
@@ -142,16 +142,18 @@ extern "C" {
 
 /* Startup and shutdown. */
 
-/* ERR_load_crypto_strings initialises the error string hash with builtin
- * values. If this is not called then the string forms of errors produced by
- * the functions below will contain numeric identifiers rather than
- * human-readable strings. */
+/* ERR_load_BIO_strings does nothing.
+ *
+ * TODO(fork): remove. libjingle calls this. */
+OPENSSL_EXPORT void ERR_load_BIO_strings(void);
+
+/* ERR_load_ERR_strings does nothing. */
+OPENSSL_EXPORT void ERR_load_ERR_strings(void);
+
+/* ERR_load_crypto_strings does nothing. */
 OPENSSL_EXPORT void ERR_load_crypto_strings(void);
 
-/* ERR_free_strings frees any memory retained by the error system, expect for
- * per-thread structures which are assumed to have already been freed with
- * |ERR_remove_thread_state|. This should only be called at process
- * shutdown. */
+/* ERR_free_strings does nothing. */
 OPENSSL_EXPORT void ERR_free_strings(void);
 
 
@@ -257,13 +259,21 @@ OPENSSL_EXPORT void ERR_print_errors_cb(ERR_print_errors_callback_t callback,
                                         void *ctx);
 
 
+/* ERR_print_errors_fp prints the current contents of the error stack to |file|
+ * using human readable strings where possible. */
+OPENSSL_EXPORT void ERR_print_errors_fp(FILE *file);
+
 /* Clearing errors. */
 
 /* ERR_clear_error clears the error queue for the current thread. */
 OPENSSL_EXPORT void ERR_clear_error(void);
 
-/* ERR_remove_thread_state deletes the error queue for the given thread. If
- * |tid| is NULL then the error queue for the current thread is deleted. */
+/* ERR_remove_thread_state clears the error queue for the current thread if
+ * |tid| is NULL. Otherwise it does nothing because it's no longer possible to
+ * delete the error queue for other threads.
+ *
+ * Error queues are thread-local data and are deleted automatically. You do not
+ * need to call this function. See |ERR_clear_error|. */
 OPENSSL_EXPORT void ERR_remove_thread_state(const CRYPTO_THREADID *tid);
 
 
@@ -357,9 +367,6 @@ struct err_error_st {
 
 /* ERR_STATE contains the per-thread, error queue. */
 typedef struct err_state_st {
-  /* tid is the identifier of the thread that owns this queue. */
-  CRYPTO_THREADID tid;
-
   /* errors contains the ERR_NUM_ERRORS most recent errors, organised as a ring
    * buffer. */
   struct err_error_st errors[ERR_NUM_ERRORS];
@@ -474,40 +481,6 @@ enum {
 #define ERR_GET_FUNC(packed_error) ((int)(((packed_error) >> 12) & 0xfff))
 #define ERR_GET_REASON(packed_error) ((int)((packed_error) & 0xfff))
 
-/* ERR_STRING_DATA is the type of an lhash node that contains a mapping from a
- * library, function or reason code to a string representation of it. */
-typedef struct err_string_data_st {
-  uint32_t error;
-  const char *string;
-} ERR_STRING_DATA;
-
-/* ERR_load_strings loads an array of ERR_STRING_DATA into the hash table. The
- * array must be terminated by an entry with a NULL string. */
-OPENSSL_EXPORT void ERR_load_strings(const ERR_STRING_DATA *str);
-
-/* ERR_FNS_st is a structure of function pointers that contains the actual
- * implementation of the error queue handling functions. */
-struct ERR_FNS_st {
-  void (*shutdown)(void (*err_state_free_cb)(ERR_STATE*));
-  ERR_STRING_DATA *(*get_item)(uint32_t packed_error);
-  ERR_STRING_DATA *(*set_item)(const ERR_STRING_DATA *);
-  ERR_STRING_DATA *(*del_item)(uint32_t packed_error);
-
-  /* get_state returns the ERR_STATE for the current thread. This function
-   * never returns NULL. */
-  ERR_STATE *(*get_state)(void);
-
-  /* release_state returns the |ERR_STATE| for the given thread, or NULL if
-   * none exists. It the return value is not NULL, it also returns ownership of
-   * the |ERR_STATE| and deletes it from its data structures. */
-  ERR_STATE *(*release_state)(const CRYPTO_THREADID *tid);
-
-  /* get_next_library returns a unique value suitable for passing as the
-   * |library| to error calls. It will be distinct from all built-in library
-   * values. */
-  int (*get_next_library)(void);
-};
-
 /* OPENSSL_DECLARE_ERROR_REASON is used by util/make_errors.h (which generates
  * the error defines) to recognise that an additional reason value is needed.
  * This is needed when the reason value is used outside of an
@@ -522,11 +495,6 @@ struct ERR_FNS_st {
  * ${lib}_F_${reason}. */
 #define OPENSSL_DECLARE_ERROR_FUNCTION(lib, function_name)
 
-/* ERR_load_BIO_strings does nothing.
- *
- * TODO(fork): remove. libjingle calls this. */
-OPENSSL_EXPORT void ERR_load_BIO_strings(void);
-
 
 /* Android compatibility section.
  *
diff --git a/src/include/openssl/evp.h b/src/include/openssl/evp.h
index 39da689..54ad4be 100644
--- a/src/include/openssl/evp.h
+++ b/src/include/openssl/evp.h
@@ -58,7 +58,6 @@
 #define OPENSSL_HEADER_EVP_H
 
 #include <openssl/base.h>
-#include <openssl/stack.h>
 
 /* OpenSSL included digest and cipher functions in this header so we include
  * them for users that still expect that.
@@ -67,9 +66,7 @@
 #include <openssl/aead.h>
 #include <openssl/cipher.h>
 #include <openssl/digest.h>
-#include <openssl/mem.h>
 #include <openssl/obj.h>
-#include <openssl/thread.h>
 
 #if defined(__cplusplus)
 extern "C" {
@@ -89,6 +86,9 @@ OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_new(void);
  * itself. */
 OPENSSL_EXPORT void EVP_PKEY_free(EVP_PKEY *pkey);
 
+/* EVP_PKEY_up_ref increments the reference count of |pkey| and returns it. */
+OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_up_ref(EVP_PKEY *pkey);
+
 /* EVP_PKEY_is_opaque returns one if |pkey| is opaque. Opaque keys are backed by
  * custom implementations which do not expose key material and parameters. It is
  * an error to attempt to duplicate, export, or compare an opaque key. */
@@ -107,10 +107,6 @@ OPENSSL_EXPORT int EVP_PKEY_supports_digest(const EVP_PKEY *pkey,
  * function. */
 OPENSSL_EXPORT int EVP_PKEY_cmp(const EVP_PKEY *a, const EVP_PKEY *b);
 
-/* EVP_PKEY_dup adds one to the reference count of |pkey| and returns
- * |pkey|. */
-OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_dup(EVP_PKEY *pkey);
-
 /* EVP_PKEY_copy_parameters sets the parameters of |to| to equal the parameters
  * of |from|. It returns one on success and zero on error. */
 OPENSSL_EXPORT int EVP_PKEY_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from);
@@ -119,12 +115,15 @@ OPENSSL_EXPORT int EVP_PKEY_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from);
  * parameters or zero if not, or if the algorithm doesn't take parameters. */
 OPENSSL_EXPORT int EVP_PKEY_missing_parameters(const EVP_PKEY *pkey);
 
-/* EVP_PKEY_size returns the "size", in bytes, of |pkey|. For example, for an
- * RSA key this returns the number of bytes needed to represent the modulus. */
+/* EVP_PKEY_size returns the maximum size, in bytes, of a signature signed by
+ * |pkey|. For an RSA key, this returns the number of bytes needed to represent
+ * the modulus. For an EC key, this returns the maximum size of a DER-encoded
+ * ECDSA signature. */
 OPENSSL_EXPORT int EVP_PKEY_size(const EVP_PKEY *pkey);
 
-/* EVP_PKEY_bits returns the "size", in bits, of |pkey|. For example, for an
- * RSA key, this returns the bit length of the modulus. */
+/* EVP_PKEY_bits returns the "size", in bits, of |pkey|. For an RSA key, this
+ * returns the bit length of the modulus. For an EC key, this returns the bit
+ * length of the group order. */
 OPENSSL_EXPORT int EVP_PKEY_bits(EVP_PKEY *pkey);
 
 /* EVP_PKEY_id returns the type of |pkey|, which is one of the |EVP_PKEY_*|
@@ -444,18 +443,6 @@ OPENSSL_EXPORT void EVP_PKEY_CTX_set_app_data(EVP_PKEY_CTX *ctx, void *data);
  * set. */
 OPENSSL_EXPORT void *EVP_PKEY_CTX_get_app_data(EVP_PKEY_CTX *ctx);
 
-/* EVP_PKEY_CTX_ctrl performs |cmd| on |ctx|. The |keytype| and |optype|
- * arguments can be -1 to specify that any type and operation are acceptable,
- * otherwise |keytype| must match the type of |ctx| and the bits of |optype|
- * must intersect the operation flags set on |ctx|.
- *
- * The |p1| and |p2| arguments depend on the value of |cmd|.
- *
- * It returns -2 if |cmd| is not recognised, -1 on error or a |cmd| specific
- * value otherwise. */
-OPENSSL_EXPORT int EVP_PKEY_CTX_ctrl(EVP_PKEY_CTX *ctx, int keytype, int optype,
-                                     int cmd, int p1, void *p2);
-
 /* EVP_PKEY_sign_init initialises an |EVP_PKEY_CTX| for a signing operation. It
  * should be called before |EVP_PKEY_sign|.
  *
@@ -569,64 +556,28 @@ OPENSSL_EXPORT int EVP_PKEY_keygen_init(EVP_PKEY_CTX *ctx);
 OPENSSL_EXPORT int EVP_PKEY_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey);
 
 
-/* EVP_PKEY_CTX_ctrl operations.
- *
- * These values are passed as the |cmd| argument to
- * EVP_PKEY_CTX_ctrl */
-
-/* Generic. */
+/* Generic control functions. */
 
 /* EVP_PKEY_CTX_set_signature_md sets |md| as the digest to be used in a
- * signature operation. It returns one on success or otherwise on error. See
- * the return values of |EVP_PKEY_CTX_ctrl| for details. */
+ * signature operation. It returns one on success or zero on error. */
 OPENSSL_EXPORT int EVP_PKEY_CTX_set_signature_md(EVP_PKEY_CTX *ctx,
                                                  const EVP_MD *md);
 
 /* EVP_PKEY_CTX_get_signature_md sets |*out_md| to the digest to be used in a
- * signature operation. It returns one on success or otherwise on error. See
- * the return values of |EVP_PKEY_CTX_ctrl| for details. */
+ * signature operation. It returns one on success or zero on error. */
 OPENSSL_EXPORT int EVP_PKEY_CTX_get_signature_md(EVP_PKEY_CTX *ctx,
                                                  const EVP_MD **out_md);
 
-/* EVP_PKEY_CTRL_DIGESTINIT is an internal value. It's called by
- * EVP_DigestInit_ex to signal the |EVP_PKEY| that a digest operation is
- * starting. */
-#define EVP_PKEY_CTRL_DIGESTINIT 3
-
-/* EVP_PKEY_CTRL_PEER_KEY is called with different values of |p1|:
- *   0: Is called from |EVP_PKEY_derive_set_peer| and |p2| contains a peer key.
- *      If the return value is <= 0, the key is rejected.
- *   1: Is called at the end of |EVP_PKEY_derive_set_peer| and |p2| contains a
- *      peer key. If the return value is <= 0, the key is rejected.
- *   2: Is called with |p2| == NULL to test whether the peer's key was used.
- *      (EC)DH always return one in this case.
- *   3: Is called with |p2| == NULL to set whether the peer's key was used.
- *      (EC)DH always return one in this case. This was only used for GOST. */
-#define EVP_PKEY_CTRL_PEER_KEY 4
-
-/* EVP_PKEY_CTRL_SET_MAC_KEY sets a MAC key. For example, this can be done an
- * |EVP_PKEY_CTX| prior to calling |EVP_PKEY_keygen| in order to generate an
- * HMAC |EVP_PKEY| with the given key. It returns one on success and zero on
- * error. */
-#define EVP_PKEY_CTRL_SET_MAC_KEY 5
-
-/* EVP_PKEY_ALG_CTRL is the base value from which key-type specific ctrl
- * commands are numbered. */
-#define EVP_PKEY_ALG_CTRL 0x1000
-
 
 /* RSA specific control functions. */
 
 /* EVP_PKEY_CTX_set_rsa_padding sets the padding type to use. It should be one
- * of the |RSA_*_PADDING| values. Returns one on success or another value on
- * error. See |EVP_PKEY_CTX_ctrl| for the other return values, which are
- * non-standard. */
+ * of the |RSA_*_PADDING| values. Returns one on success or zero on error. */
 OPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int padding);
 
 /* EVP_PKEY_CTX_get_rsa_padding sets |*out_padding| to the current padding
  * value, which is one of the |RSA_*_PADDING| values. Returns one on success or
- * another value on error. See |EVP_PKEY_CTX_ctrl| for the other return values,
- * which are non-standard. */
+ * zero on error. */
 OPENSSL_EXPORT int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx,
                                                 int *out_padding);
 
@@ -635,8 +586,7 @@ OPENSSL_EXPORT int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx,
  * in the signature. A value of -2 causes the salt to be the maximum length
  * that will fit. Otherwise the value gives the size of the salt in bytes.
  *
- * Returns one on success or another value on error. See |EVP_PKEY_CTX_ctrl|
- * for the other return values, which are non-standard. */
+ * Returns one on success or zero on error. */
 OPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx,
                                                     int salt_len);
 
@@ -645,68 +595,68 @@ OPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx,
  * |EVP_PKEY_CTX_set_rsa_pss_saltlen| for details of the special values that it
  * can take.
  *
- * Returns one on success or another value on error. See |EVP_PKEY_CTX_ctrl|
- * for the other return values, which are non-standard. */
+ * Returns one on success or zero on error. */
 OPENSSL_EXPORT int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx,
                                                     int *out_salt_len);
 
 /* EVP_PKEY_CTX_set_rsa_keygen_bits sets the size of the desired RSA modulus,
- * in bits, for key generation. Returns one on success or another value on
- * error. See |EVP_PKEY_CTX_ctrl| for the other return values, which are
- * non-standard. */
+ * in bits, for key generation. Returns one on success or zero on
+ * error. */
 OPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx,
                                                     int bits);
 
 /* EVP_PKEY_CTX_set_rsa_keygen_pubexp sets |e| as the public exponent for key
- * generation. Returns one on success or another value on error. See
- * |EVP_PKEY_CTX_ctrl| for the other return values, which are non-standard. */
+ * generation. Returns one on success or zero on error. */
 OPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx,
                                                       BIGNUM *e);
 
 /* EVP_PKEY_CTX_set_rsa_oaep_md sets |md| as the digest used in OAEP padding.
- * Returns one on success or another value on error. See |EVP_PKEY_CTX_ctrl|
- * for the other return values, which are non-standard. */
+ * Returns one on success or zero on error. */
 OPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *ctx,
                                                 const EVP_MD *md);
 
 /* EVP_PKEY_CTX_get_rsa_oaep_md sets |*out_md| to the digest function used in
- * OAEP padding. Returns one on success or another value on error. See
- * |EVP_PKEY_CTX_ctrl| for the other return values, which are non-standard. */
+ * OAEP padding. Returns one on success or zero on error. */
 OPENSSL_EXPORT int EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx,
                                                 const EVP_MD **out_md);
 
 /* EVP_PKEY_CTX_set_rsa_mgf1_md sets |md| as the digest used in MGF1. Returns
- * one on success or another value on error. See |EVP_PKEY_CTX_ctrl| for the
- * other return values, which are non-standard. */
+ * one on success or zero on error. */
 OPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX *ctx,
                                                 const EVP_MD *md);
 
 /* EVP_PKEY_CTX_get_rsa_mgf1_md sets |*out_md| to the digest function used in
- * MGF1. Returns one on success or another value on error. See
- * |EVP_PKEY_CTX_ctrl| for the other return values, which are non-standard. */
+ * MGF1. Returns one on success or zero on error. */
 OPENSSL_EXPORT int EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX *ctx,
                                                 const EVP_MD **out_md);
 
 /* EVP_PKEY_CTX_set0_rsa_oaep_label sets |label_len| bytes from |label| as the
- * label used in OAEP. DANGER: this call takes ownership of |label| and will
- * call |free| on it when |ctx| is destroyed.
+ * label used in OAEP. DANGER: On success, this call takes ownership of |label|
+ * and will call |OPENSSL_free| on it when |ctx| is destroyed.
  *
- * Returns one on success or another value on error. See |EVP_PKEY_CTX_ctrl|
- * for the other return values, which are non-standard. */
+ * Returns one on success or zero on error. */
 OPENSSL_EXPORT int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx,
                                                     const uint8_t *label,
                                                     size_t label_len);
 
 /* EVP_PKEY_CTX_get0_rsa_oaep_label sets |*out_label| to point to the internal
  * buffer containing the OAEP label (which may be NULL) and returns the length
- * of the label or a negative value on error. */
+ * of the label or a negative value on error.
+ *
+ * WARNING: the return value differs from the usual return value convention. */
 OPENSSL_EXPORT int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx,
                                                     const uint8_t **out_label);
 
 
-/* EC specific */
+/* Deprecated functions. */
 
-#define EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID		(EVP_PKEY_ALG_CTRL + 1)
+/* EVP_PKEY_dup adds one to the reference count of |pkey| and returns
+ * |pkey|.
+ *
+ * WARNING: this is a |_dup| function that doesn't actually duplicate! Use
+ * |EVP_PKEY_up_ref| if you want to increment the reference count without
+ * confusion. */
+OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_dup(EVP_PKEY *pkey);
 
 
 /* Private functions */
@@ -734,9 +684,6 @@ struct evp_pkey_st {
    * which element (if any) of the |pkey| union is valid. */
   int type;
 
-  /* TODO(fork): document */
-  int save_type;
-
   union {
     char *ptr;
     struct rsa_st *rsa; /* RSA */
@@ -745,16 +692,9 @@ struct evp_pkey_st {
     struct ec_key_st *ec; /* ECC */
   } pkey;
 
-  ENGINE *engine;
-
-  /* TODO(fork): document */
-  int save_parameters;
   /* ameth contains a pointer to a method table that contains many ASN.1
    * methods for the key type. */
   const EVP_PKEY_ASN1_METHOD *ameth;
-
-  /* TODO(fork): document; */
-  STACK_OF(X509_ATTRIBUTE) * attributes; /* [ 0 ] */
 } /* EVP_PKEY */;
 
 
@@ -762,105 +702,105 @@ struct evp_pkey_st {
 }  /* extern C */
 #endif
 
-#define EVP_F_rsa_item_verify 100
-#define EVP_F_do_sigver_init 101
-#define EVP_F_eckey_priv_decode 102
-#define EVP_F_pkey_ec_sign 103
-#define EVP_F_EVP_PKEY_sign_init 104
-#define EVP_F_d2i_PrivateKey 105
-#define EVP_F_rsa_priv_encode 106
-#define EVP_F_rsa_mgf1_to_md 107
-#define EVP_F_EVP_PKEY_get1_DH 108
-#define EVP_F_EVP_PKEY_sign 109
-#define EVP_F_old_ec_priv_decode 110
-#define EVP_F_EVP_PKEY_get1_RSA 111
-#define EVP_F_pkey_ec_ctrl 112
-#define EVP_F_evp_pkey_ctx_new 113
-#define EVP_F_EVP_PKEY_verify 114
-#define EVP_F_EVP_PKEY_encrypt 115
+#define EVP_F_EVP_PKEY_derive_init 108
+#define EVP_F_EVP_PKEY_encrypt 110
+#define EVP_F_EVP_PKEY_encrypt_init 111
+#define EVP_F_EVP_PKEY_get1_DH 112
+#define EVP_F_EVP_PKEY_get1_EC_KEY 114
+#define EVP_F_EVP_PKEY_get1_RSA 115
 #define EVP_F_EVP_PKEY_keygen 116
-#define EVP_F_eckey_type2param 117
-#define EVP_F_eckey_priv_encode 118
-#define EVP_F_do_EC_KEY_print 119
-#define EVP_F_pkey_ec_keygen 120
-#define EVP_F_EVP_PKEY_encrypt_init 121
-#define EVP_F_pkey_rsa_ctrl 122
-#define EVP_F_rsa_priv_decode 123
-#define EVP_F_rsa_pss_to_ctx 124
-#define EVP_F_EVP_PKEY_get1_EC_KEY 125
-#define EVP_F_EVP_PKEY_verify_init 126
-#define EVP_F_EVP_PKEY_derive_init 127
-#define EVP_F_eckey_param2type 128
-#define EVP_F_eckey_pub_decode 129
-#define EVP_F_d2i_AutoPrivateKey 130
+#define EVP_F_EVP_PKEY_sign 120
+#define EVP_F_EVP_PKEY_sign_init 121
+#define EVP_F_EVP_PKEY_verify 122
+#define EVP_F_EVP_PKEY_verify_init 123
+#define EVP_F_d2i_AutoPrivateKey 125
+#define EVP_F_d2i_PrivateKey 126
+#define EVP_F_do_EC_KEY_print 127
+#define EVP_F_do_sigver_init 129
+#define EVP_F_eckey_param2type 130
 #define EVP_F_eckey_param_decode 131
-#define EVP_F_EVP_PKEY_new 132
-#define EVP_F_pkey_ec_derive 133
-#define EVP_F_pkey_ec_paramgen 134
-#define EVP_F_EVP_PKEY_CTX_ctrl 135
-#define EVP_F_EVP_PKEY_decrypt_init 136
-#define EVP_F_EVP_PKEY_decrypt 137
-#define EVP_F_EVP_PKEY_copy_parameters 138
-#define EVP_F_EVP_PKEY_set_type 139
-#define EVP_F_EVP_PKEY_derive 140
-#define EVP_F_EVP_PKEY_keygen_init 141
-#define EVP_F_do_rsa_print 142
-#define EVP_F_old_rsa_priv_decode 143
-#define EVP_F_rsa_algor_to_md 144
-#define EVP_F_eckey_pub_encode 145
-#define EVP_F_EVP_PKEY_derive_set_peer 146
-#define EVP_F_pkey_rsa_sign 147
-#define EVP_F_check_padding_md 148
-#define EVP_F_i2d_PublicKey 149
-#define EVP_F_rsa_pub_decode 150
-#define EVP_F_EVP_PKEY_get1_DSA 151
-#define EVP_F_pkey_rsa_encrypt 152
-#define EVP_F_pkey_rsa_decrypt 153
-#define EVP_F_hmac_signctx 154
-#define EVP_F_EVP_DigestVerifyInitFromAlgorithm 155
-#define EVP_F_EVP_DigestSignAlgorithm 156
-#define EVP_F_rsa_digest_verify_init_from_algorithm 157
-#define EVP_F_EVP_PKEY_CTX_dup 158
-#define EVP_R_UNSUPPORTED_PUBLIC_KEY_TYPE 100
-#define EVP_R_UNSUPPORTED_SIGNATURE_TYPE 101
-#define EVP_R_INVALID_DIGEST_TYPE 102
-#define EVP_R_EXPECTING_A_DH_KEY 103
-#define EVP_R_OPERATON_NOT_INITIALIZED 104
-#define EVP_R_MISSING_PARAMETERS 105
-#define EVP_R_NO_DEFAULT_DIGEST 106
-#define EVP_R_UNKNOWN_DIGEST 107
-#define EVP_R_KEYS_NOT_SET 108
-#define EVP_R_X931_UNSUPPORTED 109
-#define EVP_R_DIGEST_DOES_NOT_MATCH 110
-#define EVP_R_DIFFERENT_PARAMETERS 111
-#define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 112
-#define EVP_R_DIFFERENT_KEY_TYPES 113
-#define EVP_R_NO_PARAMETERS_SET 114
-#define EVP_R_NO_NID_FOR_CURVE 115
-#define EVP_R_NO_OPERATION_SET 116
-#define EVP_R_UNSUPPORTED_ALGORITHM 117
-#define EVP_R_EXPECTING_AN_DSA_KEY 118
-#define EVP_R_UNKNOWN_MASK_DIGEST 119
-#define EVP_R_INVALID_SALT_LENGTH 120
-#define EVP_R_BUFFER_TOO_SMALL 121
-#define EVP_R_INVALID_PADDING_MODE 122
-#define EVP_R_INVALID_MGF1_MD 123
-#define EVP_R_SHARED_INFO_ERROR 124
-#define EVP_R_INVALID_KEYBITS 125
-#define EVP_R_PEER_KEY_ERROR 126
-#define EVP_R_EXPECTING_A_DSA_KEY 127
-#define EVP_R_UNSUPPORTED_MASK_ALGORITHM 128
-#define EVP_R_EXPECTING_AN_EC_KEY_KEY 129
-#define EVP_R_INVALID_TRAILER 130
-#define EVP_R_INVALID_DIGEST_LENGTH 131
-#define EVP_R_COMMAND_NOT_SUPPORTED 132
-#define EVP_R_EXPLICIT_EC_PARAMETERS_NOT_SUPPORTED 133
-#define EVP_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE 134
-#define EVP_R_NO_MDC2_SUPPORT 135
-#define EVP_R_INVALID_CURVE 136
-#define EVP_R_NO_KEY_SET 137
-#define EVP_R_INVALID_PSS_PARAMETERS 138
-#define EVP_R_KDF_PARAMETER_ERROR 139
+#define EVP_F_eckey_priv_decode 132
+#define EVP_F_eckey_priv_encode 133
+#define EVP_F_eckey_pub_decode 134
+#define EVP_F_eckey_pub_encode 135
+#define EVP_F_eckey_type2param 136
+#define EVP_F_evp_pkey_ctx_new 137
+#define EVP_F_hmac_signctx 138
+#define EVP_F_i2d_PublicKey 139
+#define EVP_F_old_ec_priv_decode 140
+#define EVP_F_old_rsa_priv_decode 141
+#define EVP_F_pkey_ec_ctrl 142
+#define EVP_F_pkey_ec_derive 143
+#define EVP_F_pkey_ec_keygen 144
+#define EVP_F_pkey_ec_paramgen 145
+#define EVP_F_pkey_ec_sign 146
+#define EVP_F_pkey_rsa_ctrl 147
+#define EVP_F_pkey_rsa_decrypt 148
+#define EVP_F_pkey_rsa_encrypt 149
+#define EVP_F_pkey_rsa_sign 150
+#define EVP_F_rsa_algor_to_md 151
+#define EVP_F_rsa_digest_verify_init_from_algorithm 152
+#define EVP_F_rsa_mgf1_to_md 153
+#define EVP_F_rsa_priv_decode 154
+#define EVP_F_rsa_priv_encode 155
+#define EVP_F_rsa_pss_to_ctx 156
+#define EVP_F_rsa_pub_decode 157
+#define EVP_F_pkey_hmac_ctrl 158
+#define EVP_F_EVP_PKEY_CTX_get0_rsa_oaep_label 159
+#define EVP_F_EVP_DigestSignAlgorithm 160
+#define EVP_F_EVP_DigestVerifyInitFromAlgorithm 161
+#define EVP_F_EVP_PKEY_CTX_ctrl 162
+#define EVP_F_EVP_PKEY_CTX_dup 163
+#define EVP_F_EVP_PKEY_copy_parameters 164
+#define EVP_F_EVP_PKEY_decrypt 165
+#define EVP_F_EVP_PKEY_decrypt_init 166
+#define EVP_F_EVP_PKEY_derive 167
+#define EVP_F_EVP_PKEY_derive_set_peer 168
+#define EVP_F_EVP_PKEY_get1_DSA 169
+#define EVP_F_EVP_PKEY_keygen_init 170
+#define EVP_F_EVP_PKEY_new 171
+#define EVP_F_EVP_PKEY_set_type 172
+#define EVP_F_check_padding_md 173
+#define EVP_F_do_dsa_print 174
+#define EVP_F_do_rsa_print 175
+#define EVP_F_dsa_param_decode 176
+#define EVP_F_dsa_priv_decode 177
+#define EVP_F_dsa_priv_encode 178
+#define EVP_F_dsa_pub_decode 179
+#define EVP_F_dsa_pub_encode 180
+#define EVP_F_dsa_sig_print 181
+#define EVP_F_old_dsa_priv_decode 182
+#define EVP_R_BUFFER_TOO_SMALL 100
+#define EVP_R_COMMAND_NOT_SUPPORTED 101
+#define EVP_R_DIFFERENT_KEY_TYPES 104
+#define EVP_R_DIFFERENT_PARAMETERS 105
+#define EVP_R_EXPECTING_AN_EC_KEY_KEY 107
+#define EVP_R_EXPECTING_A_DH_KEY 109
+#define EVP_R_EXPECTING_A_DSA_KEY 110
+#define EVP_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE 111
+#define EVP_R_INVALID_CURVE 112
+#define EVP_R_INVALID_DIGEST_LENGTH 113
+#define EVP_R_INVALID_DIGEST_TYPE 114
+#define EVP_R_INVALID_KEYBITS 115
+#define EVP_R_INVALID_MGF1_MD 116
+#define EVP_R_INVALID_PADDING_MODE 118
+#define EVP_R_INVALID_PSS_PARAMETERS 119
+#define EVP_R_INVALID_SALT_LENGTH 121
+#define EVP_R_INVALID_TRAILER 122
+#define EVP_R_KEYS_NOT_SET 123
+#define EVP_R_MISSING_PARAMETERS 124
+#define EVP_R_NO_DEFAULT_DIGEST 125
+#define EVP_R_NO_KEY_SET 126
+#define EVP_R_NO_MDC2_SUPPORT 127
+#define EVP_R_NO_NID_FOR_CURVE 128
+#define EVP_R_NO_OPERATION_SET 129
+#define EVP_R_NO_PARAMETERS_SET 130
+#define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 131
+#define EVP_R_OPERATON_NOT_INITIALIZED 132
+#define EVP_R_UNKNOWN_DIGEST 133
+#define EVP_R_UNKNOWN_MASK_DIGEST 134
+#define EVP_R_UNSUPPORTED_ALGORITHM 138
+#define EVP_R_UNSUPPORTED_MASK_ALGORITHM 139
 #define EVP_R_UNSUPPORTED_MASK_PARAMETER 140
 #define EVP_R_EXPECTING_AN_RSA_KEY 141
 #define EVP_R_INVALID_OPERATION 142
@@ -872,5 +812,9 @@ struct evp_pkey_st {
 #define EVP_R_WRONG_PUBLIC_KEY_TYPE 148
 #define EVP_R_UNKNOWN_SIGNATURE_ALGORITHM 149
 #define EVP_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM 150
+#define EVP_R_BN_DECODE_ERROR 151
+#define EVP_R_PARAMETER_ENCODING_ERROR 152
+#define EVP_R_UNSUPPORTED_PUBLIC_KEY_TYPE 153
+#define EVP_R_UNSUPPORTED_SIGNATURE_TYPE 154
 
 #endif  /* OPENSSL_HEADER_EVP_H */
diff --git a/src/include/openssl/ex_data.h b/src/include/openssl/ex_data.h
index f61501a..2303eb4 100644
--- a/src/include/openssl/ex_data.h
+++ b/src/include/openssl/ex_data.h
@@ -119,21 +119,51 @@ extern "C" {
 
 
 /* ex_data is a mechanism for associating arbitrary extra data with objects.
- * The different types of objects which can have data associated with them are
- * called "classes" and there are predefined classes for all the OpenSSL
- * objects that support ex_data.
- *
- * Within a given class, different users can be assigned indexes in which to
- * store their data. Each index has callback functions that are called when a
- * new object of that type is created, freed and duplicated. */
+ * For each type of object that supports ex_data, different users can be
+ * assigned indexes in which to store their data. Each index has callback
+ * functions that are called when a new object of that type is created, freed
+ * and duplicated. */
 
 
 typedef struct crypto_ex_data_st CRYPTO_EX_DATA;
 
+
+/* Type-specific functions.
+ *
+ * Each type that supports ex_data provides three functions: */
+
+#if 0 /* Sample */
+
+/* |TYPE_get_ex_new_index| allocates a new index for |TYPE|. See the
+ * descriptions of the callback typedefs for details of when they are
+ * called. Any of the callback arguments may be NULL. The |argl| and |argp|
+ * arguments are opaque values that are passed to the callbacks. It returns the
+ * new index or a negative number on error.
+ *
+ * TODO(fork): this should follow the standard calling convention. */
+OPENSSL_EXPORT int TYPE_get_ex_new_index(long argl, void *argp,
+                                         CRYPTO_EX_new *new_func,
+                                         CRYPTO_EX_dup *dup_func,
+                                         CRYPTO_EX_free *free_func);
+
+/* |TYPE_set_ex_data| sets an extra data pointer on |t|. The |index| argument
+ * should have been returned from a previous call to |TYPE_get_ex_new_index|. */
+OPENSSL_EXPORT int TYPE_set_ex_data(TYPE *t, int index, void *arg);
+
+/* |TYPE_get_ex_data| returns an extra data pointer for |t|, or NULL if no such
+ * pointer exists. The |index| argument should have been returned from a
+ * previous call to |TYPE_get_ex_new_index|. */
+OPENSSL_EXPORT void *TYPE_get_ex_data(const TYPE *t, int index);
+
+#endif /* Sample */
+
+
+/* Callback types. */
+
 /* CRYPTO_EX_new is the type of a callback function that is called whenever a
  * new object of a given class is created. For example, if this callback has
- * been passed to |CRYPTO_get_ex_new_index| with a |class| of
- * |CRYPTO_EX_INDEX_SSL| then it'll be called each time an SSL* is created.
+ * been passed to |SSL_get_ex_new_index| then it'll be called each time an SSL*
+ * is created.
  *
  * The callback is passed the new object (i.e. the SSL*) in |parent|. The
  * arguments |argl| and |argp| contain opaque values that were given to
@@ -166,126 +196,10 @@ typedef void CRYPTO_EX_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
 typedef int CRYPTO_EX_dup(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
                           void **from_d, int index, long argl, void *argp);
 
-/* CRYPTO_get_ex_new_index allocates a new index for ex_data linked with
- * objects of the given |class|. This should not be called directly, rather
- * each class of object should provide a wrapper function that sets
- * |class_value| correctly.
- *
- * The |class_value| argument should be one of |CRYPTO_EX_INDEX_*| or a
- * user-defined class value returned from |CRYPTO_ex_data_new_class|.
- *
- * See the descriptions of the callback typedefs for details of when they are
- * called. Any of the callback arguments may be NULL. The |argl| and |argp|
- * arguments are opaque values that are passed to the callbacks.
- *
- * It returns the new index, or a negative number on error.
- *
- * TODO(fork): this should follow the standard calling convention.
- *
- * TODO(fork): replace the class_value with a pointer to EX_CLASS_ITEM. Saves
- * having that hash table and some of the lock-bouncing. Maybe have every
- * module have a private global EX_CLASS_ITEM somewhere and any direct callers
- * of CRYPTO_{get,set}_ex_data{,_index} would have to always call the
- * wrappers. */
-OPENSSL_EXPORT int CRYPTO_get_ex_new_index(int class_value, long argl,
-                                           void *argp, CRYPTO_EX_new *new_func,
-                                           CRYPTO_EX_dup *dup_func,
-                                           CRYPTO_EX_free *free_func);
-
-/* CRYPTO_set_ex_data sets an extra data pointer on a given object. This should
- * not be called directly, rather each class of object should provide a wrapper
- * function.
- *
- * The |index| argument should have been returned from a previous call to
- * |CRYPTO_get_ex_new_index|. */
-OPENSSL_EXPORT int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int index, void *val);
-
-/* CRYPTO_set_ex_data return an extra data pointer for a given object, or NULL
- * if no such index exists. This should not be called directly, rather each
- * class of object should provide a wrapper function.
- *
- * The |index| argument should have been returned from a previous call to
- * |CRYPTO_get_ex_new_index|. */
-OPENSSL_EXPORT void *CRYPTO_get_ex_data(const CRYPTO_EX_DATA *ad, int index);
-
-/* CRYPTO_EX_INDEX_* are the built-in classes of objects.
- *
- * User defined classes start at 100.
- *
- * TODO(fork): WARNING: these are called "INDEX", but they aren't! */
-#define CRYPTO_EX_INDEX_BIO 0
-#define CRYPTO_EX_INDEX_SSL 1
-#define CRYPTO_EX_INDEX_SSL_CTX 2
-#define CRYPTO_EX_INDEX_SSL_SESSION 3
-#define CRYPTO_EX_INDEX_X509_STORE 4
-#define CRYPTO_EX_INDEX_X509_STORE_CTX 5
-#define CRYPTO_EX_INDEX_RSA 6
-#define CRYPTO_EX_INDEX_DSA 7
-#define CRYPTO_EX_INDEX_DH 8
-#define CRYPTO_EX_INDEX_ENGINE 9
-#define CRYPTO_EX_INDEX_X509 10
-#define CRYPTO_EX_INDEX_UI 11
-#define CRYPTO_EX_INDEX_EC_KEY 12
-#define CRYPTO_EX_INDEX_EC_GROUP 13
-#define CRYPTO_EX_INDEX_COMP 14
-#define CRYPTO_EX_INDEX_STORE 15
-
-
-/* User-defined classes of objects.
- *
- * Core OpenSSL code has predefined class values given above (the
- * |CRYPTO_EX_INDEX_*| values). It's possible to get dynamic class values
- * assigned for user-defined objects. */
-
-/* CRYPTO_ex_data_new_class returns a fresh class value for a user-defined type
- * that wishes to use ex_data.
- *
- * TODO(fork): hopefully remove this. */
-OPENSSL_EXPORT int CRYPTO_ex_data_new_class(void);
-
-
-/* Embedding, allocating and freeing |CRYPTO_EX_DATA| structures for objects
- * that embed them. */
-
-/* CRYPTO_new_ex_data initialises a newly allocated |CRYPTO_EX_DATA| which is
- * embedded inside of |obj| which is of class |class_value|. Returns one on
- * success and zero otherwise. */
-OPENSSL_EXPORT int CRYPTO_new_ex_data(int class_value, void *obj,
-                                      CRYPTO_EX_DATA *ad);
-
-/* CRYPTO_dup_ex_data duplicates |from| into a freshly allocated
- * |CRYPTO_EX_DATA|, |to|. Both of which are inside objects of the given
- * class. It returns one on success and zero otherwise. */
-OPENSSL_EXPORT int CRYPTO_dup_ex_data(int class_value, CRYPTO_EX_DATA *to,
-                                      const CRYPTO_EX_DATA *from);
-
-/* CRYPTO_free_ex_data frees |ad|, which is embedded inside |obj|, which is an
- * object of the given class. */
-OPENSSL_EXPORT void CRYPTO_free_ex_data(int class_value, void *obj,
-                                        CRYPTO_EX_DATA *ad);
-
-
-/* Handling different ex_data implementations. */
-
-/* CRYPTO_EX_DATA_IMPL is the opaque type of an implementation of ex_data. */
-typedef struct st_CRYPTO_EX_DATA_IMPL CRYPTO_EX_DATA_IMPL;
-
-/* CRYPTO_get_ex_data_implementation returns the current implementation of
- * ex_data. */
-OPENSSL_EXPORT const CRYPTO_EX_DATA_IMPL *CRYPTO_get_ex_data_implementation(
-    void);
-
-/* CRYPTO_set_ex_data_implementation sets the implementation of ex_data to use,
- * unless ex_data has already been used and the default implementation
- * installed. It returns one on success and zero otherwise. */
-OPENSSL_EXPORT int CRYPTO_set_ex_data_implementation(
-    const CRYPTO_EX_DATA_IMPL *impl);
-
 
-/* Private functions. */
+/* Deprecated functions. */
 
-/* CRYPTO_cleanup_all_ex_data cleans up all ex_data state. It assumes that no
- * other threads are executing code that might call ex_data functions. */
+/* CRYPTO_cleanup_all_ex_data does nothing. */
 OPENSSL_EXPORT void CRYPTO_cleanup_all_ex_data(void);
 
 struct crypto_ex_data_st {
diff --git a/src/include/openssl/hmac.h b/src/include/openssl/hmac.h
index 6c34cdc..89cdf8f 100644
--- a/src/include/openssl/hmac.h
+++ b/src/include/openssl/hmac.h
@@ -94,9 +94,14 @@ OPENSSL_EXPORT void HMAC_CTX_init(HMAC_CTX *ctx);
 OPENSSL_EXPORT void HMAC_CTX_cleanup(HMAC_CTX *ctx);
 
 /* HMAC_Init_ex sets up an initialised |HMAC_CTX| to use |md| as the hash
- * function and |key| as the key. Any of |md| or |key| can be NULL, in which
- * case the previous value will be used. It returns one on success or zero
- * otherwise. */
+ * function and |key| as the key. For a non-initial call, |md| may be NULL, in
+ * which case the previous hash function will be used. If the hash function has
+ * not changed and |key| is NULL, |ctx| reuses the previous key. It returns one
+ * on success or zero otherwise.
+ *
+ * WARNING: NULL and empty keys are ambiguous on non-initial calls. Passing NULL
+ * |key| but repeating the previous |md| reuses the previous key rather than the
+ * empty key. */
 OPENSSL_EXPORT int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, size_t key_len,
                                 const EVP_MD *md, ENGINE *impl);
 
@@ -152,8 +157,6 @@ struct hmac_ctx_st {
   EVP_MD_CTX md_ctx;
   EVP_MD_CTX i_ctx;
   EVP_MD_CTX o_ctx;
-  unsigned int key_length;
-  unsigned char key[HMAC_MAX_MD_CBLOCK];
 } /* HMAC_CTX */;
 
 
diff --git a/src/include/openssl/lhash.h b/src/include/openssl/lhash.h
index c8628d1..d2ee982 100644
--- a/src/include/openssl/lhash.h
+++ b/src/include/openssl/lhash.h
@@ -96,9 +96,6 @@ extern "C" {
  *
  * LHASH_OF:ASN1_OBJECT
  * LHASH_OF:CONF_VALUE
- * LHASH_OF:ERR_STATE
- * LHASH_OF:ERR_STRING_DATA
- * LHASH_OF:EX_CLASS_ITEM
  * LHASH_OF:SSL_SESSION */
 
 #define IN_LHASH_H
diff --git a/src/include/openssl/lhash_macros.h b/src/include/openssl/lhash_macros.h
index f84b5ed..1d98107 100644
--- a/src/include/openssl/lhash_macros.h
+++ b/src/include/openssl/lhash_macros.h
@@ -92,122 +92,6 @@
                             void (*)(CONF_VALUE *, void *), func), \
                arg);
 
-/* ERR_STATE */
-#define lh_ERR_STATE_new(hash, comp)                                        \
-  ((LHASH_OF(ERR_STATE) *)lh_new(                                           \
-      CHECKED_CAST(lhash_hash_func, uint32_t (*)(const ERR_STATE *), hash), \
-      CHECKED_CAST(lhash_cmp_func,                                          \
-                   int (*)(const ERR_STATE *a, const ERR_STATE *b), comp)))
-
-#define lh_ERR_STATE_free(lh) \
-  lh_free(CHECKED_CAST(_LHASH *, LHASH_OF(ERR_STATE) *, lh));
-
-#define lh_ERR_STATE_num_items(lh) \
-  lh_num_items(CHECKED_CAST(_LHASH *, LHASH_OF(ERR_STATE) *, lh))
-
-#define lh_ERR_STATE_retrieve(lh, data)                                        \
-  ((ERR_STATE *)lh_retrieve(CHECKED_CAST(_LHASH *, LHASH_OF(ERR_STATE) *, lh), \
-                            CHECKED_CAST(void *, ERR_STATE *, data)))
-
-#define lh_ERR_STATE_insert(lh, old_data, data)                \
-  lh_insert(CHECKED_CAST(_LHASH *, LHASH_OF(ERR_STATE) *, lh), \
-            CHECKED_CAST(void **, ERR_STATE **, old_data),     \
-            CHECKED_CAST(void *, ERR_STATE *, data))
-
-#define lh_ERR_STATE_delete(lh, data)                                        \
-  ((ERR_STATE *)lh_delete(CHECKED_CAST(_LHASH *, LHASH_OF(ERR_STATE) *, lh), \
-                          CHECKED_CAST(void *, ERR_STATE *, data)))
-
-#define lh_ERR_STATE_doall(lh, func)                          \
-  lh_doall(CHECKED_CAST(_LHASH *, LHASH_OF(ERR_STATE) *, lh), \
-           CHECKED_CAST(void (*)(void *), void (*)(ERR_STATE *), func));
-
-#define lh_ERR_STATE_doall_arg(lh, func, arg)                     \
-  lh_doall_arg(CHECKED_CAST(_LHASH *, LHASH_OF(ERR_STATE) *, lh), \
-               CHECKED_CAST(void (*)(void *, void *),             \
-                            void (*)(ERR_STATE *, void *), func), \
-               arg);
-
-/* ERR_STRING_DATA */
-#define lh_ERR_STRING_DATA_new(hash, comp)                                 \
-  ((LHASH_OF(ERR_STRING_DATA) *)lh_new(                                    \
-      CHECKED_CAST(lhash_hash_func, uint32_t (*)(const ERR_STRING_DATA *), \
-                   hash),                                                  \
-      CHECKED_CAST(                                                        \
-          lhash_cmp_func,                                                  \
-          int (*)(const ERR_STRING_DATA *a, const ERR_STRING_DATA *b), comp)))
-
-#define lh_ERR_STRING_DATA_free(lh) \
-  lh_free(CHECKED_CAST(_LHASH *, LHASH_OF(ERR_STRING_DATA) *, lh));
-
-#define lh_ERR_STRING_DATA_num_items(lh) \
-  lh_num_items(CHECKED_CAST(_LHASH *, LHASH_OF(ERR_STRING_DATA) *, lh))
-
-#define lh_ERR_STRING_DATA_retrieve(lh, data)                  \
-  ((ERR_STRING_DATA *)lh_retrieve(                             \
-      CHECKED_CAST(_LHASH *, LHASH_OF(ERR_STRING_DATA) *, lh), \
-      CHECKED_CAST(void *, ERR_STRING_DATA *, data)))
-
-#define lh_ERR_STRING_DATA_insert(lh, old_data, data)                \
-  lh_insert(CHECKED_CAST(_LHASH *, LHASH_OF(ERR_STRING_DATA) *, lh), \
-            CHECKED_CAST(void **, ERR_STRING_DATA **, old_data),     \
-            CHECKED_CAST(void *, ERR_STRING_DATA *, data))
-
-#define lh_ERR_STRING_DATA_delete(lh, data)                    \
-  ((ERR_STRING_DATA *)lh_delete(                               \
-      CHECKED_CAST(_LHASH *, LHASH_OF(ERR_STRING_DATA) *, lh), \
-      CHECKED_CAST(void *, ERR_STRING_DATA *, data)))
-
-#define lh_ERR_STRING_DATA_doall(lh, func)                          \
-  lh_doall(CHECKED_CAST(_LHASH *, LHASH_OF(ERR_STRING_DATA) *, lh), \
-           CHECKED_CAST(void (*)(void *), void (*)(ERR_STRING_DATA *), func));
-
-#define lh_ERR_STRING_DATA_doall_arg(lh, func, arg)                     \
-  lh_doall_arg(CHECKED_CAST(_LHASH *, LHASH_OF(ERR_STRING_DATA) *, lh), \
-               CHECKED_CAST(void (*)(void *, void *),                   \
-                            void (*)(ERR_STRING_DATA *, void *), func), \
-               arg);
-
-/* EX_CLASS_ITEM */
-#define lh_EX_CLASS_ITEM_new(hash, comp)                                    \
-  ((LHASH_OF(EX_CLASS_ITEM) *)lh_new(                                       \
-      CHECKED_CAST(lhash_hash_func, uint32_t (*)(const EX_CLASS_ITEM *),    \
-                   hash),                                                   \
-      CHECKED_CAST(lhash_cmp_func,                                          \
-                   int (*)(const EX_CLASS_ITEM *a, const EX_CLASS_ITEM *b), \
-                   comp)))
-
-#define lh_EX_CLASS_ITEM_free(lh) \
-  lh_free(CHECKED_CAST(_LHASH *, LHASH_OF(EX_CLASS_ITEM) *, lh));
-
-#define lh_EX_CLASS_ITEM_num_items(lh) \
-  lh_num_items(CHECKED_CAST(_LHASH *, LHASH_OF(EX_CLASS_ITEM) *, lh))
-
-#define lh_EX_CLASS_ITEM_retrieve(lh, data)                  \
-  ((EX_CLASS_ITEM *)lh_retrieve(                             \
-      CHECKED_CAST(_LHASH *, LHASH_OF(EX_CLASS_ITEM) *, lh), \
-      CHECKED_CAST(void *, EX_CLASS_ITEM *, data)))
-
-#define lh_EX_CLASS_ITEM_insert(lh, old_data, data)                \
-  lh_insert(CHECKED_CAST(_LHASH *, LHASH_OF(EX_CLASS_ITEM) *, lh), \
-            CHECKED_CAST(void **, EX_CLASS_ITEM **, old_data),     \
-            CHECKED_CAST(void *, EX_CLASS_ITEM *, data))
-
-#define lh_EX_CLASS_ITEM_delete(lh, data)                    \
-  ((EX_CLASS_ITEM *)lh_delete(                               \
-      CHECKED_CAST(_LHASH *, LHASH_OF(EX_CLASS_ITEM) *, lh), \
-      CHECKED_CAST(void *, EX_CLASS_ITEM *, data)))
-
-#define lh_EX_CLASS_ITEM_doall(lh, func)                          \
-  lh_doall(CHECKED_CAST(_LHASH *, LHASH_OF(EX_CLASS_ITEM) *, lh), \
-           CHECKED_CAST(void (*)(void *), void (*)(EX_CLASS_ITEM *), func));
-
-#define lh_EX_CLASS_ITEM_doall_arg(lh, func, arg)                     \
-  lh_doall_arg(CHECKED_CAST(_LHASH *, LHASH_OF(EX_CLASS_ITEM) *, lh), \
-               CHECKED_CAST(void (*)(void *, void *),                 \
-                            void (*)(EX_CLASS_ITEM *, void *), func), \
-               arg);
-
 /* SSL_SESSION */
 #define lh_SSL_SESSION_new(hash, comp)                                        \
   ((LHASH_OF(SSL_SESSION) *)lh_new(                                           \
diff --git a/src/include/openssl/mem.h b/src/include/openssl/mem.h
index 3bd01c0..42ec46a 100644
--- a/src/include/openssl/mem.h
+++ b/src/include/openssl/mem.h
@@ -58,6 +58,7 @@
 
 #include <openssl/base.h>
 
+#include <stdlib.h>
 #include <stdarg.h>
 
 #if defined(__cplusplus)
diff --git a/src/include/openssl/obj.h b/src/include/openssl/obj.h
index 5dd8886..f476617 100644
--- a/src/include/openssl/obj.h
+++ b/src/include/openssl/obj.h
@@ -193,10 +193,10 @@ OPENSSL_EXPORT int OBJ_find_sigid_by_algs(int *out_sign_nid, int digest_nid,
 }  /* extern C */
 #endif
 
-#define OBJ_F_OBJ_txt2obj 100
-#define OBJ_F_OBJ_create 101
-#define OBJ_F_OBJ_dup 102
-#define OBJ_F_OBJ_nid2obj 103
+#define OBJ_F_OBJ_create 100
+#define OBJ_F_OBJ_dup 101
+#define OBJ_F_OBJ_nid2obj 102
+#define OBJ_F_OBJ_txt2obj 103
 #define OBJ_R_UNKNOWN_NID 100
 
 #endif  /* OPENSSL_HEADER_OBJECTS_H */
diff --git a/src/include/openssl/opensslfeatures.h b/src/include/openssl/opensslfeatures.h
index 4f5cb31..c3f97d5 100644
--- a/src/include/openssl/opensslfeatures.h
+++ b/src/include/openssl/opensslfeatures.h
@@ -22,12 +22,15 @@
 #define OPENSSL_NO_BF
 #define OPENSSL_NO_BUF_FREELISTS
 #define OPENSSL_NO_CAMELLIA
+#define OPENSSL_NO_CAPIENG
 #define OPENSSL_NO_CAST
 #define OPENSSL_NO_CMS
 #define OPENSSL_NO_COMP
 #define OPENSSL_NO_DANE
 #define OPENSSL_NO_DEPRECATED
 #define OPENSSL_NO_DYNAMIC_ENGINE
+#define OPENSSL_NO_EC_NISTP_64_GCC_128
+#define OPENSSL_NO_EC2M
 #define OPENSSL_NO_ENGINE
 #define OPENSSL_NO_GMP
 #define OPENSSL_NO_GOST
@@ -38,11 +41,13 @@
 #define OPENSSL_NO_KRB5
 #define OPENSSL_NO_MD2
 #define OPENSSL_NO_MDC2
+#define OPENSSL_NO_OCB
 #define OPENSSL_NO_OCSP
 #define OPENSSL_NO_RC2
 #define OPENSSL_NO_RC5
 #define OPENSSL_NO_RFC3779
 #define OPENSSL_NO_RIPEMD
+#define OPENSSL_NO_RMD160
 #define OPENSSL_NO_SCTP
 #define OPENSSL_NO_SEED
 #define OPENSSL_NO_SRP
diff --git a/src/include/openssl/opensslv.h b/src/include/openssl/opensslv.h
index a3555d4..22f7e25 100644
--- a/src/include/openssl/opensslv.h
+++ b/src/include/openssl/opensslv.h
@@ -15,4 +15,4 @@
 /* This header is provided in order to make compiling against code that expects
    OpenSSL easier. */
 
-#include "crypto.h"
+#include "ssl.h"
diff --git a/src/include/openssl/pem.h b/src/include/openssl/pem.h
index 5f61cab..adc8d86 100644
--- a/src/include/openssl/pem.h
+++ b/src/include/openssl/pem.h
@@ -502,57 +502,44 @@ void ERR_load_PEM_strings(void);
 }
 #endif
 
-#define PEM_F_PEM_read_bio_DHparams 100
-#define PEM_F_load_iv 101
-#define PEM_F_PEM_write 102
-#define PEM_F_do_pk8pkey_fp 103
-#define PEM_F_PEM_read_PrivateKey 104
-#define PEM_F_PEM_read_DHparams 105
-#define PEM_F_PEM_ASN1_read_bio 106
-#define PEM_F_PEM_ASN1_read 107
+#define PEM_F_PEM_ASN1_read 100
+#define PEM_F_PEM_ASN1_read_bio 101
+#define PEM_F_PEM_ASN1_write 102
+#define PEM_F_PEM_ASN1_write_bio 103
+#define PEM_F_PEM_X509_INFO_read 104
+#define PEM_F_PEM_X509_INFO_read_bio 105
+#define PEM_F_PEM_X509_INFO_write_bio 106
+#define PEM_F_PEM_do_header 107
 #define PEM_F_PEM_get_EVP_CIPHER_INFO 108
-#define PEM_F_PEM_X509_INFO_read 109
-#define PEM_F_PEM_read_bio_Parameters 110
-#define PEM_F_PEM_read 111
-#define PEM_F_PEM_X509_INFO_read_bio 112
-#define PEM_F_PEM_X509_INFO_write_bio 113
-#define PEM_F_PEM_ASN1_write 114
-#define PEM_F_d2i_PKCS8PrivateKey_bio 115
-#define PEM_F_d2i_PKCS8PrivateKey_fp 116
-#define PEM_F_PEM_read_bio_PrivateKey 117
-#define PEM_F_PEM_write_PrivateKey 118
-#define PEM_F_PEM_ASN1_write_bio 119
-#define PEM_F_PEM_do_header 120
-#define PEM_F_PEM_write_bio 121
-#define PEM_F_do_pk8pkey 122
-#define PEM_F_PEM_read_bio 123
-#define PEM_R_NO_START_LINE 100
-#define PEM_R_NOT_PROC_TYPE 101
-#define PEM_R_SHORT_HEADER 102
+#define PEM_F_PEM_read 109
+#define PEM_F_PEM_read_DHparams 110
+#define PEM_F_PEM_read_PrivateKey 111
+#define PEM_F_PEM_read_bio 112
+#define PEM_F_PEM_read_bio_DHparams 113
+#define PEM_F_PEM_read_bio_Parameters 114
+#define PEM_F_PEM_read_bio_PrivateKey 115
+#define PEM_F_PEM_write 116
+#define PEM_F_PEM_write_PrivateKey 117
+#define PEM_F_PEM_write_bio 118
+#define PEM_F_d2i_PKCS8PrivateKey_bio 119
+#define PEM_F_d2i_PKCS8PrivateKey_fp 120
+#define PEM_F_do_pk8pkey 121
+#define PEM_F_do_pk8pkey_fp 122
+#define PEM_F_load_iv 123
+#define PEM_R_BAD_BASE64_DECODE 100
+#define PEM_R_BAD_DECRYPT 101
+#define PEM_R_BAD_END_LINE 102
 #define PEM_R_BAD_IV_CHARS 103
-#define PEM_R_ERROR_CONVERTING_PRIVATE_KEY 104
-#define PEM_R_BAD_END_LINE 105
-#define PEM_R_CIPHER_IS_NULL 106
-#define PEM_R_BAD_MAGIC_NUMBER 107
-#define PEM_R_BAD_DECRYPT 108
-#define PEM_R_UNSUPPORTED_ENCRYPTION 109
-#define PEM_R_PVK_DATA_TOO_SHORT 110
-#define PEM_R_PROBLEMS_GETTING_PASSWORD 111
-#define PEM_R_KEYBLOB_HEADER_PARSE_ERROR 112
-#define PEM_R_BIO_WRITE_FAILURE 113
-#define PEM_R_INCONSISTENT_HEADER 114
-#define PEM_R_PUBLIC_KEY_NO_RSA 115
-#define PEM_R_EXPECTING_PUBLIC_KEY_BLOB 116
-#define PEM_R_KEYBLOB_TOO_SHORT 117
-#define PEM_R_BAD_BASE64_DECODE 118
-#define PEM_R_READ_KEY 119
-#define PEM_R_BAD_PASSWORD_READ 120
-#define PEM_R_UNSUPPORTED_KEY_COMPONENTS 121
-#define PEM_R_UNSUPPORTED_CIPHER 122
-#define PEM_R_NOT_ENCRYPTED 123
-#define PEM_R_NOT_DEK_INFO 124
-#define PEM_R_BAD_VERSION_NUMBER 125
-#define PEM_R_EXPECTING_PRIVATE_KEY_BLOB 126
-#define PEM_R_PVK_TOO_SHORT 127
+#define PEM_R_BAD_PASSWORD_READ 104
+#define PEM_R_CIPHER_IS_NULL 105
+#define PEM_R_ERROR_CONVERTING_PRIVATE_KEY 106
+#define PEM_R_NOT_DEK_INFO 107
+#define PEM_R_NOT_ENCRYPTED 108
+#define PEM_R_NOT_PROC_TYPE 109
+#define PEM_R_NO_START_LINE 110
+#define PEM_R_READ_KEY 111
+#define PEM_R_SHORT_HEADER 112
+#define PEM_R_UNSUPPORTED_CIPHER 113
+#define PEM_R_UNSUPPORTED_ENCRYPTION 114
 
 #endif  /* OPENSSL_HEADER_PEM_H */
diff --git a/src/include/openssl/pkcs8.h b/src/include/openssl/pkcs8.h
index 826ac7f..8dc7731 100644
--- a/src/include/openssl/pkcs8.h
+++ b/src/include/openssl/pkcs8.h
@@ -58,11 +58,9 @@
 #define OPENSSL_HEADER_PKCS8_H
 
 #include <openssl/base.h>
-
-#include <stdio.h>
-
 #include <openssl/x509.h>
 
+
 #if defined(__cplusplus)
 extern "C" {
 #endif
@@ -172,52 +170,48 @@ OPENSSL_EXPORT void PKCS12_free(PKCS12 *p12);
 }  /* extern C */
 #endif
 
-#define PKCS8_F_PKCS8_encrypt 100
+#define PKCS8_F_EVP_PKCS82PKEY 100
 #define PKCS8_F_EVP_PKEY2PKCS8 101
-#define PKCS8_F_EVP_PKCS82PKEY 102
-#define PKCS8_F_PKCS5_pbe_set0_algor 103
-#define PKCS8_F_pbe_crypt 104
-#define PKCS8_F_pkcs12_item_decrypt_d2i 105
+#define PKCS8_F_PKCS12_get_key_and_certs 102
+#define PKCS8_F_PKCS12_handle_content_info 103
+#define PKCS8_F_PKCS12_handle_content_infos 104
+#define PKCS8_F_PKCS5_pbe2_set_iv 105
 #define PKCS8_F_PKCS5_pbe_set 106
-#define PKCS8_F_pkcs12_key_gen_uni 107
-#define PKCS8_F_pkcs12_key_gen_asc 108
-#define PKCS8_F_pkcs12_pbe_keyivgen 109
-#define PKCS8_F_pbe_cipher_init 110
-#define PKCS8_F_pkcs12_item_i2d_encrypt 111
-#define PKCS8_F_PKCS5_pbe2_set_iv 112
-#define PKCS8_F_PKCS5_pbkdf2_set 113
-#define PKCS8_F_pkcs12_key_gen_raw 114
-#define PKCS8_F_PKCS8_decrypt 115
-#define PKCS8_F_PKCS8_encrypt_pbe 116
-#define PKCS8_F_PKCS12_parse 117
-#define PKCS8_F_PKCS12_handle_content_info 118
-#define PKCS8_F_PKCS12_handle_content_infos 119
-#define PKCS8_F_PKCS12_get_key_and_certs 120
-#define PKCS8_R_ERROR_SETTING_CIPHER_PARAMS 100
-#define PKCS8_R_PRIVATE_KEY_ENCODE_ERROR 101
-#define PKCS8_R_UNKNOWN_ALGORITHM 102
-#define PKCS8_R_UNKNOWN_CIPHER 103
-#define PKCS8_R_UNKNOWN_DIGEST 104
+#define PKCS8_F_PKCS5_pbe_set0_algor 107
+#define PKCS8_F_PKCS5_pbkdf2_set 108
+#define PKCS8_F_PKCS8_decrypt 109
+#define PKCS8_F_PKCS8_encrypt 110
+#define PKCS8_F_PKCS8_encrypt_pbe 111
+#define PKCS8_F_pbe_cipher_init 112
+#define PKCS8_F_pbe_crypt 113
+#define PKCS8_F_pkcs12_item_decrypt_d2i 114
+#define PKCS8_F_pkcs12_item_i2d_encrypt 115
+#define PKCS8_F_pkcs12_key_gen_raw 116
+#define PKCS8_F_pkcs12_pbe_keyivgen 117
+#define PKCS8_R_BAD_PKCS12_DATA 100
+#define PKCS8_R_BAD_PKCS12_VERSION 101
+#define PKCS8_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER 102
+#define PKCS8_R_CRYPT_ERROR 103
+#define PKCS8_R_DECODE_ERROR 104
 #define PKCS8_R_ENCODE_ERROR 105
-#define PKCS8_R_DECODE_ERROR 106
-#define PKCS8_R_ENCRYPT_ERROR 107
-#define PKCS8_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM 108
-#define PKCS8_R_PRIVATE_KEY_DECODE_ERROR 109
-#define PKCS8_R_UNKNOWN_CIPHER_ALGORITHM 110
-#define PKCS8_R_KEYGEN_FAILURE 111
-#define PKCS8_R_TOO_LONG 112
-#define PKCS8_R_CRYPT_ERROR 113
-#define PKCS8_R_METHOD_NOT_SUPPORTED 114
-#define PKCS8_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER 115
-#define PKCS8_R_KEY_GEN_ERROR 116
-#define PKCS8_R_BAD_PKCS12_DATA 117
-#define PKCS8_R_PKCS12_PUBLIC_KEY_INTEGRITY_NOT_SUPPORTED 118
-#define PKCS8_R_BAD_PKCS12_VERSION 119
-#define PKCS8_R_PKCS12_TOO_DEEPLY_NESTED 120
-#define PKCS8_R_MULTIPLE_PRIVATE_KEYS_IN_PKCS12 121
-#define PKCS8_R_UNKNOWN_HASH 122
-#define PKCS8_R_BAD_MAC 123
-#define PKCS8_R_MISSING_MAC 124
-#define PKCS8_R_INCORRECT_PASSWORD 125
+#define PKCS8_R_ENCRYPT_ERROR 106
+#define PKCS8_R_ERROR_SETTING_CIPHER_PARAMS 107
+#define PKCS8_R_INCORRECT_PASSWORD 108
+#define PKCS8_R_KEYGEN_FAILURE 109
+#define PKCS8_R_KEY_GEN_ERROR 110
+#define PKCS8_R_METHOD_NOT_SUPPORTED 111
+#define PKCS8_R_MISSING_MAC 112
+#define PKCS8_R_MULTIPLE_PRIVATE_KEYS_IN_PKCS12 113
+#define PKCS8_R_PKCS12_PUBLIC_KEY_INTEGRITY_NOT_SUPPORTED 114
+#define PKCS8_R_PKCS12_TOO_DEEPLY_NESTED 115
+#define PKCS8_R_PRIVATE_KEY_DECODE_ERROR 116
+#define PKCS8_R_PRIVATE_KEY_ENCODE_ERROR 117
+#define PKCS8_R_TOO_LONG 118
+#define PKCS8_R_UNKNOWN_ALGORITHM 119
+#define PKCS8_R_UNKNOWN_CIPHER 120
+#define PKCS8_R_UNKNOWN_CIPHER_ALGORITHM 121
+#define PKCS8_R_UNKNOWN_DIGEST 122
+#define PKCS8_R_UNKNOWN_HASH 123
+#define PKCS8_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM 124
 
 #endif  /* OPENSSL_HEADER_PKCS8_H */
diff --git a/src/include/openssl/rand.h b/src/include/openssl/rand.h
index 6186044..01ef4f8 100644
--- a/src/include/openssl/rand.h
+++ b/src/include/openssl/rand.h
@@ -22,8 +22,10 @@ extern "C" {
 #endif
 
 
-/* RAND_bytes writes |len| bytes of random data to |buf|. It returns one on
- * success and zero on otherwise. */
+/* Random number generation. */
+
+
+/* RAND_bytes writes |len| bytes of random data to |buf| and returns one. */
 OPENSSL_EXPORT int RAND_bytes(uint8_t *buf, size_t len);
 
 /* RAND_cleanup frees any resources used by the RNG. This is not safe if other
diff --git a/src/include/openssl/rc4.h b/src/include/openssl/rc4.h
index 727b474..0619cac 100644
--- a/src/include/openssl/rc4.h
+++ b/src/include/openssl/rc4.h
@@ -67,13 +67,10 @@ extern "C" {
 /* RC4. */
 
 
-typedef struct rc4_key_st {
+struct rc4_key_st {
   uint32_t x, y;
-  /* data is sometimes used as an array of 32-bit values and sometimes as 8-bit
-   * values, depending on the platform. */
   uint32_t data[256];
-} RC4_KEY;
-
+} /* RC4_KEY */;
 
 /* RC4_set_key performs an RC4 key schedule and initialises |rc4key| with |len|
  * bytes of key material from |key|. */
diff --git a/src/include/openssl/rsa.h b/src/include/openssl/rsa.h
index a4596c7..2e24231 100644
--- a/src/include/openssl/rsa.h
+++ b/src/include/openssl/rsa.h
@@ -61,6 +61,7 @@
 
 #include <openssl/engine.h>
 #include <openssl/ex_data.h>
+#include <openssl/thread.h>
 
 #if defined(__cplusplus)
 extern "C" {
@@ -190,7 +191,7 @@ OPENSSL_EXPORT int RSA_sign(int hash_nid, const uint8_t *in,
                             unsigned int *out_len, RSA *rsa);
 
 /* RSA_sign_raw signs |in_len| bytes from |in| with the public key from |rsa|
- * and writes, at most, |max_out| bytes of encrypted data to |out|. The
+ * and writes, at most, |max_out| bytes of signature data to |out|. The
  * |max_out| argument must be, at least, |RSA_size| in order to ensure success.
  *
  * It returns 1 on success or zero on error.
@@ -254,7 +255,7 @@ OPENSSL_EXPORT int RSA_public_decrypt(int flen, const uint8_t *from,
 /* Utility functions. */
 
 /* RSA_size returns the number of bytes in the modulus, which is also the size
- * of a signature of encrypted value using |rsa|. */
+ * of a signature or encrypted value using |rsa|. */
 OPENSSL_EXPORT unsigned RSA_size(const RSA *rsa);
 
 /* RSA_is_opaque returns one if |rsa| is opaque and doesn't expose its key
@@ -286,11 +287,12 @@ OPENSSL_EXPORT int RSA_check_key(const RSA *rsa);
 OPENSSL_EXPORT int RSA_recover_crt_params(RSA *rsa);
 
 /* RSA_verify_PKCS1_PSS_mgf1 verifies that |EM| is a correct PSS padding of
- * |mHash|, where |mHash| is a digest produced by |Hash|. The |mgf1Hash|
- * argument specifies the hash function for generating the mask. If NULL,
- * |Hash| is used. The |sLen| argument specifies the expected salt length in
- * bytes. If |sLen| is -1 then the salt length is the same as the hash length.
- * If -2, then the salt length is maximal and is taken from the size of |EM|.
+ * |mHash|, where |mHash| is a digest produced by |Hash|. |EM| must point to
+ * exactly |RSA_size(rsa)| bytes of data. The |mgf1Hash| argument specifies the
+ * hash function for generating the mask. If NULL, |Hash| is used. The |sLen|
+ * argument specifies the expected salt length in bytes. If |sLen| is -1 then
+ * the salt length is the same as the hash length. If -2, then the salt length
+ * is maximal and is taken from the size of |EM|.
  *
  * It returns one on success or zero on error. */
 OPENSSL_EXPORT int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const uint8_t *mHash,
@@ -299,12 +301,12 @@ OPENSSL_EXPORT int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const uint8_t *mHash,
                                              const uint8_t *EM, int sLen);
 
 /* RSA_padding_add_PKCS1_PSS_mgf1 writes a PSS padding of |mHash| to |EM|,
- * where |mHash| is a digest produced by |Hash|. There must be at least
- * |RSA_size(rsa)| bytes of space in |EM|. The |mgf1Hash| argument specifies
- * the hash function for generating the mask. If NULL, |Hash| is used. The
- * |sLen| argument specifies the expected salt length in bytes. If |sLen| is -1
- * then the salt length is the same as the hash length. If -2, then the salt
- * length is maximal given the space in |EM|.
+ * where |mHash| is a digest produced by |Hash|. |RSA_size(rsa)| bytes of
+ * output will be written to |EM|. The |mgf1Hash| argument specifies the hash
+ * function for generating the mask. If NULL, |Hash| is used. The |sLen|
+ * argument specifies the expected salt length in bytes. If |sLen| is -1 then
+ * the salt length is the same as the hash length. If -2, then the salt length
+ * is maximal given the space in |EM|.
  *
  * It returns one on success or zero on error. */
 OPENSSL_EXPORT int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, uint8_t *EM,
@@ -314,7 +316,6 @@ OPENSSL_EXPORT int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, uint8_t *EM,
                                                   int sLen);
 
 
-
 /* ASN.1 functions. */
 
 /* d2i_RSAPublicKey parses an ASN.1, DER-encoded, RSA public key from |len|
@@ -348,7 +349,7 @@ OPENSSL_EXPORT int i2d_RSAPrivateKey(const RSA *in, uint8_t **outp);
 
 /* ex_data functions.
  *
- * These functions are wrappers. See |ex_data.h| for details. */
+ * See |ex_data.h| for details. */
 
 OPENSSL_EXPORT int RSA_get_ex_new_index(long argl, void *argp,
                                         CRYPTO_EX_new *new_func,
@@ -477,18 +478,21 @@ struct rsa_st {
   int references;
   int flags;
 
-  /* Used to cache montgomery values */
+  CRYPTO_MUTEX lock;
+
+  /* Used to cache montgomery values. The creation of these values is protected
+   * by |lock|. */
   BN_MONT_CTX *_method_mod_n;
   BN_MONT_CTX *_method_mod_p;
   BN_MONT_CTX *_method_mod_q;
 
   /* num_blindings contains the size of the |blindings| and |blindings_inuse|
    * arrays. This member and the |blindings_inuse| array are protected by
-   * CRYPTO_LOCK_RSA_BLINDING. */
+   * |lock|. */
   unsigned num_blindings;
   /* blindings is an array of BN_BLINDING structures that can be reserved by a
-   * thread by locking CRYPTO_LOCK_RSA_BLINDING and changing the corresponding
-   * element in |blindings_inuse| from 0 to 1. */
+   * thread by locking |lock| and changing the corresponding element in
+   * |blindings_inuse| from 0 to 1. */
   BN_BLINDING **blindings;
   unsigned char *blindings_inuse;
 };
@@ -498,79 +502,74 @@ struct rsa_st {
 }  /* extern C */
 #endif
 
-#define RSA_F_RSA_padding_check_none 100
-#define RSA_F_RSA_padding_add_none 101
-#define RSA_F_RSA_padding_check_PKCS1_OAEP_mgf1 102
-#define RSA_F_RSA_verify_PKCS1_PSS_mgf1 103
-#define RSA_F_RSA_padding_add_PKCS1_PSS_mgf1 104
-#define RSA_F_RSA_verify 105
-#define RSA_F_rsa_setup_blinding 106
-#define RSA_F_verify_raw 107
-#define RSA_F_RSA_padding_add_PKCS1_type_1 108
-#define RSA_F_keygen 109
-#define RSA_F_RSA_padding_add_PKCS1_OAEP_mgf1 110
-#define RSA_F_pkcs1_prefixed_msg 111
-#define RSA_F_BN_BLINDING_update 112
-#define RSA_F_RSA_padding_check_SSLv23 113
-#define RSA_F_RSA_padding_add_SSLv23 114
-#define RSA_F_BN_BLINDING_new 115
-#define RSA_F_RSA_padding_add_PKCS1_type_2 116
-#define RSA_F_BN_BLINDING_convert_ex 117
-#define RSA_F_BN_BLINDING_invert_ex 118
-#define RSA_F_encrypt 119
-#define RSA_F_sign_raw 120
-#define RSA_F_RSA_new_method 121
-#define RSA_F_RSA_padding_check_PKCS1_type_1 122
-#define RSA_F_RSA_sign 123
-#define RSA_F_BN_BLINDING_create_param 124
-#define RSA_F_decrypt 125
-#define RSA_F_RSA_padding_check_PKCS1_type_2 126
-#define RSA_F_RSA_recover_crt_params 127
-#define RSA_F_RSA_check_key 128
-#define RSA_F_private_transform 129
-#define RSA_R_INVALID_MESSAGE_LENGTH 100
-#define RSA_R_NO_PUBLIC_EXPONENT 102
-#define RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 103
-#define RSA_R_BLOCK_TYPE_IS_NOT_01 104
-#define RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE 105
-#define RSA_R_UNKNOWN_PADDING_TYPE 106
-#define RSA_R_TOO_MANY_ITERATIONS 107
-#define RSA_R_SLEN_RECOVERY_FAILED 108
-#define RSA_R_WRONG_SIGNATURE_LENGTH 109
-#define RSA_R_MODULUS_TOO_LARGE 110
-#define RSA_R_NULL_BEFORE_BLOCK_MISSING 111
-#define RSA_R_DATA_TOO_LARGE 112
-#define RSA_R_OUTPUT_BUFFER_TOO_SMALL 113
-#define RSA_R_SLEN_CHECK_FAILED 114
-#define RSA_R_FIRST_OCTET_INVALID 115
-#define RSA_R_BAD_E_VALUE 116
-#define RSA_R_DATA_TOO_LARGE_FOR_MODULUS 117
-#define RSA_R_EMPTY_PUBLIC_KEY 118
-#define RSA_R_BAD_PAD_BYTE_COUNT 119
-#define RSA_R_OAEP_DECODING_ERROR 120
-#define RSA_R_TOO_LONG 121
-#define RSA_R_BAD_FIXED_HEADER_DECRYPT 122
-#define RSA_R_DATA_TOO_SMALL 123
-#define RSA_R_UNKNOWN_ALGORITHM_TYPE 124
-#define RSA_R_PADDING_CHECK_FAILED 125
-#define RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 126
-#define RSA_R_BLOCK_TYPE_IS_NOT_02 127
-#define RSA_R_LAST_OCTET_INVALID 128
-#define RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY 129
-#define RSA_R_SSLV3_ROLLBACK_ATTACK 130
-#define RSA_R_KEY_SIZE_TOO_SMALL 131
-#define RSA_R_BAD_SIGNATURE 132
-#define RSA_R_BN_NOT_INITIALIZED 133
-#define RSA_R_PKCS_DECODING_ERROR 134
-#define RSA_R_BAD_RSA_PARAMETERS 135
-#define RSA_R_INTERNAL_ERROR 136
-#define RSA_R_CRT_PARAMS_ALREADY_GIVEN 137
-#define RSA_R_D_E_NOT_CONGRUENT_TO_1 138
+#define RSA_F_BN_BLINDING_convert_ex 100
+#define RSA_F_BN_BLINDING_create_param 101
+#define RSA_F_BN_BLINDING_invert_ex 102
+#define RSA_F_BN_BLINDING_new 103
+#define RSA_F_BN_BLINDING_update 104
+#define RSA_F_RSA_check_key 105
+#define RSA_F_RSA_new_method 106
+#define RSA_F_RSA_padding_add_PKCS1_OAEP_mgf1 107
+#define RSA_F_RSA_padding_add_PKCS1_PSS_mgf1 108
+#define RSA_F_RSA_padding_add_PKCS1_type_1 109
+#define RSA_F_RSA_padding_add_PKCS1_type_2 110
+#define RSA_F_RSA_padding_add_none 111
+#define RSA_F_RSA_padding_check_PKCS1_OAEP_mgf1 112
+#define RSA_F_RSA_padding_check_PKCS1_type_1 113
+#define RSA_F_RSA_padding_check_PKCS1_type_2 114
+#define RSA_F_RSA_padding_check_none 115
+#define RSA_F_RSA_recover_crt_params 116
+#define RSA_F_RSA_sign 117
+#define RSA_F_RSA_verify 118
+#define RSA_F_RSA_verify_PKCS1_PSS_mgf1 119
+#define RSA_F_decrypt 120
+#define RSA_F_encrypt 121
+#define RSA_F_keygen 122
+#define RSA_F_pkcs1_prefixed_msg 123
+#define RSA_F_private_transform 124
+#define RSA_F_rsa_setup_blinding 125
+#define RSA_F_sign_raw 126
+#define RSA_F_verify_raw 127
+#define RSA_R_BAD_E_VALUE 100
+#define RSA_R_BAD_FIXED_HEADER_DECRYPT 101
+#define RSA_R_BAD_PAD_BYTE_COUNT 102
+#define RSA_R_BAD_RSA_PARAMETERS 103
+#define RSA_R_BAD_SIGNATURE 104
+#define RSA_R_BLOCK_TYPE_IS_NOT_01 105
+#define RSA_R_BN_NOT_INITIALIZED 106
+#define RSA_R_CRT_PARAMS_ALREADY_GIVEN 107
+#define RSA_R_CRT_VALUES_INCORRECT 108
+#define RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN 109
+#define RSA_R_DATA_TOO_LARGE 110
+#define RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 111
+#define RSA_R_DATA_TOO_LARGE_FOR_MODULUS 112
+#define RSA_R_DATA_TOO_SMALL 113
+#define RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE 114
+#define RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY 115
+#define RSA_R_D_E_NOT_CONGRUENT_TO_1 116
+#define RSA_R_EMPTY_PUBLIC_KEY 117
+#define RSA_R_FIRST_OCTET_INVALID 118
+#define RSA_R_INCONSISTENT_SET_OF_CRT_VALUES 119
+#define RSA_R_INTERNAL_ERROR 120
+#define RSA_R_INVALID_MESSAGE_LENGTH 121
+#define RSA_R_KEY_SIZE_TOO_SMALL 122
+#define RSA_R_LAST_OCTET_INVALID 123
+#define RSA_R_MODULUS_TOO_LARGE 124
+#define RSA_R_NO_PUBLIC_EXPONENT 125
+#define RSA_R_NULL_BEFORE_BLOCK_MISSING 126
+#define RSA_R_N_NOT_EQUAL_P_Q 127
+#define RSA_R_OAEP_DECODING_ERROR 128
+#define RSA_R_ONLY_ONE_OF_P_Q_GIVEN 129
+#define RSA_R_OUTPUT_BUFFER_TOO_SMALL 130
+#define RSA_R_PADDING_CHECK_FAILED 131
+#define RSA_R_PKCS_DECODING_ERROR 132
+#define RSA_R_SLEN_CHECK_FAILED 133
+#define RSA_R_SLEN_RECOVERY_FAILED 134
+#define RSA_R_TOO_LONG 135
+#define RSA_R_TOO_MANY_ITERATIONS 136
+#define RSA_R_UNKNOWN_ALGORITHM_TYPE 137
+#define RSA_R_UNKNOWN_PADDING_TYPE 138
 #define RSA_R_VALUE_MISSING 139
-#define RSA_R_N_NOT_EQUAL_P_Q 140
-#define RSA_R_CRT_VALUES_INCORRECT 141
-#define RSA_R_INCONSISTENT_SET_OF_CRT_VALUES 142
-#define RSA_R_ONLY_ONE_OF_P_Q_GIVEN 143
-#define RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN 144
+#define RSA_R_WRONG_SIGNATURE_LENGTH 140
 
 #endif  /* OPENSSL_HEADER_RSA_H */
diff --git a/src/include/openssl/safe_stack.h b/src/include/openssl/safestack.h
index 6e5e433..6e5e433 100644
--- a/src/include/openssl/safe_stack.h
+++ b/src/include/openssl/safestack.h
diff --git a/src/include/openssl/ssl.h b/src/include/openssl/ssl.h
index ef73c8d..b746007 100644
--- a/src/include/openssl/ssl.h
+++ b/src/include/openssl/ssl.h
@@ -140,8 +140,8 @@
  * OTHERWISE.
  */
 
-#ifndef HEADER_SSL_H
-#define HEADER_SSL_H
+#ifndef OPENSSL_HEADER_SSL_H
+#define OPENSSL_HEADER_SSL_H
 
 #include <openssl/base.h>
 
@@ -152,17 +152,132 @@
 #include <openssl/pem.h>
 #include <openssl/x509.h>
 
+#if !defined(OPENSSL_WINDOWS)
+#include <sys/time.h>
+#endif
+
 /* Some code expected to get the threading functions by including ssl.h. */
 #include <openssl/thread.h>
 
 /* wpa_supplicant expects to get the version functions from ssl.h */
 #include <openssl/crypto.h>
 
-#ifdef  __cplusplus
+/* Forward-declare struct timeval. On Windows, it is defined in winsock2.h and
+ * Windows headers define too many macros to be included in public headers.
+ * However, only a forward declaration is needed. */
+struct timeval;
+
+#if defined(__cplusplus)
 extern "C" {
 #endif
 
 
+/* SSL implementation. */
+
+
+/* Initialization. */
+
+/* SSL_library_init initializes the crypto and SSL libraries and returns one. */
+OPENSSL_EXPORT int SSL_library_init(void);
+
+
+/* Protocol version constants */
+
+#define SSL3_VERSION 0x0300
+#define SSL3_VERSION_MAJOR 0x03
+#define SSL3_VERSION_MINOR 0x00
+
+#define TLS1_2_VERSION 0x0303
+#define TLS1_2_VERSION_MAJOR 0x03
+#define TLS1_2_VERSION_MINOR 0x03
+
+#define TLS1_1_VERSION 0x0302
+#define TLS1_1_VERSION_MAJOR 0x03
+#define TLS1_1_VERSION_MINOR 0x02
+
+#define TLS1_VERSION 0x0301
+#define TLS1_VERSION_MAJOR 0x03
+#define TLS1_VERSION_MINOR 0x01
+
+#define DTLS1_VERSION 0xFEFF
+#define DTLS1_2_VERSION 0xFEFD
+
+
+/* Cipher suites. */
+
+/* An SSL_CIPHER represents a cipher suite. */
+typedef struct ssl_cipher_st {
+  /* name is the OpenSSL name for the cipher. */
+  const char *name;
+  /* id is the cipher suite value bitwise OR-d with 0x03000000. */
+  uint32_t id;
+
+  /* The following are internal fields. See ssl/internal.h for their values. */
+
+  uint32_t algorithm_mkey;
+  uint32_t algorithm_auth;
+  uint32_t algorithm_enc;
+  uint32_t algorithm_mac;
+  uint32_t algorithm_ssl;
+  uint32_t algo_strength;
+
+  /* algorithm2 contains extra flags. See ssl/internal.h. */
+  uint32_t algorithm2;
+
+  /* strength_bits is the strength of the cipher in bits. */
+  int strength_bits;
+  /* alg_bits is the number of bits of key material used by the algorithm. */
+  int alg_bits;
+} SSL_CIPHER;
+
+DECLARE_STACK_OF(SSL_CIPHER)
+
+/* SSL_get_cipher_by_value returns the structure representing a TLS cipher
+ * suite based on its assigned number, or NULL if unknown. See
+ * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4. */
+OPENSSL_EXPORT const SSL_CIPHER *SSL_get_cipher_by_value(uint16_t value);
+
+/* SSL_CIPHER_get_id returns |cipher|'s id. It may be cast to a |uint16_t| to
+ * get the cipher suite value. */
+OPENSSL_EXPORT uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_is_AES returns one if |cipher| uses AES (either GCM or CBC
+ * mode). */
+OPENSSL_EXPORT int SSL_CIPHER_is_AES(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_has_MD5_HMAC returns one if |cipher| uses HMAC-MD5. */
+OPENSSL_EXPORT int SSL_CIPHER_has_MD5_HMAC(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_is_AESGCM returns one if |cipher| uses AES-GCM. */
+OPENSSL_EXPORT int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_is_CHACHA20POLY1305 returns one if |cipher| uses
+ * CHACHA20_POLY1305. */
+OPENSSL_EXPORT int SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_get_name returns the OpenSSL name of |cipher|. */
+OPENSSL_EXPORT const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_get_kx_name returns a string that describes the key-exchange
+ * method used by |cipher|. For example, "ECDHE_ECDSA". */
+OPENSSL_EXPORT const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_get_rfc_name returns a newly-allocated string with the standard
+ * name for |cipher|. For example, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256". The
+ * caller is responsible for calling |OPENSSL_free| on the result. */
+OPENSSL_EXPORT char *SSL_CIPHER_get_rfc_name(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_get_bits returns the strength, in bits, of |cipher|. If
+ * |out_alg_bits| is not NULL, it writes the number of bits consumed by the
+ * symmetric algorithm to |*out_alg_bits|. */
+OPENSSL_EXPORT int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher,
+                                       int *out_alg_bits);
+
+
+/* Underdocumented functions.
+ *
+ * Functions below here haven't been touched up and may be underdocumented. */
+
 /* SSLeay version number for ASN.1 encoding of the session information */
 /* Version 0 - initial version
  * Version 1 - added the optional peer certificate. */
@@ -178,11 +293,11 @@ extern "C" {
 #define SSL_TXT_HIGH "HIGH"
 #define SSL_TXT_FIPS "FIPS"
 
-#define SSL_TXT_aNULL "aNULL"
-
 #define SSL_TXT_kRSA "kRSA"
-#define SSL_TXT_kEDH "kEDH"
-#define SSL_TXT_kEECDH "kEECDH"
+#define SSL_TXT_kDHE "kDHE"
+#define SSL_TXT_kEDH "kEDH" /* same as "kDHE" */
+#define SSL_TXT_kECDHE "kECDHE"
+#define SSL_TXT_kEECDH "kEECDH" /* same as "kECDHE" */
 #define SSL_TXT_kPSK "kPSK"
 
 #define SSL_TXT_aRSA "aRSA"
@@ -190,12 +305,12 @@ extern "C" {
 #define SSL_TXT_aPSK "aPSK"
 
 #define SSL_TXT_DH "DH"
-#define SSL_TXT_EDH "EDH" /* same as "kEDH:-ADH" */
-#define SSL_TXT_ADH "ADH"
+#define SSL_TXT_DHE "DHE" /* same as "kDHE" */
+#define SSL_TXT_EDH "EDH" /* same as "DHE" */
 #define SSL_TXT_RSA "RSA"
 #define SSL_TXT_ECDH "ECDH"
-#define SSL_TXT_EECDH "EECDH" /* same as "kEECDH:-AECDH" */
-#define SSL_TXT_AECDH "AECDH"
+#define SSL_TXT_ECDHE "ECDHE" /* same as "kECDHE" */
+#define SSL_TXT_EECDH "EECDH" /* same as "ECDHE" */
 #define SSL_TXT_ECDSA "ECDSA"
 #define SSL_TXT_PSK "PSK"
 
@@ -237,7 +352,7 @@ extern "C" {
 
 /* The following cipher list is used by default. It also is substituted when an
  * application-defined cipher list string starts with 'DEFAULT'. */
-#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2"
+#define SSL_DEFAULT_CIPHER_LIST "ALL"
 
 /* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
  * starts with a reasonable order, and all we have to do for DEFAULT is
@@ -253,14 +368,11 @@ extern "C" {
 
 typedef struct ssl_method_st SSL_METHOD;
 typedef struct ssl_protocol_method_st SSL_PROTOCOL_METHOD;
-typedef struct ssl_cipher_st SSL_CIPHER;
 typedef struct ssl_session_st SSL_SESSION;
 typedef struct tls_sigalgs_st TLS_SIGALGS;
 typedef struct ssl_conf_ctx_st SSL_CONF_CTX;
 typedef struct ssl3_enc_method SSL3_ENC_METHOD;
 
-DECLARE_STACK_OF(SSL_CIPHER)
-
 /* SRTP protection profiles for use with the use_srtp extension (RFC 5764). */
 typedef struct srtp_protection_profile_st {
   const char *name;
@@ -269,28 +381,6 @@ typedef struct srtp_protection_profile_st {
 
 DECLARE_STACK_OF(SRTP_PROTECTION_PROFILE)
 
-/* used to hold info on the particular ciphers used */
-struct ssl_cipher_st {
-  int valid;
-  const char *name; /* text name */
-  unsigned long id; /* id, 4 bytes, first is version */
-
-  /* changed in 0.9.9: these four used to be portions of a single value
-   * 'algorithms' */
-  unsigned long algorithm_mkey; /* key exchange algorithm */
-  unsigned long algorithm_auth; /* server authentication */
-  unsigned long algorithm_enc;  /* symmetric encryption */
-  unsigned long algorithm_mac;  /* symmetric authentication */
-  unsigned long algorithm_ssl;  /* (major) protocol version */
-
-  unsigned long algo_strength; /* strength and export flags */
-  unsigned long algorithm2;    /* Extra flags. See SSL2_CF_* in ssl2.h
-                                  and algorithm2 section in
-                                  ssl_locl.h */
-  int strength_bits;           /* Number of bits really used */
-  int alg_bits;                /* Number of bits for algorithm */
-};
-
 /* An SSL_SESSION represents an SSL session that may be resumed in an
  * abbreviated handshake. */
 struct ssl_session_st {
@@ -382,8 +472,6 @@ struct ssl_session_st {
 
 /* DTLS options */
 #define SSL_OP_NO_QUERY_MTU 0x00001000L
-/* Turn on Cookie Exchange (on relevant for servers) */
-#define SSL_OP_COOKIE_EXCHANGE 0x00002000L
 /* Don't use RFC4507 ticket extension */
 #define SSL_OP_NO_TICKET 0x00004000L
 
@@ -393,9 +481,9 @@ struct ssl_session_st {
 #define SSL_OP_NO_COMPRESSION 0x00020000L
 /* Permit unsafe legacy renegotiation */
 #define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L
-/* If set, always create a new key when using tmp_ecdh parameters */
+/* SSL_OP_SINGLE_ECDH_USE does nothing. */
 #define SSL_OP_SINGLE_ECDH_USE 0x00080000L
-/* If set, always create a new key when using tmp_dh parameters */
+/* SSL_OP_SINGLE_DH_USE does nothing. */
 #define SSL_OP_SINGLE_DH_USE 0x00100000L
 /* Set on servers to choose the cipher according to the server's preferences */
 #define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L
@@ -435,14 +523,11 @@ struct ssl_session_st {
 #define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002L
 /* Don't attempt to automatically build certificate chain */
 #define SSL_MODE_NO_AUTO_CHAIN 0x00000008L
-/* Save RAM by releasing read and write buffers when they're empty. (SSL3 and
- * TLS only.)  "Released" buffers are put onto a free-list in the context or
- * just freed (depending on the context's setting for freelist_max_len). */
-#define SSL_MODE_RELEASE_BUFFERS 0x00000010L
 
 /* The following flags do nothing and are included only to make it easier to
  * compile code with BoringSSL. */
 #define SSL_MODE_AUTO_RETRY 0
+#define SSL_MODE_RELEASE_BUFFERS 0
 
 /* Send the current time in the Random fields of the ClientHello and
  * ServerHello records for compatibility with hypothetical implementations that
@@ -467,9 +552,14 @@ struct ssl_session_st {
 /* Clear verification errors from queue */
 #define SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR 0x10
 
-/* When set, clients may send application data before receipt of CCS and
- * Finished.  This mode enables full-handshakes to 'complete' in one RTT. */
-#define SSL_MODE_HANDSHAKE_CUTTHROUGH 0x00000080L
+/* SSL_MODE_ENABLE_FALSE_START allows clients to send application data before
+ * receipt of CCS and Finished. This mode enables full-handshakes to 'complete'
+ * in one RTT. See draft-bmoeller-tls-falsestart-01. */
+#define SSL_MODE_ENABLE_FALSE_START 0x00000080L
+
+/* Deprecated: SSL_MODE_HANDSHAKE_CUTTHROUGH is the same as
+ * SSL_MODE_ENABLE_FALSE_START. */
+#define SSL_MODE_HANDSHAKE_CUTTHROUGH SSL_MODE_ENABLE_FALSE_START
 
 /* When set, TLS 1.0 and SSLv3, multi-byte, CBC records will be split in two:
  * the first record will contain a single byte and the second will contain the
@@ -482,7 +572,7 @@ struct ssl_session_st {
  * session resumption is used for a given SSL*. */
 #define SSL_MODE_NO_SESSION_CREATION 0x00000200L
 
-/* SSL_MODE_SEND_SERVERHELLO_TIME sends TLS_FALLBACK_SCSV in the ClientHello.
+/* SSL_MODE_SEND_FALLBACK_SCSV sends TLS_FALLBACK_SCSV in the ClientHello.
  * To be set only by applications that reconnect with a downgraded protocol
  * version; see https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-05
  * for details.
@@ -492,38 +582,69 @@ struct ssl_session_st {
  * draft-ietf-tls-downgrade-scsv-05. */
 #define SSL_MODE_SEND_FALLBACK_SCSV 0x00000400L
 
-/* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, they
- * cannot be used to clear bits. */
-
-#define SSL_CTX_set_options(ctx, op) \
-  SSL_CTX_ctrl((ctx), SSL_CTRL_OPTIONS, (op), NULL)
-#define SSL_CTX_clear_options(ctx, op) \
-  SSL_CTX_ctrl((ctx), SSL_CTRL_CLEAR_OPTIONS, (op), NULL)
-#define SSL_CTX_get_options(ctx) SSL_CTX_ctrl((ctx), SSL_CTRL_OPTIONS, 0, NULL)
-#define SSL_set_options(ssl, op) SSL_ctrl((ssl), SSL_CTRL_OPTIONS, (op), NULL)
-#define SSL_clear_options(ssl, op) \
-  SSL_ctrl((ssl), SSL_CTRL_CLEAR_OPTIONS, (op), NULL)
-#define SSL_get_options(ssl) SSL_ctrl((ssl), SSL_CTRL_OPTIONS, 0, NULL)
-
-#define SSL_CTX_set_mode(ctx, op) SSL_CTX_ctrl((ctx), SSL_CTRL_MODE, (op), NULL)
-#define SSL_CTX_clear_mode(ctx, op) \
-  SSL_CTX_ctrl((ctx), SSL_CTRL_CLEAR_MODE, (op), NULL)
-#define SSL_CTX_get_mode(ctx) SSL_CTX_ctrl((ctx), SSL_CTRL_MODE, 0, NULL)
-#define SSL_clear_mode(ssl, op) SSL_ctrl((ssl), SSL_CTRL_CLEAR_MODE, (op), NULL)
-#define SSL_set_mode(ssl, op) SSL_ctrl((ssl), SSL_CTRL_MODE, (op), NULL)
-#define SSL_get_mode(ssl) SSL_ctrl((ssl), SSL_CTRL_MODE, 0, NULL)
-#define SSL_set_mtu(ssl, mtu) SSL_ctrl((ssl), SSL_CTRL_SET_MTU, (mtu), NULL)
-
-#define SSL_get_secure_renegotiation_support(ssl) \
-  SSL_ctrl((SSL *)(ssl), SSL_CTRL_GET_RI_SUPPORT, 0, NULL)
-
-#define SSL_CTX_set_cert_flags(ctx, op) \
-  SSL_CTX_ctrl((ctx), SSL_CTRL_CERT_FLAGS, (op), NULL)
-#define SSL_set_cert_flags(s, op) SSL_ctrl((s), SSL_CTRL_CERT_FLAGS, (op), NULL)
-#define SSL_CTX_clear_cert_flags(ctx, op) \
-  SSL_CTX_ctrl((ctx), SSL_CTRL_CLEAR_CERT_FLAGS, (op), NULL)
-#define SSL_clear_cert_flags(s, op) \
-  SSL_ctrl((s), SSL_CTRL_CLEAR_CERT_FLAGS, (op), NULL)
+/* SSL_CTX_set_options enables all options set in |options| (which should be one
+ * or more of the |SSL_OP_*| values, ORed together) in |ctx|. It returns a
+ * bitmask representing the resulting enabled options. */
+OPENSSL_EXPORT uint32_t SSL_CTX_set_options(SSL_CTX *ctx, uint32_t options);
+
+/* SSL_CTX_clear_options disables all options set in |options| (which should be
+ * one or more of the |SSL_OP_*| values, ORed together) in |ctx|. It returns a
+ * bitmask representing the resulting enabled options. */
+OPENSSL_EXPORT uint32_t SSL_CTX_clear_options(SSL_CTX *ctx, uint32_t options);
+
+/* SSL_CTX_get_options returns a bitmask of |SSL_OP_*| values that represent all
+ * the options enabled for |ctx|. */
+OPENSSL_EXPORT uint32_t SSL_CTX_get_options(const SSL_CTX *ctx);
+
+/* SSL_set_options enables all options set in |options| (which should be one or
+ * more of the |SSL_OP_*| values, ORed together) in |ssl|. It returns a bitmask
+ * representing the resulting enabled options. */
+OPENSSL_EXPORT uint32_t SSL_set_options(SSL *ssl, uint32_t options);
+
+/* SSL_clear_options disables all options set in |options| (which should be one
+ * or more of the |SSL_OP_*| values, ORed together) in |ssl|. It returns a
+ * bitmask representing the resulting enabled options. */
+OPENSSL_EXPORT uint32_t SSL_clear_options(SSL *ssl, uint32_t options);
+
+/* SSL_get_options returns a bitmask of |SSL_OP_*| values that represent all the
+ * options enabled for |ssl|. */
+OPENSSL_EXPORT uint32_t SSL_get_options(const SSL *ssl);
+
+/* SSL_CTX_set_mode enables all modes set in |mode| (which should be one or more
+ * of the |SSL_MODE_*| values, ORed together) in |ctx|. It returns a bitmask
+ * representing the resulting enabled modes. */
+OPENSSL_EXPORT uint32_t SSL_CTX_set_mode(SSL_CTX *ctx, uint32_t mode);
+
+/* SSL_CTX_clear_mode disables all modes set in |mode| (which should be one or
+ * more of the |SSL_MODE_*| values, ORed together) in |ctx|. It returns a
+ * bitmask representing the resulting enabled modes. */
+OPENSSL_EXPORT uint32_t SSL_CTX_clear_mode(SSL_CTX *ctx, uint32_t mode);
+
+/* SSL_CTX_get_mode returns a bitmask of |SSL_MODE_*| values that represent all
+ * the modes enabled for |ssl|. */
+OPENSSL_EXPORT uint32_t SSL_CTX_get_mode(const SSL_CTX *ctx);
+
+/* SSL_set_mode enables all modes set in |mode| (which should be one or more of
+ * the |SSL_MODE_*| values, ORed together) in |ssl|. It returns a bitmask
+ * representing the resulting enabled modes. */
+OPENSSL_EXPORT uint32_t SSL_set_mode(SSL *ssl, uint32_t mode);
+
+/* SSL_clear_mode disables all modes set in |mode| (which should be one or more
+ * of the |SSL_MODE_*| values, ORed together) in |ssl|. It returns a bitmask
+ * representing the resulting enabled modes. */
+OPENSSL_EXPORT uint32_t SSL_clear_mode(SSL *ssl, uint32_t mode);
+
+/* SSL_get_mode returns a bitmask of |SSL_MODE_*| values that represent all the
+ * modes enabled for |ssl|. */
+OPENSSL_EXPORT uint32_t SSL_get_mode(const SSL *ssl);
+
+/* SSL_set_mtu sets the |ssl|'s MTU in DTLS to |mtu|. It returns one on success
+ * and zero on failure. */
+OPENSSL_EXPORT int SSL_set_mtu(SSL *ssl, unsigned mtu);
+
+/* SSL_get_secure_renegotiation_support returns one if the peer supports secure
+ * renegotiation (RFC 5746) and zero otherwise. */
+OPENSSL_EXPORT int SSL_get_secure_renegotiation_support(const SSL *ssl);
 
 /* SSL_CTX_set_min_version sets the minimum protocol version for |ctx| to
  * |version|. */
@@ -541,16 +662,36 @@ OPENSSL_EXPORT void SSL_set_min_version(SSL *ssl, uint16_t version);
  * |version|. */
 OPENSSL_EXPORT void SSL_set_max_version(SSL *ssl, uint16_t version);
 
+/* SSL_CTX_set_msg_callback installs |cb| as the message callback for |ctx|.
+ * This callback will be called when sending or receiving low-level record
+ * headers, complete handshake messages, ChangeCipherSpec, and alerts.
+ * |write_p| is one for outgoing messages and zero for incoming messages.
+ *
+ * For each record header, |cb| is called with |version| = 0 and |content_type|
+ * = |SSL3_RT_HEADER|. The |len| bytes from |buf| contain the header. Note that
+ * this does not include the record body. If the record is sealed, the length
+ * in the header is the length of the ciphertext.
+ *
+ * For each handshake message, ChangeCipherSpec, and alert, |version| is the
+ * protocol version and |content_type| is the corresponding record type. The
+ * |len| bytes from |buf| contain the handshake message, one-byte
+ * ChangeCipherSpec body, and two-byte alert, respectively. */
 OPENSSL_EXPORT void SSL_CTX_set_msg_callback(
     SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type,
                              const void *buf, size_t len, SSL *ssl, void *arg));
+
+/* SSL_CTX_set_msg_callback_arg sets the |arg| parameter of the message
+ * callback. */
+OPENSSL_EXPORT void SSL_CTX_set_msg_callback_arg(SSL_CTX *ctx, void *arg);
+
+/* SSL_set_msg_callback installs |cb| as the message callback of |ssl|. See
+ * |SSL_CTX_set_msg_callback| for when this callback is called. */
 OPENSSL_EXPORT void SSL_set_msg_callback(
     SSL *ssl, void (*cb)(int write_p, int version, int content_type,
                          const void *buf, size_t len, SSL *ssl, void *arg));
-#define SSL_CTX_set_msg_callback_arg(ctx, arg) \
-  SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
-#define SSL_set_msg_callback_arg(ssl, arg) \
-  SSL_ctrl((ssl), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
+
+/* set_msg_callback_arg sets the |arg| parameter of the message callback. */
+OPENSSL_EXPORT void SSL_set_msg_callback_arg(SSL *ssl, void *arg);
 
 /* SSL_CTX_set_keylog_bio sets configures all SSL objects attached to |ctx| to
  * log session material to |keylog_bio|. This is intended for debugging use
@@ -686,6 +827,10 @@ struct ssl_ctx_st {
   struct ssl_session_st *session_cache_head;
   struct ssl_session_st *session_cache_tail;
 
+  /* handshakes_since_cache_flush is the number of successful handshakes since
+   * the last cache flush. */
+  int handshakes_since_cache_flush;
+
   /* This can have one of 2 values, ored together,
    * SSL_SESS_CACHE_CLIENT,
    * SSL_SESS_CACHE_SERVER,
@@ -709,26 +854,6 @@ struct ssl_ctx_st {
   SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, uint8_t *data, int len,
                                  int *copy);
 
-  /* TODO(agl): remove the stats stuff. */
-  struct {
-    int sess_connect;             /* SSL new conn - started */
-    int sess_connect_renegotiate; /* SSL reneg - requested */
-    int sess_connect_good;        /* SSL new conne/reneg - finished */
-    int sess_accept;              /* SSL new accept - started */
-    int sess_accept_renegotiate;  /* SSL reneg - requested */
-    int sess_accept_good;         /* SSL accept/reneg - finished */
-    int sess_miss;                /* session lookup misses  */
-    int sess_timeout;             /* reuse attempt on timeouted session */
-    int sess_cache_full;          /* session removed due to full cache */
-    int sess_hit;                 /* session reuse actually done */
-    int sess_cb_hit;              /* session-id that was not
-                                   * in the cache was
-                                   * passed back via the callback.  This
-                                   * indicates that the application is
-                                   * supplying session-id's from other
-                                   * processes - spooky :-) */
-  } stats;
-
   int references;
 
   /* if defined, these override the X509_verify_cert() calls */
@@ -749,13 +874,6 @@ struct ssl_ctx_st {
   /* get channel id callback */
   void (*channel_id_cb)(SSL *ssl, EVP_PKEY **pkey);
 
-  /* cookie generate callback */
-  int (*app_gen_cookie_cb)(SSL *ssl, uint8_t *cookie, size_t *cookie_len);
-
-  /* verify cookie callback */
-  int (*app_verify_cookie_cb)(SSL *ssl, const uint8_t *cookie,
-                              size_t cookie_len);
-
   CRYPTO_EX_DATA ex_data;
 
   STACK_OF(X509) *extra_certs;
@@ -773,9 +891,9 @@ struct ssl_ctx_st {
   /* Default values to use in SSL structures follow (these are copied by
    * SSL_new) */
 
-  unsigned long options;
-  unsigned long mode;
-  long max_cert_list;
+  uint32_t options;
+  uint32_t mode;
+  uint32_t max_cert_list;
 
   struct cert_st /* CERT */ *cert;
   int read_ahead;
@@ -800,16 +918,22 @@ struct ssl_ctx_st {
    * before the decision whether to resume a session is made. It may return one
    * to continue the handshake or zero to cause the handshake loop to return
    * with an error and cause SSL_get_error to return
-   * SSL_ERROR_PENDING_CERTIFICATE. */
+   * SSL_ERROR_PENDING_CERTIFICATE. Note: when the handshake loop is resumed, it
+   * will not call the callback a second time. */
   int (*select_certificate_cb)(const struct ssl_early_callback_ctx *);
 
+  /* dos_protection_cb is called once the resumption decision for a ClientHello
+   * has been made. It returns one to continue the handshake or zero to
+   * abort. */
+  int (*dos_protection_cb) (const struct ssl_early_callback_ctx *);
+
   /* quiet_shutdown is true if the connection should not send a close_notify on
    * shutdown. */
   int quiet_shutdown;
 
   /* Maximum amount of data to send in one fragment. actual record size can be
    * more than this due to padding and MAC overheads. */
-  unsigned int max_send_fragment;
+  uint16_t max_send_fragment;
 
   /* TLS extensions servername callback */
   int (*tlsext_servername_callback)(SSL *, int *, void *);
@@ -822,11 +946,6 @@ struct ssl_ctx_st {
   int (*tlsext_ticket_key_cb)(SSL *ssl, uint8_t *name, uint8_t *iv,
                               EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc);
 
-  /* certificate status request info */
-  /* Callback for status request */
-  int (*tlsext_status_cb)(SSL *ssl, void *arg);
-  void *tlsext_status_arg;
-
   /* Server-only: psk_identity_hint is the default identity hint to send in
    * PSK-based key exchanges. */
   char *psk_identity_hint;
@@ -906,47 +1025,17 @@ struct ssl_ctx_st {
   /* If not NULL, session key material will be logged to this BIO for debugging
    * purposes. The format matches NSS's and is readable by Wireshark. */
   BIO *keylog_bio;
-};
 
-#define SSL_SESS_CACHE_OFF 0x0000
-#define SSL_SESS_CACHE_CLIENT 0x0001
-#define SSL_SESS_CACHE_SERVER 0x0002
-#define SSL_SESS_CACHE_BOTH (SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_SERVER)
-#define SSL_SESS_CACHE_NO_AUTO_CLEAR 0x0080
-/* See SSL_CTX_set_session_cache_mode(3) */
-#define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 0x0100
-#define SSL_SESS_CACHE_NO_INTERNAL_STORE 0x0200
-#define SSL_SESS_CACHE_NO_INTERNAL \
-  (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP | SSL_SESS_CACHE_NO_INTERNAL_STORE)
+  /* current_time_cb, if not NULL, is the function to use to get the current
+   * time. It sets |*out_clock| to the current time. */
+  void (*current_time_cb)(const SSL *ssl, struct timeval *out_clock);
+};
 
 OPENSSL_EXPORT LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx);
-#define SSL_CTX_sess_number(ctx) \
-  SSL_CTX_ctrl(ctx, SSL_CTRL_SESS_NUMBER, 0, NULL)
-#define SSL_CTX_sess_connect(ctx) \
-  SSL_CTX_ctrl(ctx, SSL_CTRL_SESS_CONNECT, 0, NULL)
-#define SSL_CTX_sess_connect_good(ctx) \
-  SSL_CTX_ctrl(ctx, SSL_CTRL_SESS_CONNECT_GOOD, 0, NULL)
-#define SSL_CTX_sess_connect_renegotiate(ctx) \
-  SSL_CTX_ctrl(ctx, SSL_CTRL_SESS_CONNECT_RENEGOTIATE, 0, NULL)
-#define SSL_CTX_sess_accept(ctx) \
-  SSL_CTX_ctrl(ctx, SSL_CTRL_SESS_ACCEPT, 0, NULL)
-#define SSL_CTX_sess_accept_renegotiate(ctx) \
-  SSL_CTX_ctrl(ctx, SSL_CTRL_SESS_ACCEPT_RENEGOTIATE, 0, NULL)
-#define SSL_CTX_sess_accept_good(ctx) \
-  SSL_CTX_ctrl(ctx, SSL_CTRL_SESS_ACCEPT_GOOD, 0, NULL)
-#define SSL_CTX_sess_hits(ctx) SSL_CTX_ctrl(ctx, SSL_CTRL_SESS_HIT, 0, NULL)
-#define SSL_CTX_sess_cb_hits(ctx) \
-  SSL_CTX_ctrl(ctx, SSL_CTRL_SESS_CB_HIT, 0, NULL)
-#define SSL_CTX_sess_misses(ctx) \
-  SSL_CTX_ctrl(ctx, SSL_CTRL_SESS_MISSES, 0, NULL)
-#define SSL_CTX_sess_timeouts(ctx) \
-  SSL_CTX_ctrl(ctx, SSL_CTRL_SESS_TIMEOUTS, 0, NULL)
-#define SSL_CTX_sess_cache_full(ctx) \
-  SSL_CTX_ctrl(ctx, SSL_CTRL_SESS_CACHE_FULL, 0, NULL)
-/* SSL_CTX_enable_tls_channel_id configures a TLS server to accept TLS client
- * IDs from clients. Returns 1 on success. */
-#define SSL_CTX_enable_tls_channel_id(ctx) \
-  SSL_CTX_ctrl(ctx, SSL_CTRL_CHANNEL_ID, 0, NULL)
+
+/* SSL_CTX_sess_number returns the number of sessions in |ctx|'s internal
+ * session cache. */
+OPENSSL_EXPORT size_t SSL_CTX_sess_number(const SSL_CTX *ctx);
 
 OPENSSL_EXPORT void SSL_CTX_sess_set_new_cb(
     SSL_CTX *ctx, int (*new_session_cb)(struct ssl_st *ssl, SSL_SESSION *sess));
@@ -984,13 +1073,6 @@ OPENSSL_EXPORT void SSL_CTX_set_channel_id_cb(
     SSL_CTX *ctx, void (*channel_id_cb)(SSL *ssl, EVP_PKEY **pkey));
 OPENSSL_EXPORT void (*SSL_CTX_get_channel_id_cb(SSL_CTX *ctx))(SSL *ssl,
                                                                EVP_PKEY **pkey);
-OPENSSL_EXPORT void SSL_CTX_set_cookie_generate_cb(
-    SSL_CTX *ctx,
-    int (*app_gen_cookie_cb)(SSL *ssl, uint8_t *cookie, size_t *cookie_len));
-OPENSSL_EXPORT void SSL_CTX_set_cookie_verify_cb(
-    SSL_CTX *ctx, int (*app_verify_cookie_cb)(SSL *ssl, const uint8_t *cookie,
-                                              size_t cookie_len));
-
 
 /* SSL_enable_signed_cert_timestamps causes |ssl| (which must be the client end
  * of a connection) to request SCTs from the server. See
@@ -1051,10 +1133,24 @@ OPENSSL_EXPORT int SSL_select_next_proto(uint8_t **out, uint8_t *outlen,
 #define OPENSSL_NPN_NEGOTIATED 1
 #define OPENSSL_NPN_NO_OVERLAP 2
 
+/* SSL_CTX_set_alpn_protos sets the ALPN protocol list on |ctx| to |protos|.
+ * |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
+ * length-prefixed strings). It returns zero on success and one on failure.
+ *
+ * WARNING: this function is dangerous because it breaks the usual return value
+ * convention. */
 OPENSSL_EXPORT int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const uint8_t *protos,
                                            unsigned protos_len);
+
+/* SSL_set_alpn_protos sets the ALPN protocol list on |ssl| to |protos|.
+ * |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
+ * length-prefixed strings). It returns zero on success and one on failure.
+ *
+ * WARNING: this function is dangerous because it breaks the usual return value
+ * convention. */
 OPENSSL_EXPORT int SSL_set_alpn_protos(SSL *ssl, const uint8_t *protos,
                                        unsigned protos_len);
+
 OPENSSL_EXPORT void SSL_CTX_set_alpn_select_cb(
     SSL_CTX *ctx, int (*cb)(SSL *ssl, const uint8_t **out, uint8_t *outlen,
                             const uint8_t *in, unsigned int inlen, void *arg),
@@ -1067,6 +1163,11 @@ OPENSSL_EXPORT void SSL_get0_alpn_selected(const SSL *ssl, const uint8_t **data,
  * causes 3G radios to switch to DCH mode (high data rate). */
 OPENSSL_EXPORT void SSL_enable_fastradio_padding(SSL *ssl, char on_off);
 
+/* SSL_set_reject_peer_renegotiations controls whether renegotiation attempts by
+ * the peer are rejected. It may be set at any point in a connection's lifetime
+ * to disallow future renegotiations programmatically. */
+OPENSSL_EXPORT void SSL_set_reject_peer_renegotiations(SSL *ssl, int reject);
+
 /* the maximum length of the buffer given to callbacks containing the resulting
  * identity/psk */
 #define PSK_MAX_IDENTITY_LEN 128
@@ -1259,17 +1360,12 @@ struct ssl_st {
   /* for server side, keep the list of CA_dn we can use */
   STACK_OF(X509_NAME) *client_CA;
 
-  int references;
-  unsigned long options; /* protocol behaviour */
-  unsigned long mode;    /* API behaviour */
-  long max_cert_list;
+  uint32_t options; /* protocol behaviour */
+  uint32_t mode;    /* API behaviour */
+  uint32_t max_cert_list;
   int client_version; /* what was passed, used for
                        * SSLv3/TLS rollback check */
-  unsigned int max_send_fragment;
-  /* TLS extension debug callback */
-  void (*tlsext_debug_cb)(SSL *s, int client_server, int type, uint8_t *data,
-                          int len, void *arg);
-  void *tlsext_debug_arg;
+  uint16_t max_send_fragment;
   char *tlsext_hostname;
   /* should_ack_sni is true if the SNI extension should be acked. This is
    * only used by a server. */
@@ -1328,6 +1424,10 @@ struct ssl_st {
    * data rate) state in 3G networks. */
   char fastradio_padding;
 
+  /* reject_peer_renegotiations, if one, causes causes renegotiation attempts
+   * from the peer to be rejected with a fatal error. */
+  char reject_peer_renegotiations;
+
   /* These fields are always NULL and exist only to keep wpa_supplicant happy
    * about the change to EVP_AEAD. They are only needed for EAP-FAST, which we
    * don't support. */
@@ -1335,21 +1435,6 @@ struct ssl_st {
   EVP_MD_CTX *read_hash;
 };
 
-#ifdef __cplusplus
-}
-#endif
-
-#include <openssl/ssl2.h>
-#include <openssl/ssl3.h>
-#include <openssl/tls1.h> /* This is mostly sslv3 with a few tweaks */
-#include <openssl/dtls1.h> /* Datagram TLS */
-#include <openssl/ssl23.h>
-#include <openssl/srtp.h>  /* Support for the use_srtp extension */
-
-#ifdef  __cplusplus
-extern "C" {
-#endif
-
 /* compatibility */
 #define SSL_set_app_data(s, arg) (SSL_set_ex_data(s, 0, (char *)arg))
 #define SSL_get_app_data(s) (SSL_get_ex_data(s, 0))
@@ -1391,12 +1476,15 @@ extern "C" {
 /* Is the SSL_connection established? */
 #define SSL_get_state(a) SSL_state(a)
 #define SSL_is_init_finished(a) (SSL_state(a) == SSL_ST_OK)
-#define SSL_in_init(a) \
-  ((SSL_state(a) & SSL_ST_INIT) && !SSL_cutthrough_complete(a))
+#define SSL_in_init(a) (SSL_state(a) & SSL_ST_INIT)
 #define SSL_in_before(a) (SSL_state(a) & SSL_ST_BEFORE)
 #define SSL_in_connect_init(a) (SSL_state(a) & SSL_ST_CONNECT)
 #define SSL_in_accept_init(a) (SSL_state(a) & SSL_ST_ACCEPT)
-OPENSSL_EXPORT int SSL_cutthrough_complete(const SSL *s);
+
+/* SSL_in_false_start returns one if |s| has a pending unfinished handshake that
+ * is in False Start. |SSL_write| may be called at this point without waiting
+ * for the peer, but |SSL_read| will require the handshake to be completed. */
+OPENSSL_EXPORT int SSL_in_false_start(const SSL *s);
 
 /* The following 2 states are kept in ssl->rstate when reads fail,
  * you should not need these */
@@ -1493,84 +1581,17 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 #define SSL_ERROR_PENDING_SESSION 11
 #define SSL_ERROR_PENDING_CERTIFICATE 12
 
-#define SSL_CTRL_NEED_TMP_RSA 1
-#define SSL_CTRL_SET_TMP_RSA 2
-#define SSL_CTRL_SET_TMP_DH 3
-#define SSL_CTRL_SET_TMP_ECDH 4
-#define SSL_CTRL_SET_TMP_RSA_CB 5
-#define SSL_CTRL_SET_TMP_DH_CB 6
-#define SSL_CTRL_SET_TMP_ECDH_CB 7
-
-#define SSL_CTRL_GET_SESSION_REUSED 8
-#define SSL_CTRL_GET_CLIENT_CERT_REQUEST 9
-#define SSL_CTRL_GET_NUM_RENEGOTIATIONS 10
-#define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS 11
-#define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS 12
-#define SSL_CTRL_GET_FLAGS 13
 #define SSL_CTRL_EXTRA_CHAIN_CERT 14
 
-#define SSL_CTRL_SET_MSG_CALLBACK 15
-#define SSL_CTRL_SET_MSG_CALLBACK_ARG 16
-
-/* only applies to datagram connections */
-#define SSL_CTRL_SET_MTU 17
-/* Stats */
-#define SSL_CTRL_SESS_NUMBER 20
-#define SSL_CTRL_SESS_CONNECT 21
-#define SSL_CTRL_SESS_CONNECT_GOOD 22
-#define SSL_CTRL_SESS_CONNECT_RENEGOTIATE 23
-#define SSL_CTRL_SESS_ACCEPT 24
-#define SSL_CTRL_SESS_ACCEPT_GOOD 25
-#define SSL_CTRL_SESS_ACCEPT_RENEGOTIATE 26
-#define SSL_CTRL_SESS_HIT 27
-#define SSL_CTRL_SESS_CB_HIT 28
-#define SSL_CTRL_SESS_MISSES 29
-#define SSL_CTRL_SESS_TIMEOUTS 30
-#define SSL_CTRL_SESS_CACHE_FULL 31
-#define SSL_CTRL_OPTIONS 32
-#define SSL_CTRL_MODE 33
-
-#define SSL_CTRL_GET_READ_AHEAD 40
-#define SSL_CTRL_SET_READ_AHEAD 41
-#define SSL_CTRL_SET_SESS_CACHE_SIZE 42
-#define SSL_CTRL_GET_SESS_CACHE_SIZE 43
-#define SSL_CTRL_SET_SESS_CACHE_MODE 44
-#define SSL_CTRL_GET_SESS_CACHE_MODE 45
-
-#define SSL_CTRL_GET_MAX_CERT_LIST 50
-#define SSL_CTRL_SET_MAX_CERT_LIST 51
-
-#define SSL_CTRL_SET_MAX_SEND_FRAGMENT 52
-
 /* see tls1.h for macros based on these */
-#define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB 53
-#define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG 54
-#define SSL_CTRL_SET_TLSEXT_HOSTNAME 55
-#define SSL_CTRL_SET_TLSEXT_DEBUG_CB 56
-#define SSL_CTRL_SET_TLSEXT_DEBUG_ARG 57
 #define SSL_CTRL_GET_TLSEXT_TICKET_KEYS 58
 #define SSL_CTRL_SET_TLSEXT_TICKET_KEYS 59
-#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB 63
-#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG 64
-
-#define SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB 72
-
-#define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB 75
-#define SSL_CTRL_SET_SRP_VERIFY_PARAM_CB 76
-#define SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB 77
 
 #define SSL_CTRL_SET_SRP_ARG 78
 #define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME 79
 #define SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH 80
 #define SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD 81
 
-#define DTLS_CTRL_GET_TIMEOUT 73
-#define DTLS_CTRL_HANDLE_TIMEOUT 74
-
-#define SSL_CTRL_GET_RI_SUPPORT 76
-#define SSL_CTRL_CLEAR_OPTIONS 77
-#define SSL_CTRL_CLEAR_MODE 78
-
 #define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82
 #define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83
 
@@ -1580,11 +1601,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 #define SSL_CTRL_GET_CURVES 90
 #define SSL_CTRL_SET_CURVES 91
 #define SSL_CTRL_SET_CURVES_LIST 92
-#define SSL_CTRL_SET_ECDH_AUTO 94
 #define SSL_CTRL_SET_SIGALGS 97
 #define SSL_CTRL_SET_SIGALGS_LIST 98
-#define SSL_CTRL_CERT_FLAGS 99
-#define SSL_CTRL_CLEAR_CERT_FLAGS 100
 #define SSL_CTRL_SET_CLIENT_SIGALGS 101
 #define SSL_CTRL_SET_CLIENT_SIGALGS_LIST 102
 #define SSL_CTRL_GET_CLIENT_CERT_TYPES 103
@@ -1593,70 +1611,97 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 #define SSL_CTRL_SET_VERIFY_CERT_STORE 106
 #define SSL_CTRL_SET_CHAIN_CERT_STORE 107
 #define SSL_CTRL_GET_SERVER_TMP_KEY 109
-#define SSL_CTRL_GET_RAW_CIPHERLIST 110
 #define SSL_CTRL_GET_EC_POINT_FORMATS 111
 
 #define SSL_CTRL_GET_CHAIN_CERTS 115
 #define SSL_CTRL_SELECT_CURRENT_CERT 116
 
-#define SSL_CTRL_CHANNEL_ID 117
-#define SSL_CTRL_GET_CHANNEL_ID 118
-#define SSL_CTRL_SET_CHANNEL_ID 119
-
 /* DTLSv1_get_timeout queries the next DTLS handshake timeout. If there is a
- * timeout in progress, it sets |*((OPENSSL_timeval*)arg)| to the time remaining
- * and returns one. Otherwise, it returns zero. */
-#define DTLSv1_get_timeout(ssl, arg) \
-  SSL_ctrl(ssl, DTLS_CTRL_GET_TIMEOUT, 0, (void *)arg)
-#define DTLSv1_handle_timeout(ssl) \
-  SSL_ctrl(ssl, DTLS_CTRL_HANDLE_TIMEOUT, 0, NULL)
-
-#define SSL_session_reused(ssl) \
-  SSL_ctrl((ssl), SSL_CTRL_GET_SESSION_REUSED, 0, NULL)
-#define SSL_num_renegotiations(ssl) \
-  SSL_ctrl((ssl), SSL_CTRL_GET_NUM_RENEGOTIATIONS, 0, NULL)
-#define SSL_clear_num_renegotiations(ssl) \
-  SSL_ctrl((ssl), SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS, 0, NULL)
-#define SSL_total_renegotiations(ssl) \
-  SSL_ctrl((ssl), SSL_CTRL_GET_TOTAL_RENEGOTIATIONS, 0, NULL)
-
-#define SSL_CTX_need_tmp_RSA(ctx) \
-  SSL_CTX_ctrl(ctx, SSL_CTRL_NEED_TMP_RSA, 0, NULL)
-#define SSL_CTX_set_tmp_rsa(ctx, rsa) \
-  SSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_RSA, 0, (char *)rsa)
-#define SSL_CTX_set_tmp_dh(ctx, dh) \
-  SSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_DH, 0, (char *)dh)
-#define SSL_CTX_set_tmp_ecdh(ctx, ecdh) \
-  SSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_ECDH, 0, (char *)ecdh)
-
-#define SSL_need_tmp_RSA(ssl) SSL_ctrl(ssl, SSL_CTRL_NEED_TMP_RSA, 0, NULL)
-#define SSL_set_tmp_rsa(ssl, rsa) \
-  SSL_ctrl(ssl, SSL_CTRL_SET_TMP_RSA, 0, (char *)rsa)
-#define SSL_set_tmp_dh(ssl, dh) \
-  SSL_ctrl(ssl, SSL_CTRL_SET_TMP_DH, 0, (char *)dh)
-#define SSL_set_tmp_ecdh(ssl, ecdh) \
-  SSL_ctrl(ssl, SSL_CTRL_SET_TMP_ECDH, 0, (char *)ecdh)
+ * timeout in progress, it sets |*out| to the time remaining and returns one.
+ * Otherwise, it returns zero.
+ *
+ * When the timeout expires, call |DTLSv1_handle_timeout| to handle the
+ * retransmit behavior.
+ *
+ * NOTE: This function must be queried again whenever the handshake state
+ * machine changes, including when |DTLSv1_handle_timeout| is called. */
+OPENSSL_EXPORT int DTLSv1_get_timeout(const SSL *ssl, struct timeval *out);
+
+/* DTLSv1_handle_timeout is called when a DTLS handshake timeout expires. If no
+ * timeout had expired, it returns 0. Otherwise, it retransmits the previous
+ * flight of handshake messages and returns 1. If too many timeouts had expired
+ * without progress or an error occurs, it returns -1.
+ *
+ * NOTE: The caller's external timer should be compatible with the one |ssl|
+ * queries within some fudge factor. Otherwise, the call will be a no-op, but
+ * |DTLSv1_get_timeout| will return an updated timeout.
+ *
+ * WARNING: This function breaks the usual return value convention. */
+OPENSSL_EXPORT int DTLSv1_handle_timeout(SSL *ssl);
+
+/* SSL_session_reused returns one if |ssl| performed an abbreviated handshake
+ * and zero otherwise.
+ *
+ * TODO(davidben): Hammer down the semantics of this API while a handshake,
+ * initial or renego, is in progress. */
+OPENSSL_EXPORT int SSL_session_reused(const SSL *ssl);
+
+/* SSL_total_renegotiations returns the total number of renegotiation handshakes
+ * peformed by |ssl|. This includes the pending renegotiation, if any. */
+OPENSSL_EXPORT int SSL_total_renegotiations(const SSL *ssl);
+
+/* SSL_CTX_set_tmp_dh configures |ctx| to use the group from |dh| as the group
+ * for DHE. Only the group is used, so |dh| needn't have a keypair. It returns
+ * one on success and zero on error. */
+OPENSSL_EXPORT int SSL_CTX_set_tmp_dh(SSL_CTX *ctx, const DH *dh);
+
+/* SSL_set_tmp_dh configures |ssl| to use the group from |dh| as the group for
+ * DHE. Only the group is used, so |dh| needn't have a keypair. It returns one
+ * on success and zero on error. */
+OPENSSL_EXPORT int SSL_set_tmp_dh(SSL *ssl, const DH *dh);
+
+/* SSL_CTX_set_tmp_ecdh configures |ctx| to use the curve from |ecdh| as the
+ * curve for ephemeral ECDH keys. For historical reasons, this API expects an
+ * |EC_KEY|, but only the curve is used. It returns one on success and zero on
+ * error. If unset, an appropriate curve will be chosen automatically. (This is
+ * recommended.) */
+OPENSSL_EXPORT int SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, const EC_KEY *ec_key);
+
+/* SSL_set_tmp_ecdh configures |ssl| to use the curve from |ecdh| as the curve
+ * for ephemeral ECDH keys. For historical reasons, this API expects an
+ * |EC_KEY|, but only the curve is used. It returns one on success and zero on
+ * error. If unset, an appropriate curve will be chosen automatically. (This is
+ * recommended.) */
+OPENSSL_EXPORT int SSL_set_tmp_ecdh(SSL *ssl, const EC_KEY *ec_key);
+
+/* SSL_CTX_enable_tls_channel_id either configures a TLS server to accept TLS
+ * client IDs from clients, or configures a client to send TLS client IDs to
+ * a server. It returns one. */
+OPENSSL_EXPORT int SSL_CTX_enable_tls_channel_id(SSL_CTX *ctx);
 
 /* SSL_enable_tls_channel_id either configures a TLS server to accept TLS
  * client IDs from clients, or configure a client to send TLS client IDs to
- * server. Returns 1 on success. */
-#define SSL_enable_tls_channel_id(s) SSL_ctrl(s, SSL_CTRL_CHANNEL_ID, 0, NULL)
+ * server. It returns one. */
+OPENSSL_EXPORT int SSL_enable_tls_channel_id(SSL *ssl);
+
+/* SSL_CTX_set1_tls_channel_id configures a TLS client to send a TLS Channel ID
+ * to compatible servers. |private_key| must be a P-256 EC key. It returns one
+ * on success and zero on error. */
+OPENSSL_EXPORT int SSL_CTX_set1_tls_channel_id(SSL_CTX *ctx,
+                                               EVP_PKEY *private_key);
 
 /* SSL_set1_tls_channel_id configures a TLS client to send a TLS Channel ID to
- * compatible servers. private_key must be a P-256 EVP_PKEY*. Returns 1 on
- * success. */
-#define SSL_set1_tls_channel_id(s, private_key) \
-  SSL_ctrl(s, SSL_CTRL_SET_CHANNEL_ID, 0, (void *)private_key)
-#define SSL_CTX_set1_tls_channel_id(ctx, private_key) \
-  SSL_CTX_ctrl(ctx, SSL_CTRL_SET_CHANNEL_ID, 0, (void *)private_key)
+ * compatible servers. |private_key| must be a P-256 EC key. It returns one on
+ * success and zero on error. */
+OPENSSL_EXPORT int SSL_set1_tls_channel_id(SSL *ssl, EVP_PKEY *private_key);
 
 /* SSL_get_tls_channel_id gets the client's TLS Channel ID from a server SSL*
- * and copies up to the first |channel_id_len| bytes into |channel_id|. The
- * Channel ID consists of the client's P-256 public key as an (x,y) pair where
- * each is a 32-byte, big-endian field element. Returns 0 if the client didn't
- * offer a Channel ID and the length of the complete Channel ID otherwise. */
-#define SSL_get_tls_channel_id(ctx, channel_id, channel_id_len) \
-  SSL_ctrl(ctx, SSL_CTRL_GET_CHANNEL_ID, channel_id_len, (void *)channel_id)
+ * and copies up to the first |max_out| bytes into |out|. The Channel ID
+ * consists of the client's P-256 public key as an (x,y) pair where each is a
+ * 32-byte, big-endian field element. It returns 0 if the client didn't offer a
+ * Channel ID and the length of the complete Channel ID otherwise. */
+OPENSSL_EXPORT size_t SSL_get_tls_channel_id(SSL *ssl, uint8_t *out,
+                                             size_t max_out);
 
 #define SSL_CTX_add_extra_chain_cert(ctx, x509) \
   SSL_CTX_ctrl(ctx, SSL_CTRL_EXTRA_CHAIN_CERT, 0, (char *)x509)
@@ -1724,10 +1769,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
   SSL_ctrl(ctx, SSL_CTRL_SET_CURVES, clistlen, (char *)clist)
 #define SSL_set1_curves_list(ctx, s) \
   SSL_ctrl(ctx, SSL_CTRL_SET_CURVES_LIST, 0, (char *)s)
-#define SSL_CTX_set_ecdh_auto(ctx, onoff) \
-  SSL_CTX_ctrl(ctx, SSL_CTRL_SET_ECDH_AUTO, onoff, NULL)
-#define SSL_set_ecdh_auto(s, onoff) \
-  SSL_ctrl(s, SSL_CTRL_SET_ECDH_AUTO, onoff, NULL)
 
 #define SSL_CTX_set1_sigalgs(ctx, slist, slistlen) \
   SSL_CTX_ctrl(ctx, SSL_CTRL_SET_SIGALGS, slistlen, (int *)slist)
@@ -1758,9 +1799,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 #define SSL_get_server_tmp_key(s, pk) \
   SSL_ctrl(s, SSL_CTRL_GET_SERVER_TMP_KEY, 0, pk)
 
-#define SSL_get0_raw_cipherlist(s, plst) \
-  SSL_ctrl(s, SSL_CTRL_GET_RAW_CIPHERLIST, 0, (char *)plst)
-
 #define SSL_get0_ec_point_formats(s, plst) \
   SSL_ctrl(s, SSL_CTRL_GET_EC_POINT_FORMATS, 0, (char *)plst)
 
@@ -1778,13 +1816,6 @@ OPENSSL_EXPORT int SSL_clear(SSL *s);
 OPENSSL_EXPORT void SSL_CTX_flush_sessions(SSL_CTX *ctx, long tm);
 
 OPENSSL_EXPORT const SSL_CIPHER *SSL_get_current_cipher(const SSL *s);
-OPENSSL_EXPORT int SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits);
-OPENSSL_EXPORT const char *SSL_CIPHER_get_version(const SSL_CIPHER *c);
-OPENSSL_EXPORT const char *SSL_CIPHER_get_name(const SSL_CIPHER *c);
-/* SSL_CIPHER_get_kx_name returns a string that describes the key-exchange
- * method used by |c|. For example, "ECDHE-ECDSA". */
-OPENSSL_EXPORT const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher);
-OPENSSL_EXPORT unsigned long SSL_CIPHER_get_id(const SSL_CIPHER *c);
 
 OPENSSL_EXPORT int SSL_get_fd(const SSL *s);
 OPENSSL_EXPORT int SSL_get_rfd(const SSL *s);
@@ -1862,7 +1893,15 @@ OPENSSL_EXPORT const uint8_t *SSL_SESSION_get_id(const SSL_SESSION *s,
                                                  unsigned int *len);
 OPENSSL_EXPORT int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *ses);
 OPENSSL_EXPORT int SSL_SESSION_print(BIO *fp, const SSL_SESSION *ses);
-OPENSSL_EXPORT void SSL_SESSION_free(SSL_SESSION *ses);
+
+/* SSL_SESSION_up_ref, if |session| is not NULL, increments the reference count
+ * of |session|. It then returns |session|. */
+OPENSSL_EXPORT SSL_SESSION *SSL_SESSION_up_ref(SSL_SESSION *session);
+
+/* SSL_SESSION_free decrements the reference count of |session|. If it reaches
+ * zero, all data referenced by |session| and |session| itself are released. */
+OPENSSL_EXPORT void SSL_SESSION_free(SSL_SESSION *session);
+
 OPENSSL_EXPORT int SSL_set_session(SSL *to, SSL_SESSION *session);
 OPENSSL_EXPORT int SSL_CTX_add_session(SSL_CTX *s, SSL_SESSION *c);
 OPENSSL_EXPORT int SSL_CTX_remove_session(SSL_CTX *, SSL_SESSION *c);
@@ -1968,9 +2007,7 @@ OPENSSL_EXPORT int SSL_read(SSL *ssl, void *buf, int num);
 OPENSSL_EXPORT int SSL_peek(SSL *ssl, void *buf, int num);
 OPENSSL_EXPORT int SSL_write(SSL *ssl, const void *buf, int num);
 OPENSSL_EXPORT long SSL_ctrl(SSL *ssl, int cmd, long larg, void *parg);
-OPENSSL_EXPORT long SSL_callback_ctrl(SSL *, int, void (*)(void));
 OPENSSL_EXPORT long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg);
-OPENSSL_EXPORT long SSL_CTX_callback_ctrl(SSL_CTX *, int, void (*)(void));
 
 OPENSSL_EXPORT int SSL_get_error(const SSL *s, int ret_code);
 /* SSL_get_version returns a string describing the TLS version used by |s|. For
@@ -1980,58 +2017,16 @@ OPENSSL_EXPORT const char *SSL_get_version(const SSL *s);
  * |sess|. For example, "TLSv1.2" or "SSLv3". */
 OPENSSL_EXPORT const char *SSL_SESSION_get_version(const SSL_SESSION *sess);
 
-OPENSSL_EXPORT int SSL_CIPHER_is_AES(const SSL_CIPHER *c);
-OPENSSL_EXPORT int SSL_CIPHER_has_MD5_HMAC(const SSL_CIPHER *c);
-OPENSSL_EXPORT int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *c);
-OPENSSL_EXPORT int SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER *c);
-
 /* TLS_method is the SSL_METHOD used for TLS (and SSLv3) connections. */
 OPENSSL_EXPORT const SSL_METHOD *TLS_method(void);
 
 /* DTLS_method is the SSL_METHOD used for DTLS connections. */
 OPENSSL_EXPORT const SSL_METHOD *DTLS_method(void);
 
-
-/* Deprecated methods. */
-
-/* SSLv23_method calls TLS_method. */
-OPENSSL_EXPORT const SSL_METHOD *SSLv23_method(void);
-
-/* Version-specific methods behave exactly like TLS_method and DTLS_method
- * except they also call SSL_CTX_set_min_version and SSL_CTX_set_max_version to
- * lock connections to that protocol version. */
-OPENSSL_EXPORT const SSL_METHOD *SSLv3_method(void);
-OPENSSL_EXPORT const SSL_METHOD *TLSv1_method(void);
-OPENSSL_EXPORT const SSL_METHOD *TLSv1_1_method(void);
-OPENSSL_EXPORT const SSL_METHOD *TLSv1_2_method(void);
-OPENSSL_EXPORT const SSL_METHOD *DTLSv1_method(void);
-OPENSSL_EXPORT const SSL_METHOD *DTLSv1_2_method(void);
-
-/* Client- and server-specific methods call their corresponding generic
- * methods. */
-OPENSSL_EXPORT const SSL_METHOD *SSLv23_server_method(void);
-OPENSSL_EXPORT const SSL_METHOD *SSLv23_client_method(void);
-OPENSSL_EXPORT const SSL_METHOD *SSLv3_server_method(void);
-OPENSSL_EXPORT const SSL_METHOD *SSLv3_client_method(void);
-OPENSSL_EXPORT const SSL_METHOD *TLSv1_server_method(void);
-OPENSSL_EXPORT const SSL_METHOD *TLSv1_client_method(void);
-OPENSSL_EXPORT const SSL_METHOD *TLSv1_1_server_method(void);
-OPENSSL_EXPORT const SSL_METHOD *TLSv1_1_client_method(void);
-OPENSSL_EXPORT const SSL_METHOD *TLSv1_2_server_method(void);
-OPENSSL_EXPORT const SSL_METHOD *TLSv1_2_client_method(void);
-OPENSSL_EXPORT const SSL_METHOD *DTLS_server_method(void);
-OPENSSL_EXPORT const SSL_METHOD *DTLS_client_method(void);
-OPENSSL_EXPORT const SSL_METHOD *DTLSv1_server_method(void);
-OPENSSL_EXPORT const SSL_METHOD *DTLSv1_client_method(void);
-OPENSSL_EXPORT const SSL_METHOD *DTLSv1_2_server_method(void);
-OPENSSL_EXPORT const SSL_METHOD *DTLSv1_2_client_method(void);
-
-
 OPENSSL_EXPORT STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s);
 
 OPENSSL_EXPORT int SSL_do_handshake(SSL *s);
 OPENSSL_EXPORT int SSL_renegotiate(SSL *s);
-OPENSSL_EXPORT int SSL_renegotiate_abbreviated(SSL *s);
 OPENSSL_EXPORT int SSL_renegotiate_pending(SSL *s);
 OPENSSL_EXPORT int SSL_shutdown(SSL *s);
 
@@ -2055,12 +2050,6 @@ OPENSSL_EXPORT void SSL_set_accept_state(SSL *s);
 
 OPENSSL_EXPORT long SSL_get_default_timeout(const SSL *s);
 
-/* SSL_library_init initializes the crypto and SSL libraries, loads their error
- * strings, and returns one. */
-OPENSSL_EXPORT int SSL_library_init(void);
-
-OPENSSL_EXPORT const char *SSL_CIPHER_description(const SSL_CIPHER *, char *buf,
-                                                  int size);
 OPENSSL_EXPORT STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk);
 
 OPENSSL_EXPORT X509 *SSL_get_certificate(const SSL *ssl);
@@ -2122,61 +2111,132 @@ OPENSSL_EXPORT int SSL_CTX_get_ex_new_index(long argl, void *argp,
 
 OPENSSL_EXPORT int SSL_get_ex_data_X509_STORE_CTX_idx(void);
 
-#define SSL_CTX_sess_set_cache_size(ctx, t) \
-  SSL_CTX_ctrl(ctx, SSL_CTRL_SET_SESS_CACHE_SIZE, t, NULL)
-#define SSL_CTX_sess_get_cache_size(ctx) \
-  SSL_CTX_ctrl(ctx, SSL_CTRL_GET_SESS_CACHE_SIZE, 0, NULL)
-#define SSL_CTX_set_session_cache_mode(ctx, m) \
-  SSL_CTX_ctrl(ctx, SSL_CTRL_SET_SESS_CACHE_MODE, m, NULL)
-#define SSL_CTX_get_session_cache_mode(ctx) \
-  SSL_CTX_ctrl(ctx, SSL_CTRL_GET_SESS_CACHE_MODE, 0, NULL)
-
-#define SSL_CTX_get_default_read_ahead(ctx) SSL_CTX_get_read_ahead(ctx)
-#define SSL_CTX_set_default_read_ahead(ctx, m) SSL_CTX_set_read_ahead(ctx, m)
-#define SSL_CTX_get_read_ahead(ctx) \
-  SSL_CTX_ctrl(ctx, SSL_CTRL_GET_READ_AHEAD, 0, NULL)
-#define SSL_CTX_set_read_ahead(ctx, m) \
-  SSL_CTX_ctrl(ctx, SSL_CTRL_SET_READ_AHEAD, m, NULL)
-#define SSL_CTX_get_max_cert_list(ctx) \
-  SSL_CTX_ctrl(ctx, SSL_CTRL_GET_MAX_CERT_LIST, 0, NULL)
-#define SSL_CTX_set_max_cert_list(ctx, m) \
-  SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_CERT_LIST, m, NULL)
-#define SSL_get_max_cert_list(ssl) \
-  SSL_ctrl(ssl, SSL_CTRL_GET_MAX_CERT_LIST, 0, NULL)
-#define SSL_set_max_cert_list(ssl, m) \
-  SSL_ctrl(ssl, SSL_CTRL_SET_MAX_CERT_LIST, m, NULL)
-
-#define SSL_CTX_set_max_send_fragment(ctx, m) \
-  SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_SEND_FRAGMENT, m, NULL)
-#define SSL_set_max_send_fragment(ssl, m) \
-  SSL_ctrl(ssl, SSL_CTRL_SET_MAX_SEND_FRAGMENT, m, NULL)
-
-/* NB: the keylength is only applicable when is_export is true */
-OPENSSL_EXPORT void SSL_CTX_set_tmp_rsa_callback(
-    SSL_CTX *ctx, RSA *(*cb)(SSL *ssl, int is_export, int keylength));
+/* SSL_CTX_sess_set_cache_size sets the maximum size of |ctx|'s session cache to
+ * |size|. It returns the previous value. */
+OPENSSL_EXPORT unsigned long SSL_CTX_sess_set_cache_size(SSL_CTX *ctx,
+                                                         unsigned long size);
 
-OPENSSL_EXPORT void SSL_set_tmp_rsa_callback(SSL *ssl,
-                                             RSA *(*cb)(SSL *ssl, int is_export,
-                                                        int keylength));
+/* SSL_CTX_sess_set_cache_size returns the maximum size of |ctx|'s session
+ * cache. */
+OPENSSL_EXPORT unsigned long SSL_CTX_sess_get_cache_size(const SSL_CTX *ctx);
+
+/* SSL_SESS_CACHE_* are the possible session cache mode bits.
+ * TODO(davidben): Document. */
+#define SSL_SESS_CACHE_OFF 0x0000
+#define SSL_SESS_CACHE_CLIENT 0x0001
+#define SSL_SESS_CACHE_SERVER 0x0002
+#define SSL_SESS_CACHE_BOTH (SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_SERVER)
+#define SSL_SESS_CACHE_NO_AUTO_CLEAR 0x0080
+#define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 0x0100
+#define SSL_SESS_CACHE_NO_INTERNAL_STORE 0x0200
+#define SSL_SESS_CACHE_NO_INTERNAL \
+  (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP | SSL_SESS_CACHE_NO_INTERNAL_STORE)
+
+/* SSL_CTX_set_session_cache_mode sets the session cache mode bits for |ctx| to
+ * |mode|. It returns the previous value. */
+OPENSSL_EXPORT int SSL_CTX_set_session_cache_mode(SSL_CTX *ctx, int mode);
+
+/* SSL_CTX_get_session_cache_mode returns the session cache mode bits for
+ * |ctx| */
+OPENSSL_EXPORT int SSL_CTX_get_session_cache_mode(const SSL_CTX *ctx);
+
+/* TODO(davidben): Deprecate read_ahead functions after https://crbug.com/447431
+ * is resolved. */
+OPENSSL_EXPORT int SSL_CTX_get_read_ahead(const SSL_CTX *ctx);
+OPENSSL_EXPORT void SSL_CTX_set_read_ahead(SSL_CTX *ctx, int yes);
+
+/* SSL_CTX_get_max_cert_list returns the maximum length, in bytes, of a peer
+ * certificate chain accepted by |ctx|. */
+OPENSSL_EXPORT size_t SSL_CTX_get_max_cert_list(const SSL_CTX *ctx);
+
+/* SSL_CTX_set_max_cert_list sets the maximum length, in bytes, of a peer
+ * certificate chain to |max_cert_list|. This affects how much memory may be
+ * consumed during the handshake. */
+OPENSSL_EXPORT void SSL_CTX_set_max_cert_list(SSL_CTX *ctx,
+                                              size_t max_cert_list);
+
+/* SSL_get_max_cert_list returns the maximum length, in bytes, of a peer
+ * certificate chain accepted by |ssl|. */
+OPENSSL_EXPORT size_t SSL_get_max_cert_list(const SSL *ssl);
+
+/* SSL_set_max_cert_list sets the maximum length, in bytes, of a peer
+ * certificate chain to |max_cert_list|. This affects how much memory may be
+ * consumed during the handshake. */
+OPENSSL_EXPORT void SSL_set_max_cert_list(SSL *ssl, size_t max_cert_list);
+
+/* SSL_CTX_set_max_send_fragment sets the maximum length, in bytes, of records
+ * sent by |ctx|. Beyond this length, handshake messages and application data
+ * will be split into multiple records. */
+OPENSSL_EXPORT void SSL_CTX_set_max_send_fragment(SSL_CTX *ctx,
+                                                  size_t max_send_fragment);
+
+/* SSL_set_max_send_fragment sets the maximum length, in bytes, of records
+ * sent by |ssl|. Beyond this length, handshake messages and application data
+ * will be split into multiple records. */
+OPENSSL_EXPORT void SSL_set_max_send_fragment(SSL *ssl,
+                                              size_t max_send_fragment);
+
+/* SSL_CTX_set_tmp_dh_callback configures |ctx| to use |callback| to determine
+ * the group for DHE ciphers. |callback| should ignore |is_export| and
+ * |keylength| and return a |DH| of the selected group or NULL on error. Only
+ * the parameters are used, so the |DH| needn't have a generated keypair.
+ *
+ * WARNING: The caller does not take ownership of the resulting |DH|, so
+ * |callback| must save and release the object elsewhere. */
 OPENSSL_EXPORT void SSL_CTX_set_tmp_dh_callback(
-    SSL_CTX *ctx, DH *(*dh)(SSL *ssl, int is_export, int keylength));
+    SSL_CTX *ctx, DH *(*callback)(SSL *ssl, int is_export, int keylength));
+
+/* SSL_set_tmp_dh_callback configures |ssl| to use |callback| to determine the
+ * group for DHE ciphers. |callback| should ignore |is_export| and |keylength|
+ * and return a |DH| of the selected group or NULL on error. Only the
+ * parameters are used, so the |DH| needn't have a generated keypair.
+ *
+ * WARNING: The caller does not take ownership of the resulting |DH|, so
+ * |callback| must save and release the object elsewhere. */
 OPENSSL_EXPORT void SSL_set_tmp_dh_callback(SSL *ssl,
                                             DH *(*dh)(SSL *ssl, int is_export,
                                                       int keylength));
+
+/* SSL_CTX_set_tmp_ecdh_callback configures |ctx| to use |callback| to determine
+ * the curve for ephemeral ECDH keys. |callback| should ignore |is_export| and
+ * |keylength| and return an |EC_KEY| of the selected curve or NULL on
+ * error. Only the curve is used, so the |EC_KEY| needn't have a generated
+ * keypair.
+ *
+ * If the callback is unset, an appropriate curve will be chosen automatically.
+ * (This is recommended.)
+ *
+ * WARNING: The caller does not take ownership of the resulting |EC_KEY|, so
+ * |callback| must save and release the object elsewhere. */
 OPENSSL_EXPORT void SSL_CTX_set_tmp_ecdh_callback(
-    SSL_CTX *ctx, EC_KEY *(*ecdh)(SSL *ssl, int is_export, int keylength));
+    SSL_CTX *ctx, EC_KEY *(*callback)(SSL *ssl, int is_export, int keylength));
+
+/* SSL_set_tmp_ecdh_callback configures |ssl| to use |callback| to determine the
+ * curve for ephemeral ECDH keys. |callback| should ignore |is_export| and
+ * |keylength| and return an |EC_KEY| of the selected curve or NULL on
+ * error. Only the curve is used, so the |EC_KEY| needn't have a generated
+ * keypair.
+ *
+ * If the callback is unset, an appropriate curve will be chosen automatically.
+ * (This is recommended.)
+ *
+ * WARNING: The caller does not take ownership of the resulting |EC_KEY|, so
+ * |callback| must save and release the object elsewhere. */
 OPENSSL_EXPORT void SSL_set_tmp_ecdh_callback(
-    SSL *ssl, EC_KEY *(*ecdh)(SSL *ssl, int is_export, int keylength));
+    SSL *ssl, EC_KEY *(*callback)(SSL *ssl, int is_export, int keylength));
 
 OPENSSL_EXPORT const void *SSL_get_current_compression(SSL *s);
 OPENSSL_EXPORT const void *SSL_get_current_expansion(SSL *s);
-OPENSSL_EXPORT const char *SSL_COMP_get_name(const void *comp);
-OPENSSL_EXPORT void *SSL_COMP_get_compression_methods(void);
-OPENSSL_EXPORT int SSL_COMP_add_compression_method(int id, void *cm);
 
 OPENSSL_EXPORT int SSL_cache_hit(SSL *s);
 OPENSSL_EXPORT int SSL_is_server(SSL *s);
 
+/* SSL_CTX_set_dos_protection_cb sets a callback that is called once the
+ * resumption decision for a ClientHello has been made. It can return 1 to
+ * allow the handshake to continue or zero to cause the handshake to abort. */
+OPENSSL_EXPORT void SSL_CTX_set_dos_protection_cb(
+    SSL_CTX *ctx, int (*cb)(const struct ssl_early_callback_ctx *));
+
 /* SSL_get_structure_sizes returns the sizes of the SSL, SSL_CTX and
  * SSL_SESSION structures so that a test can ensure that outside code agrees on
  * these values. */
@@ -2186,6 +2246,130 @@ OPENSSL_EXPORT void SSL_get_structure_sizes(size_t *ssl_size,
 
 OPENSSL_EXPORT void ERR_load_SSL_strings(void);
 
+/* SSL_get_rc4_state sets |*read_key| and |*write_key| to the RC4 states for
+ * the read and write directions. It returns one on success or zero if |ssl|
+ * isn't using an RC4-based cipher suite. */
+OPENSSL_EXPORT int SSL_get_rc4_state(const SSL *ssl, const RC4_KEY **read_key,
+                                     const RC4_KEY **write_key);
+
+
+/* Deprecated functions. */
+
+/* SSL_CIPHER_description writes a description of |cipher| into |buf| and
+ * returns |buf|. If |buf| is NULL, it returns a newly allocated string, to be
+ * freed with |OPENSSL_free|, or NULL on error.
+ *
+ * The description includes a trailing newline and has the form:
+ * AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
+ *
+ * Consider |SSL_CIPHER_get_name| or |SSL_CIPHER_get_rfc_name| instead. */
+OPENSSL_EXPORT const char *SSL_CIPHER_description(const SSL_CIPHER *cipher,
+                                                  char *buf, int len);
+
+/* SSL_CIPHER_get_version returns the string "TLSv1/SSLv3". */
+OPENSSL_EXPORT const char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher);
+
+/* SSL_COMP_get_compression_methods returns NULL. */
+OPENSSL_EXPORT void *SSL_COMP_get_compression_methods(void);
+
+/* SSL_COMP_add_compression_method returns one. */
+OPENSSL_EXPORT int SSL_COMP_add_compression_method(int id, void *cm);
+
+/* SSL_COMP_get_name returns NULL. */
+OPENSSL_EXPORT const char *SSL_COMP_get_name(const void *comp);
+
+/* SSLv23_method calls |TLS_method|. */
+OPENSSL_EXPORT const SSL_METHOD *SSLv23_method(void);
+
+/* Version-specific methods behave exactly like |TLS_method| and |DTLS_method|
+ * except they also call |SSL_CTX_set_min_version| and |SSL_CTX_set_max_version|
+ * to lock connections to that protocol version. */
+OPENSSL_EXPORT const SSL_METHOD *SSLv3_method(void);
+OPENSSL_EXPORT const SSL_METHOD *TLSv1_method(void);
+OPENSSL_EXPORT const SSL_METHOD *TLSv1_1_method(void);
+OPENSSL_EXPORT const SSL_METHOD *TLSv1_2_method(void);
+OPENSSL_EXPORT const SSL_METHOD *DTLSv1_method(void);
+OPENSSL_EXPORT const SSL_METHOD *DTLSv1_2_method(void);
+
+/* Client- and server-specific methods call their corresponding generic
+ * methods. */
+OPENSSL_EXPORT const SSL_METHOD *SSLv23_server_method(void);
+OPENSSL_EXPORT const SSL_METHOD *SSLv23_client_method(void);
+OPENSSL_EXPORT const SSL_METHOD *SSLv3_server_method(void);
+OPENSSL_EXPORT const SSL_METHOD *SSLv3_client_method(void);
+OPENSSL_EXPORT const SSL_METHOD *TLSv1_server_method(void);
+OPENSSL_EXPORT const SSL_METHOD *TLSv1_client_method(void);
+OPENSSL_EXPORT const SSL_METHOD *TLSv1_1_server_method(void);
+OPENSSL_EXPORT const SSL_METHOD *TLSv1_1_client_method(void);
+OPENSSL_EXPORT const SSL_METHOD *TLSv1_2_server_method(void);
+OPENSSL_EXPORT const SSL_METHOD *TLSv1_2_client_method(void);
+OPENSSL_EXPORT const SSL_METHOD *DTLS_server_method(void);
+OPENSSL_EXPORT const SSL_METHOD *DTLS_client_method(void);
+OPENSSL_EXPORT const SSL_METHOD *DTLSv1_server_method(void);
+OPENSSL_EXPORT const SSL_METHOD *DTLSv1_client_method(void);
+OPENSSL_EXPORT const SSL_METHOD *DTLSv1_2_server_method(void);
+OPENSSL_EXPORT const SSL_METHOD *DTLSv1_2_client_method(void);
+
+/* SSL_CTX_set_tmp_rsa_callback does nothing. */
+OPENSSL_EXPORT void SSL_CTX_set_tmp_rsa_callback(
+    SSL_CTX *ctx, RSA *(*cb)(SSL *ssl, int is_export, int keylength));
+
+/* SSL_set_tmp_rsa_callback does nothing. */
+OPENSSL_EXPORT void SSL_set_tmp_rsa_callback(SSL *ssl,
+                                             RSA *(*cb)(SSL *ssl, int is_export,
+                                                        int keylength));
+
+/* SSL_CTX_sess_connect returns zero. */
+OPENSSL_EXPORT int SSL_CTX_sess_connect(const SSL_CTX *ctx);
+
+/* SSL_CTX_sess_connect_good returns zero. */
+OPENSSL_EXPORT int SSL_CTX_sess_connect_good(const SSL_CTX *ctx);
+
+/* SSL_CTX_sess_connect_renegotiate returns zero. */
+OPENSSL_EXPORT int SSL_CTX_sess_connect_renegotiate(const SSL_CTX *ctx);
+
+/* SSL_CTX_sess_accept returns zero. */
+OPENSSL_EXPORT int SSL_CTX_sess_accept(const SSL_CTX *ctx);
+
+/* SSL_CTX_sess_accept_renegotiate returns zero. */
+OPENSSL_EXPORT int SSL_CTX_sess_accept_renegotiate(const SSL_CTX *ctx);
+
+/* SSL_CTX_sess_accept_good returns zero. */
+OPENSSL_EXPORT int SSL_CTX_sess_accept_good(const SSL_CTX *ctx);
+
+/* SSL_CTX_sess_hits returns zero. */
+OPENSSL_EXPORT int SSL_CTX_sess_hits(const SSL_CTX *ctx);
+
+/* SSL_CTX_sess_cb_hits returns zero. */
+OPENSSL_EXPORT int SSL_CTX_sess_cb_hits(const SSL_CTX *ctx);
+
+/* SSL_CTX_sess_misses returns zero. */
+OPENSSL_EXPORT int SSL_CTX_sess_misses(const SSL_CTX *ctx);
+
+/* SSL_CTX_sess_timeouts returns zero. */
+OPENSSL_EXPORT int SSL_CTX_sess_timeouts(const SSL_CTX *ctx);
+
+/* SSL_CTX_sess_cache_full returns zero. */
+OPENSSL_EXPORT int SSL_CTX_sess_cache_full(const SSL_CTX *ctx);
+
+/* SSL_cutthrough_complete calls |SSL_in_false_start|. */
+OPENSSL_EXPORT int SSL_cutthrough_complete(const SSL *s);
+
+/* SSL_num_renegotiations calls |SSL_total_renegotiations|. */
+OPENSSL_EXPORT int SSL_num_renegotiations(const SSL *ssl);
+
+/* SSL_CTX_need_tmp_RSA returns zero. */
+OPENSSL_EXPORT int SSL_CTX_need_tmp_RSA(const SSL_CTX *ctx);
+
+/* SSL_need_tmp_RSA returns zero. */
+OPENSSL_EXPORT int SSL_need_tmp_RSA(const SSL *ssl);
+
+/* SSL_CTX_set_tmp_rsa returns one. */
+OPENSSL_EXPORT int SSL_CTX_set_tmp_rsa(SSL_CTX *ctx, const RSA *rsa);
+
+/* SSL_set_tmp_rsa returns one. */
+OPENSSL_EXPORT int SSL_set_tmp_rsa(SSL *ssl, const RSA *rsa);
+
 
 /* Android compatibility section.
  *
@@ -2201,530 +2385,483 @@ OPENSSL_EXPORT int SSL_set_session_secret_cb(SSL *s, void *cb, void *arg);
 OPENSSL_EXPORT int SSL_set_session_ticket_ext_cb(SSL *s, void *cb, void *arg);
 OPENSSL_EXPORT int SSL_set_ssl_method(SSL *s, const SSL_METHOD *method);
 
+#define OPENSSL_VERSION_TEXT "BoringSSL"
+
+#define SSLEAY_VERSION 0
+
+/* SSLeay_version is a compatibility function that returns the string
+ * "BoringSSL". */
+OPENSSL_EXPORT const char *SSLeay_version(int unused);
 
-#ifdef  __cplusplus
-}
+
+/* Preprocessor compatibility section.
+ *
+ * Historically, a number of APIs were implemented in OpenSSL as macros and
+ * constants to 'ctrl' functions. To avoid breaking #ifdefs in consumers, this
+ * section defines a number of legacy macros. */
+
+#define SSL_CTRL_NEED_TMP_RSA doesnt_exist
+#define SSL_CTRL_SET_TMP_RSA doesnt_exist
+#define SSL_CTRL_SET_TMP_DH doesnt_exist
+#define SSL_CTRL_SET_TMP_ECDH doesnt_exist
+#define SSL_CTRL_SET_TMP_RSA_CB doesnt_exist
+#define SSL_CTRL_SET_TMP_DH_CB doesnt_exist
+#define SSL_CTRL_SET_TMP_ECDH_CB doesnt_exist
+#define SSL_CTRL_GET_SESSION_REUSED doesnt_exist
+#define SSL_CTRL_GET_NUM_RENEGOTIATIONS doesnt_exist
+#define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS doesnt_exist
+#define SSL_CTRL_SET_MSG_CALLBACK doesnt_exist
+#define SSL_CTRL_SET_MSG_CALLBACK_ARG doesnt_exist
+#define SSL_CTRL_SET_MTU doesnt_exist
+#define SSL_CTRL_SESS_NUMBER doesnt_exist
+#define SSL_CTRL_OPTIONS doesnt_exist
+#define SSL_CTRL_MODE doesnt_exist
+#define SSL_CTRL_GET_READ_AHEAD doesnt_exist
+#define SSL_CTRL_SET_READ_AHEAD doesnt_exist
+#define SSL_CTRL_SET_SESS_CACHE_SIZE doesnt_exist
+#define SSL_CTRL_GET_SESS_CACHE_SIZE doesnt_exist
+#define SSL_CTRL_SET_SESS_CACHE_MODE doesnt_exist
+#define SSL_CTRL_GET_SESS_CACHE_MODE doesnt_exist
+#define SSL_CTRL_GET_MAX_CERT_LIST doesnt_exist
+#define SSL_CTRL_SET_MAX_CERT_LIST doesnt_exist
+#define SSL_CTRL_SET_MAX_SEND_FRAGMENT doesnt_exist
+#define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB doesnt_exist
+#define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG doesnt_exist
+#define SSL_CTRL_SET_TLSEXT_HOSTNAME doesnt_exist
+#define SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB doesnt_exist
+#define DTLS_CTRL_GET_TIMEOUT doesnt_exist
+#define DTLS_CTRL_HANDLE_TIMEOUT doesnt_exist
+#define SSL_CTRL_GET_RI_SUPPORT doesnt_exist
+#define SSL_CTRL_CLEAR_OPTIONS doesnt_exist
+#define SSL_CTRL_CLEAR_MODE doesnt_exist
+#define SSL_CTRL_CHANNEL_ID doesnt_exist
+#define SSL_CTRL_GET_CHANNEL_ID doesnt_exist
+#define SSL_CTRL_SET_CHANNEL_ID doesnt_exist
+
+#define SSL_CTX_need_tmp_RSA SSL_CTX_need_tmp_RSA
+#define SSL_need_tmp_RSA SSL_need_tmp_RSA
+#define SSL_CTX_set_tmp_rsa SSL_CTX_set_tmp_rsa
+#define SSL_set_tmp_rsa SSL_set_tmp_rsa
+#define SSL_CTX_set_tmp_dh SSL_CTX_set_tmp_dh
+#define SSL_set_tmp_dh SSL_set_tmp_dh
+#define SSL_CTX_set_tmp_ecdh SSL_CTX_set_tmp_ecdh
+#define SSL_set_tmp_ecdh SSL_set_tmp_ecdh
+#define SSL_session_reused SSL_session_reused
+#define SSL_num_renegotiations SSL_num_renegotiations
+#define SSL_total_renegotiations SSL_total_renegotiations
+#define SSL_CTX_set_msg_callback_arg SSL_CTX_set_msg_callback_arg
+#define SSL_set_msg_callback_arg SSL_set_msg_callback_arg
+#define SSL_set_mtu SSL_set_mtu
+#define SSL_CTX_sess_number SSL_CTX_sess_number
+#define SSL_CTX_get_options SSL_CTX_get_options
+#define SSL_CTX_set_options SSL_CTX_set_options
+#define SSL_get_options SSL_get_options
+#define SSL_set_options SSL_set_options
+#define SSL_CTX_get_mode SSL_CTX_get_mode
+#define SSL_CTX_set_mode SSL_CTX_set_mode
+#define SSL_get_mode SSL_get_mode
+#define SSL_set_mode SSL_set_mode
+#define SSL_CTX_get_read_ahead SSL_CTX_get_read_ahead
+#define SSL_CTX_set_read_ahead SSL_CTX_set_read_ahead
+#define SSL_CTX_sess_set_cache_size SSL_CTX_sess_set_cache_size
+#define SSL_CTX_sess_get_cache_size SSL_CTX_sess_get_cache_size
+#define SSL_CTX_set_session_cache_mode SSL_CTX_set_session_cache_mode
+#define SSL_CTX_get_session_cache_mode SSL_CTX_get_session_cache_mode
+#define SSL_CTX_get_max_cert_list SSL_CTX_get_max_cert_list
+#define SSL_get_max_cert_list SSL_get_max_cert_list
+#define SSL_CTX_set_max_cert_list SSL_CTX_set_max_cert_list
+#define SSL_set_max_cert_list SSL_set_max_cert_list
+#define SSL_CTX_set_max_send_fragment SSL_CTX_set_max_send_fragment
+#define SSL_set_max_send_fragment SSL_set_max_send_fragment
+#define SSL_CTX_set_tlsext_servername_callback \
+    SSL_CTX_set_tlsext_servername_callback
+#define SSL_CTX_set_tlsext_servername_arg SSL_CTX_set_tlsext_servername_arg
+#define SSL_set_tlsext_host_name SSL_set_tlsext_host_name
+#define SSL_CTX_set_tlsext_ticket_key_cb SSL_CTX_set_tlsext_ticket_key_cb
+#define DTLSv1_get_timeout DTLSv1_get_timeout
+#define DTLSv1_handle_timeout DTLSv1_handle_timeout
+#define SSL_get_secure_renegotiation_support \
+    SSL_get_secure_renegotiation_support
+#define SSL_CTX_clear_options SSL_CTX_clear_options
+#define SSL_clear_options SSL_clear_options
+#define SSL_CTX_clear_mode SSL_CTX_clear_mode
+#define SSL_clear_mode SSL_clear_mode
+#define SSL_CTX_enable_tls_channel_id SSL_CTX_enable_tls_channel_id
+#define SSL_enable_tls_channel_id SSL_enable_tls_channel_id
+#define SSL_set1_tls_channel_id SSL_set1_tls_channel_id
+#define SSL_CTX_set1_tls_channel_id SSL_CTX_set1_tls_channel_id
+#define SSL_get_tls_channel_id SSL_get_tls_channel_id
+
+
+#if defined(__cplusplus)
+} /* extern C */
 #endif
 
+
+/* Library consumers assume these headers are included by ssl.h, but they depend
+ * on ssl.h, so include them after all declarations.
+ *
+ * TODO(davidben): The separation between ssl.h and these version-specific
+ * headers introduces circular dependencies and is inconsistent. The function
+ * declarations should move to ssl.h. Many of the constants can probably be
+ * pruned or unexported. */
+#include <openssl/ssl2.h>
+#include <openssl/ssl3.h>
+#include <openssl/tls1.h> /* This is mostly sslv3 with a few tweaks */
+#include <openssl/ssl23.h>
+#include <openssl/srtp.h>  /* Support for the use_srtp extension */
+
+
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script make_errors.go. Any
  * changes made after this point may be overwritten when the script is next run.
  */
-#define SSL_F_SSL_use_PrivateKey_file 100
-#define SSL_F_dtls1_write_app_data_bytes 101
-#define SSL_F_ssl_cipher_process_rulestr 102
-#define SSL_F_SSL_set_session_id_context 103
-#define SSL_F_SSL_read 104
-#define SSL_F_ssl_cert_new 105
-#define SSL_F_dtls1_heartbeat 106
-#define SSL_F_ssl3_digest_cached_records 107
-#define SSL_F_SSL_set_wfd 108
-#define SSL_F_ssl_set_pkey 110
+#define SSL_F_SSL_CTX_check_private_key 100
+#define SSL_F_SSL_CTX_new 101
+#define SSL_F_SSL_CTX_set_cipher_list 102
+#define SSL_F_SSL_CTX_set_cipher_list_tls11 103
+#define SSL_F_SSL_CTX_set_session_id_context 104
+#define SSL_F_SSL_CTX_use_PrivateKey 105
+#define SSL_F_SSL_CTX_use_PrivateKey_ASN1 106
+#define SSL_F_SSL_CTX_use_PrivateKey_file 107
+#define SSL_F_SSL_CTX_use_RSAPrivateKey 108
+#define SSL_F_SSL_CTX_use_RSAPrivateKey_ASN1 109
+#define SSL_F_SSL_CTX_use_RSAPrivateKey_file 110
 #define SSL_F_SSL_CTX_use_certificate 111
-#define SSL_F_dtls1_read_bytes 112
-#define SSL_F_ssl23_write 113
-#define SSL_F_ssl3_check_client_hello 114
-#define SSL_F_SSL_use_certificate_ASN1 115
-#define SSL_F_ssl_verify_cert_chain 116
-#define SSL_F_ssl_parse_serverhello_renegotiate_ext 117
-#define SSL_F_ssl_undefined_const_function 118
-#define SSL_F_ssl3_get_server_certificate 119
-#define SSL_F_tls1_get_server_supplemental_data 120
-#define SSL_F_dtls1_buffer_record 121
-#define SSL_F_ssl_prepare_clienthello_tlsext 122
-#define SSL_F_ssl3_get_server_hello 123
-#define SSL_F_ssl3_send_client_key_exchange 124
-#define SSL_F_ssl3_write_bytes 125
-#define SSL_F_SSL_use_RSAPrivateKey_file 126
-#define SSL_F_ssl_bad_method 127
-#define SSL_F_ssl3_connect 128
-#define SSL_F_dtls1_connect 129
-#define SSL_F_SSL_use_RSAPrivateKey 130
-#define SSL_F_tls1_prf 131
-#define SSL_F_ssl_bytes_to_cipher_list 132
-#define SSL_F_ssl3_do_change_cipher_spec 133
-#define SSL_F_SSL_SESSION_set1_id_context 134
-#define SSL_F_ssl_add_serverhello_tlsext 135
-#define SSL_F_read_authz 136
-#define SSL_F_ssl3_get_client_hello 137
-#define SSL_F_ssl3_get_certificate_request 138
-#define SSL_F_authz_find_data 139
-#define SSL_F_ssl_add_cert_to_buf 140
-#define SSL_F_ssl_add_serverhello_renegotiate_ext 141
-#define SSL_F_ssl3_get_message 142
-#define SSL_F_ssl_check_srvr_ecc_cert_and_alg 143
-#define SSL_F_ssl_parse_clienthello_tlsext 144
-#define SSL_F_SSL_add_file_cert_subjects_to_stack 145
-#define SSL_F_ssl3_ctx_ctrl 146
-#define SSL_F_ssl3_get_record 147
-#define SSL_F_SSL_CTX_use_RSAPrivateKey 148
-#define SSL_F_SSL_use_certificate_file 149
-#define SSL_F_SSL_load_client_CA_file 151
-#define SSL_F_dtls1_preprocess_fragment 152
-#define SSL_F_SSL_CTX_check_private_key 153
-#define SSL_F_ssl3_get_cert_status 154
-#define SSL_F_printf 155
-#define SSL_F_SSL_CTX_new 156
-#define SSL_F_ssl23_accept 157
-#define SSL_F_SSL_use_authz 158
-#define SSL_F_ssl_undefined_function 159
-#define SSL_F_dtls1_send_hello_verify_request 160
-#define SSL_F_ssl_build_cert_chain 161
-#define SSL_F_SSL_SESSION_print_fp 162
-#define SSL_F_tls1_change_cipher_state 163
-#define SSL_F_tls12_check_peer_sigalg 164
-#define SSL_F_ssl_sess_cert_new 165
-#define SSL_F_ssl3_read_bytes 166
-#define SSL_F_dtls1_get_hello_verify 167
-#define SSL_F_tls1_cert_verify_mac 168
-#define SSL_F_ssl23_client_hello 169
-#define SSL_F_SSL_shutdown 170
-#define SSL_F_ssl_init_wbio_buffer 171
-#define SSL_F_SSL_use_certificate 172
-#define SSL_F_SSL_CTX_use_RSAPrivateKey_ASN1 173
-#define SSL_F_ssl_set_authz 174
-#define SSL_F_ssl23_peek 175
-#define SSL_F_SSL_use_psk_identity_hint 176
-#define SSL_F_ssl3_get_cert_verify 177
-#define SSL_F_ssl_ctx_make_profiles 178
-#define SSL_F_ssl_add_clienthello_use_srtp_ext 179
-#define SSL_F_ssl3_get_client_key_exchange 180
-#define SSL_F_do_ssl3_write 181
-#define SSL_F_ssl3_handshake_mac 182
-#define SSL_F_tls1_setup_key_block 183
-#define SSL_F_SSL_set_fd 184
-#define SSL_F_SSL_check_private_key 185
-#define SSL_F_ssl3_send_cert_verify 186
-#define SSL_F_ssl3_write_pending 187
-#define SSL_F_ssl_cert_inst 188
-#define SSL_F_ssl3_change_cipher_state 189
-#define SSL_F_ssl23_get_server_hello 190
-#define SSL_F_SSL_write 191
-#define SSL_F_ssl_get_sign_pkey 192
-#define SSL_F_ssl_set_cert 193
-#define SSL_F_SSL_CTX_use_RSAPrivateKey_file 194
-#define SSL_F_SSL_CTX_use_authz 195
-#define SSL_F_ssl_get_new_session 196
-#define SSL_F_SSL_set_session_ticket_ext 197
-#define SSL_F_ssl_add_clienthello_renegotiate_ext 198
-#define SSL_F_ssl3_send_server_key_exchange 199
-#define SSL_F_fprintf 200
-#define SSL_F_ssl3_get_new_session_ticket 201
-#define SSL_F_SSL_CTX_use_certificate_ASN1 202
-#define SSL_F_ssl_add_cert_chain 203
-#define SSL_F_ssl_create_cipher_list 204
-#define SSL_F_ssl3_callback_ctrl 205
-#define SSL_F_SSL_CTX_set_cipher_list 206
-#define SSL_F_ssl3_send_certificate_request 207
-#define SSL_F_SSL_use_PrivateKey_ASN1 208
-#define SSL_F_SSL_CTX_use_certificate_chain_file 209
-#define SSL_F_SSL_SESSION_new 210
-#define SSL_F_check_suiteb_cipher_list 211
-#define SSL_F_ssl_scan_clienthello_tlsext 212
-#define SSL_F_ssl3_send_client_hello 213
-#define SSL_F_SSL_use_RSAPrivateKey_ASN1 214
-#define SSL_F_ssl3_ctrl 215
-#define SSL_F_ssl3_setup_write_buffer 216
-#define SSL_F_ssl_parse_serverhello_use_srtp_ext 217
-#define SSL_F_ssl3_get_server_key_exchange 218
-#define SSL_F_ssl3_send_server_hello 219
-#define SSL_F_SSL_add_dir_cert_subjects_to_stack 220
-#define SSL_F_ssl_check_serverhello_tlsext 221
-#define SSL_F_ssl3_get_server_done 222
-#define SSL_F_ssl3_check_cert_and_algorithm 223
-#define SSL_F_do_dtls1_write 224
-#define SSL_F_dtls1_check_timeout_num 225
-#define SSL_F_tls1_export_keying_material 226
-#define SSL_F_SSL_CTX_set_session_id_context 227
-#define SSL_F_SSL_set_rfd 228
-#define SSL_F_ssl3_send_client_certificate 229
-#define SSL_F_ssl_cert_dup 230
-#define SSL_F_dtls1_process_record 231
-#define SSL_F_ssl_new 232
-#define SSL_F_ssl_get_server_cert_index 233
-#define SSL_F_tls1_send_server_supplemental_data 234
-#define SSL_F_D2I_SSL_SESSION 235
-#define SSL_F_ssl_cipher_strength_sort 236
-#define SSL_F_dtls1_get_message 237
-#define SSL_F_ssl23_connect 238
-#define SSL_F_tls1_heartbeat 239
-#define SSL_F_ssl3_read_n 240
-#define SSL_F_ssl_get_prev_session 241
-#define SSL_F_ssl_parse_clienthello_renegotiate_ext 242
-#define SSL_F_ssl3_setup_read_buffer 243
-#define SSL_F_SSL_CTX_set_ssl_version 244
-#define SSL_F_SSL_peek 245
-#define SSL_F_ssl3_send_server_certificate 246
-#define SSL_F_SSL_do_handshake 247
-#define SSL_F_ssl_undefined_void_function 248
-#define SSL_F_ssl_add_serverhello_use_srtp_ext 249
-#define SSL_F_fclose 250
-#define SSL_F_SSL_use_PrivateKey 251
-#define SSL_F_SSL_CTX_use_certificate_file 252
-#define SSL_F_SSL_CTX_use_PrivateKey 253
-#define SSL_F_SSL_set_session 254
-#define SSL_F_SSL_CTX_use_psk_identity_hint 255
-#define SSL_F_ssl_scan_serverhello_tlsext 256
-#define SSL_F_ssl23_read 257
-#define SSL_F_ssl_parse_clienthello_use_srtp_ext 258
-#define SSL_F_ssl3_accept 259
-#define SSL_F_ssl3_get_client_certificate 260
-#define SSL_F_SSL_CTX_use_PrivateKey_ASN1 261
-#define SSL_F_dtls1_get_message_fragment 262
-#define SSL_F_SSL_clear 263
-#define SSL_F_dtls1_accept 264
-#define SSL_F_ssl3_get_next_proto 265
-#define SSL_F_SSL_set_cipher_list 266
-#define SSL_F_ssl_add_clienthello_tlsext 267
-#define SSL_F_ssl23_get_client_hello 268
-#define SSL_F_SSL_CTX_use_PrivateKey_file 269
-#define SSL_F_ssl3_get_finished 270
-#define SSL_F_ssl3_generate_key_block 271
-#define SSL_F_ssl3_setup_key_block 272
-#define SSL_F_SSL_new 273
-#define SSL_F_ssl_parse_serverhello_tlsext 274
-#define SSL_F_ssl3_get_channel_id 275
-#define SSL_F_ssl3_send_channel_id 276
-#define SSL_F_SSL_CTX_set_cipher_list_tls11 277
-#define SSL_F_tls1_change_cipher_state_cipher 278
-#define SSL_F_tls1_change_cipher_state_aead 279
-#define SSL_F_tls1_aead_ctx_init 280
-#define SSL_F_tls1_check_duplicate_extensions 281
-#define SSL_F_ssl3_expect_change_cipher_spec 282
-#define SSL_F_ssl23_get_v2_client_hello 283
-#define SSL_F_ssl3_cert_verify_hash 284
-#define SSL_F_ssl_ctx_log_rsa_client_key_exchange 285
-#define SSL_F_ssl_ctx_log_master_secret 286
-#define SSL_F_d2i_SSL_SESSION 287
-#define SSL_F_i2d_SSL_SESSION 288
-#define SSL_F_d2i_SSL_SESSION_get_octet_string 289
-#define SSL_F_d2i_SSL_SESSION_get_string 290
-#define SSL_F_ssl3_send_new_session_ticket 291
-#define SSL_F_SSL_SESSION_to_bytes_full 292
-#define SSL_F_SSL_accept 293
-#define SSL_F_SSL_connect 294
-#define SSL_F_ssl3_get_v2_client_hello 295
-#define SSL_F_ssl3_get_initial_bytes 296
-#define SSL_F_tls1_enc 297
-#define SSL_F_ssl3_prf 298
-#define SSL_F_dtls1_do_write 299
-#define SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS 100
-#define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 101
-#define SSL_R_INVALID_NULL_CMD_NAME 102
-#define SSL_R_BAD_RSA_DECRYPT 103
-#define SSL_R_NO_SHARED_CIPHER 104
-#define SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH 105
-#define SSL_R_SSL_HANDSHAKE_FAILURE 106
-#define SSL_R_INVALID_TICKET_KEYS_LENGTH 107
-#define SSL_R_PEER_ERROR 108
-#define SSL_R_ECC_CERT_NOT_FOR_SIGNING 109
-#define SSL_R_INCONSISTENT_COMPRESSION 110
+#define SSL_F_SSL_CTX_use_certificate_ASN1 112
+#define SSL_F_SSL_CTX_use_certificate_chain_file 113
+#define SSL_F_SSL_CTX_use_certificate_file 114
+#define SSL_F_SSL_CTX_use_psk_identity_hint 115
+#define SSL_F_SSL_SESSION_new 116
+#define SSL_F_SSL_SESSION_print_fp 117
+#define SSL_F_SSL_SESSION_set1_id_context 118
+#define SSL_F_SSL_SESSION_to_bytes_full 119
+#define SSL_F_SSL_accept 120
+#define SSL_F_SSL_add_dir_cert_subjects_to_stack 121
+#define SSL_F_SSL_add_file_cert_subjects_to_stack 122
+#define SSL_F_SSL_check_private_key 123
+#define SSL_F_SSL_clear 124
+#define SSL_F_SSL_connect 125
+#define SSL_F_SSL_do_handshake 126
+#define SSL_F_SSL_load_client_CA_file 127
+#define SSL_F_SSL_new 128
+#define SSL_F_SSL_peek 129
+#define SSL_F_SSL_read 130
+#define SSL_F_SSL_renegotiate 131
+#define SSL_F_SSL_set_cipher_list 132
+#define SSL_F_SSL_set_fd 133
+#define SSL_F_SSL_set_rfd 134
+#define SSL_F_SSL_set_session_id_context 135
+#define SSL_F_SSL_set_wfd 136
+#define SSL_F_SSL_shutdown 137
+#define SSL_F_SSL_use_PrivateKey 138
+#define SSL_F_SSL_use_PrivateKey_ASN1 139
+#define SSL_F_SSL_use_PrivateKey_file 140
+#define SSL_F_SSL_use_RSAPrivateKey 141
+#define SSL_F_SSL_use_RSAPrivateKey_ASN1 142
+#define SSL_F_SSL_use_RSAPrivateKey_file 143
+#define SSL_F_SSL_use_certificate 144
+#define SSL_F_SSL_use_certificate_ASN1 145
+#define SSL_F_SSL_use_certificate_file 146
+#define SSL_F_SSL_use_psk_identity_hint 147
+#define SSL_F_SSL_write 148
+#define SSL_F_d2i_SSL_SESSION 149
+#define SSL_F_d2i_SSL_SESSION_get_octet_string 150
+#define SSL_F_d2i_SSL_SESSION_get_string 151
+#define SSL_F_do_ssl3_write 152
+#define SSL_F_dtls1_accept 153
+#define SSL_F_dtls1_buffer_record 154
+#define SSL_F_dtls1_check_timeout_num 155
+#define SSL_F_dtls1_connect 156
+#define SSL_F_dtls1_do_write 157
+#define SSL_F_dtls1_get_hello_verify 158
+#define SSL_F_dtls1_get_message 159
+#define SSL_F_dtls1_get_message_fragment 160
+#define SSL_F_dtls1_preprocess_fragment 161
+#define SSL_F_dtls1_process_record 162
+#define SSL_F_dtls1_read_bytes 163
+#define SSL_F_dtls1_send_hello_verify_request 164
+#define SSL_F_dtls1_write_app_data_bytes 165
+#define SSL_F_i2d_SSL_SESSION 166
+#define SSL_F_ssl3_accept 167
+#define SSL_F_ssl3_cert_verify_hash 169
+#define SSL_F_ssl3_check_cert_and_algorithm 170
+#define SSL_F_ssl3_connect 171
+#define SSL_F_ssl3_ctrl 172
+#define SSL_F_ssl3_ctx_ctrl 173
+#define SSL_F_ssl3_digest_cached_records 174
+#define SSL_F_ssl3_do_change_cipher_spec 175
+#define SSL_F_ssl3_expect_change_cipher_spec 176
+#define SSL_F_ssl3_get_cert_status 177
+#define SSL_F_ssl3_get_cert_verify 178
+#define SSL_F_ssl3_get_certificate_request 179
+#define SSL_F_ssl3_get_channel_id 180
+#define SSL_F_ssl3_get_client_certificate 181
+#define SSL_F_ssl3_get_client_hello 182
+#define SSL_F_ssl3_get_client_key_exchange 183
+#define SSL_F_ssl3_get_finished 184
+#define SSL_F_ssl3_get_initial_bytes 185
+#define SSL_F_ssl3_get_message 186
+#define SSL_F_ssl3_get_new_session_ticket 187
+#define SSL_F_ssl3_get_next_proto 188
+#define SSL_F_ssl3_get_record 189
+#define SSL_F_ssl3_get_server_certificate 190
+#define SSL_F_ssl3_get_server_done 191
+#define SSL_F_ssl3_get_server_hello 192
+#define SSL_F_ssl3_get_server_key_exchange 193
+#define SSL_F_ssl3_get_v2_client_hello 194
+#define SSL_F_ssl3_handshake_mac 195
+#define SSL_F_ssl3_prf 196
+#define SSL_F_ssl3_read_bytes 197
+#define SSL_F_ssl3_read_n 198
+#define SSL_F_ssl3_send_cert_verify 199
+#define SSL_F_ssl3_send_certificate_request 200
+#define SSL_F_ssl3_send_channel_id 201
+#define SSL_F_ssl3_send_client_certificate 202
+#define SSL_F_ssl3_send_client_hello 203
+#define SSL_F_ssl3_send_client_key_exchange 204
+#define SSL_F_ssl3_send_server_certificate 205
+#define SSL_F_ssl3_send_server_hello 206
+#define SSL_F_ssl3_send_server_key_exchange 207
+#define SSL_F_ssl3_setup_read_buffer 208
+#define SSL_F_ssl3_setup_write_buffer 209
+#define SSL_F_ssl3_write_bytes 210
+#define SSL_F_ssl3_write_pending 211
+#define SSL_F_ssl_add_cert_chain 212
+#define SSL_F_ssl_add_cert_to_buf 213
+#define SSL_F_ssl_add_clienthello_renegotiate_ext 214
+#define SSL_F_ssl_add_clienthello_tlsext 215
+#define SSL_F_ssl_add_clienthello_use_srtp_ext 216
+#define SSL_F_ssl_add_serverhello_renegotiate_ext 217
+#define SSL_F_ssl_add_serverhello_tlsext 218
+#define SSL_F_ssl_add_serverhello_use_srtp_ext 219
+#define SSL_F_ssl_build_cert_chain 220
+#define SSL_F_ssl_bytes_to_cipher_list 221
+#define SSL_F_ssl_cert_dup 222
+#define SSL_F_ssl_cert_inst 223
+#define SSL_F_ssl_cert_new 224
+#define SSL_F_ssl_check_serverhello_tlsext 225
+#define SSL_F_ssl_check_srvr_ecc_cert_and_alg 226
+#define SSL_F_ssl_cipher_process_rulestr 227
+#define SSL_F_ssl_cipher_strength_sort 228
+#define SSL_F_ssl_create_cipher_list 229
+#define SSL_F_ssl_ctx_log_master_secret 230
+#define SSL_F_ssl_ctx_log_rsa_client_key_exchange 231
+#define SSL_F_ssl_ctx_make_profiles 232
+#define SSL_F_ssl_get_new_session 233
+#define SSL_F_ssl_get_prev_session 234
+#define SSL_F_ssl_get_server_cert_index 235
+#define SSL_F_ssl_get_sign_pkey 236
+#define SSL_F_ssl_init_wbio_buffer 237
+#define SSL_F_ssl_parse_clienthello_renegotiate_ext 238
+#define SSL_F_ssl_parse_clienthello_tlsext 239
+#define SSL_F_ssl_parse_clienthello_use_srtp_ext 240
+#define SSL_F_ssl_parse_serverhello_renegotiate_ext 241
+#define SSL_F_ssl_parse_serverhello_tlsext 242
+#define SSL_F_ssl_parse_serverhello_use_srtp_ext 243
+#define SSL_F_ssl_scan_clienthello_tlsext 244
+#define SSL_F_ssl_scan_serverhello_tlsext 245
+#define SSL_F_ssl_sess_cert_new 246
+#define SSL_F_ssl_set_cert 247
+#define SSL_F_ssl_set_pkey 248
+#define SSL_F_ssl_verify_cert_chain 252
+#define SSL_F_tls12_check_peer_sigalg 253
+#define SSL_F_tls1_aead_ctx_init 254
+#define SSL_F_tls1_cert_verify_mac 255
+#define SSL_F_tls1_change_cipher_state 256
+#define SSL_F_tls1_change_cipher_state_aead 257
+#define SSL_F_tls1_check_duplicate_extensions 258
+#define SSL_F_tls1_enc 259
+#define SSL_F_tls1_export_keying_material 260
+#define SSL_F_tls1_prf 261
+#define SSL_F_tls1_setup_key_block 262
+#define SSL_F_dtls1_get_buffered_message 263
+#define SSL_F_dtls1_process_fragment 264
+#define SSL_F_dtls1_hm_fragment_new 265
+#define SSL_F_ssl3_seal_record 266
+#define SSL_F_ssl3_record_sequence_update 267
+#define SSL_F_SSL_CTX_set_tmp_dh 268
+#define SSL_F_SSL_CTX_set_tmp_ecdh 269
+#define SSL_F_SSL_set_tmp_dh 270
+#define SSL_F_SSL_set_tmp_ecdh 271
+#define SSL_F_SSL_CTX_set1_tls_channel_id 272
+#define SSL_F_SSL_set1_tls_channel_id 273
+#define SSL_F_SSL_set_tlsext_host_name 274
+#define SSL_F_ssl3_output_cert_chain 275
+#define SSL_R_APP_DATA_IN_HANDSHAKE 100
+#define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 101
+#define SSL_R_BAD_ALERT 102
+#define SSL_R_BAD_CHANGE_CIPHER_SPEC 103
+#define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK 104
+#define SSL_R_BAD_DH_P_LENGTH 105
+#define SSL_R_BAD_DIGEST_LENGTH 106
+#define SSL_R_BAD_ECC_CERT 107
+#define SSL_R_BAD_ECPOINT 108
+#define SSL_R_BAD_HANDSHAKE_LENGTH 109
+#define SSL_R_BAD_HANDSHAKE_RECORD 110
 #define SSL_R_BAD_HELLO_REQUEST 111
-#define SSL_R_NULL_SSL_METHOD_PASSED 112
-#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 113
-#define SSL_R_BAD_ECDSA_SIGNATURE 114
-#define SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION 115
-#define SSL_R_BAD_DH_PUB_KEY_LENGTH 116
-#define SSL_R_COMPRESSED_LENGTH_TOO_LONG 117
-#define SSL_R_APP_DATA_IN_HANDSHAKE 118
-#define SSL_R_NO_PEM_EXTENSIONS 119
-#define SSL_R_BAD_SRP_B_LENGTH 120
-#define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG 121
-#define SSL_R_UNABLE_TO_DECODE_DH_CERTS 122
-#define SSL_R_MISSING_SRP_PARAM 123
-#define SSL_R_MISSING_RSA_SIGNING_CERT 124
-#define SSL_R_MISSING_DSA_SIGNING_CERT 125
-#define SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE 126
-#define SSL_R_UNEXPECTED_RECORD 127
-#define SSL_R_BAD_DIGEST_LENGTH 128
-#define SSL_R_READ_TIMEOUT_EXPIRED 129
-#define SSL_R_KRB5_C_GET_CRED 130
-#define SSL_R_NULL_SSL_CTX 131
-#define SSL_R_ERROR_GENERATING_TMP_RSA_KEY 134
-#define SSL_R_SSL3_SESSION_ID_TOO_LONG 135
-#define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK 136
-#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 137
-#define SSL_R_COOKIE_MISMATCH 139
-#define SSL_R_UNINITIALIZED 140
-#define SSL_R_BAD_CHANGE_CIPHER_SPEC 141
-#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 142
-#define SSL_R_BAD_SRP_G_LENGTH 143
-#define SSL_R_NO_CERTIFICATE_ASSIGNED 144
-#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 145
-#define SSL_R_PEM_NAME_TOO_SHORT 146
-#define SSL_R_PROTOCOL_IS_SHUTDOWN 148
-#define SSL_R_UNABLE_TO_FIND_SSL_METHOD 149
-#define SSL_R_WRONG_MESSAGE_TYPE 150
-#define SSL_R_BAD_RSA_MODULUS_LENGTH 151
-#define SSL_R_PUBLIC_KEY_IS_NOT_RSA 152
-#define SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE 153
-#define SSL_R_NO_CLIENT_CERT_RECEIVED 154
-#define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 155
-#define SSL_R_CERT_LENGTH_MISMATCH 156
-#define SSL_R_MISSING_EXPORT_TMP_DH_KEY 157
-#define SSL_R_DUPLICATE_COMPRESSION_ID 158
-#define SSL_R_SSL3_EXT_INVALID_ECPOINTFORMAT 159
-#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 160
-#define SSL_R_DATA_LENGTH_TOO_LONG 161
-#define SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER 162
-#define SSL_R_WRONG_SIGNATURE_LENGTH 163
-#define SSL_R_SSL2_CONNECTION_ID_TOO_LONG 164
-#define SSL_R_WRONG_VERSION_NUMBER 165
-#define SSL_R_RECORD_TOO_LARGE 166
-#define SSL_R_BIO_NOT_SET 167
-#define SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES 168
-#define SSL_R_UNKNOWN_PKEY_TYPE 170
-#define SSL_R_CIPHER_CODE_WRONG_LENGTH 171
-#define SSL_R_SSL_SESSION_ID_CONFLICT 172
-#define SSL_R_INVALID_COMMAND 173
-#define SSL_R_NO_PROTOCOLS_AVAILABLE 174
-#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 175
-#define SSL_R_LIBRARY_BUG 176
-#define SSL_R_UNSUPPORTED_CIPHER 177
-#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 178
-#define SSL_R_WRONG_SIGNATURE_TYPE 179
-#define SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST 180
-#define SSL_R_PSK_NO_SERVER_CB 181
-#define SSL_R_BLOCK_CIPHER_PAD_IS_WRONG 182
-#define SSL_R_INVALID_TRUST 183
-#define SSL_R_PARSE_TLSEXT 184
-#define SSL_R_NO_SRTP_PROFILES 185
-#define SSL_R_UNSUPPORTED_ELLIPTIC_CURVE 186
-#define SSL_R_UNKNOWN_STATE 187
-#define SSL_R_UNKNOWN_CERTIFICATE_TYPE 188
-#define SSL_R_WRONG_CIPHER_RETURNED 189
-#define SSL_R_BAD_DH_G_LENGTH 190
-#define SSL_R_BAD_ALERT_RECORD 191
-#define SSL_R_CIPHER_TABLE_SRC_ERROR 192
-#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 194
-#define SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE 195
-#define SSL_R_MESSAGE_TOO_LONG 196
-#define SSL_R_BAD_RSA_SIGNATURE 197
-#define SSL_R_X509_LIB 198
-#define SSL_R_BAD_SRP_N_LENGTH 199
-#define SSL_R_BAD_SSL_SESSION_ID_LENGTH 200
-#define SSL_R_UNKNOWN_CIPHER_TYPE 201
-#define SSL_R_BAD_DH_P_LENGTH 202
-#define SSL_R_MISSING_DH_RSA_CERT 203
-#define SSL_R_NO_METHOD_SPECIFIED 204
-#define SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST 205
-#define SSL_R_MULTIPLE_SGC_RESTARTS 206
-#define SSL_R_UNABLE_TO_DECODE_ECDH_CERTS 207
-#define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 208
-#define SSL_R_SSL3_EXT_INVALID_SERVERNAME 209
-#define SSL_R_BAD_SRP_S_LENGTH 210
-#define SSL_R_MISSING_TMP_RSA_KEY 211
-#define SSL_R_PSK_NO_CLIENT_CB 212
-#define SSL_R_PEM_NAME_BAD_PREFIX 213
-#define SSL_R_BAD_CHECKSUM 214
-#define SSL_R_NO_CIPHER_MATCH 216
-#define SSL_R_MISSING_TMP_DH_KEY 217
-#define SSL_R_UNSUPPORTED_STATUS_TYPE 218
-#define SSL_R_UNKNOWN_AUTHZ_DATA_TYPE 219
-#define SSL_R_CONNECTION_TYPE_NOT_SET 220
-#define SSL_R_MISSING_DH_KEY 221
-#define SSL_R_CHANNEL_ID_NOT_P256 222
-#define SSL_R_UNKNOWN_SUPPLEMENTAL_DATA_TYPE 223
-#define SSL_R_UNKNOWN_PROTOCOL 224
-#define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED 225
-#define SSL_R_KRB5_S_TKT_SKEW 226
-#define SSL_R_PUBLIC_KEY_NOT_RSA 227
-#define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 228
-#define SSL_R_GOST_NOT_SUPPORTED 229
-#define SSL_R_KRB5_C_CC_PRINC 230
-#define SSL_R_INVALID_PURPOSE 234
-#define SSL_R_KRB5_C_MK_REQ 235
-#define SSL_R_BAD_SRTP_MKI_VALUE 237
-#define SSL_R_EVP_DIGESTSIGNINIT_FAILED 238
-#define SSL_R_DIGEST_CHECK_FAILED 239
-#define SSL_R_BAD_SRP_A_LENGTH 240
-#define SSL_R_SERVERHELLO_TLSEXT 241
-#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 242
-#define SSL_R_NO_CIPHERS_AVAILABLE 243
-#define SSL_R_COMPRESSION_FAILURE 244
-#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 245
-#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 246
-#define SSL_R_BAD_RSA_ENCRYPT 247
-#define SSL_R_EXCESSIVE_MESSAGE_SIZE 248
-#define SSL_R_INVALID_COMPRESSION_ALGORITHM 249
-#define SSL_R_SHORT_READ 250
-#define SSL_R_CA_DN_LENGTH_MISMATCH 252
-#define SSL_R_BAD_ECC_CERT 253
-#define SSL_R_NON_SSLV2_INITIAL_PACKET 254
-#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT 255
-#define SSL_R_MISSING_TMP_RSA_PKEY 256
-#define SSL_R_BN_LIB 257
-#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 258
-#define SSL_R_MISSING_RSA_ENCRYPTING_CERT 259
-#define SSL_R_NO_RENEGOTIATION 260
-#define SSL_R_NO_COMPRESSION_SPECIFIED 261
+#define SSL_R_BAD_LENGTH 112
+#define SSL_R_BAD_PACKET_LENGTH 113
+#define SSL_R_BAD_RSA_ENCRYPT 114
+#define SSL_R_BAD_SIGNATURE 115
+#define SSL_R_BAD_SRTP_MKI_VALUE 116
+#define SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST 117
+#define SSL_R_BAD_SSL_FILETYPE 118
+#define SSL_R_BAD_WRITE_RETRY 119
+#define SSL_R_BIO_NOT_SET 120
+#define SSL_R_BN_LIB 121
+#define SSL_R_CANNOT_SERIALIZE_PUBLIC_KEY 122
+#define SSL_R_CA_DN_LENGTH_MISMATCH 123
+#define SSL_R_CA_DN_TOO_LONG 124
+#define SSL_R_CCS_RECEIVED_EARLY 125
+#define SSL_R_CERTIFICATE_VERIFY_FAILED 126
+#define SSL_R_CERT_CB_ERROR 127
+#define SSL_R_CERT_LENGTH_MISMATCH 128
+#define SSL_R_CHANNEL_ID_NOT_P256 129
+#define SSL_R_CHANNEL_ID_SIGNATURE_INVALID 130
+#define SSL_R_CIPHER_CODE_WRONG_LENGTH 131
+#define SSL_R_CIPHER_OR_HASH_UNAVAILABLE 132
+#define SSL_R_CLIENTHELLO_PARSE_FAILED 133
+#define SSL_R_CLIENTHELLO_TLSEXT 134
+#define SSL_R_CONNECTION_REJECTED 135
+#define SSL_R_CONNECTION_TYPE_NOT_SET 136
+#define SSL_R_COOKIE_MISMATCH 137
+#define SSL_R_D2I_ECDSA_SIG 138
+#define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED 139
+#define SSL_R_DATA_LENGTH_TOO_LONG 140
+#define SSL_R_DECODE_ERROR 141
+#define SSL_R_DECRYPTION_FAILED 142
+#define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 143
+#define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 144
+#define SSL_R_DIGEST_CHECK_FAILED 145
+#define SSL_R_DTLS_MESSAGE_TOO_BIG 146
+#define SSL_R_ECC_CERT_NOT_FOR_SIGNING 147
+#define SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST 148
+#define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 149
+#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 150
+#define SSL_R_EVP_DIGESTSIGNFINAL_FAILED 151
+#define SSL_R_EVP_DIGESTSIGNINIT_FAILED 152
+#define SSL_R_EXCESSIVE_MESSAGE_SIZE 153
+#define SSL_R_EXTRA_DATA_IN_MESSAGE 154
+#define SSL_R_GOT_A_FIN_BEFORE_A_CCS 155
+#define SSL_R_GOT_CHANNEL_ID_BEFORE_A_CCS 156
+#define SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS 157
+#define SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION 158
+#define SSL_R_HANDSHAKE_FAILURE_ON_CLIENT_HELLO 159
+#define SSL_R_HANDSHAKE_RECORD_BEFORE_CCS 160
+#define SSL_R_HTTPS_PROXY_REQUEST 161
+#define SSL_R_HTTP_REQUEST 162
+#define SSL_R_INAPPROPRIATE_FALLBACK 163
+#define SSL_R_INVALID_COMMAND 164
+#define SSL_R_INVALID_MESSAGE 165
+#define SSL_R_INVALID_SSL_SESSION 166
+#define SSL_R_INVALID_TICKET_KEYS_LENGTH 167
+#define SSL_R_LENGTH_MISMATCH 168
+#define SSL_R_LIBRARY_HAS_NO_CIPHERS 169
+#define SSL_R_MISSING_DH_KEY 170
+#define SSL_R_MISSING_ECDSA_SIGNING_CERT 171
+#define SSL_R_MISSING_RSA_CERTIFICATE 172
+#define SSL_R_MISSING_RSA_ENCRYPTING_CERT 173
+#define SSL_R_MISSING_RSA_SIGNING_CERT 174
+#define SSL_R_MISSING_TMP_DH_KEY 175
+#define SSL_R_MISSING_TMP_ECDH_KEY 176
+#define SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS 177
+#define SSL_R_MTU_TOO_SMALL 178
+#define SSL_R_NESTED_GROUP 179
+#define SSL_R_NO_CERTIFICATES_RETURNED 180
+#define SSL_R_NO_CERTIFICATE_ASSIGNED 181
+#define SSL_R_NO_CERTIFICATE_SET 182
+#define SSL_R_NO_CIPHERS_AVAILABLE 183
+#define SSL_R_NO_CIPHERS_PASSED 184
+#define SSL_R_NO_CIPHERS_SPECIFIED 185
+#define SSL_R_NO_CIPHER_MATCH 186
+#define SSL_R_NO_COMPRESSION_SPECIFIED 187
+#define SSL_R_NO_METHOD_SPECIFIED 188
+#define SSL_R_NO_P256_SUPPORT 189
+#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 190
+#define SSL_R_NO_RENEGOTIATION 191
+#define SSL_R_NO_REQUIRED_DIGEST 192
+#define SSL_R_NO_SHARED_CIPHER 193
+#define SSL_R_NO_SHARED_SIGATURE_ALGORITHMS 194
+#define SSL_R_NO_SRTP_PROFILES 195
+#define SSL_R_NULL_SSL_CTX 196
+#define SSL_R_NULL_SSL_METHOD_PASSED 197
+#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 198
+#define SSL_R_PACKET_LENGTH_TOO_LONG 199
+#define SSL_R_PARSE_TLSEXT 200
+#define SSL_R_PATH_TOO_LONG 201
+#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 202
+#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 203
+#define SSL_R_PROTOCOL_IS_SHUTDOWN 204
+#define SSL_R_PSK_IDENTITY_NOT_FOUND 205
+#define SSL_R_PSK_NO_CLIENT_CB 206
+#define SSL_R_PSK_NO_SERVER_CB 207
+#define SSL_R_READ_BIO_NOT_SET 208
+#define SSL_R_READ_TIMEOUT_EXPIRED 209
+#define SSL_R_RECORD_LENGTH_MISMATCH 210
+#define SSL_R_RECORD_TOO_LARGE 211
+#define SSL_R_RENEGOTIATE_EXT_TOO_LONG 212
+#define SSL_R_RENEGOTIATION_ENCODING_ERR 213
+#define SSL_R_RENEGOTIATION_MISMATCH 214
+#define SSL_R_REQUIRED_CIPHER_MISSING 215
+#define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 216
+#define SSL_R_SERVERHELLO_TLSEXT 217
+#define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 218
+#define SSL_R_SESSION_MAY_NOT_BE_CREATED 219
+#define SSL_R_SIGNATURE_ALGORITHMS_ERROR 220
+#define SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES 221
+#define SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG 222
+#define SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE 223
+#define SSL_R_SSL3_EXT_INVALID_SERVERNAME 224
+#define SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE 225
+#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 226
+#define SSL_R_SSL_HANDSHAKE_FAILURE 227
+#define SSL_R_SSL_SESSION_ID_CALLBACK_FAILED 228
+#define SSL_R_SSL_SESSION_ID_CONFLICT 229
+#define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG 230
+#define SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH 231
+#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232
+#define SSL_R_TLS_ILLEGAL_EXPORTER_LABEL 233
+#define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 234
+#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 235
+#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 236
+#define SSL_R_TOO_MANY_EMPTY_FRAGMENTS 237
+#define SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS 238
+#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 239
+#define SSL_R_UNEXPECTED_GROUP_CLOSE 240
+#define SSL_R_UNEXPECTED_MESSAGE 241
+#define SSL_R_UNEXPECTED_OPERATOR_IN_GROUP 242
+#define SSL_R_UNEXPECTED_RECORD 243
+#define SSL_R_UNINITIALIZED 244
+#define SSL_R_UNKNOWN_ALERT_TYPE 245
+#define SSL_R_UNKNOWN_CERTIFICATE_TYPE 246
+#define SSL_R_UNKNOWN_CIPHER_RETURNED 247
+#define SSL_R_UNKNOWN_CIPHER_TYPE 248
+#define SSL_R_UNKNOWN_DIGEST 249
+#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 250
+#define SSL_R_UNKNOWN_PROTOCOL 251
+#define SSL_R_UNKNOWN_SSL_VERSION 252
+#define SSL_R_UNKNOWN_STATE 253
+#define SSL_R_UNPROCESSED_HANDSHAKE_DATA 254
+#define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 255
+#define SSL_R_UNSUPPORTED_CIPHER 256
+#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257
+#define SSL_R_UNSUPPORTED_ELLIPTIC_CURVE 258
+#define SSL_R_UNSUPPORTED_PROTOCOL 259
+#define SSL_R_UNSUPPORTED_SSL_VERSION 260
+#define SSL_R_USE_SRTP_NOT_NEGOTIATED 261
 #define SSL_R_WRONG_CERTIFICATE_TYPE 262
-#define SSL_R_CHANNEL_ID_SIGNATURE_INVALID 264
-#define SSL_R_READ_BIO_NOT_SET 265
-#define SSL_R_SSL23_DOING_SESSION_ID_REUSE 266
-#define SSL_R_RENEGOTIATE_EXT_TOO_LONG 267
-#define SSL_R_INVALID_CHALLENGE_LENGTH 268
-#define SSL_R_LIBRARY_HAS_NO_CIPHERS 270
-#define SSL_R_WRONG_CURVE 271
-#define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 272
-#define SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT 275
-#define SSL_R_MISSING_RSA_CERTIFICATE 276
-#define SSL_R_NO_P256_SUPPORT 277
-#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 278
-#define SSL_R_INVALID_SERVERINFO_DATA 279
-#define SSL_R_GOT_CHANNEL_ID_BEFORE_A_CCS 280
-#define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 281
-#define SSL_R_KRB5_S_BAD_TICKET 282
-#define SSL_R_EVP_DIGESTSIGNFINAL_FAILED 283
-#define SSL_R_PACKET_LENGTH_TOO_LONG 284
-#define SSL_R_BAD_STATE 285
-#define SSL_R_USE_SRTP_NOT_NEGOTIATED 286
-#define SSL_R_BAD_RSA_E_LENGTH 287
-#define SSL_R_ILLEGAL_PADDING 288
-#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 289
-#define SSL_R_BAD_VALUE 290
-#define SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE 291
-#define SSL_R_COMPRESSION_DISABLED 292
-#define SSL_R_BAD_DECOMPRESSION 293
-#define SSL_R_CHALLENGE_IS_DIFFERENT 294
-#define SSL_R_NO_CLIENT_CERT_METHOD 295
-#define SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG 296
-#define SSL_R_INVALID_MESSAGE 297
-#define SSL_R_HTTPS_PROXY_REQUEST 298
-#define SSL_R_AUTHZ_DATA_TOO_LARGE 299
-#define SSL_R_KRB5_S_TKT_EXPIRED 300
-#define SSL_R_NO_CERTIFICATE_SPECIFIED 301
-#define SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE 302
-#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 303
-#define SSL_R_INVALID_STATUS_RESPONSE 304
-#define SSL_R_TLS_ILLEGAL_EXPORTER_LABEL 305
-#define SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE 306
-#define SSL_R_MISSING_TMP_ECDH_KEY 307
-#define SSL_R_CERTIFICATE_VERIFY_FAILED 308
-#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 309
-#define SSL_R_RENEGOTIATION_ENCODING_ERR 310
-#define SSL_R_NO_PRIVATEKEY 311
-#define SSL_R_READ_WRONG_PACKET_TYPE 313
-#define SSL_R_SSL3_SESSION_ID_TOO_SHORT 314
-#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES 315
-#define SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS 316
-#define SSL_R_HTTP_REQUEST 317
-#define SSL_R_KRB5_S_INIT 318
-#define SSL_R_RECORD_LENGTH_MISMATCH 320
-#define SSL_R_BAD_LENGTH 321
-#define SSL_R_NO_REQUIRED_DIGEST 322
-#define SSL_R_KRB5 323
-#define SSL_R_CCS_RECEIVED_EARLY 325
-#define SSL_R_MISSING_ECDSA_SIGNING_CERT 326
-#define SSL_R_D2I_ECDSA_SIG 327
-#define SSL_R_PATH_TOO_LONG 328
-#define SSL_R_CIPHER_OR_HASH_UNAVAILABLE 329
-#define SSL_R_UNSUPPORTED_DIGEST_TYPE 330
-#define SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED 331
-#define SSL_R_PEER_ERROR_CERTIFICATE 332
-#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS 333
-#define SSL_R_NO_CERTIFICATE_SET 334
-#define SSL_R_SSL_SESSION_ID_CALLBACK_FAILED 335
-#define SSL_R_NO_CERTIFICATES_RETURNED 337
-#define SSL_R_BAD_WRITE_RETRY 338
-#define SSL_R_BAD_SSL_FILETYPE 339
-#define SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE 340
-#define SSL_R_NO_CIPHERS_SPECIFIED 341
-#define SSL_R_LENGTH_MISMATCH 342
-#define SSL_R_NO_CIPHERS_PASSED 343
-#define SSL_R_NO_VERIFY_CALLBACK 344
-#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 345
-#define SSL_R_WRONG_NUMBER_OF_KEY_BITS 347
-#define SSL_R_UNEXPECTED_MESSAGE 348
-#define SSL_R_MISSING_DH_DSA_CERT 349
-#define SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH 350
-#define SSL_R_OPAQUE_PRF_INPUT_TOO_LONG 351
-#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 352
-#define SSL_R_ILLEGAL_SUITEB_DIGEST 353
-#define SSL_R_NO_SHARED_SIGATURE_ALGORITHMS 354
-#define SSL_R_CLIENTHELLO_TLSEXT 355
-#define SSL_R_INVALID_AUTHZ_DATA 356
-#define SSL_R_BAD_RESPONSE_ARGUMENT 357
-#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR 358
-#define SSL_R_REQUIRED_CIPHER_MISSING 359
-#define SSL_R_INVALID_AUDIT_PROOF 360
-#define SSL_R_PSK_IDENTITY_NOT_FOUND 361
-#define SSL_R_UNKNOWN_ALERT_TYPE 362
-#define SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER 363
-#define SSL_R_BAD_AUTHENTICATION_TYPE 365
-#define SSL_R_DECRYPTION_FAILED 366
-#define SSL_R_WRONG_SSL_VERSION 367
-#define SSL_R_NO_CERTIFICATE_RETURNED 368
-#define SSL_R_CA_DN_TOO_LONG 370
-#define SSL_R_GOT_A_FIN_BEFORE_A_CCS 371
-#define SSL_R_COMPRESSION_LIBRARY_ERROR 372
-#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 374
-#define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 375
-#define SSL_R_BAD_ECPOINT 376
-#define SSL_R_BAD_HANDSHAKE_LENGTH 377
-#define SSL_R_KRB5_S_RD_REQ 380
-#define SSL_R_PEER_ERROR_NO_CERTIFICATE 381
-#define SSL_R_PRE_MAC_LENGTH_TOO_LONG 382
-#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS 383
-#define SSL_R_UNKNOWN_DIGEST 384
-#define SSL_R_WRONG_SIGNATURE_SIZE 385
-#define SSL_R_SIGNATURE_ALGORITHMS_ERROR 386
-#define SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING 387
-#define SSL_R_BAD_SIGNATURE 388
-#define SSL_R_BAD_PACKET_LENGTH 389
-#define SSL_R_CANNOT_SERIALIZE_PUBLIC_KEY 390
-#define SSL_R_RENEGOTIATION_MISMATCH 391
-#define SSL_R_BAD_MAC_LENGTH 392
-#define SSL_R_NO_PUBLICKEY 393
-#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 394
-#define SSL_R_BAD_MAC_DECODE 395
-#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 396
-#define SSL_R_EXTRA_DATA_IN_MESSAGE 397
-#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 398
-#define SSL_R_CONNECTION_ID_IS_DIFFERENT 399
-#define SSL_R_MISSING_VERIFY_MESSAGE 402
-#define SSL_R_BAD_DSA_SIGNATURE 403
-#define SSL_R_UNKNOWN_SSL_VERSION 404
-#define SSL_R_KEY_ARG_TOO_LONG 405
-#define SSL_R_KRB5_C_INIT 406
-#define SSL_R_NO_CIPHER_LIST 407
-#define SSL_R_PEER_ERROR_NO_CIPHER 408
-#define SSL_R_UNKNOWN_CMD_NAME 409
-#define SSL_R_UNKNOWN_CIPHER_RETURNED 410
-#define SSL_R_RECORD_TOO_SMALL 411
-#define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 412
-#define SSL_R_UNSUPPORTED_SSL_VERSION 413
-#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY 415
-#define SSL_R_MISSING_EXPORT_TMP_RSA_KEY 416
-#define SSL_R_BAD_DATA 417
-#define SSL_R_KRB5_S_TKT_NYV 418
-#define SSL_R_BAD_PROTOCOL_VERSION_NUMBER 420
-#define SSL_R_BAD_MESSAGE_TYPE 421
-#define SSL_R_MISSING_ECDH_CERT 422
-#define SSL_R_UNSUPPORTED_PROTOCOL 423
-#define SSL_R_SRP_A_CALC 424
-#define SSL_R_WRITE_BIO_NOT_SET 425
-#define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE 426
-#define SSL_R_LENGTH_TOO_SHORT 427
-#define SSL_R_CERT_CB_ERROR 428
-#define SSL_R_DTLS_MESSAGE_TOO_BIG 429
-#define SSL_R_INVALID_SRP_USERNAME 430
-#define SSL_R_TOO_MANY_EMPTY_FRAGMENTS 431
-#define SSL_R_NESTED_GROUP 432
-#define SSL_R_UNEXPECTED_GROUP_CLOSE 433
-#define SSL_R_UNEXPECTED_OPERATOR_IN_GROUP 434
-#define SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS 435
-#define SSL_R_INAPPROPRIATE_FALLBACK 436
-#define SSL_R_CLIENTHELLO_PARSE_FAILED 437
-#define SSL_R_CONNECTION_REJECTED 438
-#define SSL_R_DECODE_ERROR 439
-#define SSL_R_UNPROCESSED_HANDSHAKE_DATA 440
-#define SSL_R_HANDSHAKE_RECORD_BEFORE_CCS 441
-#define SSL_R_SESSION_MAY_NOT_BE_CREATED 442
-#define SSL_R_INVALID_SSL_SESSION 443
-#define SSL_R_BAD_ALERT 444
-#define SSL_R_HANDSHAKE_FAILURE_ON_CLIENT_HELLO 445
-#define SSL_R_MTU_TOO_SMALL 446
+#define SSL_R_WRONG_CIPHER_RETURNED 263
+#define SSL_R_WRONG_CURVE 264
+#define SSL_R_WRONG_MESSAGE_TYPE 265
+#define SSL_R_WRONG_SIGNATURE_TYPE 266
+#define SSL_R_WRONG_SSL_VERSION 267
+#define SSL_R_WRONG_VERSION_NUMBER 268
+#define SSL_R_X509_LIB 269
+#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 270
+#define SSL_R_FRAGMENT_MISMATCH 271
+#define SSL_R_BUFFER_TOO_SMALL 272
+#define SSL_R_OLD_SESSION_VERSION_NOT_RETURNED 273
 #define SSL_R_SSLV3_ALERT_CLOSE_NOTIFY 1000
 #define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010
 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020
@@ -2756,4 +2893,4 @@ OPENSSL_EXPORT int SSL_set_ssl_method(SSL *s, const SSL_METHOD *method);
 #define SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE 1113
 #define SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE 1114
 
-#endif
+#endif /* OPENSSL_HEADER_SSL_H */
diff --git a/src/include/openssl/ssl2.h b/src/include/openssl/ssl2.h
index eb25dcb..b8401fa 100644
--- a/src/include/openssl/ssl2.h
+++ b/src/include/openssl/ssl2.h
@@ -151,10 +151,6 @@ extern "C" {
 #define SSL2_MIN_CERT_CHALLENGE_LENGTH	16
 #define SSL2_MAX_KEY_MATERIAL_LENGTH	24
 
-#ifndef HEADER_SSL_LOCL_H
-#define  CERT		char
-#endif
-
 #ifndef OPENSSL_NO_SSL_INTERN
 
 typedef struct ssl2_state_st
diff --git a/src/include/openssl/ssl3.h b/src/include/openssl/ssl3.h
index 8745281..96f00cf 100644
--- a/src/include/openssl/ssl3.h
+++ b/src/include/openssl/ssl3.h
@@ -117,9 +117,11 @@
 #ifndef HEADER_SSL3_H
 #define HEADER_SSL3_H
 
+#include <openssl/aead.h>
 #include <openssl/buf.h>
 #include <openssl/evp.h>
 #include <openssl/ssl.h>
+#include <openssl/type_check.h>
 
 #ifdef  __cplusplus
 extern "C" {
@@ -237,19 +239,28 @@ extern "C" {
 
 /* The standards give a maximum encryption overhead of 1024 bytes. In practice
  * the value is lower than this. The overhead is the maximum number of padding
- * bytes (256) plus the mac size. */
+ * bytes (256) plus the mac size.
+ *
+ * TODO(davidben): This derivation doesn't take AEADs into account, or TLS 1.1
+ * explicit nonces. It happens to work because |SSL3_RT_MAX_MD_SIZE| is larger
+ * than necessary and no true AEAD has variable overhead in TLS 1.2. */
 #define SSL3_RT_MAX_ENCRYPTED_OVERHEAD (256 + SSL3_RT_MAX_MD_SIZE)
 
-/* OpenSSL currently only uses a padding length of at most one block so the
- * send overhead is smaller. */
-
+/* SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD is the maximum overhead in encrypting a
+ * record. This does not include the record header. Some ciphers use explicit
+ * nonces, so it includes both the AEAD overhead as well as the nonce. */
 #define SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD \
-  (SSL_RT_MAX_CIPHER_BLOCK_SIZE + SSL3_RT_MAX_MD_SIZE)
+    (EVP_AEAD_MAX_OVERHEAD + EVP_AEAD_MAX_NONCE_LENGTH)
+
+OPENSSL_COMPILE_ASSERT(
+    SSL3_RT_MAX_ENCRYPTED_OVERHEAD >= SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD,
+    max_overheads_are_consistent);
 
-/* If compression isn't used don't include the compression overhead */
+/* SSL3_RT_MAX_COMPRESSED_LENGTH is an alias for
+ * |SSL3_RT_MAX_PLAIN_LENGTH|. Compression is gone, so don't include the
+ * compression overhead. */
+#define SSL3_RT_MAX_COMPRESSED_LENGTH SSL3_RT_MAX_PLAIN_LENGTH
 
-#define SSL3_RT_MAX_COMPRESSED_LENGTH \
-  (SSL3_RT_MAX_PLAIN_LENGTH + SSL3_RT_MAX_COMPRESSED_OVERHEAD)
 #define SSL3_RT_MAX_ENCRYPTED_LENGTH \
   (SSL3_RT_MAX_ENCRYPTED_OVERHEAD + SSL3_RT_MAX_COMPRESSED_LENGTH)
 #define SSL3_RT_MAX_PACKET_SIZE \
@@ -347,7 +358,6 @@ typedef struct ssl3_state_st {
 
   /* flags for countermeasure against known-IV weakness */
   int need_record_splitting;
-  int record_split_done;
 
   /* The value of 'extra' when the buffers were initialized */
   int init_extra;
@@ -399,9 +409,6 @@ typedef struct ssl3_state_st {
    * no more data in the read or write buffers */
   int renegotiate;
   int total_renegotiations;
-  int num_renegotiations;
-
-  int in_read_app_data;
 
   /* State pertaining to the pending handshake.
    *
@@ -486,6 +493,10 @@ typedef struct ssl3_state_st {
     /* new_mac_secret_size is unused and exists only until wpa_supplicant can
      * be updated. It is only needed for EAP-FAST, which we don't support. */
     uint8_t new_mac_secret_size;
+
+    /* Client-only: in_false_start is one if there is a pending handshake in
+     * False Start. The client may write data at this point. */
+    char in_false_start;
   } tmp;
 
   /* Connection binding to prevent renegotiation attacks */
@@ -528,7 +539,7 @@ typedef struct ssl3_state_st {
 /* client */
 /* extra state */
 #define SSL3_ST_CW_FLUSH (0x100 | SSL_ST_CONNECT)
-#define SSL3_ST_CUTTHROUGH_COMPLETE (0x101 | SSL_ST_CONNECT)
+#define SSL3_ST_FALSE_START (0x101 | SSL_ST_CONNECT)
 /* write to server */
 #define SSL3_ST_CW_CLNT_HELLO_A (0x110 | SSL_ST_CONNECT)
 #define SSL3_ST_CW_CLNT_HELLO_B (0x111 | SSL_ST_CONNECT)
@@ -583,8 +594,6 @@ typedef struct ssl3_state_st {
 #define SSL3_ST_SR_CLNT_HELLO_C (0x112 | SSL_ST_ACCEPT)
 #define SSL3_ST_SR_CLNT_HELLO_D (0x115 | SSL_ST_ACCEPT)
 /* write to client */
-#define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A (0x113 | SSL_ST_ACCEPT)
-#define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B (0x114 | SSL_ST_ACCEPT)
 #define SSL3_ST_SW_HELLO_REQ_A (0x120 | SSL_ST_ACCEPT)
 #define SSL3_ST_SW_HELLO_REQ_B (0x121 | SSL_ST_ACCEPT)
 #define SSL3_ST_SW_HELLO_REQ_C (0x122 | SSL_ST_ACCEPT)
diff --git a/src/include/openssl/stack.h b/src/include/openssl/stack.h
index 0eeda7f..350fa14 100644
--- a/src/include/openssl/stack.h
+++ b/src/include/openssl/stack.h
@@ -114,7 +114,7 @@ typedef struct stack_st {
 #define DEFINE_STACK_OF(type) \
 STACK_OF(type) {\
   _STACK stack; \
-};
+}
 
 #define DECLARE_STACK_OF(type) STACK_OF(type);
 
@@ -286,6 +286,13 @@ OPENSSL_EXPORT int sk_is_sorted(const _STACK *sk);
  * the previous one. */
 OPENSSL_EXPORT stack_cmp_func sk_set_cmp_func(_STACK *sk, stack_cmp_func comp);
 
+/* sk_deep_copy performs a copy of |sk| and of each of the non-NULL elements in
+ * |sk| by using |copy_func|. If an error occurs, |free_func| is used to free
+ * any copies already made and NULL is returned. */
+OPENSSL_EXPORT _STACK *sk_deep_copy(const _STACK *sk,
+                                    void *(*copy_func)(void *),
+                                    void (*free_func)(void *));
+
 
 #if defined(__cplusplus)
 }  /* extern C */
diff --git a/src/include/openssl/stack_macros.h b/src/include/openssl/stack_macros.h
index a62fce3..dadcf6b 100644
--- a/src/include/openssl/stack_macros.h
+++ b/src/include/openssl/stack_macros.h
@@ -88,14 +88,21 @@
 #define sk_ACCESS_DESCRIPTION_is_sorted(sk) \
   sk_is_sorted(CHECKED_CAST(_STACK *, const STACK_OF(ACCESS_DESCRIPTION) *, sk))
 
-#define sk_ACCESS_DESCRIPTION_set_cmp_func(sk, comp)                       \
-  ((int (*)(const ACCESS_DESCRIPTION **a, const ACCESS_DESCRIPTION **b))   \
-   sk_set_cmp_func(                                                        \
-       CHECKED_CAST(_STACK *, STACK_OF(ACCESS_DESCRIPTION) *, sk),         \
-       CHECKED_CAST(stack_cmp_func, int (*)(const ACCESS_DESCRIPTION **a,  \
-                                            const ACCESS_DESCRIPTION **b), \
-                    comp)))
-
+#define sk_ACCESS_DESCRIPTION_set_cmp_func(sk, comp)                           \
+  ((int (*)(const ACCESS_DESCRIPTION **a, const ACCESS_DESCRIPTION **b))       \
+       sk_set_cmp_func(                                                        \
+           CHECKED_CAST(_STACK *, STACK_OF(ACCESS_DESCRIPTION) *, sk),         \
+           CHECKED_CAST(stack_cmp_func, int (*)(const ACCESS_DESCRIPTION **a,  \
+                                                const ACCESS_DESCRIPTION **b), \
+                        comp)))
+
+#define sk_ACCESS_DESCRIPTION_deep_copy(sk, copy_func, free_func)             \
+  ((STACK_OF(ACCESS_DESCRIPTION) *)sk_deep_copy(                              \
+      CHECKED_CAST(const _STACK *, const STACK_OF(ACCESS_DESCRIPTION) *, sk), \
+      CHECKED_CAST(void *(*)(void *),                                         \
+                   ACCESS_DESCRIPTION *(*)(ACCESS_DESCRIPTION *), copy_func), \
+      CHECKED_CAST(void (*)(void *), void (*)(ACCESS_DESCRIPTION *),          \
+                   free_func)))
 
 /* ASN1_ADB_TABLE */
 #define sk_ASN1_ADB_TABLE_new(comp)                 \
@@ -167,14 +174,20 @@
 #define sk_ASN1_ADB_TABLE_is_sorted(sk) \
   sk_is_sorted(CHECKED_CAST(_STACK *, const STACK_OF(ASN1_ADB_TABLE) *, sk))
 
-#define sk_ASN1_ADB_TABLE_set_cmp_func(sk, comp)                       \
-  ((int (*)(const ASN1_ADB_TABLE **a, const ASN1_ADB_TABLE **b))       \
-   sk_set_cmp_func(                                                    \
-       CHECKED_CAST(_STACK *, STACK_OF(ASN1_ADB_TABLE) *, sk),         \
-       CHECKED_CAST(stack_cmp_func, int (*)(const ASN1_ADB_TABLE **a,  \
-                                            const ASN1_ADB_TABLE **b), \
-                    comp)))
-
+#define sk_ASN1_ADB_TABLE_set_cmp_func(sk, comp)                           \
+  ((int (*)(const ASN1_ADB_TABLE **a, const ASN1_ADB_TABLE **b))           \
+       sk_set_cmp_func(                                                    \
+           CHECKED_CAST(_STACK *, STACK_OF(ASN1_ADB_TABLE) *, sk),         \
+           CHECKED_CAST(stack_cmp_func, int (*)(const ASN1_ADB_TABLE **a,  \
+                                                const ASN1_ADB_TABLE **b), \
+                        comp)))
+
+#define sk_ASN1_ADB_TABLE_deep_copy(sk, copy_func, free_func)                \
+  ((STACK_OF(ASN1_ADB_TABLE) *)sk_deep_copy(                                 \
+      CHECKED_CAST(const _STACK *, const STACK_OF(ASN1_ADB_TABLE) *, sk),    \
+      CHECKED_CAST(void *(*)(void *), ASN1_ADB_TABLE *(*)(ASN1_ADB_TABLE *), \
+                   copy_func),                                               \
+      CHECKED_CAST(void (*)(void *), void (*)(ASN1_ADB_TABLE *), free_func)))
 
 /* ASN1_GENERALSTRING */
 #define sk_ASN1_GENERALSTRING_new(comp)                                    \
@@ -248,14 +261,21 @@
 #define sk_ASN1_GENERALSTRING_is_sorted(sk) \
   sk_is_sorted(CHECKED_CAST(_STACK *, const STACK_OF(ASN1_GENERALSTRING) *, sk))
 
-#define sk_ASN1_GENERALSTRING_set_cmp_func(sk, comp)                       \
-  ((int (*)(const ASN1_GENERALSTRING **a, const ASN1_GENERALSTRING **b))   \
-   sk_set_cmp_func(                                                        \
-       CHECKED_CAST(_STACK *, STACK_OF(ASN1_GENERALSTRING) *, sk),         \
-       CHECKED_CAST(stack_cmp_func, int (*)(const ASN1_GENERALSTRING **a,  \
-                                            const ASN1_GENERALSTRING **b), \
-                    comp)))
-
+#define sk_ASN1_GENERALSTRING_set_cmp_func(sk, comp)                           \
+  ((int (*)(const ASN1_GENERALSTRING **a, const ASN1_GENERALSTRING **b))       \
+       sk_set_cmp_func(                                                        \
+           CHECKED_CAST(_STACK *, STACK_OF(ASN1_GENERALSTRING) *, sk),         \
+           CHECKED_CAST(stack_cmp_func, int (*)(const ASN1_GENERALSTRING **a,  \
+                                                const ASN1_GENERALSTRING **b), \
+                        comp)))
+
+#define sk_ASN1_GENERALSTRING_deep_copy(sk, copy_func, free_func)             \
+  ((STACK_OF(ASN1_GENERALSTRING) *)sk_deep_copy(                              \
+      CHECKED_CAST(const _STACK *, const STACK_OF(ASN1_GENERALSTRING) *, sk), \
+      CHECKED_CAST(void *(*)(void *),                                         \
+                   ASN1_GENERALSTRING *(*)(ASN1_GENERALSTRING *), copy_func), \
+      CHECKED_CAST(void (*)(void *), void (*)(ASN1_GENERALSTRING *),          \
+                   free_func)))
 
 /* ASN1_INTEGER */
 #define sk_ASN1_INTEGER_new(comp)                                              \
@@ -333,6 +353,12 @@
                    int (*)(const ASN1_INTEGER **a, const ASN1_INTEGER **b),  \
                    comp)))
 
+#define sk_ASN1_INTEGER_deep_copy(sk, copy_func, free_func)              \
+  ((STACK_OF(ASN1_INTEGER) *)sk_deep_copy(                               \
+      CHECKED_CAST(const _STACK *, const STACK_OF(ASN1_INTEGER) *, sk),  \
+      CHECKED_CAST(void *(*)(void *), ASN1_INTEGER *(*)(ASN1_INTEGER *), \
+                   copy_func),                                           \
+      CHECKED_CAST(void (*)(void *), void (*)(ASN1_INTEGER *), free_func)))
 
 /* ASN1_OBJECT */
 #define sk_ASN1_OBJECT_new(comp)                                             \
@@ -408,6 +434,12 @@
                    int (*)(const ASN1_OBJECT **a, const ASN1_OBJECT **b),  \
                    comp)))
 
+#define sk_ASN1_OBJECT_deep_copy(sk, copy_func, free_func)             \
+  ((STACK_OF(ASN1_OBJECT) *)sk_deep_copy(                              \
+      CHECKED_CAST(const _STACK *, const STACK_OF(ASN1_OBJECT) *, sk), \
+      CHECKED_CAST(void *(*)(void *), ASN1_OBJECT *(*)(ASN1_OBJECT *), \
+                   copy_func),                                         \
+      CHECKED_CAST(void (*)(void *), void (*)(ASN1_OBJECT *), free_func)))
 
 /* ASN1_STRING_TABLE */
 #define sk_ASN1_STRING_TABLE_new(comp)                                   \
@@ -481,14 +513,21 @@
 #define sk_ASN1_STRING_TABLE_is_sorted(sk) \
   sk_is_sorted(CHECKED_CAST(_STACK *, const STACK_OF(ASN1_STRING_TABLE) *, sk))
 
-#define sk_ASN1_STRING_TABLE_set_cmp_func(sk, comp)                       \
-  ((int (*)(const ASN1_STRING_TABLE **a, const ASN1_STRING_TABLE **b))    \
-   sk_set_cmp_func(                                                       \
-       CHECKED_CAST(_STACK *, STACK_OF(ASN1_STRING_TABLE) *, sk),         \
-       CHECKED_CAST(stack_cmp_func, int (*)(const ASN1_STRING_TABLE **a,  \
-                                            const ASN1_STRING_TABLE **b), \
-                    comp)))
-
+#define sk_ASN1_STRING_TABLE_set_cmp_func(sk, comp)                           \
+  ((int (*)(const ASN1_STRING_TABLE **a, const ASN1_STRING_TABLE **b))        \
+       sk_set_cmp_func(                                                       \
+           CHECKED_CAST(_STACK *, STACK_OF(ASN1_STRING_TABLE) *, sk),         \
+           CHECKED_CAST(stack_cmp_func, int (*)(const ASN1_STRING_TABLE **a,  \
+                                                const ASN1_STRING_TABLE **b), \
+                        comp)))
+
+#define sk_ASN1_STRING_TABLE_deep_copy(sk, copy_func, free_func)             \
+  ((STACK_OF(ASN1_STRING_TABLE) *)sk_deep_copy(                              \
+      CHECKED_CAST(const _STACK *, const STACK_OF(ASN1_STRING_TABLE) *, sk), \
+      CHECKED_CAST(void *(*)(void *),                                        \
+                   ASN1_STRING_TABLE *(*)(ASN1_STRING_TABLE *), copy_func),  \
+      CHECKED_CAST(void (*)(void *), void (*)(ASN1_STRING_TABLE *),          \
+                   free_func)))
 
 /* ASN1_TYPE */
 #define sk_ASN1_TYPE_new(comp)     \
@@ -563,6 +602,11 @@
       CHECKED_CAST(stack_cmp_func,                                     \
                    int (*)(const ASN1_TYPE **a, const ASN1_TYPE **b), comp)))
 
+#define sk_ASN1_TYPE_deep_copy(sk, copy_func, free_func)                       \
+  ((STACK_OF(ASN1_TYPE) *)sk_deep_copy(                                        \
+      CHECKED_CAST(const _STACK *, const STACK_OF(ASN1_TYPE) *, sk),           \
+      CHECKED_CAST(void *(*)(void *), ASN1_TYPE *(*)(ASN1_TYPE *), copy_func), \
+      CHECKED_CAST(void (*)(void *), void (*)(ASN1_TYPE *), free_func)))
 
 /* ASN1_VALUE */
 #define sk_ASN1_VALUE_new(comp)                                            \
@@ -638,6 +682,12 @@
                    int (*)(const ASN1_VALUE **a, const ASN1_VALUE **b),  \
                    comp)))
 
+#define sk_ASN1_VALUE_deep_copy(sk, copy_func, free_func)             \
+  ((STACK_OF(ASN1_VALUE) *)sk_deep_copy(                              \
+      CHECKED_CAST(const _STACK *, const STACK_OF(ASN1_VALUE) *, sk), \
+      CHECKED_CAST(void *(*)(void *), ASN1_VALUE *(*)(ASN1_VALUE *),  \
+                   copy_func),                                        \
+      CHECKED_CAST(void (*)(void *), void (*)(ASN1_VALUE *), free_func)))
 
 /* BIO */
 #define sk_BIO_new(comp)                 \
@@ -702,6 +752,11 @@
       CHECKED_CAST(stack_cmp_func, int (*)(const BIO **a, const BIO **b), \
                    comp)))
 
+#define sk_BIO_deep_copy(sk, copy_func, free_func)                 \
+  ((STACK_OF(BIO) *)sk_deep_copy(                                  \
+      CHECKED_CAST(const _STACK *, const STACK_OF(BIO) *, sk),     \
+      CHECKED_CAST(void *(*)(void *), BIO *(*)(BIO *), copy_func), \
+      CHECKED_CAST(void (*)(void *), void (*)(BIO *), free_func)))
 
 /* BY_DIR_ENTRY */
 #define sk_BY_DIR_ENTRY_new(comp)                                              \
@@ -779,6 +834,12 @@
                    int (*)(const BY_DIR_ENTRY **a, const BY_DIR_ENTRY **b),  \
                    comp)))
 
+#define sk_BY_DIR_ENTRY_deep_copy(sk, copy_func, free_func)              \
+  ((STACK_OF(BY_DIR_ENTRY) *)sk_deep_copy(                               \
+      CHECKED_CAST(const _STACK *, const STACK_OF(BY_DIR_ENTRY) *, sk),  \
+      CHECKED_CAST(void *(*)(void *), BY_DIR_ENTRY *(*)(BY_DIR_ENTRY *), \
+                   copy_func),                                           \
+      CHECKED_CAST(void (*)(void *), void (*)(BY_DIR_ENTRY *), free_func)))
 
 /* BY_DIR_HASH */
 #define sk_BY_DIR_HASH_new(comp)                                             \
@@ -854,6 +915,12 @@
                    int (*)(const BY_DIR_HASH **a, const BY_DIR_HASH **b),  \
                    comp)))
 
+#define sk_BY_DIR_HASH_deep_copy(sk, copy_func, free_func)             \
+  ((STACK_OF(BY_DIR_HASH) *)sk_deep_copy(                              \
+      CHECKED_CAST(const _STACK *, const STACK_OF(BY_DIR_HASH) *, sk), \
+      CHECKED_CAST(void *(*)(void *), BY_DIR_HASH *(*)(BY_DIR_HASH *), \
+                   copy_func),                                         \
+      CHECKED_CAST(void (*)(void *), void (*)(BY_DIR_HASH *), free_func)))
 
 /* CONF_VALUE */
 #define sk_CONF_VALUE_new(comp)                                            \
@@ -929,6 +996,12 @@
                    int (*)(const CONF_VALUE **a, const CONF_VALUE **b),  \
                    comp)))
 
+#define sk_CONF_VALUE_deep_copy(sk, copy_func, free_func)             \
+  ((STACK_OF(CONF_VALUE) *)sk_deep_copy(                              \
+      CHECKED_CAST(const _STACK *, const STACK_OF(CONF_VALUE) *, sk), \
+      CHECKED_CAST(void *(*)(void *), CONF_VALUE *(*)(CONF_VALUE *),  \
+                   copy_func),                                        \
+      CHECKED_CAST(void (*)(void *), void (*)(CONF_VALUE *), free_func)))
 
 /* CRYPTO_EX_DATA_FUNCS */
 #define sk_CRYPTO_EX_DATA_FUNCS_new(comp)                                      \
@@ -1006,12 +1079,22 @@
 
 #define sk_CRYPTO_EX_DATA_FUNCS_set_cmp_func(sk, comp)                       \
   ((int (*)(const CRYPTO_EX_DATA_FUNCS **a, const CRYPTO_EX_DATA_FUNCS **b)) \
-   sk_set_cmp_func(                                                          \
-       CHECKED_CAST(_STACK *, STACK_OF(CRYPTO_EX_DATA_FUNCS) *, sk),         \
-       CHECKED_CAST(stack_cmp_func, int (*)(const CRYPTO_EX_DATA_FUNCS **a,  \
-                                            const CRYPTO_EX_DATA_FUNCS **b), \
-                    comp)))
-
+       sk_set_cmp_func(                                                      \
+           CHECKED_CAST(_STACK *, STACK_OF(CRYPTO_EX_DATA_FUNCS) *, sk),     \
+           CHECKED_CAST(stack_cmp_func,                                      \
+                        int (*)(const CRYPTO_EX_DATA_FUNCS **a,              \
+                                const CRYPTO_EX_DATA_FUNCS **b),             \
+                        comp)))
+
+#define sk_CRYPTO_EX_DATA_FUNCS_deep_copy(sk, copy_func, free_func)        \
+  ((STACK_OF(CRYPTO_EX_DATA_FUNCS) *)sk_deep_copy(                         \
+      CHECKED_CAST(const _STACK *, const STACK_OF(CRYPTO_EX_DATA_FUNCS) *, \
+                   sk),                                                    \
+      CHECKED_CAST(void *(*)(void *),                                      \
+                   CRYPTO_EX_DATA_FUNCS *(*)(CRYPTO_EX_DATA_FUNCS *),      \
+                   copy_func),                                             \
+      CHECKED_CAST(void (*)(void *), void (*)(CRYPTO_EX_DATA_FUNCS *),     \
+                   free_func)))
 
 /* DIST_POINT */
 #define sk_DIST_POINT_new(comp)                                            \
@@ -1087,6 +1170,12 @@
                    int (*)(const DIST_POINT **a, const DIST_POINT **b),  \
                    comp)))
 
+#define sk_DIST_POINT_deep_copy(sk, copy_func, free_func)             \
+  ((STACK_OF(DIST_POINT) *)sk_deep_copy(                              \
+      CHECKED_CAST(const _STACK *, const STACK_OF(DIST_POINT) *, sk), \
+      CHECKED_CAST(void *(*)(void *), DIST_POINT *(*)(DIST_POINT *),  \
+                   copy_func),                                        \
+      CHECKED_CAST(void (*)(void *), void (*)(DIST_POINT *), free_func)))
 
 /* GENERAL_NAME */
 #define sk_GENERAL_NAME_new(comp)                                              \
@@ -1164,6 +1253,12 @@
                    int (*)(const GENERAL_NAME **a, const GENERAL_NAME **b),  \
                    comp)))
 
+#define sk_GENERAL_NAME_deep_copy(sk, copy_func, free_func)              \
+  ((STACK_OF(GENERAL_NAME) *)sk_deep_copy(                               \
+      CHECKED_CAST(const _STACK *, const STACK_OF(GENERAL_NAME) *, sk),  \
+      CHECKED_CAST(void *(*)(void *), GENERAL_NAME *(*)(GENERAL_NAME *), \
+                   copy_func),                                           \
+      CHECKED_CAST(void (*)(void *), void (*)(GENERAL_NAME *), free_func)))
 
 /* GENERAL_NAMES */
 #define sk_GENERAL_NAMES_new(comp)                 \
@@ -1242,6 +1337,12 @@
                    int (*)(const GENERAL_NAMES **a, const GENERAL_NAMES **b),  \
                    comp)))
 
+#define sk_GENERAL_NAMES_deep_copy(sk, copy_func, free_func)               \
+  ((STACK_OF(GENERAL_NAMES) *)sk_deep_copy(                                \
+      CHECKED_CAST(const _STACK *, const STACK_OF(GENERAL_NAMES) *, sk),   \
+      CHECKED_CAST(void *(*)(void *), GENERAL_NAMES *(*)(GENERAL_NAMES *), \
+                   copy_func),                                             \
+      CHECKED_CAST(void (*)(void *), void (*)(GENERAL_NAMES *), free_func)))
 
 /* GENERAL_SUBTREE */
 #define sk_GENERAL_SUBTREE_new(comp)                 \
@@ -1314,14 +1415,20 @@
 #define sk_GENERAL_SUBTREE_is_sorted(sk) \
   sk_is_sorted(CHECKED_CAST(_STACK *, const STACK_OF(GENERAL_SUBTREE) *, sk))
 
-#define sk_GENERAL_SUBTREE_set_cmp_func(sk, comp)                       \
-  ((int (*)(const GENERAL_SUBTREE **a, const GENERAL_SUBTREE **b))      \
-   sk_set_cmp_func(                                                     \
-       CHECKED_CAST(_STACK *, STACK_OF(GENERAL_SUBTREE) *, sk),         \
-       CHECKED_CAST(stack_cmp_func, int (*)(const GENERAL_SUBTREE **a,  \
-                                            const GENERAL_SUBTREE **b), \
-                    comp)))
-
+#define sk_GENERAL_SUBTREE_set_cmp_func(sk, comp)                           \
+  ((int (*)(const GENERAL_SUBTREE **a, const GENERAL_SUBTREE **b))          \
+       sk_set_cmp_func(                                                     \
+           CHECKED_CAST(_STACK *, STACK_OF(GENERAL_SUBTREE) *, sk),         \
+           CHECKED_CAST(stack_cmp_func, int (*)(const GENERAL_SUBTREE **a,  \
+                                                const GENERAL_SUBTREE **b), \
+                        comp)))
+
+#define sk_GENERAL_SUBTREE_deep_copy(sk, copy_func, free_func)                 \
+  ((STACK_OF(GENERAL_SUBTREE) *)sk_deep_copy(                                  \
+      CHECKED_CAST(const _STACK *, const STACK_OF(GENERAL_SUBTREE) *, sk),     \
+      CHECKED_CAST(void *(*)(void *), GENERAL_SUBTREE *(*)(GENERAL_SUBTREE *), \
+                   copy_func),                                                 \
+      CHECKED_CAST(void (*)(void *), void (*)(GENERAL_SUBTREE *), free_func)))
 
 /* MIME_HEADER */
 #define sk_MIME_HEADER_new(comp)                                             \
@@ -1397,6 +1504,12 @@
                    int (*)(const MIME_HEADER **a, const MIME_HEADER **b),  \
                    comp)))
 
+#define sk_MIME_HEADER_deep_copy(sk, copy_func, free_func)             \
+  ((STACK_OF(MIME_HEADER) *)sk_deep_copy(                              \
+      CHECKED_CAST(const _STACK *, const STACK_OF(MIME_HEADER) *, sk), \
+      CHECKED_CAST(void *(*)(void *), MIME_HEADER *(*)(MIME_HEADER *), \
+                   copy_func),                                         \
+      CHECKED_CAST(void (*)(void *), void (*)(MIME_HEADER *), free_func)))
 
 /* PKCS7_SIGNER_INFO */
 #define sk_PKCS7_SIGNER_INFO_new(comp)                                   \
@@ -1470,14 +1583,21 @@
 #define sk_PKCS7_SIGNER_INFO_is_sorted(sk) \
   sk_is_sorted(CHECKED_CAST(_STACK *, const STACK_OF(PKCS7_SIGNER_INFO) *, sk))
 
-#define sk_PKCS7_SIGNER_INFO_set_cmp_func(sk, comp)                       \
-  ((int (*)(const PKCS7_SIGNER_INFO **a, const PKCS7_SIGNER_INFO **b))    \
-   sk_set_cmp_func(                                                       \
-       CHECKED_CAST(_STACK *, STACK_OF(PKCS7_SIGNER_INFO) *, sk),         \
-       CHECKED_CAST(stack_cmp_func, int (*)(const PKCS7_SIGNER_INFO **a,  \
-                                            const PKCS7_SIGNER_INFO **b), \
-                    comp)))
-
+#define sk_PKCS7_SIGNER_INFO_set_cmp_func(sk, comp)                           \
+  ((int (*)(const PKCS7_SIGNER_INFO **a, const PKCS7_SIGNER_INFO **b))        \
+       sk_set_cmp_func(                                                       \
+           CHECKED_CAST(_STACK *, STACK_OF(PKCS7_SIGNER_INFO) *, sk),         \
+           CHECKED_CAST(stack_cmp_func, int (*)(const PKCS7_SIGNER_INFO **a,  \
+                                                const PKCS7_SIGNER_INFO **b), \
+                        comp)))
+
+#define sk_PKCS7_SIGNER_INFO_deep_copy(sk, copy_func, free_func)             \
+  ((STACK_OF(PKCS7_SIGNER_INFO) *)sk_deep_copy(                              \
+      CHECKED_CAST(const _STACK *, const STACK_OF(PKCS7_SIGNER_INFO) *, sk), \
+      CHECKED_CAST(void *(*)(void *),                                        \
+                   PKCS7_SIGNER_INFO *(*)(PKCS7_SIGNER_INFO *), copy_func),  \
+      CHECKED_CAST(void (*)(void *), void (*)(PKCS7_SIGNER_INFO *),          \
+                   free_func)))
 
 /* PKCS7_RECIP_INFO */
 #define sk_PKCS7_RECIP_INFO_new(comp)                 \
@@ -1550,14 +1670,21 @@
 #define sk_PKCS7_RECIP_INFO_is_sorted(sk) \
   sk_is_sorted(CHECKED_CAST(_STACK *, const STACK_OF(PKCS7_RECIP_INFO) *, sk))
 
-#define sk_PKCS7_RECIP_INFO_set_cmp_func(sk, comp)                       \
-  ((int (*)(const PKCS7_RECIP_INFO **a, const PKCS7_RECIP_INFO **b))     \
-   sk_set_cmp_func(                                                      \
-       CHECKED_CAST(_STACK *, STACK_OF(PKCS7_RECIP_INFO) *, sk),         \
-       CHECKED_CAST(stack_cmp_func, int (*)(const PKCS7_RECIP_INFO **a,  \
-                                            const PKCS7_RECIP_INFO **b), \
-                    comp)))
-
+#define sk_PKCS7_RECIP_INFO_set_cmp_func(sk, comp)                           \
+  ((int (*)(const PKCS7_RECIP_INFO **a, const PKCS7_RECIP_INFO **b))         \
+       sk_set_cmp_func(                                                      \
+           CHECKED_CAST(_STACK *, STACK_OF(PKCS7_RECIP_INFO) *, sk),         \
+           CHECKED_CAST(stack_cmp_func, int (*)(const PKCS7_RECIP_INFO **a,  \
+                                                const PKCS7_RECIP_INFO **b), \
+                        comp)))
+
+#define sk_PKCS7_RECIP_INFO_deep_copy(sk, copy_func, free_func)             \
+  ((STACK_OF(PKCS7_RECIP_INFO) *)sk_deep_copy(                              \
+      CHECKED_CAST(const _STACK *, const STACK_OF(PKCS7_RECIP_INFO) *, sk), \
+      CHECKED_CAST(void *(*)(void *),                                       \
+                   PKCS7_RECIP_INFO *(*)(PKCS7_RECIP_INFO *), copy_func),   \
+      CHECKED_CAST(void (*)(void *), void (*)(PKCS7_RECIP_INFO *),          \
+                   free_func)))
 
 /* POLICYINFO */
 #define sk_POLICYINFO_new(comp)                                            \
@@ -1633,6 +1760,12 @@
                    int (*)(const POLICYINFO **a, const POLICYINFO **b),  \
                    comp)))
 
+#define sk_POLICYINFO_deep_copy(sk, copy_func, free_func)             \
+  ((STACK_OF(POLICYINFO) *)sk_deep_copy(                              \
+      CHECKED_CAST(const _STACK *, const STACK_OF(POLICYINFO) *, sk), \
+      CHECKED_CAST(void *(*)(void *), POLICYINFO *(*)(POLICYINFO *),  \
+                   copy_func),                                        \
+      CHECKED_CAST(void (*)(void *), void (*)(POLICYINFO *), free_func)))
 
 /* POLICYQUALINFO */
 #define sk_POLICYQUALINFO_new(comp)                 \
@@ -1704,14 +1837,20 @@
 #define sk_POLICYQUALINFO_is_sorted(sk) \
   sk_is_sorted(CHECKED_CAST(_STACK *, const STACK_OF(POLICYQUALINFO) *, sk))
 
-#define sk_POLICYQUALINFO_set_cmp_func(sk, comp)                       \
-  ((int (*)(const POLICYQUALINFO **a, const POLICYQUALINFO **b))       \
-   sk_set_cmp_func(                                                    \
-       CHECKED_CAST(_STACK *, STACK_OF(POLICYQUALINFO) *, sk),         \
-       CHECKED_CAST(stack_cmp_func, int (*)(const POLICYQUALINFO **a,  \
-                                            const POLICYQUALINFO **b), \
-                    comp)))
-
+#define sk_POLICYQUALINFO_set_cmp_func(sk, comp)                           \
+  ((int (*)(const POLICYQUALINFO **a, const POLICYQUALINFO **b))           \
+       sk_set_cmp_func(                                                    \
+           CHECKED_CAST(_STACK *, STACK_OF(POLICYQUALINFO) *, sk),         \
+           CHECKED_CAST(stack_cmp_func, int (*)(const POLICYQUALINFO **a,  \
+                                                const POLICYQUALINFO **b), \
+                        comp)))
+
+#define sk_POLICYQUALINFO_deep_copy(sk, copy_func, free_func)                \
+  ((STACK_OF(POLICYQUALINFO) *)sk_deep_copy(                                 \
+      CHECKED_CAST(const _STACK *, const STACK_OF(POLICYQUALINFO) *, sk),    \
+      CHECKED_CAST(void *(*)(void *), POLICYQUALINFO *(*)(POLICYQUALINFO *), \
+                   copy_func),                                               \
+      CHECKED_CAST(void (*)(void *), void (*)(POLICYQUALINFO *), free_func)))
 
 /* POLICY_MAPPING */
 #define sk_POLICY_MAPPING_new(comp)                 \
@@ -1783,14 +1922,20 @@
 #define sk_POLICY_MAPPING_is_sorted(sk) \
   sk_is_sorted(CHECKED_CAST(_STACK *, const STACK_OF(POLICY_MAPPING) *, sk))
 
-#define sk_POLICY_MAPPING_set_cmp_func(sk, comp)                       \
-  ((int (*)(const POLICY_MAPPING **a, const POLICY_MAPPING **b))       \
-   sk_set_cmp_func(                                                    \
-       CHECKED_CAST(_STACK *, STACK_OF(POLICY_MAPPING) *, sk),         \
-       CHECKED_CAST(stack_cmp_func, int (*)(const POLICY_MAPPING **a,  \
-                                            const POLICY_MAPPING **b), \
-                    comp)))
-
+#define sk_POLICY_MAPPING_set_cmp_func(sk, comp)                           \
+  ((int (*)(const POLICY_MAPPING **a, const POLICY_MAPPING **b))           \
+       sk_set_cmp_func(                                                    \
+           CHECKED_CAST(_STACK *, STACK_OF(POLICY_MAPPING) *, sk),         \
+           CHECKED_CAST(stack_cmp_func, int (*)(const POLICY_MAPPING **a,  \
+                                                const POLICY_MAPPING **b), \
+                        comp)))
+
+#define sk_POLICY_MAPPING_deep_copy(sk, copy_func, free_func)                \
+  ((STACK_OF(POLICY_MAPPING) *)sk_deep_copy(                                 \
+      CHECKED_CAST(const _STACK *, const STACK_OF(POLICY_MAPPING) *, sk),    \
+      CHECKED_CAST(void *(*)(void *), POLICY_MAPPING *(*)(POLICY_MAPPING *), \
+                   copy_func),                                               \
+      CHECKED_CAST(void (*)(void *), void (*)(POLICY_MAPPING *), free_func)))
 
 /* SSL_COMP */
 #define sk_SSL_COMP_new(comp)                 \
@@ -1862,6 +2007,11 @@
       CHECKED_CAST(stack_cmp_func,                                   \
                    int (*)(const SSL_COMP **a, const SSL_COMP **b), comp)))
 
+#define sk_SSL_COMP_deep_copy(sk, copy_func, free_func)                      \
+  ((STACK_OF(SSL_COMP) *)sk_deep_copy(                                       \
+      CHECKED_CAST(const _STACK *, const STACK_OF(SSL_COMP) *, sk),          \
+      CHECKED_CAST(void *(*)(void *), SSL_COMP *(*)(SSL_COMP *), copy_func), \
+      CHECKED_CAST(void (*)(void *), void (*)(SSL_COMP *), free_func)))
 
 /* STACK_OF_X509_NAME_ENTRY */
 #define sk_STACK_OF_X509_NAME_ENTRY_new(comp)                      \
@@ -1939,16 +2089,25 @@
   sk_is_sorted(                                   \
       CHECKED_CAST(_STACK *, const STACK_OF(STACK_OF_X509_NAME_ENTRY) *, sk))
 
-#define sk_STACK_OF_X509_NAME_ENTRY_set_cmp_func(sk, comp)               \
-  ((int (*)(const STACK_OF_X509_NAME_ENTRY **a,                          \
-            const STACK_OF_X509_NAME_ENTRY **b))                         \
-   sk_set_cmp_func(                                                      \
-       CHECKED_CAST(_STACK *, STACK_OF(STACK_OF_X509_NAME_ENTRY) *, sk), \
-       CHECKED_CAST(stack_cmp_func,                                      \
-                    int (*)(const STACK_OF_X509_NAME_ENTRY **a,          \
-                            const STACK_OF_X509_NAME_ENTRY **b),         \
-                    comp)))
-
+#define sk_STACK_OF_X509_NAME_ENTRY_set_cmp_func(sk, comp)                   \
+  ((int (*)(const STACK_OF_X509_NAME_ENTRY **a,                              \
+            const STACK_OF_X509_NAME_ENTRY **b))                             \
+       sk_set_cmp_func(                                                      \
+           CHECKED_CAST(_STACK *, STACK_OF(STACK_OF_X509_NAME_ENTRY) *, sk), \
+           CHECKED_CAST(stack_cmp_func,                                      \
+                        int (*)(const STACK_OF_X509_NAME_ENTRY **a,          \
+                                const STACK_OF_X509_NAME_ENTRY **b),         \
+                        comp)))
+
+#define sk_STACK_OF_X509_NAME_ENTRY_deep_copy(sk, copy_func, free_func)        \
+  ((STACK_OF(STACK_OF_X509_NAME_ENTRY) *)sk_deep_copy(                         \
+      CHECKED_CAST(const _STACK *, const STACK_OF(STACK_OF_X509_NAME_ENTRY) *, \
+                   sk),                                                        \
+      CHECKED_CAST(void *(*)(void *),                                          \
+                   STACK_OF_X509_NAME_ENTRY *(*)(STACK_OF_X509_NAME_ENTRY *),  \
+                   copy_func),                                                 \
+      CHECKED_CAST(void (*)(void *), void (*)(STACK_OF_X509_NAME_ENTRY *),     \
+                   free_func)))
 
 /* SXNETID */
 #define sk_SXNETID_new(comp)                 \
@@ -2020,6 +2179,11 @@
       CHECKED_CAST(stack_cmp_func,                                 \
                    int (*)(const SXNETID **a, const SXNETID **b), comp)))
 
+#define sk_SXNETID_deep_copy(sk, copy_func, free_func)                     \
+  ((STACK_OF(SXNETID) *)sk_deep_copy(                                      \
+      CHECKED_CAST(const _STACK *, const STACK_OF(SXNETID) *, sk),         \
+      CHECKED_CAST(void *(*)(void *), SXNETID *(*)(SXNETID *), copy_func), \
+      CHECKED_CAST(void (*)(void *), void (*)(SXNETID *), free_func)))
 
 /* X509 */
 #define sk_X509_new(comp)                 \
@@ -2084,6 +2248,11 @@
       CHECKED_CAST(stack_cmp_func, int (*)(const X509 **a, const X509 **b), \
                    comp)))
 
+#define sk_X509_deep_copy(sk, copy_func, free_func)                  \
+  ((STACK_OF(X509) *)sk_deep_copy(                                   \
+      CHECKED_CAST(const _STACK *, const STACK_OF(X509) *, sk),      \
+      CHECKED_CAST(void *(*)(void *), X509 *(*)(X509 *), copy_func), \
+      CHECKED_CAST(void (*)(void *), void (*)(X509 *), free_func)))
 
 /* X509V3_EXT_METHOD */
 #define sk_X509V3_EXT_METHOD_new(comp)                                   \
@@ -2157,14 +2326,21 @@
 #define sk_X509V3_EXT_METHOD_is_sorted(sk) \
   sk_is_sorted(CHECKED_CAST(_STACK *, const STACK_OF(X509V3_EXT_METHOD) *, sk))
 
-#define sk_X509V3_EXT_METHOD_set_cmp_func(sk, comp)                       \
-  ((int (*)(const X509V3_EXT_METHOD **a, const X509V3_EXT_METHOD **b))    \
-   sk_set_cmp_func(                                                       \
-       CHECKED_CAST(_STACK *, STACK_OF(X509V3_EXT_METHOD) *, sk),         \
-       CHECKED_CAST(stack_cmp_func, int (*)(const X509V3_EXT_METHOD **a,  \
-                                            const X509V3_EXT_METHOD **b), \
-                    comp)))
-
+#define sk_X509V3_EXT_METHOD_set_cmp_func(sk, comp)                           \
+  ((int (*)(const X509V3_EXT_METHOD **a, const X509V3_EXT_METHOD **b))        \
+       sk_set_cmp_func(                                                       \
+           CHECKED_CAST(_STACK *, STACK_OF(X509V3_EXT_METHOD) *, sk),         \
+           CHECKED_CAST(stack_cmp_func, int (*)(const X509V3_EXT_METHOD **a,  \
+                                                const X509V3_EXT_METHOD **b), \
+                        comp)))
+
+#define sk_X509V3_EXT_METHOD_deep_copy(sk, copy_func, free_func)             \
+  ((STACK_OF(X509V3_EXT_METHOD) *)sk_deep_copy(                              \
+      CHECKED_CAST(const _STACK *, const STACK_OF(X509V3_EXT_METHOD) *, sk), \
+      CHECKED_CAST(void *(*)(void *),                                        \
+                   X509V3_EXT_METHOD *(*)(X509V3_EXT_METHOD *), copy_func),  \
+      CHECKED_CAST(void (*)(void *), void (*)(X509V3_EXT_METHOD *),          \
+                   free_func)))
 
 /* X509_ALGOR */
 #define sk_X509_ALGOR_new(comp)                                            \
@@ -2240,6 +2416,12 @@
                    int (*)(const X509_ALGOR **a, const X509_ALGOR **b),  \
                    comp)))
 
+#define sk_X509_ALGOR_deep_copy(sk, copy_func, free_func)             \
+  ((STACK_OF(X509_ALGOR) *)sk_deep_copy(                              \
+      CHECKED_CAST(const _STACK *, const STACK_OF(X509_ALGOR) *, sk), \
+      CHECKED_CAST(void *(*)(void *), X509_ALGOR *(*)(X509_ALGOR *),  \
+                   copy_func),                                        \
+      CHECKED_CAST(void (*)(void *), void (*)(X509_ALGOR *), free_func)))
 
 /* X509_ATTRIBUTE */
 #define sk_X509_ATTRIBUTE_new(comp)                 \
@@ -2311,14 +2493,20 @@
 #define sk_X509_ATTRIBUTE_is_sorted(sk) \
   sk_is_sorted(CHECKED_CAST(_STACK *, const STACK_OF(X509_ATTRIBUTE) *, sk))
 
-#define sk_X509_ATTRIBUTE_set_cmp_func(sk, comp)                       \
-  ((int (*)(const X509_ATTRIBUTE **a, const X509_ATTRIBUTE **b))       \
-   sk_set_cmp_func(                                                    \
-       CHECKED_CAST(_STACK *, STACK_OF(X509_ATTRIBUTE) *, sk),         \
-       CHECKED_CAST(stack_cmp_func, int (*)(const X509_ATTRIBUTE **a,  \
-                                            const X509_ATTRIBUTE **b), \
-                    comp)))
-
+#define sk_X509_ATTRIBUTE_set_cmp_func(sk, comp)                           \
+  ((int (*)(const X509_ATTRIBUTE **a, const X509_ATTRIBUTE **b))           \
+       sk_set_cmp_func(                                                    \
+           CHECKED_CAST(_STACK *, STACK_OF(X509_ATTRIBUTE) *, sk),         \
+           CHECKED_CAST(stack_cmp_func, int (*)(const X509_ATTRIBUTE **a,  \
+                                                const X509_ATTRIBUTE **b), \
+                        comp)))
+
+#define sk_X509_ATTRIBUTE_deep_copy(sk, copy_func, free_func)                \
+  ((STACK_OF(X509_ATTRIBUTE) *)sk_deep_copy(                                 \
+      CHECKED_CAST(const _STACK *, const STACK_OF(X509_ATTRIBUTE) *, sk),    \
+      CHECKED_CAST(void *(*)(void *), X509_ATTRIBUTE *(*)(X509_ATTRIBUTE *), \
+                   copy_func),                                               \
+      CHECKED_CAST(void (*)(void *), void (*)(X509_ATTRIBUTE *), free_func)))
 
 /* X509_CRL */
 #define sk_X509_CRL_new(comp)                 \
@@ -2390,6 +2578,11 @@
       CHECKED_CAST(stack_cmp_func,                                   \
                    int (*)(const X509_CRL **a, const X509_CRL **b), comp)))
 
+#define sk_X509_CRL_deep_copy(sk, copy_func, free_func)                      \
+  ((STACK_OF(X509_CRL) *)sk_deep_copy(                                       \
+      CHECKED_CAST(const _STACK *, const STACK_OF(X509_CRL) *, sk),          \
+      CHECKED_CAST(void *(*)(void *), X509_CRL *(*)(X509_CRL *), copy_func), \
+      CHECKED_CAST(void (*)(void *), void (*)(X509_CRL *), free_func)))
 
 /* X509_EXTENSION */
 #define sk_X509_EXTENSION_new(comp)                 \
@@ -2461,14 +2654,20 @@
 #define sk_X509_EXTENSION_is_sorted(sk) \
   sk_is_sorted(CHECKED_CAST(_STACK *, const STACK_OF(X509_EXTENSION) *, sk))
 
-#define sk_X509_EXTENSION_set_cmp_func(sk, comp)                       \
-  ((int (*)(const X509_EXTENSION **a, const X509_EXTENSION **b))       \
-   sk_set_cmp_func(                                                    \
-       CHECKED_CAST(_STACK *, STACK_OF(X509_EXTENSION) *, sk),         \
-       CHECKED_CAST(stack_cmp_func, int (*)(const X509_EXTENSION **a,  \
-                                            const X509_EXTENSION **b), \
-                    comp)))
-
+#define sk_X509_EXTENSION_set_cmp_func(sk, comp)                           \
+  ((int (*)(const X509_EXTENSION **a, const X509_EXTENSION **b))           \
+       sk_set_cmp_func(                                                    \
+           CHECKED_CAST(_STACK *, STACK_OF(X509_EXTENSION) *, sk),         \
+           CHECKED_CAST(stack_cmp_func, int (*)(const X509_EXTENSION **a,  \
+                                                const X509_EXTENSION **b), \
+                        comp)))
+
+#define sk_X509_EXTENSION_deep_copy(sk, copy_func, free_func)                \
+  ((STACK_OF(X509_EXTENSION) *)sk_deep_copy(                                 \
+      CHECKED_CAST(const _STACK *, const STACK_OF(X509_EXTENSION) *, sk),    \
+      CHECKED_CAST(void *(*)(void *), X509_EXTENSION *(*)(X509_EXTENSION *), \
+                   copy_func),                                               \
+      CHECKED_CAST(void (*)(void *), void (*)(X509_EXTENSION *), free_func)))
 
 /* X509_INFO */
 #define sk_X509_INFO_new(comp)     \
@@ -2543,6 +2742,11 @@
       CHECKED_CAST(stack_cmp_func,                                     \
                    int (*)(const X509_INFO **a, const X509_INFO **b), comp)))
 
+#define sk_X509_INFO_deep_copy(sk, copy_func, free_func)                       \
+  ((STACK_OF(X509_INFO) *)sk_deep_copy(                                        \
+      CHECKED_CAST(const _STACK *, const STACK_OF(X509_INFO) *, sk),           \
+      CHECKED_CAST(void *(*)(void *), X509_INFO *(*)(X509_INFO *), copy_func), \
+      CHECKED_CAST(void (*)(void *), void (*)(X509_INFO *), free_func)))
 
 /* X509_LOOKUP */
 #define sk_X509_LOOKUP_new(comp)                                             \
@@ -2618,6 +2822,12 @@
                    int (*)(const X509_LOOKUP **a, const X509_LOOKUP **b),  \
                    comp)))
 
+#define sk_X509_LOOKUP_deep_copy(sk, copy_func, free_func)             \
+  ((STACK_OF(X509_LOOKUP) *)sk_deep_copy(                              \
+      CHECKED_CAST(const _STACK *, const STACK_OF(X509_LOOKUP) *, sk), \
+      CHECKED_CAST(void *(*)(void *), X509_LOOKUP *(*)(X509_LOOKUP *), \
+                   copy_func),                                         \
+      CHECKED_CAST(void (*)(void *), void (*)(X509_LOOKUP *), free_func)))
 
 /* X509_NAME */
 #define sk_X509_NAME_new(comp)     \
@@ -2692,6 +2902,11 @@
       CHECKED_CAST(stack_cmp_func,                                     \
                    int (*)(const X509_NAME **a, const X509_NAME **b), comp)))
 
+#define sk_X509_NAME_deep_copy(sk, copy_func, free_func)                       \
+  ((STACK_OF(X509_NAME) *)sk_deep_copy(                                        \
+      CHECKED_CAST(const _STACK *, const STACK_OF(X509_NAME) *, sk),           \
+      CHECKED_CAST(void *(*)(void *), X509_NAME *(*)(X509_NAME *), copy_func), \
+      CHECKED_CAST(void (*)(void *), void (*)(X509_NAME *), free_func)))
 
 /* X509_NAME_ENTRY */
 #define sk_X509_NAME_ENTRY_new(comp)                 \
@@ -2764,14 +2979,20 @@
 #define sk_X509_NAME_ENTRY_is_sorted(sk) \
   sk_is_sorted(CHECKED_CAST(_STACK *, const STACK_OF(X509_NAME_ENTRY) *, sk))
 
-#define sk_X509_NAME_ENTRY_set_cmp_func(sk, comp)                       \
-  ((int (*)(const X509_NAME_ENTRY **a, const X509_NAME_ENTRY **b))      \
-   sk_set_cmp_func(                                                     \
-       CHECKED_CAST(_STACK *, STACK_OF(X509_NAME_ENTRY) *, sk),         \
-       CHECKED_CAST(stack_cmp_func, int (*)(const X509_NAME_ENTRY **a,  \
-                                            const X509_NAME_ENTRY **b), \
-                    comp)))
-
+#define sk_X509_NAME_ENTRY_set_cmp_func(sk, comp)                           \
+  ((int (*)(const X509_NAME_ENTRY **a, const X509_NAME_ENTRY **b))          \
+       sk_set_cmp_func(                                                     \
+           CHECKED_CAST(_STACK *, STACK_OF(X509_NAME_ENTRY) *, sk),         \
+           CHECKED_CAST(stack_cmp_func, int (*)(const X509_NAME_ENTRY **a,  \
+                                                const X509_NAME_ENTRY **b), \
+                        comp)))
+
+#define sk_X509_NAME_ENTRY_deep_copy(sk, copy_func, free_func)                 \
+  ((STACK_OF(X509_NAME_ENTRY) *)sk_deep_copy(                                  \
+      CHECKED_CAST(const _STACK *, const STACK_OF(X509_NAME_ENTRY) *, sk),     \
+      CHECKED_CAST(void *(*)(void *), X509_NAME_ENTRY *(*)(X509_NAME_ENTRY *), \
+                   copy_func),                                                 \
+      CHECKED_CAST(void (*)(void *), void (*)(X509_NAME_ENTRY *), free_func)))
 
 /* X509_OBJECT */
 #define sk_X509_OBJECT_new(comp)                                             \
@@ -2847,6 +3068,12 @@
                    int (*)(const X509_OBJECT **a, const X509_OBJECT **b),  \
                    comp)))
 
+#define sk_X509_OBJECT_deep_copy(sk, copy_func, free_func)             \
+  ((STACK_OF(X509_OBJECT) *)sk_deep_copy(                              \
+      CHECKED_CAST(const _STACK *, const STACK_OF(X509_OBJECT) *, sk), \
+      CHECKED_CAST(void *(*)(void *), X509_OBJECT *(*)(X509_OBJECT *), \
+                   copy_func),                                         \
+      CHECKED_CAST(void (*)(void *), void (*)(X509_OBJECT *), free_func)))
 
 /* X509_POLICY_DATA */
 #define sk_X509_POLICY_DATA_new(comp)                 \
@@ -2919,14 +3146,21 @@
 #define sk_X509_POLICY_DATA_is_sorted(sk) \
   sk_is_sorted(CHECKED_CAST(_STACK *, const STACK_OF(X509_POLICY_DATA) *, sk))
 
-#define sk_X509_POLICY_DATA_set_cmp_func(sk, comp)                       \
-  ((int (*)(const X509_POLICY_DATA **a, const X509_POLICY_DATA **b))     \
-   sk_set_cmp_func(                                                      \
-       CHECKED_CAST(_STACK *, STACK_OF(X509_POLICY_DATA) *, sk),         \
-       CHECKED_CAST(stack_cmp_func, int (*)(const X509_POLICY_DATA **a,  \
-                                            const X509_POLICY_DATA **b), \
-                    comp)))
-
+#define sk_X509_POLICY_DATA_set_cmp_func(sk, comp)                           \
+  ((int (*)(const X509_POLICY_DATA **a, const X509_POLICY_DATA **b))         \
+       sk_set_cmp_func(                                                      \
+           CHECKED_CAST(_STACK *, STACK_OF(X509_POLICY_DATA) *, sk),         \
+           CHECKED_CAST(stack_cmp_func, int (*)(const X509_POLICY_DATA **a,  \
+                                                const X509_POLICY_DATA **b), \
+                        comp)))
+
+#define sk_X509_POLICY_DATA_deep_copy(sk, copy_func, free_func)             \
+  ((STACK_OF(X509_POLICY_DATA) *)sk_deep_copy(                              \
+      CHECKED_CAST(const _STACK *, const STACK_OF(X509_POLICY_DATA) *, sk), \
+      CHECKED_CAST(void *(*)(void *),                                       \
+                   X509_POLICY_DATA *(*)(X509_POLICY_DATA *), copy_func),   \
+      CHECKED_CAST(void (*)(void *), void (*)(X509_POLICY_DATA *),          \
+                   free_func)))
 
 /* X509_POLICY_NODE */
 #define sk_X509_POLICY_NODE_new(comp)                 \
@@ -2999,14 +3233,21 @@
 #define sk_X509_POLICY_NODE_is_sorted(sk) \
   sk_is_sorted(CHECKED_CAST(_STACK *, const STACK_OF(X509_POLICY_NODE) *, sk))
 
-#define sk_X509_POLICY_NODE_set_cmp_func(sk, comp)                       \
-  ((int (*)(const X509_POLICY_NODE **a, const X509_POLICY_NODE **b))     \
-   sk_set_cmp_func(                                                      \
-       CHECKED_CAST(_STACK *, STACK_OF(X509_POLICY_NODE) *, sk),         \
-       CHECKED_CAST(stack_cmp_func, int (*)(const X509_POLICY_NODE **a,  \
-                                            const X509_POLICY_NODE **b), \
-                    comp)))
-
+#define sk_X509_POLICY_NODE_set_cmp_func(sk, comp)                           \
+  ((int (*)(const X509_POLICY_NODE **a, const X509_POLICY_NODE **b))         \
+       sk_set_cmp_func(                                                      \
+           CHECKED_CAST(_STACK *, STACK_OF(X509_POLICY_NODE) *, sk),         \
+           CHECKED_CAST(stack_cmp_func, int (*)(const X509_POLICY_NODE **a,  \
+                                                const X509_POLICY_NODE **b), \
+                        comp)))
+
+#define sk_X509_POLICY_NODE_deep_copy(sk, copy_func, free_func)             \
+  ((STACK_OF(X509_POLICY_NODE) *)sk_deep_copy(                              \
+      CHECKED_CAST(const _STACK *, const STACK_OF(X509_POLICY_NODE) *, sk), \
+      CHECKED_CAST(void *(*)(void *),                                       \
+                   X509_POLICY_NODE *(*)(X509_POLICY_NODE *), copy_func),   \
+      CHECKED_CAST(void (*)(void *), void (*)(X509_POLICY_NODE *),          \
+                   free_func)))
 
 /* X509_PURPOSE */
 #define sk_X509_PURPOSE_new(comp)                                              \
@@ -3084,6 +3325,12 @@
                    int (*)(const X509_PURPOSE **a, const X509_PURPOSE **b),  \
                    comp)))
 
+#define sk_X509_PURPOSE_deep_copy(sk, copy_func, free_func)              \
+  ((STACK_OF(X509_PURPOSE) *)sk_deep_copy(                               \
+      CHECKED_CAST(const _STACK *, const STACK_OF(X509_PURPOSE) *, sk),  \
+      CHECKED_CAST(void *(*)(void *), X509_PURPOSE *(*)(X509_PURPOSE *), \
+                   copy_func),                                           \
+      CHECKED_CAST(void (*)(void *), void (*)(X509_PURPOSE *), free_func)))
 
 /* X509_REVOKED */
 #define sk_X509_REVOKED_new(comp)                                              \
@@ -3161,6 +3408,12 @@
                    int (*)(const X509_REVOKED **a, const X509_REVOKED **b),  \
                    comp)))
 
+#define sk_X509_REVOKED_deep_copy(sk, copy_func, free_func)              \
+  ((STACK_OF(X509_REVOKED) *)sk_deep_copy(                               \
+      CHECKED_CAST(const _STACK *, const STACK_OF(X509_REVOKED) *, sk),  \
+      CHECKED_CAST(void *(*)(void *), X509_REVOKED *(*)(X509_REVOKED *), \
+                   copy_func),                                           \
+      CHECKED_CAST(void (*)(void *), void (*)(X509_REVOKED *), free_func)))
 
 /* X509_TRUST */
 #define sk_X509_TRUST_new(comp)                                            \
@@ -3236,6 +3489,12 @@
                    int (*)(const X509_TRUST **a, const X509_TRUST **b),  \
                    comp)))
 
+#define sk_X509_TRUST_deep_copy(sk, copy_func, free_func)             \
+  ((STACK_OF(X509_TRUST) *)sk_deep_copy(                              \
+      CHECKED_CAST(const _STACK *, const STACK_OF(X509_TRUST) *, sk), \
+      CHECKED_CAST(void *(*)(void *), X509_TRUST *(*)(X509_TRUST *),  \
+                   copy_func),                                        \
+      CHECKED_CAST(void (*)(void *), void (*)(X509_TRUST *), free_func)))
 
 /* X509_VERIFY_PARAM */
 #define sk_X509_VERIFY_PARAM_new(comp)                                   \
@@ -3309,14 +3568,21 @@
 #define sk_X509_VERIFY_PARAM_is_sorted(sk) \
   sk_is_sorted(CHECKED_CAST(_STACK *, const STACK_OF(X509_VERIFY_PARAM) *, sk))
 
-#define sk_X509_VERIFY_PARAM_set_cmp_func(sk, comp)                       \
-  ((int (*)(const X509_VERIFY_PARAM **a, const X509_VERIFY_PARAM **b))    \
-   sk_set_cmp_func(                                                       \
-       CHECKED_CAST(_STACK *, STACK_OF(X509_VERIFY_PARAM) *, sk),         \
-       CHECKED_CAST(stack_cmp_func, int (*)(const X509_VERIFY_PARAM **a,  \
-                                            const X509_VERIFY_PARAM **b), \
-                    comp)))
-
+#define sk_X509_VERIFY_PARAM_set_cmp_func(sk, comp)                           \
+  ((int (*)(const X509_VERIFY_PARAM **a, const X509_VERIFY_PARAM **b))        \
+       sk_set_cmp_func(                                                       \
+           CHECKED_CAST(_STACK *, STACK_OF(X509_VERIFY_PARAM) *, sk),         \
+           CHECKED_CAST(stack_cmp_func, int (*)(const X509_VERIFY_PARAM **a,  \
+                                                const X509_VERIFY_PARAM **b), \
+                        comp)))
+
+#define sk_X509_VERIFY_PARAM_deep_copy(sk, copy_func, free_func)             \
+  ((STACK_OF(X509_VERIFY_PARAM) *)sk_deep_copy(                              \
+      CHECKED_CAST(const _STACK *, const STACK_OF(X509_VERIFY_PARAM) *, sk), \
+      CHECKED_CAST(void *(*)(void *),                                        \
+                   X509_VERIFY_PARAM *(*)(X509_VERIFY_PARAM *), copy_func),  \
+      CHECKED_CAST(void (*)(void *), void (*)(X509_VERIFY_PARAM *),          \
+                   free_func)))
 
 /* void */
 #define sk_void_new(comp)                \
@@ -3381,6 +3647,11 @@
       CHECKED_CAST(stack_cmp_func, int (*)(const void **a, const void **b), \
                    comp)))
 
+#define sk_void_deep_copy(sk, copy_func, free_func)                  \
+  ((STACK_OF(void)*)sk_deep_copy(                                    \
+      CHECKED_CAST(const _STACK *, const STACK_OF(void)*, sk),       \
+      CHECKED_CAST(void *(*)(void *), void *(*)(void *), copy_func), \
+      CHECKED_CAST(void (*)(void *), void (*)(void *), free_func)))
 
 /* SRTP_PROTECTION_PROFILE */
 #define sk_SRTP_PROTECTION_PROFILE_new(comp)                            \
@@ -3459,16 +3730,25 @@
   sk_is_sorted(                                  \
       CHECKED_CAST(_STACK *, const STACK_OF(SRTP_PROTECTION_PROFILE) *, sk))
 
-#define sk_SRTP_PROTECTION_PROFILE_set_cmp_func(sk, comp)               \
-  ((int (*)(const SRTP_PROTECTION_PROFILE **a,                          \
-            const SRTP_PROTECTION_PROFILE **b))                         \
-   sk_set_cmp_func(                                                     \
-       CHECKED_CAST(_STACK *, STACK_OF(SRTP_PROTECTION_PROFILE) *, sk), \
-       CHECKED_CAST(stack_cmp_func,                                     \
-                    int (*)(const SRTP_PROTECTION_PROFILE **a,          \
-                            const SRTP_PROTECTION_PROFILE **b),         \
-                    comp)))
-
+#define sk_SRTP_PROTECTION_PROFILE_set_cmp_func(sk, comp)                   \
+  ((int (*)(const SRTP_PROTECTION_PROFILE **a,                              \
+            const SRTP_PROTECTION_PROFILE **b))                             \
+       sk_set_cmp_func(                                                     \
+           CHECKED_CAST(_STACK *, STACK_OF(SRTP_PROTECTION_PROFILE) *, sk), \
+           CHECKED_CAST(stack_cmp_func,                                     \
+                        int (*)(const SRTP_PROTECTION_PROFILE **a,          \
+                                const SRTP_PROTECTION_PROFILE **b),         \
+                        comp)))
+
+#define sk_SRTP_PROTECTION_PROFILE_deep_copy(sk, copy_func, free_func)        \
+  ((STACK_OF(SRTP_PROTECTION_PROFILE) *)sk_deep_copy(                         \
+      CHECKED_CAST(const _STACK *, const STACK_OF(SRTP_PROTECTION_PROFILE) *, \
+                   sk),                                                       \
+      CHECKED_CAST(void *(*)(void *), const SRTP_PROTECTION_PROFILE *(*)(     \
+                                          const SRTP_PROTECTION_PROFILE *),   \
+                   copy_func),                                                \
+      CHECKED_CAST(void (*)(void *),                                          \
+                   void (*)(const SRTP_PROTECTION_PROFILE *), free_func)))
 
 /* SSL_CIPHER */
 #define sk_SSL_CIPHER_new(comp)                 \
@@ -3547,6 +3827,13 @@
                    int (*)(const SSL_CIPHER **a, const SSL_CIPHER **b),  \
                    comp)))
 
+#define sk_SSL_CIPHER_deep_copy(sk, copy_func, free_func)                 \
+  ((STACK_OF(SSL_CIPHER) *)sk_deep_copy(                                  \
+      CHECKED_CAST(const _STACK *, const STACK_OF(SSL_CIPHER) *, sk),     \
+      CHECKED_CAST(void *(*)(void *),                                     \
+                   const SSL_CIPHER *(*)(const SSL_CIPHER *), copy_func), \
+      CHECKED_CAST(void (*)(void *), void (*)(const SSL_CIPHER *),        \
+                   free_func)))
 
 /* OPENSSL_STRING */
 #define sk_OPENSSL_STRING_new(comp)                 \
@@ -3618,14 +3905,20 @@
 #define sk_OPENSSL_STRING_is_sorted(sk) \
   sk_is_sorted(CHECKED_CAST(_STACK *, const STACK_OF(OPENSSL_STRING) *, sk))
 
-#define sk_OPENSSL_STRING_set_cmp_func(sk, comp)                       \
-  ((int (*)(const OPENSSL_STRING **a, const OPENSSL_STRING **b))       \
-   sk_set_cmp_func(                                                    \
-       CHECKED_CAST(_STACK *, STACK_OF(OPENSSL_STRING) *, sk),         \
-       CHECKED_CAST(stack_cmp_func, int (*)(const OPENSSL_STRING **a,  \
-                                            const OPENSSL_STRING **b), \
-                    comp)))
-
+#define sk_OPENSSL_STRING_set_cmp_func(sk, comp)                           \
+  ((int (*)(const OPENSSL_STRING **a, const OPENSSL_STRING **b))           \
+       sk_set_cmp_func(                                                    \
+           CHECKED_CAST(_STACK *, STACK_OF(OPENSSL_STRING) *, sk),         \
+           CHECKED_CAST(stack_cmp_func, int (*)(const OPENSSL_STRING **a,  \
+                                                const OPENSSL_STRING **b), \
+                        comp)))
+
+#define sk_OPENSSL_STRING_deep_copy(sk, copy_func, free_func)             \
+  ((STACK_OF(OPENSSL_STRING) *)sk_deep_copy(                              \
+      CHECKED_CAST(const _STACK *, const STACK_OF(OPENSSL_STRING) *, sk), \
+      CHECKED_CAST(void *(*)(void *), OPENSSL_STRING (*)(OPENSSL_STRING), \
+                   copy_func),                                            \
+      CHECKED_CAST(void (*)(void *), void (*)(OPENSSL_STRING), free_func)))
 
 /* OPENSSL_BLOCK */
 #define sk_OPENSSL_BLOCK_new(comp)                                             \
@@ -3702,3 +3995,10 @@
       CHECKED_CAST(stack_cmp_func,                                             \
                    int (*)(const OPENSSL_BLOCK **a, const OPENSSL_BLOCK **b),  \
                    comp)))
+
+#define sk_OPENSSL_BLOCK_deep_copy(sk, copy_func, free_func)             \
+  ((STACK_OF(OPENSSL_BLOCK) *)sk_deep_copy(                              \
+      CHECKED_CAST(const _STACK *, const STACK_OF(OPENSSL_BLOCK) *, sk), \
+      CHECKED_CAST(void *(*)(void *), OPENSSL_BLOCK (*)(OPENSSL_BLOCK),  \
+                   copy_func),                                           \
+      CHECKED_CAST(void (*)(void *), void (*)(OPENSSL_BLOCK), free_func)))
diff --git a/src/include/openssl/thread.h b/src/include/openssl/thread.h
index ea65405..f6e7529 100644
--- a/src/include/openssl/thread.h
+++ b/src/include/openssl/thread.h
@@ -57,6 +57,8 @@
 #ifndef OPENSSL_HEADER_THREAD_H
 #define OPENSSL_HEADER_THREAD_H
 
+#include <sys/types.h>
+
 #include <openssl/base.h>
 
 #if defined(__cplusplus)
@@ -64,21 +66,40 @@ extern "C" {
 #endif
 
 
+#if defined(OPENSSL_NO_THREADS)
+typedef struct crypto_mutex_st {} CRYPTO_MUTEX;
+#elif defined(OPENSSL_WINDOWS)
+/* CRYPTO_MUTEX can appear in public header files so we really don't want to
+ * pull in windows.h. It's statically asserted that this structure is large
+ * enough to contain a Windows CRITICAL_SECTION by thread_win.c. */
+typedef union crypto_mutex_st {
+  double alignment;
+  uint8_t padding[4*sizeof(void*) + 2*sizeof(int)];
+} CRYPTO_MUTEX;
+#elif defined(__MACH__) && defined(__APPLE__)
+typedef pthread_rwlock_t CRYPTO_MUTEX;
+#else
+/* It is reasonable to include pthread.h on non-Windows systems, however the
+ * |pthread_rwlock_t| that we need is hidden under feature flags, and we can't
+ * ensure that we'll be able to get it. It's statically asserted that this
+ * structure is large enough to contain a |pthread_rwlock_t| by
+ * thread_pthread.c. */
+typedef union crypto_mutex_st {
+  double alignment;
+  uint8_t padding[3*sizeof(int) + 5*sizeof(unsigned) + 16 + 8];
+} CRYPTO_MUTEX;
+#endif
+
+
 /* Functions to support multithreading.
  *
  * OpenSSL can safely be used in multi-threaded applications provided that at
- * least two callback functions are set with |CRYPTO_set_locking_callback| and
- * |CRYPTO_THREADID_set_callback|.
+ * least |CRYPTO_set_locking_callback| is set.
  *
  * The locking callback performs mutual exclusion. Rather than using a single
  * lock for all, shared data-structures, OpenSSL requires that the locking
  * callback support a fixed (at run-time) number of different locks, given by
- * |CRYPTO_num_locks|.
- *
- * The thread ID callback is called to record the currently executing thread's
- * identifier in a |CRYPTO_THREADID| structure. If this callback is not
- * provided then the address of |errno| is used as the thread identifier. This
- * is sufficient only if the system has a thread-local |errno| value. */
+ * |CRYPTO_num_locks|. */
 
 
 /* CRYPTO_num_locks returns the number of static locks that the callback
@@ -116,27 +137,22 @@ OPENSSL_EXPORT void CRYPTO_set_add_lock_callback(int (*func)(
 OPENSSL_EXPORT const char *CRYPTO_get_lock_name(int lock_num);
 
 
-/* CRYPTO_THREADID identifies a thread in a multithreaded program. This
- * structure should not be used directly. Rather applications should use
- * |CRYPTO_THREADID_set_numeric| and |CRYPTO_THREADID_set_pointer|. */
-typedef struct crypto_threadid_st {
-  void *ptr;
-  unsigned long val;
-} CRYPTO_THREADID;
-
-/* CRYPTO_THREADID_set_callback sets a callback function that stores an
- * identifier of the currently executing thread into |threadid|. The
- * CRYPTO_THREADID structure should not be accessed directly. Rather one of
- * |CRYPTO_THREADID_set_numeric| or |CRYPTO_THREADID_set_pointer| should be
- * used depending on whether thread IDs are numbers or pointers on the host
- * system. */
+/* Deprecated functions */
+
+/* CRYPTO_THREADID_set_callback does nothing. */
 OPENSSL_EXPORT int CRYPTO_THREADID_set_callback(
     void (*threadid_func)(CRYPTO_THREADID *threadid));
 
+/* CRYPTO_THREADID_set_numeric does nothing. */
 OPENSSL_EXPORT void CRYPTO_THREADID_set_numeric(CRYPTO_THREADID *id,
                                                 unsigned long val);
+
+/* CRYPTO_THREADID_set_pointer does nothing. */
 OPENSSL_EXPORT void CRYPTO_THREADID_set_pointer(CRYPTO_THREADID *id, void *ptr);
 
+/* CRYPTO_THREADID_current does nothing. */
+OPENSSL_EXPORT void CRYPTO_THREADID_current(CRYPTO_THREADID *id);
+
 
 /* Private functions: */
 
@@ -158,70 +174,43 @@ OPENSSL_EXPORT void CRYPTO_lock(int mode, int lock_num, const char *file,
 
 /* CRYPTO_add_lock adds |amount| to |*pointer|, protected by the lock specified
  * by |lock_num|. It returns the new value of |*pointer|. Don't call this
- * function directly, rather use the |CRYPTO_add_lock| macro.
- *
- * TODO(fork): rename to CRYPTO_add_locked. */
+ * function directly, rather use the |CRYPTO_add| macro. */
 OPENSSL_EXPORT int CRYPTO_add_lock(int *pointer, int amount, int lock_num,
                                    const char *file, int line);
 
-
-/* CRYPTO_THREADID_current stores the current thread identifier in |id|. */
-OPENSSL_EXPORT void CRYPTO_THREADID_current(CRYPTO_THREADID *id);
-
-/* CRYPTO_THREADID_cmp returns < 0, 0 or > 0 if |a| is less than, equal to or
- * greater than |b|, respectively. */
-int CRYPTO_THREADID_cmp(const CRYPTO_THREADID *a, const CRYPTO_THREADID *b);
-
-/* CRYPTO_THREADID_cpy sets |*dest| equal to |*src|. */
-void CRYPTO_THREADID_cpy(CRYPTO_THREADID *dest, const CRYPTO_THREADID *src);
-
-/* CRYPTO_THREADID_hash returns a hash of the numeric value of |id|. */
-uint32_t CRYPTO_THREADID_hash(const CRYPTO_THREADID *id);
-
-/* These are the locks used by OpenSSL. These values should match up with the
- * table in thread.c. */
-#define CRYPTO_LOCK_ERR 1
-#define CRYPTO_LOCK_EX_DATA 2
-#define CRYPTO_LOCK_X509 3
-#define CRYPTO_LOCK_X509_INFO 4
-#define CRYPTO_LOCK_X509_PKEY 5
-#define CRYPTO_LOCK_X509_CRL 6
-#define CRYPTO_LOCK_X509_REQ 7
-#define CRYPTO_LOCK_DSA 8
-#define CRYPTO_LOCK_RSA 9
-#define CRYPTO_LOCK_EVP_PKEY 10
-#define CRYPTO_LOCK_X509_STORE 11
-#define CRYPTO_LOCK_SSL_CTX 12
-#define CRYPTO_LOCK_SSL_CERT 13
-#define CRYPTO_LOCK_SSL_SESSION 14
-#define CRYPTO_LOCK_SSL_SESS_CERT 15
-#define CRYPTO_LOCK_SSL 16
-#define CRYPTO_LOCK_SSL_METHOD 17
-#define CRYPTO_LOCK_RAND 18
-#define CRYPTO_LOCK_RAND2 19
-#define CRYPTO_LOCK_MALLOC 20
-#define CRYPTO_LOCK_BIO 21
-#define CRYPTO_LOCK_GETHOSTBYNAME 22
-#define CRYPTO_LOCK_GETSERVBYNAME 23
-#define CRYPTO_LOCK_READDIR 24
-#define CRYPTO_LOCK_RSA_BLINDING 25
-#define CRYPTO_LOCK_DH 26
-#define CRYPTO_LOCK_MALLOC2 27
-#define CRYPTO_LOCK_DSO 28
-#define CRYPTO_LOCK_DYNLOCK 29
-#define CRYPTO_LOCK_ENGINE 30
-#define CRYPTO_LOCK_UI 31
-#define CRYPTO_LOCK_ECDSA 32
-#define CRYPTO_LOCK_EC 33
-#define CRYPTO_LOCK_ECDH 34
-#define CRYPTO_LOCK_BN 35
-#define CRYPTO_LOCK_EC_PRE_COMP 36
-#define CRYPTO_LOCK_STORE 37
-#define CRYPTO_LOCK_COMP 38
-#define CRYPTO_LOCK_FIPS 39
-#define CRYPTO_LOCK_FIPS2 40
-#define CRYPTO_LOCK_OBJ 40
-#define CRYPTO_NUM_LOCKS 42
+/* Lock IDs start from 1. CRYPTO_LOCK_INVALID_LOCK is an unused placeholder
+ * used to ensure no lock has ID 0. */
+#define CRYPTO_LOCK_LIST \
+  CRYPTO_LOCK_ITEM(CRYPTO_LOCK_INVALID_LOCK), \
+  CRYPTO_LOCK_ITEM(CRYPTO_LOCK_BIO), \
+  CRYPTO_LOCK_ITEM(CRYPTO_LOCK_DH), \
+  CRYPTO_LOCK_ITEM(CRYPTO_LOCK_DSA), \
+  CRYPTO_LOCK_ITEM(CRYPTO_LOCK_EC), \
+  CRYPTO_LOCK_ITEM(CRYPTO_LOCK_EC_PRE_COMP), \
+  CRYPTO_LOCK_ITEM(CRYPTO_LOCK_ERR), \
+  CRYPTO_LOCK_ITEM(CRYPTO_LOCK_EVP_PKEY), \
+  CRYPTO_LOCK_ITEM(CRYPTO_LOCK_EX_DATA), \
+  CRYPTO_LOCK_ITEM(CRYPTO_LOCK_OBJ), \
+  CRYPTO_LOCK_ITEM(CRYPTO_LOCK_RAND), \
+  CRYPTO_LOCK_ITEM(CRYPTO_LOCK_READDIR), \
+  CRYPTO_LOCK_ITEM(CRYPTO_LOCK_RSA), \
+  CRYPTO_LOCK_ITEM(CRYPTO_LOCK_RSA_BLINDING), \
+  CRYPTO_LOCK_ITEM(CRYPTO_LOCK_SSL_CTX), \
+  CRYPTO_LOCK_ITEM(CRYPTO_LOCK_SSL_SESSION), \
+  CRYPTO_LOCK_ITEM(CRYPTO_LOCK_X509), \
+  CRYPTO_LOCK_ITEM(CRYPTO_LOCK_X509_INFO), \
+  CRYPTO_LOCK_ITEM(CRYPTO_LOCK_X509_PKEY), \
+  CRYPTO_LOCK_ITEM(CRYPTO_LOCK_X509_CRL), \
+  CRYPTO_LOCK_ITEM(CRYPTO_LOCK_X509_REQ), \
+  CRYPTO_LOCK_ITEM(CRYPTO_LOCK_X509_STORE), \
+
+#define CRYPTO_LOCK_ITEM(x) x
+
+enum {
+  CRYPTO_LOCK_LIST
+};
+
+#undef CRYPTO_LOCK_ITEM
 
 #define CRYPTO_LOCK 1
 #define CRYPTO_UNLOCK 2
diff --git a/src/include/openssl/time_support.h b/src/include/openssl/time_support.h
index d03a99d..912e672 100644
--- a/src/include/openssl/time_support.h
+++ b/src/include/openssl/time_support.h
@@ -60,7 +60,6 @@
 
 #include <openssl/base.h>
 
-#include <time.h>
 
 #if defined(__cplusplus)
 extern "C" {
diff --git a/src/include/openssl/tls1.h b/src/include/openssl/tls1.h
index 95731ff..e085e15 100644
--- a/src/include/openssl/tls1.h
+++ b/src/include/openssl/tls1.h
@@ -161,24 +161,6 @@ extern "C" {
 
 #define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 0
 
-#define TLS1_2_VERSION 0x0303
-#define TLS1_2_VERSION_MAJOR 0x03
-#define TLS1_2_VERSION_MINOR 0x03
-
-#define TLS1_1_VERSION 0x0302
-#define TLS1_1_VERSION_MAJOR 0x03
-#define TLS1_1_VERSION_MINOR 0x02
-
-#define TLS1_VERSION 0x0301
-#define TLS1_VERSION_MAJOR 0x03
-#define TLS1_VERSION_MINOR 0x01
-
-#define TLS1_get_version(s) \
-  ((s->version >> 8) == TLS1_VERSION_MAJOR ? s->version : 0)
-
-#define TLS1_get_client_version(s) \
-  ((s->client_version >> 8) == TLS1_VERSION_MAJOR ? s->client_version : 0)
-
 #define TLS1_AD_DECRYPTION_FAILED 21
 #define TLS1_AD_RECORD_OVERFLOW 22
 #define TLS1_AD_UNKNOWN_CA 48    /* fatal */
@@ -298,16 +280,16 @@ extern "C" {
 
 OPENSSL_EXPORT const char *SSL_get_servername(const SSL *s, const int type);
 OPENSSL_EXPORT int SSL_get_servername_type(const SSL *s);
-/* SSL_export_keying_material exports a value derived from the master secret,
- * as specified in RFC 5705. It writes |olen| bytes to |out| given a label and
+
+/* SSL_export_keying_material exports a value derived from the master secret, as
+ * specified in RFC 5705. It writes |out_len| bytes to |out| given a label and
  * optional context. (Since a zero length context is allowed, the |use_context|
  * flag controls whether a context is included.)
  *
- * It returns 1 on success and zero otherwise. */
-OPENSSL_EXPORT int SSL_export_keying_material(SSL *s, uint8_t *out, size_t olen,
-                                              const char *label, size_t llen,
-                                              const uint8_t *p, size_t plen,
-                                              int use_context);
+ * It returns one on success and zero otherwise. */
+OPENSSL_EXPORT int SSL_export_keying_material(
+    SSL *s, uint8_t *out, size_t out_len, const char *label, size_t label_len,
+    const uint8_t *context, size_t context_len, int use_context);
 
 OPENSSL_EXPORT int SSL_get_sigalgs(SSL *s, int idx, int *psign, int *phash,
                                    int *psignandhash, uint8_t *rsig,
@@ -317,44 +299,61 @@ OPENSSL_EXPORT int SSL_get_shared_sigalgs(SSL *s, int idx, int *psign,
                                           int *phash, int *psignandhash,
                                           uint8_t *rsig, uint8_t *rhash);
 
-#define SSL_set_tlsext_host_name(s, name)                              \
-  SSL_ctrl(s, SSL_CTRL_SET_TLSEXT_HOSTNAME, TLSEXT_NAMETYPE_host_name, \
-           (char *)name)
-
-#define SSL_set_tlsext_debug_callback(ssl, cb) \
-  SSL_callback_ctrl(ssl, SSL_CTRL_SET_TLSEXT_DEBUG_CB, (void (*)(void))cb)
-
-#define SSL_set_tlsext_debug_arg(ssl, arg) \
-  SSL_ctrl(ssl, SSL_CTRL_SET_TLSEXT_DEBUG_ARG, 0, (void *)arg)
+/* SSL_set_tlsext_host_name, for a client, configures |ssl| to advertise |name|
+ * in the server_name extension. It returns one on success and zero on error. */
+OPENSSL_EXPORT int SSL_set_tlsext_host_name(SSL *ssl, const char *name);
 
-#define SSL_CTX_set_tlsext_servername_callback(ctx, cb)         \
-  SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TLSEXT_SERVERNAME_CB, \
-                        (void (*)(void))cb)
+/* SSL_CTX_set_tlsext_servername_callback configures |callback| to be called on
+ * the server after ClientHello extensions have been parsed and returns one.
+ * |callback| may use |SSL_get_servername| to examine the server_name extension
+ * and return a |SSL_TLSEXT_ERR_*| value. If it returns |SSL_TLSEXT_ERR_NOACK|,
+ * the server_name extension is not acknowledged in the ServerHello. If the
+ * return value signals an alert, |callback| should set |*out_alert| to the
+ * alert to send. */
+OPENSSL_EXPORT int SSL_CTX_set_tlsext_servername_callback(
+    SSL_CTX *ctx, int (*callback)(SSL *ssl, int *out_alert, void *arg));
 
 #define SSL_TLSEXT_ERR_OK 0
 #define SSL_TLSEXT_ERR_ALERT_WARNING 1
 #define SSL_TLSEXT_ERR_ALERT_FATAL 2
 #define SSL_TLSEXT_ERR_NOACK 3
 
-#define SSL_CTX_set_tlsext_servername_arg(ctx, arg) \
-  SSL_CTX_ctrl(ctx, SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG, 0, (void *)arg)
+/* SSL_CTX_set_tlsext_servername_arg sets the argument to the servername
+ * callback and returns one. See |SSL_CTX_set_tlsext_servername_callback|. */
+OPENSSL_EXPORT int SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg);
 
 #define SSL_CTX_get_tlsext_ticket_keys(ctx, keys, keylen) \
   SSL_CTX_ctrl((ctx), SSL_CTRL_GET_TLSEXT_TICKET_KEYS, (keylen), (keys))
 #define SSL_CTX_set_tlsext_ticket_keys(ctx, keys, keylen) \
   SSL_CTX_ctrl((ctx), SSL_CTRL_SET_TLSEXT_TICKET_KEYS, (keylen), (keys))
 
-#define SSL_CTX_set_tlsext_status_cb(ssl, cb)                   \
-  SSL_CTX_callback_ctrl(ssl, SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB, \
-                        (void (*)(void))cb)
-
-#define SSL_CTX_set_tlsext_status_arg(ssl, arg) \
-  SSL_CTX_ctrl(ssl, SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG, 0, (void *)arg)
-
-#define SSL_CTX_set_tlsext_ticket_key_cb(ssl, cb)               \
-  SSL_CTX_callback_ctrl(ssl, SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB, \
-                        (void (*)(void))cb)
-
+/* SSL_CTX_set_tlsext_ticket_key_cb sets the ticket callback to |callback| and
+ * returns one. |callback| will be called when encrypting a new ticket and when
+ * decrypting a ticket from the client.
+ *
+ * In both modes, |ctx| and |hmac_ctx| will already have been initialized with
+ * |EVP_CIPHER_CTX_init| and |HMAC_CTX_init|, respectively. |callback|
+ * configures |hmac_ctx| with an HMAC digest and key, and configures |ctx|
+ * for encryption or decryption, based on the mode.
+ *
+ * When encrypting a new ticket, |encrypt| will be one. It writes a public
+ * 16-byte key name to |key_name| and a fresh IV to |iv|. The output IV length
+ * must match |EVP_CIPHER_CTX_iv_length| of the cipher selected. In this mode,
+ * |callback| returns 1 on success and -1 on error.
+ *
+ * When decrypting a ticket, |encrypt| will be zero. |key_name| will point to a
+ * 16-byte key name and |iv| points to an IV. The length of the IV consumed must
+ * match |EVP_CIPHER_CTX_iv_length| of the cipher selected. In this mode,
+ * |callback| returns -1 to abort the handshake, 0 if decrypting the ticket
+ * failed, and 1 or 2 on success. If it returns 2, the ticket will be renewed.
+ * This may be used to re-key the ticket.
+ *
+ * WARNING: |callback| wildly breaks the usual return value convention and is
+ * called in two different modes. */
+OPENSSL_EXPORT int SSL_CTX_set_tlsext_ticket_key_cb(
+    SSL_CTX *ctx, int (*callback)(SSL *ssl, uint8_t *key_name, uint8_t *iv,
+                                  EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx,
+                                  int encrypt));
 
 /* PSK ciphersuites from 4279 */
 #define TLS1_CK_PSK_WITH_RC4_128_SHA                    0x0300008A
@@ -689,8 +688,6 @@ OPENSSL_EXPORT int SSL_get_shared_sigalgs(SSL *s, int idx, int *psign,
 #define TLS_CT_RSA_FIXED_ECDH 65
 #define TLS_CT_ECDSA_FIXED_ECDH 66
 
-#define TLS1_FINISH_MAC_LENGTH 12
-
 #define TLS_MD_MAX_CONST_SIZE 20
 #define TLS_MD_CLIENT_FINISH_CONST "client finished"
 #define TLS_MD_CLIENT_FINISH_CONST_SIZE 15
diff --git a/src/include/openssl/x509.h b/src/include/openssl/x509.h
index 2a79887..ef1d7fb 100644
--- a/src/include/openssl/x509.h
+++ b/src/include/openssl/x509.h
@@ -748,8 +748,6 @@ DECLARE_ASN1_FUNCTIONS(X509_PUBKEY)
 
 OPENSSL_EXPORT int		X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey);
 OPENSSL_EXPORT EVP_PKEY *	X509_PUBKEY_get(X509_PUBKEY *key);
-OPENSSL_EXPORT int		X509_get_pubkey_parameters(EVP_PKEY *pkey,
-					   STACK_OF(X509) *chain);
 OPENSSL_EXPORT int		i2d_PUBKEY(const EVP_PKEY *a,unsigned char **pp);
 OPENSSL_EXPORT EVP_PKEY *	d2i_PUBKEY(EVP_PKEY **a,const unsigned char **pp,
 			long length);
@@ -1221,112 +1219,101 @@ OPENSSL_EXPORT int PKCS7_get_PEM_CRLs(STACK_OF(X509_CRL) *out_crls,
 }
 #endif
 
-#define X509_F_x509_name_ex_new 100
-#define X509_F_X509_EXTENSION_create_by_NID 101
-#define X509_F_X509_load_crl_file 102
-#define X509_F_X509_TRUST_set 103
-#define X509_F_X509_EXTENSION_create_by_OBJ 104
-#define X509_F_by_file_ctrl 105
-#define X509_F_X509_load_cert_crl_file 106
-#define X509_F_X509_CRL_add0_revoked 107
-#define X509_F_bitstr_cb 108
-#define X509_F_X509_STORE_CTX_new 109
-#define X509_F_X509_REQ_to_X509 110
-#define X509_F_X509v3_add_ext 111
-#define X509_F_ASN1_sign 112
-#define X509_F_asn1_str2type 113
-#define X509_F_i2d_RSA_PUBKEY 114
-#define X509_F_ASN1_item_sign_ctx 115
-#define X509_F_x509_name_encode 116
-#define X509_F_d2i_X509_PKEY 117
-#define X509_F_ASN1_generate_v3 118
-#define X509_F_dir_ctrl 119
-#define X509_F_X509_print_ex_fp 120
-#define X509_F_X509_ATTRIBUTE_get0_data 121
-#define X509_F_X509_NAME_oneline 122
-#define X509_F_X509_CRL_print_fp 123
-#define X509_F_X509_STORE_CTX_get1_issuer 124
-#define X509_F_add_cert_dir 125
-#define X509_F_PKCS7_get_certificates 126
-#define X509_F_X509_ATTRIBUTE_create_by_NID 127
-#define X509_F_X509_ATTRIBUTE_set1_data 128
+#define X509_F_ASN1_digest 100
+#define X509_F_ASN1_item_sign_ctx 101
+#define X509_F_ASN1_item_verify 102
+#define X509_F_NETSCAPE_SPKI_b64_decode 103
+#define X509_F_NETSCAPE_SPKI_b64_encode 104
+#define X509_F_PKCS7_get_certificates 105
+#define X509_F_X509_ATTRIBUTE_create_by_NID 106
+#define X509_F_X509_ATTRIBUTE_create_by_OBJ 107
+#define X509_F_X509_ATTRIBUTE_create_by_txt 108
+#define X509_F_X509_ATTRIBUTE_get0_data 109
+#define X509_F_X509_ATTRIBUTE_set1_data 110
+#define X509_F_X509_CRL_add0_revoked 111
+#define X509_F_X509_CRL_diff 112
+#define X509_F_X509_CRL_print_fp 113
+#define X509_F_X509_EXTENSION_create_by_NID 114
+#define X509_F_X509_EXTENSION_create_by_OBJ 115
+#define X509_F_X509_INFO_new 116
+#define X509_F_X509_NAME_ENTRY_create_by_NID 117
+#define X509_F_X509_NAME_ENTRY_create_by_txt 118
+#define X509_F_X509_NAME_ENTRY_set_object 119
+#define X509_F_X509_NAME_add_entry 120
+#define X509_F_X509_NAME_oneline 121
+#define X509_F_X509_NAME_print 122
+#define X509_F_X509_PKEY_new 123
+#define X509_F_X509_PUBKEY_get 124
+#define X509_F_X509_PUBKEY_set 125
+#define X509_F_X509_REQ_check_private_key 126
+#define X509_F_X509_REQ_to_X509 127
+#define X509_F_X509_STORE_CTX_get1_issuer 128
 #define X509_F_X509_STORE_CTX_init 129
-#define X509_F_NETSCAPE_SPKI_b64_decode 130
-#define X509_F_X509_NAME_print 131
-#define X509_F_x509_name_ex_d2i 132
-#define X509_F_X509_PKEY_new 133
-#define X509_F_X509_STORE_add_cert 134
-#define X509_F_parse_tagging 135
-#define X509_F_check_policy 136
-#define X509_F_ASN1_digest 137
-#define X509_F_X509_load_cert_file 138
-#define X509_F_X509_ATTRIBUTE_create_by_txt 139
-#define X509_F_X509_PUBKEY_set 140
-#define X509_F_X509_PUBKEY_get 141
-#define X509_F_get_cert_by_subject 142
-#define X509_F_X509_NAME_add_entry 143
+#define X509_F_X509_STORE_CTX_new 130
+#define X509_F_X509_STORE_CTX_purpose_inherit 131
+#define X509_F_X509_STORE_add_cert 132
+#define X509_F_X509_STORE_add_crl 133
+#define X509_F_X509_TRUST_add 134
+#define X509_F_X509_TRUST_set 135
+#define X509_F_X509_check_private_key 136
+#define X509_F_X509_get_pubkey_parameters 137
+#define X509_F_X509_load_cert_crl_file 138
+#define X509_F_X509_load_cert_file 139
+#define X509_F_X509_load_crl_file 140
+#define X509_F_X509_print_ex_fp 141
+#define X509_F_X509_to_X509_REQ 142
+#define X509_F_X509_verify_cert 143
 #define X509_F_X509at_add1_attr 144
-#define X509_F_X509_check_private_key 145
-#define X509_F_append_exp 146
-#define X509_F_i2d_EC_PUBKEY 147
-#define X509_F_X509_INFO_new 148
-#define X509_F_X509_STORE_CTX_purpose_inherit 149
-#define X509_F_NETSCAPE_SPKI_b64_encode 150
-#define X509_F_X509_to_X509_REQ 151
-#define X509_F_X509_NAME_ENTRY_create_by_txt 152
-#define X509_F_X509_NAME_ENTRY_set_object 153
-#define X509_F_asn1_cb 154
-#define X509_F_X509_verify_cert 155
-#define X509_F_X509_CRL_diff 156
-#define X509_F_i2d_PrivateKey 157
-#define X509_F_X509_REQ_check_private_key 158
-#define X509_F_X509_STORE_add_crl 159
-#define X509_F_X509_get_pubkey_parameters 160
-#define X509_F_ASN1_item_verify 161
-#define X509_F_X509_ATTRIBUTE_create_by_OBJ 162
-#define X509_F_i2d_DSA_PUBKEY 163
-#define X509_F_X509_TRUST_add 164
-#define X509_F_X509_NAME_ENTRY_create_by_NID 165
-#define X509_F_PKCS7_get_CRLs 166
-#define X509_F_pkcs7_parse_header 167
-#define X509_R_NO_CERT_SET_FOR_US_TO_VERIFY 100
-#define X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN 101
-#define X509_R_METHOD_NOT_SUPPORTED 102
-#define X509_R_UNSUPPORTED_ALGORITHM 103
-#define X509_R_CRL_VERIFY_FAILURE 104
-#define X509_R_BASE64_DECODE_ERROR 105
-#define X509_R_INVALID_TRUST 106
-#define X509_R_UNKNOWN_NID 107
-#define X509_R_INVALID_DIRECTORY 108
-#define X509_R_KEY_VALUES_MISMATCH 109
-#define X509_R_CERT_ALREADY_IN_HASH_TABLE 110
-#define X509_R_PUBLIC_KEY_DECODE_ERROR 111
-#define X509_R_NOT_PKCS7_SIGNED_DATA 112
-#define X509_R_PUBLIC_KEY_ENCODE_ERROR 113
-#define X509_R_LOADING_CERT_DIR 114
-#define X509_R_WRONG_TYPE 115
-#define X509_R_UNKNOWN_PURPOSE_ID 116
-#define X509_R_NEWER_CRL_NOT_NEWER 117
-#define X509_R_UNKNOWN_TRUST_ID 118
-#define X509_R_KEY_TYPE_MISMATCH 120
-#define X509_R_UNKNOWN_KEY_TYPE 121
-#define X509_R_BAD_X509_FILETYPE 122
-#define X509_R_ISSUER_MISMATCH 123
-#define X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY 124
-#define X509_R_WRONG_LOOKUP_TYPE 125
-#define X509_R_CONTEXT_NOT_INITIALISED 126
-#define X509_R_CANT_CHECK_DH_KEY 127
-#define X509_R_NO_CERTIFICATES_INCLUDED 128
-#define X509_R_INVALID_FIELD_NAME 129
-#define X509_R_SHOULD_RETRY 130
-#define X509_R_NO_CRL_NUMBER 131
-#define X509_R_IDP_MISMATCH 132
-#define X509_R_LOADING_DEFAULTS 133
-#define X509_R_BAD_PKCS7_VERSION 134
-#define X509_R_CRL_ALREADY_DELTA 135
-#define X509_R_ERR_ASN1_LIB 136
-#define X509_R_AKID_MISMATCH 137
-#define X509_R_INVALID_BIT_STRING_BITS_LEFT 138
-#define X509_R_NO_CRLS_INCLUDED 139
+#define X509_F_X509v3_add_ext 145
+#define X509_F_add_cert_dir 146
+#define X509_F_by_file_ctrl 147
+#define X509_F_check_policy 148
+#define X509_F_dir_ctrl 149
+#define X509_F_get_cert_by_subject 150
+#define X509_F_i2d_DSA_PUBKEY 151
+#define X509_F_i2d_EC_PUBKEY 152
+#define X509_F_i2d_RSA_PUBKEY 153
+#define X509_F_x509_name_encode 154
+#define X509_F_x509_name_ex_d2i 155
+#define X509_F_x509_name_ex_new 156
+#define X509_F_pkcs7_parse_header 157
+#define X509_F_PKCS7_get_CRLs 158
+#define X509_R_AKID_MISMATCH 100
+#define X509_R_BAD_PKCS7_VERSION 101
+#define X509_R_BAD_X509_FILETYPE 102
+#define X509_R_BASE64_DECODE_ERROR 103
+#define X509_R_CANT_CHECK_DH_KEY 104
+#define X509_R_CERT_ALREADY_IN_HASH_TABLE 105
+#define X509_R_CRL_ALREADY_DELTA 106
+#define X509_R_CRL_VERIFY_FAILURE 107
+#define X509_R_IDP_MISMATCH 108
+#define X509_R_INVALID_BIT_STRING_BITS_LEFT 109
+#define X509_R_INVALID_DIRECTORY 110
+#define X509_R_INVALID_FIELD_NAME 111
+#define X509_R_INVALID_TRUST 112
+#define X509_R_ISSUER_MISMATCH 113
+#define X509_R_KEY_TYPE_MISMATCH 114
+#define X509_R_KEY_VALUES_MISMATCH 115
+#define X509_R_LOADING_CERT_DIR 116
+#define X509_R_LOADING_DEFAULTS 117
+#define X509_R_METHOD_NOT_SUPPORTED 118
+#define X509_R_NEWER_CRL_NOT_NEWER 119
+#define X509_R_NOT_PKCS7_SIGNED_DATA 120
+#define X509_R_NO_CERTIFICATES_INCLUDED 121
+#define X509_R_NO_CERT_SET_FOR_US_TO_VERIFY 122
+#define X509_R_NO_CRL_NUMBER 123
+#define X509_R_PUBLIC_KEY_DECODE_ERROR 124
+#define X509_R_PUBLIC_KEY_ENCODE_ERROR 125
+#define X509_R_SHOULD_RETRY 126
+#define X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN 127
+#define X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY 128
+#define X509_R_UNKNOWN_KEY_TYPE 129
+#define X509_R_UNKNOWN_NID 130
+#define X509_R_UNKNOWN_PURPOSE_ID 131
+#define X509_R_UNKNOWN_TRUST_ID 132
+#define X509_R_UNSUPPORTED_ALGORITHM 133
+#define X509_R_WRONG_LOOKUP_TYPE 134
+#define X509_R_WRONG_TYPE 135
+#define X509_R_NO_CRLS_INCLUDED 136
 
 #endif
diff --git a/src/include/openssl/x509_vfy.h b/src/include/openssl/x509_vfy.h
index c65bfde..299cad7 100644
--- a/src/include/openssl/x509_vfy.h
+++ b/src/include/openssl/x509_vfy.h
@@ -202,7 +202,6 @@ struct x509_store_st
 	STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm);
 	int (*cleanup)(X509_STORE_CTX *ctx);
 
-	CRYPTO_EX_DATA ex_data;
 	int references;
 	} /* X509_STORE */;
 
@@ -554,11 +553,15 @@ OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
 					STACK_OF(ASN1_OBJECT) *policies);
 
 OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
-				const unsigned char *name, size_t namelen);
+				const char *name, size_t namelen);
+OPENSSL_EXPORT int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,
+					       const char *name,
+					       size_t namelen);
 OPENSSL_EXPORT void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
 					unsigned int flags);
+OPENSSL_EXPORT char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *);
 OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
-				const unsigned char *email, size_t emaillen);
+				const char *email, size_t emaillen);
 OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param,
 					const unsigned char *ip, size_t iplen);
 OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc);
diff --git a/src/include/openssl/x509v3.h b/src/include/openssl/x509v3.h
index c891022..5caa5c1 100644
--- a/src/include/openssl/x509v3.h
+++ b/src/include/openssl/x509v3.h
@@ -607,14 +607,6 @@ OPENSSL_EXPORT int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, char *secti
 OPENSSL_EXPORT int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509_REQ *req);
 OPENSSL_EXPORT int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509_CRL *crl);
 
-OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
-				    int ext_nid, char *value);
-OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
-				char *name, char *value);
-OPENSSL_EXPORT int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
-			char *section, X509 *cert);
-OPENSSL_EXPORT int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
-			    char *section, X509_REQ *req);
 OPENSSL_EXPORT int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
 			    char *section, X509_CRL *crl);
 
@@ -623,7 +615,6 @@ OPENSSL_EXPORT int X509V3_add_value_bool_nf(char *name, int asn1_bool,
 OPENSSL_EXPORT int X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool);
 OPENSSL_EXPORT int X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint);
 OPENSSL_EXPORT void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf);
-OPENSSL_EXPORT void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash);
 
 OPENSSL_EXPORT char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section);
 OPENSSL_EXPORT STACK_OF(CONF_VALUE) * X509V3_get_section(X509V3_CTX *ctx, char *section);
@@ -713,9 +704,9 @@ OPENSSL_EXPORT STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x);
  */
 #define _X509_CHECK_FLAG_DOT_SUBDOMAINS 0x8000
 
-OPENSSL_EXPORT int X509_check_host(X509 *x, const unsigned char *chk, size_t chklen,
-					unsigned int flags);
-OPENSSL_EXPORT int X509_check_email(X509 *x, const unsigned char *chk, size_t chklen,
+OPENSSL_EXPORT int X509_check_host(X509 *x, const char *chk, size_t chklen,
+					unsigned int flags, char **peername);
+OPENSSL_EXPORT int X509_check_email(X509 *x, const char *chk, size_t chklen,
 					unsigned int flags);
 OPENSSL_EXPORT int X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen,
 					unsigned int flags);
@@ -740,131 +731,125 @@ void ERR_load_X509V3_strings(void);
 #ifdef  __cplusplus
 }
 #endif
-#define X509V3_F_do_ext_i2d 100
-#define X509V3_F_v2i_AUTHORITY_KEYID 101
-#define X509V3_F_X509V3_parse_list 102
-#define X509V3_F_SXNET_add_id_asc 103
+#define X509V3_F_SXNET_add_id_INTEGER 100
+#define X509V3_F_SXNET_add_id_asc 101
+#define X509V3_F_SXNET_add_id_ulong 102
+#define X509V3_F_SXNET_get_id_asc 103
 #define X509V3_F_SXNET_get_id_ulong 104
-#define X509V3_F_v2i_AUTHORITY_INFO_ACCESS 105
-#define X509V3_F_X509V3_EXT_add 106
-#define X509V3_F_i2s_ASN1_INTEGER 107
-#define X509V3_F_s2i_ASN1_OCTET_STRING 108
-#define X509V3_F_copy_issuer 109
-#define X509V3_F_v2i_subject_alt 110
-#define X509V3_F_copy_email 111
-#define X509V3_F_X509V3_EXT_i2d 112
-#define X509V3_F_v2i_crld 113
-#define X509V3_F_policy_section 114
-#define X509V3_F_a2i_GENERAL_NAME 115
-#define X509V3_F_hex_to_string 116
-#define X509V3_F_i2s_ASN1_IA5STRING 117
-#define X509V3_F_string_to_hex 118
-#define X509V3_F_v3_generic_extension 119
-#define X509V3_F_X509V3_get_section 120
-#define X509V3_F_s2i_skey_id 121
-#define X509V3_F_nref_nos 122
-#define X509V3_F_X509V3_get_value_bool 123
-#define X509V3_F_v2i_NAME_CONSTRAINTS 124
-#define X509V3_F_v2i_POLICY_MAPPINGS 125
-#define X509V3_F_v2i_GENERAL_NAMES 126
-#define X509V3_F_do_dirname 127
-#define X509V3_F_v2i_ASN1_BIT_STRING 128
-#define X509V3_F_SXNET_add_id_ulong 129
-#define X509V3_F_X509V3_EXT_add_alias 130
-#define X509V3_F_X509V3_add1_i2d 131
-#define X509V3_F_r2i_pci 132
-#define X509V3_F_X509V3_get_string 133
-#define X509V3_F_gnames_from_sectname 134
-#define X509V3_F_r2i_certpol 135
-#define X509V3_F_X509V3_add_value 136
+#define X509V3_F_X509V3_EXT_add 105
+#define X509V3_F_X509V3_EXT_add_alias 106
+#define X509V3_F_X509V3_EXT_free 107
+#define X509V3_F_X509V3_EXT_i2d 108
+#define X509V3_F_X509V3_EXT_nconf 109
+#define X509V3_F_X509V3_add1_i2d 110
+#define X509V3_F_X509V3_add_value 111
+#define X509V3_F_X509V3_get_section 112
+#define X509V3_F_X509V3_get_string 113
+#define X509V3_F_X509V3_get_value_bool 114
+#define X509V3_F_X509V3_parse_list 115
+#define X509V3_F_X509_PURPOSE_add 116
+#define X509V3_F_X509_PURPOSE_set 117
+#define X509V3_F_a2i_GENERAL_NAME 118
+#define X509V3_F_copy_email 119
+#define X509V3_F_copy_issuer 120
+#define X509V3_F_do_dirname 121
+#define X509V3_F_do_ext_i2d 122
+#define X509V3_F_do_ext_nconf 123
+#define X509V3_F_gnames_from_sectname 124
+#define X509V3_F_hex_to_string 125
+#define X509V3_F_i2s_ASN1_ENUMERATED 126
+#define X509V3_F_i2s_ASN1_IA5STRING 127
+#define X509V3_F_i2s_ASN1_INTEGER 128
+#define X509V3_F_i2v_AUTHORITY_INFO_ACCESS 129
+#define X509V3_F_notice_section 130
+#define X509V3_F_nref_nos 131
+#define X509V3_F_policy_section 132
+#define X509V3_F_process_pci_value 133
+#define X509V3_F_r2i_certpol 134
+#define X509V3_F_r2i_pci 135
+#define X509V3_F_s2i_ASN1_IA5STRING 136
 #define X509V3_F_s2i_ASN1_INTEGER 137
-#define X509V3_F_v2i_issuer_alt 138
-#define X509V3_F_v2i_GENERAL_NAME_ex 139
-#define X509V3_F_X509V3_EXT_nconf 140
-#define X509V3_F_v2i_BASIC_CONSTRAINTS 141
-#define X509V3_F_process_pci_value 142
-#define X509V3_F_notice_section 143
-#define X509V3_F_X509_PURPOSE_set 144
-#define X509V3_F_do_ext_nconf 145
-#define X509V3_F_i2s_ASN1_ENUMERATED 146
-#define X509V3_F_s2i_ASN1_IA5STRING 147
-#define X509V3_F_v2i_POLICY_CONSTRAINTS 148
-#define X509V3_F_v2i_EXTENDED_KEY_USAGE 149
-#define X509V3_F_SXNET_get_id_asc 150
-#define X509V3_F_set_dist_point_name 151
-#define X509V3_F_v2i_idp 152
-#define X509V3_F_X509_PURPOSE_add 153
-#define X509V3_F_SXNET_add_id_INTEGER 154
-#define X509V3_F_i2v_AUTHORITY_INFO_ACCESS 155
-#define X509V3_F_X509V3_EXT_free 156
-#define X509V3_R_INVALID_BOOLEAN_STRING 100
-#define X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED 101
-#define X509V3_R_INVALID_NAME 102
-#define X509V3_R_OPERATION_NOT_DEFINED 103
-#define X509V3_R_POLICY_PATH_LENGTH 104
-#define X509V3_R_INVALID_PROXY_POLICY_SETTING 105
-#define X509V3_R_INVALID_ASRANGE 106
-#define X509V3_R_ERROR_CREATING_EXTENSION 107
-#define X509V3_R_ISSUER_DECODE_ERROR 108
-#define X509V3_R_OTHERNAME_ERROR 109
-#define X509V3_R_ILLEGAL_HEX_DIGIT 110
-#define X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED 111
-#define X509V3_R_USER_TOO_LONG 112
-#define X509V3_R_INVALID_INHERITANCE 113
-#define X509V3_R_INVALID_SAFI 114
-#define X509V3_R_INVALID_NULL_VALUE 115
-#define X509V3_R_NO_SUBJECT_DETAILS 116
-#define X509V3_R_BAD_OBJECT 117
-#define X509V3_R_DIRNAME_ERROR 118
-#define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 119
-#define X509V3_R_INVALID_EXTENSION_STRING 120
-#define X509V3_R_NEED_ORGANIZATION_AND_NUMBERS 121
-#define X509V3_R_BN_TO_ASN1_INTEGER_ERROR 122
-#define X509V3_R_INVALID_OPTION 123
-#define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 124
-#define X509V3_R_INVALID_POLICY_IDENTIFIER 125
-#define X509V3_R_INVALID_PURPOSE 126
-#define X509V3_R_UNKNOWN_EXTENSION 127
-#define X509V3_R_NO_ISSUER_CERTIFICATE 128
-#define X509V3_R_BN_DEC2BN_ERROR 129
-#define X509V3_R_EXPECTED_A_SECTION_NAME 130
-#define X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED 131
-#define X509V3_R_MISSING_VALUE 132
-#define X509V3_R_SECTION_NOT_FOUND 133
-#define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED 134
-#define X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED 135
-#define X509V3_R_ILLEGAL_EMPTY_EXTENSION 136
-#define X509V3_R_NO_POLICY_IDENTIFIER 137
-#define X509V3_R_NO_ISSUER_DETAILS 138
+#define X509V3_F_s2i_ASN1_OCTET_STRING 138
+#define X509V3_F_s2i_skey_id 139
+#define X509V3_F_set_dist_point_name 140
+#define X509V3_F_string_to_hex 141
+#define X509V3_F_v2i_ASN1_BIT_STRING 142
+#define X509V3_F_v2i_AUTHORITY_INFO_ACCESS 143
+#define X509V3_F_v2i_AUTHORITY_KEYID 144
+#define X509V3_F_v2i_BASIC_CONSTRAINTS 145
+#define X509V3_F_v2i_EXTENDED_KEY_USAGE 146
+#define X509V3_F_v2i_GENERAL_NAMES 147
+#define X509V3_F_v2i_GENERAL_NAME_ex 148
+#define X509V3_F_v2i_NAME_CONSTRAINTS 149
+#define X509V3_F_v2i_POLICY_CONSTRAINTS 150
+#define X509V3_F_v2i_POLICY_MAPPINGS 151
+#define X509V3_F_v2i_crld 152
+#define X509V3_F_v2i_idp 153
+#define X509V3_F_v2i_issuer_alt 154
+#define X509V3_F_v2i_subject_alt 155
+#define X509V3_F_v3_generic_extension 156
+#define X509V3_R_BAD_IP_ADDRESS 100
+#define X509V3_R_BAD_OBJECT 101
+#define X509V3_R_BN_DEC2BN_ERROR 102
+#define X509V3_R_BN_TO_ASN1_INTEGER_ERROR 103
+#define X509V3_R_CANNOT_FIND_FREE_FUNCTION 104
+#define X509V3_R_DIRNAME_ERROR 105
+#define X509V3_R_DISTPOINT_ALREADY_SET 106
+#define X509V3_R_DUPLICATE_ZONE_ID 107
+#define X509V3_R_ERROR_CONVERTING_ZONE 108
+#define X509V3_R_ERROR_CREATING_EXTENSION 109
+#define X509V3_R_ERROR_IN_EXTENSION 110
+#define X509V3_R_EXPECTED_A_SECTION_NAME 111
+#define X509V3_R_EXTENSION_EXISTS 112
+#define X509V3_R_EXTENSION_NAME_ERROR 113
+#define X509V3_R_EXTENSION_NOT_FOUND 114
+#define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED 115
+#define X509V3_R_EXTENSION_VALUE_ERROR 116
+#define X509V3_R_ILLEGAL_EMPTY_EXTENSION 117
+#define X509V3_R_ILLEGAL_HEX_DIGIT 118
+#define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG 119
+#define X509V3_R_INVALID_BOOLEAN_STRING 120
+#define X509V3_R_INVALID_EXTENSION_STRING 121
+#define X509V3_R_INVALID_MULTIPLE_RDNS 122
+#define X509V3_R_INVALID_NAME 123
+#define X509V3_R_INVALID_NULL_ARGUMENT 124
+#define X509V3_R_INVALID_NULL_NAME 125
+#define X509V3_R_INVALID_NULL_VALUE 126
+#define X509V3_R_INVALID_NUMBER 127
+#define X509V3_R_INVALID_NUMBERS 128
+#define X509V3_R_INVALID_OBJECT_IDENTIFIER 129
+#define X509V3_R_INVALID_OPTION 130
+#define X509V3_R_INVALID_POLICY_IDENTIFIER 131
+#define X509V3_R_INVALID_PROXY_POLICY_SETTING 132
+#define X509V3_R_INVALID_PURPOSE 133
+#define X509V3_R_INVALID_SECTION 134
+#define X509V3_R_INVALID_SYNTAX 135
+#define X509V3_R_ISSUER_DECODE_ERROR 136
+#define X509V3_R_MISSING_VALUE 137
+#define X509V3_R_NEED_ORGANIZATION_AND_NUMBERS 138
 #define X509V3_R_NO_CONFIG_DATABASE 139
-#define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG 140
-#define X509V3_R_INVALID_SECTION 141
-#define X509V3_R_INVALID_IPADDRESS 142
-#define X509V3_R_EXTENSION_VALUE_ERROR 143
-#define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 144
-#define X509V3_R_INVALID_NULL_ARGUMENT 145
-#define X509V3_R_ERROR_IN_EXTENSION 146
-#define X509V3_R_INVALID_NULL_NAME 147
-#define X509V3_R_BAD_IP_ADDRESS 148
-#define X509V3_R_UNSUPPORTED_OPTION 149
-#define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 150
-#define X509V3_R_EXTENSION_EXISTS 151
-#define X509V3_R_UNKNOWN_OPTION 152
-#define X509V3_R_ERROR_CONVERTING_ZONE 153
-#define X509V3_R_NO_PUBLIC_KEY 154
-#define X509V3_R_INVALID_MULTIPLE_RDNS 155
-#define X509V3_R_INVALID_SYNTAX 156
-#define X509V3_R_UNKNOWN_EXTENSION_NAME 157
-#define X509V3_R_ODD_NUMBER_OF_DIGITS 158
-#define X509V3_R_DISTPOINT_ALREADY_SET 159
-#define X509V3_R_UNSUPPORTED_TYPE 160
-#define X509V3_R_EXTENSION_NAME_ERROR 161
-#define X509V3_R_INVALID_NUMBERS 162
-#define X509V3_R_INVALID_NUMBER 163
-#define X509V3_R_INVALID_OBJECT_IDENTIFIER 164
-#define X509V3_R_DUPLICATE_ZONE_ID 165
-#define X509V3_R_EXTENSION_NOT_FOUND 166
-#define X509V3_R_INVALID_ASNUMBER 167
-#define X509V3_R_CANNOT_FIND_FREE_FUNCTION 168
+#define X509V3_R_NO_ISSUER_CERTIFICATE 140
+#define X509V3_R_NO_ISSUER_DETAILS 141
+#define X509V3_R_NO_POLICY_IDENTIFIER 142
+#define X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED 143
+#define X509V3_R_NO_PUBLIC_KEY 144
+#define X509V3_R_NO_SUBJECT_DETAILS 145
+#define X509V3_R_ODD_NUMBER_OF_DIGITS 146
+#define X509V3_R_OPERATION_NOT_DEFINED 147
+#define X509V3_R_OTHERNAME_ERROR 148
+#define X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED 149
+#define X509V3_R_POLICY_PATH_LENGTH 150
+#define X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED 151
+#define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 152
+#define X509V3_R_SECTION_NOT_FOUND 153
+#define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 154
+#define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 155
+#define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 156
+#define X509V3_R_UNKNOWN_EXTENSION 157
+#define X509V3_R_UNKNOWN_EXTENSION_NAME 158
+#define X509V3_R_UNKNOWN_OPTION 159
+#define X509V3_R_UNSUPPORTED_OPTION 160
+#define X509V3_R_UNSUPPORTED_TYPE 161
+#define X509V3_R_USER_TOO_LONG 162
 
 #endif
diff --git a/src/ssl/CMakeLists.txt b/src/ssl/CMakeLists.txt
index 91bd5ea..9cc6de4 100644
--- a/src/ssl/CMakeLists.txt
+++ b/src/ssl/CMakeLists.txt
@@ -22,8 +22,7 @@ add_library(
   ssl_algs.c
   ssl_asn1.c
   ssl_cert.c
-  ssl_ciph.c
-  ssl_error.c
+  ssl_cipher.c
   ssl_lib.c
   ssl_rsa.c
   ssl_sess.c
@@ -39,7 +38,7 @@ add_library(
 add_executable(
   ssl_test
 
-  ssl_test.c
+  ssl_test.cc
 )
 
 target_link_libraries(ssl_test ssl crypto)
diff --git a/src/ssl/d1_both.c b/src/ssl/d1_both.c
index 5edc93f..662f518 100644
--- a/src/ssl/d1_both.c
+++ b/src/ssl/d1_both.c
@@ -124,44 +124,8 @@
 #include <openssl/rand.h>
 #include <openssl/x509.h>
 
-#include "ssl_locl.h"
-
-#define RSMBLY_BITMASK_SIZE(msg_len) (((msg_len) + 7) / 8)
-
-#define RSMBLY_BITMASK_MARK(bitmask, start, end)                     \
-  {                                                                  \
-    if ((end) - (start) <= 8) {                                      \
-      long ii;                                                       \
-      for (ii = (start); ii < (end); ii++)                           \
-        bitmask[((ii) >> 3)] |= (1 << ((ii)&7));                     \
-    } else {                                                         \
-      long ii;                                                       \
-      bitmask[((start) >> 3)] |= bitmask_start_values[((start)&7)];  \
-      for (ii = (((start) >> 3) + 1); ii < ((((end)-1)) >> 3); ii++) \
-        bitmask[ii] = 0xff;                                          \
-      bitmask[(((end)-1) >> 3)] |= bitmask_end_values[((end)&7)];    \
-    }                                                                \
-  }
-
-#define RSMBLY_BITMASK_IS_COMPLETE(bitmask, msg_len, is_complete)           \
-  {                                                                         \
-    long ii;                                                                \
-    assert((msg_len) > 0);                                                  \
-    is_complete = 1;                                                        \
-    if (bitmask[(((msg_len)-1) >> 3)] != bitmask_end_values[((msg_len)&7)]) \
-      is_complete = 0;                                                      \
-    if (is_complete)                                                        \
-      for (ii = (((msg_len)-1) >> 3) - 1; ii >= 0; ii--)                    \
-        if (bitmask[ii] != 0xff) {                                          \
-          is_complete = 0;                                                  \
-          break;                                                            \
-        }                                                                   \
-  }
+#include "internal.h"
 
-static const uint8_t bitmask_start_values[] = {0xff, 0xfe, 0xfc, 0xf8,
-                                               0xf0, 0xe0, 0xc0, 0x80};
-static const uint8_t bitmask_end_values[] = {0xff, 0x01, 0x03, 0x07,
-                                             0x0f, 0x1f, 0x3f, 0x7f};
 
 /* TODO(davidben): 28 comes from the size of IP + UDP header. Is this reasonable
  * for these values? Notably, why is kMinMTU a function of the transport
@@ -175,25 +139,30 @@ static const unsigned int kMinMTU = 256 - 28;
  * the underlying BIO supplies one. */
 static const unsigned int kDefaultMTU = 1500 - 28;
 
+/* kMaxHandshakeBuffer is the maximum number of handshake messages ahead of the
+ * current one to buffer. */
+static const unsigned int kHandshakeBufferSize = 10;
+
 static void dtls1_fix_message_header(SSL *s, unsigned long frag_off,
                                      unsigned long frag_len);
 static unsigned char *dtls1_write_message_header(SSL *s, unsigned char *p);
-static long dtls1_get_message_fragment(SSL *s, int stn, long max, int *ok);
 
 static hm_fragment *dtls1_hm_fragment_new(unsigned long frag_len,
                                           int reassembly) {
   hm_fragment *frag = NULL;
-  unsigned char *buf = NULL;
-  unsigned char *bitmask = NULL;
+  uint8_t *buf = NULL;
+  uint8_t *bitmask = NULL;
 
   frag = (hm_fragment *)OPENSSL_malloc(sizeof(hm_fragment));
   if (frag == NULL) {
+    OPENSSL_PUT_ERROR(SSL, dtls1_hm_fragment_new, ERR_R_MALLOC_FAILURE);
     return NULL;
   }
 
   if (frag_len) {
-    buf = (unsigned char *)OPENSSL_malloc(frag_len);
+    buf = (uint8_t *)OPENSSL_malloc(frag_len);
     if (buf == NULL) {
+      OPENSSL_PUT_ERROR(SSL, dtls1_hm_fragment_new, ERR_R_MALLOC_FAILURE);
       OPENSSL_free(frag);
       return NULL;
     }
@@ -203,16 +172,22 @@ static hm_fragment *dtls1_hm_fragment_new(unsigned long frag_len,
   frag->fragment = buf;
 
   /* Initialize reassembly bitmask if necessary */
-  if (reassembly) {
-    bitmask = (unsigned char *)OPENSSL_malloc(RSMBLY_BITMASK_SIZE(frag_len));
+  if (reassembly && frag_len > 0) {
+    if (frag_len + 7 < frag_len) {
+      OPENSSL_PUT_ERROR(SSL, dtls1_hm_fragment_new, ERR_R_OVERFLOW);
+      return NULL;
+    }
+    size_t bitmask_len = (frag_len + 7) / 8;
+    bitmask = (uint8_t *)OPENSSL_malloc(bitmask_len);
     if (bitmask == NULL) {
+      OPENSSL_PUT_ERROR(SSL, dtls1_hm_fragment_new, ERR_R_MALLOC_FAILURE);
       if (buf != NULL) {
         OPENSSL_free(buf);
       }
       OPENSSL_free(frag);
       return NULL;
     }
-    memset(bitmask, 0, RSMBLY_BITMASK_SIZE(frag_len));
+    memset(bitmask, 0, bitmask_len);
   }
 
   frag->reassembly = bitmask;
@@ -221,23 +196,65 @@ static hm_fragment *dtls1_hm_fragment_new(unsigned long frag_len,
 }
 
 void dtls1_hm_fragment_free(hm_fragment *frag) {
-  if (frag->msg_header.is_ccs) {
-    /* TODO(davidben): Simplify aead_write_ctx ownership, probably by just
-     * forbidding DTLS renego. */
-    SSL_AEAD_CTX *aead_write_ctx =
-        frag->msg_header.saved_retransmit_state.aead_write_ctx;
-    if (aead_write_ctx) {
-      EVP_AEAD_CTX_cleanup(&aead_write_ctx->ctx);
-      OPENSSL_free(aead_write_ctx);
+  if (frag == NULL) {
+    return;
+  }
+  OPENSSL_free(frag->fragment);
+  OPENSSL_free(frag->reassembly);
+  OPENSSL_free(frag);
+}
+
+#if !defined(inline)
+#define inline __inline
+#endif
+
+/* bit_range returns a |uint8_t| with bits |start|, inclusive, to |end|,
+ * exclusive, set. */
+static inline uint8_t bit_range(size_t start, size_t end) {
+  return (uint8_t)(~((1u << start) - 1) & ((1u << end) - 1));
+}
+
+/* dtls1_hm_fragment_mark marks bytes |start|, inclusive, to |end|, exclusive,
+ * as received in |frag|. If |frag| becomes complete, it clears
+ * |frag->reassembly|. The range must be within the bounds of |frag|'s message
+ * and |frag->reassembly| must not be NULL. */
+static void dtls1_hm_fragment_mark(hm_fragment *frag, size_t start,
+                                   size_t end) {
+  size_t i;
+  size_t msg_len = frag->msg_header.msg_len;
+
+  if (frag->reassembly == NULL || start > end || end > msg_len) {
+    assert(0);
+    return;
+  }
+  /* A zero-length message will never have a pending reassembly. */
+  assert(msg_len > 0);
+
+  if ((start >> 3) == (end >> 3)) {
+    frag->reassembly[start >> 3] |= bit_range(start & 7, end & 7);
+  } else {
+    frag->reassembly[start >> 3] |= bit_range(start & 7, 8);
+    for (i = (start >> 3) + 1; i < (end >> 3); i++) {
+      frag->reassembly[i] = 0xff;
+    }
+    if ((end & 7) != 0) {
+      frag->reassembly[end >> 3] |= bit_range(0, end & 7);
     }
   }
-  if (frag->fragment) {
-    OPENSSL_free(frag->fragment);
+
+  /* Check if the fragment is complete. */
+  for (i = 0; i < (msg_len >> 3); i++) {
+    if (frag->reassembly[i] != 0xff) {
+      return;
+    }
   }
-  if (frag->reassembly) {
-    OPENSSL_free(frag->reassembly);
+  if ((msg_len & 7) != 0 &&
+      frag->reassembly[msg_len >> 3] != bit_range(0, msg_len & 7)) {
+    return;
   }
-  OPENSSL_free(frag);
+
+  OPENSSL_free(frag->reassembly);
+  frag->reassembly = NULL;
 }
 
 /* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
@@ -368,514 +385,279 @@ int dtls1_do_write(SSL *s, int type) {
   return 0;
 }
 
-
-/* Obtain handshake message of message type 'mt' (any if mt == -1), maximum
- * acceptable body length 'max'. Read an entire handshake message. Handshake
- * messages arrive in fragments. */
-long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max,
-                       int hash_message, int *ok) {
-  int i, al;
-  struct hm_header_st *msg_hdr;
-  uint8_t *p;
-  unsigned long msg_len;
-
-  /* s3->tmp is used to store messages that are unexpected, caused
-   * by the absence of an optional handshake message */
-  if (s->s3->tmp.reuse_message) {
-    /* A SSL_GET_MESSAGE_DONT_HASH_MESSAGE call cannot be combined
-     * with reuse_message; the SSL_GET_MESSAGE_DONT_HASH_MESSAGE
-     * would have to have been applied to the previous call. */
-    assert(hash_message != SSL_GET_MESSAGE_DONT_HASH_MESSAGE);
-    s->s3->tmp.reuse_message = 0;
-    if (mt >= 0 && s->s3->tmp.message_type != mt) {
-      al = SSL_AD_UNEXPECTED_MESSAGE;
-      OPENSSL_PUT_ERROR(SSL, dtls1_get_message, SSL_R_UNEXPECTED_MESSAGE);
-      goto f_err;
-    }
-    *ok = 1;
-    s->init_msg = (uint8_t *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
-    s->init_num = (int)s->s3->tmp.message_size;
-    return s->init_num;
-  }
-
-  msg_hdr = &s->d1->r_msg_hdr;
-  memset(msg_hdr, 0x00, sizeof(struct hm_header_st));
-
-again:
-  i = dtls1_get_message_fragment(s, stn, max, ok);
-  if (i == DTLS1_HM_BAD_FRAGMENT ||
-      i == DTLS1_HM_FRAGMENT_RETRY) {
-    /* bad fragment received */
-    goto again;
-  } else if (i <= 0 && !*ok) {
-    return i;
-  }
-
-  p = (uint8_t *)s->init_buf->data;
-  msg_len = msg_hdr->msg_len;
-
-  /* reconstruct message header */
-  *(p++) = msg_hdr->type;
-  l2n3(msg_len, p);
-  s2n(msg_hdr->seq, p);
-  l2n3(0, p);
-  l2n3(msg_len, p);
-  p -= DTLS1_HM_HEADER_LENGTH;
-  msg_len += DTLS1_HM_HEADER_LENGTH;
-
-  s->init_msg = (uint8_t *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
-
-  if (hash_message != SSL_GET_MESSAGE_DONT_HASH_MESSAGE) {
-    ssl3_hash_current_message(s);
-  }
-  if (s->msg_callback) {
-    s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, p, msg_len, s,
-                    s->msg_callback_arg);
+/* dtls1_is_next_message_complete returns one if the next handshake message is
+ * complete and zero otherwise. */
+static int dtls1_is_next_message_complete(SSL *s) {
+  pitem *item = pqueue_peek(s->d1->buffered_messages);
+  if (item == NULL) {
+    return 0;
   }
 
-  memset(msg_hdr, 0x00, sizeof(struct hm_header_st));
-
-  s->d1->handshake_read_seq++;
+  hm_fragment *frag = (hm_fragment *)item->data;
+  assert(s->d1->handshake_read_seq <= frag->msg_header.seq);
 
-  return s->init_num;
-
-f_err:
-  ssl3_send_alert(s, SSL3_AL_FATAL, al);
-  *ok = 0;
-  return -1;
+  return s->d1->handshake_read_seq == frag->msg_header.seq &&
+      frag->reassembly == NULL;
 }
 
-static int dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr,
-                                     int max) {
-  size_t frag_off, frag_len, msg_len;
-
-  msg_len = msg_hdr->msg_len;
-  frag_off = msg_hdr->frag_off;
-  frag_len = msg_hdr->frag_len;
-
-  /* sanity checking */
-  if ((frag_off + frag_len) > msg_len) {
-    OPENSSL_PUT_ERROR(SSL, dtls1_preprocess_fragment,
-                      SSL_R_EXCESSIVE_MESSAGE_SIZE);
-    return SSL_AD_ILLEGAL_PARAMETER;
-  }
-
-  if ((frag_off + frag_len) > (unsigned long)max) {
-    OPENSSL_PUT_ERROR(SSL, dtls1_preprocess_fragment,
-                      SSL_R_EXCESSIVE_MESSAGE_SIZE);
-    return SSL_AD_ILLEGAL_PARAMETER;
-  }
-
-  if (s->d1->r_msg_hdr.frag_off == 0) {
-    /* first fragment */
-    /* msg_len is limited to 2^24, but is effectively checked
-     * against max above */
-    if (!BUF_MEM_grow_clean(s->init_buf, msg_len + DTLS1_HM_HEADER_LENGTH)) {
-      OPENSSL_PUT_ERROR(SSL, dtls1_preprocess_fragment, ERR_R_BUF_LIB);
-      return SSL_AD_INTERNAL_ERROR;
+/* dtls1_discard_fragment_body discards a handshake fragment body of length
+ * |frag_len|. It returns one on success and zero on error.
+ *
+ * TODO(davidben): This function will go away when ssl_read_bytes is gone from
+ * the DTLS side. */
+static int dtls1_discard_fragment_body(SSL *s, size_t frag_len) {
+  uint8_t discard[256];
+  while (frag_len > 0) {
+    size_t chunk = frag_len < sizeof(discard) ? frag_len : sizeof(discard);
+    int ret = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, discard, chunk,
+                                        0);
+    if (ret != chunk) {
+      return 0;
     }
-
-    s->s3->tmp.message_size = msg_len;
-    s->d1->r_msg_hdr.msg_len = msg_len;
-    s->s3->tmp.message_type = msg_hdr->type;
-    s->d1->r_msg_hdr.type = msg_hdr->type;
-    s->d1->r_msg_hdr.seq = msg_hdr->seq;
-  } else if (msg_len != s->d1->r_msg_hdr.msg_len) {
-    /* They must be playing with us! BTW, failure to enforce
-     * upper limit would open possibility for buffer overrun. */
-    OPENSSL_PUT_ERROR(SSL, dtls1_preprocess_fragment,
-                      SSL_R_EXCESSIVE_MESSAGE_SIZE);
-    return SSL_AD_ILLEGAL_PARAMETER;
+    frag_len -= chunk;
   }
-
-  return 0; /* no error */
+  return 1;
 }
 
+/* dtls1_get_buffered_message returns the buffered message corresponding to
+ * |msg_hdr|. If none exists, it creates a new one and inserts it in the
+ * queue. Otherwise, it checks |msg_hdr| is consistent with the existing one. It
+ * returns NULL on failure. The caller does not take ownership of the result. */
+static hm_fragment *dtls1_get_buffered_message(
+    SSL *s, const struct hm_header_st *msg_hdr) {
+  uint8_t seq64be[8];
+  memset(seq64be, 0, sizeof(seq64be));
+  seq64be[6] = (uint8_t)(msg_hdr->seq >> 8);
+  seq64be[7] = (uint8_t)msg_hdr->seq;
+  pitem *item = pqueue_find(s->d1->buffered_messages, seq64be);
 
-static int dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok) {
-  /* (0) check whether the desired fragment is available
-   * if so:
-   * (1) copy over the fragment to s->init_buf->data[]
-   * (2) update s->init_num */
-  pitem *item;
   hm_fragment *frag;
-  int al;
-  unsigned long frag_len;
-
-  *ok = 0;
-  item = pqueue_peek(s->d1->buffered_messages);
   if (item == NULL) {
-    return 0;
-  }
-
-  frag = (hm_fragment *)item->data;
-
-  /* Don't return if reassembly still in progress */
-  if (frag->reassembly != NULL) {
-    return 0;
-  }
-
-  if (s->d1->handshake_read_seq != frag->msg_header.seq) {
-    return 0;
-  }
-
-  frag_len = frag->msg_header.frag_len;
-  pqueue_pop(s->d1->buffered_messages);
-
-  al = dtls1_preprocess_fragment(s, &frag->msg_header, max);
-
-  if (al == 0) {
-    /* no alert */
-    uint8_t *p = (uint8_t *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
-    memcpy(&p[frag->msg_header.frag_off], frag->fragment,
-           frag->msg_header.frag_len);
-  }
-
-  dtls1_hm_fragment_free(frag);
-  pitem_free(item);
-
-  if (al == 0) {
-    *ok = 1;
-    return frag_len;
+    /* This is the first fragment from this message. */
+    frag = dtls1_hm_fragment_new(msg_hdr->msg_len,
+                                 1 /* reassembly buffer needed */);
+    if (frag == NULL) {
+      return NULL;
+    }
+    memcpy(&frag->msg_header, msg_hdr, sizeof(*msg_hdr));
+    item = pitem_new(seq64be, frag);
+    if (item == NULL) {
+      dtls1_hm_fragment_free(frag);
+      return NULL;
+    }
+    item = pqueue_insert(s->d1->buffered_messages, item);
+    /* |pqueue_insert| fails iff a duplicate item is inserted, but |item| cannot
+     * be a duplicate. */
+    assert(item != NULL);
+  } else {
+    frag = item->data;
+    assert(frag->msg_header.seq == msg_hdr->seq);
+    if (frag->msg_header.type != msg_hdr->type ||
+        frag->msg_header.msg_len != msg_hdr->msg_len) {
+      /* The new fragment must be compatible with the previous fragments from
+       * this message. */
+      OPENSSL_PUT_ERROR(SSL, dtls1_get_buffered_message,
+                        SSL_R_FRAGMENT_MISMATCH);
+      ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
+      return NULL;
+    }
   }
-
-  ssl3_send_alert(s, SSL3_AL_FATAL, al);
-  s->init_num = 0;
-  *ok = 0;
-  return -1;
+  return frag;
 }
 
 /* dtls1_max_handshake_message_len returns the maximum number of bytes
  * permitted in a DTLS handshake message for |s|. The minimum is 16KB, but may
  * be greater if the maximum certificate list size requires it. */
-static unsigned long dtls1_max_handshake_message_len(const SSL *s) {
-  unsigned long max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH;
-  if (max_len < (unsigned long)s->max_cert_list) {
+static size_t dtls1_max_handshake_message_len(const SSL *s) {
+  size_t max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH;
+  if (max_len < s->max_cert_list) {
     return s->max_cert_list;
   }
   return max_len;
 }
 
-static int dtls1_reassemble_fragment(SSL *s, const struct hm_header_st *msg_hdr,
-                                     int *ok) {
-  hm_fragment *frag = NULL;
-  pitem *item = NULL;
-  int i = -1, is_complete;
-  uint8_t seq64be[8];
-  unsigned long frag_len = msg_hdr->frag_len;
-
-  if ((msg_hdr->frag_off + frag_len) > msg_hdr->msg_len ||
-      msg_hdr->msg_len > dtls1_max_handshake_message_len(s)) {
-    goto err;
+/* dtls1_process_fragment reads a handshake fragment and processes it. It
+ * returns one if a fragment was successfully processed and 0 or -1 on error. */
+static int dtls1_process_fragment(SSL *s) {
+  /* Read handshake message header.
+   *
+   * TODO(davidben): ssl_read_bytes allows splitting the fragment header and
+   * body across two records. Change this interface to consume the fragment in
+   * one pass. */
+  uint8_t header[DTLS1_HM_HEADER_LENGTH];
+  int ret = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, header,
+                                      DTLS1_HM_HEADER_LENGTH, 0);
+  if (ret <= 0) {
+    return ret;
+  }
+  if (ret != DTLS1_HM_HEADER_LENGTH) {
+    OPENSSL_PUT_ERROR(SSL, dtls1_process_fragment, SSL_R_UNEXPECTED_MESSAGE);
+    ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
+    return -1;
+  }
+
+  /* Parse the message fragment header. */
+  struct hm_header_st msg_hdr;
+  dtls1_get_message_header(header, &msg_hdr);
+
+  const size_t frag_off = msg_hdr.frag_off;
+  const size_t frag_len = msg_hdr.frag_len;
+  const size_t msg_len = msg_hdr.msg_len;
+  if (frag_off > msg_len || frag_off + frag_len < frag_off ||
+      frag_off + frag_len > msg_len ||
+      msg_len > dtls1_max_handshake_message_len(s)) {
+    OPENSSL_PUT_ERROR(SSL, dtls1_process_fragment,
+                      SSL_R_EXCESSIVE_MESSAGE_SIZE);
+    ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
+    return -1;
   }
 
-  if (frag_len == 0) {
-    return DTLS1_HM_FRAGMENT_RETRY;
+  if (msg_hdr.seq < s->d1->handshake_read_seq ||
+      msg_hdr.seq > (unsigned)s->d1->handshake_read_seq +
+                    kHandshakeBufferSize) {
+    /* Ignore fragments from the past, or ones too far in the future. */
+    if (!dtls1_discard_fragment_body(s, frag_len)) {
+      return -1;
+    }
+    return 1;
   }
 
-  /* Try to find item in queue */
-  memset(seq64be, 0, sizeof(seq64be));
-  seq64be[6] = (uint8_t)(msg_hdr->seq >> 8);
-  seq64be[7] = (uint8_t)msg_hdr->seq;
-  item = pqueue_find(s->d1->buffered_messages, seq64be);
-
-  if (item == NULL) {
-    frag = dtls1_hm_fragment_new(msg_hdr->msg_len, 1);
-    if (frag == NULL) {
-      goto err;
-    }
-    memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
-    frag->msg_header.frag_len = frag->msg_header.msg_len;
-    frag->msg_header.frag_off = 0;
-  } else {
-    frag = (hm_fragment *)item->data;
-    if (frag->msg_header.msg_len != msg_hdr->msg_len) {
-      item = NULL;
-      frag = NULL;
-      goto err;
-    }
+  hm_fragment *frag = dtls1_get_buffered_message(s, &msg_hdr);
+  if (frag == NULL) {
+    return -1;
   }
+  assert(frag->msg_header.msg_len == msg_len);
 
-  /* If message is already reassembled, this must be a
-   * retransmit and can be dropped. In this case item != NULL and so frag
-   * does not need to be freed. */
   if (frag->reassembly == NULL) {
-    uint8_t devnull[256];
-
-    assert(item != NULL);
-    while (frag_len) {
-      i = s->method->ssl_read_bytes(
-          s, SSL3_RT_HANDSHAKE, devnull,
-          frag_len > sizeof(devnull) ? sizeof(devnull) : frag_len, 0);
-      if (i <= 0) {
-        goto err;
-      }
-      frag_len -= i;
+    /* The message is already assembled. */
+    if (!dtls1_discard_fragment_body(s, frag_len)) {
+      return -1;
     }
-    return DTLS1_HM_FRAGMENT_RETRY;
+    return 1;
   }
+  assert(msg_len > 0);
 
-  /* read the body of the fragment (header has already been read */
-  i = s->method->ssl_read_bytes(
-      s, SSL3_RT_HANDSHAKE, frag->fragment + msg_hdr->frag_off, frag_len, 0);
-  if ((unsigned long)i != frag_len) {
-    i = -1;
-  }
-  if (i <= 0) {
-    goto err;
+  /* Read the body of the fragment. */
+  ret = s->method->ssl_read_bytes(
+      s, SSL3_RT_HANDSHAKE, frag->fragment + frag_off, frag_len, 0);
+  if (ret != frag_len) {
+    OPENSSL_PUT_ERROR(SSL, dtls1_process_fragment, SSL_R_UNEXPECTED_MESSAGE);
+    ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
+    return -1;
   }
+  dtls1_hm_fragment_mark(frag, frag_off, frag_off + frag_len);
 
-  RSMBLY_BITMASK_MARK(frag->reassembly, (long)msg_hdr->frag_off,
-                      (long)(msg_hdr->frag_off + frag_len));
-
-  RSMBLY_BITMASK_IS_COMPLETE(frag->reassembly, (long)msg_hdr->msg_len,
-                             is_complete);
+  return 1;
+}
 
-  if (is_complete) {
-    OPENSSL_free(frag->reassembly);
-    frag->reassembly = NULL;
-  }
+/* dtls1_get_message reads a handshake message of message type |msg_type| (any
+ * if |msg_type| == -1), maximum acceptable body length |max|. Read an entire
+ * handshake message. Handshake messages arrive in fragments. */
+long dtls1_get_message(SSL *s, int st1, int stn, int msg_type, long max,
+                       enum ssl_hash_message_t hash_message, int *ok) {
+  pitem *item = NULL;
+  hm_fragment *frag = NULL;
+  int al;
 
-  if (item == NULL) {
-    item = pitem_new(seq64be, frag);
-    if (item == NULL) {
-      i = -1;
-      goto err;
+  /* s3->tmp is used to store messages that are unexpected, caused
+   * by the absence of an optional handshake message */
+  if (s->s3->tmp.reuse_message) {
+    /* A ssl_dont_hash_message call cannot be combined with reuse_message; the
+     * ssl_dont_hash_message would have to have been applied to the previous
+     * call. */
+    assert(hash_message == ssl_hash_message);
+    s->s3->tmp.reuse_message = 0;
+    if (msg_type >= 0 && s->s3->tmp.message_type != msg_type) {
+      al = SSL_AD_UNEXPECTED_MESSAGE;
+      OPENSSL_PUT_ERROR(SSL, dtls1_get_message, SSL_R_UNEXPECTED_MESSAGE);
+      goto f_err;
     }
-
-    item = pqueue_insert(s->d1->buffered_messages, item);
-    /* pqueue_insert fails iff a duplicate item is inserted.
-     * However, |item| cannot be a duplicate. If it were,
-     * |pqueue_find|, above, would have returned it and control
-     * would never have reached this branch. */
-    assert(item != NULL);
+    *ok = 1;
+    s->init_msg = (uint8_t *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
+    s->init_num = (int)s->s3->tmp.message_size;
+    return s->init_num;
   }
 
-  return DTLS1_HM_FRAGMENT_RETRY;
-
-err:
-  if (frag != NULL && item == NULL) {
-    dtls1_hm_fragment_free(frag);
+  /* Process fragments until one is found. */
+  while (!dtls1_is_next_message_complete(s)) {
+    int ret = dtls1_process_fragment(s);
+    if (ret <= 0) {
+      *ok = 0;
+      return ret;
+    }
   }
-  *ok = 0;
-  return i;
-}
 
-static int dtls1_process_out_of_seq_message(SSL *s,
-                                            const struct hm_header_st *msg_hdr,
-                                            int *ok) {
-  int i = -1;
-  hm_fragment *frag = NULL;
-  pitem *item = NULL;
-  uint8_t seq64be[8];
-  unsigned long frag_len = msg_hdr->frag_len;
+  /* Read out the next complete handshake message. */
+  item = pqueue_pop(s->d1->buffered_messages);
+  assert(item != NULL);
+  frag = (hm_fragment *)item->data;
+  assert(s->d1->handshake_read_seq == frag->msg_header.seq);
+  assert(frag->reassembly == NULL);
 
-  if ((msg_hdr->frag_off + frag_len) > msg_hdr->msg_len) {
+  if (frag->msg_header.msg_len > (size_t)max) {
+    OPENSSL_PUT_ERROR(SSL, dtls1_get_message, SSL_R_EXCESSIVE_MESSAGE_SIZE);
     goto err;
   }
 
-  /* Try to find item in queue, to prevent duplicate entries */
-  memset(seq64be, 0, sizeof(seq64be));
-  seq64be[6] = (uint8_t)(msg_hdr->seq >> 8);
-  seq64be[7] = (uint8_t)msg_hdr->seq;
-  item = pqueue_find(s->d1->buffered_messages, seq64be);
-
-  /* If we already have an entry and this one is a fragment,
-   * don't discard it and rather try to reassemble it. */
-  if (item != NULL && frag_len != msg_hdr->msg_len) {
-    item = NULL;
-  }
-
-  /* Discard the message if sequence number was already there, is
-   * too far in the future, already in the queue or if we received
-   * a FINISHED before the SERVER_HELLO, which then must be a stale
-   * retransmit. */
-  if (msg_hdr->seq <= s->d1->handshake_read_seq ||
-      msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL ||
-      (s->d1->handshake_read_seq == 0 && msg_hdr->type == SSL3_MT_FINISHED)) {
-    uint8_t devnull[256];
-
-    while (frag_len) {
-      i = s->method->ssl_read_bytes(
-          s, SSL3_RT_HANDSHAKE, devnull,
-          frag_len > sizeof(devnull) ? sizeof(devnull) : frag_len, 0);
-      if (i <= 0) {
-        goto err;
-      }
-      frag_len -= i;
-    }
-  } else {
-    if (frag_len != msg_hdr->msg_len) {
-      return dtls1_reassemble_fragment(s, msg_hdr, ok);
-    }
-
-    if (frag_len > dtls1_max_handshake_message_len(s)) {
-      goto err;
-    }
-
-    frag = dtls1_hm_fragment_new(frag_len, 0);
-    if (frag == NULL) {
-      goto err;
-    }
-
-    memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
-
-    if (frag_len) {
-      /* read the body of the fragment (header has already been read */
-      i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, frag->fragment,
-                                    frag_len, 0);
-      if ((unsigned long)i != frag_len) {
-        i = -1;
-      }
-      if (i <= 0) {
-        goto err;
-      }
-    }
-
-    item = pitem_new(seq64be, frag);
-    if (item == NULL) {
-      goto err;
-    }
-
-    item = pqueue_insert(s->d1->buffered_messages, item);
-    /* pqueue_insert fails iff a duplicate item is inserted.
-     * However, |item| cannot be a duplicate. If it were,
-     * |pqueue_find|, above, would have returned it. Then, either
-     * |frag_len| != |msg_hdr->msg_len| in which case |item| is set
-     * to NULL and it will have been processed with
-     * |dtls1_reassemble_fragment|, above, or the record will have
-     * been discarded. */
-    assert(item != NULL);
+  CBB cbb;
+  if (!BUF_MEM_grow(s->init_buf,
+                    (size_t)frag->msg_header.msg_len +
+                    DTLS1_HM_HEADER_LENGTH) ||
+      !CBB_init_fixed(&cbb, (uint8_t *)s->init_buf->data, s->init_buf->max)) {
+    OPENSSL_PUT_ERROR(SSL, dtls1_get_message, ERR_R_MALLOC_FAILURE);
+    goto err;
   }
 
-  return DTLS1_HM_FRAGMENT_RETRY;
-
-err:
-  if (frag != NULL && item == NULL) {
-    dtls1_hm_fragment_free(frag);
+  /* Reconstruct the assembled message. */
+  size_t len;
+  if (!CBB_add_u8(&cbb, frag->msg_header.type) ||
+      !CBB_add_u24(&cbb, frag->msg_header.msg_len) ||
+      !CBB_add_u16(&cbb, frag->msg_header.seq) ||
+      !CBB_add_u24(&cbb, 0 /* frag_off */) ||
+      !CBB_add_u24(&cbb, frag->msg_header.msg_len) ||
+      !CBB_add_bytes(&cbb, frag->fragment, frag->msg_header.msg_len) ||
+      !CBB_finish(&cbb, NULL, &len)) {
+    CBB_cleanup(&cbb);
+    OPENSSL_PUT_ERROR(SSL, dtls1_get_message, ERR_R_INTERNAL_ERROR);
+    goto err;
   }
-  *ok = 0;
-  return i;
-}
-
+  assert(len == (size_t)frag->msg_header.msg_len + DTLS1_HM_HEADER_LENGTH);
 
-static long dtls1_get_message_fragment(SSL *s, int stn, long max, int *ok) {
-  uint8_t wire[DTLS1_HM_HEADER_LENGTH];
-  unsigned long len, frag_off, frag_len;
-  int i, al;
-  struct hm_header_st msg_hdr;
-
-redo:
-  /* see if we have the required fragment already */
-  if ((frag_len = dtls1_retrieve_buffered_fragment(s, max, ok)) || *ok) {
-    if (*ok) {
-      s->init_num = frag_len;
-    }
-    return frag_len;
-  }
+  s->d1->handshake_read_seq++;
 
-  /* read handshake message header */
-  i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, wire,
-                                DTLS1_HM_HEADER_LENGTH, 0);
-  if (i <= 0) {
-    /* nbio, or an error */
-    s->rwstate = SSL_READING;
-    *ok = 0;
-    return i;
-  }
+  /* TODO(davidben): This function has a lot of implicit outputs. Simplify the
+   * |ssl_get_message| API. */
+  s->s3->tmp.message_type = frag->msg_header.type;
+  s->s3->tmp.message_size = frag->msg_header.msg_len;
+  s->init_msg = (uint8_t *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
+  s->init_num = frag->msg_header.msg_len;
 
-  /* Handshake fails if message header is incomplete */
-  if (i != DTLS1_HM_HEADER_LENGTH) {
+  if (msg_type >= 0 && s->s3->tmp.message_type != msg_type) {
     al = SSL_AD_UNEXPECTED_MESSAGE;
-    OPENSSL_PUT_ERROR(SSL, dtls1_get_message_fragment,
-                      SSL_R_UNEXPECTED_MESSAGE);
+    OPENSSL_PUT_ERROR(SSL, dtls1_get_message, SSL_R_UNEXPECTED_MESSAGE);
     goto f_err;
   }
-
-  /* parse the message fragment header */
-  dtls1_get_message_header(wire, &msg_hdr);
-
-  /* if this is a future (or stale) message it gets buffered
-   * (or dropped)--no further processing at this time. */
-  if (msg_hdr.seq != s->d1->handshake_read_seq) {
-    return dtls1_process_out_of_seq_message(s, &msg_hdr, ok);
-  }
-
-  len = msg_hdr.msg_len;
-  frag_off = msg_hdr.frag_off;
-  frag_len = msg_hdr.frag_len;
-
-  if (frag_len && frag_len < len) {
-    return dtls1_reassemble_fragment(s, &msg_hdr, ok);
+  if (hash_message == ssl_hash_message && !ssl3_hash_current_message(s)) {
+    goto err;
   }
-
-  if (!s->server && s->d1->r_msg_hdr.frag_off == 0 &&
-      wire[0] == SSL3_MT_HELLO_REQUEST) {
-    /* The server may always send 'Hello Request' messages --
-     * we are doing a handshake anyway now, so ignore them
-     * if their format is correct. Does not count for
-     * 'Finished' MAC. */
-    if (wire[1] == 0 && wire[2] == 0 && wire[3] == 0) {
-      if (s->msg_callback) {
-        s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, wire,
-                        DTLS1_HM_HEADER_LENGTH, s, s->msg_callback_arg);
-      }
-
-      s->init_num = 0;
-      goto redo;
-    } else {
-      /* Incorrectly formated Hello request */
-      al = SSL_AD_UNEXPECTED_MESSAGE;
-      OPENSSL_PUT_ERROR(SSL, dtls1_get_message_fragment,
-                        SSL_R_UNEXPECTED_MESSAGE);
-      goto f_err;
-    }
+  if (s->msg_callback) {
+    s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
+                    s->init_num + DTLS1_HM_HEADER_LENGTH, s,
+                    s->msg_callback_arg);
   }
 
-  if ((al = dtls1_preprocess_fragment(s, &msg_hdr, max))) {
-    goto f_err;
-  }
+  pitem_free(item);
+  dtls1_hm_fragment_free(frag);
 
-  /* XDTLS:  ressurect this when restart is in place */
   s->state = stn;
-
-  if (frag_len > 0) {
-    uint8_t *p = (uint8_t *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
-
-    i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &p[frag_off], frag_len,
-                                  0);
-    /* XDTLS:  fix this--message fragments cannot span multiple packets */
-    if (i <= 0) {
-      s->rwstate = SSL_READING;
-      *ok = 0;
-      return i;
-    }
-  } else {
-    i = 0;
-  }
-
-  /* XDTLS:  an incorrectly formatted fragment should cause the
-   * handshake to fail */
-  if (i != (int)frag_len) {
-    al = SSL3_AD_ILLEGAL_PARAMETER;
-    OPENSSL_PUT_ERROR(SSL, dtls1_get_message_fragment,
-                      SSL3_AD_ILLEGAL_PARAMETER);
-    goto f_err;
-  }
-
   *ok = 1;
-
-  /* Note that s->init_num is *not* used as current offset in
-   * s->init_buf->data, but as a counter summing up fragments'
-   * lengths: as soon as they sum up to handshake packet
-   * length, we assume we have got all the fragments. */
-  s->init_num = frag_len;
-  return frag_len;
+  return s->init_num;
 
 f_err:
   ssl3_send_alert(s, SSL3_AL_FATAL, al);
-  s->init_num = 0;
-
+err:
+  pitem_free(item);
+  dtls1_hm_fragment_free(frag);
   *ok = 0;
   return -1;
 }
@@ -913,7 +695,7 @@ int dtls1_send_change_cipher_spec(SSL *s, int a, int b) {
 
 int dtls1_read_failed(SSL *s, int code) {
   if (code > 0) {
-    fprintf(stderr, "invalid state reached %s:%d", __FILE__, __LINE__);
+    assert(0);
     return 1;
   }
 
@@ -929,7 +711,7 @@ int dtls1_read_failed(SSL *s, int code) {
     return code;
   }
 
-  return dtls1_handle_timeout(s);
+  return DTLSv1_handle_timeout(s);
 }
 
 int dtls1_get_queue_priority(unsigned short seq, int is_ccs) {
@@ -944,23 +726,82 @@ int dtls1_get_queue_priority(unsigned short seq, int is_ccs) {
   return seq * 2 - is_ccs;
 }
 
+static int dtls1_retransmit_message(SSL *s, hm_fragment *frag) {
+  int ret;
+  /* XDTLS: for now assuming that read/writes are blocking */
+  unsigned long header_length;
+  uint8_t save_write_sequence[8];
+
+  /* assert(s->init_num == 0);
+     assert(s->init_off == 0); */
+
+  if (frag->msg_header.is_ccs) {
+    header_length = DTLS1_CCS_HEADER_LENGTH;
+  } else {
+    header_length = DTLS1_HM_HEADER_LENGTH;
+  }
+
+  memcpy(s->init_buf->data, frag->fragment,
+         frag->msg_header.msg_len + header_length);
+  s->init_num = frag->msg_header.msg_len + header_length;
+
+  dtls1_set_message_header(s, frag->msg_header.type,
+                           frag->msg_header.msg_len, frag->msg_header.seq,
+                           0, frag->msg_header.frag_len);
+
+  /* Save current state. */
+  SSL_AEAD_CTX *aead_write_ctx = s->aead_write_ctx;
+  uint16_t epoch = s->d1->w_epoch;
+
+  /* DTLS renegotiation is unsupported, so only epochs 0 (NULL cipher) and 1
+   * (negotiated cipher) exist. */
+  assert(epoch == 0 || epoch == 1);
+  assert(frag->msg_header.epoch <= epoch);
+  const int fragment_from_previous_epoch = (epoch == 1 &&
+                                            frag->msg_header.epoch == 0);
+  if (fragment_from_previous_epoch) {
+    /* Rewind to the previous epoch.
+     *
+     * TODO(davidben): Instead of swapping out connection-global state, this
+     * logic should pass a "use previous epoch" parameter down to lower-level
+     * functions. */
+    s->d1->w_epoch = frag->msg_header.epoch;
+    s->aead_write_ctx = NULL;
+    memcpy(save_write_sequence, s->s3->write_sequence,
+           sizeof(s->s3->write_sequence));
+    memcpy(s->s3->write_sequence, s->d1->last_write_sequence,
+           sizeof(s->s3->write_sequence));
+  } else {
+    /* Otherwise the messages must be from the same epoch. */
+    assert(frag->msg_header.epoch == epoch);
+  }
+
+  ret = dtls1_do_write(s, frag->msg_header.is_ccs ? SSL3_RT_CHANGE_CIPHER_SPEC
+                                                  : SSL3_RT_HANDSHAKE);
+
+  if (fragment_from_previous_epoch) {
+    /* Restore the current epoch. */
+    s->aead_write_ctx = aead_write_ctx;
+    s->d1->w_epoch = epoch;
+    memcpy(s->d1->last_write_sequence, s->s3->write_sequence,
+           sizeof(s->s3->write_sequence));
+    memcpy(s->s3->write_sequence, save_write_sequence,
+           sizeof(s->s3->write_sequence));
+  }
+
+  (void)BIO_flush(SSL_get_wbio(s));
+  return ret;
+}
+
+
 int dtls1_retransmit_buffered_messages(SSL *s) {
   pqueue sent = s->d1->sent_messages;
-  piterator iter;
+  piterator iter = pqueue_iterator(sent);
   pitem *item;
-  hm_fragment *frag;
-  int found = 0;
-
-  iter = pqueue_iterator(sent);
 
   for (item = pqueue_next(&iter); item != NULL; item = pqueue_next(&iter)) {
-    frag = (hm_fragment *)item->data;
-    if (dtls1_retransmit_message(
-            s, (unsigned short)dtls1_get_queue_priority(
-                   frag->msg_header.seq, frag->msg_header.is_ccs),
-            0, &found) <= 0 &&
-        found) {
-      fprintf(stderr, "dtls1_retransmit_message() failed\n");
+    hm_fragment *frag = (hm_fragment *)item->data;
+    if (dtls1_retransmit_message(s, frag) <= 0) {
       return -1;
     }
   }
@@ -998,11 +839,7 @@ int dtls1_buffer_message(SSL *s, int is_ccs) {
   frag->msg_header.frag_off = 0;
   frag->msg_header.frag_len = s->d1->w_msg_hdr.msg_len;
   frag->msg_header.is_ccs = is_ccs;
-
-  /* save current state*/
-  frag->msg_header.saved_retransmit_state.aead_write_ctx = s->aead_write_ctx;
-  frag->msg_header.saved_retransmit_state.session = s->session;
-  frag->msg_header.saved_retransmit_state.epoch = s->d1->w_epoch;
+  frag->msg_header.epoch = s->d1->w_epoch;
 
   memset(seq64be, 0, sizeof(seq64be));
   seq64be[6] = (uint8_t)(
@@ -1021,85 +858,6 @@ int dtls1_buffer_message(SSL *s, int is_ccs) {
   return 1;
 }
 
-int dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
-                             int *found) {
-  int ret;
-  /* XDTLS: for now assuming that read/writes are blocking */
-  pitem *item;
-  hm_fragment *frag;
-  unsigned long header_length;
-  uint8_t seq64be[8];
-  struct dtls1_retransmit_state saved_state;
-  uint8_t save_write_sequence[8];
-
-  /* assert(s->init_num == 0);
-     assert(s->init_off == 0); */
-
-  /* XDTLS:  the requested message ought to be found, otherwise error */
-  memset(seq64be, 0, sizeof(seq64be));
-  seq64be[6] = (uint8_t)(seq >> 8);
-  seq64be[7] = (uint8_t)seq;
-
-  item = pqueue_find(s->d1->sent_messages, seq64be);
-  if (item == NULL) {
-    fprintf(stderr, "retransmit:  message %d non-existant\n", seq);
-    *found = 0;
-    return 0;
-  }
-
-  *found = 1;
-  frag = (hm_fragment *)item->data;
-
-  if (frag->msg_header.is_ccs) {
-    header_length = DTLS1_CCS_HEADER_LENGTH;
-  } else {
-    header_length = DTLS1_HM_HEADER_LENGTH;
-  }
-
-  memcpy(s->init_buf->data, frag->fragment,
-         frag->msg_header.msg_len + header_length);
-  s->init_num = frag->msg_header.msg_len + header_length;
-
-  dtls1_set_message_header(s, frag->msg_header.type,
-                           frag->msg_header.msg_len, frag->msg_header.seq,
-                           0, frag->msg_header.frag_len);
-
-  /* save current state */
-  saved_state.aead_write_ctx = s->aead_write_ctx;
-  saved_state.session = s->session;
-  saved_state.epoch = s->d1->w_epoch;
-
-  /* restore state in which the message was originally sent */
-  s->aead_write_ctx = frag->msg_header.saved_retransmit_state.aead_write_ctx;
-  s->session = frag->msg_header.saved_retransmit_state.session;
-  s->d1->w_epoch = frag->msg_header.saved_retransmit_state.epoch;
-
-  if (frag->msg_header.saved_retransmit_state.epoch == saved_state.epoch - 1) {
-    memcpy(save_write_sequence, s->s3->write_sequence,
-           sizeof(s->s3->write_sequence));
-    memcpy(s->s3->write_sequence, s->d1->last_write_sequence,
-           sizeof(s->s3->write_sequence));
-  }
-
-  ret = dtls1_do_write(s, frag->msg_header.is_ccs ? SSL3_RT_CHANGE_CIPHER_SPEC
-                                                  : SSL3_RT_HANDSHAKE);
-
-  /* restore current state */
-  s->aead_write_ctx = saved_state.aead_write_ctx;
-  s->session = saved_state.session;
-  s->d1->w_epoch = saved_state.epoch;
-
-  if (frag->msg_header.saved_retransmit_state.epoch == saved_state.epoch - 1) {
-    memcpy(s->d1->last_write_sequence, s->s3->write_sequence,
-           sizeof(s->s3->write_sequence));
-    memcpy(s->s3->write_sequence, save_write_sequence,
-           sizeof(s->s3->write_sequence));
-  }
-
-  (void)BIO_flush(SSL_get_wbio(s));
-  return ret;
-}
-
 /* call this function when the buffered messages are no longer needed */
 void dtls1_clear_record_buffer(SSL *s) {
   pitem *item;
@@ -1160,12 +918,6 @@ void dtls1_get_message_header(uint8_t *data,
   n2l3(data, msg_hdr->frag_len);
 }
 
-void dtls1_get_ccs_header(uint8_t *data, struct ccs_header_st *ccs_hdr) {
-  memset(ccs_hdr, 0x00, sizeof(struct ccs_header_st));
-
-  ccs_hdr->type = *(data++);
-}
-
 int dtls1_shutdown(SSL *s) {
   int ret;
   ret = ssl3_shutdown(s);
diff --git a/src/ssl/d1_clnt.c b/src/ssl/d1_clnt.c
index 3f9e814..1827a67 100644
--- a/src/ssl/d1_clnt.c
+++ b/src/ssl/d1_clnt.c
@@ -114,17 +114,19 @@
 
 #include <assert.h>
 #include <stdio.h>
+#include <string.h>
 
 #include <openssl/bn.h>
 #include <openssl/buf.h>
 #include <openssl/dh.h>
 #include <openssl/evp.h>
+#include <openssl/err.h>
 #include <openssl/md5.h>
 #include <openssl/mem.h>
 #include <openssl/obj.h>
 #include <openssl/rand.h>
 
-#include "ssl_locl.h"
+#include "internal.h"
 
 static int dtls1_get_hello_verify(SSL *s);
 
@@ -156,7 +158,6 @@ int dtls1_connect(SSL *s) {
       case SSL_ST_RENEGOTIATE:
         s->renegotiate = 1;
         s->state = SSL_ST_CONNECT;
-        s->ctx->stats.sess_connect_renegotiate++;
       /* break */
       case SSL_ST_CONNECT:
       case SSL_ST_BEFORE | SSL_ST_CONNECT:
@@ -175,8 +176,7 @@ int dtls1_connect(SSL *s) {
           buf = NULL;
         }
 
-        if (!ssl3_setup_buffers(s) ||
-            !ssl_init_wbio_buffer(s, 0)) {
+        if (!ssl_init_wbio_buffer(s, 0)) {
           ret = -1;
           goto end;
         }
@@ -184,7 +184,6 @@ int dtls1_connect(SSL *s) {
         /* don't push the buffering BIO quite yet */
 
         s->state = SSL3_ST_CW_CLNT_HELLO_A;
-        s->ctx->stats.sess_connect++;
         s->init_num = 0;
         s->d1->send_cookie = 0;
         s->hit = 0;
@@ -458,12 +457,6 @@ int dtls1_connect(SSL *s) {
       case SSL3_ST_CW_FLUSH:
         s->rwstate = SSL_WRITING;
         if (BIO_flush(s->wbio) <= 0) {
-          /* If the write error was fatal, stop trying */
-          if (!BIO_should_retry(s->wbio)) {
-            s->rwstate = SSL_NOTHING;
-            s->state = s->s3->tmp.next_state;
-          }
-
           ret = -1;
           goto end;
         }
@@ -483,15 +476,12 @@ int dtls1_connect(SSL *s) {
         s->new_session = 0;
 
         ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
-        if (s->hit) {
-          s->ctx->stats.sess_hit++;
-        }
 
         ret = 1;
-        s->ctx->stats.sess_connect_good++;
 
-        if (cb != NULL)
+        if (cb != NULL) {
           cb(s, SSL_CB_HANDSHAKE_DONE, 1);
+        }
 
         /* done with handshaking */
         s->d1->handshake_read_seq = 0;
@@ -519,9 +509,7 @@ int dtls1_connect(SSL *s) {
 end:
   s->in_handshake--;
 
-  if (buf != NULL) {
-    BUF_MEM_free(buf);
-  }
+  BUF_MEM_free(buf);
   if (cb != NULL) {
     cb(s, SSL_CB_CONNECT_EXIT, ret);
   }
@@ -538,7 +526,7 @@ static int dtls1_get_hello_verify(SSL *s) {
       s, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B,
       -1,
       /* Use the same maximum size as ssl3_get_server_hello. */
-      20000, SSL_GET_MESSAGE_HASH_MESSAGE, &ok);
+      20000, ssl_hash_message, &ok);
 
   if (!ok) {
     return n;
@@ -556,7 +544,7 @@ static int dtls1_get_hello_verify(SSL *s) {
       !CBS_get_u8_length_prefixed(&hello_verify_request, &cookie) ||
       CBS_len(&hello_verify_request) != 0) {
     al = SSL_AD_DECODE_ERROR;
-    OPENSSL_PUT_ERROR(SSL, ssl3_get_cert_status, SSL_R_DECODE_ERROR);
+    OPENSSL_PUT_ERROR(SSL, dtls1_get_hello_verify, SSL_R_DECODE_ERROR);
     goto f_err;
   }
 
diff --git a/src/ssl/d1_lib.c b/src/ssl/d1_lib.c
index 8244cb9..e53156f 100644
--- a/src/ssl/d1_lib.c
+++ b/src/ssl/d1_lib.c
@@ -58,6 +58,7 @@
 
 #include <limits.h>
 #include <stdio.h>
+#include <string.h>
 
 #if defined(OPENSSL_WINDOWS)
 #include <sys/timeb.h>
@@ -70,51 +71,17 @@
 #include <openssl/mem.h>
 #include <openssl/obj.h>
 
-#include "ssl_locl.h"
-
-static void get_current_time(OPENSSL_timeval *t);
-static OPENSSL_timeval *dtls1_get_timeout(SSL *s, OPENSSL_timeval *timeleft);
-static void dtls1_set_handshake_header(SSL *s, int type, unsigned long len);
-static int dtls1_handshake_write(SSL *s);
-
-const SSL3_ENC_METHOD DTLSv1_enc_data = {
-  tls1_enc,
-  tls1_prf,
-  tls1_setup_key_block,
-  tls1_generate_master_secret,
-  tls1_change_cipher_state,
-  tls1_final_finish_mac,
-  TLS1_FINISH_MAC_LENGTH,
-  tls1_cert_verify_mac,
-  TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
-  TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
-  tls1_alert_code,
-  tls1_export_keying_material,
-  SSL_ENC_FLAG_DTLS|SSL_ENC_FLAG_EXPLICIT_IV,
-  DTLS1_HM_HEADER_LENGTH,
-  dtls1_set_handshake_header,
-  dtls1_handshake_write,
-};
-
-const SSL3_ENC_METHOD DTLSv1_2_enc_data = {
-  tls1_enc,
-  tls1_prf,
-  tls1_setup_key_block,
-  tls1_generate_master_secret,
-  tls1_change_cipher_state,
-  tls1_final_finish_mac,
-  TLS1_FINISH_MAC_LENGTH,
-  tls1_cert_verify_mac,
-  TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
-  TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
-  tls1_alert_code,
-  tls1_export_keying_material,
-  SSL_ENC_FLAG_DTLS | SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS |
-      SSL_ENC_FLAG_SHA256_PRF | SSL_ENC_FLAG_TLS1_2_CIPHERS,
-  DTLS1_HM_HEADER_LENGTH,
-  dtls1_set_handshake_header,
-  dtls1_handshake_write,
-};
+#include "internal.h"
+
+/* DTLS1_MTU_TIMEOUTS is the maximum number of timeouts to expire
+ * before starting to decrease the MTU. */
+#define DTLS1_MTU_TIMEOUTS                     2
+
+/* DTLS1_MAX_TIMEOUTS is the maximum number of timeouts to expire
+ * before failing the DTLS handshake. */
+#define DTLS1_MAX_TIMEOUTS                     12
+
+static void get_current_time(const SSL *ssl, struct timeval *out_clock);
 
 int dtls1_new(SSL *s) {
   DTLS1_STATE *d1;
@@ -129,30 +96,12 @@ int dtls1_new(SSL *s) {
   }
   memset(d1, 0, sizeof *d1);
 
-  d1->unprocessed_rcds.q = pqueue_new();
-  d1->processed_rcds.q = pqueue_new();
   d1->buffered_messages = pqueue_new();
   d1->sent_messages = pqueue_new();
-  d1->buffered_app_data.q = pqueue_new();
 
-  if (!d1->unprocessed_rcds.q || !d1->processed_rcds.q ||
-      !d1->buffered_messages || !d1->sent_messages ||
-      !d1->buffered_app_data.q) {
-    if (d1->unprocessed_rcds.q) {
-      pqueue_free(d1->unprocessed_rcds.q);
-    }
-    if (d1->processed_rcds.q) {
-      pqueue_free(d1->processed_rcds.q);
-    }
-    if (d1->buffered_messages) {
-      pqueue_free(d1->buffered_messages);
-    }
-    if (d1->sent_messages) {
-      pqueue_free(d1->sent_messages);
-    }
-    if (d1->buffered_app_data.q) {
-      pqueue_free(d1->buffered_app_data.q);
-    }
+  if (!d1->buffered_messages || !d1->sent_messages) {
+    pqueue_free(d1->buffered_messages);
+    pqueue_free(d1->sent_messages);
     OPENSSL_free(d1);
     ssl3_free(s);
     return 0;
@@ -172,25 +121,6 @@ int dtls1_new(SSL *s) {
 static void dtls1_clear_queues(SSL *s) {
   pitem *item = NULL;
   hm_fragment *frag = NULL;
-  DTLS1_RECORD_DATA *rdata;
-
-  while ((item = pqueue_pop(s->d1->unprocessed_rcds.q)) != NULL) {
-    rdata = (DTLS1_RECORD_DATA *)item->data;
-    if (rdata->rbuf.buf) {
-      OPENSSL_free(rdata->rbuf.buf);
-    }
-    OPENSSL_free(item->data);
-    pitem_free(item);
-  }
-
-  while ((item = pqueue_pop(s->d1->processed_rcds.q)) != NULL) {
-    rdata = (DTLS1_RECORD_DATA *)item->data;
-    if (rdata->rbuf.buf) {
-      OPENSSL_free(rdata->rbuf.buf);
-    }
-    OPENSSL_free(item->data);
-    pitem_free(item);
-  }
 
   while ((item = pqueue_pop(s->d1->buffered_messages)) != NULL) {
     frag = (hm_fragment *)item->data;
@@ -203,15 +133,6 @@ static void dtls1_clear_queues(SSL *s) {
     dtls1_hm_fragment_free(frag);
     pitem_free(item);
   }
-
-  while ((item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL) {
-    rdata = (DTLS1_RECORD_DATA *)item->data;
-    if (rdata->rbuf.buf) {
-      OPENSSL_free(rdata->rbuf.buf);
-    }
-    OPENSSL_free(item->data);
-    pitem_free(item);
-  }
 }
 
 void dtls1_free(SSL *s) {
@@ -223,40 +144,15 @@ void dtls1_free(SSL *s) {
 
   dtls1_clear_queues(s);
 
-  pqueue_free(s->d1->unprocessed_rcds.q);
-  pqueue_free(s->d1->processed_rcds.q);
   pqueue_free(s->d1->buffered_messages);
   pqueue_free(s->d1->sent_messages);
-  pqueue_free(s->d1->buffered_app_data.q);
 
   OPENSSL_free(s->d1);
   s->d1 = NULL;
 }
 
-long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg) {
-  int ret = 0;
-
-  switch (cmd) {
-    case DTLS_CTRL_GET_TIMEOUT:
-      if (dtls1_get_timeout(s, (OPENSSL_timeval *)parg) != NULL) {
-        ret = 1;
-      }
-      break;
-
-    case DTLS_CTRL_HANDLE_TIMEOUT:
-      ret = dtls1_handle_timeout(s);
-      break;
-
-    default:
-      ret = ssl3_ctrl(s, cmd, larg, parg);
-      break;
-  }
-
-  return ret;
-}
-
-const SSL_CIPHER *dtls1_get_cipher(unsigned int u) {
-  const SSL_CIPHER *ciph = ssl3_get_cipher(u);
+const SSL_CIPHER *dtls1_get_cipher(size_t i) {
+  const SSL_CIPHER *ciph = ssl3_get_cipher(i);
   /* DTLS does not support stream ciphers. */
   if (ciph == NULL || ciph->algorithm_enc == SSL_RC4) {
     return NULL;
@@ -272,7 +168,7 @@ void dtls1_start_timer(SSL *s) {
   }
 
   /* Set timeout to current time */
-  get_current_time(&s->d1->next_timeout);
+  get_current_time(s, &s->d1->next_timeout);
 
   /* Add duration to current time */
   s->d1->next_timeout.tv_sec += s->d1->timeout_duration;
@@ -280,48 +176,51 @@ void dtls1_start_timer(SSL *s) {
            &s->d1->next_timeout);
 }
 
-static OPENSSL_timeval *dtls1_get_timeout(SSL *s, OPENSSL_timeval *timeleft) {
-  OPENSSL_timeval timenow;
+int DTLSv1_get_timeout(const SSL *ssl, struct timeval *out) {
+  if (!SSL_IS_DTLS(ssl)) {
+    return 0;
+  }
 
   /* If no timeout is set, just return NULL */
-  if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) {
-    return NULL;
+  if (ssl->d1->next_timeout.tv_sec == 0 && ssl->d1->next_timeout.tv_usec == 0) {
+    return 0;
   }
 
   /* Get current time */
-  get_current_time(&timenow);
+  struct timeval timenow;
+  get_current_time(ssl, &timenow);
 
   /* If timer already expired, set remaining time to 0 */
-  if (s->d1->next_timeout.tv_sec < timenow.tv_sec ||
-      (s->d1->next_timeout.tv_sec == timenow.tv_sec &&
-       s->d1->next_timeout.tv_usec <= timenow.tv_usec)) {
-    memset(timeleft, 0, sizeof(OPENSSL_timeval));
-    return timeleft;
+  if (ssl->d1->next_timeout.tv_sec < timenow.tv_sec ||
+      (ssl->d1->next_timeout.tv_sec == timenow.tv_sec &&
+       ssl->d1->next_timeout.tv_usec <= timenow.tv_usec)) {
+    memset(out, 0, sizeof(struct timeval));
+    return 1;
   }
 
   /* Calculate time left until timer expires */
-  memcpy(timeleft, &s->d1->next_timeout, sizeof(OPENSSL_timeval));
-  timeleft->tv_sec -= timenow.tv_sec;
-  timeleft->tv_usec -= timenow.tv_usec;
-  if (timeleft->tv_usec < 0) {
-    timeleft->tv_sec--;
-    timeleft->tv_usec += 1000000;
+  memcpy(out, &ssl->d1->next_timeout, sizeof(struct timeval));
+  out->tv_sec -= timenow.tv_sec;
+  out->tv_usec -= timenow.tv_usec;
+  if (out->tv_usec < 0) {
+    out->tv_sec--;
+    out->tv_usec += 1000000;
   }
 
   /* If remaining time is less than 15 ms, set it to 0 to prevent issues
    * because of small devergences with socket timeouts. */
-  if (timeleft->tv_sec == 0 && timeleft->tv_usec < 15000) {
-    memset(timeleft, 0, sizeof(OPENSSL_timeval));
+  if (out->tv_sec == 0 && out->tv_usec < 15000) {
+    memset(out, 0, sizeof(struct timeval));
   }
 
-  return timeleft;
+  return 1;
 }
 
 int dtls1_is_timer_expired(SSL *s) {
-  OPENSSL_timeval timeleft;
+  struct timeval timeleft;
 
   /* Get time left until timeout, return false if no timer running */
-  if (dtls1_get_timeout(s, &timeleft) == NULL) {
+  if (!DTLSv1_get_timeout(s, &timeleft)) {
     return 0;
   }
 
@@ -344,8 +243,8 @@ void dtls1_double_timeout(SSL *s) {
 
 void dtls1_stop_timer(SSL *s) {
   /* Reset everything */
-  memset(&(s->d1->timeout), 0, sizeof(struct dtls1_timeout_st));
-  memset(&s->d1->next_timeout, 0, sizeof(OPENSSL_timeval));
+  s->d1->num_timeouts = 0;
+  memset(&s->d1->next_timeout, 0, sizeof(struct timeval));
   s->d1->timeout_duration = 1;
   BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0,
            &s->d1->next_timeout);
@@ -354,10 +253,10 @@ void dtls1_stop_timer(SSL *s) {
 }
 
 int dtls1_check_timeout_num(SSL *s) {
-  s->d1->timeout.num_alerts++;
+  s->d1->num_timeouts++;
 
   /* Reduce MTU after 2 unsuccessful retransmissions */
-  if (s->d1->timeout.num_alerts > 2 &&
+  if (s->d1->num_timeouts > DTLS1_MTU_TIMEOUTS &&
       !(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)) {
     long mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0,
                         NULL);
@@ -366,7 +265,7 @@ int dtls1_check_timeout_num(SSL *s) {
     }
   }
 
-  if (s->d1->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT) {
+  if (s->d1->num_timeouts > DTLS1_MAX_TIMEOUTS) {
     /* fail the connection, enough alerts have been sent */
     OPENSSL_PUT_ERROR(SSL, dtls1_check_timeout_num, SSL_R_READ_TIMEOUT_EXPIRED);
     return -1;
@@ -375,39 +274,43 @@ int dtls1_check_timeout_num(SSL *s) {
   return 0;
 }
 
-int dtls1_handle_timeout(SSL *s) {
+int DTLSv1_handle_timeout(SSL *ssl) {
+  if (!SSL_IS_DTLS(ssl)) {
+    return -1;
+  }
+
   /* if no timer is expired, don't do anything */
-  if (!dtls1_is_timer_expired(s)) {
+  if (!dtls1_is_timer_expired(ssl)) {
     return 0;
   }
 
-  dtls1_double_timeout(s);
+  dtls1_double_timeout(ssl);
 
-  if (dtls1_check_timeout_num(s) < 0) {
+  if (dtls1_check_timeout_num(ssl) < 0) {
     return -1;
   }
 
-  s->d1->timeout.read_timeouts++;
-  if (s->d1->timeout.read_timeouts > DTLS1_TMO_READ_COUNT) {
-    s->d1->timeout.read_timeouts = 1;
-  }
-
-  dtls1_start_timer(s);
-  return dtls1_retransmit_buffered_messages(s);
+  dtls1_start_timer(ssl);
+  return dtls1_retransmit_buffered_messages(ssl);
 }
 
-static void get_current_time(OPENSSL_timeval *t) {
+static void get_current_time(const SSL *ssl, struct timeval *out_clock) {
+  if (ssl->ctx->current_time_cb != NULL) {
+    ssl->ctx->current_time_cb(ssl, out_clock);
+    return;
+  }
+
 #if defined(OPENSSL_WINDOWS)
   struct _timeb time;
   _ftime(&time);
-  t->tv_sec = time.time;
-  t->tv_usec = time.millitm * 1000;
+  out_clock->tv_sec = time.time;
+  out_clock->tv_usec = time.millitm * 1000;
 #else
-  gettimeofday(t, NULL);
+  gettimeofday(out_clock, NULL);
 #endif
 }
 
-static void dtls1_set_handshake_header(SSL *s, int htype, unsigned long len) {
+int dtls1_set_handshake_header(SSL *s, int htype, unsigned long len) {
   uint8_t *message = (uint8_t *)s->init_buf->data;
   const struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;
   uint8_t serialised_header[DTLS1_HM_HEADER_LENGTH];
@@ -430,10 +333,10 @@ static void dtls1_set_handshake_header(SSL *s, int htype, unsigned long len) {
   s2n(msg_hdr->seq, p);
   l2n3(0, p);
   l2n3(msg_hdr->msg_len, p);
-  ssl3_finish_mac(s, serialised_header, sizeof(serialised_header));
-  ssl3_finish_mac(s, message + DTLS1_HM_HEADER_LENGTH, len);
+  return ssl3_finish_mac(s, serialised_header, sizeof(serialised_header)) &&
+         ssl3_finish_mac(s, message + DTLS1_HM_HEADER_LENGTH, len);
 }
 
-static int dtls1_handshake_write(SSL *s) {
+int dtls1_handshake_write(SSL *s) {
   return dtls1_do_write(s, SSL3_RT_HANDSHAKE);
 }
diff --git a/src/ssl/d1_meth.c b/src/ssl/d1_meth.c
index a894222..a11fbdd 100644
--- a/src/ssl/d1_meth.c
+++ b/src/ssl/d1_meth.c
@@ -55,32 +55,33 @@
  * (eay@cryptsoft.com).  This product includes software written by Tim
  * Hudson (tjh@cryptsoft.com). */
 
-#include "ssl_locl.h"
+#include "internal.h"
 
 
 static const SSL_PROTOCOL_METHOD DTLS_protocol_method = {
-  dtls1_new,
-  dtls1_free,
-  dtls1_accept,
-  dtls1_connect,
-  ssl3_read,
-  ssl3_peek,
-  ssl3_write,
-  dtls1_shutdown,
-  ssl3_renegotiate,
-  ssl3_renegotiate_check,
-  dtls1_get_message,
-  dtls1_read_bytes,
-  dtls1_write_app_data_bytes,
-  dtls1_dispatch_alert,
-  dtls1_ctrl,
-  ssl3_ctx_ctrl,
-  ssl3_pending,
-  ssl3_num_ciphers,
-  dtls1_get_cipher,
-  ssl_undefined_void_function,
-  ssl3_callback_ctrl,
-  ssl3_ctx_callback_ctrl,
+    1 /* is_dtls */,
+    dtls1_new,
+    dtls1_free,
+    dtls1_accept,
+    dtls1_connect,
+    ssl3_read,
+    ssl3_peek,
+    ssl3_write,
+    dtls1_shutdown,
+    ssl3_renegotiate,
+    ssl3_renegotiate_check,
+    dtls1_get_message,
+    dtls1_read_bytes,
+    dtls1_write_app_data_bytes,
+    dtls1_dispatch_alert,
+    ssl3_ctrl,
+    ssl3_ctx_ctrl,
+    ssl3_pending,
+    ssl3_num_ciphers,
+    dtls1_get_cipher,
+    DTLS1_HM_HEADER_LENGTH,
+    dtls1_set_handshake_header,
+    dtls1_handshake_write,
 };
 
 const SSL_METHOD *DTLS_method(void) {
diff --git a/src/ssl/d1_pkt.c b/src/ssl/d1_pkt.c
index a77ad4e..9e056ac 100644
--- a/src/ssl/d1_pkt.c
+++ b/src/ssl/d1_pkt.c
@@ -109,9 +109,9 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.] */
 
-#include <stdio.h>
-#include <errno.h>
 #include <assert.h>
+#include <stdio.h>
+#include <string.h>
 
 #include <openssl/buf.h>
 #include <openssl/mem.h>
@@ -119,7 +119,7 @@
 #include <openssl/err.h>
 #include <openssl/rand.h>
 
-#include "ssl_locl.h"
+#include "internal.h"
 
 
 /* mod 128 saturating subtract of two 64-bit values in big-endian order */
@@ -181,152 +181,12 @@ static int satsub64be(const uint8_t *v1, const uint8_t *v2) {
   }
 }
 
-static int have_handshake_fragment(SSL *s, int type, uint8_t *buf, int len,
-                                   int peek);
 static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap);
 static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap);
-static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr,
-                                      unsigned int *is_next_epoch);
-static int dtls1_buffer_record(SSL *s, record_pqueue *q,
-                               uint8_t *priority);
 static int dtls1_process_record(SSL *s);
 static int do_dtls1_write(SSL *s, int type, const uint8_t *buf,
                           unsigned int len);
 
-/* copy buffered record into SSL structure */
-static int dtls1_copy_record(SSL *s, pitem *item) {
-  DTLS1_RECORD_DATA *rdata;
-
-  rdata = (DTLS1_RECORD_DATA *)item->data;
-
-  if (s->s3->rbuf.buf != NULL) {
-    OPENSSL_free(s->s3->rbuf.buf);
-  }
-
-  s->packet = rdata->packet;
-  s->packet_length = rdata->packet_length;
-  memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER));
-  memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));
-
-  /* Set proper sequence number for mac calculation */
-  memcpy(&(s->s3->read_sequence[2]), &(rdata->packet[5]), 6);
-
-  return 1;
-}
-
-static int dtls1_buffer_record(SSL *s, record_pqueue *queue,
-                               uint8_t *priority) {
-  DTLS1_RECORD_DATA *rdata;
-  pitem *item;
-
-  /* Limit the size of the queue to prevent DOS attacks */
-  if (pqueue_size(queue->q) >= 100) {
-    return 0;
-  }
-
-  rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
-  item = pitem_new(priority, rdata);
-  if (rdata == NULL || item == NULL) {
-    if (rdata != NULL) {
-      OPENSSL_free(rdata);
-    }
-    if (item != NULL) {
-      pitem_free(item);
-    }
-
-    OPENSSL_PUT_ERROR(SSL, dtls1_buffer_record, ERR_R_INTERNAL_ERROR);
-    return -1;
-  }
-
-  rdata->packet = s->packet;
-  rdata->packet_length = s->packet_length;
-  memcpy(&(rdata->rbuf), &(s->s3->rbuf), sizeof(SSL3_BUFFER));
-  memcpy(&(rdata->rrec), &(s->s3->rrec), sizeof(SSL3_RECORD));
-
-  item->data = rdata;
-
-  s->packet = NULL;
-  s->packet_length = 0;
-  memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER));
-  memset(&(s->s3->rrec), 0, sizeof(SSL3_RECORD));
-
-  if (!ssl3_setup_buffers(s)) {
-    goto internal_error;
-  }
-
-  /* insert should not fail, since duplicates are dropped */
-  if (pqueue_insert(queue->q, item) == NULL) {
-    goto internal_error;
-  }
-
-  return 1;
-
-internal_error:
-  OPENSSL_PUT_ERROR(SSL, dtls1_buffer_record, ERR_R_INTERNAL_ERROR);
-  if (rdata->rbuf.buf != NULL) {
-    OPENSSL_free(rdata->rbuf.buf);
-  }
-  OPENSSL_free(rdata);
-  pitem_free(item);
-  return -1;
-}
-
-static int dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue) {
-  pitem *item;
-
-  item = pqueue_pop(queue->q);
-  if (item) {
-    dtls1_copy_record(s, item);
-
-    OPENSSL_free(item->data);
-    pitem_free(item);
-
-    return 1;
-  }
-
-  return 0;
-}
-
-/* retrieve a buffered record that belongs to the new epoch, i.e., not
- * processed yet */
-#define dtls1_get_unprocessed_record(s) \
-  dtls1_retrieve_buffered_record((s), &((s)->d1->unprocessed_rcds))
-
-/* retrieve a buffered record that belongs to the current epoch, i.e.,
- * processed */
-#define dtls1_get_processed_record(s) \
-  dtls1_retrieve_buffered_record((s), &((s)->d1->processed_rcds))
-
-static int dtls1_process_buffered_records(SSL *s) {
-  pitem *item;
-
-  item = pqueue_peek(s->d1->unprocessed_rcds.q);
-  if (item) {
-    /* Check if epoch is current. */
-    if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch) {
-      return 1; /* Nothing to do. */
-    }
-
-    /* Process all the records. */
-    while (pqueue_peek(s->d1->unprocessed_rcds.q)) {
-      dtls1_get_unprocessed_record(s);
-      if (!dtls1_process_record(s)) {
-        return 0;
-      }
-      if (dtls1_buffer_record(s, &(s->d1->processed_rcds),
-                              s->s3->rrec.seq_num) < 0) {
-        return -1;
-      }
-    }
-  }
-
-  /* sync epoch numbers once all the unprocessed records have been processed */
-  s->d1->processed_rcds.epoch = s->d1->r_epoch;
-  s->d1->unprocessed_rcds.epoch = s->d1->r_epoch + 1;
-
-  return 1;
-}
-
 static int dtls1_process_record(SSL *s) {
   int al;
   SSL3_RECORD *rr;
@@ -405,28 +265,15 @@ int dtls1_get_record(SSL *s) {
   SSL3_RECORD *rr;
   unsigned char *p = NULL;
   unsigned short version;
-  DTLS1_BITMAP *bitmap;
-  unsigned int is_next_epoch;
 
   rr = &(s->s3->rrec);
 
-  /* The epoch may have changed. If so, process all the pending records. This
-   * is a non-blocking operation. */
-  if (dtls1_process_buffered_records(s) < 0) {
-    return -1;
-  }
-
-  /* If we're renegotiating, then there may be buffered records. */
-  if (dtls1_get_processed_record(s)) {
-    return 1;
-  }
-
   /* get something from the wire */
 again:
   /* check if we have the header */
   if ((s->rstate != SSL_ST_READ_BODY) ||
       (s->packet_length < DTLS1_RT_HEADER_LENGTH)) {
-    n = ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);
+    n = ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, 0);
     /* read timeout is handled by dtls1_read_bytes */
     if (n <= 0) {
       return n; /* error or non-blocking */
@@ -498,7 +345,7 @@ again:
   if (rr->length > s->packet_length - DTLS1_RT_HEADER_LENGTH) {
     /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */
     i = rr->length;
-    n = ssl3_read_n(s, i, i, 1);
+    n = ssl3_read_n(s, i, 1);
     if (n <= 0) {
       return n; /* error or non-blocking io */
     }
@@ -515,16 +362,17 @@ again:
   }
   s->rstate = SSL_ST_READ_HEADER; /* set state for later operations */
 
-  /* match epochs.  NULL means the packet is dropped on the floor */
-  bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
-  if (bitmap == NULL) {
+  if (rr->epoch != s->d1->r_epoch) {
+    /* This record is from the wrong epoch. If it is the next epoch, it could be
+     * buffered. For simplicity, drop it and expect retransmit to handle it
+     * later; DTLS is supposed to handle packet loss. */
     rr->length = 0;
-    s->packet_length = 0; /* dump this record */
-    goto again;           /* get another record */
+    s->packet_length = 0;
+    goto again;
   }
 
   /* Check whether this is a repeat, or aged record. */
-  if (!dtls1_record_replay_check(s, bitmap)) {
+  if (!dtls1_record_replay_check(s, &s->d1->bitmap)) {
     rr->length = 0;
     s->packet_length = 0; /* dump this record */
     goto again;           /* get another record */
@@ -535,28 +383,12 @@ again:
     goto again;
   }
 
-  /* If this record is from the next epoch (either HM or ALERT),
-   * and a handshake is currently in progress, buffer it since it
-   * cannot be processed at this time.
-   */
-  if (is_next_epoch) {
-    if (SSL_in_init(s) || s->in_handshake) {
-      if (dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num) < 0) {
-        return -1;
-      }
-      dtls1_record_bitmap_update(s, bitmap); /* Mark receipt of record. */
-    }
-    rr->length = 0;
-    s->packet_length = 0;
-    goto again;
-  }
-
   if (!dtls1_process_record(s)) {
     rr->length = 0;
     s->packet_length = 0; /* dump this record */
     goto again;           /* get another record */
   }
-  dtls1_record_bitmap_update(s, bitmap); /* Mark receipt of record. */
+  dtls1_record_bitmap_update(s, &s->d1->bitmap); /* Mark receipt of record. */
 
   return 1;
 }
@@ -589,15 +421,11 @@ again:
  *             none of our business
  */
 int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) {
-  int al, i, j, ret;
+  int al, i, ret;
   unsigned int n;
   SSL3_RECORD *rr;
   void (*cb)(const SSL *ssl, int type2, int val) = NULL;
 
-  if (s->s3->rbuf.buf == NULL && !ssl3_setup_buffers(s)) {
-      return -1;
-  }
-
   /* XXX: check what the second '&& type' is about */
   if ((type && (type != SSL3_RT_APPLICATION_DATA) &&
        (type != SSL3_RT_HANDSHAKE) && type) ||
@@ -606,14 +434,6 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) {
     return -1;
   }
 
-  /* check whether there's a handshake message (client hello?) waiting */
-  ret = have_handshake_fragment(s, type, buf, len, peek);
-  if (ret) {
-    return ret;
-  }
-
-  /* Now s->d1->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */
-
   if (!s->in_handshake && SSL_in_init(s)) {
     /* type == SSL3_RT_APPLICATION_DATA */
     i = s->handshake_func(s);
@@ -635,23 +455,8 @@ start:
    * s->s3->rrec.length   - number of bytes. */
   rr = &s->s3->rrec;
 
-  /* We are not handshaking and have no data yet,
-   * so process data buffered during the last handshake
-   * in advance, if any.
-   */
-  if (s->state == SSL_ST_OK && rr->length == 0) {
-    pitem *item;
-    item = pqueue_pop(s->d1->buffered_app_data.q);
-    if (item) {
-      dtls1_copy_record(s, item);
-
-      OPENSSL_free(item->data);
-      pitem_free(item);
-    }
-  }
-
   /* Check for timeout */
-  if (dtls1_handle_timeout(s) > 0) {
+  if (DTLSv1_handle_timeout(s) > 0) {
     goto start;
   }
 
@@ -673,14 +478,11 @@ start:
 
   /* |change_cipher_spec is set when we receive a ChangeCipherSpec and reset by
    * ssl3_get_finished. */
-  if (s->s3->change_cipher_spec && rr->type != SSL3_RT_HANDSHAKE) {
-    /* We now have application data between CCS and Finished. Most likely the
-     * packets were reordered on their way, so buffer the application data for
-     * later processing rather than dropping the connection. */
-    if (dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num) < 0) {
-      OPENSSL_PUT_ERROR(SSL, dtls1_read_bytes, ERR_R_INTERNAL_ERROR);
-      return -1;
-    }
+  if (s->s3->change_cipher_spec && rr->type != SSL3_RT_HANDSHAKE &&
+      rr->type != SSL3_RT_ALERT) {
+    /* We now have an unexpected record between CCS and Finished. Most likely
+     * the packets were reordered on their way. DTLS is unreliable, so drop the
+     * packet and expect the peer to retransmit. */
     rr->length = 0;
     goto start;
   }
@@ -729,118 +531,25 @@ start:
     return n;
   }
 
-  /* If we get here, then type != rr->type; if we have a handshake message,
-   * then it was unexpected (Hello Request or Client Hello). */
-
-  /* In case of record types for which we have 'fragment' storage, fill that so
-   * that we can process the data at a fixed place. */
-  {
-    unsigned int k, dest_maxlen = 0;
-    uint8_t *dest = NULL;
-    unsigned int *dest_len = NULL;
-
-    if (rr->type == SSL3_RT_HANDSHAKE) {
-      dest_maxlen = sizeof s->d1->handshake_fragment;
-      dest = s->d1->handshake_fragment;
-      dest_len = &s->d1->handshake_fragment_len;
-    } else if (rr->type == SSL3_RT_ALERT) {
-      dest_maxlen = sizeof(s->d1->alert_fragment);
-      dest = s->d1->alert_fragment;
-      dest_len = &s->d1->alert_fragment_len;
-    }
-    /* else it's a CCS message, or application data or wrong */
-    else if (rr->type != SSL3_RT_CHANGE_CIPHER_SPEC) {
-      /* Application data while renegotiating is allowed. Try again reading. */
-      if (rr->type == SSL3_RT_APPLICATION_DATA) {
-        BIO *bio;
-        s->s3->in_read_app_data = 2;
-        bio = SSL_get_rbio(s);
-        s->rwstate = SSL_READING;
-        BIO_clear_retry_flags(bio);
-        BIO_set_retry_read(bio);
-        return -1;
-      }
-
-      /* Not certain if this is the right error handling */
-      al = SSL_AD_UNEXPECTED_MESSAGE;
-      OPENSSL_PUT_ERROR(SSL, dtls1_read_bytes, SSL_R_UNEXPECTED_RECORD);
-      goto f_err;
-    }
-
-    if (dest_maxlen > 0) {
-      /* XDTLS:  In a pathalogical case, the Client Hello
-       *  may be fragmented--don't always expect dest_maxlen bytes */
-      if (rr->length < dest_maxlen) {
-        s->rstate = SSL_ST_READ_HEADER;
-        rr->length = 0;
-        goto start;
-      }
-
-      /* now move 'n' bytes: */
-      for (k = 0; k < dest_maxlen; k++) {
-        dest[k] = rr->data[rr->off++];
-        rr->length--;
-      }
-      *dest_len = dest_maxlen;
-    }
-  }
-
-  /* s->d1->handshake_fragment_len == 12  iff  rr->type == SSL3_RT_HANDSHAKE;
-   * s->d1->alert_fragment_len == 7      iff  rr->type == SSL3_RT_ALERT.
-   * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */
-
-  /* If we are a client, check for an incoming 'Hello Request': */
-  if (!s->server && s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH &&
-      s->d1->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST &&
-      s->session != NULL && s->session->cipher != NULL) {
-    s->d1->handshake_fragment_len = 0;
+  /* If we get here, then type != rr->type. */
 
-    if ((s->d1->handshake_fragment[1] != 0) ||
-        (s->d1->handshake_fragment[2] != 0) ||
-        (s->d1->handshake_fragment[3] != 0)) {
+  /* If an alert record, process one alert out of the record. Note that we allow
+   * a single record to contain multiple alerts. */
+  if (rr->type == SSL3_RT_ALERT) {
+    /* Alerts may not be fragmented. */
+    if (rr->length < 2) {
       al = SSL_AD_DECODE_ERROR;
-      OPENSSL_PUT_ERROR(SSL, dtls1_read_bytes, SSL_R_BAD_HELLO_REQUEST);
+      OPENSSL_PUT_ERROR(SSL, dtls1_read_bytes, SSL_R_BAD_ALERT);
       goto f_err;
     }
 
-    /* no need to check sequence number on HELLO REQUEST messages */
-
-    if (s->msg_callback) {
-      s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
-                      s->d1->handshake_fragment, 4, s, s->msg_callback_arg);
-    }
-
-    if (SSL_is_init_finished(s) && !s->s3->renegotiate) {
-      s->d1->handshake_read_seq++;
-      s->new_session = 1;
-      ssl3_renegotiate(s);
-      if (ssl3_renegotiate_check(s)) {
-        i = s->handshake_func(s);
-        if (i < 0) {
-          return i;
-        }
-        if (i == 0) {
-          OPENSSL_PUT_ERROR(SSL, dtls1_read_bytes, SSL_R_SSL_HANDSHAKE_FAILURE);
-          return -1;
-        }
-      }
-    }
-
-    /* we either finished a handshake or ignored the request, now try again to
-     * obtain the (application) data we were asked for */
-    goto start;
-  }
-
-  if (s->d1->alert_fragment_len >= DTLS1_AL_HEADER_LENGTH) {
-    int alert_level = s->d1->alert_fragment[0];
-    int alert_descr = s->d1->alert_fragment[1];
-
-    s->d1->alert_fragment_len = 0;
-
     if (s->msg_callback) {
-      s->msg_callback(0, s->version, SSL3_RT_ALERT, s->d1->alert_fragment, 2, s,
+      s->msg_callback(0, s->version, SSL3_RT_ALERT, &rr->data[rr->off], 2, s,
                       s->msg_callback_arg);
     }
+    const uint8_t alert_level = rr->data[rr->off++];
+    const uint8_t alert_descr = rr->data[rr->off++];
+    rr->length -= 2;
 
     if (s->info_callback != NULL) {
       cb = s->info_callback;
@@ -849,17 +558,17 @@ start:
     }
 
     if (cb != NULL) {
-      j = (alert_level << 8) | alert_descr;
-      cb(s, SSL_CB_READ_ALERT, j);
+      uint16_t alert = (alert_level << 8) | alert_descr;
+      cb(s, SSL_CB_READ_ALERT, alert);
     }
 
-    if (alert_level == 1) { /* warning */
+    if (alert_level == SSL3_AL_WARNING) {
       s->s3->warn_alert = alert_descr;
       if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
         s->shutdown |= SSL_RECEIVED_SHUTDOWN;
         return 0;
       }
-    } else if (alert_level == 2) { /* fatal */
+    } else if (alert_level == SSL3_AL_FATAL) {
       char tmp[16];
 
       s->rwstate = SSL_NOTHING;
@@ -888,16 +597,9 @@ start:
   }
 
   if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) {
-    struct ccs_header_st ccs_hdr;
-    unsigned int ccs_hdr_len = DTLS1_CCS_HEADER_LENGTH;
-
-    dtls1_get_ccs_header(rr->data, &ccs_hdr);
-
-    /* 'Change Cipher Spec' is just a single byte, so we know
-     * exactly what the record payload has to look like */
-    /* XDTLS: check that epoch is consistent */
-    if ((rr->length != ccs_hdr_len) || (rr->off != 0) ||
-        (rr->data[0] != SSL3_MT_CCS)) {
+    /* 'Change Cipher Spec' is just a single byte, so we know exactly what the
+     * record payload has to look like */
+    if (rr->length != 1 || rr->off != 0 || rr->data[0] != SSL3_MT_CCS) {
       al = SSL_AD_ILLEGAL_PARAMETER;
       OPENSSL_PUT_ERROR(SSL, dtls1_read_bytes, SSL_R_BAD_CHANGE_CIPHER_SPEC);
       goto f_err;
@@ -930,91 +632,41 @@ start:
     goto start;
   }
 
-  /* Unexpected handshake message (Client Hello, or protocol violation) */
-  if ((s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) &&
-      !s->in_handshake) {
-    struct hm_header_st msg_hdr;
-
-    /* this may just be a stale retransmit */
-    dtls1_get_message_header(rr->data, &msg_hdr);
-    if (rr->epoch != s->d1->r_epoch) {
-      rr->length = 0;
-      goto start;
+  /* Unexpected handshake message. It may be a retransmitted Finished (the only
+   * post-CCS message). Otherwise, it's a pre-CCS handshake message from an
+   * unsupported renegotiation attempt. */
+  if (rr->type == SSL3_RT_HANDSHAKE && !s->in_handshake) {
+    if (rr->length < DTLS1_HM_HEADER_LENGTH) {
+      al = SSL_AD_DECODE_ERROR;
+      OPENSSL_PUT_ERROR(SSL, dtls1_read_bytes, SSL_R_BAD_HANDSHAKE_RECORD);
+      goto f_err;
     }
+    struct hm_header_st msg_hdr;
+    dtls1_get_message_header(&rr->data[rr->off], &msg_hdr);
 
-    /* If we are server, we may have a repeated FINISHED of the client here,
-     * then retransmit our CCS and FINISHED. */
+    /* Ignore a stray Finished from the previous handshake. */
     if (msg_hdr.type == SSL3_MT_FINISHED) {
-      if (dtls1_check_timeout_num(s) < 0) {
-        return -1;
+      if (msg_hdr.frag_off == 0) {
+        /* Retransmit our last flight of messages. If the peer sends the second
+         * Finished, they may not have received ours. Only do this for the
+         * first fragment, in case the Finished was fragmented. */
+        if (dtls1_check_timeout_num(s) < 0) {
+          return -1;
+        }
+
+        dtls1_retransmit_buffered_messages(s);
       }
 
-      dtls1_retransmit_buffered_messages(s);
       rr->length = 0;
       goto start;
     }
-
-    if ((s->state & SSL_ST_MASK) == SSL_ST_OK) {
-      s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
-      s->renegotiate = 1;
-      s->new_session = 1;
-    }
-    i = s->handshake_func(s);
-    if (i < 0) {
-      return i;
-    }
-    if (i == 0) {
-      OPENSSL_PUT_ERROR(SSL, dtls1_read_bytes, SSL_R_SSL_HANDSHAKE_FAILURE);
-      return -1;
-    }
-
-    goto start;
   }
 
-  switch (rr->type) {
-    default:
-      /* TLS just ignores unknown message types */
-      if (s->version == TLS1_VERSION) {
-        rr->length = 0;
-        goto start;
-      }
-      al = SSL_AD_UNEXPECTED_MESSAGE;
-      OPENSSL_PUT_ERROR(SSL, dtls1_read_bytes, SSL_R_UNEXPECTED_RECORD);
-      goto f_err;
-
-    case SSL3_RT_CHANGE_CIPHER_SPEC:
-    case SSL3_RT_ALERT:
-    case SSL3_RT_HANDSHAKE:
-      /* we already handled all of these, with the possible exception of
-       * SSL3_RT_HANDSHAKE when s->in_handshake is set, but that should not
-       * happen when type != rr->type */
-      al = SSL_AD_UNEXPECTED_MESSAGE;
-      OPENSSL_PUT_ERROR(SSL, dtls1_read_bytes, ERR_R_INTERNAL_ERROR);
-      goto f_err;
-
-    case SSL3_RT_APPLICATION_DATA:
-      /* At this point, we were expecting handshake data, but have application
-       * data. If the library was running inside ssl3_read() (i.e.
-       * in_read_app_data is set) and it makes sense to read application data
-       * at this point (session renegotiation not yet started), we will indulge
-       * it. */
-      if (s->s3->in_read_app_data && (s->s3->total_renegotiations != 0) &&
-          (((s->state & SSL_ST_CONNECT) &&
-            (s->state >= SSL3_ST_CW_CLNT_HELLO_A) &&
-            (s->state <= SSL3_ST_CR_SRVR_HELLO_A)) ||
-           ((s->state & SSL_ST_ACCEPT) &&
-            (s->state <= SSL3_ST_SW_HELLO_REQ_A) &&
-            (s->state >= SSL3_ST_SR_CLNT_HELLO_A)))) {
-        s->s3->in_read_app_data = 2;
-        return -1;
-      } else {
-        al = SSL_AD_UNEXPECTED_MESSAGE;
-        OPENSSL_PUT_ERROR(SSL, dtls1_read_bytes, SSL_R_UNEXPECTED_RECORD);
-        goto f_err;
-      }
-  }
+  /* We already handled these. */
+  assert(rr->type != SSL3_RT_CHANGE_CIPHER_SPEC && rr->type != SSL3_RT_ALERT);
 
-  /* not reached */
+  al = SSL_AD_UNEXPECTED_MESSAGE;
+  OPENSSL_PUT_ERROR(SSL, dtls1_read_bytes, SSL_R_UNEXPECTED_RECORD);
 
 f_err:
   ssl3_send_alert(s, SSL3_AL_FATAL, al);
@@ -1047,35 +699,6 @@ int dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len) {
   return i;
 }
 
-
-/* this only happens when a client hello is received and a handshake is
- * started. */
-static int have_handshake_fragment(SSL *s, int type, uint8_t *buf,
-                                   int len, int peek) {
-  if (type == SSL3_RT_HANDSHAKE && s->d1->handshake_fragment_len > 0) {
-    /* (partially) satisfy request from storage */
-    uint8_t *src = s->d1->handshake_fragment;
-    uint8_t *dst = buf;
-    unsigned int k, n;
-
-    /* peek == 0 */
-    n = 0;
-    while (len > 0 && s->d1->handshake_fragment_len > 0) {
-      *dst++ = *src++;
-      len--;
-      s->d1->handshake_fragment_len--;
-      n++;
-    }
-    /* move any remaining fragment bytes: */
-    for (k = 0; k < s->d1->handshake_fragment_len; k++) {
-      s->d1->handshake_fragment[k] = *src++;
-    }
-    return n;
-  }
-
-  return 0;
-}
-
 /* Call this to write data in records of type 'type' It will return <= 0 if not
  * all data has been sent or non-blocking IO. */
 int dtls1_write_bytes(SSL *s, int type, const void *buf, int len) {
@@ -1096,12 +719,9 @@ static int do_dtls1_write(SSL *s, int type, const uint8_t *buf,
   SSL3_RECORD *wr;
   SSL3_BUFFER *wb;
 
-  /* first check if there is a SSL3_BUFFER still being written
-   * out.  This will happen with non blocking IO */
-  if (s->s3->wbuf.left != 0) {
-    assert(0); /* XDTLS:  want to see if we ever get here */
-    return ssl3_write_pending(s, type, buf, len);
-  }
+  /* ssl3_write_pending drops the write if |BIO_write| fails in DTLS, so there
+   * is never pending data. */
+  assert(s->s3->wbuf.left == 0);
 
   /* If we have an alert to send, lets send it */
   if (s->s3->alert_dispatch) {
@@ -1119,6 +739,9 @@ static int do_dtls1_write(SSL *s, int type, const uint8_t *buf,
   wr = &(s->s3->wrec);
   wb = &(s->s3->wbuf);
 
+  if (wb->buf == NULL && !ssl3_setup_write_buffer(s)) {
+    return -1;
+  }
   p = wb->buf + prefix_len;
 
   /* write the header */
@@ -1147,19 +770,14 @@ static int do_dtls1_write(SSL *s, int type, const uint8_t *buf,
     eivlen = s->aead_write_ctx->variable_nonce_len;
   }
 
-  /* lets setup the record stuff. */
-  wr->data = p + eivlen; /* make room for IV in case of CBC */
-  wr->length = (int)len;
-  wr->input = (unsigned char *)buf;
-
-  /* we now 'read' from wr->input, wr->length bytes into wr->data */
-  memcpy(wr->data, wr->input, wr->length);
-  wr->input = wr->data;
-
-  /* this is true regardless of mac size */
+  /* Assemble the input for |s->enc_method->enc|. The input is the plaintext
+   * with |eivlen| bytes of space prepended for the explicit nonce. */
   wr->input = p;
+  wr->length = eivlen + len;
+  memcpy(p + eivlen, buf, len);
+
+  /* Encrypt in-place, so the output also goes into |p|. */
   wr->data = p;
-  wr->length += eivlen;
 
   if (!s->enc_method->enc(s, 1)) {
     goto err;
@@ -1182,7 +800,9 @@ static int do_dtls1_write(SSL *s, int type, const uint8_t *buf,
   wr->type = type; /* not needed but helps for debugging */
   wr->length += DTLS1_RT_HEADER_LENGTH;
 
-  ssl3_record_sequence_update(&(s->s3->write_sequence[0]));
+  if (!ssl3_record_sequence_update(&s->s3->write_sequence[2], 6)) {
+    goto err;
+  }
 
   /* now let's set up wb */
   wb->left = prefix_len + wr->length;
@@ -1285,23 +905,6 @@ int dtls1_dispatch_alert(SSL *s) {
   return i;
 }
 
-static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr,
-                                      unsigned int *is_next_epoch) {
-  *is_next_epoch = 0;
-
-  /* In current epoch, accept HM, CCS, DATA, & ALERT */
-  if (rr->epoch == s->d1->r_epoch) {
-    return &s->d1->bitmap;
-  } else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) &&
-             (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) {
-    /* Only HM and ALERT messages can be from the next epoch */
-    *is_next_epoch = 1;
-    return &s->d1->next_bitmap;
-  }
-
-  return NULL;
-}
-
 void dtls1_reset_seq_numbers(SSL *s, int rw) {
   uint8_t *seq;
   unsigned int seq_bytes = sizeof(s->s3->read_sequence);
@@ -1309,8 +912,7 @@ void dtls1_reset_seq_numbers(SSL *s, int rw) {
   if (rw & SSL3_CC_READ) {
     seq = s->s3->read_sequence;
     s->d1->r_epoch++;
-    memcpy(&(s->d1->bitmap), &(s->d1->next_bitmap), sizeof(DTLS1_BITMAP));
-    memset(&(s->d1->next_bitmap), 0x00, sizeof(DTLS1_BITMAP));
+    memset(&s->d1->bitmap, 0, sizeof(DTLS1_BITMAP));
   } else {
     seq = s->s3->write_sequence;
     memcpy(s->d1->last_write_sequence, seq, sizeof(s->s3->write_sequence));
diff --git a/src/ssl/d1_srtp.c b/src/ssl/d1_srtp.c
index b85ff9b..5928fc8 100644
--- a/src/ssl/d1_srtp.c
+++ b/src/ssl/d1_srtp.c
@@ -115,12 +115,13 @@
 */
 
 #include <stdio.h>
+#include <string.h>
 
 #include <openssl/bytestring.h>
-#include <openssl/obj.h>
 #include <openssl/err.h>
+#include <openssl/obj.h>
 
-#include "ssl_locl.h"
+#include "internal.h"
 #include <openssl/srtp.h>
 
 
@@ -169,7 +170,7 @@ static int find_profile_by_num(unsigned profile_num,
 }
 
 static int ssl_ctx_make_profiles(const char *profiles_string,
-                                 STACK_OF(SRTP_PROTECTION_PROFILE) * *out) {
+                                 STACK_OF(SRTP_PROTECTION_PROFILE) **out) {
   STACK_OF(SRTP_PROTECTION_PROFILE) *profiles;
 
   const char *col;
diff --git a/src/ssl/d1_srvr.c b/src/ssl/d1_srvr.c
index 5bce98e..e314910 100644
--- a/src/ssl/d1_srvr.c
+++ b/src/ssl/d1_srvr.c
@@ -118,21 +118,20 @@
 #include <openssl/bn.h>
 #include <openssl/buf.h>
 #include <openssl/dh.h>
+#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/md5.h>
 #include <openssl/obj.h>
 #include <openssl/rand.h>
 #include <openssl/x509.h>
 
-#include "ssl_locl.h"
+#include "internal.h"
 
 
-static int dtls1_send_hello_verify_request(SSL *s);
-
 int dtls1_accept(SSL *s) {
   BUF_MEM *buf = NULL;
   void (*cb)(const SSL *ssl, int type, int val) = NULL;
-  unsigned long alg_a;
+  uint32_t alg_a;
   int ret = -1;
   int new_state, state, skip = 0;
 
@@ -180,11 +179,6 @@ int dtls1_accept(SSL *s) {
           buf = NULL;
         }
 
-        if (!ssl3_setup_buffers(s)) {
-          ret = -1;
-          goto end;
-        }
-
         s->init_num = 0;
 
         if (s->state != SSL_ST_RENEGOTIATE) {
@@ -200,11 +194,9 @@ int dtls1_accept(SSL *s) {
           }
 
           s->state = SSL3_ST_SR_CLNT_HELLO_A;
-          s->ctx->stats.sess_accept++;
         } else {
           /* s->state == SSL_ST_RENEGOTIATE, * we will just send a
            * HelloRequest */
-          s->ctx->stats.sess_accept_renegotiate++;
           s->state = SSL3_ST_SW_HELLO_REQ_A;
         }
 
@@ -244,33 +236,10 @@ int dtls1_accept(SSL *s) {
           goto end;
         }
         dtls1_stop_timer(s);
-
-        if (ret == 1 && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)) {
-          s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A;
-        } else {
-          s->state = SSL3_ST_SW_SRVR_HELLO_A;
-        }
-
+        s->state = SSL3_ST_SW_SRVR_HELLO_A;
         s->init_num = 0;
         break;
 
-      case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A:
-      case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B:
-        ret = dtls1_send_hello_verify_request(s);
-        if (ret <= 0) {
-          goto end;
-        }
-        s->state = SSL3_ST_SW_FLUSH;
-        s->s3->tmp.next_state = SSL3_ST_SR_CLNT_HELLO_A;
-
-        /* HelloVerifyRequest resets Finished MAC */
-        if (!ssl3_init_finished_mac(s)) {
-          OPENSSL_PUT_ERROR(SSL, dtls1_accept, ERR_R_INTERNAL_ERROR);
-          ret = -1;
-          goto end;
-        }
-        break;
-
       case SSL3_ST_SW_SRVR_HELLO_A:
       case SSL3_ST_SW_SRVR_HELLO_B:
         s->renegotiate = 2;
@@ -347,13 +316,6 @@ int dtls1_accept(SSL *s) {
              * don't request cert during re-negotiation: */
             ((s->session->peer != NULL) &&
              (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
-            /* never request cert in anonymous ciphersuites
-             * (see section "Certificate request" in SSL 3 drafts
-             * and in RFC 2246): */
-            ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
-             /* ... except when the application insists on verification
-              * (against the specs, but s3_clnt.c accepts this for SSL 3) */
-             !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
             /* With normal PSK Certificates and
              * Certificate Requests are omitted */
             (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
@@ -368,12 +330,7 @@ int dtls1_accept(SSL *s) {
           if (ret <= 0) {
             goto end;
           }
-#ifndef NETSCAPE_HANG_BUG
           s->state = SSL3_ST_SW_SRVR_DONE_A;
-#else
-          s->state = SSL3_ST_SW_FLUSH;
-          s->s3->tmp.next_state = SSL3_ST_SR_CERT_A;
-#endif
           s->init_num = 0;
         }
         break;
@@ -393,12 +350,6 @@ int dtls1_accept(SSL *s) {
       case SSL3_ST_SW_FLUSH:
         s->rwstate = SSL_WRITING;
         if (BIO_flush(s->wbio) <= 0) {
-          /* If the write error was fatal, stop trying */
-          if (!BIO_should_retry(s->wbio)) {
-            s->rwstate = SSL_NOTHING;
-            s->state = s->s3->tmp.next_state;
-          }
-
           ret = -1;
           goto end;
         }
@@ -527,8 +478,6 @@ int dtls1_accept(SSL *s) {
 
           ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
 
-          s->ctx->stats.sess_accept_good++;
-
           if (cb != NULL) {
             cb(s, SSL_CB_HANDSHAKE_DONE, 1);
           }
@@ -562,44 +511,9 @@ int dtls1_accept(SSL *s) {
 
 end:
   s->in_handshake--;
-  if (buf != NULL) {
-    BUF_MEM_free(buf);
-  }
+  BUF_MEM_free(buf);
   if (cb != NULL) {
     cb(s, SSL_CB_ACCEPT_EXIT, ret);
   }
   return ret;
 }
-
-int dtls1_send_hello_verify_request(SSL *s) {
-  uint8_t *msg, *p;
-
-  if (s->state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A) {
-    msg = p = ssl_handshake_start(s);
-    /* Always use DTLS 1.0 version: see RFC 6347 */
-    *(p++) = DTLS1_VERSION >> 8;
-    *(p++) = DTLS1_VERSION & 0xFF;
-
-    /* Inform the callback how much space is in the
-     * cookie's buffer. */
-    s->d1->cookie_len = sizeof(s->d1->cookie);
-
-    if (s->ctx->app_gen_cookie_cb == NULL ||
-        s->ctx->app_gen_cookie_cb(s, s->d1->cookie, &(s->d1->cookie_len)) ==
-            0) {
-      OPENSSL_PUT_ERROR(SSL, dtls1_send_hello_verify_request,
-                        ERR_R_INTERNAL_ERROR);
-      return 0;
-    }
-
-    *(p++) = (uint8_t)s->d1->cookie_len;
-    memcpy(p, s->d1->cookie, s->d1->cookie_len);
-    p += s->d1->cookie_len;
-
-    ssl_set_handshake_header(s, DTLS1_MT_HELLO_VERIFY_REQUEST, p - msg);
-    s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B;
-  }
-
-  /* s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */
-  return ssl_do_write(s);
-}
diff --git a/src/ssl/ssl_locl.h b/src/ssl/internal.h
index a0c323c..3bd749d 100644
--- a/src/ssl/ssl_locl.h
+++ b/src/ssl/internal.h
@@ -139,25 +139,161 @@
  * OTHERWISE.
  */
 
-#ifndef HEADER_SSL_LOCL_H
-#define HEADER_SSL_LOCL_H
+#ifndef OPENSSL_HEADER_SSL_INTERNAL_H
+#define OPENSSL_HEADER_SSL_INTERNAL_H
 
 #include <openssl/base.h>
 
-#include <errno.h>
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-
 #include <openssl/aead.h>
-#include <openssl/bio.h>
-#include <openssl/buf.h>
-#include <openssl/dsa.h>
-#include <openssl/err.h>
-#include <openssl/rsa.h>
+#include <openssl/pqueue.h>
 #include <openssl/ssl.h>
 #include <openssl/stack.h>
 
+#if defined(OPENSSL_WINDOWS)
+/* Windows defines struct timeval in winsock2.h. */
+#pragma warning(push, 3)
+#include <winsock2.h>
+#pragma warning(pop)
+#else
+#include <sys/types.h>
+#endif
+
+
+/* Cipher suites. */
+
+/* Bits for |algorithm_mkey| (key exchange algorithm). */
+#define SSL_kRSA 0x00000001L
+#define SSL_kDHE 0x00000002L
+#define SSL_kECDHE 0x00000004L
+/* SSL_kPSK is only set for plain PSK, not ECDHE_PSK. */
+#define SSL_kPSK 0x00000008L
+
+/* Bits for |algorithm_auth| (server authentication). */
+#define SSL_aRSA 0x00000001L
+#define SSL_aECDSA 0x00000002L
+/* SSL_aPSK is set for both PSK and ECDHE_PSK. */
+#define SSL_aPSK 0x00000004L
+
+/* Bits for |algorithm_enc| (symmetric encryption). */
+#define SSL_3DES 0x00000001L
+#define SSL_RC4 0x00000002L
+#define SSL_AES128 0x00000004L
+#define SSL_AES256 0x00000008L
+#define SSL_AES128GCM 0x00000010L
+#define SSL_AES256GCM 0x00000020L
+#define SSL_CHACHA20POLY1305 0x00000040L
+
+#define SSL_AES (SSL_AES128 | SSL_AES256 | SSL_AES128GCM | SSL_AES256GCM)
+
+/* Bits for |algorithm_mac| (symmetric authentication). */
+#define SSL_MD5 0x00000001L
+#define SSL_SHA1 0x00000002L
+#define SSL_SHA256 0x00000004L
+#define SSL_SHA384 0x00000008L
+/* SSL_AEAD is set for all AEADs. */
+#define SSL_AEAD 0x00000010L
+
+/* Bits for |algorithm_ssl| (protocol version). These denote the first protocol
+ * version which introduced the cipher.
+ *
+ * TODO(davidben): These are extremely confusing, both in code and in
+ * cipher rules. Try to remove them. */
+#define SSL_SSLV3 0x00000002L
+#define SSL_TLSV1 SSL_SSLV3
+#define SSL_TLSV1_2 0x00000004L
+
+/* Bits for |algorithm2| (handshake digests and other extra flags). */
+
+#define SSL_HANDSHAKE_MAC_MD5 0x10
+#define SSL_HANDSHAKE_MAC_SHA 0x20
+#define SSL_HANDSHAKE_MAC_SHA256 0x40
+#define SSL_HANDSHAKE_MAC_SHA384 0x80
+#define SSL_HANDSHAKE_MAC_DEFAULT \
+  (SSL_HANDSHAKE_MAC_MD5 | SSL_HANDSHAKE_MAC_SHA)
+
+/* SSL_MAX_DIGEST is the number of digest types which exist. When adding a new
+ * one, update the table in ssl_cipher.c. */
+#define SSL_MAX_DIGEST 4
+
+#define TLS1_PRF_DGST_MASK (0xff << TLS1_PRF_DGST_SHIFT)
+
+#define TLS1_PRF_DGST_SHIFT 10
+#define TLS1_PRF_MD5 (SSL_HANDSHAKE_MAC_MD5 << TLS1_PRF_DGST_SHIFT)
+#define TLS1_PRF_SHA1 (SSL_HANDSHAKE_MAC_SHA << TLS1_PRF_DGST_SHIFT)
+#define TLS1_PRF_SHA256 (SSL_HANDSHAKE_MAC_SHA256 << TLS1_PRF_DGST_SHIFT)
+#define TLS1_PRF_SHA384 (SSL_HANDSHAKE_MAC_SHA384 << TLS1_PRF_DGST_SHIFT)
+#define TLS1_PRF (TLS1_PRF_MD5 | TLS1_PRF_SHA1)
+
+/* SSL_CIPHER_ALGORITHM2_AEAD is a flag in SSL_CIPHER.algorithm2 which
+ * indicates that the cipher is implemented via an EVP_AEAD. */
+#define SSL_CIPHER_ALGORITHM2_AEAD (1 << 23)
+
+/* SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD is a flag in
+ * SSL_CIPHER.algorithm2 which indicates that the variable part of the nonce is
+ * included as a prefix of the record. (AES-GCM, for example, does with with an
+ * 8-byte variable nonce.) */
+#define SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD (1<<22)
+
+/* Bits for |algo_strength|, cipher strength information. */
+#define SSL_MEDIUM 0x00000001L
+#define SSL_HIGH 0x00000002L
+#define SSL_FIPS 0x00000004L
+
+/* ssl_cipher_get_evp_aead sets |*out_aead| to point to the correct EVP_AEAD
+ * object for |cipher| protocol version |version|. It sets |*out_mac_secret_len|
+ * and |*out_fixed_iv_len| to the MAC key length and fixed IV length,
+ * respectively. The MAC key length is zero except for legacy block and stream
+ * ciphers. It returns 1 on success and 0 on error. */
+int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
+                            size_t *out_mac_secret_len,
+                            size_t *out_fixed_iv_len,
+                            const SSL_CIPHER *cipher, uint16_t version);
+
+/* ssl_get_handshake_digest looks up the |i|th handshake digest type and sets
+ * |*out_mask| to the |SSL_HANDSHAKE_MAC_*| mask and |*out_md| to the
+ * |EVP_MD|. It returns one on successs and zero if |i| >= |SSL_MAX_DIGEST|. */
+int ssl_get_handshake_digest(uint32_t *out_mask, const EVP_MD **out_md,
+                             size_t i);
+
+/* ssl_create_cipher_list evaluates |rule_str| according to the ciphers in
+ * |ssl_method|. It sets |*out_cipher_list| to a newly-allocated
+ * |ssl_cipher_preference_list_st| containing the result.
+ * |*out_cipher_list_by_id| is set to a list of selected ciphers sorted by
+ * id. It returns |(*out_cipher_list)->ciphers| on success and NULL on
+ * failure. */
+STACK_OF(SSL_CIPHER) *
+ssl_create_cipher_list(const SSL_PROTOCOL_METHOD *ssl_method,
+                       struct ssl_cipher_preference_list_st **out_cipher_list,
+                       STACK_OF(SSL_CIPHER) **out_cipher_list_by_id,
+                       const char *rule_str);
+
+/* SSL_PKEY_* denote certificate types. */
+#define SSL_PKEY_RSA_ENC 0
+#define SSL_PKEY_RSA_SIGN 1
+#define SSL_PKEY_ECC 2
+#define SSL_PKEY_NUM 3
+
+/* ssl_cipher_get_cert_index returns the |SSL_PKEY_*| value corresponding to the
+ * certificate type of |cipher| or -1 if there is none. */
+int ssl_cipher_get_cert_index(const SSL_CIPHER *cipher);
+
+/* ssl_cipher_has_server_public_key returns 1 if |cipher| involves a server
+ * public key in the key exchange, sent in a server Certificate message.
+ * Otherwise it returns 0. */
+int ssl_cipher_has_server_public_key(const SSL_CIPHER *cipher);
+
+/* ssl_cipher_requires_server_key_exchange returns 1 if |cipher| requires a
+ * ServerKeyExchange message. Otherwise it returns 0.
+ *
+ * Unlike ssl_cipher_has_server_public_key, some ciphers take optional
+ * ServerKeyExchanges. PSK and RSA_PSK only use the ServerKeyExchange to
+ * communicate a psk_identity_hint, so it is optional. */
+int ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher);
+
+
+/* Underdocumented functions.
+ *
+ * Functions below here haven't been touched up and may be underdocumented. */
 
 #define c2l(c, l)                                                            \
   (l = ((unsigned long)(*((c)++))), l |= (((unsigned long)(*((c)++))) << 8), \
@@ -261,110 +397,10 @@
 
 /* LOCAL STUFF */
 
-#define SSL_DECRYPT 0
-#define SSL_ENCRYPT 1
-
-#define TWO_BYTE_BIT 0x80
-#define SEC_ESC_BIT 0x40
-#define TWO_BYTE_MASK 0x7fff
-#define THREE_BYTE_MASK 0x3fff
-
-#define INC32(a) ((a) = ((a) + 1) & 0xffffffffL)
-#define DEC32(a) ((a) = ((a)-1) & 0xffffffffL)
-#define MAX_MAC_SIZE 20 /* up from 16 for SSLv3 */
-
-/* Define the Bitmasks for SSL_CIPHER.algorithms.
- *
- * This bits are used packed as dense as possible. If new methods/ciphers etc
- * will be added, the bits a likely to change, so this information is for
- * internal library use only, even though SSL_CIPHER.algorithms can be publicly
- * accessed. Use the according functions for cipher management instead.
- *
- * The bit mask handling in the selection and sorting scheme in
- * ssl_create_cipher_list() has only limited capabilities, reflecting that the
- * different entities within are mutually exclusive:
- * ONLY ONE BIT PER MASK CAN BE SET AT A TIME. */
-
-/* Bits for algorithm_mkey (key exchange algorithm) */
-#define SSL_kRSA 0x00000001L   /* RSA key exchange */
-#define SSL_kEDH 0x00000002L   /* tmp DH key no DH cert */
-#define SSL_kEECDH 0x00000004L /* ephemeral ECDH */
-#define SSL_kPSK 0x00000008L   /* PSK */
-
-/* Bits for algorithm_auth (server authentication) */
-#define SSL_aRSA 0x00000001L   /* RSA auth */
-#define SSL_aNULL 0x00000002L  /* no auth (i.e. use ADH or AECDH) */
-#define SSL_aECDSA 0x00000004L /* ECDSA auth*/
-#define SSL_aPSK 0x00000008L   /* PSK auth */
-
-/* Bits for algorithm_enc (symmetric encryption) */
-#define SSL_3DES 0x00000001L
-#define SSL_RC4 0x00000002L
-#define SSL_AES128 0x00000004L
-#define SSL_AES256 0x00000008L
-#define SSL_AES128GCM 0x00000010L
-#define SSL_AES256GCM 0x00000020L
-#define SSL_CHACHA20POLY1305 0x00000040L
-
-#define SSL_AES (SSL_AES128 | SSL_AES256 | SSL_AES128GCM | SSL_AES256GCM)
-
-/* Bits for algorithm_mac (symmetric authentication) */
-
-#define SSL_MD5 0x00000001L
-#define SSL_SHA1 0x00000002L
-#define SSL_SHA256 0x00000004L
-#define SSL_SHA384 0x00000008L
-/* Not a real MAC, just an indication it is part of cipher */
-#define SSL_AEAD 0x00000010L
-
-/* Bits for algorithm_ssl (protocol version) */
-#define SSL_SSLV3 0x00000002L
-#define SSL_TLSV1 SSL_SSLV3 /* for now */
-#define SSL_TLSV1_2 0x00000004L
-
-/* Bits for algorithm2 (handshake digests and other extra flags) */
-
-#define SSL_HANDSHAKE_MAC_MD5 0x10
-#define SSL_HANDSHAKE_MAC_SHA 0x20
-#define SSL_HANDSHAKE_MAC_SHA256 0x40
-#define SSL_HANDSHAKE_MAC_SHA384 0x80
-#define SSL_HANDSHAKE_MAC_DEFAULT \
-  (SSL_HANDSHAKE_MAC_MD5 | SSL_HANDSHAKE_MAC_SHA)
-
-/* When adding new digest in the ssl_ciph.c and increment SSM_MD_NUM_IDX
- * make sure to update this constant too */
-#define SSL_MAX_DIGEST 4
-
-#define TLS1_PRF_DGST_MASK (0xff << TLS1_PRF_DGST_SHIFT)
-
-#define TLS1_PRF_DGST_SHIFT 10
-#define TLS1_PRF_MD5 (SSL_HANDSHAKE_MAC_MD5 << TLS1_PRF_DGST_SHIFT)
-#define TLS1_PRF_SHA1 (SSL_HANDSHAKE_MAC_SHA << TLS1_PRF_DGST_SHIFT)
-#define TLS1_PRF_SHA256 (SSL_HANDSHAKE_MAC_SHA256 << TLS1_PRF_DGST_SHIFT)
-#define TLS1_PRF_SHA384 (SSL_HANDSHAKE_MAC_SHA384 << TLS1_PRF_DGST_SHIFT)
-#define TLS1_PRF (TLS1_PRF_MD5 | TLS1_PRF_SHA1)
-
 #define TLSEXT_CHANNEL_ID_SIZE 128
 
-/* SSL_CIPHER_ALGORITHM2_AEAD is a flag in SSL_CIPHER.algorithm2 which
- * indicates that the cipher is implemented via an EVP_AEAD. */
-#define SSL_CIPHER_ALGORITHM2_AEAD (1 << 23)
-
-/* SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD is a flag in
- * SSL_CIPHER.algorithm2 which indicates that the variable part of the nonce is
- * included as a prefix of the record. (AES-GCM, for example, does with with an
- * 8-byte variable nonce.) */
-#define SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD (1<<22)
-
-/* Cipher strength information. */
-#define SSL_MEDIUM 0x00000001L
-#define SSL_HIGH 0x00000002L
-#define SSL_FIPS 0x00000004L
-
-/* we have used 000001ff - 23 bits left to go */
-
 /* Check if an SSL structure is using DTLS */
-#define SSL_IS_DTLS(s) (s->enc_method->enc_flags & SSL_ENC_FLAG_DTLS)
+#define SSL_IS_DTLS(s) (s->method->is_dtls)
 /* See if we need explicit IV */
 #define SSL_USE_EXPLICIT_IV(s) \
   (s->enc_method->enc_flags & SSL_ENC_FLAG_EXPLICIT_IV)
@@ -381,36 +417,30 @@
   ((SSL_IS_DTLS(s) && s->client_version <= DTLS1_2_VERSION) || \
    (!SSL_IS_DTLS(s) && s->client_version >= TLS1_2_VERSION))
 
-/* Mostly for SSLv3 */
-#define SSL_PKEY_RSA_ENC 0
-#define SSL_PKEY_RSA_SIGN 1
-#define SSL_PKEY_ECC 2
-#define SSL_PKEY_NUM 3
-
 /* SSL_kRSA <- RSA_ENC | (RSA_TMP & RSA_SIGN) |
  * 	    <- (EXPORT & (RSA_ENC | RSA_TMP) & RSA_SIGN)
  * SSL_kDH  <- DH_ENC & (RSA_ENC | RSA_SIGN | DSA_SIGN)
- * SSL_kEDH <- RSA_ENC | RSA_SIGN | DSA_SIGN
+ * SSL_kDHE <- RSA_ENC | RSA_SIGN | DSA_SIGN
  * SSL_aRSA <- RSA_ENC | RSA_SIGN
  * SSL_aDSS <- DSA_SIGN */
 
 #define PENDING_SESSION -10000
-#define CERTIFICATE_SELECTION_PENDING -10001
 
 /* From RFC4492, used in encoding the curve type in ECParameters */
 #define EXPLICIT_PRIME_CURVE_TYPE 1
 #define EXPLICIT_CHAR2_CURVE_TYPE 2
 #define NAMED_CURVE_TYPE 3
 
-/* Values for the |hash_message| parameter of |s->method->ssl_get_message|. */
-#define SSL_GET_MESSAGE_DONT_HASH_MESSAGE 0
-#define SSL_GET_MESSAGE_HASH_MESSAGE 1
+enum ssl_hash_message_t {
+  ssl_dont_hash_message,
+  ssl_hash_message,
+};
 
 typedef struct cert_pkey_st {
   X509 *x509;
   EVP_PKEY *privatekey;
   /* Chain for this certificate */
-  STACK_OF(X509) * chain;
+  STACK_OF(X509) *chain;
 } CERT_PKEY;
 
 typedef struct cert_st {
@@ -428,19 +458,20 @@ typedef struct cert_st {
    * round-about way of checking the server's cipher was one of the advertised
    * ones. (Currently it checks the masks and then the list of ciphers prior to
    * applying the masks in ClientHello.) */
-  unsigned long mask_k;
-  unsigned long mask_a;
-  unsigned long mask_ssl;
+  uint32_t mask_k;
+  uint32_t mask_a;
+  uint32_t mask_ssl;
 
   DH *dh_tmp;
   DH *(*dh_tmp_cb)(SSL *ssl, int is_export, int keysize);
-  EC_KEY *ecdh_tmp;
-  /* Callback for generating ephemeral ECDH keys */
+
+  /* ecdh_nid, if not |NID_undef|, is the NID of the curve to use for ephemeral
+   * ECDH keys. If unset, |ecdh_tmp_cb| is consulted. */
+  int ecdh_nid;
+  /* ecdh_tmp_cb is a callback for selecting the curve to use for ephemeral ECDH
+   * keys. If NULL, a curve is selected automatically. See
+   * |SSL_CTX_set_tmp_ecdh_callback|. */
   EC_KEY *(*ecdh_tmp_cb)(SSL *ssl, int is_export, int keysize);
-  /* Select ECDH parameters automatically */
-  int ecdh_tmp_auto;
-  /* Flags related to certificates */
-  unsigned int cert_flags;
   CERT_PKEY pkeys[SSL_PKEY_NUM];
 
   /* Server-only: client_certificate_types is list of certificate types to
@@ -488,14 +519,10 @@ typedef struct cert_st {
    * If NULL the parent SSL_CTX store is used instead. */
   X509_STORE *chain_store;
   X509_STORE *verify_store;
-
-  /* Raw values of the cipher list from a client */
-  uint8_t *ciphers_raw;
-  size_t ciphers_rawlen;
 } CERT;
 
 typedef struct sess_cert_st {
-  STACK_OF(X509) * cert_chain; /* as received from peer (not for SSL2) */
+  STACK_OF(X509) *cert_chain; /* as received from peer (not for SSL2) */
 
   /* The 'peer_...' members are used only by clients. */
   int peer_cert_type;
@@ -535,6 +562,8 @@ struct ssl_method_st {
 
 /* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */
 struct ssl_protocol_method_st {
+  /* is_dtls is one if the protocol is DTLS and zero otherwise. */
+  char is_dtls;
   int (*ssl_new)(SSL *s);
   void (*ssl_free)(SSL *s);
   int (*ssl_accept)(SSL *s);
@@ -546,18 +575,22 @@ struct ssl_protocol_method_st {
   int (*ssl_renegotiate)(SSL *s);
   int (*ssl_renegotiate_check)(SSL *s);
   long (*ssl_get_message)(SSL *s, int header_state, int body_state,
-                          int msg_type, long max, int hash_message, int *ok);
+                          int msg_type, long max,
+                          enum ssl_hash_message_t hash_message, int *ok);
   int (*ssl_read_bytes)(SSL *s, int type, uint8_t *buf, int len, int peek);
   int (*ssl_write_bytes)(SSL *s, int type, const void *buf_, int len);
   int (*ssl_dispatch_alert)(SSL *s);
   long (*ssl_ctrl)(SSL *s, int cmd, long larg, void *parg);
   long (*ssl_ctx_ctrl)(SSL_CTX *ctx, int cmd, long larg, void *parg);
   int (*ssl_pending)(const SSL *s);
-  int (*num_ciphers)(void);
-  const SSL_CIPHER *(*get_cipher)(unsigned ncipher);
-  int (*ssl_version)(void);
-  long (*ssl_callback_ctrl)(SSL *s, int cb_id, void (*fp)(void));
-  long (*ssl_ctx_callback_ctrl)(SSL_CTX *s, int cb_id, void (*fp)(void));
+  size_t (*num_ciphers)(void);
+  const SSL_CIPHER *(*get_cipher)(size_t i);
+  /* Handshake header length */
+  unsigned int hhlen;
+  /* Set the handshake header */
+  int (*set_handshake_header)(SSL *s, int type, unsigned long len);
+  /* Write out handshake message */
+  int (*do_write)(SSL *s);
 };
 
 /* This is for the SSLv3/TLSv1.0 differences in crypto/hash stuff It is a bit
@@ -570,7 +603,6 @@ struct ssl3_enc_method {
   int (*generate_master_secret)(SSL *, uint8_t *, const uint8_t *, size_t);
   int (*change_cipher_state)(SSL *, int);
   int (*final_finish_mac)(SSL *, const char *, int, uint8_t *);
-  int finish_mac_length;
   int (*cert_verify_mac)(SSL *, int, uint8_t *);
   const char *client_finished_label;
   int client_finished_label_len;
@@ -581,20 +613,14 @@ struct ssl3_enc_method {
                                 const uint8_t *, size_t, int use_context);
   /* Various flags indicating protocol version requirements */
   unsigned int enc_flags;
-  /* Handshake header length */
-  unsigned int hhlen;
-  /* Set the handshake header */
-  void (*set_handshake_header)(SSL *s, int type, unsigned long len);
-  /* Write out handshake message */
-  int (*do_write)(SSL *s);
 };
 
-#define SSL_HM_HEADER_LENGTH(s) s->enc_method->hhlen
+#define SSL_HM_HEADER_LENGTH(s) s->method->hhlen
 #define ssl_handshake_start(s) \
-  (((uint8_t *)s->init_buf->data) + s->enc_method->hhlen)
+  (((uint8_t *)s->init_buf->data) + s->method->hhlen)
 #define ssl_set_handshake_header(s, htype, len) \
-  s->enc_method->set_handshake_header(s, htype, len)
-#define ssl_do_write(s) s->enc_method->do_write(s)
+  s->method->set_handshake_header(s, htype, len)
+#define ssl_do_write(s) s->method->do_write(s)
 
 /* Values for enc_flags */
 
@@ -604,11 +630,9 @@ struct ssl3_enc_method {
 #define SSL_ENC_FLAG_SIGALGS 0x2
 /* Uses SHA256 default PRF */
 #define SSL_ENC_FLAG_SHA256_PRF 0x4
-/* Is DTLS */
-#define SSL_ENC_FLAG_DTLS 0x8
 /* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2:
  * may apply to others in future. */
-#define SSL_ENC_FLAG_TLS1_2_CIPHERS 0x10
+#define SSL_ENC_FLAG_TLS1_2_CIPHERS 0x8
 
 /* ssl_aead_ctx_st contains information about an AEAD that is being used to
  * encrypt an SSL connection. */
@@ -633,20 +657,117 @@ struct ssl_aead_ctx_st {
   char omit_version_in_ad;
 };
 
+/* lengths of messages */
+#define DTLS1_COOKIE_LENGTH 256
+
+#define DTLS1_RT_HEADER_LENGTH 13
+
+#define DTLS1_HM_HEADER_LENGTH 12
+
+#define DTLS1_CCS_HEADER_LENGTH 1
+
+#define DTLS1_AL_HEADER_LENGTH 2
+
+typedef struct dtls1_bitmap_st {
+  /* map is a bit mask of the last 64 sequence numbers. Bit
+   * |1<<i| corresponds to |max_seq_num - i|. */
+  uint64_t map;
+  /* max_seq_num is the largest sequence number seen so far. It
+   * is a 64-bit value in big-endian encoding. */
+  uint8_t max_seq_num[8];
+} DTLS1_BITMAP;
+
+/* TODO(davidben): This structure is used for both incoming messages and
+ * outgoing messages. |is_ccs| and |epoch| are only used in the latter and
+ * should be moved elsewhere. */
+struct hm_header_st {
+  uint8_t type;
+  uint32_t msg_len;
+  uint16_t seq;
+  uint32_t frag_off;
+  uint32_t frag_len;
+  int is_ccs;
+  /* epoch, for buffered outgoing messages, is the epoch the message was
+   * originally sent in. */
+  uint16_t epoch;
+};
+
+/* TODO(davidben): This structure is used for both incoming messages and
+ * outgoing messages. |fragment| and |reassembly| are only used in the former
+ * and should be moved elsewhere. */
+typedef struct hm_fragment_st {
+  struct hm_header_st msg_header;
+  uint8_t *fragment;
+  uint8_t *reassembly;
+} hm_fragment;
+
+typedef struct dtls1_state_st {
+  /* send_cookie is true if we are resending the ClientHello
+   * with a cookie from a HelloVerifyRequest. */
+  unsigned int send_cookie;
+
+  uint8_t cookie[DTLS1_COOKIE_LENGTH];
+  size_t cookie_len;
+
+  /* The current data and handshake epoch.  This is initially undefined, and
+   * starts at zero once the initial handshake is completed. */
+  uint16_t r_epoch;
+  uint16_t w_epoch;
+
+  /* records being received in the current epoch */
+  DTLS1_BITMAP bitmap;
+
+  /* handshake message numbers */
+  uint16_t handshake_write_seq;
+  uint16_t next_handshake_write_seq;
+
+  uint16_t handshake_read_seq;
+
+  /* save last sequence number for retransmissions */
+  uint8_t last_write_sequence[8];
+
+  /* buffered_messages is a priority queue of incoming handshake messages that
+   * have yet to be processed.
+   *
+   * TODO(davidben): This data structure may as well be a ring buffer of fixed
+   * size. */
+  pqueue buffered_messages;
+
+  /* send_messages is a priority queue of outgoing handshake messages sent in
+   * the most recent handshake flight.
+   *
+   * TODO(davidben): This data structure may as well be a STACK_OF(T). */
+  pqueue sent_messages;
+
+  unsigned int mtu; /* max DTLS packet size */
+
+  struct hm_header_st w_msg_hdr;
+
+  /* num_timeouts is the number of times the retransmit timer has fired since
+   * the last time it was reset. */
+  unsigned int num_timeouts;
+
+  /* Indicates when the last handshake msg or heartbeat sent will
+   * timeout. */
+  struct timeval next_timeout;
+
+  /* Timeout duration */
+  unsigned short timeout_duration;
+
+  unsigned int change_cipher_spec_ok;
+} DTLS1_STATE;
+
 extern const SSL_CIPHER ssl3_ciphers[];
 
 extern const SSL3_ENC_METHOD TLSv1_enc_data;
 extern const SSL3_ENC_METHOD TLSv1_1_enc_data;
 extern const SSL3_ENC_METHOD TLSv1_2_enc_data;
 extern const SSL3_ENC_METHOD SSLv3_enc_data;
-extern const SSL3_ENC_METHOD DTLSv1_enc_data;
-extern const SSL3_ENC_METHOD DTLSv1_2_enc_data;
 
 void ssl_clear_cipher_ctx(SSL *s);
 int ssl_clear_bad_session(SSL *s);
 CERT *ssl_cert_new(void);
 CERT *ssl_cert_dup(CERT *cert);
-int ssl_cert_inst(CERT **o);
 void ssl_cert_clear_certs(CERT *c);
 void ssl_cert_free(CERT *c);
 SESS_CERT *ssl_sess_cert_new(void);
@@ -655,50 +776,27 @@ int ssl_set_peer_cert_type(SESS_CERT *c, int type);
 int ssl_get_prev_session(SSL *s, const struct ssl_early_callback_ctx *ctx);
 int ssl_cipher_id_cmp(const void *in_a, const void *in_b);
 int ssl_cipher_ptr_id_cmp(const SSL_CIPHER **ap, const SSL_CIPHER **bp);
-STACK_OF(SSL_CIPHER) * ssl_bytes_to_cipher_list(SSL *s, const CBS *cbs);
-int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) * sk, uint8_t *p);
-STACK_OF(SSL_CIPHER) *
-    ssl_create_cipher_list(const SSL_PROTOCOL_METHOD *meth,
-                           struct ssl_cipher_preference_list_st **pref,
-                           STACK_OF(SSL_CIPHER) * *sorted, const char *rule_str,
-                           CERT *c);
+STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, const CBS *cbs);
+int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, uint8_t *p);
 struct ssl_cipher_preference_list_st *ssl_cipher_preference_list_dup(
     struct ssl_cipher_preference_list_st *cipher_list);
 void ssl_cipher_preference_list_free(
     struct ssl_cipher_preference_list_st *cipher_list);
 struct ssl_cipher_preference_list_st *ssl_cipher_preference_list_from_ciphers(
-    STACK_OF(SSL_CIPHER) * ciphers);
+    STACK_OF(SSL_CIPHER) *ciphers);
 struct ssl_cipher_preference_list_st *ssl_get_cipher_preferences(SSL *s);
 
-/* ssl_cipher_get_evp_aead sets |*out_aead| to point to the correct EVP_AEAD
-* object for |cipher| protocol version |version|. It sets |*out_mac_secret_len|
-* and |*out_fixed_iv_len| to the MAC key length and fixed IV length,
-* respectively. The MAC key length is zero except for legacy block and stream
-* ciphers. It returns 1 on success and 0 on error. */
-int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
-                            size_t *out_mac_secret_len,
-                            size_t *out_fixed_iv_len,
-                            const SSL_CIPHER *cipher, uint16_t version);
-
-int ssl_get_handshake_digest(size_t i, long *mask, const EVP_MD **md);
-int ssl_cipher_get_cert_index(const SSL_CIPHER *c);
-int ssl_cipher_has_server_public_key(const SSL_CIPHER *cipher);
-int ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher);
-
-int ssl_cert_set0_chain(CERT *c, STACK_OF(X509) * chain);
-int ssl_cert_set1_chain(CERT *c, STACK_OF(X509) * chain);
+int ssl_cert_set0_chain(CERT *c, STACK_OF(X509) *chain);
+int ssl_cert_set1_chain(CERT *c, STACK_OF(X509) *chain);
 int ssl_cert_add0_chain_cert(CERT *c, X509 *x);
 int ssl_cert_add1_chain_cert(CERT *c, X509 *x);
 int ssl_cert_select_current(CERT *c, X509 *x);
 void ssl_cert_set_cert_cb(CERT *c, int (*cb)(SSL *ssl, void *arg), void *arg);
 
-int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) * sk);
+int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk);
 int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l);
 int ssl_build_cert_chain(CERT *c, X509_STORE *chain_store, int flags);
 int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref);
-int ssl_undefined_function(SSL *s);
-int ssl_undefined_void_function(void);
-int ssl_undefined_const_function(const SSL *s);
 CERT_PKEY *ssl_get_server_send_pkey(const SSL *s);
 EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *c);
 int ssl_cert_type(EVP_PKEY *pkey);
@@ -707,10 +805,10 @@ int ssl_cert_type(EVP_PKEY *pkey);
  * authentication cipher suite masks compatible with the server configuration
  * and current ClientHello parameters of |s|. It sets |*out_mask_k| to the key
  * exchange mask and |*out_mask_a| to the authentication mask. */
-void ssl_get_compatible_server_ciphers(SSL *s, unsigned long *out_mask_k,
-                                       unsigned long *out_mask_a);
+void ssl_get_compatible_server_ciphers(SSL *s, uint32_t *out_mask_k,
+                                       uint32_t *out_mask_a);
 
-STACK_OF(SSL_CIPHER) * ssl_get_ciphers_by_id(SSL *s);
+STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
 int ssl_verify_alarm_type(long type);
 int ssl_fill_hello_random(SSL *s, int server, uint8_t *field, size_t len);
 
@@ -731,11 +829,11 @@ int ssl3_do_write(SSL *s, int type);
 int ssl3_send_alert(SSL *s, int level, int desc);
 int ssl3_get_req_cert_type(SSL *s, uint8_t *p);
 long ssl3_get_message(SSL *s, int header_state, int body_state, int msg_type,
-                      long max, int hash_message, int *ok);
+                      long max, enum ssl_hash_message_t hash_message, int *ok);
 
-/* ssl3_hash_current_message incorporates the current handshake message into
- * the handshake hash. */
-void ssl3_hash_current_message(SSL *s);
+/* ssl3_hash_current_message incorporates the current handshake message into the
+ * handshake hash. It returns one on success and zero on allocation failure. */
+int ssl3_hash_current_message(SSL *s);
 
 /* ssl3_cert_verify_hash writes the CertificateVerify hash into the bytes
  * pointed to by |out| and writes the number of bytes to |*out_len|. |out| must
@@ -747,8 +845,8 @@ int ssl3_cert_verify_hash(SSL *s, uint8_t *out, size_t *out_len,
                           const EVP_MD **out_md, EVP_PKEY *pkey);
 
 int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen);
-int ssl3_num_ciphers(void);
-const SSL_CIPHER *ssl3_get_cipher(unsigned int u);
+size_t ssl3_num_ciphers(void);
+const SSL_CIPHER *ssl3_get_cipher(size_t i);
 int ssl3_renegotiate(SSL *ssl);
 int ssl3_renegotiate_check(SSL *ssl);
 int ssl3_dispatch_alert(SSL *s);
@@ -757,13 +855,12 @@ int ssl3_read_bytes(SSL *s, int type, uint8_t *buf, int len, int peek);
 int ssl3_write_bytes(SSL *s, int type, const void *buf, int len);
 int ssl3_final_finish_mac(SSL *s, const char *sender, int slen, uint8_t *p);
 int ssl3_cert_verify_mac(SSL *s, int md_nid, uint8_t *p);
-void ssl3_finish_mac(SSL *s, const uint8_t *buf, int len);
+int ssl3_finish_mac(SSL *s, const uint8_t *buf, int len);
 void ssl3_free_digest_list(SSL *s);
-unsigned long ssl3_output_cert_chain(SSL *s, CERT_PKEY *cpk);
+int ssl3_output_cert_chain(SSL *s, CERT_PKEY *cpk);
 const SSL_CIPHER *ssl3_choose_cipher(
-    SSL *ssl, STACK_OF(SSL_CIPHER) * clnt,
+    SSL *ssl, STACK_OF(SSL_CIPHER) *clnt,
     struct ssl_cipher_preference_list_st *srvr);
-int ssl3_setup_buffers(SSL *s);
 int ssl3_setup_read_buffer(SSL *s);
 int ssl3_setup_write_buffer(SSL *s);
 int ssl3_release_read_buffer(SSL *s);
@@ -785,18 +882,19 @@ int ssl3_write(SSL *s, const void *buf, int len);
 int ssl3_shutdown(SSL *s);
 long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg);
 long ssl3_ctx_ctrl(SSL_CTX *s, int cmd, long larg, void *parg);
-long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void));
-long ssl3_ctx_callback_ctrl(SSL_CTX *s, int cmd, void (*fp)(void));
 int ssl3_pending(const SSL *s);
 
-void ssl3_record_sequence_update(uint8_t *seq);
+/* ssl3_record_sequence_update increments the sequence number in |seq|. It
+ * returns one on success and zero on wraparound. */
+int ssl3_record_sequence_update(uint8_t *seq, size_t seq_len);
+
 int ssl3_do_change_cipher_spec(SSL *ssl);
 
-void ssl3_set_handshake_header(SSL *s, int htype, unsigned long len);
+int ssl3_set_handshake_header(SSL *s, int htype, unsigned long len);
 int ssl3_handshake_write(SSL *s);
 
 int dtls1_do_write(SSL *s, int type);
-int ssl3_read_n(SSL *s, int n, int max, int extend);
+int ssl3_read_n(SSL *s, int n, int extend);
 int dtls1_read_bytes(SSL *s, int type, uint8_t *buf, int len, int peek);
 int ssl3_write_pending(SSL *s, int type, const uint8_t *buf, unsigned int len);
 void dtls1_set_message_header(SSL *s, uint8_t mt, unsigned long len,
@@ -810,17 +908,16 @@ int dtls1_send_change_cipher_spec(SSL *s, int a, int b);
 int dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen);
 int dtls1_read_failed(SSL *s, int code);
 int dtls1_buffer_message(SSL *s, int ccs);
-int dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
-                             int *found);
 int dtls1_get_queue_priority(unsigned short seq, int is_ccs);
 int dtls1_retransmit_buffered_messages(SSL *s);
 void dtls1_clear_record_buffer(SSL *s);
 void dtls1_get_message_header(uint8_t *data, struct hm_header_st *msg_hdr);
-void dtls1_get_ccs_header(uint8_t *data, struct ccs_header_st *ccs_hdr);
 void dtls1_reset_seq_numbers(SSL *s, int rw);
 int dtls1_check_timeout_num(SSL *s);
-int dtls1_handle_timeout(SSL *s);
-const SSL_CIPHER *dtls1_get_cipher(unsigned int u);
+int dtls1_set_handshake_header(SSL *s, int type, unsigned long len);
+int dtls1_handshake_write(SSL *s);
+
+const SSL_CIPHER *dtls1_get_cipher(size_t i);
 void dtls1_start_timer(SSL *s);
 void dtls1_stop_timer(SSL *s);
 int dtls1_is_timer_expired(SSL *s);
@@ -866,11 +963,10 @@ int dtls1_new(SSL *s);
 int dtls1_accept(SSL *s);
 int dtls1_connect(SSL *s);
 void dtls1_free(SSL *s);
-long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg);
 int dtls1_shutdown(SSL *s);
 
 long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max,
-                       int hash_message, int *ok);
+                       enum ssl_hash_message_t hash_message, int *ok);
 int dtls1_get_record(SSL *s);
 int dtls1_dispatch_alert(SSL *s);
 
@@ -895,9 +991,10 @@ int tls1_final_finish_mac(SSL *s, const char *str, int slen, uint8_t *p);
 int tls1_cert_verify_mac(SSL *s, int md_nid, uint8_t *p);
 int tls1_generate_master_secret(SSL *s, uint8_t *out, const uint8_t *premaster,
                                 size_t premaster_len);
-int tls1_export_keying_material(SSL *s, uint8_t *out, size_t olen,
-                                const char *label, size_t llen,
-                                const uint8_t *p, size_t plen, int use_context);
+int tls1_export_keying_material(SSL *s, uint8_t *out, size_t out_len,
+                                const char *label, size_t label_len,
+                                const uint8_t *context, size_t context_len,
+                                int use_context);
 int tls1_alert_code(int code);
 int ssl3_alert_code(int code);
 int ssl_ok(SSL *s);
@@ -975,7 +1072,9 @@ int ssl_ctx_log_master_secret(SSL_CTX *ctx, const uint8_t *client_random,
                               size_t client_random_len, const uint8_t *master,
                               size_t master_len);
 
-int ssl3_can_cutthrough(const SSL *s);
+/* ssl3_can_false_start returns one if |s| is allowed to False Start and zero
+ * otherwise. */
+int ssl3_can_false_start(const SSL *s);
 
 /* ssl3_get_enc_method returns the SSL3_ENC_METHOD corresponding to
  * |version|. */
@@ -1015,7 +1114,7 @@ int ssl_parse_serverhello_renegotiate_ext(SSL *s, CBS *cbs, int *out_alert);
 int ssl_add_clienthello_renegotiate_ext(SSL *s, uint8_t *p, int *len,
                                         int maxlen);
 int ssl_parse_clienthello_renegotiate_ext(SSL *s, CBS *cbs, int *out_alert);
-long ssl_get_algorithm2(SSL *s);
+uint32_t ssl_get_algorithm2(SSL *s);
 int tls1_process_sigalgs(SSL *s, const CBS *sigalgs);
 
 /* tls1_choose_signing_digest returns a digest for use with |pkey| based on the
@@ -1032,4 +1131,4 @@ int ssl_parse_clienthello_use_srtp_ext(SSL *s, CBS *cbs, int *out_alert);
 int ssl_add_serverhello_use_srtp_ext(SSL *s, uint8_t *p, int *len, int maxlen);
 int ssl_parse_serverhello_use_srtp_ext(SSL *s, CBS *cbs, int *out_alert);
 
-#endif
+#endif /* OPENSSL_HEADER_SSL_INTERNAL_H */
diff --git a/src/ssl/pqueue/pqueue.c b/src/ssl/pqueue/pqueue.c
index ecaa139..14bd9b6 100644
--- a/src/ssl/pqueue/pqueue.c
+++ b/src/ssl/pqueue/pqueue.c
@@ -56,6 +56,7 @@
 
 #include <openssl/pqueue.h>
 
+#include <assert.h>
 #include <string.h>
 
 #include <openssl/mem.h>
@@ -104,6 +105,8 @@ void pqueue_free(pqueue_s *pq) {
     return;
   }
 
+  /* The queue must be empty. */
+  assert(pq->items == NULL);
   OPENSSL_free(pq);
 }
 
diff --git a/src/ssl/pqueue/pqueue_test.c b/src/ssl/pqueue/pqueue_test.c
index c4b4b9d..cb688f7 100644
--- a/src/ssl/pqueue/pqueue_test.c
+++ b/src/ssl/pqueue/pqueue_test.c
@@ -19,6 +19,17 @@
 #include <openssl/ssl.h>
 
 
+static void clear_and_free_queue(pqueue q) {
+  for (;;) {
+    pitem *item = pqueue_pop(q);
+    if (item == NULL) {
+      break;
+    }
+    pitem_free(item);
+  }
+  pqueue_free(q);
+}
+
 static int trivial(void) {
   pqueue q = pqueue_new();
   if (q == NULL) {
@@ -37,7 +48,7 @@ static int trivial(void) {
     return 0;
   }
   pitem_free(item);
-  pqueue_free(q);
+  clear_and_free_queue(q);
   return 1;
 }
 
@@ -101,7 +112,7 @@ static int fixed_random(void) {
     }
     curr = next;
   }
-  pqueue_free(q);
+  clear_and_free_queue(q);
   return 1;
 }
 
diff --git a/src/ssl/s3_both.c b/src/ssl/s3_both.c
index a34d221..b78f6d3 100644
--- a/src/ssl/s3_both.c
+++ b/src/ssl/s3_both.c
@@ -116,6 +116,7 @@
 #include <string.h>
 
 #include <openssl/buf.h>
+#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/mem.h>
 #include <openssl/md5.h>
@@ -124,7 +125,7 @@
 #include <openssl/sha.h>
 #include <openssl/x509.h>
 
-#include "ssl_locl.h"
+#include "internal.h"
 
 
 /* ssl3_do_write sends |s->init_buf| in records of type 'type'
@@ -173,8 +174,7 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen) {
       return 0;
     }
 
-    /* Copy the finished so we can use it for
-     * renegotiation checks */
+    /* Copy the finished so we can use it for renegotiation checks */
     if (s->server) {
       assert(n <= EVP_MAX_MD_SIZE);
       memcpy(s->s3->previous_server_finished, s->s3->tmp.finish_md, n);
@@ -185,7 +185,9 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen) {
       s->s3->previous_client_finished_len = n;
     }
 
-    ssl_set_handshake_header(s, SSL3_MT_FINISHED, n);
+    if (!ssl_set_handshake_header(s, SSL3_MT_FINISHED, n)) {
+      return 0;
+    }
     s->state = b;
   }
 
@@ -224,7 +226,7 @@ int ssl3_get_finished(SSL *s, int a, int b) {
 
   message_len =
       s->method->ssl_get_message(s, a, b, SSL3_MT_FINISHED, EVP_MAX_MD_SIZE,
-                                 SSL_GET_MESSAGE_DONT_HASH_MESSAGE, &ok);
+                                 ssl_dont_hash_message, &ok);
 
   if (!ok) {
     return message_len;
@@ -232,7 +234,9 @@ int ssl3_get_finished(SSL *s, int a, int b) {
 
   /* Snapshot the finished hash before incorporating the new message. */
   ssl3_take_mac(s);
-  ssl3_hash_current_message(s);
+  if (!ssl3_hash_current_message(s)) {
+    goto err;
+  }
 
   /* If this occurs, we have missed a message.
    * TODO(davidben): Is this check now redundant with SSL3_FLAGS_EXPECT_CCS? */
@@ -273,6 +277,7 @@ int ssl3_get_finished(SSL *s, int a, int b) {
 
 f_err:
   ssl3_send_alert(s, SSL3_AL_FATAL, al);
+err:
   return 0;
 }
 
@@ -296,11 +301,17 @@ int ssl3_send_change_cipher_spec(SSL *s, int a, int b) {
   return ssl3_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC);
 }
 
-unsigned long ssl3_output_cert_chain(SSL *s, CERT_PKEY *cpk) {
+int ssl3_output_cert_chain(SSL *s, CERT_PKEY *cpk) {
   uint8_t *p;
   unsigned long l = 3 + SSL_HM_HEADER_LENGTH(s);
 
-  if (!ssl_add_cert_chain(s, cpk, &l)) {
+  if (cpk == NULL) {
+    /* TLSv1 sends a chain with nothing in it, instead of an alert. */
+    if (!BUF_MEM_grow_clean(s->init_buf, l)) {
+      OPENSSL_PUT_ERROR(SSL, ssl3_output_cert_chain, ERR_R_BUF_LIB);
+      return 0;
+    }
+  } else if (!ssl_add_cert_chain(s, cpk, &l)) {
     return 0;
   }
 
@@ -308,25 +319,24 @@ unsigned long ssl3_output_cert_chain(SSL *s, CERT_PKEY *cpk) {
   p = ssl_handshake_start(s);
   l2n3(l, p);
   l += 3;
-  ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE, l);
-  return l + SSL_HM_HEADER_LENGTH(s);
+  return ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE, l);
 }
 
 /* Obtain handshake message of message type |msg_type| (any if |msg_type| == -1),
  * maximum acceptable body length |max|. The first four bytes (msg_type and
  * length) are read in state |header_state|, the body is read in state |body_state|. */
 long ssl3_get_message(SSL *s, int header_state, int body_state, int msg_type,
-                      long max, int hash_message, int *ok) {
+                      long max, enum ssl_hash_message_t hash_message, int *ok) {
   uint8_t *p;
   unsigned long l;
   long n;
   int al;
 
   if (s->s3->tmp.reuse_message) {
-    /* A SSL_GET_MESSAGE_DONT_HASH_MESSAGE call cannot be combined with
-     * reuse_message; the SSL_GET_MESSAGE_DONT_HASH_MESSAGE would have to have
-     * been applied to the previous call. */
-    assert(hash_message != SSL_GET_MESSAGE_DONT_HASH_MESSAGE);
+    /* A ssl_dont_hash_message call cannot be combined with reuse_message; the
+     * ssl_dont_hash_message would have to have been applied to the previous
+     * call. */
+    assert(hash_message == ssl_hash_message);
     s->s3->tmp.reuse_message = 0;
     if (msg_type >= 0 && s->s3->tmp.message_type != msg_type) {
       al = SSL_AD_UNEXPECTED_MESSAGE;
@@ -350,7 +360,6 @@ long ssl3_get_message(SSL *s, int header_state, int body_state, int msg_type,
         int bytes_read = s->method->ssl_read_bytes(
             s, SSL3_RT_HANDSHAKE, &p[s->init_num], 4 - s->init_num, 0);
         if (bytes_read <= 0) {
-          s->rwstate = SSL_READING;
           *ok = 0;
           return bytes_read;
         }
@@ -416,8 +425,8 @@ long ssl3_get_message(SSL *s, int header_state, int body_state, int msg_type,
   }
 
   /* Feed this message into MAC computation. */
-  if (hash_message != SSL_GET_MESSAGE_DONT_HASH_MESSAGE) {
-    ssl3_hash_current_message(s);
+  if (hash_message == ssl_hash_message && !ssl3_hash_current_message(s)) {
+    goto err;
   }
   if (s->msg_callback) {
     s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
@@ -434,11 +443,12 @@ err:
   return -1;
 }
 
-void ssl3_hash_current_message(SSL *s) {
+int ssl3_hash_current_message(SSL *s) {
   /* The handshake header (different size between DTLS and TLS) is included in
    * the hash. */
   size_t header_len = s->init_msg - (uint8_t *)s->init_buf->data;
-  ssl3_finish_mac(s, (uint8_t *)s->init_buf->data, s->init_num + header_len);
+  return ssl3_finish_mac(s, (uint8_t *)s->init_buf->data,
+                         s->init_num + header_len);
 }
 
 /* ssl3_cert_verify_hash is documented as needing EVP_MAX_MD_SIZE because that
@@ -586,8 +596,7 @@ int ssl3_setup_read_buffer(SSL *s) {
 #endif
 
   if (s->s3->rbuf.buf == NULL) {
-    len = SSL3_RT_MAX_PLAIN_LENGTH + SSL3_RT_MAX_ENCRYPTED_OVERHEAD +
-          headerlen + align;
+    len = SSL3_RT_MAX_ENCRYPTED_LENGTH + headerlen + align;
     if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER) {
       s->s3->init_extra = 1;
       len += SSL3_RT_MAX_EXTRA;
@@ -645,28 +654,16 @@ err:
   return 0;
 }
 
-
-int ssl3_setup_buffers(SSL *s) {
-  if (!ssl3_setup_read_buffer(s) ||
-      !ssl3_setup_write_buffer(s)) {
-    return 0;
-  }
-  return 1;
-}
-
 int ssl3_release_write_buffer(SSL *s) {
-  if (s->s3->wbuf.buf != NULL) {
-    OPENSSL_free(s->s3->wbuf.buf);
-    s->s3->wbuf.buf = NULL;
-  }
+  OPENSSL_free(s->s3->wbuf.buf);
+  s->s3->wbuf.buf = NULL;
   return 1;
 }
 
 int ssl3_release_read_buffer(SSL *s) {
-  if (s->s3->rbuf.buf != NULL) {
-    OPENSSL_free(s->s3->rbuf.buf);
-    s->s3->rbuf.buf = NULL;
-  }
+  OPENSSL_free(s->s3->rbuf.buf);
+  s->s3->rbuf.buf = NULL;
+  s->packet = NULL;
   return 1;
 }
 
diff --git a/src/ssl/s3_clnt.c b/src/ssl/s3_clnt.c
index 231cc65..d01acae 100644
--- a/src/ssl/s3_clnt.c
+++ b/src/ssl/s3_clnt.c
@@ -150,20 +150,21 @@
 
 #include <assert.h>
 #include <stdio.h>
+#include <string.h>
 
 #include <openssl/buf.h>
 #include <openssl/bytestring.h>
 #include <openssl/rand.h>
 #include <openssl/obj.h>
+#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/mem.h>
 #include <openssl/md5.h>
 #include <openssl/dh.h>
 #include <openssl/bn.h>
-#include <openssl/engine.h>
 #include <openssl/x509.h>
 
-#include "ssl_locl.h"
+#include "internal.h"
 #include "../crypto/dh/internal.h"
 
 
@@ -195,12 +196,21 @@ int ssl3_connect(SSL *s) {
       case SSL_ST_RENEGOTIATE:
         s->renegotiate = 1;
         s->state = SSL_ST_CONNECT;
-        s->ctx->stats.sess_connect_renegotiate++;
         /* fallthrough */
       case SSL_ST_CONNECT:
       case SSL_ST_BEFORE | SSL_ST_CONNECT:
-        if (cb != NULL)
+        if (cb != NULL) {
           cb(s, SSL_CB_HANDSHAKE_START, 1);
+        }
+
+        if ((s->version >> 8) != 3) {
+          /* TODO(davidben): Some consumers clear |s->version| to break the
+           * handshake in a callback. Remove this when they're using proper
+           * APIs. */
+          OPENSSL_PUT_ERROR(SSL, ssl3_connect, ERR_R_INTERNAL_ERROR);
+          ret = -1;
+          goto end;
+        }
 
         if (s->init_buf == NULL) {
           buf = BUF_MEM_new();
@@ -214,8 +224,7 @@ int ssl3_connect(SSL *s) {
           buf = NULL;
         }
 
-        if (!ssl3_setup_buffers(s) ||
-            !ssl_init_wbio_buffer(s, 0)) {
+        if (!ssl_init_wbio_buffer(s, 0)) {
           ret = -1;
           goto end;
         }
@@ -229,7 +238,6 @@ int ssl3_connect(SSL *s) {
         }
 
         s->state = SSL3_ST_CW_CLNT_HELLO_A;
-        s->ctx->stats.sess_connect++;
         s->init_num = 0;
         break;
 
@@ -389,12 +397,8 @@ int ssl3_connect(SSL *s) {
         s->init_num = 0;
 
         s->session->cipher = s->s3->tmp.new_cipher;
-        if (!s->enc_method->setup_key_block(s)) {
-          ret = -1;
-          goto end;
-        }
-
-        if (!s->enc_method->change_cipher_state(
+        if (!s->enc_method->setup_key_block(s) ||
+            !s->enc_method->change_cipher_state(
                 s, SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
           ret = -1;
           goto end;
@@ -445,15 +449,16 @@ int ssl3_connect(SSL *s) {
            * hashes. */
           if (s->s3->tlsext_channel_id_new) {
             ret = tls1_record_handshake_hashes_for_channel_id(s);
-            if (ret <= 0)
+            if (ret <= 0) {
               goto end;
+            }
           }
-          if ((SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH) &&
-              ssl3_can_cutthrough(s) &&
-              /* no cutthrough on renegotiation (would complicate the state
-               * machine) */
+          if ((SSL_get_mode(s) & SSL_MODE_ENABLE_FALSE_START) &&
+              ssl3_can_false_start(s) &&
+              /* No False Start on renegotiation (would complicate the state
+               * machine). */
               s->s3->previous_server_finished_len == 0) {
-            s->s3->tmp.next_state = SSL3_ST_CUTTHROUGH_COMPLETE;
+            s->s3->tmp.next_state = SSL3_ST_FALSE_START;
           } else {
             /* Allow NewSessionTicket if ticket expected */
             if (s->tlsext_ticket_expected) {
@@ -522,13 +527,14 @@ int ssl3_connect(SSL *s) {
         s->state = s->s3->tmp.next_state;
         break;
 
-      case SSL3_ST_CUTTHROUGH_COMPLETE:
+      case SSL3_ST_FALSE_START:
         /* Allow NewSessionTicket if ticket expected */
         if (s->tlsext_ticket_expected) {
           s->state = SSL3_ST_CR_SESSION_TICKET_A;
         } else {
           s->state = SSL3_ST_CR_CHANGE;
         }
+        s->s3->tmp.in_false_start = 1;
 
         ssl_free_wbio_buffer(s);
         ret = 1;
@@ -538,10 +544,8 @@ int ssl3_connect(SSL *s) {
         /* clean a few things up */
         ssl3_cleanup_key_block(s);
 
-        if (s->init_buf != NULL) {
-          BUF_MEM_free(s->init_buf);
-          s->init_buf = NULL;
-        }
+        BUF_MEM_free(s->init_buf);
+        s->init_buf = NULL;
 
         /* Remove write buffering now. */
         ssl_free_wbio_buffer(s);
@@ -549,15 +553,12 @@ int ssl3_connect(SSL *s) {
         s->init_num = 0;
         s->renegotiate = 0;
         s->new_session = 0;
+        s->s3->tmp.in_false_start = 0;
 
         ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
-        if (s->hit) {
-          s->ctx->stats.sess_hit++;
-        }
 
         ret = 1;
         /* s->server=0; */
-        s->ctx->stats.sess_connect_good++;
 
         if (cb != NULL) {
           cb(s, SSL_CB_HANDSHAKE_DONE, 1);
@@ -584,9 +585,7 @@ int ssl3_connect(SSL *s) {
 
 end:
   s->in_handshake--;
-  if (buf != NULL) {
-    BUF_MEM_free(buf);
-  }
+  BUF_MEM_free(buf);
   if (cb != NULL) {
     cb(s, SSL_CB_CONNECT_EXIT, ret);
   }
@@ -625,8 +624,9 @@ int ssl3_send_client_hello(SSL *s) {
 
     /* If resending the ClientHello in DTLS after a HelloVerifyRequest, don't
      * renegerate the client_random. The random must be reused. */
-    if (!SSL_IS_DTLS(s) || !s->d1->send_cookie) {
-      ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random));
+    if ((!SSL_IS_DTLS(s) || !s->d1->send_cookie) &&
+        !ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random))) {
+      goto err;
     }
 
     /* Do the message type and length last. Note: the final argument to
@@ -720,7 +720,9 @@ int ssl3_send_client_hello(SSL *s) {
     }
 
     l = p - d;
-    ssl_set_handshake_header(s, SSL3_MT_CLIENT_HELLO, l);
+    if (!ssl_set_handshake_header(s, SSL3_MT_CLIENT_HELLO, l)) {
+      goto err;
+    }
     s->state = SSL3_ST_CW_CLNT_HELLO_B;
   }
 
@@ -732,7 +734,7 @@ err:
 }
 
 int ssl3_get_server_hello(SSL *s) {
-  STACK_OF(SSL_CIPHER) * sk;
+  STACK_OF(SSL_CIPHER) *sk;
   const SSL_CIPHER *c;
   CERT *ct = s->cert;
   int al = SSL_AD_INTERNAL_ERROR, ok;
@@ -740,12 +742,12 @@ int ssl3_get_server_hello(SSL *s) {
   CBS server_hello, server_random, session_id;
   uint16_t server_version, cipher_suite;
   uint8_t compression_method;
-  unsigned long mask_ssl;
+  uint32_t mask_ssl;
 
   n = s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_HELLO_A,
                                  SSL3_ST_CR_SRVR_HELLO_B, SSL3_MT_SERVER_HELLO,
                                  20000, /* ?? */
-                                 SSL_GET_MESSAGE_HASH_MESSAGE, &ok);
+                                 ssl_hash_message, &ok);
 
   if (!ok) {
     uint32_t err = ERR_peek_error();
@@ -858,24 +860,22 @@ int ssl3_get_server_hello(SSL *s) {
     goto f_err;
   }
 
-  if (s->hit && s->session->cipher != c) {
-    al = SSL_AD_ILLEGAL_PARAMETER;
-    OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello,
-                      SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
-    goto f_err;
+  if (s->hit) {
+    if (s->session->cipher != c) {
+      al = SSL_AD_ILLEGAL_PARAMETER;
+      OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello,
+                        SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
+      goto f_err;
+    }
+    if (s->session->ssl_version != s->version) {
+      al = SSL_AD_ILLEGAL_PARAMETER;
+      OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello,
+                        SSL_R_OLD_SESSION_VERSION_NOT_RETURNED);
+      goto f_err;
+    }
   }
   s->s3->tmp.new_cipher = c;
 
-  /* Most clients also require that the negotiated version match the session's
-   * version if resuming. However OpenSSL has historically not had the
-   * corresponding logic on the server, so this may not be compatible,
-   * depending on other factors. (Whether the ClientHello version is clamped to
-   * the session's version and whether the session cache is keyed on IP
-   * address.)
-   *
-   * TODO(davidben): See if we can still enforce this? Perhaps for the future
-   * TLS 1.3 and forward if this is fixed upstream. */
-
   /* Don't digest cached records if no sigalgs: we may need them for client
    * authentication. */
   if (!SSL_USE_SIGALGS(s) &&
@@ -924,8 +924,8 @@ int ssl3_get_server_certificate(SSL *s) {
   const uint8_t *data;
 
   n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_A, SSL3_ST_CR_CERT_B,
-                                 SSL3_MT_CERTIFICATE, s->max_cert_list,
-                                 SSL_GET_MESSAGE_HASH_MESSAGE, &ok);
+                                 SSL3_MT_CERTIFICATE, (long)s->max_cert_list,
+                                 ssl_hash_message, &ok);
 
   if (!ok) {
     return n;
@@ -988,9 +988,7 @@ int ssl3_get_server_certificate(SSL *s) {
     goto err;
   }
 
-  if (s->session->sess_cert) {
-    ssl_sess_cert_free(s->session->sess_cert);
-  }
+  ssl_sess_cert_free(s->session->sess_cert);
   s->session->sess_cert = sc;
 
   sc->cert_chain = sk;
@@ -1028,17 +1026,11 @@ int ssl3_get_server_certificate(SSL *s) {
     goto f_err;
   }
   sc->peer_cert_type = i;
-  /* Why would the following ever happen? We just created sc a couple of lines
-   * ago. */
-  if (sc->peer_pkeys[i].x509 != NULL) {
-    X509_free(sc->peer_pkeys[i].x509);
-  }
+  X509_free(sc->peer_pkeys[i].x509);
   sc->peer_pkeys[i].x509 = X509_up_ref(x);
   sc->peer_key = &(sc->peer_pkeys[i]);
 
-  if (s->session->peer != NULL) {
-    X509_free(s->session->peer);
-  }
+  X509_free(s->session->peer);
   s->session->peer = X509_up_ref(x);
 
   s->session->verify_result = s->verify_result;
@@ -1075,7 +1067,7 @@ int ssl3_get_server_key_exchange(SSL *s) {
    * ServerKeyExchange message may be skipped */
   n = s->method->ssl_get_message(s, SSL3_ST_CR_KEY_EXCH_A,
                                  SSL3_ST_CR_KEY_EXCH_B, -1, s->max_cert_list,
-                                 SSL_GET_MESSAGE_HASH_MESSAGE, &ok);
+                                 ssl_hash_message, &ok);
   if (!ok) {
     return n;
   }
@@ -1096,14 +1088,15 @@ int ssl3_get_server_key_exchange(SSL *s) {
        * initialized |sess_cert|. */
       if (s->session->sess_cert == NULL) {
         s->session->sess_cert = ssl_sess_cert_new();
+        if (s->session->sess_cert == NULL) {
+          return -1;
+        }
       }
 
       /* TODO(davidben): This should be reset in one place with the rest of the
        * handshake state. */
-      if (s->s3->tmp.peer_psk_identity_hint) {
-        OPENSSL_free(s->s3->tmp.peer_psk_identity_hint);
-        s->s3->tmp.peer_psk_identity_hint = NULL;
-      }
+      OPENSSL_free(s->s3->tmp.peer_psk_identity_hint);
+      s->s3->tmp.peer_psk_identity_hint = NULL;
     }
     s->s3->tmp.reuse_message = 1;
     return 1;
@@ -1114,16 +1107,15 @@ int ssl3_get_server_key_exchange(SSL *s) {
   server_key_exchange_orig = server_key_exchange;
 
   if (s->session->sess_cert != NULL) {
-    if (s->session->sess_cert->peer_dh_tmp) {
-      DH_free(s->session->sess_cert->peer_dh_tmp);
-      s->session->sess_cert->peer_dh_tmp = NULL;
-    }
-    if (s->session->sess_cert->peer_ecdh_tmp) {
-      EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
-      s->session->sess_cert->peer_ecdh_tmp = NULL;
-    }
+    DH_free(s->session->sess_cert->peer_dh_tmp);
+    s->session->sess_cert->peer_dh_tmp = NULL;
+    EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
+    s->session->sess_cert->peer_ecdh_tmp = NULL;
   } else {
     s->session->sess_cert = ssl_sess_cert_new();
+    if (s->session->sess_cert == NULL) {
+      return -1;
+    }
   }
 
   alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
@@ -1165,7 +1157,7 @@ int ssl3_get_server_key_exchange(SSL *s) {
     }
   }
 
-  if (alg_k & SSL_kEDH) {
+  if (alg_k & SSL_kDHE) {
     CBS dh_p, dh_g, dh_Ys;
 
     if (!CBS_get_u16_length_prefixed(&server_key_exchange, &dh_p) ||
@@ -1207,10 +1199,9 @@ int ssl3_get_server_key_exchange(SSL *s) {
 
     s->session->sess_cert->peer_dh_tmp = dh;
     dh = NULL;
-  } else if (alg_k & SSL_kEECDH) {
+  } else if (alg_k & SSL_kECDHE) {
     uint16_t curve_id;
     int curve_nid = 0;
-    EC_GROUP *ngroup;
     const EC_GROUP *group;
     CBS point;
 
@@ -1231,20 +1222,12 @@ int ssl3_get_server_key_exchange(SSL *s) {
       goto f_err;
     }
 
-    ecdh = EC_KEY_new();
+    ecdh = EC_KEY_new_by_curve_name(curve_nid);
     if (ecdh == NULL) {
       OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange,
-                        ERR_R_MALLOC_FAILURE);
-      goto err;
-    }
-
-    ngroup = EC_GROUP_new_by_curve_name(curve_nid);
-    if (ngroup == NULL ||
-        EC_KEY_set_group(ecdh, ngroup) == 0) {
-      OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_EC_LIB);
+                        ERR_R_EC_LIB);
       goto err;
     }
-    EC_GROUP_free(ngroup);
 
     group = EC_KEY_get0_group(ecdh);
 
@@ -1362,17 +1345,11 @@ f_err:
   ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
   EVP_PKEY_free(pkey);
-  if (rsa != NULL) {
-    RSA_free(rsa);
-  }
-  if (dh != NULL) {
-    DH_free(dh);
-  }
+  RSA_free(rsa);
+  DH_free(dh);
   BN_CTX_free(bn_ctx);
   EC_POINT_free(srvr_ecpoint);
-  if (ecdh != NULL) {
-    EC_KEY_free(ecdh);
-  }
+  EC_KEY_free(ecdh);
   EVP_MD_CTX_cleanup(&md_ctx);
   return -1;
 }
@@ -1393,7 +1370,7 @@ int ssl3_get_certificate_request(SSL *s) {
 
   n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_REQ_A,
                                  SSL3_ST_CR_CERT_REQ_B, -1, s->max_cert_list,
-                                 SSL_GET_MESSAGE_HASH_MESSAGE, &ok);
+                                 ssl_hash_message, &ok);
 
   if (!ok) {
     return n;
@@ -1419,15 +1396,6 @@ int ssl3_get_certificate_request(SSL *s) {
     goto err;
   }
 
-  /* TLS does not like anon-DH with client cert */
-  if (s->version > SSL3_VERSION &&
-      (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)) {
-    ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
-    OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request,
-                      SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
-    goto err;
-  }
-
   CBS_init(&cbs, s->init_msg, n);
 
   ca_sk = sk_X509_NAME_new(ca_dn_cmp);
@@ -1493,7 +1461,7 @@ int ssl3_get_certificate_request(SSL *s) {
 
     if (!CBS_skip(&distinguished_name, data - CBS_data(&distinguished_name))) {
       ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-      OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, ERR_R_INTERNAL_ERROR);
+      OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, ERR_R_INTERNAL_ERROR);
       goto err;
     }
 
@@ -1513,29 +1481,25 @@ int ssl3_get_certificate_request(SSL *s) {
 
   /* we should setup a certificate to return.... */
   s->s3->tmp.cert_req = 1;
-  if (s->s3->tmp.ca_names != NULL) {
-    sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
-  }
+  sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
   s->s3->tmp.ca_names = ca_sk;
   ca_sk = NULL;
 
   ret = 1;
 
 err:
-  if (ca_sk != NULL) {
-    sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
-  }
+  sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
   return ret;
 }
 
 int ssl3_get_new_session_ticket(SSL *s) {
-  int ok, al, ret = 0;
+  int ok, al;
   long n;
   CBS new_session_ticket, ticket;
 
   n = s->method->ssl_get_message(
       s, SSL3_ST_CR_SESSION_TICKET_A, SSL3_ST_CR_SESSION_TICKET_B,
-      SSL3_MT_NEWSESSION_TICKET, 16384, SSL_GET_MESSAGE_HASH_MESSAGE, &ok);
+      SSL3_MT_NEWSESSION_TICKET, 16384, ssl_hash_message, &ok);
 
   if (!ok) {
     return n;
@@ -1558,21 +1522,15 @@ int ssl3_get_new_session_ticket(SSL *s) {
     goto err;
   }
 
-  /* There are two ways to detect a resumed ticket sesion. One is to set an
-   * appropriate session ID and then the server must return a match in
-   * ServerHello. This allows the normal client session ID matching to work and
-   * we know much earlier that the ticket has been accepted.
-   *
-   * The other way is to set zero length session ID when the ticket is
-   * presented and rely on the handshake to determine session resumption.
-   *
-   * We choose the former approach because this fits in with assumptions
-   * elsewhere in OpenSSL. The session ID is set to the SHA256 (or SHA1 is
-   * SHA256 is disabled) hash of the ticket. */
-  EVP_Digest(CBS_data(&ticket), CBS_len(&ticket), s->session->session_id,
-             &s->session->session_id_length, EVP_sha256(), NULL);
-  ret = 1;
-  return ret;
+  /* Generate a session ID for this session based on the session ticket. We use
+   * the session ID mechanism for detecting ticket resumption. This also fits in
+   * with assumptions elsewhere in OpenSSL.*/
+  if (!EVP_Digest(CBS_data(&ticket), CBS_len(&ticket), s->session->session_id,
+                  &s->session->session_id_length, EVP_sha256(), NULL)) {
+    goto err;
+  }
+
+  return 1;
 
 f_err:
   ssl3_send_alert(s, SSL3_AL_FATAL, al);
@@ -1588,12 +1546,19 @@ int ssl3_get_cert_status(SSL *s) {
 
   n = s->method->ssl_get_message(
       s, SSL3_ST_CR_CERT_STATUS_A, SSL3_ST_CR_CERT_STATUS_B,
-      SSL3_MT_CERTIFICATE_STATUS, 16384, SSL_GET_MESSAGE_HASH_MESSAGE, &ok);
+      -1, 16384, ssl_hash_message, &ok);
 
   if (!ok) {
     return n;
   }
 
+  if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_STATUS) {
+    /* A server may send status_request in ServerHello and then change
+     * its mind about sending CertificateStatus. */
+    s->s3->tmp.reuse_message = 1;
+    return 1;
+  }
+
   CBS_init(&certificate_status, s->init_msg, n);
   if (!CBS_get_u8(&certificate_status, &status_type) ||
       status_type != TLSEXT_STATUSTYPE_ocsp ||
@@ -1625,7 +1590,7 @@ int ssl3_get_server_done(SSL *s) {
   n = s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_DONE_A,
                                  SSL3_ST_CR_SRVR_DONE_B, SSL3_MT_SERVER_DONE,
                                  30, /* should be very small, like 0 :-) */
-                                 SSL_GET_MESSAGE_HASH_MESSAGE, &ok);
+                                 ssl_hash_message, &ok);
 
   if (!ok) {
     return n;
@@ -1645,8 +1610,8 @@ int ssl3_get_server_done(SSL *s) {
 int ssl3_send_client_key_exchange(SSL *s) {
   uint8_t *p;
   int n = 0;
-  unsigned long alg_k;
-  unsigned long alg_a;
+  uint32_t alg_k;
+  uint32_t alg_a;
   uint8_t *q;
   EVP_PKEY *pkey = NULL;
   EC_KEY *clnt_ecdh = NULL;
@@ -1699,10 +1664,7 @@ int ssl3_send_client_key_exchange(SSL *s) {
         goto err;
       }
 
-      if (s->session->psk_identity != NULL) {
-        OPENSSL_free(s->session->psk_identity);
-      }
-
+      OPENSSL_free(s->session->psk_identity);
       s->session->psk_identity = BUF_strdup(identity);
       if (s->session->psk_identity == NULL) {
         OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange,
@@ -1744,9 +1706,7 @@ int ssl3_send_client_key_exchange(SSL *s) {
           pkey->pkey.rsa == NULL) {
         OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange,
                           ERR_R_INTERNAL_ERROR);
-        if (pkey != NULL) {
-          EVP_PKEY_free(pkey);
-        }
+        EVP_PKEY_free(pkey);
         goto err;
       }
 
@@ -1785,7 +1745,7 @@ int ssl3_send_client_key_exchange(SSL *s) {
       if (s->version > SSL3_VERSION) {
         s2n(enc_pms_len, q);
       }
-    } else if (alg_k & SSL_kEDH) {
+    } else if (alg_k & SSL_kDHE) {
       DH *dh_srvr, *dh_clnt;
       SESS_CERT *scert = s->session->sess_cert;
       int dh_len;
@@ -1841,7 +1801,7 @@ int ssl3_send_client_key_exchange(SSL *s) {
       n += 2 + pub_len;
 
       DH_free(dh_clnt);
-    } else if (alg_k & SSL_kEECDH) {
+    } else if (alg_k & SSL_kECDHE) {
       const EC_GROUP *srvr_group = NULL;
       EC_KEY *tkey;
       int field_size = 0, ecdh_len;
@@ -1993,7 +1953,9 @@ int ssl3_send_client_key_exchange(SSL *s) {
 
     /* The message must be added to the finished hash before calculating the
      * master secret. */
-    ssl_set_handshake_header(s, SSL3_MT_CLIENT_KEY_EXCHANGE, n);
+    if (!ssl_set_handshake_header(s, SSL3_MT_CLIENT_KEY_EXCHANGE, n)) {
+      goto err;
+    }
     s->state = SSL3_ST_CW_KEY_EXCH_B;
 
     s->session->master_key_length = s->enc_method->generate_master_secret(
@@ -2007,16 +1969,12 @@ int ssl3_send_client_key_exchange(SSL *s) {
   }
 
   /* SSL3_ST_CW_KEY_EXCH_B */
-  return s->enc_method->do_write(s);
+  return s->method->do_write(s);
 
 err:
   BN_CTX_free(bn_ctx);
-  if (encodedPoint != NULL) {
-    OPENSSL_free(encodedPoint);
-  }
-  if (clnt_ecdh != NULL) {
-    EC_KEY_free(clnt_ecdh);
-  }
+  OPENSSL_free(encodedPoint);
+  EC_KEY_free(clnt_ecdh);
   EVP_PKEY_free(srvr_pub_pkey);
   if (pms) {
     OPENSSL_cleanse(pms, pms_len);
@@ -2089,7 +2047,9 @@ int ssl3_send_cert_verify(SSL *s) {
     s2n(signature_length, p);
     n += signature_length + 2;
 
-    ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_VERIFY, n);
+    if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_VERIFY, n)) {
+      goto err;
+    }
     s->state = SSL3_ST_CW_CERT_VRFY_B;
   }
 
@@ -2156,12 +2116,8 @@ int ssl3_send_client_certificate(SSL *s) {
                         SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
     }
 
-    if (x509 != NULL) {
-      X509_free(x509);
-    }
-    if (pkey != NULL) {
-      EVP_PKEY_free(pkey);
-    }
+    X509_free(x509);
+    EVP_PKEY_free(pkey);
     if (i && !ssl3_has_client_certificate(s)) {
       i = 0;
     }
@@ -2180,8 +2136,10 @@ int ssl3_send_client_certificate(SSL *s) {
   }
 
   if (s->state == SSL3_ST_CW_CERT_C) {
-    s->state = SSL3_ST_CW_CERT_D;
-    ssl3_output_cert_chain(s, (s->s3->tmp.cert_req == 2) ? NULL : s->cert->key);
+    CERT_PKEY *cert_pkey = (s->s3->tmp.cert_req == 2) ? NULL : s->cert->key;
+    if (!ssl3_output_cert_chain(s, cert_pkey)) {
+      return -1;
+    }
   }
 
   /* SSL3_ST_CW_CERT_D */
@@ -2246,7 +2204,7 @@ int ssl3_check_cert_and_algorithm(SSL *s) {
     goto f_err;
   }
 
-  if ((alg_k & SSL_kEDH) &&
+  if ((alg_k & SSL_kDHE) &&
       !(has_bits(i, EVP_PK_DH | EVP_PKT_EXCH) || dh != NULL)) {
     OPENSSL_PUT_ERROR(SSL, ssl3_check_cert_and_algorithm, SSL_R_MISSING_DH_KEY);
     goto f_err;
@@ -2276,7 +2234,9 @@ int ssl3_send_next_proto(SSL *s) {
     memset(p, 0, padding_len);
     p += padding_len;
 
-    ssl_set_handshake_header(s, SSL3_MT_NEXT_PROTO, p - d);
+    if (!ssl_set_handshake_header(s, SSL3_MT_NEXT_PROTO, p - d)) {
+      return -1;
+    }
     s->state = SSL3_ST_CW_NEXT_PROTO_B;
   }
 
@@ -2387,23 +2347,19 @@ int ssl3_send_channel_id(SSL *s) {
     goto err;
   }
 
-  ssl_set_handshake_header(s, SSL3_MT_ENCRYPTED_EXTENSIONS,
-                           2 + 2 + TLSEXT_CHANNEL_ID_SIZE);
+  if (!ssl_set_handshake_header(s, SSL3_MT_ENCRYPTED_EXTENSIONS,
+                                2 + 2 + TLSEXT_CHANNEL_ID_SIZE)) {
+    goto err;
+  }
   s->state = SSL3_ST_CW_CHANNEL_ID_B;
 
   ret = ssl_do_write(s);
 
 err:
   EVP_MD_CTX_cleanup(&md_ctx);
-  if (public_key) {
-    OPENSSL_free(public_key);
-  }
-  if (der_sig) {
-    OPENSSL_free(der_sig);
-  }
-  if (sig) {
-    ECDSA_SIG_free(sig);
-  }
+  OPENSSL_free(public_key);
+  OPENSSL_free(der_sig);
+  ECDSA_SIG_free(sig);
 
   return ret;
 }
diff --git a/src/ssl/s3_enc.c b/src/ssl/s3_enc.c
index 562cb84..fbe68da 100644
--- a/src/ssl/s3_enc.c
+++ b/src/ssl/s3_enc.c
@@ -133,8 +133,9 @@
  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
  * OTHERWISE. */
 
-#include <stdio.h>
 #include <assert.h>
+#include <stdio.h>
+#include <string.h>
 
 #include <openssl/err.h>
 #include <openssl/evp.h>
@@ -142,7 +143,7 @@
 #include <openssl/md5.h>
 #include <openssl/obj.h>
 
-#include "ssl_locl.h"
+#include "internal.h"
 
 
 static const uint8_t ssl3_pad_1[48] = {
@@ -235,12 +236,8 @@ void ssl3_cleanup_key_block(SSL *s) {
 }
 
 int ssl3_init_finished_mac(SSL *s) {
-  if (s->s3->handshake_buffer) {
-    BIO_free(s->s3->handshake_buffer);
-  }
-  if (s->s3->handshake_dgst) {
-    ssl3_free_digest_list(s);
-  }
+  BIO_free(s->s3->handshake_buffer);
+  ssl3_free_digest_list(s);
   s->s3->handshake_buffer = BIO_new(BIO_s_mem());
   if (s->s3->handshake_buffer == NULL) {
     return 0;
@@ -264,12 +261,11 @@ void ssl3_free_digest_list(SSL *s) {
   s->s3->handshake_dgst = NULL;
 }
 
-void ssl3_finish_mac(SSL *s, const uint8_t *buf, int len) {
+int ssl3_finish_mac(SSL *s, const uint8_t *buf, int len) {
   int i;
 
   if (s->s3->handshake_buffer) {
-    BIO_write(s->s3->handshake_buffer, (void *)buf, len);
-    return;
+    return BIO_write(s->s3->handshake_buffer, (void *)buf, len) >= 0;
   }
 
   for (i = 0; i < SSL_MAX_DIGEST; i++) {
@@ -277,12 +273,13 @@ void ssl3_finish_mac(SSL *s, const uint8_t *buf, int len) {
       EVP_DigestUpdate(s->s3->handshake_dgst[i], buf, len);
     }
   }
+  return 1;
 }
 
 int ssl3_digest_cached_records(
     SSL *s, enum should_free_handshake_buffer_t should_free_handshake_buffer) {
   int i;
-  long mask;
+  uint32_t mask;
   const EVP_MD *md;
   const uint8_t *hdata;
   size_t hdatalen;
@@ -303,7 +300,7 @@ int ssl3_digest_cached_records(
   }
 
   /* Loop through bits of algorithm2 field and create MD_CTX-es */
-  for (i = 0; ssl_get_handshake_digest(i, &mask, &md); i++) {
+  for (i = 0; ssl_get_handshake_digest(&mask, &md, i); i++) {
     if ((mask & ssl_get_algorithm2(s)) && md) {
       s->s3->handshake_dgst[i] = EVP_MD_CTX_create();
       if (s->s3->handshake_dgst[i] == NULL) {
@@ -383,7 +380,7 @@ static int ssl3_handshake_mac(SSL *s, int md_nid, const char *sender, int len,
   EVP_MD_CTX_init(&ctx);
   if (!EVP_MD_CTX_copy_ex(&ctx, d)) {
     EVP_MD_CTX_cleanup(&ctx);
-    OPENSSL_PUT_ERROR(SSL, ssl3_generate_key_block, ERR_LIB_EVP);
+    OPENSSL_PUT_ERROR(SSL, ssl3_handshake_mac, ERR_LIB_EVP);
     return 0;
   }
 
@@ -402,7 +399,7 @@ static int ssl3_handshake_mac(SSL *s, int md_nid, const char *sender, int len,
 
   if (!EVP_DigestInit_ex(&ctx, EVP_MD_CTX_md(&ctx), NULL)) {
     EVP_MD_CTX_cleanup(&ctx);
-    OPENSSL_PUT_ERROR(SSL, ssl3_generate_key_block, ERR_LIB_EVP);
+    OPENSSL_PUT_ERROR(SSL, ssl3_handshake_mac, ERR_LIB_EVP);
     return 0;
   }
   EVP_DigestUpdate(&ctx, s->session->master_key, s->session->master_key_length);
@@ -415,15 +412,16 @@ static int ssl3_handshake_mac(SSL *s, int md_nid, const char *sender, int len,
   return ret;
 }
 
-void ssl3_record_sequence_update(uint8_t *seq) {
-  int i;
-
-  for (i = 7; i >= 0; i--) {
+int ssl3_record_sequence_update(uint8_t *seq, size_t seq_len) {
+  size_t i;
+  for (i = seq_len - 1; i < seq_len; i--) {
     ++seq[i];
     if (seq[i] != 0) {
-      break;
+      return 1;
     }
   }
+  OPENSSL_PUT_ERROR(SSL, ssl3_record_sequence_update, ERR_R_OVERFLOW);
+  return 0;
 }
 
 int ssl3_alert_code(int code) {
diff --git a/src/ssl/s3_lib.c b/src/ssl/s3_lib.c
index e0ccedc..674277f 100644
--- a/src/ssl/s3_lib.c
+++ b/src/ssl/s3_lib.c
@@ -148,14 +148,16 @@
 
 #include <assert.h>
 #include <stdio.h>
+#include <string.h>
 
 #include <openssl/buf.h>
 #include <openssl/dh.h>
+#include <openssl/err.h>
 #include <openssl/md5.h>
 #include <openssl/mem.h>
 #include <openssl/obj.h>
 
-#include "ssl_locl.h"
+#include "internal.h"
 
 
 #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER))
@@ -165,77 +167,53 @@ const SSL_CIPHER ssl3_ciphers[] = {
     /* The RSA ciphers */
     /* Cipher 04 */
     {
-     1, SSL3_TXT_RSA_RC4_128_MD5, SSL3_CK_RSA_RC4_128_MD5, SSL_kRSA, SSL_aRSA,
+     SSL3_TXT_RSA_RC4_128_MD5, SSL3_CK_RSA_RC4_128_MD5, SSL_kRSA, SSL_aRSA,
      SSL_RC4, SSL_MD5, SSL_SSLV3, SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
     },
 
     /* Cipher 05 */
     {
-     1, SSL3_TXT_RSA_RC4_128_SHA, SSL3_CK_RSA_RC4_128_SHA, SSL_kRSA, SSL_aRSA,
+     SSL3_TXT_RSA_RC4_128_SHA, SSL3_CK_RSA_RC4_128_SHA, SSL_kRSA, SSL_aRSA,
      SSL_RC4, SSL_SHA1, SSL_SSLV3, SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
     },
 
     /* Cipher 0A */
     {
-     1, SSL3_TXT_RSA_DES_192_CBC3_SHA, SSL3_CK_RSA_DES_192_CBC3_SHA, SSL_kRSA,
+     SSL3_TXT_RSA_DES_192_CBC3_SHA, SSL3_CK_RSA_DES_192_CBC3_SHA, SSL_kRSA,
      SSL_aRSA, SSL_3DES, SSL_SHA1, SSL_SSLV3, SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168,
     },
 
 
-    /* The Ephemeral DH ciphers */
-
-    /* Cipher 18 */
-    {
-     1, SSL3_TXT_ADH_RC4_128_MD5, SSL3_CK_ADH_RC4_128_MD5, SSL_kEDH, SSL_aNULL,
-     SSL_RC4, SSL_MD5, SSL_SSLV3, SSL_MEDIUM,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
-    },
-
-
     /* New AES ciphersuites */
 
     /* Cipher 2F */
     {
-     1, TLS1_TXT_RSA_WITH_AES_128_SHA, TLS1_CK_RSA_WITH_AES_128_SHA, SSL_kRSA,
+     TLS1_TXT_RSA_WITH_AES_128_SHA, TLS1_CK_RSA_WITH_AES_128_SHA, SSL_kRSA,
      SSL_aRSA, SSL_AES128, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
     },
 
     /* Cipher 33 */
     {
-     1, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
-     SSL_kEDH, SSL_aRSA, SSL_AES128, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
-    },
-
-    /* Cipher 34 */
-    {
-     1, TLS1_TXT_ADH_WITH_AES_128_SHA, TLS1_CK_ADH_WITH_AES_128_SHA, SSL_kEDH,
-     SSL_aNULL, SSL_AES128, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
+     TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
+     SSL_kDHE, SSL_aRSA, SSL_AES128, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
     },
 
     /* Cipher 35 */
     {
-     1, TLS1_TXT_RSA_WITH_AES_256_SHA, TLS1_CK_RSA_WITH_AES_256_SHA, SSL_kRSA,
+     TLS1_TXT_RSA_WITH_AES_256_SHA, TLS1_CK_RSA_WITH_AES_256_SHA, SSL_kRSA,
      SSL_aRSA, SSL_AES256, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,
     },
 
     /* Cipher 39 */
     {
-     1, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
-     SSL_kEDH, SSL_aRSA, SSL_AES256, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,
-    },
-
-    /* Cipher 3A */
-    {
-     1, TLS1_TXT_ADH_WITH_AES_256_SHA, TLS1_CK_ADH_WITH_AES_256_SHA, SSL_kEDH,
-     SSL_aNULL, SSL_AES256, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
+     TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
+     SSL_kDHE, SSL_aRSA, SSL_AES256, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,
     },
 
@@ -244,65 +222,51 @@ const SSL_CIPHER ssl3_ciphers[] = {
 
     /* Cipher 3C */
     {
-     1, TLS1_TXT_RSA_WITH_AES_128_SHA256, TLS1_CK_RSA_WITH_AES_128_SHA256,
+     TLS1_TXT_RSA_WITH_AES_128_SHA256, TLS1_CK_RSA_WITH_AES_128_SHA256,
      SSL_kRSA, SSL_aRSA, SSL_AES128, SSL_SHA256, SSL_TLSV1_2,
-     SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
+     SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128,
     },
 
     /* Cipher 3D */
     {
-     1, TLS1_TXT_RSA_WITH_AES_256_SHA256, TLS1_CK_RSA_WITH_AES_256_SHA256,
+     TLS1_TXT_RSA_WITH_AES_256_SHA256, TLS1_CK_RSA_WITH_AES_256_SHA256,
      SSL_kRSA, SSL_aRSA, SSL_AES256, SSL_SHA256, SSL_TLSV1_2,
-     SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,
+     SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256,
     },
 
     /* Cipher 67 */
     {
-     1, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256,
-     TLS1_CK_DHE_RSA_WITH_AES_128_SHA256, SSL_kEDH, SSL_aRSA, SSL_AES128,
+     TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256,
+     TLS1_CK_DHE_RSA_WITH_AES_128_SHA256, SSL_kDHE, SSL_aRSA, SSL_AES128,
      SSL_SHA256, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
+     SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128,
     },
 
     /* Cipher 6B */
     {
-     1, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256,
-     TLS1_CK_DHE_RSA_WITH_AES_256_SHA256, SSL_kEDH, SSL_aRSA, SSL_AES256,
+     TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256,
+     TLS1_CK_DHE_RSA_WITH_AES_256_SHA256, SSL_kDHE, SSL_aRSA, SSL_AES256,
      SSL_SHA256, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,
-    },
-
-    /* Cipher 6C */
-    {
-     1, TLS1_TXT_ADH_WITH_AES_128_SHA256, TLS1_CK_ADH_WITH_AES_128_SHA256,
-     SSL_kEDH, SSL_aNULL, SSL_AES128, SSL_SHA256, SSL_TLSV1_2,
-     SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
-    },
-
-    /* Cipher 6D */
-    {
-     1, TLS1_TXT_ADH_WITH_AES_256_SHA256, TLS1_CK_ADH_WITH_AES_256_SHA256,
-     SSL_kEDH, SSL_aNULL, SSL_AES256, SSL_SHA256, SSL_TLSV1_2,
-     SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,
+     SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256,
     },
 
     /* Cipher 8A */
     {
-     1, TLS1_TXT_PSK_WITH_RC4_128_SHA, TLS1_CK_PSK_WITH_RC4_128_SHA, SSL_kPSK,
+     TLS1_TXT_PSK_WITH_RC4_128_SHA, TLS1_CK_PSK_WITH_RC4_128_SHA, SSL_kPSK,
      SSL_aPSK, SSL_RC4, SSL_SHA1, SSL_TLSV1, SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
     },
 
     /* Cipher 8C */
     {
-     1, TLS1_TXT_PSK_WITH_AES_128_CBC_SHA, TLS1_CK_PSK_WITH_AES_128_CBC_SHA,
+     TLS1_TXT_PSK_WITH_AES_128_CBC_SHA, TLS1_CK_PSK_WITH_AES_128_CBC_SHA,
      SSL_kPSK, SSL_aPSK, SSL_AES128, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
     },
 
     /* Cipher 8D */
     {
-     1, TLS1_TXT_PSK_WITH_AES_256_CBC_SHA, TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
+     TLS1_TXT_PSK_WITH_AES_256_CBC_SHA, TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
      SSL_kPSK, SSL_aPSK, SSL_AES256, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,
     },
@@ -312,7 +276,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
 
     /* Cipher 9C */
     {
-     1, TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
+     TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
      TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, SSL_kRSA, SSL_aRSA, SSL_AES128GCM,
      SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256 | SSL_CIPHER_ALGORITHM2_AEAD |
@@ -322,7 +286,7 @@ const SSL_CIPHER ssl3_ciphers[] = {
 
     /* Cipher 9D */
     {
-     1, TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
+     TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
      TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, SSL_kRSA, SSL_aRSA, SSL_AES256GCM,
      SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384 | SSL_CIPHER_ALGORITHM2_AEAD |
@@ -332,8 +296,8 @@ const SSL_CIPHER ssl3_ciphers[] = {
 
     /* Cipher 9E */
     {
-     1, TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256,
-     TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_kEDH, SSL_aRSA, SSL_AES128GCM,
+     TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256,
+     TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_kDHE, SSL_aRSA, SSL_AES128GCM,
      SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256 | SSL_CIPHER_ALGORITHM2_AEAD |
          SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
@@ -342,28 +306,8 @@ const SSL_CIPHER ssl3_ciphers[] = {
 
     /* Cipher 9F */
     {
-     1, TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384,
-     TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_kEDH, SSL_aRSA, SSL_AES256GCM,
-     SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
-     SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384 | SSL_CIPHER_ALGORITHM2_AEAD |
-         SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
-     256, 256,
-    },
-
-    /* Cipher A6 */
-    {
-     1, TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256,
-     TLS1_CK_ADH_WITH_AES_128_GCM_SHA256, SSL_kEDH, SSL_aNULL, SSL_AES128GCM,
-     SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
-     SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256 | SSL_CIPHER_ALGORITHM2_AEAD |
-         SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
-     128, 128,
-    },
-
-    /* Cipher A7 */
-    {
-     1, TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384,
-     TLS1_CK_ADH_WITH_AES_256_GCM_SHA384, SSL_kEDH, SSL_aNULL, SSL_AES256GCM,
+     TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384,
+     TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_kDHE, SSL_aRSA, SSL_AES256GCM,
      SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384 | SSL_CIPHER_ALGORITHM2_AEAD |
          SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
@@ -372,70 +316,47 @@ const SSL_CIPHER ssl3_ciphers[] = {
 
     /* Cipher C007 */
     {
-     1, TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
-     TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_kEECDH, SSL_aECDSA, SSL_RC4,
+     TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
+     TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_kECDHE, SSL_aECDSA, SSL_RC4,
      SSL_SHA1, SSL_TLSV1, SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128,
      128,
     },
 
     /* Cipher C009 */
     {
-     1, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-     TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_kEECDH, SSL_aECDSA,
+     TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+     TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDHE, SSL_aECDSA,
      SSL_AES128, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
     },
 
     /* Cipher C00A */
     {
-     1, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-     TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_kEECDH, SSL_aECDSA,
+     TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+     TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDHE, SSL_aECDSA,
      SSL_AES256, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,
     },
 
     /* Cipher C011 */
     {
-     1, TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA, TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA,
-     SSL_kEECDH, SSL_aRSA, SSL_RC4, SSL_SHA1, SSL_TLSV1, SSL_MEDIUM,
+     TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA, TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA,
+     SSL_kECDHE, SSL_aRSA, SSL_RC4, SSL_SHA1, SSL_TLSV1, SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
     },
 
     /* Cipher C013 */
     {
-     1, TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-     TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_kEECDH, SSL_aRSA, SSL_AES128,
+     TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+     TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_kECDHE, SSL_aRSA, SSL_AES128,
      SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
     },
 
     /* Cipher C014 */
     {
-     1, TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-     TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_kEECDH, SSL_aRSA, SSL_AES256,
-     SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,
-    },
-
-    /* Cipher C016 */
-    {
-     1, TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA, TLS1_CK_ECDH_anon_WITH_RC4_128_SHA,
-     SSL_kEECDH, SSL_aNULL, SSL_RC4, SSL_SHA1, SSL_TLSV1, SSL_MEDIUM,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
-    },
-
-    /* Cipher C018 */
-    {
-     1, TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA,
-     TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA, SSL_kEECDH, SSL_aNULL, SSL_AES128,
-     SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
-    },
-
-    /* Cipher C019 */
-    {
-     1, TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA,
-     TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA, SSL_kEECDH, SSL_aNULL, SSL_AES256,
+     TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+     TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_kECDHE, SSL_aRSA, SSL_AES256,
      SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,
     },
@@ -445,32 +366,32 @@ const SSL_CIPHER ssl3_ciphers[] = {
 
     /* Cipher C023 */
     {
-     1, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
-     TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256, SSL_kEECDH, SSL_aECDSA,
+     TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
+     TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256, SSL_kECDHE, SSL_aECDSA,
      SSL_AES128, SSL_SHA256, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128,
     },
 
     /* Cipher C024 */
     {
-     1, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
-     TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384, SSL_kEECDH, SSL_aECDSA,
+     TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
+     TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384, SSL_kECDHE, SSL_aECDSA,
      SSL_AES256, SSL_SHA384, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, 256,
     },
 
     /* Cipher C027 */
     {
-     1, TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,
-     TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, SSL_kEECDH, SSL_aRSA, SSL_AES128,
+     TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,
+     TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, SSL_kECDHE, SSL_aRSA, SSL_AES128,
      SSL_SHA256, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128,
     },
 
     /* Cipher C028 */
     {
-     1, TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
-     TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, SSL_kEECDH, SSL_aRSA, SSL_AES256,
+     TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
+     TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, SSL_kECDHE, SSL_aRSA, SSL_AES256,
      SSL_SHA384, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, 256,
     },
@@ -480,8 +401,8 @@ const SSL_CIPHER ssl3_ciphers[] = {
 
     /* Cipher C02B */
     {
-     1, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-     TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_kEECDH, SSL_aECDSA,
+     TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+     TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_kECDHE, SSL_aECDSA,
      SSL_AES128GCM, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256 | SSL_CIPHER_ALGORITHM2_AEAD |
          SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
@@ -490,8 +411,8 @@ const SSL_CIPHER ssl3_ciphers[] = {
 
     /* Cipher C02C */
     {
-     1, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-     TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_kEECDH, SSL_aECDSA,
+     TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+     TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_kECDHE, SSL_aECDSA,
      SSL_AES256GCM, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384 | SSL_CIPHER_ALGORITHM2_AEAD |
          SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
@@ -500,8 +421,8 @@ const SSL_CIPHER ssl3_ciphers[] = {
 
     /* Cipher C02F */
     {
-     1, TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-     TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_kEECDH, SSL_aRSA,
+     TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+     TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_kECDHE, SSL_aRSA,
      SSL_AES128GCM, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256 | SSL_CIPHER_ALGORITHM2_AEAD |
          SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
@@ -510,8 +431,8 @@ const SSL_CIPHER ssl3_ciphers[] = {
 
     /* Cipher C030 */
     {
-     1, TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-     TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_kEECDH, SSL_aRSA,
+     TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+     TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_kECDHE, SSL_aRSA,
      SSL_AES256GCM, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384 | SSL_CIPHER_ALGORITHM2_AEAD |
          SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
@@ -523,8 +444,8 @@ const SSL_CIPHER ssl3_ciphers[] = {
 
     /* Cipher CAFE */
     {
-     1, TLS1_TXT_ECDHE_PSK_WITH_AES_128_GCM_SHA256,
-     TLS1_CK_ECDHE_PSK_WITH_AES_128_GCM_SHA256, SSL_kEECDH, SSL_aPSK,
+     TLS1_TXT_ECDHE_PSK_WITH_AES_128_GCM_SHA256,
+     TLS1_CK_ECDHE_PSK_WITH_AES_128_GCM_SHA256, SSL_kECDHE, SSL_aPSK,
      SSL_AES128GCM, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256 | SSL_CIPHER_ALGORITHM2_AEAD |
          SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
@@ -532,24 +453,24 @@ const SSL_CIPHER ssl3_ciphers[] = {
     },
 
     {
-     1, TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305,
-     TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, SSL_kEECDH, SSL_aRSA,
+     TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+     TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, SSL_kECDHE, SSL_aRSA,
      SSL_CHACHA20POLY1305, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256 | SSL_CIPHER_ALGORITHM2_AEAD,
      256, 0,
     },
 
     {
-     1, TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
-     TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, SSL_kEECDH, SSL_aECDSA,
+     TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+     TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, SSL_kECDHE, SSL_aECDSA,
      SSL_CHACHA20POLY1305, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256 | SSL_CIPHER_ALGORITHM2_AEAD,
      256, 0,
     },
 
     {
-     1, TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305,
-     TLS1_CK_DHE_RSA_CHACHA20_POLY1305, SSL_kEDH, SSL_aRSA,
+     TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305,
+     TLS1_CK_DHE_RSA_CHACHA20_POLY1305, SSL_kDHE, SSL_aRSA,
      SSL_CHACHA20POLY1305, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256 | SSL_CIPHER_ALGORITHM2_AEAD,
      256, 0,
@@ -563,27 +484,22 @@ const SSL3_ENC_METHOD SSLv3_enc_data = {
     tls1_generate_master_secret,
     tls1_change_cipher_state,
     ssl3_final_finish_mac,
-    MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
     ssl3_cert_verify_mac,
     SSL3_MD_CLIENT_FINISHED_CONST, 4,
     SSL3_MD_SERVER_FINISHED_CONST, 4,
     ssl3_alert_code,
-    (int (*)(SSL *, uint8_t *, size_t, const char *, size_t, const uint8_t *,
-             size_t, int use_context)) ssl_undefined_function,
+    tls1_export_keying_material,
     0,
-    SSL3_HM_HEADER_LENGTH,
-    ssl3_set_handshake_header,
-    ssl3_handshake_write,
 };
 
-int ssl3_num_ciphers(void) { return SSL3_NUM_CIPHERS; }
+size_t ssl3_num_ciphers(void) { return SSL3_NUM_CIPHERS; }
 
-const SSL_CIPHER *ssl3_get_cipher(unsigned int u) {
-  if (u >= SSL3_NUM_CIPHERS) {
+const SSL_CIPHER *ssl3_get_cipher(size_t i) {
+  if (i >= SSL3_NUM_CIPHERS) {
     return NULL;
   }
 
-  return &ssl3_ciphers[SSL3_NUM_CIPHERS - 1 - u];
+  return &ssl3_ciphers[SSL3_NUM_CIPHERS - 1 - i];
 }
 
 int ssl3_pending(const SSL *s) {
@@ -595,7 +511,7 @@ int ssl3_pending(const SSL *s) {
                                                         : 0;
 }
 
-void ssl3_set_handshake_header(SSL *s, int htype, unsigned long len) {
+int ssl3_set_handshake_header(SSL *s, int htype, unsigned long len) {
   uint8_t *p = (uint8_t *)s->init_buf->data;
   *(p++) = htype;
   l2n3(len, p);
@@ -603,7 +519,7 @@ void ssl3_set_handshake_header(SSL *s, int htype, unsigned long len) {
   s->init_off = 0;
 
   /* Add the message to the handshake hash. */
-  ssl3_finish_mac(s, (uint8_t *)s->init_buf->data, s->init_num);
+  return ssl3_finish_mac(s, (uint8_t *)s->init_buf->data, s->init_num);
 }
 
 int ssl3_handshake_write(SSL *s) { return ssl3_do_write(s, SSL3_RT_HANDSHAKE); }
@@ -637,47 +553,21 @@ void ssl3_free(SSL *s) {
     return;
   }
 
-  if (s->s3->sniff_buffer != NULL) {
-    BUF_MEM_free(s->s3->sniff_buffer);
-  }
+  BUF_MEM_free(s->s3->sniff_buffer);
   ssl3_cleanup_key_block(s);
-  if (s->s3->rbuf.buf != NULL) {
-    ssl3_release_read_buffer(s);
-  }
-  if (s->s3->wbuf.buf != NULL) {
-    ssl3_release_write_buffer(s);
-  }
-  if (s->s3->tmp.dh != NULL) {
-    DH_free(s->s3->tmp.dh);
-  }
-  if (s->s3->tmp.ecdh != NULL) {
-    EC_KEY_free(s->s3->tmp.ecdh);
-  }
-
-  if (s->s3->tmp.ca_names != NULL) {
-    sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
-  }
-  if (s->s3->tmp.certificate_types != NULL) {
-    OPENSSL_free(s->s3->tmp.certificate_types);
-  }
-  if (s->s3->tmp.peer_ecpointformatlist) {
-    OPENSSL_free(s->s3->tmp.peer_ecpointformatlist);
-  }
-  if (s->s3->tmp.peer_ellipticcurvelist) {
-    OPENSSL_free(s->s3->tmp.peer_ellipticcurvelist);
-  }
-  if (s->s3->tmp.peer_psk_identity_hint) {
-    OPENSSL_free(s->s3->tmp.peer_psk_identity_hint);
-  }
-  if (s->s3->handshake_buffer) {
-    BIO_free(s->s3->handshake_buffer);
-  }
-  if (s->s3->handshake_dgst) {
-    ssl3_free_digest_list(s);
-  }
-  if (s->s3->alpn_selected) {
-    OPENSSL_free(s->s3->alpn_selected);
-  }
+  ssl3_release_read_buffer(s);
+  ssl3_release_write_buffer(s);
+  DH_free(s->s3->tmp.dh);
+  EC_KEY_free(s->s3->tmp.ecdh);
+
+  sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
+  OPENSSL_free(s->s3->tmp.certificate_types);
+  OPENSSL_free(s->s3->tmp.peer_ecpointformatlist);
+  OPENSSL_free(s->s3->tmp.peer_ellipticcurvelist);
+  OPENSSL_free(s->s3->tmp.peer_psk_identity_hint);
+  BIO_free(s->s3->handshake_buffer);
+  ssl3_free_digest_list(s);
+  OPENSSL_free(s->s3->alpn_selected);
 
   OPENSSL_cleanse(s->s3, sizeof *s->s3);
   OPENSSL_free(s->s3);
@@ -686,145 +576,139 @@ void ssl3_free(SSL *s) {
 
 static int ssl3_set_req_cert_type(CERT *c, const uint8_t *p, size_t len);
 
-long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) {
-  int ret = 0;
+int SSL_session_reused(const SSL *ssl) {
+  return ssl->hit;
+}
 
-  if (cmd == SSL_CTRL_SET_TMP_RSA || cmd == SSL_CTRL_SET_TMP_RSA_CB ||
-      cmd == SSL_CTRL_SET_TMP_DH || cmd == SSL_CTRL_SET_TMP_DH_CB) {
-    if (!ssl_cert_inst(&s->cert)) {
-      OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_MALLOC_FAILURE);
-      return 0;
-    }
-  }
+int SSL_total_renegotiations(const SSL *ssl) {
+  return ssl->s3->total_renegotiations;
+}
 
-  switch (cmd) {
-    case SSL_CTRL_GET_SESSION_REUSED:
-      ret = s->hit;
-      break;
+int SSL_num_renegotiations(const SSL *ssl) {
+  return SSL_total_renegotiations(ssl);
+}
 
-    case SSL_CTRL_GET_CLIENT_CERT_REQUEST:
-      break;
+int SSL_CTX_need_tmp_RSA(const SSL_CTX *ctx) {
+  return 0;
+}
 
-    case SSL_CTRL_GET_NUM_RENEGOTIATIONS:
-      ret = s->s3->num_renegotiations;
-      break;
+int SSL_need_rsa(const SSL *ssl) {
+  return 0;
+}
 
-    case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS:
-      ret = s->s3->num_renegotiations;
-      s->s3->num_renegotiations = 0;
-      break;
+int SSL_CTX_set_tmp_rsa(SSL_CTX *ctx, const RSA *rsa) {
+  return 1;
+}
 
-    case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS:
-      ret = s->s3->total_renegotiations;
-      break;
+int SSL_set_tmp_rsa(SSL *ssl, const RSA *rsa) {
+  return 1;
+}
 
-    case SSL_CTRL_GET_FLAGS:
-      ret = (int)(s->s3->flags);
-      break;
+int SSL_CTX_set_tmp_dh(SSL_CTX *ctx, const DH *dh) {
+  DH_free(ctx->cert->dh_tmp);
+  ctx->cert->dh_tmp = DHparams_dup(dh);
+  if (ctx->cert->dh_tmp == NULL) {
+    OPENSSL_PUT_ERROR(SSL, SSL_CTX_set_tmp_dh, ERR_R_DH_LIB);
+    return 0;
+  }
+  return 1;
+}
 
-    case SSL_CTRL_NEED_TMP_RSA:
-      /* Temporary RSA keys are never used. */
-      ret = 0;
-      break;
+int SSL_set_tmp_dh(SSL *ssl, const DH *dh) {
+  DH_free(ssl->cert->dh_tmp);
+  ssl->cert->dh_tmp = DHparams_dup(dh);
+  if (ssl->cert->dh_tmp == NULL) {
+    OPENSSL_PUT_ERROR(SSL, SSL_set_tmp_dh, ERR_R_DH_LIB);
+    return 0;
+  }
+  return 1;
+}
 
-    case SSL_CTRL_SET_TMP_RSA:
-      /* Temporary RSA keys are never used. */
-      OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-      break;
+int SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, const EC_KEY *ec_key) {
+  if (ec_key == NULL || EC_KEY_get0_group(ec_key) == NULL) {
+    OPENSSL_PUT_ERROR(SSL, SSL_CTX_set_tmp_ecdh, ERR_R_PASSED_NULL_PARAMETER);
+    return 0;
+  }
+  ctx->cert->ecdh_nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key));
+  return 1;
+}
 
-    case SSL_CTRL_SET_TMP_RSA_CB:
-      OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-      return ret;
+int SSL_set_tmp_ecdh(SSL *ssl, const EC_KEY *ec_key) {
+  if (ec_key == NULL || EC_KEY_get0_group(ec_key) == NULL) {
+    OPENSSL_PUT_ERROR(SSL, SSL_set_tmp_ecdh, ERR_R_PASSED_NULL_PARAMETER);
+    return 0;
+  }
+  ssl->cert->ecdh_nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key));
+  return 1;
+}
 
-    case SSL_CTRL_SET_TMP_DH: {
-      DH *dh = (DH *)parg;
-      if (dh == NULL) {
-        OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_PASSED_NULL_PARAMETER);
-        return ret;
-      }
-      dh = DHparams_dup(dh);
-      if (dh == NULL) {
-        OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_DH_LIB);
-        return ret;
-      }
-      if (!(s->options & SSL_OP_SINGLE_DH_USE) && !DH_generate_key(dh)) {
-        DH_free(dh);
-        OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_DH_LIB);
-        return ret;
-      }
-      if (s->cert->dh_tmp != NULL) {
-        DH_free(s->cert->dh_tmp);
-      }
-      s->cert->dh_tmp = dh;
-      ret = 1;
-      break;
-    }
+int SSL_CTX_enable_tls_channel_id(SSL_CTX *ctx) {
+  ctx->tlsext_channel_id_enabled = 1;
+  return 1;
+}
 
-    case SSL_CTRL_SET_TMP_DH_CB:
-      OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-      return ret;
+int SSL_enable_tls_channel_id(SSL *ssl) {
+  ssl->tlsext_channel_id_enabled = 1;
+  return 1;
+}
 
-    case SSL_CTRL_SET_TMP_ECDH: {
-      EC_KEY *ecdh = NULL;
+int SSL_CTX_set1_tls_channel_id(SSL_CTX *ctx, EVP_PKEY *private_key) {
+  ctx->tlsext_channel_id_enabled = 1;
+  if (EVP_PKEY_id(private_key) != EVP_PKEY_EC ||
+      EVP_PKEY_bits(private_key) != 256) {
+    OPENSSL_PUT_ERROR(SSL, SSL_CTX_set1_tls_channel_id,
+                      SSL_R_CHANNEL_ID_NOT_P256);
+    return 0;
+  }
+  EVP_PKEY_free(ctx->tlsext_channel_id_private);
+  ctx->tlsext_channel_id_private = EVP_PKEY_up_ref(private_key);
+  return 1;
+}
 
-      if (parg == NULL) {
-        OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_PASSED_NULL_PARAMETER);
-        return ret;
-      }
-      if (!EC_KEY_up_ref((EC_KEY *)parg)) {
-        OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_ECDH_LIB);
-        return ret;
-      }
-      ecdh = (EC_KEY *)parg;
-      if (!(s->options & SSL_OP_SINGLE_ECDH_USE) && !EC_KEY_generate_key(ecdh)) {
-        EC_KEY_free(ecdh);
-        OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_ECDH_LIB);
-        return ret;
-      }
-      if (s->cert->ecdh_tmp != NULL) {
-        EC_KEY_free(s->cert->ecdh_tmp);
-      }
-      s->cert->ecdh_tmp = ecdh;
-      ret = 1;
-      break;
-    }
+int SSL_set1_tls_channel_id(SSL *ssl, EVP_PKEY *private_key) {
+  ssl->tlsext_channel_id_enabled = 1;
+  if (EVP_PKEY_id(private_key) != EVP_PKEY_EC ||
+      EVP_PKEY_bits(private_key) != 256) {
+    OPENSSL_PUT_ERROR(SSL, SSL_set1_tls_channel_id, SSL_R_CHANNEL_ID_NOT_P256);
+    return 0;
+  }
+  EVP_PKEY_free(ssl->tlsext_channel_id_private);
+  ssl->tlsext_channel_id_private = EVP_PKEY_up_ref(private_key);
+  return 1;
+}
 
-    case SSL_CTRL_SET_TMP_ECDH_CB:
-      OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-      return ret;
+size_t SSL_get_tls_channel_id(SSL *ssl, uint8_t *out, size_t max_out) {
+  if (!ssl->s3->tlsext_channel_id_valid) {
+    return 0;
+  }
+  memcpy(out, ssl->s3->tlsext_channel_id, (max_out < 64) ? max_out : 64);
+  return 64;
+}
 
-    case SSL_CTRL_SET_TLSEXT_HOSTNAME:
-      if (larg == TLSEXT_NAMETYPE_host_name) {
-        if (s->tlsext_hostname != NULL) {
-          OPENSSL_free(s->tlsext_hostname);
-        }
-        s->tlsext_hostname = NULL;
+int SSL_set_tlsext_host_name(SSL *ssl, const char *name) {
+  OPENSSL_free(ssl->tlsext_hostname);
+  ssl->tlsext_hostname = NULL;
 
-        ret = 1;
-        if (parg == NULL) {
-          break;
-        }
-        if (strlen((char *)parg) > TLSEXT_MAXLEN_host_name) {
-          OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, SSL_R_SSL3_EXT_INVALID_SERVERNAME);
-          return 0;
-        }
-        s->tlsext_hostname = BUF_strdup((char *) parg);
-        if (s->tlsext_hostname == NULL) {
-          OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_INTERNAL_ERROR);
-          return 0;
-        }
-      } else {
-        OPENSSL_PUT_ERROR(SSL, ssl3_ctrl,
-                          SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE);
-        return 0;
-      }
-      break;
+  if (name == NULL) {
+    return 1;
+  }
+  if (strlen(name) > TLSEXT_MAXLEN_host_name) {
+    OPENSSL_PUT_ERROR(SSL, SSL_set_tlsext_host_name,
+                      SSL_R_SSL3_EXT_INVALID_SERVERNAME);
+    return 0;
+  }
+  ssl->tlsext_hostname = BUF_strdup(name);
+  if (ssl->tlsext_hostname == NULL) {
+    OPENSSL_PUT_ERROR(SSL, SSL_set_tlsext_host_name, ERR_R_MALLOC_FAILURE);
+    return 0;
+  }
+  return 1;
+}
 
-    case SSL_CTRL_SET_TLSEXT_DEBUG_ARG:
-      s->tlsext_debug_arg = parg;
-      ret = 1;
-      break;
+long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) {
+  int ret = 0;
 
+  switch (cmd) {
     case SSL_CTRL_CHAIN:
       if (larg) {
         return ssl_cert_set1_chain(s->cert, (STACK_OF(X509) *)parg);
@@ -870,10 +754,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) {
       return tls1_set_curves(&s->tlsext_ellipticcurvelist,
                              &s->tlsext_ellipticcurvelist_length, parg, larg);
 
-    case SSL_CTRL_SET_ECDH_AUTO:
-      s->cert->ecdh_tmp_auto = larg;
-      return 1;
-
     case SSL_CTRL_SET_SIGALGS:
       return tls1_set_sigalgs(s->cert, parg, larg, 0);
 
@@ -943,65 +823,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) {
       return (int)s->s3->tmp.peer_ecpointformatlist_length;
     }
 
-    case SSL_CTRL_CHANNEL_ID:
-      s->tlsext_channel_id_enabled = 1;
-      ret = 1;
-      break;
-
-    case SSL_CTRL_SET_CHANNEL_ID:
-      s->tlsext_channel_id_enabled = 1;
-      if (EVP_PKEY_bits(parg) != 256) {
-        OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, SSL_R_CHANNEL_ID_NOT_P256);
-        break;
-      }
-      if (s->tlsext_channel_id_private) {
-        EVP_PKEY_free(s->tlsext_channel_id_private);
-      }
-      s->tlsext_channel_id_private = EVP_PKEY_dup((EVP_PKEY *)parg);
-      ret = 1;
-      break;
-
-    case SSL_CTRL_GET_CHANNEL_ID:
-      if (!s->s3->tlsext_channel_id_valid) {
-        break;
-      }
-      memcpy(parg, s->s3->tlsext_channel_id, larg < 64 ? larg : 64);
-      return 64;
-
-    default:
-      break;
-  }
-
-  return ret;
-}
-
-long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) {
-  int ret = 0;
-
-  if ((cmd == SSL_CTRL_SET_TMP_RSA_CB || cmd == SSL_CTRL_SET_TMP_DH_CB) &&
-      !ssl_cert_inst(&s->cert)) {
-    OPENSSL_PUT_ERROR(SSL, ssl3_callback_ctrl, ERR_R_MALLOC_FAILURE);
-    return 0;
-  }
-
-  switch (cmd) {
-    case SSL_CTRL_SET_TMP_RSA_CB:
-      /* Ignore the callback; temporary RSA keys are never used. */
-      break;
-
-    case SSL_CTRL_SET_TMP_DH_CB:
-      s->cert->dh_tmp_cb = (DH * (*)(SSL *, int, int))fp;
-      break;
-
-    case SSL_CTRL_SET_TMP_ECDH_CB:
-      s->cert->ecdh_tmp_cb = (EC_KEY * (*)(SSL *, int, int))fp;
-      break;
-
-    case SSL_CTRL_SET_TLSEXT_DEBUG_CB:
-      s->tlsext_debug_cb =
-          (void (*)(SSL *, int, int, uint8_t *, int, void *))fp;
-      break;
-
     default:
       break;
   }
@@ -1010,82 +831,7 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) {
 }
 
 long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) {
-  CERT *cert;
-
-  cert = ctx->cert;
-
   switch (cmd) {
-    case SSL_CTRL_NEED_TMP_RSA:
-      /* Temporary RSA keys are never used. */
-      return 0;
-
-    case SSL_CTRL_SET_TMP_RSA:
-      OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-      return 0;
-
-    case SSL_CTRL_SET_TMP_RSA_CB:
-      OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-      return 0;
-
-    case SSL_CTRL_SET_TMP_DH: {
-      DH *new = NULL, *dh;
-
-      dh = (DH *)parg;
-      new = DHparams_dup(dh);
-      if (new == NULL) {
-        OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_DH_LIB);
-        return 0;
-      }
-      if (!(ctx->options & SSL_OP_SINGLE_DH_USE) && !DH_generate_key(new)) {
-        OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_DH_LIB);
-        DH_free(new);
-        return 0;
-      }
-      if (cert->dh_tmp != NULL) {
-        DH_free(cert->dh_tmp);
-      }
-      cert->dh_tmp = new;
-      return 1;
-    }
-
-    case SSL_CTRL_SET_TMP_DH_CB:
-      OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-      return 0;
-
-    case SSL_CTRL_SET_TMP_ECDH: {
-      EC_KEY *ecdh = NULL;
-
-      if (parg == NULL) {
-        OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_ECDH_LIB);
-        return 0;
-      }
-      ecdh = EC_KEY_dup((EC_KEY *)parg);
-      if (ecdh == NULL) {
-        OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_EC_LIB);
-        return 0;
-      }
-      if (!(ctx->options & SSL_OP_SINGLE_ECDH_USE) &&
-          !EC_KEY_generate_key(ecdh)) {
-        EC_KEY_free(ecdh);
-        OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_ECDH_LIB);
-        return 0;
-      }
-
-      if (cert->ecdh_tmp != NULL) {
-        EC_KEY_free(cert->ecdh_tmp);
-      }
-      cert->ecdh_tmp = ecdh;
-      return 1;
-    }
-
-    case SSL_CTRL_SET_TMP_ECDH_CB:
-      OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-      return 0;
-
-    case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG:
-      ctx->tlsext_servername_arg = parg;
-      break;
-
     case SSL_CTRL_SET_TLSEXT_TICKET_KEYS:
     case SSL_CTRL_GET_TLSEXT_TICKET_KEYS: {
       uint8_t *keys = parg;
@@ -1108,19 +854,10 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) {
       return 1;
     }
 
-    case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG:
-      ctx->tlsext_status_arg = parg;
-      return 1;
-      break;
-
     case SSL_CTRL_SET_CURVES:
       return tls1_set_curves(&ctx->tlsext_ellipticcurvelist,
                              &ctx->tlsext_ellipticcurvelist_length, parg, larg);
 
-    case SSL_CTRL_SET_ECDH_AUTO:
-      ctx->cert->ecdh_tmp_auto = larg;
-      return 1;
-
     case SSL_CTRL_SET_SIGALGS:
       return tls1_set_sigalgs(ctx->cert, parg, larg, 0);
 
@@ -1158,10 +895,8 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) {
       break;
 
     case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS:
-      if (ctx->extra_certs) {
-        sk_X509_pop_free(ctx->extra_certs, X509_free);
-        ctx->extra_certs = NULL;
-      }
+      sk_X509_pop_free(ctx->extra_certs, X509_free);
+      ctx->extra_certs = NULL;
       break;
 
     case SSL_CTRL_CHAIN:
@@ -1185,22 +920,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) {
     case SSL_CTRL_SELECT_CURRENT_CERT:
       return ssl_cert_select_current(ctx->cert, (X509 *)parg);
 
-    case SSL_CTRL_CHANNEL_ID:
-      ctx->tlsext_channel_id_enabled = 1;
-      return 1;
-
-    case SSL_CTRL_SET_CHANNEL_ID:
-      ctx->tlsext_channel_id_enabled = 1;
-      if (EVP_PKEY_bits(parg) != 256) {
-        OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, SSL_R_CHANNEL_ID_NOT_P256);
-        break;
-      }
-      if (ctx->tlsext_channel_id_private) {
-        EVP_PKEY_free(ctx->tlsext_channel_id_private);
-      }
-      ctx->tlsext_channel_id_private = EVP_PKEY_dup((EVP_PKEY *)parg);
-      break;
-
     default:
       return 0;
   }
@@ -1208,41 +927,22 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) {
   return 1;
 }
 
-long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) {
-  CERT *cert;
-
-  cert = ctx->cert;
-
-  switch (cmd) {
-    case SSL_CTRL_SET_TMP_RSA_CB:
-      /* Ignore the callback; temporary RSA keys are never used. */
-      break;
-
-    case SSL_CTRL_SET_TMP_DH_CB:
-      cert->dh_tmp_cb = (DH * (*)(SSL *, int, int))fp;
-      break;
-
-    case SSL_CTRL_SET_TMP_ECDH_CB:
-      cert->ecdh_tmp_cb = (EC_KEY * (*)(SSL *, int, int))fp;
-      break;
-
-    case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB:
-      ctx->tlsext_servername_callback = (int (*)(SSL *, int *, void *))fp;
-      break;
-
-    case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB:
-      ctx->tlsext_status_cb = (int (*)(SSL *, void *))fp;
-      break;
-
-    case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB:
-      ctx->tlsext_ticket_key_cb = (int (
-          *)(SSL *, uint8_t *, uint8_t *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp;
-      break;
+int SSL_CTX_set_tlsext_servername_callback(
+    SSL_CTX *ctx, int (*callback)(SSL *ssl, int *out_alert, void *arg)) {
+  ctx->tlsext_servername_callback = callback;
+  return 1;
+}
 
-    default:
-      return 0;
-  }
+int SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg) {
+  ctx->tlsext_servername_arg = arg;
+  return 1;
+}
 
+int SSL_CTX_set_tlsext_ticket_key_cb(
+    SSL_CTX *ctx, int (*callback)(SSL *ssl, uint8_t *key_name, uint8_t *iv,
+                                  EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx,
+                                  int encrypt)) {
+  ctx->tlsext_ticket_key_cb = callback;
   return 1;
 }
 
@@ -1261,7 +961,7 @@ const SSL_CIPHER *ssl3_get_cipher_by_value(uint16_t value) {
 
 /* ssl3_get_cipher_by_value returns the cipher value of |c|. */
 uint16_t ssl3_get_cipher_value(const SSL_CIPHER *c) {
-  unsigned long id = c->id;
+  uint32_t id = c->id;
   /* All ciphers are SSLv3 now. */
   assert((id & 0xff000000) == 0x03000000);
   return id & 0xffff;
@@ -1285,14 +985,14 @@ struct ssl_cipher_preference_list_st *ssl_get_cipher_preferences(SSL *s) {
 }
 
 const SSL_CIPHER *ssl3_choose_cipher(
-    SSL *s, STACK_OF(SSL_CIPHER) * clnt,
+    SSL *s, STACK_OF(SSL_CIPHER) *clnt,
     struct ssl_cipher_preference_list_st *server_pref) {
   const SSL_CIPHER *c, *ret = NULL;
   STACK_OF(SSL_CIPHER) *srvr = server_pref->ciphers, *prio, *allow;
   size_t i;
   int ok;
   size_t cipher_index;
-  unsigned long alg_k, alg_a, mask_k, mask_a;
+  uint32_t alg_k, alg_a, mask_k, mask_a;
   /* in_group_flags will either be NULL, or will point to an array of bytes
    * which indicate equal-preference groups in the |prio| stack. See the
    * comment about |in_group_flags| in the |ssl_cipher_preference_list_st|
@@ -1389,7 +1089,7 @@ int ssl3_get_req_cert_type(SSL *s, uint8_t *p) {
   }
 
   /* ECDSA certs can be used with RSA cipher suites as well so we don't need to
-   * check for SSL_kECDH or SSL_kEECDH. */
+   * check for SSL_kECDH or SSL_kECDHE. */
   if (s->version >= TLS1_VERSION && have_ecdsa_sign) {
       p[ret++] = TLS_CT_ECDSA_SIGN;
   }
@@ -1398,12 +1098,10 @@ int ssl3_get_req_cert_type(SSL *s, uint8_t *p) {
 }
 
 static int ssl3_set_req_cert_type(CERT *c, const uint8_t *p, size_t len) {
-  if (c->client_certificate_types) {
-    OPENSSL_free(c->client_certificate_types);
-    c->client_certificate_types = NULL;
-  }
-
+  OPENSSL_free(c->client_certificate_types);
+  c->client_certificate_types = NULL;
   c->num_client_certificate_types = 0;
+
   if (!p || !len) {
     return 1;
   }
@@ -1474,29 +1172,12 @@ int ssl3_write(SSL *s, const void *buf, int len) {
 }
 
 static int ssl3_read_internal(SSL *s, void *buf, int len, int peek) {
-  int ret;
-
   ERR_clear_system_error();
   if (s->s3->renegotiate) {
     ssl3_renegotiate_check(s);
   }
-  s->s3->in_read_app_data = 1;
-  ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len, peek);
-  if (ret == -1 && s->s3->in_read_app_data == 2) {
-    /* ssl3_read_bytes decided to call s->handshake_func, which called
-     * ssl3_read_bytes to read handshake data. However, ssl3_read_bytes
-     * actually found application data and thinks that application data makes
-     * sense here; so disable handshake processing and try to read application
-     * data again. */
-    s->in_handshake++;
-    ret =
-        s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len, peek);
-    s->in_handshake--;
-  } else {
-    s->s3->in_read_app_data = 0;
-  }
 
-  return ret;
+  return s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len, peek);
 }
 
 int ssl3_read(SSL *s, void *buf, int len) {
@@ -1523,7 +1204,6 @@ int ssl3_renegotiate_check(SSL *s) {
      * need to go to SSL_ST_ACCEPT. */
     s->state = SSL_ST_RENEGOTIATE;
     s->s3->renegotiate = 0;
-    s->s3->num_renegotiations++;
     s->s3->total_renegotiations++;
     return 1;
   }
@@ -1533,9 +1213,9 @@ int ssl3_renegotiate_check(SSL *s) {
 
 /* If we are using default SHA1+MD5 algorithms switch to new SHA256 PRF and
  * handshake macs if required. */
-long ssl_get_algorithm2(SSL *s) {
-  static const unsigned long kMask = SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF;
-  long alg2 = s->s3->tmp.new_cipher->algorithm2;
+uint32_t ssl_get_algorithm2(SSL *s) {
+  static const uint32_t kMask = SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF;
+  uint32_t alg2 = s->s3->tmp.new_cipher->algorithm2;
   if (s->enc_method->enc_flags & SSL_ENC_FLAG_SHA256_PRF &&
       (alg2 & kMask) == kMask) {
     return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
diff --git a/src/ssl/s3_meth.c b/src/ssl/s3_meth.c
index 5a25d7b..28b9051 100644
--- a/src/ssl/s3_meth.c
+++ b/src/ssl/s3_meth.c
@@ -54,10 +54,11 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.] */
 
-#include "ssl_locl.h"
+#include "internal.h"
 
 
 static const SSL_PROTOCOL_METHOD TLS_protocol_method = {
+    0 /* is_dtls */,
     ssl3_new,
     ssl3_free,
     ssl3_accept,
@@ -77,9 +78,9 @@ static const SSL_PROTOCOL_METHOD TLS_protocol_method = {
     ssl3_pending,
     ssl3_num_ciphers,
     ssl3_get_cipher,
-    ssl_undefined_void_function,
-    ssl3_callback_ctrl,
-    ssl3_ctx_callback_ctrl,
+    SSL3_HM_HEADER_LENGTH,
+    ssl3_set_handshake_header,
+    ssl3_handshake_write,
 };
 
 const SSL_METHOD *TLS_method(void) {
diff --git a/src/ssl/s3_pkt.c b/src/ssl/s3_pkt.c
index 3a42c3a..c42d000 100644
--- a/src/ssl/s3_pkt.c
+++ b/src/ssl/s3_pkt.c
@@ -107,9 +107,9 @@
  * Hudson (tjh@cryptsoft.com). */
 
 #include <assert.h>
-#include <errno.h>
 #include <limits.h>
 #include <stdio.h>
+#include <string.h>
 
 #include <openssl/buf.h>
 #include <openssl/err.h>
@@ -117,23 +117,23 @@
 #include <openssl/mem.h>
 #include <openssl/rand.h>
 
-#include "ssl_locl.h"
+#include "internal.h"
 
 
 static int do_ssl3_write(SSL *s, int type, const uint8_t *buf, unsigned int len,
-                         char fragment, char is_fragment);
+                         char fragment);
 static int ssl3_get_record(SSL *s);
 
-int ssl3_read_n(SSL *s, int n, int max, int extend) {
+int ssl3_read_n(SSL *s, int n, int extend) {
   /* If |extend| is 0, obtain new n-byte packet;
    * if |extend| is 1, increase packet by another n bytes.
    *
    * The packet will be in the sub-array of |s->s3->rbuf.buf| specified by
-   * |s->packet| and |s->packet_length|. (If |s->read_ahead| is set, |max|
-   * bytes may be stored in |rbuf| (plus |s->packet_length| bytes if |extend|
-   * is one.) */
+   * |s->packet| and |s->packet_length|. (If |s->read_ahead| is set and |extend|
+   * is 0, additional bytes may be read into |rbuf|, up to the size of the
+   * buffer.) */
   int i, len, left;
-  long align = 0;
+  uintptr_t align = 0;
   uint8_t *pkt;
   SSL3_BUFFER *rb;
 
@@ -148,8 +148,8 @@ int ssl3_read_n(SSL *s, int n, int max, int extend) {
 
   left = rb->left;
 
-  align = (long)rb->buf + SSL3_RT_HEADER_LENGTH;
-  align = (-align) & (SSL3_ALIGN_PAYLOAD - 1);
+  align = (uintptr_t)rb->buf + SSL3_RT_HEADER_LENGTH;
+  align = (0 - align) & (SSL3_ALIGN_PAYLOAD - 1);
 
   if (!extend) {
     /* start with empty packet ... */
@@ -201,22 +201,14 @@ int ssl3_read_n(SSL *s, int n, int max, int extend) {
     rb->offset = len + align;
   }
 
-  assert(n <= (int)(rb->len - rb->offset));
   if (n > (int)(rb->len - rb->offset)) {
     OPENSSL_PUT_ERROR(SSL, ssl3_read_n, ERR_R_INTERNAL_ERROR);
     return -1;
   }
 
-  if (!s->read_ahead) {
-    /* ignore max parameter */
-    max = n;
-  } else {
-    if (max < n) {
-      max = n;
-    }
-    if (max > (int)(rb->len - rb->offset)) {
-      max = rb->len - rb->offset;
-    }
+  int max = n;
+  if (s->read_ahead && !extend) {
+    max = rb->len - rb->offset;
   }
 
   while (left < n) {
@@ -233,8 +225,7 @@ int ssl3_read_n(SSL *s, int n, int max, int extend) {
 
     if (i <= 0) {
       rb->left = left;
-      if (s->mode & SSL_MODE_RELEASE_BUFFERS && !SSL_IS_DTLS(s) &&
-          len + left == 0) {
+      if (len + left == 0) {
         ssl3_release_read_buffer(s);
       }
       return i;
@@ -281,29 +272,21 @@ static int ssl3_get_record(SSL *s) {
 
   rr = &s->s3->rrec;
 
-  if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER) {
-    extra = SSL3_RT_MAX_EXTRA;
-  } else {
-    extra = 0;
-  }
-
-  if (extra && !s->s3->init_extra) {
-    /* An application error: SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER set after
-     * ssl3_setup_buffers() was done */
-    OPENSSL_PUT_ERROR(SSL, ssl3_get_record, ERR_R_INTERNAL_ERROR);
-    return -1;
-  }
-
 again:
   /* check if we have the header */
   if (s->rstate != SSL_ST_READ_BODY ||
       s->packet_length < SSL3_RT_HEADER_LENGTH) {
-    n = ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);
+    n = ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, 0);
     if (n <= 0) {
       return n; /* error or non-blocking */
     }
     s->rstate = SSL_ST_READ_BODY;
 
+    /* Some bytes were read, so the read buffer must be existant and
+     * |s->s3->init_extra| is defined. */
+    assert(s->s3->rbuf.buf != NULL);
+    extra = s->s3->init_extra ? SSL3_RT_MAX_EXTRA : 0;
+
     p = s->packet;
     if (s->msg_callback) {
       s->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, s, s->msg_callback_arg);
@@ -318,10 +301,6 @@ again:
 
     if (s->s3->have_version && version != s->version) {
       OPENSSL_PUT_ERROR(SSL, ssl3_get_record, SSL_R_WRONG_VERSION_NUMBER);
-      if ((s->version & 0xFF00) == (version & 0xFF00)) {
-        /* Send back error using their minor version number. */
-        s->version = (unsigned short)version;
-      }
       al = SSL_AD_PROTOCOL_VERSION;
       goto f_err;
     }
@@ -331,13 +310,18 @@ again:
       goto err;
     }
 
-    if (rr->length > s->s3->rbuf.len - SSL3_RT_HEADER_LENGTH) {
+    if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH + extra) {
       al = SSL_AD_RECORD_OVERFLOW;
-      OPENSSL_PUT_ERROR(SSL, ssl3_get_record, SSL_R_PACKET_LENGTH_TOO_LONG);
+      OPENSSL_PUT_ERROR(SSL, ssl3_get_record, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
       goto f_err;
     }
 
     /* now s->rstate == SSL_ST_READ_BODY */
+  } else {
+    /* |packet_length| is non-zero and |s->rstate| is |SSL_ST_READ_BODY|. The
+     * read buffer must be existant and |s->s3->init_extra| is defined. */
+    assert(s->s3->rbuf.buf != NULL);
+    extra = s->s3->init_extra ? SSL3_RT_MAX_EXTRA : 0;
   }
 
   /* s->rstate == SSL_ST_READ_BODY, get and decode the data */
@@ -345,7 +329,7 @@ again:
   if (rr->length > s->packet_length - SSL3_RT_HEADER_LENGTH) {
     /* now s->packet_length == SSL3_RT_HEADER_LENGTH */
     i = rr->length;
-    n = ssl3_read_n(s, i, i, 1);
+    n = ssl3_read_n(s, i, 1);
     if (n <= 0) {
       /* Error or non-blocking IO. Now |n| == |rr->length|, and
        * |s->packet_length| == |SSL3_RT_HEADER_LENGTH| + |rr->length|. */
@@ -367,13 +351,6 @@ again:
   /* We now have - encrypted [ MAC [ compressed [ plain ] ] ]
    * rr->length bytes of encrypted compressed stuff. */
 
-  /* check is not needed I believe */
-  if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH + extra) {
-    al = SSL_AD_RECORD_OVERFLOW;
-    OPENSSL_PUT_ERROR(SSL, ssl3_get_record, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
-    goto f_err;
-  }
-
   /* decrypt in place in 'rr->input' */
   rr->data = rr->input;
 
@@ -431,7 +408,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) {
   tot = s->s3->wnum;
   s->s3->wnum = 0;
 
-  if (SSL_in_init(s) && !s->in_handshake) {
+  if (!s->in_handshake && SSL_in_init(s) && !SSL_in_false_start(s)) {
     i = s->handshake_func(s);
     if (i < 0) {
       return i;
@@ -454,6 +431,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) {
     return -1;
   }
 
+  int record_split_done = 0;
   n = (len - tot);
   for (;;) {
     /* max contains the maximum number of bytes that we can put into a
@@ -462,34 +440,27 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) {
     /* fragment is true if do_ssl3_write should send the first byte in its own
      * record in order to randomise a CBC IV. */
     int fragment = 0;
-
-    if (n > 1 && s->s3->need_record_splitting &&
-        type == SSL3_RT_APPLICATION_DATA && !s->s3->record_split_done) {
+    if (!record_split_done && s->s3->need_record_splitting &&
+        type == SSL3_RT_APPLICATION_DATA) {
+      /* Only the the first record per write call needs to be split. The
+       * remaining plaintext was determined before the IV was randomized. */
       fragment = 1;
-      /* record_split_done records that the splitting has been done in case we
-       * hit an SSL_WANT_WRITE condition. In that case, we don't need to do the
-       * split again. */
-      s->s3->record_split_done = 1;
+      record_split_done = 1;
     }
-
     if (n > max) {
       nw = max;
     } else {
       nw = n;
     }
 
-    i = do_ssl3_write(s, type, &(buf[tot]), nw, fragment, 0);
+    i = do_ssl3_write(s, type, &buf[tot], nw, fragment);
     if (i <= 0) {
       s->s3->wnum = tot;
-      s->s3->record_split_done = 0;
       return i;
     }
 
     if (i == (int)n || (type == SSL3_RT_APPLICATION_DATA &&
                         (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE))) {
-      /* next chunk of data should get another prepended, one-byte fragment in
-       * ciphersuites with known-IV weakness. */
-      s->s3->record_split_done = 0;
       return tot + i;
     }
 
@@ -498,20 +469,92 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) {
   }
 }
 
+/* ssl3_seal_record seals a new record of type |type| and plaintext |in| and
+ * writes it to |out|. At most |max_out| bytes will be written. It returns one
+ * on success and zero on error. On success, |s->s3->wrec| is updated to include
+ * the new record. */
+static int ssl3_seal_record(SSL *s, uint8_t *out, size_t *out_len,
+                            size_t max_out, uint8_t type, const uint8_t *in,
+                            size_t in_len) {
+  if (max_out < SSL3_RT_HEADER_LENGTH) {
+    OPENSSL_PUT_ERROR(SSL, ssl3_seal_record, SSL_R_BUFFER_TOO_SMALL);
+    return 0;
+  }
+
+  out[0] = type;
+
+  /* Some servers hang if initial ClientHello is larger than 256 bytes and
+   * record version number > TLS 1.0. */
+  if (!s->s3->have_version && s->version > SSL3_VERSION) {
+    out[1] = TLS1_VERSION >> 8;
+    out[2] = TLS1_VERSION & 0xff;
+  } else {
+    out[1] = s->version >> 8;
+    out[2] = s->version & 0xff;
+  }
+
+  size_t explicit_nonce_len = 0;
+  if (s->aead_write_ctx != NULL &&
+      s->aead_write_ctx->variable_nonce_included_in_record) {
+    explicit_nonce_len = s->aead_write_ctx->variable_nonce_len;
+  }
+  size_t max_overhead = 0;
+  if (s->aead_write_ctx != NULL) {
+    max_overhead = s->aead_write_ctx->tag_len;
+  }
+
+  /* Assemble the input for |s->enc_method->enc|. The input is the plaintext
+   * with |explicit_nonce_len| bytes of space prepended for the explicit
+   * nonce. The input is copied into |out| and then encrypted in-place to take
+   * advantage of alignment.
+   *
+   * TODO(davidben): |tls1_enc| should accept its inputs and outputs directly
+   * rather than looking up in |wrec| and friends. The |max_overhead| bounds
+   * check would also be unnecessary if |max_out| were passed down. */
+  SSL3_RECORD *wr = &s->s3->wrec;
+  size_t plaintext_len = in_len + explicit_nonce_len;
+  if (plaintext_len < in_len || plaintext_len > INT_MAX ||
+      plaintext_len + max_overhead < plaintext_len) {
+    OPENSSL_PUT_ERROR(SSL, ssl3_seal_record, ERR_R_OVERFLOW);
+    return 0;
+  }
+  if (max_out - SSL3_RT_HEADER_LENGTH < plaintext_len + max_overhead) {
+    OPENSSL_PUT_ERROR(SSL, ssl3_seal_record, SSL_R_BUFFER_TOO_SMALL);
+    return 0;
+  }
+  wr->type = type;
+  wr->input = out + SSL3_RT_HEADER_LENGTH;
+  wr->data = wr->input;
+  wr->length = plaintext_len;
+  memcpy(wr->input + explicit_nonce_len, in, in_len);
+
+  if (!s->enc_method->enc(s, 1)) {
+    return 0;
+  }
+
+  /* |wr->length| has now been set to the ciphertext length. */
+  if (wr->length >= 1 << 16) {
+    OPENSSL_PUT_ERROR(SSL, ssl3_seal_record, ERR_R_OVERFLOW);
+    return 0;
+  }
+  out[3] = wr->length >> 8;
+  out[4] = wr->length & 0xff;
+  *out_len = SSL3_RT_HEADER_LENGTH + (size_t)wr->length;
+
+ if (s->msg_callback) {
+   s->msg_callback(1 /* write */, 0, SSL3_RT_HEADER, out, SSL3_RT_HEADER_LENGTH,
+                   s, s->msg_callback_arg);
+ }
+
+  return 1;
+}
+
 /* do_ssl3_write writes an SSL record of the given type. If |fragment| is 1
  * then it splits the record into a one byte record and a record with the rest
- * of the data in order to randomise a CBC IV. If |is_fragment| is true then
- * this call resulted from do_ssl3_write calling itself in order to create that
- * one byte fragment. */
+ * of the data in order to randomise a CBC IV. */
 static int do_ssl3_write(SSL *s, int type, const uint8_t *buf, unsigned int len,
-                         char fragment, char is_fragment) {
-  uint8_t *p, *plen;
-  int i;
-  int prefix_len = 0;
-  int eivlen = 0;
-  long align = 0;
-  SSL3_RECORD *wr;
-  SSL3_BUFFER *wb = &(s->s3->wbuf);
+                         char fragment) {
+  SSL3_BUFFER *wb = &s->s3->wbuf;
 
   /* first check if there is a SSL3_BUFFER still being written out. This will
    * happen with non blocking IO */
@@ -521,9 +564,9 @@ static int do_ssl3_write(SSL *s, int type, const uint8_t *buf, unsigned int len,
 
   /* If we have an alert to send, lets send it */
   if (s->s3->alert_dispatch) {
-    i = s->method->ssl_dispatch_alert(s);
-    if (i <= 0) {
-      return i;
+    int ret = s->method->ssl_dispatch_alert(s);
+    if (ret <= 0) {
+      return ret;
     }
     /* if it went, fall through and send more stuff */
   }
@@ -535,122 +578,62 @@ static int do_ssl3_write(SSL *s, int type, const uint8_t *buf, unsigned int len,
   if (len == 0) {
     return 0;
   }
-
-  wr = &s->s3->wrec;
-
-  if (fragment) {
-    /* countermeasure against known-IV weakness in CBC ciphersuites (see
-     * http://www.openssl.org/~bodo/tls-cbc.txt) */
-    prefix_len = do_ssl3_write(s, type, buf, 1 /* length */, 0 /* fragment */,
-                               1 /* is_fragment */);
-    if (prefix_len <= 0) {
-      goto err;
-    }
-
-    if (prefix_len >
-        (SSL3_RT_HEADER_LENGTH + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD)) {
-      /* insufficient space */
-      OPENSSL_PUT_ERROR(SSL, do_ssl3_write, ERR_R_INTERNAL_ERROR);
-      goto err;
-    }
-  }
-
-  if (is_fragment) {
-    /* The extra fragment would be couple of cipher blocks, and that will be a
-     * multiple of SSL3_ALIGN_PAYLOAD. So, if we want to align the real
-     * payload, we can just pretend that we have two headers and a byte. */
-    align = (long)wb->buf + 2 * SSL3_RT_HEADER_LENGTH + 1;
-    align = (-align) & (SSL3_ALIGN_PAYLOAD - 1);
-    p = wb->buf + align;
-    wb->offset = align;
-  } else if (prefix_len) {
-    p = wb->buf + wb->offset + prefix_len;
-  } else {
-    align = (long)wb->buf + SSL3_RT_HEADER_LENGTH;
-    align = (-align) & (SSL3_ALIGN_PAYLOAD - 1);
-    p = wb->buf + align;
-    wb->offset = align;
+  if (len == 1) {
+    /* No sense in fragmenting a one-byte record. */
+    fragment = 0;
   }
 
-  /* write the header */
-
-  *(p++) = type & 0xff;
-  wr->type = type;
-
-  /* Some servers hang if initial ClientHello is larger than 256 bytes and
-   * record version number > TLS 1.0. */
-  if (!s->s3->have_version && s->version > SSL3_VERSION) {
-    *(p++) = TLS1_VERSION >> 8;
-    *(p++) = TLS1_VERSION & 0xff;
+  /* Align the output so the ciphertext is aligned to |SSL3_ALIGN_PAYLOAD|. */
+  uintptr_t align;
+  if (fragment) {
+    /* Only CBC-mode ciphers require fragmenting. CBC-mode ciphertext is a
+     * multiple of the block size which we may assume is aligned. Thus we only
+     * need to account for a second copy of the record header. */
+    align = (uintptr_t)wb->buf + 2 * SSL3_RT_HEADER_LENGTH;
   } else {
-    *(p++) = s->version >> 8;
-    *(p++) = s->version & 0xff;
+    align = (uintptr_t)wb->buf + SSL3_RT_HEADER_LENGTH;
   }
-
-  /* field where we are to write out packet length */
-  plen = p;
-  p += 2;
-
-  /* Leave room for the variable nonce for AEADs which specify it explicitly. */
-  if (s->aead_write_ctx != NULL &&
-      s->aead_write_ctx->variable_nonce_included_in_record) {
-    eivlen = s->aead_write_ctx->variable_nonce_len;
-  }
-
-  /* lets setup the record stuff. */
-  wr->data = p + eivlen;
-  wr->length = (int)(len - (fragment != 0));
-  wr->input = (uint8_t *)buf + (fragment != 0);
-
-  /* we now 'read' from wr->input, wr->length bytes into wr->data */
-
-  memcpy(wr->data, wr->input, wr->length);
-  wr->input = wr->data;
-
-  /* we should still have the output to wr->data and the input from wr->input.
-   * Length should be wr->length. wr->data still points in the wb->buf */
-
-  wr->input = p;
-  wr->data = p;
-  wr->length += eivlen;
-
-  if (!s->enc_method->enc(s, 1)) {
-    goto err;
-  }
-
-  /* record length after mac and block padding */
-  s2n(wr->length, plen);
-
-  if (s->msg_callback) {
-    s->msg_callback(1, 0, SSL3_RT_HEADER, plen - 5, 5, s, s->msg_callback_arg);
+  align = (0 - align) & (SSL3_ALIGN_PAYLOAD - 1);
+  uint8_t *out = wb->buf + align;
+  wb->offset = align;
+  size_t max_out = wb->len - wb->offset;
+
+  const uint8_t *orig_buf = buf;
+  unsigned int orig_len = len;
+  size_t fragment_len = 0;
+  if (fragment) {
+    /* Write the first byte in its own record as a countermeasure against
+     * known-IV weaknesses in CBC ciphersuites. (See
+     * http://www.openssl.org/~bodo/tls-cbc.txt.) */
+    if (!ssl3_seal_record(s, out, &fragment_len, max_out, type, buf, 1)) {
+      return -1;
+    }
+    out += fragment_len;
+    max_out -= fragment_len;
+    buf++;
+    len--;
   }
 
-  /* we should now have wr->data pointing to the encrypted data, which is
-   * wr->length long. */
-  wr->type = type; /* not needed but helps for debugging */
-  wr->length += SSL3_RT_HEADER_LENGTH;
-
-  if (is_fragment) {
-    /* we are in a recursive call; just return the length, don't write out
-     * anything. */
-    return wr->length;
+  assert((((uintptr_t)out + SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1))
+         == 0);
+  size_t ciphertext_len;
+  if (!ssl3_seal_record(s, out, &ciphertext_len, max_out, type, buf, len)) {
+    return -1;
   }
+  ciphertext_len += fragment_len;
 
   /* now let's set up wb */
-  wb->left = prefix_len + wr->length;
+  wb->left = ciphertext_len;
 
   /* memorize arguments so that ssl3_write_pending can detect bad write retries
    * later */
-  s->s3->wpend_tot = len;
-  s->s3->wpend_buf = buf;
+  s->s3->wpend_tot = orig_len;
+  s->s3->wpend_buf = orig_buf;
   s->s3->wpend_type = type;
-  s->s3->wpend_ret = len;
+  s->s3->wpend_ret = orig_len;
 
   /* we now just need to write the buffer */
-  return ssl3_write_pending(s, type, buf, len);
-
-err:
-  return -1;
+  return ssl3_write_pending(s, type, orig_buf, orig_len);
 }
 
 /* if s->s3->wbuf.left != 0, we need to call this */
@@ -679,19 +662,19 @@ int ssl3_write_pending(SSL *s, int type, const uint8_t *buf, unsigned int len) {
     if (i == wb->left) {
       wb->left = 0;
       wb->offset += i;
-      if (s->mode & SSL_MODE_RELEASE_BUFFERS && !SSL_IS_DTLS(s)) {
-        ssl3_release_write_buffer(s);
-      }
+      ssl3_release_write_buffer(s);
       s->rwstate = SSL_NOTHING;
       return s->s3->wpend_ret;
     } else if (i <= 0) {
       if (SSL_IS_DTLS(s)) {
-        /* For DTLS, just drop it. That's kind of the whole
-           point in using a datagram service */
+        /* For DTLS, just drop it. That's kind of the whole point in
+         * using a datagram service */
         wb->left = 0;
       }
       return i;
     }
+    /* TODO(davidben): This codepath is used in DTLS, but the write
+     * payload may not split across packets. */
     wb->offset += i;
     wb->left -= i;
   }
@@ -741,15 +724,10 @@ int ssl3_expect_change_cipher_spec(SSL *s) {
  *             none of our business
  */
 int ssl3_read_bytes(SSL *s, int type, uint8_t *buf, int len, int peek) {
-  int al, i, j, ret;
+  int al, i, ret;
   unsigned int n;
   SSL3_RECORD *rr;
   void (*cb)(const SSL *ssl, int type2, int val) = NULL;
-  uint8_t alert_buffer[2];
-
-  if (s->s3->rbuf.buf == NULL && !ssl3_setup_read_buffer(s)) {
-    return -1;
-  }
 
   if ((type && type != SSL3_RT_APPLICATION_DATA && type != SSL3_RT_HANDSHAKE) ||
       (peek && type != SSL3_RT_APPLICATION_DATA)) {
@@ -780,8 +758,13 @@ int ssl3_read_bytes(SSL *s, int type, uint8_t *buf, int len, int peek) {
 
   /* Now s->s3->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */
 
-  if (!s->in_handshake && SSL_in_init(s)) {
-    /* type == SSL3_RT_APPLICATION_DATA */
+  /* This may require multiple iterations. False Start will cause
+   * |s->handshake_func| to signal success one step early, but the handshake
+   * must be completely finished before other modes are accepted.
+   *
+   * TODO(davidben): Move this check up to a higher level. */
+  while (!s->in_handshake && SSL_in_init(s)) {
+    assert(type == SSL3_RT_APPLICATION_DATA);
     i = s->handshake_func(s);
     if (i < 0) {
       return i;
@@ -811,9 +794,10 @@ start:
 
   /* we now have a packet which can be read and processed */
 
-  if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
-                                 * reset by ssl3_get_finished */
-      && rr->type != SSL3_RT_HANDSHAKE) {
+  /* |change_cipher_spec is set when we receive a ChangeCipherSpec and reset by
+   * ssl3_get_finished. */
+  if (s->s3->change_cipher_spec && rr->type != SSL3_RT_HANDSHAKE &&
+      rr->type != SSL3_RT_ALERT) {
     al = SSL_AD_UNEXPECTED_MESSAGE;
     OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes,
                       SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
@@ -866,7 +850,7 @@ start:
       if (rr->length == 0) {
         s->rstate = SSL_ST_READ_HEADER;
         rr->off = 0;
-        if (s->mode & SSL_MODE_RELEASE_BUFFERS && s->s3->rbuf.left == 0) {
+        if (s->s3->rbuf.left == 0) {
           ssl3_release_read_buffer(s);
         }
       }
@@ -883,6 +867,14 @@ start:
    * that we can process the data at a fixed place. */
 
   if (rr->type == SSL3_RT_HANDSHAKE) {
+    /* If peer renegotiations are disabled, all out-of-order handshake records
+     * are fatal. */
+    if (s->reject_peer_renegotiations) {
+      al = SSL_AD_NO_RENEGOTIATION;
+      OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes, SSL_R_NO_RENEGOTIATION);
+      goto f_err;
+    }
+
     const size_t size = sizeof(s->s3->handshake_fragment);
     const size_t avail = size - s->s3->handshake_fragment_len;
     const size_t todo = (rr->length < avail) ? rr->length : avail;
@@ -894,17 +886,6 @@ start:
     if (s->s3->handshake_fragment_len < size) {
       goto start; /* fragment was too small */
     }
-  } else if (rr->type == SSL3_RT_ALERT) {
-    /* Note that this will still allow multiple alerts to be processed in the
-     * same record */
-    if (rr->length < sizeof(alert_buffer)) {
-      al = SSL_AD_DECODE_ERROR;
-      OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes, SSL_R_BAD_ALERT);
-      goto f_err;
-    }
-    memcpy(alert_buffer, &rr->data[rr->off], sizeof(alert_buffer));
-    rr->off += sizeof(alert_buffer);
-    rr->length -= sizeof(alert_buffer);
   }
 
   /* s->s3->handshake_fragment_len == 4  iff  rr->type == SSL3_RT_HANDSHAKE;
@@ -947,14 +928,23 @@ start:
     goto start;
   }
 
+  /* If an alert record, process one alert out of the record. Note that we allow
+   * a single record to contain multiple alerts. */
   if (rr->type == SSL3_RT_ALERT) {
-    const uint8_t alert_level = alert_buffer[0];
-    const uint8_t alert_descr = alert_buffer[1];
+    /* Alerts may not be fragmented. */
+    if (rr->length < 2) {
+      al = SSL_AD_DECODE_ERROR;
+      OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes, SSL_R_BAD_ALERT);
+      goto f_err;
+    }
 
     if (s->msg_callback) {
-      s->msg_callback(0, s->version, SSL3_RT_ALERT, alert_buffer, 2, s,
+      s->msg_callback(0, s->version, SSL3_RT_ALERT, &rr->data[rr->off], 2, s,
                       s->msg_callback_arg);
     }
+    const uint8_t alert_level = rr->data[rr->off++];
+    const uint8_t alert_descr = rr->data[rr->off++];
+    rr->length -= 2;
 
     if (s->info_callback != NULL) {
       cb = s->info_callback;
@@ -963,12 +953,11 @@ start:
     }
 
     if (cb != NULL) {
-      j = (alert_level << 8) | alert_descr;
-      cb(s, SSL_CB_READ_ALERT, j);
+      uint16_t alert = (alert_level << 8) | alert_descr;
+      cb(s, SSL_CB_READ_ALERT, alert);
     }
 
-    if (alert_level == 1) {
-      /* warning */
+    if (alert_level == SSL3_AL_WARNING) {
       s->s3->warn_alert = alert_descr;
       if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
         s->shutdown |= SSL_RECEIVED_SHUTDOWN;
@@ -987,8 +976,7 @@ start:
         OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes, SSL_R_NO_RENEGOTIATION);
         goto f_err;
       }
-    } else if (alert_level == 2) {
-      /* fatal */
+    } else if (alert_level == SSL3_AL_FATAL) {
       char tmp[16];
 
       s->rwstate = SSL_NOTHING;
@@ -1074,50 +1062,12 @@ start:
     goto start;
   }
 
-  switch (rr->type) {
-    default:
-      /* TLS up to v1.1 just ignores unknown message types. TLS v1.2 gives an
-       * unexpected message alert. */
-      if (s->version >= TLS1_VERSION && s->version <= TLS1_1_VERSION) {
-        rr->length = 0;
-        goto start;
-      }
-      al = SSL_AD_UNEXPECTED_MESSAGE;
-      OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes, SSL_R_UNEXPECTED_RECORD);
-      goto f_err;
-
-    case SSL3_RT_CHANGE_CIPHER_SPEC:
-    case SSL3_RT_ALERT:
-    case SSL3_RT_HANDSHAKE:
-      /* we already handled all of these, with the possible exception of
-       * SSL3_RT_HANDSHAKE when s->in_handshake is set, but that should not
-       * happen when type != rr->type */
-      al = SSL_AD_UNEXPECTED_MESSAGE;
-      OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes, ERR_R_INTERNAL_ERROR);
-      goto f_err;
+  /* We already handled these. */
+  assert(rr->type != SSL3_RT_CHANGE_CIPHER_SPEC && rr->type != SSL3_RT_ALERT &&
+         rr->type != SSL3_RT_HANDSHAKE);
 
-    case SSL3_RT_APPLICATION_DATA:
-      /* At this point we were expecting handshake data but have application
-       * data. If the library was running inside ssl3_read() (i.e.
-       * |in_read_app_data| is set) and it makes sense to read application data
-       * at this point (session renegotiation not yet started), we will indulge
-       * it. */
-      if (s->s3->in_read_app_data && s->s3->total_renegotiations != 0 &&
-          (((s->state & SSL_ST_CONNECT) &&
-            s->state >= SSL3_ST_CW_CLNT_HELLO_A &&
-            s->state <= SSL3_ST_CR_SRVR_HELLO_A) ||
-           ((s->state & SSL_ST_ACCEPT) &&
-            s->state <= SSL3_ST_SW_HELLO_REQ_A &&
-            s->state >= SSL3_ST_SR_CLNT_HELLO_A))) {
-        s->s3->in_read_app_data = 2;
-        return -1;
-      } else {
-        al = SSL_AD_UNEXPECTED_MESSAGE;
-        OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes, SSL_R_UNEXPECTED_RECORD);
-        goto f_err;
-      }
-  }
-  /* not reached */
+  al = SSL_AD_UNEXPECTED_MESSAGE;
+  OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes, SSL_R_UNEXPECTED_RECORD);
 
 f_err:
   ssl3_send_alert(s, SSL3_AL_FATAL, al);
@@ -1189,7 +1139,7 @@ int ssl3_dispatch_alert(SSL *s) {
   void (*cb)(const SSL *ssl, int type, int val) = NULL;
 
   s->s3->alert_dispatch = 0;
-  i = do_ssl3_write(s, SSL3_RT_ALERT, &s->s3->send_alert[0], 2, 0, 0);
+  i = do_ssl3_write(s, SSL3_RT_ALERT, &s->s3->send_alert[0], 2, 0);
   if (i <= 0) {
     s->s3->alert_dispatch = 1;
   } else {
diff --git a/src/ssl/s3_srvr.c b/src/ssl/s3_srvr.c
index b346d14..3cc3032 100644
--- a/src/ssl/s3_srvr.c
+++ b/src/ssl/s3_srvr.c
@@ -146,8 +146,6 @@
  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
  * OTHERWISE. */
 
-#define NETSCAPE_HANG_BUG
-
 #include <assert.h>
 #include <stdio.h>
 #include <string.h>
@@ -159,6 +157,7 @@
 #include <openssl/dh.h>
 #include <openssl/ec.h>
 #include <openssl/ecdsa.h>
+#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 #include <openssl/md5.h>
@@ -168,7 +167,7 @@
 #include <openssl/sha.h>
 #include <openssl/x509.h>
 
-#include "ssl_locl.h"
+#include "internal.h"
 #include "../crypto/internal.h"
 #include "../crypto/dh/internal.h"
 
@@ -179,7 +178,7 @@
 
 int ssl3_accept(SSL *s) {
   BUF_MEM *buf = NULL;
-  unsigned long alg_a;
+  uint32_t alg_a;
   void (*cb)(const SSL *ssl, int type, int val) = NULL;
   int ret = -1;
   int new_state, state, skip = 0;
@@ -228,11 +227,6 @@ int ssl3_accept(SSL *s) {
         }
         s->init_num = 0;
 
-        if (!ssl3_setup_buffers(s)) {
-          ret = -1;
-          goto end;
-        }
-
         if (!s->s3->send_connection_binding &&
             !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
           /* Server attempting to renegotiate with client that doesn't support
@@ -244,7 +238,6 @@ int ssl3_accept(SSL *s) {
           goto end;
         }
 
-        s->ctx->stats.sess_accept_renegotiate++;
         s->state = SSL3_ST_SW_HELLO_REQ_A;
         break;
 
@@ -278,6 +271,15 @@ int ssl3_accept(SSL *s) {
           cb(s, SSL_CB_HANDSHAKE_START, 1);
         }
 
+        if ((s->version >> 8) != 3) {
+          /* TODO(davidben): Some consumers clear |s->version| to break the
+           * handshake in a callback. Remove this when they're using proper
+           * APIs. */
+          OPENSSL_PUT_ERROR(SSL, ssl3_accept, ERR_R_INTERNAL_ERROR);
+          ret = -1;
+          goto end;
+        }
+
         if (s->init_buf == NULL) {
           buf = BUF_MEM_new();
           if (!buf || !BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
@@ -289,6 +291,13 @@ int ssl3_accept(SSL *s) {
         }
         s->init_num = 0;
 
+        /* Enable a write buffer. This groups handshake messages within a flight
+         * into a single write. */
+        if (!ssl_init_wbio_buffer(s, 1)) {
+          ret = -1;
+          goto end;
+        }
+
         if (!ssl3_init_finished_mac(s)) {
           OPENSSL_PUT_ERROR(SSL, ssl3_accept, ERR_R_INTERNAL_ERROR);
           ret = -1;
@@ -296,22 +305,10 @@ int ssl3_accept(SSL *s) {
         }
 
         if (!s->s3->have_version) {
-          /* This is the initial handshake. The record layer has not been
-           * initialized yet. Sniff for a V2ClientHello before reading a
-           * ClientHello normally. */
-          assert(s->s3->rbuf.buf == NULL);
-          assert(s->s3->wbuf.buf == NULL);
           s->state = SSL3_ST_SR_INITIAL_BYTES;
         } else {
-          /* Enable a write buffer. This groups handshake messages within a
-           * flight into a single write. */
-          if (!ssl3_setup_buffers(s) || !ssl_init_wbio_buffer(s, 1)) {
-            ret = -1;
-            goto end;
-          }
           s->state = SSL3_ST_SR_CLNT_HELLO_A;
         }
-        s->ctx->stats.sess_accept++;
         break;
 
       case SSL3_ST_SR_INITIAL_BYTES:
@@ -337,14 +334,6 @@ int ssl3_accept(SSL *s) {
       case SSL3_ST_SR_CLNT_HELLO_D:
         s->shutdown = 0;
         ret = ssl3_get_client_hello(s);
-        if (ret == PENDING_SESSION) {
-          s->rwstate = SSL_PENDING_SESSION;
-          goto end;
-        }
-        if (ret == CERTIFICATE_SELECTION_PENDING) {
-          s->rwstate = SSL_CERTIFICATE_SELECTION_PENDING;
-          goto end;
-        }
         if (ret <= 0) {
           goto end;
         }
@@ -404,8 +393,9 @@ int ssl3_accept(SSL *s) {
         if (ssl_cipher_requires_server_key_exchange(s->s3->tmp.new_cipher) ||
             ((alg_a & SSL_aPSK) && s->psk_identity_hint)) {
           ret = ssl3_send_server_key_exchange(s);
-          if (ret <= 0)
+          if (ret <= 0) {
             goto end;
+          }
         } else {
           skip = 1;
         }
@@ -425,13 +415,6 @@ int ssl3_accept(SSL *s) {
              * don't request cert during re-negotiation: */
             ((s->session->peer != NULL) &&
              (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
-            /* never request cert in anonymous ciphersuites
-             * (see section "Certificate request" in SSL 3 drafts
-             * and in RFC 2246): */
-            ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
-             /* ... except when the application insists on verification
-              * (against the specs, but s3_clnt.c accepts this for SSL 3) */
-             !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
             /* With normal PSK Certificates and
              * Certificate Requests are omitted */
             (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
@@ -449,14 +432,7 @@ int ssl3_accept(SSL *s) {
           if (ret <= 0) {
             goto end;
           }
-#ifndef NETSCAPE_HANG_BUG
           s->state = SSL3_ST_SW_SRVR_DONE_A;
-#else
-          /* ServerHelloDone was already sent in the
-           * previous record. */
-          s->state = SSL3_ST_SW_FLUSH;
-          s->s3->tmp.next_state = SSL3_ST_SR_CERT_A;
-#endif
           s->init_num = 0;
         }
         break;
@@ -659,7 +635,7 @@ int ssl3_accept(SSL *s) {
 
         /* If we aren't retaining peer certificates then we can discard it
          * now. */
-        if (s->session->peer && s->ctx->retain_only_sha256_of_client_certs) {
+        if (s->ctx->retain_only_sha256_of_client_certs) {
           X509_free(s->session->peer);
           s->session->peer = NULL;
         }
@@ -671,8 +647,6 @@ int ssl3_accept(SSL *s) {
 
           ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
 
-          s->ctx->stats.sess_accept_good++;
-
           if (cb != NULL) {
             cb(s, SSL_CB_HANDSHAKE_DONE, 1);
           }
@@ -698,9 +672,7 @@ int ssl3_accept(SSL *s) {
 
 end:
   s->in_handshake--;
-  if (buf != NULL) {
-    BUF_MEM_free(buf);
-  }
+  BUF_MEM_free(buf);
   if (cb != NULL) {
     cb(s, SSL_CB_ACCEPT_EXIT, ret);
   }
@@ -770,10 +742,12 @@ int ssl3_get_initial_bytes(SSL *s) {
       p[5] == SSL3_MT_CLIENT_HELLO) {
     /* This is a ClientHello. Initialize the record layer with the already
      * consumed data and continue the handshake. */
-    if (!ssl3_setup_buffers(s) || !ssl_init_wbio_buffer(s, 1)) {
+    if (!ssl3_setup_read_buffer(s)) {
       return -1;
     }
     assert(s->rstate == SSL_ST_READ_HEADER);
+    /* There cannot have already been data in the record layer. */
+    assert(s->s3->rbuf.left == 0);
     memcpy(s->s3->rbuf.buf, p, s->s3->sniff_buffer_len);
     s->s3->rbuf.offset = 0;
     s->s3->rbuf.left = s->s3->sniff_buffer_len;
@@ -829,7 +803,10 @@ int ssl3_get_v2_client_hello(SSL *s) {
 
   /* The V2ClientHello without the length is incorporated into the Finished
    * hash. */
-  ssl3_finish_mac(s, CBS_data(&v2_client_hello), CBS_len(&v2_client_hello));
+  if (!ssl3_finish_mac(s, CBS_data(&v2_client_hello),
+                       CBS_len(&v2_client_hello))) {
+    return -1;
+  }
   if (s->msg_callback) {
     s->msg_callback(0, SSL2_VERSION, 0, CBS_data(&v2_client_hello),
                     CBS_len(&v2_client_hello), s, s->msg_callback_arg);
@@ -913,11 +890,6 @@ int ssl3_get_v2_client_hello(SSL *s) {
   /* The handshake message header is 4 bytes. */
   s->s3->tmp.message_size = len - 4;
 
-  /* Initialize the record layer. */
-  if (!ssl3_setup_buffers(s) || !ssl_init_wbio_buffer(s, 1)) {
-    return -1;
-  }
-
   /* Drop the sniff buffer. */
   BUF_MEM_free(s->s3->sniff_buffer);
   s->s3->sniff_buffer = NULL;
@@ -928,7 +900,9 @@ int ssl3_get_v2_client_hello(SSL *s) {
 
 int ssl3_send_hello_request(SSL *s) {
   if (s->state == SSL3_ST_SW_HELLO_REQ_A) {
-    ssl_set_handshake_header(s, SSL3_MT_HELLO_REQUEST, 0);
+    if (!ssl_set_handshake_header(s, SSL3_MT_HELLO_REQUEST, 0)) {
+      return -1;
+    }
     s->state = SSL3_ST_SW_HELLO_REQ_B;
   }
 
@@ -956,31 +930,12 @@ int ssl3_get_client_hello(SSL *s) {
       n = s->method->ssl_get_message(
           s, SSL3_ST_SR_CLNT_HELLO_A, SSL3_ST_SR_CLNT_HELLO_B,
           SSL3_MT_CLIENT_HELLO, SSL3_RT_MAX_PLAIN_LENGTH,
-          SSL_GET_MESSAGE_HASH_MESSAGE, &ok);
+          ssl_hash_message, &ok);
 
       if (!ok) {
         return n;
       }
 
-      /* If we require cookies and this ClientHello doesn't contain one, just
-       * return since we do not want to allocate any memory yet. So check
-       * cookie length... */
-      if (SSL_IS_DTLS(s) && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)) {
-        uint8_t cookie_length;
-
-        CBS_init(&client_hello, s->init_msg, n);
-        if (!CBS_skip(&client_hello, 2 + SSL3_RANDOM_SIZE) ||
-            !CBS_get_u8_length_prefixed(&client_hello, &session_id) ||
-            !CBS_get_u8(&client_hello, &cookie_length)) {
-          al = SSL_AD_DECODE_ERROR;
-          OPENSSL_PUT_ERROR(SSL, ssl3_get_client_hello, SSL_R_DECODE_ERROR);
-          goto f_err;
-        }
-
-        if (cookie_length == 0) {
-          return 1;
-        }
-      }
       s->state = SSL3_ST_SR_CLNT_HELLO_C;
       /* fallthrough */
     case SSL3_ST_SR_CLNT_HELLO_C:
@@ -1006,7 +961,8 @@ int ssl3_get_client_hello(SSL *s) {
         s->state = SSL3_ST_SR_CLNT_HELLO_D;
         switch (s->ctx->select_certificate_cb(&early_ctx)) {
           case 0:
-            return CERTIFICATE_SELECTION_PENDING;
+            s->rwstate = SSL_CERTIFICATE_SELECTION_PENDING;
+            goto err;
 
           case -1:
             /* Connection rejected. */
@@ -1053,27 +1009,6 @@ int ssl3_get_client_hello(SSL *s) {
       OPENSSL_PUT_ERROR(SSL, ssl3_get_client_hello, SSL_R_DECODE_ERROR);
       goto f_err;
     }
-
-    /* Verify the cookie if appropriate option is set. */
-    if ((SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) && CBS_len(&cookie) > 0) {
-      if (s->ctx->app_verify_cookie_cb != NULL) {
-        if (s->ctx->app_verify_cookie_cb(s, CBS_data(&cookie),
-                                         CBS_len(&cookie)) == 0) {
-          al = SSL_AD_HANDSHAKE_FAILURE;
-          OPENSSL_PUT_ERROR(SSL, ssl3_get_client_hello, SSL_R_COOKIE_MISMATCH);
-          goto f_err;
-        }
-        /* else cookie verification succeeded */
-      } else if (!CBS_mem_equal(&cookie, s->d1->cookie, s->d1->cookie_len)) {
-        /* default verification */
-        al = SSL_AD_HANDSHAKE_FAILURE;
-        OPENSSL_PUT_ERROR(SSL, ssl3_get_client_hello, SSL_R_COOKIE_MISMATCH);
-        goto f_err;
-      }
-      /* Set to -2 so if successful we return 2 and don't send
-       * HelloVerifyRequest. */
-      ret = -2;
-    }
   }
 
   if (!s->s3->have_version) {
@@ -1118,7 +1053,7 @@ int ssl3_get_client_hello(SSL *s) {
   } else {
     i = ssl_get_prev_session(s, &early_ctx);
     if (i == PENDING_SESSION) {
-      ret = PENDING_SESSION;
+      s->rwstate = SSL_PENDING_SESSION;
       goto err;
     } else if (i == -1) {
       goto err;
@@ -1136,7 +1071,16 @@ int ssl3_get_client_hello(SSL *s) {
     }
   }
 
+  if (s->ctx->dos_protection_cb != NULL && s->ctx->dos_protection_cb(&early_ctx) == 0) {
+    /* Connection rejected for DOS reasons. */
+    al = SSL_AD_ACCESS_DENIED;
+    OPENSSL_PUT_ERROR(SSL, ssl3_get_client_hello, SSL_R_CONNECTION_REJECTED);
+    goto f_err;
+  }
+
   if (!CBS_get_u16_length_prefixed(&client_hello, &cipher_suites) ||
+      CBS_len(&cipher_suites) == 0 ||
+      CBS_len(&cipher_suites) % 2 != 0 ||
       !CBS_get_u8_length_prefixed(&client_hello, &compression_methods) ||
       CBS_len(&compression_methods) == 0) {
     al = SSL_AD_DECODE_ERROR;
@@ -1144,28 +1088,16 @@ int ssl3_get_client_hello(SSL *s) {
     goto f_err;
   }
 
-  /* TODO(davidben): Per spec, cipher_suites can never be empty (specified at
-   * the ClientHello structure level). This logic allows it to be empty if
-   * resuming a session. Can we always require non-empty? If a client sends
-   * empty cipher_suites because it's resuming a session, it could always fail
-   * to resume a session, so it's unlikely to actually work. */
-  if (CBS_len(&cipher_suites) == 0 && CBS_len(&session_id) != 0) {
-    /* We need a cipher if we are not resuming a session. */
-    al = SSL_AD_ILLEGAL_PARAMETER;
-    OPENSSL_PUT_ERROR(SSL, ssl3_get_client_hello, SSL_R_NO_CIPHERS_SPECIFIED);
-    goto f_err;
-  }
-
   ciphers = ssl_bytes_to_cipher_list(s, &cipher_suites);
   if (ciphers == NULL) {
     goto err;
   }
 
   /* If it is a hit, check that the cipher is in the list. */
-  if (s->hit && CBS_len(&cipher_suites) > 0) {
+  if (s->hit) {
     size_t j;
     int found_cipher = 0;
-    unsigned long id = s->session->cipher->id;
+    uint32_t id = s->session->cipher->id;
 
     for (j = 0; j < sk_SSL_CIPHER_num(ciphers); j++) {
       c = sk_SSL_CIPHER_value(ciphers, j);
@@ -1269,9 +1201,7 @@ int ssl3_get_client_hello(SSL *s) {
   }
 
 err:
-  if (ciphers != NULL) {
-    sk_SSL_CIPHER_free(ciphers);
-  }
+  sk_SSL_CIPHER_free(ciphers);
   return ret;
 }
 
@@ -1285,7 +1215,7 @@ int ssl3_send_server_hello(SSL *s) {
     /* We only accept ChannelIDs on connections with ECDHE in order to avoid a
      * known attack while we fix ChannelID itself. */
     if (s->s3->tlsext_channel_id_valid &&
-        (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kEECDH) == 0) {
+        (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kECDHE) == 0) {
       s->s3->tlsext_channel_id_valid = 0;
     }
 
@@ -1354,7 +1284,9 @@ int ssl3_send_server_hello(SSL *s) {
 
     /* do the header */
     l = (p - d);
-    ssl_set_handshake_header(s, SSL3_MT_SERVER_HELLO, l);
+    if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_HELLO, l)) {
+      return -1;
+    }
     s->state = SSL3_ST_SW_SRVR_HELLO_B;
   }
 
@@ -1364,7 +1296,9 @@ int ssl3_send_server_hello(SSL *s) {
 
 int ssl3_send_server_done(SSL *s) {
   if (s->state == SSL3_ST_SW_SRVR_DONE_A) {
-    ssl_set_handshake_header(s, SSL3_MT_SERVER_DONE, 0);
+    if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_DONE, 0)) {
+      return -1;
+    }
     s->state = SSL3_ST_SW_SRVR_DONE_B;
   }
 
@@ -1374,7 +1308,7 @@ int ssl3_send_server_done(SSL *s) {
 
 int ssl3_send_server_key_exchange(SSL *s) {
   DH *dh = NULL, *dhp;
-  EC_KEY *ecdh = NULL, *ecdhp;
+  EC_KEY *ecdh = NULL;
   uint8_t *encodedPoint = NULL;
   int encodedlen = 0;
   uint16_t curve_id = 0;
@@ -1384,8 +1318,8 @@ int ssl3_send_server_key_exchange(SSL *s) {
   EVP_PKEY *pkey;
   uint8_t *p, *d;
   int al, i;
-  unsigned long alg_k;
-  unsigned long alg_a;
+  uint32_t alg_k;
+  uint32_t alg_a;
   int n;
   CERT *cert;
   BIGNUM *r[4];
@@ -1414,7 +1348,7 @@ int ssl3_send_server_key_exchange(SSL *s) {
       n += 2 + psk_identity_hint_len;
     }
 
-    if (alg_k & SSL_kEDH) {
+    if (alg_k & SSL_kDHE) {
       dhp = cert->dh_tmp;
       if (dhp == NULL && s->cert->dh_tmp_cb != NULL) {
         dhp = s->cert->dh_tmp_cb(s, 0, 1024);
@@ -1431,46 +1365,37 @@ int ssl3_send_server_key_exchange(SSL *s) {
                           ERR_R_INTERNAL_ERROR);
         goto err;
       }
-
       dh = DHparams_dup(dhp);
       if (dh == NULL) {
         OPENSSL_PUT_ERROR(SSL, ssl3_send_server_key_exchange, ERR_R_DH_LIB);
         goto err;
       }
-
       s->s3->tmp.dh = dh;
-      if (dhp->pub_key == NULL || dhp->priv_key == NULL ||
-          (s->options & SSL_OP_SINGLE_DH_USE)) {
-        if (!DH_generate_key(dh)) {
-          OPENSSL_PUT_ERROR(SSL, ssl3_send_server_key_exchange, ERR_R_DH_LIB);
-          goto err;
-        }
-      } else {
-        dh->pub_key = BN_dup(dhp->pub_key);
-        dh->priv_key = BN_dup(dhp->priv_key);
-        if (dh->pub_key == NULL || dh->priv_key == NULL) {
-          OPENSSL_PUT_ERROR(SSL, ssl3_send_server_key_exchange, ERR_R_DH_LIB);
-          goto err;
-        }
+
+      if (!DH_generate_key(dh)) {
+        OPENSSL_PUT_ERROR(SSL, ssl3_send_server_key_exchange, ERR_R_DH_LIB);
+        goto err;
       }
 
       r[0] = dh->p;
       r[1] = dh->g;
       r[2] = dh->pub_key;
-    } else if (alg_k & SSL_kEECDH) {
-      const EC_GROUP *group;
-
-      ecdhp = cert->ecdh_tmp;
-      if (s->cert->ecdh_tmp_auto) {
-        /* Get NID of appropriate shared curve */
-        int nid = tls1_get_shared_curve(s);
-        if (nid != NID_undef) {
-          ecdhp = EC_KEY_new_by_curve_name(nid);
+    } else if (alg_k & SSL_kECDHE) {
+      /* Determine the curve to use. */
+      int nid = NID_undef;
+      if (cert->ecdh_nid != NID_undef) {
+        nid = cert->ecdh_nid;
+      } else if (cert->ecdh_tmp_cb != NULL) {
+        /* Note: |ecdh_tmp_cb| does NOT pass ownership of the result
+         * to the caller. */
+        EC_KEY *template = s->cert->ecdh_tmp_cb(s, 0, 1024);
+        if (template != NULL && EC_KEY_get0_group(template) != NULL) {
+          nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(template));
         }
-      } else if (ecdhp == NULL && s->cert->ecdh_tmp_cb) {
-        ecdhp = s->cert->ecdh_tmp_cb(s, 0, 1024);
+      } else {
+        nid = tls1_get_shared_curve(s);
       }
-      if (ecdhp == NULL) {
+      if (nid == NID_undef) {
         al = SSL_AD_HANDSHAKE_FAILURE;
         OPENSSL_PUT_ERROR(SSL, ssl3_send_server_key_exchange,
                           SSL_R_MISSING_TMP_ECDH_KEY);
@@ -1482,42 +1407,19 @@ int ssl3_send_server_key_exchange(SSL *s) {
                           ERR_R_INTERNAL_ERROR);
         goto err;
       }
-
-      /* Duplicate the ECDH structure. */
-      if (ecdhp == NULL) {
-        OPENSSL_PUT_ERROR(SSL, ssl3_send_server_key_exchange, ERR_R_ECDH_LIB);
+      ecdh = EC_KEY_new_by_curve_name(nid);
+      if (ecdh == NULL) {
         goto err;
       }
-
-      if (s->cert->ecdh_tmp_auto) {
-        ecdh = ecdhp;
-      } else {
-        ecdh = EC_KEY_dup(ecdhp);
-        if (ecdh == NULL) {
-          OPENSSL_PUT_ERROR(SSL, ssl3_send_server_key_exchange, ERR_R_ECDH_LIB);
-          goto err;
-        }
-      }
-
       s->s3->tmp.ecdh = ecdh;
-      if (EC_KEY_get0_public_key(ecdh) == NULL ||
-          EC_KEY_get0_private_key(ecdh) == NULL ||
-          (s->options & SSL_OP_SINGLE_ECDH_USE)) {
-        if (!EC_KEY_generate_key(ecdh)) {
-          OPENSSL_PUT_ERROR(SSL, ssl3_send_server_key_exchange, ERR_R_ECDH_LIB);
-          goto err;
-        }
-      }
 
-      group = EC_KEY_get0_group(ecdh);
-      if (group == NULL ||
-          EC_KEY_get0_public_key(ecdh) == NULL ||
-          EC_KEY_get0_private_key(ecdh) == NULL) {
+      if (!EC_KEY_generate_key(ecdh)) {
         OPENSSL_PUT_ERROR(SSL, ssl3_send_server_key_exchange, ERR_R_ECDH_LIB);
         goto err;
       }
 
       /* We only support ephemeral ECDH keys over named (not generic) curves. */
+      const EC_GROUP *group = EC_KEY_get0_group(ecdh);
       if (!tls1_ec_nid2curve_id(&curve_id, EC_GROUP_get_curve_name(group))) {
         OPENSSL_PUT_ERROR(SSL, ssl3_send_server_key_exchange,
                           SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
@@ -1597,7 +1499,7 @@ int ssl3_send_server_key_exchange(SSL *s) {
       p += nr[i];
     }
 
-    /* Note: ECDHE PSK ciphersuites use SSL_kEECDH and SSL_aPSK. When one of
+    /* Note: ECDHE PSK ciphersuites use SSL_kECDHE and SSL_aPSK. When one of
      * them is used, the server key exchange record needs to have both the
      * psk_identity_hint and the ServerECDHParams. */
     if (alg_a & SSL_aPSK) {
@@ -1609,7 +1511,7 @@ int ssl3_send_server_key_exchange(SSL *s) {
       }
     }
 
-    if (alg_k & SSL_kEECDH) {
+    if (alg_k & SSL_kECDHE) {
       /* We only support named (not generic) curves. In this situation, the
        * serverKeyExchange message has:
        * [1 byte CurveType], [2 byte CurveName]
@@ -1667,7 +1569,9 @@ int ssl3_send_server_key_exchange(SSL *s) {
       }
     }
 
-    ssl_set_handshake_header(s, SSL3_MT_SERVER_KEY_EXCHANGE, n);
+    if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_KEY_EXCHANGE, n)) {
+      goto err;
+    }
   }
 
   s->state = SSL3_ST_SW_KEY_EXCH_B;
@@ -1677,9 +1581,7 @@ int ssl3_send_server_key_exchange(SSL *s) {
 f_err:
   ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
-  if (encodedPoint != NULL) {
-    OPENSSL_free(encodedPoint);
-  }
+  OPENSSL_free(encodedPoint);
   BN_CTX_free(bn_ctx);
   EVP_MD_CTX_cleanup(&md_ctx);
   return -1;
@@ -1740,27 +1642,9 @@ int ssl3_send_certificate_request(SSL *s) {
     p = ssl_handshake_start(s) + off;
     s2n(nl, p);
 
-    ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_REQUEST, n);
-
-#ifdef NETSCAPE_HANG_BUG
-    if (!SSL_IS_DTLS(s)) {
-      /* Prepare a ServerHelloDone in the same record. This is to workaround a
-       * hang in Netscape. */
-      if (!BUF_MEM_grow_clean(buf, s->init_num + 4)) {
-        OPENSSL_PUT_ERROR(SSL, ssl3_send_certificate_request, ERR_R_BUF_LIB);
-        goto err;
-      }
-      p = (uint8_t *)s->init_buf->data + s->init_num;
-      /* do the header */
-      *(p++) = SSL3_MT_SERVER_DONE;
-      *(p++) = 0;
-      *(p++) = 0;
-      *(p++) = 0;
-      s->init_num += 4;
-      ssl3_finish_mac(s, p - 4, 4);
+    if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_REQUEST, n)) {
+      goto err;
     }
-#endif
-
     s->state = SSL3_ST_SW_CERT_REQ_B;
   }
 
@@ -1775,8 +1659,8 @@ int ssl3_get_client_key_exchange(SSL *s) {
   int al, ok;
   long n;
   CBS client_key_exchange;
-  unsigned long alg_k;
-  unsigned long alg_a;
+  uint32_t alg_k;
+  uint32_t alg_a;
   uint8_t *premaster_secret = NULL;
   size_t premaster_secret_len = 0;
   RSA *rsa = NULL;
@@ -1795,7 +1679,7 @@ int ssl3_get_client_key_exchange(SSL *s) {
   n = s->method->ssl_get_message(s, SSL3_ST_SR_KEY_EXCH_A,
                                  SSL3_ST_SR_KEY_EXCH_B,
                                  SSL3_MT_CLIENT_KEY_EXCHANGE, 2048, /* ??? */
-                                 SSL_GET_MESSAGE_HASH_MESSAGE, &ok);
+                                 ssl_hash_message, &ok);
 
   if (!ok) {
     return n;
@@ -1983,7 +1867,7 @@ int ssl3_get_client_key_exchange(SSL *s) {
     }
 
     premaster_secret_len = sizeof(rand_premaster_secret);
-  } else if (alg_k & SSL_kEDH) {
+  } else if (alg_k & SSL_kDHE) {
     CBS dh_Yc;
     int dh_len;
 
@@ -2014,6 +1898,7 @@ int ssl3_get_client_key_exchange(SSL *s) {
     if (premaster_secret == NULL) {
       OPENSSL_PUT_ERROR(SSL, ssl3_get_client_key_exchange,
                         ERR_R_MALLOC_FAILURE);
+      BN_clear_free(pub);
       goto err;
     }
 
@@ -2030,7 +1915,7 @@ int ssl3_get_client_key_exchange(SSL *s) {
     pub = NULL;
 
     premaster_secret_len = dh_len;
-  } else if (alg_k & SSL_kEECDH) {
+  } else if (alg_k & SSL_kECDHE) {
     int field_size = 0, ecdh_len;
     const EC_KEY *tkey;
     const EC_GROUP *group;
@@ -2191,14 +2076,10 @@ err:
     }
     OPENSSL_free(premaster_secret);
   }
-  if (decrypt_buf) {
-    OPENSSL_free(decrypt_buf);
-  }
+  OPENSSL_free(decrypt_buf);
   EVP_PKEY_free(clnt_pub_pkey);
   EC_POINT_free(clnt_ecpoint);
-  if (srvr_ecdh != NULL) {
-    EC_KEY_free(srvr_ecdh);
-  }
+  EC_KEY_free(srvr_ecdh);
   BN_CTX_free(bn_ctx);
 
   return -1;
@@ -2229,7 +2110,7 @@ int ssl3_get_cert_verify(SSL *s) {
   n = s->method->ssl_get_message(
       s, SSL3_ST_SR_CERT_VRFY_A, SSL3_ST_SR_CERT_VRFY_B,
       SSL3_MT_CERTIFICATE_VERIFY, SSL3_RT_MAX_PLAIN_LENGTH,
-      SSL_GET_MESSAGE_DONT_HASH_MESSAGE, &ok);
+      ssl_dont_hash_message, &ok);
 
   if (!ok) {
     return n;
@@ -2237,6 +2118,9 @@ int ssl3_get_cert_verify(SSL *s) {
 
   /* Filter out unsupported certificate types. */
   pkey = X509_get_pubkey(peer);
+  if (pkey == NULL) {
+    goto err;
+  }
   if (!(X509_certificate_type(peer, pkey) & EVP_PKT_SIGN) ||
       (pkey->type != EVP_PKEY_RSA && pkey->type != EVP_PKEY_EC)) {
     al = SSL_AD_UNSUPPORTED_CERTIFICATE;
@@ -2264,7 +2148,9 @@ int ssl3_get_cert_verify(SSL *s) {
       !ssl3_digest_cached_records(s, free_handshake_buffer)) {
     goto err;
   }
-  ssl3_hash_current_message(s);
+  if (!ssl3_hash_current_message(s)) {
+    goto err;
+  }
 
   /* Parse and verify the signature. */
   if (!CBS_get_u16_length_prefixed(&certificate_verify, &signature) ||
@@ -2311,8 +2197,7 @@ int ssl3_get_client_certificate(SSL *s) {
   int is_first_certificate = 1;
 
   n = s->method->ssl_get_message(s, SSL3_ST_SR_CERT_A, SSL3_ST_SR_CERT_B, -1,
-                                 s->max_cert_list, SSL_GET_MESSAGE_HASH_MESSAGE,
-                                 &ok);
+                                 (long)s->max_cert_list, ssl_hash_message, &ok);
 
   if (!ok) {
     return n;
@@ -2433,11 +2318,7 @@ int ssl3_get_client_certificate(SSL *s) {
     }
   }
 
-  if (s->session->peer != NULL) {
-    /* This should not be needed */
-    X509_free(s->session->peer);
-  }
-
+  X509_free(s->session->peer);
   s->session->peer = sk_X509_shift(sk);
   s->session->verify_result = s->verify_result;
 
@@ -2450,9 +2331,7 @@ int ssl3_get_client_certificate(SSL *s) {
       goto err;
     }
   }
-  if (s->session->sess_cert->cert_chain != NULL) {
-    sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
-  }
+  sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
   s->session->sess_cert->cert_chain = sk;
   /* Inconsistency alert: cert_chain does *not* include the peer's own
    * certificate, while we do include it in s3_clnt.c */
@@ -2467,12 +2346,8 @@ int ssl3_get_client_certificate(SSL *s) {
   }
 
 err:
-  if (x != NULL) {
-    X509_free(x);
-  }
-  if (sk != NULL) {
-    sk_X509_pop_free(sk, X509_free);
-  }
+  X509_free(x);
+  sk_X509_pop_free(sk, X509_free);
   return ret;
 }
 
@@ -2487,7 +2362,9 @@ int ssl3_send_server_certificate(SSL *s) {
       return 0;
     }
 
-    ssl3_output_cert_chain(s, cpk);
+    if (!ssl3_output_cert_chain(s, cpk)) {
+      return 0;
+    }
     s->state = SSL3_ST_SW_CERT_B;
   }
 
@@ -2497,14 +2374,19 @@ int ssl3_send_server_certificate(SSL *s) {
 
 /* send a new session ticket (not necessarily for a new session) */
 int ssl3_send_new_session_ticket(SSL *s) {
+  int ret = -1;
+  uint8_t *session = NULL;
+  size_t session_len;
+  EVP_CIPHER_CTX ctx;
+  HMAC_CTX hctx;
+
+  EVP_CIPHER_CTX_init(&ctx);
+  HMAC_CTX_init(&hctx);
+
   if (s->state == SSL3_ST_SW_SESSION_TICKET_A) {
-    uint8_t *session;
-    size_t session_len;
     uint8_t *p, *macstart;
     int len;
     unsigned int hlen;
-    EVP_CIPHER_CTX ctx;
-    HMAC_CTX hctx;
     SSL_CTX *tctx = s->initial_ctx;
     uint8_t iv[EVP_MAX_IV_LENGTH];
     uint8_t key_name[16];
@@ -2515,7 +2397,7 @@ int ssl3_send_new_session_ticket(SSL *s) {
 
     /* Serialize the SSL_SESSION to be encoded into the ticket. */
     if (!SSL_SESSION_to_bytes_for_ticket(s->session, &session, &session_len)) {
-      return -1;
+      goto err;
     }
 
     /* If the session is too long, emit a dummy value rather than abort the
@@ -2525,6 +2407,7 @@ int ssl3_send_new_session_ticket(SSL *s) {
       const size_t placeholder_len = strlen(kTicketPlaceholder);
 
       OPENSSL_free(session);
+      session = NULL;
 
       p = ssl_handshake_start(s);
       /* Emit ticket_lifetime_hint. */
@@ -2535,7 +2418,9 @@ int ssl3_send_new_session_ticket(SSL *s) {
       p += placeholder_len;
 
       len = p - ssl_handshake_start(s);
-      ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, len);
+      if (!ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, len)) {
+        goto err;
+      }
       s->state = SSL3_ST_SW_SESSION_TICKET_B;
       return ssl_do_write(s);
     }
@@ -2545,20 +2430,15 @@ int ssl3_send_new_session_ticket(SSL *s) {
      * max_ticket_overhead + * session_length */
     if (!BUF_MEM_grow(s->init_buf, SSL_HM_HEADER_LENGTH(s) + 6 +
                                        max_ticket_overhead + session_len)) {
-      OPENSSL_free(session);
-      return -1;
+      goto err;
     }
     p = ssl_handshake_start(s);
-    EVP_CIPHER_CTX_init(&ctx);
-    HMAC_CTX_init(&hctx);
     /* Initialize HMAC and cipher contexts. If callback present it does all the
      * work otherwise use generated values from parent ctx. */
     if (tctx->tlsext_ticket_key_cb) {
-      if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx, &hctx, 1) < 0) {
-        OPENSSL_free(session);
-        EVP_CIPHER_CTX_cleanup(&ctx);
-        HMAC_CTX_cleanup(&hctx);
-        return -1;
+      if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx, &hctx,
+                                     1 /* encrypt */) < 0) {
+        goto err;
       }
     } else {
       if (!RAND_bytes(iv, 16) ||
@@ -2566,10 +2446,7 @@ int ssl3_send_new_session_ticket(SSL *s) {
                               tctx->tlsext_tick_aes_key, iv) ||
           !HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, tlsext_tick_md(),
                         NULL)) {
-        OPENSSL_free(session);
-        EVP_CIPHER_CTX_cleanup(&ctx);
-        HMAC_CTX_cleanup(&hctx);
-        return -1;
+        goto err;
       }
       memcpy(key_name, tctx->tlsext_tick_key_name, 16);
     }
@@ -2589,15 +2466,19 @@ int ssl3_send_new_session_ticket(SSL *s) {
     memcpy(p, iv, EVP_CIPHER_CTX_iv_length(&ctx));
     p += EVP_CIPHER_CTX_iv_length(&ctx);
     /* Encrypt session data */
-    EVP_EncryptUpdate(&ctx, p, &len, session, session_len);
+    if (!EVP_EncryptUpdate(&ctx, p, &len, session, session_len)) {
+      goto err;
+    }
     p += len;
-    EVP_EncryptFinal_ex(&ctx, p, &len);
+    if (!EVP_EncryptFinal_ex(&ctx, p, &len)) {
+      goto err;
+    }
     p += len;
-    EVP_CIPHER_CTX_cleanup(&ctx);
 
-    HMAC_Update(&hctx, macstart, p - macstart);
-    HMAC_Final(&hctx, p, &hlen);
-    HMAC_CTX_cleanup(&hctx);
+    if (!HMAC_Update(&hctx, macstart, p - macstart) ||
+        !HMAC_Final(&hctx, p, &hlen)) {
+      goto err;
+    }
 
     p += hlen;
     /* Now write out lengths: p points to end of data written */
@@ -2606,13 +2487,20 @@ int ssl3_send_new_session_ticket(SSL *s) {
     /* Skip ticket lifetime hint */
     p = ssl_handshake_start(s) + 4;
     s2n(len - 6, p);
-    ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, len);
+    if (!ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, len)) {
+      goto err;
+    }
     s->state = SSL3_ST_SW_SESSION_TICKET_B;
-    OPENSSL_free(session);
   }
 
   /* SSL3_ST_SW_SESSION_TICKET_B */
-  return ssl_do_write(s);
+  ret = ssl_do_write(s);
+
+err:
+  OPENSSL_free(session);
+  EVP_CIPHER_CTX_cleanup(&ctx);
+  HMAC_CTX_cleanup(&hctx);
+  return ret;
 }
 
 /* ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. It
@@ -2633,7 +2521,7 @@ int ssl3_get_next_proto(SSL *s) {
   n = s->method->ssl_get_message(s, SSL3_ST_SR_NEXT_PROTO_A,
                                  SSL3_ST_SR_NEXT_PROTO_B, SSL3_MT_NEXT_PROTO,
                                  514, /* See the payload format below */
-                                 SSL_GET_MESSAGE_HASH_MESSAGE, &ok);
+                                 ssl_hash_message, &ok);
 
   if (!ok) {
     return n;
@@ -2688,7 +2576,7 @@ int ssl3_get_channel_id(SSL *s) {
   n = s->method->ssl_get_message(
       s, SSL3_ST_SR_CHANNEL_ID_A, SSL3_ST_SR_CHANNEL_ID_B,
       SSL3_MT_ENCRYPTED_EXTENSIONS, 2 + 2 + TLSEXT_CHANNEL_ID_SIZE,
-      SSL_GET_MESSAGE_DONT_HASH_MESSAGE, &ok);
+      ssl_dont_hash_message, &ok);
 
   if (!ok) {
     return n;
@@ -2707,7 +2595,9 @@ int ssl3_get_channel_id(SSL *s) {
   EVP_MD_CTX_cleanup(&md_ctx);
   assert(channel_id_hash_len == SHA256_DIGEST_LENGTH);
 
-  ssl3_hash_current_message(s);
+  if (!ssl3_hash_current_message(s)) {
+    return -1;
+  }
 
   /* s->state doesn't reflect whether ChangeCipherSpec has been received in
    * this handshake, but s->s3->change_cipher_spec does (will be reset by
@@ -2757,6 +2647,9 @@ int ssl3_get_channel_id(SSL *s) {
   BN_init(&y);
   sig.r = BN_new();
   sig.s = BN_new();
+  if (sig.r == NULL || sig.s == NULL) {
+    goto err;
+  }
 
   p = CBS_data(&extension);
   if (BN_bin2bn(p + 0, 32, &x) == NULL ||
@@ -2794,14 +2687,8 @@ err:
   BN_free(&y);
   BN_free(sig.r);
   BN_free(sig.s);
-  if (key) {
-    EC_KEY_free(key);
-  }
-  if (point) {
-    EC_POINT_free(point);
-  }
-  if (p256) {
-    EC_GROUP_free(p256);
-  }
+  EC_KEY_free(key);
+  EC_POINT_free(point);
+  EC_GROUP_free(p256);
   return ret;
 }
diff --git a/src/ssl/ssl_algs.c b/src/ssl/ssl_algs.c
index 6ec88bf..fda39a5 100644
--- a/src/ssl/ssl_algs.c
+++ b/src/ssl/ssl_algs.c
@@ -54,18 +54,13 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.] */
 
-#include "ssl_locl.h"
+#include "internal.h"
 
 #include <openssl/crypto.h>
 
-extern const ERR_STRING_DATA SSL_error_string_data[];
-
 int SSL_library_init(void) {
   CRYPTO_library_init();
-  ERR_load_crypto_strings();
-  ERR_load_strings(SSL_error_string_data);
   return 1;
 }
 
-void SSL_load_error_strings(void) {
-}
+void SSL_load_error_strings(void) {}
diff --git a/src/ssl/ssl_asn1.c b/src/ssl/ssl_asn1.c
index d39da87..eb0c725 100644
--- a/src/ssl/ssl_asn1.c
+++ b/src/ssl/ssl_asn1.c
@@ -85,9 +85,10 @@
 
 #include <openssl/bytestring.h>
 #include <openssl/err.h>
+#include <openssl/mem.h>
 #include <openssl/x509.h>
 
-#include "ssl_locl.h"
+#include "internal.h"
 
 
 /* An SSL_SESSION is serialized as the following ASN.1 structure:
@@ -177,14 +178,14 @@ static int SSL_SESSION_to_bytes_full(SSL_SESSION *in, uint8_t **out_data,
                      for_ticket ? 0 : in->session_id_length) ||
       !CBB_add_asn1(&session, &child, CBS_ASN1_OCTETSTRING) ||
       !CBB_add_bytes(&child, in->master_key, in->master_key_length)) {
-    OPENSSL_PUT_ERROR(SSL, i2d_SSL_SESSION, ERR_R_MALLOC_FAILURE);
+    OPENSSL_PUT_ERROR(SSL, SSL_SESSION_to_bytes_full, ERR_R_MALLOC_FAILURE);
     goto err;
   }
 
   if (in->time != 0) {
     if (!CBB_add_asn1(&session, &child, kTimeTag) ||
         !CBB_add_asn1_uint64(&child, in->time)) {
-      OPENSSL_PUT_ERROR(SSL, i2d_SSL_SESSION, ERR_R_MALLOC_FAILURE);
+      OPENSSL_PUT_ERROR(SSL, SSL_SESSION_to_bytes_full, ERR_R_MALLOC_FAILURE);
       goto err;
     }
   }
@@ -192,7 +193,7 @@ static int SSL_SESSION_to_bytes_full(SSL_SESSION *in, uint8_t **out_data,
   if (in->timeout != 0) {
     if (!CBB_add_asn1(&session, &child, kTimeoutTag) ||
         !CBB_add_asn1_uint64(&child, in->timeout)) {
-      OPENSSL_PUT_ERROR(SSL, i2d_SSL_SESSION, ERR_R_MALLOC_FAILURE);
+      OPENSSL_PUT_ERROR(SSL, SSL_SESSION_to_bytes_full, ERR_R_MALLOC_FAILURE);
       goto err;
     }
   }
@@ -207,7 +208,7 @@ static int SSL_SESSION_to_bytes_full(SSL_SESSION *in, uint8_t **out_data,
     }
     if (!CBB_add_asn1(&session, &child, kPeerTag) ||
         !CBB_add_space(&child, &buf, len)) {
-      OPENSSL_PUT_ERROR(SSL, i2d_SSL_SESSION, ERR_R_MALLOC_FAILURE);
+      OPENSSL_PUT_ERROR(SSL, SSL_SESSION_to_bytes_full, ERR_R_MALLOC_FAILURE);
       goto err;
     }
     if (buf != NULL && i2d_X509(in->peer, &buf) < 0) {
@@ -220,14 +221,14 @@ static int SSL_SESSION_to_bytes_full(SSL_SESSION *in, uint8_t **out_data,
   if (!CBB_add_asn1(&session, &child, kSessionIDContextTag) ||
       !CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) ||
       !CBB_add_bytes(&child2, in->sid_ctx, in->sid_ctx_length)) {
-    OPENSSL_PUT_ERROR(SSL, i2d_SSL_SESSION, ERR_R_MALLOC_FAILURE);
+    OPENSSL_PUT_ERROR(SSL, SSL_SESSION_to_bytes_full, ERR_R_MALLOC_FAILURE);
     goto err;
   }
 
   if (in->verify_result != X509_V_OK) {
     if (!CBB_add_asn1(&session, &child, kVerifyResultTag) ||
         !CBB_add_asn1_uint64(&child, in->verify_result)) {
-      OPENSSL_PUT_ERROR(SSL, i2d_SSL_SESSION, ERR_R_MALLOC_FAILURE);
+      OPENSSL_PUT_ERROR(SSL, SSL_SESSION_to_bytes_full, ERR_R_MALLOC_FAILURE);
       goto err;
     }
   }
@@ -237,7 +238,7 @@ static int SSL_SESSION_to_bytes_full(SSL_SESSION *in, uint8_t **out_data,
         !CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) ||
         !CBB_add_bytes(&child2, (const uint8_t *)in->tlsext_hostname,
                        strlen(in->tlsext_hostname))) {
-      OPENSSL_PUT_ERROR(SSL, i2d_SSL_SESSION, ERR_R_MALLOC_FAILURE);
+      OPENSSL_PUT_ERROR(SSL, SSL_SESSION_to_bytes_full, ERR_R_MALLOC_FAILURE);
       goto err;
     }
   }
@@ -247,7 +248,7 @@ static int SSL_SESSION_to_bytes_full(SSL_SESSION *in, uint8_t **out_data,
         !CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) ||
         !CBB_add_bytes(&child2, (const uint8_t *)in->psk_identity,
                        strlen(in->psk_identity))) {
-      OPENSSL_PUT_ERROR(SSL, i2d_SSL_SESSION, ERR_R_MALLOC_FAILURE);
+      OPENSSL_PUT_ERROR(SSL, SSL_SESSION_to_bytes_full, ERR_R_MALLOC_FAILURE);
       goto err;
     }
   }
@@ -255,7 +256,7 @@ static int SSL_SESSION_to_bytes_full(SSL_SESSION *in, uint8_t **out_data,
   if (in->tlsext_tick_lifetime_hint > 0) {
     if (!CBB_add_asn1(&session, &child, kTicketLifetimeHintTag) ||
         !CBB_add_asn1_uint64(&child, in->tlsext_tick_lifetime_hint)) {
-      OPENSSL_PUT_ERROR(SSL, i2d_SSL_SESSION, ERR_R_MALLOC_FAILURE);
+      OPENSSL_PUT_ERROR(SSL, SSL_SESSION_to_bytes_full, ERR_R_MALLOC_FAILURE);
       goto err;
     }
   }
@@ -264,7 +265,7 @@ static int SSL_SESSION_to_bytes_full(SSL_SESSION *in, uint8_t **out_data,
     if (!CBB_add_asn1(&session, &child, kTicketTag) ||
         !CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) ||
         !CBB_add_bytes(&child2, in->tlsext_tick, in->tlsext_ticklen)) {
-      OPENSSL_PUT_ERROR(SSL, i2d_SSL_SESSION, ERR_R_MALLOC_FAILURE);
+      OPENSSL_PUT_ERROR(SSL, SSL_SESSION_to_bytes_full, ERR_R_MALLOC_FAILURE);
       goto err;
     }
   }
@@ -273,7 +274,7 @@ static int SSL_SESSION_to_bytes_full(SSL_SESSION *in, uint8_t **out_data,
     if (!CBB_add_asn1(&session, &child, kPeerSHA256Tag) ||
         !CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) ||
         !CBB_add_bytes(&child2, in->peer_sha256, sizeof(in->peer_sha256))) {
-      OPENSSL_PUT_ERROR(SSL, i2d_SSL_SESSION, ERR_R_MALLOC_FAILURE);
+      OPENSSL_PUT_ERROR(SSL, SSL_SESSION_to_bytes_full, ERR_R_MALLOC_FAILURE);
       goto err;
     }
   }
@@ -283,7 +284,7 @@ static int SSL_SESSION_to_bytes_full(SSL_SESSION *in, uint8_t **out_data,
         !CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) ||
         !CBB_add_bytes(&child2, in->original_handshake_hash,
                        in->original_handshake_hash_len)) {
-      OPENSSL_PUT_ERROR(SSL, i2d_SSL_SESSION, ERR_R_MALLOC_FAILURE);
+      OPENSSL_PUT_ERROR(SSL, SSL_SESSION_to_bytes_full, ERR_R_MALLOC_FAILURE);
       goto err;
     }
   }
@@ -293,7 +294,7 @@ static int SSL_SESSION_to_bytes_full(SSL_SESSION *in, uint8_t **out_data,
         !CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) ||
         !CBB_add_bytes(&child2, in->tlsext_signed_cert_timestamp_list,
                        in->tlsext_signed_cert_timestamp_list_length)) {
-      OPENSSL_PUT_ERROR(SSL, i2d_SSL_SESSION, ERR_R_MALLOC_FAILURE);
+      OPENSSL_PUT_ERROR(SSL, SSL_SESSION_to_bytes_full, ERR_R_MALLOC_FAILURE);
       goto err;
     }
   }
@@ -302,7 +303,7 @@ static int SSL_SESSION_to_bytes_full(SSL_SESSION *in, uint8_t **out_data,
     if (!CBB_add_asn1(&session, &child, kOCSPResponseTag) ||
         !CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) ||
         !CBB_add_bytes(&child2, in->ocsp_response, in->ocsp_response_length)) {
-      OPENSSL_PUT_ERROR(SSL, i2d_SSL_SESSION, ERR_R_MALLOC_FAILURE);
+      OPENSSL_PUT_ERROR(SSL, SSL_SESSION_to_bytes_full, ERR_R_MALLOC_FAILURE);
       goto err;
     }
   }
@@ -311,13 +312,13 @@ static int SSL_SESSION_to_bytes_full(SSL_SESSION *in, uint8_t **out_data,
     if (!CBB_add_asn1(&session, &child, kExtendedMasterSecretTag) ||
         !CBB_add_asn1(&child, &child2, CBS_ASN1_BOOLEAN) ||
         !CBB_add_u8(&child2, 0xff)) {
-      OPENSSL_PUT_ERROR(SSL, i2d_SSL_SESSION, ERR_R_MALLOC_FAILURE);
+      OPENSSL_PUT_ERROR(SSL, SSL_SESSION_to_bytes_full, ERR_R_MALLOC_FAILURE);
       goto err;
     }
   }
 
   if (!CBB_finish(&cbb, out_data, out_len)) {
-    OPENSSL_PUT_ERROR(SSL, i2d_SSL_SESSION, ERR_R_MALLOC_FAILURE);
+    OPENSSL_PUT_ERROR(SSL, SSL_SESSION_to_bytes_full, ERR_R_MALLOC_FAILURE);
     goto err;
   }
   return 1;
@@ -381,7 +382,7 @@ static int d2i_SSL_SESSION_get_string(CBS *cbs, char **out, unsigned tag) {
       OPENSSL_PUT_ERROR(SSL, d2i_SSL_SESSION, ERR_R_MALLOC_FAILURE);
       return 0;
     }
-  } else if (*out) {
+  } else {
     OPENSSL_free(*out);
     *out = NULL;
   }
@@ -409,7 +410,7 @@ static int d2i_SSL_SESSION_get_octet_string(CBS *cbs, uint8_t **out_ptr,
 }
 
 SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const uint8_t **pp, long length) {
-  SSL_SESSION *ret = NULL;
+  SSL_SESSION *ret, *allocated = NULL;
   CBS cbs, session, cipher, session_id, master_key;
   CBS peer, sid_ctx, peer_sha256, original_handshake_hash;
   int has_peer, has_peer_sha256, extended_master_secret;
@@ -419,8 +420,8 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const uint8_t **pp, long length) {
   if (a && *a) {
     ret = *a;
   } else {
-    ret = SSL_SESSION_new();
-    if (ret == NULL) {
+    ret = allocated = SSL_SESSION_new();
+    if (allocated == NULL) {
       goto err;
     }
   }
@@ -525,10 +526,8 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const uint8_t **pp, long length) {
   ret->time = session_time;
   ret->timeout = timeout;
 
-  if (ret->peer != NULL) {
-    X509_free(ret->peer);
-    ret->peer = NULL;
-  }
+  X509_free(ret->peer);
+  ret->peer = NULL;
   if (has_peer) {
     const uint8_t *ptr;
     ptr = CBS_data(&peer);
@@ -584,8 +583,6 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const uint8_t **pp, long length) {
   return ret;
 
 err:
-  if (a && *a != ret) {
-    SSL_SESSION_free(ret);
-  }
+  SSL_SESSION_free(allocated);
   return NULL;
 }
diff --git a/src/ssl/ssl_cert.c b/src/ssl/ssl_cert.c
index 624c41a..770912b 100644
--- a/src/ssl/ssl_cert.c
+++ b/src/ssl/ssl_cert.c
@@ -112,7 +112,9 @@
  * ECC cipher suite support in OpenSSL originally developed by
  * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */
 
+#include <errno.h>
 #include <stdio.h>
+#include <string.h>
 
 #include <openssl/bio.h>
 #include <openssl/bn.h>
@@ -126,7 +128,7 @@
 
 #include "../crypto/dh/internal.h"
 #include "../crypto/directory.h"
-#include "ssl_locl.h"
+#include "internal.h"
 
 
 int SSL_get_ex_data_X509_STORE_CTX_idx(void) {
@@ -178,7 +180,6 @@ CERT *ssl_cert_dup(CERT *cert) {
     OPENSSL_PUT_ERROR(SSL, ssl_cert_dup, ERR_R_MALLOC_FAILURE);
     return NULL;
   }
-
   memset(ret, 0, sizeof(CERT));
 
   ret->key = &ret->pkeys[cert->key - &cert->pkeys[0]];
@@ -213,15 +214,8 @@ CERT *ssl_cert_dup(CERT *cert) {
   }
   ret->dh_tmp_cb = cert->dh_tmp_cb;
 
-  if (cert->ecdh_tmp) {
-    ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp);
-    if (ret->ecdh_tmp == NULL) {
-      OPENSSL_PUT_ERROR(SSL, ssl_cert_dup, ERR_R_EC_LIB);
-      goto err;
-    }
-  }
+  ret->ecdh_nid = cert->ecdh_nid;
   ret->ecdh_tmp_cb = cert->ecdh_tmp_cb;
-  ret->ecdh_tmp_auto = cert->ecdh_tmp_auto;
 
   for (i = 0; i < SSL_PKEY_NUM; i++) {
     CERT_PKEY *cpk = cert->pkeys + i;
@@ -231,7 +225,7 @@ CERT *ssl_cert_dup(CERT *cert) {
     }
 
     if (cpk->privatekey != NULL) {
-      rpk->privatekey = EVP_PKEY_dup(cpk->privatekey);
+      rpk->privatekey = EVP_PKEY_up_ref(cpk->privatekey);
     }
 
     if (cpk->chain) {
@@ -243,34 +237,24 @@ CERT *ssl_cert_dup(CERT *cert) {
     }
   }
 
-  /* Peer sigalgs set to NULL as we get these from handshake too */
-  ret->peer_sigalgs = NULL;
-  ret->peer_sigalgslen = 0;
-  /* Configured sigalgs however we copy across */
-
+  /* Copy over signature algorithm configuration. */
   if (cert->conf_sigalgs) {
-    ret->conf_sigalgs = OPENSSL_malloc(cert->conf_sigalgslen);
+    ret->conf_sigalgs = BUF_memdup(cert->conf_sigalgs, cert->conf_sigalgslen);
     if (!ret->conf_sigalgs) {
       goto err;
     }
-    memcpy(ret->conf_sigalgs, cert->conf_sigalgs, cert->conf_sigalgslen);
     ret->conf_sigalgslen = cert->conf_sigalgslen;
-  } else {
-    ret->conf_sigalgs = NULL;
   }
 
   if (cert->client_sigalgs) {
-    ret->client_sigalgs = OPENSSL_malloc(cert->client_sigalgslen);
+    ret->client_sigalgs = BUF_memdup(cert->client_sigalgs,
+                                     cert->client_sigalgslen);
     if (!ret->client_sigalgs) {
       goto err;
     }
-    memcpy(ret->client_sigalgs, cert->client_sigalgs, cert->client_sigalgslen);
     ret->client_sigalgslen = cert->client_sigalgslen;
-  } else {
-    ret->client_sigalgs = NULL;
   }
-  /* Shared sigalgs also NULL */
-  ret->shared_sigalgs = NULL;
+
   /* Copy any custom client certificate types */
   if (cert->client_certificate_types) {
     ret->client_certificate_types = BUF_memdup(
@@ -281,8 +265,6 @@ CERT *ssl_cert_dup(CERT *cert) {
     ret->num_client_certificate_types = cert->num_client_certificate_types;
   }
 
-  ret->cert_flags = cert->cert_flags;
-
   ret->cert_cb = cert->cert_cb;
   ret->cert_cb_arg = cert->cert_cb_arg;
 
@@ -296,8 +278,6 @@ CERT *ssl_cert_dup(CERT *cert) {
     ret->chain_store = cert->chain_store;
   }
 
-  ret->ciphers_raw = NULL;
-
   return ret;
 
 err:
@@ -334,79 +314,32 @@ void ssl_cert_free(CERT *c) {
     return;
   }
 
-  if (c->dh_tmp) {
-    DH_free(c->dh_tmp);
-  }
-  if (c->ecdh_tmp) {
-    EC_KEY_free(c->ecdh_tmp);
-  }
+  DH_free(c->dh_tmp);
 
   ssl_cert_clear_certs(c);
-  if (c->peer_sigalgs) {
-    OPENSSL_free(c->peer_sigalgs);
-  }
-  if (c->conf_sigalgs) {
-    OPENSSL_free(c->conf_sigalgs);
-  }
-  if (c->client_sigalgs) {
-    OPENSSL_free(c->client_sigalgs);
-  }
-  if (c->shared_sigalgs) {
-    OPENSSL_free(c->shared_sigalgs);
-  }
-  if (c->client_certificate_types) {
-    OPENSSL_free(c->client_certificate_types);
-  }
-  if (c->verify_store) {
-    X509_STORE_free(c->verify_store);
-  }
-  if (c->chain_store) {
-    X509_STORE_free(c->chain_store);
-  }
-  if (c->ciphers_raw) {
-    OPENSSL_free(c->ciphers_raw);
-  }
+  OPENSSL_free(c->peer_sigalgs);
+  OPENSSL_free(c->conf_sigalgs);
+  OPENSSL_free(c->client_sigalgs);
+  OPENSSL_free(c->shared_sigalgs);
+  OPENSSL_free(c->client_certificate_types);
+  X509_STORE_free(c->verify_store);
+  X509_STORE_free(c->chain_store);
 
   OPENSSL_free(c);
 }
 
-int ssl_cert_inst(CERT **o) {
-  /* Create a CERT if there isn't already one (which cannot really happen, as
-   * it is initially created in SSL_CTX_new; but the earlier code usually
-   * allows for that one being non-existant, so we follow that behaviour, as it
-   * might turn out that there actually is a reason for it -- but I'm not sure
-   * that *all* of the existing code could cope with s->cert being NULL,
-   * otherwise we could do without the initialization in SSL_CTX_new). */
-
-  if (o == NULL) {
-    OPENSSL_PUT_ERROR(SSL, ssl_cert_inst, ERR_R_PASSED_NULL_PARAMETER);
-    return 0;
-  }
-  if (*o == NULL) {
-    *o = ssl_cert_new();
-    if (*o == NULL) {
-      OPENSSL_PUT_ERROR(SSL, ssl_cert_new, ERR_R_MALLOC_FAILURE);
-      return 0;
-    }
-  }
-
-  return 1;
-}
-
-int ssl_cert_set0_chain(CERT *c, STACK_OF(X509) * chain) {
+int ssl_cert_set0_chain(CERT *c, STACK_OF(X509) *chain) {
   CERT_PKEY *cpk = c->key;
   if (!cpk) {
     return 0;
   }
-  if (cpk->chain) {
-    sk_X509_pop_free(cpk->chain, X509_free);
-  }
+  sk_X509_pop_free(cpk->chain, X509_free);
   cpk->chain = chain;
   return 1;
 }
 
-int ssl_cert_set1_chain(CERT *c, STACK_OF(X509) * chain) {
-  STACK_OF(X509) * dchain;
+int ssl_cert_set1_chain(CERT *c, STACK_OF(X509) *chain) {
+  STACK_OF(X509) *dchain;
   if (!chain) {
     return ssl_cert_set0_chain(c, NULL);
   }
@@ -499,22 +432,14 @@ void ssl_sess_cert_free(SESS_CERT *sc) {
     return;
   }
 
-  if (sc->cert_chain != NULL) {
-    sk_X509_pop_free(sc->cert_chain, X509_free);
-  }
+  sk_X509_pop_free(sc->cert_chain, X509_free);
 
   for (i = 0; i < SSL_PKEY_NUM; i++) {
-    if (sc->peer_pkeys[i].x509 != NULL) {
-      X509_free(sc->peer_pkeys[i].x509);
-    }
+    X509_free(sc->peer_pkeys[i].x509);
   }
 
-  if (sc->peer_dh_tmp != NULL) {
-    DH_free(sc->peer_dh_tmp);
-  }
-  if (sc->peer_ecdh_tmp != NULL) {
-    EC_KEY_free(sc->peer_ecdh_tmp);
-  }
+  DH_free(sc->peer_dh_tmp);
+  EC_KEY_free(sc->peer_ecdh_tmp);
 
   OPENSSL_free(sc);
 }
@@ -524,7 +449,7 @@ int ssl_set_peer_cert_type(SESS_CERT *sc, int type) {
   return 1;
 }
 
-int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) * sk) {
+int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk) {
   X509 *x;
   int i;
   X509_STORE *verify_store;
@@ -571,18 +496,15 @@ int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) * sk) {
   return i;
 }
 
-static void set_client_CA_list(STACK_OF(X509_NAME) * *ca_list,
-                               STACK_OF(X509_NAME) * name_list) {
-  if (*ca_list != NULL) {
-    sk_X509_NAME_pop_free(*ca_list, X509_NAME_free);
-  }
-
+static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,
+                               STACK_OF(X509_NAME) *name_list) {
+  sk_X509_NAME_pop_free(*ca_list, X509_NAME_free);
   *ca_list = name_list;
 }
 
-STACK_OF(X509_NAME) * SSL_dup_CA_list(STACK_OF(X509_NAME) * sk) {
+STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk) {
   size_t i;
-  STACK_OF(X509_NAME) * ret;
+  STACK_OF(X509_NAME) *ret;
   X509_NAME *name;
 
   ret = sk_X509_NAME_new_null();
@@ -597,19 +519,19 @@ STACK_OF(X509_NAME) * SSL_dup_CA_list(STACK_OF(X509_NAME) * sk) {
   return ret;
 }
 
-void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) * name_list) {
+void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list) {
   set_client_CA_list(&(s->client_CA), name_list);
 }
 
-void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) * name_list) {
+void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list) {
   set_client_CA_list(&(ctx->client_CA), name_list);
 }
 
-STACK_OF(X509_NAME) * SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) {
+STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) {
   return ctx->client_CA;
 }
 
-STACK_OF(X509_NAME) * SSL_get_client_CA_list(const SSL *s) {
+STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s) {
   if (s->server) {
     if (s->client_CA != NULL) {
       return s->client_CA;
@@ -625,7 +547,7 @@ STACK_OF(X509_NAME) * SSL_get_client_CA_list(const SSL *s) {
   }
 }
 
-static int add_client_CA(STACK_OF(X509_NAME) * *sk, X509 *x) {
+static int add_client_CA(STACK_OF(X509_NAME) **sk, X509 *x) {
   X509_NAME *name;
 
   if (x == NULL) {
@@ -670,7 +592,7 @@ static int xname_cmp(const X509_NAME **a, const X509_NAME **b) {
  *
  * \param file the file containing one or more certs.
  * \return a ::STACK containing the certs. */
-STACK_OF(X509_NAME) * SSL_load_client_CA_file(const char *file) {
+STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file) {
   BIO *in;
   X509 *x = NULL;
   X509_NAME *xn = NULL;
@@ -719,21 +641,13 @@ STACK_OF(X509_NAME) * SSL_load_client_CA_file(const char *file) {
 
   if (0) {
   err:
-    if (ret != NULL) {
-      sk_X509_NAME_pop_free(ret, X509_NAME_free);
-    }
+    sk_X509_NAME_pop_free(ret, X509_NAME_free);
     ret = NULL;
   }
 
-  if (sk != NULL) {
-    sk_X509_NAME_free(sk);
-  }
-  if (in != NULL) {
-    BIO_free(in);
-  }
-  if (x != NULL) {
-    X509_free(x);
-  }
+  sk_X509_NAME_free(sk);
+  BIO_free(in);
+  X509_free(x);
   if (ret != NULL) {
     ERR_clear_error();
   }
@@ -747,7 +661,7 @@ STACK_OF(X509_NAME) * SSL_load_client_CA_file(const char *file) {
  *     already in the stack will be added.
  * \return 1 for success, 0 for failure. Note that in the case of failure some
  *     certs may have been added to \c stack. */
-int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) * stack,
+int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
                                         const char *file) {
   BIO *in;
   X509 *x = NULL;
@@ -794,12 +708,8 @@ int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) * stack,
     ret = 0;
   }
 
-  if (in != NULL) {
-    BIO_free(in);
-  }
-  if (x != NULL) {
-    X509_free(x);
-  }
+  BIO_free(in);
+  X509_free(x);
 
   (void) sk_X509_NAME_set_cmp_func(stack, oldcmp);
 
@@ -815,7 +725,7 @@ int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) * stack,
  *     be included.
  * \return 1 for success, 0 for failure. Note that in the case of failure some
  *     certs may have been added to \c stack. */
-int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) * stack,
+int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
                                        const char *dir) {
   OPENSSL_DIR_CTX *d = NULL;
   const char *filename;
@@ -842,7 +752,7 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) * stack,
   }
 
   if (errno) {
-    OPENSSL_PUT_ERROR(SSL, SSL_add_file_cert_subjects_to_stack, ERR_R_SYS_LIB);
+    OPENSSL_PUT_ERROR(SSL, SSL_add_dir_cert_subjects_to_stack, ERR_R_SYS_LIB);
     ERR_add_error_data(3, "OPENSSL_DIR_read(&ctx, '", dir, "')");
     goto err;
   }
@@ -881,12 +791,13 @@ int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l) {
   int no_chain = 0;
   size_t i;
 
-  X509 *x = NULL;
-  STACK_OF(X509) * extra_certs;
+  X509 *x = cpk->x509;
+  STACK_OF(X509) *extra_certs;
   X509_STORE *chain_store;
 
-  if (cpk) {
-    x = cpk->x509;
+  if (x == NULL) {
+    OPENSSL_PUT_ERROR(SSL, ssl_add_cert_chain, SSL_R_NO_CERTIFICATE_SET);
+    return 0;
   }
 
   if (s->cert->chain_store) {
@@ -906,44 +817,36 @@ int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l) {
     no_chain = 1;
   }
 
-  /* TLSv1 sends a chain with nothing in it, instead of an alert. */
-  if (!BUF_MEM_grow_clean(buf, 10)) {
-    OPENSSL_PUT_ERROR(SSL, ssl_add_cert_chain, ERR_R_BUF_LIB);
-    return 0;
-  }
+  if (no_chain) {
+    if (!ssl_add_cert_to_buf(buf, l, x)) {
+      return 0;
+    }
 
-  if (x != NULL) {
-    if (no_chain) {
+    for (i = 0; i < sk_X509_num(extra_certs); i++) {
+      x = sk_X509_value(extra_certs, i);
       if (!ssl_add_cert_to_buf(buf, l, x)) {
         return 0;
       }
-    } else {
-      X509_STORE_CTX xs_ctx;
-
-      if (!X509_STORE_CTX_init(&xs_ctx, chain_store, x, NULL)) {
-        OPENSSL_PUT_ERROR(SSL, ssl_add_cert_chain, ERR_R_X509_LIB);
-        return 0;
-      }
-      X509_verify_cert(&xs_ctx);
-      /* Don't leave errors in the queue */
-      ERR_clear_error();
-      for (i = 0; i < sk_X509_num(xs_ctx.chain); i++) {
-        x = sk_X509_value(xs_ctx.chain, i);
-
-        if (!ssl_add_cert_to_buf(buf, l, x)) {
-          X509_STORE_CTX_cleanup(&xs_ctx);
-          return 0;
-        }
-      }
-      X509_STORE_CTX_cleanup(&xs_ctx);
     }
-  }
+  } else {
+    X509_STORE_CTX xs_ctx;
 
-  for (i = 0; i < sk_X509_num(extra_certs); i++) {
-    x = sk_X509_value(extra_certs, i);
-    if (!ssl_add_cert_to_buf(buf, l, x)) {
+    if (!X509_STORE_CTX_init(&xs_ctx, chain_store, x, NULL)) {
+      OPENSSL_PUT_ERROR(SSL, ssl_add_cert_chain, ERR_R_X509_LIB);
       return 0;
     }
+    X509_verify_cert(&xs_ctx);
+    /* Don't leave errors in the queue */
+    ERR_clear_error();
+    for (i = 0; i < sk_X509_num(xs_ctx.chain); i++) {
+      x = sk_X509_value(xs_ctx.chain, i);
+
+      if (!ssl_add_cert_to_buf(buf, l, x)) {
+        X509_STORE_CTX_cleanup(&xs_ctx);
+        return 0;
+      }
+    }
+    X509_STORE_CTX_cleanup(&xs_ctx);
   }
 
   return 1;
@@ -956,7 +859,7 @@ int ssl_build_cert_chain(CERT *c, X509_STORE *chain_store, int flags) {
   STACK_OF(X509) *chain = NULL, *untrusted = NULL;
   X509 *x;
   int i, rv = 0;
-  unsigned long error;
+  uint32_t error;
 
   if (!cpk->x509) {
     OPENSSL_PUT_ERROR(SSL, ssl_build_cert_chain, SSL_R_NO_CERTIFICATE_SET);
@@ -1050,8 +953,9 @@ int ssl_build_cert_chain(CERT *c, X509_STORE *chain_store, int flags) {
   }
 
   cpk->chain = chain;
-  if (rv == 0)
+  if (rv == 0) {
     rv = 1;
+  }
 
 err:
   if (flags & SSL_BUILD_CHAIN_FLAG_CHECK) {
@@ -1069,9 +973,7 @@ int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref) {
     pstore = &c->verify_store;
   }
 
-  if (*pstore) {
-    X509_STORE_free(*pstore);
-  }
+  X509_STORE_free(*pstore);
   *pstore = store;
 
   if (ref && store) {
diff --git a/src/ssl/ssl_ciph.c b/src/ssl/ssl_cipher.c
index 60b9747..2cafeb9 100644
--- a/src/ssl/ssl_ciph.c
+++ b/src/ssl/ssl_cipher.c
@@ -138,20 +138,22 @@
  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
  * OTHERWISE. */
 
-#include <stdio.h>
 #include <assert.h>
+#include <stdio.h>
+#include <string.h>
 
-#include <openssl/engine.h>
+#include <openssl/buf.h>
+#include <openssl/err.h>
 #include <openssl/md5.h>
 #include <openssl/mem.h>
-#include <openssl/obj.h>
 #include <openssl/sha.h>
+#include <openssl/stack.h>
 
-#include "ssl_locl.h"
+#include "internal.h"
 
 
 struct handshake_digest {
-  long mask;
+  uint32_t mask;
   const EVP_MD *(*md_func)(void);
 };
 
@@ -171,78 +173,92 @@ static const struct handshake_digest ssl_handshake_digests[SSL_MAX_DIGEST] = {
 typedef struct cipher_order_st {
   const SSL_CIPHER *cipher;
   int active;
-  int dead;
   int in_group;
   struct cipher_order_st *next, *prev;
 } CIPHER_ORDER;
 
-static const SSL_CIPHER cipher_aliases[] =
+typedef struct cipher_alias_st {
+  /* name is the name of the cipher alias. */
+  const char *name;
+
+  /* The following fields are bitmasks for the corresponding fields on
+   * |SSL_CIPHER|. A cipher matches a cipher alias iff, for each bitmask, the
+   * bit corresponding to the cipher's value is set to 1. If any bitmask is
+   * all zeroes, the alias matches nothing. Use |~0u| for the default value. */
+  uint32_t algorithm_mkey;
+  uint32_t algorithm_auth;
+  uint32_t algorithm_enc;
+  uint32_t algorithm_mac;
+  uint32_t algorithm_ssl;
+  uint32_t algo_strength;
+} CIPHER_ALIAS;
+
+static const CIPHER_ALIAS kCipherAliases[] =
     {
-     {0, SSL_TXT_ALL, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+     {SSL_TXT_ALL, ~0u, ~0u, ~0u, ~0u, ~0u, ~0u},
 
-     /* "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in
-        ALL!) */
-     {0, SSL_TXT_CMPDEF, 0, SSL_kEDH | SSL_kEECDH, SSL_aNULL, 0, 0, 0, 0, 0, 0,
-      0},
+     /* The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing. */
 
      /* key exchange aliases
       * (some of those using only a single bit here combine
       * multiple key exchange algs according to the RFCs,
       * e.g. kEDH combines DHE_DSS and DHE_RSA) */
-     {0, SSL_TXT_kRSA, 0, SSL_kRSA, 0, 0, 0, 0, 0, 0, 0, 0},
+     {SSL_TXT_kRSA, SSL_kRSA, ~0u, ~0u, ~0u, ~0u, ~0u},
 
-     {0, SSL_TXT_kEDH, 0, SSL_kEDH, 0, 0, 0, 0, 0, 0, 0, 0},
-     {0, SSL_TXT_DH, 0, SSL_kEDH, 0, 0, 0, 0, 0, 0, 0, 0},
+     {SSL_TXT_kDHE, SSL_kDHE, ~0u, ~0u, ~0u, ~0u, ~0u},
+     {SSL_TXT_kEDH, SSL_kDHE, ~0u, ~0u, ~0u, ~0u, ~0u},
+     {SSL_TXT_DH, SSL_kDHE, ~0u, ~0u, ~0u, ~0u, ~0u},
 
-     {0, SSL_TXT_kEECDH, 0, SSL_kEECDH, 0, 0, 0, 0, 0, 0, 0, 0},
-     {0, SSL_TXT_ECDH, 0, SSL_kEECDH, 0, 0, 0, 0, 0, 0, 0, 0},
+     {SSL_TXT_kECDHE, SSL_kECDHE, ~0u, ~0u, ~0u, ~0u, ~0u},
+     {SSL_TXT_kEECDH, SSL_kECDHE, ~0u, ~0u, ~0u, ~0u, ~0u},
+     {SSL_TXT_ECDH, SSL_kECDHE, ~0u, ~0u, ~0u, ~0u, ~0u},
 
-     {0, SSL_TXT_kPSK, 0, SSL_kPSK, 0, 0, 0, 0, 0, 0, 0, 0},
+     {SSL_TXT_kPSK, SSL_kPSK, ~0u, ~0u, ~0u, ~0u, ~0u},
 
      /* server authentication aliases */
-     {0, SSL_TXT_aRSA, 0, 0, SSL_aRSA, 0, 0, 0, 0, 0, 0, 0},
-     {0, SSL_TXT_aNULL, 0, 0, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
-     {0, SSL_TXT_aECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0},
-     {0, SSL_TXT_ECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0},
-     {0, SSL_TXT_aPSK, 0, 0, SSL_aPSK, 0, 0, 0, 0, 0, 0, 0},
+     {SSL_TXT_aRSA, ~0u, SSL_aRSA, ~0u, ~0u, ~0u, ~0u},
+     {SSL_TXT_aECDSA, ~0u, SSL_aECDSA, ~0u, ~0u, ~0u, ~0u},
+     {SSL_TXT_ECDSA, ~0u, SSL_aECDSA, ~0u, ~0u, ~0u, ~0u},
+     {SSL_TXT_aPSK, ~0u, SSL_aPSK, ~0u, ~0u, ~0u, ~0u},
 
      /* aliases combining key exchange and server authentication */
-     {0, SSL_TXT_EDH, 0, SSL_kEDH, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
-     {0, SSL_TXT_EECDH, 0, SSL_kEECDH, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
-     {0, SSL_TXT_RSA, 0, SSL_kRSA, SSL_aRSA, 0, 0, 0, 0, 0, 0, 0},
-     {0, SSL_TXT_ADH, 0, SSL_kEDH, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
-     {0, SSL_TXT_AECDH, 0, SSL_kEECDH, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
-     {0, SSL_TXT_PSK, 0, SSL_kPSK, SSL_aPSK, 0, 0, 0, 0, 0, 0, 0},
+     {SSL_TXT_DHE, SSL_kDHE, ~0u, ~0u, ~0u, ~0u, ~0u},
+     {SSL_TXT_EDH, SSL_kDHE, ~0u, ~0u, ~0u, ~0u, ~0u},
+     {SSL_TXT_ECDHE, SSL_kECDHE, ~0u, ~0u, ~0u, ~0u, ~0u},
+     {SSL_TXT_EECDH, SSL_kECDHE, ~0u, ~0u, ~0u, ~0u, ~0u},
+     {SSL_TXT_RSA, SSL_kRSA, SSL_aRSA, ~0u, ~0u, ~0u, ~0u},
+     {SSL_TXT_PSK, SSL_kPSK, SSL_aPSK, ~0u, ~0u, ~0u, ~0u},
 
      /* symmetric encryption aliases */
-     {0, SSL_TXT_3DES, 0, 0, 0, SSL_3DES, 0, 0, 0, 0, 0, 0},
-     {0, SSL_TXT_RC4, 0, 0, 0, SSL_RC4, 0, 0, 0, 0, 0, 0},
-     {0, SSL_TXT_AES128, 0, 0, 0, SSL_AES128 | SSL_AES128GCM, 0, 0, 0, 0, 0, 0},
-     {0, SSL_TXT_AES256, 0, 0, 0, SSL_AES256 | SSL_AES256GCM, 0, 0, 0, 0, 0, 0},
-     {0, SSL_TXT_AES, 0, 0, 0, SSL_AES, 0, 0, 0, 0, 0, 0},
-     {0, SSL_TXT_AES_GCM, 0, 0, 0, SSL_AES128GCM | SSL_AES256GCM, 0, 0, 0, 0, 0,
-      0},
-     {0, SSL_TXT_CHACHA20, 0, 0, 0, SSL_CHACHA20POLY1305, 0, 0, 0, 0, 0, 0},
+     {SSL_TXT_3DES, ~0u, ~0u, SSL_3DES, ~0u, ~0u, ~0u},
+     {SSL_TXT_RC4, ~0u, ~0u, SSL_RC4, ~0u, ~0u, ~0u},
+     {SSL_TXT_AES128, ~0u, ~0u, SSL_AES128 | SSL_AES128GCM, ~0u, ~0u, ~0u},
+     {SSL_TXT_AES256, ~0u, ~0u, SSL_AES256 | SSL_AES256GCM, ~0u, ~0u, ~0u},
+     {SSL_TXT_AES, ~0u, ~0u, SSL_AES, ~0u, ~0u, ~0u},
+     {SSL_TXT_AES_GCM, ~0u, ~0u, SSL_AES128GCM | SSL_AES256GCM, ~0u, ~0u, ~0u},
+     {SSL_TXT_CHACHA20, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, ~0u, ~0u},
 
      /* MAC aliases */
-     {0, SSL_TXT_MD5, 0, 0, 0, 0, SSL_MD5, 0, 0, 0, 0, 0},
-     {0, SSL_TXT_SHA1, 0, 0, 0, 0, SSL_SHA1, 0, 0, 0, 0, 0},
-     {0, SSL_TXT_SHA, 0, 0, 0, 0, SSL_SHA1, 0, 0, 0, 0, 0},
-     {0, SSL_TXT_SHA256, 0, 0, 0, 0, SSL_SHA256, 0, 0, 0, 0, 0},
-     {0, SSL_TXT_SHA384, 0, 0, 0, 0, SSL_SHA384, 0, 0, 0, 0, 0},
+     {SSL_TXT_MD5, ~0u, ~0u, ~0u, SSL_MD5, ~0u, ~0u},
+     {SSL_TXT_SHA1, ~0u, ~0u, ~0u, SSL_SHA1, ~0u, ~0u},
+     {SSL_TXT_SHA, ~0u, ~0u, ~0u, SSL_SHA1, ~0u, ~0u},
+     {SSL_TXT_SHA256, ~0u, ~0u, ~0u, SSL_SHA256, ~0u, ~0u},
+     {SSL_TXT_SHA384, ~0u, ~0u, ~0u, SSL_SHA384, ~0u, ~0u},
 
      /* protocol version aliases */
-     {0, SSL_TXT_SSLV3, 0, 0, 0, 0, 0, SSL_SSLV3, 0, 0, 0, 0},
-     {0, SSL_TXT_TLSV1, 0, 0, 0, 0, 0, SSL_TLSV1, 0, 0, 0, 0},
-     {0, SSL_TXT_TLSV1_2, 0, 0, 0, 0, 0, SSL_TLSV1_2, 0, 0, 0, 0},
+     {SSL_TXT_SSLV3, ~0u, ~0u, ~0u, ~0u, SSL_SSLV3, ~0u},
+     {SSL_TXT_TLSV1, ~0u, ~0u, ~0u, ~0u, SSL_TLSV1, ~0u},
+     {SSL_TXT_TLSV1_2, ~0u, ~0u, ~0u, ~0u, SSL_TLSV1_2, ~0u},
 
      /* strength classes */
-     {0, SSL_TXT_MEDIUM, 0, 0, 0, 0, 0, 0, SSL_MEDIUM, 0, 0, 0},
-     {0, SSL_TXT_HIGH, 0, 0, 0, 0, 0, 0, SSL_HIGH, 0, 0, 0},
+     {SSL_TXT_MEDIUM, ~0u, ~0u, ~0u, ~0u, ~0u, SSL_MEDIUM},
+     {SSL_TXT_HIGH, ~0u, ~0u, ~0u, ~0u, ~0u, SSL_HIGH},
      /* FIPS 140-2 approved ciphersuite */
-     {0, SSL_TXT_FIPS, 0, 0, 0, 0, 0, 0, SSL_FIPS, 0, 0, 0},
+     {SSL_TXT_FIPS, ~0u, ~0u, ~0u, ~0u, ~0u, SSL_FIPS},
 };
 
+#define NUM_CIPHER_ALIASES (sizeof(kCipherAliases) / sizeof(kCipherAliases[0]))
+
 int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
                             size_t *out_mac_secret_len,
                             size_t *out_fixed_iv_len,
@@ -360,18 +376,26 @@ int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
   }
 }
 
-int ssl_get_handshake_digest(size_t idx, long *mask, const EVP_MD **md) {
+int ssl_get_handshake_digest(uint32_t *out_mask, const EVP_MD **out_md,
+                             size_t idx) {
   if (idx >= SSL_MAX_DIGEST) {
     return 0;
   }
-  *mask = ssl_handshake_digests[idx].mask;
-  *md = ssl_handshake_digests[idx].md_func();
+  *out_mask = ssl_handshake_digests[idx].mask;
+  *out_md = ssl_handshake_digests[idx].md_func();
   return 1;
 }
 
 #define ITEM_SEP(a) \
   (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ','))
 
+/* rule_equals returns one iff the NUL-terminated string |rule| is equal to the
+ * |buf_len| bytes at |buf|. */
+static int rule_equals(const char *rule, const char *buf, size_t buf_len) {
+  /* |strncmp| alone only checks that |buf| is a prefix of |rule|. */
+  return strncmp(rule, buf, buf_len) == 0 && rule[buf_len] == '\0';
+}
+
 static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
                            CIPHER_ORDER **tail) {
   if (curr == *tail) {
@@ -413,12 +437,11 @@ static void ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr,
 }
 
 static void ssl_cipher_collect_ciphers(const SSL_PROTOCOL_METHOD *ssl_method,
-                                       int num_of_ciphers,
+                                       size_t num_of_ciphers,
                                        CIPHER_ORDER *co_list,
                                        CIPHER_ORDER **head_p,
                                        CIPHER_ORDER **tail_p) {
-  int i, co_list_num;
-  const SSL_CIPHER *c;
+  size_t i, co_list_num;
 
   /* We have num_of_ciphers descriptions compiled in, depending on the method
    * selected (SSLv2 and/or SSLv3, TLSv1 etc). These will later be sorted in a
@@ -427,9 +450,8 @@ static void ssl_cipher_collect_ciphers(const SSL_PROTOCOL_METHOD *ssl_method,
   /* Get the initial list of ciphers */
   co_list_num = 0; /* actual count of ciphers */
   for (i = 0; i < num_of_ciphers; i++) {
-    c = ssl_method->get_cipher(i);
-    /* drop those that use any of that is not available */
-    if (c != NULL && c->valid) {
+    const SSL_CIPHER *c = ssl_method->get_cipher(i);
+    if (c != NULL) {
       co_list[co_list_num].cipher = c;
       co_list[co_list_num].next = NULL;
       co_list[co_list_num].prev = NULL;
@@ -461,43 +483,31 @@ static void ssl_cipher_collect_ciphers(const SSL_PROTOCOL_METHOD *ssl_method,
   }
 }
 
-static void ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list,
-                                       int num_of_group_aliases,
-                                       CIPHER_ORDER *head) {
-  CIPHER_ORDER *ciph_curr;
-  const SSL_CIPHER **ca_curr;
-  int i;
-
-  /* First, add the real ciphers as already collected. */
-  ciph_curr = head;
-  ca_curr = ca_list;
-  while (ciph_curr != NULL) {
-    *ca_curr = ciph_curr->cipher;
-    ca_curr++;
-    ciph_curr = ciph_curr->next;
-  }
-
-  /* Now we add the available ones from the cipher_aliases[] table. They
-   * represent either one or more algorithms, some of which in any affected
-   * category must be supported (set in enabled_mask), or represent a cipher
-   * strength value (will be added in any case because algorithms=0). */
-  for (i = 0; i < num_of_group_aliases; i++) {
-    *ca_curr = cipher_aliases + i;
-    ca_curr++;
-  }
-
-  *ca_curr = NULL; /* end of list */
-}
-
+/* ssl_cipher_apply_rule applies the rule type |rule| to ciphers matching its
+ * parameters in the linked list from |*head_p| to |*tail_p|. It writes the new
+ * head and tail of the list to |*head_p| and |*tail_p|, respectively.
+ *
+ * - If |cipher_id| is non-zero, only that cipher is selected.
+ * - Otherwise, if |strength_bits| is non-negative, it selects ciphers
+ *   of that strength.
+ * - Otherwise, it selects ciphers that match each bitmasks in |alg_*| and
+ *   |algo_strength|. */
 static void ssl_cipher_apply_rule(
-    unsigned long cipher_id, unsigned long alg_mkey, unsigned long alg_auth,
-    unsigned long alg_enc, unsigned long alg_mac, unsigned long alg_ssl,
-    unsigned long algo_strength, int rule, int strength_bits, int in_group,
+    uint32_t cipher_id, uint32_t alg_mkey, uint32_t alg_auth,
+    uint32_t alg_enc, uint32_t alg_mac, uint32_t alg_ssl,
+    uint32_t algo_strength, int rule, int strength_bits, int in_group,
     CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) {
   CIPHER_ORDER *head, *tail, *curr, *next, *last;
   const SSL_CIPHER *cp;
   int reverse = 0;
 
+  if (cipher_id == 0 && strength_bits == -1 &&
+      (alg_mkey == 0 || alg_auth == 0 || alg_enc == 0 || alg_mac == 0 ||
+       alg_ssl == 0 || algo_strength == 0)) {
+    /* The rule matches nothing, so bail early. */
+    return;
+  }
+
   if (rule == CIPHER_DEL) {
     /* needed to maintain sorting between currently deleted ciphers */
     reverse = 1;
@@ -528,21 +538,23 @@ static void ssl_cipher_apply_rule(
     next = reverse ? curr->prev : curr->next;
     cp = curr->cipher;
 
-    /* Selection criteria is either the value of strength_bits
-     * or the algorithms used. */
-    if (strength_bits >= 0) {
-      if (strength_bits != cp->strength_bits) {
+    /* Selection criteria is either a specific cipher, the value of
+     * |strength_bits|, or the algorithms used. */
+    if (cipher_id != 0) {
+      if (cipher_id != cp->id) {
         continue;
       }
-    } else {
-      if ((alg_mkey && !(alg_mkey & cp->algorithm_mkey)) ||
-          (alg_auth && !(alg_auth & cp->algorithm_auth)) ||
-          (alg_enc && !(alg_enc & cp->algorithm_enc)) ||
-          (alg_mac && !(alg_mac & cp->algorithm_mac)) ||
-          (alg_ssl && !(alg_ssl & cp->algorithm_ssl)) ||
-          (algo_strength && !(algo_strength & cp->algo_strength))) {
+    } else if (strength_bits >= 0) {
+      if (strength_bits != cp->strength_bits) {
         continue;
       }
+    } else if (!(alg_mkey & cp->algorithm_mkey) ||
+               !(alg_auth & cp->algorithm_auth) ||
+               !(alg_enc & cp->algorithm_enc) ||
+               !(alg_mac & cp->algorithm_mac) ||
+               !(alg_ssl & cp->algorithm_ssl) ||
+               !(algo_strength & cp->algo_strength)) {
+      continue;
     }
 
     /* add the cipher if it has not been added yet. */
@@ -644,14 +656,15 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
   return 1;
 }
 
-static int ssl_cipher_process_rulestr(const char *rule_str,
+static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method,
+                                      const char *rule_str,
                                       CIPHER_ORDER **head_p,
-                                      CIPHER_ORDER **tail_p,
-                                      const SSL_CIPHER **ca_list) {
-  unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength;
+                                      CIPHER_ORDER **tail_p) {
+  uint32_t alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength;
   const char *l, *buf;
-  int j, multi, found, rule, retval, ok, buflen, in_group = 0, has_group = 0;
-  unsigned long cipher_id = 0;
+  int multi, rule, retval, ok, in_group = 0, has_group = 0;
+  size_t j, buf_len;
+  uint32_t cipher_id;
   char ch;
 
   retval = 1;
@@ -665,12 +678,6 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
 
     if (in_group) {
       if (ch == ']') {
-        if (!in_group) {
-          OPENSSL_PUT_ERROR(SSL, ssl_cipher_process_rulestr,
-                            SSL_R_UNEXPECTED_GROUP_CLOSE);
-          retval = found = in_group = 0;
-          break;
-        }
         if (*tail_p) {
           (*tail_p)->in_group = 0;
         }
@@ -687,7 +694,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
                  !(ch >= '0' && ch <= '9')) {
         OPENSSL_PUT_ERROR(SSL, ssl_cipher_process_rulestr,
                           SSL_R_UNEXPECTED_OPERATOR_IN_GROUP);
-        retval = found = in_group = 0;
+        retval = in_group = 0;
         break;
       } else {
         rule = CIPHER_ADD;
@@ -707,7 +714,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
     } else if (ch == '[') {
       if (in_group) {
         OPENSSL_PUT_ERROR(SSL, ssl_cipher_process_rulestr, SSL_R_NESTED_GROUP);
-        retval = found = in_group = 0;
+        retval = in_group = 0;
         break;
       }
       in_group = 1;
@@ -723,7 +730,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
     if (has_group && rule != CIPHER_ADD) {
       OPENSSL_PUT_ERROR(SSL, ssl_cipher_process_rulestr,
                         SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);
-      retval = found = in_group = 0;
+      retval = in_group = 0;
       break;
     }
 
@@ -732,159 +739,82 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
       continue;
     }
 
-    alg_mkey = 0;
-    alg_auth = 0;
-    alg_enc = 0;
-    alg_mac = 0;
-    alg_ssl = 0;
-    algo_strength = 0;
+    multi = 0;
+    cipher_id = 0;
+    alg_mkey = ~0u;
+    alg_auth = ~0u;
+    alg_enc = ~0u;
+    alg_mac = ~0u;
+    alg_ssl = ~0u;
+    algo_strength = ~0u;
 
     for (;;) {
       ch = *l;
       buf = l;
-      buflen = 0;
+      buf_len = 0;
       while (((ch >= 'A') && (ch <= 'Z')) || ((ch >= '0') && (ch <= '9')) ||
              ((ch >= 'a') && (ch <= 'z')) || (ch == '-') || (ch == '.')) {
         ch = *(++l);
-        buflen++;
+        buf_len++;
       }
 
-      if (buflen == 0) {
+      if (buf_len == 0) {
         /* We hit something we cannot deal with, it is no command or separator
          * nor alphanumeric, so we call this an error. */
         OPENSSL_PUT_ERROR(SSL, ssl_cipher_process_rulestr,
                           SSL_R_INVALID_COMMAND);
-        retval = found = in_group = 0;
+        retval = in_group = 0;
         l++;
         break;
       }
 
       if (rule == CIPHER_SPECIAL) {
-        found = 0; /* unused -- avoid compiler warning */
-        break;     /* special treatment */
-      }
-
-      /* check for multi-part specification */
-      if (ch == '+') {
-        multi = 1;
-        l++;
-      } else {
-        multi = 0;
-      }
-
-      /* Now search for the cipher alias in the ca_list. Be careful with the
-       * strncmp, because the "buflen" limitation will make the rule "ADH:SOME"
-       * and the cipher "ADH-MY-CIPHER" look like a match for buflen=3. So
-       * additionally check whether the cipher name found has the correct
-       * length. We can save a strlen() call: just checking for the '\0' at the
-       * right place is sufficient, we have to strncmp() anyway. (We cannot use
-       * strcmp(), because buf is not '\0' terminated.) */
-      j = found = 0;
-      cipher_id = 0;
-      while (ca_list[j]) {
-        if (!strncmp(buf, ca_list[j]->name, buflen) &&
-            (ca_list[j]->name[buflen] == '\0')) {
-          found = 1;
-          break;
-        } else {
-          j++;
-        }
-      }
-
-      if (!found) {
-        break; /* ignore this entry */
-      }
-
-      if (ca_list[j]->algorithm_mkey) {
-        if (alg_mkey) {
-          alg_mkey &= ca_list[j]->algorithm_mkey;
-          if (!alg_mkey) {
-            found = 0;
-            break;
-          }
-        } else {
-          alg_mkey = ca_list[j]->algorithm_mkey;
-        }
-      }
-
-      if (ca_list[j]->algorithm_auth) {
-        if (alg_auth) {
-          alg_auth &= ca_list[j]->algorithm_auth;
-          if (!alg_auth) {
-            found = 0;
-            break;
-          }
-        } else {
-          alg_auth = ca_list[j]->algorithm_auth;
-        }
-      }
-
-      if (ca_list[j]->algorithm_enc) {
-        if (alg_enc) {
-          alg_enc &= ca_list[j]->algorithm_enc;
-          if (!alg_enc) {
-            found = 0;
-            break;
-          }
-        } else {
-          alg_enc = ca_list[j]->algorithm_enc;
-        }
+        break;
       }
 
-      if (ca_list[j]->algorithm_mac) {
-        if (alg_mac) {
-          alg_mac &= ca_list[j]->algorithm_mac;
-          if (!alg_mac) {
-            found = 0;
+      /* Look for a matching exact cipher. These aren't allowed in multipart
+       * rules. */
+      if (!multi && ch != '+') {
+        size_t num_ciphers = ssl_method->num_ciphers();
+        for (j = 0; j < num_ciphers; j++) {
+          const SSL_CIPHER *cipher = ssl_method->get_cipher(j);
+          if (cipher != NULL && rule_equals(cipher->name, buf, buf_len)) {
+            cipher_id = cipher->id;
             break;
           }
-        } else {
-          alg_mac = ca_list[j]->algorithm_mac;
         }
       }
-
-      if (ca_list[j]->algo_strength) {
-        if (algo_strength) {
-          algo_strength &= ca_list[j]->algo_strength;
-          if (!algo_strength) {
-            found = 0;
+      if (cipher_id == 0) {
+        /* If not an exact cipher, look for a matching cipher alias. */
+        for (j = 0; j < NUM_CIPHER_ALIASES; j++) {
+          if (rule_equals(kCipherAliases[j].name, buf, buf_len)) {
+            alg_mkey &= kCipherAliases[j].algorithm_mkey;
+            alg_auth &= kCipherAliases[j].algorithm_auth;
+            alg_enc &= kCipherAliases[j].algorithm_enc;
+            alg_mac &= kCipherAliases[j].algorithm_mac;
+            alg_ssl &= kCipherAliases[j].algorithm_ssl;
+            algo_strength &= kCipherAliases[j].algo_strength;
             break;
           }
-        } else {
-          algo_strength |= ca_list[j]->algo_strength;
         }
-      }
-
-      if (ca_list[j]->valid) {
-        /* explicit ciphersuite found; its protocol version does not become
-         * part of the search pattern! */
-        cipher_id = ca_list[j]->id;
-      } else {
-        /* not an explicit ciphersuite; only in this case, the protocol version
-         * is considered part of the search pattern. */
-        if (ca_list[j]->algorithm_ssl) {
-          if (alg_ssl) {
-            alg_ssl &= ca_list[j]->algorithm_ssl;
-            if (!alg_ssl) {
-              found = 0;
-              break;
-            }
-          } else {
-            alg_ssl = ca_list[j]->algorithm_ssl;
-          }
+        if (j == NUM_CIPHER_ALIASES) {
+          alg_mkey = alg_auth = alg_enc = alg_mac = alg_ssl = algo_strength = 0;
         }
       }
 
-      if (!multi) {
+      /* Check for a multipart rule. */
+      if (ch != '+') {
         break;
       }
+      l++;
+      multi = 1;
     }
 
     /* Ok, we have the rule, now apply it. */
     if (rule == CIPHER_SPECIAL) {
       /* special command */
       ok = 0;
-      if (buflen == 8 && !strncmp(buf, "STRENGTH", 8)) {
+      if (buf_len == 8 && !strncmp(buf, "STRENGTH", 8)) {
         ok = ssl_cipher_strength_sort(head_p, tail_p);
       } else {
         OPENSSL_PUT_ERROR(SSL, ssl_cipher_process_rulestr,
@@ -900,14 +830,10 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
       while (*l != '\0' && !ITEM_SEP(*l)) {
         l++;
       }
-    } else if (found) {
+    } else {
       ssl_cipher_apply_rule(cipher_id, alg_mkey, alg_auth, alg_enc, alg_mac,
                             alg_ssl, algo_strength, rule, -1, in_group, head_p,
                             tail_p);
-    } else {
-      while (*l != '\0' && !ITEM_SEP(*l)) {
-        l++;
-      }
     }
   }
 
@@ -921,20 +847,20 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
 
 STACK_OF(SSL_CIPHER) *
 ssl_create_cipher_list(const SSL_PROTOCOL_METHOD *ssl_method,
-                       struct ssl_cipher_preference_list_st **cipher_list,
-                       STACK_OF(SSL_CIPHER) * *cipher_list_by_id,
-                       const char *rule_str, CERT *c) {
-  int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
+                       struct ssl_cipher_preference_list_st **out_cipher_list,
+                       STACK_OF(SSL_CIPHER) **out_cipher_list_by_id,
+                       const char *rule_str) {
+  int ok;
+  size_t num_of_ciphers;
   STACK_OF(SSL_CIPHER) *cipherstack = NULL, *tmp_cipher_list = NULL;
   const char *rule_p;
   CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
-  const SSL_CIPHER **ca_list = NULL;
   uint8_t *in_group_flags = NULL;
   unsigned int num_in_group_flags = 0;
   struct ssl_cipher_preference_list_st *pref_list = NULL;
 
   /* Return with error if nothing to do. */
-  if (rule_str == NULL || cipher_list == NULL) {
+  if (rule_str == NULL || out_cipher_list == NULL) {
     return NULL;
   }
 
@@ -956,84 +882,64 @@ ssl_create_cipher_list(const SSL_PROTOCOL_METHOD *ssl_method,
 
   /* Everything else being equal, prefer ECDHE_ECDSA then ECDHE_RSA over other
    * key exchange mechanisms */
-  ssl_cipher_apply_rule(0, SSL_kEECDH, SSL_aECDSA, 0, 0, 0, 0, CIPHER_ADD, -1,
+ ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, ~0u, ~0u, ~0u, ~0u,
+                       CIPHER_ADD, -1, 0, &head, &tail);
+  ssl_cipher_apply_rule(0, SSL_kECDHE, ~0u, ~0u, ~0u, ~0u, ~0u, CIPHER_ADD, -1,
+                        0, &head, &tail);
+  ssl_cipher_apply_rule(0, SSL_kECDHE, ~0u, ~0u, ~0u, ~0u, ~0u, CIPHER_DEL, -1,
                         0, &head, &tail);
-  ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_ADD, -1, 0, &head,
-                        &tail);
-  ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_DEL, -1, 0, &head,
-                        &tail);
 
   /* Order the bulk ciphers. First the preferred AEAD ciphers. We prefer
    * CHACHA20 unless there is hardware support for fast and constant-time
    * AES_GCM. */
   if (EVP_has_aes_hardware()) {
-    ssl_cipher_apply_rule(0, 0, 0, SSL_AES256GCM, 0, 0, 0, CIPHER_ADD, -1, 0,
-                          &head, &tail);
-    ssl_cipher_apply_rule(0, 0, 0, SSL_AES128GCM, 0, 0, 0, CIPHER_ADD, -1, 0,
-                          &head, &tail);
-    ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305, 0, 0, 0, CIPHER_ADD,
+    ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, ~0u, ~0u, CIPHER_ADD,
+                          -1, 0, &head, &tail);
+    ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, ~0u, ~0u, CIPHER_ADD,
                           -1, 0, &head, &tail);
+    ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, ~0u, ~0u,
+                          CIPHER_ADD, -1, 0, &head, &tail);
   } else {
-    ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305, 0, 0, 0, CIPHER_ADD,
+    ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, ~0u, ~0u,
+                          CIPHER_ADD, -1, 0, &head, &tail);
+    ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, ~0u, ~0u, CIPHER_ADD,
+                          -1, 0, &head, &tail);
+    ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, ~0u, ~0u, CIPHER_ADD,
                           -1, 0, &head, &tail);
-    ssl_cipher_apply_rule(0, 0, 0, SSL_AES256GCM, 0, 0, 0, CIPHER_ADD, -1, 0,
-                          &head, &tail);
-    ssl_cipher_apply_rule(0, 0, 0, SSL_AES128GCM, 0, 0, 0, CIPHER_ADD, -1, 0,
-                          &head, &tail);
   }
 
   /* Then the legacy non-AEAD ciphers: AES_256_CBC, AES-128_CBC, RC4_128_SHA,
    * RC4_128_MD5, 3DES_EDE_CBC_SHA. */
-  ssl_cipher_apply_rule(0, 0, 0, SSL_AES256, 0, 0, 0, CIPHER_ADD, -1, 0, &head,
-                        &tail);
-  ssl_cipher_apply_rule(0, 0, 0, SSL_AES128, 0, 0, 0, CIPHER_ADD, -1, 0, &head,
-                        &tail);
-  ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, ~SSL_MD5, 0, 0, CIPHER_ADD, -1, 0,
-                        &head, &tail);
-  ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, SSL_MD5, 0, 0, CIPHER_ADD, -1, 0,
+  ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256, ~0u, ~0u, ~0u, CIPHER_ADD, -1,
+                        0, &head, &tail);
+  ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128, ~0u, ~0u, ~0u, CIPHER_ADD, -1,
+                        0, &head, &tail);
+  ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_RC4, ~SSL_MD5, ~0u, ~0u, CIPHER_ADD,
+                        -1, 0, &head, &tail);
+  ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_RC4, SSL_MD5, ~0u, ~0u, CIPHER_ADD, -1,
+                        0, &head, &tail);
+  ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_3DES, ~0u, ~0u, ~0u, CIPHER_ADD, -1, 0,
                         &head, &tail);
-  ssl_cipher_apply_rule(0, 0, 0, SSL_3DES, 0, 0, 0, CIPHER_ADD, -1, 0, &head,
-                        &tail);
 
   /* Temporarily enable everything else for sorting */
-  ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, 0, &head, &tail);
+  ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, ~0u, ~0u, CIPHER_ADD, -1, 0,
+                        &head, &tail);
 
   /* Move ciphers without forward secrecy to the end. */
-  ssl_cipher_apply_rule(0, ~(SSL_kEDH | SSL_kEECDH), 0, 0, 0, 0, 0, CIPHER_ORD,
-                        -1, 0, &head, &tail);
-
-  /* Move anonymous ciphers to the end.  Usually, these will remain disabled.
-   * (For applications that allow them, they aren't too bad, but we prefer
-   * authenticated ciphers.)
-   * TODO(davidben): Remove them altogether? */
-  ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, 0, &head,
-                        &tail);
+  ssl_cipher_apply_rule(0, ~(SSL_kDHE | SSL_kECDHE), ~0u, ~0u, ~0u, ~0u, ~0u,
+                        CIPHER_ORD, -1, 0, &head, &tail);
 
   /* Now disable everything (maintaining the ordering!) */
-  ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, 0, &head, &tail);
-
-  /* We also need cipher aliases for selecting based on the rule_str. There
-   * might be two types of entries in the rule_str: 1) names of ciphers
-   * themselves 2) aliases for groups of ciphers. For 1) we need the available
-   * ciphers and for 2) the cipher groups of cipher_aliases added together in
-   * one list (otherwise we would be happy with just the cipher_aliases
-   * table). */
-  num_of_group_aliases = sizeof(cipher_aliases) / sizeof(SSL_CIPHER);
-  num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
-  ca_list = OPENSSL_malloc(sizeof(SSL_CIPHER *) * num_of_alias_max);
-  if (ca_list == NULL) {
-    OPENSSL_PUT_ERROR(SSL, ssl_create_cipher_list, ERR_R_MALLOC_FAILURE);
-    goto err;
-  }
-  ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, head);
+  ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, ~0u, ~0u, CIPHER_DEL, -1, 0,
+                        &head, &tail);
 
   /* If the rule_string begins with DEFAULT, apply the default rule before
    * using the (possibly available) additional rules. */
   ok = 1;
   rule_p = rule_str;
   if (strncmp(rule_str, "DEFAULT", 7) == 0) {
-    ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST, &head, &tail,
-                                    ca_list);
+    ok = ssl_cipher_process_rulestr(ssl_method, SSL_DEFAULT_CIPHER_LIST, &head,
+                                    &tail);
     rule_p += 7;
     if (*rule_p == ':') {
       rule_p++;
@@ -1041,11 +947,9 @@ ssl_create_cipher_list(const SSL_PROTOCOL_METHOD *ssl_method,
   }
 
   if (ok && strlen(rule_p) > 0) {
-    ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list);
+    ok = ssl_cipher_process_rulestr(ssl_method, rule_p, &head, &tail);
   }
 
-  OPENSSL_free((void *)ca_list); /* Not needed anymore */
-
   if (!ok) {
     goto err;
   }
@@ -1091,21 +995,20 @@ ssl_create_cipher_list(const SSL_PROTOCOL_METHOD *ssl_method,
   memcpy(pref_list->in_group_flags, in_group_flags, num_in_group_flags);
   OPENSSL_free(in_group_flags);
   in_group_flags = NULL;
-  if (*cipher_list != NULL) {
-    ssl_cipher_preference_list_free(*cipher_list);
+  if (*out_cipher_list != NULL) {
+    ssl_cipher_preference_list_free(*out_cipher_list);
   }
-  *cipher_list = pref_list;
+  *out_cipher_list = pref_list;
   pref_list = NULL;
 
-  if (cipher_list_by_id != NULL) {
-    if (*cipher_list_by_id != NULL) {
-      sk_SSL_CIPHER_free(*cipher_list_by_id);
-    }
-    *cipher_list_by_id = tmp_cipher_list;
+  if (out_cipher_list_by_id != NULL) {
+    sk_SSL_CIPHER_free(*out_cipher_list_by_id);
+    *out_cipher_list_by_id = tmp_cipher_list;
     tmp_cipher_list = NULL;
-    (void) sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id, ssl_cipher_ptr_id_cmp);
+    (void) sk_SSL_CIPHER_set_cmp_func(*out_cipher_list_by_id,
+                                      ssl_cipher_ptr_id_cmp);
 
-    sk_SSL_CIPHER_sort(*cipher_list_by_id);
+    sk_SSL_CIPHER_sort(*out_cipher_list_by_id);
   } else {
     sk_SSL_CIPHER_free(tmp_cipher_list);
     tmp_cipher_list = NULL;
@@ -1114,32 +1017,177 @@ ssl_create_cipher_list(const SSL_PROTOCOL_METHOD *ssl_method,
   return cipherstack;
 
 err:
-  if (co_list) {
-    OPENSSL_free(co_list);
+  OPENSSL_free(co_list);
+  OPENSSL_free(in_group_flags);
+  sk_SSL_CIPHER_free(cipherstack);
+  sk_SSL_CIPHER_free(tmp_cipher_list);
+  if (pref_list) {
+    OPENSSL_free(pref_list->in_group_flags);
   }
-  if (in_group_flags) {
-    OPENSSL_free(in_group_flags);
+  OPENSSL_free(pref_list);
+  return NULL;
+}
+
+uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher) { return cipher->id; }
+
+int SSL_CIPHER_is_AES(const SSL_CIPHER *cipher) {
+  return (cipher->algorithm_enc & SSL_AES) != 0;
+}
+
+int SSL_CIPHER_has_MD5_HMAC(const SSL_CIPHER *cipher) {
+  return (cipher->algorithm_mac & SSL_MD5) != 0;
+}
+
+int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *cipher) {
+  return (cipher->algorithm_mac & (SSL_AES128GCM | SSL_AES256GCM)) != 0;
+}
+
+int SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER *cipher) {
+  return (cipher->algorithm_enc & SSL_CHACHA20POLY1305) != 0;
+}
+
+/* return the actual cipher being used */
+const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher) {
+  if (cipher != NULL) {
+    return cipher->name;
   }
-  if (cipherstack) {
-    sk_SSL_CIPHER_free(cipherstack);
+
+  return "(NONE)";
+}
+
+const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher) {
+  if (cipher == NULL) {
+    return "";
   }
-  if (tmp_cipher_list) {
-    sk_SSL_CIPHER_free(tmp_cipher_list);
+
+  switch (cipher->algorithm_mkey) {
+    case SSL_kRSA:
+      return "RSA";
+
+    case SSL_kDHE:
+      switch (cipher->algorithm_auth) {
+        case SSL_aRSA:
+          return "DHE_RSA";
+        default:
+          assert(0);
+          return "UNKNOWN";
+      }
+
+    case SSL_kECDHE:
+      switch (cipher->algorithm_auth) {
+        case SSL_aECDSA:
+          return "ECDHE_ECDSA";
+        case SSL_aRSA:
+          return "ECDHE_RSA";
+        case SSL_aPSK:
+          return "ECDHE_PSK";
+        default:
+          assert(0);
+          return "UNKNOWN";
+      }
+
+    case SSL_kPSK:
+      assert(cipher->algorithm_auth == SSL_aPSK);
+      return "PSK";
+
+    default:
+      assert(0);
+      return "UNKNOWN";
   }
-  if (pref_list && pref_list->in_group_flags) {
-    OPENSSL_free(pref_list->in_group_flags);
+}
+
+static const char *ssl_cipher_get_enc_name(const SSL_CIPHER *cipher) {
+  switch (cipher->algorithm_enc) {
+    case SSL_3DES:
+      return "3DES_EDE_CBC";
+    case SSL_RC4:
+      return "RC4";
+    case SSL_AES128:
+      return "AES_128_CBC";
+    case SSL_AES256:
+      return "AES_256_CBC";
+    case SSL_AES128GCM:
+      return "AES_128_GCM";
+    case SSL_AES256GCM:
+      return "AES_256_GCM";
+    case SSL_CHACHA20POLY1305:
+      return "CHACHA20_POLY1305";
+      break;
+    default:
+      assert(0);
+      return "UNKNOWN";
   }
-  if (pref_list) {
-    OPENSSL_free(pref_list);
+}
+
+static const char *ssl_cipher_get_prf_name(const SSL_CIPHER *cipher) {
+  if ((cipher->algorithm2 & TLS1_PRF) == TLS1_PRF) {
+    /* Before TLS 1.2, the PRF component is the hash used in the HMAC, which is
+     * only ever MD5 or SHA-1. */
+    switch (cipher->algorithm_mac) {
+      case SSL_MD5:
+        return "MD5";
+      case SSL_SHA1:
+        return "SHA";
+      default:
+        assert(0);
+        return "UNKNOWN";
+    }
+  } else if (cipher->algorithm2 & TLS1_PRF_SHA256) {
+    return "SHA256";
+  } else if (cipher->algorithm2 & TLS1_PRF_SHA384) {
+    return "SHA384";
+  } else {
+    assert(0);
+    return "UNKNOWN";
   }
-  return NULL;
+}
+
+char *SSL_CIPHER_get_rfc_name(const SSL_CIPHER *cipher) {
+  if (cipher == NULL) {
+    return NULL;
+  }
+
+  const char *kx_name = SSL_CIPHER_get_kx_name(cipher);
+  const char *enc_name = ssl_cipher_get_enc_name(cipher);
+  const char *prf_name = ssl_cipher_get_prf_name(cipher);
+
+  /* The final name is TLS_{kx_name}_WITH_{enc_name}_{prf_name}. */
+  size_t len = 4 + strlen(kx_name) + 6 + strlen(enc_name) + 1 +
+      strlen(prf_name) + 1;
+  char *ret = OPENSSL_malloc(len);
+  if (ret == NULL) {
+    return NULL;
+  }
+  if (BUF_strlcpy(ret, "TLS_", len) >= len ||
+      BUF_strlcat(ret, kx_name, len) >= len ||
+      BUF_strlcat(ret, "_WITH_", len) >= len ||
+      BUF_strlcat(ret, enc_name, len) >= len ||
+      BUF_strlcat(ret, "_", len) >= len ||
+      BUF_strlcat(ret, prf_name, len) >= len) {
+    assert(0);
+    OPENSSL_free(ret);
+    return NULL;
+  }
+  assert(strlen(ret) + 1 == len);
+  return ret;
+}
+
+int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *out_alg_bits) {
+  if (cipher == NULL) {
+    return 0;
+  }
+
+  if (out_alg_bits != NULL) {
+    *out_alg_bits = cipher->alg_bits;
+  }
+  return cipher->strength_bits;
 }
 
 const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf,
                                    int len) {
   const char *ver;
   const char *kx, *au, *enc, *mac;
-  unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl;
+  uint32_t alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl;
   static const char *format = "%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s\n";
 
   alg_mkey = cipher->algorithm_mkey;
@@ -1161,11 +1209,11 @@ const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf,
       kx = "RSA";
       break;
 
-    case SSL_kEDH:
+    case SSL_kDHE:
       kx = "DH";
       break;
 
-    case SSL_kEECDH:
+    case SSL_kECDHE:
       kx = "ECDH";
       break;
 
@@ -1182,10 +1230,6 @@ const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf,
       au = "RSA";
       break;
 
-    case SSL_aNULL:
-      au = "None";
-      break;
-
     case SSL_aECDSA:
       au = "ECDSA";
       break;
@@ -1262,8 +1306,9 @@ const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf,
   if (buf == NULL) {
     len = 128;
     buf = OPENSSL_malloc(len);
-    if (buf == NULL)
-      return "OPENSSL_malloc Error";
+    if (buf == NULL) {
+      return NULL;
+    }
   } else if (len < 128) {
     return "Buffer too small";
   }
@@ -1272,109 +1317,18 @@ const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf,
   return buf;
 }
 
-int SSL_CIPHER_is_AES(const SSL_CIPHER *c) {
-  return (c->algorithm_enc & SSL_AES) != 0;
+const char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher) {
+  return "TLSv1/SSLv3";
 }
 
-int SSL_CIPHER_has_MD5_HMAC(const SSL_CIPHER *c) {
-  return (c->algorithm_mac & SSL_MD5) != 0;
-}
-
-int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *c) {
-  return (c->algorithm_mac & (SSL_AES128GCM | SSL_AES256GCM)) != 0;
-}
-
-int SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER *c) {
-  return (c->algorithm_enc & SSL_CHACHA20POLY1305) != 0;
-}
-
-const char *SSL_CIPHER_get_version(const SSL_CIPHER *c) {
-  int i;
-
-  if (c == NULL) {
-    return "(NONE)";
-  }
-
-  i = (int)(c->id >> 24L);
-  if (i == 3) {
-    return "TLSv1/SSLv3";
-  } else if (i == 2) {
-    return "SSLv2";
-  } else {
-    return "unknown";
-  }
-}
-
-/* return the actual cipher being used */
-const char *SSL_CIPHER_get_name(const SSL_CIPHER *c) {
-  if (c != NULL) {
-    return c->name;
-  }
-
-  return "(NONE)";
-}
-
-const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher) {
-  if (cipher == NULL) {
-    return "";
-  }
-
-  switch (cipher->algorithm_mkey) {
-    case SSL_kRSA:
-      return SSL_TXT_RSA;
-
-    case SSL_kEDH:
-      switch (cipher->algorithm_auth) {
-        case SSL_aRSA:
-          return "DHE_" SSL_TXT_RSA;
-        case SSL_aNULL:
-          return SSL_TXT_DH "_anon";
-        default:
-          return "UNKNOWN";
-      }
-
-    case SSL_kEECDH:
-      switch (cipher->algorithm_auth) {
-        case SSL_aECDSA:
-          return "ECDHE_" SSL_TXT_ECDSA;
-        case SSL_aRSA:
-          return "ECDHE_" SSL_TXT_RSA;
-        case SSL_aNULL:
-          return SSL_TXT_ECDH "_anon";
-        default:
-          return "UNKNOWN";
-      }
-
-    default:
-      return "UNKNOWN";
-  }
-}
-
-/* number of bits for symmetric cipher */
-int SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits) {
-  int ret = 0;
-
-  if (c != NULL) {
-    if (alg_bits != NULL) {
-      *alg_bits = c->alg_bits;
-    }
-    ret = c->strength_bits;
-  }
-
-  return ret;
-}
-
-unsigned long SSL_CIPHER_get_id(const SSL_CIPHER *c) { return c->id; }
-
 void *SSL_COMP_get_compression_methods(void) { return NULL; }
 
 int SSL_COMP_add_compression_method(int id, void *cm) { return 1; }
 
 const char *SSL_COMP_get_name(const void *comp) { return NULL; }
 
-/* For a cipher return the index corresponding to the certificate type */
-int ssl_cipher_get_cert_index(const SSL_CIPHER *c) {
-  unsigned long alg_a = c->algorithm_auth;
+int ssl_cipher_get_cert_index(const SSL_CIPHER *cipher) {
+  uint32_t alg_a = cipher->algorithm_auth;
 
   if (alg_a & SSL_aECDSA) {
     return SSL_PKEY_ECC;
@@ -1385,16 +1339,9 @@ int ssl_cipher_get_cert_index(const SSL_CIPHER *c) {
   return -1;
 }
 
-/* ssl_cipher_has_server_public_key returns 1 if |cipher| involves a server
- * public key in the key exchange, sent in a server Certificate message.
- * Otherwise it returns 0. */
 int ssl_cipher_has_server_public_key(const SSL_CIPHER *cipher) {
-  /* Anonymous ciphers do not include a server certificate. */
-  if (cipher->algorithm_auth & SSL_aNULL) {
-    return 0;
-  }
-
-  /* Neither do PSK ciphers, except for RSA_PSK. */
+  /* PSK-authenticated ciphers do not use a public key, except for
+   * RSA_PSK. */
   if ((cipher->algorithm_auth & SSL_aPSK) &&
       !(cipher->algorithm_mkey & SSL_kRSA)) {
     return 0;
@@ -1404,15 +1351,9 @@ int ssl_cipher_has_server_public_key(const SSL_CIPHER *cipher) {
   return 1;
 }
 
-/* ssl_cipher_requires_server_key_exchange returns 1 if |cipher| requires a
- * ServerKeyExchange message. Otherwise it returns 0.
- *
- * Unlike ssl_cipher_has_server_public_key, some ciphers take optional
- * ServerKeyExchanges. PSK and RSA_PSK only use the ServerKeyExchange to
- * communicate a psk_identity_hint, so it is optional. */
 int ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher) {
   /* Ephemeral Diffie-Hellman key exchanges require a ServerKeyExchange. */
-  if (cipher->algorithm_mkey & SSL_kEDH || cipher->algorithm_mkey & SSL_kEECDH) {
+  if (cipher->algorithm_mkey & SSL_kDHE || cipher->algorithm_mkey & SSL_kECDHE) {
     return 1;
   }
 
diff --git a/src/ssl/ssl_error.c b/src/ssl/ssl_error.c
deleted file mode 100644
index 2ffb9e6..0000000
--- a/src/ssl/ssl_error.c
+++ /dev/null
@@ -1,566 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/ssl.h>
-
-const ERR_STRING_DATA SSL_error_string_data[] = {
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_D2I_SSL_SESSION, 0), "D2I_SSL_SESSION"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_check_private_key, 0), "SSL_CTX_check_private_key"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_new, 0), "SSL_CTX_new"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_set_cipher_list, 0), "SSL_CTX_set_cipher_list"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_set_cipher_list_tls11, 0), "SSL_CTX_set_cipher_list_tls11"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_set_session_id_context, 0), "SSL_CTX_set_session_id_context"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_set_ssl_version, 0), "SSL_CTX_set_ssl_version"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_use_PrivateKey, 0), "SSL_CTX_use_PrivateKey"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_use_PrivateKey_ASN1, 0), "SSL_CTX_use_PrivateKey_ASN1"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_use_PrivateKey_file, 0), "SSL_CTX_use_PrivateKey_file"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_use_RSAPrivateKey, 0), "SSL_CTX_use_RSAPrivateKey"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_use_RSAPrivateKey_ASN1, 0), "SSL_CTX_use_RSAPrivateKey_ASN1"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_use_RSAPrivateKey_file, 0), "SSL_CTX_use_RSAPrivateKey_file"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_use_authz, 0), "SSL_CTX_use_authz"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_use_certificate, 0), "SSL_CTX_use_certificate"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_use_certificate_ASN1, 0), "SSL_CTX_use_certificate_ASN1"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_use_certificate_chain_file, 0), "SSL_CTX_use_certificate_chain_file"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_use_certificate_file, 0), "SSL_CTX_use_certificate_file"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_use_psk_identity_hint, 0), "SSL_CTX_use_psk_identity_hint"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_new, 0), "SSL_SESSION_new"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_print_fp, 0), "SSL_SESSION_print_fp"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_set1_id_context, 0), "SSL_SESSION_set1_id_context"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_to_bytes_full, 0), "SSL_SESSION_to_bytes_full"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_accept, 0), "SSL_accept"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_add_dir_cert_subjects_to_stack, 0), "SSL_add_dir_cert_subjects_to_stack"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_add_file_cert_subjects_to_stack, 0), "SSL_add_file_cert_subjects_to_stack"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_check_private_key, 0), "SSL_check_private_key"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_clear, 0), "SSL_clear"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_connect, 0), "SSL_connect"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_do_handshake, 0), "SSL_do_handshake"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_load_client_CA_file, 0), "SSL_load_client_CA_file"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_new, 0), "SSL_new"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_peek, 0), "SSL_peek"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_read, 0), "SSL_read"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_set_cipher_list, 0), "SSL_set_cipher_list"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_set_fd, 0), "SSL_set_fd"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_set_rfd, 0), "SSL_set_rfd"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_set_session, 0), "SSL_set_session"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_set_session_id_context, 0), "SSL_set_session_id_context"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_set_session_ticket_ext, 0), "SSL_set_session_ticket_ext"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_set_wfd, 0), "SSL_set_wfd"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_shutdown, 0), "SSL_shutdown"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_use_PrivateKey, 0), "SSL_use_PrivateKey"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_use_PrivateKey_ASN1, 0), "SSL_use_PrivateKey_ASN1"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_use_PrivateKey_file, 0), "SSL_use_PrivateKey_file"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_use_RSAPrivateKey, 0), "SSL_use_RSAPrivateKey"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_use_RSAPrivateKey_ASN1, 0), "SSL_use_RSAPrivateKey_ASN1"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_use_RSAPrivateKey_file, 0), "SSL_use_RSAPrivateKey_file"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_use_authz, 0), "SSL_use_authz"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_use_certificate, 0), "SSL_use_certificate"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_use_certificate_ASN1, 0), "SSL_use_certificate_ASN1"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_use_certificate_file, 0), "SSL_use_certificate_file"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_use_psk_identity_hint, 0), "SSL_use_psk_identity_hint"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_write, 0), "SSL_write"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_authz_find_data, 0), "authz_find_data"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_check_suiteb_cipher_list, 0), "check_suiteb_cipher_list"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_d2i_SSL_SESSION, 0), "d2i_SSL_SESSION"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_d2i_SSL_SESSION_get_octet_string, 0), "d2i_SSL_SESSION_get_octet_string"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_d2i_SSL_SESSION_get_string, 0), "d2i_SSL_SESSION_get_string"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_do_dtls1_write, 0), "do_dtls1_write"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_do_ssl3_write, 0), "do_ssl3_write"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_dtls1_accept, 0), "dtls1_accept"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_dtls1_buffer_record, 0), "dtls1_buffer_record"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_dtls1_check_timeout_num, 0), "dtls1_check_timeout_num"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_dtls1_connect, 0), "dtls1_connect"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_dtls1_do_write, 0), "dtls1_do_write"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_dtls1_get_hello_verify, 0), "dtls1_get_hello_verify"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_dtls1_get_message, 0), "dtls1_get_message"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_dtls1_get_message_fragment, 0), "dtls1_get_message_fragment"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_dtls1_heartbeat, 0), "dtls1_heartbeat"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_dtls1_preprocess_fragment, 0), "dtls1_preprocess_fragment"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_dtls1_process_record, 0), "dtls1_process_record"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_dtls1_read_bytes, 0), "dtls1_read_bytes"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_dtls1_send_hello_verify_request, 0), "dtls1_send_hello_verify_request"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_dtls1_write_app_data_bytes, 0), "dtls1_write_app_data_bytes"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_fclose, 0), "fclose"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_fprintf, 0), "fprintf"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_i2d_SSL_SESSION, 0), "i2d_SSL_SESSION"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_printf, 0), "printf"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_read_authz, 0), "read_authz"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl23_accept, 0), "ssl23_accept"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl23_client_hello, 0), "ssl23_client_hello"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl23_connect, 0), "ssl23_connect"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl23_get_client_hello, 0), "ssl23_get_client_hello"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl23_get_server_hello, 0), "ssl23_get_server_hello"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl23_get_v2_client_hello, 0), "ssl23_get_v2_client_hello"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl23_peek, 0), "ssl23_peek"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl23_read, 0), "ssl23_read"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl23_write, 0), "ssl23_write"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_accept, 0), "ssl3_accept"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_callback_ctrl, 0), "ssl3_callback_ctrl"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_cert_verify_hash, 0), "ssl3_cert_verify_hash"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_change_cipher_state, 0), "ssl3_change_cipher_state"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_check_cert_and_algorithm, 0), "ssl3_check_cert_and_algorithm"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_check_client_hello, 0), "ssl3_check_client_hello"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_connect, 0), "ssl3_connect"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_ctrl, 0), "ssl3_ctrl"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_ctx_ctrl, 0), "ssl3_ctx_ctrl"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_digest_cached_records, 0), "ssl3_digest_cached_records"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_do_change_cipher_spec, 0), "ssl3_do_change_cipher_spec"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_expect_change_cipher_spec, 0), "ssl3_expect_change_cipher_spec"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_generate_key_block, 0), "ssl3_generate_key_block"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_cert_status, 0), "ssl3_get_cert_status"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_cert_verify, 0), "ssl3_get_cert_verify"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_certificate_request, 0), "ssl3_get_certificate_request"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_channel_id, 0), "ssl3_get_channel_id"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_client_certificate, 0), "ssl3_get_client_certificate"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_client_hello, 0), "ssl3_get_client_hello"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_client_key_exchange, 0), "ssl3_get_client_key_exchange"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_finished, 0), "ssl3_get_finished"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_initial_bytes, 0), "ssl3_get_initial_bytes"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_message, 0), "ssl3_get_message"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_new_session_ticket, 0), "ssl3_get_new_session_ticket"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_next_proto, 0), "ssl3_get_next_proto"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_record, 0), "ssl3_get_record"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_server_certificate, 0), "ssl3_get_server_certificate"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_server_done, 0), "ssl3_get_server_done"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_server_hello, 0), "ssl3_get_server_hello"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_server_key_exchange, 0), "ssl3_get_server_key_exchange"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_v2_client_hello, 0), "ssl3_get_v2_client_hello"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_handshake_mac, 0), "ssl3_handshake_mac"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_prf, 0), "ssl3_prf"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_read_bytes, 0), "ssl3_read_bytes"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_read_n, 0), "ssl3_read_n"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_send_cert_verify, 0), "ssl3_send_cert_verify"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_send_certificate_request, 0), "ssl3_send_certificate_request"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_send_channel_id, 0), "ssl3_send_channel_id"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_send_client_certificate, 0), "ssl3_send_client_certificate"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_send_client_hello, 0), "ssl3_send_client_hello"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_send_client_key_exchange, 0), "ssl3_send_client_key_exchange"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_send_new_session_ticket, 0), "ssl3_send_new_session_ticket"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_send_server_certificate, 0), "ssl3_send_server_certificate"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_send_server_hello, 0), "ssl3_send_server_hello"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_send_server_key_exchange, 0), "ssl3_send_server_key_exchange"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_setup_key_block, 0), "ssl3_setup_key_block"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_setup_read_buffer, 0), "ssl3_setup_read_buffer"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_setup_write_buffer, 0), "ssl3_setup_write_buffer"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_write_bytes, 0), "ssl3_write_bytes"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_write_pending, 0), "ssl3_write_pending"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_add_cert_chain, 0), "ssl_add_cert_chain"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_add_cert_to_buf, 0), "ssl_add_cert_to_buf"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_add_clienthello_renegotiate_ext, 0), "ssl_add_clienthello_renegotiate_ext"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_add_clienthello_tlsext, 0), "ssl_add_clienthello_tlsext"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_add_clienthello_use_srtp_ext, 0), "ssl_add_clienthello_use_srtp_ext"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_add_serverhello_renegotiate_ext, 0), "ssl_add_serverhello_renegotiate_ext"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_add_serverhello_tlsext, 0), "ssl_add_serverhello_tlsext"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_add_serverhello_use_srtp_ext, 0), "ssl_add_serverhello_use_srtp_ext"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_bad_method, 0), "ssl_bad_method"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_build_cert_chain, 0), "ssl_build_cert_chain"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_bytes_to_cipher_list, 0), "ssl_bytes_to_cipher_list"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_cert_dup, 0), "ssl_cert_dup"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_cert_inst, 0), "ssl_cert_inst"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_cert_new, 0), "ssl_cert_new"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_check_serverhello_tlsext, 0), "ssl_check_serverhello_tlsext"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_check_srvr_ecc_cert_and_alg, 0), "ssl_check_srvr_ecc_cert_and_alg"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_cipher_process_rulestr, 0), "ssl_cipher_process_rulestr"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_cipher_strength_sort, 0), "ssl_cipher_strength_sort"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_create_cipher_list, 0), "ssl_create_cipher_list"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_ctx_log_master_secret, 0), "ssl_ctx_log_master_secret"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_ctx_log_rsa_client_key_exchange, 0), "ssl_ctx_log_rsa_client_key_exchange"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_ctx_make_profiles, 0), "ssl_ctx_make_profiles"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_get_new_session, 0), "ssl_get_new_session"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_get_prev_session, 0), "ssl_get_prev_session"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_get_server_cert_index, 0), "ssl_get_server_cert_index"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_get_sign_pkey, 0), "ssl_get_sign_pkey"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_init_wbio_buffer, 0), "ssl_init_wbio_buffer"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_new, 0), "ssl_new"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_parse_clienthello_renegotiate_ext, 0), "ssl_parse_clienthello_renegotiate_ext"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_parse_clienthello_tlsext, 0), "ssl_parse_clienthello_tlsext"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_parse_clienthello_use_srtp_ext, 0), "ssl_parse_clienthello_use_srtp_ext"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_parse_serverhello_renegotiate_ext, 0), "ssl_parse_serverhello_renegotiate_ext"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_parse_serverhello_tlsext, 0), "ssl_parse_serverhello_tlsext"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_parse_serverhello_use_srtp_ext, 0), "ssl_parse_serverhello_use_srtp_ext"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_prepare_clienthello_tlsext, 0), "ssl_prepare_clienthello_tlsext"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_scan_clienthello_tlsext, 0), "ssl_scan_clienthello_tlsext"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_scan_serverhello_tlsext, 0), "ssl_scan_serverhello_tlsext"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_sess_cert_new, 0), "ssl_sess_cert_new"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_set_authz, 0), "ssl_set_authz"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_set_cert, 0), "ssl_set_cert"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_set_pkey, 0), "ssl_set_pkey"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_undefined_const_function, 0), "ssl_undefined_const_function"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_undefined_function, 0), "ssl_undefined_function"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_undefined_void_function, 0), "ssl_undefined_void_function"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_verify_cert_chain, 0), "ssl_verify_cert_chain"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_tls12_check_peer_sigalg, 0), "tls12_check_peer_sigalg"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_tls1_aead_ctx_init, 0), "tls1_aead_ctx_init"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_tls1_cert_verify_mac, 0), "tls1_cert_verify_mac"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_tls1_change_cipher_state, 0), "tls1_change_cipher_state"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_tls1_change_cipher_state_aead, 0), "tls1_change_cipher_state_aead"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_tls1_change_cipher_state_cipher, 0), "tls1_change_cipher_state_cipher"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_tls1_check_duplicate_extensions, 0), "tls1_check_duplicate_extensions"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_tls1_enc, 0), "tls1_enc"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_tls1_export_keying_material, 0), "tls1_export_keying_material"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_tls1_get_server_supplemental_data, 0), "tls1_get_server_supplemental_data"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_tls1_heartbeat, 0), "tls1_heartbeat"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_tls1_prf, 0), "tls1_prf"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_tls1_send_server_supplemental_data, 0), "tls1_send_server_supplemental_data"},
-  {ERR_PACK(ERR_LIB_SSL, SSL_F_tls1_setup_key_block, 0), "tls1_setup_key_block"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_APP_DATA_IN_HANDSHAKE), "APP_DATA_IN_HANDSHAKE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT), "ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_AUTHZ_DATA_TOO_LARGE), "AUTHZ_DATA_TOO_LARGE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_ALERT), "BAD_ALERT"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_ALERT_RECORD), "BAD_ALERT_RECORD"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_AUTHENTICATION_TYPE), "BAD_AUTHENTICATION_TYPE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_CHANGE_CIPHER_SPEC), "BAD_CHANGE_CIPHER_SPEC"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_CHECKSUM), "BAD_CHECKSUM"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DATA), "BAD_DATA"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DATA_RETURNED_BY_CALLBACK), "BAD_DATA_RETURNED_BY_CALLBACK"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DECOMPRESSION), "BAD_DECOMPRESSION"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DH_G_LENGTH), "BAD_DH_G_LENGTH"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DH_PUB_KEY_LENGTH), "BAD_DH_PUB_KEY_LENGTH"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DH_P_LENGTH), "BAD_DH_P_LENGTH"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DIGEST_LENGTH), "BAD_DIGEST_LENGTH"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DSA_SIGNATURE), "BAD_DSA_SIGNATURE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_ECC_CERT), "BAD_ECC_CERT"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_ECDSA_SIGNATURE), "BAD_ECDSA_SIGNATURE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_ECPOINT), "BAD_ECPOINT"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_HANDSHAKE_LENGTH), "BAD_HANDSHAKE_LENGTH"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_HELLO_REQUEST), "BAD_HELLO_REQUEST"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_LENGTH), "BAD_LENGTH"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_MAC_DECODE), "BAD_MAC_DECODE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_MAC_LENGTH), "BAD_MAC_LENGTH"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_MESSAGE_TYPE), "BAD_MESSAGE_TYPE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_PACKET_LENGTH), "BAD_PACKET_LENGTH"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_PROTOCOL_VERSION_NUMBER), "BAD_PROTOCOL_VERSION_NUMBER"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH), "BAD_PSK_IDENTITY_HINT_LENGTH"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_RESPONSE_ARGUMENT), "BAD_RESPONSE_ARGUMENT"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_RSA_DECRYPT), "BAD_RSA_DECRYPT"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_RSA_ENCRYPT), "BAD_RSA_ENCRYPT"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_RSA_E_LENGTH), "BAD_RSA_E_LENGTH"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_RSA_MODULUS_LENGTH), "BAD_RSA_MODULUS_LENGTH"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_RSA_SIGNATURE), "BAD_RSA_SIGNATURE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_SIGNATURE), "BAD_SIGNATURE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_SRP_A_LENGTH), "BAD_SRP_A_LENGTH"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_SRP_B_LENGTH), "BAD_SRP_B_LENGTH"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_SRP_G_LENGTH), "BAD_SRP_G_LENGTH"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_SRP_N_LENGTH), "BAD_SRP_N_LENGTH"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_SRP_S_LENGTH), "BAD_SRP_S_LENGTH"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_SRTP_MKI_VALUE), "BAD_SRTP_MKI_VALUE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST), "BAD_SRTP_PROTECTION_PROFILE_LIST"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_SSL_FILETYPE), "BAD_SSL_FILETYPE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_SSL_SESSION_ID_LENGTH), "BAD_SSL_SESSION_ID_LENGTH"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_STATE), "BAD_STATE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_VALUE), "BAD_VALUE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_WRITE_RETRY), "BAD_WRITE_RETRY"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BIO_NOT_SET), "BIO_NOT_SET"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG), "BLOCK_CIPHER_PAD_IS_WRONG"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BN_LIB), "BN_LIB"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CANNOT_SERIALIZE_PUBLIC_KEY), "CANNOT_SERIALIZE_PUBLIC_KEY"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CA_DN_LENGTH_MISMATCH), "CA_DN_LENGTH_MISMATCH"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CA_DN_TOO_LONG), "CA_DN_TOO_LONG"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CCS_RECEIVED_EARLY), "CCS_RECEIVED_EARLY"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CERTIFICATE_VERIFY_FAILED), "CERTIFICATE_VERIFY_FAILED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CERT_CB_ERROR), "CERT_CB_ERROR"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CERT_LENGTH_MISMATCH), "CERT_LENGTH_MISMATCH"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CHALLENGE_IS_DIFFERENT), "CHALLENGE_IS_DIFFERENT"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CHANNEL_ID_NOT_P256), "CHANNEL_ID_NOT_P256"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CHANNEL_ID_SIGNATURE_INVALID), "CHANNEL_ID_SIGNATURE_INVALID"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CIPHER_CODE_WRONG_LENGTH), "CIPHER_CODE_WRONG_LENGTH"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CIPHER_OR_HASH_UNAVAILABLE), "CIPHER_OR_HASH_UNAVAILABLE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CIPHER_TABLE_SRC_ERROR), "CIPHER_TABLE_SRC_ERROR"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CLIENTHELLO_PARSE_FAILED), "CLIENTHELLO_PARSE_FAILED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CLIENTHELLO_TLSEXT), "CLIENTHELLO_TLSEXT"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COMPRESSED_LENGTH_TOO_LONG), "COMPRESSED_LENGTH_TOO_LONG"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COMPRESSION_DISABLED), "COMPRESSION_DISABLED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COMPRESSION_FAILURE), "COMPRESSION_FAILURE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE), "COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COMPRESSION_LIBRARY_ERROR), "COMPRESSION_LIBRARY_ERROR"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CONNECTION_ID_IS_DIFFERENT), "CONNECTION_ID_IS_DIFFERENT"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CONNECTION_REJECTED), "CONNECTION_REJECTED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CONNECTION_TYPE_NOT_SET), "CONNECTION_TYPE_NOT_SET"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COOKIE_MISMATCH), "COOKIE_MISMATCH"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_D2I_ECDSA_SIG), "D2I_ECDSA_SIG"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DATA_BETWEEN_CCS_AND_FINISHED), "DATA_BETWEEN_CCS_AND_FINISHED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DATA_LENGTH_TOO_LONG), "DATA_LENGTH_TOO_LONG"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DECODE_ERROR), "DECODE_ERROR"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DECRYPTION_FAILED), "DECRYPTION_FAILED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC), "DECRYPTION_FAILED_OR_BAD_RECORD_MAC"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG), "DH_PUBLIC_VALUE_LENGTH_IS_WRONG"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DIGEST_CHECK_FAILED), "DIGEST_CHECK_FAILED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DTLS_MESSAGE_TOO_BIG), "DTLS_MESSAGE_TOO_BIG"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DUPLICATE_COMPRESSION_ID), "DUPLICATE_COMPRESSION_ID"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT), "ECC_CERT_NOT_FOR_KEY_AGREEMENT"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ECC_CERT_NOT_FOR_SIGNING), "ECC_CERT_NOT_FOR_SIGNING"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE), "ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE), "ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER), "ECGROUP_TOO_LARGE_FOR_CIPHER"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST), "EMPTY_SRTP_PROTECTION_PROFILE_LIST"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ENCRYPTED_LENGTH_TOO_LONG), "ENCRYPTED_LENGTH_TOO_LONG"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ERROR_GENERATING_TMP_RSA_KEY), "ERROR_GENERATING_TMP_RSA_KEY"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST), "ERROR_IN_RECEIVED_CIPHER_LIST"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EVP_DIGESTSIGNFINAL_FAILED), "EVP_DIGESTSIGNFINAL_FAILED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EVP_DIGESTSIGNINIT_FAILED), "EVP_DIGESTSIGNINIT_FAILED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EXCESSIVE_MESSAGE_SIZE), "EXCESSIVE_MESSAGE_SIZE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EXTRA_DATA_IN_MESSAGE), "EXTRA_DATA_IN_MESSAGE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_GOST_NOT_SUPPORTED), "GOST_NOT_SUPPORTED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_GOT_A_FIN_BEFORE_A_CCS), "GOT_A_FIN_BEFORE_A_CCS"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_GOT_CHANNEL_ID_BEFORE_A_CCS), "GOT_CHANNEL_ID_BEFORE_A_CCS"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS), "GOT_NEXT_PROTO_BEFORE_A_CCS"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION), "GOT_NEXT_PROTO_WITHOUT_EXTENSION"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_HANDSHAKE_FAILURE_ON_CLIENT_HELLO), "HANDSHAKE_FAILURE_ON_CLIENT_HELLO"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_HANDSHAKE_RECORD_BEFORE_CCS), "HANDSHAKE_RECORD_BEFORE_CCS"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_HTTPS_PROXY_REQUEST), "HTTPS_PROXY_REQUEST"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_HTTP_REQUEST), "HTTP_REQUEST"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ILLEGAL_PADDING), "ILLEGAL_PADDING"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ILLEGAL_SUITEB_DIGEST), "ILLEGAL_SUITEB_DIGEST"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INAPPROPRIATE_FALLBACK), "INAPPROPRIATE_FALLBACK"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INCONSISTENT_COMPRESSION), "INCONSISTENT_COMPRESSION"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_AUDIT_PROOF), "INVALID_AUDIT_PROOF"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_AUTHZ_DATA), "INVALID_AUTHZ_DATA"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_CHALLENGE_LENGTH), "INVALID_CHALLENGE_LENGTH"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_COMMAND), "INVALID_COMMAND"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_COMPRESSION_ALGORITHM), "INVALID_COMPRESSION_ALGORITHM"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_MESSAGE), "INVALID_MESSAGE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_NULL_CMD_NAME), "INVALID_NULL_CMD_NAME"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_PURPOSE), "INVALID_PURPOSE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_SERVERINFO_DATA), "INVALID_SERVERINFO_DATA"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_SRP_USERNAME), "INVALID_SRP_USERNAME"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_SSL_SESSION), "INVALID_SSL_SESSION"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_STATUS_RESPONSE), "INVALID_STATUS_RESPONSE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_TICKET_KEYS_LENGTH), "INVALID_TICKET_KEYS_LENGTH"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_TRUST), "INVALID_TRUST"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_KEY_ARG_TOO_LONG), "KEY_ARG_TOO_LONG"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_KRB5), "KRB5"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_KRB5_C_CC_PRINC), "KRB5_C_CC_PRINC"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_KRB5_C_GET_CRED), "KRB5_C_GET_CRED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_KRB5_C_INIT), "KRB5_C_INIT"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_KRB5_C_MK_REQ), "KRB5_C_MK_REQ"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_KRB5_S_BAD_TICKET), "KRB5_S_BAD_TICKET"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_KRB5_S_INIT), "KRB5_S_INIT"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_KRB5_S_RD_REQ), "KRB5_S_RD_REQ"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_KRB5_S_TKT_EXPIRED), "KRB5_S_TKT_EXPIRED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_KRB5_S_TKT_NYV), "KRB5_S_TKT_NYV"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_KRB5_S_TKT_SKEW), "KRB5_S_TKT_SKEW"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_LENGTH_MISMATCH), "LENGTH_MISMATCH"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_LENGTH_TOO_SHORT), "LENGTH_TOO_SHORT"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_LIBRARY_BUG), "LIBRARY_BUG"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_LIBRARY_HAS_NO_CIPHERS), "LIBRARY_HAS_NO_CIPHERS"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MESSAGE_TOO_LONG), "MESSAGE_TOO_LONG"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_DH_DSA_CERT), "MISSING_DH_DSA_CERT"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_DH_KEY), "MISSING_DH_KEY"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_DH_RSA_CERT), "MISSING_DH_RSA_CERT"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_DSA_SIGNING_CERT), "MISSING_DSA_SIGNING_CERT"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_ECDH_CERT), "MISSING_ECDH_CERT"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_ECDSA_SIGNING_CERT), "MISSING_ECDSA_SIGNING_CERT"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_EXPORT_TMP_DH_KEY), "MISSING_EXPORT_TMP_DH_KEY"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_EXPORT_TMP_RSA_KEY), "MISSING_EXPORT_TMP_RSA_KEY"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_RSA_CERTIFICATE), "MISSING_RSA_CERTIFICATE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_RSA_ENCRYPTING_CERT), "MISSING_RSA_ENCRYPTING_CERT"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_RSA_SIGNING_CERT), "MISSING_RSA_SIGNING_CERT"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_SRP_PARAM), "MISSING_SRP_PARAM"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_TMP_DH_KEY), "MISSING_TMP_DH_KEY"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_TMP_ECDH_KEY), "MISSING_TMP_ECDH_KEY"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_TMP_RSA_KEY), "MISSING_TMP_RSA_KEY"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_TMP_RSA_PKEY), "MISSING_TMP_RSA_PKEY"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_VERIFY_MESSAGE), "MISSING_VERIFY_MESSAGE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS), "MIXED_SPECIAL_OPERATOR_WITH_GROUPS"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MTU_TOO_SMALL), "MTU_TOO_SMALL"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MULTIPLE_SGC_RESTARTS), "MULTIPLE_SGC_RESTARTS"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NESTED_GROUP), "NESTED_GROUP"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NON_SSLV2_INITIAL_PACKET), "NON_SSLV2_INITIAL_PACKET"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CERTIFICATES_RETURNED), "NO_CERTIFICATES_RETURNED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CERTIFICATE_ASSIGNED), "NO_CERTIFICATE_ASSIGNED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CERTIFICATE_RETURNED), "NO_CERTIFICATE_RETURNED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CERTIFICATE_SET), "NO_CERTIFICATE_SET"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CERTIFICATE_SPECIFIED), "NO_CERTIFICATE_SPECIFIED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CIPHERS_AVAILABLE), "NO_CIPHERS_AVAILABLE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CIPHERS_PASSED), "NO_CIPHERS_PASSED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CIPHERS_SPECIFIED), "NO_CIPHERS_SPECIFIED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CIPHER_LIST), "NO_CIPHER_LIST"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CIPHER_MATCH), "NO_CIPHER_MATCH"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CLIENT_CERT_METHOD), "NO_CLIENT_CERT_METHOD"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CLIENT_CERT_RECEIVED), "NO_CLIENT_CERT_RECEIVED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_COMPRESSION_SPECIFIED), "NO_COMPRESSION_SPECIFIED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER), "NO_GOST_CERTIFICATE_SENT_BY_PEER"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_METHOD_SPECIFIED), "NO_METHOD_SPECIFIED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_P256_SUPPORT), "NO_P256_SUPPORT"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_PEM_EXTENSIONS), "NO_PEM_EXTENSIONS"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_PRIVATEKEY), "NO_PRIVATEKEY"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_PRIVATE_KEY_ASSIGNED), "NO_PRIVATE_KEY_ASSIGNED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_PROTOCOLS_AVAILABLE), "NO_PROTOCOLS_AVAILABLE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_PUBLICKEY), "NO_PUBLICKEY"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_RENEGOTIATION), "NO_RENEGOTIATION"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_REQUIRED_DIGEST), "NO_REQUIRED_DIGEST"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_SHARED_CIPHER), "NO_SHARED_CIPHER"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_SHARED_SIGATURE_ALGORITHMS), "NO_SHARED_SIGATURE_ALGORITHMS"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_SRTP_PROFILES), "NO_SRTP_PROFILES"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_VERIFY_CALLBACK), "NO_VERIFY_CALLBACK"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NULL_SSL_CTX), "NULL_SSL_CTX"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NULL_SSL_METHOD_PASSED), "NULL_SSL_METHOD_PASSED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED), "OLD_SESSION_CIPHER_NOT_RETURNED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED), "OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE), "ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE), "ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE), "ONLY_TLS_ALLOWED_IN_FIPS_MODE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_OPAQUE_PRF_INPUT_TOO_LONG), "OPAQUE_PRF_INPUT_TOO_LONG"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PACKET_LENGTH_TOO_LONG), "PACKET_LENGTH_TOO_LONG"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PARSE_TLSEXT), "PARSE_TLSEXT"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PATH_TOO_LONG), "PATH_TOO_LONG"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE), "PEER_DID_NOT_RETURN_A_CERTIFICATE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PEER_ERROR), "PEER_ERROR"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PEER_ERROR_CERTIFICATE), "PEER_ERROR_CERTIFICATE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PEER_ERROR_NO_CERTIFICATE), "PEER_ERROR_NO_CERTIFICATE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PEER_ERROR_NO_CIPHER), "PEER_ERROR_NO_CIPHER"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE), "PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PEM_NAME_BAD_PREFIX), "PEM_NAME_BAD_PREFIX"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PEM_NAME_TOO_SHORT), "PEM_NAME_TOO_SHORT"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PRE_MAC_LENGTH_TOO_LONG), "PRE_MAC_LENGTH_TOO_LONG"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS), "PROBLEMS_MAPPING_CIPHER_FUNCTIONS"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PROTOCOL_IS_SHUTDOWN), "PROTOCOL_IS_SHUTDOWN"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PSK_IDENTITY_NOT_FOUND), "PSK_IDENTITY_NOT_FOUND"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PSK_NO_CLIENT_CB), "PSK_NO_CLIENT_CB"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PSK_NO_SERVER_CB), "PSK_NO_SERVER_CB"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PUBLIC_KEY_ENCRYPT_ERROR), "PUBLIC_KEY_ENCRYPT_ERROR"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PUBLIC_KEY_IS_NOT_RSA), "PUBLIC_KEY_IS_NOT_RSA"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PUBLIC_KEY_NOT_RSA), "PUBLIC_KEY_NOT_RSA"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_READ_BIO_NOT_SET), "READ_BIO_NOT_SET"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_READ_TIMEOUT_EXPIRED), "READ_TIMEOUT_EXPIRED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_READ_WRONG_PACKET_TYPE), "READ_WRONG_PACKET_TYPE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_RECORD_LENGTH_MISMATCH), "RECORD_LENGTH_MISMATCH"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_RECORD_TOO_LARGE), "RECORD_TOO_LARGE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_RECORD_TOO_SMALL), "RECORD_TOO_SMALL"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_RENEGOTIATE_EXT_TOO_LONG), "RENEGOTIATE_EXT_TOO_LONG"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_RENEGOTIATION_ENCODING_ERR), "RENEGOTIATION_ENCODING_ERR"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_RENEGOTIATION_MISMATCH), "RENEGOTIATION_MISMATCH"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_REQUIRED_CIPHER_MISSING), "REQUIRED_CIPHER_MISSING"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING), "REQUIRED_COMPRESSSION_ALGORITHM_MISSING"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_REUSE_CERT_LENGTH_NOT_ZERO), "REUSE_CERT_LENGTH_NOT_ZERO"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_REUSE_CERT_TYPE_NOT_ZERO), "REUSE_CERT_TYPE_NOT_ZERO"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_REUSE_CIPHER_LIST_NOT_ZERO), "REUSE_CIPHER_LIST_NOT_ZERO"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING), "SCSV_RECEIVED_WHEN_RENEGOTIATING"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SERVERHELLO_TLSEXT), "SERVERHELLO_TLSEXT"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED), "SESSION_ID_CONTEXT_UNINITIALIZED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SESSION_MAY_NOT_BE_CREATED), "SESSION_MAY_NOT_BE_CREATED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SHORT_READ), "SHORT_READ"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SIGNATURE_ALGORITHMS_ERROR), "SIGNATURE_ALGORITHMS_ERROR"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE), "SIGNATURE_FOR_NON_SIGNING_CERTIFICATE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SRP_A_CALC), "SRP_A_CALC"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES), "SRTP_COULD_NOT_ALLOCATE_PROFILES"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG), "SRTP_PROTECTION_PROFILE_LIST_TOO_LONG"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE), "SRTP_UNKNOWN_PROTECTION_PROFILE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL23_DOING_SESSION_ID_REUSE), "SSL23_DOING_SESSION_ID_REUSE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL2_CONNECTION_ID_TOO_LONG), "SSL2_CONNECTION_ID_TOO_LONG"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL3_EXT_INVALID_ECPOINTFORMAT), "SSL3_EXT_INVALID_ECPOINTFORMAT"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL3_EXT_INVALID_SERVERNAME), "SSL3_EXT_INVALID_SERVERNAME"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE), "SSL3_EXT_INVALID_SERVERNAME_TYPE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL3_SESSION_ID_TOO_LONG), "SSL3_SESSION_ID_TOO_LONG"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL3_SESSION_ID_TOO_SHORT), "SSL3_SESSION_ID_TOO_SHORT"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_BAD_CERTIFICATE), "SSLV3_ALERT_BAD_CERTIFICATE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_BAD_RECORD_MAC), "SSLV3_ALERT_BAD_RECORD_MAC"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED), "SSLV3_ALERT_CERTIFICATE_EXPIRED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED), "SSLV3_ALERT_CERTIFICATE_REVOKED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN), "SSLV3_ALERT_CERTIFICATE_UNKNOWN"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_CLOSE_NOTIFY), "SSLV3_ALERT_CLOSE_NOTIFY"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE), "SSLV3_ALERT_DECOMPRESSION_FAILURE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE), "SSLV3_ALERT_HANDSHAKE_FAILURE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER), "SSLV3_ALERT_ILLEGAL_PARAMETER"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_NO_CERTIFICATE), "SSLV3_ALERT_NO_CERTIFICATE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE), "SSLV3_ALERT_UNEXPECTED_MESSAGE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE), "SSLV3_ALERT_UNSUPPORTED_CERTIFICATE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION), "SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_HANDSHAKE_FAILURE), "SSL_HANDSHAKE_FAILURE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS), "SSL_LIBRARY_HAS_NO_CIPHERS"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SESSION_ID_CALLBACK_FAILED), "SSL_SESSION_ID_CALLBACK_FAILED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SESSION_ID_CONFLICT), "SSL_SESSION_ID_CONFLICT"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG), "SSL_SESSION_ID_CONTEXT_TOO_LONG"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH), "SSL_SESSION_ID_HAS_BAD_LENGTH"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SESSION_ID_IS_DIFFERENT), "SSL_SESSION_ID_IS_DIFFERENT"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_ACCESS_DENIED), "TLSV1_ALERT_ACCESS_DENIED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_DECODE_ERROR), "TLSV1_ALERT_DECODE_ERROR"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_DECRYPTION_FAILED), "TLSV1_ALERT_DECRYPTION_FAILED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_DECRYPT_ERROR), "TLSV1_ALERT_DECRYPT_ERROR"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION), "TLSV1_ALERT_EXPORT_RESTRICTION"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK), "TLSV1_ALERT_INAPPROPRIATE_FALLBACK"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY), "TLSV1_ALERT_INSUFFICIENT_SECURITY"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_INTERNAL_ERROR), "TLSV1_ALERT_INTERNAL_ERROR"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_NO_RENEGOTIATION), "TLSV1_ALERT_NO_RENEGOTIATION"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_PROTOCOL_VERSION), "TLSV1_ALERT_PROTOCOL_VERSION"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_RECORD_OVERFLOW), "TLSV1_ALERT_RECORD_OVERFLOW"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_UNKNOWN_CA), "TLSV1_ALERT_UNKNOWN_CA"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_USER_CANCELLED), "TLSV1_ALERT_USER_CANCELLED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE), "TLSV1_BAD_CERTIFICATE_HASH_VALUE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE), "TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE), "TLSV1_CERTIFICATE_UNOBTAINABLE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_UNRECOGNIZED_NAME), "TLSV1_UNRECOGNIZED_NAME"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_UNSUPPORTED_EXTENSION), "TLSV1_UNSUPPORTED_EXTENSION"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER), "TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL), "TLS_ILLEGAL_EXPORTER_LABEL"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST), "TLS_INVALID_ECPOINTFORMAT_LIST"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST), "TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG), "TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TOO_MANY_EMPTY_FRAGMENTS), "TOO_MANY_EMPTY_FRAGMENTS"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER), "TRIED_TO_USE_UNSUPPORTED_CIPHER"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_DECODE_DH_CERTS), "UNABLE_TO_DECODE_DH_CERTS"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_DECODE_ECDH_CERTS), "UNABLE_TO_DECODE_ECDH_CERTS"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY), "UNABLE_TO_EXTRACT_PUBLIC_KEY"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_FIND_DH_PARAMETERS), "UNABLE_TO_FIND_DH_PARAMETERS"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS), "UNABLE_TO_FIND_ECDH_PARAMETERS"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS), "UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_FIND_SSL_METHOD), "UNABLE_TO_FIND_SSL_METHOD"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES), "UNABLE_TO_LOAD_SSL2_MD5_ROUTINES"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES), "UNABLE_TO_LOAD_SSL3_MD5_ROUTINES"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES), "UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_GROUP_CLOSE), "UNEXPECTED_GROUP_CLOSE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_MESSAGE), "UNEXPECTED_MESSAGE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_OPERATOR_IN_GROUP), "UNEXPECTED_OPERATOR_IN_GROUP"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_RECORD), "UNEXPECTED_RECORD"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "UNINITIALIZED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_ALERT_TYPE), "UNKNOWN_ALERT_TYPE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_AUTHZ_DATA_TYPE), "UNKNOWN_AUTHZ_DATA_TYPE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_CERTIFICATE_TYPE), "UNKNOWN_CERTIFICATE_TYPE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_CIPHER_RETURNED), "UNKNOWN_CIPHER_RETURNED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_CIPHER_TYPE), "UNKNOWN_CIPHER_TYPE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_CMD_NAME), "UNKNOWN_CMD_NAME"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_DIGEST), "UNKNOWN_DIGEST"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE), "UNKNOWN_KEY_EXCHANGE_TYPE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_PKEY_TYPE), "UNKNOWN_PKEY_TYPE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_PROTOCOL), "UNKNOWN_PROTOCOL"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_REMOTE_ERROR_TYPE), "UNKNOWN_REMOTE_ERROR_TYPE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_SSL_VERSION), "UNKNOWN_SSL_VERSION"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_STATE), "UNKNOWN_STATE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_SUPPLEMENTAL_DATA_TYPE), "UNKNOWN_SUPPLEMENTAL_DATA_TYPE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNPROCESSED_HANDSHAKE_DATA), "UNPROCESSED_HANDSHAKE_DATA"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED), "UNSAFE_LEGACY_RENEGOTIATION_DISABLED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_CIPHER), "UNSUPPORTED_CIPHER"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM), "UNSUPPORTED_COMPRESSION_ALGORITHM"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_DIGEST_TYPE), "UNSUPPORTED_DIGEST_TYPE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE), "UNSUPPORTED_ELLIPTIC_CURVE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_PROTOCOL), "UNSUPPORTED_PROTOCOL"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_SSL_VERSION), "UNSUPPORTED_SSL_VERSION"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_STATUS_TYPE), "UNSUPPORTED_STATUS_TYPE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_USE_SRTP_NOT_NEGOTIATED), "USE_SRTP_NOT_NEGOTIATED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRITE_BIO_NOT_SET), "WRITE_BIO_NOT_SET"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_CERTIFICATE_TYPE), "WRONG_CERTIFICATE_TYPE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_CIPHER_RETURNED), "WRONG_CIPHER_RETURNED"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_CURVE), "WRONG_CURVE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_MESSAGE_TYPE), "WRONG_MESSAGE_TYPE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_NUMBER_OF_KEY_BITS), "WRONG_NUMBER_OF_KEY_BITS"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_SIGNATURE_LENGTH), "WRONG_SIGNATURE_LENGTH"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_SIGNATURE_SIZE), "WRONG_SIGNATURE_SIZE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_SIGNATURE_TYPE), "WRONG_SIGNATURE_TYPE"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_SSL_VERSION), "WRONG_SSL_VERSION"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_VERSION_NUMBER), "WRONG_VERSION_NUMBER"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_X509_LIB), "X509_LIB"},
-  {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS), "X509_VERIFICATION_SETUP_PROBLEMS"},
-  {0, NULL},
-};
diff --git a/src/ssl/ssl_lib.c b/src/ssl/ssl_lib.c
index 35eb1ec..6c8e2c9 100644
--- a/src/ssl/ssl_lib.c
+++ b/src/ssl/ssl_lib.c
@@ -138,19 +138,22 @@
  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
  * OTHERWISE. */
 
-#include <stdio.h>
 #include <assert.h>
+#include <stdio.h>
+#include <string.h>
 
 #include <openssl/bytestring.h>
 #include <openssl/dh.h>
-#include <openssl/engine.h>
+#include <openssl/err.h>
 #include <openssl/lhash.h>
 #include <openssl/mem.h>
 #include <openssl/obj.h>
 #include <openssl/rand.h>
 #include <openssl/x509v3.h>
 
-#include "ssl_locl.h"
+#include "internal.h"
+#include "../crypto/internal.h"
+
 
 /* Some error codes are special. Ensure the make_errors.go script never
  * regresses this. */
@@ -158,6 +161,12 @@ OPENSSL_COMPILE_ASSERT(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION ==
                            SSL_AD_NO_RENEGOTIATION + SSL_AD_REASON_OFFSET,
                        ssl_alert_reason_code_mismatch);
 
+/* kMaxHandshakeSize is the maximum size, in bytes, of a handshake message. */
+static const size_t kMaxHandshakeSize = (1u << 24) - 1;
+
+static CRYPTO_EX_DATA_CLASS g_ex_data_class_ssl = CRYPTO_EX_DATA_CLASS_INIT;
+static CRYPTO_EX_DATA_CLASS g_ex_data_class_ssl_ctx = CRYPTO_EX_DATA_CLASS_INIT;
+
 int SSL_clear(SSL *s) {
   if (s->method == NULL) {
     OPENSSL_PUT_ERROR(SSL, SSL_clear, SSL_R_NO_METHOD_SPECIFIED);
@@ -199,21 +208,17 @@ int SSL_clear(SSL *s) {
   s->rwstate = SSL_NOTHING;
   s->rstate = SSL_ST_READ_HEADER;
 
-  if (s->init_buf != NULL) {
-    BUF_MEM_free(s->init_buf);
-    s->init_buf = NULL;
-  }
+  BUF_MEM_free(s->init_buf);
+  s->init_buf = NULL;
 
   s->packet = NULL;
   s->packet_length = 0;
 
   ssl_clear_cipher_ctx(s);
 
-  if (s->next_proto_negotiated) {
-    OPENSSL_free(s->next_proto_negotiated);
-    s->next_proto_negotiated = NULL;
-    s->next_proto_negotiated_len = 0;
-  }
+  OPENSSL_free(s->next_proto_negotiated);
+  s->next_proto_negotiated = NULL;
+  s->next_proto_negotiated_len = 0;
 
   /* The s->d1->mtu is simultaneously configuration (preserved across
    * clear) and connection-specific state (gets reset).
@@ -265,21 +270,9 @@ SSL *SSL_new(SSL_CTX *ctx) {
   s->mode = ctx->mode;
   s->max_cert_list = ctx->max_cert_list;
 
-  if (ctx->cert != NULL) {
-    /* Earlier library versions used to copy the pointer to the CERT, not its
-     * contents; only when setting new parameters for the per-SSL copy,
-     * ssl_cert_new would be called (and the direct reference to the
-     * per-SSL_CTX settings would be lost, but those still were indirectly
-     * accessed for various purposes, and for that reason they used to be known
-     * as s->ctx->default_cert). Now we don't look at the SSL_CTX's CERT after
-     * having duplicated it once. */
-
-    s->cert = ssl_cert_dup(ctx->cert);
-    if (s->cert == NULL) {
-      goto err;
-    }
-  } else {
-    s->cert = NULL; /* Cannot really happen (see SSL_CTX_new) */
+  s->cert = ssl_cert_dup(ctx->cert);
+  if (s->cert == NULL) {
+    goto err;
   }
 
   s->read_ahead = ctx->read_ahead;
@@ -302,8 +295,6 @@ SSL *SSL_new(SSL_CTX *ctx) {
 
   CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
   s->ctx = ctx;
-  s->tlsext_debug_cb = 0;
-  s->tlsext_debug_arg = NULL;
   s->tlsext_ticket_expected = 0;
   CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
   s->initial_ctx = ctx;
@@ -345,12 +336,10 @@ SSL *SSL_new(SSL_CTX *ctx) {
   s->enc_method = ssl3_get_enc_method(s->version);
   assert(s->enc_method != NULL);
 
-  s->references = 1;
-
   s->rwstate = SSL_NOTHING;
   s->rstate = SSL_ST_READ_HEADER;
 
-  CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
+  CRYPTO_new_ex_data(&g_ex_data_class_ssl, s, &s->ex_data);
 
   s->psk_identity_hint = NULL;
   if (ctx->psk_identity_hint) {
@@ -364,7 +353,8 @@ SSL *SSL_new(SSL_CTX *ctx) {
 
   s->tlsext_channel_id_enabled = ctx->tlsext_channel_id_enabled;
   if (ctx->tlsext_channel_id_private) {
-    s->tlsext_channel_id_private = EVP_PKEY_dup(ctx->tlsext_channel_id_private);
+    s->tlsext_channel_id_private =
+        EVP_PKEY_up_ref(ctx->tlsext_channel_id_private);
   }
 
   s->signed_cert_timestamps_enabled = s->ctx->signed_cert_timestamps_enabled;
@@ -373,9 +363,7 @@ SSL *SSL_new(SSL_CTX *ctx) {
   return s;
 
 err:
-  if (s != NULL) {
-    SSL_free(s);
-  }
+  SSL_free(s);
   OPENSSL_PUT_ERROR(SSL, SSL_new, ERR_R_MALLOC_FAILURE);
 
   return NULL;
@@ -415,9 +403,7 @@ int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb) {
 }
 
 int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb) {
-  CRYPTO_w_lock(CRYPTO_LOCK_SSL);
   ssl->generate_session_id = cb;
-  CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
   return 1;
 }
 
@@ -470,6 +456,9 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm) {
 
 void ssl_cipher_preference_list_free(
     struct ssl_cipher_preference_list_st *cipher_list) {
+  if (cipher_list == NULL) {
+    return;
+  }
   sk_SSL_CIPHER_free(cipher_list->ciphers);
   OPENSSL_free(cipher_list->in_group_flags);
   OPENSSL_free(cipher_list);
@@ -499,17 +488,12 @@ struct ssl_cipher_preference_list_st *ssl_cipher_preference_list_dup(
   return ret;
 
 err:
-  if (ret && ret->ciphers) {
-    sk_SSL_CIPHER_free(ret->ciphers);
-  }
-  if (ret) {
-    OPENSSL_free(ret);
-  }
+  ssl_cipher_preference_list_free(ret);
   return NULL;
 }
 
 struct ssl_cipher_preference_list_st *ssl_cipher_preference_list_from_ciphers(
-    STACK_OF(SSL_CIPHER) * ciphers) {
+    STACK_OF(SSL_CIPHER) *ciphers) {
   struct ssl_cipher_preference_list_st *ret = NULL;
   size_t n = sk_SSL_CIPHER_num(ciphers);
 
@@ -531,12 +515,7 @@ struct ssl_cipher_preference_list_st *ssl_cipher_preference_list_from_ciphers(
   return ret;
 
 err:
-  if (ret && ret->ciphers) {
-    sk_SSL_CIPHER_free(ret->ciphers);
-  }
-  if (ret) {
-    OPENSSL_free(ret);
-  }
+  ssl_cipher_preference_list_free(ret);
   return NULL;
 }
 
@@ -547,22 +526,13 @@ X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl) { return ssl->param; }
 void SSL_certs_clear(SSL *s) { ssl_cert_clear_certs(s->cert); }
 
 void SSL_free(SSL *s) {
-  int i;
-
   if (s == NULL) {
     return;
   }
 
-  i = CRYPTO_add(&s->references, -1, CRYPTO_LOCK_SSL);
-  if (i > 0) {
-    return;
-  }
-
-  if (s->param) {
-    X509_VERIFY_PARAM_free(s->param);
-  }
+  X509_VERIFY_PARAM_free(s->param);
 
-  CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
+  CRYPTO_free_ex_data(&g_ex_data_class_ssl, s, &s->ex_data);
 
   if (s->bbio != NULL) {
     /* If the buffering BIO is in place, pop it off */
@@ -573,74 +543,40 @@ void SSL_free(SSL *s) {
     s->bbio = NULL;
   }
 
-  if (s->rbio != NULL) {
-    BIO_free_all(s->rbio);
-  }
-
-  if (s->wbio != NULL && s->wbio != s->rbio) {
+  int free_wbio = s->wbio != s->rbio;
+  BIO_free_all(s->rbio);
+  if (free_wbio) {
     BIO_free_all(s->wbio);
   }
 
-  if (s->init_buf != NULL) {
-    BUF_MEM_free(s->init_buf);
-  }
+  BUF_MEM_free(s->init_buf);
 
   /* add extra stuff */
-  if (s->cipher_list != NULL) {
-    ssl_cipher_preference_list_free(s->cipher_list);
-  }
-  if (s->cipher_list_by_id != NULL) {
-    sk_SSL_CIPHER_free(s->cipher_list_by_id);
-  }
+  ssl_cipher_preference_list_free(s->cipher_list);
+  sk_SSL_CIPHER_free(s->cipher_list_by_id);
 
-  if (s->session != NULL) {
-    ssl_clear_bad_session(s);
-    SSL_SESSION_free(s->session);
-  }
+  ssl_clear_bad_session(s);
+  SSL_SESSION_free(s->session);
 
   ssl_clear_cipher_ctx(s);
 
-  if (s->cert != NULL) {
-    ssl_cert_free(s->cert);
-  }
+  ssl_cert_free(s->cert);
 
-  if (s->tlsext_hostname) {
-    OPENSSL_free(s->tlsext_hostname);
-  }
-  if (s->initial_ctx) {
-    SSL_CTX_free(s->initial_ctx);
-  }
-  if (s->tlsext_ecpointformatlist) {
-    OPENSSL_free(s->tlsext_ecpointformatlist);
-  }
-  if (s->tlsext_ellipticcurvelist) {
-    OPENSSL_free(s->tlsext_ellipticcurvelist);
-  }
-  if (s->alpn_client_proto_list) {
-    OPENSSL_free(s->alpn_client_proto_list);
-  }
-  if (s->tlsext_channel_id_private) {
-    EVP_PKEY_free(s->tlsext_channel_id_private);
-  }
-  if (s->psk_identity_hint) {
-    OPENSSL_free(s->psk_identity_hint);
-  }
-  if (s->client_CA != NULL) {
-    sk_X509_NAME_pop_free(s->client_CA, X509_NAME_free);
-  }
-  if (s->next_proto_negotiated) {
-    OPENSSL_free(s->next_proto_negotiated);
-  }
-  if (s->srtp_profiles) {
-    sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles);
-  }
+  OPENSSL_free(s->tlsext_hostname);
+  SSL_CTX_free(s->initial_ctx);
+  OPENSSL_free(s->tlsext_ecpointformatlist);
+  OPENSSL_free(s->tlsext_ellipticcurvelist);
+  OPENSSL_free(s->alpn_client_proto_list);
+  EVP_PKEY_free(s->tlsext_channel_id_private);
+  OPENSSL_free(s->psk_identity_hint);
+  sk_X509_NAME_pop_free(s->client_CA, X509_NAME_free);
+  OPENSSL_free(s->next_proto_negotiated);
+  sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles);
 
   if (s->method != NULL) {
     s->method->ssl_free(s);
   }
-  if (s->ctx) {
-    SSL_CTX_free(s->ctx);
-  }
+  SSL_CTX_free(s->ctx);
 
   OPENSSL_free(s);
 }
@@ -654,10 +590,10 @@ void SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio) {
     }
   }
 
-  if (s->rbio != NULL && s->rbio != rbio) {
+  if (s->rbio != rbio) {
     BIO_free_all(s->rbio);
   }
-  if (s->wbio != NULL && s->wbio != wbio && s->rbio != s->wbio) {
+  if (s->wbio != wbio && s->rbio != s->wbio) {
     BIO_free_all(s->wbio);
   }
   s->rbio = rbio;
@@ -822,10 +758,14 @@ void SSL_set_verify_depth(SSL *s, int depth) {
   X509_VERIFY_PARAM_set_depth(s->param, depth);
 }
 
-void SSL_set_read_ahead(SSL *s, int yes) { s->read_ahead = yes; }
+int SSL_CTX_get_read_ahead(const SSL_CTX *ctx) { return ctx->read_ahead; }
 
 int SSL_get_read_ahead(const SSL *s) { return s->read_ahead; }
 
+void SSL_CTX_set_read_ahead(SSL_CTX *ctx, int yes) { ctx->read_ahead = !!yes; }
+
+void SSL_set_read_ahead(SSL *s, int yes) { s->read_ahead = !!yes; }
+
 int SSL_pending(const SSL *s) {
   /* SSL_pending cannot work properly if read-ahead is enabled
    * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)), and it is
@@ -851,8 +791,8 @@ X509 *SSL_get_peer_certificate(const SSL *s) {
   return X509_up_ref(r);
 }
 
-STACK_OF(X509) * SSL_get_peer_cert_chain(const SSL *s) {
-  STACK_OF(X509) * r;
+STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s) {
+  STACK_OF(X509) *r;
 
   if (s == NULL || s->session == NULL || s->session->sess_cert == NULL) {
     r = NULL;
@@ -919,7 +859,7 @@ int SSL_accept(SSL *s) {
   }
 
   if (s->handshake_func != s->method->ssl_accept) {
-    OPENSSL_PUT_ERROR(SSL, SSL_connect, ERR_R_INTERNAL_ERROR);
+    OPENSSL_PUT_ERROR(SSL, SSL_accept, ERR_R_INTERNAL_ERROR);
     return -1;
   }
 
@@ -1005,20 +945,17 @@ int SSL_shutdown(SSL *s) {
 }
 
 int SSL_renegotiate(SSL *s) {
-  if (s->renegotiate == 0) {
-    s->renegotiate = 1;
+  if (SSL_IS_DTLS(s)) {
+    /* Renegotiation is not supported for DTLS. */
+    OPENSSL_PUT_ERROR(SSL, SSL_renegotiate, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+    return 0;
   }
 
-  s->new_session = 1;
-  return s->method->ssl_renegotiate(s);
-}
-
-int SSL_renegotiate_abbreviated(SSL *s) {
   if (s->renegotiate == 0) {
     s->renegotiate = 1;
   }
 
-  s->new_session = 0;
+  s->new_session = 1;
   return s->method->ssl_renegotiate(s);
 }
 
@@ -1028,221 +965,140 @@ int SSL_renegotiate_pending(SSL *s) {
   return s->renegotiate != 0;
 }
 
-long SSL_ctrl(SSL *s, int cmd, long larg, void *parg) {
-  long l;
-
-  switch (cmd) {
-    case SSL_CTRL_GET_READ_AHEAD:
-      return s->read_ahead;
-
-    case SSL_CTRL_SET_READ_AHEAD:
-      l = s->read_ahead;
-      s->read_ahead = larg;
-      return l;
-
-    case SSL_CTRL_SET_MSG_CALLBACK_ARG:
-      s->msg_callback_arg = parg;
-      return 1;
-
-    case SSL_CTRL_OPTIONS:
-      return s->options |= larg;
+uint32_t SSL_CTX_set_options(SSL_CTX *ctx, uint32_t options) {
+  ctx->options |= options;
+  return ctx->options;
+}
 
-    case SSL_CTRL_CLEAR_OPTIONS:
-      return s->options &= ~larg;
+uint32_t SSL_set_options(SSL *ssl, uint32_t options) {
+  ssl->options |= options;
+  return ssl->options;
+}
 
-    case SSL_CTRL_MODE:
-      return s->mode |= larg;
+uint32_t SSL_CTX_clear_options(SSL_CTX *ctx, uint32_t options) {
+  ctx->options &= ~options;
+  return ctx->options;
+}
 
-    case SSL_CTRL_CLEAR_MODE:
-      return s->mode &= ~larg;
+uint32_t SSL_clear_options(SSL *ssl, uint32_t options) {
+  ssl->options &= ~options;
+  return ssl->options;
+}
 
-    case SSL_CTRL_GET_MAX_CERT_LIST:
-      return s->max_cert_list;
+uint32_t SSL_CTX_get_options(const SSL_CTX *ctx) { return ctx->options; }
 
-    case SSL_CTRL_SET_MAX_CERT_LIST:
-      l = s->max_cert_list;
-      s->max_cert_list = larg;
-      return l;
+uint32_t SSL_get_options(const SSL *ssl) { return ssl->options; }
 
-    case SSL_CTRL_SET_MTU:
-      if (larg < (long)dtls1_min_mtu()) {
-        return 0;
-      }
-      if (SSL_IS_DTLS(s)) {
-        s->d1->mtu = larg;
-        return larg;
-      }
-      return 0;
+uint32_t SSL_CTX_set_mode(SSL_CTX *ctx, uint32_t mode) {
+  ctx->mode |= mode;
+  return ctx->mode;
+}
 
-    case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
-      if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH) {
-        return 0;
-      }
-      s->max_send_fragment = larg;
-      return 1;
+uint32_t SSL_set_mode(SSL *ssl, uint32_t mode) {
+  ssl->mode |= mode;
+  return ssl->mode;
+}
 
-    case SSL_CTRL_GET_RI_SUPPORT:
-      if (s->s3) {
-        return s->s3->send_connection_binding;
-      }
-      return 0;
+uint32_t SSL_CTX_clear_mode(SSL_CTX *ctx, uint32_t mode) {
+  ctx->mode &= ~mode;
+  return ctx->mode;
+}
 
-    case SSL_CTRL_CERT_FLAGS:
-      return s->cert->cert_flags |= larg;
+uint32_t SSL_clear_mode(SSL *ssl, uint32_t mode) {
+  ssl->mode &= ~mode;
+  return ssl->mode;
+}
 
-    case SSL_CTRL_CLEAR_CERT_FLAGS:
-      return s->cert->cert_flags &= ~larg;
+uint32_t SSL_CTX_get_mode(const SSL_CTX *ctx) { return ctx->mode; }
 
-    case SSL_CTRL_GET_RAW_CIPHERLIST:
-      if (parg) {
-        if (s->cert->ciphers_raw == NULL) {
-          return 0;
-        }
-        *(uint8_t **)parg = s->cert->ciphers_raw;
-        return (int)s->cert->ciphers_rawlen;
-      }
+uint32_t SSL_get_mode(const SSL *ssl) { return ssl->mode; }
 
-      /* Passing a NULL |parg| returns the size of a single
-       * cipher suite value. */
-      return 2;
+size_t SSL_CTX_get_max_cert_list(const SSL_CTX *ctx) {
+  return ctx->max_cert_list;
+}
 
-    default:
-      return s->method->ssl_ctrl(s, cmd, larg, parg);
+void SSL_CTX_set_max_cert_list(SSL_CTX *ctx, size_t max_cert_list) {
+  if (max_cert_list > kMaxHandshakeSize) {
+    max_cert_list = kMaxHandshakeSize;
   }
+  ctx->max_cert_list = (uint32_t)max_cert_list;
 }
 
-long SSL_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) {
-  switch (cmd) {
-    case SSL_CTRL_SET_MSG_CALLBACK:
-      s->msg_callback =
-          (void (*)(int write_p, int version, int content_type, const void *buf,
-                    size_t len, SSL *ssl, void *arg))(fp);
-      return 1;
+size_t SSL_get_max_cert_list(const SSL *ssl) {
+  return ssl->max_cert_list;
+}
 
-    default:
-      return s->method->ssl_callback_ctrl(s, cmd, fp);
+void SSL_set_max_cert_list(SSL *ssl, size_t max_cert_list) {
+  if (max_cert_list > kMaxHandshakeSize) {
+    max_cert_list = kMaxHandshakeSize;
   }
+  ssl->max_cert_list = (uint32_t)max_cert_list;
 }
 
-LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx) { return ctx->sessions; }
-
-long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) {
-  long l;
-
-  switch (cmd) {
-    case SSL_CTRL_GET_READ_AHEAD:
-      return ctx->read_ahead;
-
-    case SSL_CTRL_SET_READ_AHEAD:
-      l = ctx->read_ahead;
-      ctx->read_ahead = larg;
-      return l;
-
-    case SSL_CTRL_SET_MSG_CALLBACK_ARG:
-      ctx->msg_callback_arg = parg;
-      return 1;
-
-    case SSL_CTRL_GET_MAX_CERT_LIST:
-      return ctx->max_cert_list;
-
-    case SSL_CTRL_SET_MAX_CERT_LIST:
-      l = ctx->max_cert_list;
-      ctx->max_cert_list = larg;
-      return l;
-
-    case SSL_CTRL_SET_SESS_CACHE_SIZE:
-      l = ctx->session_cache_size;
-      ctx->session_cache_size = larg;
-      return l;
-
-    case SSL_CTRL_GET_SESS_CACHE_SIZE:
-      return ctx->session_cache_size;
-
-    case SSL_CTRL_SET_SESS_CACHE_MODE:
-      l = ctx->session_cache_mode;
-      ctx->session_cache_mode = larg;
-      return l;
-
-    case SSL_CTRL_GET_SESS_CACHE_MODE:
-      return ctx->session_cache_mode;
-
-    case SSL_CTRL_SESS_NUMBER:
-      return lh_SSL_SESSION_num_items(ctx->sessions);
-
-    case SSL_CTRL_SESS_CONNECT:
-      return ctx->stats.sess_connect;
-
-    case SSL_CTRL_SESS_CONNECT_GOOD:
-      return ctx->stats.sess_connect_good;
-
-    case SSL_CTRL_SESS_CONNECT_RENEGOTIATE:
-      return ctx->stats.sess_connect_renegotiate;
-
-    case SSL_CTRL_SESS_ACCEPT:
-      return ctx->stats.sess_accept;
-
-    case SSL_CTRL_SESS_ACCEPT_GOOD:
-      return ctx->stats.sess_accept_good;
-
-    case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE:
-      return ctx->stats.sess_accept_renegotiate;
-
-    case SSL_CTRL_SESS_HIT:
-      return ctx->stats.sess_hit;
-
-    case SSL_CTRL_SESS_CB_HIT:
-      return ctx->stats.sess_cb_hit;
-
-    case SSL_CTRL_SESS_MISSES:
-      return ctx->stats.sess_miss;
-
-    case SSL_CTRL_SESS_TIMEOUTS:
-      return ctx->stats.sess_timeout;
+void SSL_CTX_set_max_send_fragment(SSL_CTX *ctx, size_t max_send_fragment) {
+  if (max_send_fragment < 512) {
+    max_send_fragment = 512;
+  }
+  if (max_send_fragment > SSL3_RT_MAX_PLAIN_LENGTH) {
+    max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
+  }
+  ctx->max_send_fragment = (uint16_t)max_send_fragment;
+}
 
-    case SSL_CTRL_SESS_CACHE_FULL:
-      return ctx->stats.sess_cache_full;
+void SSL_set_max_send_fragment(SSL *ssl, size_t max_send_fragment) {
+  if (max_send_fragment < 512) {
+    max_send_fragment = 512;
+  }
+  if (max_send_fragment > SSL3_RT_MAX_PLAIN_LENGTH) {
+    max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
+  }
+  ssl->max_send_fragment = (uint16_t)max_send_fragment;
+}
 
-    case SSL_CTRL_OPTIONS:
-      return ctx->options |= larg;
+int SSL_set_mtu(SSL *ssl, unsigned mtu) {
+  if (!SSL_IS_DTLS(ssl) || mtu < dtls1_min_mtu()) {
+    return 0;
+  }
+  ssl->d1->mtu = mtu;
+  return 1;
+}
 
-    case SSL_CTRL_CLEAR_OPTIONS:
-      return ctx->options &= ~larg;
+int SSL_get_secure_renegotiation_support(const SSL *ssl) {
+  return ssl->s3->send_connection_binding;
+}
 
-    case SSL_CTRL_MODE:
-      return ctx->mode |= larg;
+long SSL_ctrl(SSL *s, int cmd, long larg, void *parg) {
+  return s->method->ssl_ctrl(s, cmd, larg, parg);
+}
 
-    case SSL_CTRL_CLEAR_MODE:
-      return ctx->mode &= ~larg;
+LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx) { return ctx->sessions; }
 
-    case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
-      if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH) {
-        return 0;
-      }
-      ctx->max_send_fragment = larg;
-      return 1;
+size_t SSL_CTX_sess_number(const SSL_CTX *ctx) {
+  return lh_SSL_SESSION_num_items(ctx->sessions);
+}
 
-    case SSL_CTRL_CERT_FLAGS:
-      return ctx->cert->cert_flags |= larg;
+unsigned long SSL_CTX_sess_set_cache_size(SSL_CTX *ctx, unsigned long size) {
+  unsigned long ret = ctx->session_cache_size;
+  ctx->session_cache_size = size;
+  return ret;
+}
 
-    case SSL_CTRL_CLEAR_CERT_FLAGS:
-      return ctx->cert->cert_flags &= ~larg;
+unsigned long SSL_CTX_sess_get_cache_size(const SSL_CTX *ctx) {
+  return ctx->session_cache_size;
+}
 
-    default:
-      return ctx->method->ssl_ctx_ctrl(ctx, cmd, larg, parg);
-  }
+int SSL_CTX_set_session_cache_mode(SSL_CTX *ctx, int mode) {
+  int ret = ctx->session_cache_mode;
+  ctx->session_cache_mode = mode;
+  return ret;
 }
 
-long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) {
-  switch (cmd) {
-    case SSL_CTRL_SET_MSG_CALLBACK:
-      ctx->msg_callback =
-          (void (*)(int write_p, int version, int content_type, const void *buf,
-                    size_t len, SSL *ssl, void *arg))(fp);
-      return 1;
+int SSL_CTX_get_session_cache_mode(const SSL_CTX *ctx) {
+  return ctx->session_cache_mode;
+}
 
-    default:
-      return ctx->method->ssl_ctx_callback_ctrl(ctx, cmd, fp);
-  }
+long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) {
+  return ctx->method->ssl_ctx_ctrl(ctx, cmd, larg, parg);
 }
 
 int ssl_cipher_id_cmp(const void *in_a, const void *in_b) {
@@ -1275,7 +1131,7 @@ int ssl_cipher_ptr_id_cmp(const SSL_CIPHER **ap, const SSL_CIPHER **bp) {
 
 /* return a STACK of the ciphers available for the SSL and in order of
  * preference */
-STACK_OF(SSL_CIPHER) * SSL_get_ciphers(const SSL *s) {
+STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s) {
   if (s == NULL) {
     return NULL;
   }
@@ -1298,7 +1154,7 @@ STACK_OF(SSL_CIPHER) * SSL_get_ciphers(const SSL *s) {
 
 /* return a STACK of the ciphers available for the SSL and in order of
  * algorithm id */
-STACK_OF(SSL_CIPHER) * ssl_get_ciphers_by_id(SSL *s) {
+STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s) {
   if (s == NULL) {
     return NULL;
   }
@@ -1317,7 +1173,7 @@ STACK_OF(SSL_CIPHER) * ssl_get_ciphers_by_id(SSL *s) {
 /* The old interface to get the same thing as SSL_get_ciphers() */
 const char *SSL_get_cipher_list(const SSL *s, int n) {
   const SSL_CIPHER *c;
-  STACK_OF(SSL_CIPHER) * sk;
+  STACK_OF(SSL_CIPHER) *sk;
 
   if (s == NULL) {
     return NULL;
@@ -1341,7 +1197,7 @@ int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) {
   STACK_OF(SSL_CIPHER) *sk;
 
   sk = ssl_create_cipher_list(ctx->method, &ctx->cipher_list,
-                              &ctx->cipher_list_by_id, str, ctx->cert);
+                              &ctx->cipher_list_by_id, str);
   /* ssl_create_cipher_list may return an empty stack if it was unable to find
    * a cipher matching the given rule string (for example if the rule string
    * specifies a cipher which has been disabled). This is not an error as far
@@ -1360,8 +1216,7 @@ int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) {
 int SSL_CTX_set_cipher_list_tls11(SSL_CTX *ctx, const char *str) {
   STACK_OF(SSL_CIPHER) *sk;
 
-  sk = ssl_create_cipher_list(ctx->method, &ctx->cipher_list_tls11, NULL, str,
-                              ctx->cert);
+  sk = ssl_create_cipher_list(ctx->method, &ctx->cipher_list_tls11, NULL, str);
   if (sk == NULL) {
     return 0;
   } else if (sk_SSL_CIPHER_num(sk) == 0) {
@@ -1378,7 +1233,7 @@ int SSL_set_cipher_list(SSL *s, const char *str) {
   STACK_OF(SSL_CIPHER) *sk;
 
   sk = ssl_create_cipher_list(s->ctx->method, &s->cipher_list,
-                              &s->cipher_list_by_id, str, s->cert);
+                              &s->cipher_list_by_id, str);
 
   /* see comment in SSL_CTX_set_cipher_list */
   if (sk == NULL) {
@@ -1435,7 +1290,7 @@ int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, uint8_t *p) {
 STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, const CBS *cbs) {
   CBS cipher_suites = *cbs;
   const SSL_CIPHER *c;
-  STACK_OF(SSL_CIPHER) * sk;
+  STACK_OF(SSL_CIPHER) *sk;
 
   if (s->s3) {
     s->s3->send_connection_binding = 0;
@@ -1453,12 +1308,6 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, const CBS *cbs) {
     goto err;
   }
 
-  if (!CBS_stow(&cipher_suites, &s->cert->ciphers_raw,
-                &s->cert->ciphers_rawlen)) {
-    OPENSSL_PUT_ERROR(SSL, ssl_bytes_to_cipher_list, ERR_R_MALLOC_FAILURE);
-    goto err;
-  }
-
   while (CBS_len(&cipher_suites) > 0) {
     uint16_t cipher_suite;
 
@@ -1503,9 +1352,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, const CBS *cbs) {
   return sk;
 
 err:
-  if (sk != NULL) {
-    sk_SSL_CIPHER_free(sk);
-  }
+  sk_SSL_CIPHER_free(sk);
   return NULL;
 }
 
@@ -1691,17 +1538,9 @@ void SSL_CTX_set_next_proto_select_cb(
   ctx->next_proto_select_cb_arg = arg;
 }
 
-/* SSL_CTX_set_alpn_protos sets the ALPN protocol list on |ctx| to |protos|.
- * |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
- * length-prefixed strings).
- *
- * Returns 0 on success. */
 int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const uint8_t *protos,
                             unsigned protos_len) {
-  if (ctx->alpn_client_proto_list) {
-    OPENSSL_free(ctx->alpn_client_proto_list);
-  }
-
+  OPENSSL_free(ctx->alpn_client_proto_list);
   ctx->alpn_client_proto_list = BUF_memdup(protos, protos_len);
   if (!ctx->alpn_client_proto_list) {
     return 1;
@@ -1711,16 +1550,8 @@ int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const uint8_t *protos,
   return 0;
 }
 
-/* SSL_set_alpn_protos sets the ALPN protocol list on |ssl| to |protos|.
- * |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
- * length-prefixed strings).
- *
- * Returns 0 on success. */
 int SSL_set_alpn_protos(SSL *ssl, const uint8_t *protos, unsigned protos_len) {
-  if (ssl->alpn_client_proto_list) {
-    OPENSSL_free(ssl->alpn_client_proto_list);
-  }
-
+  OPENSSL_free(ssl->alpn_client_proto_list);
   ssl->alpn_client_proto_list = BUF_memdup(protos, protos_len);
   if (!ssl->alpn_client_proto_list) {
     return 1;
@@ -1759,15 +1590,16 @@ void SSL_get0_alpn_selected(const SSL *ssl, const uint8_t **data,
   }
 }
 
-int SSL_export_keying_material(SSL *s, uint8_t *out, size_t olen,
-                               const char *label, size_t llen, const uint8_t *p,
-                               size_t plen, int use_context) {
+int SSL_export_keying_material(SSL *s, uint8_t *out, size_t out_len,
+                               const char *label, size_t label_len,
+                               const uint8_t *context, size_t context_len,
+                               int use_context) {
   if (s->version < TLS1_VERSION) {
-    return -1;
+    return 0;
   }
 
-  return s->enc_method->export_keying_material(s, out, olen, label, llen, p,
-                                               plen, use_context);
+  return s->enc_method->export_keying_material(
+      s, out, out_len, label, label_len, context, context_len, use_context);
 }
 
 static uint32_t ssl_session_hash(const SSL_SESSION *a) {
@@ -1833,8 +1665,6 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) {
   ret->get_session_cb = 0;
   ret->generate_session_id = 0;
 
-  memset((char *)&ret->stats, 0, sizeof(ret->stats));
-
   ret->references = 1;
   ret->quiet_shutdown = 0;
 
@@ -1858,8 +1688,6 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) {
   ret->default_passwd_callback = 0;
   ret->default_passwd_callback_userdata = NULL;
   ret->client_cert_cb = 0;
-  ret->app_gen_cookie_cb = 0;
-  ret->app_verify_cookie_cb = 0;
 
   ret->sessions = lh_SSL_SESSION_new(ssl_session_hash, ssl_session_cmp);
   if (ret->sessions == NULL) {
@@ -1871,8 +1699,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) {
   }
 
   ssl_create_cipher_list(ret->method, &ret->cipher_list,
-                         &ret->cipher_list_by_id, SSL_DEFAULT_CIPHER_LIST,
-                         ret->cert);
+                         &ret->cipher_list_by_id, SSL_DEFAULT_CIPHER_LIST);
   if (ret->cipher_list == NULL ||
       sk_SSL_CIPHER_num(ret->cipher_list->ciphers) <= 0) {
     OPENSSL_PUT_ERROR(SSL, SSL_CTX_new, SSL_R_LIBRARY_HAS_NO_CIPHERS);
@@ -1889,7 +1716,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) {
     goto err;
   }
 
-  CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data);
+  CRYPTO_new_ex_data(&g_ex_data_class_ssl_ctx, ret, &ret->ex_data);
 
   ret->extra_certs = NULL;
 
@@ -1904,9 +1731,6 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) {
     ret->options |= SSL_OP_NO_TICKET;
   }
 
-  ret->tlsext_status_cb = 0;
-  ret->tlsext_status_arg = NULL;
-
   ret->next_protos_advertised_cb = 0;
   ret->next_proto_select_cb = 0;
   ret->psk_identity_hint = NULL;
@@ -1929,27 +1753,17 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) {
 err:
   OPENSSL_PUT_ERROR(SSL, SSL_CTX_new, ERR_R_MALLOC_FAILURE);
 err2:
-  if (ret != NULL) {
-    SSL_CTX_free(ret);
-  }
+  SSL_CTX_free(ret);
   return NULL;
 }
 
-void SSL_CTX_free(SSL_CTX *a) {
-  int i;
-
-  if (a == NULL) {
+void SSL_CTX_free(SSL_CTX *ctx) {
+  if (ctx == NULL ||
+      CRYPTO_add(&ctx->references, -1, CRYPTO_LOCK_SSL_CTX) > 0) {
     return;
   }
 
-  i = CRYPTO_add(&a->references, -1, CRYPTO_LOCK_SSL_CTX);
-  if (i > 0) {
-    return;
-  }
-
-  if (a->param) {
-    X509_VERIFY_PARAM_free(a->param);
-  }
+  X509_VERIFY_PARAM_free(ctx->param);
 
   /* Free internal session cache. However: the remove_cb() may reference the
    * ex_data of SSL_CTX, thus the ex_data store can only be removed after the
@@ -1957,59 +1771,27 @@ void SSL_CTX_free(SSL_CTX *a) {
    * the session cache, the most secure solution seems to be: empty (flush) the
    * cache, then free ex_data, then finally free the cache. (See ticket
    * [openssl.org #212].) */
-  if (a->sessions != NULL) {
-    SSL_CTX_flush_sessions(a, 0);
-  }
+  SSL_CTX_flush_sessions(ctx, 0);
 
-  CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data);
+  CRYPTO_free_ex_data(&g_ex_data_class_ssl_ctx, ctx, &ctx->ex_data);
 
-  if (a->sessions != NULL) {
-    lh_SSL_SESSION_free(a->sessions);
-  }
-  if (a->cert_store != NULL) {
-    X509_STORE_free(a->cert_store);
-  }
-  if (a->cipher_list != NULL) {
-    ssl_cipher_preference_list_free(a->cipher_list);
-  }
-  if (a->cipher_list_by_id != NULL) {
-    sk_SSL_CIPHER_free(a->cipher_list_by_id);
-  }
-  if (a->cipher_list_tls11 != NULL) {
-    ssl_cipher_preference_list_free(a->cipher_list_tls11);
-  }
-  if (a->cert != NULL) {
-    ssl_cert_free(a->cert);
-  }
-  if (a->client_CA != NULL) {
-    sk_X509_NAME_pop_free(a->client_CA, X509_NAME_free);
-  }
-  if (a->extra_certs != NULL) {
-    sk_X509_pop_free(a->extra_certs, X509_free);
-  }
-  if (a->srtp_profiles) {
-    sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles);
-  }
-  if (a->psk_identity_hint) {
-    OPENSSL_free(a->psk_identity_hint);
-  }
-  if (a->tlsext_ecpointformatlist) {
-    OPENSSL_free(a->tlsext_ecpointformatlist);
-  }
-  if (a->tlsext_ellipticcurvelist) {
-    OPENSSL_free(a->tlsext_ellipticcurvelist);
-  }
-  if (a->alpn_client_proto_list != NULL) {
-    OPENSSL_free(a->alpn_client_proto_list);
-  }
-  if (a->tlsext_channel_id_private) {
-    EVP_PKEY_free(a->tlsext_channel_id_private);
-  }
-  if (a->keylog_bio) {
-    BIO_free(a->keylog_bio);
-  }
+  lh_SSL_SESSION_free(ctx->sessions);
+  X509_STORE_free(ctx->cert_store);
+  ssl_cipher_preference_list_free(ctx->cipher_list);
+  sk_SSL_CIPHER_free(ctx->cipher_list_by_id);
+  ssl_cipher_preference_list_free(ctx->cipher_list_tls11);
+  ssl_cert_free(ctx->cert);
+  sk_X509_NAME_pop_free(ctx->client_CA, X509_NAME_free);
+  sk_X509_pop_free(ctx->extra_certs, X509_free);
+  sk_SRTP_PROTECTION_PROFILE_free(ctx->srtp_profiles);
+  OPENSSL_free(ctx->psk_identity_hint);
+  OPENSSL_free(ctx->tlsext_ecpointformatlist);
+  OPENSSL_free(ctx->tlsext_ellipticcurvelist);
+  OPENSSL_free(ctx->alpn_client_proto_list);
+  EVP_PKEY_free(ctx->tlsext_channel_id_private);
+  BIO_free(ctx->keylog_bio);
 
-  OPENSSL_free(a);
+  OPENSSL_free(ctx);
 }
 
 void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb) {
@@ -2051,13 +1833,12 @@ static int ssl_has_key(SSL *s, size_t idx) {
   return cpk->x509 && cpk->privatekey;
 }
 
-void ssl_get_compatible_server_ciphers(SSL *s, unsigned long *out_mask_k,
-                                       unsigned long *out_mask_a) {
+void ssl_get_compatible_server_ciphers(SSL *s, uint32_t *out_mask_k,
+                                       uint32_t *out_mask_a) {
   CERT *c = s->cert;
   int rsa_enc, rsa_sign, dh_tmp;
-  unsigned long mask_k, mask_a;
+  uint32_t mask_k, mask_a;
   int have_ecc_cert, ecdsa_ok;
-  int have_ecdh_tmp;
   X509 *x;
 
   if (c == NULL) {
@@ -2069,7 +1850,6 @@ void ssl_get_compatible_server_ciphers(SSL *s, unsigned long *out_mask_k,
 
   dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL);
 
-  have_ecdh_tmp = (c->ecdh_tmp || c->ecdh_tmp_cb || c->ecdh_tmp_auto);
   rsa_enc = ssl_has_key(s, SSL_PKEY_RSA_ENC);
   rsa_sign = ssl_has_key(s, SSL_PKEY_RSA_SIGN);
   have_ecc_cert = ssl_has_key(s, SSL_PKEY_ECC);
@@ -2080,14 +1860,12 @@ void ssl_get_compatible_server_ciphers(SSL *s, unsigned long *out_mask_k,
     mask_k |= SSL_kRSA;
   }
   if (dh_tmp) {
-    mask_k |= SSL_kEDH;
+    mask_k |= SSL_kDHE;
   }
   if (rsa_enc || rsa_sign) {
     mask_a |= SSL_aRSA;
   }
 
-  mask_a |= SSL_aNULL;
-
   /* An ECC certificate may be usable for ECDSA cipher suites depending on the
    * key usage extension and on the client's curve preferences. */
   if (have_ecc_cert) {
@@ -2107,8 +1885,8 @@ void ssl_get_compatible_server_ciphers(SSL *s, unsigned long *out_mask_k,
 
   /* If we are considering an ECC cipher suite that uses an ephemeral EC
    * key, check it. */
-  if (have_ecdh_tmp && tls1_check_ec_tmp_key(s)) {
-    mask_k |= SSL_kEECDH;
+  if (tls1_check_ec_tmp_key(s)) {
+    mask_k |= SSL_kECDHE;
   }
 
   /* PSK requires a server callback. */
@@ -2126,11 +1904,9 @@ void ssl_get_compatible_server_ciphers(SSL *s, unsigned long *out_mask_k,
   (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
 
 int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) {
-  unsigned long alg_a;
-  int signature_nid = 0, md_nid = 0, pk_nid = 0;
   const SSL_CIPHER *cs = s->s3->tmp.new_cipher;
-
-  alg_a = cs->algorithm_auth;
+  uint32_t alg_a = cs->algorithm_auth;
+  int signature_nid = 0, md_nid = 0, pk_nid = 0;
 
   /* This call populates the ex_flags field correctly */
   X509_check_purpose(x, -1, 0);
@@ -2175,13 +1951,10 @@ CERT_PKEY *ssl_get_server_send_pkey(const SSL *s) {
 }
 
 EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher) {
-  unsigned long alg_a;
-  CERT *c;
+  uint32_t alg_a = cipher->algorithm_auth;
+  CERT *c = s->cert;
   int idx = -1;
 
-  alg_a = cipher->algorithm_auth;
-  c = s->cert;
-
   if (alg_a & SSL_aRSA) {
     if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL) {
       idx = SSL_PKEY_RSA_SIGN;
@@ -2202,56 +1975,62 @@ EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher) {
 }
 
 void ssl_update_cache(SSL *s, int mode) {
-  int i;
-
-  /* If the session_id_length is 0, we are not supposed to cache it, and it
-   * would be rather hard to do anyway :-) */
+  /* Never cache sessions with empty session IDs. */
   if (s->session->session_id_length == 0) {
     return;
   }
 
-  i = s->initial_ctx->session_cache_mode;
-  if ((i & mode) && !s->hit &&
-      ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) ||
-       SSL_CTX_add_session(s->initial_ctx, s->session)) &&
-      s->initial_ctx->new_session_cb != NULL) {
-    CRYPTO_add(&s->session->references, 1, CRYPTO_LOCK_SSL_SESSION);
-    if (!s->initial_ctx->new_session_cb(s, s->session)) {
+  SSL_CTX *ctx = s->initial_ctx;
+  if ((ctx->session_cache_mode & mode) == mode && !s->hit &&
+      ((ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE) ||
+       SSL_CTX_add_session(ctx, s->session)) &&
+      ctx->new_session_cb != NULL) {
+    /* Note: |new_session_cb| is called whether the internal session cache is
+     * used or not. */
+    if (!ctx->new_session_cb(s, SSL_SESSION_up_ref(s->session))) {
       SSL_SESSION_free(s->session);
     }
   }
 
-  /* auto flush every 255 connections */
-  if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) && ((i & mode) == mode)) {
-    if ((((mode & SSL_SESS_CACHE_CLIENT)
-              ? s->initial_ctx->stats.sess_connect_good
-              : s->initial_ctx->stats.sess_accept_good) &
-         0xff) == 0xff) {
-      SSL_CTX_flush_sessions(s->initial_ctx, (unsigned long)time(NULL));
+  if (!(ctx->session_cache_mode & SSL_SESS_CACHE_NO_AUTO_CLEAR) &&
+      !(ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE) &&
+      (ctx->session_cache_mode & mode) == mode) {
+    /* Automatically flush the internal session cache every 255 connections. */
+    int flush_cache = 0;
+    CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
+    ctx->handshakes_since_cache_flush++;
+    if (ctx->handshakes_since_cache_flush >= 255) {
+      flush_cache = 1;
+      ctx->handshakes_since_cache_flush = 0;
+    }
+    CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
+
+    if (flush_cache) {
+      SSL_CTX_flush_sessions(ctx, (unsigned long)time(NULL));
     }
   }
 }
 
-int SSL_get_error(const SSL *s, int i) {
+int SSL_get_error(const SSL *s, int ret_code) {
   int reason;
-  unsigned long l;
+  uint32_t err;
   BIO *bio;
 
-  if (i > 0) {
+  if (ret_code > 0) {
     return SSL_ERROR_NONE;
   }
 
   /* Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake etc,
    * where we do encode the error */
-  l = ERR_peek_error();
-  if (l != 0) {
-    if (ERR_GET_LIB(l) == ERR_LIB_SYS) {
+  err = ERR_peek_error();
+  if (err != 0) {
+    if (ERR_GET_LIB(err) == ERR_LIB_SYS) {
       return SSL_ERROR_SYSCALL;
     }
     return SSL_ERROR_SSL;
   }
 
-  if (i == 0) {
+  if (ret_code == 0) {
     if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) &&
         (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY)) {
       /* The socket was cleanly shut down with a close_notify. */
@@ -2371,24 +2150,6 @@ void SSL_set_connect_state(SSL *s) {
   ssl_clear_cipher_ctx(s);
 }
 
-int ssl_undefined_function(SSL *s) {
-  OPENSSL_PUT_ERROR(SSL, ssl_undefined_function,
-                    ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-  return 0;
-}
-
-int ssl_undefined_void_function(void) {
-  OPENSSL_PUT_ERROR(SSL, ssl_undefined_void_function,
-                    ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-  return 0;
-}
-
-int ssl_undefined_const_function(const SSL *s) {
-  OPENSSL_PUT_ERROR(SSL, ssl_undefined_const_function,
-                    ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-  return 0;
-}
-
 static const char *ssl_get_version(int version) {
   switch (version) {
     case TLS1_2_VERSION:
@@ -2403,6 +2164,12 @@ static const char *ssl_get_version(int version) {
     case SSL3_VERSION:
       return "SSLv3";
 
+    case DTLS1_VERSION:
+      return "DTLSv1";
+
+    case DTLS1_2_VERSION:
+      return "DTLSv1.2";
+
     default:
       return "unknown";
   }
@@ -2552,15 +2319,11 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) {
     ctx = ssl->initial_ctx;
   }
 
-  if (ssl->cert != NULL) {
-    ssl_cert_free(ssl->cert);
-  }
-
+  ssl_cert_free(ssl->cert);
   ssl->cert = ssl_cert_dup(ctx->cert);
+
   CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
-  if (ssl->ctx != NULL) {
-    SSL_CTX_free(ssl->ctx); /* decrement reference count */
-  }
+  SSL_CTX_free(ssl->ctx); /* decrement reference count */
   ssl->ctx = ctx;
 
   ssl->sid_ctx_length = ctx->sid_ctx_length;
@@ -2599,8 +2362,12 @@ long SSL_get_verify_result(const SSL *ssl) { return ssl->verify_result; }
 
 int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
                          CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) {
-  return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, argl, argp, new_func,
-                                 dup_func, free_func);
+  int index;
+  if (!CRYPTO_get_ex_new_index(&g_ex_data_class_ssl, &index, argl, argp,
+                               new_func, dup_func, free_func)) {
+    return -1;
+  }
+  return index;
 }
 
 int SSL_set_ex_data(SSL *s, int idx, void *arg) {
@@ -2614,8 +2381,12 @@ void *SSL_get_ex_data(const SSL *s, int idx) {
 int SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
                              CRYPTO_EX_dup *dup_func,
                              CRYPTO_EX_free *free_func) {
-  return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_CTX, argl, argp, new_func,
-                                 dup_func, free_func);
+  int index;
+  if (!CRYPTO_get_ex_new_index(&g_ex_data_class_ssl_ctx, &index, argl, argp,
+                               new_func, dup_func, free_func)) {
+    return -1;
+  }
+  return index;
 }
 
 int SSL_CTX_set_ex_data(SSL_CTX *s, int idx, void *arg) {
@@ -2633,9 +2404,7 @@ X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx) {
 }
 
 void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store) {
-  if (ctx->cert_store != NULL) {
-    X509_STORE_free(ctx->cert_store);
-  }
+  X509_STORE_free(ctx->cert_store);
   ctx->cert_store = store;
 }
 
@@ -2644,35 +2413,33 @@ int SSL_want(const SSL *s) { return s->rwstate; }
 void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,
                                   RSA *(*cb)(SSL *ssl, int is_export,
                                              int keylength)) {
-  SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_RSA_CB, (void (*)(void))cb);
 }
 
 void SSL_set_tmp_rsa_callback(SSL *ssl, RSA *(*cb)(SSL *ssl, int is_export,
                                                    int keylength)) {
-  SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_RSA_CB, (void (*)(void))cb);
 }
 
 void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
-                                 DH *(*dh)(SSL *ssl, int is_export,
-                                           int keylength)) {
-  SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh);
+                                 DH *(*callback)(SSL *ssl, int is_export,
+                                                 int keylength)) {
+  ctx->cert->dh_tmp_cb = callback;
 }
 
-void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh)(SSL *ssl, int is_export,
-                                                 int keylength)) {
-  SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh);
+void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*callback)(SSL *ssl, int is_export,
+                                                       int keylength)) {
+  ssl->cert->dh_tmp_cb = callback;
 }
 
 void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx,
-                                   EC_KEY *(*ecdh)(SSL *ssl, int is_export,
-                                                   int keylength)) {
-  SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_ECDH_CB, (void (*)(void))ecdh);
+                                   EC_KEY *(*callback)(SSL *ssl, int is_export,
+                                                       int keylength)) {
+  ctx->cert->ecdh_tmp_cb = callback;
 }
 
 void SSL_set_tmp_ecdh_callback(SSL *ssl,
-                               EC_KEY *(*ecdh)(SSL *ssl, int is_export,
-                                               int keylength)) {
-  SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_ECDH_CB, (void (*)(void))ecdh);
+                               EC_KEY *(*callback)(SSL *ssl, int is_export,
+                                                   int keylength)) {
+  ssl->cert->ecdh_tmp_cb = callback;
 }
 
 int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint) {
@@ -2682,9 +2449,7 @@ int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint) {
     return 0;
   }
 
-  if (ctx->psk_identity_hint != NULL) {
-    OPENSSL_free(ctx->psk_identity_hint);
-  }
+  OPENSSL_free(ctx->psk_identity_hint);
 
   if (identity_hint != NULL) {
     ctx->psk_identity_hint = BUF_strdup(identity_hint);
@@ -2710,10 +2475,8 @@ int SSL_use_psk_identity_hint(SSL *s, const char *identity_hint) {
   }
 
   /* Clear currently configured hint, if any. */
-  if (s->psk_identity_hint != NULL) {
-    OPENSSL_free(s->psk_identity_hint);
-    s->psk_identity_hint = NULL;
-  }
+  OPENSSL_free(s->psk_identity_hint);
+  s->psk_identity_hint = NULL;
 
   if (identity_hint != NULL) {
     s->psk_identity_hint = BUF_strdup(identity_hint);
@@ -2786,19 +2549,26 @@ void SSL_CTX_set_msg_callback(SSL_CTX *ctx,
                               void (*cb)(int write_p, int version,
                                          int content_type, const void *buf,
                                          size_t len, SSL *ssl, void *arg)) {
-  SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
+  ctx->msg_callback = cb;
+}
+
+void SSL_CTX_set_msg_callback_arg(SSL_CTX *ctx, void *arg) {
+  ctx->msg_callback_arg = arg;
 }
+
 void SSL_set_msg_callback(SSL *ssl,
                           void (*cb)(int write_p, int version, int content_type,
                                      const void *buf, size_t len, SSL *ssl,
                                      void *arg)) {
-  SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
+  ssl->msg_callback = cb;
+}
+
+void SSL_set_msg_callback_arg(SSL *ssl, void *arg) {
+  ssl->msg_callback_arg = arg;
 }
 
 void SSL_CTX_set_keylog_bio(SSL_CTX *ctx, BIO *keylog_bio) {
-  if (ctx->keylog_bio != NULL) {
-    BIO_free(ctx->keylog_bio);
-  }
+  BIO_free(ctx->keylog_bio);
   ctx->keylog_bio = keylog_bio;
 }
 
@@ -2904,19 +2674,12 @@ int ssl_ctx_log_master_secret(SSL_CTX *ctx, const uint8_t *client_random,
   return ret;
 }
 
+int SSL_in_false_start(const SSL *s) {
+  return s->s3->tmp.in_false_start;
+}
+
 int SSL_cutthrough_complete(const SSL *s) {
-  return (
-      !s->server && /* cutthrough only applies to clients */
-      !s->hit &&    /* full-handshake */
-      s->version >= SSL3_VERSION &&
-      s->s3->in_read_app_data == 0 && /* cutthrough only applies to write() */
-      (SSL_get_mode((SSL *)s) &
-       SSL_MODE_HANDSHAKE_CUTTHROUGH) && /* cutthrough enabled */
-      ssl3_can_cutthrough(s) &&          /* cutthrough allowed */
-      s->s3->previous_server_finished_len ==
-          0 && /* not a renegotiation handshake */
-      (s->state == SSL3_ST_CR_SESSION_TICKET_A || /* ready to write app-data*/
-       s->state == SSL3_ST_CR_CHANGE || s->state == SSL3_ST_CR_FINISHED_A));
+  return SSL_in_false_start(s);
 }
 
 void SSL_get_structure_sizes(size_t *ssl_size, size_t *ssl_ctx_size,
@@ -2926,27 +2689,18 @@ void SSL_get_structure_sizes(size_t *ssl_size, size_t *ssl_ctx_size,
   *ssl_session_size = sizeof(SSL_SESSION);
 }
 
-int ssl3_can_cutthrough(const SSL *s) {
-  const SSL_CIPHER *c;
-
-  /* require a strong enough cipher */
-  if (SSL_get_cipher_bits(s, NULL) < 128) {
-    return 0;
-  }
-
-  /* require ALPN or NPN extension */
-  if (!s->s3->alpn_selected && !s->s3->next_proto_neg_seen) {
-    return 0;
-  }
-
-  /* require a forward-secret cipher */
-  c = SSL_get_current_cipher(s);
-  if (!c ||
-      (c->algorithm_mkey != SSL_kEDH && c->algorithm_mkey != SSL_kEECDH)) {
-    return 0;
-  }
+int ssl3_can_false_start(const SSL *s) {
+  const SSL_CIPHER *const cipher = SSL_get_current_cipher(s);
 
-  return 1;
+  /* False Start only for TLS 1.2 with an ECDHE+AEAD cipher and ALPN or NPN. */
+  return !SSL_IS_DTLS(s) &&
+      SSL_version(s) >= TLS1_2_VERSION &&
+      (s->s3->alpn_selected || s->s3->next_proto_neg_seen) &&
+      cipher != NULL &&
+      cipher->algorithm_mkey == SSL_kECDHE &&
+      (cipher->algorithm_enc == SSL_AES128GCM ||
+       cipher->algorithm_enc == SSL_AES256GCM ||
+       cipher->algorithm_enc == SSL_CHACHA20POLY1305);
 }
 
 const SSL3_ENC_METHOD *ssl3_get_enc_method(uint16_t version) {
@@ -2957,18 +2711,14 @@ const SSL3_ENC_METHOD *ssl3_get_enc_method(uint16_t version) {
     case TLS1_VERSION:
       return &TLSv1_enc_data;
 
+    case DTLS1_VERSION:
     case TLS1_1_VERSION:
       return &TLSv1_1_enc_data;
 
+    case DTLS1_2_VERSION:
     case TLS1_2_VERSION:
       return &TLSv1_2_enc_data;
 
-    case DTLS1_VERSION:
-      return &DTLSv1_enc_data;
-
-    case DTLS1_2_VERSION:
-      return &DTLSv1_2_enc_data;
-
     default:
       return NULL;
   }
@@ -3016,7 +2766,7 @@ uint16_t ssl3_get_mutual_version(SSL *s, uint16_t client_version) {
     if (client_version <= DTLS1_2_VERSION && !(s->options & SSL_OP_NO_DTLSv1_2)) {
       version = DTLS1_2_VERSION;
     } else if (client_version <= DTLS1_VERSION &&
-             !(s->options & SSL_OP_NO_DTLSv1)) {
+               !(s->options & SSL_OP_NO_DTLSv1)) {
       version = DTLS1_VERSION;
     }
 
@@ -3051,7 +2801,7 @@ uint16_t ssl3_get_mutual_version(SSL *s, uint16_t client_version) {
 }
 
 uint16_t ssl3_get_max_client_version(SSL *s) {
-  unsigned long options = s->options;
+  uint32_t options = s->options;
   uint16_t version = 0;
 
   /* OpenSSL's API for controlling versions entails blacklisting individual
@@ -3169,6 +2919,41 @@ int SSL_cache_hit(SSL *s) { return s->hit; }
 
 int SSL_is_server(SSL *s) { return s->server; }
 
+void SSL_CTX_set_dos_protection_cb(
+    SSL_CTX *ctx, int (*cb)(const struct ssl_early_callback_ctx *)) {
+  ctx->dos_protection_cb = cb;
+}
+
 void SSL_enable_fastradio_padding(SSL *s, char on_off) {
   s->fastradio_padding = on_off;
 }
+
+void SSL_set_reject_peer_renegotiations(SSL *s, int reject) {
+  s->reject_peer_renegotiations = !!reject;
+}
+
+const SSL_CIPHER *SSL_get_cipher_by_value(uint16_t value) {
+  return ssl3_get_cipher_by_value(value);
+}
+
+int SSL_get_rc4_state(const SSL *ssl, const RC4_KEY **read_key,
+                      const RC4_KEY **write_key) {
+  if (ssl->aead_read_ctx == NULL || ssl->aead_write_ctx == NULL) {
+    return 0;
+  }
+
+  return EVP_AEAD_CTX_get_rc4_state(&ssl->aead_read_ctx->ctx, read_key) &&
+         EVP_AEAD_CTX_get_rc4_state(&ssl->aead_write_ctx->ctx, write_key);
+}
+
+int SSL_CTX_sess_connect(const SSL_CTX *ctx) { return 0; }
+int SSL_CTX_sess_connect_good(const SSL_CTX *ctx) { return 0; }
+int SSL_CTX_sess_connect_renegotiate(const SSL_CTX *ctx) { return 0; }
+int SSL_CTX_sess_accept(const SSL_CTX *ctx) { return 0; }
+int SSL_CTX_sess_accept_renegotiate(const SSL_CTX *ctx) { return 0; }
+int SSL_CTX_sess_accept_good(const SSL_CTX *ctx) { return 0; }
+int SSL_CTX_sess_hits(const SSL_CTX *ctx) { return 0; }
+int SSL_CTX_sess_cb_hits(const SSL_CTX *ctx) { return 0; }
+int SSL_CTX_sess_misses(const SSL_CTX *ctx) { return 0; }
+int SSL_CTX_sess_timeouts(const SSL_CTX *ctx) { return 0; }
+int SSL_CTX_sess_cache_full(const SSL_CTX *ctx) { return 0; }
diff --git a/src/ssl/ssl_rsa.c b/src/ssl/ssl_rsa.c
index 3d1bc62..87f4c1c 100644
--- a/src/ssl/ssl_rsa.c
+++ b/src/ssl/ssl_rsa.c
@@ -64,7 +64,7 @@
 #include <openssl/pem.h>
 #include <openssl/x509.h>
 
-#include "ssl_locl.h"
+#include "internal.h"
 
 static int ssl_set_cert(CERT *c, X509 *x509);
 static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey);
@@ -74,10 +74,6 @@ int SSL_use_certificate(SSL *ssl, X509 *x) {
     OPENSSL_PUT_ERROR(SSL, SSL_use_certificate, ERR_R_PASSED_NULL_PARAMETER);
     return 0;
   }
-  if (!ssl_cert_inst(&ssl->cert)) {
-    OPENSSL_PUT_ERROR(SSL, SSL_use_certificate, ERR_R_MALLOC_FAILURE);
-    return 0;
-  }
   return ssl_set_cert(ssl->cert, x);
 }
 
@@ -118,12 +114,8 @@ int SSL_use_certificate_file(SSL *ssl, const char *file, int type) {
   ret = SSL_use_certificate(ssl, x);
 
 end:
-  if (x != NULL) {
-    X509_free(x);
-  }
-  if (in != NULL) {
-    BIO_free(in);
-  }
+  X509_free(x);
+  BIO_free(in);
 
   return ret;
 }
@@ -152,11 +144,6 @@ int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) {
     return 0;
   }
 
-  if (!ssl_cert_inst(&ssl->cert)) {
-    OPENSSL_PUT_ERROR(SSL, SSL_use_RSAPrivateKey, ERR_R_MALLOC_FAILURE);
-    return 0;
-  }
-
   pkey = EVP_PKEY_new();
   if (pkey == NULL) {
     OPENSSL_PUT_ERROR(SSL, SSL_use_RSAPrivateKey, ERR_R_EVP_LIB);
@@ -182,12 +169,6 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) {
   }
 
   if (c->pkeys[i].x509 != NULL) {
-    EVP_PKEY *pktmp;
-    pktmp = X509_get_pubkey(c->pkeys[i].x509);
-    EVP_PKEY_copy_parameters(pktmp, pkey);
-    EVP_PKEY_free(pktmp);
-    ERR_clear_error();
-
     /* Sanity-check that the private key and the certificate match, unless the
      * key is opaque (in case of, say, a smartcard). */
     if (!EVP_PKEY_is_opaque(pkey) &&
@@ -198,10 +179,8 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) {
     }
   }
 
-  if (c->pkeys[i].privatekey != NULL) {
-    EVP_PKEY_free(c->pkeys[i].privatekey);
-  }
-  c->pkeys[i].privatekey = EVP_PKEY_dup(pkey);
+  EVP_PKEY_free(c->pkeys[i].privatekey);
+  c->pkeys[i].privatekey = EVP_PKEY_up_ref(pkey);
   c->key = &(c->pkeys[i]);
 
   return 1;
@@ -244,9 +223,7 @@ int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type) {
   RSA_free(rsa);
 
 end:
-  if (in != NULL) {
-    BIO_free(in);
-  }
+  BIO_free(in);
   return ret;
 }
 
@@ -275,11 +252,6 @@ int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey) {
     return 0;
   }
 
-  if (!ssl_cert_inst(&ssl->cert)) {
-    OPENSSL_PUT_ERROR(SSL, SSL_use_PrivateKey, ERR_R_MALLOC_FAILURE);
-    return 0;
-  }
-
   ret = ssl_set_pkey(ssl->cert, pkey);
   return ret;
 }
@@ -320,9 +292,7 @@ int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type) {
   EVP_PKEY_free(pkey);
 
 end:
-  if (in != NULL) {
-    BIO_free(in);
-  }
+  BIO_free(in);
   return ret;
 }
 
@@ -349,10 +319,6 @@ int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x) {
                       ERR_R_PASSED_NULL_PARAMETER);
     return 0;
   }
-  if (!ssl_cert_inst(&ctx->cert)) {
-    OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_certificate, ERR_R_MALLOC_FAILURE);
-    return 0;
-  }
 
   return ssl_set_cert(ctx->cert, x);
 }
@@ -375,9 +341,6 @@ static int ssl_set_cert(CERT *c, X509 *x) {
   }
 
   if (c->pkeys[i].privatekey != NULL) {
-    EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey);
-    ERR_clear_error();
-
     /* Sanity-check that the private key and the certificate match, unless the
      * key is opaque (in case of, say, a smartcard). */
     if (!EVP_PKEY_is_opaque(c->pkeys[i].privatekey) &&
@@ -394,9 +357,7 @@ static int ssl_set_cert(CERT *c, X509 *x) {
 
   EVP_PKEY_free(pkey);
 
-  if (c->pkeys[i].x509 != NULL) {
-    X509_free(c->pkeys[i].x509);
-  }
+  X509_free(c->pkeys[i].x509);
   c->pkeys[i].x509 = X509_up_ref(x);
   c->key = &(c->pkeys[i]);
 
@@ -441,12 +402,8 @@ int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type) {
   ret = SSL_CTX_use_certificate(ctx, x);
 
 end:
-  if (x != NULL) {
-    X509_free(x);
-  }
-  if (in != NULL) {
-    BIO_free(in);
-  }
+  X509_free(x);
+  BIO_free(in);
   return ret;
 }
 
@@ -475,11 +432,6 @@ int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) {
     return 0;
   }
 
-  if (!ssl_cert_inst(&ctx->cert)) {
-    OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_RSAPrivateKey, ERR_R_MALLOC_FAILURE);
-    return 0;
-  }
-
   pkey = EVP_PKEY_new();
   if (pkey == NULL) {
     OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_RSAPrivateKey, ERR_R_EVP_LIB);
@@ -531,9 +483,7 @@ int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type) {
   RSA_free(rsa);
 
 end:
-  if (in != NULL) {
-    BIO_free(in);
-  }
+  BIO_free(in);
   return ret;
 }
 
@@ -560,11 +510,6 @@ int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) {
     return 0;
   }
 
-  if (!ssl_cert_inst(&ctx->cert)) {
-    OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_PrivateKey, ERR_R_MALLOC_FAILURE);
-    return 0;
-  }
-
   return ssl_set_pkey(ctx->cert, pkey);
 }
 
@@ -604,9 +549,7 @@ int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type) {
   EVP_PKEY_free(pkey);
 
 end:
-  if (in != NULL) {
-    BIO_free(in);
-  }
+  BIO_free(in);
   return ret;
 }
 
@@ -668,7 +611,7 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) {
      * certificates. */
     X509 *ca;
     int r;
-    unsigned long err;
+    uint32_t err;
 
     SSL_CTX_clear_chain_certs(ctx);
 
@@ -697,11 +640,7 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) {
   }
 
 end:
-  if (x != NULL) {
-    X509_free(x);
-  }
-  if (in != NULL) {
-    BIO_free(in);
-  }
+  X509_free(x);
+  BIO_free(in);
   return ret;
 }
diff --git a/src/ssl/ssl_sess.c b/src/ssl/ssl_sess.c
index c5069d8..3eb428f 100644
--- a/src/ssl/ssl_sess.c
+++ b/src/ssl/ssl_sess.c
@@ -134,22 +134,26 @@
  * OTHERWISE. */
 
 #include <stdio.h>
+#include <string.h>
 
-#include <openssl/engine.h>
 #include <openssl/err.h>
 #include <openssl/lhash.h>
 #include <openssl/mem.h>
 #include <openssl/rand.h>
 
-#include "ssl_locl.h"
+#include "internal.h"
+#include "../crypto/internal.h"
+
 
 /* The address of this is a magic value, a pointer to which is returned by
  * SSL_magic_pending_session_ptr(). It allows a session callback to indicate
  * that it needs to asynchronously fetch session information. */
 static const char g_pending_session_magic = 0;
 
+static CRYPTO_EX_DATA_CLASS g_ex_data_class = CRYPTO_EX_DATA_CLASS_INIT;
+
 static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
-static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s);
+static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s);
 static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
 
 SSL_SESSION *SSL_magic_pending_session_ptr(void) {
@@ -164,25 +168,18 @@ SSL_SESSION *SSL_get_session(const SSL *ssl)
 
 SSL_SESSION *SSL_get1_session(SSL *ssl) {
   /* variant of SSL_get_session: caller really gets something */
-  SSL_SESSION *sess;
-  /* Need to lock this all up rather than just use CRYPTO_add so that
-   * somebody doesn't free ssl->session between when we check it's
-   * non-null and when we up the reference count. */
-  CRYPTO_w_lock(CRYPTO_LOCK_SSL_SESSION);
-  sess = ssl->session;
-  if (sess) {
-    sess->references++;
-  }
-  CRYPTO_w_unlock(CRYPTO_LOCK_SSL_SESSION);
-
-  return sess;
+  return SSL_SESSION_up_ref(ssl->session);
 }
 
 int SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
                                  CRYPTO_EX_dup *dup_func,
                                  CRYPTO_EX_free *free_func) {
-  return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_SESSION, argl, argp,
-                                 new_func, dup_func, free_func);
+  int index;
+  if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp, new_func,
+                               dup_func, free_func)) {
+    return -1;
+  }
+  return index;
 }
 
 int SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, void *arg) {
@@ -207,7 +204,7 @@ SSL_SESSION *SSL_SESSION_new(void) {
   ss->references = 1;
   ss->timeout = SSL_DEFAULT_SESSION_TIMEOUT;
   ss->time = (unsigned long)time(NULL);
-  CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
+  CRYPTO_new_ex_data(&g_ex_data_class, ss, &ss->ex_data);
   return ss;
 }
 
@@ -275,10 +272,8 @@ int ssl_get_new_session(SSL *s, int session) {
     ss->timeout = s->initial_ctx->session_timeout;
   }
 
-  if (s->session != NULL) {
-    SSL_SESSION_free(s->session);
-    s->session = NULL;
-  }
+  SSL_SESSION_free(s->session);
+  s->session = NULL;
 
   if (session) {
     if (s->version == SSL3_VERSION || s->version == TLS1_VERSION ||
@@ -425,15 +420,9 @@ int ssl_get_prev_session(SSL *s, const struct ssl_early_callback_ctx *ctx) {
     }
     memcpy(data.session_id, ctx->session_id, ctx->session_id_len);
     CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
-    ret = lh_SSL_SESSION_retrieve(s->initial_ctx->sessions, &data);
-    if (ret != NULL) {
-      /* don't allow other threads to steal it: */
-      CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_SSL_SESSION);
-    }
+    ret = SSL_SESSION_up_ref(lh_SSL_SESSION_retrieve(s->initial_ctx->sessions,
+                                                     &data));
     CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
-    if (ret == NULL) {
-      s->initial_ctx->stats.sess_miss++;
-    }
   }
 
   if (try_session_cache && ret == NULL &&
@@ -448,14 +437,13 @@ int ssl_get_prev_session(SSL *s, const struct ssl_early_callback_ctx *ctx) {
          * unwind the stack and figure out the session asynchronously. */
         return PENDING_SESSION;
       }
-      s->initial_ctx->stats.sess_cb_hit++;
 
       /* Increment reference count now if the session callback asks us to do so
        * (note that if the session structures returned by the callback are
        * shared between threads, it must handle the reference count itself
        * [i.e. copy == 0], or things won't be thread-safe). */
       if (copy) {
-        CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_SSL_SESSION);
+        SSL_SESSION_up_ref(ret);
       }
 
       /* Add the externally cached session to the internal cache as well if and
@@ -499,7 +487,6 @@ int ssl_get_prev_session(SSL *s, const struct ssl_early_callback_ctx *ctx) {
 
   if (ret->timeout < (long)(time(NULL) - ret->time)) {
     /* timeout */
-    s->initial_ctx->stats.sess_timeout++;
     if (try_session_cache) {
       /* session was from the cache, so remove it */
       SSL_CTX_remove_session(s->initial_ctx, ret);
@@ -507,11 +494,7 @@ int ssl_get_prev_session(SSL *s, const struct ssl_early_callback_ctx *ctx) {
     goto err;
   }
 
-  s->initial_ctx->stats.sess_hit++;
-
-  if (s->session != NULL) {
-    SSL_SESSION_free(s->session);
-  }
+  SSL_SESSION_free(s->session);
   s->session = ret;
   s->verify_result = s->session->verify_result;
   return 1;
@@ -538,7 +521,7 @@ int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c) {
   /* add just 1 reference count for the SSL_CTX's session cache even though it
    * has two ways of access: each session is in a doubly linked list and an
    * lhash */
-  CRYPTO_add(&c->references, 1, CRYPTO_LOCK_SSL_SESSION);
+  SSL_SESSION_up_ref(c);
   /* if session c is in already in cache, we take back the increment later */
 
   CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
@@ -579,7 +562,6 @@ int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c) {
         if (!remove_session_lock(ctx, ctx->session_cache_tail, 0)) {
           break;
         }
-        ctx->stats.sess_cache_full++;
       }
     }
   }
@@ -623,45 +605,32 @@ static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lock) {
   return ret;
 }
 
-void SSL_SESSION_free(SSL_SESSION *ss) {
-  int i;
-
-  if (ss == NULL) {
-    return;
+SSL_SESSION *SSL_SESSION_up_ref(SSL_SESSION *session) {
+  if (session) {
+    CRYPTO_add(&session->references, 1, CRYPTO_LOCK_SSL_SESSION);
   }
+  return session;
+}
 
-  i = CRYPTO_add(&ss->references, -1, CRYPTO_LOCK_SSL_SESSION);
-  if (i > 0) {
+void SSL_SESSION_free(SSL_SESSION *session) {
+  if (session == NULL ||
+      CRYPTO_add(&session->references, -1, CRYPTO_LOCK_SSL_SESSION) > 0) {
     return;
   }
 
-  CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
+  CRYPTO_free_ex_data(&g_ex_data_class, session, &session->ex_data);
 
-  OPENSSL_cleanse(ss->master_key, sizeof ss->master_key);
-  OPENSSL_cleanse(ss->session_id, sizeof ss->session_id);
-  if (ss->sess_cert != NULL) {
-    ssl_sess_cert_free(ss->sess_cert);
-  }
-  if (ss->peer != NULL) {
-    X509_free(ss->peer);
-  }
-  if (ss->tlsext_hostname != NULL) {
-    OPENSSL_free(ss->tlsext_hostname);
-  }
-  if (ss->tlsext_tick != NULL) {
-    OPENSSL_free(ss->tlsext_tick);
-  }
-  if (ss->tlsext_signed_cert_timestamp_list != NULL) {
-    OPENSSL_free(ss->tlsext_signed_cert_timestamp_list);
-  }
-  if (ss->ocsp_response != NULL) {
-    OPENSSL_free(ss->ocsp_response);
-  }
-  if (ss->psk_identity != NULL) {
-    OPENSSL_free(ss->psk_identity);
-  }
-  OPENSSL_cleanse(ss, sizeof(*ss));
-  OPENSSL_free(ss);
+  OPENSSL_cleanse(session->master_key, sizeof(session->master_key));
+  OPENSSL_cleanse(session->session_id, sizeof(session->session_id));
+  ssl_sess_cert_free(session->sess_cert);
+  X509_free(session->peer);
+  OPENSSL_free(session->tlsext_hostname);
+  OPENSSL_free(session->tlsext_tick);
+  OPENSSL_free(session->tlsext_signed_cert_timestamp_list);
+  OPENSSL_free(session->ocsp_response);
+  OPENSSL_free(session->psk_identity);
+  OPENSSL_cleanse(session, sizeof(*session));
+  OPENSSL_free(session);
 }
 
 int SSL_set_session(SSL *s, SSL_SESSION *session) {
@@ -669,12 +638,10 @@ int SSL_set_session(SSL *s, SSL_SESSION *session) {
     return 1;
   }
 
-  if (s->session != NULL) {
-    SSL_SESSION_free(s->session);
-  }
+  SSL_SESSION_free(s->session);
   s->session = session;
   if (session != NULL) {
-    CRYPTO_add(&session->references, 1, CRYPTO_LOCK_SSL_SESSION);
+    SSL_SESSION_up_ref(session);
     s->verify_result = session->verify_result;
   }
 
@@ -753,7 +720,7 @@ long SSL_CTX_get_timeout(const SSL_CTX *s) {
 typedef struct timeout_param_st {
   SSL_CTX *ctx;
   long time;
-  LHASH_OF(SSL_SESSION) * cache;
+  LHASH_OF(SSL_SESSION) *cache;
 } TIMEOUT_PARAM;
 
 static void timeout_doall_arg(SSL_SESSION *sess, void *void_param) {
@@ -896,18 +863,6 @@ int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509,
   return ctx->client_cert_cb;
 }
 
-void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx,
-                                    int (*cb)(SSL *ssl, uint8_t *cookie,
-                                              size_t *cookie_len)) {
-  ctx->app_gen_cookie_cb = cb;
-}
-
-void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx,
-                                  int (*cb)(SSL *ssl, const uint8_t *cookie,
-                                            size_t cookie_len)) {
-  ctx->app_verify_cookie_cb = cb;
-}
-
 void SSL_CTX_set_channel_id_cb(SSL_CTX *ctx,
                                void (*cb)(SSL *ssl, EVP_PKEY **pkey)) {
   ctx->channel_id_cb = cb;
diff --git a/src/ssl/ssl_stat.c b/src/ssl/ssl_stat.c
index 450ed7c..8bed9ad 100644
--- a/src/ssl/ssl_stat.c
+++ b/src/ssl/ssl_stat.c
@@ -83,7 +83,7 @@
  */
 
 #include <stdio.h>
-#include "ssl_locl.h"
+#include "internal.h"
 
 const char *SSL_state_string_long(const SSL *s) {
   const char *str;
@@ -382,14 +382,6 @@ const char *SSL_state_string_long(const SSL *s) {
       str = "DTLS1 read hello verify request B";
       break;
 
-    case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A:
-      str = "DTLS1 write hello verify request A";
-      break;
-
-    case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B:
-      str = "DTLS1 write hello verify request B";
-      break;
-
     default:
       str = "unknown state";
       break;
@@ -691,14 +683,6 @@ const char *SSL_state_string(const SSL *s) {
       str = "DRCHVB";
       break;
 
-    case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A:
-      str = "DWCHVA";
-      break;
-
-    case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B:
-      str = "DWCHVB";
-      break;
-
     default:
       str = "UNKWN ";
       break;
diff --git a/src/ssl/ssl_test.c b/src/ssl/ssl_test.cc
index 70291a2..7886304 100644
--- a/src/ssl/ssl_test.c
+++ b/src/ssl/ssl_test.cc
@@ -15,40 +15,45 @@
 #include <stdio.h>
 #include <string.h>
 
+#include <string>
+#include <vector>
+
 #include <openssl/base64.h>
 #include <openssl/bio.h>
 #include <openssl/err.h>
 #include <openssl/ssl.h>
 
-typedef struct {
-  int id;
+#include "test/scoped_types.h"
+
+struct ExpectedCipher {
+  unsigned long id;
   int in_group_flag;
-} EXPECTED_CIPHER;
+};
 
-typedef struct {
-  /* The rule string to apply. */
+struct CipherTest {
+  // The rule string to apply.
   const char *rule;
-  /* The list of expected ciphers, in order, terminated with -1. */
-  const EXPECTED_CIPHER *expected;
-} CIPHER_TEST;
+  // The list of expected ciphers, in order, terminated with -1.
+  const ExpectedCipher *expected;
+};
 
-/* Selecting individual ciphers should work. */
+// Selecting individual ciphers should work.
 static const char kRule1[] =
     "ECDHE-ECDSA-CHACHA20-POLY1305:"
     "ECDHE-RSA-CHACHA20-POLY1305:"
     "ECDHE-ECDSA-AES128-GCM-SHA256:"
     "ECDHE-RSA-AES128-GCM-SHA256";
 
-static const EXPECTED_CIPHER kExpected1[] = {
+static const ExpectedCipher kExpected1[] = {
   { TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, 0 },
   { TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, 0 },
   { TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0 },
   { TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0 },
-  { -1, -1 },
+  { 0, 0 },
 };
 
-/* + reorders selected ciphers to the end, keeping their relative
- * order. */
+// + reorders selected ciphers to the end, keeping their relative
+// order.
 static const char kRule2[] =
     "ECDHE-ECDSA-CHACHA20-POLY1305:"
     "ECDHE-RSA-CHACHA20-POLY1305:"
@@ -56,15 +61,15 @@ static const char kRule2[] =
     "ECDHE-RSA-AES128-GCM-SHA256:"
     "+aRSA";
 
-static const EXPECTED_CIPHER kExpected2[] = {
+static const ExpectedCipher kExpected2[] = {
   { TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, 0 },
   { TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0 },
   { TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, 0 },
   { TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0 },
-  { -1, -1 },
+  { 0, 0 },
 };
 
-/* ! banishes ciphers from future selections. */
+// ! banishes ciphers from future selections.
 static const char kRule3[] =
     "!aRSA:"
     "ECDHE-ECDSA-CHACHA20-POLY1305:"
@@ -72,35 +77,35 @@ static const char kRule3[] =
     "ECDHE-ECDSA-AES128-GCM-SHA256:"
     "ECDHE-RSA-AES128-GCM-SHA256";
 
-static const EXPECTED_CIPHER kExpected3[] = {
+static const ExpectedCipher kExpected3[] = {
   { TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, 0 },
   { TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0 },
-  { -1, -1 },
+  { 0, 0 },
 };
 
-/* Multiple masks can be ANDed in a single rule. */
+// Multiple masks can be ANDed in a single rule.
 static const char kRule4[] = "kRSA+AESGCM+AES128";
 
-static const EXPECTED_CIPHER kExpected4[] = {
+static const ExpectedCipher kExpected4[] = {
   { TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0 },
-  { -1, -1 },
+  { 0, 0 },
 };
 
-/* - removes selected ciphers, but preserves their order for future
- * selections. Select AES_128_GCM, but order the key exchanges RSA,
- * DHE_RSA, ECDHE_RSA. */
+// - removes selected ciphers, but preserves their order for future
+// selections. Select AES_128_GCM, but order the key exchanges RSA,
+// DHE_RSA, ECDHE_RSA.
 static const char kRule5[] =
-    "ALL:-kEECDH:-kEDH:-kRSA:-ALL:"
+    "ALL:-kECDHE:-kDHE:-kRSA:-ALL:"
     "AESGCM+AES128+aRSA";
 
-static const EXPECTED_CIPHER kExpected5[] = {
+static const ExpectedCipher kExpected5[] = {
   { TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0 },
   { TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256, 0 },
   { TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0 },
-  { -1, -1 },
+  { 0, 0 },
 };
 
-/* Unknown selectors are no-ops. */
+// Unknown selectors are no-ops.
 static const char kRule6[] =
     "ECDHE-ECDSA-CHACHA20-POLY1305:"
     "ECDHE-RSA-CHACHA20-POLY1305:"
@@ -108,44 +113,44 @@ static const char kRule6[] =
     "ECDHE-RSA-AES128-GCM-SHA256:"
     "BOGUS1:-BOGUS2:+BOGUS3:!BOGUS4";
 
-static const EXPECTED_CIPHER kExpected6[] = {
+static const ExpectedCipher kExpected6[] = {
   { TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, 0 },
   { TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, 0 },
   { TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0 },
   { TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0 },
-  { -1, -1 },
+  { 0, 0 },
 };
 
-/* Square brackets specify equi-preference groups. */
+// Square brackets specify equi-preference groups.
 static const char kRule7[] =
     "[ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]:"
     "[ECDHE-RSA-CHACHA20-POLY1305]:"
     "ECDHE-RSA-AES128-GCM-SHA256";
 
-static const EXPECTED_CIPHER kExpected7[] = {
+static const ExpectedCipher kExpected7[] = {
   { TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, 1 },
   { TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0 },
   { TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, 0 },
   { TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0 },
-  { -1, -1 },
+  { 0, 0 },
 };
 
-/* @STRENGTH performs a stable strength-sort of the selected
- * ciphers and only the selected ciphers. */
+// @STRENGTH performs a stable strength-sort of the selected
+// ciphers and only the selected ciphers.
 static const char kRule8[] =
-    /* To simplify things, banish all but {ECDHE_RSA,RSA} x
-     * {CHACHA20,AES_256_CBC,AES_128_CBC,RC4} x SHA1. */
+    // To simplify things, banish all but {ECDHE_RSA,RSA} x
+    // {CHACHA20,AES_256_CBC,AES_128_CBC,RC4} x SHA1.
     "!kEDH:!AESGCM:!3DES:!SHA256:!MD5:!SHA384:"
-    /* Order some ciphers backwards by strength. */
+    // Order some ciphers backwards by strength.
     "ALL:-CHACHA20:-AES256:-AES128:-RC4:-ALL:"
-    /* Select ECDHE ones and sort them by strength. Ties should resolve
-     * based on the order above. */
-    "kEECDH:@STRENGTH:-ALL:"
-    /* Now bring back everything uses RSA. ECDHE_RSA should be first,
-     * sorted by strength. Then RSA, backwards by strength. */
+    // Select ECDHE ones and sort them by strength. Ties should resolve
+    // based on the order above.
+    "kECDHE:@STRENGTH:-ALL:"
+    // Now bring back everything uses RSA. ECDHE_RSA should be first,
+    // sorted by strength. Then RSA, backwards by strength.
     "aRSA";
 
-static const EXPECTED_CIPHER kExpected8[] = {
+static const ExpectedCipher kExpected8[] = {
   { TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0 },
   { TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, 0 },
   { TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA, 0 },
@@ -153,10 +158,24 @@ static const EXPECTED_CIPHER kExpected8[] = {
   { SSL3_CK_RSA_RC4_128_SHA, 0 },
   { TLS1_CK_RSA_WITH_AES_128_SHA, 0 },
   { TLS1_CK_RSA_WITH_AES_256_SHA, 0 },
-  { -1, -1 },
+  { 0, 0 },
+};
+
+// Exact ciphers may not be used in multi-part rules; they are treated
+// as unknown aliases.
+static const char kRule9[] =
+    "ECDHE-ECDSA-CHACHA20-POLY1305:"
+    "ECDHE-RSA-CHACHA20-POLY1305:"
+    "!ECDHE-RSA-CHACHA20-POLY1305+RSA:"
+    "!ECDSA+ECDHE-ECDSA-CHACHA20-POLY1305";
+
+static const ExpectedCipher kExpected9[] = {
+  { TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, 0 },
+  { TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, 0 },
+  { 0, 0 },
 };
 
-static CIPHER_TEST kCipherTests[] = {
+static CipherTest kCipherTests[] = {
   { kRule1, kExpected1 },
   { kRule2, kExpected2 },
   { kRule3, kExpected3 },
@@ -165,24 +184,27 @@ static CIPHER_TEST kCipherTests[] = {
   { kRule6, kExpected6 },
   { kRule7, kExpected7 },
   { kRule8, kExpected8 },
+  { kRule9, kExpected9 },
   { NULL, NULL },
 };
 
 static const char *kBadRules[] = {
-  /* Invalid brackets. */
+  // Invalid brackets.
   "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256",
   "RSA]",
   "[[RSA]]",
-  /* Operators inside brackets */
+  // Operators inside brackets.
   "[+RSA]",
-  /* Unknown directive. */
+  // Unknown directive.
   "@BOGUS",
-  /* Empty cipher lists error at SSL_CTX_set_cipher_list. */
+  // Empty cipher lists error at SSL_CTX_set_cipher_list.
   "",
   "BOGUS",
-  /* Invalid command. */
+  // COMPLEMENTOFDEFAULT is empty.
+  "COMPLEMENTOFDEFAULT",
+  // Invalid command.
   "?BAR",
-  /* Special operators are not allowed if groups are used. */
+  // Special operators are not allowed if groups are used.
   "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:+FOO",
   "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:!FOO",
   "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:-FOO",
@@ -190,15 +212,13 @@ static const char *kBadRules[] = {
   NULL,
 };
 
-static void print_cipher_preference_list(
-    struct ssl_cipher_preference_list_st *list) {
-  size_t i;
-  int in_group = 0;
-  for (i = 0; i < sk_SSL_CIPHER_num(list->ciphers); i++) {
+static void PrintCipherPreferenceList(ssl_cipher_preference_list_st *list) {
+  bool in_group = false;
+  for (size_t i = 0; i < sk_SSL_CIPHER_num(list->ciphers); i++) {
     const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(list->ciphers, i);
     if (!in_group && list->in_group_flags[i]) {
       fprintf(stderr, "\t[\n");
-      in_group = 1;
+      in_group = true;
     }
     fprintf(stderr, "\t");
     if (in_group) {
@@ -207,69 +227,68 @@ static void print_cipher_preference_list(
     fprintf(stderr, "%s\n", SSL_CIPHER_get_name(cipher));
     if (in_group && !list->in_group_flags[i]) {
       fprintf(stderr, "\t]\n");
-      in_group = 0;
+      in_group = false;
     }
   }
 }
 
-static int test_cipher_rule(CIPHER_TEST *t) {
-  int ret = 0;
-  SSL_CTX *ctx = SSL_CTX_new(SSLv23_server_method());
-  size_t i;
+static bool TestCipherRule(CipherTest *t) {
+  ScopedSSL_CTX ctx(SSL_CTX_new(TLS_method()));
+  if (!ctx) {
+    return false;
+  }
 
-  if (!SSL_CTX_set_cipher_list(ctx, t->rule)) {
+  if (!SSL_CTX_set_cipher_list(ctx.get(), t->rule)) {
     fprintf(stderr, "Error testing cipher rule '%s'\n", t->rule);
-    BIO_print_errors_fp(stderr);
-    goto done;
+    return false;
   }
 
-  /* Compare the two lists. */
+  // Compare the two lists.
+  size_t i;
   for (i = 0; i < sk_SSL_CIPHER_num(ctx->cipher_list->ciphers); i++) {
     const SSL_CIPHER *cipher =
         sk_SSL_CIPHER_value(ctx->cipher_list->ciphers, i);
     if (t->expected[i].id != SSL_CIPHER_get_id(cipher) ||
         t->expected[i].in_group_flag != ctx->cipher_list->in_group_flags[i]) {
-      fprintf(stderr, "Error: cipher rule '%s' evaluted to:\n", t->rule);
-      print_cipher_preference_list(ctx->cipher_list);
-      goto done;
+      fprintf(stderr, "Error: cipher rule '%s' evaluated to:\n", t->rule);
+      PrintCipherPreferenceList(ctx->cipher_list);
+      return false;
     }
   }
 
-  if (t->expected[i].id != -1) {
-    fprintf(stderr, "Error: cipher rule '%s' evaluted to:\n", t->rule);
-    print_cipher_preference_list(ctx->cipher_list);
-    goto done;
+  if (t->expected[i].id != 0) {
+    fprintf(stderr, "Error: cipher rule '%s' evaluated to:\n", t->rule);
+    PrintCipherPreferenceList(ctx->cipher_list);
+    return false;
   }
 
-  ret = 1;
-done:
-  SSL_CTX_free(ctx);
-  return ret;
+  return true;
 }
 
-static int test_cipher_rules(void) {
-  size_t i;
-  for (i = 0; kCipherTests[i].rule != NULL; i++) {
-    if (!test_cipher_rule(&kCipherTests[i])) {
-      return 0;
+static bool TestCipherRules() {
+  for (size_t i = 0; kCipherTests[i].rule != NULL; i++) {
+    if (!TestCipherRule(&kCipherTests[i])) {
+      return false;
     }
   }
 
-  for (i = 0; kBadRules[i] != NULL; i++) {
-    SSL_CTX *ctx = SSL_CTX_new(SSLv23_server_method());
-    if (SSL_CTX_set_cipher_list(ctx, kBadRules[i])) {
+  for (size_t i = 0; kBadRules[i] != NULL; i++) {
+    ScopedSSL_CTX ctx(SSL_CTX_new(SSLv23_server_method()));
+    if (!ctx) {
+      return false;
+    }
+    if (SSL_CTX_set_cipher_list(ctx.get(), kBadRules[i])) {
       fprintf(stderr, "Cipher rule '%s' unexpectedly succeeded\n", kBadRules[i]);
-      return 0;
+      return false;
     }
     ERR_clear_error();
-    SSL_CTX_free(ctx);
   }
 
-  return 1;
+  return true;
 }
 
-/* kOpenSSLSession is a serialized SSL_SESSION generated from openssl
- * s_client -sess_out. */
+// kOpenSSLSession is a serialized SSL_SESSION generated from openssl
+// s_client -sess_out.
 static const char kOpenSSLSession[] =
     "MIIFpQIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
     "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
@@ -303,9 +322,9 @@ static const char kOpenSSLSession[] =
     "OTDKPNj3+inbMaVigtK4PLyPq+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdA"
     "i4gv7Y5oliyn";
 
-/* kCustomSession is a custom serialized SSL_SESSION generated by
- * filling in missing fields from |kOpenSSLSession|. This includes
- * providing |peer_sha256|, so |peer| is not serialized. */
+// kCustomSession is a custom serialized SSL_SESSION generated by
+// filling in missing fields from |kOpenSSLSession|. This includes
+// providing |peer_sha256|, so |peer| is not serialized.
 static const char kCustomSession[] =
     "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
     "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
@@ -316,138 +335,172 @@ static const char kCustomSession[] =
     "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
     "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
 
-static int decode_base64(uint8_t **out, size_t *out_len, const char *in) {
+static bool DecodeBase64(std::vector<uint8_t> *out, const char *in) {
   size_t len;
-
   if (!EVP_DecodedLength(&len, strlen(in))) {
     fprintf(stderr, "EVP_DecodedLength failed\n");
-    return 0;
+    return false;
   }
 
-  *out = OPENSSL_malloc(len);
-  if (*out == NULL) {
-    fprintf(stderr, "malloc failed\n");
-    return 0;
-  }
-
-  if (!EVP_DecodeBase64(*out, out_len, len, (const uint8_t *)in,
+  out->resize(len);
+  if (!EVP_DecodeBase64(bssl::vector_data(out), &len, len, (const uint8_t *)in,
                         strlen(in))) {
     fprintf(stderr, "EVP_DecodeBase64 failed\n");
-    OPENSSL_free(*out);
-    *out = NULL;
-    return 0;
+    return false;
   }
-  return 1;
+  out->resize(len);
+  return true;
 }
 
-static int test_ssl_session_asn1(const char *input_b64) {
-  int ret = 0, len;
-  size_t input_len, encoded_len;
-  uint8_t *input = NULL, *encoded = NULL;
+static bool TestSSL_SESSIONEncoding(const char *input_b64) {
   const uint8_t *cptr;
   uint8_t *ptr;
-  SSL_SESSION *session = NULL;
 
-  /* Decode the input. */
-  if (!decode_base64(&input, &input_len, input_b64)) {
-    goto done;
+  // Decode the input.
+  std::vector<uint8_t> input;
+  if (!DecodeBase64(&input, input_b64)) {
+    return false;
   }
 
-  /* Verify the SSL_SESSION decodes. */
-  cptr = input;
-  session = d2i_SSL_SESSION(NULL, &cptr, input_len);
-  if (session == NULL || cptr != input + input_len) {
+  // Verify the SSL_SESSION decodes.
+  cptr = bssl::vector_data(&input);
+  ScopedSSL_SESSION session(d2i_SSL_SESSION(NULL, &cptr, input.size()));
+  if (!session || cptr != bssl::vector_data(&input) + input.size()) {
     fprintf(stderr, "d2i_SSL_SESSION failed\n");
-    goto done;
+    return false;
   }
 
-  /* Verify the SSL_SESSION encoding round-trips. */
-  if (!SSL_SESSION_to_bytes(session, &encoded, &encoded_len)) {
+  // Verify the SSL_SESSION encoding round-trips.
+  size_t encoded_len;
+  ScopedOpenSSLBytes encoded;
+  uint8_t *encoded_raw;
+  if (!SSL_SESSION_to_bytes(session.get(), &encoded_raw, &encoded_len)) {
     fprintf(stderr, "SSL_SESSION_to_bytes failed\n");
-    goto done;
+    return false;
   }
-  if (encoded_len != input_len ||
-      memcmp(input, encoded, input_len) != 0) {
+  encoded.reset(encoded_raw);
+  if (encoded_len != input.size() ||
+      memcmp(bssl::vector_data(&input), encoded.get(), input.size()) != 0) {
     fprintf(stderr, "SSL_SESSION_to_bytes did not round-trip\n");
-    goto done;
+    return false;
   }
-  OPENSSL_free(encoded);
-  encoded = NULL;
 
-  /* Verify the SSL_SESSION encoding round-trips via the legacy API. */
-  len = i2d_SSL_SESSION(session, NULL);
-  if (len < 0 || (size_t)len != input_len) {
+  // Verify the SSL_SESSION encoding round-trips via the legacy API.
+  int len = i2d_SSL_SESSION(session.get(), NULL);
+  if (len < 0 || (size_t)len != input.size()) {
     fprintf(stderr, "i2d_SSL_SESSION(NULL) returned invalid length\n");
-    goto done;
+    return false;
   }
 
-  encoded = OPENSSL_malloc(input_len);
-  if (encoded == NULL) {
+  encoded.reset((uint8_t *)OPENSSL_malloc(input.size()));
+  if (!encoded) {
     fprintf(stderr, "malloc failed\n");
-    goto done;
+    return false;
   }
-  ptr = encoded;
-  len = i2d_SSL_SESSION(session, &ptr);
-  if (len < 0 || (size_t)len != input_len) {
+
+  ptr = encoded.get();
+  len = i2d_SSL_SESSION(session.get(), &ptr);
+  if (len < 0 || (size_t)len != input.size()) {
     fprintf(stderr, "i2d_SSL_SESSION returned invalid length\n");
-    goto done;
+    return false;
   }
-  if (ptr != encoded + input_len) {
+  if (ptr != encoded.get() + input.size()) {
     fprintf(stderr, "i2d_SSL_SESSION did not advance ptr correctly\n");
-    goto done;
+    return false;
   }
-  if (memcmp(input, encoded, input_len) != 0) {
+  if (memcmp(bssl::vector_data(&input), encoded.get(), input.size()) != 0) {
     fprintf(stderr, "i2d_SSL_SESSION did not round-trip\n");
-    goto done;
+    return false;
   }
 
-  ret = 1;
+  return true;
+}
 
- done:
-  if (!ret) {
-    BIO_print_errors_fp(stderr);
+static bool TestDefaultVersion(uint16_t version,
+                               const SSL_METHOD *(*method)(void)) {
+  ScopedSSL_CTX ctx(SSL_CTX_new(method()));
+  if (!ctx) {
+    return false;
   }
+  return ctx->min_version == version && ctx->max_version == version;
+}
 
-  if (session) {
-    SSL_SESSION_free(session);
+static bool CipherGetRFCName(std::string *out, uint16_t value) {
+  const SSL_CIPHER *cipher = SSL_get_cipher_by_value(value);
+  if (cipher == NULL) {
+    return false;
   }
-  if (input) {
-    OPENSSL_free(input);
-  }
-  if (encoded) {
-    OPENSSL_free(encoded);
-  }
-  return ret;
+  ScopedOpenSSLString rfc_name(SSL_CIPHER_get_rfc_name(cipher));
+  out->assign(rfc_name.get());
+  return true;
 }
 
-int test_default_version(uint16_t version, const SSL_METHOD *(*method)(void)) {
-  SSL_CTX *ctx;
-  int ret;
+typedef struct {
+  int id;
+  const char *rfc_name;
+} CIPHER_RFC_NAME_TEST;
+
+static const CIPHER_RFC_NAME_TEST kCipherRFCNameTests[] = {
+  { SSL3_CK_RSA_DES_192_CBC3_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
+  { SSL3_CK_RSA_RC4_128_MD5, "TLS_RSA_WITH_RC4_MD5" },
+  { TLS1_CK_RSA_WITH_AES_128_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA" },
+  { TLS1_CK_DHE_RSA_WITH_AES_256_SHA, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
+  { TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
+    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
+  { TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
+    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
+  { TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
+    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
+  { TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
+  { TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
+  { TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
+  { TLS1_CK_PSK_WITH_RC4_128_SHA, "TLS_PSK_WITH_RC4_SHA" },
+  // These names are non-standard:
+  { TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305,
+    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
+  { TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305,
+    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
+  { TLS1_CK_ECDHE_PSK_WITH_AES_128_GCM_SHA256,
+    "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256" },
+};
 
-  ctx = SSL_CTX_new(method());
-  if (ctx == NULL) {
-    return 0;
+static bool TestCipherGetRFCName(void) {
+  for (size_t i = 0;
+       i < sizeof(kCipherRFCNameTests) / sizeof(kCipherRFCNameTests[0]); i++) {
+    const CIPHER_RFC_NAME_TEST *test = &kCipherRFCNameTests[i];
+    std::string rfc_name;
+    if (!CipherGetRFCName(&rfc_name, test->id & 0xffff)) {
+      fprintf(stderr, "SSL_CIPHER_get_rfc_name failed\n");
+      return false;
+    }
+    if (rfc_name != test->rfc_name) {
+      fprintf(stderr, "SSL_CIPHER_get_rfc_name: got '%s', wanted '%s'\n",
+              rfc_name.c_str(), test->rfc_name);
+      return false;
+    }
   }
-
-  ret = ctx->min_version == version && ctx->max_version == version;
-  SSL_CTX_free(ctx);
-  return ret;
+  return true;
 }
 
 int main(void) {
   SSL_library_init();
 
-  if (!test_cipher_rules() ||
-      !test_ssl_session_asn1(kOpenSSLSession) ||
-      !test_ssl_session_asn1(kCustomSession) ||
-      !test_default_version(0, &TLS_method) ||
-      !test_default_version(SSL3_VERSION, &SSLv3_method) ||
-      !test_default_version(TLS1_VERSION, &TLSv1_method) ||
-      !test_default_version(TLS1_1_VERSION, &TLSv1_1_method) ||
-      !test_default_version(TLS1_2_VERSION, &TLSv1_2_method) ||
-      !test_default_version(0, &DTLS_method) ||
-      !test_default_version(DTLS1_VERSION, &DTLSv1_method) ||
-      !test_default_version(DTLS1_2_VERSION, &DTLSv1_2_method)) {
+  if (!TestCipherRules() ||
+      !TestSSL_SESSIONEncoding(kOpenSSLSession) ||
+      !TestSSL_SESSIONEncoding(kCustomSession) ||
+      !TestDefaultVersion(0, &TLS_method) ||
+      !TestDefaultVersion(SSL3_VERSION, &SSLv3_method) ||
+      !TestDefaultVersion(TLS1_VERSION, &TLSv1_method) ||
+      !TestDefaultVersion(TLS1_1_VERSION, &TLSv1_1_method) ||
+      !TestDefaultVersion(TLS1_2_VERSION, &TLSv1_2_method) ||
+      !TestDefaultVersion(0, &DTLS_method) ||
+      !TestDefaultVersion(DTLS1_VERSION, &DTLSv1_method) ||
+      !TestDefaultVersion(DTLS1_2_VERSION, &DTLSv1_2_method) ||
+      !TestCipherGetRFCName()) {
+    ERR_print_errors_fp(stderr);
     return 1;
   }
 
diff --git a/src/ssl/ssl_txt.c b/src/ssl/ssl_txt.c
index c950ce8..2275f16 100644
--- a/src/ssl/ssl_txt.c
+++ b/src/ssl/ssl_txt.c
@@ -87,7 +87,7 @@
 #include <openssl/err.h>
 #include <openssl/mem.h>
 
-#include "ssl_locl.h"
+#include "internal.h"
 
 
 int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *x) {
@@ -145,8 +145,9 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) {
   }
 
   for (i = 0; i < x->session_id_length; i++) {
-    if (BIO_printf(bp, "%02X", x->session_id[i]) <= 0)
+    if (BIO_printf(bp, "%02X", x->session_id[i]) <= 0) {
       goto err;
+    }
   }
 
   if (BIO_puts(bp, "\n    Session-ID-ctx: ") <= 0) {
diff --git a/src/ssl/t1_enc.c b/src/ssl/t1_enc.c
index 014bc88..3eaffe7 100644
--- a/src/ssl/t1_enc.c
+++ b/src/ssl/t1_enc.c
@@ -133,8 +133,9 @@
  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
  * OTHERWISE. */
 
-#include <stdio.h>
 #include <assert.h>
+#include <stdio.h>
+#include <string.h>
 
 #include <openssl/err.h>
 #include <openssl/evp.h>
@@ -144,7 +145,7 @@
 #include <openssl/obj.h>
 #include <openssl/rand.h>
 
-#include "ssl_locl.h"
+#include "internal.h"
 
 
 /* tls1_P_hash computes the TLS P_<hash> function as described in RFC 5246,
@@ -225,7 +226,7 @@ int tls1_prf(SSL *s, uint8_t *out, size_t out_len, const uint8_t *secret,
              const uint8_t *seed2, size_t seed2_len) {
   size_t idx, len, count, i;
   const uint8_t *S1;
-  long m;
+  uint32_t m;
   const EVP_MD *md;
   int ret = 0;
   uint8_t *tmp;
@@ -243,7 +244,7 @@ int tls1_prf(SSL *s, uint8_t *out, size_t out_len, const uint8_t *secret,
 
   /* Count number of digests and partition |secret| evenly. */
   count = 0;
-  for (idx = 0; ssl_get_handshake_digest(idx, &m, &md); idx++) {
+  for (idx = 0; ssl_get_handshake_digest(&m, &md, idx); idx++) {
     if ((m << TLS1_PRF_DGST_SHIFT) & ssl_get_algorithm2(s)) {
       count++;
     }
@@ -258,7 +259,7 @@ int tls1_prf(SSL *s, uint8_t *out, size_t out_len, const uint8_t *secret,
   }
   S1 = secret;
   memset(out, 0, out_len);
-  for (idx = 0; ssl_get_handshake_digest(idx, &m, &md); idx++) {
+  for (idx = 0; ssl_get_handshake_digest(&m, &md, idx); idx++) {
     if ((m << TLS1_PRF_DGST_SHIFT) & ssl_get_algorithm2(s)) {
       /* If |count| is 2 and |secret_len| is odd, |secret| is partitioned into
        * two halves with an overlapping byte. */
@@ -340,14 +341,12 @@ static int tls1_change_cipher_state_aead(SSL *s, char is_read,
     }
     aead_ctx = s->aead_read_ctx;
   } else {
-    /* When updating the cipher state for DTLS, we do not wish to overwrite the
-     * old ones because DTLS stores pointers to them in order to implement
-     * retransmission. See dtls1_hm_fragment_free.
-     *
-     * TODO(davidben): Simplify aead_write_ctx ownership, probably by just
-     * forbidding DTLS renego. */
-    if (SSL_IS_DTLS(s)) {
-      s->aead_write_ctx = NULL;
+    if (SSL_IS_DTLS(s) && s->aead_write_ctx != NULL) {
+      /* DTLS renegotiation is unsupported, so a CCS can only switch away from
+       * the NULL cipher. This simplifies renegotiation. */
+      OPENSSL_PUT_ERROR(SSL, tls1_change_cipher_state_aead,
+                        ERR_R_INTERNAL_ERROR);
+      return 0;
     }
     if (!tls1_aead_ctx_init(&s->aead_write_ctx)) {
       return 0;
@@ -355,8 +354,9 @@ static int tls1_change_cipher_state_aead(SSL *s, char is_read,
     aead_ctx = s->aead_write_ctx;
   }
 
-  if (!EVP_AEAD_CTX_init(&aead_ctx->ctx, aead, key, key_len,
-                         EVP_AEAD_DEFAULT_TAG_LENGTH, NULL /* engine */)) {
+  if (!EVP_AEAD_CTX_init_with_direction(
+          &aead_ctx->ctx, aead, key, key_len, EVP_AEAD_DEFAULT_TAG_LENGTH,
+          is_read ? evp_aead_open : evp_aead_seal)) {
     OPENSSL_free(aead_ctx);
     if (is_read) {
       s->aead_read_ctx = NULL;
@@ -578,7 +578,7 @@ int tls1_enc(SSL *s, int send) {
     aead = s->aead_read_ctx;
   }
 
-  if (s->session == NULL || aead == NULL) {
+  if (aead == NULL) {
     /* Handle the initial NULL cipher. */
     memmove(rec->data, rec->input, rec->length);
     rec->input = rec->data;
@@ -598,13 +598,9 @@ int tls1_enc(SSL *s, int send) {
     memcpy(p, &seq[2], 6);
     memcpy(ad, dtlsseq, 8);
   } else {
-    int i;
     memcpy(ad, seq, 8);
-    for (i = 7; i >= 0; i--) {
-      ++seq[i];
-      if (seq[i] != 0) {
-        break;
-      }
+    if (!ssl3_record_sequence_update(seq, 8)) {
+      return 0;
     }
   }
 
@@ -739,7 +735,10 @@ int tls1_cert_verify_mac(SSL *s, int md_nid, uint8_t *out) {
   }
 
   EVP_MD_CTX_init(&ctx);
-  EVP_MD_CTX_copy_ex(&ctx, d);
+  if (!EVP_MD_CTX_copy_ex(&ctx, d)) {
+    EVP_MD_CTX_cleanup(&ctx);
+    return 0;
+  }
   EVP_DigestFinal_ex(&ctx, out, &ret);
   EVP_MD_CTX_cleanup(&ctx);
 
@@ -756,11 +755,11 @@ int tls1_handshake_digest(SSL *s, uint8_t *out, size_t out_len) {
   EVP_MD_CTX ctx;
   int err = 0, len = 0;
   size_t i;
-  long mask;
+  uint32_t mask;
 
   EVP_MD_CTX_init(&ctx);
 
-  for (i = 0; ssl_get_handshake_digest(i, &mask, &md); i++) {
+  for (i = 0; ssl_get_handshake_digest(&mask, &md, i); i++) {
     size_t hash_size;
     unsigned int digest_len;
     EVP_MD_CTX *hdgst = s->s3->handshake_dgst[i];
@@ -863,82 +862,42 @@ int tls1_generate_master_secret(SSL *s, uint8_t *out, const uint8_t *premaster,
   return SSL3_MASTER_SECRET_SIZE;
 }
 
-int tls1_export_keying_material(SSL *s, uint8_t *out, size_t olen,
-                                const char *label, size_t llen,
-                                const uint8_t *context, size_t contextlen,
+int tls1_export_keying_material(SSL *s, uint8_t *out, size_t out_len,
+                                const char *label, size_t label_len,
+                                const uint8_t *context, size_t context_len,
                                 int use_context) {
-  uint8_t *val = NULL;
-  size_t vallen, currentvalpos;
-  int ret;
-
-  /* construct PRF arguments we construct the PRF argument ourself rather than
-   * passing separate values into the TLS PRF to ensure that the concatenation
-   * of values does not create a prohibited label. */
-  vallen = llen + SSL3_RANDOM_SIZE * 2;
-  if (use_context) {
-    vallen += 2 + contextlen;
-  }
-
-  val = OPENSSL_malloc(vallen);
-  if (val == NULL) {
-    goto err2;
+  if (!s->s3->have_version || s->version == SSL3_VERSION) {
+    OPENSSL_PUT_ERROR(SSL, tls1_export_keying_material,
+                      ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+    return 0;
   }
 
-  currentvalpos = 0;
-  memcpy(val + currentvalpos, (uint8_t *)label, llen);
-  currentvalpos += llen;
-  memcpy(val + currentvalpos, s->s3->client_random, SSL3_RANDOM_SIZE);
-  currentvalpos += SSL3_RANDOM_SIZE;
-  memcpy(val + currentvalpos, s->s3->server_random, SSL3_RANDOM_SIZE);
-  currentvalpos += SSL3_RANDOM_SIZE;
-
+  size_t seed_len = 2 * SSL3_RANDOM_SIZE;
   if (use_context) {
-    val[currentvalpos] = (contextlen >> 8) & 0xff;
-    currentvalpos++;
-    val[currentvalpos] = contextlen & 0xff;
-    currentvalpos++;
-    if (contextlen > 0 || context != NULL) {
-      memcpy(val + currentvalpos, context, contextlen);
+    if (context_len >= 1u << 16) {
+      OPENSSL_PUT_ERROR(SSL, tls1_export_keying_material, ERR_R_OVERFLOW);
+      return 0;
     }
+    seed_len += 2 + context_len;
   }
-
-  /* disallow prohibited labels note that SSL3_RANDOM_SIZE > max(prohibited
-   * label len) = 15, so size of val > max(prohibited label len) = 15 and the
-   * comparisons won't have buffer overflow. */
-  if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST,
-             TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0 ||
-      memcmp(val, TLS_MD_SERVER_FINISH_CONST,
-             TLS_MD_SERVER_FINISH_CONST_SIZE) == 0 ||
-      memcmp(val, TLS_MD_MASTER_SECRET_CONST,
-             TLS_MD_MASTER_SECRET_CONST_SIZE) == 0 ||
-      memcmp(val, TLS_MD_KEY_EXPANSION_CONST,
-             TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) {
-    goto err1;
+  uint8_t *seed = OPENSSL_malloc(seed_len);
+  if (seed == NULL) {
+    OPENSSL_PUT_ERROR(SSL, tls1_export_keying_material, ERR_R_MALLOC_FAILURE);
+    return 0;
   }
 
-  /* SSL_export_keying_material is not implemented for SSLv3, so passing
-   * everything through the label parameter works. */
-  assert(s->version != SSL3_VERSION);
-  ret = s->enc_method->prf(s, out, olen, s->session->master_key,
-                           s->session->master_key_length, (const char *)val,
-                           vallen, NULL, 0, NULL, 0);
-  goto out;
-
-err1:
-  OPENSSL_PUT_ERROR(SSL, tls1_export_keying_material,
-                    SSL_R_TLS_ILLEGAL_EXPORTER_LABEL);
-  ret = 0;
-  goto out;
-
-err2:
-  OPENSSL_PUT_ERROR(SSL, tls1_export_keying_material, ERR_R_MALLOC_FAILURE);
-  ret = 0;
-
-out:
-  if (val != NULL) {
-    OPENSSL_free(val);
+  memcpy(seed, s->s3->client_random, SSL3_RANDOM_SIZE);
+  memcpy(seed + SSL3_RANDOM_SIZE, s->s3->server_random, SSL3_RANDOM_SIZE);
+  if (use_context) {
+    seed[2 * SSL3_RANDOM_SIZE] = (uint8_t)(context_len >> 8);
+    seed[2 * SSL3_RANDOM_SIZE + 1] = (uint8_t)context_len;
+    memcpy(seed + 2 * SSL3_RANDOM_SIZE + 2, context, context_len);
   }
 
+  int ret = s->enc_method->prf(s, out, out_len, s->session->master_key,
+                               s->session->master_key_length, label, label_len,
+                               seed, seed_len, NULL, 0);
+  OPENSSL_free(seed);
   return ret;
 }
 
diff --git a/src/ssl/t1_lib.c b/src/ssl/t1_lib.c
index e26351b..433a647 100644
--- a/src/ssl/t1_lib.c
+++ b/src/ssl/t1_lib.c
@@ -106,18 +106,20 @@
  * (eay@cryptsoft.com).  This product includes software written by Tim
  * Hudson (tjh@cryptsoft.com). */
 
+#include <assert.h>
 #include <stdio.h>
 #include <stdlib.h>
-#include <assert.h>
+#include <string.h>
 
 #include <openssl/bytestring.h>
+#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 #include <openssl/mem.h>
 #include <openssl/obj.h>
 #include <openssl/rand.h>
 
-#include "ssl_locl.h"
+#include "internal.h"
 
 
 static int tls_decrypt_ticket(SSL *s, const uint8_t *tick, int ticklen,
@@ -133,16 +135,12 @@ const SSL3_ENC_METHOD TLSv1_enc_data = {
     tls1_generate_master_secret,
     tls1_change_cipher_state,
     tls1_final_finish_mac,
-    TLS1_FINISH_MAC_LENGTH,
     tls1_cert_verify_mac,
     TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
     TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
     tls1_alert_code,
     tls1_export_keying_material,
     0,
-    SSL3_HM_HEADER_LENGTH,
-    ssl3_set_handshake_header,
-    ssl3_handshake_write,
 };
 
 const SSL3_ENC_METHOD TLSv1_1_enc_data = {
@@ -152,16 +150,12 @@ const SSL3_ENC_METHOD TLSv1_1_enc_data = {
     tls1_generate_master_secret,
     tls1_change_cipher_state,
     tls1_final_finish_mac,
-    TLS1_FINISH_MAC_LENGTH,
     tls1_cert_verify_mac,
     TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
     TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
     tls1_alert_code,
     tls1_export_keying_material,
     SSL_ENC_FLAG_EXPLICIT_IV,
-    SSL3_HM_HEADER_LENGTH,
-    ssl3_set_handshake_header,
-    ssl3_handshake_write,
 };
 
 const SSL3_ENC_METHOD TLSv1_2_enc_data = {
@@ -171,7 +165,6 @@ const SSL3_ENC_METHOD TLSv1_2_enc_data = {
     tls1_generate_master_secret,
     tls1_change_cipher_state,
     tls1_final_finish_mac,
-    TLS1_FINISH_MAC_LENGTH,
     tls1_cert_verify_mac,
     TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
     TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
@@ -179,9 +172,6 @@ const SSL3_ENC_METHOD TLSv1_2_enc_data = {
     tls1_export_keying_material,
     SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_SHA256_PRF
             |SSL_ENC_FLAG_TLS1_2_CIPHERS,
-    SSL3_HM_HEADER_LENGTH,
-    ssl3_set_handshake_header,
-    ssl3_handshake_write,
 };
 
 static int compare_uint16_t(const void *p1, const void *p2) {
@@ -255,8 +245,7 @@ static int tls1_check_duplicate_extensions(const CBS *cbs) {
   ret = 1;
 
 done:
-  if (extension_types)
-    OPENSSL_free(extension_types);
+  OPENSSL_free(extension_types);
   return ret;
 }
 
@@ -367,7 +356,7 @@ static const uint8_t ecformats_default[] = {
 };
 
 static const uint16_t eccurves_default[] = {
-    23, /* X9_64_prime256v1 */
+    23, /* X9_62_prime256v1 */
     24, /* secp384r1 */
 };
 
@@ -399,6 +388,9 @@ static void tls1_get_curvelist(SSL *s, int get_peer_curves,
                                const uint16_t **out_curve_ids,
                                size_t *out_curve_ids_len) {
   if (get_peer_curves) {
+    /* Only clients send a curve list, so this function is only called
+     * on the server. */
+    assert(s->server);
     *out_curve_ids = s->s3->tmp.peer_ellipticcurvelist;
     *out_curve_ids_len = s->s3->tmp.peer_ellipticcurvelist_length;
     return;
@@ -437,22 +429,38 @@ int tls1_check_curve(SSL *s, CBS *cbs, uint16_t *out_curve_id) {
 }
 
 int tls1_get_shared_curve(SSL *s) {
-  const uint16_t *pref, *supp;
-  size_t preflen, supplen, i, j;
+  const uint16_t *curves, *peer_curves, *pref, *supp;
+  size_t curves_len, peer_curves_len, pref_len, supp_len, i, j;
 
   /* Can't do anything on client side */
   if (s->server == 0) {
     return NID_undef;
   }
 
-  /* Return first preference shared curve */
-  tls1_get_curvelist(s, !!(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &supp,
-                     &supplen);
-  tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref,
-                     &preflen);
+  tls1_get_curvelist(s, 0 /* local curves */, &curves, &curves_len);
+  tls1_get_curvelist(s, 1 /* peer curves */, &peer_curves, &peer_curves_len);
+
+  if (peer_curves_len == 0) {
+    /* Clients are not required to send a supported_curves extension. In this
+     * case, the server is free to pick any curve it likes. See RFC 4492,
+     * section 4, paragraph 3. */
+    return (curves_len == 0) ? NID_undef : tls1_ec_curve_id2nid(curves[0]);
+  }
+
+  if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
+    pref = curves;
+    pref_len = curves_len;
+    supp = peer_curves;
+    supp_len = peer_curves_len;
+  } else {
+    pref = peer_curves;
+    pref_len = peer_curves_len;
+    supp = curves;
+    supp_len = curves_len;
+  }
 
-  for (i = 0; i < preflen; i++) {
-    for (j = 0; j < supplen; j++) {
+  for (i = 0; i < pref_len; i++) {
+    for (j = 0; j < supp_len; j++) {
       if (pref[i] == supp[j]) {
         return tls1_ec_curve_id2nid(pref[i]);
       }
@@ -479,9 +487,7 @@ int tls1_set_curves(uint16_t **out_curve_ids, size_t *out_curve_ids_len,
     }
   }
 
-  if (*out_curve_ids) {
-    OPENSSL_free(*out_curve_ids);
-  }
+  OPENSSL_free(*out_curve_ids);
   *out_curve_ids = curve_ids;
   *out_curve_ids_len = ncurves;
 
@@ -556,11 +562,23 @@ static int tls1_check_point_format(SSL *s, uint8_t comp_id) {
  * preferences are checked; the peer (the server) does not send preferences. */
 static int tls1_check_curve_id(SSL *s, uint16_t curve_id) {
   const uint16_t *curves;
-  size_t curves_len, i, j;
+  size_t curves_len, i, get_peer_curves;
 
   /* Check against our list, then the peer's list. */
-  for (j = 0; j <= 1; j++) {
-    tls1_get_curvelist(s, j, &curves, &curves_len);
+  for (get_peer_curves = 0; get_peer_curves <= 1; get_peer_curves++) {
+    if (get_peer_curves && !s->server) {
+      /* Servers do not present a preference list so, if we are a client, only
+       * check our list. */
+      continue;
+    }
+
+    tls1_get_curvelist(s, get_peer_curves, &curves, &curves_len);
+    if (get_peer_curves && curves_len == 0) {
+      /* Clients are not required to send a supported_curves extension. In this
+       * case, the server is free to pick any curve it likes. See RFC 4492,
+       * section 4, paragraph 3. */
+      continue;
+    }
     for (i = 0; i < curves_len; i++) {
       if (curves[i] == curve_id) {
         break;
@@ -570,12 +588,6 @@ static int tls1_check_curve_id(SSL *s, uint16_t curve_id) {
     if (i == curves_len) {
       return 0;
     }
-
-    /* Servers do not present a preference list so, if we are a client, only
-     * check our list. */
-    if (!s->server) {
-      return 1;
-    }
   }
 
   return 1;
@@ -610,30 +622,27 @@ int tls1_check_ec_cert(SSL *s, X509 *x) {
   ret = 1;
 
 done:
-  if (pkey) {
-    EVP_PKEY_free(pkey);
-  }
+  EVP_PKEY_free(pkey);
   return ret;
 }
 
 int tls1_check_ec_tmp_key(SSL *s) {
-  uint16_t curve_id;
-  EC_KEY *ec = s->cert->ecdh_tmp;
-
-  if (s->cert->ecdh_tmp_auto) {
-    /* Need a shared curve */
-    return tls1_get_shared_curve(s) != NID_undef;
+  if (s->cert->ecdh_nid != NID_undef) {
+    /* If the curve is preconfigured, ECDH is acceptable iff the peer supports
+     * the curve. */
+    uint16_t curve_id;
+    return tls1_ec_nid2curve_id(&curve_id, s->cert->ecdh_nid) &&
+           tls1_check_curve_id(s, curve_id);
   }
 
-  if (!ec) {
-    if (s->cert->ecdh_tmp_cb) {
-      return 1;
-    }
-    return 0;
+  if (s->cert->ecdh_tmp_cb != NULL) {
+    /* Assume the callback will provide an acceptable curve. */
+    return 1;
   }
 
-  return tls1_curve_params_from_ec_key(&curve_id, NULL, ec) &&
-         tls1_check_curve_id(s, curve_id);
+  /* Otherwise, the curve gets selected automatically. ECDH is acceptable iff
+   * there is a shared curve. */
+  return tls1_get_shared_curve(s) != NID_undef;
 }
 
 /* List of supported signature algorithms and hashes. Should make this
@@ -803,7 +812,7 @@ uint8_t *ssl_add_clienthello_tlsext(SSL *s, uint8_t *buf, uint8_t *limit,
 
   if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) {
     size_t i;
-    unsigned long alg_k, alg_a;
+    uint32_t alg_k, alg_a;
     STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
 
     for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
@@ -811,7 +820,7 @@ uint8_t *ssl_add_clienthello_tlsext(SSL *s, uint8_t *buf, uint8_t *limit,
 
       alg_k = c->algorithm_mkey;
       alg_a = c->algorithm_auth;
-      if ((alg_k & SSL_kEECDH) || (alg_a & SSL_aECDSA)) {
+      if ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA)) {
         using_ecc = 1;
         break;
       }
@@ -1117,9 +1126,9 @@ uint8_t *ssl_add_serverhello_tlsext(SSL *s, uint8_t *buf, uint8_t *limit) {
   uint8_t *orig = buf;
   uint8_t *ret = buf;
   int next_proto_neg_seen;
-  unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
-  unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
-  int using_ecc = (alg_k & SSL_kEECDH) || (alg_a & SSL_aECDSA);
+  uint32_t alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
+  uint32_t alg_a = s->s3->tmp.new_cipher->algorithm_auth;
+  int using_ecc = (alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA);
   using_ecc = using_ecc && (s->s3->tmp.peer_ecpointformatlist != NULL);
 
   /* don't add extensions for SSLv3, unless doing secure renegotiation */
@@ -1331,9 +1340,7 @@ static int tls1_alpn_handle_client_hello(SSL *s, CBS *cbs, int *out_alert) {
       s, &selected, &selected_len, CBS_data(&protocol_name_list),
       CBS_len(&protocol_name_list), s->ctx->alpn_select_cb_arg);
   if (r == SSL_TLSEXT_ERR_OK) {
-    if (s->s3->alpn_selected) {
-      OPENSSL_free(s->s3->alpn_selected);
-    }
+    OPENSSL_free(s->s3->alpn_selected);
     s->s3->alpn_selected = BUF_memdup(selected, selected_len);
     if (!s->s3->alpn_selected) {
       *out_alert = SSL_AD_INTERNAL_ERROR;
@@ -1359,35 +1366,27 @@ static int ssl_scan_clienthello_tlsext(SSL *s, CBS *cbs, int *out_alert) {
   s->s3->tmp.certificate_status_expected = 0;
   s->s3->tmp.extended_master_secret = 0;
 
-  if (s->s3->alpn_selected) {
-    OPENSSL_free(s->s3->alpn_selected);
-    s->s3->alpn_selected = NULL;
-  }
+  OPENSSL_free(s->s3->alpn_selected);
+  s->s3->alpn_selected = NULL;
 
   /* Clear any signature algorithms extension received */
-  if (s->cert->peer_sigalgs) {
-    OPENSSL_free(s->cert->peer_sigalgs);
-    s->cert->peer_sigalgs = NULL;
-  }
+  OPENSSL_free(s->cert->peer_sigalgs);
+  s->cert->peer_sigalgs = NULL;
+  s->cert->peer_sigalgslen = 0;
 
   /* Clear any shared signature algorithms */
-  if (s->cert->shared_sigalgs) {
-    OPENSSL_free(s->cert->shared_sigalgs);
-    s->cert->shared_sigalgs = NULL;
-  }
+  OPENSSL_free(s->cert->shared_sigalgs);
+  s->cert->shared_sigalgs = NULL;
+  s->cert->shared_sigalgslen = 0;
 
   /* Clear ECC extensions */
-  if (s->s3->tmp.peer_ecpointformatlist != 0) {
-    OPENSSL_free(s->s3->tmp.peer_ecpointformatlist);
-    s->s3->tmp.peer_ecpointformatlist = NULL;
-    s->s3->tmp.peer_ecpointformatlist_length = 0;
-  }
+  OPENSSL_free(s->s3->tmp.peer_ecpointformatlist);
+  s->s3->tmp.peer_ecpointformatlist = NULL;
+  s->s3->tmp.peer_ecpointformatlist_length = 0;
 
-  if (s->s3->tmp.peer_ellipticcurvelist != 0) {
-    OPENSSL_free(s->s3->tmp.peer_ellipticcurvelist);
-    s->s3->tmp.peer_ellipticcurvelist = NULL;
-    s->s3->tmp.peer_ellipticcurvelist_length = 0;
-  }
+  OPENSSL_free(s->s3->tmp.peer_ellipticcurvelist);
+  s->s3->tmp.peer_ellipticcurvelist = NULL;
+  s->s3->tmp.peer_ellipticcurvelist_length = 0;
 
   /* There may be no extensions. */
   if (CBS_len(cbs) == 0) {
@@ -1412,11 +1411,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, CBS *cbs, int *out_alert) {
       return 0;
     }
 
-    if (s->tlsext_debug_cb) {
-      s->tlsext_debug_cb(s, 0, type, (uint8_t *)CBS_data(&extension),
-                         CBS_len(&extension), s->tlsext_debug_arg);
-    }
-
     /* The servername extension is treated as follows:
 
        - Only the hostname type is supported with a maximum length of 255.
@@ -1529,10 +1523,8 @@ static int ssl_scan_clienthello_tlsext(SSL *s, CBS *cbs, int *out_alert) {
         return 0;
       }
 
-      if (s->s3->tmp.peer_ellipticcurvelist) {
-        OPENSSL_free(s->s3->tmp.peer_ellipticcurvelist);
-        s->s3->tmp.peer_ellipticcurvelist_length = 0;
-      }
+      OPENSSL_free(s->s3->tmp.peer_ellipticcurvelist);
+      s->s3->tmp.peer_ellipticcurvelist_length = 0;
 
       s->s3->tmp.peer_ellipticcurvelist =
           (uint16_t *)OPENSSL_malloc(CBS_len(&elliptic_curve_list));
@@ -1586,7 +1578,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, CBS *cbs, int *out_alert) {
       }
       /* If sigalgs received and no shared algorithms fatal error. */
       if (s->cert->peer_sigalgs && !s->cert->shared_sigalgs) {
-        OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext,
+        OPENSSL_PUT_ERROR(SSL, ssl_scan_clienthello_tlsext,
                           SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
         *out_alert = SSL_AD_ILLEGAL_PARAMETER;
         return 0;
@@ -1714,17 +1706,13 @@ static int ssl_scan_serverhello_tlsext(SSL *s, CBS *cbs, int *out_alert) {
   s->s3->tmp.extended_master_secret = 0;
   s->srtp_profile = NULL;
 
-  if (s->s3->alpn_selected) {
-    OPENSSL_free(s->s3->alpn_selected);
-    s->s3->alpn_selected = NULL;
-  }
+  OPENSSL_free(s->s3->alpn_selected);
+  s->s3->alpn_selected = NULL;
 
   /* Clear ECC extensions */
-  if (s->s3->tmp.peer_ecpointformatlist != 0) {
-    OPENSSL_free(s->s3->tmp.peer_ecpointformatlist);
-    s->s3->tmp.peer_ecpointformatlist = NULL;
-    s->s3->tmp.peer_ecpointformatlist_length = 0;
-  }
+  OPENSSL_free(s->s3->tmp.peer_ecpointformatlist);
+  s->s3->tmp.peer_ecpointformatlist = NULL;
+  s->s3->tmp.peer_ecpointformatlist_length = 0;
 
   /* There may be no extensions. */
   if (CBS_len(cbs) == 0) {
@@ -1749,11 +1737,6 @@ static int ssl_scan_serverhello_tlsext(SSL *s, CBS *cbs, int *out_alert) {
       return 0;
     }
 
-    if (s->tlsext_debug_cb) {
-      s->tlsext_debug_cb(s, 1, type, (uint8_t *)CBS_data(&extension),
-                         CBS_len(&extension), s->tlsext_debug_arg);
-    }
-
     if (type == TLSEXT_TYPE_server_name) {
       /* The extension must be empty. */
       if (CBS_len(&extension) != 0) {
@@ -1987,9 +1970,9 @@ static int ssl_check_serverhello_tlsext(SSL *s) {
   /* If we are client and using an elliptic curve cryptography cipher suite,
    * then if server returns an EC point formats lists extension it must contain
    * uncompressed. */
-  unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
-  unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
-  if (((alg_k & SSL_kEECDH) || (alg_a & SSL_aECDSA)) &&
+  uint32_t alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
+  uint32_t alg_a = s->s3->tmp.new_cipher->algorithm_auth;
+  if (((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA)) &&
       !tls1_check_point_format(s, TLSEXT_ECPOINTFORMAT_uncompressed)) {
     OPENSSL_PUT_ERROR(SSL, ssl_check_serverhello_tlsext,
                       SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
@@ -2001,7 +1984,7 @@ static int ssl_check_serverhello_tlsext(SSL *s) {
     ret = s->ctx->tlsext_servername_callback(s, &al,
                                              s->ctx->tlsext_servername_arg);
   } else if (s->initial_ctx != NULL &&
-           s->initial_ctx->tlsext_servername_callback != 0) {
+             s->initial_ctx->tlsext_servername_callback != 0) {
     ret = s->initial_ctx->tlsext_servername_callback(
         s, &al, s->initial_ctx->tlsext_servername_arg);
   }
@@ -2133,8 +2116,11 @@ static int tls_decrypt_ticket(SSL *s, const uint8_t *etick, int eticklen,
   EVP_CIPHER_CTX ctx;
   SSL_CTX *tctx = s->initial_ctx;
 
-  /* Need at least keyname + iv + some encrypted data */
-  if (eticklen < 48) {
+  /* Ensure there is room for the key name and the largest IV
+   * |tlsext_ticket_key_cb| may try to consume. The real limit may be lower, but
+   * the maximum IV length should be well under the minimum size for the
+   * session material and HMAC. */
+  if (eticklen < 16 + EVP_MAX_IV_LENGTH) {
     return 2;
   }
 
@@ -2143,7 +2129,8 @@ static int tls_decrypt_ticket(SSL *s, const uint8_t *etick, int eticklen,
   EVP_CIPHER_CTX_init(&ctx);
   if (tctx->tlsext_ticket_key_cb) {
     uint8_t *nctick = (uint8_t *)etick;
-    int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, &ctx, &hctx, 0);
+    int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, &ctx, &hctx,
+                                        0 /* decrypt */);
     if (rv < 0) {
       return -1;
     }
@@ -2168,13 +2155,13 @@ static int tls_decrypt_ticket(SSL *s, const uint8_t *etick, int eticklen,
     }
   }
 
-  /* Attempt to process session ticket, first conduct sanity and integrity
-   * checks on ticket. */
+  /* First, check the MAC. The MAC is at the end of the ticket. */
   mlen = HMAC_size(&hctx);
-  if (mlen < 0) {
+  if ((size_t) eticklen < 16 + EVP_CIPHER_CTX_iv_length(&ctx) + 1 + mlen) {
+    /* The ticket must be large enough for key name, IV, data, and MAC. */
     HMAC_CTX_cleanup(&hctx);
     EVP_CIPHER_CTX_cleanup(&ctx);
-    return -1;
+    return 2;
   }
   eticklen -= mlen;
   /* Check HMAC of encrypted ticket */
@@ -2407,10 +2394,9 @@ static int tls1_set_shared_sigalgs(SSL *s) {
   TLS_SIGALGS *salgs = NULL;
   CERT *c = s->cert;
 
-  if (c->shared_sigalgs) {
-    OPENSSL_free(c->shared_sigalgs);
-    c->shared_sigalgs = NULL;
-  }
+  OPENSSL_free(c->shared_sigalgs);
+  c->shared_sigalgs = NULL;
+  c->shared_sigalgslen = 0;
 
   /* If client use client signature algorithms if not NULL */
   if (!s->server && c->client_sigalgs) {
@@ -2460,21 +2446,12 @@ int tls1_process_sigalgs(SSL *s, const CBS *sigalgs) {
     return 1;
   }
 
-  /* Length must be even */
-  if (CBS_len(sigalgs) % 2 != 0) {
-    return 0;
-  }
-
-  /* Should never happen */
-  if (!c) {
-    return 0;
-  }
-
-  if (!CBS_stow(sigalgs, &c->peer_sigalgs, &c->peer_sigalgslen)) {
+  if (CBS_len(sigalgs) % 2 != 0 ||
+      !CBS_stow(sigalgs, &c->peer_sigalgs, &c->peer_sigalgslen) ||
+      !tls1_set_shared_sigalgs(s)) {
     return 0;
   }
 
-  tls1_set_shared_sigalgs(s);
   return 1;
 }
 
@@ -2583,7 +2560,10 @@ int tls1_channel_id_hash(EVP_MD_CTX *md, SSL *s) {
     if (s->s3->handshake_dgst[i] == NULL) {
       continue;
     }
-    EVP_MD_CTX_copy_ex(&ctx, s->s3->handshake_dgst[i]);
+    if (!EVP_MD_CTX_copy_ex(&ctx, s->s3->handshake_dgst[i])) {
+      EVP_MD_CTX_cleanup(&ctx);
+      return 0;
+    }
     EVP_DigestFinal_ex(&ctx, temp_digest, &temp_digest_len);
     EVP_DigestUpdate(md, temp_digest, temp_digest_len);
   }
@@ -2650,15 +2630,11 @@ int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen,
   }
 
   if (client) {
-    if (c->client_sigalgs) {
-      OPENSSL_free(c->client_sigalgs);
-    }
+    OPENSSL_free(c->client_sigalgs);
     c->client_sigalgs = sigalgs;
     c->client_sigalgslen = salglen;
   } else {
-    if (c->conf_sigalgs) {
-      OPENSSL_free(c->conf_sigalgs);
-    }
+    OPENSSL_free(c->conf_sigalgs);
     c->conf_sigalgs = sigalgs;
     c->conf_sigalgslen = salglen;
   }
diff --git a/src/ssl/t1_reneg.c b/src/ssl/t1_reneg.c
index 2d9fbc0..d0009c1 100644
--- a/src/ssl/t1_reneg.c
+++ b/src/ssl/t1_reneg.c
@@ -106,14 +106,14 @@
  * (eay@cryptsoft.com).  This product includes software written by Tim
  * Hudson (tjh@cryptsoft.com). */
 
-#include <stdio.h>
 #include <assert.h>
+#include <stdio.h>
+#include <string.h>
 
 #include <openssl/bytestring.h>
-#include <openssl/obj.h>
 #include <openssl/err.h>
 
-#include "ssl_locl.h"
+#include "internal.h"
 
 
 /* Add the client's renegotiation binding */
@@ -170,8 +170,7 @@ int ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
                                         int maxlen) {
   if (p) {
     if (s->s3->previous_client_finished_len +
-            s->s3->previous_server_finished_len + 1 >
-        maxlen) {
+            s->s3->previous_server_finished_len + 1 > maxlen) {
       OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_renegotiate_ext,
                         SSL_R_RENEGOTIATE_EXT_TOO_LONG);
       return 0;
diff --git a/src/ssl/test/CMakeLists.txt b/src/ssl/test/CMakeLists.txt
index 9992360..a0d7a5e 100644
--- a/src/ssl/test/CMakeLists.txt
+++ b/src/ssl/test/CMakeLists.txt
@@ -11,6 +11,3 @@ add_executable(
 )
 
 target_link_libraries(bssl_shim ssl crypto)
-if (NOT APPLE AND NOT WIN32)
-  target_link_libraries(bssl_shim dl)
-endif()
diff --git a/src/ssl/test/async_bio.cc b/src/ssl/test/async_bio.cc
index c007ffa..0534845 100644
--- a/src/ssl/test/async_bio.cc
+++ b/src/ssl/test/async_bio.cc
@@ -22,23 +22,23 @@
 
 namespace {
 
-extern const BIO_METHOD async_bio_method;
+extern const BIO_METHOD g_async_bio_method;
 
-struct async_bio {
+struct AsyncBio {
   bool datagram;
   size_t read_quota;
   size_t write_quota;
 };
 
-async_bio *get_data(BIO *bio) {
-  if (bio->method != &async_bio_method) {
+AsyncBio *GetData(BIO *bio) {
+  if (bio->method != &g_async_bio_method) {
     return NULL;
   }
-  return (async_bio *)bio->ptr;
+  return (AsyncBio *)bio->ptr;
 }
 
-static int async_write(BIO *bio, const char *in, int inl) {
-  async_bio *a = get_data(bio);
+static int AsyncWrite(BIO *bio, const char *in, int inl) {
+  AsyncBio *a = GetData(bio);
   if (a == NULL || bio->next_bio == NULL) {
     return 0;
   }
@@ -69,8 +69,8 @@ static int async_write(BIO *bio, const char *in, int inl) {
   return ret;
 }
 
-static int async_read(BIO *bio, char *out, int outl) {
-  async_bio *a = get_data(bio);
+static int AsyncRead(BIO *bio, char *out, int outl) {
+  AsyncBio *a = GetData(bio);
   if (a == NULL || bio->next_bio == NULL) {
     return 0;
   }
@@ -95,7 +95,7 @@ static int async_read(BIO *bio, char *out, int outl) {
   return ret;
 }
 
-static long async_ctrl(BIO *bio, int cmd, long num, void *ptr) {
+static long AsyncCtrl(BIO *bio, int cmd, long num, void *ptr) {
   if (bio->next_bio == NULL) {
     return 0;
   }
@@ -105,8 +105,8 @@ static long async_ctrl(BIO *bio, int cmd, long num, void *ptr) {
   return ret;
 }
 
-static int async_new(BIO *bio) {
-  async_bio *a = (async_bio *)OPENSSL_malloc(sizeof(*a));
+static int AsyncNew(BIO *bio) {
+  AsyncBio *a = (AsyncBio *)OPENSSL_malloc(sizeof(*a));
   if (a == NULL) {
     return 0;
   }
@@ -116,7 +116,7 @@ static int async_new(BIO *bio) {
   return 1;
 }
 
-static int async_free(BIO *bio) {
+static int AsyncFree(BIO *bio) {
   if (bio == NULL) {
     return 0;
   }
@@ -128,51 +128,51 @@ static int async_free(BIO *bio) {
   return 1;
 }
 
-static long async_callback_ctrl(BIO *bio, int cmd, bio_info_cb fp) {
+static long AsyncCallbackCtrl(BIO *bio, int cmd, bio_info_cb fp) {
   if (bio->next_bio == NULL) {
     return 0;
   }
   return BIO_callback_ctrl(bio->next_bio, cmd, fp);
 }
 
-const BIO_METHOD async_bio_method = {
+const BIO_METHOD g_async_bio_method = {
   BIO_TYPE_FILTER,
   "async bio",
-  async_write,
-  async_read,
+  AsyncWrite,
+  AsyncRead,
   NULL /* puts */,
   NULL /* gets */,
-  async_ctrl,
-  async_new,
-  async_free,
-  async_callback_ctrl,
+  AsyncCtrl,
+  AsyncNew,
+  AsyncFree,
+  AsyncCallbackCtrl,
 };
 
 }  // namespace
 
-BIO *async_bio_create() {
-  return BIO_new(&async_bio_method);
+ScopedBIO AsyncBioCreate() {
+  return ScopedBIO(BIO_new(&g_async_bio_method));
 }
 
-BIO *async_bio_create_datagram() {
-  BIO *ret = BIO_new(&async_bio_method);
+ScopedBIO AsyncBioCreateDatagram() {
+  ScopedBIO ret(BIO_new(&g_async_bio_method));
   if (!ret) {
-    return NULL;
+    return nullptr;
   }
-  get_data(ret)->datagram = true;
+  GetData(ret.get())->datagram = true;
   return ret;
 }
 
-void async_bio_allow_read(BIO *bio, size_t count) {
-  async_bio *a = get_data(bio);
+void AsyncBioAllowRead(BIO *bio, size_t count) {
+  AsyncBio *a = GetData(bio);
   if (a == NULL) {
     return;
   }
   a->read_quota += count;
 }
 
-void async_bio_allow_write(BIO *bio, size_t count) {
-  async_bio *a = get_data(bio);
+void AsyncBioAllowWrite(BIO *bio, size_t count) {
+  AsyncBio *a = GetData(bio);
   if (a == NULL) {
     return;
   }
diff --git a/src/ssl/test/async_bio.h b/src/ssl/test/async_bio.h
index 2904036..1ccdf9b 100644
--- a/src/ssl/test/async_bio.h
+++ b/src/ssl/test/async_bio.h
@@ -17,24 +17,26 @@
 
 #include <openssl/bio.h>
 
+#include "../../crypto/test/scoped_types.h"
 
-// async_bio_create creates a filter BIO for testing asynchronous state
+
+// AsyncBioCreate creates a filter BIO for testing asynchronous state
 // machines which consume a stream socket. Reads and writes will fail
 // and return EAGAIN unless explicitly allowed. Each async BIO has a
 // read quota and a write quota. Initially both are zero. As each is
 // incremented, bytes are allowed to flow through the BIO.
-BIO *async_bio_create();
+ScopedBIO AsyncBioCreate();
 
-// async_bio_create_datagram creates a filter BIO for testing for
+// AsyncBioCreateDatagram creates a filter BIO for testing for
 // asynchronous state machines which consume datagram sockets. The read
 // and write quota count in packets rather than bytes.
-BIO *async_bio_create_datagram();
+ScopedBIO AsyncBioCreateDatagram();
 
-// async_bio_allow_read increments |bio|'s read quota by |count|.
-void async_bio_allow_read(BIO *bio, size_t count);
+// AsyncBioAllowRead increments |bio|'s read quota by |count|.
+void AsyncBioAllowRead(BIO *bio, size_t count);
 
-// async_bio_allow_write increments |bio|'s write quota by |count|.
-void async_bio_allow_write(BIO *bio, size_t count);
+// AsyncBioAllowWrite increments |bio|'s write quota by |count|.
+void AsyncBioAllowWrite(BIO *bio, size_t count);
 
 
 #endif  // HEADER_ASYNC_BIO
diff --git a/src/ssl/test/bssl_shim.cc b/src/ssl/test/bssl_shim.cc
index 37891b9..1cf96f2 100644
--- a/src/ssl/test/bssl_shim.cc
+++ b/src/ssl/test/bssl_shim.cc
@@ -17,9 +17,19 @@
 #if !defined(OPENSSL_WINDOWS)
 #include <arpa/inet.h>
 #include <netinet/in.h>
+#include <netinet/tcp.h>
 #include <signal.h>
 #include <sys/socket.h>
+#include <sys/types.h>
 #include <unistd.h>
+#else
+#include <io.h>
+#pragma warning(push, 3)
+#include <winsock2.h>
+#include <ws2tcpip.h>
+#pragma warning(pop)
+
+#pragma comment(lib, "Ws2_32.lib")
 #endif
 
 #include <string.h>
@@ -28,126 +38,198 @@
 #include <openssl/bio.h>
 #include <openssl/buf.h>
 #include <openssl/bytestring.h>
+#include <openssl/err.h>
 #include <openssl/ssl.h>
 
+#include <memory>
+#include <vector>
+
+#include "../../crypto/test/scoped_types.h"
 #include "async_bio.h"
 #include "packeted_bio.h"
+#include "scoped_types.h"
 #include "test_config.h"
 
-static int usage(const char *program) {
-  fprintf(stderr, "Usage: %s [flags...]\n",
-          program);
+
+#if !defined(OPENSSL_WINDOWS)
+static int closesocket(int sock) {
+  return close(sock);
+}
+
+static void PrintSocketError(const char *func) {
+  perror(func);
+}
+#else
+static void PrintSocketError(const char *func) {
+  fprintf(stderr, "%s: %d\n", func, WSAGetLastError());
+}
+#endif
+
+static int Usage(const char *program) {
+  fprintf(stderr, "Usage: %s [flags...]\n", program);
   return 1;
 }
 
-static int g_ex_data_index = 0;
+struct TestState {
+  TestState() {
+    // MSVC cannot initialize these inline.
+    memset(&clock, 0, sizeof(clock));
+    memset(&clock_delta, 0, sizeof(clock_delta));
+  }
+
+  // async_bio is async BIO which pauses reads and writes.
+  BIO *async_bio = nullptr;
+  // clock is the current time for the SSL connection.
+  timeval clock;
+  // clock_delta is how far the clock advanced in the most recent failed
+  // |BIO_read|.
+  timeval clock_delta;
+  ScopedEVP_PKEY channel_id;
+  bool cert_ready = false;
+  ScopedSSL_SESSION session;
+  ScopedSSL_SESSION pending_session;
+  bool early_callback_called = false;
+  bool handshake_done = false;
+};
+
+static void TestStateExFree(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+			    int index, long argl, void *argp) {
+  delete ((TestState *)ptr);
+}
+
+static int g_config_index = 0;
+static int g_state_index = 0;
 
 static bool SetConfigPtr(SSL *ssl, const TestConfig *config) {
-  return SSL_set_ex_data(ssl, g_ex_data_index, (void *)config) == 1;
+  return SSL_set_ex_data(ssl, g_config_index, (void *)config) == 1;
 }
 
-static const TestConfig *GetConfigPtr(SSL *ssl) {
-  return (const TestConfig *)SSL_get_ex_data(ssl, g_ex_data_index);
+static const TestConfig *GetConfigPtr(const SSL *ssl) {
+  return (const TestConfig *)SSL_get_ex_data(ssl, g_config_index);
 }
 
-static EVP_PKEY *LoadPrivateKey(const std::string &file) {
-  BIO *bio = BIO_new(BIO_s_file());
-  if (bio == NULL) {
-    return NULL;
+static bool SetTestState(SSL *ssl, std::unique_ptr<TestState> async) {
+  if (SSL_set_ex_data(ssl, g_state_index, (void *)async.get()) == 1) {
+    async.release();
+    return true;
   }
-  if (!BIO_read_filename(bio, file.c_str())) {
-    BIO_free(bio);
-    return NULL;
+  return false;
+}
+
+static TestState *GetTestState(const SSL *ssl) {
+  return (TestState *)SSL_get_ex_data(ssl, g_state_index);
+}
+
+static ScopedEVP_PKEY LoadPrivateKey(const std::string &file) {
+  ScopedBIO bio(BIO_new(BIO_s_file()));
+  if (!bio || !BIO_read_filename(bio.get(), file.c_str())) {
+    return nullptr;
   }
-  EVP_PKEY *pkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
-  BIO_free(bio);
+  ScopedEVP_PKEY pkey(PEM_read_bio_PrivateKey(bio.get(), NULL, NULL, NULL));
   return pkey;
 }
 
-static int early_callback_called = 0;
-
-static int select_certificate_callback(const struct ssl_early_callback_ctx *ctx) {
-  early_callback_called = 1;
+static bool InstallCertificate(SSL *ssl) {
+  const TestConfig *config = GetConfigPtr(ssl);
+  if (!config->key_file.empty() &&
+      !SSL_use_PrivateKey_file(ssl, config->key_file.c_str(),
+                               SSL_FILETYPE_PEM)) {
+    return false;
+  }
+  if (!config->cert_file.empty() &&
+      !SSL_use_certificate_file(ssl, config->cert_file.c_str(),
+                                SSL_FILETYPE_PEM)) {
+    return false;
+  }
+  return true;
+}
 
+static int SelectCertificateCallback(const struct ssl_early_callback_ctx *ctx) {
   const TestConfig *config = GetConfigPtr(ctx->ssl);
+  GetTestState(ctx->ssl)->early_callback_called = true;
 
-  if (config->expected_server_name.empty()) {
-    return 1;
-  }
+  if (!config->expected_server_name.empty()) {
+    const uint8_t *extension_data;
+    size_t extension_len;
+    CBS extension, server_name_list, host_name;
+    uint8_t name_type;
+
+    if (!SSL_early_callback_ctx_extension_get(ctx, TLSEXT_TYPE_server_name,
+                                              &extension_data,
+                                              &extension_len)) {
+      fprintf(stderr, "Could not find server_name extension.\n");
+      return -1;
+    }
 
-  const uint8_t *extension_data;
-  size_t extension_len;
-  CBS extension, server_name_list, host_name;
-  uint8_t name_type;
+    CBS_init(&extension, extension_data, extension_len);
+    if (!CBS_get_u16_length_prefixed(&extension, &server_name_list) ||
+        CBS_len(&extension) != 0 ||
+        !CBS_get_u8(&server_name_list, &name_type) ||
+        name_type != TLSEXT_NAMETYPE_host_name ||
+        !CBS_get_u16_length_prefixed(&server_name_list, &host_name) ||
+        CBS_len(&server_name_list) != 0) {
+      fprintf(stderr, "Could not decode server_name extension.\n");
+      return -1;
+    }
 
-  if (!SSL_early_callback_ctx_extension_get(ctx, TLSEXT_TYPE_server_name,
-                                            &extension_data,
-                                            &extension_len)) {
-    fprintf(stderr, "Could not find server_name extension.\n");
-    return -1;
+    if (!CBS_mem_equal(&host_name,
+                       (const uint8_t*)config->expected_server_name.data(),
+                       config->expected_server_name.size())) {
+      fprintf(stderr, "Server name mismatch.\n");
+    }
   }
 
-  CBS_init(&extension, extension_data, extension_len);
-  if (!CBS_get_u16_length_prefixed(&extension, &server_name_list) ||
-      CBS_len(&extension) != 0 ||
-      !CBS_get_u8(&server_name_list, &name_type) ||
-      name_type != TLSEXT_NAMETYPE_host_name ||
-      !CBS_get_u16_length_prefixed(&server_name_list, &host_name) ||
-      CBS_len(&server_name_list) != 0) {
-    fprintf(stderr, "Could not decode server_name extension.\n");
+  if (config->fail_early_callback) {
     return -1;
   }
 
-  if (!CBS_mem_equal(&host_name,
-                     (const uint8_t*)config->expected_server_name.data(),
-                     config->expected_server_name.size())) {
-    fprintf(stderr, "Server name mismatch.\n");
+  // Install the certificate in the early callback.
+  if (config->use_early_callback) {
+    if (config->async) {
+      // Install the certificate asynchronously.
+      return 0;
+    }
+    if (!InstallCertificate(ctx->ssl)) {
+      return -1;
+    }
   }
-
   return 1;
 }
 
-static int skip_verify(int preverify_ok, X509_STORE_CTX *store_ctx) {
+static int SkipVerify(int preverify_ok, X509_STORE_CTX *store_ctx) {
   return 1;
 }
 
-static int next_protos_advertised_callback(SSL *ssl,
-                                           const uint8_t **out,
-                                           unsigned int *out_len,
-                                           void *arg) {
+static int NextProtosAdvertisedCallback(SSL *ssl, const uint8_t **out,
+                                        unsigned int *out_len, void *arg) {
   const TestConfig *config = GetConfigPtr(ssl);
-  if (config->advertise_npn.empty())
+  if (config->advertise_npn.empty()) {
     return SSL_TLSEXT_ERR_NOACK;
+  }
 
   *out = (const uint8_t*)config->advertise_npn.data();
   *out_len = config->advertise_npn.size();
   return SSL_TLSEXT_ERR_OK;
 }
 
-static int next_proto_select_callback(SSL* ssl,
-                                      uint8_t** out,
-                                      uint8_t* outlen,
-                                      const uint8_t* in,
-                                      unsigned inlen,
-                                      void* arg) {
+static int NextProtoSelectCallback(SSL* ssl, uint8_t** out, uint8_t* outlen,
+                                   const uint8_t* in, unsigned inlen, void* arg) {
   const TestConfig *config = GetConfigPtr(ssl);
-  if (config->select_next_proto.empty())
+  if (config->select_next_proto.empty()) {
     return SSL_TLSEXT_ERR_NOACK;
+  }
 
   *out = (uint8_t*)config->select_next_proto.data();
   *outlen = config->select_next_proto.size();
   return SSL_TLSEXT_ERR_OK;
 }
 
-static int alpn_select_callback(SSL* ssl,
-                                const uint8_t** out,
-                                uint8_t* outlen,
-                                const uint8_t* in,
-                                unsigned inlen,
-                                void* arg) {
+static int AlpnSelectCallback(SSL* ssl, const uint8_t** out, uint8_t* outlen,
+                              const uint8_t* in, unsigned inlen, void* arg) {
   const TestConfig *config = GetConfigPtr(ssl);
-  if (config->select_alpn.empty())
+  if (config->select_alpn.empty()) {
     return SSL_TLSEXT_ERR_NOACK;
+  }
 
   if (!config->expected_advertised_alpn.empty() &&
       (config->expected_advertised_alpn.size() != inlen ||
@@ -162,34 +244,10 @@ static int alpn_select_callback(SSL* ssl,
   return SSL_TLSEXT_ERR_OK;
 }
 
-static int cookie_generate_callback(SSL *ssl, uint8_t *cookie, size_t *cookie_len) {
-  if (*cookie_len < 32) {
-    fprintf(stderr, "Insufficient space for cookie\n");
-    return 0;
-  }
-  *cookie_len = 32;
-  memset(cookie, 42, *cookie_len);
-  return 1;
-}
-
-static int cookie_verify_callback(SSL *ssl, const uint8_t *cookie, size_t cookie_len) {
-  if (cookie_len != 32) {
-    fprintf(stderr, "Cookie length mismatch.\n");
-    return 0;
-  }
-  for (size_t i = 0; i < cookie_len; i++) {
-    if (cookie[i] != 42) {
-      fprintf(stderr, "Cookie mismatch.\n");
-      return 0;
-    }
-  }
-  return 1;
-}
-
-static unsigned psk_client_callback(SSL *ssl, const char *hint,
-                                    char *out_identity,
-                                    unsigned max_identity_len,
-                                    uint8_t *out_psk, unsigned max_psk_len) {
+static unsigned PskClientCallback(SSL *ssl, const char *hint,
+                                  char *out_identity,
+                                  unsigned max_identity_len,
+                                  uint8_t *out_psk, unsigned max_psk_len) {
   const TestConfig *config = GetConfigPtr(ssl);
 
   if (strcmp(hint ? hint : "", config->psk_identity.c_str()) != 0) {
@@ -210,8 +268,8 @@ static unsigned psk_client_callback(SSL *ssl, const char *hint,
   return config->psk.size();
 }
 
-static unsigned psk_server_callback(SSL *ssl, const char *identity,
-                                    uint8_t *out_psk, unsigned max_psk_len) {
+static unsigned PskServerCallback(SSL *ssl, const char *identity,
+                                  uint8_t *out_psk, unsigned max_psk_len) {
   const TestConfig *config = GetConfigPtr(ssl);
 
   if (strcmp(identity, config->psk_identity.c_str()) != 0) {
@@ -228,13 +286,124 @@ static unsigned psk_server_callback(SSL *ssl, const char *identity,
   return config->psk.size();
 }
 
-static SSL_CTX *setup_ctx(const TestConfig *config) {
-  SSL_CTX *ssl_ctx = NULL;
-  DH *dh = NULL;
+static void CurrentTimeCallback(const SSL *ssl, timeval *out_clock) {
+  *out_clock = GetTestState(ssl)->clock;
+}
 
-  ssl_ctx = SSL_CTX_new(config->is_dtls ? DTLS_method() : TLS_method());
-  if (ssl_ctx == NULL) {
-    goto err;
+static void ChannelIdCallback(SSL *ssl, EVP_PKEY **out_pkey) {
+  *out_pkey = GetTestState(ssl)->channel_id.release();
+}
+
+static int CertCallback(SSL *ssl, void *arg) {
+  if (!GetTestState(ssl)->cert_ready) {
+    return -1;
+  }
+  if (!InstallCertificate(ssl)) {
+    return 0;
+  }
+  return 1;
+}
+
+static SSL_SESSION *GetSessionCallback(SSL *ssl, uint8_t *data, int len,
+                                       int *copy) {
+  TestState *async_state = GetTestState(ssl);
+  if (async_state->session) {
+    *copy = 0;
+    return async_state->session.release();
+  } else if (async_state->pending_session) {
+    return SSL_magic_pending_session_ptr();
+  } else {
+    return NULL;
+  }
+}
+
+static int DDoSCallback(const struct ssl_early_callback_ctx *early_context) {
+  const TestConfig *config = GetConfigPtr(early_context->ssl);
+  static int callback_num = 0;
+
+  callback_num++;
+  if (config->fail_ddos_callback ||
+      (config->fail_second_ddos_callback && callback_num == 2)) {
+    return 0;
+  }
+  return 1;
+}
+
+static void InfoCallback(const SSL *ssl, int type, int val) {
+  if (type == SSL_CB_HANDSHAKE_DONE) {
+    if (GetConfigPtr(ssl)->handshake_never_done) {
+      fprintf(stderr, "handshake completed\n");
+      // Abort before any expected error code is printed, to ensure the overall
+      // test fails.
+      abort();
+    }
+    GetTestState(ssl)->handshake_done = true;
+  }
+}
+
+// Connect returns a new socket connected to localhost on |port| or -1 on
+// error.
+static int Connect(uint16_t port) {
+  int sock = socket(AF_INET, SOCK_STREAM, 0);
+  if (sock == -1) {
+    PrintSocketError("socket");
+    return -1;
+  }
+  int nodelay = 1;
+  if (setsockopt(sock, IPPROTO_TCP, TCP_NODELAY,
+          reinterpret_cast<const char*>(&nodelay), sizeof(nodelay)) != 0) {
+    PrintSocketError("setsockopt");
+    closesocket(sock);
+    return -1;
+  }
+  sockaddr_in sin;
+  memset(&sin, 0, sizeof(sin));
+  sin.sin_family = AF_INET;
+  sin.sin_port = htons(port);
+  if (!inet_pton(AF_INET, "127.0.0.1", &sin.sin_addr)) {
+    PrintSocketError("inet_pton");
+    closesocket(sock);
+    return -1;
+  }
+  if (connect(sock, reinterpret_cast<const sockaddr*>(&sin),
+              sizeof(sin)) != 0) {
+    PrintSocketError("connect");
+    closesocket(sock);
+    return -1;
+  }
+  return sock;
+}
+
+class SocketCloser {
+ public:
+  explicit SocketCloser(int sock) : sock_(sock) {}
+  ~SocketCloser() {
+    // Half-close and drain the socket before releasing it. This seems to be
+    // necessary for graceful shutdown on Windows. It will also avoid write
+    // failures in the test runner.
+#if defined(OPENSSL_WINDOWS)
+    shutdown(sock_, SD_SEND);
+#else
+    shutdown(sock_, SHUT_WR);
+#endif
+    while (true) {
+      char buf[1024];
+      if (recv(sock_, buf, sizeof(buf), 0) <= 0) {
+        break;
+      }
+    }
+    closesocket(sock_);
+  }
+
+ private:
+  const int sock_;
+};
+
+static ScopedSSL_CTX SetupCtx(const TestConfig *config) {
+  ScopedSSL_CTX ssl_ctx(SSL_CTX_new(
+      config->is_dtls ? DTLS_method() : TLS_method()));
+  if (!ssl_ctx) {
+    return nullptr;
   }
 
   if (config->is_dtls) {
@@ -242,376 +411,473 @@ static SSL_CTX *setup_ctx(const TestConfig *config) {
     //
     // TODO(davidben): this should not be necessary. DTLS code should only
     // expect a datagram BIO.
-    SSL_CTX_set_read_ahead(ssl_ctx, 1);
+    SSL_CTX_set_read_ahead(ssl_ctx.get(), 1);
   }
 
-  if (!SSL_CTX_set_ecdh_auto(ssl_ctx, 1)) {
-    goto err;
+  if (!SSL_CTX_set_cipher_list(ssl_ctx.get(), "ALL")) {
+    return nullptr;
   }
 
-  if (!SSL_CTX_set_cipher_list(ssl_ctx, "ALL")) {
-    goto err;
+  ScopedDH dh(DH_get_2048_256(NULL));
+  if (!dh || !SSL_CTX_set_tmp_dh(ssl_ctx.get(), dh.get())) {
+    return nullptr;
   }
 
-  dh = DH_get_2048_256(NULL);
-  if (dh == NULL ||
-      !SSL_CTX_set_tmp_dh(ssl_ctx, dh)) {
-    goto err;
+  if (config->async && config->is_server) {
+    // Disable the internal session cache. To test asynchronous session lookup,
+    // we use an external session cache.
+    SSL_CTX_set_session_cache_mode(
+        ssl_ctx.get(), SSL_SESS_CACHE_BOTH | SSL_SESS_CACHE_NO_INTERNAL);
+    SSL_CTX_sess_set_get_cb(ssl_ctx.get(), GetSessionCallback);
+  } else {
+    SSL_CTX_set_session_cache_mode(ssl_ctx.get(), SSL_SESS_CACHE_BOTH);
   }
 
-  SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_BOTH);
-
-  ssl_ctx->select_certificate_cb = select_certificate_callback;
+  ssl_ctx->select_certificate_cb = SelectCertificateCallback;
 
   SSL_CTX_set_next_protos_advertised_cb(
-      ssl_ctx, next_protos_advertised_callback, NULL);
+      ssl_ctx.get(), NextProtosAdvertisedCallback, NULL);
   if (!config->select_next_proto.empty()) {
-    SSL_CTX_set_next_proto_select_cb(ssl_ctx, next_proto_select_callback, NULL);
+    SSL_CTX_set_next_proto_select_cb(ssl_ctx.get(), NextProtoSelectCallback,
+                                     NULL);
   }
 
   if (!config->select_alpn.empty()) {
-    SSL_CTX_set_alpn_select_cb(ssl_ctx, alpn_select_callback, NULL);
+    SSL_CTX_set_alpn_select_cb(ssl_ctx.get(), AlpnSelectCallback, NULL);
   }
 
-  SSL_CTX_set_cookie_generate_cb(ssl_ctx, cookie_generate_callback);
-  SSL_CTX_set_cookie_verify_cb(ssl_ctx, cookie_verify_callback);
-
   ssl_ctx->tlsext_channel_id_enabled_new = 1;
+  SSL_CTX_set_channel_id_cb(ssl_ctx.get(), ChannelIdCallback);
 
-  DH_free(dh);
-  return ssl_ctx;
+  ssl_ctx->current_time_cb = CurrentTimeCallback;
 
- err:
-  if (dh != NULL) {
-    DH_free(dh);
-  }
-  if (ssl_ctx != NULL) {
-    SSL_CTX_free(ssl_ctx);
-  }
-  return NULL;
+  SSL_CTX_set_info_callback(ssl_ctx.get(), InfoCallback);
+
+  return ssl_ctx;
 }
 
-static int retry_async(SSL *ssl, int ret, BIO *bio) {
+// RetryAsync is called after a failed operation on |ssl| with return code
+// |ret|. If the operation should be retried, it simulates one asynchronous
+// event and returns true. Otherwise it returns false.
+static bool RetryAsync(SSL *ssl, int ret) {
   // No error; don't retry.
   if (ret >= 0) {
-    return 0;
+    return false;
+  }
+
+  TestState *test_state = GetTestState(ssl);
+  if (test_state->clock_delta.tv_usec != 0 ||
+      test_state->clock_delta.tv_sec != 0) {
+    // Process the timeout and retry.
+    test_state->clock.tv_usec += test_state->clock_delta.tv_usec;
+    test_state->clock.tv_sec += test_state->clock.tv_usec / 1000000;
+    test_state->clock.tv_usec %= 1000000;
+    test_state->clock.tv_sec += test_state->clock_delta.tv_sec;
+    memset(&test_state->clock_delta, 0, sizeof(test_state->clock_delta));
+
+    if (DTLSv1_handle_timeout(ssl) < 0) {
+      fprintf(stderr, "Error retransmitting.\n");
+      return false;
+    }
+    return true;
   }
+
   // See if we needed to read or write more. If so, allow one byte through on
   // the appropriate end to maximally stress the state machine.
-  int err = SSL_get_error(ssl, ret);
-  if (err == SSL_ERROR_WANT_READ) {
-    async_bio_allow_read(bio, 1);
-    return 1;
-  } else if (err == SSL_ERROR_WANT_WRITE) {
-    async_bio_allow_write(bio, 1);
-    return 1;
+  switch (SSL_get_error(ssl, ret)) {
+    case SSL_ERROR_WANT_READ:
+      AsyncBioAllowRead(test_state->async_bio, 1);
+      return true;
+    case SSL_ERROR_WANT_WRITE:
+      AsyncBioAllowWrite(test_state->async_bio, 1);
+      return true;
+    case SSL_ERROR_WANT_CHANNEL_ID_LOOKUP: {
+      ScopedEVP_PKEY pkey = LoadPrivateKey(GetConfigPtr(ssl)->send_channel_id);
+      if (!pkey) {
+        return false;
+      }
+      test_state->channel_id = std::move(pkey);
+      return true;
+    }
+    case SSL_ERROR_WANT_X509_LOOKUP:
+      test_state->cert_ready = true;
+      return true;
+    case SSL_ERROR_PENDING_SESSION:
+      test_state->session = std::move(test_state->pending_session);
+      return true;
+    case SSL_ERROR_PENDING_CERTIFICATE:
+      // The handshake will resume without a second call to the early callback.
+      return InstallCertificate(ssl);
+    default:
+      return false;
   }
-  return 0;
 }
 
-static int do_exchange(SSL_SESSION **out_session,
-                       SSL_CTX *ssl_ctx,
-                       const TestConfig *config,
-                       bool is_resume,
-                       int fd,
-                       SSL_SESSION *session) {
-  early_callback_called = 0;
+// DoRead reads from |ssl|, resolving any asynchronous operations. It returns
+// the result value of the final |SSL_read| call.
+static int DoRead(SSL *ssl, uint8_t *out, size_t max_out) {
+  const TestConfig *config = GetConfigPtr(ssl);
+  int ret;
+  do {
+    ret = SSL_read(ssl, out, max_out);
+  } while (config->async && RetryAsync(ssl, ret));
+  return ret;
+}
 
-  SSL *ssl = SSL_new(ssl_ctx);
-  if (ssl == NULL) {
-    BIO_print_errors_fp(stdout);
-    return 1;
-  }
+// WriteAll writes |in_len| bytes from |in| to |ssl|, resolving any asynchronous
+// operations. It returns the result of the final |SSL_write| call.
+static int WriteAll(SSL *ssl, const uint8_t *in, size_t in_len) {
+  const TestConfig *config = GetConfigPtr(ssl);
+  int ret;
+  do {
+    ret = SSL_write(ssl, in, in_len);
+    if (ret > 0) {
+      in += ret;
+      in_len -= ret;
+    }
+  } while ((config->async && RetryAsync(ssl, ret)) || (ret > 0 && in_len > 0));
+  return ret;
+}
 
-  if (!SetConfigPtr(ssl, config)) {
-    BIO_print_errors_fp(stdout);
-    return 1;
+// DoExchange runs a test SSL exchange against the peer. On success, it returns
+// true and sets |*out_session| to the negotiated SSL session. If the test is a
+// resumption attempt, |is_resume| is true and |session| is the session from the
+// previous exchange.
+static bool DoExchange(ScopedSSL_SESSION *out_session, SSL_CTX *ssl_ctx,
+                       const TestConfig *config, bool is_resume,
+                       SSL_SESSION *session) {
+  ScopedSSL ssl(SSL_new(ssl_ctx));
+  if (!ssl) {
+    return false;
   }
 
-  if (config->fallback_scsv) {
-    if (!SSL_enable_fallback_scsv(ssl)) {
-      BIO_print_errors_fp(stdout);
-      return 1;
-    }
+  if (!SetConfigPtr(ssl.get(), config) ||
+      !SetTestState(ssl.get(), std::unique_ptr<TestState>(new TestState))) {
+    return false;
   }
-  if (!config->key_file.empty()) {
-    if (!SSL_use_PrivateKey_file(ssl, config->key_file.c_str(),
-                                 SSL_FILETYPE_PEM)) {
-      BIO_print_errors_fp(stdout);
-      return 1;
-    }
+
+  if (config->fallback_scsv &&
+      !SSL_set_mode(ssl.get(), SSL_MODE_SEND_FALLBACK_SCSV)) {
+    return false;
   }
-  if (!config->cert_file.empty()) {
-    if (!SSL_use_certificate_file(ssl, config->cert_file.c_str(),
-                                  SSL_FILETYPE_PEM)) {
-      BIO_print_errors_fp(stdout);
-      return 1;
+  if (!config->use_early_callback) {
+    if (config->async) {
+      // TODO(davidben): Also test |s->ctx->client_cert_cb| on the client.
+      SSL_set_cert_cb(ssl.get(), CertCallback, NULL);
+    } else if (!InstallCertificate(ssl.get())) {
+      return false;
     }
   }
   if (config->require_any_client_certificate) {
-    SSL_set_verify(ssl, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
-                   skip_verify);
+    SSL_set_verify(ssl.get(), SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+                   SkipVerify);
   }
   if (config->false_start) {
-    SSL_set_mode(ssl, SSL_MODE_HANDSHAKE_CUTTHROUGH);
+    SSL_set_mode(ssl.get(), SSL_MODE_ENABLE_FALSE_START);
   }
   if (config->cbc_record_splitting) {
-    SSL_set_mode(ssl, SSL_MODE_CBC_RECORD_SPLITTING);
+    SSL_set_mode(ssl.get(), SSL_MODE_CBC_RECORD_SPLITTING);
   }
   if (config->partial_write) {
-    SSL_set_mode(ssl, SSL_MODE_ENABLE_PARTIAL_WRITE);
+    SSL_set_mode(ssl.get(), SSL_MODE_ENABLE_PARTIAL_WRITE);
   }
   if (config->no_tls12) {
-    SSL_set_options(ssl, SSL_OP_NO_TLSv1_2);
+    SSL_set_options(ssl.get(), SSL_OP_NO_TLSv1_2);
   }
   if (config->no_tls11) {
-    SSL_set_options(ssl, SSL_OP_NO_TLSv1_1);
+    SSL_set_options(ssl.get(), SSL_OP_NO_TLSv1_1);
   }
   if (config->no_tls1) {
-    SSL_set_options(ssl, SSL_OP_NO_TLSv1);
+    SSL_set_options(ssl.get(), SSL_OP_NO_TLSv1);
   }
   if (config->no_ssl3) {
-    SSL_set_options(ssl, SSL_OP_NO_SSLv3);
-  }
-  if (config->cookie_exchange) {
-    SSL_set_options(ssl, SSL_OP_COOKIE_EXCHANGE);
+    SSL_set_options(ssl.get(), SSL_OP_NO_SSLv3);
   }
   if (config->tls_d5_bug) {
-    SSL_set_options(ssl, SSL_OP_TLS_D5_BUG);
+    SSL_set_options(ssl.get(), SSL_OP_TLS_D5_BUG);
   }
   if (config->allow_unsafe_legacy_renegotiation) {
-    SSL_set_options(ssl, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+    SSL_set_options(ssl.get(), SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
   }
   if (!config->expected_channel_id.empty()) {
-    SSL_enable_tls_channel_id(ssl);
+    SSL_enable_tls_channel_id(ssl.get());
   }
   if (!config->send_channel_id.empty()) {
-    EVP_PKEY *pkey = LoadPrivateKey(config->send_channel_id);
-    if (pkey == NULL) {
-      BIO_print_errors_fp(stdout);
-      return 1;
-    }
-    SSL_enable_tls_channel_id(ssl);
-    if (!SSL_set1_tls_channel_id(ssl, pkey)) {
-      EVP_PKEY_free(pkey);
-      BIO_print_errors_fp(stdout);
-      return 1;
+    SSL_enable_tls_channel_id(ssl.get());
+    if (!config->async) {
+      // The async case will be supplied by |ChannelIdCallback|.
+      ScopedEVP_PKEY pkey = LoadPrivateKey(config->send_channel_id);
+      if (!pkey || !SSL_set1_tls_channel_id(ssl.get(), pkey.get())) {
+        return false;
+      }
     }
-    EVP_PKEY_free(pkey);
   }
-  if (!config->host_name.empty()) {
-    SSL_set_tlsext_host_name(ssl, config->host_name.c_str());
+  if (!config->host_name.empty() &&
+      !SSL_set_tlsext_host_name(ssl.get(), config->host_name.c_str())) {
+    return false;
   }
-  if (!config->advertise_alpn.empty()) {
-    SSL_set_alpn_protos(ssl, (const uint8_t *)config->advertise_alpn.data(),
-                        config->advertise_alpn.size());
+  if (!config->advertise_alpn.empty() &&
+      SSL_set_alpn_protos(ssl.get(),
+                          (const uint8_t *)config->advertise_alpn.data(),
+                          config->advertise_alpn.size()) != 0) {
+    return false;
   }
   if (!config->psk.empty()) {
-    SSL_set_psk_client_callback(ssl, psk_client_callback);
-    SSL_set_psk_server_callback(ssl, psk_server_callback);
+    SSL_set_psk_client_callback(ssl.get(), PskClientCallback);
+    SSL_set_psk_server_callback(ssl.get(), PskServerCallback);
   }
   if (!config->psk_identity.empty() &&
-      !SSL_use_psk_identity_hint(ssl, config->psk_identity.c_str())) {
-    BIO_print_errors_fp(stdout);
-    return 1;
+      !SSL_use_psk_identity_hint(ssl.get(), config->psk_identity.c_str())) {
+    return false;
   }
   if (!config->srtp_profiles.empty() &&
-      !SSL_set_srtp_profiles(ssl, config->srtp_profiles.c_str())) {
-    BIO_print_errors_fp(stdout);
-    return 1;
+      !SSL_set_srtp_profiles(ssl.get(), config->srtp_profiles.c_str())) {
+    return false;
   }
   if (config->enable_ocsp_stapling &&
-      !SSL_enable_ocsp_stapling(ssl)) {
-    BIO_print_errors_fp(stdout);
-    return 1;
+      !SSL_enable_ocsp_stapling(ssl.get())) {
+    return false;
   }
   if (config->enable_signed_cert_timestamps &&
-      !SSL_enable_signed_cert_timestamps(ssl)) {
-    BIO_print_errors_fp(stdout);
-    return 1;
+      !SSL_enable_signed_cert_timestamps(ssl.get())) {
+    return false;
   }
-  SSL_enable_fastradio_padding(ssl, config->fastradio_padding);
+  SSL_enable_fastradio_padding(ssl.get(), config->fastradio_padding);
   if (config->min_version != 0) {
-    SSL_set_min_version(ssl, (uint16_t)config->min_version);
+    SSL_set_min_version(ssl.get(), (uint16_t)config->min_version);
   }
   if (config->max_version != 0) {
-    SSL_set_max_version(ssl, (uint16_t)config->max_version);
+    SSL_set_max_version(ssl.get(), (uint16_t)config->max_version);
   }
   if (config->mtu != 0) {
-    SSL_set_options(ssl, SSL_OP_NO_QUERY_MTU);
-    SSL_set_mtu(ssl, config->mtu);
+    SSL_set_options(ssl.get(), SSL_OP_NO_QUERY_MTU);
+    SSL_set_mtu(ssl.get(), config->mtu);
+  }
+  if (config->install_ddos_callback) {
+    SSL_CTX_set_dos_protection_cb(ssl_ctx, DDoSCallback);
+  }
+  if (!config->cipher.empty() &&
+      !SSL_set_cipher_list(ssl.get(), config->cipher.c_str())) {
+    return false;
+  }
+  if (config->reject_peer_renegotiations) {
+    SSL_set_reject_peer_renegotiations(ssl.get(), 1);
   }
 
-  BIO *bio = BIO_new_fd(fd, 1 /* take ownership */);
-  if (bio == NULL) {
-    BIO_print_errors_fp(stdout);
-    return 1;
+  int sock = Connect(config->port);
+  if (sock == -1) {
+    return false;
+  }
+  SocketCloser closer(sock);
+
+  ScopedBIO bio(BIO_new_socket(sock, BIO_NOCLOSE));
+  if (!bio) {
+    return false;
   }
   if (config->is_dtls) {
-    BIO *packeted = packeted_bio_create();
-    BIO_push(packeted, bio);
-    bio = packeted;
+    ScopedBIO packeted =
+        PacketedBioCreate(&GetTestState(ssl.get())->clock_delta);
+    BIO_push(packeted.get(), bio.release());
+    bio = std::move(packeted);
   }
   if (config->async) {
-    BIO *async =
-        config->is_dtls ? async_bio_create_datagram() : async_bio_create();
-    BIO_push(async, bio);
-    bio = async;
+    ScopedBIO async_scoped =
+        config->is_dtls ? AsyncBioCreateDatagram() : AsyncBioCreate();
+    BIO_push(async_scoped.get(), bio.release());
+    GetTestState(ssl.get())->async_bio = async_scoped.get();
+    bio = std::move(async_scoped);
   }
-  SSL_set_bio(ssl, bio, bio);
+  SSL_set_bio(ssl.get(), bio.get(), bio.get());
+  bio.release();  // SSL_set_bio takes ownership.
 
   if (session != NULL) {
-    if (SSL_set_session(ssl, session) != 1) {
-      fprintf(stderr, "failed to set session\n");
-      return 2;
+    if (!config->is_server) {
+      if (SSL_set_session(ssl.get(), session) != 1) {
+        return false;
+      }
+    } else if (config->async) {
+      // The internal session cache is disabled, so install the session
+      // manually.
+      GetTestState(ssl.get())->pending_session.reset(
+          SSL_SESSION_up_ref(session));
     }
   }
 
   int ret;
-  do {
+  if (config->implicit_handshake) {
     if (config->is_server) {
-      ret = SSL_accept(ssl);
+      SSL_set_accept_state(ssl.get());
     } else {
-      ret = SSL_connect(ssl);
+      SSL_set_connect_state(ssl.get());
+    }
+  } else {
+    do {
+      if (config->is_server) {
+        ret = SSL_accept(ssl.get());
+      } else {
+        ret = SSL_connect(ssl.get());
+      }
+    } while (config->async && RetryAsync(ssl.get(), ret));
+    if (ret != 1) {
+      return false;
     }
-  } while (config->async && retry_async(ssl, ret, bio));
-  if (ret != 1) {
-    SSL_free(ssl);
-    BIO_print_errors_fp(stdout);
-    return 2;
-  }
 
-  if (is_resume && (!!SSL_session_reused(ssl) == config->expect_session_miss)) {
-    fprintf(stderr, "session was%s reused\n",
-            SSL_session_reused(ssl) ? "" : " not");
-    return 2;
-  }
+    if (is_resume &&
+        (!!SSL_session_reused(ssl.get()) == config->expect_session_miss)) {
+      fprintf(stderr, "session was%s reused\n",
+              SSL_session_reused(ssl.get()) ? "" : " not");
+      return false;
+    }
 
-  if (!config->expected_server_name.empty()) {
-    const char *server_name =
-        SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
-    if (server_name != config->expected_server_name) {
-      fprintf(stderr, "servername mismatch (got %s; want %s)\n",
-              server_name, config->expected_server_name.c_str());
-      return 2;
+    bool expect_handshake_done = is_resume || !config->false_start;
+    if (expect_handshake_done != GetTestState(ssl.get())->handshake_done) {
+      fprintf(stderr, "handshake was%s completed\n",
+              GetTestState(ssl.get())->handshake_done ? "" : " not");
+      return false;
     }
 
-    if (!early_callback_called) {
+    if (config->is_server && !GetTestState(ssl.get())->early_callback_called) {
       fprintf(stderr, "early callback not called\n");
-      return 2;
+      return false;
     }
-  }
 
-  if (!config->expected_certificate_types.empty()) {
-    uint8_t *certificate_types;
-    int num_certificate_types =
-        SSL_get0_certificate_types(ssl, &certificate_types);
-    if (num_certificate_types !=
-        (int)config->expected_certificate_types.size() ||
-        memcmp(certificate_types,
-               config->expected_certificate_types.data(),
-               num_certificate_types) != 0) {
-      fprintf(stderr, "certificate types mismatch\n");
-      return 2;
+    if (!config->expected_server_name.empty()) {
+      const char *server_name =
+        SSL_get_servername(ssl.get(), TLSEXT_NAMETYPE_host_name);
+      if (server_name != config->expected_server_name) {
+        fprintf(stderr, "servername mismatch (got %s; want %s)\n",
+                server_name, config->expected_server_name.c_str());
+        return false;
+      }
     }
-  }
 
-  if (!config->expected_next_proto.empty()) {
-    const uint8_t *next_proto;
-    unsigned next_proto_len;
-    SSL_get0_next_proto_negotiated(ssl, &next_proto, &next_proto_len);
-    if (next_proto_len != config->expected_next_proto.size() ||
-        memcmp(next_proto, config->expected_next_proto.data(),
-               next_proto_len) != 0) {
-      fprintf(stderr, "negotiated next proto mismatch\n");
-      return 2;
+    if (!config->expected_certificate_types.empty()) {
+      uint8_t *certificate_types;
+      int num_certificate_types =
+        SSL_get0_certificate_types(ssl.get(), &certificate_types);
+      if (num_certificate_types !=
+          (int)config->expected_certificate_types.size() ||
+          memcmp(certificate_types,
+                 config->expected_certificate_types.data(),
+                 num_certificate_types) != 0) {
+        fprintf(stderr, "certificate types mismatch\n");
+        return false;
+      }
     }
-  }
 
-  if (!config->expected_alpn.empty()) {
-    const uint8_t *alpn_proto;
-    unsigned alpn_proto_len;
-    SSL_get0_alpn_selected(ssl, &alpn_proto, &alpn_proto_len);
-    if (alpn_proto_len != config->expected_alpn.size() ||
-        memcmp(alpn_proto, config->expected_alpn.data(),
-               alpn_proto_len) != 0) {
-      fprintf(stderr, "negotiated alpn proto mismatch\n");
-      return 2;
+    if (!config->expected_next_proto.empty()) {
+      const uint8_t *next_proto;
+      unsigned next_proto_len;
+      SSL_get0_next_proto_negotiated(ssl.get(), &next_proto, &next_proto_len);
+      if (next_proto_len != config->expected_next_proto.size() ||
+          memcmp(next_proto, config->expected_next_proto.data(),
+                 next_proto_len) != 0) {
+        fprintf(stderr, "negotiated next proto mismatch\n");
+        return false;
+      }
     }
-  }
 
-  if (!config->expected_channel_id.empty()) {
-    uint8_t channel_id[64];
-    if (!SSL_get_tls_channel_id(ssl, channel_id, sizeof(channel_id))) {
-      fprintf(stderr, "no channel id negotiated\n");
-      return 2;
+    if (!config->expected_alpn.empty()) {
+      const uint8_t *alpn_proto;
+      unsigned alpn_proto_len;
+      SSL_get0_alpn_selected(ssl.get(), &alpn_proto, &alpn_proto_len);
+      if (alpn_proto_len != config->expected_alpn.size() ||
+          memcmp(alpn_proto, config->expected_alpn.data(),
+                 alpn_proto_len) != 0) {
+        fprintf(stderr, "negotiated alpn proto mismatch\n");
+        return false;
+      }
     }
-    if (config->expected_channel_id.size() != 64 ||
-        memcmp(config->expected_channel_id.data(),
-               channel_id, 64) != 0) {
-      fprintf(stderr, "channel id mismatch\n");
-      return 2;
+
+    if (!config->expected_channel_id.empty()) {
+      uint8_t channel_id[64];
+      if (!SSL_get_tls_channel_id(ssl.get(), channel_id, sizeof(channel_id))) {
+        fprintf(stderr, "no channel id negotiated\n");
+        return false;
+      }
+      if (config->expected_channel_id.size() != 64 ||
+          memcmp(config->expected_channel_id.data(),
+                 channel_id, 64) != 0) {
+        fprintf(stderr, "channel id mismatch\n");
+        return false;
+      }
     }
-  }
 
-  if (config->expect_extended_master_secret) {
-    if (!ssl->session->extended_master_secret) {
-      fprintf(stderr, "No EMS for session when expected");
-      return 2;
+    if (config->expect_extended_master_secret) {
+      if (!ssl->session->extended_master_secret) {
+        fprintf(stderr, "No EMS for session when expected");
+        return false;
+      }
     }
-  }
 
-  if (!config->expected_ocsp_response.empty()) {
-    const uint8_t *data;
-    size_t len;
-    SSL_get0_ocsp_response(ssl, &data, &len);
-    if (config->expected_ocsp_response.size() != len ||
-        memcmp(config->expected_ocsp_response.data(), data, len) != 0) {
-      fprintf(stderr, "OCSP response mismatch\n");
-      return 2;
+    if (!config->expected_ocsp_response.empty()) {
+      const uint8_t *data;
+      size_t len;
+      SSL_get0_ocsp_response(ssl.get(), &data, &len);
+      if (config->expected_ocsp_response.size() != len ||
+          memcmp(config->expected_ocsp_response.data(), data, len) != 0) {
+        fprintf(stderr, "OCSP response mismatch\n");
+        return false;
+      }
     }
-  }
 
-  if (!config->expected_signed_cert_timestamps.empty()) {
-    const uint8_t *data;
-    size_t len;
-    SSL_get0_signed_cert_timestamp_list(ssl, &data, &len);
-    if (config->expected_signed_cert_timestamps.size() != len ||
-        memcmp(config->expected_signed_cert_timestamps.data(),
-               data, len) != 0) {
-      fprintf(stderr, "SCT list mismatch\n");
-      return 2;
+    if (!config->expected_signed_cert_timestamps.empty()) {
+      const uint8_t *data;
+      size_t len;
+      SSL_get0_signed_cert_timestamp_list(ssl.get(), &data, &len);
+      if (config->expected_signed_cert_timestamps.size() != len ||
+          memcmp(config->expected_signed_cert_timestamps.data(),
+                 data, len) != 0) {
+        fprintf(stderr, "SCT list mismatch\n");
+        return false;
+      }
     }
   }
 
   if (config->renegotiate) {
     if (config->async) {
-      fprintf(stderr, "--renegotiate is not supported with --async.\n");
-      return 2;
+      fprintf(stderr, "-renegotiate is not supported with -async.\n");
+      return false;
+    }
+    if (config->implicit_handshake) {
+      fprintf(stderr, "-renegotiate is not supported with -implicit-handshake.\n");
+      return false;
     }
 
-    SSL_renegotiate(ssl);
+    SSL_renegotiate(ssl.get());
 
-    ret = SSL_do_handshake(ssl);
+    ret = SSL_do_handshake(ssl.get());
     if (ret != 1) {
-      SSL_free(ssl);
-      BIO_print_errors_fp(stdout);
-      return 2;
+      return false;
     }
 
-    SSL_set_state(ssl, SSL_ST_ACCEPT);
-    ret = SSL_do_handshake(ssl);
+    SSL_set_state(ssl.get(), SSL_ST_ACCEPT);
+    ret = SSL_do_handshake(ssl.get());
     if (ret != 1) {
-      SSL_free(ssl);
-      BIO_print_errors_fp(stdout);
-      return 2;
+      return false;
+    }
+  }
+
+  if (config->export_keying_material > 0) {
+    std::vector<uint8_t> result(
+        static_cast<size_t>(config->export_keying_material));
+    if (!SSL_export_keying_material(
+            ssl.get(), result.data(), result.size(),
+            config->export_label.data(), config->export_label.size(),
+            reinterpret_cast<const uint8_t*>(config->export_context.data()),
+            config->export_context.size(), config->use_export_context)) {
+      fprintf(stderr, "failed to export keying material\n");
+      return false;
+    }
+    if (WriteAll(ssl.get(), result.data(), result.size()) < 0) {
+      return false;
     }
   }
 
   if (config->write_different_record_sizes) {
     if (config->is_dtls) {
       fprintf(stderr, "write_different_record_sizes not supported for DTLS\n");
-      return 6;
+      return false;
     }
     // This mode writes a number of different record sizes in an attempt to
     // trip up the CBC record splitting code.
@@ -621,138 +887,123 @@ static int do_exchange(SSL_SESSION **out_session,
         0, 1, 255, 256, 257, 16383, 16384, 16385, 32767, 32768, 32769};
     for (size_t i = 0; i < sizeof(kRecordSizes) / sizeof(kRecordSizes[0]);
          i++) {
-      int w;
       const size_t len = kRecordSizes[i];
-      size_t off = 0;
-
       if (len > sizeof(buf)) {
         fprintf(stderr, "Bad kRecordSizes value.\n");
-        return 5;
+        return false;
       }
-
-      do {
-        w = SSL_write(ssl, buf + off, len - off);
-        if (w > 0) {
-          off += (size_t) w;
-        }
-      } while ((config->async && retry_async(ssl, w, bio)) ||
-               (w > 0 && off < len));
-
-      if (w < 0 || off != len) {
-        SSL_free(ssl);
-        BIO_print_errors_fp(stdout);
-        return 4;
+      if (WriteAll(ssl.get(), buf, len) < 0) {
+        return false;
       }
     }
   } else {
     if (config->shim_writes_first) {
-      int w;
-      do {
-        w = SSL_write(ssl, "hello", 5);
-      } while (config->async && retry_async(ssl, w, bio));
+      if (WriteAll(ssl.get(), reinterpret_cast<const uint8_t *>("hello"),
+                   5) < 0) {
+        return false;
+      }
     }
     for (;;) {
       uint8_t buf[512];
-      int n;
-      do {
-        n = SSL_read(ssl, buf, sizeof(buf));
-      } while (config->async && retry_async(ssl, n, bio));
-      int err = SSL_get_error(ssl, n);
+      int n = DoRead(ssl.get(), buf, sizeof(buf));
+      int err = SSL_get_error(ssl.get(), n);
       if (err == SSL_ERROR_ZERO_RETURN ||
           (n == 0 && err == SSL_ERROR_SYSCALL)) {
         if (n != 0) {
           fprintf(stderr, "Invalid SSL_get_error output\n");
-          return 3;
+          return false;
         }
-        /* Accept shutdowns with or without close_notify.
-         * TODO(davidben): Write tests which distinguish these two cases. */
+        // Accept shutdowns with or without close_notify.
+        // TODO(davidben): Write tests which distinguish these two cases.
         break;
       } else if (err != SSL_ERROR_NONE) {
         if (n > 0) {
           fprintf(stderr, "Invalid SSL_get_error output\n");
-          return 3;
+          return false;
         }
-        SSL_free(ssl);
-        BIO_print_errors_fp(stdout);
-        return 3;
+        return false;
       }
-      /* Successfully read data. */
+      // Successfully read data.
       if (n <= 0) {
         fprintf(stderr, "Invalid SSL_get_error output\n");
-        return 3;
+        return false;
       }
+
+      // After a successful read, with or without False Start, the handshake
+      // must be complete.
+      if (!GetTestState(ssl.get())->handshake_done) {
+        fprintf(stderr, "handshake was not completed after SSL_read\n");
+        return false;
+      }
+
       for (int i = 0; i < n; i++) {
         buf[i] ^= 0xff;
       }
-      int w;
-      do {
-        w = SSL_write(ssl, buf, n);
-      } while (config->async && retry_async(ssl, w, bio));
-      if (w != n) {
-        SSL_free(ssl);
-        BIO_print_errors_fp(stdout);
-        return 4;
+      if (WriteAll(ssl.get(), buf, n) < 0) {
+        return false;
       }
     }
   }
 
   if (out_session) {
-    *out_session = SSL_get1_session(ssl);
+    out_session->reset(SSL_get1_session(ssl.get()));
   }
 
-  SSL_shutdown(ssl);
-  SSL_free(ssl);
-  return 0;
+  SSL_shutdown(ssl.get());
+  return true;
 }
 
 int main(int argc, char **argv) {
-#if !defined(OPENSSL_WINDOWS)
+#if defined(OPENSSL_WINDOWS)
+  /* Initialize Winsock. */
+  WORD wsa_version = MAKEWORD(2, 2);
+  WSADATA wsa_data;
+  int wsa_err = WSAStartup(wsa_version, &wsa_data);
+  if (wsa_err != 0) {
+    fprintf(stderr, "WSAStartup failed: %d\n", wsa_err);
+    return 1;
+  }
+  if (wsa_data.wVersion != wsa_version) {
+    fprintf(stderr, "Didn't get expected version: %x\n", wsa_data.wVersion);
+    return 1;
+  }
+#else
   signal(SIGPIPE, SIG_IGN);
 #endif
 
   if (!SSL_library_init()) {
     return 1;
   }
-  g_ex_data_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
-  if (g_ex_data_index < 0) {
+  g_config_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
+  g_state_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, TestStateExFree);
+  if (g_config_index < 0 || g_state_index < 0) {
     return 1;
   }
 
   TestConfig config;
   if (!ParseConfig(argc - 1, argv + 1, &config)) {
-    return usage(argv[0]);
+    return Usage(argv[0]);
   }
 
-  SSL_CTX *ssl_ctx = setup_ctx(&config);
-  if (ssl_ctx == NULL) {
-    BIO_print_errors_fp(stdout);
+  ScopedSSL_CTX ssl_ctx = SetupCtx(&config);
+  if (!ssl_ctx) {
+    ERR_print_errors_fp(stderr);
     return 1;
   }
 
-  SSL_SESSION *session = NULL;
-  int ret = do_exchange(&session,
-                        ssl_ctx, &config,
-                        false /* is_resume */,
-                        3 /* fd */, NULL /* session */);
-  if (ret != 0) {
-    goto out;
+  ScopedSSL_SESSION session;
+  if (!DoExchange(&session, ssl_ctx.get(), &config, false /* is_resume */,
+                  NULL /* session */)) {
+    ERR_print_errors_fp(stderr);
+    return 1;
   }
 
-  if (config.resume) {
-    ret = do_exchange(NULL,
-                      ssl_ctx, &config,
-                      true /* is_resume */,
-                      4 /* fd */,
-                      config.is_server ? NULL : session);
-    if (ret != 0) {
-      goto out;
-    }
+  if (config.resume &&
+      !DoExchange(NULL, ssl_ctx.get(), &config, true /* is_resume */,
+                  session.get())) {
+    ERR_print_errors_fp(stderr);
+    return 1;
   }
 
-  ret = 0;
-
-out:
-  SSL_SESSION_free(session);
-  SSL_CTX_free(ssl_ctx);
-  return ret;
+  return 0;
 }
diff --git a/src/ssl/test/malloc.cc b/src/ssl/test/malloc.cc
index 6cc0b33..2ec5582 100644
--- a/src/ssl/test/malloc.cc
+++ b/src/ssl/test/malloc.cc
@@ -14,15 +14,24 @@
 
 #include <openssl/base.h>
 
+#if defined(__has_feature)
+#if __has_feature(address_sanitizer)
+#define OPENSSL_ASAN
+#endif
+#endif
+
 // This file isn't built on ARM or Aarch64 because we link statically in those
-// builds and trying to override malloc in a static link doesn't work.
-#if defined(__linux__) && !defined(OPENSSL_ARM) && !defined(OPENSSL_AARCH64)
+// builds and trying to override malloc in a static link doesn't work. It's also
+// disabled on ASan builds as this interferes with ASan's malloc interceptor.
+//
+// TODO(davidben): See if this and ASan's interceptors can be made to coexist.
+#if defined(__linux__) && !defined(OPENSSL_ARM) && \
+    !defined(OPENSSL_AARCH64) && !defined(OPENSSL_ASAN)
 
 #include <stdint.h>
+#include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
-#include <unistd.h>
-#include <stdio.h>
 
 #include <new>
 
@@ -127,4 +136,4 @@ void *realloc(void *ptr, size_t size) {
 
 }  // extern "C"
 
-#endif  /* defined(linux) && !ARM && !AARCH64 */
+#endif  /* defined(linux) && !ARM && !AARCH64 && !ASAN */
diff --git a/src/ssl/test/packeted_bio.cc b/src/ssl/test/packeted_bio.cc
index 93b2164..e831082 100644
--- a/src/ssl/test/packeted_bio.cc
+++ b/src/ssl/test/packeted_bio.cc
@@ -15,7 +15,8 @@
 #include "packeted_bio.h"
 
 #include <assert.h>
-#include <errno.h>
+#include <limits.h>
+#include <stdio.h>
 #include <string.h>
 
 #include <openssl/mem.h>
@@ -23,58 +24,135 @@
 
 namespace {
 
-extern const BIO_METHOD packeted_bio_method;
+extern const BIO_METHOD g_packeted_bio_method;
+
+const uint8_t kOpcodePacket = 'P';
+const uint8_t kOpcodeTimeout = 'T';
+const uint8_t kOpcodeTimeoutAck = 't';
+
+// ReadAll reads |len| bytes from |bio| into |out|. It returns 1 on success and
+// 0 or -1 on error.
+static int ReadAll(BIO *bio, uint8_t *out, size_t len) {
+  while (len > 0) {
+    int chunk_len = INT_MAX;
+    if (len <= INT_MAX) {
+      chunk_len = (int)len;
+    }
+    int ret = BIO_read(bio, out, chunk_len);
+    if (ret <= 0) {
+      return ret;
+    }
+    out += ret;
+    len -= ret;
+  }
+  return 1;
+}
 
-static int packeted_write(BIO *bio, const char *in, int inl) {
+static int PacketedWrite(BIO *bio, const char *in, int inl) {
   if (bio->next_bio == NULL) {
     return 0;
   }
 
   BIO_clear_retry_flags(bio);
 
-  // Write the length prefix.
-  uint8_t len_bytes[4];
-  len_bytes[0] = (inl >> 24) & 0xff;
-  len_bytes[1] = (inl >> 16) & 0xff;
-  len_bytes[2] = (inl >> 8) & 0xff;
-  len_bytes[3] = inl & 0xff;
-  int ret = BIO_write(bio->next_bio, len_bytes, sizeof(len_bytes));
+  // Write the header.
+  uint8_t header[5];
+  header[0] = kOpcodePacket;
+  header[1] = (inl >> 24) & 0xff;
+  header[2] = (inl >> 16) & 0xff;
+  header[3] = (inl >> 8) & 0xff;
+  header[4] = inl & 0xff;
+  int ret = BIO_write(bio->next_bio, header, sizeof(header));
   if (ret <= 0) {
     BIO_copy_next_retry(bio);
     return ret;
   }
 
-  // Write the buffer. BIOs for which this operation fails are not supported.
+  // Write the buffer.
   ret = BIO_write(bio->next_bio, in, inl);
+  if (ret < 0 || (inl > 0 && ret == 0)) {
+    BIO_copy_next_retry(bio);
+    return ret;
+  }
   assert(ret == inl);
   return ret;
 }
 
-static int packeted_read(BIO *bio, char *out, int outl) {
+static int PacketedRead(BIO *bio, char *out, int outl) {
   if (bio->next_bio == NULL) {
     return 0;
   }
 
   BIO_clear_retry_flags(bio);
 
+  // Read the opcode.
+  uint8_t opcode;
+  int ret = ReadAll(bio->next_bio, &opcode, sizeof(opcode));
+  if (ret <= 0) {
+    BIO_copy_next_retry(bio);
+    return ret;
+  }
+
+  if (opcode == kOpcodeTimeout) {
+    // Process the timeout.
+    uint8_t buf[8];
+    ret = ReadAll(bio->next_bio, buf, sizeof(buf));
+    if (ret <= 0) {
+      BIO_copy_next_retry(bio);
+      return ret;
+    }
+    uint64_t timeout = (static_cast<uint64_t>(buf[0]) << 56) |
+        (static_cast<uint64_t>(buf[1]) << 48) |
+        (static_cast<uint64_t>(buf[2]) << 40) |
+        (static_cast<uint64_t>(buf[3]) << 32) |
+        (static_cast<uint64_t>(buf[4]) << 24) |
+        (static_cast<uint64_t>(buf[5]) << 16) |
+        (static_cast<uint64_t>(buf[6]) << 8) |
+        static_cast<uint64_t>(buf[7]);
+    timeout /= 1000;  // Convert nanoseconds to microseconds.
+    timeval *out_timeout = reinterpret_cast<timeval *>(bio->ptr);
+    assert(out_timeout->tv_usec == 0);
+    assert(out_timeout->tv_sec == 0);
+    out_timeout->tv_usec = timeout % 1000000;
+    out_timeout->tv_sec = timeout / 1000000;
+
+    // Send an ACK to the peer.
+    ret = BIO_write(bio->next_bio, &kOpcodeTimeoutAck, 1);
+    if (ret <= 0) {
+      return ret;
+    }
+    assert(ret == 1);
+
+    // Signal to the caller to retry the read, after processing the
+    // new clock.
+    BIO_set_retry_read(bio);
+    return -1;
+  }
+
+  if (opcode != kOpcodePacket) {
+    fprintf(stderr, "Unknown opcode, %u\n", opcode);
+    return -1;
+  }
+
   // Read the length prefix.
   uint8_t len_bytes[4];
-  int ret = BIO_read(bio->next_bio, &len_bytes, sizeof(len_bytes));
+  ret = ReadAll(bio->next_bio, len_bytes, sizeof(len_bytes));
   if (ret <= 0) {
     BIO_copy_next_retry(bio);
     return ret;
   }
-  // BIOs for which a partial length comes back are not supported.
-  assert(ret == 4);
 
   uint32_t len = (len_bytes[0] << 24) | (len_bytes[1] << 16) |
       (len_bytes[2] << 8) | len_bytes[3];
-  char *buf = (char *)OPENSSL_malloc(len);
+  uint8_t *buf = (uint8_t *)OPENSSL_malloc(len);
   if (buf == NULL) {
     return -1;
   }
-  ret = BIO_read(bio->next_bio, buf, len);
-  assert(ret == (int)len);
+  ret = ReadAll(bio->next_bio, buf, len);
+  if (ret <= 0) {
+    fprintf(stderr, "Packeted BIO was truncated\n");
+    return -1;
+  }
 
   if (outl > (int)len) {
     outl = len;
@@ -84,7 +162,7 @@ static int packeted_read(BIO *bio, char *out, int outl) {
   return outl;
 }
 
-static long packeted_ctrl(BIO *bio, int cmd, long num, void *ptr) {
+static long PacketedCtrl(BIO *bio, int cmd, long num, void *ptr) {
   if (bio->next_bio == NULL) {
     return 0;
   }
@@ -94,12 +172,12 @@ static long packeted_ctrl(BIO *bio, int cmd, long num, void *ptr) {
   return ret;
 }
 
-static int packeted_new(BIO *bio) {
+static int PacketedNew(BIO *bio) {
   bio->init = 1;
   return 1;
 }
 
-static int packeted_free(BIO *bio) {
+static int PacketedFree(BIO *bio) {
   if (bio == NULL) {
     return 0;
   }
@@ -108,28 +186,33 @@ static int packeted_free(BIO *bio) {
   return 1;
 }
 
-static long packeted_callback_ctrl(BIO *bio, int cmd, bio_info_cb fp) {
+static long PacketedCallbackCtrl(BIO *bio, int cmd, bio_info_cb fp) {
   if (bio->next_bio == NULL) {
     return 0;
   }
   return BIO_callback_ctrl(bio->next_bio, cmd, fp);
 }
 
-const BIO_METHOD packeted_bio_method = {
+const BIO_METHOD g_packeted_bio_method = {
   BIO_TYPE_FILTER,
   "packeted bio",
-  packeted_write,
-  packeted_read,
+  PacketedWrite,
+  PacketedRead,
   NULL /* puts */,
   NULL /* gets */,
-  packeted_ctrl,
-  packeted_new,
-  packeted_free,
-  packeted_callback_ctrl,
+  PacketedCtrl,
+  PacketedNew,
+  PacketedFree,
+  PacketedCallbackCtrl,
 };
 
 }  // namespace
 
-BIO *packeted_bio_create() {
-  return BIO_new(&packeted_bio_method);
+ScopedBIO PacketedBioCreate(timeval *out_timeout) {
+  ScopedBIO bio(BIO_new(&g_packeted_bio_method));
+  if (!bio) {
+    return nullptr;
+  }
+  bio->ptr = out_timeout;
+  return bio;
 }
diff --git a/src/ssl/test/packeted_bio.h b/src/ssl/test/packeted_bio.h
index 384bd64..30697a5 100644
--- a/src/ssl/test/packeted_bio.h
+++ b/src/ssl/test/packeted_bio.h
@@ -15,18 +15,30 @@
 #ifndef HEADER_PACKETED_BIO
 #define HEADER_PACKETED_BIO
 
+#include <openssl/base.h>
 #include <openssl/bio.h>
 
+#include "../../crypto/test/scoped_types.h"
 
-// packeted_bio_create creates a filter BIO for testing protocols which expect
-// datagram BIOs. It implements a reliable datagram socket and reads and writes
-// packets by prefixing each packet with a big-endian 32-bit length. It must be
-// layered over a reliable blocking stream BIO.
+#if defined(OPENSSL_WINDOWS)
+#pragma warning(push, 3)
+#include <winsock2.h>
+#pragma warning(pop)
+#else
+#include <sys/types.h>
+#endif
+
+
+// PacketedBioCreate creates a filter BIO which implements a reliable in-order
+// blocking datagram socket. The resulting BIO, on |BIO_read|, may simulate a
+// timeout which sets |*out_timeout| to the timeout and fails the read.
+// |*out_timeout| must be zero on entry to |BIO_read|; it is an error to not
+// apply the timeout before the next |BIO_read|.
 //
-// Note: packeted_bio_create exists because a SOCK_DGRAM socketpair on OS X is
-// does not block the caller, unlike on Linux. Writes simply fail with
-// ENOBUFS. POSIX also does not guarantee that such sockets are reliable.
-BIO *packeted_bio_create();
+// Note: The read timeout simulation is intended to be used with the async BIO
+// wrapper. It doesn't simulate BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, used in DTLS's
+// blocking mode.
+ScopedBIO PacketedBioCreate(timeval *out_timeout);
 
 
 #endif  // HEADER_PACKETED_BIO
diff --git a/src/ssl/test/runner/chacha20_poly1305.go b/src/ssl/test/runner/chacha20_poly1305.go
new file mode 100644
index 0000000..42911d4
--- /dev/null
+++ b/src/ssl/test/runner/chacha20_poly1305.go
@@ -0,0 +1,159 @@
+package main
+
+import (
+	"crypto/cipher"
+	"crypto/subtle"
+	"encoding/binary"
+	"errors"
+)
+
+// See draft-agl-tls-chacha20poly1305-04 and
+// draft-irtf-cfrg-chacha20-poly1305-10. Where the two differ, the
+// draft-agl-tls-chacha20poly1305-04 variant is implemented.
+
+func leftRotate(a uint32, n uint) uint32 {
+	return (a << n) | (a >> (32 - n))
+}
+
+func chaChaQuarterRound(state *[16]uint32, a, b, c, d int) {
+	state[a] += state[b]
+	state[d] = leftRotate(state[d]^state[a], 16)
+
+	state[c] += state[d]
+	state[b] = leftRotate(state[b]^state[c], 12)
+
+	state[a] += state[b]
+	state[d] = leftRotate(state[d]^state[a], 8)
+
+	state[c] += state[d]
+	state[b] = leftRotate(state[b]^state[c], 7)
+}
+
+func chaCha20Block(state *[16]uint32, out []byte) {
+	var workingState [16]uint32
+	copy(workingState[:], state[:])
+	for i := 0; i < 10; i++ {
+		chaChaQuarterRound(&workingState, 0, 4, 8, 12)
+		chaChaQuarterRound(&workingState, 1, 5, 9, 13)
+		chaChaQuarterRound(&workingState, 2, 6, 10, 14)
+		chaChaQuarterRound(&workingState, 3, 7, 11, 15)
+		chaChaQuarterRound(&workingState, 0, 5, 10, 15)
+		chaChaQuarterRound(&workingState, 1, 6, 11, 12)
+		chaChaQuarterRound(&workingState, 2, 7, 8, 13)
+		chaChaQuarterRound(&workingState, 3, 4, 9, 14)
+	}
+	for i := 0; i < 16; i++ {
+		binary.LittleEndian.PutUint32(out[i*4:i*4+4], workingState[i]+state[i])
+	}
+}
+
+// sliceForAppend takes a slice and a requested number of bytes. It returns a
+// slice with the contents of the given slice followed by that many bytes and a
+// second slice that aliases into it and contains only the extra bytes. If the
+// original slice has sufficient capacity then no allocation is performed.
+func sliceForAppend(in []byte, n int) (head, tail []byte) {
+	if total := len(in) + n; cap(in) >= total {
+		head = in[:total]
+	} else {
+		head = make([]byte, total)
+		copy(head, in)
+	}
+	tail = head[len(in):]
+	return
+}
+
+type chaCha20Poly1305 struct {
+	key [32]byte
+}
+
+func newChaCha20Poly1305(key []byte) (cipher.AEAD, error) {
+	if len(key) != 32 {
+		return nil, errors.New("bad key length")
+	}
+	aead := new(chaCha20Poly1305)
+	copy(aead.key[:], key)
+	return aead, nil
+}
+
+func (c *chaCha20Poly1305) NonceSize() int { return 8 }
+func (c *chaCha20Poly1305) Overhead() int  { return 16 }
+
+func (c *chaCha20Poly1305) chaCha20(out, in, nonce []byte, counter uint64) {
+	var state [16]uint32
+	state[0] = 0x61707865
+	state[1] = 0x3320646e
+	state[2] = 0x79622d32
+	state[3] = 0x6b206574
+	for i := 0; i < 8; i++ {
+		state[4+i] = binary.LittleEndian.Uint32(c.key[i*4 : i*4+4])
+	}
+	state[14] = binary.LittleEndian.Uint32(nonce[0:4])
+	state[15] = binary.LittleEndian.Uint32(nonce[4:8])
+
+	for i := 0; i < len(in); i += 64 {
+		state[12] = uint32(counter & 0xffffffff)
+		state[13] = uint32(counter >> 32)
+
+		var tmp [64]byte
+		chaCha20Block(&state, tmp[:])
+		count := 64
+		if len(in)-i < count {
+			count = len(in) - i
+		}
+		for j := 0; j < count; j++ {
+			out[i+j] = in[i+j] ^ tmp[j]
+		}
+
+		counter++
+	}
+}
+
+func (c *chaCha20Poly1305) poly1305(tag *[16]byte, nonce, ciphertext, additionalData []byte) {
+	input := make([]byte, 0, len(additionalData)+8+len(ciphertext)+8)
+	input = append(input, additionalData...)
+	input, out := sliceForAppend(input, 8)
+	binary.LittleEndian.PutUint64(out, uint64(len(additionalData)))
+	input = append(input, ciphertext...)
+	input, out = sliceForAppend(input, 8)
+	binary.LittleEndian.PutUint64(out, uint64(len(ciphertext)))
+
+	var poly1305Key [32]byte
+	c.chaCha20(poly1305Key[:], poly1305Key[:], nonce, 0)
+
+	poly1305Sum(tag, input, &poly1305Key)
+}
+
+func (c *chaCha20Poly1305) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
+	if len(nonce) != 8 {
+		panic("Bad nonce length")
+	}
+
+	ret, out := sliceForAppend(dst, len(plaintext)+16)
+	c.chaCha20(out[:len(plaintext)], plaintext, nonce, 1)
+
+	var tag [16]byte
+	c.poly1305(&tag, nonce, out[:len(plaintext)], additionalData)
+	copy(out[len(plaintext):], tag[:])
+
+	return ret
+}
+
+func (c *chaCha20Poly1305) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
+	if len(nonce) != 8 {
+		panic("Bad nonce length")
+	}
+	if len(ciphertext) < 16 {
+		return nil, errors.New("chacha20: message authentication failed")
+	}
+	plaintextLen := len(ciphertext) - 16
+
+	var tag [16]byte
+	c.poly1305(&tag, nonce, ciphertext[:plaintextLen], additionalData)
+	if subtle.ConstantTimeCompare(tag[:], ciphertext[plaintextLen:]) != 1 {
+		return nil, errors.New("chacha20: message authentication failed")
+	}
+
+	ret, out := sliceForAppend(dst, plaintextLen)
+	c.chaCha20(out, ciphertext[:plaintextLen], nonce, 1)
+	return ret, nil
+}
diff --git a/src/ssl/test/runner/chacha20_poly1305_test.go b/src/ssl/test/runner/chacha20_poly1305_test.go
new file mode 100644
index 0000000..726f482
--- /dev/null
+++ b/src/ssl/test/runner/chacha20_poly1305_test.go
@@ -0,0 +1,99 @@
+package main
+
+import (
+	"bytes"
+	"encoding/hex"
+	"testing"
+)
+
+// See draft-irtf-cfrg-chacha20-poly1305-10, section 2.1.1.
+func TestChaChaQuarterRound(t *testing.T) {
+	state := [16]uint32{0x11111111, 0x01020304, 0x9b8d6f43, 0x01234567}
+	chaChaQuarterRound(&state, 0, 1, 2, 3)
+
+	a, b, c, d := state[0], state[1], state[2], state[3]
+	if a != 0xea2a92f4 || b != 0xcb1cf8ce || c != 0x4581472e || d != 0x5881c4bb {
+		t.Errorf("Incorrect results: %x", state)
+	}
+}
+
+// See draft-irtf-cfrg-chacha20-poly1305-10, section 2.2.1.
+func TestChaChaQuarterRoundState(t *testing.T) {
+	state := [16]uint32{
+		0x879531e0, 0xc5ecf37d, 0x516461b1, 0xc9a62f8a,
+		0x44c20ef3, 0x3390af7f, 0xd9fc690b, 0x2a5f714c,
+		0x53372767, 0xb00a5631, 0x974c541a, 0x359e9963,
+		0x5c971061, 0x3d631689, 0x2098d9d6, 0x91dbd320,
+	}
+	chaChaQuarterRound(&state, 2, 7, 8, 13)
+
+	expected := [16]uint32{
+		0x879531e0, 0xc5ecf37d, 0xbdb886dc, 0xc9a62f8a,
+		0x44c20ef3, 0x3390af7f, 0xd9fc690b, 0xcfacafd2,
+		0xe46bea80, 0xb00a5631, 0x974c541a, 0x359e9963,
+		0x5c971061, 0xccc07c79, 0x2098d9d6, 0x91dbd320,
+	}
+	for i := range state {
+		if state[i] != expected[i] {
+			t.Errorf("Mismatch at %d: %x vs %x", i, state, expected)
+		}
+	}
+}
+
+// See draft-irtf-cfrg-chacha20-poly1305-10, section 2.3.2.
+func TestChaCha20Block(t *testing.T) {
+	state := [16]uint32{
+		0x61707865, 0x3320646e, 0x79622d32, 0x6b206574,
+		0x03020100, 0x07060504, 0x0b0a0908, 0x0f0e0d0c,
+		0x13121110, 0x17161514, 0x1b1a1918, 0x1f1e1d1c,
+		0x00000001, 0x09000000, 0x4a000000, 0x00000000,
+	}
+	out := make([]byte, 64)
+	chaCha20Block(&state, out)
+
+	expected := []byte{
+		0x10, 0xf1, 0xe7, 0xe4, 0xd1, 0x3b, 0x59, 0x15,
+		0x50, 0x0f, 0xdd, 0x1f, 0xa3, 0x20, 0x71, 0xc4,
+		0xc7, 0xd1, 0xf4, 0xc7, 0x33, 0xc0, 0x68, 0x03,
+		0x04, 0x22, 0xaa, 0x9a, 0xc3, 0xd4, 0x6c, 0x4e,
+		0xd2, 0x82, 0x64, 0x46, 0x07, 0x9f, 0xaa, 0x09,
+		0x14, 0xc2, 0xd7, 0x05, 0xd9, 0x8b, 0x02, 0xa2,
+		0xb5, 0x12, 0x9c, 0xd1, 0xde, 0x16, 0x4e, 0xb9,
+		0xcb, 0xd0, 0x83, 0xe8, 0xa2, 0x50, 0x3c, 0x4e,
+	}
+	if !bytes.Equal(out, expected) {
+		t.Errorf("Got %x, wanted %x", out, expected)
+	}
+}
+
+// See draft-agl-tls-chacha20poly1305-04, section 7.
+func TestChaCha20Poly1305(t *testing.T) {
+	key, _ := hex.DecodeString("4290bcb154173531f314af57f3be3b5006da371ece272afa1b5dbdd1100a1007")
+	input, _ := hex.DecodeString("86d09974840bded2a5ca")
+	nonce, _ := hex.DecodeString("cd7cf67be39c794a")
+	ad, _ := hex.DecodeString("87e229d4500845a079c0")
+	output, _ := hex.DecodeString("e3e446f7ede9a19b62a4677dabf4e3d24b876bb284753896e1d6")
+
+	aead, err := newChaCha20Poly1305(key)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	out, err := aead.Open(nil, nonce, output, ad)
+	if err != nil {
+		t.Errorf("Open failed: %s", err)
+	} else if !bytes.Equal(out, input) {
+		t.Errorf("Open gave %x, wanted %x", out, input)
+	}
+
+	out = aead.Seal(nil, nonce, input, ad)
+	if !bytes.Equal(out, output) {
+		t.Errorf("Open gave %x, wanted %x", out, output)
+	}
+
+	out[0]++
+	_, err = aead.Open(nil, nonce, out, ad)
+	if err == nil {
+		t.Errorf("Open on malformed data unexpectedly succeeded")
+	}
+}
diff --git a/src/ssl/test/runner/cipher_suites.go b/src/ssl/test/runner/cipher_suites.go
index 89e75c8..162c0c0 100644
--- a/src/ssl/test/runner/cipher_suites.go
+++ b/src/ssl/test/runner/cipher_suites.go
@@ -62,6 +62,11 @@ const (
 	suitePSK
 )
 
+type tlsAead struct {
+	cipher.AEAD
+	explicitNonce bool
+}
+
 // A cipherSuite is a specific combination of key agreement, cipher and MAC
 // function. All cipher suites currently assume RSA key agreement.
 type cipherSuite struct {
@@ -75,12 +80,14 @@ type cipherSuite struct {
 	flags  int
 	cipher func(key, iv []byte, isRead bool) interface{}
 	mac    func(version uint16, macKey []byte) macFunction
-	aead   func(key, fixedNonce []byte) cipher.AEAD
+	aead   func(key, fixedNonce []byte) *tlsAead
 }
 
 var cipherSuites = []*cipherSuite{
 	// Ciphersuite order is chosen so that ECDHE comes before plain RSA
 	// and RC4 comes before AES (because of the Lucky13 attack).
+	{TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 32, 0, 0, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadCHACHA20POLY1305},
+	{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 32, 0, 0, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadCHACHA20POLY1305},
 	{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM},
 	{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadAESGCM},
 	{TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
@@ -95,6 +102,7 @@ var cipherSuites = []*cipherSuite{
 	{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 32, 48, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12 | suiteSHA384, cipherAES, macSHA384, nil},
 	{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
 	{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil},
+	{TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 32, 0, 0, dheRSAKA, suiteTLS12, nil, nil, aeadCHACHA20POLY1305},
 	{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, dheRSAKA, suiteTLS12, nil, nil, aeadAESGCM},
 	{TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, dheRSAKA, suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
 	{TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, dheRSAKA, suiteTLS12, cipherAES, macSHA256, nil},
@@ -216,7 +224,7 @@ func (f *fixedNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]b
 	return f.aead.Open(out, f.openNonce, plaintext, additionalData)
 }
 
-func aeadAESGCM(key, fixedNonce []byte) cipher.AEAD {
+func aeadAESGCM(key, fixedNonce []byte) *tlsAead {
 	aes, err := aes.NewCipher(key)
 	if err != nil {
 		panic(err)
@@ -230,7 +238,15 @@ func aeadAESGCM(key, fixedNonce []byte) cipher.AEAD {
 	copy(nonce1, fixedNonce)
 	copy(nonce2, fixedNonce)
 
-	return &fixedNonceAEAD{nonce1, nonce2, aead}
+	return &tlsAead{&fixedNonceAEAD{nonce1, nonce2, aead}, true}
+}
+
+func aeadCHACHA20POLY1305(key, fixedNonce []byte) *tlsAead {
+	aead, err := newChaCha20Poly1305(key)
+	if err != nil {
+		panic(err)
+	}
+	return &tlsAead{aead, false}
 }
 
 // ssl30MAC implements the SSLv3 MAC function, as defined in
@@ -289,7 +305,7 @@ func (s tls10MAC) MAC(digestBuf, seq, header, length, data []byte) []byte {
 }
 
 func rsaKA(version uint16) keyAgreement {
-	return &rsaKeyAgreement{}
+	return &rsaKeyAgreement{version: version}
 }
 
 func ecdheECDSAKA(version uint16) keyAgreement {
@@ -391,5 +407,8 @@ const (
 
 // Additional cipher suite IDs, not IANA-assigned.
 const (
-	TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 uint16 = 0xcafe
+	TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256         uint16 = 0xcafe
+	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   uint16 = 0xcc13
+	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcc14
+	TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256     uint16 = 0xcc15
 )
diff --git a/src/ssl/test/runner/common.go b/src/ssl/test/runner/common.go
index 7aaf9a2..4ac7250 100644
--- a/src/ssl/test/runner/common.go
+++ b/src/ssl/test/runner/common.go
@@ -97,6 +97,7 @@ const (
 type CurveID uint16
 
 const (
+	CurveP224 CurveID = 21
 	CurveP256 CurveID = 23
 	CurveP384 CurveID = 24
 	CurveP521 CurveID = 25
@@ -429,15 +430,32 @@ type ProtocolBugs struct {
 	// ServerKeyExchange.
 	UnauthenticatedECDH bool
 
+	// SkipHelloVerifyRequest causes a DTLS server to skip the
+	// HelloVerifyRequest message.
+	SkipHelloVerifyRequest bool
+
+	// SkipCertificateStatus, if true, causes the server to skip the
+	// CertificateStatus message. This is legal because CertificateStatus is
+	// optional, even with a status_request in ServerHello.
+	SkipCertificateStatus bool
+
 	// SkipServerKeyExchange causes the server to skip sending
 	// ServerKeyExchange messages.
 	SkipServerKeyExchange bool
 
+	// SkipNewSessionTicket causes the server to skip sending the
+	// NewSessionTicket message despite promising to in ServerHello.
+	SkipNewSessionTicket bool
+
 	// SkipChangeCipherSpec causes the implementation to skip
 	// sending the ChangeCipherSpec message (and adjusting cipher
 	// state accordingly for the Finished message).
 	SkipChangeCipherSpec bool
 
+	// SkipFinished causes the implementation to skip sending the Finished
+	// message.
+	SkipFinished bool
+
 	// EarlyChangeCipherSpec causes the client to send an early
 	// ChangeCipherSpec message before the ClientKeyExchange. A value of
 	// zero disables this behavior. One and two configure variants for 0.9.8
@@ -449,10 +467,6 @@ type ProtocolBugs struct {
 	// messages.
 	FragmentAcrossChangeCipherSpec bool
 
-	// SkipNewSessionTicket causes the server to skip sending the
-	// NewSessionTicket message despite promising to in ServerHello.
-	SkipNewSessionTicket bool
-
 	// SendV2ClientHello causes the client to send a V2ClientHello
 	// instead of a normal ClientHello.
 	SendV2ClientHello bool
@@ -475,8 +489,9 @@ type ProtocolBugs struct {
 	// two records.
 	FragmentAlert bool
 
-	// SendSpuriousAlert will cause an spurious, unwanted alert to be sent.
-	SendSpuriousAlert bool
+	// SendSpuriousAlert, if non-zero, will cause an spurious, unwanted
+	// alert to be sent.
+	SendSpuriousAlert alert
 
 	// RsaClientKeyExchangeVersion, if non-zero, causes the client to send a
 	// ClientKeyExchange with the specified version rather than the
@@ -491,16 +506,19 @@ type ProtocolBugs struct {
 	// TLS version in the ClientHello than the maximum supported version.
 	SendClientVersion uint16
 
-	// SkipHelloVerifyRequest causes a DTLS server to skip the
-	// HelloVerifyRequest message.
-	SkipHelloVerifyRequest bool
-
 	// ExpectFalseStart causes the server to, on full handshakes,
 	// expect the peer to False Start; the server Finished message
 	// isn't sent until we receive an application data record
 	// from the peer.
 	ExpectFalseStart bool
 
+	// AlertBeforeFalseStartTest, if non-zero, causes the server to, on full
+	// handshakes, send an alert just before reading the application data
+	// record to test False Start. This can be used in a negative False
+	// Start test to determine whether the peer processed the alert (and
+	// closed the connection) before or after sending app data.
+	AlertBeforeFalseStartTest alert
+
 	// SSL3RSAKeyExchange causes the client to always send an RSA
 	// ClientKeyExchange message without the two-byte length
 	// prefix, as if it were SSL3.
@@ -557,9 +575,10 @@ type ProtocolBugs struct {
 	// retransmit at the record layer.
 	SequenceNumberIncrement uint64
 
-	// RSAServerKeyExchange, if true, causes the server to send a
-	// ServerKeyExchange message in the plain RSA key exchange.
-	RSAServerKeyExchange bool
+	// RSAEphemeralKey, if true, causes the server to send a
+	// ServerKeyExchange message containing an ephemeral key (as in
+	// RSA_EXPORT) in the plain RSA key exchange.
+	RSAEphemeralKey bool
 
 	// SRTPMasterKeyIdentifer, if not empty, is the SRTP MKI value that the
 	// client offers when negotiating SRTP. MKI support is still missing so
@@ -578,6 +597,10 @@ type ProtocolBugs struct {
 	// still be enforced.
 	NoSignatureAndHashes bool
 
+	// NoSupportedCurves, if true, causes the client to omit the
+	// supported_curves extension.
+	NoSupportedCurves bool
+
 	// RequireSameRenegoClientVersion, if true, causes the server
 	// to require that all ClientHellos match in offered version
 	// across a renego.
@@ -603,6 +626,87 @@ type ProtocolBugs struct {
 	// AppDataAfterChangeCipherSpec, if not null, causes application data to
 	// be sent immediately after ChangeCipherSpec.
 	AppDataAfterChangeCipherSpec []byte
+
+	// AlertAfterChangeCipherSpec, if non-zero, causes an alert to be sent
+	// immediately after ChangeCipherSpec.
+	AlertAfterChangeCipherSpec alert
+
+	// TimeoutSchedule is the schedule of packet drops and simulated
+	// timeouts for before each handshake leg from the peer.
+	TimeoutSchedule []time.Duration
+
+	// PacketAdaptor is the packetAdaptor to use to simulate timeouts.
+	PacketAdaptor *packetAdaptor
+
+	// ReorderHandshakeFragments, if true, causes handshake fragments in
+	// DTLS to overlap and be sent in the wrong order. It also causes
+	// pre-CCS flights to be sent twice. (Post-CCS flights consist of
+	// Finished and will trigger a spurious retransmit.)
+	ReorderHandshakeFragments bool
+
+	// MixCompleteMessageWithFragments, if true, causes handshake
+	// messages in DTLS to redundantly both fragment the message
+	// and include a copy of the full one.
+	MixCompleteMessageWithFragments bool
+
+	// SendInvalidRecordType, if true, causes a record with an invalid
+	// content type to be sent immediately following the handshake.
+	SendInvalidRecordType bool
+
+	// WrongCertificateMessageType, if true, causes Certificate message to
+	// be sent with the wrong message type.
+	WrongCertificateMessageType bool
+
+	// FragmentMessageTypeMismatch, if true, causes all non-initial
+	// handshake fragments in DTLS to have the wrong message type.
+	FragmentMessageTypeMismatch bool
+
+	// FragmentMessageLengthMismatch, if true, causes all non-initial
+	// handshake fragments in DTLS to have the wrong message length.
+	FragmentMessageLengthMismatch bool
+
+	// SplitFragmentHeader, if true, causes the handshake fragments in DTLS
+	// to be split across two records.
+	SplitFragmentHeader bool
+
+	// SplitFragmentBody, if true, causes the handshake bodies in DTLS to be
+	// split across two records.
+	//
+	// TODO(davidben): There's one final split to test: when the header and
+	// body are split across two records. But those are (incorrectly)
+	// accepted right now.
+	SplitFragmentBody bool
+
+	// SendEmptyFragments, if true, causes handshakes to include empty
+	// fragments in DTLS.
+	SendEmptyFragments bool
+
+	// NeverResumeOnRenego, if true, causes renegotiations to always be full
+	// handshakes.
+	NeverResumeOnRenego bool
+
+	// NoSignatureAlgorithmsOnRenego, if true, causes renegotiations to omit
+	// the signature_algorithms extension.
+	NoSignatureAlgorithmsOnRenego bool
+
+	// IgnorePeerCipherPreferences, if true, causes the peer's cipher
+	// preferences to be ignored.
+	IgnorePeerCipherPreferences bool
+
+	// IgnorePeerSignatureAlgorithmPreferences, if true, causes the peer's
+	// signature algorithm preferences to be ignored.
+	IgnorePeerSignatureAlgorithmPreferences bool
+
+	// IgnorePeerCurvePreferences, if true, causes the peer's curve
+	// preferences to be ignored.
+	IgnorePeerCurvePreferences bool
+
+	// SendWarningAlerts, if non-zero, causes every record to be prefaced by
+	// a warning alert.
+	SendWarningAlerts alert
+
+	// BadFinished, if true, causes the Finished hash to be broken.
+	BadFinished bool
 }
 
 func (c *Config) serverInit() {
diff --git a/src/ssl/test/runner/conn.go b/src/ssl/test/runner/conn.go
index d4a6817..fd198ca 100644
--- a/src/ssl/test/runner/conn.go
+++ b/src/ssl/test/runner/conn.go
@@ -37,14 +37,16 @@ type Conn struct {
 	handshakeComplete    bool
 	didResume            bool // whether this connection was a session resumption
 	extendedMasterSecret bool // whether this session used an extended master secret
-	cipherSuite          uint16
+	cipherSuite          *cipherSuite
 	ocspResponse         []byte // stapled OCSP response
 	peerCertificates     []*x509.Certificate
 	// verifiedChains contains the certificate chains that we built, as
 	// opposed to the ones presented by the server.
 	verifiedChains [][]*x509.Certificate
 	// serverName contains the server name indicated by the client, if any.
-	serverName string
+	serverName                 string
+	clientRandom, serverRandom [32]byte
+	masterSecret               [48]byte
 
 	clientProtocol         string
 	clientProtocolFallback bool
@@ -69,8 +71,9 @@ type Conn struct {
 	// DTLS state
 	sendHandshakeSeq uint16
 	recvHandshakeSeq uint16
-	handMsg          []byte // pending assembled handshake message
-	handMsgLen       int    // handshake message length, not including the header
+	handMsg          []byte   // pending assembled handshake message
+	handMsgLen       int      // handshake message length, not including the header
+	pendingFragments [][]byte // pending outgoing handshake fragments.
 
 	tmp [16]byte
 }
@@ -131,6 +134,7 @@ type halfConn struct {
 
 	nextCipher interface{} // next encryption state
 	nextMac    macFunction // next MAC algorithm
+	nextSeq    [6]byte     // next epoch's starting sequence number in DTLS
 
 	// used to save allocating a new buffer for each MAC.
 	inDigestBuf, outDigestBuf []byte
@@ -200,10 +204,20 @@ func (hc *halfConn) incSeq(isOutgoing bool) {
 	}
 }
 
-// incEpoch resets the sequence number. In DTLS, it increments the
-// epoch half of the sequence number.
+// incNextSeq increments the starting sequence number for the next epoch.
+func (hc *halfConn) incNextSeq() {
+	for i := len(hc.nextSeq) - 1; i >= 0; i-- {
+		hc.nextSeq[i]++
+		if hc.nextSeq[i] != 0 {
+			return
+		}
+	}
+	panic("TLS: sequence number wraparound")
+}
+
+// incEpoch resets the sequence number. In DTLS, it also increments the epoch
+// half of the sequence number.
 func (hc *halfConn) incEpoch() {
-	limit := 0
 	if hc.isDTLS {
 		for i := 1; i >= 0; i-- {
 			hc.seq[i]++
@@ -214,11 +228,14 @@ func (hc *halfConn) incEpoch() {
 				panic("TLS: epoch number wraparound")
 			}
 		}
-		limit = 2
-	}
-	seq := hc.seq[limit:]
-	for i := range seq {
-		seq[i] = 0
+		copy(hc.seq[2:], hc.nextSeq[:])
+		for i := range hc.nextSeq {
+			hc.nextSeq[i] = 0
+		}
+	} else {
+		for i := range hc.seq {
+			hc.seq[i] = 0
+		}
 	}
 }
 
@@ -321,13 +338,16 @@ func (hc *halfConn) decrypt(b *block) (ok bool, prefixLen int, alertValue alert)
 		switch c := hc.cipher.(type) {
 		case cipher.Stream:
 			c.XORKeyStream(payload, payload)
-		case cipher.AEAD:
-			explicitIVLen = 8
-			if len(payload) < explicitIVLen {
-				return false, 0, alertBadRecordMAC
+		case *tlsAead:
+			nonce := seq
+			if c.explicitNonce {
+				explicitIVLen = 8
+				if len(payload) < explicitIVLen {
+					return false, 0, alertBadRecordMAC
+				}
+				nonce = payload[:8]
+				payload = payload[8:]
 			}
-			nonce := payload[:8]
-			payload = payload[8:]
 
 			var additionalData [13]byte
 			copy(additionalData[:], seq)
@@ -451,10 +471,13 @@ func (hc *halfConn) encrypt(b *block, explicitIVLen int) (bool, alert) {
 		switch c := hc.cipher.(type) {
 		case cipher.Stream:
 			c.XORKeyStream(payload, payload)
-		case cipher.AEAD:
+		case *tlsAead:
 			payloadLen := len(b.data) - recordHeaderLen - explicitIVLen
 			b.resize(len(b.data) + c.Overhead())
-			nonce := b.data[recordHeaderLen : recordHeaderLen+explicitIVLen]
+			nonce := hc.seq[:]
+			if c.explicitNonce {
+				nonce = b.data[recordHeaderLen : recordHeaderLen+explicitIVLen]
+			}
 			payload := b.data[recordHeaderLen+explicitIVLen:]
 			payload = payload[:payloadLen]
 
@@ -756,11 +779,8 @@ Again:
 		if typ != want {
 			// A client might need to process a HelloRequest from
 			// the server, thus receiving a handshake message when
-			// application data is expected is ok. Moreover, a DTLS
-			// peer who sends Finished second may retransmit the
-			// final leg. BoringSSL retrainsmits on an internal
-			// timer, so this may also occur in test code.
-			if !c.isClient && !c.isDTLS {
+			// application data is expected is ok.
+			if !c.isClient {
 				return c.in.setErrorLocked(c.sendAlert(alertNoRenegotiation))
 			}
 		}
@@ -817,6 +837,13 @@ func (c *Conn) writeV2Record(data []byte) (n int, err error) {
 // to the connection and updates the record layer state.
 // c.out.Mutex <= L.
 func (c *Conn) writeRecord(typ recordType, data []byte) (n int, err error) {
+	if typ != recordTypeAlert && c.config.Bugs.SendWarningAlerts != 0 {
+		alert := make([]byte, 2)
+		alert[0] = alertLevelWarning
+		alert[1] = byte(c.config.Bugs.SendWarningAlerts)
+		c.writeRecord(recordTypeAlert, alert)
+	}
+
 	if c.isDTLS {
 		return c.dtlsWriteRecord(typ, data)
 	}
@@ -851,7 +878,7 @@ func (c *Conn) writeRecord(typ recordType, data []byte) (n int, err error) {
 			}
 		}
 		if explicitIVLen == 0 {
-			if _, ok := c.out.cipher.(cipher.AEAD); ok {
+			if aead, ok := c.out.cipher.(*tlsAead); ok && aead.explicitNonce {
 				explicitIVLen = 8
 				// The AES-GCM construction in TLS has an
 				// explicit nonce so that the nonce can be
@@ -1003,6 +1030,67 @@ func (c *Conn) readHandshake() (interface{}, error) {
 	return m, nil
 }
 
+// skipPacket processes all the DTLS records in packet. It updates
+// sequence number expectations but otherwise ignores them.
+func (c *Conn) skipPacket(packet []byte) error {
+	for len(packet) > 0 {
+		// Dropped packets are completely ignored save to update
+		// expected sequence numbers for this and the next epoch. (We
+		// don't assert on the contents of the packets both for
+		// simplicity and because a previous test with one shorter
+		// timeout schedule would have done so.)
+		epoch := packet[3:5]
+		seq := packet[5:11]
+		length := uint16(packet[11])<<8 | uint16(packet[12])
+		if bytes.Equal(c.in.seq[:2], epoch) {
+			if !bytes.Equal(c.in.seq[2:], seq) {
+				return errors.New("tls: sequence mismatch")
+			}
+			c.in.incSeq(false)
+		} else {
+			if !bytes.Equal(c.in.nextSeq[:], seq) {
+				return errors.New("tls: sequence mismatch")
+			}
+			c.in.incNextSeq()
+		}
+		packet = packet[13+length:]
+	}
+	return nil
+}
+
+// simulatePacketLoss simulates the loss of a handshake leg from the
+// peer based on the schedule in c.config.Bugs. If resendFunc is
+// non-nil, it is called after each simulated timeout to retransmit
+// handshake messages from the local end. This is used in cases where
+// the peer retransmits on a stale Finished rather than a timeout.
+func (c *Conn) simulatePacketLoss(resendFunc func()) error {
+	if len(c.config.Bugs.TimeoutSchedule) == 0 {
+		return nil
+	}
+	if !c.isDTLS {
+		return errors.New("tls: TimeoutSchedule may only be set in DTLS")
+	}
+	if c.config.Bugs.PacketAdaptor == nil {
+		return errors.New("tls: TimeoutSchedule set without PacketAdapter")
+	}
+	for _, timeout := range c.config.Bugs.TimeoutSchedule {
+		// Simulate a timeout.
+		packets, err := c.config.Bugs.PacketAdaptor.SendReadTimeout(timeout)
+		if err != nil {
+			return err
+		}
+		for _, packet := range packets {
+			if err := c.skipPacket(packet); err != nil {
+				return err
+			}
+		}
+		if resendFunc != nil {
+			resendFunc()
+		}
+	}
+	return nil
+}
+
 // Write writes data to the connection.
 func (c *Conn) Write(b []byte) (int, error) {
 	if err := c.Handshake(); err != nil {
@@ -1020,8 +1108,8 @@ func (c *Conn) Write(b []byte) (int, error) {
 		return 0, alertInternalError
 	}
 
-	if c.config.Bugs.SendSpuriousAlert {
-		c.sendAlertLocked(alertRecordOverflow)
+	if c.config.Bugs.SendSpuriousAlert != 0 {
+		c.sendAlertLocked(c.config.Bugs.SendSpuriousAlert)
 	}
 
 	// SSL 3.0 and TLS 1.0 are susceptible to a chosen-plaintext
@@ -1096,9 +1184,9 @@ func (c *Conn) Read(b []byte) (n int, err error) {
 				// Soft error, like EAGAIN
 				return 0, err
 			}
-			if c.hand.Len() > 0 && !c.isDTLS {
+			if c.hand.Len() > 0 {
 				// We received handshake bytes, indicating the
-				// start of a renegotiation or a DTLS retransmit.
+				// start of a renegotiation.
 				if err := c.handleRenegotiation(); err != nil {
 					return 0, err
 				}
@@ -1177,6 +1265,9 @@ func (c *Conn) Handshake() error {
 	} else {
 		c.handshakeErr = c.serverHandshake()
 	}
+	if c.handshakeErr == nil && c.config.Bugs.SendInvalidRecordType {
+		c.writeRecord(recordType(42), []byte("invalid record"))
+	}
 	return c.handshakeErr
 }
 
@@ -1193,7 +1284,7 @@ func (c *Conn) ConnectionState() ConnectionState {
 		state.DidResume = c.didResume
 		state.NegotiatedProtocolIsMutual = !c.clientProtocolFallback
 		state.NegotiatedProtocolFromALPN = c.usedALPN
-		state.CipherSuite = c.cipherSuite
+		state.CipherSuite = c.cipherSuite.id
 		state.PeerCertificates = c.peerCertificates
 		state.VerifiedChains = c.verifiedChains
 		state.ServerName = c.serverName
@@ -1227,3 +1318,28 @@ func (c *Conn) VerifyHostname(host string) error {
 	}
 	return c.peerCertificates[0].VerifyHostname(host)
 }
+
+// ExportKeyingMaterial exports keying material from the current connection
+// state, as per RFC 5705.
+func (c *Conn) ExportKeyingMaterial(length int, label, context []byte, useContext bool) ([]byte, error) {
+	c.handshakeMutex.Lock()
+	defer c.handshakeMutex.Unlock()
+	if !c.handshakeComplete {
+		return nil, errors.New("tls: handshake has not yet been performed")
+	}
+
+	seedLen := len(c.clientRandom) + len(c.serverRandom)
+	if useContext {
+		seedLen += 2 + len(context)
+	}
+	seed := make([]byte, 0, seedLen)
+	seed = append(seed, c.clientRandom[:]...)
+	seed = append(seed, c.serverRandom[:]...)
+	if useContext {
+		seed = append(seed, byte(len(context)>>8), byte(len(context)))
+		seed = append(seed, context...)
+	}
+	result := make([]byte, length)
+	prfForVersion(c.vers, c.cipherSuite)(result, c.masterSecret[:], label, seed)
+	return result, nil
+}
diff --git a/src/ssl/test/runner/dtls.go b/src/ssl/test/runner/dtls.go
index a395980..85c4247 100644
--- a/src/ssl/test/runner/dtls.go
+++ b/src/ssl/test/runner/dtls.go
@@ -16,10 +16,10 @@ package main
 
 import (
 	"bytes"
-	"crypto/cipher"
 	"errors"
 	"fmt"
 	"io"
+	"math/rand"
 	"net"
 )
 
@@ -38,7 +38,6 @@ func wireToVersion(vers uint16, isDTLS bool) uint16 {
 }
 
 func (c *Conn) dtlsDoReadRecord(want recordType) (recordType, *block, error) {
-Again:
 	recordHeaderLen := dtlsRecordHeaderLen
 
 	if c.rawInput == nil {
@@ -82,13 +81,6 @@ Again:
 		}
 	}
 	seq := b.data[3:11]
-	if !bytes.Equal(seq[:2], c.in.seq[:2]) {
-		// If the epoch didn't match, silently drop the record.
-		// BoringSSL retransmits on an internal timer, so it may flakily
-		// revisit the previous epoch if retransmiting ChangeCipherSpec
-		// and Finished.
-		goto Again
-	}
 	// For test purposes, we assume a reliable channel. Require
 	// that the explicit sequence number matches the incrementing
 	// one we maintain. A real implementation would maintain a
@@ -113,127 +105,196 @@ Again:
 	return typ, b, nil
 }
 
+func (c *Conn) makeFragment(header, data []byte, fragOffset, fragLen int) []byte {
+	fragment := make([]byte, 0, 12+fragLen)
+	fragment = append(fragment, header...)
+	fragment = append(fragment, byte(c.sendHandshakeSeq>>8), byte(c.sendHandshakeSeq))
+	fragment = append(fragment, byte(fragOffset>>16), byte(fragOffset>>8), byte(fragOffset))
+	fragment = append(fragment, byte(fragLen>>16), byte(fragLen>>8), byte(fragLen))
+	fragment = append(fragment, data[fragOffset:fragOffset+fragLen]...)
+	return fragment
+}
+
 func (c *Conn) dtlsWriteRecord(typ recordType, data []byte) (n int, err error) {
-	recordHeaderLen := dtlsRecordHeaderLen
+	if typ != recordTypeHandshake {
+		// Only handshake messages are fragmented.
+		return c.dtlsWriteRawRecord(typ, data)
+	}
+
 	maxLen := c.config.Bugs.MaxHandshakeRecordLength
 	if maxLen <= 0 {
 		maxLen = 1024
 	}
 
-	b := c.out.newBlock()
+	// Handshake messages have to be modified to include fragment
+	// offset and length and with the header replicated. Save the
+	// TLS header here.
+	//
+	// TODO(davidben): This assumes that data contains exactly one
+	// handshake message. This is incompatible with
+	// FragmentAcrossChangeCipherSpec. (Which is unfortunate
+	// because OpenSSL's DTLS implementation will probably accept
+	// such fragmentation and could do with a fix + tests.)
+	header := data[:4]
+	data = data[4:]
 
-	var header []byte
-	if typ == recordTypeHandshake {
-		// Handshake messages have to be modified to include
-		// fragment offset and length and with the header
-		// replicated. Save the header here.
-		//
-		// TODO(davidben): This assumes that data contains
-		// exactly one handshake message. This is incompatible
-		// with FragmentAcrossChangeCipherSpec. (Which is
-		// unfortunate because OpenSSL's DTLS implementation
-		// will probably accept such fragmentation and could
-		// do with a fix + tests.)
-		if len(data) < 4 {
-			// This should not happen.
-			panic(data)
-		}
-		header = data[:4]
-		data = data[4:]
+	isFinished := header[0] == typeFinished
+
+	if c.config.Bugs.SendEmptyFragments {
+		fragment := c.makeFragment(header, data, 0, 0)
+		c.pendingFragments = append(c.pendingFragments, fragment)
 	}
 
 	firstRun := true
-	for firstRun || len(data) > 0 {
+	fragOffset := 0
+	for firstRun || fragOffset < len(data) {
 		firstRun = false
-		m := len(data)
-		var fragment []byte
-		// Handshake messages get fragmented. Other records we
-		// pass-through as is. DTLS should be a packet
-		// interface.
-		if typ == recordTypeHandshake {
-			if m > maxLen {
-				m = maxLen
-			}
+		fragLen := len(data) - fragOffset
+		if fragLen > maxLen {
+			fragLen = maxLen
+		}
 
-			// Standard handshake header.
-			fragment = make([]byte, 0, 12+m)
-			fragment = append(fragment, header...)
-			// message_seq
-			fragment = append(fragment, byte(c.sendHandshakeSeq>>8), byte(c.sendHandshakeSeq))
-			// fragment_offset
-			fragment = append(fragment, byte(n>>16), byte(n>>8), byte(n))
-			// fragment_length
-			fragment = append(fragment, byte(m>>16), byte(m>>8), byte(m))
-			fragment = append(fragment, data[:m]...)
-		} else {
-			fragment = data[:m]
+		fragment := c.makeFragment(header, data, fragOffset, fragLen)
+		if c.config.Bugs.FragmentMessageTypeMismatch && fragOffset > 0 {
+			fragment[0]++
+		}
+		if c.config.Bugs.FragmentMessageLengthMismatch && fragOffset > 0 {
+			fragment[3]++
 		}
 
-		// Send the fragment.
-		explicitIVLen := 0
-		explicitIVIsSeq := false
+		// Buffer the fragment for later. They will be sent (and
+		// reordered) on flush.
+		c.pendingFragments = append(c.pendingFragments, fragment)
+		if c.config.Bugs.ReorderHandshakeFragments {
+			// Don't duplicate Finished to avoid the peer
+			// interpreting it as a retransmit request.
+			if !isFinished {
+				c.pendingFragments = append(c.pendingFragments, fragment)
+			}
 
-		if cbc, ok := c.out.cipher.(cbcMode); ok {
-			// Block cipher modes have an explicit IV.
-			explicitIVLen = cbc.BlockSize()
-		} else if _, ok := c.out.cipher.(cipher.AEAD); ok {
-			explicitIVLen = 8
-			// The AES-GCM construction in TLS has an
-			// explicit nonce so that the nonce can be
-			// random. However, the nonce is only 8 bytes
-			// which is too small for a secure, random
-			// nonce. Therefore we use the sequence number
-			// as the nonce.
-			explicitIVIsSeq = true
-		} else if c.out.cipher != nil {
-			panic("Unknown cipher")
+			if fragLen > (maxLen+1)/2 {
+				// Overlap each fragment by half.
+				fragLen = (maxLen + 1) / 2
+			}
 		}
-		b.resize(recordHeaderLen + explicitIVLen + len(fragment))
-		b.data[0] = byte(typ)
-		vers := c.vers
-		if vers == 0 {
-			// Some TLS servers fail if the record version is
-			// greater than TLS 1.0 for the initial ClientHello.
-			vers = VersionTLS10
+		fragOffset += fragLen
+		n += fragLen
+	}
+	if !isFinished && c.config.Bugs.MixCompleteMessageWithFragments {
+		fragment := c.makeFragment(header, data, 0, len(data))
+		c.pendingFragments = append(c.pendingFragments, fragment)
+	}
+
+	// Increment the handshake sequence number for the next
+	// handshake message.
+	c.sendHandshakeSeq++
+	return
+}
+
+func (c *Conn) dtlsFlushHandshake() error {
+	if !c.isDTLS {
+		return nil
+	}
+
+	var fragments [][]byte
+	fragments, c.pendingFragments = c.pendingFragments, fragments
+
+	if c.config.Bugs.ReorderHandshakeFragments {
+		perm := rand.New(rand.NewSource(0)).Perm(len(fragments))
+		tmp := make([][]byte, len(fragments))
+		for i := range tmp {
+			tmp[i] = fragments[perm[i]]
 		}
-		vers = versionToWire(vers, c.isDTLS)
-		b.data[1] = byte(vers >> 8)
-		b.data[2] = byte(vers)
-		// DTLS records include an explicit sequence number.
-		copy(b.data[3:11], c.out.seq[0:])
-		b.data[11] = byte(len(fragment) >> 8)
-		b.data[12] = byte(len(fragment))
-		if explicitIVLen > 0 {
-			explicitIV := b.data[recordHeaderLen : recordHeaderLen+explicitIVLen]
-			if explicitIVIsSeq {
-				copy(explicitIV, c.out.seq[:])
-			} else {
-				if _, err = io.ReadFull(c.config.rand(), explicitIV); err != nil {
-					break
-				}
+		fragments = tmp
+	}
+
+	// Send them all.
+	for _, fragment := range fragments {
+		if c.config.Bugs.SplitFragmentHeader {
+			if _, err := c.dtlsWriteRawRecord(recordTypeHandshake, fragment[:2]); err != nil {
+				return err
 			}
+			fragment = fragment[2:]
+		} else if c.config.Bugs.SplitFragmentBody && len(fragment) > 12 {
+			if _, err := c.dtlsWriteRawRecord(recordTypeHandshake, fragment[:13]); err != nil {
+				return err
+			}
+			fragment = fragment[13:]
 		}
-		copy(b.data[recordHeaderLen+explicitIVLen:], fragment)
-		c.out.encrypt(b, explicitIVLen)
 
 		// TODO(davidben): A real DTLS implementation needs to
-		// retransmit handshake messages. For testing
-		// purposes, we don't actually care.
-		_, err = c.conn.Write(b.data)
-		if err != nil {
-			break
+		// retransmit handshake messages. For testing purposes, we don't
+		// actually care.
+		if _, err := c.dtlsWriteRawRecord(recordTypeHandshake, fragment); err != nil {
+			return err
 		}
-		n += m
-		data = data[m:]
 	}
-	c.out.freeBlock(b)
+	return nil
+}
 
-	// Increment the handshake sequence number for the next
-	// handshake message.
-	if typ == recordTypeHandshake {
-		c.sendHandshakeSeq++
+func (c *Conn) dtlsWriteRawRecord(typ recordType, data []byte) (n int, err error) {
+	recordHeaderLen := dtlsRecordHeaderLen
+	maxLen := c.config.Bugs.MaxHandshakeRecordLength
+	if maxLen <= 0 {
+		maxLen = 1024
 	}
 
+	b := c.out.newBlock()
+
+	explicitIVLen := 0
+	explicitIVIsSeq := false
+
+	if cbc, ok := c.out.cipher.(cbcMode); ok {
+		// Block cipher modes have an explicit IV.
+		explicitIVLen = cbc.BlockSize()
+	} else if aead, ok := c.out.cipher.(*tlsAead); ok {
+		if aead.explicitNonce {
+			explicitIVLen = 8
+			// The AES-GCM construction in TLS has an explicit nonce so that
+			// the nonce can be random. However, the nonce is only 8 bytes
+			// which is too small for a secure, random nonce. Therefore we
+			// use the sequence number as the nonce.
+			explicitIVIsSeq = true
+		}
+	} else if c.out.cipher != nil {
+		panic("Unknown cipher")
+	}
+	b.resize(recordHeaderLen + explicitIVLen + len(data))
+	b.data[0] = byte(typ)
+	vers := c.vers
+	if vers == 0 {
+		// Some TLS servers fail if the record version is greater than
+		// TLS 1.0 for the initial ClientHello.
+		vers = VersionTLS10
+	}
+	vers = versionToWire(vers, c.isDTLS)
+	b.data[1] = byte(vers >> 8)
+	b.data[2] = byte(vers)
+	// DTLS records include an explicit sequence number.
+	copy(b.data[3:11], c.out.seq[0:])
+	b.data[11] = byte(len(data) >> 8)
+	b.data[12] = byte(len(data))
+	if explicitIVLen > 0 {
+		explicitIV := b.data[recordHeaderLen : recordHeaderLen+explicitIVLen]
+		if explicitIVIsSeq {
+			copy(explicitIV, c.out.seq[:])
+		} else {
+			if _, err = io.ReadFull(c.config.rand(), explicitIV); err != nil {
+				return
+			}
+		}
+	}
+	copy(b.data[recordHeaderLen+explicitIVLen:], data)
+	c.out.encrypt(b, explicitIVLen)
+
+	_, err = c.conn.Write(b.data)
+	if err != nil {
+		return
+	}
+	n = len(data)
+
+	c.out.freeBlock(b)
+
 	if typ == recordTypeChangeCipherSpec {
 		err = c.out.changeCipherSpec(c.config)
 		if err != nil {
@@ -250,9 +311,9 @@ func (c *Conn) dtlsWriteRecord(typ recordType, data []byte) (n int, err error) {
 
 func (c *Conn) dtlsDoReadHandshake() ([]byte, error) {
 	// Assemble a full handshake message.  For test purposes, this
-	// implementation assumes fragments arrive in order, but tolerates
-	// retransmits. It may need to be cleverer if we ever test BoringSSL's
-	// retransmit behavior.
+	// implementation assumes fragments arrive in order. It may
+	// need to be cleverer if we ever test BoringSSL's retransmit
+	// behavior.
 	for len(c.handMsg) < 4+c.handMsgLen {
 		// Get a new handshake record if the previous has been
 		// exhausted.
@@ -281,16 +342,9 @@ func (c *Conn) dtlsDoReadHandshake() ([]byte, error) {
 		}
 		fragment := c.hand.Next(fragLen)
 
-		if fragSeq < c.recvHandshakeSeq {
-			// BoringSSL retransmits based on an internal timer, so
-			// it may flakily retransmit part of a handshake
-			// message. Ignore those fragments.
-			//
-			// TODO(davidben): Revise this if BoringSSL's retransmit
-			// logic is made more deterministic.
-			continue
-		} else if fragSeq > c.recvHandshakeSeq {
-			return nil, errors.New("dtls: handshake messages sent out of order")
+		// Check it's a fragment for the right message.
+		if fragSeq != c.recvHandshakeSeq {
+			return nil, errors.New("dtls: bad handshake sequence number")
 		}
 
 		// Check that the length is consistent.
diff --git a/src/ssl/test/runner/handshake_client.go b/src/ssl/test/runner/handshake_client.go
index f297fc1..0dac05d 100644
--- a/src/ssl/test/runner/handshake_client.go
+++ b/src/ssl/test/runner/handshake_client.go
@@ -6,7 +6,6 @@ package main
 
 import (
 	"bytes"
-	"crypto"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rsa"
@@ -22,13 +21,14 @@ import (
 )
 
 type clientHandshakeState struct {
-	c            *Conn
-	serverHello  *serverHelloMsg
-	hello        *clientHelloMsg
-	suite        *cipherSuite
-	finishedHash finishedHash
-	masterSecret []byte
-	session      *ClientSessionState
+	c             *Conn
+	serverHello   *serverHelloMsg
+	hello         *clientHelloMsg
+	suite         *cipherSuite
+	finishedHash  finishedHash
+	masterSecret  []byte
+	session       *ClientSessionState
+	finishedBytes []byte
 }
 
 func (c *Conn) clientHandshake() error {
@@ -83,6 +83,10 @@ func (c *Conn) clientHandshake() error {
 		hello.extendedMasterSecret = false
 	}
 
+	if c.config.Bugs.NoSupportedCurves {
+		hello.supportedCurves = nil
+	}
+
 	if len(c.clientVerify) > 0 && !c.config.Bugs.EmptyRenegotiationInfo {
 		if c.config.Bugs.BadRenegotiationInfo {
 			hello.secureRenegotiation = append(hello.secureRenegotiation, c.clientVerify...)
@@ -129,13 +133,16 @@ NextCipherSuite:
 		return errors.New("tls: short read from Rand: " + err.Error())
 	}
 
-	if hello.vers >= VersionTLS12 && !c.config.Bugs.NoSignatureAndHashes {
+	if hello.vers >= VersionTLS12 && !c.config.Bugs.NoSignatureAndHashes && (c.cipherSuite == nil || !c.config.Bugs.NoSignatureAlgorithmsOnRenego) {
 		hello.signatureAndHashes = c.config.signatureAndHashesForClient()
 	}
 
 	var session *ClientSessionState
 	var cacheKey string
 	sessionCache := c.config.ClientSessionCache
+	if c.config.Bugs.NeverResumeOnRenego && c.cipherSuite != nil {
+		sessionCache = nil
+	}
 
 	if sessionCache != nil {
 		hello.ticketSupported = !c.config.SessionTicketsDisabled
@@ -213,7 +220,11 @@ NextCipherSuite:
 		helloBytes = hello.marshal()
 		c.writeRecord(recordTypeHandshake, helloBytes)
 	}
+	c.dtlsFlushHandshake()
 
+	if err := c.simulatePacketLoss(nil); err != nil {
+		return err
+	}
 	msg, err := c.readHandshake()
 	if err != nil {
 		return err
@@ -233,7 +244,11 @@ NextCipherSuite:
 			hello.cookie = helloVerifyRequest.cookie
 			helloBytes = hello.marshal()
 			c.writeRecord(recordTypeHandshake, helloBytes)
+			c.dtlsFlushHandshake()
 
+			if err := c.simulatePacketLoss(nil); err != nil {
+				return err
+			}
 			msg, err = c.readHandshake()
 			if err != nil {
 				return err
@@ -317,6 +332,15 @@ NextCipherSuite:
 		if err := hs.sendFinished(isResume); err != nil {
 			return err
 		}
+		// Most retransmits are triggered by a timeout, but the final
+		// leg of the handshake is retransmited upon re-receiving a
+		// Finished.
+		if err := c.simulatePacketLoss(func() {
+			c.writeRecord(recordTypeHandshake, hs.finishedBytes)
+			c.dtlsFlushHandshake()
+		}); err != nil {
+			return err
+		}
 		if err := hs.readSessionTicket(); err != nil {
 			return err
 		}
@@ -331,7 +355,10 @@ NextCipherSuite:
 
 	c.didResume = isResume
 	c.handshakeComplete = true
-	c.cipherSuite = suite.id
+	c.cipherSuite = suite
+	copy(c.clientRandom[:], hs.hello.random)
+	copy(c.serverRandom[:], hs.serverHello.random)
+	copy(c.masterSecret[:], hs.masterSecret)
 	return nil
 }
 
@@ -559,33 +586,39 @@ func (hs *clientHandshakeState) doFullHandshake() error {
 			hasSignatureAndHash: c.vers >= VersionTLS12,
 		}
 
+		// Determine the hash to sign.
+		var signatureType uint8
+		switch c.config.Certificates[0].PrivateKey.(type) {
+		case *ecdsa.PrivateKey:
+			signatureType = signatureECDSA
+		case *rsa.PrivateKey:
+			signatureType = signatureRSA
+		default:
+			c.sendAlert(alertInternalError)
+			return errors.New("unknown private key type")
+		}
+		if c.config.Bugs.IgnorePeerSignatureAlgorithmPreferences {
+			certReq.signatureAndHashes = c.config.signatureAndHashesForClient()
+		}
+		certVerify.signatureAndHash, err = hs.finishedHash.selectClientCertSignatureAlgorithm(certReq.signatureAndHashes, c.config.signatureAndHashesForClient(), signatureType)
+		if err != nil {
+			c.sendAlert(alertInternalError)
+			return err
+		}
+		digest, hashFunc, err := hs.finishedHash.hashForClientCertificate(certVerify.signatureAndHash, hs.masterSecret)
+		if err != nil {
+			c.sendAlert(alertInternalError)
+			return err
+		}
+
 		switch key := c.config.Certificates[0].PrivateKey.(type) {
 		case *ecdsa.PrivateKey:
-			certVerify.signatureAndHash, err = hs.finishedHash.selectClientCertSignatureAlgorithm(certReq.signatureAndHashes, signatureECDSA)
-			if err != nil {
-				break
-			}
-			var digest []byte
-			digest, _, err = hs.finishedHash.hashForClientCertificate(certVerify.signatureAndHash, hs.masterSecret)
-			if err != nil {
-				break
-			}
 			var r, s *big.Int
 			r, s, err = ecdsa.Sign(c.config.rand(), key, digest)
 			if err == nil {
 				signed, err = asn1.Marshal(ecdsaSignature{r, s})
 			}
 		case *rsa.PrivateKey:
-			certVerify.signatureAndHash, err = hs.finishedHash.selectClientCertSignatureAlgorithm(certReq.signatureAndHashes, signatureRSA)
-			if err != nil {
-				break
-			}
-			var digest []byte
-			var hashFunc crypto.Hash
-			digest, hashFunc, err = hs.finishedHash.hashForClientCertificate(certVerify.signatureAndHash, hs.masterSecret)
-			if err != nil {
-				break
-			}
 			signed, err = rsa.SignPKCS1v15(c.config.rand(), key, hashFunc, digest)
 		default:
 			err = errors.New("unknown private key type")
@@ -599,6 +632,7 @@ func (hs *clientHandshakeState) doFullHandshake() error {
 		hs.writeClientHash(certVerify.marshal())
 		c.writeRecord(recordTypeHandshake, certVerify.marshal())
 	}
+	c.dtlsFlushHandshake()
 
 	hs.finishedHash.discardHandshakeBuffer()
 
@@ -825,15 +859,19 @@ func (hs *clientHandshakeState) sendFinished(isResume bool) error {
 	} else {
 		finished.verifyData = hs.finishedHash.clientSum(hs.masterSecret)
 	}
+	if c.config.Bugs.BadFinished {
+		finished.verifyData[0]++
+	}
 	c.clientVerify = append(c.clientVerify[:0], finished.verifyData...)
-	finishedBytes := finished.marshal()
-	hs.writeHash(finishedBytes, seqno)
-	postCCSBytes = append(postCCSBytes, finishedBytes...)
+	hs.finishedBytes = finished.marshal()
+	hs.writeHash(hs.finishedBytes, seqno)
+	postCCSBytes = append(postCCSBytes, hs.finishedBytes...)
 
 	if c.config.Bugs.FragmentAcrossChangeCipherSpec {
 		c.writeRecord(recordTypeHandshake, postCCSBytes[:5])
 		postCCSBytes = postCCSBytes[5:]
 	}
+	c.dtlsFlushHandshake()
 
 	if !c.config.Bugs.SkipChangeCipherSpec &&
 		c.config.Bugs.EarlyChangeCipherSpec == 0 {
@@ -843,8 +881,15 @@ func (hs *clientHandshakeState) sendFinished(isResume bool) error {
 	if c.config.Bugs.AppDataAfterChangeCipherSpec != nil {
 		c.writeRecord(recordTypeApplicationData, c.config.Bugs.AppDataAfterChangeCipherSpec)
 	}
+	if c.config.Bugs.AlertAfterChangeCipherSpec != 0 {
+		c.sendAlert(c.config.Bugs.AlertAfterChangeCipherSpec)
+		return errors.New("tls: simulating post-CCS alert")
+	}
 
-	c.writeRecord(recordTypeHandshake, postCCSBytes)
+	if !c.config.Bugs.SkipFinished {
+		c.writeRecord(recordTypeHandshake, postCCSBytes)
+		c.dtlsFlushHandshake()
+	}
 	return nil
 }
 
diff --git a/src/ssl/test/runner/handshake_server.go b/src/ssl/test/runner/handshake_server.go
index 1234a57..59ed9df 100644
--- a/src/ssl/test/runner/handshake_server.go
+++ b/src/ssl/test/runner/handshake_server.go
@@ -33,6 +33,7 @@ type serverHandshakeState struct {
 	masterSecret    []byte
 	certsFromClient [][]byte
 	cert            *Certificate
+	finishedBytes   []byte
 }
 
 // serverHandshake performs a TLS handshake as a server.
@@ -71,6 +72,15 @@ func (c *Conn) serverHandshake() error {
 		if err := hs.sendFinished(); err != nil {
 			return err
 		}
+		// Most retransmits are triggered by a timeout, but the final
+		// leg of the handshake is retransmited upon re-receiving a
+		// Finished.
+		if err := c.simulatePacketLoss(func() {
+			c.writeRecord(recordTypeHandshake, hs.finishedBytes)
+			c.dtlsFlushHandshake()
+		}); err != nil {
+			return err
+		}
 		if err := hs.readFinished(isResume); err != nil {
 			return err
 		}
@@ -87,9 +97,12 @@ func (c *Conn) serverHandshake() error {
 		if err := hs.readFinished(isResume); err != nil {
 			return err
 		}
+		if c.config.Bugs.AlertBeforeFalseStartTest != 0 {
+			c.sendAlert(c.config.Bugs.AlertBeforeFalseStartTest)
+		}
 		if c.config.Bugs.ExpectFalseStart {
 			if err := c.readRecord(recordTypeApplicationData); err != nil {
-				return err
+				return fmt.Errorf("tls: peer did not false start: %s", err)
 			}
 		}
 		if err := hs.sendSessionTicket(); err != nil {
@@ -100,6 +113,9 @@ func (c *Conn) serverHandshake() error {
 		}
 	}
 	c.handshakeComplete = true
+	copy(c.clientRandom[:], hs.clientHello.random)
+	copy(c.serverRandom[:], hs.hello.random)
+	copy(c.masterSecret[:], hs.masterSecret)
 
 	return nil
 }
@@ -110,6 +126,9 @@ func (hs *serverHandshakeState) readClientHello() (isResume bool, err error) {
 	config := hs.c.config
 	c := hs.c
 
+	if err := c.simulatePacketLoss(nil); err != nil {
+		return false, err
+	}
 	msg, err := c.readHandshake()
 	if err != nil {
 		return false, err
@@ -136,7 +155,11 @@ func (hs *serverHandshakeState) readClientHello() (isResume bool, err error) {
 			return false, errors.New("dtls: short read from Rand: " + err.Error())
 		}
 		c.writeRecord(recordTypeHandshake, helloVerifyRequest.marshal())
+		c.dtlsFlushHandshake()
 
+		if err := c.simulatePacketLoss(nil); err != nil {
+			return false, err
+		}
 		msg, err := c.readHandshake()
 		if err != nil {
 			return false, err
@@ -176,6 +199,9 @@ func (hs *serverHandshakeState) readClientHello() (isResume bool, err error) {
 	if c.clientVersion < VersionTLS12 && len(hs.clientHello.signatureAndHashes) > 0 {
 		return false, fmt.Errorf("tls: client included signature_algorithms before TLS 1.2")
 	}
+	if config.Bugs.IgnorePeerSignatureAlgorithmPreferences {
+		hs.clientHello.signatureAndHashes = config.signatureAndHashesForServer()
+	}
 
 	c.vers, ok = config.mutualVersion(hs.clientHello.vers)
 	if !ok {
@@ -189,6 +215,9 @@ func (hs *serverHandshakeState) readClientHello() (isResume bool, err error) {
 
 	supportedCurve := false
 	preferredCurves := config.curvePreferences()
+	if config.Bugs.IgnorePeerCurvePreferences {
+		hs.clientHello.supportedCurves = preferredCurves
+	}
 Curves:
 	for _, curve := range hs.clientHello.supportedCurves {
 		for _, supported := range preferredCurves {
@@ -323,6 +352,9 @@ Curves:
 		return false, errors.New("tls: fallback SCSV found when not expected")
 	}
 
+	if config.Bugs.IgnorePeerCipherPreferences {
+		hs.clientHello.cipherSuites = c.config.cipherSuites()
+	}
 	var preferenceList, supportedList []uint16
 	if c.config.PreferServerCipherSuites {
 		preferenceList = c.config.cipherSuites()
@@ -350,6 +382,10 @@ Curves:
 func (hs *serverHandshakeState) checkForResumption() bool {
 	c := hs.c
 
+	if c.config.Bugs.NeverResumeOnRenego && c.cipherSuite != nil {
+		return false
+	}
+
 	if len(hs.clientHello.sessionTicket) > 0 {
 		if c.config.SessionTicketsDisabled {
 			return false
@@ -410,6 +446,9 @@ func (hs *serverHandshakeState) doResumeHandshake() error {
 	c := hs.c
 
 	hs.hello.cipherSuite = hs.suite.id
+	if c.config.Bugs.SendCipherSuite != 0 {
+		hs.hello.cipherSuite = c.config.Bugs.SendCipherSuite
+	}
 	// We echo the client's session ID in the ServerHello to let it know
 	// that we're doing a resumption.
 	hs.hello.sessionId = hs.clientHello.sessionId
@@ -473,12 +512,16 @@ func (hs *serverHandshakeState) doFullHandshake() error {
 		certMsg := new(certificateMsg)
 		certMsg.certificates = hs.cert.Certificate
 		if !config.Bugs.UnauthenticatedECDH {
-			hs.writeServerHash(certMsg.marshal())
-			c.writeRecord(recordTypeHandshake, certMsg.marshal())
+			certMsgBytes := certMsg.marshal()
+			if config.Bugs.WrongCertificateMessageType {
+				certMsgBytes[0] += 42
+			}
+			hs.writeServerHash(certMsgBytes)
+			c.writeRecord(recordTypeHandshake, certMsgBytes)
 		}
 	}
 
-	if hs.hello.ocspStapling {
+	if hs.hello.ocspStapling && !c.config.Bugs.SkipCertificateStatus {
 		certStatus := new(certificateStatusMsg)
 		certStatus.statusType = statusTypeOCSP
 		certStatus.response = hs.cert.OCSPStaple
@@ -530,9 +573,13 @@ func (hs *serverHandshakeState) doFullHandshake() error {
 	helloDone := new(serverHelloDoneMsg)
 	hs.writeServerHash(helloDone.marshal())
 	c.writeRecord(recordTypeHandshake, helloDone.marshal())
+	c.dtlsFlushHandshake()
 
 	var pub crypto.PublicKey // public key for client auth, if any
 
+	if err := c.simulatePacketLoss(nil); err != nil {
+		return err
+	}
 	msg, err := c.readHandshake()
 	if err != nil {
 		return err
@@ -811,14 +858,19 @@ func (hs *serverHandshakeState) sendFinished() error {
 
 	finished := new(finishedMsg)
 	finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret)
+	if c.config.Bugs.BadFinished {
+		finished.verifyData[0]++
+	}
 	c.serverVerify = append(c.serverVerify[:0], finished.verifyData...)
-	postCCSBytes := finished.marshal()
-	hs.writeServerHash(postCCSBytes)
+	hs.finishedBytes = finished.marshal()
+	hs.writeServerHash(hs.finishedBytes)
+	postCCSBytes := hs.finishedBytes
 
 	if c.config.Bugs.FragmentAcrossChangeCipherSpec {
 		c.writeRecord(recordTypeHandshake, postCCSBytes[:5])
 		postCCSBytes = postCCSBytes[5:]
 	}
+	c.dtlsFlushHandshake()
 
 	if !c.config.Bugs.SkipChangeCipherSpec {
 		c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
@@ -827,10 +879,17 @@ func (hs *serverHandshakeState) sendFinished() error {
 	if c.config.Bugs.AppDataAfterChangeCipherSpec != nil {
 		c.writeRecord(recordTypeApplicationData, c.config.Bugs.AppDataAfterChangeCipherSpec)
 	}
+	if c.config.Bugs.AlertAfterChangeCipherSpec != 0 {
+		c.sendAlert(c.config.Bugs.AlertAfterChangeCipherSpec)
+		return errors.New("tls: simulating post-CCS alert")
+	}
 
-	c.writeRecord(recordTypeHandshake, postCCSBytes)
+	if !c.config.Bugs.SkipFinished {
+		c.writeRecord(recordTypeHandshake, postCCSBytes)
+		c.dtlsFlushHandshake()
+	}
 
-	c.cipherSuite = hs.suite.id
+	c.cipherSuite = hs.suite
 
 	return nil
 }
diff --git a/src/ssl/test/runner/key_agreement.go b/src/ssl/test/runner/key_agreement.go
index 116dfd8..5e44b54 100644
--- a/src/ssl/test/runner/key_agreement.go
+++ b/src/ssl/test/runner/key_agreement.go
@@ -25,19 +25,73 @@ var errServerKeyExchange = errors.New("tls: invalid ServerKeyExchange message")
 // rsaKeyAgreement implements the standard TLS key agreement where the client
 // encrypts the pre-master secret to the server's public key.
 type rsaKeyAgreement struct {
+	version       uint16
 	clientVersion uint16
+	exportKey     *rsa.PrivateKey
 }
 
 func (ka *rsaKeyAgreement) generateServerKeyExchange(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) {
 	// Save the client version for comparison later.
 	ka.clientVersion = versionToWire(clientHello.vers, clientHello.isDTLS)
 
-	if config.Bugs.RSAServerKeyExchange {
-		// Send an empty ServerKeyExchange message.
-		return &serverKeyExchangeMsg{}, nil
+	if !config.Bugs.RSAEphemeralKey {
+		return nil, nil
 	}
 
-	return nil, nil
+	// Generate an ephemeral RSA key to use instead of the real
+	// one, as in RSA_EXPORT.
+	key, err := rsa.GenerateKey(config.rand(), 512)
+	if err != nil {
+		return nil, err
+	}
+	ka.exportKey = key
+
+	modulus := key.N.Bytes()
+	exponent := big.NewInt(int64(key.E)).Bytes()
+	serverRSAParams := make([]byte, 0, 2+len(modulus)+2+len(exponent))
+	serverRSAParams = append(serverRSAParams, byte(len(modulus)>>8), byte(len(modulus)))
+	serverRSAParams = append(serverRSAParams, modulus...)
+	serverRSAParams = append(serverRSAParams, byte(len(exponent)>>8), byte(len(exponent)))
+	serverRSAParams = append(serverRSAParams, exponent...)
+
+	var tls12HashId uint8
+	if ka.version >= VersionTLS12 {
+		if tls12HashId, err = pickTLS12HashForSignature(signatureRSA, clientHello.signatureAndHashes, config.signatureAndHashesForServer()); err != nil {
+			return nil, err
+		}
+	}
+
+	digest, hashFunc, err := hashForServerKeyExchange(signatureRSA, tls12HashId, ka.version, clientHello.random, hello.random, serverRSAParams)
+	if err != nil {
+		return nil, err
+	}
+	privKey, ok := cert.PrivateKey.(*rsa.PrivateKey)
+	if !ok {
+		return nil, errors.New("RSA ephemeral key requires an RSA server private key")
+	}
+	sig, err := rsa.SignPKCS1v15(config.rand(), privKey, hashFunc, digest)
+	if err != nil {
+		return nil, errors.New("failed to sign RSA parameters: " + err.Error())
+	}
+
+	skx := new(serverKeyExchangeMsg)
+	sigAndHashLen := 0
+	if ka.version >= VersionTLS12 {
+		sigAndHashLen = 2
+	}
+	skx.key = make([]byte, len(serverRSAParams)+sigAndHashLen+2+len(sig))
+	copy(skx.key, serverRSAParams)
+	k := skx.key[len(serverRSAParams):]
+	if ka.version >= VersionTLS12 {
+		k[0] = tls12HashId
+		k[1] = signatureRSA
+		k = k[2:]
+	}
+	k[0] = byte(len(sig) >> 8)
+	k[1] = byte(len(sig))
+	copy(k[2:], sig)
+
+	return skx, nil
 }
 
 func (ka *rsaKeyAgreement) processClientKeyExchange(config *Config, cert *Certificate, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {
@@ -60,7 +114,11 @@ func (ka *rsaKeyAgreement) processClientKeyExchange(config *Config, cert *Certif
 		ciphertext = ckx.ciphertext[2:]
 	}
 
-	err = rsa.DecryptPKCS1v15SessionKey(config.rand(), cert.PrivateKey.(*rsa.PrivateKey), ciphertext, preMasterSecret)
+	key := cert.PrivateKey.(*rsa.PrivateKey)
+	if ka.exportKey != nil {
+		key = ka.exportKey
+	}
+	err = rsa.DecryptPKCS1v15SessionKey(config.rand(), key, ciphertext, preMasterSecret)
 	if err != nil {
 		return nil, err
 	}
@@ -154,20 +212,19 @@ func hashForServerKeyExchange(sigType, hashFunc uint8, version uint16, slices ..
 // pickTLS12HashForSignature returns a TLS 1.2 hash identifier for signing a
 // ServerKeyExchange given the signature type being used and the client's
 // advertized list of supported signature and hash combinations.
-func pickTLS12HashForSignature(sigType uint8, clientSignatureAndHashes []signatureAndHash) (uint8, error) {
-	if len(clientSignatureAndHashes) == 0 {
+func pickTLS12HashForSignature(sigType uint8, clientList, serverList []signatureAndHash) (uint8, error) {
+	if len(clientList) == 0 {
 		// If the client didn't specify any signature_algorithms
 		// extension then we can assume that it supports SHA1. See
 		// http://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
 		return hashSHA1, nil
 	}
 
-	for _, sigAndHash := range clientSignatureAndHashes {
+	for _, sigAndHash := range clientList {
 		if sigAndHash.signature != sigType {
 			continue
 		}
-		switch sigAndHash.hash {
-		case hashSHA1, hashSHA256:
+		if isSupportedSignatureAndHash(sigAndHash, serverList) {
 			return sigAndHash.hash, nil
 		}
 	}
@@ -177,6 +234,8 @@ func pickTLS12HashForSignature(sigType uint8, clientSignatureAndHashes []signatu
 
 func curveForCurveID(id CurveID) (elliptic.Curve, bool) {
 	switch id {
+	case CurveP224:
+		return elliptic.P224(), true
 	case CurveP256:
 		return elliptic.P256(), true
 	case CurveP384:
@@ -221,7 +280,7 @@ func (ka *signedKeyAgreement) signParameters(config *Config, cert *Certificate,
 	var tls12HashId uint8
 	var err error
 	if ka.version >= VersionTLS12 {
-		if tls12HashId, err = pickTLS12HashForSignature(ka.sigType, clientHello.signatureAndHashes); err != nil {
+		if tls12HashId, err = pickTLS12HashForSignature(ka.sigType, clientHello.signatureAndHashes, config.signatureAndHashesForServer()); err != nil {
 			return nil, err
 		}
 	}
diff --git a/src/ssl/test/runner/packet_adapter.go b/src/ssl/test/runner/packet_adapter.go
index 671b413..bbcd388 100644
--- a/src/ssl/test/runner/packet_adapter.go
+++ b/src/ssl/test/runner/packet_adapter.go
@@ -6,50 +6,115 @@ package main
 
 import (
 	"encoding/binary"
-	"errors"
+	"fmt"
+	"io"
 	"net"
+	"time"
 )
 
+// opcodePacket signals a packet, encoded with a 32-bit length prefix, followed
+// by the payload.
+const opcodePacket = byte('P')
+
+// opcodeTimeout signals a read timeout, encoded by a 64-bit number of
+// nanoseconds. On receipt, the peer should reply with
+// opcodeTimeoutAck. opcodeTimeout may only be sent by the Go side.
+const opcodeTimeout = byte('T')
+
+// opcodeTimeoutAck acknowledges a read timeout. This opcode has no payload and
+// may only be sent by the C side. Timeout ACKs act as a synchronization point
+// at the timeout, to bracket one flight of messages from C.
+const opcodeTimeoutAck = byte('t')
+
 type packetAdaptor struct {
 	net.Conn
 }
 
-// newPacketAdaptor wraps a reliable streaming net.Conn into a
-// reliable packet-based net.Conn. Every packet is encoded with a
-// 32-bit length prefix as a framing layer.
-func newPacketAdaptor(conn net.Conn) net.Conn {
+// newPacketAdaptor wraps a reliable streaming net.Conn into a reliable
+// packet-based net.Conn. The stream contains packets and control commands,
+// distinguished by a one byte opcode.
+func newPacketAdaptor(conn net.Conn) *packetAdaptor {
 	return &packetAdaptor{conn}
 }
 
-func (p *packetAdaptor) Read(b []byte) (int, error) {
+func (p *packetAdaptor) readOpcode() (byte, error) {
+	out := make([]byte, 1)
+	if _, err := io.ReadFull(p.Conn, out); err != nil {
+		return 0, err
+	}
+	return out[0], nil
+}
+
+func (p *packetAdaptor) readPacketBody() ([]byte, error) {
 	var length uint32
 	if err := binary.Read(p.Conn, binary.BigEndian, &length); err != nil {
-		return 0, err
+		return nil, err
 	}
 	out := make([]byte, length)
-	n, err := p.Conn.Read(out)
+	if _, err := io.ReadFull(p.Conn, out); err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (p *packetAdaptor) Read(b []byte) (int, error) {
+	opcode, err := p.readOpcode()
 	if err != nil {
 		return 0, err
 	}
-	if n != int(length) {
-		return 0, errors.New("internal error: length mismatch!")
+	if opcode != opcodePacket {
+		return 0, fmt.Errorf("unexpected opcode '%d'", opcode)
+	}
+	out, err := p.readPacketBody()
+	if err != nil {
+		return 0, err
 	}
 	return copy(b, out), nil
 }
 
 func (p *packetAdaptor) Write(b []byte) (int, error) {
-	length := uint32(len(b))
-	if err := binary.Write(p.Conn, binary.BigEndian, length); err != nil {
+	payload := make([]byte, 1+4+len(b))
+	payload[0] = opcodePacket
+	binary.BigEndian.PutUint32(payload[1:5], uint32(len(b)))
+	copy(payload[5:], b)
+	if _, err := p.Conn.Write(payload); err != nil {
 		return 0, err
 	}
-	n, err := p.Conn.Write(b)
-	if err != nil {
-		return 0, err
+	return len(b), nil
+}
+
+// SendReadTimeout instructs the peer to simulate a read timeout. It then waits
+// for acknowledgement of the timeout, buffering any packets received since
+// then. The packets are then returned.
+func (p *packetAdaptor) SendReadTimeout(d time.Duration) ([][]byte, error) {
+	payload := make([]byte, 1+8)
+	payload[0] = opcodeTimeout
+	binary.BigEndian.PutUint64(payload[1:], uint64(d.Nanoseconds()))
+	if _, err := p.Conn.Write(payload); err != nil {
+		return nil, err
 	}
-	if n != len(b) {
-		return 0, errors.New("internal error: length mismatch!")
+
+	var packets [][]byte
+	for {
+		opcode, err := p.readOpcode()
+		if err != nil {
+			return nil, err
+		}
+		switch opcode {
+		case opcodeTimeoutAck:
+			// Done! Return the packets buffered and continue.
+			return packets, nil
+		case opcodePacket:
+			// Buffer the packet for the caller to process.
+			packet, err := p.readPacketBody()
+			if err != nil {
+				return nil, err
+			}
+			packets = append(packets, packet)
+		default:
+			return nil, fmt.Errorf("unexpected opcode '%d'", opcode)
+		}
 	}
-	return len(b), nil
 }
 
 type replayAdaptor struct {
diff --git a/src/ssl/test/runner/poly1305.go b/src/ssl/test/runner/poly1305.go
new file mode 100644
index 0000000..51a1009
--- /dev/null
+++ b/src/ssl/test/runner/poly1305.go
@@ -0,0 +1,1540 @@
+// Copyright 2012 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+// Based on original, public domain implementation from NaCl by D. J.
+// Bernstein.
+
+import (
+	"crypto/subtle"
+	"math"
+)
+
+const (
+	alpham80 = 0.00000000558793544769287109375
+	alpham48 = 24.0
+	alpham16 = 103079215104.0
+	alpha0   = 6755399441055744.0
+	alpha18  = 1770887431076116955136.0
+	alpha32  = 29014219670751100192948224.0
+	alpha50  = 7605903601369376408980219232256.0
+	alpha64  = 124615124604835863084731911901282304.0
+	alpha82  = 32667107224410092492483962313449748299776.0
+	alpha96  = 535217884764734955396857238543560676143529984.0
+	alpha112 = 35076039295941670036888435985190792471742381031424.0
+	alpha130 = 9194973245195333150150082162901855101712434733101613056.0
+	scale    = 0.0000000000000000000000000000000000000036734198463196484624023016788195177431833298649127735047148490821200539357960224151611328125
+	offset0  = 6755408030990331.0
+	offset1  = 29014256564239239022116864.0
+	offset2  = 124615283061160854719918951570079744.0
+	offset3  = 535219245894202480694386063513315216128475136.0
+)
+
+// poly1305Verify returns true if mac is a valid authenticator for m with the
+// given key.
+func poly1305Verify(mac *[16]byte, m []byte, key *[32]byte) bool {
+	var tmp [16]byte
+	poly1305Sum(&tmp, m, key)
+	return subtle.ConstantTimeCompare(tmp[:], mac[:]) == 1
+}
+
+// poly1305Sum generates an authenticator for m using a one-time key and puts
+// the 16-byte result into out. Authenticating two different messages with the
+// same key allows an attacker to forge messages at will.
+func poly1305Sum(out *[16]byte, m []byte, key *[32]byte) {
+	r := key
+	s := key[16:]
+	var (
+		y7        float64
+		y6        float64
+		y1        float64
+		y0        float64
+		y5        float64
+		y4        float64
+		x7        float64
+		x6        float64
+		x1        float64
+		x0        float64
+		y3        float64
+		y2        float64
+		x5        float64
+		r3lowx0   float64
+		x4        float64
+		r0lowx6   float64
+		x3        float64
+		r3highx0  float64
+		x2        float64
+		r0highx6  float64
+		r0lowx0   float64
+		sr1lowx6  float64
+		r0highx0  float64
+		sr1highx6 float64
+		sr3low    float64
+		r1lowx0   float64
+		sr2lowx6  float64
+		r1highx0  float64
+		sr2highx6 float64
+		r2lowx0   float64
+		sr3lowx6  float64
+		r2highx0  float64
+		sr3highx6 float64
+		r1highx4  float64
+		r1lowx4   float64
+		r0highx4  float64
+		r0lowx4   float64
+		sr3highx4 float64
+		sr3lowx4  float64
+		sr2highx4 float64
+		sr2lowx4  float64
+		r0lowx2   float64
+		r0highx2  float64
+		r1lowx2   float64
+		r1highx2  float64
+		r2lowx2   float64
+		r2highx2  float64
+		sr3lowx2  float64
+		sr3highx2 float64
+		z0        float64
+		z1        float64
+		z2        float64
+		z3        float64
+		m0        int64
+		m1        int64
+		m2        int64
+		m3        int64
+		m00       uint32
+		m01       uint32
+		m02       uint32
+		m03       uint32
+		m10       uint32
+		m11       uint32
+		m12       uint32
+		m13       uint32
+		m20       uint32
+		m21       uint32
+		m22       uint32
+		m23       uint32
+		m30       uint32
+		m31       uint32
+		m32       uint32
+		m33       uint64
+		lbelow2   int32
+		lbelow3   int32
+		lbelow4   int32
+		lbelow5   int32
+		lbelow6   int32
+		lbelow7   int32
+		lbelow8   int32
+		lbelow9   int32
+		lbelow10  int32
+		lbelow11  int32
+		lbelow12  int32
+		lbelow13  int32
+		lbelow14  int32
+		lbelow15  int32
+		s00       uint32
+		s01       uint32
+		s02       uint32
+		s03       uint32
+		s10       uint32
+		s11       uint32
+		s12       uint32
+		s13       uint32
+		s20       uint32
+		s21       uint32
+		s22       uint32
+		s23       uint32
+		s30       uint32
+		s31       uint32
+		s32       uint32
+		s33       uint32
+		bits32    uint64
+		f         uint64
+		f0        uint64
+		f1        uint64
+		f2        uint64
+		f3        uint64
+		f4        uint64
+		g         uint64
+		g0        uint64
+		g1        uint64
+		g2        uint64
+		g3        uint64
+		g4        uint64
+	)
+
+	var p int32
+
+	l := int32(len(m))
+
+	r00 := uint32(r[0])
+
+	r01 := uint32(r[1])
+
+	r02 := uint32(r[2])
+	r0 := int64(2151)
+
+	r03 := uint32(r[3])
+	r03 &= 15
+	r0 <<= 51
+
+	r10 := uint32(r[4])
+	r10 &= 252
+	r01 <<= 8
+	r0 += int64(r00)
+
+	r11 := uint32(r[5])
+	r02 <<= 16
+	r0 += int64(r01)
+
+	r12 := uint32(r[6])
+	r03 <<= 24
+	r0 += int64(r02)
+
+	r13 := uint32(r[7])
+	r13 &= 15
+	r1 := int64(2215)
+	r0 += int64(r03)
+
+	d0 := r0
+	r1 <<= 51
+	r2 := int64(2279)
+
+	r20 := uint32(r[8])
+	r20 &= 252
+	r11 <<= 8
+	r1 += int64(r10)
+
+	r21 := uint32(r[9])
+	r12 <<= 16
+	r1 += int64(r11)
+
+	r22 := uint32(r[10])
+	r13 <<= 24
+	r1 += int64(r12)
+
+	r23 := uint32(r[11])
+	r23 &= 15
+	r2 <<= 51
+	r1 += int64(r13)
+
+	d1 := r1
+	r21 <<= 8
+	r2 += int64(r20)
+
+	r30 := uint32(r[12])
+	r30 &= 252
+	r22 <<= 16
+	r2 += int64(r21)
+
+	r31 := uint32(r[13])
+	r23 <<= 24
+	r2 += int64(r22)
+
+	r32 := uint32(r[14])
+	r2 += int64(r23)
+	r3 := int64(2343)
+
+	d2 := r2
+	r3 <<= 51
+
+	r33 := uint32(r[15])
+	r33 &= 15
+	r31 <<= 8
+	r3 += int64(r30)
+
+	r32 <<= 16
+	r3 += int64(r31)
+
+	r33 <<= 24
+	r3 += int64(r32)
+
+	r3 += int64(r33)
+	h0 := alpha32 - alpha32
+
+	d3 := r3
+	h1 := alpha32 - alpha32
+
+	h2 := alpha32 - alpha32
+
+	h3 := alpha32 - alpha32
+
+	h4 := alpha32 - alpha32
+
+	r0low := math.Float64frombits(uint64(d0))
+	h5 := alpha32 - alpha32
+
+	r1low := math.Float64frombits(uint64(d1))
+	h6 := alpha32 - alpha32
+
+	r2low := math.Float64frombits(uint64(d2))
+	h7 := alpha32 - alpha32
+
+	r0low -= alpha0
+
+	r1low -= alpha32
+
+	r2low -= alpha64
+
+	r0high := r0low + alpha18
+
+	r3low := math.Float64frombits(uint64(d3))
+
+	r1high := r1low + alpha50
+	sr1low := scale * r1low
+
+	r2high := r2low + alpha82
+	sr2low := scale * r2low
+
+	r0high -= alpha18
+	r0high_stack := r0high
+
+	r3low -= alpha96
+
+	r1high -= alpha50
+	r1high_stack := r1high
+
+	sr1high := sr1low + alpham80
+
+	r0low -= r0high
+
+	r2high -= alpha82
+	sr3low = scale * r3low
+
+	sr2high := sr2low + alpham48
+
+	r1low -= r1high
+	r1low_stack := r1low
+
+	sr1high -= alpham80
+	sr1high_stack := sr1high
+
+	r2low -= r2high
+	r2low_stack := r2low
+
+	sr2high -= alpham48
+	sr2high_stack := sr2high
+
+	r3high := r3low + alpha112
+	r0low_stack := r0low
+
+	sr1low -= sr1high
+	sr1low_stack := sr1low
+
+	sr3high := sr3low + alpham16
+	r2high_stack := r2high
+
+	sr2low -= sr2high
+	sr2low_stack := sr2low
+
+	r3high -= alpha112
+	r3high_stack := r3high
+
+	sr3high -= alpham16
+	sr3high_stack := sr3high
+
+	r3low -= r3high
+	r3low_stack := r3low
+
+	sr3low -= sr3high
+	sr3low_stack := sr3low
+
+	if l < 16 {
+		goto addatmost15bytes
+	}
+
+	m00 = uint32(m[p+0])
+	m0 = 2151
+
+	m0 <<= 51
+	m1 = 2215
+	m01 = uint32(m[p+1])
+
+	m1 <<= 51
+	m2 = 2279
+	m02 = uint32(m[p+2])
+
+	m2 <<= 51
+	m3 = 2343
+	m03 = uint32(m[p+3])
+
+	m10 = uint32(m[p+4])
+	m01 <<= 8
+	m0 += int64(m00)
+
+	m11 = uint32(m[p+5])
+	m02 <<= 16
+	m0 += int64(m01)
+
+	m12 = uint32(m[p+6])
+	m03 <<= 24
+	m0 += int64(m02)
+
+	m13 = uint32(m[p+7])
+	m3 <<= 51
+	m0 += int64(m03)
+
+	m20 = uint32(m[p+8])
+	m11 <<= 8
+	m1 += int64(m10)
+
+	m21 = uint32(m[p+9])
+	m12 <<= 16
+	m1 += int64(m11)
+
+	m22 = uint32(m[p+10])
+	m13 <<= 24
+	m1 += int64(m12)
+
+	m23 = uint32(m[p+11])
+	m1 += int64(m13)
+
+	m30 = uint32(m[p+12])
+	m21 <<= 8
+	m2 += int64(m20)
+
+	m31 = uint32(m[p+13])
+	m22 <<= 16
+	m2 += int64(m21)
+
+	m32 = uint32(m[p+14])
+	m23 <<= 24
+	m2 += int64(m22)
+
+	m33 = uint64(m[p+15])
+	m2 += int64(m23)
+
+	d0 = m0
+	m31 <<= 8
+	m3 += int64(m30)
+
+	d1 = m1
+	m32 <<= 16
+	m3 += int64(m31)
+
+	d2 = m2
+	m33 += 256
+
+	m33 <<= 24
+	m3 += int64(m32)
+
+	m3 += int64(m33)
+	d3 = m3
+
+	p += 16
+	l -= 16
+
+	z0 = math.Float64frombits(uint64(d0))
+
+	z1 = math.Float64frombits(uint64(d1))
+
+	z2 = math.Float64frombits(uint64(d2))
+
+	z3 = math.Float64frombits(uint64(d3))
+
+	z0 -= alpha0
+
+	z1 -= alpha32
+
+	z2 -= alpha64
+
+	z3 -= alpha96
+
+	h0 += z0
+
+	h1 += z1
+
+	h3 += z2
+
+	h5 += z3
+
+	if l < 16 {
+		goto multiplyaddatmost15bytes
+	}
+
+multiplyaddatleast16bytes:
+
+	m2 = 2279
+	m20 = uint32(m[p+8])
+	y7 = h7 + alpha130
+
+	m2 <<= 51
+	m3 = 2343
+	m21 = uint32(m[p+9])
+	y6 = h6 + alpha130
+
+	m3 <<= 51
+	m0 = 2151
+	m22 = uint32(m[p+10])
+	y1 = h1 + alpha32
+
+	m0 <<= 51
+	m1 = 2215
+	m23 = uint32(m[p+11])
+	y0 = h0 + alpha32
+
+	m1 <<= 51
+	m30 = uint32(m[p+12])
+	y7 -= alpha130
+
+	m21 <<= 8
+	m2 += int64(m20)
+	m31 = uint32(m[p+13])
+	y6 -= alpha130
+
+	m22 <<= 16
+	m2 += int64(m21)
+	m32 = uint32(m[p+14])
+	y1 -= alpha32
+
+	m23 <<= 24
+	m2 += int64(m22)
+	m33 = uint64(m[p+15])
+	y0 -= alpha32
+
+	m2 += int64(m23)
+	m00 = uint32(m[p+0])
+	y5 = h5 + alpha96
+
+	m31 <<= 8
+	m3 += int64(m30)
+	m01 = uint32(m[p+1])
+	y4 = h4 + alpha96
+
+	m32 <<= 16
+	m02 = uint32(m[p+2])
+	x7 = h7 - y7
+	y7 *= scale
+
+	m33 += 256
+	m03 = uint32(m[p+3])
+	x6 = h6 - y6
+	y6 *= scale
+
+	m33 <<= 24
+	m3 += int64(m31)
+	m10 = uint32(m[p+4])
+	x1 = h1 - y1
+
+	m01 <<= 8
+	m3 += int64(m32)
+	m11 = uint32(m[p+5])
+	x0 = h0 - y0
+
+	m3 += int64(m33)
+	m0 += int64(m00)
+	m12 = uint32(m[p+6])
+	y5 -= alpha96
+
+	m02 <<= 16
+	m0 += int64(m01)
+	m13 = uint32(m[p+7])
+	y4 -= alpha96
+
+	m03 <<= 24
+	m0 += int64(m02)
+	d2 = m2
+	x1 += y7
+
+	m0 += int64(m03)
+	d3 = m3
+	x0 += y6
+
+	m11 <<= 8
+	m1 += int64(m10)
+	d0 = m0
+	x7 += y5
+
+	m12 <<= 16
+	m1 += int64(m11)
+	x6 += y4
+
+	m13 <<= 24
+	m1 += int64(m12)
+	y3 = h3 + alpha64
+
+	m1 += int64(m13)
+	d1 = m1
+	y2 = h2 + alpha64
+
+	x0 += x1
+
+	x6 += x7
+
+	y3 -= alpha64
+	r3low = r3low_stack
+
+	y2 -= alpha64
+	r0low = r0low_stack
+
+	x5 = h5 - y5
+	r3lowx0 = r3low * x0
+	r3high = r3high_stack
+
+	x4 = h4 - y4
+	r0lowx6 = r0low * x6
+	r0high = r0high_stack
+
+	x3 = h3 - y3
+	r3highx0 = r3high * x0
+	sr1low = sr1low_stack
+
+	x2 = h2 - y2
+	r0highx6 = r0high * x6
+	sr1high = sr1high_stack
+
+	x5 += y3
+	r0lowx0 = r0low * x0
+	r1low = r1low_stack
+
+	h6 = r3lowx0 + r0lowx6
+	sr1lowx6 = sr1low * x6
+	r1high = r1high_stack
+
+	x4 += y2
+	r0highx0 = r0high * x0
+	sr2low = sr2low_stack
+
+	h7 = r3highx0 + r0highx6
+	sr1highx6 = sr1high * x6
+	sr2high = sr2high_stack
+
+	x3 += y1
+	r1lowx0 = r1low * x0
+	r2low = r2low_stack
+
+	h0 = r0lowx0 + sr1lowx6
+	sr2lowx6 = sr2low * x6
+	r2high = r2high_stack
+
+	x2 += y0
+	r1highx0 = r1high * x0
+	sr3low = sr3low_stack
+
+	h1 = r0highx0 + sr1highx6
+	sr2highx6 = sr2high * x6
+	sr3high = sr3high_stack
+
+	x4 += x5
+	r2lowx0 = r2low * x0
+	z2 = math.Float64frombits(uint64(d2))
+
+	h2 = r1lowx0 + sr2lowx6
+	sr3lowx6 = sr3low * x6
+
+	x2 += x3
+	r2highx0 = r2high * x0
+	z3 = math.Float64frombits(uint64(d3))
+
+	h3 = r1highx0 + sr2highx6
+	sr3highx6 = sr3high * x6
+
+	r1highx4 = r1high * x4
+	z2 -= alpha64
+
+	h4 = r2lowx0 + sr3lowx6
+	r1lowx4 = r1low * x4
+
+	r0highx4 = r0high * x4
+	z3 -= alpha96
+
+	h5 = r2highx0 + sr3highx6
+	r0lowx4 = r0low * x4
+
+	h7 += r1highx4
+	sr3highx4 = sr3high * x4
+
+	h6 += r1lowx4
+	sr3lowx4 = sr3low * x4
+
+	h5 += r0highx4
+	sr2highx4 = sr2high * x4
+
+	h4 += r0lowx4
+	sr2lowx4 = sr2low * x4
+
+	h3 += sr3highx4
+	r0lowx2 = r0low * x2
+
+	h2 += sr3lowx4
+	r0highx2 = r0high * x2
+
+	h1 += sr2highx4
+	r1lowx2 = r1low * x2
+
+	h0 += sr2lowx4
+	r1highx2 = r1high * x2
+
+	h2 += r0lowx2
+	r2lowx2 = r2low * x2
+
+	h3 += r0highx2
+	r2highx2 = r2high * x2
+
+	h4 += r1lowx2
+	sr3lowx2 = sr3low * x2
+
+	h5 += r1highx2
+	sr3highx2 = sr3high * x2
+
+	p += 16
+	l -= 16
+	h6 += r2lowx2
+
+	h7 += r2highx2
+
+	z1 = math.Float64frombits(uint64(d1))
+	h0 += sr3lowx2
+
+	z0 = math.Float64frombits(uint64(d0))
+	h1 += sr3highx2
+
+	z1 -= alpha32
+
+	z0 -= alpha0
+
+	h5 += z3
+
+	h3 += z2
+
+	h1 += z1
+
+	h0 += z0
+
+	if l >= 16 {
+		goto multiplyaddatleast16bytes
+	}
+
+multiplyaddatmost15bytes:
+
+	y7 = h7 + alpha130
+
+	y6 = h6 + alpha130
+
+	y1 = h1 + alpha32
+
+	y0 = h0 + alpha32
+
+	y7 -= alpha130
+
+	y6 -= alpha130
+
+	y1 -= alpha32
+
+	y0 -= alpha32
+
+	y5 = h5 + alpha96
+
+	y4 = h4 + alpha96
+
+	x7 = h7 - y7
+	y7 *= scale
+
+	x6 = h6 - y6
+	y6 *= scale
+
+	x1 = h1 - y1
+
+	x0 = h0 - y0
+
+	y5 -= alpha96
+
+	y4 -= alpha96
+
+	x1 += y7
+
+	x0 += y6
+
+	x7 += y5
+
+	x6 += y4
+
+	y3 = h3 + alpha64
+
+	y2 = h2 + alpha64
+
+	x0 += x1
+
+	x6 += x7
+
+	y3 -= alpha64
+	r3low = r3low_stack
+
+	y2 -= alpha64
+	r0low = r0low_stack
+
+	x5 = h5 - y5
+	r3lowx0 = r3low * x0
+	r3high = r3high_stack
+
+	x4 = h4 - y4
+	r0lowx6 = r0low * x6
+	r0high = r0high_stack
+
+	x3 = h3 - y3
+	r3highx0 = r3high * x0
+	sr1low = sr1low_stack
+
+	x2 = h2 - y2
+	r0highx6 = r0high * x6
+	sr1high = sr1high_stack
+
+	x5 += y3
+	r0lowx0 = r0low * x0
+	r1low = r1low_stack
+
+	h6 = r3lowx0 + r0lowx6
+	sr1lowx6 = sr1low * x6
+	r1high = r1high_stack
+
+	x4 += y2
+	r0highx0 = r0high * x0
+	sr2low = sr2low_stack
+
+	h7 = r3highx0 + r0highx6
+	sr1highx6 = sr1high * x6
+	sr2high = sr2high_stack
+
+	x3 += y1
+	r1lowx0 = r1low * x0
+	r2low = r2low_stack
+
+	h0 = r0lowx0 + sr1lowx6
+	sr2lowx6 = sr2low * x6
+	r2high = r2high_stack
+
+	x2 += y0
+	r1highx0 = r1high * x0
+	sr3low = sr3low_stack
+
+	h1 = r0highx0 + sr1highx6
+	sr2highx6 = sr2high * x6
+	sr3high = sr3high_stack
+
+	x4 += x5
+	r2lowx0 = r2low * x0
+
+	h2 = r1lowx0 + sr2lowx6
+	sr3lowx6 = sr3low * x6
+
+	x2 += x3
+	r2highx0 = r2high * x0
+
+	h3 = r1highx0 + sr2highx6
+	sr3highx6 = sr3high * x6
+
+	r1highx4 = r1high * x4
+
+	h4 = r2lowx0 + sr3lowx6
+	r1lowx4 = r1low * x4
+
+	r0highx4 = r0high * x4
+
+	h5 = r2highx0 + sr3highx6
+	r0lowx4 = r0low * x4
+
+	h7 += r1highx4
+	sr3highx4 = sr3high * x4
+
+	h6 += r1lowx4
+	sr3lowx4 = sr3low * x4
+
+	h5 += r0highx4
+	sr2highx4 = sr2high * x4
+
+	h4 += r0lowx4
+	sr2lowx4 = sr2low * x4
+
+	h3 += sr3highx4
+	r0lowx2 = r0low * x2
+
+	h2 += sr3lowx4
+	r0highx2 = r0high * x2
+
+	h1 += sr2highx4
+	r1lowx2 = r1low * x2
+
+	h0 += sr2lowx4
+	r1highx2 = r1high * x2
+
+	h2 += r0lowx2
+	r2lowx2 = r2low * x2
+
+	h3 += r0highx2
+	r2highx2 = r2high * x2
+
+	h4 += r1lowx2
+	sr3lowx2 = sr3low * x2
+
+	h5 += r1highx2
+	sr3highx2 = sr3high * x2
+
+	h6 += r2lowx2
+
+	h7 += r2highx2
+
+	h0 += sr3lowx2
+
+	h1 += sr3highx2
+
+addatmost15bytes:
+
+	if l == 0 {
+		goto nomorebytes
+	}
+
+	lbelow2 = l - 2
+
+	lbelow3 = l - 3
+
+	lbelow2 >>= 31
+	lbelow4 = l - 4
+
+	m00 = uint32(m[p+0])
+	lbelow3 >>= 31
+	p += lbelow2
+
+	m01 = uint32(m[p+1])
+	lbelow4 >>= 31
+	p += lbelow3
+
+	m02 = uint32(m[p+2])
+	p += lbelow4
+	m0 = 2151
+
+	m03 = uint32(m[p+3])
+	m0 <<= 51
+	m1 = 2215
+
+	m0 += int64(m00)
+	m01 &^= uint32(lbelow2)
+
+	m02 &^= uint32(lbelow3)
+	m01 -= uint32(lbelow2)
+
+	m01 <<= 8
+	m03 &^= uint32(lbelow4)
+
+	m0 += int64(m01)
+	lbelow2 -= lbelow3
+
+	m02 += uint32(lbelow2)
+	lbelow3 -= lbelow4
+
+	m02 <<= 16
+	m03 += uint32(lbelow3)
+
+	m03 <<= 24
+	m0 += int64(m02)
+
+	m0 += int64(m03)
+	lbelow5 = l - 5
+
+	lbelow6 = l - 6
+	lbelow7 = l - 7
+
+	lbelow5 >>= 31
+	lbelow8 = l - 8
+
+	lbelow6 >>= 31
+	p += lbelow5
+
+	m10 = uint32(m[p+4])
+	lbelow7 >>= 31
+	p += lbelow6
+
+	m11 = uint32(m[p+5])
+	lbelow8 >>= 31
+	p += lbelow7
+
+	m12 = uint32(m[p+6])
+	m1 <<= 51
+	p += lbelow8
+
+	m13 = uint32(m[p+7])
+	m10 &^= uint32(lbelow5)
+	lbelow4 -= lbelow5
+
+	m10 += uint32(lbelow4)
+	lbelow5 -= lbelow6
+
+	m11 &^= uint32(lbelow6)
+	m11 += uint32(lbelow5)
+
+	m11 <<= 8
+	m1 += int64(m10)
+
+	m1 += int64(m11)
+	m12 &^= uint32(lbelow7)
+
+	lbelow6 -= lbelow7
+	m13 &^= uint32(lbelow8)
+
+	m12 += uint32(lbelow6)
+	lbelow7 -= lbelow8
+
+	m12 <<= 16
+	m13 += uint32(lbelow7)
+
+	m13 <<= 24
+	m1 += int64(m12)
+
+	m1 += int64(m13)
+	m2 = 2279
+
+	lbelow9 = l - 9
+	m3 = 2343
+
+	lbelow10 = l - 10
+	lbelow11 = l - 11
+
+	lbelow9 >>= 31
+	lbelow12 = l - 12
+
+	lbelow10 >>= 31
+	p += lbelow9
+
+	m20 = uint32(m[p+8])
+	lbelow11 >>= 31
+	p += lbelow10
+
+	m21 = uint32(m[p+9])
+	lbelow12 >>= 31
+	p += lbelow11
+
+	m22 = uint32(m[p+10])
+	m2 <<= 51
+	p += lbelow12
+
+	m23 = uint32(m[p+11])
+	m20 &^= uint32(lbelow9)
+	lbelow8 -= lbelow9
+
+	m20 += uint32(lbelow8)
+	lbelow9 -= lbelow10
+
+	m21 &^= uint32(lbelow10)
+	m21 += uint32(lbelow9)
+
+	m21 <<= 8
+	m2 += int64(m20)
+
+	m2 += int64(m21)
+	m22 &^= uint32(lbelow11)
+
+	lbelow10 -= lbelow11
+	m23 &^= uint32(lbelow12)
+
+	m22 += uint32(lbelow10)
+	lbelow11 -= lbelow12
+
+	m22 <<= 16
+	m23 += uint32(lbelow11)
+
+	m23 <<= 24
+	m2 += int64(m22)
+
+	m3 <<= 51
+	lbelow13 = l - 13
+
+	lbelow13 >>= 31
+	lbelow14 = l - 14
+
+	lbelow14 >>= 31
+	p += lbelow13
+	lbelow15 = l - 15
+
+	m30 = uint32(m[p+12])
+	lbelow15 >>= 31
+	p += lbelow14
+
+	m31 = uint32(m[p+13])
+	p += lbelow15
+	m2 += int64(m23)
+
+	m32 = uint32(m[p+14])
+	m30 &^= uint32(lbelow13)
+	lbelow12 -= lbelow13
+
+	m30 += uint32(lbelow12)
+	lbelow13 -= lbelow14
+
+	m3 += int64(m30)
+	m31 &^= uint32(lbelow14)
+
+	m31 += uint32(lbelow13)
+	m32 &^= uint32(lbelow15)
+
+	m31 <<= 8
+	lbelow14 -= lbelow15
+
+	m3 += int64(m31)
+	m32 += uint32(lbelow14)
+	d0 = m0
+
+	m32 <<= 16
+	m33 = uint64(lbelow15 + 1)
+	d1 = m1
+
+	m33 <<= 24
+	m3 += int64(m32)
+	d2 = m2
+
+	m3 += int64(m33)
+	d3 = m3
+
+	z3 = math.Float64frombits(uint64(d3))
+
+	z2 = math.Float64frombits(uint64(d2))
+
+	z1 = math.Float64frombits(uint64(d1))
+
+	z0 = math.Float64frombits(uint64(d0))
+
+	z3 -= alpha96
+
+	z2 -= alpha64
+
+	z1 -= alpha32
+
+	z0 -= alpha0
+
+	h5 += z3
+
+	h3 += z2
+
+	h1 += z1
+
+	h0 += z0
+
+	y7 = h7 + alpha130
+
+	y6 = h6 + alpha130
+
+	y1 = h1 + alpha32
+
+	y0 = h0 + alpha32
+
+	y7 -= alpha130
+
+	y6 -= alpha130
+
+	y1 -= alpha32
+
+	y0 -= alpha32
+
+	y5 = h5 + alpha96
+
+	y4 = h4 + alpha96
+
+	x7 = h7 - y7
+	y7 *= scale
+
+	x6 = h6 - y6
+	y6 *= scale
+
+	x1 = h1 - y1
+
+	x0 = h0 - y0
+
+	y5 -= alpha96
+
+	y4 -= alpha96
+
+	x1 += y7
+
+	x0 += y6
+
+	x7 += y5
+
+	x6 += y4
+
+	y3 = h3 + alpha64
+
+	y2 = h2 + alpha64
+
+	x0 += x1
+
+	x6 += x7
+
+	y3 -= alpha64
+	r3low = r3low_stack
+
+	y2 -= alpha64
+	r0low = r0low_stack
+
+	x5 = h5 - y5
+	r3lowx0 = r3low * x0
+	r3high = r3high_stack
+
+	x4 = h4 - y4
+	r0lowx6 = r0low * x6
+	r0high = r0high_stack
+
+	x3 = h3 - y3
+	r3highx0 = r3high * x0
+	sr1low = sr1low_stack
+
+	x2 = h2 - y2
+	r0highx6 = r0high * x6
+	sr1high = sr1high_stack
+
+	x5 += y3
+	r0lowx0 = r0low * x0
+	r1low = r1low_stack
+
+	h6 = r3lowx0 + r0lowx6
+	sr1lowx6 = sr1low * x6
+	r1high = r1high_stack
+
+	x4 += y2
+	r0highx0 = r0high * x0
+	sr2low = sr2low_stack
+
+	h7 = r3highx0 + r0highx6
+	sr1highx6 = sr1high * x6
+	sr2high = sr2high_stack
+
+	x3 += y1
+	r1lowx0 = r1low * x0
+	r2low = r2low_stack
+
+	h0 = r0lowx0 + sr1lowx6
+	sr2lowx6 = sr2low * x6
+	r2high = r2high_stack
+
+	x2 += y0
+	r1highx0 = r1high * x0
+	sr3low = sr3low_stack
+
+	h1 = r0highx0 + sr1highx6
+	sr2highx6 = sr2high * x6
+	sr3high = sr3high_stack
+
+	x4 += x5
+	r2lowx0 = r2low * x0
+
+	h2 = r1lowx0 + sr2lowx6
+	sr3lowx6 = sr3low * x6
+
+	x2 += x3
+	r2highx0 = r2high * x0
+
+	h3 = r1highx0 + sr2highx6
+	sr3highx6 = sr3high * x6
+
+	r1highx4 = r1high * x4
+
+	h4 = r2lowx0 + sr3lowx6
+	r1lowx4 = r1low * x4
+
+	r0highx4 = r0high * x4
+
+	h5 = r2highx0 + sr3highx6
+	r0lowx4 = r0low * x4
+
+	h7 += r1highx4
+	sr3highx4 = sr3high * x4
+
+	h6 += r1lowx4
+	sr3lowx4 = sr3low * x4
+
+	h5 += r0highx4
+	sr2highx4 = sr2high * x4
+
+	h4 += r0lowx4
+	sr2lowx4 = sr2low * x4
+
+	h3 += sr3highx4
+	r0lowx2 = r0low * x2
+
+	h2 += sr3lowx4
+	r0highx2 = r0high * x2
+
+	h1 += sr2highx4
+	r1lowx2 = r1low * x2
+
+	h0 += sr2lowx4
+	r1highx2 = r1high * x2
+
+	h2 += r0lowx2
+	r2lowx2 = r2low * x2
+
+	h3 += r0highx2
+	r2highx2 = r2high * x2
+
+	h4 += r1lowx2
+	sr3lowx2 = sr3low * x2
+
+	h5 += r1highx2
+	sr3highx2 = sr3high * x2
+
+	h6 += r2lowx2
+
+	h7 += r2highx2
+
+	h0 += sr3lowx2
+
+	h1 += sr3highx2
+
+nomorebytes:
+
+	y7 = h7 + alpha130
+
+	y0 = h0 + alpha32
+
+	y1 = h1 + alpha32
+
+	y2 = h2 + alpha64
+
+	y7 -= alpha130
+
+	y3 = h3 + alpha64
+
+	y4 = h4 + alpha96
+
+	y5 = h5 + alpha96
+
+	x7 = h7 - y7
+	y7 *= scale
+
+	y0 -= alpha32
+
+	y1 -= alpha32
+
+	y2 -= alpha64
+
+	h6 += x7
+
+	y3 -= alpha64
+
+	y4 -= alpha96
+
+	y5 -= alpha96
+
+	y6 = h6 + alpha130
+
+	x0 = h0 - y0
+
+	x1 = h1 - y1
+
+	x2 = h2 - y2
+
+	y6 -= alpha130
+
+	x0 += y7
+
+	x3 = h3 - y3
+
+	x4 = h4 - y4
+
+	x5 = h5 - y5
+
+	x6 = h6 - y6
+
+	y6 *= scale
+
+	x2 += y0
+
+	x3 += y1
+
+	x4 += y2
+
+	x0 += y6
+
+	x5 += y3
+
+	x6 += y4
+
+	x2 += x3
+
+	x0 += x1
+
+	x4 += x5
+
+	x6 += y5
+
+	x2 += offset1
+	d1 = int64(math.Float64bits(x2))
+
+	x0 += offset0
+	d0 = int64(math.Float64bits(x0))
+
+	x4 += offset2
+	d2 = int64(math.Float64bits(x4))
+
+	x6 += offset3
+	d3 = int64(math.Float64bits(x6))
+
+	f0 = uint64(d0)
+
+	f1 = uint64(d1)
+	bits32 = math.MaxUint64
+
+	f2 = uint64(d2)
+	bits32 >>= 32
+
+	f3 = uint64(d3)
+	f = f0 >> 32
+
+	f0 &= bits32
+	f &= 255
+
+	f1 += f
+	g0 = f0 + 5
+
+	g = g0 >> 32
+	g0 &= bits32
+
+	f = f1 >> 32
+	f1 &= bits32
+
+	f &= 255
+	g1 = f1 + g
+
+	g = g1 >> 32
+	f2 += f
+
+	f = f2 >> 32
+	g1 &= bits32
+
+	f2 &= bits32
+	f &= 255
+
+	f3 += f
+	g2 = f2 + g
+
+	g = g2 >> 32
+	g2 &= bits32
+
+	f4 = f3 >> 32
+	f3 &= bits32
+
+	f4 &= 255
+	g3 = f3 + g
+
+	g = g3 >> 32
+	g3 &= bits32
+
+	g4 = f4 + g
+
+	g4 = g4 - 4
+	s00 = uint32(s[0])
+
+	f = uint64(int64(g4) >> 63)
+	s01 = uint32(s[1])
+
+	f0 &= f
+	g0 &^= f
+	s02 = uint32(s[2])
+
+	f1 &= f
+	f0 |= g0
+	s03 = uint32(s[3])
+
+	g1 &^= f
+	f2 &= f
+	s10 = uint32(s[4])
+
+	f3 &= f
+	g2 &^= f
+	s11 = uint32(s[5])
+
+	g3 &^= f
+	f1 |= g1
+	s12 = uint32(s[6])
+
+	f2 |= g2
+	f3 |= g3
+	s13 = uint32(s[7])
+
+	s01 <<= 8
+	f0 += uint64(s00)
+	s20 = uint32(s[8])
+
+	s02 <<= 16
+	f0 += uint64(s01)
+	s21 = uint32(s[9])
+
+	s03 <<= 24
+	f0 += uint64(s02)
+	s22 = uint32(s[10])
+
+	s11 <<= 8
+	f1 += uint64(s10)
+	s23 = uint32(s[11])
+
+	s12 <<= 16
+	f1 += uint64(s11)
+	s30 = uint32(s[12])
+
+	s13 <<= 24
+	f1 += uint64(s12)
+	s31 = uint32(s[13])
+
+	f0 += uint64(s03)
+	f1 += uint64(s13)
+	s32 = uint32(s[14])
+
+	s21 <<= 8
+	f2 += uint64(s20)
+	s33 = uint32(s[15])
+
+	s22 <<= 16
+	f2 += uint64(s21)
+
+	s23 <<= 24
+	f2 += uint64(s22)
+
+	s31 <<= 8
+	f3 += uint64(s30)
+
+	s32 <<= 16
+	f3 += uint64(s31)
+
+	s33 <<= 24
+	f3 += uint64(s32)
+
+	f2 += uint64(s23)
+	f3 += uint64(s33)
+
+	out[0] = byte(f0)
+	f0 >>= 8
+	out[1] = byte(f0)
+	f0 >>= 8
+	out[2] = byte(f0)
+	f0 >>= 8
+	out[3] = byte(f0)
+	f0 >>= 8
+	f1 += f0
+
+	out[4] = byte(f1)
+	f1 >>= 8
+	out[5] = byte(f1)
+	f1 >>= 8
+	out[6] = byte(f1)
+	f1 >>= 8
+	out[7] = byte(f1)
+	f1 >>= 8
+	f2 += f1
+
+	out[8] = byte(f2)
+	f2 >>= 8
+	out[9] = byte(f2)
+	f2 >>= 8
+	out[10] = byte(f2)
+	f2 >>= 8
+	out[11] = byte(f2)
+	f2 >>= 8
+	f3 += f2
+
+	out[12] = byte(f3)
+	f3 >>= 8
+	out[13] = byte(f3)
+	f3 >>= 8
+	out[14] = byte(f3)
+	f3 >>= 8
+	out[15] = byte(f3)
+}
diff --git a/src/ssl/test/runner/prf.go b/src/ssl/test/runner/prf.go
index 75a8933..d445e76 100644
--- a/src/ssl/test/runner/prf.go
+++ b/src/ssl/test/runner/prf.go
@@ -323,14 +323,14 @@ func (h finishedHash) serverSum(masterSecret []byte) []byte {
 
 // selectClientCertSignatureAlgorithm returns a signatureAndHash to sign a
 // client's CertificateVerify with, or an error if none can be found.
-func (h finishedHash) selectClientCertSignatureAlgorithm(serverList []signatureAndHash, sigType uint8) (signatureAndHash, error) {
+func (h finishedHash) selectClientCertSignatureAlgorithm(serverList, clientList []signatureAndHash, sigType uint8) (signatureAndHash, error) {
 	if h.version < VersionTLS12 {
 		// Nothing to negotiate before TLS 1.2.
 		return signatureAndHash{signature: sigType}, nil
 	}
 
 	for _, v := range serverList {
-		if v.signature == sigType && v.hash == hashSHA256 {
+		if v.signature == sigType && isSupportedSignatureAndHash(v, clientList) {
 			return v, nil
 		}
 	}
diff --git a/src/ssl/test/runner/runner.go b/src/ssl/test/runner/runner.go
index aaa2a4d..ec2fede 100644
--- a/src/ssl/test/runner/runner.go
+++ b/src/ssl/test/runner/runner.go
@@ -20,14 +20,17 @@ import (
 	"strings"
 	"sync"
 	"syscall"
+	"time"
 )
 
 var (
-	useValgrind            = flag.Bool("valgrind", false, "If true, run code under valgrind")
-	useGDB                 = flag.Bool("gdb", false, "If true, run BoringSSL code under gdb")
-	flagDebug       *bool  = flag.Bool("debug", false, "Hexdump the contents of the connection")
-	mallocTest      *int64 = flag.Int64("malloc-test", -1, "If non-negative, run each test with each malloc in turn failing from the given number onwards.")
-	mallocTestDebug *bool  = flag.Bool("malloc-test-debug", false, "If true, ask bssl_shim to abort rather than fail a malloc. This can be used with a specific value for --malloc-test to identity the malloc failing that is causing problems.")
+	useValgrind     = flag.Bool("valgrind", false, "If true, run code under valgrind")
+	useGDB          = flag.Bool("gdb", false, "If true, run BoringSSL code under gdb")
+	flagDebug       = flag.Bool("debug", false, "Hexdump the contents of the connection")
+	mallocTest      = flag.Int64("malloc-test", -1, "If non-negative, run each test with each malloc in turn failing from the given number onwards.")
+	mallocTestDebug = flag.Bool("malloc-test-debug", false, "If true, ask bssl_shim to abort rather than fail a malloc. This can be used with a specific value for --malloc-test to identity the malloc failing that is causing problems.")
+	jsonOutput      = flag.String("json-output", "", "The file to output JSON results to.")
+	pipe            = flag.Bool("pipe", false, "If true, print status output suitable for piping into another program.")
 )
 
 const (
@@ -132,6 +135,9 @@ type testCase struct {
 	// expectedResumeVersion, if non-zero, specifies the TLS version that
 	// must be negotiated on resumption. If zero, expectedVersion is used.
 	expectedResumeVersion uint16
+	// expectedCipher, if non-zero, specifies the TLS cipher suite that
+	// should be negotiated.
+	expectedCipher uint16
 	// expectChannelID controls whether the connection should have
 	// negotiated a Channel ID with channelIDKey.
 	expectChannelID bool
@@ -181,6 +187,12 @@ type testCase struct {
 	// damageFirstWrite, if true, configures the underlying transport to
 	// damage the final byte of the first application data write.
 	damageFirstWrite bool
+	// exportKeyingMaterial, if non-zero, configures the test to exchange
+	// keying material and verify they match.
+	exportKeyingMaterial int
+	exportLabel          string
+	exportContext        string
+	useExportContext     bool
 	// flags, if not empty, contains a list of command-line flags that will
 	// be passed to the shim program.
 	flags []string
@@ -292,6 +304,18 @@ var testCases = []testCase{
 		expectedError: ":UNEXPECTED_MESSAGE:",
 	},
 	{
+		name: "SkipCertificateStatus",
+		config: Config{
+			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
+			Bugs: ProtocolBugs{
+				SkipCertificateStatus: true,
+			},
+		},
+		flags: []string{
+			"-enable-ocsp-stapling",
+		},
+	},
+	{
 		name: "SkipServerKeyExchange",
 		config: Config{
 			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
@@ -376,11 +400,47 @@ var testCases = []testCase{
 	},
 	{
 		testType: serverTest,
+		name:     "Alert",
+		config: Config{
+			Bugs: ProtocolBugs{
+				SendSpuriousAlert: alertRecordOverflow,
+			},
+		},
+		shouldFail:    true,
+		expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
+	},
+	{
+		protocol: dtls,
+		testType: serverTest,
+		name:     "Alert-DTLS",
+		config: Config{
+			Bugs: ProtocolBugs{
+				SendSpuriousAlert: alertRecordOverflow,
+			},
+		},
+		shouldFail:    true,
+		expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
+	},
+	{
+		testType: serverTest,
 		name:     "FragmentAlert",
 		config: Config{
 			Bugs: ProtocolBugs{
 				FragmentAlert:     true,
-				SendSpuriousAlert: true,
+				SendSpuriousAlert: alertRecordOverflow,
+			},
+		},
+		shouldFail:    true,
+		expectedError: ":BAD_ALERT:",
+	},
+	{
+		protocol: dtls,
+		testType: serverTest,
+		name:     "FragmentAlert-DTLS",
+		config: Config{
+			Bugs: ProtocolBugs{
+				FragmentAlert:     true,
+				SendSpuriousAlert: alertRecordOverflow,
 			},
 		},
 		shouldFail:    true,
@@ -536,11 +596,11 @@ var testCases = []testCase{
 		expectedError: ":WRONG_CIPHER_RETURNED:",
 	},
 	{
-		name: "RSAServerKeyExchange",
+		name: "RSAEphemeralKey",
 		config: Config{
 			CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
 			Bugs: ProtocolBugs{
-				RSAServerKeyExchange: true,
+				RSAEphemeralKey: true,
 			},
 		},
 		shouldFail:    true,
@@ -650,6 +710,380 @@ var testCases = []testCase{
 				AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
 			},
 		},
+		// BoringSSL's DTLS implementation will drop the out-of-order
+		// application data.
+	},
+	{
+		name: "AlertAfterChangeCipherSpec",
+		config: Config{
+			Bugs: ProtocolBugs{
+				AlertAfterChangeCipherSpec: alertRecordOverflow,
+			},
+		},
+		shouldFail:    true,
+		expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
+	},
+	{
+		protocol: dtls,
+		name:     "AlertAfterChangeCipherSpec-DTLS",
+		config: Config{
+			Bugs: ProtocolBugs{
+				AlertAfterChangeCipherSpec: alertRecordOverflow,
+			},
+		},
+		shouldFail:    true,
+		expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
+	},
+	{
+		protocol: dtls,
+		name:     "ReorderHandshakeFragments-Small-DTLS",
+		config: Config{
+			Bugs: ProtocolBugs{
+				ReorderHandshakeFragments: true,
+				// Small enough that every handshake message is
+				// fragmented.
+				MaxHandshakeRecordLength: 2,
+			},
+		},
+	},
+	{
+		protocol: dtls,
+		name:     "ReorderHandshakeFragments-Large-DTLS",
+		config: Config{
+			Bugs: ProtocolBugs{
+				ReorderHandshakeFragments: true,
+				// Large enough that no handshake message is
+				// fragmented.
+				MaxHandshakeRecordLength: 2048,
+			},
+		},
+	},
+	{
+		protocol: dtls,
+		name:     "MixCompleteMessageWithFragments-DTLS",
+		config: Config{
+			Bugs: ProtocolBugs{
+				ReorderHandshakeFragments:       true,
+				MixCompleteMessageWithFragments: true,
+				MaxHandshakeRecordLength:        2,
+			},
+		},
+	},
+	{
+		name: "SendInvalidRecordType",
+		config: Config{
+			Bugs: ProtocolBugs{
+				SendInvalidRecordType: true,
+			},
+		},
+		shouldFail:    true,
+		expectedError: ":UNEXPECTED_RECORD:",
+	},
+	{
+		protocol: dtls,
+		name:     "SendInvalidRecordType-DTLS",
+		config: Config{
+			Bugs: ProtocolBugs{
+				SendInvalidRecordType: true,
+			},
+		},
+		shouldFail:    true,
+		expectedError: ":UNEXPECTED_RECORD:",
+	},
+	{
+		name: "FalseStart-SkipServerSecondLeg",
+		config: Config{
+			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
+			NextProtos:   []string{"foo"},
+			Bugs: ProtocolBugs{
+				SkipNewSessionTicket: true,
+				SkipChangeCipherSpec: true,
+				SkipFinished:         true,
+				ExpectFalseStart:     true,
+			},
+		},
+		flags: []string{
+			"-false-start",
+			"-handshake-never-done",
+			"-advertise-alpn", "\x03foo",
+		},
+		shimWritesFirst: true,
+		shouldFail:      true,
+		expectedError:   ":UNEXPECTED_RECORD:",
+	},
+	{
+		name: "FalseStart-SkipServerSecondLeg-Implicit",
+		config: Config{
+			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
+			NextProtos:   []string{"foo"},
+			Bugs: ProtocolBugs{
+				SkipNewSessionTicket: true,
+				SkipChangeCipherSpec: true,
+				SkipFinished:         true,
+			},
+		},
+		flags: []string{
+			"-implicit-handshake",
+			"-false-start",
+			"-handshake-never-done",
+			"-advertise-alpn", "\x03foo",
+		},
+		shouldFail:    true,
+		expectedError: ":UNEXPECTED_RECORD:",
+	},
+	{
+		testType:           serverTest,
+		name:               "FailEarlyCallback",
+		flags:              []string{"-fail-early-callback"},
+		shouldFail:         true,
+		expectedError:      ":CONNECTION_REJECTED:",
+		expectedLocalError: "remote error: access denied",
+	},
+	{
+		name: "WrongMessageType",
+		config: Config{
+			Bugs: ProtocolBugs{
+				WrongCertificateMessageType: true,
+			},
+		},
+		shouldFail:         true,
+		expectedError:      ":UNEXPECTED_MESSAGE:",
+		expectedLocalError: "remote error: unexpected message",
+	},
+	{
+		protocol: dtls,
+		name:     "WrongMessageType-DTLS",
+		config: Config{
+			Bugs: ProtocolBugs{
+				WrongCertificateMessageType: true,
+			},
+		},
+		shouldFail:         true,
+		expectedError:      ":UNEXPECTED_MESSAGE:",
+		expectedLocalError: "remote error: unexpected message",
+	},
+	{
+		protocol: dtls,
+		name:     "FragmentMessageTypeMismatch-DTLS",
+		config: Config{
+			Bugs: ProtocolBugs{
+				MaxHandshakeRecordLength:    2,
+				FragmentMessageTypeMismatch: true,
+			},
+		},
+		shouldFail:    true,
+		expectedError: ":FRAGMENT_MISMATCH:",
+	},
+	{
+		protocol: dtls,
+		name:     "FragmentMessageLengthMismatch-DTLS",
+		config: Config{
+			Bugs: ProtocolBugs{
+				MaxHandshakeRecordLength:      2,
+				FragmentMessageLengthMismatch: true,
+			},
+		},
+		shouldFail:    true,
+		expectedError: ":FRAGMENT_MISMATCH:",
+	},
+	{
+		protocol: dtls,
+		name:     "SplitFragmentHeader-DTLS",
+		config: Config{
+			Bugs: ProtocolBugs{
+				SplitFragmentHeader: true,
+			},
+		},
+		shouldFail:    true,
+		expectedError: ":UNEXPECTED_MESSAGE:",
+	},
+	{
+		protocol: dtls,
+		name:     "SplitFragmentBody-DTLS",
+		config: Config{
+			Bugs: ProtocolBugs{
+				SplitFragmentBody: true,
+			},
+		},
+		shouldFail:    true,
+		expectedError: ":UNEXPECTED_MESSAGE:",
+	},
+	{
+		protocol: dtls,
+		name:     "SendEmptyFragments-DTLS",
+		config: Config{
+			Bugs: ProtocolBugs{
+				SendEmptyFragments: true,
+			},
+		},
+	},
+	{
+		name: "UnsupportedCipherSuite",
+		config: Config{
+			CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},
+			Bugs: ProtocolBugs{
+				IgnorePeerCipherPreferences: true,
+			},
+		},
+		flags:         []string{"-cipher", "DEFAULT:!RC4"},
+		shouldFail:    true,
+		expectedError: ":WRONG_CIPHER_RETURNED:",
+	},
+	{
+		name: "UnsupportedCurve",
+		config: Config{
+			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
+			// BoringSSL implements P-224 but doesn't enable it by
+			// default.
+			CurvePreferences: []CurveID{CurveP224},
+			Bugs: ProtocolBugs{
+				IgnorePeerCurvePreferences: true,
+			},
+		},
+		shouldFail:    true,
+		expectedError: ":WRONG_CURVE:",
+	},
+	{
+		name: "SendWarningAlerts",
+		config: Config{
+			Bugs: ProtocolBugs{
+				SendWarningAlerts: alertAccessDenied,
+			},
+		},
+	},
+	{
+		protocol: dtls,
+		name:     "SendWarningAlerts-DTLS",
+		config: Config{
+			Bugs: ProtocolBugs{
+				SendWarningAlerts: alertAccessDenied,
+			},
+		},
+	},
+	{
+		name: "BadFinished",
+		config: Config{
+			Bugs: ProtocolBugs{
+				BadFinished: true,
+			},
+		},
+		shouldFail:    true,
+		expectedError: ":DIGEST_CHECK_FAILED:",
+	},
+	{
+		name: "FalseStart-BadFinished",
+		config: Config{
+			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
+			NextProtos:   []string{"foo"},
+			Bugs: ProtocolBugs{
+				BadFinished:      true,
+				ExpectFalseStart: true,
+			},
+		},
+		flags: []string{
+			"-false-start",
+			"-handshake-never-done",
+			"-advertise-alpn", "\x03foo",
+		},
+		shimWritesFirst: true,
+		shouldFail:      true,
+		expectedError:   ":DIGEST_CHECK_FAILED:",
+	},
+	{
+		name: "NoFalseStart-NoALPN",
+		config: Config{
+			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
+			Bugs: ProtocolBugs{
+				ExpectFalseStart:          true,
+				AlertBeforeFalseStartTest: alertAccessDenied,
+			},
+		},
+		flags: []string{
+			"-false-start",
+		},
+		shimWritesFirst:    true,
+		shouldFail:         true,
+		expectedError:      ":TLSV1_ALERT_ACCESS_DENIED:",
+		expectedLocalError: "tls: peer did not false start: EOF",
+	},
+	{
+		name: "NoFalseStart-NoAEAD",
+		config: Config{
+			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
+			NextProtos:   []string{"foo"},
+			Bugs: ProtocolBugs{
+				ExpectFalseStart:          true,
+				AlertBeforeFalseStartTest: alertAccessDenied,
+			},
+		},
+		flags: []string{
+			"-false-start",
+			"-advertise-alpn", "\x03foo",
+		},
+		shimWritesFirst:    true,
+		shouldFail:         true,
+		expectedError:      ":TLSV1_ALERT_ACCESS_DENIED:",
+		expectedLocalError: "tls: peer did not false start: EOF",
+	},
+	{
+		name: "NoFalseStart-RSA",
+		config: Config{
+			CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
+			NextProtos:   []string{"foo"},
+			Bugs: ProtocolBugs{
+				ExpectFalseStart:          true,
+				AlertBeforeFalseStartTest: alertAccessDenied,
+			},
+		},
+		flags: []string{
+			"-false-start",
+			"-advertise-alpn", "\x03foo",
+		},
+		shimWritesFirst:    true,
+		shouldFail:         true,
+		expectedError:      ":TLSV1_ALERT_ACCESS_DENIED:",
+		expectedLocalError: "tls: peer did not false start: EOF",
+	},
+	{
+		name: "NoFalseStart-DHE_RSA",
+		config: Config{
+			CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
+			NextProtos:   []string{"foo"},
+			Bugs: ProtocolBugs{
+				ExpectFalseStart:          true,
+				AlertBeforeFalseStartTest: alertAccessDenied,
+			},
+		},
+		flags: []string{
+			"-false-start",
+			"-advertise-alpn", "\x03foo",
+		},
+		shimWritesFirst:    true,
+		shouldFail:         true,
+		expectedError:      ":TLSV1_ALERT_ACCESS_DENIED:",
+		expectedLocalError: "tls: peer did not false start: EOF",
+	},
+	{
+		testType: serverTest,
+		name:     "NoSupportedCurves",
+		config: Config{
+			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
+			Bugs: ProtocolBugs{
+				NoSupportedCurves: true,
+			},
+		},
+	},
+	{
+		testType: serverTest,
+		name:     "NoCommonCurves",
+		config: Config{
+			CipherSuites: []uint16{
+				TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+				TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+			},
+			CurvePreferences: []CurveID{CurveP224},
+		},
+		expectedCipher: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
 	},
 }
 
@@ -665,7 +1099,8 @@ func doExchange(test *testCase, config *Config, conn net.Conn, messageLen int, i
 	}
 
 	if test.protocol == dtls {
-		conn = newPacketAdaptor(conn)
+		config.Bugs.PacketAdaptor = newPacketAdaptor(conn)
+		conn = config.Bugs.PacketAdaptor
 		if test.replayWrites {
 			conn = newReplayAdaptor(conn)
 		}
@@ -713,6 +1148,10 @@ func doExchange(test *testCase, config *Config, conn net.Conn, messageLen int, i
 		return fmt.Errorf("got version %x, expected %x", vers, expectedVersion)
 	}
 
+	if cipher := tlsConn.ConnectionState().CipherSuite; test.expectedCipher != 0 && cipher != test.expectedCipher {
+		return fmt.Errorf("got cipher %x, expected %x", cipher, test.expectedCipher)
+	}
+
 	if test.expectChannelID {
 		channelID := tlsConn.ConnectionState().ChannelID
 		if channelID == nil {
@@ -741,6 +1180,20 @@ func doExchange(test *testCase, config *Config, conn net.Conn, messageLen int, i
 		return fmt.Errorf("SRTP profile mismatch: got %d, wanted %d", p, test.expectedSRTPProtectionProfile)
 	}
 
+	if test.exportKeyingMaterial > 0 {
+		actual := make([]byte, test.exportKeyingMaterial)
+		if _, err := io.ReadFull(tlsConn, actual); err != nil {
+			return err
+		}
+		expected, err := tlsConn.ExportKeyingMaterial(test.exportKeyingMaterial, []byte(test.exportLabel), []byte(test.exportContext), test.useExportContext)
+		if err != nil {
+			return err
+		}
+		if !bytes.Equal(actual, expected) {
+			return fmt.Errorf("keying material mismatch")
+		}
+	}
+
 	if test.shimWritesFirst {
 		var buf [5]byte
 		_, err := io.ReadFull(tlsConn, buf[:])
@@ -778,21 +1231,14 @@ func doExchange(test *testCase, config *Config, conn net.Conn, messageLen int, i
 		return err
 	}
 
-	var testMessage []byte
-	if config.Bugs.AppDataAfterChangeCipherSpec != nil {
-		// We've already sent a message. Expect the shim to echo it
-		// back.
-		testMessage = config.Bugs.AppDataAfterChangeCipherSpec
-	} else {
-		if messageLen == 0 {
-			messageLen = 32
-		}
-		testMessage = make([]byte, messageLen)
-		for i := range testMessage {
-			testMessage[i] = 0x42
-		}
-		tlsConn.Write(testMessage)
+	if messageLen == 0 {
+		messageLen = 32
 	}
+	testMessage := make([]byte, messageLen)
+	for i := range testMessage {
+		testMessage[i] = 0x42
+	}
+	tlsConn.Write(testMessage)
 
 	buf := make([]byte, len(testMessage))
 	if test.protocol == dtls {
@@ -840,27 +1286,6 @@ func gdbOf(path string, args ...string) *exec.Cmd {
 	return exec.Command("xterm", xtermArgs...)
 }
 
-func openSocketPair() (shimEnd *os.File, conn net.Conn) {
-	socks, err := syscall.Socketpair(syscall.AF_UNIX, syscall.SOCK_STREAM, 0)
-	if err != nil {
-		panic(err)
-	}
-
-	syscall.CloseOnExec(socks[0])
-	syscall.CloseOnExec(socks[1])
-	shimEnd = os.NewFile(uintptr(socks[0]), "shim end")
-	connFile := os.NewFile(uintptr(socks[1]), "our end")
-	conn, err = net.FileConn(connFile)
-	if err != nil {
-		panic(err)
-	}
-	connFile.Close()
-	if err != nil {
-		panic(err)
-	}
-	return shimEnd, conn
-}
-
 type moreMallocsError struct{}
 
 func (moreMallocsError) Error() string {
@@ -869,16 +1294,45 @@ func (moreMallocsError) Error() string {
 
 var errMoreMallocs = moreMallocsError{}
 
+// accept accepts a connection from listener, unless waitChan signals a process
+// exit first.
+func acceptOrWait(listener net.Listener, waitChan chan error) (net.Conn, error) {
+	type connOrError struct {
+		conn net.Conn
+		err  error
+	}
+	connChan := make(chan connOrError, 1)
+	go func() {
+		conn, err := listener.Accept()
+		connChan <- connOrError{conn, err}
+		close(connChan)
+	}()
+	select {
+	case result := <-connChan:
+		return result.conn, result.err
+	case childErr := <-waitChan:
+		waitChan <- childErr
+		return nil, fmt.Errorf("child exited early: %s", childErr)
+	}
+}
+
 func runTest(test *testCase, buildDir string, mallocNumToFail int64) error {
 	if !test.shouldFail && (len(test.expectedError) > 0 || len(test.expectedLocalError) > 0) {
 		panic("Error expected without shouldFail in " + test.name)
 	}
 
-	shimEnd, conn := openSocketPair()
-	shimEndResume, connResume := openSocketPair()
+	listener, err := net.ListenTCP("tcp4", &net.TCPAddr{IP: net.IP{127, 0, 0, 1}})
+	if err != nil {
+		panic(err)
+	}
+	defer func() {
+		if listener != nil {
+			listener.Close()
+		}
+	}()
 
 	shim_path := path.Join(buildDir, "ssl/test/bssl_shim")
-	var flags []string
+	flags := []string{"-port", strconv.Itoa(listener.Addr().(*net.TCPAddr).Port)}
 	if test.testType == serverTest {
 		flags = append(flags, "-server")
 
@@ -909,6 +1363,15 @@ func runTest(test *testCase, buildDir string, mallocNumToFail int64) error {
 		flags = append(flags, "-shim-writes-first")
 	}
 
+	if test.exportKeyingMaterial > 0 {
+		flags = append(flags, "-export-keying-material", strconv.Itoa(test.exportKeyingMaterial))
+		flags = append(flags, "-export-label", test.exportLabel)
+		flags = append(flags, "-export-context", test.exportContext)
+		if test.useExportContext {
+			flags = append(flags, "-use-export-context")
+		}
+	}
+
 	flags = append(flags, test.flags...)
 
 	var shim *exec.Cmd
@@ -919,13 +1382,13 @@ func runTest(test *testCase, buildDir string, mallocNumToFail int64) error {
 	} else {
 		shim = exec.Command(shim_path, flags...)
 	}
-	shim.ExtraFiles = []*os.File{shimEnd, shimEndResume}
 	shim.Stdin = os.Stdin
 	var stdoutBuf, stderrBuf bytes.Buffer
 	shim.Stdout = &stdoutBuf
 	shim.Stderr = &stderrBuf
 	if mallocNumToFail >= 0 {
-		shim.Env = []string{"MALLOC_NUMBER_TO_FAIL=" + strconv.FormatInt(mallocNumToFail, 10)}
+		shim.Env = os.Environ()
+		shim.Env = append(shim.Env, "MALLOC_NUMBER_TO_FAIL="+strconv.FormatInt(mallocNumToFail, 10))
 		if *mallocTestDebug {
 			shim.Env = append(shim.Env, "MALLOC_ABORT_ON_FAIL=1")
 		}
@@ -935,8 +1398,8 @@ func runTest(test *testCase, buildDir string, mallocNumToFail int64) error {
 	if err := shim.Start(); err != nil {
 		panic(err)
 	}
-	shimEnd.Close()
-	shimEndResume.Close()
+	waitChan := make(chan error, 1)
+	go func() { waitChan <- shim.Wait() }()
 
 	config := test.config
 	config.ClientSessionCache = NewLRUClientSessionCache(1)
@@ -945,16 +1408,27 @@ func runTest(test *testCase, buildDir string, mallocNumToFail int64) error {
 		if len(config.Certificates) == 0 {
 			config.Certificates = []Certificate{getRSACertificate()}
 		}
+	} else {
+		// Supply a ServerName to ensure a constant session cache key,
+		// rather than falling back to net.Conn.RemoteAddr.
+		if len(config.ServerName) == 0 {
+			config.ServerName = "test"
+		}
 	}
 
-	err := doExchange(test, &config, conn, test.messageLen,
-		false /* not a resumption */)
-	conn.Close()
+	conn, err := acceptOrWait(listener, waitChan)
+	if err == nil {
+		err = doExchange(test, &config, conn, test.messageLen, false /* not a resumption */)
+		conn.Close()
+	}
 
 	if err == nil && test.resumeSession {
 		var resumeConfig Config
 		if test.resumeConfig != nil {
 			resumeConfig = *test.resumeConfig
+			if len(resumeConfig.ServerName) == 0 {
+				resumeConfig.ServerName = config.ServerName
+			}
 			if len(resumeConfig.Certificates) == 0 {
 				resumeConfig.Certificates = []Certificate{getRSACertificate()}
 			}
@@ -966,12 +1440,20 @@ func runTest(test *testCase, buildDir string, mallocNumToFail int64) error {
 		} else {
 			resumeConfig = config
 		}
-		err = doExchange(test, &resumeConfig, connResume, test.messageLen,
-			true /* resumption */)
+		var connResume net.Conn
+		connResume, err = acceptOrWait(listener, waitChan)
+		if err == nil {
+			err = doExchange(test, &resumeConfig, connResume, test.messageLen, true /* resumption */)
+			connResume.Close()
+		}
 	}
-	connResume.Close()
 
-	childErr := shim.Wait()
+	// Close the listener now. This is to avoid hangs should the shim try to
+	// open more connections than expected.
+	listener.Close()
+	listener = nil
+
+	childErr := <-waitChan
 	if exitError, ok := childErr.(*exec.ExitError); ok {
 		if exitError.Sys().(syscall.WaitStatus).ExitStatus() == 88 {
 			return errMoreMallocs
@@ -981,7 +1463,7 @@ func runTest(test *testCase, buildDir string, mallocNumToFail int64) error {
 	stdout := string(stdoutBuf.Bytes())
 	stderr := string(stderrBuf.Bytes())
 	failed := err != nil || childErr != nil
-	correctFailure := len(test.expectedError) == 0 || strings.Contains(stdout, test.expectedError)
+	correctFailure := len(test.expectedError) == 0 || strings.Contains(stderr, test.expectedError)
 	localError := "none"
 	if err != nil {
 		localError = err.Error()
@@ -1008,10 +1490,10 @@ func runTest(test *testCase, buildDir string, mallocNumToFail int64) error {
 			panic("internal error")
 		}
 
-		return fmt.Errorf("%s: local error '%s', child error '%s', stdout:\n%s\nstderr:\n%s", msg, localError, childError, string(stdoutBuf.Bytes()), stderr)
+		return fmt.Errorf("%s: local error '%s', child error '%s', stdout:\n%s\nstderr:\n%s", msg, localError, childError, stdout, stderr)
 	}
 
-	if !*useValgrind && len(stderr) > 0 {
+	if !*useValgrind && !failed && len(stderr) > 0 {
 		println(stderr)
 	}
 
@@ -1047,12 +1529,14 @@ var testCipherSuites = []struct {
 	{"DHE-RSA-AES256-GCM", TLS_DHE_RSA_WITH_AES_256_GCM_SHA384},
 	{"DHE-RSA-AES256-SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA},
 	{"DHE-RSA-AES256-SHA256", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256},
+	{"DHE-RSA-CHACHA20-POLY1305", TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
 	{"ECDHE-ECDSA-AES128-GCM", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
 	{"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA},
 	{"ECDHE-ECDSA-AES128-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256},
 	{"ECDHE-ECDSA-AES256-GCM", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
 	{"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
 	{"ECDHE-ECDSA-AES256-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384},
+	{"ECDHE-ECDSA-CHACHA20-POLY1305", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256},
 	{"ECDHE-ECDSA-RC4-SHA", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA},
 	{"ECDHE-PSK-AES128-GCM-SHA256", TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256},
 	{"ECDHE-RSA-AES128-GCM", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
@@ -1061,6 +1545,7 @@ var testCipherSuites = []struct {
 	{"ECDHE-RSA-AES256-GCM", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
 	{"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
 	{"ECDHE-RSA-AES256-SHA384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384},
+	{"ECDHE-RSA-CHACHA20-POLY1305", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
 	{"ECDHE-RSA-RC4-SHA", TLS_ECDHE_RSA_WITH_RC4_128_SHA},
 	{"PSK-AES128-CBC-SHA", TLS_PSK_WITH_AES_128_CBC_SHA},
 	{"PSK-AES256-CBC-SHA", TLS_PSK_WITH_AES_256_CBC_SHA},
@@ -1076,7 +1561,8 @@ func hasComponent(suiteName, component string) bool {
 func isTLS12Only(suiteName string) bool {
 	return hasComponent(suiteName, "GCM") ||
 		hasComponent(suiteName, "SHA256") ||
-		hasComponent(suiteName, "SHA384")
+		hasComponent(suiteName, "SHA384") ||
+		hasComponent(suiteName, "POLY1305")
 }
 
 func isDTLSCipher(suiteName string) bool {
@@ -1454,6 +1940,17 @@ func addStateMachineCoverageTests(async, splitHandshake bool, protocol protocol)
 	})
 	testCases = append(testCases, testCase{
 		protocol: protocol,
+		name:     "Basic-Client-Implicit" + suffix,
+		config: Config{
+			Bugs: ProtocolBugs{
+				MaxHandshakeRecordLength: maxHandshakeRecordLength,
+			},
+		},
+		flags:         append(flags, "-implicit-handshake"),
+		resumeSession: true,
+	})
+	testCases = append(testCases, testCase{
+		protocol: protocol,
 		testType: serverTest,
 		name:     "Basic-Server" + suffix,
 		config: Config{
@@ -1477,6 +1974,30 @@ func addStateMachineCoverageTests(async, splitHandshake bool, protocol protocol)
 		flags:         flags,
 		resumeSession: true,
 	})
+	testCases = append(testCases, testCase{
+		protocol: protocol,
+		testType: serverTest,
+		name:     "Basic-Server-Implicit" + suffix,
+		config: Config{
+			Bugs: ProtocolBugs{
+				MaxHandshakeRecordLength: maxHandshakeRecordLength,
+			},
+		},
+		flags:         append(flags, "-implicit-handshake"),
+		resumeSession: true,
+	})
+	testCases = append(testCases, testCase{
+		protocol: protocol,
+		testType: serverTest,
+		name:     "Basic-Server-EarlyCallback" + suffix,
+		config: Config{
+			Bugs: ProtocolBugs{
+				MaxHandshakeRecordLength: maxHandshakeRecordLength,
+			},
+		},
+		flags:         append(flags, "-use-early-callback"),
+		resumeSession: true,
+	})
 
 	// TLS client auth.
 	testCases = append(testCases, testCase{
@@ -1588,6 +2109,8 @@ func addStateMachineCoverageTests(async, splitHandshake bool, protocol protocol)
 			expectedNextProtoType: npn,
 		})
 
+		// TODO(davidben): Add tests for when False Start doesn't trigger.
+
 		// Client does False Start and negotiates NPN.
 		testCases = append(testCases, testCase{
 			protocol: protocol,
@@ -1626,9 +2149,27 @@ func addStateMachineCoverageTests(async, splitHandshake bool, protocol protocol)
 			resumeSession:   true,
 		})
 
+		// Client does False Start but doesn't explicitly call
+		// SSL_connect.
+		testCases = append(testCases, testCase{
+			protocol: protocol,
+			name:     "FalseStart-Implicit" + suffix,
+			config: Config{
+				CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
+				NextProtos:   []string{"foo"},
+				Bugs: ProtocolBugs{
+					MaxHandshakeRecordLength: maxHandshakeRecordLength,
+				},
+			},
+			flags: append(flags,
+				"-implicit-handshake",
+				"-false-start",
+				"-advertise-alpn", "\x03foo"),
+		})
+
 		// False Start without session tickets.
 		testCases = append(testCases, testCase{
-			name: "FalseStart-SessionTicketsDisabled",
+			name: "FalseStart-SessionTicketsDisabled" + suffix,
 			config: Config{
 				CipherSuites:           []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
 				NextProtos:             []string{"foo"},
@@ -1710,17 +2251,36 @@ func addStateMachineCoverageTests(async, splitHandshake bool, protocol protocol)
 			},
 			flags: flags,
 		})
+	}
+}
+
+func addDDoSCallbackTests() {
+	// DDoS callback.
+
+	for _, resume := range []bool{false, true} {
+		suffix := "Resume"
+		if resume {
+			suffix = "No" + suffix
+		}
 
 		testCases = append(testCases, testCase{
-			testType: serverTest,
-			protocol: protocol,
-			name:     "CookieExchange" + suffix,
-			config: Config{
-				Bugs: ProtocolBugs{
-					MaxHandshakeRecordLength: maxHandshakeRecordLength,
-				},
-			},
-			flags: append(flags, "-cookie-exchange"),
+			testType:      serverTest,
+			name:          "Server-DDoS-OK-" + suffix,
+			flags:         []string{"-install-ddos-callback"},
+			resumeSession: resume,
+		})
+
+		failFlag := "-fail-ddos-callback"
+		if resume {
+			failFlag = "-fail-second-ddos-callback"
+		}
+		testCases = append(testCases, testCase{
+			testType:      serverTest,
+			name:          "Server-DDoS-Reject-" + suffix,
+			flags:         []string{"-install-ddos-callback", failFlag},
+			resumeSession: resume,
+			shouldFail:    true,
+			expectedError: ":CONNECTION_REJECTED:",
 		})
 	}
 }
@@ -1976,7 +2536,7 @@ func addExtensionTests() {
 	})
 	testCases = append(testCases, testCase{
 		testType: clientTest,
-		name:     "ServerNameExtensionClient",
+		name:     "ServerNameExtensionClientMismatch",
 		config: Config{
 			Bugs: ProtocolBugs{
 				ExpectServerName: "mismatch.com",
@@ -1988,7 +2548,7 @@ func addExtensionTests() {
 	})
 	testCases = append(testCases, testCase{
 		testType: clientTest,
-		name:     "ServerNameExtensionClient",
+		name:     "ServerNameExtensionClientMissing",
 		config: Config{
 			Bugs: ProtocolBugs{
 				ExpectServerName: "missing.com",
@@ -2201,27 +2761,40 @@ func addResumptionVersionTests() {
 					suffix += "-DTLS"
 				}
 
-				testCases = append(testCases, testCase{
-					protocol:      protocol,
-					name:          "Resume-Client" + suffix,
-					resumeSession: true,
-					config: Config{
-						MaxVersion:   sessionVers.version,
-						CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
-						Bugs: ProtocolBugs{
-							AllowSessionVersionMismatch: true,
+				if sessionVers.version == resumeVers.version {
+					testCases = append(testCases, testCase{
+						protocol:      protocol,
+						name:          "Resume-Client" + suffix,
+						resumeSession: true,
+						config: Config{
+							MaxVersion:   sessionVers.version,
+							CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
 						},
-					},
-					expectedVersion: sessionVers.version,
-					resumeConfig: &Config{
-						MaxVersion:   resumeVers.version,
-						CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
-						Bugs: ProtocolBugs{
-							AllowSessionVersionMismatch: true,
+						expectedVersion:       sessionVers.version,
+						expectedResumeVersion: resumeVers.version,
+					})
+				} else {
+					testCases = append(testCases, testCase{
+						protocol:      protocol,
+						name:          "Resume-Client-Mismatch" + suffix,
+						resumeSession: true,
+						config: Config{
+							MaxVersion:   sessionVers.version,
+							CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
 						},
-					},
-					expectedResumeVersion: resumeVers.version,
-				})
+						expectedVersion: sessionVers.version,
+						resumeConfig: &Config{
+							MaxVersion:   resumeVers.version,
+							CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
+							Bugs: ProtocolBugs{
+								AllowSessionVersionMismatch: true,
+							},
+						},
+						expectedResumeVersion: resumeVers.version,
+						shouldFail:            true,
+						expectedError:         ":OLD_SESSION_VERSION_NOT_RETURNED:",
+					})
+				}
 
 				testCases = append(testCases, testCase{
 					protocol:      protocol,
@@ -2265,6 +2838,22 @@ func addResumptionVersionTests() {
 			}
 		}
 	}
+
+	testCases = append(testCases, testCase{
+		name:          "Resume-Client-CipherMismatch",
+		resumeSession: true,
+		config: Config{
+			CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
+		},
+		resumeConfig: &Config{
+			CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
+			Bugs: ProtocolBugs{
+				SendCipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA,
+			},
+		},
+		shouldFail:    true,
+		expectedError: ":OLD_SESSION_CIPHER_NOT_RETURNED:",
+	})
 }
 
 func addRenegotiationTests() {
@@ -2276,6 +2865,17 @@ func addRenegotiationTests() {
 	})
 	testCases = append(testCases, testCase{
 		testType: serverTest,
+		name:     "Renegotiate-Server-Full",
+		config: Config{
+			Bugs: ProtocolBugs{
+				NeverResumeOnRenego: true,
+			},
+		},
+		flags:           []string{"-renegotiate"},
+		shimWritesFirst: true,
+	})
+	testCases = append(testCases, testCase{
+		testType: serverTest,
 		name:     "Renegotiate-Server-EmptyExt",
 		config: Config{
 			Bugs: ProtocolBugs{
@@ -2328,12 +2928,43 @@ func addRenegotiationTests() {
 		},
 		flags: []string{"-allow-unsafe-legacy-renegotiation"},
 	})
+	testCases = append(testCases, testCase{
+		testType:           serverTest,
+		name:               "Renegotiate-Server-ClientInitiated-Forbidden",
+		renegotiate:        true,
+		flags:              []string{"-reject-peer-renegotiations"},
+		shouldFail:         true,
+		expectedError:      ":NO_RENEGOTIATION:",
+		expectedLocalError: "remote error: no renegotiation",
+	})
+	// Regression test for CVE-2015-0291.
+	testCases = append(testCases, testCase{
+		testType: serverTest,
+		name:     "Renegotiate-Server-NoSignatureAlgorithms",
+		config: Config{
+			Bugs: ProtocolBugs{
+				NeverResumeOnRenego:           true,
+				NoSignatureAlgorithmsOnRenego: true,
+			},
+		},
+		flags:           []string{"-renegotiate"},
+		shimWritesFirst: true,
+	})
 	// TODO(agl): test the renegotiation info SCSV.
 	testCases = append(testCases, testCase{
 		name:        "Renegotiate-Client",
 		renegotiate: true,
 	})
 	testCases = append(testCases, testCase{
+		name: "Renegotiate-Client-Full",
+		config: Config{
+			Bugs: ProtocolBugs{
+				NeverResumeOnRenego: true,
+			},
+		},
+		renegotiate: true,
+	})
+	testCases = append(testCases, testCase{
 		name:        "Renegotiate-Client-EmptyExt",
 		renegotiate: true,
 		config: Config{
@@ -2372,6 +3003,14 @@ func addRenegotiationTests() {
 		renegotiateCiphers: []uint16{TLS_RSA_WITH_RC4_128_SHA},
 	})
 	testCases = append(testCases, testCase{
+		name:               "Renegotiate-Client-Forbidden",
+		renegotiate:        true,
+		flags:              []string{"-reject-peer-renegotiations"},
+		shouldFail:         true,
+		expectedError:      ":NO_RENEGOTIATION:",
+		expectedLocalError: "remote error: no renegotiation",
+	})
+	testCases = append(testCases, testCase{
 		name:        "Renegotiate-SameClientVersion",
 		renegotiate: true,
 		config: Config{
@@ -2418,7 +3057,7 @@ func addFastRadioPaddingTests() {
 	})
 	testCases = append(testCases, testCase{
 		protocol: dtls,
-		name:     "FastRadio-Padding",
+		name:     "FastRadio-Padding-DTLS",
 		config: Config{
 			Bugs: ProtocolBugs{
 				RequireFastradioPadding: true,
@@ -2534,6 +3173,196 @@ func addSigningHashTests() {
 			},
 		},
 	})
+
+	// Test that hash preferences are enforced. BoringSSL defaults to
+	// rejecting MD5 signatures.
+	testCases = append(testCases, testCase{
+		testType: serverTest,
+		name:     "SigningHash-ClientAuth-Enforced",
+		config: Config{
+			Certificates: []Certificate{rsaCertificate},
+			SignatureAndHashes: []signatureAndHash{
+				{signatureRSA, hashMD5},
+				// Advertise SHA-1 so the handshake will
+				// proceed, but the shim's preferences will be
+				// ignored in CertificateVerify generation, so
+				// MD5 will be chosen.
+				{signatureRSA, hashSHA1},
+			},
+			Bugs: ProtocolBugs{
+				IgnorePeerSignatureAlgorithmPreferences: true,
+			},
+		},
+		flags:         []string{"-require-any-client-certificate"},
+		shouldFail:    true,
+		expectedError: ":WRONG_SIGNATURE_TYPE:",
+	})
+
+	testCases = append(testCases, testCase{
+		name: "SigningHash-ServerKeyExchange-Enforced",
+		config: Config{
+			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
+			SignatureAndHashes: []signatureAndHash{
+				{signatureRSA, hashMD5},
+			},
+			Bugs: ProtocolBugs{
+				IgnorePeerSignatureAlgorithmPreferences: true,
+			},
+		},
+		shouldFail:    true,
+		expectedError: ":WRONG_SIGNATURE_TYPE:",
+	})
+}
+
+// timeouts is the retransmit schedule for BoringSSL. It doubles and
+// caps at 60 seconds. On the 13th timeout, it gives up.
+var timeouts = []time.Duration{
+	1 * time.Second,
+	2 * time.Second,
+	4 * time.Second,
+	8 * time.Second,
+	16 * time.Second,
+	32 * time.Second,
+	60 * time.Second,
+	60 * time.Second,
+	60 * time.Second,
+	60 * time.Second,
+	60 * time.Second,
+	60 * time.Second,
+	60 * time.Second,
+}
+
+func addDTLSRetransmitTests() {
+	// Test that this is indeed the timeout schedule. Stress all
+	// four patterns of handshake.
+	for i := 1; i < len(timeouts); i++ {
+		number := strconv.Itoa(i)
+		testCases = append(testCases, testCase{
+			protocol: dtls,
+			name:     "DTLS-Retransmit-Client-" + number,
+			config: Config{
+				Bugs: ProtocolBugs{
+					TimeoutSchedule: timeouts[:i],
+				},
+			},
+			resumeSession: true,
+			flags:         []string{"-async"},
+		})
+		testCases = append(testCases, testCase{
+			protocol: dtls,
+			testType: serverTest,
+			name:     "DTLS-Retransmit-Server-" + number,
+			config: Config{
+				Bugs: ProtocolBugs{
+					TimeoutSchedule: timeouts[:i],
+				},
+			},
+			resumeSession: true,
+			flags:         []string{"-async"},
+		})
+	}
+
+	// Test that exceeding the timeout schedule hits a read
+	// timeout.
+	testCases = append(testCases, testCase{
+		protocol: dtls,
+		name:     "DTLS-Retransmit-Timeout",
+		config: Config{
+			Bugs: ProtocolBugs{
+				TimeoutSchedule: timeouts,
+			},
+		},
+		resumeSession: true,
+		flags:         []string{"-async"},
+		shouldFail:    true,
+		expectedError: ":READ_TIMEOUT_EXPIRED:",
+	})
+
+	// Test that timeout handling has a fudge factor, due to API
+	// problems.
+	testCases = append(testCases, testCase{
+		protocol: dtls,
+		name:     "DTLS-Retransmit-Fudge",
+		config: Config{
+			Bugs: ProtocolBugs{
+				TimeoutSchedule: []time.Duration{
+					timeouts[0] - 10*time.Millisecond,
+				},
+			},
+		},
+		resumeSession: true,
+		flags:         []string{"-async"},
+	})
+
+	// Test that the final Finished retransmitting isn't
+	// duplicated if the peer badly fragments everything.
+	testCases = append(testCases, testCase{
+		testType: serverTest,
+		protocol: dtls,
+		name:     "DTLS-Retransmit-Fragmented",
+		config: Config{
+			Bugs: ProtocolBugs{
+				TimeoutSchedule:          []time.Duration{timeouts[0]},
+				MaxHandshakeRecordLength: 2,
+			},
+		},
+		flags: []string{"-async"},
+	})
+}
+
+func addExportKeyingMaterialTests() {
+	for _, vers := range tlsVersions {
+		if vers.version == VersionSSL30 {
+			continue
+		}
+		testCases = append(testCases, testCase{
+			name: "ExportKeyingMaterial-" + vers.name,
+			config: Config{
+				MaxVersion: vers.version,
+			},
+			exportKeyingMaterial: 1024,
+			exportLabel:          "label",
+			exportContext:        "context",
+			useExportContext:     true,
+		})
+		testCases = append(testCases, testCase{
+			name: "ExportKeyingMaterial-NoContext-" + vers.name,
+			config: Config{
+				MaxVersion: vers.version,
+			},
+			exportKeyingMaterial: 1024,
+		})
+		testCases = append(testCases, testCase{
+			name: "ExportKeyingMaterial-EmptyContext-" + vers.name,
+			config: Config{
+				MaxVersion: vers.version,
+			},
+			exportKeyingMaterial: 1024,
+			useExportContext:     true,
+		})
+		testCases = append(testCases, testCase{
+			name: "ExportKeyingMaterial-Small-" + vers.name,
+			config: Config{
+				MaxVersion: vers.version,
+			},
+			exportKeyingMaterial: 1,
+			exportLabel:          "label",
+			exportContext:        "context",
+			useExportContext:     true,
+		})
+	}
+	testCases = append(testCases, testCase{
+		name: "ExportKeyingMaterial-SSL3",
+		config: Config{
+			MaxVersion: VersionSSL30,
+		},
+		exportKeyingMaterial: 1024,
+		exportLabel:          "label",
+		exportContext:        "context",
+		useExportContext:     true,
+		shouldFail:           true,
+		expectedError:        "failed to export keying material",
+	})
 }
 
 func worker(statusChan chan statusMsg, c chan *testCase, buildDir string, wg *sync.WaitGroup) {
@@ -2566,27 +3395,47 @@ type statusMsg struct {
 	err     error
 }
 
-func statusPrinter(doneChan chan struct{}, statusChan chan statusMsg, total int) {
+func statusPrinter(doneChan chan *testOutput, statusChan chan statusMsg, total int) {
 	var started, done, failed, lineLen int
-	defer close(doneChan)
 
+	testOutput := newTestOutput()
 	for msg := range statusChan {
+		if !*pipe {
+			// Erase the previous status line.
+			var erase string
+			for i := 0; i < lineLen; i++ {
+				erase += "\b \b"
+			}
+			fmt.Print(erase)
+		}
+
 		if msg.started {
 			started++
 		} else {
 			done++
-		}
 
-		fmt.Printf("\x1b[%dD\x1b[K", lineLen)
+			if msg.err != nil {
+				fmt.Printf("FAILED (%s)\n%s\n", msg.test.name, msg.err)
+				failed++
+				testOutput.addResult(msg.test.name, "FAIL")
+			} else {
+				if *pipe {
+					// Print each test instead of a status line.
+					fmt.Printf("PASSED (%s)\n", msg.test.name)
+				}
+				testOutput.addResult(msg.test.name, "PASS")
+			}
+		}
 
-		if msg.err != nil {
-			fmt.Printf("FAILED (%s)\n%s\n", msg.test.name, msg.err)
-			failed++
+		if !*pipe {
+			// Print a new status line.
+			line := fmt.Sprintf("%d/%d/%d/%d", failed, done, started, total)
+			lineLen = len(line)
+			os.Stdout.WriteString(line)
 		}
-		line := fmt.Sprintf("%d/%d/%d/%d", failed, done, started, total)
-		lineLen = len(line)
-		os.Stdout.WriteString(line)
 	}
+
+	doneChan <- testOutput
 }
 
 func main() {
@@ -2601,6 +3450,7 @@ func main() {
 	addCBCPaddingTests()
 	addCBCSplittingTests()
 	addClientAuthTests()
+	addDDoSCallbackTests()
 	addVersionNegotiationTests()
 	addMinimumVersionTests()
 	addD5BugTests()
@@ -2611,6 +3461,8 @@ func main() {
 	addDTLSReplayTests()
 	addSigningHashTests()
 	addFastRadioPaddingTests()
+	addDTLSRetransmitTests()
+	addExportKeyingMaterialTests()
 	for _, async := range []bool{false, true} {
 		for _, splitHandshake := range []bool{false, true} {
 			for _, protocol := range []protocol{tls, dtls} {
@@ -2625,7 +3477,7 @@ func main() {
 
 	statusChan := make(chan statusMsg, numWorkers)
 	testChan := make(chan *testCase, numWorkers)
-	doneChan := make(chan struct{})
+	doneChan := make(chan *testOutput)
 
 	go statusPrinter(doneChan, statusChan, len(testCases))
 
@@ -2643,7 +3495,17 @@ func main() {
 	close(testChan)
 	wg.Wait()
 	close(statusChan)
-	<-doneChan
+	testOutput := <-doneChan
 
 	fmt.Printf("\n")
+
+	if *jsonOutput != "" {
+		if err := testOutput.writeTo(*jsonOutput); err != nil {
+			fmt.Fprintf(os.Stderr, "Error: %s\n", err)
+		}
+	}
+
+	if !testOutput.allPassed {
+		os.Exit(1)
+	}
 }
diff --git a/src/ssl/test/runner/test_output.go b/src/ssl/test/runner/test_output.go
new file mode 100644
index 0000000..bcb7a93
--- /dev/null
+++ b/src/ssl/test/runner/test_output.go
@@ -0,0 +1,79 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+package main
+
+import (
+	"encoding/json"
+	"os"
+	"time"
+)
+
+// testOutput is a representation of Chromium's JSON test result format. See
+// https://www.chromium.org/developers/the-json-test-results-format
+type testOutput struct {
+	Version           int                   `json:"version"`
+	Interrupted       bool                  `json:"interrupted"`
+	PathDelimiter     string                `json:"path_delimiter"`
+	SecondsSinceEpoch float64               `json:"seconds_since_epoch"`
+	NumFailuresByType map[string]int        `json:"num_failures_by_type"`
+	Tests             map[string]testResult `json:"tests"`
+	allPassed         bool
+}
+
+type testResult struct {
+	Actual       string `json:"actual"`
+	Expected     string `json:"expected"`
+	IsUnexpected bool   `json:"is_unexpected"`
+}
+
+func newTestOutput() *testOutput {
+	return &testOutput{
+		Version:           3,
+		PathDelimiter:     ".",
+		SecondsSinceEpoch: float64(time.Now().UnixNano()) / float64(time.Second/time.Nanosecond),
+		NumFailuresByType: make(map[string]int),
+		Tests:             make(map[string]testResult),
+		allPassed:         true,
+	}
+}
+
+func (t *testOutput) addResult(name, result string) {
+	if _, found := t.Tests[name]; found {
+		panic(name)
+	}
+	t.Tests[name] = testResult{
+		Actual:       result,
+		Expected:     "PASS",
+		IsUnexpected: result != "PASS",
+	}
+	t.NumFailuresByType[result]++
+	if result != "PASS" {
+		t.allPassed = false
+	}
+}
+
+func (t *testOutput) writeTo(name string) error {
+	file, err := os.Create(name)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+	out, err := json.MarshalIndent(t, "", "  ")
+	if err != nil {
+		return err
+	}
+	_, err = file.Write(out)
+	return err
+}
diff --git a/src/crypto/buf/buf_error.c b/src/ssl/test/scoped_types.h
index fac6011..7e92cee 100644
--- a/src/crypto/buf/buf_error.c
+++ b/src/ssl/test/scoped_types.h
@@ -1,4 +1,4 @@
-/* Copyright (c) 2014, Google Inc.
+/* Copyright (c) 2015, Google Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -12,14 +12,17 @@
  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
 
-#include <openssl/err.h>
+#ifndef OPENSSL_HEADER_SSL_TEST_SCOPED_TYPES_H
+#define OPENSSL_HEADER_SSL_TEST_SCOPED_TYPES_H
 
-#include <openssl/buf.h>
+#include <openssl/ssl.h>
 
-const ERR_STRING_DATA BUF_error_string_data[] = {
-  {ERR_PACK(ERR_LIB_BUF, BUF_F_BUF_MEM_new, 0), "BUF_MEM_new"},
-  {ERR_PACK(ERR_LIB_BUF, BUF_F_BUF_memdup, 0), "BUF_memdup"},
-  {ERR_PACK(ERR_LIB_BUF, BUF_F_BUF_strndup, 0), "BUF_strndup"},
-  {ERR_PACK(ERR_LIB_BUF, BUF_F_buf_mem_grow, 0), "buf_mem_grow"},
-  {0, NULL},
-};
+#include "../../crypto/test/scoped_types.h"
+
+
+using ScopedSSL = ScopedOpenSSLType<SSL, SSL_free>;
+using ScopedSSL_CTX = ScopedOpenSSLType<SSL_CTX, SSL_CTX_free>;
+using ScopedSSL_SESSION = ScopedOpenSSLType<SSL_SESSION, SSL_SESSION_free>;
+
+
+#endif  // OPENSSL_HEADER_SSL_TEST_SCOPED_TYPES_H
diff --git a/src/ssl/test/test_config.cc b/src/ssl/test/test_config.cc
index c032d96..25906f7 100644
--- a/src/ssl/test/test_config.cc
+++ b/src/ssl/test/test_config.cc
@@ -60,7 +60,6 @@ const Flag<bool> kBoolFlags[] = {
   { "-no-tls11", &TestConfig::no_tls11 },
   { "-no-tls1", &TestConfig::no_tls1 },
   { "-no-ssl3", &TestConfig::no_ssl3 },
-  { "-cookie-exchange", &TestConfig::cookie_exchange },
   { "-shim-writes-first", &TestConfig::shim_writes_first },
   { "-tls-d5-bug", &TestConfig::tls_d5_bug },
   { "-expect-session-miss", &TestConfig::expect_session_miss },
@@ -73,6 +72,15 @@ const Flag<bool> kBoolFlags[] = {
   { "-enable-signed-cert-timestamps",
     &TestConfig::enable_signed_cert_timestamps },
   { "-fastradio-padding", &TestConfig::fastradio_padding },
+  { "-implicit-handshake", &TestConfig::implicit_handshake },
+  { "-use-early-callback", &TestConfig::use_early_callback },
+  { "-fail-early-callback", &TestConfig::fail_early_callback },
+  { "-install-ddos-callback", &TestConfig::install_ddos_callback },
+  { "-fail-ddos-callback", &TestConfig::fail_ddos_callback },
+  { "-fail-second-ddos-callback", &TestConfig::fail_second_ddos_callback },
+  { "-handshake-never-done", &TestConfig::handshake_never_done },
+  { "-use-export-context", &TestConfig::use_export_context },
+  { "-reject-peer-renegotiations", &TestConfig::reject_peer_renegotiations },
 };
 
 const Flag<std::string> kStringFlags[] = {
@@ -91,6 +99,9 @@ const Flag<std::string> kStringFlags[] = {
   { "-psk", &TestConfig::psk },
   { "-psk-identity", &TestConfig::psk_identity },
   { "-srtp-profiles", &TestConfig::srtp_profiles },
+  { "-cipher", &TestConfig::cipher },
+  { "-export-label", &TestConfig::export_label },
+  { "-export-context", &TestConfig::export_context },
 };
 
 const Flag<std::string> kBase64Flags[] = {
@@ -102,43 +113,15 @@ const Flag<std::string> kBase64Flags[] = {
 };
 
 const Flag<int> kIntFlags[] = {
+  { "-port", &TestConfig::port },
   { "-min-version", &TestConfig::min_version },
   { "-max-version", &TestConfig::max_version },
   { "-mtu", &TestConfig::mtu },
+  { "-export-keying-material", &TestConfig::export_keying_material },
 };
 
 }  // namespace
 
-TestConfig::TestConfig()
-    : is_server(false),
-      is_dtls(false),
-      resume(false),
-      fallback_scsv(false),
-      require_any_client_certificate(false),
-      false_start(false),
-      async(false),
-      write_different_record_sizes(false),
-      cbc_record_splitting(false),
-      partial_write(false),
-      no_tls12(false),
-      no_tls11(false),
-      no_tls1(false),
-      no_ssl3(false),
-      cookie_exchange(false),
-      shim_writes_first(false),
-      tls_d5_bug(false),
-      expect_session_miss(false),
-      expect_extended_master_secret(false),
-      renegotiate(false),
-      allow_unsafe_legacy_renegotiation(false),
-      enable_ocsp_stapling(false),
-      enable_signed_cert_timestamps(false),
-      fastradio_padding(false),
-      min_version(0),
-      max_version(0),
-      mtu(0) {
-}
-
 bool ParseConfig(int argc, char **argv, TestConfig *out_config) {
   for (int i = 0; i < argc; i++) {
     bool *bool_field = FindField(out_config, kBoolFlags, argv[i]);
diff --git a/src/ssl/test/test_config.h b/src/ssl/test/test_config.h
index ba54227..f107a0f 100644
--- a/src/ssl/test/test_config.h
+++ b/src/ssl/test/test_config.h
@@ -19,54 +19,65 @@
 
 
 struct TestConfig {
-  TestConfig();
-
-  bool is_server;
-  bool is_dtls;
-  bool resume;
-  bool fallback_scsv;
+  int port = 0;
+  bool is_server = false;
+  bool is_dtls = false;
+  bool resume = false;
+  bool fallback_scsv = false;
   std::string key_file;
   std::string cert_file;
   std::string expected_server_name;
   std::string expected_certificate_types;
-  bool require_any_client_certificate;
+  bool require_any_client_certificate = false;
   std::string advertise_npn;
   std::string expected_next_proto;
-  bool false_start;
+  bool false_start = false;
   std::string select_next_proto;
-  bool async;
-  bool write_different_record_sizes;
-  bool cbc_record_splitting;
-  bool partial_write;
-  bool no_tls12;
-  bool no_tls11;
-  bool no_tls1;
-  bool no_ssl3;
-  bool cookie_exchange;
+  bool async = false;
+  bool write_different_record_sizes = false;
+  bool cbc_record_splitting = false;
+  bool partial_write = false;
+  bool no_tls12 = false;
+  bool no_tls11 = false;
+  bool no_tls1 = false;
+  bool no_ssl3 = false;
   std::string expected_channel_id;
   std::string send_channel_id;
-  bool shim_writes_first;
-  bool tls_d5_bug;
+  bool shim_writes_first = false;
+  bool tls_d5_bug = false;
   std::string host_name;
   std::string advertise_alpn;
   std::string expected_alpn;
   std::string expected_advertised_alpn;
   std::string select_alpn;
-  bool expect_session_miss;
-  bool expect_extended_master_secret;
+  bool expect_session_miss = false;
+  bool expect_extended_master_secret = false;
   std::string psk;
   std::string psk_identity;
-  bool renegotiate;
-  bool allow_unsafe_legacy_renegotiation;
+  bool renegotiate = false;
+  bool allow_unsafe_legacy_renegotiation = false;
   std::string srtp_profiles;
-  bool enable_ocsp_stapling;
+  bool enable_ocsp_stapling = false;
   std::string expected_ocsp_response;
-  bool enable_signed_cert_timestamps;
+  bool enable_signed_cert_timestamps = false;
   std::string expected_signed_cert_timestamps;
-  bool fastradio_padding;
-  int min_version;
-  int max_version;
-  int mtu;
+  bool fastradio_padding = false;
+  int min_version = 0;
+  int max_version = 0;
+  int mtu = 0;
+  bool implicit_handshake = false;
+  bool use_early_callback = false;
+  bool fail_early_callback = false;
+  bool install_ddos_callback = false;
+  bool fail_ddos_callback = false;
+  bool fail_second_ddos_callback = false;
+  std::string cipher;
+  bool handshake_never_done = false;
+  int export_keying_material = 0;
+  std::string export_label;
+  std::string export_context;
+  bool use_export_context = false;
+  bool reject_peer_renegotiations = false;
 };
 
 bool ParseConfig(int argc, char **argv, TestConfig *out_config);
diff --git a/src/tool/CMakeLists.txt b/src/tool/CMakeLists.txt
index d542f26..4bb6ca2 100644
--- a/src/tool/CMakeLists.txt
+++ b/src/tool/CMakeLists.txt
@@ -8,14 +8,11 @@ add_executable(
   const.cc
   digest.cc
   pkcs12.cc
+  rand.cc
   server.cc
   speed.cc
   tool.cc
   transport_common.cc
 )
 
-if (APPLE OR WIN32)
-  target_link_libraries(bssl ssl crypto)
-else()
-  target_link_libraries(bssl ssl crypto -lrt)
-endif()
+target_link_libraries(bssl ssl crypto)
diff --git a/src/tool/args.cc b/src/tool/args.cc
index 52856d4..a164476 100644
--- a/src/tool/args.cc
+++ b/src/tool/args.cc
@@ -41,22 +41,26 @@ bool ParseKeyValueArguments(std::map<std::string, std::string> *out_args,
       return false;
     }
 
-    if (i + 1 >= args.size()) {
-      fprintf(stderr, "Missing argument for option: %s\n", arg.c_str());
-      return false;
-    }
-
     if (out_args->find(arg) != out_args->end()) {
-      fprintf(stderr, "Duplicate value given for: %s\n", arg.c_str());
+      fprintf(stderr, "Duplicate argument: %s\n", arg.c_str());
       return false;
     }
 
-    (*out_args)[arg] = args[++i];
+    if (templ->type == kBooleanArgument) {
+      (*out_args)[arg] = "";
+    } else {
+      if (i + 1 >= args.size()) {
+        fprintf(stderr, "Missing argument for option: %s\n", arg.c_str());
+        return false;
+      }
+      (*out_args)[arg] = args[++i];
+    }
   }
 
   for (size_t j = 0; templates[j].name[0] != 0; j++) {
     const struct argument *templ = &templates[j];
-    if (templ->required && out_args->find(templ->name) == out_args->end()) {
+    if (templ->type == kRequiredArgument &&
+        out_args->find(templ->name) == out_args->end()) {
       fprintf(stderr, "Missing value for required argument: %s\n", templ->name);
       return false;
     }
diff --git a/src/tool/client.cc b/src/tool/client.cc
index 59c5fe3..1de0df2 100644
--- a/src/tool/client.cc
+++ b/src/tool/client.cc
@@ -14,34 +14,101 @@
 
 #include <openssl/base.h>
 
-#include <string>
-#include <vector>
-
-#include <errno.h>
-#include <stdlib.h>
-#include <sys/types.h>
-
 #include <openssl/err.h>
+#include <openssl/pem.h>
 #include <openssl/ssl.h>
 
+#include "../crypto/test/scoped_types.h"
+#include "../ssl/test/scoped_types.h"
 #include "internal.h"
 #include "transport_common.h"
 
 
 static const struct argument kArguments[] = {
     {
-     "-connect", true,
+     "-connect", kRequiredArgument,
      "The hostname and port of the server to connect to, e.g. foo.com:443",
     },
     {
-     "-cipher", false,
+     "-cipher", kOptionalArgument,
      "An OpenSSL-style cipher suite string that configures the offered ciphers",
     },
     {
-     "", false, "",
+     "-max-version", kOptionalArgument,
+     "The maximum acceptable protocol version",
+    },
+    {
+     "-min-version", kOptionalArgument,
+     "The minimum acceptable protocol version",
+    },
+    {
+     "-server-name", kOptionalArgument,
+     "The server name to advertise",
+    },
+    {
+     "-select-next-proto", kOptionalArgument,
+     "An NPN protocol to select if the server supports NPN",
+    },
+    {
+     "-alpn-protos", kOptionalArgument,
+     "A comma-separated list of ALPN protocols to advertise",
+    },
+    {
+     "-fallback-scsv", kBooleanArgument,
+     "Enable FALLBACK_SCSV",
+    },
+    {
+     "-ocsp-stapling", kBooleanArgument,
+     "Advertise support for OCSP stabling",
+    },
+    {
+     "-signed-certificate-timestamps", kBooleanArgument,
+     "Advertise support for signed certificate timestamps",
+    },
+    {
+     "-channel-id-key", kOptionalArgument,
+     "The key to use for signing a channel ID",
+    },
+    {
+     "", kOptionalArgument, "",
     },
 };
 
+static ScopedEVP_PKEY LoadPrivateKey(const std::string &file) {
+  ScopedBIO bio(BIO_new(BIO_s_file()));
+  if (!bio || !BIO_read_filename(bio.get(), file.c_str())) {
+    return nullptr;
+  }
+  ScopedEVP_PKEY pkey(PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr,
+                                              nullptr));
+  return pkey;
+}
+
+static bool VersionFromString(uint16_t *out_version,
+                              const std::string& version) {
+  if (version == "ssl3") {
+    *out_version = SSL3_VERSION;
+    return true;
+  } else if (version == "tls1" || version == "tls1.0") {
+    *out_version = TLS1_VERSION;
+    return true;
+  } else if (version == "tls1.1") {
+    *out_version = TLS1_1_VERSION;
+    return true;
+  } else if (version == "tls1.2") {
+    *out_version = TLS1_2_VERSION;
+    return true;
+  }
+  return false;
+}
+
+static int NextProtoSelectCallback(SSL* ssl, uint8_t** out, uint8_t* outlen,
+                                   const uint8_t* in, unsigned inlen, void* arg) {
+  *out = reinterpret_cast<uint8_t *>(arg);
+  *outlen = strlen(reinterpret_cast<const char *>(arg));
+  return SSL_TLSEXT_ERR_OK;
+}
+
 bool Client(const std::vector<std::string> &args) {
   if (!InitSocketLibrary()) {
     return false;
@@ -54,7 +121,7 @@ bool Client(const std::vector<std::string> &args) {
     return false;
   }
 
-  SSL_CTX *ctx = SSL_CTX_new(SSLv23_client_method());
+  ScopedSSL_CTX ctx(SSL_CTX_new(SSLv23_client_method()));
 
   const char *keylog_file = getenv("SSLKEYLOGFILE");
   if (keylog_file) {
@@ -63,38 +130,117 @@ bool Client(const std::vector<std::string> &args) {
       ERR_print_errors_cb(PrintErrorCallback, stderr);
       return false;
     }
-    SSL_CTX_set_keylog_bio(ctx, keylog_bio);
+    SSL_CTX_set_keylog_bio(ctx.get(), keylog_bio);
   }
 
   if (args_map.count("-cipher") != 0 &&
-      !SSL_CTX_set_cipher_list(ctx, args_map["-cipher"].c_str())) {
+      !SSL_CTX_set_cipher_list(ctx.get(), args_map["-cipher"].c_str())) {
     fprintf(stderr, "Failed setting cipher list\n");
     return false;
   }
 
+  if (args_map.count("-max-version") != 0) {
+    uint16_t version;
+    if (!VersionFromString(&version, args_map["-max-version"])) {
+      fprintf(stderr, "Unknown protocol version: '%s'\n",
+              args_map["-max-version"].c_str());
+      return false;
+    }
+    SSL_CTX_set_max_version(ctx.get(), version);
+  }
+
+  if (args_map.count("-min-version") != 0) {
+    uint16_t version;
+    if (!VersionFromString(&version, args_map["-min-version"])) {
+      fprintf(stderr, "Unknown protocol version: '%s'\n",
+              args_map["-min-version"].c_str());
+      return false;
+    }
+    SSL_CTX_set_min_version(ctx.get(), version);
+  }
+
+  if (args_map.count("-select-next-proto") != 0) {
+    const std::string &proto = args_map["-select-next-proto"];
+    if (proto.size() > 255) {
+      fprintf(stderr, "Bad NPN protocol: '%s'\n", proto.c_str());
+      return false;
+    }
+    // |SSL_CTX_set_next_proto_select_cb| is not const-correct.
+    SSL_CTX_set_next_proto_select_cb(ctx.get(), NextProtoSelectCallback,
+                                     const_cast<char *>(proto.c_str()));
+  }
+
+  if (args_map.count("-alpn-protos") != 0) {
+    const std::string &alpn_protos = args_map["-alpn-protos"];
+    std::vector<uint8_t> wire;
+    size_t i = 0;
+    while (i <= alpn_protos.size()) {
+      size_t j = alpn_protos.find(',', i);
+      if (j == std::string::npos) {
+        j = alpn_protos.size();
+      }
+      size_t len = j - i;
+      if (len > 255) {
+        fprintf(stderr, "Invalid ALPN protocols: '%s'\n", alpn_protos.c_str());
+        return false;
+      }
+      wire.push_back(static_cast<uint8_t>(len));
+      wire.resize(wire.size() + len);
+      memcpy(wire.data() + wire.size() - len, alpn_protos.data() + i, len);
+      i = j + 1;
+    }
+    if (SSL_CTX_set_alpn_protos(ctx.get(), wire.data(), wire.size()) != 0) {
+      return false;
+    }
+  }
+
+  if (args_map.count("-fallback-scsv") != 0) {
+    SSL_CTX_set_mode(ctx.get(), SSL_MODE_SEND_FALLBACK_SCSV);
+  }
+
+  if (args_map.count("-ocsp-stapling") != 0) {
+    SSL_CTX_enable_ocsp_stapling(ctx.get());
+  }
+
+  if (args_map.count("-signed-certificate-timestamps") != 0) {
+    SSL_CTX_enable_signed_cert_timestamps(ctx.get());
+  }
+
+  if (args_map.count("-channel-id-key") != 0) {
+    ScopedEVP_PKEY pkey = LoadPrivateKey(args_map["-channel-id-key"]);
+    if (!pkey || !SSL_CTX_set1_tls_channel_id(ctx.get(), pkey.get())) {
+      return false;
+    }
+    ctx->tlsext_channel_id_enabled_new = 1;
+  }
+
   int sock = -1;
   if (!Connect(&sock, args_map["-connect"])) {
     return false;
   }
 
-  BIO *bio = BIO_new_socket(sock, BIO_CLOSE);
-  SSL *ssl = SSL_new(ctx);
-  SSL_set_bio(ssl, bio, bio);
+  ScopedBIO bio(BIO_new_socket(sock, BIO_CLOSE));
+  ScopedSSL ssl(SSL_new(ctx.get()));
+
+  if (args_map.count("-server-name") != 0) {
+    SSL_set_tlsext_host_name(ssl.get(), args_map["-server-name"].c_str());
+  }
+
+  SSL_set_bio(ssl.get(), bio.get(), bio.get());
+  bio.release();
 
-  int ret = SSL_connect(ssl);
+  int ret = SSL_connect(ssl.get());
   if (ret != 1) {
-    int ssl_err = SSL_get_error(ssl, ret);
+    int ssl_err = SSL_get_error(ssl.get(), ret);
     fprintf(stderr, "Error while connecting: %d\n", ssl_err);
     ERR_print_errors_cb(PrintErrorCallback, stderr);
     return false;
   }
 
   fprintf(stderr, "Connected.\n");
-  PrintConnectionInfo(ssl);
+  PrintConnectionInfo(ssl.get());
 
-  bool ok = TransferData(ssl, sock);
+  bool ok = TransferData(ssl.get(), sock);
 
-  SSL_free(ssl);
-  SSL_CTX_free(ctx);
   return ok;
 }
diff --git a/src/tool/const.cc b/src/tool/const.cc
index 219fd3c..5222667 100644
--- a/src/tool/const.cc
+++ b/src/tool/const.cc
@@ -12,8 +12,8 @@
  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
 
+#include <stddef.h>
 #include <stdint.h>
-#include <stdlib.h>
 
 extern "C" {
 
diff --git a/src/tool/digest.cc b/src/tool/digest.cc
index f95f412..7cd8827 100644
--- a/src/tool/digest.cc
+++ b/src/tool/digest.cc
@@ -21,18 +21,16 @@
 #include <errno.h>
 #include <fcntl.h>
 #include <limits.h>
-#include <stdio.h>
-#include <string.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 
 #if !defined(OPENSSL_WINDOWS)
+#include <string.h>
 #include <unistd.h>
 #if !defined(O_BINARY)
 #define O_BINARY 0
 #endif
 #else
-#define NOMINMAX
 #pragma warning(push, 3)
 #include <windows.h>
 #pragma warning(pop)
@@ -89,29 +87,25 @@ static bool OpenFile(int *out_fd, const std::string &filename) {
             strerror(errno));
     return false;
   }
+  std::unique_ptr<int, close_delete> scoped_fd(&fd);
 
 #if !defined(OPENSSL_WINDOWS)
   struct stat st;
   if (fstat(fd, &st)) {
     fprintf(stderr, "Failed to stat input file '%s': %s\n", filename.c_str(),
             strerror(errno));
-    goto err;
+    return false;
   }
 
   if (!S_ISREG(st.st_mode)) {
     fprintf(stderr, "%s: not a regular file\n", filename.c_str());
-    goto err;
+    return false;
   }
 #endif
 
   *out_fd = fd;
+  scoped_fd.release();
   return true;
-
-#if !defined(OPENSSL_WINDOWS)
-err:
-  close(fd);
-  return false;
-#endif
 }
 
 // SumFile hashes the contents of |source| with |md| and sets |*out_hex| to the
diff --git a/src/tool/internal.h b/src/tool/internal.h
index bc87c51..277d099 100644
--- a/src/tool/internal.h
+++ b/src/tool/internal.h
@@ -32,9 +32,15 @@
 #pragma warning(pop)
 #endif
 
+enum ArgumentType {
+  kRequiredArgument,
+  kOptionalArgument,
+  kBooleanArgument,
+};
+
 struct argument {
-  const char name[15];
-  bool required;
+  const char *name;
+  ArgumentType type;
   const char *description;
 };
 
diff --git a/src/tool/pkcs12.cc b/src/tool/pkcs12.cc
index e0133e5..c191531 100644
--- a/src/tool/pkcs12.cc
+++ b/src/tool/pkcs12.cc
@@ -31,6 +31,7 @@
 #endif
 
 #include <openssl/bytestring.h>
+#include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/pkcs8.h>
 #include <openssl/stack.h>
@@ -46,10 +47,11 @@ typedef ssize_t read_result_t;
 
 static const struct argument kArguments[] = {
     {
-     "-dump", false, "Dump the key and contents of the given file to stdout",
+     "-dump", kOptionalArgument,
+     "Dump the key and contents of the given file to stdout",
     },
     {
-     "", false, "",
+     "", kOptionalArgument, "",
     },
 };
 
@@ -122,7 +124,7 @@ bool DoPKCS12(const std::vector<std::string> &args) {
 
   if (!PKCS12_get_key_and_certs(&key, certs, &pkcs12, password)) {
     fprintf(stderr, "Failed to parse PKCS#12 data:\n");
-    BIO_print_errors_fp(stderr);
+    ERR_print_errors_fp(stderr);
     return false;
   }
 
diff --git a/src/tool/rand.cc b/src/tool/rand.cc
new file mode 100644
index 0000000..10078e2
--- /dev/null
+++ b/src/tool/rand.cc
@@ -0,0 +1,95 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <string>
+#include <vector>
+
+#include <stdint.h>
+#include <stdlib.h>
+
+#include <openssl/rand.h>
+
+#include "internal.h"
+
+
+static const struct argument kArguments[] = {
+    {
+     "-hex", kBooleanArgument,
+     "Hex encoded output."
+    },
+    {
+     "", kOptionalArgument, "",
+    },
+};
+
+bool Rand(const std::vector<std::string> &args) {
+  bool forever = true, hex = false;
+  size_t len = 0;
+
+  if (!args.empty()) {
+    std::vector<std::string> args_copy(args);
+    const std::string &last_arg = args.back();
+
+    if (last_arg.size() > 0 && last_arg[0] != '-') {
+      char *endptr;
+      unsigned long long num = strtoull(last_arg.c_str(), &endptr, 10);
+      if (*endptr == 0) {
+        len = num;
+        forever = false;
+        args_copy.pop_back();
+      }
+    }
+
+    std::map<std::string, std::string> args_map;
+    if (!ParseKeyValueArguments(&args_map, args_copy, kArguments)) {
+      PrintUsage(kArguments);
+      return false;
+    }
+
+    hex = args_map.count("-hex") > 0;
+  }
+
+  uint8_t buf[4096];
+  uint8_t hex_buf[8192];
+
+  size_t done = 0;
+  while (forever || done < len) {
+    size_t todo = sizeof(buf);
+    if (!forever && todo > len - done) {
+      todo = len - done;
+    }
+    RAND_bytes(buf, todo);
+    if (hex) {
+      static const char hextable[] = "0123456789abdef";
+      for (unsigned i = 0; i < todo; i++) {
+        hex_buf[i*2] = hextable[buf[i] >> 4];
+        hex_buf[i*2 + 1] = hextable[buf[i] & 0xf];
+      }
+      if (fwrite(hex_buf, todo*2, 1, stdout) != 1) {
+        return false;
+      }
+    } else {
+      if (fwrite(buf, todo, 1, stdout) != 1) {
+        return false;
+      }
+    }
+    done += todo;
+  }
+
+  if (hex && fwrite("\n", 1, 1, stdout) != 1) {
+    return false;
+  }
+
+  return true;
+}
diff --git a/src/tool/server.cc b/src/tool/server.cc
index 120e450..164d6a5 100644
--- a/src/tool/server.cc
+++ b/src/tool/server.cc
@@ -14,13 +14,6 @@
 
 #include <openssl/base.h>
 
-#include <string>
-#include <vector>
-
-#include <errno.h>
-#include <stdlib.h>
-#include <sys/types.h>
-
 #include <openssl/err.h>
 #include <openssl/ssl.h>
 
@@ -30,19 +23,19 @@
 
 static const struct argument kArguments[] = {
     {
-     "-accept", true,
+     "-accept", kRequiredArgument,
      "The port of the server to bind on; eg 45102",
     },
     {
-     "-cipher", false,
+     "-cipher", kOptionalArgument,
      "An OpenSSL-style cipher suite string that configures the offered ciphers",
     },
     {
-      "-key", false,
+      "-key", kOptionalArgument,
       "Private-key file to use (default is server.pem)",
     },
     {
-     "", false, "",
+     "", kOptionalArgument, "",
     },
 };
 
diff --git a/src/tool/speed.cc b/src/tool/speed.cc
index 3c2a0f1..ab17c2f 100644
--- a/src/tool/speed.cc
+++ b/src/tool/speed.cc
@@ -19,12 +19,12 @@
 
 #include <stdint.h>
 #include <string.h>
-#include <time.h>
 
 #include <openssl/aead.h>
-#include <openssl/bio.h>
 #include <openssl/digest.h>
+#include <openssl/err.h>
 #include <openssl/obj.h>
+#include <openssl/rand.h>
 #include <openssl/rsa.h>
 
 #if defined(OPENSSL_WINDOWS)
@@ -35,6 +35,8 @@
 #include <sys/time.h>
 #endif
 
+#include "../crypto/test/scoped_types.h"
+
 
 extern "C" {
 // These values are DER encoded, RSA private keys.
@@ -93,7 +95,7 @@ static uint64_t time_now() {
 static bool TimeFunction(TimeResults *results, std::function<bool()> func) {
   // kTotalMS is the total amount of time that we'll aim to measure a function
   // for.
-  static const uint64_t kTotalUS = 3000000;
+  static const uint64_t kTotalUS = 1000000;
   uint64_t start = time_now(), now, delta;
   unsigned done = 0, iterations_between_time_checks;
 
@@ -134,20 +136,24 @@ static bool TimeFunction(TimeResults *results, std::function<bool()> func) {
   return true;
 }
 
-static bool SpeedRSA(const std::string& key_name, RSA *key) {
-  TimeResults results;
+static bool SpeedRSA(const std::string &key_name, RSA *key,
+                     const std::string &selected) {
+  if (!selected.empty() && key_name.find(selected) == std::string::npos) {
+    return true;
+  }
 
   std::unique_ptr<uint8_t[]> sig(new uint8_t[RSA_size(key)]);
   const uint8_t fake_sha256_hash[32] = {0};
   unsigned sig_len;
 
+  TimeResults results;
   if (!TimeFunction(&results,
                     [key, &sig, &fake_sha256_hash, &sig_len]() -> bool {
         return RSA_sign(NID_sha256, fake_sha256_hash, sizeof(fake_sha256_hash),
                         sig.get(), &sig_len, key);
       })) {
     fprintf(stderr, "RSA_sign failed.\n");
-    BIO_print_errors_fp(stderr);
+    ERR_print_errors_fp(stderr);
     return false;
   }
   results.Print(key_name + " signing");
@@ -158,7 +164,7 @@ static bool SpeedRSA(const std::string& key_name, RSA *key) {
                           sizeof(fake_sha256_hash), sig.get(), sig_len, key);
       })) {
     fprintf(stderr, "RSA_verify failed.\n");
-    BIO_print_errors_fp(stderr);
+    ERR_print_errors_fp(stderr);
     return false;
   }
   results.Print(key_name + " verify");
@@ -166,16 +172,10 @@ static bool SpeedRSA(const std::string& key_name, RSA *key) {
   return true;
 }
 
-template<typename T>
-struct free_functor {
-  void operator()(T* ptr) {
-    free(ptr);
-  }
-};
-
 static uint8_t *align(uint8_t *in, unsigned alignment) {
   return reinterpret_cast<uint8_t *>(
-      (reinterpret_cast<uintptr_t>(in) + alignment) & ~(alignment - 1));
+      (reinterpret_cast<uintptr_t>(in) + alignment) &
+      ~static_cast<size_t>(alignment - 1));
 }
 
 static bool SpeedAEADChunk(const EVP_AEAD *aead, const std::string &name,
@@ -191,10 +191,8 @@ static bool SpeedAEADChunk(const EVP_AEAD *aead, const std::string &name,
   memset(key.get(), 0, key_len);
   std::unique_ptr<uint8_t[]> nonce(new uint8_t[nonce_len]);
   memset(nonce.get(), 0, nonce_len);
-  std::unique_ptr<uint8_t, free_functor<uint8_t>> in_storage(
-      new uint8_t[chunk_len + kAlignment]);
-  std::unique_ptr<uint8_t, free_functor<uint8_t>> out_storage(
-      new uint8_t[chunk_len + overhead_len + kAlignment]);
+  std::unique_ptr<uint8_t[]> in_storage(new uint8_t[chunk_len + kAlignment]);
+  std::unique_ptr<uint8_t[]> out_storage(new uint8_t[chunk_len + overhead_len + kAlignment]);
   std::unique_ptr<uint8_t[]> ad(new uint8_t[ad_len]);
   memset(ad.get(), 0, ad_len);
 
@@ -203,10 +201,11 @@ static bool SpeedAEADChunk(const EVP_AEAD *aead, const std::string &name,
   uint8_t *const out = align(out_storage.get(), kAlignment);
   memset(out, 0, chunk_len + overhead_len);
 
-  if (!EVP_AEAD_CTX_init(&ctx, aead, key.get(), key_len,
-                         EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) {
+  if (!EVP_AEAD_CTX_init_with_direction(&ctx, aead, key.get(), key_len,
+                                        EVP_AEAD_DEFAULT_TAG_LENGTH,
+                                        evp_aead_seal)) {
     fprintf(stderr, "Failed to create EVP_AEAD_CTX.\n");
-    BIO_print_errors_fp(stderr);
+    ERR_print_errors_fp(stderr);
     return false;
   }
 
@@ -220,7 +219,7 @@ static bool SpeedAEADChunk(const EVP_AEAD *aead, const std::string &name,
             nonce_len, in, chunk_len, ad.get(), ad_len);
       })) {
     fprintf(stderr, "EVP_AEAD_CTX_seal failed.\n");
-    BIO_print_errors_fp(stderr);
+    ERR_print_errors_fp(stderr);
     return false;
   }
 
@@ -232,7 +231,11 @@ static bool SpeedAEADChunk(const EVP_AEAD *aead, const std::string &name,
 }
 
 static bool SpeedAEAD(const EVP_AEAD *aead, const std::string &name,
-                      size_t ad_len) {
+                      size_t ad_len, const std::string &selected) {
+  if (!selected.empty() && name.find(selected) == std::string::npos) {
+    return true;
+  }
+
   return SpeedAEADChunk(aead, name + " (16 bytes)", 16, ad_len) &&
          SpeedAEADChunk(aead, name + " (1350 bytes)", 1350, ad_len) &&
          SpeedAEADChunk(aead, name + " (8192 bytes)", 8192, ad_len);
@@ -257,7 +260,7 @@ static bool SpeedHashChunk(const EVP_MD *md, const std::string &name,
                EVP_DigestFinal_ex(ctx, digest, &md_len);
       })) {
     fprintf(stderr, "EVP_DigestInit_ex failed.\n");
-    BIO_print_errors_fp(stderr);
+    ERR_print_errors_fp(stderr);
     return false;
   }
 
@@ -267,24 +270,159 @@ static bool SpeedHashChunk(const EVP_MD *md, const std::string &name,
 
   return true;
 }
-static bool SpeedHash(const EVP_MD *md, const std::string &name) {
+static bool SpeedHash(const EVP_MD *md, const std::string &name,
+                      const std::string &selected) {
+  if (!selected.empty() && name.find(selected) == std::string::npos) {
+    return true;
+  }
+
   return SpeedHashChunk(md, name + " (16 bytes)", 16) &&
          SpeedHashChunk(md, name + " (256 bytes)", 256) &&
          SpeedHashChunk(md, name + " (8192 bytes)", 8192);
 }
 
-bool Speed(const std::vector<std::string>& /*args*/) {
-  const uint8_t *inp;
+static bool SpeedRandomChunk(const std::string name, size_t chunk_len) {
+  uint8_t scratch[8192];
+
+  if (chunk_len > sizeof(scratch)) {
+    return false;
+  }
+
+  TimeResults results;
+  if (!TimeFunction(&results, [chunk_len, &scratch]() -> bool {
+        RAND_bytes(scratch, chunk_len);
+        return true;
+      })) {
+    return false;
+  }
+
+  results.PrintWithBytes(name, chunk_len);
+  return true;
+}
+
+static bool SpeedRandom(const std::string &selected) {
+  if (!selected.empty() && selected != "RNG") {
+    return true;
+  }
+
+  return SpeedRandomChunk("RNG (16 bytes)", 16) &&
+         SpeedRandomChunk("RNG (256 bytes)", 256) &&
+         SpeedRandomChunk("RNG (8192 bytes)", 8192);
+}
+
+static bool SpeedECDHCurve(const std::string &name, int nid,
+                           const std::string &selected) {
+  if (!selected.empty() && name.find(selected) == std::string::npos) {
+    return true;
+  }
+
+  TimeResults results;
+  if (!TimeFunction(&results, [nid]() -> bool {
+        ScopedEC_KEY key(EC_KEY_new_by_curve_name(nid));
+        if (!key ||
+            !EC_KEY_generate_key(key.get())) {
+          return false;
+        }
+        const EC_GROUP *const group = EC_KEY_get0_group(key.get());
+        ScopedEC_POINT point(EC_POINT_new(group));
+        ScopedBN_CTX ctx(BN_CTX_new());
+
+        ScopedBIGNUM x(BN_new());
+        ScopedBIGNUM y(BN_new());
+
+        if (!point || !ctx || !x || !y ||
+            !EC_POINT_mul(group, point.get(), NULL,
+                          EC_KEY_get0_public_key(key.get()),
+                          EC_KEY_get0_private_key(key.get()), ctx.get()) ||
+            !EC_POINT_get_affine_coordinates_GFp(group, point.get(), x.get(),
+                                                 y.get(), ctx.get())) {
+          return false;
+        }
+
+        return true;
+      })) {
+    return false;
+  }
+
+  results.Print(name);
+  return true;
+}
+
+static bool SpeedECDSACurve(const std::string &name, int nid,
+                            const std::string &selected) {
+  if (!selected.empty() && name.find(selected) == std::string::npos) {
+    return true;
+  }
+
+  ScopedEC_KEY key(EC_KEY_new_by_curve_name(nid));
+  if (!key ||
+      !EC_KEY_generate_key(key.get())) {
+    return false;
+  }
+
+  uint8_t signature[256];
+  if (ECDSA_size(key.get()) > sizeof(signature)) {
+    return false;
+  }
+  uint8_t digest[20];
+  memset(digest, 42, sizeof(digest));
+  unsigned sig_len;
+
+  TimeResults results;
+  if (!TimeFunction(&results, [&key, &signature, &digest, &sig_len]() -> bool {
+        return ECDSA_sign(0, digest, sizeof(digest), signature, &sig_len,
+                          key.get()) == 1;
+      })) {
+    return false;
+  }
+
+  results.Print(name + " signing");
+
+  if (!TimeFunction(&results, [&key, &signature, &digest, sig_len]() -> bool {
+        return ECDSA_verify(0, digest, sizeof(digest), signature, sig_len,
+                            key.get()) == 1;
+      })) {
+    return false;
+  }
+
+  results.Print(name + " verify");
+
+  return true;
+}
+
+static bool SpeedECDH(const std::string &selected) {
+  return SpeedECDHCurve("ECDH P-224", NID_secp224r1, selected) &&
+         SpeedECDHCurve("ECDH P-256", NID_X9_62_prime256v1, selected) &&
+         SpeedECDHCurve("ECDH P-384", NID_secp384r1, selected) &&
+         SpeedECDHCurve("ECDH P-521", NID_secp521r1, selected);
+}
+
+static bool SpeedECDSA(const std::string &selected) {
+  return SpeedECDSACurve("ECDSA P-224", NID_secp224r1, selected) &&
+         SpeedECDSACurve("ECDSA P-256", NID_X9_62_prime256v1, selected) &&
+         SpeedECDSACurve("ECDSA P-384", NID_secp384r1, selected) &&
+         SpeedECDSACurve("ECDSA P-521", NID_secp521r1, selected);
+}
+
+bool Speed(const std::vector<std::string> &args) {
+  std::string selected;
+  if (args.size() > 1) {
+    fprintf(stderr, "Usage: bssl speed [speed test selector, i.e. 'RNG']\n");
+    return false;
+  }
+  if (args.size() > 0) {
+    selected = args[0];
+  }
 
   RSA *key = NULL;
-  inp = kDERRSAPrivate2048;
+  const uint8_t *inp = kDERRSAPrivate2048;
   if (NULL == d2i_RSAPrivateKey(&key, &inp, kDERRSAPrivate2048Len)) {
     fprintf(stderr, "Failed to parse RSA key.\n");
-    BIO_print_errors_fp(stderr);
+    ERR_print_errors_fp(stderr);
     return false;
   }
 
-  if (!SpeedRSA("RSA 2048", key)) {
+  if (!SpeedRSA("RSA 2048", key, selected)) {
     return false;
   }
 
@@ -294,11 +432,11 @@ bool Speed(const std::vector<std::string>& /*args*/) {
   inp = kDERRSAPrivate4096;
   if (NULL == d2i_RSAPrivateKey(&key, &inp, kDERRSAPrivate4096Len)) {
     fprintf(stderr, "Failed to parse 4096-bit RSA key.\n");
-    BIO_print_errors_fp(stderr);
+    ERR_print_errors_fp(stderr);
     return 1;
   }
 
-  if (!SpeedRSA("RSA 4096", key)) {
+  if (!SpeedRSA("RSA 4096", key, selected)) {
     return false;
   }
 
@@ -313,17 +451,23 @@ bool Speed(const std::vector<std::string>& /*args*/) {
   // knowledge in them and construct a couple of the AD bytes internally.
   static const size_t kLegacyADLen = kTLSADLen - 2;
 
-  if (!SpeedAEAD(EVP_aead_aes_128_gcm(), "AES-128-GCM", kTLSADLen) ||
-      !SpeedAEAD(EVP_aead_aes_256_gcm(), "AES-256-GCM", kTLSADLen) ||
-      !SpeedAEAD(EVP_aead_chacha20_poly1305(), "ChaCha20-Poly1305", kTLSADLen) ||
-      !SpeedAEAD(EVP_aead_rc4_md5_tls(), "RC4-MD5", kLegacyADLen) ||
-      !SpeedAEAD(EVP_aead_aes_128_cbc_sha1_tls(), "AES-128-CBC-SHA1", kLegacyADLen) ||
-      !SpeedAEAD(EVP_aead_aes_256_cbc_sha1_tls(), "AES-256-CBC-SHA1", kLegacyADLen) ||
-      !SpeedHash(EVP_sha1(), "SHA-1") ||
-      !SpeedHash(EVP_sha256(), "SHA-256") ||
-      !SpeedHash(EVP_sha512(), "SHA-512")) {
+  if (!SpeedAEAD(EVP_aead_aes_128_gcm(), "AES-128-GCM", kTLSADLen, selected) ||
+      !SpeedAEAD(EVP_aead_aes_256_gcm(), "AES-256-GCM", kTLSADLen, selected) ||
+      !SpeedAEAD(EVP_aead_chacha20_poly1305(), "ChaCha20-Poly1305", kTLSADLen,
+                 selected) ||
+      !SpeedAEAD(EVP_aead_rc4_md5_tls(), "RC4-MD5", kLegacyADLen, selected) ||
+      !SpeedAEAD(EVP_aead_aes_128_cbc_sha1_tls(), "AES-128-CBC-SHA1",
+                 kLegacyADLen, selected) ||
+      !SpeedAEAD(EVP_aead_aes_256_cbc_sha1_tls(), "AES-256-CBC-SHA1",
+                 kLegacyADLen, selected) ||
+      !SpeedHash(EVP_sha1(), "SHA-1", selected) ||
+      !SpeedHash(EVP_sha256(), "SHA-256", selected) ||
+      !SpeedHash(EVP_sha512(), "SHA-512", selected) ||
+      !SpeedRandom(selected) ||
+      !SpeedECDH(selected) ||
+      !SpeedECDSA(selected)) {
     return false;
   }
 
-  return 0;
+  return true;
 }
diff --git a/src/tool/tool.cc b/src/tool/tool.cc
index 36e3de9..4bd7d1a 100644
--- a/src/tool/tool.cc
+++ b/src/tool/tool.cc
@@ -36,6 +36,7 @@ bool SHA384Sum(const std::vector<std::string> &args);
 bool SHA512Sum(const std::vector<std::string> &args);
 bool DoPKCS12(const std::vector<std::string> &args);
 bool Speed(const std::vector<std::string> &args);
+bool Rand(const std::vector<std::string> &args);
 
 typedef bool (*tool_func_t)(const std::vector<std::string> &args);
 
@@ -57,6 +58,7 @@ static const Tool kTools[] = {
   { "sha256sum", SHA256Sum },
   { "sha384sum", SHA384Sum },
   { "sha512sum", SHA512Sum },
+  { "rand", Rand },
   { "", nullptr },
 };
 
diff --git a/src/tool/transport_common.cc b/src/tool/transport_common.cc
index 1a09d08..3f5e631 100644
--- a/src/tool/transport_common.cc
+++ b/src/tool/transport_common.cc
@@ -18,6 +18,7 @@
 #include <vector>
 
 #include <errno.h>
+#include <stddef.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/types.h>
@@ -31,7 +32,6 @@
 #include <sys/socket.h>
 #include <unistd.h>
 #else
-#define NOMINMAX
 #include <io.h>
 #pragma warning(push, 3)
 #include <winsock2.h>
@@ -172,6 +172,17 @@ void PrintConnectionInfo(const SSL *ssl) {
   fprintf(stderr, "  Cipher: %s\n", SSL_CIPHER_get_name(cipher));
   fprintf(stderr, "  Secure renegotiation: %s\n",
           SSL_get_secure_renegotiation_support(ssl) ? "yes" : "no");
+
+  const uint8_t *next_proto;
+  unsigned next_proto_len;
+  SSL_get0_next_proto_negotiated(ssl, &next_proto, &next_proto_len);
+  fprintf(stderr, "  Next protocol negotiated: %.*s\n", next_proto_len,
+          next_proto);
+
+  const uint8_t *alpn;
+  unsigned alpn_len;
+  SSL_get0_alpn_selected(ssl, &alpn, &alpn_len);
+  fprintf(stderr, "  ALPN protocol: %.*s\n", alpn_len, alpn);
 }
 
 bool SocketSetNonBlocking(int sock, bool is_non_blocking) {
diff --git a/src/util/aarch64-toolchain.cmake b/src/util/aarch64-toolchain.cmake
deleted file mode 100644
index 77f33ab..0000000
--- a/src/util/aarch64-toolchain.cmake
+++ /dev/null
@@ -1,6 +0,0 @@
-set(CMAKE_SYSTEM_NAME Linux)
-set(CMAKE_SYSTEM_VERSION 1)
-set(CMAKE_SYSTEM_PROCESSOR "aarch64")
-set(CMAKE_CXX_COMPILER "/opt/gcc-linaro-4.9-2014.11-x86_64_aarch64-linux-gnu/bin/aarch64-linux-gnu-g++")
-set(CMAKE_C_COMPILER "/opt/gcc-linaro-4.9-2014.11-x86_64_aarch64-linux-gnu/bin/aarch64-linux-gnu-gcc")
-set(CMAKE_EXE_LINKER_FLAGS "-static")
diff --git a/src/util/all_tests.go b/src/util/all_tests.go
new file mode 100644
index 0000000..91822d1
--- /dev/null
+++ b/src/util/all_tests.go
@@ -0,0 +1,240 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+package main
+
+import (
+	"bytes"
+	"encoding/json"
+	"flag"
+	"fmt"
+	"os"
+	"os/exec"
+	"path"
+	"strings"
+	"time"
+)
+
+// TODO(davidben): Link tests with the malloc shim and port -malloc-test to this runner.
+
+var (
+	useValgrind = flag.Bool("valgrind", false, "If true, run code under valgrind")
+	buildDir    = flag.String("build-dir", "build", "The build directory to run the tests from.")
+	jsonOutput  = flag.String("json-output", "", "The file to output JSON results to.")
+)
+
+type test []string
+
+var tests = []test{
+	{"crypto/base64/base64_test"},
+	{"crypto/bio/bio_test"},
+	{"crypto/bn/bn_test"},
+	{"crypto/bytestring/bytestring_test"},
+	{"crypto/cipher/aead_test", "aes-128-gcm", "crypto/cipher/test/aes_128_gcm_tests.txt"},
+	{"crypto/cipher/aead_test", "aes-128-key-wrap", "crypto/cipher/test/aes_128_key_wrap_tests.txt"},
+	{"crypto/cipher/aead_test", "aes-256-gcm", "crypto/cipher/test/aes_256_gcm_tests.txt"},
+	{"crypto/cipher/aead_test", "aes-256-key-wrap", "crypto/cipher/test/aes_256_key_wrap_tests.txt"},
+	{"crypto/cipher/aead_test", "chacha20-poly1305", "crypto/cipher/test/chacha20_poly1305_tests.txt"},
+	{"crypto/cipher/aead_test", "rc4-md5-tls", "crypto/cipher/test/rc4_md5_tls_tests.txt"},
+	{"crypto/cipher/aead_test", "rc4-sha1-tls", "crypto/cipher/test/rc4_sha1_tls_tests.txt"},
+	{"crypto/cipher/aead_test", "aes-128-cbc-sha1-tls", "crypto/cipher/test/aes_128_cbc_sha1_tls_tests.txt"},
+	{"crypto/cipher/aead_test", "aes-128-cbc-sha1-tls-implicit-iv", "crypto/cipher/test/aes_128_cbc_sha1_tls_implicit_iv_tests.txt"},
+	{"crypto/cipher/aead_test", "aes-128-cbc-sha256-tls", "crypto/cipher/test/aes_128_cbc_sha256_tls_tests.txt"},
+	{"crypto/cipher/aead_test", "aes-256-cbc-sha1-tls", "crypto/cipher/test/aes_256_cbc_sha1_tls_tests.txt"},
+	{"crypto/cipher/aead_test", "aes-256-cbc-sha1-tls-implicit-iv", "crypto/cipher/test/aes_256_cbc_sha1_tls_implicit_iv_tests.txt"},
+	{"crypto/cipher/aead_test", "aes-256-cbc-sha256-tls", "crypto/cipher/test/aes_256_cbc_sha256_tls_tests.txt"},
+	{"crypto/cipher/aead_test", "aes-256-cbc-sha384-tls", "crypto/cipher/test/aes_256_cbc_sha384_tls_tests.txt"},
+	{"crypto/cipher/aead_test", "des-ede3-cbc-sha1-tls", "crypto/cipher/test/des_ede3_cbc_sha1_tls_tests.txt"},
+	{"crypto/cipher/aead_test", "des-ede3-cbc-sha1-tls-implicit-iv", "crypto/cipher/test/des_ede3_cbc_sha1_tls_implicit_iv_tests.txt"},
+	{"crypto/cipher/aead_test", "rc4-md5-ssl3", "crypto/cipher/test/rc4_md5_ssl3_tests.txt"},
+	{"crypto/cipher/aead_test", "rc4-sha1-ssl3", "crypto/cipher/test/rc4_sha1_ssl3_tests.txt"},
+	{"crypto/cipher/aead_test", "aes-128-cbc-sha1-ssl3", "crypto/cipher/test/aes_128_cbc_sha1_ssl3_tests.txt"},
+	{"crypto/cipher/aead_test", "aes-256-cbc-sha1-ssl3", "crypto/cipher/test/aes_256_cbc_sha1_ssl3_tests.txt"},
+	{"crypto/cipher/aead_test", "des-ede3-cbc-sha1-ssl3", "crypto/cipher/test/des_ede3_cbc_sha1_ssl3_tests.txt"},
+	{"crypto/cipher/aead_test", "aes-128-ctr-hmac-sha256", "crypto/cipher/test/aes_128_ctr_hmac_sha256.txt"},
+	{"crypto/cipher/aead_test", "aes-256-ctr-hmac-sha256", "crypto/cipher/test/aes_256_ctr_hmac_sha256.txt"},
+	{"crypto/cipher/cipher_test", "crypto/cipher/test/cipher_test.txt"},
+	{"crypto/cmac/cmac_test"},
+	{"crypto/constant_time_test"},
+	{"crypto/dh/dh_test"},
+	{"crypto/digest/digest_test"},
+	{"crypto/dsa/dsa_test"},
+	{"crypto/ec/ec_test"},
+	{"crypto/ec/example_mul"},
+	{"crypto/ecdsa/ecdsa_test"},
+	{"crypto/err/err_test"},
+	{"crypto/evp/evp_extra_test"},
+	{"crypto/evp/evp_test", "crypto/evp/evp_tests.txt"},
+	{"crypto/evp/evp_test", "crypto/hmac/hmac_tests.txt"},
+	{"crypto/evp/pbkdf_test"},
+	{"crypto/hkdf/hkdf_test"},
+	{"crypto/hmac/hmac_test", "crypto/hmac/hmac_tests.txt"},
+	{"crypto/lhash/lhash_test"},
+	{"crypto/modes/gcm_test"},
+	{"crypto/pkcs8/pkcs12_test"},
+	{"crypto/rsa/rsa_test"},
+	{"crypto/thread_test"},
+	{"crypto/x509/pkcs7_test"},
+	{"crypto/x509v3/tab_test"},
+	{"crypto/x509v3/v3name_test"},
+	{"ssl/pqueue/pqueue_test"},
+	{"ssl/ssl_test"},
+}
+
+// testOutput is a representation of Chromium's JSON test result format. See
+// https://www.chromium.org/developers/the-json-test-results-format
+type testOutput struct {
+	Version           int                   `json:"version"`
+	Interrupted       bool                  `json:"interrupted"`
+	PathDelimiter     string                `json:"path_delimiter"`
+	SecondsSinceEpoch float64               `json:"seconds_since_epoch"`
+	NumFailuresByType map[string]int        `json:"num_failures_by_type"`
+	Tests             map[string]testResult `json:"tests"`
+}
+
+type testResult struct {
+	Actual       string `json:"actual"`
+	Expected     string `json:"expected"`
+	IsUnexpected bool   `json:"is_unexpected"`
+}
+
+func newTestOutput() *testOutput {
+	return &testOutput{
+		Version:           3,
+		PathDelimiter:     ".",
+		SecondsSinceEpoch: float64(time.Now().UnixNano()) / float64(time.Second/time.Nanosecond),
+		NumFailuresByType: make(map[string]int),
+		Tests:             make(map[string]testResult),
+	}
+}
+
+func (t *testOutput) addResult(name, result string) {
+	if _, found := t.Tests[name]; found {
+		panic(name)
+	}
+	t.Tests[name] = testResult{
+		Actual:       result,
+		Expected:     "PASS",
+		IsUnexpected: result != "PASS",
+	}
+	t.NumFailuresByType[result]++
+}
+
+func (t *testOutput) writeTo(name string) error {
+	file, err := os.Create(name)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+	out, err := json.MarshalIndent(t, "", "  ")
+	if err != nil {
+		return err
+	}
+	_, err = file.Write(out)
+	return err
+}
+
+func valgrindOf(dbAttach bool, path string, args ...string) *exec.Cmd {
+	valgrindArgs := []string{"--error-exitcode=99", "--track-origins=yes", "--leak-check=full"}
+	if dbAttach {
+		valgrindArgs = append(valgrindArgs, "--db-attach=yes", "--db-command=xterm -e gdb -nw %f %p")
+	}
+	valgrindArgs = append(valgrindArgs, path)
+	valgrindArgs = append(valgrindArgs, args...)
+
+	return exec.Command("valgrind", valgrindArgs...)
+}
+
+func runTest(test test) (passed bool, err error) {
+	prog := path.Join(*buildDir, test[0])
+	args := test[1:]
+	var cmd *exec.Cmd
+	if *useValgrind {
+		cmd = valgrindOf(false, prog, args...)
+	} else {
+		cmd = exec.Command(prog, args...)
+	}
+	var stdoutBuf bytes.Buffer
+	cmd.Stdout = &stdoutBuf
+	cmd.Stderr = os.Stderr
+
+	if err := cmd.Start(); err != nil {
+		return false, err
+	}
+	if err := cmd.Wait(); err != nil {
+		return false, err
+	}
+
+	// Account for Windows line-endings.
+	stdout := bytes.Replace(stdoutBuf.Bytes(), []byte("\r\n"), []byte("\n"), -1)
+
+	if bytes.HasSuffix(stdout, []byte("PASS\n")) &&
+		(len(stdout) == 5 || stdout[len(stdout)-6] == '\n') {
+		return true, nil
+	}
+	return false, nil
+}
+
+// shortTestName returns the short name of a test. Except for evp_test, it
+// assumes that any argument which ends in .txt is a path to a data file and not
+// relevant to the test's uniqueness.
+func shortTestName(test test) string {
+	var args []string
+	for _, arg := range test {
+		if test[0] == "crypto/evp/evp_test" || !strings.HasSuffix(arg, ".txt") {
+			args = append(args, arg)
+		}
+	}
+	return strings.Join(args, " ")
+}
+
+func main() {
+	flag.Parse()
+
+	testOutput := newTestOutput()
+	var failed []test
+	for _, test := range tests {
+		fmt.Printf("%s\n", strings.Join([]string(test), " "))
+
+		name := shortTestName(test)
+		passed, err := runTest(test)
+		if err != nil {
+			fmt.Printf("%s failed to complete: %s\n", test[0], err)
+			failed = append(failed, test)
+			testOutput.addResult(name, "CRASHED")
+		} else if !passed {
+			fmt.Printf("%s failed to print PASS on the last line.\n", test[0])
+			failed = append(failed, test)
+			testOutput.addResult(name, "FAIL")
+		} else {
+			testOutput.addResult(name, "PASS")
+		}
+	}
+
+	if *jsonOutput != "" {
+		if err := testOutput.writeTo(*jsonOutput); err != nil {
+			fmt.Fprintf(os.Stderr, "Error: %s\n", err)
+		}
+	}
+
+	if len(failed) > 0 {
+		fmt.Printf("\n%d of %d tests failed:\n", len(failed), len(tests))
+		for _, test := range failed {
+			fmt.Printf("\t%s\n", strings.Join([]string(test), " "))
+		}
+		os.Exit(1)
+	}
+
+	fmt.Printf("\nAll tests passed!\n")
+}
diff --git a/src/util/all_tests.sh b/src/util/all_tests.sh
deleted file mode 100644
index bcb5c24..0000000
--- a/src/util/all_tests.sh
+++ /dev/null
@@ -1,85 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright (c) 2014, Google Inc.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
-# SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
-# OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
-# CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-SRC=..
-if [ "$#" -ge 1 ]; then
-  SRC=$1
-fi
-
-TESTS="
-./crypto/base64/base64_test
-./crypto/bio/bio_test
-./crypto/bn/bn_test
-./crypto/bytestring/bytestring_test
-./crypto/cipher/aead_test aes-128-gcm $SRC/crypto/cipher/test/aes_128_gcm_tests.txt
-./crypto/cipher/aead_test aes-128-key-wrap $SRC/crypto/cipher/test/aes_128_key_wrap_tests.txt
-./crypto/cipher/aead_test aes-256-gcm $SRC/crypto/cipher/test/aes_256_gcm_tests.txt
-./crypto/cipher/aead_test aes-256-key-wrap $SRC/crypto/cipher/test/aes_256_key_wrap_tests.txt
-./crypto/cipher/aead_test chacha20-poly1305 $SRC/crypto/cipher/test/chacha20_poly1305_tests.txt
-./crypto/cipher/aead_test rc4-md5-tls $SRC/crypto/cipher/test/rc4_md5_tls_tests.txt
-./crypto/cipher/aead_test rc4-sha1-tls $SRC/crypto/cipher/test/rc4_sha1_tls_tests.txt
-./crypto/cipher/aead_test aes-128-cbc-sha1-tls $SRC/crypto/cipher/test/aes_128_cbc_sha1_tls_tests.txt
-./crypto/cipher/aead_test aes-128-cbc-sha1-tls-implicit-iv $SRC/crypto/cipher/test/aes_128_cbc_sha1_tls_implicit_iv_tests.txt
-./crypto/cipher/aead_test aes-128-cbc-sha256-tls $SRC/crypto/cipher/test/aes_128_cbc_sha256_tls_tests.txt
-./crypto/cipher/aead_test aes-256-cbc-sha1-tls $SRC/crypto/cipher/test/aes_256_cbc_sha1_tls_tests.txt
-./crypto/cipher/aead_test aes-256-cbc-sha1-tls-implicit-iv $SRC/crypto/cipher/test/aes_256_cbc_sha1_tls_implicit_iv_tests.txt
-./crypto/cipher/aead_test aes-256-cbc-sha256-tls $SRC/crypto/cipher/test/aes_256_cbc_sha256_tls_tests.txt
-./crypto/cipher/aead_test aes-256-cbc-sha384-tls $SRC/crypto/cipher/test/aes_256_cbc_sha384_tls_tests.txt
-./crypto/cipher/aead_test des-ede3-cbc-sha1-tls $SRC/crypto/cipher/test/des_ede3_cbc_sha1_tls_tests.txt
-./crypto/cipher/aead_test des-ede3-cbc-sha1-tls-implicit-iv $SRC/crypto/cipher/test/des_ede3_cbc_sha1_tls_implicit_iv_tests.txt
-./crypto/cipher/aead_test rc4-md5-ssl3 $SRC/crypto/cipher/test/rc4_md5_ssl3_tests.txt
-./crypto/cipher/aead_test rc4-sha1-ssl3 $SRC/crypto/cipher/test/rc4_sha1_ssl3_tests.txt
-./crypto/cipher/aead_test aes-128-cbc-sha1-ssl3 $SRC/crypto/cipher/test/aes_128_cbc_sha1_ssl3_tests.txt
-./crypto/cipher/aead_test aes-256-cbc-sha1-ssl3 $SRC/crypto/cipher/test/aes_256_cbc_sha1_ssl3_tests.txt
-./crypto/cipher/aead_test des-ede3-cbc-sha1-ssl3 $SRC/crypto/cipher/test/des_ede3_cbc_sha1_ssl3_tests.txt
-./crypto/cipher/cipher_test $SRC/crypto/cipher/test/cipher_test.txt
-./crypto/constant_time_test
-./crypto/dh/dh_test
-./crypto/digest/digest_test
-./crypto/dsa/dsa_test
-./crypto/ec/ec_test
-./crypto/ec/example_mul
-./crypto/ecdsa/ecdsa_test
-./crypto/err/err_test
-./crypto/evp/evp_test
-./crypto/evp/pbkdf_test
-./crypto/hkdf/hkdf_test
-./crypto/hmac/hmac_test
-./crypto/lhash/lhash_test
-./crypto/modes/gcm_test
-./crypto/pkcs8/pkcs12_test
-./crypto/rsa/rsa_test
-./crypto/x509/pkcs7_test
-./crypto/x509v3/tab_test
-./crypto/x509v3/v3name_test
-./ssl/pqueue/pqueue_test
-./ssl/ssl_test
-"
-
-IFS=$'\n'
-for bin in $TESTS; do
-  echo $bin
-  out=$(bash -c "$bin" | tail -n 1)
-  if [ $? -ne 0 ]; then
-    echo $bin failed to complete.
-    exit 1
-  fi
-
-  if [ "x$out" != "xPASS" ]; then
-    echo $bin failed to print PASS on the last line.
-    exit 1
-  fi
-done
diff --git a/src/util/arm-toolchain.cmake b/src/util/arm-toolchain.cmake
deleted file mode 100644
index 2dfd2bd..0000000
--- a/src/util/arm-toolchain.cmake
+++ /dev/null
@@ -1,6 +0,0 @@
-set(CMAKE_SYSTEM_NAME Linux)
-set(CMAKE_SYSTEM_VERSION 1)
-set(CMAKE_SYSTEM_PROCESSOR "arm")
-set(CMAKE_CXX_COMPILER "/opt/gcc-linaro-4.9-2014.11-x86_64_arm-linux-gnueabihf/bin/arm-linux-gnueabihf-g++")
-set(CMAKE_C_COMPILER "/opt/gcc-linaro-4.9-2014.11-x86_64_arm-linux-gnueabihf/bin/arm-linux-gnueabihf-gcc")
-set(CMAKE_EXE_LINKER_FLAGS "-static")
diff --git a/src/util/bot/DEPS b/src/util/bot/DEPS
new file mode 100644
index 0000000..738fbd3
--- /dev/null
+++ b/src/util/bot/DEPS
@@ -0,0 +1,134 @@
+# Copyright (c) 2015, Google Inc.
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+# SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+# OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+# CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+vars = {
+  'chromium_git': 'https://chromium.googlesource.com',
+}
+
+deps = {
+  'boringssl/util/bot/gyp':
+    Var('chromium_git') + '/external/gyp.git' + '@' + '4a9b712d5cb4a5ba7a9950128a7219569caf7263',
+}
+
+hooks = [
+  {
+    'name': 'cmake_linux64',
+    'pattern': '.',
+    'action': [ 'download_from_google_storage',
+                '--no_resume',
+                '--platform=linux*',
+                '--no_auth',
+                '--bucket', 'chromium-tools',
+                '-s', 'boringssl/util/bot/cmake-linux64.tar.gz.sha1',
+    ],
+  },
+  {
+    'name': 'cmake_mac',
+    'pattern': '.',
+    'action': [ 'download_from_google_storage',
+                '--no_resume',
+                '--platform=darwin',
+                '--no_auth',
+                '--bucket', 'chromium-tools',
+                '-s', 'boringssl/util/bot/cmake-mac.tar.gz.sha1',
+    ],
+  },
+  {
+    'name': 'cmake_win32',
+    'pattern': '.',
+    'action': [ 'download_from_google_storage',
+                '--no_resume',
+                '--platform=win32',
+                '--no_auth',
+                '--bucket', 'chromium-tools',
+                '-s', 'boringssl/util/bot/cmake-win32.zip.sha1',
+    ],
+  },
+  {
+    'name': 'perl_win32',
+    'pattern': '.',
+    'action': [ 'download_from_google_storage',
+                '--no_resume',
+                '--platform=win32',
+                '--no_auth',
+                '--bucket', 'chromium-tools',
+                '-s', 'boringssl/util/bot/perl-win32.zip.sha1',
+    ],
+  },
+  {
+    'name': 'yasm_win32',
+    'pattern': '.',
+    'action': [ 'download_from_google_storage',
+                '--no_resume',
+                '--platform=win32',
+                '--no_auth',
+                '--bucket', 'chromium-tools',
+                '-s', 'boringssl/util/bot/yasm-win32.exe.sha1',
+    ],
+  },
+  {
+    'name': 'win_toolchain',
+    'pattern': '.',
+    'action': [ 'python',
+                'boringssl/util/bot/vs_toolchain.py',
+                'update',
+    ],
+  },
+  {
+    'name': 'clang',
+    'pattern': '.',
+    'action': [ 'python',
+                'boringssl/util/bot/update_clang.py',
+    ],
+  },
+  # TODO(davidben): Only extract archives when they've changed. Extracting perl
+  # on Windows is a significant part of the cycle time.
+  {
+    'name': 'cmake_linux64_extract',
+    'pattern': '.',
+    'action': [ 'python',
+                'boringssl/util/bot/extract.py',
+                'boringssl/util/bot/cmake-linux64.tar.gz',
+                'boringssl/util/bot/cmake-linux64/',
+    ],
+  },
+  {
+    'name': 'cmake_mac_extract',
+    'pattern': '.',
+    'action': [ 'python',
+                'boringssl/util/bot/extract.py',
+                'boringssl/util/bot/cmake-mac.tar.gz',
+                'boringssl/util/bot/cmake-mac/',
+    ],
+  },
+  {
+    'name': 'cmake_win32_extract',
+    'pattern': '.',
+    'action': [ 'python',
+                'boringssl/util/bot/extract.py',
+                'boringssl/util/bot/cmake-win32.zip',
+                'boringssl/util/bot/cmake-win32/',
+    ],
+  },
+  {
+    'name': 'perl_win32_extract',
+    'pattern': '.',
+    'action': [ 'python',
+                'boringssl/util/bot/extract.py',
+                '--no-prefix',
+                'boringssl/util/bot/perl-win32.zip',
+                'boringssl/util/bot/perl-win32/',
+    ],
+  },
+]
diff --git a/src/util/bot/README b/src/util/bot/README
new file mode 100644
index 0000000..b7a4332
--- /dev/null
+++ b/src/util/bot/README
@@ -0,0 +1,3 @@
+This directory contains tools for setting up a hermetic toolchain on the
+continuous integration bots. It is in the repository for convenience and can be
+ignored in development.
diff --git a/src/util/bot/cmake-linux64.tar.gz.sha1 b/src/util/bot/cmake-linux64.tar.gz.sha1
new file mode 100644
index 0000000..6a8aa1c
--- /dev/null
+++ b/src/util/bot/cmake-linux64.tar.gz.sha1
@@ -0,0 +1 @@
+32cd1d5fe84ae569dbb36f5767650d62efb8be38
\ No newline at end of file
diff --git a/src/util/bot/cmake-mac.tar.gz.sha1 b/src/util/bot/cmake-mac.tar.gz.sha1
new file mode 100644
index 0000000..cb7251b
--- /dev/null
+++ b/src/util/bot/cmake-mac.tar.gz.sha1
@@ -0,0 +1 @@
+310df6945ae7f8c9da559d22f5794ee8e578a663
\ No newline at end of file
diff --git a/src/util/bot/cmake-win32.zip.sha1 b/src/util/bot/cmake-win32.zip.sha1
new file mode 100644
index 0000000..9196b58
--- /dev/null
+++ b/src/util/bot/cmake-win32.zip.sha1
@@ -0,0 +1 @@
+e9493171de0edd8879755aa7229a701010a19561
\ No newline at end of file
diff --git a/src/util/bot/extract.py b/src/util/bot/extract.py
new file mode 100644
index 0000000..77603c0
--- /dev/null
+++ b/src/util/bot/extract.py
@@ -0,0 +1,139 @@
+# Copyright (c) 2015, Google Inc.
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+# SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+# OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+# CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+"""Extracts archives."""
+
+
+import optparse
+import os
+import os.path
+import tarfile
+import shutil
+import sys
+import zipfile
+
+
+def CheckedJoin(output, path):
+  """
+  CheckedJoin returns os.path.join(output, path). It does sanity checks to
+  ensure the resulting path is under output, but shouldn't be used on untrusted
+  input.
+  """
+  path = os.path.normpath(path)
+  if os.path.isabs(path) or path.startswith('.'):
+    raise ValueError(path)
+  return os.path.join(output, path)
+
+
+def IterateZip(path):
+  """
+  IterateZip opens the zip file at path and returns a generator of
+  (filename, mode, fileobj) tuples for each file in it.
+  """
+  with zipfile.ZipFile(path, 'r') as zip_file:
+    for info in zip_file.infolist():
+      if info.filename.endswith('/'):
+        continue
+      yield (info.filename, None, zip_file.open(info))
+
+
+def IterateTar(path):
+  """
+  IterateTar opens the tar.gz file at path and returns a generator of
+  (filename, mode, fileobj) tuples for each file in it.
+  """
+  with tarfile.open(path, 'r:gz') as tar_file:
+    for info in tar_file:
+      if info.isdir():
+        continue
+      if not info.isfile():
+        raise ValueError('Unknown entry type "%s"' % (info.name, ))
+      yield (info.name, info.mode, tar_file.extractfile(info))
+
+
+def main(args):
+  parser = optparse.OptionParser(usage='Usage: %prog ARCHIVE OUTPUT')
+  parser.add_option('--no-prefix', dest='no_prefix', action='store_true',
+                    help='Do not remove a prefix from paths in the archive.')
+  options, args = parser.parse_args(args)
+
+  if len(args) != 2:
+    parser.print_help()
+    return 1
+
+  archive, output = args
+
+  if not os.path.exists(archive):
+    # Skip archives that weren't downloaded.
+    return 0
+
+  if archive.endswith('.zip'):
+    entries = IterateZip(archive)
+  elif archive.endswith('.tar.gz'):
+    entries = IterateTar(archive)
+  else:
+    raise ValueError(archive)
+
+  try:
+    if os.path.exists(output):
+      print "Removing %s" % (output, )
+      shutil.rmtree(output)
+
+    print "Extracting %s to %s" % (archive, output)
+    prefix = None
+    num_extracted = 0
+    for path, mode, inp in entries:
+      # Even on Windows, zip files must always use forward slashes.
+      if '\\' in path or path.startswith('/'):
+        raise ValueError(path)
+
+      if not options.no_prefix:
+        new_prefix, rest = path.split('/', 1)
+
+        # Ensure the archive is consistent.
+        if prefix is None:
+          prefix = new_prefix
+        if prefix != new_prefix:
+          raise ValueError((prefix, new_prefix))
+      else:
+        rest = path
+
+      # Extract the file into the output directory.
+      fixed_path = CheckedJoin(output, rest)
+      if not os.path.isdir(os.path.dirname(fixed_path)):
+        os.makedirs(os.path.dirname(fixed_path))
+      with open(fixed_path, 'wb') as out:
+        shutil.copyfileobj(inp, out)
+
+      # Fix up permissions if needbe.
+      # TODO(davidben): To be extra tidy, this should only track the execute bit
+      # as in git.
+      if mode is not None:
+        os.chmod(fixed_path, mode)
+
+      # Print every 100 files, so bots do not time out on large archives.
+      num_extracted += 1
+      if num_extracted % 100 == 0:
+        print "Extracted %d files..." % (num_extracted,)
+  finally:
+    entries.close()
+
+  if num_extracted % 100 == 0:
+    print "Done. Extracted %d files." % (num_extracted,)
+
+  return 0
+
+
+if __name__ == '__main__':
+  sys.exit(main(sys.argv[1:]))
diff --git a/src/util/bot/go/bootstrap.py b/src/util/bot/go/bootstrap.py
new file mode 100755
index 0000000..166ef3b
--- /dev/null
+++ b/src/util/bot/go/bootstrap.py
@@ -0,0 +1,297 @@
+#!/usr/bin/env python
+# Copyright 2014 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Modified from go/bootstrap.py in Chromium infrastructure's repository to patch
+# out everything but the core toolchain.
+#
+# https://chromium.googlesource.com/infra/infra/
+
+"""Prepares a local hermetic Go installation.
+
+- Downloads and unpacks the Go toolset in ../golang.
+"""
+
+import contextlib
+import logging
+import os
+import platform
+import shutil
+import stat
+import subprocess
+import sys
+import tarfile
+import tempfile
+import urllib
+import zipfile
+
+# TODO(vadimsh): Migrate to new golang.org/x/ paths once Golang moves to
+# git completely.
+
+LOGGER = logging.getLogger(__name__)
+
+
+# /path/to/util/bot
+ROOT = os.path.dirname(os.path.abspath(__file__))
+
+# Where to install Go toolset to. GOROOT would be <TOOLSET_ROOT>/go.
+TOOLSET_ROOT = os.path.join(os.path.dirname(ROOT), 'golang')
+
+# Default workspace with infra go code.
+WORKSPACE = os.path.join(ROOT, 'go')
+
+# Platform depended suffix for executable files.
+EXE_SFX = '.exe' if sys.platform == 'win32' else ''
+
+# Pinned version of Go toolset to download.
+TOOLSET_VERSION = 'go1.4'
+
+# Platform dependent portion of a download URL. See http://golang.org/dl/.
+TOOLSET_VARIANTS = {
+  ('darwin', 'x86-32'): 'darwin-386-osx10.8.tar.gz',
+  ('darwin', 'x86-64'): 'darwin-amd64-osx10.8.tar.gz',
+  ('linux2', 'x86-32'): 'linux-386.tar.gz',
+  ('linux2', 'x86-64'): 'linux-amd64.tar.gz',
+  ('win32', 'x86-32'): 'windows-386.zip',
+  ('win32', 'x86-64'): 'windows-amd64.zip',
+}
+
+# Download URL root.
+DOWNLOAD_URL_PREFIX = 'https://storage.googleapis.com/golang'
+
+
+class Failure(Exception):
+  """Bootstrap failed."""
+
+
+def get_toolset_url():
+  """URL of a platform specific Go toolset archive."""
+  # TODO(vadimsh): Support toolset for cross-compilation.
+  arch = {
+    'amd64': 'x86-64',
+    'x86_64': 'x86-64',
+    'i386': 'x86-32',
+    'x86': 'x86-32',
+  }.get(platform.machine().lower())
+  variant = TOOLSET_VARIANTS.get((sys.platform, arch))
+  if not variant:
+    # TODO(vadimsh): Compile go lang from source.
+    raise Failure('Unrecognized platform')
+  return '%s/%s.%s' % (DOWNLOAD_URL_PREFIX, TOOLSET_VERSION, variant)
+
+
+def read_file(path):
+  """Returns contents of a given file or None if not readable."""
+  assert isinstance(path, (list, tuple))
+  try:
+    with open(os.path.join(*path), 'r') as f:
+      return f.read()
+  except IOError:
+    return None
+
+
+def write_file(path, data):
+  """Writes |data| to a file."""
+  assert isinstance(path, (list, tuple))
+  with open(os.path.join(*path), 'w') as f:
+    f.write(data)
+
+
+def remove_directory(path):
+  """Recursively removes a directory."""
+  assert isinstance(path, (list, tuple))
+  p = os.path.join(*path)
+  if not os.path.exists(p):
+    return
+  LOGGER.info('Removing %s', p)
+  # Crutch to remove read-only file (.git/* in particular) on Windows.
+  def onerror(func, path, _exc_info):
+    if not os.access(path, os.W_OK):
+      os.chmod(path, stat.S_IWUSR)
+      func(path)
+    else:
+      raise
+  shutil.rmtree(p, onerror=onerror if sys.platform == 'win32' else None)
+
+
+def install_toolset(toolset_root, url):
+  """Downloads and installs Go toolset.
+
+  GOROOT would be <toolset_root>/go/.
+  """
+  if not os.path.exists(toolset_root):
+    os.makedirs(toolset_root)
+  pkg_path = os.path.join(toolset_root, url[url.rfind('/')+1:])
+
+  LOGGER.info('Downloading %s...', url)
+  download_file(url, pkg_path)
+
+  LOGGER.info('Extracting...')
+  if pkg_path.endswith('.zip'):
+    with zipfile.ZipFile(pkg_path, 'r') as f:
+      f.extractall(toolset_root)
+  elif pkg_path.endswith('.tar.gz'):
+    with tarfile.open(pkg_path, 'r:gz') as f:
+      f.extractall(toolset_root)
+  else:
+    raise Failure('Unrecognized archive format')
+
+  LOGGER.info('Validating...')
+  if not check_hello_world(toolset_root):
+    raise Failure('Something is not right, test program doesn\'t work')
+
+
+def download_file(url, path):
+  """Fetches |url| to |path|."""
+  last_progress = [0]
+  def report(a, b, c):
+    progress = int(a * b * 100.0 / c)
+    if progress != last_progress[0]:
+      print >> sys.stderr, 'Downloading... %d%%' % progress
+      last_progress[0] = progress
+  # TODO(vadimsh): Use something less crippled, something that validates SSL.
+  urllib.urlretrieve(url, path, reporthook=report)
+
+
+@contextlib.contextmanager
+def temp_dir(path):
+  """Creates a temporary directory, then deletes it."""
+  tmp = tempfile.mkdtemp(dir=path)
+  try:
+    yield tmp
+  finally:
+    remove_directory([tmp])
+
+
+def check_hello_world(toolset_root):
+  """Compiles and runs 'hello world' program to verify that toolset works."""
+  with temp_dir(toolset_root) as tmp:
+    path = os.path.join(tmp, 'hello.go')
+    write_file([path], r"""
+        package main
+        func main() { println("hello, world\n") }
+    """)
+    out = subprocess.check_output(
+        [get_go_exe(toolset_root), 'run', path],
+        env=get_go_environ(toolset_root, tmp),
+        stderr=subprocess.STDOUT)
+    if out.strip() != 'hello, world':
+      LOGGER.error('Failed to run sample program:\n%s', out)
+      return False
+    return True
+
+
+def ensure_toolset_installed(toolset_root):
+  """Installs or updates Go toolset if necessary.
+
+  Returns True if new toolset was installed.
+  """
+  installed = read_file([toolset_root, 'INSTALLED_TOOLSET'])
+  available = get_toolset_url()
+  if installed == available:
+    LOGGER.debug('Go toolset is up-to-date: %s', TOOLSET_VERSION)
+    return False
+
+  LOGGER.info('Installing Go toolset.')
+  LOGGER.info('  Old toolset is %s', installed)
+  LOGGER.info('  New toolset is %s', available)
+  remove_directory([toolset_root])
+  install_toolset(toolset_root, available)
+  LOGGER.info('Go toolset installed: %s', TOOLSET_VERSION)
+  write_file([toolset_root, 'INSTALLED_TOOLSET'], available)
+  return True
+
+
+def get_go_environ(
+    toolset_root,
+    workspace=None):
+  """Returns a copy of os.environ with added GO* environment variables.
+
+  Overrides GOROOT, GOPATH and GOBIN. Keeps everything else. Idempotent.
+
+  Args:
+    toolset_root: GOROOT would be <toolset_root>/go.
+    workspace: main workspace directory or None if compiling in GOROOT.
+  """
+  env = os.environ.copy()
+  env['GOROOT'] = os.path.join(toolset_root, 'go')
+  if workspace:
+    env['GOBIN'] = os.path.join(workspace, 'bin')
+  else:
+    env.pop('GOBIN', None)
+
+  all_go_paths = []
+  if workspace:
+    all_go_paths.append(workspace)
+  env['GOPATH'] = os.pathsep.join(all_go_paths)
+
+  # New PATH entries.
+  paths_to_add = [
+    os.path.join(env['GOROOT'], 'bin'),
+    env.get('GOBIN'),
+  ]
+
+  # Make sure not to add duplicates entries to PATH over and over again when
+  # get_go_environ is invoked multiple times.
+  path = env['PATH'].split(os.pathsep)
+  paths_to_add = [p for p in paths_to_add if p and p not in path]
+  env['PATH'] = os.pathsep.join(paths_to_add + path)
+
+  return env
+
+
+def get_go_exe(toolset_root):
+  """Returns path to go executable."""
+  return os.path.join(toolset_root, 'go', 'bin', 'go' + EXE_SFX)
+
+
+def bootstrap(logging_level):
+  """Installs all dependencies in default locations.
+
+  Supposed to be called at the beginning of some script (it modifies logger).
+
+  Args:
+    logging_level: logging level of bootstrap process.
+  """
+  logging.basicConfig()
+  LOGGER.setLevel(logging_level)
+  ensure_toolset_installed(TOOLSET_ROOT)
+
+
+def prepare_go_environ():
+  """Returns dict with environment variables to set to use Go toolset.
+
+  Installs or updates the toolset if necessary.
+  """
+  bootstrap(logging.INFO)
+  return get_go_environ(TOOLSET_ROOT, WORKSPACE)
+
+
+def find_executable(name, workspaces):
+  """Returns full path to an executable in some bin/ (in GOROOT or GOBIN)."""
+  basename = name
+  if EXE_SFX and basename.endswith(EXE_SFX):
+    basename = basename[:-len(EXE_SFX)]
+  roots = [os.path.join(TOOLSET_ROOT, 'go', 'bin')]
+  for path in workspaces:
+    roots.extend([
+      os.path.join(path, 'bin'),
+    ])
+  for root in roots:
+    full_path = os.path.join(root, basename + EXE_SFX)
+    if os.path.exists(full_path):
+      return full_path
+  return name
+
+
+def main(args):
+  if args:
+    print >> sys.stderr, sys.modules[__name__].__doc__,
+    return 2
+  bootstrap(logging.DEBUG)
+  return 0
+
+
+if __name__ == '__main__':
+  sys.exit(main(sys.argv[1:]))
diff --git a/src/util/bot/go/env.py b/src/util/bot/go/env.py
new file mode 100755
index 0000000..820968c
--- /dev/null
+++ b/src/util/bot/go/env.py
@@ -0,0 +1,49 @@
+#!/usr/bin/env python
+# Copyright 2014 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Modified from go/env.py in Chromium infrastructure's repository to patch out
+# everything but the core toolchain.
+#
+# https://chromium.googlesource.com/infra/infra/
+
+"""Can be used to point environment variable to hermetic Go toolset.
+
+Usage (on linux and mac):
+$ eval `./env.py`
+$ go version
+
+Or it can be used to wrap a command:
+
+$ ./env.py go version
+"""
+
+assert __name__ == '__main__'
+
+import imp
+import os
+import subprocess
+import sys
+
+# Do not want to mess with sys.path, load the module directly.
+bootstrap = imp.load_source(
+    'bootstrap', os.path.join(os.path.dirname(__file__), 'bootstrap.py'))
+
+old = os.environ.copy()
+new = bootstrap.prepare_go_environ()
+
+if len(sys.argv) == 1:
+  for key, value in sorted(new.iteritems()):
+    if old.get(key) != value:
+      print 'export %s="%s"' % (key, value)
+else:
+  exe = sys.argv[1]
+  if exe == 'python':
+    exe = sys.executable
+  else:
+    # Help Windows to find the executable in new PATH, do it only when
+    # executable is referenced by name (and not by path).
+    if os.sep not in exe:
+      exe = bootstrap.find_executable(exe, [bootstrap.WORKSPACE])
+  sys.exit(subprocess.call([exe] + sys.argv[2:], env=new))
diff --git a/src/util/bot/perl-win32.zip.sha1 b/src/util/bot/perl-win32.zip.sha1
new file mode 100644
index 0000000..a5559d8
--- /dev/null
+++ b/src/util/bot/perl-win32.zip.sha1
@@ -0,0 +1 @@
+ab6e7aee6a915c4d820b86f5227094763b649fce
\ No newline at end of file
diff --git a/src/util/bot/toolchain_vs2013.hash b/src/util/bot/toolchain_vs2013.hash
new file mode 100644
index 0000000..4ed8816
--- /dev/null
+++ b/src/util/bot/toolchain_vs2013.hash
@@ -0,0 +1 @@
+ee7d718ec60c2dc5d255bbe325909c2021a7efef
diff --git a/src/util/bot/update_clang.py b/src/util/bot/update_clang.py
new file mode 100644
index 0000000..0836d11
--- /dev/null
+++ b/src/util/bot/update_clang.py
@@ -0,0 +1,71 @@
+# Copyright (c) 2015, Google Inc.
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+# SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+# OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+# CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+import os.path
+import shutil
+import sys
+import tarfile
+import tempfile
+import urllib
+
+# CLANG_REVISION and CLANG_SUB_REVISION determine the build of clang
+# to use. These should be synced with tools/clang/scripts/update.sh in
+# Chromium.
+CLANG_REVISION = "233105"
+CLANG_SUB_REVISION = "1"
+
+PACKAGE_VERSION = "%s-%s" % (CLANG_REVISION, CLANG_SUB_REVISION)
+LLVM_BUILD_DIR = os.path.join(os.path.dirname(__file__), "llvm-build")
+STAMP_FILE = os.path.join(LLVM_BUILD_DIR, "cr_build_revision")
+
+CDS_URL = "https://commondatastorage.googleapis.com/chromium-browser-clang"
+
+def DownloadFile(url, path):
+  """DownloadFile fetches |url| to |path|."""
+  last_progress = [0]
+  def report(a, b, c):
+    progress = int(a * b * 100.0 / c)
+    if progress != last_progress[0]:
+      print >> sys.stderr, "Downloading... %d%%" % progress
+      last_progress[0] = progress
+  urllib.urlretrieve(url, path, reporthook=report)
+
+def main(args):
+  # For now, only download clang on Linux.
+  if not sys.platform.startswith("linux"):
+    return 0
+
+  if os.path.exists(STAMP_FILE):
+    with open(STAMP_FILE) as f:
+      if f.read().strip() == PACKAGE_VERSION:
+        print >> sys.stderr, "Clang already at %s" % (PACKAGE_VERSION,)
+        return 0
+
+  if os.path.exists(LLVM_BUILD_DIR):
+    shutil.rmtree(LLVM_BUILD_DIR)
+
+  print >> sys.stderr, "Downloading Clang %s" % (PACKAGE_VERSION,)
+  cds_full_url = "%s/Linux_x64/clang-%s.tgz" % (CDS_URL, PACKAGE_VERSION)
+  with tempfile.NamedTemporaryFile() as temp:
+    DownloadFile(cds_full_url, temp.name)
+    with tarfile.open(temp.name, "r:gz") as tar_file:
+      tar_file.extractall(LLVM_BUILD_DIR)
+
+  with open(STAMP_FILE, "wb") as stamp_file:
+    stamp_file.write(PACKAGE_VERSION)
+
+  return 0
+
+if __name__ == "__main__":
+  sys.exit(main(sys.argv[1:]))
diff --git a/src/util/bot/vs_env.py b/src/util/bot/vs_env.py
new file mode 100644
index 0000000..1847500
--- /dev/null
+++ b/src/util/bot/vs_env.py
@@ -0,0 +1,37 @@
+# Copyright (c) 2015, Google Inc.
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+# SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+# OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+# CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+import subprocess
+import sys
+
+import vs_toolchain
+# vs_toolchain adds gyp to sys.path.
+import gyp.MSVSVersion
+
+if len(sys.argv) < 2:
+  print >>sys.stderr, "Usage: vs_env.py TARGET_ARCH CMD..."
+  sys.exit(1)
+
+target_arch = sys.argv[1]
+cmd = sys.argv[2:]
+
+vs_toolchain.SetEnvironmentAndGetRuntimeDllDirs()
+vs_version = gyp.MSVSVersion.SelectVisualStudioVersion()
+
+# Using shell=True is somewhat ugly, but the alternative is to pull in a copy
+# of the Chromium GN build's setup_toolchain.py which runs the setup script,
+# then 'set', and then parses the environment variables out. (GYP internally
+# does the same thing.)
+sys.exit(subprocess.call(vs_version.SetupScript(target_arch) + ["&&"] + cmd,
+                         shell=True))
diff --git a/src/util/bot/vs_toolchain.py b/src/util/bot/vs_toolchain.py
new file mode 100644
index 0000000..fd76f39
--- /dev/null
+++ b/src/util/bot/vs_toolchain.py
@@ -0,0 +1,114 @@
+# Copyright 2014 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+import json
+import os
+import pipes
+import shutil
+import subprocess
+import sys
+
+
+script_dir = os.path.dirname(os.path.realpath(__file__))
+sys.path.insert(0, os.path.join(script_dir, 'gyp', 'pylib'))
+json_data_file = os.path.join(script_dir, 'win_toolchain.json')
+
+
+import gyp
+
+
+def SetEnvironmentAndGetRuntimeDllDirs():
+  """Sets up os.environ to use the depot_tools VS toolchain with gyp, and
+  returns the location of the VS runtime DLLs so they can be copied into
+  the output directory after gyp generation.
+  """
+  vs2013_runtime_dll_dirs = None
+  depot_tools_win_toolchain = \
+      bool(int(os.environ.get('DEPOT_TOOLS_WIN_TOOLCHAIN', '1')))
+  if sys.platform in ('win32', 'cygwin') and depot_tools_win_toolchain:
+    if not os.path.exists(json_data_file):
+      Update()
+    with open(json_data_file, 'r') as tempf:
+      toolchain_data = json.load(tempf)
+
+    toolchain = toolchain_data['path']
+    version = toolchain_data['version']
+    version_is_pro = version[-1] != 'e'
+    win8sdk = toolchain_data['win8sdk']
+    wdk = toolchain_data['wdk']
+    # TODO(scottmg): The order unfortunately matters in these. They should be
+    # split into separate keys for x86 and x64. (See CopyVsRuntimeDlls call
+    # below). http://crbug.com/345992
+    vs2013_runtime_dll_dirs = toolchain_data['runtime_dirs']
+
+    os.environ['GYP_MSVS_OVERRIDE_PATH'] = toolchain
+    os.environ['GYP_MSVS_VERSION'] = version
+    # We need to make sure windows_sdk_path is set to the automated
+    # toolchain values in GYP_DEFINES, but don't want to override any
+    # otheroptions.express
+    # values there.
+    gyp_defines_dict = gyp.NameValueListToDict(gyp.ShlexEnv('GYP_DEFINES'))
+    gyp_defines_dict['windows_sdk_path'] = win8sdk
+    os.environ['GYP_DEFINES'] = ' '.join('%s=%s' % (k, pipes.quote(str(v)))
+        for k, v in gyp_defines_dict.iteritems())
+    os.environ['WINDOWSSDKDIR'] = win8sdk
+    os.environ['WDK_DIR'] = wdk
+    # Include the VS runtime in the PATH in case it's not machine-installed.
+    runtime_path = ';'.join(vs2013_runtime_dll_dirs)
+    os.environ['PATH'] = runtime_path + ';' + os.environ['PATH']
+  return vs2013_runtime_dll_dirs
+
+
+def _GetDesiredVsToolchainHashes():
+  """Load a list of SHA1s corresponding to the toolchains that we want installed
+  to build with."""
+  sha1path = os.path.join(script_dir, 'toolchain_vs2013.hash')
+  with open(sha1path, 'rb') as f:
+    return f.read().strip().splitlines()
+
+
+def FindDepotTools():
+  """Returns the path to depot_tools in $PATH."""
+  for path in os.environ['PATH'].split(os.pathsep):
+    if os.path.isfile(os.path.join(path, 'gclient.py')):
+      return path
+  raise Exception("depot_tools not found!")
+
+
+def Update():
+  """Requests an update of the toolchain to the specific hashes we have at
+  this revision. The update outputs a .json of the various configuration
+  information required to pass to gyp which we use in |GetToolchainDir()|.
+  """
+  depot_tools_win_toolchain = \
+      bool(int(os.environ.get('DEPOT_TOOLS_WIN_TOOLCHAIN', '1')))
+  if sys.platform in ('win32', 'cygwin') and depot_tools_win_toolchain:
+    depot_tools_path = FindDepotTools()
+    json_data_file = os.path.join(script_dir, 'win_toolchain.json')
+    get_toolchain_args = [
+        sys.executable,
+        os.path.join(depot_tools_path,
+                    'win_toolchain',
+                    'get_toolchain_if_necessary.py'),
+        '--output-json', json_data_file,
+      ] + _GetDesiredVsToolchainHashes()
+    subprocess.check_call(get_toolchain_args)
+
+  return 0
+
+
+def main():
+  if not sys.platform.startswith(('win32', 'cygwin')):
+    return 0
+  commands = {
+      'update': Update,
+  }
+  if len(sys.argv) < 2 or sys.argv[1] not in commands:
+    print >>sys.stderr, 'Expected one of: %s' % ', '.join(commands)
+    return 1
+  return commands[sys.argv[1]](*sys.argv[2:])
+
+
+if __name__ == '__main__':
+  sys.exit(main())
diff --git a/src/util/bot/yasm-win32.exe.sha1 b/src/util/bot/yasm-win32.exe.sha1
new file mode 100644
index 0000000..5b8c9aa
--- /dev/null
+++ b/src/util/bot/yasm-win32.exe.sha1
@@ -0,0 +1 @@
+4c4d1951181a610923523cb10d83d9ae9952fbf3
\ No newline at end of file
diff --git a/src/util/clang-toolchain.cmake b/src/util/clang-toolchain.cmake
deleted file mode 100644
index 8d81379..0000000
--- a/src/util/clang-toolchain.cmake
+++ /dev/null
@@ -1,2 +0,0 @@
-set(CMAKE_CXX_COMPILER "/agl/chromium/src/third_party/llvm-build/Release+Asserts/bin/clang++")
-set(CMAKE_C_COMPILER "/agl/chromium/src/third_party/llvm-build/Release+Asserts/bin/clang")
diff --git a/src/util/doc.config b/src/util/doc.config
index 62db0f3..a427e04 100644
--- a/src/util/doc.config
+++ b/src/util/doc.config
@@ -9,10 +9,12 @@
       "include/openssl/bytestring.h",
       "include/openssl/err.h",
       "include/openssl/cpu.h",
+      "include/openssl/crypto.h",
       "include/openssl/ex_data.h",
       "include/openssl/lhash.h",
       "include/openssl/mem.h",
       "include/openssl/obj.h",
+      "include/openssl/rand.h",
       "include/openssl/stack.h",
       "include/openssl/thread.h",
       "include/openssl/time_support.h"
@@ -22,6 +24,7 @@
     "Headers": [
       "include/openssl/aes.h",
       "include/openssl/bn.h",
+      "include/openssl/cmac.h",
       "include/openssl/des.h",
       "include/openssl/dh.h",
       "include/openssl/dsa.h",
@@ -45,5 +48,10 @@
       "include/openssl/aead.h",
       "include/openssl/evp.h"
     ]
+  },{
+    "Name": "SSL implementation",
+    "Headers": [
+      "include/openssl/ssl.h"
+    ]
   }]
 }
diff --git a/src/util/doc.go b/src/util/doc.go
index 7c96af8..20feae5 100644
--- a/src/util/doc.go
+++ b/src/util/doc.go
@@ -111,7 +111,9 @@ func extractComment(lines []string, lineNo int) (comment []string, rest []string
 			err = fmt.Errorf("comment doesn't start with block prefix on line %d: %s", restLineNo, line)
 			return
 		}
-		line = line[2:]
+		if len(line) == 2 || line[2] != '/' {
+			line = line[2:]
+		}
 		if strings.HasPrefix(line, "   ") {
 			/* Identing the lines of a paragraph marks them as
 			* preformatted. */
@@ -193,12 +195,23 @@ func extractDecl(lines []string, lineNo int) (decl string, rest []string, restLi
 func skipPast(s, skip string) string {
 	i := strings.Index(s, skip)
 	if i > 0 {
-		return s[len(skip):]
+		return s[i:]
 	}
 	return s
 }
 
+func skipLine(s string) string {
+	i := strings.Index(s, "\n")
+	if i > 0 {
+		return s[i:]
+	}
+	return ""
+}
+
 func getNameFromDecl(decl string) (string, bool) {
+	for strings.HasPrefix(decl, "#if") {
+		decl = skipLine(decl)
+	}
 	if strings.HasPrefix(decl, "struct ") {
 		return "", false
 	}
@@ -582,8 +595,8 @@ func generateIndex(outPath string, config *Config, headerDescriptions map[string
 
 func main() {
 	var (
-		configFlag *string = flag.String("config", "", "Location of config file")
-		outputDir  *string = flag.String("out", "", "Path to the directory where the output will be written")
+		configFlag *string = flag.String("config", "doc.config", "Location of config file")
+		outputDir  *string = flag.String("out", ".", "Path to the directory where the output will be written")
 		config     Config
 	)
 
diff --git a/src/util/generate_build_files.py b/src/util/generate_build_files.py
new file mode 100644
index 0000000..94de546
--- /dev/null
+++ b/src/util/generate_build_files.py
@@ -0,0 +1,341 @@
+# Copyright (c) 2015, Google Inc.
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+# SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+# OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+# CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+"""Enumerates the BoringSSL source in src/ and either generates two gypi files
+  (boringssl.gypi and boringssl_tests.gypi) for Chromium, or generates
+  source-list files for Android."""
+
+import os
+import subprocess
+import sys
+
+
+# OS_ARCH_COMBOS maps from OS and platform to the OpenSSL assembly "style" for
+# that platform and the extension used by asm files.
+OS_ARCH_COMBOS = [
+    ('linux', 'arm', 'linux32', [], 'S'),
+    ('linux', 'aarch64', 'linux64', [], 'S'),
+    ('linux', 'x86', 'elf', ['-fPIC', '-DOPENSSL_IA32_SSE2'], 'S'),
+    ('linux', 'x86_64', 'elf', [], 'S'),
+    ('mac', 'x86', 'macosx', ['-fPIC', '-DOPENSSL_IA32_SSE2'], 'S'),
+    ('mac', 'x86_64', 'macosx', [], 'S'),
+    ('win', 'x86', 'win32n', ['-DOPENSSL_IA32_SSE2'], 'asm'),
+    ('win', 'x86_64', 'nasm', [], 'asm'),
+]
+
+# NON_PERL_FILES enumerates assembly files that are not processed by the
+# perlasm system.
+NON_PERL_FILES = {
+    ('linux', 'arm'): [
+        'src/crypto/poly1305/poly1305_arm_asm.S',
+        'src/crypto/chacha/chacha_vec_arm.S',
+        'src/crypto/cpu-arm-asm.S',
+    ],
+}
+
+
+class Chromium(object):
+
+  def __init__(self):
+    self.header = \
+"""# Copyright (c) 2014 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# This file is created by generate_build_files.py. Do not edit manually.
+
+"""
+
+  def PrintVariableSection(self, out, name, files):
+    out.write('    \'%s\': [\n' % name)
+    for f in sorted(files):
+      out.write('      \'%s\',\n' % f)
+    out.write('    ],\n')
+
+  def WriteFiles(self, files, asm_outputs):
+    with open('boringssl.gypi', 'w+') as gypi:
+      gypi.write(self.header + '{\n  \'variables\': {\n')
+
+      self.PrintVariableSection(
+          gypi, 'boringssl_lib_sources', files['crypto'] + files['ssl'])
+
+      for ((osname, arch), asm_files) in asm_outputs:
+        self.PrintVariableSection(gypi, 'boringssl_%s_%s_sources' %
+                                  (osname, arch), asm_files)
+
+      gypi.write('  }\n}\n')
+
+    with open('boringssl_tests.gypi', 'w+') as test_gypi:
+      test_gypi.write(self.header + '{\n  \'targets\': [\n')
+
+      test_names = []
+      for test in sorted(files['test']):
+        test_name = 'boringssl_%s' % os.path.splitext(os.path.basename(test))[0]
+        test_gypi.write("""    {
+      'target_name': '%s',
+      'type': 'executable',
+      'dependencies': [
+        'boringssl.gyp:boringssl',
+      ],
+      'sources': [
+        '%s',
+      ],
+      # TODO(davidben): Fix size_t truncations in BoringSSL.
+      # https://crbug.com/429039
+      'msvs_disabled_warnings': [ 4267, ],
+    },\n""" % (test_name, test))
+        test_names.append(test_name)
+
+      test_names.sort()
+
+      test_gypi.write("""  ],
+  'variables': {
+    'boringssl_test_targets': [\n""")
+
+      for test in test_names:
+        test_gypi.write("""      '%s',\n""" % test)
+
+      test_gypi.write('    ],\n  }\n}\n')
+
+
+class Android(object):
+
+  def __init__(self):
+    self.header = \
+"""# Copyright (C) 2015 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""
+
+  def PrintVariableSection(self, out, name, files):
+    out.write('%s := \\\n' % name)
+    for f in sorted(files):
+      out.write('  %s\\\n' % f)
+    out.write('\n')
+
+  def WriteFiles(self, files, asm_outputs):
+    with open('sources.mk', 'w+') as makefile:
+      makefile.write(self.header)
+
+      files['crypto'].append('android_compat_hacks.c')
+      files['crypto'].append('android_compat_keywrap.c')
+      self.PrintVariableSection(makefile, 'crypto_sources', files['crypto'])
+      self.PrintVariableSection(makefile, 'ssl_sources', files['ssl'])
+      self.PrintVariableSection(makefile, 'tool_sources', files['tool'])
+
+      for ((osname, arch), asm_files) in asm_outputs:
+        self.PrintVariableSection(
+            makefile, '%s_%s_sources' % (osname, arch), asm_files)
+
+
+def FindCMakeFiles(directory):
+  """Returns list of all CMakeLists.txt files recursively in directory."""
+  cmakefiles = []
+
+  for (path, _, filenames) in os.walk(directory):
+    for filename in filenames:
+      if filename == 'CMakeLists.txt':
+        cmakefiles.append(os.path.join(path, filename))
+
+  return cmakefiles
+
+
+def NoTests(dent, is_dir):
+  """Filter function that can be passed to FindCFiles in order to remove test
+  sources."""
+  if is_dir:
+    return dent != 'test'
+  return 'test.' not in dent and not dent.startswith('example_')
+
+
+def OnlyTests(dent, is_dir):
+  """Filter function that can be passed to FindCFiles in order to remove
+  non-test sources."""
+  if is_dir:
+    return True
+  return '_test.' in dent or dent.startswith('example_')
+
+
+def FindCFiles(directory, filter_func):
+  """Recurses through directory and returns a list of paths to all the C source
+  files that pass filter_func."""
+  cfiles = []
+
+  for (path, dirnames, filenames) in os.walk(directory):
+    for filename in filenames:
+      if not filename.endswith('.c') and not filename.endswith('.cc'):
+        continue
+      if not filter_func(filename, False):
+        continue
+      cfiles.append(os.path.join(path, filename))
+
+    for (i, dirname) in enumerate(dirnames):
+      if not filter_func(dirname, True):
+        del dirnames[i]
+
+  return cfiles
+
+
+def ExtractPerlAsmFromCMakeFile(cmakefile):
+  """Parses the contents of the CMakeLists.txt file passed as an argument and
+  returns a list of all the perlasm() directives found in the file."""
+  perlasms = []
+  with open(cmakefile) as f:
+    for line in f:
+      line = line.strip()
+      if not line.startswith('perlasm('):
+        continue
+      if not line.endswith(')'):
+        raise ValueError('Bad perlasm line in %s' % cmakefile)
+      # Remove "perlasm(" from start and ")" from end
+      params = line[8:-1].split()
+      if len(params) < 2:
+        raise ValueError('Bad perlasm line in %s' % cmakefile)
+      perlasms.append({
+          'extra_args': params[2:],
+          'input': os.path.join(os.path.dirname(cmakefile), params[1]),
+          'output': os.path.join(os.path.dirname(cmakefile), params[0]),
+      })
+
+  return perlasms
+
+
+def ReadPerlAsmOperations():
+  """Returns a list of all perlasm() directives found in CMake config files in
+  src/."""
+  perlasms = []
+  cmakefiles = FindCMakeFiles('src')
+
+  for cmakefile in cmakefiles:
+    perlasms.extend(ExtractPerlAsmFromCMakeFile(cmakefile))
+
+  return perlasms
+
+
+def PerlAsm(output_filename, input_filename, perlasm_style, extra_args):
+  """Runs the a perlasm script and puts the output into output_filename."""
+  base_dir = os.path.dirname(output_filename)
+  if not os.path.isdir(base_dir):
+    os.makedirs(base_dir)
+  output = subprocess.check_output(
+      ['perl', input_filename, perlasm_style] + extra_args)
+  with open(output_filename, 'w+') as out_file:
+    out_file.write(output)
+
+
+def ArchForAsmFilename(filename):
+  """Returns the architectures that a given asm file should be compiled for
+  based on substrings in the filename."""
+
+  if 'x86_64' in filename or 'avx2' in filename:
+    return ['x86_64']
+  elif ('x86' in filename and 'x86_64' not in filename) or '586' in filename:
+    return ['x86']
+  elif 'armx' in filename:
+    return ['arm', 'aarch64']
+  elif 'armv8' in filename:
+    return ['aarch64']
+  elif 'arm' in filename:
+    return ['arm']
+  else:
+    raise ValueError('Unknown arch for asm filename: ' + filename)
+
+
+def WriteAsmFiles(perlasms):
+  """Generates asm files from perlasm directives for each supported OS x
+  platform combination."""
+  asmfiles = {}
+
+  for osarch in OS_ARCH_COMBOS:
+    (osname, arch, perlasm_style, extra_args, asm_ext) = osarch
+    key = (osname, arch)
+    outDir = '%s-%s' % key
+
+    for perlasm in perlasms:
+      filename = os.path.basename(perlasm['input'])
+      output = perlasm['output']
+      if not output.startswith('src'):
+        raise ValueError('output missing src: %s' % output)
+      output = os.path.join(outDir, output[4:])
+      output = output.replace('${ASM_EXT}', asm_ext)
+
+      if arch in ArchForAsmFilename(filename):
+        PerlAsm(output, perlasm['input'], perlasm_style,
+                perlasm['extra_args'] + extra_args)
+        asmfiles.setdefault(key, []).append(output)
+
+  for (key, non_perl_asm_files) in NON_PERL_FILES.iteritems():
+    asmfiles.setdefault(key, []).extend(non_perl_asm_files)
+
+  return asmfiles
+
+
+def main(platform):
+  crypto_c_files = FindCFiles(os.path.join('src', 'crypto'), NoTests)
+  ssl_c_files = FindCFiles(os.path.join('src', 'ssl'), NoTests)
+  tool_cc_files = FindCFiles(os.path.join('src', 'tool'), NoTests)
+
+  # Generate err_data.c
+  with open('err_data.c', 'w+') as err_data:
+    subprocess.check_call(['go', 'run', 'err_data_generate.go'],
+                          cwd=os.path.join('src', 'crypto', 'err'),
+                          stdout=err_data)
+  crypto_c_files.append('err_data.c')
+
+  test_c_files = FindCFiles(os.path.join('src', 'crypto'), OnlyTests)
+  test_c_files += FindCFiles(os.path.join('src', 'ssl'), OnlyTests)
+
+  files = {
+      'crypto': crypto_c_files,
+      'ssl': ssl_c_files,
+      'tool': tool_cc_files,
+      'test': test_c_files,
+  }
+
+  asm_outputs = sorted(WriteAsmFiles(ReadPerlAsmOperations()).iteritems())
+
+  platform.WriteFiles(files, asm_outputs)
+
+  return 0
+
+
+def Usage():
+  print 'Usage: python %s [chromium|android]' % sys.argv[0]
+  sys.exit(1)
+
+
+if __name__ == '__main__':
+  if len(sys.argv) != 2:
+    Usage()
+
+  platform = None
+  if sys.argv[1] == 'chromium':
+    platform = Chromium()
+  elif sys.argv[1] == 'android':
+    platform = Android()
+  else:
+    Usage()
+
+  sys.exit(main(platform))
diff --git a/src/util/make_errors.go b/src/util/make_errors.go
index 5fd75e2..dc8039a 100644
--- a/src/util/make_errors.go
+++ b/src/util/make_errors.go
@@ -36,17 +36,20 @@ const reservedReasonCode = 1000
 var resetFlag *bool = flag.Bool("reset", false, "If true, ignore current assignments and reassign from scratch")
 
 func makeErrors(reset bool) error {
-	dirName, err := os.Getwd()
+	topLevelPath, err := findToplevel()
 	if err != nil {
 		return err
 	}
 
-	lib := filepath.Base(dirName)
-	headerPath, err := findHeader(lib + ".h")
+	dirName, err := os.Getwd()
 	if err != nil {
 		return err
 	}
-	sourcePath := lib + "_error.c"
+
+	lib := filepath.Base(dirName)
+	headerPath := filepath.Join(topLevelPath, "include", "openssl", lib+".h")
+	errDir := filepath.Join(topLevelPath, "crypto", "err")
+	dataPath := filepath.Join(errDir, lib+".errordata")
 
 	headerFile, err := os.Open(headerPath)
 	if err != nil {
@@ -90,7 +93,7 @@ func makeErrors(reset bool) error {
 	}
 
 	for _, name := range filenames {
-		if !strings.HasSuffix(name, ".c") || name == sourcePath {
+		if !strings.HasSuffix(name, ".c") {
 			continue
 		}
 
@@ -119,55 +122,32 @@ func makeErrors(reset bool) error {
 	}
 	os.Rename(headerPath+".tmp", headerPath)
 
-	sourceFile, err := os.OpenFile(sourcePath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0644)
+	dataFile, err := os.OpenFile(dataPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0644)
 	if err != nil {
 		return err
 	}
-	defer sourceFile.Close()
 
-	fmt.Fprintf(sourceFile, `/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/%s.h>
-
-const ERR_STRING_DATA %s_error_string_data[] = {
-`, lib, prefix)
-	outputStrings(sourceFile, lib, typeFunctions, functions)
-	outputStrings(sourceFile, lib, typeReasons, reasons)
-
-	sourceFile.WriteString("  {0, NULL},\n};\n")
+	outputStrings(dataFile, lib, typeFunctions, functions)
+	outputStrings(dataFile, lib, typeReasons, reasons)
+	dataFile.Close()
 
 	return nil
 }
 
-func findHeader(basename string) (path string, err error) {
-	includeDir := filepath.Join("..", "include")
+func findToplevel() (path string, err error) {
+	path = ".."
+	buildingPath := filepath.Join(path, "BUILDING")
 
-	fi, err := os.Stat(includeDir)
+	_, err = os.Stat(buildingPath)
 	if err != nil && os.IsNotExist(err) {
-		includeDir = filepath.Join("..", includeDir)
-		fi, err = os.Stat(includeDir)
+		path = filepath.Join("..", path)
+		buildingPath = filepath.Join(path, "BUILDING")
+		_, err = os.Stat(buildingPath)
 	}
 	if err != nil {
-		return "", errors.New("cannot find path to include directory")
-	}
-	if !fi.IsDir() {
-		return "", errors.New("include node is not a directory")
+		return "", errors.New("Cannot find BUILDING file at the top-level")
 	}
-	return filepath.Join(includeDir, "openssl", basename), nil
+	return path, nil
 }
 
 type assignment struct {
@@ -295,18 +275,17 @@ func outputStrings(w io.Writer, lib string, ty int, assignments map[string]int)
 	sort.Strings(keys)
 
 	for _, key := range keys {
-		var pack string
-		if ty == typeFunctions {
-			pack = key + ", 0"
-		} else {
-			pack = "0, " + key
+		typeString := "function"
+		if ty == typeReasons {
+			typeString = "reason"
 		}
-
-		fmt.Fprintf(w, "  {ERR_PACK(ERR_LIB_%s, %s), \"%s\"},\n", lib, pack, key[prefixLen:])
+		fmt.Fprintf(w, "%s,%s,%d,%s\n", lib, typeString, assignments[key], key[prefixLen:])
 	}
 }
 
 func assignNewValues(assignments map[string]int, reserved int) {
+	// Needs to be in sync with the reason limit in
+	// |ERR_reason_error_string|.
 	max := 99
 
 	for _, value := range assignments {
@@ -320,16 +299,23 @@ func assignNewValues(assignments map[string]int, reserved int) {
 
 	max++
 
+	// Sort the keys, so this script is reproducible.
+	keys := make([]string, 0, len(assignments))
 	for key, value := range assignments {
 		if value == -1 {
-			if reserved >= 0 && max >= reserved {
-				// If this happens, try passing
-				// -reset. Otherwise bump up reservedReasonCode.
-				panic("Automatically-assigned values exceeded limit!")
-			}
-			assignments[key] = max
-			max++
+			keys = append(keys, key)
+		}
+	}
+	sort.Strings(keys)
+
+	for _, key := range keys {
+		if reserved >= 0 && max >= reserved {
+			// If this happens, try passing -reset. Otherwise bump
+			// up reservedReasonCode.
+			panic("Automatically-assigned values exceeded limit!")
 		}
+		assignments[key] = max
+		max++
 	}
 }
 
@@ -360,8 +346,7 @@ func addFunctionsAndReasons(functions, reasons map[string]int, filename, prefix
 	}
 	defer file.Close()
 
-	prefix += "_"
-	reasonPrefix := prefix + "R_"
+	reasonPrefix := prefix + "_R_"
 	var currentFunction string
 
 	scanner := bufio.NewScanner(file)
@@ -388,8 +373,9 @@ func addFunctionsAndReasons(functions, reasons map[string]int, filename, prefix
 			}
 		}
 
-		if strings.Contains(line, "OPENSSL_PUT_ERROR(") {
-			functionToken := prefix + "F_" + currentFunction
+		// Do not include cross-module error lines.
+		if strings.Contains(line, "OPENSSL_PUT_ERROR(" + prefix + ",") {
+			functionToken := prefix + "_F_" + currentFunction
 			if _, ok := functions[functionToken]; !ok {
 				functions[functionToken] = -1
 			}
@@ -399,7 +385,7 @@ func addFunctionsAndReasons(functions, reasons map[string]int, filename, prefix
 		handleDeclareMacro(line, "_F_", "OPENSSL_DECLARE_ERROR_FUNCTION(", functions)
 
 		for len(line) > 0 {
-			i := strings.Index(line, prefix)
+			i := strings.Index(line, prefix + "_")
 			if i == -1 {
 				break
 			}